Getting web admin ID/password from config backup?

Something went wrong, so I reset OpenWrt and restored settings I had backed up last year. But I cannot log into the web UI. I think the password is probably right, so maybe the user name is not 'root'. But I am not sure.

I have the config backup TAR file and can see the inside, but there are so many files that I do not know whether the ID/password data is. How can I find those information?

PS: For what it's worth, I think the config backup was made for a previous version of OpenWrt. I am using 18.06 now, but the config was made 18.03 or something, probably. If the ID/password are encrypted and cannot be retrieved, can I remove them from the backup file so that I could physically reset the router and restore the settings leaving the web admin ID/password as default?

Like most secure systems, the password is hashed, so it is not recoverable from /etc/passwd or /etc/shadow

You can replace /etc/shadow with one with known passwords (note that OpenWrt presently only supports hashed passwords that begin with $1$).

The easiest approach would probably be to use failsafe mode, mount_root, and set a new password with passwd.

Thanks. I had looked at the 'passwd' file, but it only had root and other common entries, like this:

root:x:0:0:root:/root:/bin/ash

I looked at the 'shadow' file as you suggested, and it also had only root and other common entries, like this:

root:$1$...

Does this mean that my web login ID is 'root'?

So, now I can see the hash, but what hash algorithm is this? I would like to check if it matches the password I thought of. If I knew the hash algorithm (such as MD5), I could hash the password and compare it with the one in the 'shadow'.

Yes, that suggests that root is the user name.

Trying to log in over SSH or into LuCI are probably a lot easier than recreating the password-check code, but you could probably find something with an Internet search if you wanted to try.

I could not find a way to recreate the hash to see if one of the passwords I often use matches the value in the shadow, so I tried to reset the device, but that fail-safe reset does not seem to work. I pressed the WPS/Reset button when starting the device, and the LEDs started blinking and then restarted, but the web UI still says incorrect username/password.

TP-Link WDR4300.

failsafe/ firstboot are working on the tl-wdr4300, I've used it many times in the past. Invoking the failsafe environment and mount_root will also allow you to set a new password using passwd without knowing the old one.

Given that the webinterface may be troubled by caching issues, I'd suggest to clear your browser cache and/ or prefer ssh for debugging.

2 Likes

I managed to get the fail-safe mode, but I could not reset the settings. When I tried the mount_root, it said: "jffs2 not ready yet, using temporary tmpfs overlay". And then when I reset settings (tried both just resetting the password and completely resetting the device), the next time I start the router normally, nothing has changed.

root@(none):/etc# firstboot
This will erase all settings and remove any installed packages. Are you sure? [N/y]
y
/dev/mtdblock3 is not mounted
/dev/mtdblock3 will be erased on next mount

I don't know why deleting all the settings should be this difficult...

That's interesting/ unexpected (I'd only expect this behaviour if the jffs2 overlay either is being formatted (after a factory reset), corrupted or full), but did you let it settle a bit longer (~5 minutes)?

No, I didn't. Am I supposed to wait for 5 minutes after starting into the fail-safe mode? I will try that.

It shouldn't take that long (as in a full 5 minutes), but it may take ~a minute (so giving it 5 minutes is on the safe side) before you try logging in (keep in mind that failsafe boots involve a lot of one-time scripts being executed, e.g. generating new ssh/ ssl keys, formatting jffs2 if necessary, e.g.), which just take time to complete (easily ~half a minute to a minute after you're already able to log in).

I waited 5 minutes, and then it worked. Now the settings are reset, and I could log into the web UI.

Now, I want to restore the settings without changing the root password. If I edit the shadow file in the backed up TAR file like this (decompress the TAR.gz, modify the shadow, then compress it to TAR.gz again), will it work?

root:*:0:0:99999:7:::

PS: I tried the above, and it did not work. It still asked for the root password which I don't know... So, I have to set all the settings manually?

Remove /etc/group, /etc/passwd and /etc/shadow from your backup tarball completely, that way they'll remain untouched when restoring the backup (meaning no password set, respectively the one you've just set).

Thank you. But before reading your reply, I reset the settings and backed up the default settings. It was,

root::0:0:99999:7:::

Unlike the other entries, which had a *, the default root had nothing.

daemon:*:0:0:99999:7:::

I changed the root in the backed-up settings like that, and then restored the settings, now it did not ask for the password.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.