Is it possible to get through a password protected CLI?

Hi,

I have a LUXUL XAP-310 access point that I knew ran a custom OpenWrt build.
I was able to get a console connection and it prompts with a user/password to get to the CLI. It's not an officially supported device but the goal was to just add customization and improvements if I could access it. Would there be any way around this?

Bootlog:

Decompressing...done


CFE version 5.100.138.3 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: 2011-05-26 10:33:50 4 (richard@aeteam.com)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
Found an ST compatible serial flash with 128 64KB blocks; total size 8MB
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.100.138.3
CPU type 0x19749: 300MHz
Tot mem: 65536 KBytes

CFE mem:    0x80700000 - 0x80798550 (623952)
Data:       0x8072E3A0 - 0x807315C0 (12832)
BSS:        0x807315C0 - 0x80732550 (3984)
Heap:       0x80732550 - 0x80796550 (409600)
Stack:      0x80796550 - 0x80798550 (8192)
Text:       0x80700000 - 0x8072E39C (189340)

Device eth0:  hwaddr A4-13-4E-21-52-70, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3864 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
[    0.000000] Linux version 4.4.167 (jenkins@openwrt_build) (gcc version 5.4.0 (LEDE GCC 5.4.0 r0+3696-65782b1) ) #0 Mon Feb 11 11:37:13 2019
[    0.000000] CPU0 revision is: 00019749 (MIPS 74Kc)
[    0.000000] bcm47xx: Using bcma bus
[    0.000000] bcma: bus0: Found chip with id 53572, rev 0x01 and package 0x08
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000]   HighMem  empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line:  noinitrd console=ttyS0,115200
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 60624K/65536K available (2968K kernel code, 137K rwdata, 680K rodata, 172K init, 289K bss, 4912K reserved, 0K cma-reserved, 0K highmem)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:128
[    0.000000] bcma: bus0: Core 0 found: ChipCommon (manuf 0x4BF, id 0x800, rev 0x27, class 0x0)
[    0.000000] bcma: bus0: Core 1 found: IEEE 802.11 (manuf 0x4BF, id 0x812, rev 0x1C, class 0x0)
[    0.000000] bcma: bus0: Core 2 found: GBit MAC (manuf 0x4BF, id 0x82D, rev 0x03, class 0x0)
[    0.000000] bcma: bus0: Core 3 found: MIPS 74K (manuf 0x4A7, id 0x82C, rev 0x05, class 0x0)
[    0.000000] bcma: bus0: Core 4 found: SDR/DDR1 Memory Controller (manuf 0x4BF, id 0x835, rev 0x02, class 0x0)
[    0.000000] bcma: bus0: Found M25P64 serial flash (size: 8192KiB, blocksize: 0x10000, blocks: 128)
[    0.000000] bcma: bus0: Early bus registered
[    0.000000] MIPS: machine is Luxul XAP-310 V1
[    0.000000] bcm47xx: Setting up vectored interrupts
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 12741736309 ns
[    0.000022] sched_clock: 32 bits at 150MHz, resolution 6ns, wraps every 14316557820ns
[    0.000097] Calibrating delay loop... 149.91 BogoMIPS (lpj=749568)
[    0.070087] pid_max: default: 32768 minimum: 301
[    0.070423] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070465] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.076257] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.076348] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.078006] NET: Registered protocol family 16
[    0.107620] clocksource: Switched to clocksource MIPS
[    0.111121] NET: Registered protocol family 2
[    0.113240] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.113321] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.113378] TCP: Hash tables configured (established 1024 bind 1024)
[    0.113599] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.113669] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.114326] NET: Registered protocol family 1
[    0.142247] can not parse nvram name sb/1/ag3(null) with value 0xff got -34
[    0.146343] can not parse nvram name sb/1/rxpo2g(null) with value 0xff got -34
[    0.167066] bcma: bus0: Bus registered
[    0.169435] Crashlog allocated RAM at address 0x3f00000
[    0.214197] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.214263] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.221266] io scheduler noop registered
[    0.221330] io scheduler deadline registered (default)
[    0.221823] Serial: 8250/16550 driver, 2 ports, IRQ sharing enabled
[    0.223310] console [ttyS0] disabled
[    0.243657] serial8250.0: ttyS0 at MMIO 0xb8000300 (irq = 2, base_baud = 1250000) is a U6_16550A
[    0.647154] console [ttyS0] enabled
[    0.795977] 6 bcm47xxpart partitions found on MTD device bcm47xxsflash
[    0.802698] Creating 6 MTD partitions on "bcm47xxsflash":
[    0.808288] 0x000000000000-0x000000020000 : "boot"
[    0.819131] 0x000000020000-0x0000007f0000 : "firmware"
[    0.828678] 0x0000007f0000-0x000000800000 : "nvram"
[    0.837971] 0x00000002001c-0x000000020924 : "loader"
[    0.847154] 0x000000020924-0x00000015a000 : "linux"
[    0.856449] 0x00000015a000-0x0000007f0000 : "rootfs"
[    0.865761] mtd: device 5 (rootfs) set to be root filesystem
[    0.871738] 1 squashfs-split partitions found on MTD device rootfs
[    0.878118] 0x0000006f0000-0x0000007f0000 : "rootfs_data"
[    0.901168] libphy: Fixed MDIO Bus: probed
[    0.905736] bgmac_bcma bcma0:2: Found PHY addr: 30 (NOREGS)
[    0.915573] libphy: bcma_mdio mii bus: probed
[    0.920165] bgmac_bcma bcma0:2: Support for Roboswitch not implemented
[    1.006287] b53_common: found switch: BCM5325, rev 4
[    1.013211] bgmac_bcma: Broadcom 47xx GBit MAC driver loaded
[    1.019882] bcm47xx-wdt bcm47xx-wdt.0: BCM47xx Watchdog Timer enabled (30 seconds)
[    1.030806] NET: Registered protocol family 10
[    1.043455] NET: Registered protocol family 17
[    1.048316] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[    1.061259] 8021q: 802.1Q VLAN Support v1.8
[    1.081233] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[    1.090113] Freeing unused kernel memory: 172K
[    3.478536] init: Console is alive
[    3.482529] init: - watchdog -
[    5.181900] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    5.301328] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    5.311536] init: - preinit -
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    8.074897] jffs2: notice: (295) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[    8.093679] mount_root: switching to jffs2 overlay
[   14.542453] urandom-seed: Seeding with /etc/urandom.seed
[   14.959298] procd: - early -
[   14.962517] procd: - watchdog -
[   15.682454] procd: - watchdog -
[   15.686554] procd: - ubus -
[   15.755497] random: ubusd: uninitialized urandom read (4 bytes read, 25 bits of entropy available)
[   15.765795] random: ubusd: uninitialized urandom read (4 bytes read, 25 bits of entropy available)
[   15.775163] random: ubusd: uninitialized urandom read (4 bytes read, 25 bits of entropy available)
[   15.791720] random: ubusd: uninitialized urandom read (4 bytes read, 25 bits of entropy available)
[   15.801084] random: ubusd: uninitialized urandom read (4 bytes read, 25 bits of entropy available)
[   15.810890] random: ubusd: uninitialized urandom read (4 bytes read, 25 bits of entropy available)
[   15.820681] random: ubusd: uninitialized urandom read (4 bytes read, 25 bits of entropy available)
[   15.830941] procd: - init -
Please press Enter to activate this console.
[   16.395533] kmodloader: loading kernel modules from /etc/modules.d/*
[   16.412369] ip6_tables: (C) 2000-2006 Netfilter Core Team
[   16.447496] Loading modules backported from Linux version wt-2017-01-31-0-ge882dff19e7f
[   16.455752] Backport generated by backports.git backports-20160324-13-g24da7d3c
[   16.468328] emf: module license 'Proprietary' taints kernel.
[   16.474109] Disabling lock debugging due to kernel taint
[   16.493704] ip_tables: (C) 2000-2006 Netfilter Core Team
[   16.522290] nf_conntrack version 0.5.0 (949 buckets, 3796 max)
[   19.287108] wl: Unknown symbol wiphy_register (err 0)
[   19.292443] wl: Unknown symbol ieee80211_channel_to_frequency (err 0)
[   19.299115] wl: Unknown symbol cfg80211_remain_on_channel_expired (err 0)
[   19.306141] wl: Unknown symbol cfg80211_del_sta_sinfo (err 0)
[   19.312128] wl: Unknown symbol wiphy_unregister (err 0)
[   19.317553] wl: Unknown symbol cfg80211_connect_bss (err 0)
[   19.323512] wl: Unknown symbol cfg80211_ready_on_channel (err 0)
[   19.329741] wl: Unknown symbol wl_glue_set_attach_callback (err 0)
[   19.336135] wl: Unknown symbol wiphy_free (err 0)
[   19.341048] wl: Unknown symbol wiphy_new_nm (err 0)
[   19.346094] wl: Unknown symbol cfg80211_get_bss (err 0)
[   19.351596] wl: Unknown symbol wl_glue_unregister (err 0)
[   19.357165] wl: Unknown symbol cfg80211_disconnected (err 0)
[   19.363061] wl: Unknown symbol cfg80211_michael_mic_failure (err 0)
[   19.369593] wl: Unknown symbol cfg80211_ibss_joined (err 0)
[   19.375480] wl: Unknown symbol cfg80211_inform_bss_data (err 0)
[   19.381653] wl: Unknown symbol cfg80211_scan_done (err 0)
[   19.387240] wl: Unknown symbol cfg80211_roamed (err 0)
[   19.392589] wl: Unknown symbol cfg80211_put_bss (err 0)
[   19.398278] wl: Unknown symbol wl_glue_get_dev (err 0)
[   19.403574] wl: Unknown symbol ieee80211_get_channel (err 0)
[   19.409469] wl: Unknown symbol cfg80211_inform_bss_frame_data (err 0)
[   19.416118] wl: Unknown symbol cfg80211_new_sta (err 0)
[   19.421632] wl: Unknown symbol wl_glue_set_remove_callback (err 0)
[   19.428021] wl: Unknown symbol wl_glue_get_dmadev (err 0)
[   19.433631] wl: Unknown symbol cfg80211_rx_mgmt (err 0)
[   19.439073] wl: Unknown symbol ieee80211_frequency_to_channel (err 0)
[   19.445694] wl: Unknown symbol wiphy_apply_custom_regulatory (err 0)
[   19.452289] wl: Unknown symbol cfg80211_mgmt_tx_status (err 0)
[   19.458441] wl: Unknown symbol wl_glue_register (err 0)
[   19.512529] xt_time: kernel timezone is -0000
[   19.907783] Using NAPI
[   19.910470] nvram_ro: Found flash size 8192 KiB, looking for NVRAM
[   19.916822] nvram_ro: Found NVRAM header, reading content
[   19.931654] [wlc_bmac_corereset] Testing core access after the first core reset...
[   19.939446] [wlc_bmac_corereset] Success!
[   19.958724] [wl_setup_wiphy] wiphy->bands[IEEE80211_BAND_2GHZ]:yes
[   19.965039] [wl_setup_wiphy] wiphy->bands[IEEE80211_BAND_5GHZ]:(null)
[   19.971692] [wl_setup_wiphy] wiphy->addresses[0]: a4:13:4e:21:52:71
[   19.978110] [wl_setup_wiphy] wiphy->addresses[1]: a4:13:4e:21:52:72
[   19.984485] [wl_setup_wiphy] wiphy->addresses[2]: a4:13:4e:21:52:73
[   19.990916] [wl_setup_wiphy] wiphy->addresses[3]: a4:13:4e:21:52:74
[   19.997838] [wl_cfg80211_reg_notifier] Requested country code 00 is unsupported by wl: rejecting the change
[   20.120415] INFO @wl_cfg80211_attach : Registered CFG80211 phy
[   20.128939] wl0: Broadcom BCM4329 802.11 Wireless Controller 6.30.102.9 (r366174)
[   20.136907] SSB/BCMA glue driver successfully attached
[   20.293558] kmodloader: done loading kernel modules from /etc/modules.d/*
[   21.211749] cwmp-auto-start: Switching lan to DHCP
[   22.445945] random: jshn: uninitialized urandom read (4 bytes read, 35 bits of entropy available)
[   22.623257] random: ubusd: uninitialized urandom read (4 bytes read, 35 bits of entropy available)
[   22.633077] random: ubus: uninitialized urandom read (4 bytes read, 35 bits of entropy available)
[   26.550976] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   27.914773] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   34.094010] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   34.138638] device eth0.1 entered promiscuous mode
[   34.143549] device eth0 entered promiscuous mode
[   34.192511] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   35.627957] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   35.641584] br-lan: port 1(eth0.1) entered forwarding state
[   35.647406] br-lan: port 1(eth0.1) entered forwarding state
[   35.702272] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   37.728510] br-lan: port 1(eth0.1) entered forwarding state
[   38.422267] device wlan0 entered promiscuous mode
[   38.427374] br-lan: port 2(wlan0) entered forwarding state
[   38.433176] br-lan: port 2(wlan0) entered forwarding state
[   38.501227] ERROR @wl_cfg80211_start_ap : wl_cfg80211_start_ap: struct ap_info re-allocated
[   40.427727] br-lan: port 2(wlan0) entered forwarding state
[   55.057871] br-lan: port 2(wlan0) entered disabled state
[   55.063450] br-lan: port 1(eth0.1) entered disabled state
[   55.084045] device eth0.1 left promiscuous mode
[   55.088818] device eth0 left promiscuous mode
[   55.093571] br-lan: port 1(eth0.1) entered disabled state
[   55.130322] IPv6: ADDRCONF(NETDEV_UP): eth0.1: link is not ready
[   55.159342] device wlan0 left promiscuous mode
[   55.164138] br-lan: port 2(wlan0) entered disabled state
[   55.350993] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[   55.397809] device eth0.1 entered promiscuous mode
[   55.402711] device eth0 entered promiscuous mode
[   55.424737] device wlan0 entered promiscuous mode
[   55.447989] br-lan: port 2(wlan0) entered forwarding state
[   55.453725] br-lan: port 2(wlan0) entered forwarding state
[   56.847899] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   56.868181] br-lan: port 1(eth0.1) entered forwarding state
[   56.873997] br-lan: port 1(eth0.1) entered forwarding state
[   57.447718] br-lan: port 2(wlan0) entered forwarding state
[   58.867664] br-lan: port 1(eth0.1) entered forwarding state
[   75.497694] random: nonblocking pool is initialized

XAP-310 login: root
Password:
Login incorrect
XAP-310 login: admin
Password:
Login incorrect
XAP-310 login:
Login timed out after 60 seconds
Please press Enter to activate this console.

Just leaving this here for future purposes and for others:

Serial is 115200, 8N1

The pinout starting from the closest edge of the board:

GND
RX
TX
+3V

Since this is a customized version of OpenWrt, you should ask the manufacturer/maintainer of this build or the user forums specific to that product.

Or, if you can install an official version of OpenWrt, this community can help you with any questions you have about the official version.

1 Like

Thanks for the info. It's not a supported device so the official version is out.

I can certainly try to ask the manufacturer for their developer password but my guess is they won't release it. I don't think passwords would fall under licenses.

You could boot an initramfs for a similar device from uboot, then dump the mtds to files, mount them on another device and crack the passwd hashes.

Or pull the flash and dump it with a programmer.

3 Likes
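The "dump the mtds" step above becomes concrete once you notice that the boot log already prints the partition table (the "Creating 6 MTD partitions on bcm47xxsflash" lines). The following is an added example, not code from this thread or from Luxul/OpenWrt: it slices an 8 MiB full-chip dump of the M25P64 (as an SPI programmer would produce, or as a concatenation of the mtd dumps) at exactly those offsets and checks the magic bytes expected at each one. `make_demo_image()` is a constructed stand-in so the script runs offline; the file names, the `parts/` output directory and the function names are this example's own choices.

```python
"""Carve the MTD partitions out of a raw XAP-310 flash dump.

Added example; not code from the thread. The offsets come verbatim from the
bcm47xxpart lines in the boot log. make_demo_image() builds a constructed
stand-in image so the code runs offline; it is not a real dump.
"""
from pathlib import Path

FLASH_SIZE = 8 * 1024 * 1024  # "Found an ST compatible serial flash ... total size 8MB"

# name: (start, end) as printed by "Creating 6 MTD partitions on bcm47xxsflash".
# "rootfs_data" is the squashfs-split jffs2 overlay that lives inside "rootfs".
PARTITIONS = {
    "boot":        (0x000000, 0x020000),
    "firmware":    (0x020000, 0x7f0000),
    "nvram":       (0x7f0000, 0x800000),
    "loader":      (0x02001c, 0x020924),
    "linux":       (0x020924, 0x15a000),
    "rootfs":      (0x15a000, 0x7f0000),
    "rootfs_data": (0x6f0000, 0x7f0000),
}

# Magic bytes expected at the start of a region on this little-endian board.
MAGIC = {
    "trx":      b"HDR0",      # TRX header (28 bytes, which is why "loader" sits at +0x1c)
    "squashfs": b"hsqs",      # squashfs superblock (0x73717368 little-endian)
    "jffs2":    b"\x85\x19",  # JFFS2 node magic 0x1985, once the overlay has been formatted
    "nvram":    b"FLSH",      # Broadcom NVRAM header
}


def carve(image: bytes, name: str) -> bytes:
    """Return the bytes of one MTD partition from a full-chip dump."""
    if len(image) != FLASH_SIZE:
        raise ValueError(f"expected a {FLASH_SIZE}-byte dump, got {len(image)} bytes")
    start, end = PARTITIONS[name]
    return image[start:end]


def identify(blob: bytes) -> str:
    """Name the on-flash format by its leading magic, or 'unknown'."""
    for kind, magic in MAGIC.items():
        if blob.startswith(magic):
            return kind
    return "unknown"


def extract_all(image: bytes, outdir) -> dict:
    """Write <name>.bin for every partition and report what each one looks like."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    report = {}
    for name in PARTITIONS:
        blob = carve(image, name)
        (outdir / f"{name}.bin").write_bytes(blob)
        report[name] = identify(blob)
    return report


def make_demo_image() -> bytes:
    """Constructed stand-in for a real dump: erased flash (0xff) with the
    expected magic placed where the boot log says each region starts."""
    img = bytearray(b"\xff" * FLASH_SIZE)
    for name, kind in (("firmware", "trx"), ("rootfs", "squashfs"),
                       ("rootfs_data", "jffs2"), ("nvram", "nvram")):
        start = PARTITIONS[name][0]
        img[start:start + len(MAGIC[kind])] = MAGIC[kind]
    return bytes(img)


if __name__ == "__main__":
    import sys
    image = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else make_demo_image()
    for name, kind in extract_all(image, "parts").items():
        start, end = PARTITIONS[name]
        print(f"{name:12s} 0x{start:06x}-0x{end:06x} {end - start:8d} bytes  {kind}")
```

Run it as `python3 carve.py dump.bin` against a real image. `parts/rootfs.bin` is what you hand to `unsquashfs`, but note the `mount_root: switching to jffs2 overlay` line in the log: anything the running system has changed under `/etc` (a password set after the factory build, for instance) lives in `parts/rootfs_data.bin`, the jffs2 overlay, not in the squashfs, so look in both before concluding which `/etc/shadow` is the live one.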

Thanks, I'm learning here so I've got some exploring to do!

Dump the flash with a programmer, extract the mtds, mount the mtd with the root fs, dump /etc/shadow (see the following section), then reassemble the hex dump with a hex editor, erase the flash with the programmer, and flash the new hex dump.

If you can do that, you'd better modify /etc/shadow, which keeps the encrypted passwords.

root@OpenWrt:~# cat /etc/shadow | grep root
root:$1$xyz$IR1KrndabVa9JyIuPkcpH0:19243:0:99999:7:::

The string between the first and second colons (:) is the password.

Generate a new hashed password using the openssl passwd -1 command

root@OpenWrt:~# openssl passwd -1 -salt xyz your_new_pass_here
$1$xyz$nKNjAgEzzJ2lDCIcfbzEq0

and insert the result between the first and second colons after root.

In my experience, the easy way of just removing the content between the two colons (which means no password) doesn't always work, so it's better to spend more time generating a new password to avoid disassembling the device twice.

1 Like
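The shadow line posted above uses the `$1$` (MD5-crypt) scheme, which is what `openssl passwd -1` produces and what the device's login checks against. Below is an added example, not code from this thread or from OpenWrt: it implements MD5-crypt in pure Python (so it works without the deprecated `crypt` module), rewrites the `root` field of a shadow file with a new hash, verifies a password against the result, and tries a word list against a hash, which is the offline "crack the passwd hashes" step from the earlier reply. `SAMPLE_SHADOW` reuses the root line from the post plus a constructed second line; the function names and the `daemon` entry are this example's own assumptions.

```python
"""Set and check $1$ (MD5-crypt) passwords in an OpenWrt /etc/shadow.

Added example, not code from the thread. md5_crypt() follows the md5crypt
algorithm as implemented by crypt(3) and `openssl passwd -1`. SAMPLE_SHADOW
is constructed for the example (root line from the post, daemon line invented).
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

SAMPLE_SHADOW = (
    "root:$1$xyz$IR1KrndabVa9JyIuPkcpH0:19243:0:99999:7:::\n"
    "daemon:*:0:0:99999:7:::\n"
)


def _to64(value: int, count: int) -> str:
    """crypt(3)'s 6-bit encoding, least significant group first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def md5_crypt(password: str, salt: str) -> str:
    """Return "$1$<salt>$<hash>" exactly as `openssl passwd -1 -salt <salt>` does."""
    pw = password.encode()
    salt = salt.split("$")[0][:8]        # at most 8 salt characters, no '$'
    sb = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                          # len(pw) bytes of the alternate digest
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                              # one byte per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                 # the deliberately slow stretching loop
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    out = (_to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
           + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
           + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
           + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
           + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
           + _to64(f[11], 2))
    return f"$1${salt}${out}"


def new_salt() -> str:
    """Fresh 8-character salt; do not reuse 'xyz' from the post on a real device."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def verify(password: str, shadow_hash: str) -> bool:
    """True if password matches a $1$ field. Locked fields ('*', '!') never match."""
    parts = shadow_hash.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False
    return secrets.compare_digest(md5_crypt(password, parts[2]), shadow_hash)


def crack_entry(shadow_hash: str, candidates):
    """Offline word-list check against one $1$ hash; returns the match or None."""
    for word in candidates:
        if verify(word, shadow_hash):
            return word
    return None


def set_shadow_password(shadow_text: str, user: str, new_hash: str) -> str:
    """Replace the hash field (between the first and second colons) for `user`."""
    lines = shadow_text.splitlines()
    for i, line in enumerate(lines):
        fields = line.split(":")
        if fields[0] == user:
            if len(fields) != 9:
                raise ValueError(f"malformed shadow entry for {user!r}")
            fields[1] = new_hash
            lines[i] = ":".join(fields)
            return "\n".join(lines) + "\n"
    raise KeyError(f"no entry for {user!r}")


if __name__ == "__main__":
    print(crack_entry(SAMPLE_SHADOW.split(":")[1], ["admin", "password", "luxul"]))
    print(set_shadow_password(SAMPLE_SHADOW, "root", md5_crypt("your_new_pass_here", new_salt())), end="")
```

Write the returned text back as `/etc/shadow` inside the unpacked rootfs, rebuild the squashfs with the same block size and compressor the original used, and check with `verify()` before reflashing. If the jffs2 overlay (`rootfs_data`) carries its own copy of `/etc/shadow`, that copy wins at boot, so either edit it there too or erase the overlay region so OpenWrt reformats it on first boot.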