Hello,
For the past few days I have been trying to find out the telnet/web password for a Inteno/Xavi XG6525p2 (http://www.xavi.com.tw/Product.aspx?PLT … M=XG6525p2). I found a rs232 (read: serial) port and it let me interface with the bootloader. Login via the serial interface is not possible, possibly due to starting of their "bin/webs" program after rc.
I dumped the flash and managed to extract the romfs image. Telnet is kind to tell me that there is a user named admin, but the user doesn't exist in "/etc/passwd". Perhaps passwd is recreated by "bin/webs" since the nvram is empty.
I searched for something of a password in the binaries but couldn't find anything that worked. Now I turn to you guys. Hopefully someone can tell me the next step. The password must be somewhere, I mean it can't just create a user out of thin air.
Flash dump: http://dl.dropbox.com/u/1008610/xg65252p/flash_dump.bin
ROM FS files: http://dl.dropbox.com/u/1008610/xg65252 … mfs.tar.gz
00111002
Copyright (c) 2003 Xavi Corporation
Chip select 0, Flash chip MXIC CFI-320 bottom, address 0xbfc00000, size 4MBytes
flash not detected in chip select 1
CPU type BRECIS 1000. CPU clock frequency 167 MHz.
Avail RAM 16025 KBytes.
PMON version 6.8.686 [EB], Wed Jul 4 11:50:52 CST 2007
IP address 192.168.1.1
MAC0 address: 00:01:38:c0:60:72
*** Press ^C to abort auto run (3 seconds) ***
Auto run second count down: 0
found image at 0xbfc20000, length 0x2582a0
Inflating image at bfc20000 to 80100000
block 86
Total blocks 86
original crc 0xa19b7d75 and length 0x3a3400
UART clock set to 1843200
LINUX started...
Clock rate set to 166666667
CPU revision is: 0001830a
Primary instruction cache 16kb, linesize 16 bytes (4 ways)
Primary data cache 16kb, linesize 16 bytes (4 ways)
Linux version 2.4.20-br251 (gcc version 3.2 20030120 (uClinux 2.4.19-br20 BRECIS Release 2.0)) #1 Mon Mar 10 17:25:26 CST 2008
Determined physical RAM map:
memory: 00001000 @ 00000000 (reserved)
memory: 000ff000 @ 00001000 (ROM data)
memory: 003d3000 @ 00100000 (reserved)
memory: 00b13400 @ 004d3000 (usable)
On node 0 totalpages: 4070
zone(0): 4070 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: console=ttyS0,57600
calculating r4koff... 000cb735(833333)
CPU frequency 166.66 MHz
Calibrating delay loop... 166.29 BogoMIPS
Memory: 11156k/11340k available (1299k kernel code, 184k reserved, 127k data, 84k init)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
POSIX conformance testing by UNIFIX
pcibios_init: assign resources, Autoconfig PCI channel 0x8027cfa8
Scanning bus 00, I/O 0x00000004:0x00001000, Mem 0xb9002000:0xbc000000
scan the buses.
Scanning bus 00
Fixups for bus 00
Bus scan for 00 returning with max=00
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0xbc000100 (irq = 19) is a 16550A
ttyS01 at 0xb8400030 (irq = 13) is a 16550A
brecisboard: brecis_board_init entry
VpQCreate: 64, 16, 1024, 0, 80fb8800, 80fb8800, 80fb8800
VpQCreate: 64, 16, 1024, 0, 80fb8c00, 80fb8c00, 80fb8c00
VpQCreate: 64, 16, 1024, 0, 80faa000, 80faa000, 80faa000
VpQCreate: 64, 16, 1024, 0, 80faa400, 80faa400, 80faa400
VpQCreate: 64, 16, 1024, 0, 80faa800, 80faa800, 80faa800
VpQCreate: 64, 16, 1024, 0, 80faac00, 80faac00, 80faac00
VpQCreate: 64, 16, 1024, 0, 80fab000, 80fab000, 80fab000
VpQCreate: 64, 16, 1024, 0, 80fab400, 80fab400, 80fab400
VpQCreate: 64, 16, 1024, 0, 80fab800, 80fab800, 80fab800
VpQCreate: 64, 16, 1024, 0, 80fabc00, 80fabc00, 80fabc00
VpQCreate: 64, 16, 1024, 0, 80fac000, 80fac000, 80fac000
VpQCreate: 64, 16, 1024, 0, 80fac400, 80fac400, 80fac400
VpQCreate: 64, 16, 1024, 0, 80fac800, 80fac800, 80fac800
VpQCreate: 64, 16, 1024, 0, 80facc00, 80facc00, 80facc00
VpQCreate: 64, 16, 1024, 0, 80fad000, 80fad000, 80fad000
VpQCreate: 64, 16, 1024, 0, 80fad400, 80fad400, 80fad400
VpQCreate: 32, 16, 512, 0, 80fba200, 80fba200, 80fba200
VpQCreate: 1024, 16, 16384, 0, 80508000, 80508000, 80508000
VpQCreate: 32, 16, 512, 0, 80fba400, 80fba400, 80fba400
RTP_lib initial(be)...
Loading code
RD:Download finished
brecismspeth.c:v1.97, Sep 8, 2003 BRECIS Communications, Corp., www.brecis.com
pktsched_init: reg priowrr---------------------------------------1
pktsched_init: reg priowrr---------------------------------------2
Blkmem copyright 1998,1999 D. Jeff Dionne
Blkmem copyright 1998 Kenneth Albanowski
Blkmem 1 disk images:
0: 8027E000-804A33FF [VIRTUAL A027E000-A04A33FF] (RO)
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
PPP generic driver version 2.4.2
Copy engine driver installed
b_flash flash device: bfc00000 at 400000
Amd/Fujitsu Extended Query Table v1.1 at 0x0040
number of CFI chips: 1
---Using word write method---
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
Creating 3 MTD partitions on "flash0":
0x00000000-0x00020000 : "pmon"
0x00020000-0x003f0000 : "linux image"
0x003f0000-0x00400000 : "nvram data storage"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 512)
Linux IP multicast router 0.06 plus PIM-SM
ip_conntrack version 2.1 (127 buckets, 1016 max) - 352 bytes per conntrack
ip_ct_ftp help registering helper callback=80201614
ip_ct_irc help registering helper callback=80201cd8
register h225 conntrack module
ip_ct_h323 help registering helper callback=80203dec
register h225 nat help module
ip_ct_tftp help registering helper callback=0
ip_ct_quake3 help registering helper callback=802053e0
ip_ct_pptp help registering helper callback=802056f8
ip_ct_mms help registering helper callback=80205ff8
ip_tables: (C) 2000-2002 Netfilter core team
ipt_timer loading
URLBLK init
ipt_inbox loading
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NET4: Ethernet Bridge 008 for NET4.0
Dsp reseted
VFS: Mounted root (romfs filesystem) readonly.
Freeing prom memory: 1020kb freed
Freeing unused kernel memory: 84k freed [80248000-8025d000]
VP DSP INFO : MajorSWVersion = 341, MinorSWVersion = 35, HwVersion = 1400, MaxJitterBufSize = 250, dspNumChannels = 4, dspSubChannels = 1
Algorithmics/MIPS FPU Emulator v1.5
system clock 90112 KHz
Starting /etc/rc
Mount ramdisk as /var
Mount /proc
Create /var/tmp/
Create /var/run/utmp
Enabling IP forwarding
# nvram_retrieve_vars: magic number error
eth0: AUTO NEGOTIATION COMPLETE
device eth0 entered promiscuous mode
device eth1 entered promiscuous mode
br0: port 2(eth1) entering learning state
br0: port 1(eth0) entering learning state
br0: port 2(eth1) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
br0: topology change detected, propagating
CAPABILITIES: CHANNELS:4 G729:Y, G.723:Y, G.728:N, G729E:N, T.38:Y
(Last edited by paradoxmonkey on 19 Apr 2011, 21:10)