[rescue] Service mode access on SPARC Enterprise M3000
Larkin Nickle
me at larbob.org
Fri Dec 17 13:01:24 CST 2021
Progress!
Extracting IKXCP1124.tar.gz (the firmware tarball), we get multiple
files, such as "kernel_0001_01120001.gz" and "root_0001_0112004.gz".
Gunzipping the root gz, we get a:
root_0001_01120004: u-boot legacy uImage, XSCF rootfs 01120004
,2018/07/05\037\213\010, Linux/PowerPC, RAMDisk Image (gzip), 5648811
bytes, Thu Jul 5 10:06:25 2018, Load Address: 0x00000000, Entry Point:
0x00000000, Header CRC: 0xF0EB9B3F, Data CRC: 0x1EA905D6
binwalk output:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
64 0x40 gzip compressed data, maximum compression,
from Unix, last modified: 2018-07-05 10:05:42
Binwalk shows it's just gzip compressed data past the first 64 bytes, so
I extracted that with
dd if=root_0001_01120004 of=root.gz bs=1 skip=64
Then, gunzipping root.gz, we get ext2 data!
root: Linux rev 1.0 ext2 filesystem data,
UUID=0b469ee2-0054-c149-9c12-ba4dbdbb7a36
I was able to mount this and access the /etc/passwd and /etc/shadow
files. After a few seconds of openmp enabled john, I got "scfroot" for
the password, at least on this newer image. Hopefully it works for the
old firmware on this thing too.
More information about the rescue
mailing list