[rescue] Service mode access on SPARC Enterprise M3000

Larkin Nickle me at larbob.org
Fri Dec 17 13:04:26 CST 2021


On 12/17/21 14:01, Larkin Nickle wrote:
> Progress!
> 
> Extracting IKXCP1124.tar.gz (the firmware tarball), we get multiple 
> files, such as "kernel_0001_01120001.gz" and "root_0001_0112004.gz". 
> Gunzipping the root gz, we get a:
> 
> root_0001_01120004: u-boot legacy uImage, XSCF rootfs 01120004 
> ,2018/07/05\037\213\010, Linux/PowerPC, RAMDisk Image (gzip), 5648811 
> bytes, Thu JulB  5 10:06:25 2018, Load Address: 0x00000000, Entry Point: 
> 0x00000000, Header CRC: 0xF0EB9B3F, Data CRC: 0x1EA905D6
> 
> binwalk output:
> 
> DECIMALB B B B B B  HEXADECIMALB B B B  DESCRIPTION
> -------------------------------------------------------------------------------- 
> 
> 64B B B B B B B B B B B  0x40B B B B B B B B B B B  gzip compressed data, maximum compression, 
> from Unix, last modified: 2018-07-05 10:05:42
> 
> Binwalk shows it's just gzip compressed data past the first 64 bytes, so 
> I extracted that with
> 
> dd if=root_0001_01120004 of=root.gz bs=1 skip=64
> 
> Then, gunzipping root.gz, we get ext2 data!
> 
> root: Linux rev 1.0 ext2 filesystem data, 
> UUID=0b469ee2-0054-c149-9c12-ba4dbdbb7a36
> 
> I was able to mount this and access the /etc/passwd and /etc/shadow 
> files. After a few seconds of openmp enabled john, I got "scfroot" for 
> the password, at least on this newer image. Hopefully it works for the 
> old firmware on this thing too.
> _______________________________________________
> rescue list - http://www.sunhelp.org/mailman/listinfo/rescue

login: root
Password:
login[156]: root login  on `console'



BusyBox v1.00 (2007.06.14-13:00+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

XSCF>

Awesome!


More information about the rescue mailing list