[rescue] Service mode access on SPARC Enterprise M3000
Larkin Nickle
me at larbob.org
Fri Dec 17 13:04:26 CST 2021
On 12/17/21 14:01, Larkin Nickle wrote:
> Progress!
>
> Extracting IKXCP1124.tar.gz (the firmware tarball), we get multiple
> files, such as "kernel_0001_01120001.gz" and "root_0001_0112004.gz".
> Gunzipping the root gz, we get a:
>
> root_0001_01120004: u-boot legacy uImage, XSCF rootfs 01120004
> ,2018/07/05\037\213\010, Linux/PowerPC, RAMDisk Image (gzip), 5648811
> bytes, Thu JulB 5 10:06:25 2018, Load Address: 0x00000000, Entry Point:
> 0x00000000, Header CRC: 0xF0EB9B3F, Data CRC: 0x1EA905D6
>
> binwalk output:
>
> DECIMALB B B B B B HEXADECIMALB B B B DESCRIPTION
> --------------------------------------------------------------------------------
>
> 64B B B B B B B B B B B 0x40B B B B B B B B B B B gzip compressed data, maximum compression,
> from Unix, last modified: 2018-07-05 10:05:42
>
> Binwalk shows it's just gzip compressed data past the first 64 bytes, so
> I extracted that with
>
> dd if=root_0001_01120004 of=root.gz bs=1 skip=64
>
> Then, gunzipping root.gz, we get ext2 data!
>
> root: Linux rev 1.0 ext2 filesystem data,
> UUID=0b469ee2-0054-c149-9c12-ba4dbdbb7a36
>
> I was able to mount this and access the /etc/passwd and /etc/shadow
> files. After a few seconds of openmp enabled john, I got "scfroot" for
> the password, at least on this newer image. Hopefully it works for the
> old firmware on this thing too.
> _______________________________________________
> rescue list - http://www.sunhelp.org/mailman/listinfo/rescue
login: root
Password:
login[156]: root login on `console'
BusyBox v1.00 (2007.06.14-13:00+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
XSCF>
Awesome!
More information about the rescue
mailing list