Kitz ADSL Broadband Information

Author Topic: VMG8924-B10A unbranded supervisor password  (Read 67134 times)

polymath

  • Member
  • **
  • Posts: 19
Re: VMG8924-B10A unbranded supervisor password
« Reply #60 on: March 09, 2017, 12:31:23 PM »

Struggling here to understand how to get dumpmdm to work on my VMG3925-B10B. I telnet into the router and get:

Busybox v1.20.1 (2016-10-18 14:40:36 CST) built in shell (ash)

and then a $ prompt (not a > prompt)

I do $ dumpmdm

and the response is:

-sh: dumpmdm: not found

If I do $ help, BusyBox responds with a list of built-in commands but dumpmdm is not there.

Have I missed something?
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: VMG8924-B10A unbranded supervisor password
« Reply #61 on: March 09, 2017, 03:51:55 PM »

I have no experience with a VMG3925-B10B but you might like to experiment with the following . . .

At the busybox shell prompt, $, type  --

find / -xdev -name \*dump\*

It will show those files which contain the string dump as part of their name.

Performing the above on my VMG1312-B10D, I obtain the following --

Code:
$ find / -xdev -name \*dump\*
/bin/dumpmem
/usr/bin/hexdump
/usr/lib/opkg/info/tcpdump.control
/usr/lib/opkg/info/tcpdump.list
/usr/sbin/tcpdump
$

You would be interested in the lines that contain the string bin as part of the path name to the files. In my case, above, there are three --

Code:
$ ls -l /bin/dumpmem
lrwxrwxrwx    1 root     0                6 Oct 18 09:01 /bin/dumpmem -> xtmctl
$ ls -l /usr/bin/hexdump
lrwxrwxrwx    1 root     0               17 Oct 18 09:13 /usr/bin/hexdump -> ../../bin/busybox
$ ls -l /usr/sbin/tcpdump
-rwxr-xr-x    1 root     0           643787 Oct 18 09:06 /usr/sbin/tcpdump
$

Of those three, we can see that the first two are symbolic links to other binary files.

So then try each command with a --help flag.

Code:
$ dumpmem --help
usage: dumpmem <address_in_hex> <length_in_decimal>

$ hexdump --help
BusyBox v1.20.1 (2016-10-18 15:41:48 CST) multi-call binary.

Usage: hexdump [-bcCdefnosvx] [FILE]...

Display FILEs (or stdin) in a user specified format

        -b              One-byte octal display
        -c              One-byte character display
        -C              Canonical hex+ASCII, 16 bytes per line
        -d              Two-byte decimal display
        -e FORMAT_STRING
        -f FORMAT_FILE
        -n LENGTH       Interpret only LENGTH bytes of input
        -o              Two-byte octal display
        -s OFFSET       Skip OFFSET bytes
        -v              Display all input data
        -x              Two-byte hexadecimal display

$ tcpdump --help
tcpdump: invalid option -- -
tcpdump version 4.2.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefhHIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -M secret ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]
$
« Last Edit: March 09, 2017, 09:23:03 PM by burakkucat »
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


polymath

  • Member
  • **
  • Posts: 19
Re: VMG8924-B10A unbranded supervisor password
« Reply #62 on: March 09, 2017, 07:29:13 PM »

burakkucat: Thanks for the swift reply.

I get exactly the same response to the find and help commands as you.

My simple understanding of the dumpmdm command is it provides a 'memory dump'.

Is there a way of using, say, the dumpmem command to achieve the same thing? That would need an appropriate start address and length.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: VMG8924-B10A unbranded supervisor password
« Reply #63 on: March 09, 2017, 09:09:42 PM »

Hmm . . . I'll have to have a poke around, for I suspect you may need something different from the dumpmem command to which we both have access.  :-\

From the busybox shell prompt, $ --

Code:
BusyBox v1.20.1 (2016-10-18 15:41:48 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

$ find / -xdev \( -name \*zycli\* -o -name \*zysh\* -o -name \*nvram\* \) | sort
/bin/nvram
/etc/wlan/bcm43602_nvramvars.bin
/etc/wlan/bcm4360_nvramvars.bin
/etc/wlan/bcmcmn_nvramvars.bin
/etc/zyshrc
/lib/libnvram.so
/sbin/zycli
/usr/bin/zysh
/usr/lib/opkg/info/zycli.control
/usr/lib/opkg/info/zycli.list
/usr/lib/opkg/info/zysh.control
/usr/lib/opkg/info/zysh.list
$ for F in $(find / -xdev \( -name \*zycli\* -o -name \*zysh\* -o -name \*nvram\* \) | sort)
> do echo $F
> hexdump -C -n 16 $F
> echo
> done
/bin/nvram
00000000  7f 45 4c 46 01 02 01 00  01 00 00 00 00 00 00 00  |.ELF............|
00000010

/etc/wlan/bcm43602_nvramvars.bin
00000000  6c 65 64 62 68 31 30 3d  30 78 38 38 00 45 4e 44  |ledbh10=0x88.END|
00000010

/etc/wlan/bcm4360_nvramvars.bin
00000000  6c 65 64 62 68 31 30 3d  30 78 38 38 00 45 4e 44  |ledbh10=0x88.END|
00000010

/etc/wlan/bcmcmn_nvramvars.bin
00000000  77 61 74 63 68 64 6f 67  3d 31 33 30 30 30 30 00  |watchdog=130000.|
00000010

/etc/zyshrc
00000000  23 20 42 65 67 69 6e 20  6f 66 20 5a 79 53 48 32  |# Begin of ZySH2|
00000010

/lib/libnvram.so
00000000  7f 45 4c 46 01 02 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010

/sbin/zycli
00000000  7f 45 4c 46 01 02 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010

/usr/bin/zysh
00000000  7f 45 4c 46 01 02 01 00  01 00 00 00 00 00 00 00  |.ELF............|
00000010

/usr/lib/opkg/info/zycli.control
00000000  50 61 63 6b 61 67 65 3a  20 7a 79 63 6c 69 0a 56  |Package: zycli.V|
00000010

/usr/lib/opkg/info/zycli.list
00000000  2f 73 62 69 6e 2f 64 6e  73 0a 2f 73 62 69 6e 2f  |/sbin/dns./sbin/|
00000010

/usr/lib/opkg/info/zysh.control
00000000  50 61 63 6b 61 67 65 3a  20 7a 79 73 68 0a 56 65  |Package: zysh.Ve|
00000010

/usr/lib/opkg/info/zysh.list
00000000  2f 65 74 63 2f 7a 79 73  68 72 63 0a 2f 75 73 72  |/etc/zyshrc./usr|
00000010

$ cat /etc/wlan/bcm43602_nvramvars.bin
ledbh10=0x88END$
$ cat /etc/wlan/bcm4360_nvramvars.bin
ledbh10=0x88END$
$ cat /etc/wlan/bcmcmn_nvramvars.bin
watchdog=130000END$
$ cat /etc/zyshrc
# Begin of ZySH2 initialization
# command-mode COMMAND_MODE_USER_EXEC 2
# privilege 0
# visibility 0
# End of ZySH2 initialization
$ cat /usr/lib/opkg/info/zycli.control
Package: zycli
Version: 1.0-1
Depends: libc, zcmd, libzyutil
Source: package/private/zyxel/zycli
SourceFile: zycli-1.0.tar.gz
SourceURL: @ZyXEL_SITE/private/ZyXEL
Section: net
Architecture: brcm963xx
Installed-Size: 27743
Description:  ZyXEL CLI
$ cat /usr/lib/opkg/info/zycli.list
/sbin/dns
/sbin/vcautohuntctl
/sbin/sys
/sbin/pppoectl
/sbin/zycli
/sbin/ethwanctl
/sbin/wan
/sbin/wlan
$ cat /usr/lib/opkg/info/zysh.control
Package: zysh
Version: 2.0-7
Depends: libc, zcmd, libedit, libncurses
Source: package/private/zyxel/zysh
SourceFile: zysh-2.0.tar.gz
SourceURL: @ZyXEL_SITE/private/ZyXEL
Section: net
Architecture: brcm963xx
Installed-Size: 48097
Description:  ZyXEL Shell and Command Line Interface
$ cat /usr/lib/opkg/info/zysh.list
/etc/zyshrc
/usr/bin/zysh
$ cat /etc/zyshrc
# Begin of ZySH2 initialization
# command-mode COMMAND_MODE_USER_EXEC 2
# privilege 0
# visibility 0
# End of ZySH2 initialization
$ zycli
zycli help
wan
ethwanctl
dns
pppoectl
vcautohuntctl
sys
tr069
wlan
cfgupdate
save_default
$

I was interested in the nvram, zycli and zysh commands, knowing that a sub-option to the zycli command allows the ROM-D to be cleared. Unfortunately I do not see anything remotely appropriate for what you wish to do.

At a long-shot, you might like to download a copy of the VMG1312-B10A CLI Reference Manual and read it through. It might prove to be a source of inspiration.
« Last Edit: March 09, 2017, 09:20:18 PM by burakkucat »
Logged

polymath

  • Member
  • **
  • Posts: 19
Re: VMG8924-B10A unbranded supervisor password
« Reply #64 on: March 10, 2017, 02:59:31 PM »

Yes, I have had the CLI reference manual pdf for a while. It adds to my confusion. The document lists ZyXEL CLI commands. But before the list is an Overview (pages 3 and 4) which, in part, states:

.....The CLI is available from the serial console, telnet login and ssh logins. It is enabled via the make
menuconfig option "Enable Command Line Interface" in the "Management Protocols and User Interface
Selection" section. The CLI is part of the Configuration Management System (CMS), so CMS must also be
enabled make menuconfig in order to have the CLI.

The CLI has a ">" prompt character. If you type "sh", you will enter the busybox shell, which has the "#"
prompt character. This document describes the commands available from the CLI (">"), not the busybox
shell......  (I assume the "#" prompt is the same as "$" prompt)

First thing is my telnet session lands straight into BusyBox, there is no other prompt but "$". No way I can see of entering another command prompt level, other than the zycli command.

The CLI reference manual lists CLI commands and includes dumpmdm (page 58). For comparison it includes adsl (page 5).

Now in my telnet session adsl works at the BusyBox $ prompt but returns an error when dumpmdm is input.
Using zycli adsl and zycli dumpmdm produces nothing, other than a new line with the $ prompt at the start.

Near the end of the Overview section it states:

In accordance to the CMS architecture, all commands which modify the configuration will modify the MDM
(shared memory configuration database). I assume that MDM is the same as in dumpmdm.

Logged

polymath

  • Member
  • **
  • Posts: 19
Re: VMG8924-B10A unbranded supervisor password
« Reply #65 on: March 10, 2017, 03:33:16 PM »

One small extra bit of information:

At the BusyBox $ prompt I input zysh and the next line has  ZySH> as the prompt. Only problem is I cannot figure out anything to put in this new command line that gets any response other than an error.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: VMG8924-B10A unbranded supervisor password
« Reply #66 on: March 10, 2017, 07:28:21 PM »

Quote from: polymath
Yes, I have had the CLI reference manual pdf for a while. It adds to my confusion.

It is the CLI reference manual for the VMG1312-B10A and not for my VMG1312-B10D nor your VMG3925-B10B.
 
The zycli command is a "one shot" invocation of the CLI from the busybox shell. So, for example, zycli save_default clean clears the ROM-D. (See here.)

The zysh> prompt should respond to a solitary ? input with a list of sub-options.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: VMG8924-B10A unbranded supervisor password
« Reply #67 on: July 29, 2017, 12:44:11 AM »

no luck for us with newer firmwares :(

dumpmdm command not found
Logged

Fuggi

  • Member
  • **
  • Posts: 15
Re: VMG8924-B10A unbranded supervisor password
« Reply #68 on: July 29, 2017, 12:52:46 AM »

Chrys
Can you go back to the version 16 firmware? This still has access to dumpmdm. I used it two days ago to find the supervisor password in my VMG8924.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: VMG8924-B10A unbranded supervisor password
« Reply #69 on: July 29, 2017, 01:35:09 AM »

where is the v16 firmware? on zyxel's website is just v11 and v15.

also what is the exact command you used for dumpmdm, here is my output.  Thanks

Code:
$ dumpmdm
-sh: dumpmdm: not found

or maybe it's only on the b10a but not the b10b?
Logged

Fuggi

  • Member
  • **
  • Posts: 15
Re: VMG8924-B10A unbranded supervisor password
« Reply #70 on: July 29, 2017, 02:13:36 AM »

Quote
http://forum.kitz.co.uk/index.php/topic,13930.msg351376.html#msg351376
The dumpmdm command only seems to be on the VMG8924 not the VMG3925.
Logged

Bestgear

  • Member
  • **
  • Posts: 88
Re: VMG8924-B10A unbranded supervisor password
« Reply #71 on: August 25, 2017, 07:56:24 PM »

I would really appreciate some guidance please.

I have a VMG8924-B10A running 1.00(AAKL.10)C0_20151008 which I bought from eBay, and expected an off-the-shelf Zyxel, but later found it's a John Lewis device.

What is the best move in terms of firmware upgrade for me, given I don't want to lose supervisor access?

Thanks in advance for your time and help.


David
« Last Edit: August 25, 2017, 08:14:21 PM by Bestgear »
Logged

Iam_TJ

  • Reg Member
  • ***
  • Posts: 103
Re: VMG8924-B10A unbranded supervisor password
« Reply #72 on: August 25, 2017, 09:02:49 PM »

Quote from: Fuggi
The dumpmdm command only seems to be on the VMG8924 not the VMG3925.

That's correct. It's because the 3925 firmware is based around OpenWRT rather than the Broadcom/Mitrastar/Zyxel framework.

I'm guessing the reason for that is the high maintenance overhead of the proprietary stack in the 8924 and similar.

For a 3925 that hasn't had a "save_default clear" operation you can find unencrypted passwords in the text config stored in /dev/mtd4 (or for older firmware versions, /dev/mtd3). 
Logged

NewtronStar

  • Kitizen
  • ****
  • Posts: 4898
Re: VMG8924-B10A unbranded supervisor password
« Reply #73 on: August 25, 2017, 10:11:02 PM »

Quote from: Bestgear
I would really appreciate some guidance please.

I have a VMG8924-B10A running 1.00(AAKL.10)C0_20151008 which I bought from eBay, and expected an off-the-shelf Zyxel, but later found it's a John Lewis device.

What is the best move in terms of firmware upgrade for me, given I don't want to lose supervisor access?

Thanks in advance for your time and help.

David

1. Unplug the DSL cable to the 8924.
2. Clear ROM-D by using the telnet command save_default clean via PuTTY or a Linux OS.
3. Keep the 8924 powered up and hard reset it via the pinhole: hold for 10 seconds until the LEDs turn off, then release.
4. Wait until the 8924 fully boots, then use a web browser to go to 192.168.1.1 and enter ADMIN then 1234. Set the modem/router up with your ISP details and other stuff and save a config file. PS: I would change the password.
5. Reboot the modem/router again and wait for the DSL Internet LED to turn red on the 8924, then plug the DSL cable back into the modem/router. If all has gone right, the red Internet LED will become a blinking green Internet LED.
6. Download the most up-to-date firmware and install it. Once it's all updated and running, use PuTTY again, but make sure you have text logging active, and run the command dumpmdm. The saved logging text file will show your supervisor password.
« Last Edit: August 25, 2017, 10:20:19 PM by NewtronStar »
Logged

machare

  • Member
  • **
  • Posts: 71
Re: VMG8924-B10A unbranded supervisor password
« Reply #74 on: September 22, 2017, 09:16:23 PM »

Alternatively, in Windows, open an admin command prompt and start the telnet session with the command

telnet -f c:\dump.txt 192.168.1.1

This sends the telnet output to the file c:\dump.txt, then all you need do is search this file for supervisor.

That works fine for me.  Thank you very much!
Logged
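
A session log captured with PuTTY logging or telnet -f, as described in the posts above, keeps the supervisor password on disk in clear text, so it is worth scrubbing before the file is kept or posted. The script below is an added example, not part of the original posts or of Zyxel's tooling; it assumes the dump shows settings as XML-style elements, and the tag names and sample values are constructed.

```shell
#!/bin/sh
# Added example: scrub credential values from a saved router session log.
# ASSUMPTION: the dump shows settings as XML-style elements, one per line,
# e.g. <Password>value</Password>. Tag names and values here are constructed.

# Tag-name fragments that mark an element as holding a secret.
SECRET_RE='[Pp]assword|[Pp]assphrase|[Ss]ecret|PreSharedKey'

# redact_log FILE: print FILE with the body of every secret element replaced.
# tr removes the carriage returns that a Windows telnet log contains.
redact_log() {
    tr -d '\r' < "$1" |
    sed -E "s#(<[A-Za-z0-9_]*(${SECRET_RE})[A-Za-z0-9_]*>)[^<]+(</)#\1[REDACTED]\3#g"
}

# count_cleartext FILE: print how many lines still carry an unredacted secret.
count_cleartext() {
    tr -d '\r' < "$1" |
    awk -v re="<[A-Za-z0-9_]*(${SECRET_RE})[A-Za-z0-9_]*>[^<]+</" \
        '$0 ~ re && $0 !~ />\[REDACTED\]<\// { n++ } END { print n + 0 }'
}

# Constructed sample log (not real device output).
sample=$(mktemp)
printf '%s\r\n' \
    '$ dumpmdm' \
    '<UserName>supervisor</UserName>' \
    '<Password>ExamplePass123</Password>' \
    '<SSID>HomeNet</SSID>' \
    '<PreSharedKey>example-wifi-key</PreSharedKey>' > "$sample"

echo "cleartext secrets before: $(count_cleartext "$sample")"
redact_log "$sample" > "$sample.clean"
echo "cleartext secrets after:  $(count_cleartext "$sample.clean")"
cat "$sample.clean"
rm -f "$sample" "$sample.clean"
```

Run count_cleartext on the redacted copy and share it only when the count is 0; the original log should be deleted or stored like any other credential.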