Author Topic: VMG8924-B10A unbranded supervisor password  (Read 3156 times)

tubaman

« Reply #15 on: January 12, 2017, 05:15:22 PM »

Looking at the release notes for the firmware it appears that the Supervisor password becomes auto generated in V11.
I wonder if loading V10 and then defaulting it would put it back to zyad1234?
BT FTTC 80/20 Huawei Cab - Zyxel VMG8924

burakkucat

« Reply #16 on: January 12, 2017, 07:28:20 PM »

A couple of comments with regards to my ZyXEL VMG1312-B10D.

There are four entries in the password file --

root:$1$Vdupzo4w$vdXS8BpFfwJrHRbKbSn4S1:0:0:root:/home/root:/bin/sh
supervisor:$1$uG75nx3n$AxoIv1tn.4JJcql3ZhHDj.:12:12:supervisor:/home/supervisor:/bin/sh
admin:$1$3pK.WT/B$5NCl1sB7vIuwU6Oem74TA.:21:21:admin:/home/admin:/bin/sh
nobody:x:99:99:nobody:/nonexistent:/bin/false

Every official firmware release has contained a rom file, along with the bin and pdf files. Using the latest firmware package as an example, it contains --

V5.11(AAXA.4)C0.bin
V5.11(AAXA.4)C0.pdf
V5.11(AAXA.4)C0.rom
VMG1312-B10D_V5.11(AAXA.4)C0-foss.pdf

Whether it is relevant or useful . . .  :shrug2:
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

manny2003

« Reply #17 on: January 13, 2017, 12:00:13 AM »

> Looking at the release notes for the firmware it appears that the Supervisor password becomes auto generated in V11.
> I wonder if loading V10 and then defaulting it would put it back to zyad1234?

It could be possible... but it probably will not revert the password. It is just my opinion, but I think that before version 10 no action will be taken by the firmware on the password, so the actual generated password will not be replaced. What I would like to understand is, if this is the case, how would Zyxel reset the supervisor password if they remain locked out for some reason?

manny2003

« Reply #18 on: January 13, 2017, 12:06:44 AM »

> A couple of comments with regards to my ZyXEL VMG1312-B10D.
>
> There are four entries in the password file --
>
> root:$1$Vdupzo4w$vdXS8BpFfwJrHRbKbSn4S1:0:0:root:/home/root:/bin/sh
> supervisor:$1$uG75nx3n$AxoIv1tn.4JJcql3ZhHDj.:12:12:supervisor:/home/supervisor:/bin/sh
> admin:$1$3pK.WT/B$5NCl1sB7vIuwU6Oem74TA.:21:21:admin:/home/admin:/bin/sh
> nobody:x:99:99:nobody:/nonexistent:/bin/false
>
> Every official firmware release has contained a rom file, along with the bin and pdf files. Using the latest firmware package as an example, it contains --
>
> V5.11(AAXA.4)C0.bin
> V5.11(AAXA.4)C0.pdf
> V5.11(AAXA.4)C0.rom
> VMG1312-B10D_V5.11(AAXA.4)C0-foss.pdf
>
> Whether it is relevant or useful . . .  :shrug2:

It is possible that the rom file is where the supervisor password is stored, but I have rarely found the rom file in the firmware package.
Maybe using the rom file along with firmware 10 could restore the old default password in case of a downgrade.

burakkucat

« Reply #19 on: January 13, 2017, 06:17:48 PM »

Please remember that I am referring to a VMG1312-B10D in the following . . .

A quick check of where in the rom file certain key words appear shows --

[Duo2 Firmware]$ grep -in cwmp *rom
478:    "EnableCWMP": true,
491:    "CWMPRetryMinimumWaitInterval": 5,
492:    "CWMPRetryIntervalMultiplier": 2000,
[Duo2 Firmware]$ grep -in root *rom
2067:            "Username": "root",
[Duo2 Firmware]$ grep -in supervisor *rom
2077:            "Username": "supervisor",
[Duo2 Firmware]$ grep -in admin *rom
2092:            "Username": "admin",
[Duo2 Firmware]$ grep -in nobody *rom
[Duo2 Firmware]$

Lines 478 to 509, inclusive, are --

Code:
    "EnableCWMP": true,
    "URL": "",
    "X_ZYXEL_FallbackURL": "",
    "X_ZYXEL_URLChangedViaOption43": false,
    "Username": "",
    "Password": "changeme",
    "PeriodicInformEnable": false,
    "PeriodicInformInterval": 86400,
    "PeriodicInformTime": "0001-01-01T00:00:00Z",
    "ConnectionRequestUsername": "",
    "ConnectionRequestPassword": "",
    "UpgradesManaged": false,
    "DefaultActiveNotificationThrottle": 0,
    "CWMPRetryMinimumWaitInterval": 5,
    "CWMPRetryIntervalMultiplier": 2000,
    "STUNEnable": true,
    "STUNServerAddress": "",
    "STUNServerPort": 3478,
    "STUNUsername": "",
    "STUNPassword": "",
    "STUNMaximumKeepAlivePeriod": 0,
    "STUNMinimumKeepAlivePeriod": 0,
    "InstanceMode": "",
    "AutoCreateInstances": false,
    "X_ZYXEL_BoundInterface": "Any_WAN",
    "X_ZYXEL_BoundInterfaceList": "IP.Interface.2,IP.Interface.3,IP.Interface.4,IP.Interface.5",
    "X_ZYXEL_DisplaySOAP": false,
    "X_ZYXEL_ConnectionRequestUDPPort": 7678,
    "X_ZYXEL_ConnectionRequestPort": 7547,
    "X_ZYXEL_DataModelSpec": "TR-098",
    "X_ZYXEL_Certificate": "0",
    "X_ZYXEL_DebugLevel": 13

Lines 2063 to 2070, inclusive, are --

Code:
            "AutoShowQuickStart": false,
            "Enabled": true,
            "EnableQuickStart": true,
            "Page": "",
            "Username": "root",
            "Password": "",
            "PasswordHash": "",
            "Privilege": "login"

Lines 2073 to 2080, inclusive, are --

Code:
            "AutoShowQuickStart": false,
            "Enabled": true,
            "EnableQuickStart": true,
            "Page": "",
            "Username": "supervisor",
            "Password": "",
            "PasswordHash": "",
            "Privilege": "login,httpd,samba"

Lines 2088 to 2096, inclusive, are --

Code:
            "AutoShowQuickStart": true,
            "Enabled": true,
            "EnableQuickStart": true,
            "Page": "Broadband,Wireless,Home_Networking,QoS,NAT,Routing,DNS,IGMP_MLD,Vlan_Group,Interface_Grouping,USB_Service,Firewall,MAC_Filter,Parental_Control,Scheduler_Rule,Certificates,Log,Traffic_Status,Routing_Table,McastSt,ARP_Table,ARPTable_handle,WWAN_Statistics,SNMP,System,User_Account,Remote_MGMT,Time,Log_Setting,Backup/Restore,Backup_Restore,Reboot,Diagnostic,Status,Upnp_Portmap,Diagnostic_Result,xDSL_Statistics,xDSLStatistics_handle,NATSession_handle,RoutingTable_handle,McastSt,wps_status_handle,PortMirror,ParseDirectory,ParseUSBInfo,Email_Notify,Firmware_Upgrade,Diagnostic_id,ROMD",
            "Username": "admin",
            "Password": "_encrypt_hFmIO8s8qficW623JbZqT0FjY291bnQuAAAAIAAAAIk=",
            "PasswordHash": "",
            "Privilege": "login,httpd,samba",
            "AccountIdleTime": 300
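
Added example (not written by any poster and not ZyXEL code): the grep checks in the post above, generalised to walk a JSON config such as the rom file and list every login account or CWMP block whose credential is stored in plaintext or is absent from the file, without printing the values. Only the key names come from the post; the nesting of the sample and its `_encrypt_` placeholder are constructed assumptions.

```python
import json

# Constructed sample: key names are those quoted in the post above; the nesting
# ("ManagementServer", "LoginCfg", ...) and the _encrypt_ value are assumptions.
SAMPLE_ROM = """{
  "ManagementServer": {
    "EnableCWMP": true, "URL": "", "Username": "", "Password": "changeme",
    "ConnectionRequestUsername": "", "ConnectionRequestPassword": ""},
  "LoginCfg": {"LogGp": [{"Account": [
    {"Enabled": true, "Username": "root", "Password": "",
     "PasswordHash": "", "Privilege": "login"},
    {"Enabled": true, "Username": "supervisor", "Password": "",
     "PasswordHash": "", "Privilege": "login,httpd,samba"},
    {"Enabled": true, "Username": "admin", "Password": "_encrypt_CONSTRUCTED=",
     "PasswordHash": "", "Privilege": "login,httpd,samba"}]}]}
}"""


def walk(node, path=""):
    """Yield (path, object) for every JSON object, whatever its depth."""
    if isinstance(node, dict):
        yield path or "/", node
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")


def password_state(obj):
    """Classify how a credential is stored, without echoing its value."""
    password = str(obj.get("Password") or "")
    if password.startswith("_encrypt_"):
        return "encrypted"
    if password:
        return "plaintext"
    return "hashed" if obj.get("PasswordHash") else "not in file"


def audit(text):
    """Return (path, name, issue) tuples for credentials worth reviewing."""
    findings = []
    for path, obj in walk(json.loads(text)):
        if "Username" in obj and "Privilege" in obj:      # a login account
            state = password_state(obj)
            if obj.get("Enabled") and state in ("plaintext", "not in file"):
                findings.append((path, obj["Username"], f"password {state}"))
        elif "EnableCWMP" in obj:                         # TR-069 client
            if obj["EnableCWMP"]:
                findings.append((path, "cwmp", "remote management enabled"))
            if password_state(obj) == "plaintext":
                findings.append((path, "cwmp", "password plaintext"))
            if not obj.get("ConnectionRequestPassword"):
                findings.append((path, "cwmp", "connection-request password empty"))
    return findings


if __name__ == "__main__":
    for path, name, issue in audit(SAMPLE_ROM):
        print(f"{name:<11}{issue:<35}{path}")
```

An enabled account reported as "password not in file" has its effective credential set somewhere other than the exported config, so the file alone cannot show whether that credential is a known default.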

manny2003

« Reply #20 on: January 13, 2017, 09:43:24 PM »

Thank you burakkucat.
I have investigated a bit about the .rom and I think that it is not different from the .conf we can save via the configuration backup procedure on the router.
Apparently there are 3 configurations on the router... the running config that is the one changed by the user, the default config that is the one used after a restore to factory and the rom-d configuration, that is the same as a default config but it is used in place of the default config (if it is present) after a restore to factory or a firmware update and should be the config the ISP puts inside a stock router in order to set some permanent parameters that will last also after a factory reset.
So I think that the superuser pwd is not set there, but only admin and other users, like in a standard .conf file.

burakkucat

« Reply #21 on: January 13, 2017, 10:35:35 PM »

> Thank you burakkucat.

And thank you for analysing my observations. What you have typed makes perfect sense.

There is one aspect for which I can not deduce a method . . . That of getting a default rom file onto the device and saving it to the relevant area of the flash memory.

manny2003

« Reply #22 on: January 14, 2017, 02:40:31 AM »

Thank you again burakkucat.  :)

Having discovered that there exist 3 configs, I think that, despite the fact that the file has an extension .rom and that the location in memory for the ISP custom default config is called Rom-d, the .rom file is nothing more than a saved running configuration, like the .conf, but given by the manufacturer as a file in order to put the current router config at default... a sort of reset to factory alternative. This should justify the fact that I have never used the .rom file, that it is optional during a firmware update and that it can be uploaded the same way you would do with the .conf.

Instead, if you want to put the .rom file in the rom-d partition, Zyxel says that you should do it via ftp. I do not know if this applies to all CPE models, but just as a reference this should be the procedure:

1. Set your laptop IP address as 192.168.1.33(CPE is 192.168.1.1)
2. Type in command ftp 192.168.1.1 to login your CPE.
3. Type in username: admin
4. Type in password: 1234
5. Type in command put xxx.rom fw/rom-d (xxx as your file name)
6. Type in command bye to make it effective.
 
I have also read that the .rom file is already embedded into the .bin firmware so that it could be used as standard default config in case of a reset to factory.

In the end I think that the supervisor password was not modified on older firmware and that after a certain release version (in our model case the 10th) the reset to factory procedure will run a script that will generate the new supervisor password. So this is not stored anywhere, but generated on a specific algorithm for every factory reset. This way also the supervisor password will always be regenerated as expected after a reset.

Some firmware guru could be able to discover the algorithm and create a keygen for supervisor password. :P

broadstairs

« Reply #23 on: January 14, 2017, 08:54:45 AM »

We have been assuming that the later f/w changes the supervisor p/w, however on my 8924 running the V15 f/w the old p/w still works. Now it is possible that I have not done any factory resets for a while which may be why it still works. I have not seemed to need a factory reset as I usually upgrade the f/w incrementally. Obviously I will try to not have to do a factory reset on it  ;)

Assuming this ftp process works and loads the romd does that mean a factory reset will be needed to get back the password? Also if the romd is loaded on every f/w update then this means we will have to re-run this ftp procedure after every update if we need the supervisor p/w. A p/w generator would be great IF someone can figure out the formula, or perhaps someone can crack their encryption and then translate that p/w shown earlier. Perhaps cracking the encryption might be possible since we can see the admin p/w as stored and obviously know what it is.

Stuart
ISP:TalkTalk Connection:FTTC Cab:ECI Router:ZyXEL VMG8924-B10A

broadstairs

« Reply #24 on: January 14, 2017, 11:07:34 AM »

I have just been looking at the rom file for V15 of the 8924 f/w. Nowhere in it is any reference to supervisor. There is Administrator, User. Same is found in the rom file for V10 f/w. So if there is nothing in the rom file for supervisor I suspect this could be built into the f/w?

Stuart

Edit: Just checked the pdf file for V15 and there are references to changing the supervisor password in V11 and other references earlier, nothing after V11. References to supervisor start on P17 of the pdf.
« Last Edit: January 14, 2017, 11:15:44 AM by broadstairs »

tubaman

« Reply #25 on: January 14, 2017, 04:53:27 PM »

I've just tried manny2003's trick (post #7) of copying a new set of privs for the admin user into the config file and reloading.
The amended file loaded just fine but I don't have any more menus than before. :(
If I export the config again the changes are still there.
It's all very strange.  :wall:

manny2003

« Reply #26 on: January 14, 2017, 06:42:13 PM »

> I've just tried manny2003's trick (post #7) of copying a new set of privs for the admin user into the config file and reloading.
> The amended file loaded just fine but I don't have any more menus than before. :(
> If I export the config again the changes are still there.
> It's all very strange.  :wall:

 :-\ mmm very strange.. I know it should work because it was the workaround I used on my router... Just to be 110% sure, have you double checked that the Privileges you have modified really pertain to the right user? Sometimes it is easy to modify the wrong line. Also try a reboot.

> Assuming this ftp process works and loads the romd does that mean a factory reset will be needed to get back the password? Also if the romd is loaded on every f/w update then this means we will have to re-run this ftp procedure after every update if we need the supervisor p/w. A p/w generator would be great IF someone can figure out the formula, or perhaps someone can crack their encryption and then translate that p/w shown earlier. Perhaps cracking the encryption might be possible since we can see the admin p/w as stored and obviously know what it is.

Please Stuart, consider this is just my opinion and not a global truth.
The .rom is not mandatory, it is just a file that you can upload as default config (like the .conf). It is also embedded in the firmware as it installs in the router a default config that will be used in case of reset. Putting the .rom or any other config in the rom-d partition is just an option for an ISP that wants the customer to always have some special config set after a factory reset.

The supervisor password, in my opinion, is not set anywhere but just generated by the firmware during the factory reset via a script. So updating will not change the old password but a factory reset on a firmware greater than version 10 will.

tubaman

« Reply #27 on: January 14, 2017, 07:11:26 PM »

manny2003,

Yes, it's the right line - in fact I tried it on both 'Privilege' lines and it made no difference.
It rebooted after I reloaded the file so I assume that should be good enough.

An earlier post mentioned that the Supervisor user can turn menu items on and off so perhaps that is overriding the config file settings?

It was worth a go and all is still working so nothing lost.
 :)

highpriest

« Reply #28 on: January 14, 2017, 10:33:29 PM »

> I have just been looking at the rom file for V15 of the 8924 f/w. Nowhere in it is any reference to supervisor. There is Administrator, User. Same is found in the rom file for V10 f/w. So if there is nothing in the rom file for supervisor I suspect this could be built into the f/w?

Yup, same here. Only two users as far as I can tell.

Code:
      <X_5067F0_Login_Group instance="1">
        <GroupKey>0</GroupKey>
        <Privilege>broadband,wireless,homeNetworking,usbService,powerManagement,routing,dnsroute,vlangroup,qos,nat,dns,halfBridge,igmpSetting,intfGrp,firewall,macFilter,parentalControl,schedulerRule,certificates,ipsecVPN,pptpVPN,sip,phone,callRule,callHistory,log,trafficStatus,voipStatus,arpTable,routeTable,igmpGroupStatus,xdslStatistics,3gStatistics,system,userAccount,remoteMGMT,tr069Client,tr064,time,emailNotification,logSetting,firmwareUpgrade,configuration,reboot,disagnostic,HelpDesk,wizard,status,snmp</Privilege>
        <Name>Administrator</Name>
        <ConsoleLevel>2</ConsoleLevel>
        <Use_Login_Info instance="1">
          <UserName>admin</UserName>
          <Password>_encrypted_removed</Password>
          <Modified>TRUE</Modified>
          <LatestLoginSuccessFrom>192.168.2.1</LatestLoginSuccessFrom>
          <CurrentLoginSuccessFrom>192.168.2.1</CurrentLoginSuccessFrom>
          <idleTimeout>300</idleTimeout>
        </Use_Login_Info>
        <Use_Login_Info nextInstance="2"></Use_Login_Info>
      </X_5067F0_Login_Group>
      <X_5067F0_Login_Group instance="2">
        <GroupKey>2</GroupKey>
        <Privilege>log,trafficStatus,arpTable,routeTable,igmpGroupStatus,xdslStatistics,3gStatistics,system,userAccount,remoteMGMT,time,emailNotification,logSetting,firmwareUpgrade,configuration,reboot,disagnostic,HelpDesk</Privilege>
        <Name>User</Name>
        <ConsoleLevel>2</ConsoleLevel>
        <Use_Login_Info instance="1">
          <UserName>zyuser</UserName>
          <Password>_encrypted_removed</Password>
          <idleTimeout>300</idleTimeout>
        </Use_Login_Info>
        <Use_Login_Info nextInstance="2"></Use_Login_Info>
      </X_5067F0_Login_Group>
      <X_5067F0_Login_Group nextInstance="3"></X_5067F0_Login_Group>

Nothing appears to be locked down in the GUI.



This is a de-branded F1000 running v15.
VMG8324-B10A Bridge | EdgeRouter PoE | UniFi AP AC Lite

manny2003

« Reply #29 on: January 15, 2017, 04:31:50 AM »

> manny2003,
>
> Yes, it's the right line - in fact I tried it on both 'Privilege' lines and it made no difference.
> It rebooted after I reloaded the file so I assume that should be good enough.
>
> An earlier post mentioned that the Supervisor user can turn menu items on and off so perhaps that is overriding the config file settings?
>
> It was worth a go and all is still working so nothing lost.
>  :)

Very strange... the privilege line in the configuration should be where the selections made by the supervisor via the GUI are stored...