Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 ... 3 4 [5]

Author Topic: VMG8924-B10A unbranded supervisor password  (Read 5371 times)

polymath

  • Just arrived
  • *
  • Posts: 19
Re: VMG8924-B10A unbranded supervisor password
« Reply #60 on: March 09, 2017, 12:31:23 PM »

Struggling here to understand how to get dumpmdm to work on my VMG3925-B10B. I telnet into the router and get:

Busybox v1.20.1 (2016-10-18 14:40:36 CST) built in shell (ash)

and then a $ prompt (not a > prompt)

I do $ dumpmdm

and the response is:

-sh: dumpmdm: not found

If I do $ help BusyBox responds with a list of built in commands bt dumpmdm is not there.

Have I missed something?
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 19376
  • Over the Rainbow
    • The ELRepo Project
Re: VMG8924-B10A unbranded supervisor password
« Reply #61 on: March 09, 2017, 03:51:55 PM »

I have no experience with a VMG3925-B10B but you might like to experiment with the following . . .

At the busybox shell prompt, $, type  --

find / -xdev -name \*dump\*

It will show those files which contain the string dump as part of their name.

Performing the above on my VMG1312-B10D, I obtain the following --

Code: [Select]
$ find / -xdev -name \*dump\*
/bin/dumpmem
/usr/bin/hexdump
/usr/lib/opkg/info/tcpdump.control
/usr/lib/opkg/info/tcpdump.list
/usr/sbin/tcpdump
$

You would be interested in the lines that contain the string bin as part of the path name to the files. In my case, above, there are three --

Code: [Select]
$ ls -l /bin/dumpmem
lrwxrwxrwx    1 root     0                6 Oct 18 09:01 /bin/dumpmem -> xtmctl
$ ls -l /usr/bin/hexdump
lrwxrwxrwx    1 root     0               17 Oct 18 09:13 /usr/bin/hexdump -> ../../bin/busybox
$ ls -l /usr/sbin/tcpdump
-rwxr-xr-x    1 root     0           643787 Oct 18 09:06 /usr/sbin/tcpdump
$

Of those three, we can see that the first two are symbolic links to other binary files.

So then try each command with a --help flag.

Code: [Select]
$ dumpmem --help
usage: dumpmem <address_in_hex> <length_in_decimal>

$ hexdump --help
BusyBox v1.20.1 (2016-10-18 15:41:48 CST) multi-call binary.

Usage: hexdump [-bcCdefnosvx] [FILE]...

Display FILEs (or stdin) in a user specified format

        -b              One-byte octal display
        -c              One-byte character display
        -C              Canonical hex+ASCII, 16 bytes per line
        -d              Two-byte decimal display
        -e FORMAT_STRING
        -f FORMAT_FILE
        -n LENGTH       Interpret only LENGTH bytes of input
        -o              Two-byte octal display
        -s OFFSET       Skip OFFSET bytes
        -v              Display all input data
        -x              Two-byte hexadecimal display

$ tcpdump --help
tcpdump: invalid option -- -
tcpdump version 4.2.1
libpcap version 1.1.1
Usage: tcpdump [-aAbdDefhHIKlLnNOpqRStuUvxX] [ -B size ] [ -c count ]
                [ -C file_size ] [ -E algo:secret ] [ -F file ] [ -G seconds ]
                [ -i interface ] [ -M secret ]
                [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
                [ -W filecount ] [ -y datalinktype ] [ -z command ]
                [ -Z user ] [ expression ]
$
« Last Edit: March 09, 2017, 09:23:03 PM by burakkucat »
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

polymath

  • Just arrived
  • *
  • Posts: 19
Re: VMG8924-B10A unbranded supervisor password
« Reply #62 on: March 09, 2017, 07:29:13 PM »

burakkucat: Thanks for the swift reply.

I get exactly the same response to the find and help commands as you.

My simple understanding of the dumpmdm command is it provides a 'memory dump'.

Is there a way of using, say the dumpmem command to achieve the same thing? That would need an appropriate start address and length.
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 19376
  • Over the Rainbow
    • The ELRepo Project
Re: VMG8924-B10A unbranded supervisor password
« Reply #63 on: March 09, 2017, 09:09:42 PM »

Hmm . . . I'll have to have a poke around, for I suspect you may need something different from the dumpmem command to which we both have access.  :-\

From the busybox shell prompt, $ --

Code: [Select]
BusyBox v1.20.1 (2016-10-18 15:41:48 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

$ find / -xdev \( -name \*zycli\* -o -name \*zysh\* -o -name \*nvram\* \) | sort
/bin/nvram
/etc/wlan/bcm43602_nvramvars.bin
/etc/wlan/bcm4360_nvramvars.bin
/etc/wlan/bcmcmn_nvramvars.bin
/etc/zyshrc
/lib/libnvram.so
/sbin/zycli
/usr/bin/zysh
/usr/lib/opkg/info/zycli.control
/usr/lib/opkg/info/zycli.list
/usr/lib/opkg/info/zysh.control
/usr/lib/opkg/info/zysh.list
$ for F in $(find / -xdev \( -name \*zycli\* -o -name \*zysh\* -o -name \*nvram\* \) | sort)
> do echo $F
> hexdump -C -n 16 $F
> echo
> done
/bin/nvram
00000000  7f 45 4c 46 01 02 01 00  01 00 00 00 00 00 00 00  |.ELF............|
00000010

/etc/wlan/bcm43602_nvramvars.bin
00000000  6c 65 64 62 68 31 30 3d  30 78 38 38 00 45 4e 44  |ledbh10=0x88.END|
00000010

/etc/wlan/bcm4360_nvramvars.bin
00000000  6c 65 64 62 68 31 30 3d  30 78 38 38 00 45 4e 44  |ledbh10=0x88.END|
00000010

/etc/wlan/bcmcmn_nvramvars.bin
00000000  77 61 74 63 68 64 6f 67  3d 31 33 30 30 30 30 00  |watchdog=130000.|
00000010

/etc/zyshrc
00000000  23 20 42 65 67 69 6e 20  6f 66 20 5a 79 53 48 32  |# Begin of ZySH2|
00000010

/lib/libnvram.so
00000000  7f 45 4c 46 01 02 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010

/sbin/zycli
00000000  7f 45 4c 46 01 02 01 00  00 00 00 00 00 00 00 00  |.ELF............|
00000010

/usr/bin/zysh
00000000  7f 45 4c 46 01 02 01 00  01 00 00 00 00 00 00 00  |.ELF............|
00000010

/usr/lib/opkg/info/zycli.control
00000000  50 61 63 6b 61 67 65 3a  20 7a 79 63 6c 69 0a 56  |Package: zycli.V|
00000010

/usr/lib/opkg/info/zycli.list
00000000  2f 73 62 69 6e 2f 64 6e  73 0a 2f 73 62 69 6e 2f  |/sbin/dns./sbin/|
00000010

/usr/lib/opkg/info/zysh.control
00000000  50 61 63 6b 61 67 65 3a  20 7a 79 73 68 0a 56 65  |Package: zysh.Ve|
00000010

/usr/lib/opkg/info/zysh.list
00000000  2f 65 74 63 2f 7a 79 73  68 72 63 0a 2f 75 73 72  |/etc/zyshrc./usr|
00000010

$ cat /etc/wlan/bcm43602_nvramvars.bin
ledbh10=0x88END$
$ cat /etc/wlan/bcm4360_nvramvars.bin
ledbh10=0x88END$
$ cat /etc/wlan/bcmcmn_nvramvars.bin
watchdog=130000END$
$ cat /etc/zyshrc
# Begin of ZySH2 initialization
# command-mode COMMAND_MODE_USER_EXEC 2
# privilege 0
# visibility 0
# End of ZySH2 initialization
$ cat /usr/lib/opkg/info/zycli.control
Package: zycli
Version: 1.0-1
Depends: libc, zcmd, libzyutil
Source: package/private/zyxel/zycli
SourceFile: zycli-1.0.tar.gz
SourceURL: @ZyXEL_SITE/private/ZyXEL
Section: net
Architecture: brcm963xx
Installed-Size: 27743
Description:  ZyXEL CLI
$ cat /usr/lib/opkg/info/zycli.list
/sbin/dns
/sbin/vcautohuntctl
/sbin/sys
/sbin/pppoectl
/sbin/zycli
/sbin/ethwanctl
/sbin/wan
/sbin/wlan
$ cat /usr/lib/opkg/info/zysh.control
Package: zysh
Version: 2.0-7
Depends: libc, zcmd, libedit, libncurses
Source: package/private/zyxel/zysh
SourceFile: zysh-2.0.tar.gz
SourceURL: @ZyXEL_SITE/private/ZyXEL
Section: net
Architecture: brcm963xx
Installed-Size: 48097
Description:  ZyXEL Shell and Command Line Interface
$ cat /usr/lib/opkg/info/zysh.list
/etc/zyshrc
/usr/bin/zysh
$ cat /etc/zyshrc
# Begin of ZySH2 initialization
# command-mode COMMAND_MODE_USER_EXEC 2
# privilege 0
# visibility 0
# End of ZySH2 initialization
$ zycli
zycli help
wan
ethwanctl
dns
pppoectl
vcautohuntctl
sys
tr069
wlan
cfgupdate
save_default
$

I was interested in the nvram, zycli and zysh commands, knowing that a sub-option to the zycli command allows the ROM-D to be cleared. Unfortunately I do not see anything remotely appropriate for what you wish to do.

At a long-shot, you might like to download a copy of the VMG1312-B10A CLI Reference Manual and read it through. It might prove to be a source of inspiration.
« Last Edit: March 09, 2017, 09:20:18 PM by burakkucat »
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

polymath

  • Just arrived
  • *
  • Posts: 19
Re: VMG8924-B10A unbranded supervisor password
« Reply #64 on: March 10, 2017, 02:59:31 PM »

Yes, I have had the CLI reference manual pdf for a while. It adds to my confusion. The document lists ZyXEL CLI commands. But before the list is an Overview (pages 3 and 4) which, in part, states:

.....The CLI is available from the serial console, telnet login and ssh logins. It is enabled via the make
menuconfig option "Enable Command Line Interface" in the "Management Protocols and User Interface
Selection" section. The CLI is part of the Configuration Management System (CMS), so CMS must also be
enabled make menuconfig in order to have the CLI.

The CLI has a">" prompt character. If you type "sh", you will enter the busybox shell, which has the "#"
prompt character. This document describes the commands available from the CLI (">"), not the busybox
shell......  (I assume the "#" prompt is the same as "$" prompt)

First thing is my telnet session lands straight into BusyBox, there is no other prompt but "$".  No way I can
see of entering another command prompt level, other than the zycli command.

The CLI reference manual list CLI commands and includes dumpmdm (page 58). For comparison it includes adsl (page 5).

Now in my telent session adsl works at the BusyBox $ prompt but returns an error when dumpmdm is input.
Using zycli adsl and zycli dumpmdm produces nothing, other than a new line with the $ prompt at the start.

Near the end of the Overview section it states:

In accordance to the CMS architecture, all commands which modify the configuration will modify the MDM
(shared memory configuration database). I assume that MDM is the same as in dumpmdm.

Logged

polymath

  • Just arrived
  • *
  • Posts: 19
Re: VMG8924-B10A unbranded supervisor password
« Reply #65 on: March 10, 2017, 03:33:16 PM »

One small extra bit of information:

At the BusyBox $ prompt I input zysh and the next line has  ZySH> as the prompt. Only problem is I cannot figure out anything to put in this new command line that gets any response other than an error.
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 19376
  • Over the Rainbow
    • The ELRepo Project
Re: VMG8924-B10A unbranded supervisor password
« Reply #66 on: March 10, 2017, 07:28:21 PM »

Yes, I have had the CLI reference manual pdf for a while. It adds to my confusion.

It is the CLI reference manual for the VMG1312-B10A and not for my VMG1312-B10D nor your VMG3925-B10B.
 
The zycli command is a "one shot" invocation of the CLI from the busybox shell. So, for example, zycli save_default clean clears the ROM-D. (See here.)

The zysh> prompt should respond to a solitary ? input with a list of sub-options.
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4804
Re: VMG8924-B10A unbranded supervisor password
« Reply #67 on: July 29, 2017, 12:44:11 AM »

no luck for us with newer firmwares :(

dumpmdm command not found
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

Fuggi

  • Just arrived
  • *
  • Posts: 11
Re: VMG8924-B10A unbranded supervisor password
« Reply #68 on: July 29, 2017, 12:52:46 AM »

Chrys
Can you back to the version 16 firmware this still has access to dumpmdm. I used it two days ago to find the supervisor password
in my Vmg8924.
Logged

Chrysalis

  • Content Team
  • Kitizen
  • *
  • Posts: 4804
Re: VMG8924-B10A unbranded supervisor password
« Reply #69 on: July 29, 2017, 01:35:09 AM »

where is the v16 firmware? on zyxel's website is just v11 and v15.

also what is the exact command you used for dumpmdm, here is my output.  Thanks

Code: [Select]
$ dumpmdm
-sh: dumpmdm: not found

or maybe its only on the b10a but not the b10b?
Logged
Sky Fiber Pro - Billion 8800NL bridge & PFSense BOX running PFSense 2.4 - ECI Cab

Fuggi

  • Just arrived
  • *
  • Posts: 11
Re: VMG8924-B10A unbranded supervisor password
« Reply #70 on: July 29, 2017, 02:13:36 AM »

Quote
http://forum.kitz.co.uk/index.php/topic,13930.msg351376.html#msg351376
The dumpmdm command only seems to be on the VMG8924 not the VMG3925.
Logged
Pages: 1 ... 3 4 [5]
 

anything