
Author Topic: 7131 boot DIAG password?  (Read 12261 times)


Offline donb

  • Rookie
  • **
  • Posts: 16
Re: 7131 boot DIAG password?
« Reply #15 on: February 25, 2015, 08:17:13 PM »
Wow, that's incredible.. ! =)

What are you using to extract the .bin files? (to get the vmlinuz.bincs) ?


Offline coz

  • Rookie
  • **
  • Posts: 17
Re: 7131 boot DIAG password?
« Reply #16 on: February 25, 2015, 11:43:26 PM »
Binwalker was the name of the game,
I had to set up a virtual Ubuntu and then

sudo apt-get install binwalk

then binwalk -e firmwarefile

after that I jumped into the directory, had to rename whatever file to whateverfile.tar
and

tar -xvf whateverfile.tar

but depending on what version of firmware you could do it in Windows.

the img file could be an LZMA archive, and in that there should be a TAR compressed file.
in that case it would probably work if you rename the .img to firmware.LZMA

---

all that h4ck1n could probably be achieved in simpler ways, but I had to get it to parse that

init=/bin/ash so that I could enter the wicked world of shell.



if this would have been at work I would have asked for better salary.
oh well, learnt a lot of cool stuff from this experiment.

« Last Edit: February 26, 2015, 12:01:18 AM by coz »
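
Added example, not part of the original posts: instead of renaming a carved file to .tar or .LZMA by guess, this classifies the blob by its header bytes, peels LZMA layers with a depth and size cap, and lists the tar members without extracting them. The function names are illustrative, and the sample input is constructed in `build_sample()`, not taken from any firmware image.

```python
import io
import lzma
import tarfile
DICT_SIZES = {1 << n for n in range(12, 31)}  # plausible LZMA dictionary sizes

def identify(blob: bytes) -> str:
    """Classify a carved blob by content, not by file extension."""
    if len(blob) > 262 and blob[257:262] == b"ustar":
        return "tar"
    if blob[:6] == b"\xfd7zXZ\x00":
        return "xz"
    # LZMA-alone has no true magic: properties byte (usually 0x5D) + LE dict size.
    if len(blob) >= 13 and blob[0] == 0x5D and int.from_bytes(blob[1:5], "little") in DICT_SIZES:
        return "lzma"
    return "unknown"

def unwrap(blob: bytes, max_layers: int = 4, max_size: int = 256 << 20):
    """Peel compression layers with a depth cap and an output size cap."""
    layers = []
    for _ in range(max_layers):
        kind = identify(blob)
        layers.append(kind)
        if kind not in ("lzma", "xz"):
            break
        blob = lzma.LZMADecompressor().decompress(blob, max_length=max_size)
    return layers, blob

def list_members(tar_bytes: bytes):
    """List tar members without extracting; flag names unsafe to unpack as-is."""
    report = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tf:
        for m in tf:
            unsafe = m.name.startswith("/") or ".." in m.name.split("/") or m.isdev()
            report.append((m.name, "UNSAFE" if unsafe else "ok"))
    return report

def build_sample() -> bytes:
    """Constructed sample: a small tar wrapped in LZMA-alone (not real firmware)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in (("etc/inittab", b"::sysinit:/etc/init.d/rcS\n"), ("../escape.txt", b"x")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return lzma.compress(buf.getvalue(), format=lzma.FORMAT_ALONE)

if __name__ == "__main__":
    layers, inner = unwrap(build_sample())
    print(layers, list_members(inner))
```

Reviewing the member list before running `tar -xvf` shows whether an archive from an untrusted image would write outside the working directory or create device nodes.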

Offline donb

  • Rookie
  • **
  • Posts: 16
Re: 7131 boot DIAG password?
« Reply #17 on: February 26, 2015, 09:18:42 AM »
Ah,

A bit after I posted I found binwalk.. I installed it on a non Ubuntu server

When I tried extracting 5.5.5.bin I did get a few Lzma archives

But I think it got caught in a loop and extracted the same archive over and over

I am probably going to set up an Ubuntu vm because I don't think I installed every single pre req for binwalk

What version of firmware did you have most success in extracting?

Thanks again for sharing your findings

Offline coz

  • Rookie
  • **
  • Posts: 17
Re: 7131 boot DIAG password?
« Reply #18 on: February 26, 2015, 10:23:11 AM »
there was an error using some version of binwalk and the latest Ubuntu.
don't remember how I solved that.. but I found a solution to it on the interweb.

for firmware, I attacked 71XX.5.5.4 R18


Offline donb

  • Rookie
  • **
  • Posts: 16
Re: 7131 boot DIAG password?
« Reply #19 on: February 26, 2015, 08:25:04 PM »
Yep, that was it.. my other install of Linux wasn't complete

I was able to do as you said and rename a file after I binwalk'd to .tar

got the whole root/ and other script folders extracted

Offline McNulty

  • Sr. Member
  • ****
  • Posts: 217
Re: 7131 boot DIAG password?
« Reply #20 on: February 26, 2015, 11:53:03 PM »
Wow good work, thanks for sharing :)

Offline coz

  • Rookie
  • **
  • Posts: 17
Re: 7131 boot DIAG password?
« Reply #21 on: February 27, 2015, 12:03:25 AM »
 ;)

thanks.

Next project is to change the behaviour of those LEDs.
Unfortunately I have a D AP7131. So the LEDs are blinking white and red =/

Saw some interesting bytes in achip.
and some more interesting stuff in some script in the rootshell.
something like miros..seems we can program the mfgrom.

Offline Goose

  • Jr. Member
  • **
  • Posts: 33
Re: 7131 boot DIAG password?
« Reply #22 on: February 27, 2015, 11:20:35 AM »
Wow !!!
great work,
I sent the units back to Motorola - it has lifetime service ..
any way you can dig up a master reset password  8)

Offline coz

  • Rookie
  • **
  • Posts: 17
Re: 7131 boot DIAG password?
« Reply #23 on: February 27, 2015, 11:47:03 AM »
Thanks.. probably one could do it simpler. Now that I know the file table.

 But wanted to share my progress. And brain needed some workout.

Hopefully some people got interested in warranty voiding:)

U sayin there is more passwords?

Offline hchen01

  • Full Member
  • ***
  • Posts: 73
Re: 7131 boot DIAG password?
« Reply #24 on: March 01, 2015, 07:13:57 PM »
First of all, great thanks for coz's help! I turned 2 bricks into normal AP7131 :).

I'm using NOR from tftp to flash the firmware,

find the firmware version 4.1.5 from Moto website, and you can find two .nor files:
AP7131-5.1.3.0-006R-04010500004R.bin.nor and AP7131-5.1.4.0-001R-04010500004R.bin.nor,

please use AP7131-5.1.3.0-006R-04010500004R.bin.nor

nor tftp://xxx.xxx.xxx.xxx/AP7131-5.1.3.0-006R-04010500004R.bin.nor

after that, still use boot (because there was no img file loaded onto the AP), set the network and ftp information (IP, username, password and use the bin file of firmware 4.1.5), then

load ftp (please don't use tftp)

then it turned to normal AP7131.

I tried tftp to load the bin files from every firmware version, all failed showing checksum error, but ftp worked.
« Last Edit: March 01, 2015, 07:15:55 PM by hchen01 »

Offline coz

  • Rookie
  • **
  • Posts: 17
Re: 7131 boot DIAG password?
« Reply #25 on: March 01, 2015, 11:35:25 PM »
Ah much cleaner than my brutal method.
Thanks!

Offline donb

  • Rookie
  • **
  • Posts: 16
Re: 7131 boot DIAG password?
« Reply #26 on: March 02, 2015, 09:31:19 AM »
First of all, great thanks for coz's help! I turned 2 bricks into normal AP7131 :).

I'm using NOR from tftp to flash the firmware,

find the firmware version 4.1.5 from Moto website, and you can find two .nor files:
AP7131-5.1.3.0-006R-04010500004R.bin.nor and AP7131-5.1.4.0-001R-04010500004R.bin.nor,

please use AP7131-5.1.3.0-006R-04010500004R.bin.nor

nor tftp://xxx.xxx.xxx.xxx/AP7131-5.1.3.0-006R-04010500004R.bin.nor

after that, still use boot (because there was no img file loaded onto the AP), set the network and ftp information (IP, username, password and use the bin file of firmware 4.1.5), then

load ftp (please don't use tftp)

then it turned to normal AP7131.

I tried tftp to load the bin files from every firmware version, all failed showing checksum error, but ftp worked.

Hello,

Did you unpack BR7131_04010400002R.bin to get the .nor file?   I am using Brocade and we've only got the .bin file

Anyone mind sending me the .nor file?


Offline donb

  • Rookie
  • **
  • Posts: 16
Re: 7131 boot DIAG password?
« Reply #28 on: March 03, 2015, 10:16:29 AM »
It worked!

Thanks boys

Offline andrerdrummond

  • Rookie
  • **
  • Posts: 1
Re: 7131 boot DIAG password?
« Reply #29 on: January 16, 2019, 12:56:01 PM »
good news, it's ahliiiiive!!

set up tftp server and stick a fresh and clean vmlinux.bincs, rename it to vmlinux.bin

on ap
go to boot
diag 1915april24
set net 192.168.0.118 root=/dev/mtdblock7 debug init=/bin/ash
(your tftp ip goes there)

reset

mount -t proc proc /proc
mount -o remount,rw /

nano /etc/inittab

if two lines, delete those lines

and paste

ttyS0::sysinit:/etc/init.d/rcS
ttyS0::askfirst:/bin/login -h Console
::restart:/sbin/init
::shutdown:/usr/scripts/shutdown
::ctrlaltdel:/usr/scripts/techsupport_low_mem.sh
:10:respawn:/usr/sbin/logd -d
::respawn:/usr/sbin/rim -d
:240:respawn:/etc/init.d/cfgd start
:15:respawn:/usr/sbin/nsm -i
:0,-1:respawn:/usr/sbin/hsd -d
::respawn:/usr/sbin/mstp
:20:respawn:/etc/init.d/dpd2.init start
::finally:/usr/scripts/sysup



ctrl+x y

reboot -f

esc esc esc esc esc

diag 1915april24
set net 0.0.0.0

reset

worked for me =)

How can I make a vmlinux.bincs?