So, how to get in...
It's a small embedded-style device, so the possibility for there to be a non-root 'debug' account is vanishingly small. Still, even if we 'know' the account name, brute forcing the password over the serial connection through getty will be slow - about 3-4 seconds per attempt (but no 'locking' with too many attempts)... could take years...
A more sensible option would be to look through the filesystem for clues... Of course, we can't log in (yet) and browse through, but perhaps we can download the flash... There's a 16MB (128Mbit) flash chip on the board, which is big enough for a compressed filesystem. The datasheet confirmed it was a SPI device, readable with a CH341a and an 8pin SOIC clip. I was fortunate as flashrom could download the flash successfully without having to remove the chip from the board, or even holding the reset button!
Binwalk could read the resulting downloaded data and identified a number of different 'partitions', and various .xz compressed files. Not the simple root squashfs and overlay jffs2 partitions I'd hoped for, but... Better than nothing. Binwalk extracted everything happily. Some parts were easy to identify (the bootlogo was obvious) but the actual filesystem was a mess. Various text files all shmushed together.
Ok, let's look for /etc/passwd and/or /etc/shadow... Grepping through the extracted files for "0:0::/root:/bin/" turned up what looked like /etc/passwd inside a text file (along with a load of other random files concatenated). Even better, the line grep found included an md5 password hash!!
Hashcat was pressed into service and found the root password within a few minutes - "tc310".
Back onto the serial console...
login: root
password: tc310
root@tinalinux#
Woohoo!!!
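The grep step above, generalized as an added example (not part of the original log): it scans an extracted firmware blob for passwd-format lines and reports how each password field is stored, so a firmware audit can flag accounts whose hashes are cheap to recover offline. The sample blob and the hash string in it are constructed placeholders, and the scheme table assumes standard crypt(3) prefixes.

```python
import re

# crypt(3) identifiers as they appear in the password field ($id$salt$hash).
SCHEMES = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt", "empty"}  # cheap to recover offline, or no password

# passwd(5) layout: name:password:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(
    rb"^([A-Za-z_][\w.-]{0,31}):([^:\n]*):(\d+):(\d+):[^:\n]*:(/[^:\n]*):(/[^:\n]*)$",
    re.MULTILINE)

def classify(field):
    """Name the storage scheme of a passwd/shadow password field."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"          # real hash lives in /etc/shadow
    if field[0] in "*!":
        return "locked"
    m = re.match(r"\$([0-9a-z]+)\$", field)
    if m:
        return SCHEMES.get(m.group(1), "unknown")
    if len(field) == 13:
        return "descrypt"          # traditional DES crypt has no $ prefix
    return "unknown"

def audit_blob(blob):
    """Return one finding per passwd-format line found anywhere in the blob."""
    findings = []
    for m in PASSWD_RE.finditer(blob):
        scheme = classify(m.group(2).decode("latin-1"))
        findings.append({"offset": m.start(), "user": m.group(1).decode(),
                         "uid": int(m.group(3)), "scheme": scheme,
                         "weak": scheme in WEAK})
    return findings

# Constructed sample: several small files run together, as in the extracted image.
SAMPLE = (b"hostname=device\n#!/bin/sh\necho boot\n"
          b"root:$1$CONSTRUC$AAAAAAAAAAAAAAAAAAAAAA:0:0::/root:/bin/sh\n"
          b"nobody:x:65534:65534:nobody:/var:/bin/false\n"
          b"\x00\x01binary junk: a:b\n")

if __name__ == "__main__":
    for finding in audit_blob(SAMPLE):
        print(finding)
```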