[Tutorial] Reverse engineering a Hitron's bootloader password
BTC
Haxorware Enthusiast

Posts: 49
Threads: 5
Joined: Aug 2018
Reputation: 5
#1
In this tutorial, we will dive into basic reverse engineering by researching a cable modem's bootloader password.

On the Hitron CDA3-35, when you terminate the boot process (by pressing Q within the 3 second delay), you are prompted to enter a password like so:

[Image: QEjDmKJ.png]

This is unfortunate, because access to U-Boot is extremely useful for development and debugging.

Let's figure out how to bypass this password!



First, we must have a dump of the firmware of the device - this is not within the scope of this tutorial, so I will assume you already have a firmware dump.

Searching for strings
Open your firmware dump in your favorite text editor, then search for a string related to this password.
The best string to use is "Please enter password:", because this is what appears when the password prompt is shown.

[Image: XMoCQNC.png]

We found the only instance of this string.

Now, I'd like to point out an interesting string right next to our password prompt string: qpwd.

It is not a coincidence that it sits right next to our password prompt.

Locating the password hash

Let's search for qpwd next.

The search returns 1 other result (excluding where we found the string originally).
[Image: TYHir4r.png]
Now, right next to our string is this other string: aa6670c39dc93b73a34605e4d14d5003
This appears to be an MD5 hash because it is exactly 128 bits (32 characters) and hexadecimal.

Cracking the hash

MD5 is not a very secure algorithm, so this hash should be relatively easy to crack! Luckily, they did not salt this hash at all, so it is vulnerable to a rainbow table lookup attack.

Load up your favorite rainbow table lookup site; I prefer HashKiller.
Search the hash, and bam!
[Image: 26pHuVt.png]

We got the result "D0nt4g3tme!". This is the bootloader password.


The last thing to do is test it out:
[Image: 1uFQ6lC.png]
It works. =)
25-08-2019, 11:15 AM
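The two steps above (find the prompt and marker strings in the dump, pull out the 32-hex-character token beside the marker, then look the digest up in a precomputed table) can be scripted. The following is an added example, not code from the post: the firmware image, the password behind the stored digest (DEMO_PASSWORD) and the wordlist are all constructed for the demo so it runs offline, and the salted variant at the end shows why the lookup only works because the vendor stored unsalted MD5.

```python
"""Find an MD5-style digest stored next to a marker string in a firmware
image, then try to recover the plaintext by precomputed lookup.

This is an added example, not code from the original post. The firmware
image below is CONSTRUCTED for the demo: the prompt text and the "qpwd"
marker mirror the post, but the stored digest is derived from a made-up
password (DEMO_PASSWORD) so everything runs offline.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

PROMPT = b"Please enter password:"
MARKER = b"qpwd"
# A 32-hex-char run that is not part of a longer hex run (so a SHA-1
# does not get truncated into a false MD5 candidate).
HEX32 = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")

DEMO_PASSWORD = "example-pass"  # hypothetical; not the modem's real password
DEMO_DIGEST = hashlib.md5(DEMO_PASSWORD.encode()).hexdigest().encode()

# Constructed string table, laid out the way the post describes it: the
# prompt and marker sit together once, and the marker reappears beside
# the digest elsewhere in the image.
FIRMWARE = (
    b"\x00" * 16
    + b"U-Boot 1.1.4\x00"
    + b"Hit Q to stop autoboot\x00"
    + PROMPT + b"\x00" + MARKER + b"\x00"
    + b"\x00" * 32
    + MARKER + b"\x00" + DEMO_DIGEST + b"\x00"
    + b"\x00" * 16
)

# Constructed wordlist standing in for a rainbow table / lookup service.
WORDLIST = ["password", "admin", "D0nt4g3tme", DEMO_PASSWORD, "hitron"]


def find_all(blob: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in blob (like `strings | grep`)."""
    offsets, start = [], 0
    while (pos := blob.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def digests_near(blob: bytes, marker: bytes, window: int = 128) -> List[Tuple[int, str]]:
    """32-hex-char tokens within `window` bytes of any marker hit,
    returned as (offset, digest) pairs, deduplicated by offset."""
    found: Dict[int, str] = {}
    for off in find_all(blob, marker):
        lo, hi = max(0, off - window), off + len(marker) + window
        for m in HEX32.finditer(blob[lo:hi]):
            found[lo + m.start()] = m.group().decode().lower()
    return sorted(found.items())


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext. This is the principle behind a
    rainbow table or online lookup site; it only works because the
    digest is unsalted MD5 of the bare password."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Plaintext for digest if it was precomputed, else None."""
    return table.get(digest.lower())


def salted_md5(salt: str, password: str) -> str:
    """What the vendor could have stored instead: the same precomputed
    table no longer matches, because the salt changes the hashed input."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def recover(blob: bytes, marker: bytes, words: List[str]) -> List[Tuple[int, str, Optional[str]]]:
    """End-to-end: locate candidate digests beside `marker`, then try to
    recover each plaintext from the wordlist."""
    table = build_lookup_table(words)
    return [(off, d, lookup(d, table)) for off, d in digests_near(blob, marker)]


if __name__ == "__main__":
    for off in find_all(FIRMWARE, PROMPT):
        print(f"prompt string at 0x{off:x}")
    for off, digest, plain in recover(FIRMWARE, MARKER, WORDLIST):
        print(f"0x{off:x}: {digest} -> {plain!r}")
    print("salted lookup:", lookup(salted_md5("s3cr3t", DEMO_PASSWORD),
                                   build_lookup_table(WORDLIST)))
```

To run it against a real dump, replace FIRMWARE with `open("dump.bin", "rb").read()` and WORDLIST with a real wordlist; to check the pair the post reports, compare `hashlib.md5(b"D0nt4g3tme!").hexdigest()` with the digest your dump yields next to qpwd.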
newname
Haxorware Expert

Posts: 395
Threads: 0
Joined: Jun 2012
Reputation: 18
#2
RE: [Tutorial] Reverse engineering a Hitron's bootloader password
Well, shiver me timbers and call me Mary-Lou...!
25-08-2019, 12:31 PM
ricktendo
Haxorware Expert

Posts: 268
Threads: 13
Joined: Apr 2014
Reputation: 22
#3
RE: [Tutorial] Reverse engineering a Hitron's bootloader password
Thanks for the awesome tutorial!!!
25-08-2019, 05:19 PM
blacklisted
Haxorware Enthusiast

Posts: 27
Threads: 0
Joined: Oct 2018
Reputation: 0
#4
RE: [Tutorial] Reverse engineering a Hitron's bootloader password
Make a whole series of these tuts; request if admin can make 'em a sticky.
25-08-2019, 05:53 PM
doctor
Senior Member

Posts: 195
Threads: 11
Joined: Mar 2017
Reputation: 11
#5
RE: [Tutorial] Reverse engineering a Hitron's bootloader password
Nice work. I tried before to retrieve the password but was never successful. I was also trying to get the MSO login password.

25-08-2019, 07:28 PM
BTC
Haxorware Enthusiast

Posts: 49
Threads: 5
Joined: Aug 2018
Reputation: 5
#6
RE: [Tutorial] Reverse engineering a Hitron's bootloader password
(25-08-2019, 07:28 PM)doctor Wrote: Nice work. I tried before to retrieve the password but was never successful. I was also trying to get the MSO login password.

The MSO password is probably "D0nt4g3tme" - which is similar to this password but not quite the same.

Also there is a password lock on the CLI/Production interface - if you would like I can explain how to bypass that too =).
25-08-2019, 09:35 PM
doctor
Senior Member

Posts: 195
Threads: 11
Joined: Mar 2017
Reputation: 11
#7
RE: [Tutorial] Reverse engineering a Hitron's bootloader password
(25-08-2019, 09:35 PM)BTC Wrote:
The MSO password is probably "D0nt4g3tme" - which is similar to this password but not quite the same.

Also there is a password lock on the CLI/Production interface - if you would like I can explain how to bypass that too =).

Cool, I will try that. For the CLI production interface, I have that password; it seems to work on all Hitrons I've tested on. The newer Hitrons I've worked on are not locked (cgn3AC, coda, cgn3acsmr), which is good.

25-08-2019, 10:45 PM
BTC
Haxorware Enthusiast

Posts: 49
Threads: 5
Joined: Aug 2018
Reputation: 5
#8
RE: [Tutorial] Reverse engineering a Hitron's bootloader password
(25-08-2019, 10:45 PM)doctor Wrote:
Cool, I will try that. For the CLI production interface, I have that password; it seems to work on all Hitrons I've tested on. The newer Hitrons I've worked on are not locked (cgn3AC, coda, cgn3acsmr), which is good.

http://www.haxorware.com/forums/showthread.php?tid=7311

Here I explain how to bypass the CLI production password, though I am curious what the actual password is if you have it.
26-08-2019, 12:02 AM