
JDSU / VIAVI JD745B, JD785A, JD785B - A firmware investigation


FlexibleMammoth:
After looking for a nice, compact spectrum analyzer / vector network analyzer for my home lab, I recently pulled the trigger on a used JDSU / VIAVI JD785A.

I previously had a look at the existing JD745A threads and found that they provide easy root login by running a script as root from a USB stick. Unfortunately, the newer JD745B, JD785A, JD785B models share a firmware that no longer exhibits this behavior. Instead, there is a binary recovery OS that allows one to install another binary firmware file.

The recovery consists of the files Recovery and Recovery_lk2, which appear to be the same, and a system.dat containing the emergency OS. As for the firmware itself, it has some version information at the beginning and the rest appears to be compressed or encrypted, but other than that, there is no indication of its composition.

Has anyone been lucky in obtaining root, or information on the firmware structure?

Thanks :)

zrq:
I'm also interested in acquiring such a JDSU device as a portable VNA, so I poked into their firmware. Apparently the .FW firmware image is not encrypted at all, but is simply in gzip format with a modified header. The original header is replaced by a string that is checked in the update process, and the correct gzip header is at the bottom of the image file. You can load the unstripped Recovery ELF into GHIDRA and check it out yourself.

So if one wants to explore what's in the image, one can load the .FW in a hex editor, move (copy and delete) the last 30 bytes to the head of the file (overwriting), and then it can be uncompressed by a tool that you prefer (like 7zip).

One possible approach to gain root is to modify the scripts in the firmware image and craft a new .FW file. I didn't see any signature check, so I think it should be possible; it just needs a brave guy with hardware to try this out...
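To make the layout described in this post concrete, here is a small added example (my own code, not the vendor's tool and not something posted in this thread). It assumes exactly what the post states: the first 30 bytes of the .FW file are a marker string and the real first 30 bytes of the gzip stream sit at the end of the file. The marker string and the sample payload are constructed stand-ins; the vendor's actual marker is not reproduced here.

```python
"""Restore and unpack a gzip image whose first 30 bytes were replaced by a
marker string and whose original head bytes were appended at the tail.

Added example for this thread, not vendor code.  The 30-byte figure comes from
the post above; MARKER and SAMPLE_PAYLOAD are constructed for the demo."""
import gzip

HEADER_LEN = 30                              # displaced bytes, per the post
GZIP_MAGIC = b"\x1f\x8b"                     # every gzip member starts with these two bytes
# Constructed stand-in for the string the updater checks (not the real one).
MARKER = b"CONSTRUCTED-FW-MARKER-000000".ljust(HEADER_LEN, b"\0")

# Constructed stand-in for the content of an update package.
SAMPLE_PAYLOAD = b"\n".join([
    b"#!/bin/sh",
    b"# constructed stand-in for the scripts found inside an update package",
    b"echo 'applying update 0.0.0-constructed'",
    b"tar -xzf /tmp/app.tar.gz -C /app",
    b"cp /app/script/run_FW_1.sh /usr/local/bin/",
    b"sync",
]) + b"\n"


def is_displaced_gzip(blob: bytes) -> bool:
    """Heuristic: the head lacks the gzip magic but the trailing bytes carry it."""
    return (len(blob) > 2 * HEADER_LEN
            and not blob.startswith(GZIP_MAGIC)
            and blob[-HEADER_LEN:].startswith(GZIP_MAGIC))


def restore_image(blob: bytes) -> bytes:
    """Move the trailing HEADER_LEN bytes over the head of the image and drop the tail."""
    if len(blob) <= 2 * HEADER_LEN:
        raise ValueError("image too short to contain a displaced header")
    restored = blob[-HEADER_LEN:] + blob[HEADER_LEN:-HEADER_LEN]
    if not restored.startswith(GZIP_MAGIC):
        raise ValueError("restored head lacks the gzip magic; the layout assumption does not hold")
    return restored


def unpack_image(blob: bytes) -> bytes:
    """Undo the header swap and decompress the gzip stream."""
    return gzip.decompress(restore_image(blob))


def make_sample_image(payload: bytes) -> bytes:
    """Constructed stand-in for a .FW file: compress, then apply the transformation
    the post describes (marker at the head, real head bytes at the tail)."""
    real = gzip.compress(payload, mtime=0)
    assert len(real) > 2 * HEADER_LEN, "sample payload compresses too small for the demo"
    return MARKER + real[HEADER_LEN:] + real[:HEADER_LEN]


if __name__ == "__main__":
    image = make_sample_image(SAMPLE_PAYLOAD)
    print("looks like a displaced gzip image:", is_displaced_gzip(image))
    print("round trip ok:", unpack_image(image) == SAMPLE_PAYLOAD)
```

The `is_displaced_gzip` check is the part worth keeping around: it lets you confirm the layout before touching anything, and `restore_image` refuses to proceed when the recovered head does not start with the gzip magic.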

zrq:
There is a root password hash in LKII_FW_3.120.043-rd946d9a.FW\UpgradePackageTree\app.tar.gz\app.tar\app\script\run_FW_1.sh

--- Code: ---sed -i 's|root::0:0:root:/root:/bin/bash|root:$1$qwixm66f$W/YVCVn5OcusO4ppJnChl0:0:0:root:/root:/bin/bash|' /etc/passwd
--- End code ---

I don't know if the system has dropbear listening by default (before my JD785A arrives), but I have started hashcating... It would be nice if someone else could join, as I don't have discrete graphics cards.

zrq:
FTP password:

--- Code: ---CellAdvisorMobile mu%=%3Yr@DSN
ca4g 0000

--- End code ---

Unfortunately, if the developers used a similarly complex password for the root account, then hashcat will not be able to find it.

zrq:

--- Quote from: zrq on February 11, 2024, 02:10:25 pm ---There is a root password hash in LKII_FW_3.120.043-rd946d9a.FW\UpgradePackageTree\app.tar.gz\app.tar\app\script\run_FW_1.sh

--- Code: ---sed -i 's|root::0:0:root:/root:/bin/bash|root:$1$qwixm66f$W/YVCVn5OcusO4ppJnChl0:0:0:root:/root:/bin/bash|' /etc/passwd
--- End code ---

I don't know if the system has dropbear listening by default (before my JD785A arrives), but I have started hashcating... It would be nice if someone else could join, as I don't have discrete graphics cards.

--- End quote ---

Easier than expected:
$1$qwixm66f$W/YVCVn5OcusO4ppJnChl0:SiG2018

Session..........: hashcat
Status...........: Cracked
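The two findings in this thread (a root hash written into /etc/passwd by an update script, and a plaintext service password shipped in the image) are exactly what a firmware audit should flag before a device ships. The following added example (my own code, not from the vendor or from anyone in this thread) scans an extracted update script for those patterns and rates any crypt(3) hash it finds by its scheme identifier, so an MD5-crypt (`$1$`) root hash shows up as weak. The sample script, hashes and passwords inside it are constructed; the real ones from the image are deliberately not reproduced.

```python
"""Audit an extracted firmware update script for credentials baked into the image.

Added example for this thread, not vendor code.  Finds crypt(3) hashes written
into /etc/passwd or /etc/shadow and rates them by scheme, and flags plaintext
credentials passed to curl/wget.  SAMPLE_SCRIPT is constructed."""
import re

# crypt(3) scheme identifiers and how a defender should rate them.
HASH_SCHEMES = {
    "1": ("MD5-crypt", "weak"),          # fast, unsalted-iteration-count; cracks quickly
    "5": ("SHA256-crypt", "acceptable"),
    "6": ("SHA512-crypt", "acceptable"),
    "2a": ("bcrypt", "strong"),
    "2b": ("bcrypt", "strong"),
    "2y": ("bcrypt", "strong"),
    "y": ("yescrypt", "strong"),
}

# user:$id$salt$hash:  as it would appear in a passwd/shadow line or a sed replacement
CRYPT_HASH_RE = re.compile(
    r"(?P<user>[A-Za-z_][A-Za-z0-9_-]*):(?P<hash>\$(?P<id>[0-9A-Za-z]+)\$[./0-9A-Za-z$]+):")
# curl -u user:pass, wget --user=... --password=..., etc.
PLAINTEXT_RE = re.compile(
    r"(?:-u|--user[= ])\s*(?P<user>[^:\s]+):(?P<pw>\S+)|--password[= ]\s*(?P<pw2>\S+)")

# Constructed stand-in for an update script; hashes and passwords are not real.
SAMPLE_SCRIPT = """#!/bin/sh
# constructed stand-in for an update script
sed -i 's|root::0:0:root:/root:/bin/bash|root:$1$c0nstrct$AbCdEfGhIjKlMnOpQrStUv:0:0:root:/root:/bin/bash|' /etc/passwd
sed -i 's|svc:x:|svc:$6$c0nstrct$ExampleSha512HashValue00000000000000000000000000000000000000000000:|' /etc/shadow
curl -u svc:constructed-pass ftp://192.0.2.10/status
wget --password=constructed-pw2 ftp://192.0.2.10/firmware.bin
echo 'update finished'
"""


def classify_hash(h: str):
    """Return (scheme name, rating) for a crypt(3) string such as '$1$salt$hash'."""
    m = re.match(r"\$(?P<id>[0-9A-Za-z]+)\$", h)
    if not m:
        return ("unknown", "unknown")
    return HASH_SCHEMES.get(m.group("id"), ("unknown", "unknown"))


def audit_script(text: str) -> list:
    """Scan script text line by line; return one finding dict per credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if "/etc/passwd" in line or "/etc/shadow" in line:
            for m in CRYPT_HASH_RE.finditer(line):
                scheme, rating = classify_hash(m.group("hash"))
                findings.append({"line": lineno, "kind": "embedded-hash",
                                 "user": m.group("user"), "scheme": scheme, "rating": rating})
        for m in PLAINTEXT_RE.finditer(line):
            findings.append({"line": lineno, "kind": "plaintext-credential",
                             "user": m.group("user") or "?", "scheme": "none",
                             "rating": "exposed"})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rating, e.g. {'weak': 1, 'acceptable': 1, 'exposed': 2}."""
    counts = {}
    for f in findings:
        counts[f["rating"]] = counts.get(f["rating"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_script(SAMPLE_SCRIPT):
        print(f)
    print(summarize(audit_script(SAMPLE_SCRIPT)))
```

Anything rated `weak` or `exposed` is a release blocker: a per-device password set at first boot, or at least a SHA512-crypt/bcrypt hash of a long random secret, removes the cheap offline attack this thread demonstrates.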
