Telnet access for version 4.19 is possible by using the information about which bit to patch in memory, given in the description "Access to the "ANET_MAN>" prompt with vxgdb", with the wtxtcl command wtxMemSet 0x00068b20 4 0x38600001 (li r3,1).
Some versions of the device include an active telnetd that is protected by an unknown authentication.
The unit answers on port 23/tcp (telnet), probably showing telnetLib:
VxWorks <vxTarget>
login : target
password : ********
Login/Password incorrect
login :
Having the memory patched to circumvent the login, the output looks like this:
VxWorks <vxTarget>
login :
ANET_MAN >
At this point you should read the ANET_MAN/SU_MAN commands (CLI-reference).
The unit allows five invalid login attempts before it gives:
Logon limit exceeded, bye bye
Also, there is a login timeout of P5m:
Timeout expired, bye bye
When trying to open a second telnet-session the unit responds:
Busy with another client, try again later ...
According to the VxWorks Reference Manual 5.4 Edition 1 the login security facility is installed, so telnetLib uses loginLib:
This library provides a login/password facility for network access to the VxWorks shell. When installed, it requires a user name and password match to gain access to the VxWorks shell from rlogin or telnet.
[…]
The login security feature is initialized by the root task, usrRoot(), in usrConfig.c, if the configuration macro INCLUDE_SECURITY is defined. Defining this macro also adds a single default user to the login table. The default user and password are defined as LOGIN_USER_NAME and LOGIN_PASSWORD.
LOGIN_USER_NAME:LOGIN_PASSWORD are defined as target:password.
[…]
The name/password pairs are added to the table by calling loginUserAdd(), which takes the name and an encrypted password as arguments. The VxWorks host tool vxencrypt is used to generate the encrypted form of a password. […]
This can be done from the shell, a start-up script, or application code.
There is also a paragraph about the handling of invalid attempts and the encryption algorithm:
The delay in prompting between unsuccessful logins is increased linearly with the number of attempts, in order to slow down password-guessing programs.
[…]
This library provides a simple default encryption routine, loginDefaultEncrypt(). This algorithm requires that passwords be at least 8 characters and no more than 40 characters. The routine loginEncryptInstall() allows a user-specified encryption function to be used instead of the default.
The wtxtcl code for patching the telnetd access is ready to work with any version. Use it with the jjaf.de ECI-ATU-memory-readout script package, executing telnetd-patch.tcl instead of the wtxtcl.cmd supplied with the package. It gives the following output:
jjaf.de ECI ATU-R telnetd-patch 1.0.0 (wtxtcl)
update on http://jjaf.de/support/eci/atu-r/telnetd/
---------------------------------------------------
registered targets:
{eci@station-5 tgtsvr rpc/station-5/192.168.20.5/570425345/1/tcp/1035}
{wtxregd@station-5 registry rpc/station-5/192.168.20.5/570425344/1/tcp}
connecting to eci: eci@station-5
model: Hi-FOCuS ANeT board - 850 SAR
memory: 0 + 4194288
CPU-type: 97
hasWriteProtect: 0
OS: type 1, version 5.4
bootline: 'cpm(0,0)ganesh:kuku g=192.168.20.10 e=192.168.20.80:ffffff00'
setting up code-signature
scanning memory for code-signature ...
changing 'li r3,0x0' to 'li r3,0x1'
{} 4 {00068b20} {38600000} {li r3, 0x0 (0)}
{} 4 {00068b20} {38600001} {li r3, 0x1 (1)}
exit.
This is currently untested with versions other than 4.19 (ac218bu, ac220bu)! If you happen to test it on another version, report the result!
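
As an added illustration (not part of the original page or of the jjaf.de script package), the following Python sketch decodes the two instruction words shown in the output above and in the wtxMemSet command, showing that the patch changes only the 16-bit immediate of a PowerPC "li r3" instruction. r3 is the register that carries a function's return value in the PowerPC calling convention. All function names are hypothetical and the sample readout bytes are constructed.

```python
import struct

# PowerPC D-form layout (big-endian): opcode(6) | rD(5) | rA(5) | SIMM(16)
OPCODE_ADDI = 14   # "li rD,imm" is the simplified mnemonic for "addi rD,0,imm"
OPCODE_ADDIS = 15  # "lis rD,imm" is the simplified mnemonic for "addis rD,0,imm"

def decode_dform(word):
    """Split a 32-bit instruction word into its D-form fields."""
    simm = word & 0xFFFF
    if simm & 0x8000:            # sign-extend the 16-bit immediate
        simm -= 0x10000
    return {"opcode": word >> 26, "rd": (word >> 21) & 0x1F,
            "ra": (word >> 16) & 0x1F, "simm": simm}

def disassemble(word):
    """Render addi/addis (and their li/lis forms); anything else as raw data."""
    f = decode_dform(word)
    if f["opcode"] in (OPCODE_ADDI, OPCODE_ADDIS):
        shifted = f["opcode"] == OPCODE_ADDIS
        if f["ra"] == 0:         # rA field 0 means the literal 0, not register r0
            return "%s r%d,%d" % ("lis" if shifted else "li", f["rd"], f["simm"])
        return "%s r%d,r%d,%d" % ("addis" if shifted else "addi",
                                  f["rd"], f["ra"], f["simm"])
    return ".long 0x%08x" % word

def changed_fields(before, after):
    """Return the D-form fields that differ between two instruction words."""
    a, b = decode_dform(before), decode_dform(after)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def words_from_dump(raw):
    """Unpack a big-endian memory readout into 32-bit words (tail bytes dropped)."""
    n = len(raw) // 4
    return list(struct.unpack(">%dI" % n, raw[:n * 4]))

if __name__ == "__main__":
    original, patched = 0x38600000, 0x38600001   # the two words from the page
    for w in (original, patched):
        print("%08x  %s" % (w, disassemble(w)))
    print("fields changed:", changed_fields(original, patched))
    # Constructed two-word readout, only to show decoding from raw bytes.
    sample = bytes.fromhex("386000004e800020")
    for w in words_from_dump(sample):
        print("%08x  %s" % (w, disassemble(w)))
```

Comparing a fresh memory readout against a known-good one with changed_fields() is a quick way to confirm whether the word at a given address still holds the original instruction.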