Procedure for cracking the OpenWrt password on the Xingluo (星络) smart router

Procedure for cracking the admin password on the Xingluo (星络) smart router

I. Preparation

  • A TTL serial adapter and connecting wires (Dupont wires)


  • Prepare a reliable TTL connection, for example Dupont wires and soldered header pins. Leave the leftmost 3.3v pin unconnected.


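  • Open a serial terminal program (PuTTY, Xshell, Tabby, etc.). Set the baud rate to 115200 and leave the other settings at their defaults.

  • Plug in the power to boot the router. Output will scroll quickly in the terminal; when the lines below appear, press the F key and then Enter.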

    Press the [f] key and hit [enter] to enter failsafe mode
    Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level

  • The prompt shown in the original post's screenshot should now appear, which means the preparation is complete.

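II. Removing the password

First, thanks to 极度忄狂乱, an expert from the Xingluo router group, for providing this method.

  1. Enter the command mount_root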

    root@(none):/# mount_root
    [  881.454108] UBIFS: background thread "ubifs_bgt1_1" started, PID 116
    [  881.477898] random: procd: uninitialized urandom read (4 bytes read, 54 bits of entropy available)
    [  881.479354] UBIFS: recovery needed
    [  881.564674] UBIFS: recovery completed
    [  881.567407] UBIFS: mounted UBI device 1, volume 1, name "rootfs_data"
    [  881.573737] UBIFS: LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
    [  881.582880] UBIFS: FS size: 50663424 bytes (48 MiB, 399 LEBs), journal size 2539520 bytes (2 MiB, 20 LEBs)
    [  881.592500] UBIFS: reserved for root: 2392958 bytes (2336 KiB)
    [  881.598321] UBIFS: media format: w4/r0 (latest is w4/r0), UUID 08E08BC3-1505-45CA-99C0-90F0DBB46881, small LPT model
    [  881.612061] mount_root: switching to jffs2 overlay

  2. Next, enter chmod 0777 /overlay/etc/shadow

    root@(none):/# chmod 0777 /overlay/etc/shadow

  3. Next, enter ls -la /overlay/etc/ to check that write permission is present

    root@(none):/# ls -la /overlay/etc/
    drwxr-xr-x    8 root     root          1112 Mar  8 15:06 .
    drwxr-xr-x    8 root     root           680 Mar  8 15:07 ..
    drwxr-xr-x    2 root     root           312 Mar  8 15:07 bluetooth
    drwxr-xr-x    2 root     root          3128 Mar  8 15:23 config
    -rw-r--r--    1 nobody   nogroup          0 Mar  8 15:06 dnsmasq.time
    -rw-r--r--    1 root     root             0 Mar  8 15:06 ethers
    -rw-r--r--    1 root     root             0 Mar  8 15:06 firewall.blacklist
    -rw-r--r--    1 root     root             0 Mar  8 15:06 firewall.qos
    -rw-r--r--    1 root     root            35 Mar  8 15:06 fw_env.config
    -rw-------    1 root     root         11209 Dec 16  2019 monitrc
    -rw-r--r--    1 root     root           188 Mar  8 15:06 passwd
    drwxr-xr-x    2 root     root          1304 Mar  8 15:06 rc.d
    -rwxrwxrwx    1 root     root           198 Mar  8 15:06 shadow
    drwxr-xr-x    2 root     root           224 Mar  8 15:07 sysstat
    drwxr-xr-x    2 root     root           384 Mar  8 15:07 system
    drwxr-xr-x    2 root     root          1696 Mar  8 15:06 uci-defaults

  4. Enter sed -i '/.*root*/c\root::0:0:99999:7:::' /overlay/etc/shadow

    root@(none):/# sed -i '/.*root*/c\root::0:0:99999:7:::' /overlay/etc/shadow
    [ 1366.105626] random: sed: uninitialized urandom read (6 bytes read, 78 bits of entropy available)

  5. Enter cat /overlay/etc/shadow. If the first line starts with root::, the change succeeded

    root@(none):/# cat /overlay/etc/shadow 
    root::0:0:99999:7:::
    daemon:*:0:0:99999:7:::
    ftp:*:0:0:99999:7:::
    network:*:0:0:99999:7:::
    nobody:*:0:0:99999:7:::
    mosquitto:x:0:0:99999:7:::
    lldp:x:0:0:99999:7:::

  6. Reboot with reboot. The router restarts and output starts scrolling in the serial terminal again

    reboot

  7. Wait about a minute. When the output stops scrolling, the system has finished booting. Press Enter and the following prompt appears

    OpenWrt login: 

  8. Type root and press Enter. If the following banner appears, the crack succeeded

    BusyBox v1.25.1 (2019-12-16 18:42:56 CST) built-in shell (ash)
    
     _   _   ____     ___    ____
    | | | | |  _ \   / _ \  / ___|
    | |_| | | | | | | | | | \___ \
    |  _  | | |_| | | |_| |  ___) |
    |_| |_| |____/   \___/  |____/
     
    -----------------------------------------
     For those about to rock... (Chaos Calmer, unknown)
    -----------------------------------------
    root@OpenWrt:~# 
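
Steps 2 and 4 leave the shadow file with mode 0777 and an empty root password field. The check below for both conditions is an added example, not part of the original post; the function names audit_shadow and make_sample are hypothetical, and it assumes a shadow file should grant nothing to group or other (mode 0600).

```sh
#!/bin/sh
# Added example, not from the original post. audit_shadow FILE prints one
# finding per line and returns 1 if any were found, 0 if the file is clean.
audit_shadow() {
    file=$1
    rc=0
    # First field of `ls -ld` is the mode string, e.g. -rwxrwxrwx.
    mode=$(ls -ld "$file" | awk '{print $1}')
    # Characters 5-10 are the group and other bits; assumption: a shadow
    # file should grant nothing to either (mode 0600).
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "MODE $mode"; rc=1 ;;
    esac
    # Second colon-separated field is the password hash. An empty field
    # means the account logs in without a password.
    for user in $(awk -F: '$2 == "" { print $1 }' "$file"); do
        echo "EMPTY $user"
        rc=1
    done
    return $rc
}

# Constructed sample: the shadow contents shown in step 5, written to a
# temporary file with the 0777 mode set in step 2.
make_sample() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
mosquitto:x:0:0:99999:7:::
lldp:x:0:0:99999:7:::
EOF
    chmod 0777 "$sample"
    echo "$sample"
}

# Run against a file given on the command line, otherwise the sample.
if [ $# -gt 0 ]; then target=$1; else target=$(make_sample); fi
audit_shadow "$target" || echo "findings reported for $target"
```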

https://blog.jishu6.com:18080//archives/xl-openwrt-root
Author: tab
Published: March 8, 2023