Many people have had problems with passwords on the 3com NBX phone system. This describes some of the ways you may be able to recover passwords with out reinstalling or reconfiguring the system.
The first thing your going to need is a serial port hooked to to a PC. You can get a "serial mouse extention cable" from your local computer vendor. They should be less than $10. You will need a communications program as well. Windows comes with a junky program which I ignore. Load TeraTerm or use minicom under Linux.
At the command prompt ("nbx100->") you can issue a number of commands.
Easy right? Well they stoped showing the decrypted password sometime after Version R4_0_0. So we have to work harder to get it. Write down the bit after the '!' (or cut and paste it into notepad).
Next we will try to get the password file used for the imap program which stores the users and hunt group passwords.
nbx100->copy "/htfs0/R3_0_13/NBoss/etc/passwd"
root:nbx:0:0:Root Account:/htfs0:/bin/sh
uid202:!ReyRLcQfy9:202:200:New User:/htfs0/home/q/uid202:csh
uid203:!J0ZQxU2F$9:203:201:test :/htfs0/home/h/uid203:csh
One bad number and you may have a locked up NBX too so be careful and it only works on R3_0_13, R4_0_14 or R4_1_21 and its got to be the same one I've got or else you'll be telling the system to run all sorts of strange stuff.
If you have R3_0_13 (This will break any other version real bad)
nbx100-> mySymAdd "h2",0x43ec14
nbx100-> mySymAdd "malloc",0x3707c4
nbx100-> mySymAdd "free",0x370ca8
nbx100-> mySymAdd "chicago",0x43e624
If you have R4_0_14 (This will break any other version real bad)
nbx100-> mySymAdd "h2",0x80502c
nbx100-> mySymAdd "malloc",0x7ff35c
nbx100-> mySymAdd "free",0x7ff840
nbx100-> mySymAdd "chicago",0x804a3c
If you have R4_1_21 you have far more work since they took away mySymAdd you
will need these numbers below
"h2",0x87c4b8
"malloc",0x8767e8
"free",0x876ccc
"chicago",0x87bec8
Now allocate a 100 bytes of memory for R3 and R4_0 use
nbx100-> malloc 100
value = 60397620 = 0x3999834
nbx100-> mySymAdd "pa",0x3999834
For R4_1 use:
nbx100-> pa=0x8767e8(100)
Use the number returned by the malloc command, This will be different than the example above.
Now this will stay set up until you reset the NBX.
If you want to free the memory for some reason:
nbx100-> free pa
This will leave the symbol which could cause problems
if you use pa ever again. Since it only allocates 100 bytes of memory, it won't
hurt to leave it allocated.
For R3 and R4_0:
nbx100-> h2 "!Ofm0uealStEsrx1",pa (this is the encrypted form of 8 zeros)
For R4_1:
nbx-100-> 0x87c4b8("!Ofm0uealStEsrx1",pa)
For all:
nbx100-> d pa,10,4
0399c220: 30303030 30303030 00303000 * 00000000.00.*
0399c230: 31787273 00000000 005e1df0 00000000 *srx1......^.....*
0399c240: 00000000 005e1df0 00000000 *......^.........*
You have to look for the null (zeros) at the end.
0399c220: 30303030 30303030 00303000 * 00000000.00.*
^^ ^
The function chicago will encode a password, h2 will decode it.
nbx100-> chicago "MySecret",pa for R4_1 you need to doit with 0x0x87bec8("MySecret",pa)
nbx100-> d pa,10,4
This form talks to a lab NBX so it might not work all the time and
it will stop working if its hit too often.
0399c220: 59733221 31244b57 68623231 * !2sYWK$112bh*
0399c230: 31363352 00000000 005e1df0 00000000 *R361......^.....*
nbx100-> h2 "!2sYWK$112bhR361",pa
nbx100-> d pa,10,4
0399c220: 6553794d 74657263 00746500 * MySecret.et.*
0399c230: 31363352 00000000 005e1df0 00000000 *R361......^.....*
If thats too hard, this web form might decode it:
It's 106 miles to Chicago, we got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses. Hit it.
- Blues Brothers
| Back to Tim's Homepage | Back to current subject | Related Links | thogard@abnormal.com |
| This page was last updated Tuesday, 21-Dec-2004 09:35:58 UTC | Copyright 2000-2020 | thogard™ is a trademark of Tim Hogard | |