NBX password recovery

NBX password recovery

This page is here since there is a total lack of online support from 3com.

Many people have had problems with passwords on the 3com NBX phone system. This describes some of the ways you may be able to recover passwords with out reinstalling or reconfiguring the system.

The first thing your going to need is a serial port hooked to to a PC. You can get a "serial mouse extention cable" from your local computer vendor. They should be less than $10. You will need a communications program as well. Windows comes with a junky program which I ignore. Load TeraTerm or use minicom under Linux.

At the command prompt ("nbx100->") you can issue a number of commands.

Restore System Password

If your not running version R4 or higher you can enter the nbxDb tool.
nbx100-> nbxDb
DBITEST (? for help): X
encrypted admin pass ---> (!k4xs67LAt9B6lR7)
decrypted admin pass ---> (password)
DBITEST (? for help): quit

Easy right? Well they stoped showing the decrypted password sometime after Version R4_0_0. So we have to work harder to get it. Write down the bit after the '!' (or cut and paste it into notepad).

Finding any password

VxWorks (for PC 486) version 5.4.
Kernel: WIND version 2.5.
Made on Jul 11 2001, 13:35:01.
Boot line:
ata=0,0(0,0)host:/dos0/R3_0_13/vxWorks e= tn=nbx100 f=0x0 o=cs
value = 83 = 0x53 = 'S'
The ata= line will tell you the current running verion. This case we have R3_0_13.

Next we will try to get the password file used for the imap program which stores the users and hunt group passwords.

nbx100->copy "/htfs0/R3_0_13/NBoss/etc/passwd"
root:nbx:0:0:Root Account:/htfs0:/bin/sh
uid202:!ReyRLcQfy9:202:200:New User:/htfs0/home/q/uid202:csh
uid203:!J0ZQxU2F$9:203:201:test :/htfs0/home/h/uid203:csh

Decoding any password

Now we get to go right into the guts of vxWorks.
We start by adding some symbols. This only needs to be done once per system boot.

One bad number and you may have a locked up NBX too so be careful and it only works on R3_0_13, R4_0_14 or R4_1_21 and its got to be the same one I've got or else you'll be telling the system to run all sorts of strange stuff.

If you have R3_0_13 (This will break any other version real bad)
nbx100-> mySymAdd "h2",0x43ec14
nbx100-> mySymAdd "malloc",0x3707c4
nbx100-> mySymAdd "free",0x370ca8
nbx100-> mySymAdd "chicago",0x43e624

If you have R4_0_14 (This will break any other version real bad)
nbx100-> mySymAdd "h2",0x80502c
nbx100-> mySymAdd "malloc",0x7ff35c
nbx100-> mySymAdd "free",0x7ff840
nbx100-> mySymAdd "chicago",0x804a3c

If you have R4_1_21 you have far more work since they took away mySymAdd you will need these numbers below

Now allocate a 100 bytes of memory for R3 and R4_0 use
nbx100-> malloc 100
value = 60397620 = 0x3999834
nbx100-> mySymAdd "pa",0x3999834

For R4_1 use:
nbx100-> pa=0x8767e8(100)

Use the number returned by the malloc command, This will be different than the example above.

Now this will stay set up until you reset the NBX. If you want to free the memory for some reason:
nbx100-> free pa
This will leave the symbol which could cause problems if you use pa ever again. Since it only allocates 100 bytes of memory, it won't hurt to leave it allocated.

For R3 and R4_0:
nbx100-> h2 "!Ofm0uealStEsrx1",pa (this is the encrypted form of 8 zeros)
For R4_1:
nbx-100-> 0x87c4b8("!Ofm0uealStEsrx1",pa) For all:
nbx100-> d pa,10,4

0399c220:           30303030 30303030 00303000   *    00000000.00.*
0399c230:  31787273 00000000 005e1df0 00000000   *srx1......^.....*
0399c240:  00000000 005e1df0 00000000            *......^.........*
You have to look for the null (zeros) at the end.
0399c220:           30303030 30303030 00303000   *    00000000.00.*
                                      ^^                      ^
The function chicago will encode a password, h2 will decode it.
nbx100-> chicago "MySecret",pa for R4_1 you need to doit with 0x0x87bec8("MySecret",pa)
nbx100-> d pa,10,4
0399c220:           59733221 31244b57 68623231   *    !2sYWK$112bh*
0399c230:  31363352 00000000 005e1df0 00000000   *R361......^.....*
nbx100-> h2 "!2sYWK$112bhR361",pa
nbx100-> d pa,10,4
0399c220:           6553794d 74657263 00746500   *    MySecret.et.*
0399c230:  31363352 00000000 005e1df0 00000000   *R361......^.....*

If thats too hard, this web form might decode it:

This form talks to a lab NBX so it might not work all the time and it will stop working if its hit too often.

It's 106 miles to Chicago, we got a full tank of gas, half a pack of cigarettes, it's dark and we're wearing sunglasses. Hit it.

- Blues Brothers

Back to Tim's Homepage Back to current subject Related Links thogard@abnormal.com
 This page was last updated Tuesday, 21-Dec-2004 09:35:58 UTC Copyright 2000-2018 thogard™ is a trademark of Tim Hogard