2004 to 2016 Mazda 3 Forum and Mazdaspeed 3 Forums banner

1 - 20 of 56 Posts

·
Registered
Joined
·
4 Posts
Discussion Starter #1
Has anyone figured out what the password is for the "cmu" root user in V59? My V59 NA is stuck in a boot loop that has rendered the USB tweaks.sh method useless. I can access the serial console via 3.3V 232RL cable and I can log into the "user/jci" account. But I can't figure out what the "cmu" root user account password is so I can start fixing my CMU.
 

·
Registered
Joined
·
16 Posts
> Has anyone figured out what the password is for the "cmu" root user in V59? My V59 NA is stuck in a boot loop that has rendered the USB tweaks.sh method useless. I can access the serial console via 3.3V 232RL cable and I can log into the "user/jci" account. But I can't figure out what the "cmu" root user account password is so I can start fixing my CMU.
Is it not "jci" like previous versions?
 

·
Registered
Joined
·
304 Posts
> Has anyone figured out what the password is for the "cmu" root user in V59? My V59 NA is stuck in a boot loop that has rendered the USB tweaks.sh method useless. I can access the serial console via 3.3V 232RL cable and I can log into the "user/jci" account. But I can't figure out what the "cmu" root user account password is so I can start fixing my CMU.
I'm sorry! No one knows the new password of the root account in the new firmware version! I've asked Visteon and Johnson Controls, but they can't tell me!
I've tried using John the Ripper to crack the hash, but that's mission impossible!
 

·
Registered
Joined
·
143 Posts
I'm willing to help with that v59 shadow file to see if we can brute force that password. Can someone share it?
Just build a simple tweak, like background replace or something, and modify the tweaks.sh file to copy the /etc/passwd and /etc/shadow files over to the USB drive.

That's the easy part. I doubt you will brute force the password, since these likely do 256-bit or 512-bit encryption. It would be easier to just replace the /etc/shadow file with a modified version where the root password hash is replaced with the old one that was a hash of "jci".
 

·
Registered
Joined
·
71 Posts
They are using 256-bit so brute forcing requires some serious firepower. And then you hope that they (JCI) picked a fairly weak password. Who knows if they decided to step their security game up and made a real password. I don't know why they changed the root password but left in the USB vulnerability though. That doesn't make sense if you wanted to make a concerted effort to improve security of the system. If anybody wants to give it a go, here is the new /etc/passwd file.

Code:
cmu:$5$phNsaxamJ/6XE4D7$7N55BFA26mj2HtlpxF9cIXzT01GxfgZcWg9UU9vlYo4:0:0:root:/root:/bin/sh
service:x:1001:1001:Service User:/root:/bin/false
hmi:x:1002:1002:HMI User:/root:/bin/false
browser:x:1003:1003:Browser User:/root:/bin/false
user:WxKYMo36qB5CA:1000:1000:Linux User,,,:/tmp/user:/bin/sh
For the OP, I'm not sure the best course of action. You might be screwed. Unless someone does crack the password, your options are:

1. Replace the CMU through a service provider (such as a dealer)
2. Find a vulnerability that gives root (with the Linux version used)
3. Find a way to interrupt the watchdog, either pausing/stopping it or simulating the watchdog heartbeat (might require root)

I have no idea where to start with options 2 and 3. They might not even be possible.

This is why permanently disabling the watchdog OR changing the root password is CRITICAL prior to implementing any tweaks for the newer firmware versions. You could change the root password with the SSH bring back tweak, with a script through the USB method or manually if you set up temporary SSH access.
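
Added example (not part of the post above and not code from the CMU firmware): a small audit of passwd(5) records laid out like the file posted above, reporting the crypt(3) scheme of each password field ($5$ is SHA-256-crypt, a bare 13-character field is traditional DES crypt), whether a hash sits in the world-readable passwd file instead of being shadowed, and whether UID 0 is held under a name other than root. The sample lines are constructed with fake hashes; `classify`, `audit` and `SAMPLE` are names chosen for this example.

```python
import re

# crypt(3) "$id$" prefixes and whether the scheme is still considered adequate.
SCHEMES = {"1": ("MD5-crypt", False), "5": ("SHA-256-crypt", True),
           "6": ("SHA-512-crypt", True), "2b": ("bcrypt", True),
           "2y": ("bcrypt", True), "y": ("yescrypt", True)}
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")  # 2-char salt + 11-char hash

def classify(field):
    """Return (scheme, adequate) for a passwd/shadow password field."""
    if field == "x":
        return ("shadowed", True)   # real hash lives in /etc/shadow
    if field == "":
        return ("empty", False)     # no password required
    if field[0] in "*!":
        return ("locked", True)
    if field.startswith("$"):
        scheme_id = field.split("$")[1]
        return SCHEMES.get(scheme_id, ("unknown-$" + scheme_id, False))
    if DES_CRYPT.fullmatch(field):
        return ("DES-crypt", False)
    return ("unknown", False)

def audit(passwd_text):
    """Return (user, finding) pairs for the records of one passwd(5) file."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd(5) record
        user, pw, uid = fields[:3]
        scheme, adequate = classify(pw)
        if scheme not in ("shadowed", "locked", "empty"):
            findings.append((user, "hash in world-readable passwd: " + scheme))
        if not adequate:
            findings.append((user, "weak or missing protection: " + scheme))
        if uid == "0" and user != "root":
            findings.append((user, "UID 0 under a non-root name"))
    return findings

# Constructed sample in the layout of the posted file; the hashes are fake.
SAMPLE = "\n".join([
    "cmu:$5$constructedsalt$" + "A" * 43 + ":0:0:root:/root:/bin/sh",
    "service:x:1001:1001:Service User:/root:/bin/false",
    "user:abCDEFGHIJKLM:1000:1000:Linux User,,,:/tmp/user:/bin/sh",
])

if __name__ == "__main__":
    print("\n".join(u + ": " + f for u, f in audit(SAMPLE)))
```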
 

·
Registered
Joined
·
143 Posts
Does tweaks.sh run with root or super user permission? If so, why not use tweaks.sh to call sed to inline-replace the salt and hash from the cmu line in /etc/passwd with the old salt and hash for the password "jci"?
Here is a $hashtype$salt$password I just generated with the Python crypt module, via this on a Linux command line:

python -c 'import crypt; print crypt.crypt("jci", "$5$pJUW3ztI$")'

$5$pJUW3ztI$oJFQPOh0Xbv3LDvZQ4ElqFd7RntZxQm/f5IEP59ZK1A


Unless the system is designed to fail if the /etc/passwd file is tampered with, this should work, right? I mean, I've done this with success on other Linux systems.
 

·
Registered
Joined
·
306 Posts
> Does tweaks.sh run with root or super user permission? If so, why not use tweaks.sh to call sed to inline-replace the salt and hash from the cmu line in /etc/passwd with the old salt and hash for the password "jci"?
> Here is a $hashtype$salt$password I just generated with the Python crypt module, via this on a Linux command line:
>
> python -c 'import crypt; print crypt.crypt("jci", "$5$pJUW3ztI$")'
>
> $5$pJUW3ztI$oJFQPOh0Xbv3LDvZQ4ElqFd7RntZxQm/f5IEP59ZK1A
>
> Unless the system is designed to fail if the /etc/passwd file is tampered with, this should work, right? I mean, I've done this with success on other Linux systems.
Thanks to Sumire from JPN for restoring the old password.
Take a look at this and you will discover more about how and where.
 

Attachments

·
Registered
Joined
·
71 Posts
Sorry, I should have read the OP more closely: OP cannot run a tweak.sh but does have /bin/sh access as unprivileged user.
So, how about the privilege escalation exploit Dirty COW, which wasn't fixed until recently. Maybe that would be a way to write the passwd file.
Very interesting! It looks promising. I don't work with Linux enough so my experience in this realm is limited. I do have a system set up though and I'll look into this some more. There are a few projects listed that modify the password; you would just need to compile them for ARM. For the OP, you also need to make sure you can access the USB drive so you can run it.
 

·
Registered
Joined
·
71 Posts
Well, I looked into how the CMU system is set up and I'm not so sure about the exploit. There is a reason why they (JCI) have a convoluted method of updating the passwd file. They are actually storing the file in a read-only block on the flash of the CMU and the /etc/passwd file is just a link to it. The JCI password update script basically reads out this block to a temp directory, copies the new file over, and then writes back to the block. I'm not sure what this means for the "ready to go" Dirty Cow code that is available from that site. It might still work but I don't know.

This also means you cannot change any of the passwords with chpasswd or sed which is a good thing to know (as I did not!). If you are not in a boot loop, you could probably just remove the passwd file link and copy over a new file instead of using the JCI password update script.
 

·
Registered
Joined
·
57 Posts
I too am having the same issue: after running the new AA tweak I got a boot loop, and I forgot to run the SSH bring back tweak.
My options are: I can still log in to the CMU using user/jci, with which I can't do anything.

Any guesses..
 

·
Registered
Joined
·
71 Posts
> I too am having the same issue: after running the new AA tweak I got a boot loop, and I forgot to run the SSH bring back tweak.
> My options are: I can still log in to the CMU using user/jci, with which I can't do anything.
>
> Any guesses..
You're probably screwed unless someone figures out the password or a working exploit. The exploit discussed here could be something but you or someone else has to work it out. Sorry.
 

·
Registered
Joined
·
57 Posts
Well, it's not icj...

There is a difference between giving jci as the password and icj.

If it's jci, it prompts output like this:

cmu login: root
Password:
00:08:13.684 login[403] Info :) )
FGSN: 25305450267338706
cmu login:

If it's icj or any other password, it gives this:

cmu login: root
Password:
Login incorrect

So far something is not the same when giving the password as "jci", but I'm clueless.

I'm searching for any startup scripts that the user is allowed to modify, into which I can inject some commands, but so far I have failed.
I don't think we can get into single-user mode or a GRUB console to change the root password like on an ordinary Linux distro, since this is an ARM, but is there any chance that we can access the file system from outside?
 

·
Mazda 3 Owner
Joined
·
124 Posts
> I'm searching for any startup scripts that the user is allowed to modify, into which I can inject some commands, but so far I have failed.
> I don't think we can get into single-user mode or a GRUB console to change the root password like on an ordinary Linux distro, since this is an ARM, but is there any chance that we can access the file system from outside?
I'm not on v59, still on v56, so can't test this myself, but have you tried my SSH tweak (posted here)?

It's non-invasive (it doesn't change any files on the CMU, it just starts a new SSH daemon on port 7777), and since tweaks are run as root, you should be able to get root privs with it (it completely circumvents the need to know the "cmu" user password).
 

·
Registered
Joined
·
57 Posts
@Rolenie3: no, it's neither of them, 'visteon' or 'Visteon'. I'm still on V56.0.513; I assume that version was still JCI-owned... I could be wrong, but somehow it got changed.
@brightvalve
I too am on v56, and this can hit anyone who did not bring SSH back...
I can't apply any tweaks directly since it won't mount the USB, and I don't see the CMU running the *.up file as it's not in that state. (If it did, I could simply do a sed or cp command to revert the sm.conf with sm.conf.org using a tweak.)

But sshd -D -p 7777 -o "AuthorizedKeysFile $DIR/mazda-ssh.pub" -o "StrictModes no": can this be given straight to the CMU to get authorized with the key file? Do we need to stop the fw in order to do it?

There is another thread that talked about forcefully running the FAILSAFE, but it needs some nagging on the CMU board with some tools, which I don't have any idea about.
 