Hacking – Root @ NETGEAR DM111PBL ADSL2+

Hacking – Root @ NETGEAR DM111PBL ADSL2+

How to get a root shell on the NETGEAR DM111PBL?

The aim of this post is to get root access on the Netgear DM111PBL ADSL2+ Modem.


After opening the case of the device, we are able to remove the PCB and have a look at it.

On the bottom left there are four unequipped solder pads. Often this indicates a UART (GND, VCC, RX and TX). In this case the pads are labeled and we can easily attach a USB to UART adapter.

$ sudo picocom -b 115200 /dev/ttyUSB0
picocom v1.7

port is        : /dev/ttyUSB0
flowcontrol    : none
baudrate is    : 115200
parity is      : none
databits are   : 8
escape is      : C-a
local echo is  : no
noinit is      : no
noreset is     : no
nolock is      : no
send_cmd is    : sz -vv
receive_cmd is : rz -vv
imap is        : 
omap is        : 
emap is        : crcrlf,delbs,

Terminal ready
U-Boot 1.1.5-1.0.4 (Oct 17 2008 - 12:52:10)


 relocate_code start
 relocate_code finish.

 type is 000000c2
 type is 00000049/n Detect flash id is 300b1  
Flash:  2 MB
In:    serial
Out:   serial
Err:   serial
Net:   Internal Clock
Selected EPHY_MODE 
AMAZON_SE Switch

Type "run flash_nfs" to mount root filesystem over NFS

Hit any key to stop autoboot:  0
[...]
starting pid 175, tty '': '/bin/sh'


BusyBox v1.8.2 (2008-10-17 15:56:28 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /etc/passwd
root:$1$VNLZCQXf$WM/JtugoRLaCQmWRO0B.Z/:0:0:root:/:/bin/sh
nobody:$1$IO6TUKLr$X8tmDLSpdHClE/4vlqyIu.:99:99:Nobody:/:/sbin/sh
admin:$1$HQWjB6so$Z5AQKY2Zr3yQoQbymi3bW/:1000:1000:Linux User,,,:/home/admin:/bin/sh
# echo "$USER"
root

Here we are with root access.

Leave a Reply

Your email address will not be published. Required fields are marked *

*