Hacking – Root @ NETGEAR DM111PBL ADSL2+
How to get a root shell on the NETGEAR DM111PBL?
The aim of this post is to get root access on the Netgear DM111PBL ADSL2+ Modem.
After opening the case of the device, we are able to remove the PCB and have a look at it.
On the bottom left there are four unequipped solder pads. Often this indicates a UART (GND, VCC, RX and TX). In this case the pads are labeled and we can easily attach a USB to UART adapter.
$ sudo picocom -b 115200 /dev/ttyUSB0 picocom v1.7 port is : /dev/ttyUSB0 flowcontrol : none baudrate is : 115200 parity is : none databits are : 8 escape is : C-a local echo is : no noinit is : no noreset is : no nolock is : no send_cmd is : sz -vv receive_cmd is : rz -vv imap is : omap is : emap is : crcrlf,delbs, Terminal ready U-Boot 1.1.5-1.0.4 (Oct 17 2008 - 12:52:10) relocate_code start relocate_code finish. type is 000000c2 type is 00000049/n Detect flash id is 300b1 Flash: 2 MB In: serial Out: serial Err: serial Net: Internal Clock Selected EPHY_MODE AMAZON_SE Switch Type "run flash_nfs" to mount root filesystem over NFS Hit any key to stop autoboot: 0 [...] starting pid 175, tty '': '/bin/sh' BusyBox v1.8.2 (2008-10-17 15:56:28 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. # cat /etc/passwd root:$1$VNLZCQXf$WM/JtugoRLaCQmWRO0B.Z/:0:0:root:/:/bin/sh nobody:$1$IO6TUKLr$X8tmDLSpdHClE/4vlqyIu.:99:99:Nobody:/:/sbin/sh admin:$1$HQWjB6so$Z5AQKY2Zr3yQoQbymi3bW/:1000:1000:Linux User,,,:/home/admin:/bin/sh # echo "$USER" root
Here we are with root access.