In this tutorial, we will dive into basic reverse engineering by researching a cable modem's bootloader password.
On the Hitron CDA3-35, when you interrupt the boot process (by pressing Q within the 3-second boot delay), you are prompted to enter a password like so:
![[Image: QEjDmKJ.png]](http://i.imgur.com/QEjDmKJ.png)
This is unfortunate, because access to the U-Boot console is extremely useful for development and debugging.
Let's figure out how to bypass this password!
First, we must have a dump of the firmware of the device - this is not within the scope of this tutorial, so I will assume you already have a firmware dump.
Searching for strings
Open your firmware dump in a hex editor (or run `strings` over it), then search for a string related to this password.
The best string to use is "Please enter password:", because this is what appears when the password prompt is shown.
![[Image: XMoCQNC.png]](http://i.imgur.com/XMoCQNC.png)
We found the only instance of this string.
Now, I'd like to point out an interesting string right next to our password prompt string: qpwd.
It is no coincidence that it sits right next to the password prompt; it looks like the name of the variable that holds the password.
Locating the password hash
Let's search for qpwd next.
The search returns 1 other result (excluding where we found the string originally).
![[Image: TYHir4r.png]](http://i.imgur.com/TYHir4r.png)
Right next to our string is this other string: aa6670c39dc93b73a34605e4d14d5003
This looks like an MD5 hash: it is exactly 32 hexadecimal characters, i.e. 128 bits, which is the output size of MD5. (Other 128-bit digests would look the same, but MD5 is by far the most common choice for a stored password in firmware like this, and the next step confirms it.)
Cracking the hash
MD5 is a fast hash with no work factor, so this hash should be relatively easy to crack. Even better for us, they did not salt it at all, so it can be looked up directly in a precomputed (rainbow) table or run through a wordlist offline.
Load up your favorite hash lookup site; I prefer HashKiller. (Offline, `hashcat -m 0` with a wordlist does the same job against raw MD5.)
Search the hash, and bam!
![[Image: 26pHuVt.png]](http://i.imgur.com/26pHuVt.png)
We got the result "D0nt4g3tme!". This is the bootloader password.
The last thing to do is test it out:
![[Image: 1uFQ6lC.png]](http://i.imgur.com/1uFQ6lC.png)
It works. =)
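The whole procedure above (find the prompt string, pull the printable strings near the `qpwd` key, pick out the 32-hex-character candidate, and verify it against a wordlist) can be scripted so you do not depend on a lookup site. The following is an added example and not code from the original tutorial. The firmware blob, the wordlist and the digest in it are constructed: the digest is MD5("password"), chosen because it is a known value; the real Hitron hash is not reproduced here, so to use this on a real dump replace FIRMWARE with the bytes of your file and WORDLIST with a real list.

```python
"""Locate a password hash near a known prompt in a raw firmware dump and
verify guesses against it with unsalted MD5 (added example, not the
tutorial's own code)."""
import hashlib
import re

# Constructed stand-in for a firmware dump: filler bytes plus the strings
# from the tutorial, laid out the way a U-Boot environment typically is.
# The digest below is MD5("password"); it is NOT the real Hitron hash.
FIRMWARE = (
    bytes(range(256)) * 2
    + b"Please enter password:\x00qpwd\x00"
    + bytes(range(50, 250))
    + b"qpwd=5f4dcc3b5aa765d61d8327deb882cf99\x00bootdelay=3\x00"
    + b"\xff" * 64
)

STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")      # same rule as `strings -n 4`
MD5_RE = re.compile(rb"\b[0-9a-fA-F]{32}\b")      # 128 bits as hex

def find_strings(blob, near=None, window=256):
    """(offset, text) for every printable run in blob; if `near` is given,
    keep only runs that lie within `window` bytes of an occurrence of it."""
    hits = [(m.start(), m.group().decode()) for m in STRINGS_RE.finditer(blob)]
    if near is None:
        return hits
    anchors = [m.start() for m in re.finditer(re.escape(near), blob)]
    return [(off, s) for off, s in hits
            if any(abs(off - a) <= window for a in anchors)]

def hash_candidates(blob, key=b"qpwd", window=256):
    """32-hex-char tokens found in strings near `key`; these are the
    MD5-sized values worth trying to crack."""
    out = []
    for off, s in find_strings(blob, key, window):
        for m in MD5_RE.finditer(s.encode()):
            out.append((off + m.start(), m.group().decode().lower()))
    return out

def crack_md5(digest, wordlist):
    """Unsalted MD5: hash each guess and compare. Returns the match or None."""
    digest = digest.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest:
            return word
    return None

def recover_password(blob, wordlist, key=b"qpwd"):
    """Tie the steps together: (digest, password) or None if nothing cracks."""
    for _, digest in hash_candidates(blob, key):
        pw = crack_md5(digest, wordlist)
        if pw is not None:
            return digest, pw
    return None

WORDLIST = ["admin", "1234", "hitron", "password", "D0nt4g3tme!"]  # constructed

if __name__ == "__main__":
    for off, s in find_strings(FIRMWARE, near=b"Please enter password:"):
        print(f"{off:#08x}  {s}")
    print(recover_password(FIRMWARE, WORDLIST))
```

The string scan uses the same minimum length as `strings -n 4`, and the hash regex is anchored on word boundaries so it will not match a 32-character slice of a longer hex blob. Because the hash is unsalted, `crack_md5` needs nothing but the digest; with a real dump and a real wordlist this is exactly what the lookup site did for us.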