
Password for "cmu" user in v59?

34K views 55 replies 17 participants last post by  Tristan-cx5 
#1 ·
Has anyone figured out what the password is for the "cmu" root user in V59? My V59 NA is stuck in a boot loop that has rendered the USB tweaks.sh method useless. I can access the serial console via 3.3V 232RL cable and I can log into the "user/jci" account. But I can't figure out what the "cmu" root user account password is so I can start fixing my CMU.
 
#7 ·
Just build a simple tweak, like a background replace or something, and modify the tweaks.sh file to copy the /etc/passwd and /etc/shadow files over to the USB drive.

That's the easy part. I doubt you will brute-force the password, since these likely do 256-bit or 512-bit encryption. It would be easier to just replace the /etc/shadow file with a modified version where the root password hash is replaced with the old one that was a hash of "jci".
 
#8 ·
They are using 256-bit, so brute-forcing requires some serious firepower. And then you hope that they (JCI) picked a fairly weak password. Who knows if they decided to step their security game up and made a real password. I don't know why they changed the root password but left in the USB vulnerability, though. That doesn't make sense if you wanted to make a concerted effort to improve the security of the system. If anybody wants to give it a go, here is the new /etc/passwd file.

Code:
cmu:$5$phNsaxamJ/6XE4D7$7N55BFA26mj2HtlpxF9cIXzT01GxfgZcWg9UU9vlYo4:0:0:root:/root:/bin/sh
service:x:1001:1001:Service User:/root:/bin/false
hmi:x:1002:1002:HMI User:/root:/bin/false
browser:x:1003:1003:Browser User:/root:/bin/false
user:WxKYMo36qB5CA:1000:1000:Linux User,,,:/tmp/user:/bin/sh

For the OP, I'm not sure the best course of action. You might be screwed. Unless someone does crack the password, your options are:

1. Replace the CMU through a service provider (such as a dealer)
2. Find a vulnerability that gives root (with the Linux version used)
3. Find a way to interrupt the watchdog, either pausing/stopping it or simulating the watchdog heartbeat (might require root)

I have no idea where to start with options 2 and 3. They might not even be possible.

This is why permanently disabling the watchdog OR changing the root password is CRITICAL prior to implementing any tweaks for the newer firmware versions. You could change the root password with the SSH bring back tweak, with a script through the USB method or manually if you setup temporary SSH access.
 
#9 ·
Does tweaks.sh run with root or super user permission? If so, why not use tweaks.sh to call sed to inline-replace the salt and hash from the cmu line in /etc/passwd with the old salt and hash for the password "jci"?
Here is a $hashtype$salt$password I just generated with the Python crypt module, via this on a Linux command line:

python -c 'import crypt; print(crypt.crypt("jci", "$5$pJUW3ztI$"))'

$5$pJUW3ztI$oJFQPOh0Xbv3LDvZQ4ElqFd7RntZxQm/f5IEP59ZK1A


Unless the system is designed to fail if the /etc/passwd file is tampered with, this should work, right? I mean, I've done this with success on other Linux systems.
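An added example (not code from the thread, and not JCI's or Mazda's code) that serves both the passwd file posted in #8 and the hash-generation idea in #9. The "$5$" prefix on the cmu line is glibc's sha256crypt scheme: a salted SHA-256 hash iterated 5000 times by default, not "256-bit encryption", and the 13-character field on the user line is the much weaker traditional DES crypt. The block below reimplements sha256crypt with hashlib only (the crypt module #9 used was removed in Python 3.13), verifies a stored hash in constant time, and audits passwd lines for UID-0 accounts and hash schemes. The sample passwd text is the one quoted in #8; the "jci"/pJUW3ztI pair is the one #9 generated, and the function names are this example's own.

```python
import hashlib
import hmac
import re

# Added example: hashlib-only sha256crypt ("$5$", Drepper's SHA-crypt spec) plus a
# passwd-line audit. Not code from the thread or from JCI.

_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_PREFIXES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
_SHA256CRYPT_RE = re.compile(r"^\$5\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./0-9A-Za-z]{43})$")

def _b64_from_24bit(b2, b1, b0, n):
    """crypt(3)-style base64: emit n 6-bit groups, least significant first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)

def sha256crypt(password, salt, rounds=5000):
    """Return the crypt(3) string "$5$<salt>$<43 chars>" for password/salt (bytes)."""
    salt = salt[:16]                      # glibc caps the salt at 16 bytes
    plen, slen = len(password), len(salt)
    # Digest B = SHA256(pw || salt || pw); digest A mixes pw, salt and B
    # according to the length (and the length bits) of the password.
    b = hashlib.sha256(password + salt + password).digest()
    ctx = hashlib.sha256(password + salt)
    ctx.update(b * (plen // 32) + b[:plen % 32])
    n = plen
    while n > 0:
        ctx.update(b if n & 1 else password)
        n >>= 1
    c = ctx.digest()
    # P and S byte sequences derived from the password and the salt.
    dp = hashlib.sha256(password * plen).digest()
    p_bytes = dp * (plen // 32) + dp[:plen % 32]
    ds = hashlib.sha256(salt * (16 + c[0])).digest()
    s_bytes = ds * (slen // 32) + ds[:slen % 32]
    # Stretching loop: 5000 rounds by default.
    for i in range(rounds):
        ctx = hashlib.sha256()
        ctx.update(p_bytes if i & 1 else c)
        if i % 3:
            ctx.update(s_bytes)
        if i % 7:
            ctx.update(p_bytes)
        ctx.update(c if i & 1 else p_bytes)
        c = ctx.digest()
    # Output bytes are permuted in the fixed order the spec defines.
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    enc = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in order)
    enc += _b64_from_24bit(0, c[31], c[30], 3)
    prefix = "$5$" if rounds == 5000 else "$5$rounds=%d$" % rounds
    return prefix + salt.decode("ascii") + "$" + enc

def verify_sha256crypt(password, stored):
    """Constant-time check of a candidate password against a stored $5$ hash."""
    m = _SHA256CRYPT_RE.match(stored)
    if not m:
        return False
    rounds = int(m.group(1)) if m.group(1) else 5000
    computed = sha256crypt(password, m.group(2).encode("ascii"), rounds)
    return hmac.compare_digest(computed.rsplit("$", 1)[1], m.group(3))

def classify_hash(field):
    """Name the scheme behind a passwd/shadow password field."""
    if field == "x":
        return "shadowed"                 # real hash lives in /etc/shadow
    if field == "" or field[0] in "*!":
        return "empty-or-locked"
    if field[:3] in _PREFIXES:
        return _PREFIXES[field[:3]]
    if len(field) == 13 and "$" not in field:
        return "des-crypt"                # 8-char max, 12-bit salt: weak
    return "unknown"

def audit_passwd(text):
    """Summarise each passwd line: who is UID 0 and which hash scheme is used."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        findings.append({"user": name, "uid": int(uid), "scheme": classify_hash(pw),
                         "uid0": int(uid) == 0, "shell": shell})
    return findings

# The passwd file quoted in #8 of the thread.
PASSWD_V59 = """\
cmu:$5$phNsaxamJ/6XE4D7$7N55BFA26mj2HtlpxF9cIXzT01GxfgZcWg9UU9vlYo4:0:0:root:/root:/bin/sh
service:x:1001:1001:Service User:/root:/bin/false
hmi:x:1002:1002:HMI User:/root:/bin/false
browser:x:1003:1003:Browser User:/root:/bin/false
user:WxKYMo36qB5CA:1000:1000:Linux User,,,:/tmp/user:/bin/sh
"""

if __name__ == "__main__":
    print(sha256crypt(b"jci", b"pJUW3ztI"))   # same string #9 got from crypt.crypt
    for f in audit_passwd(PASSWD_V59):
        print(f)
```

The audit shows the two things a defender cares about on this file: the only UID-0 account is cmu, with a proper salted, iterated hash, while the unprivileged user account still carries a DES-crypt hash in a world-readable passwd file rather than in /etc/shadow. To generate a hash for a new root password, as #8 recommends doing before applying tweaks, pass a fresh random salt (up to 16 characters from the crypt alphabet) to sha256crypt.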
 
#12 ·
Very interesting! It looks promising. I don't work with Linux enough so my experience in this realm is limited. I do have a system setup though and I'll look into this some more. There are a few projects listed that modify the password; you would just need to compile them for ARM. For the OP, you also need to make sure you can access the USB drive so you can run it.
 
#13 ·
Well, I looked into how the CMU system is setup and I'm not so sure about the exploit. There is a reason why they (JCI) have a convoluted method of updating the passwd file. They are actually storing the file in a read only block on the flash of the CMU and the /etc/passwd file is just a link to it. The JCI password update script basically reads out this block to a temp directory, copies the new file over, and then writes back to the block. I'm not sure what this means for the "ready to go" Dirty Cow code that is available from that site. It might still work but I don't know.

This also means you cannot change any of the passwords with chpasswd or sed which is a good thing to know (as I did not!). If you are not in a boot loop, you could probably just remove the passwd file link and copy over a new file instead of using the JCI password update script.
 
#17 ·
Well, it's not icj...

There is a difference between giving jci as the password and icj.

If it's jci, it prompts the output like this.

cmu login: root
Password:
00:08:13.684 login[403] Info :) )
FGSN: 25305450267338706
cmu login:

If it's icj or any other password, it gives this:

cmu login: root
Password:
Login incorrect

So something is not the same when giving the password as "jci", but I'm clueless..

I'm searching for any start-up scripts that the user is allowed to modify, into which I can inject some commands, but so far I have failed.
I don't think we can get into single-user mode or a GRUB console to change the root password like on an ordinary Linux distro, since this is an ARM, but is there any chance that we can access the file system from outside?
 
#19 ·
I'm searching for any start-up scripts that the user is allowed to modify, into which I can inject some commands, but so far I have failed.
I don't think we can get into single-user mode or a GRUB console to change the root password like on an ordinary Linux distro, since this is an ARM, but is there any chance that we can access the file system from outside?
I'm not on v59, still on v56, so can't test this myself, but have you tried my SSH tweak (posted here)?

It's non-invasive (it doesn't change any files on the CMU, it just starts a new SSH daemon on port 7777), and since tweaks are run as root, you should be able to get root privs with it (it completely circumvents the need to know the "cmu" user password).
 
#20 ·
@Rolenie3: No, it's not either of them, 'visteon' or 'Visteon'. I'm still on V56.0.513; I assume that version is still JCI-owned... I could be wrong, but somehow it got changed..
@brightvalve
I'm on v56 too, and this can hit anyone who has not brought their SSH back...
I can't apply any tweaks directly since it won't mount the USB, and I don't see the CMU running the *.up file as it's not in that state.. (If it did, I could simply do a sed or cp command to revert sm.conf to sm.conf.org using a tweak.)

But sshd -D -p 7777 -o "AuthorizedKeysFile $DIR/mazda-ssh.pub" -o "StrictModes no": can this give straight access to cmu, getting authorized with the key file? Do we need to stop the fw in order to do it?

There is another thread that talked about forcefully running the FAILSAFE, but it needs some fiddling with the CMU board with some tools I don't have any idea about..
 
#21 ·
I can't apply any tweaks directly since it won't mount the USB, and I don't see the CMU running the *.up file as it's not in that state.. (If it did, I could simply do a sed or cp command to revert sm.conf to sm.conf.org using a tweak.)
You should try to find out why it won't mount the USB and run the scripts. This is usually caused by incorrect formatting of the USB drive (it needs to have an old-fashioned MBR, not a GUID Partition map, and has to be formatted as FAT32), or having extraneous files on the drive (like the ones that Mac OS X tends to leave around).

But sshd -D -p 7777 -o "AuthorizedKeysFile $DIR/mazda-ssh.pub" -o "StrictModes no": can this give straight access to cmu, getting authorized with the key file? Do we need to stop the fw in order to do it?
It's not useful to run that command as a regular user, because you won't be able to log in as root. The idea of my tweak is that because USB tweaks are run as root, the sshd will be as well, and if it allows logging in using a key file (instead of a password) you can log in as a root-user without having to know the password.
 
#22 ·
No issue with the USB or the CMU, since it ran the AA tweak which led to a brick. So I'm using the same USB and now it's just not getting mounted.

I know it's root, but doesn't it need to get this key registered in the CMU's key store to get it authenticated?
I'm using a USB to TTL2 serial connection to get access; so far the SSH option also seems not enabled.
E.g. I don't see an IP getting registered in the CMU, and I tried using an Ethernet-to-USB cable which seems not to connect either, and I don't have authority to access the wifi :(

Simply put, I'm fucked, and the only option is to get this CMU into Failsafe mode, which needs a serious level of effort to flash an IC.
 
#23 ·
Yeah, if your CMU is (somewhat) bricked it's going to be a bit of a challenge.

If you have a serial connection, can you somehow interrupt the booting process and boot in single user mode and change the files from there? For SSH to work you'll need a working network connection first, which (I would imagine) also requires root access, so that won't be an option.
 
#24 ·
If you can't run scripts from USB at the moment, this won't help, but for anybody else, and for getting root on v59 in general: is it possible to run a script which would add another user with root privileges, or grant root privileges to the standard user account?
 
#29 ·
Yes, you can but the only way to change the password is using the password update scripts built into the firmware update (which was also made part of the SSH restore script that is floating around here). The passwd file is not stored on a writable section of the system; it is stored on a read only flash partition that is only accessible (for writing) through the update scripts.

However, the SSH restore script should be modified slightly as it restores the old passwd file where the root user was just root. New firmware updates actually check to see if the passwd file contains the root user and if so, replaces the passwd file (see code excerpt below). In other words, if you use the SSH restore script and then update your firmware, you lose root. If you had swapped in your own passwd file where you changed the cmu (root) user password (not user name), you will not lose root, assuming JCI doesn't change their update scripts in future firmware updates. I don't know how many people realize this so I was going to post this as a separate thread in the coming days and include an updated script and passwd file.

Code:
#!/bin/sh
export PATH=$PATH:/tmp
mkdir /config-mfg
mount -t squashfs  /dev/mtdblock5 /config-mfg
/tmp/config-update.sh --start
if grep '^root:' /config-mfg/passwd ; then
    # passwd needs updating
    cp /tmp/passwd /tmp/configtmp/passwd
    # authorized_keys needs to be added
    cp /tmp/authorized_keys /tmp/configtmp/authorized_keys

else
    cp /tmp/authorized_keys /tmp/configtmp/authorized_keys
fi
/tmp/config-update.sh --commit
 
#26 ·
Thanks for the replies..
@brightvalve: Yes, if I could do ssh -i root@localhost <Auth Pem file> under the user login, then I would be able to log in as root, but that also is not possible :(
@CuteHornyUnicorn, @championway: You can gain root/jci if you have run the SSH bring-back script, which seems not to be the case for me.

Does anyone know about U-Boot, which seems to be used to get into the bootloader menu on ARMs? Or how to pass an SSH command over a serial connection?
 
#27 ·
Just to let you know what is happening with the system..
OS info string.

0:00:09.174 kernel[] Note :) ) [ 0.000000] Linux version 3.0.35 (bsp@jci) (gcc version 4.5.2 20101026 (prerelease) (GCC) ) #1 SMP PREEMPT

Error logs during startup..

00:00:09.174 Std[] Error :) ) client: connect: No such file or directory
00:00:09.174 Std[] Error :) ) client: connect: No such file or directory
00:00:09.174 Std[] Error :) ) client: connect: No such file or directory
00:00:09.174 Std[] Error :) ) client: connect: No such file or directory
00:00:09.174 Std[] Error :) ) client: connect: No such file or directory
00:00:09.174 Std[] Error :) ) client: connect: No such file or directory
00:00:09.174 Std[] Error :) ) client: connect: No such file or directory
00:00:09.174 Std[] Error :) ) client: connect: No such file or directory
00:00:09.174 SM[252] Error (sm_launcherapi.cpp:290 SM_SVCLAUNCHER_CreateInstance) Socket connection error 101
00:00:09.174 SM[252] Error (sm_launcherapi.cpp:306 SM_SVCLAUNCHER_CreateInstance) client: failed to connect
00:00:09.174 SM[252] Error (sm_svclauncher.cpp:1660 main) SM_SVCLAUNCHER_CreateInstance returned 102:Communication Failure
00:00:09.174 SM[200] Info (sm.cpp:811 sm_ActionsForStoppedService) Svc settings[252] stopped!
00:00:09.174 SM[200] Info (sm.cpp:811 sm_ActionsForStoppedService) Svc system_mazda_my14[246] stopped!
00:00:09.174 SM[200] Critical (sm.cpp:2049 SM_StartNeededChildren) SM detected that the service "settings"

With the changes that happened to the sm.conf file, which is used heavily at boot time, the system can't create an SVC instance, so it's stuck there, unable to proceed to the next level. I believe the DHCP, wifi authentication and *.up file authentication are still not loaded, so no hope of getting the IP or running any USB tweaks..

Possibilities are..

1. Single mode using U-Boot or some other way that is used for ARM; I seek help if anyone has any idea.
I can manage Linux, but I have very little to no understanding of how this works on ARMs with IBS embedded boot-loaders for quick startups. Anyone who knows about these embedded systems, please help..

2. On my Linux system I created a less privileged user and tried to connect to the same machine using ssh -i root@localhost <authkey>, which is successful, but it's not on the CMU Linux ARM system.. I believe it's something with the permissions that this user has.. (SHIT)

I know the passwd hash for root, the x509 key and the perm cert.. Does anyone know a tool for how to do a brute-force attack? Given that our previous root password is simple, we can try 3- to 4-letter-only combinations; it won't need a lot of firepower, right...?
 
#28 ·
SO.. I was able to crack the root password, and it just makes me freak out.. It's jci, but I don't get logged in to the system.. I have a big Y now: has it been locked, or is something else preventing login to the system...

Here the output
D:\Mazda\after brick\password cracker\john180j1w\run>john Password2.txt --show
root:jci:0:0:root:/root:/bin/sh
user:jci:1000:1000:Linux User,,,:/tmp/user:/bin/sh
2 password hashes cracked, 0 left

As I mentioned in my previous post, there is a difference between me giving jci as the password and another one.. When I give jci, it doesn't take it, gives me some code, and goes back to login:

If it's jci, it prompts the output like this.

cmu login: root
Password:
00:08:13.684 login[403] Info :) )
FGSN: 25305450267338706
cmu login:

If it's icj or any other password, it gives this:

cmu login: root
Password:
Login incorrect
 
#30 ·
You are looking at the old username and password. If you have the later firmware versions, JCI changed the root login. The root login user is no longer root; the user is 'cmu' and the password is not 'jci' anymore. They definitely switched to a more secure password (SHA256). I already ran a dictionary attack against the password using the CrackStation word list and no luck. To go further down that rabbit hole requires significant fire power so I'm not really bothering with it.

Can you get into the system as the jci user and see if you can browse to the SD card or USB drive? If you could do that, then you might be able to use the dirty COW exploit discussed earlier in this thread. The way it might work is to write the kill watchdog command to one of the JCI scripts that starts with the system. Changing the password is out of the question because it is not stored on a writable partition (see my other reply).
 
#32 ·
@brightvalue: Yes, you are correct. It seems 403 is returned when I give jci; it seems I'm not allowed or am forbidden to access as root, but the password is correct.

In such a scenario I need su on the system, but..

~ $ login -p root
login: must be suid to work properly
~ $ su - root
su: must be suid to work properly
~ $

I know some ARMs can install superuser with various ways to root the device. However, in this case, since it's bricked, my options are limited. I can't even ssh to localhost:

/etc $ ssh root@localhost
ssh: connect to host localhost port 22: Network is unreachable

It's a classic brick which closes all the holes to gain access.. The final option is to flash the NOR IC, which I hope to do tomorrow at a car audio dealer who said he can flash ICs.. wish me luck guys..:)
 
#34 ·
~ $ login -p root
login: must be suid to work properly
~ $ su - root
su: must be suid to work properly
~ $
Ah too bad, incorrect permissions on those binaries :frown2:

I know some ARMs can install superuser with various ways to root the device. However, in this case, since it's bricked, my options are limited. I can't even ssh to localhost:

/etc $ ssh root@localhost
ssh: connect to host localhost port 22: Network is unreachable
I doubt it'll work, but try ssh root@127.0.0.1.

FWIW, I googled around a bit on how to boot into single user mode using Uboot, and it seems to be possible: look here and here. I've never done this myself, though.
 
#33 ·
MAZDA-AXL-SL said:
car audio dealer who said he can flash ICs.. wish me luck guys..:)
Why does he want to flash the NOR? If he has the socket to plug in on the CMU board, that's enough to wake it up with a shell command.

But one question before it becomes complex.. Does the USB port now have 5 volts? If no, then trick it with USB to TTL, and at the end of the TTL plug a female USB to insert the script for replacing sm.conf.
Any code you send to the CMU in this case will sync the USB too, and it can (maybe, I hope so) execute the script to do the job.
 