> > I want to get access to the file system on this device, and the only way seems to
> > be to break the root password, and the only way I can see to do that is to remove
> > the NAND chip, read its contents, and see if I can find the password file, and work
> > from there in dumping it to pass it through a cracker. However having followed this
> > discussion I am wondering if there may possibly be another way of getting into it
> > with removing the chip.
>
> Hardware wise, it would be JTAG, so if you can find the JTAG header and hook up an
> adapter, you should be able to read the raw data. Of course, this is probably
> compressed, but if you have the image, you should be able to mount the image file on
> a Linux host.
>
> Is there any way to interrupt the bootloader and modify the kernel command line? You
> might be able to boot it in single user mode:
> http://www.debuntu.org/recover-root-password-single-user-mode-and-grub

OK, those are both methods I hadn't considered. I'll have to open the box and have a look for the JTAG connector - or maybe just look up the chip datasheet to see if it has JTAG ... sounds like tonight's homework ...

I am guessing that the file system on the "hard disk" is yaffs or one of its variants. If one was to copy the NAND contents onto a USB stick (doing any error correction along the way - that doesn't faze me) could it be plugged straight into a Linux system and be recognised? I'm thinking in terms of taking each NAND block in turn as a logical block, and copying it to the same logical block on a USB stick.

The only way to hook up a terminal is using Ethernet, as the screen on the device only shows a 'booting' message and no Linux prompts. Would it be possible to interrupt the boot process this way? My suspicion is that this wouldn't be active until it was already up and running in multi-user mode.

I suspect the file system on the NAND device is loaded into RAM for eventual execution (possibly undergoing decompression on the way) so I guess if I let it boot up, then maybe that could be probed for the password file.

Maybe this is what the OP wants to do, which is why he is asking about memory addresses? Maybe the OP and I are wanting to do the same thing?

If this is what happens to the NAND contents I presume there will be a kernel that will be copied into RAM, then any currently necessary files will be copied to the RAM FS after that by the now running kernel?
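
Added example (not part of the original post): the block-by-block copy discussed above starts from a raw chip dump, in which each page's data bytes are typically followed by its spare (OOB) bytes. This Python code separates the two areas and lists pages that are still erased; the 2048+64 geometry, the data-then-spare layout and all function names are assumptions to be checked against the chip datasheet, and the sample dump is constructed.

```python
# Added example: split a raw NAND dump into data and spare (OOB) bytes.
# Geometry defaults are assumptions; take the real ones from the chip datasheet.

def split_dump(raw, page_data=2048, page_oob=64):
    """Return (data, oob) for a dump laid out page by page as data + spare."""
    stride = page_data + page_oob
    if not raw or len(raw) % stride:
        raise ValueError(
            f"dump is {len(raw)} bytes, not a multiple of {stride}: wrong geometry?")
    data, oob = bytearray(), bytearray()
    for off in range(0, len(raw), stride):
        data += raw[off:off + page_data]           # main area of this page
        oob += raw[off + page_data:off + stride]   # spare area (ECC, FS tags)
    return bytes(data), bytes(oob)


def erased_pages(raw, page_data=2048, page_oob=64):
    """Page numbers that are still erased (every data and spare byte is 0xFF)."""
    stride = page_data + page_oob
    blank = b"\xff" * stride
    return [i for i in range(len(raw) // stride)
            if raw[i * stride:(i + 1) * stride] == blank]


def make_sample_dump(page_data=16, page_oob=4):
    """Constructed 4-page dump with a tiny geometry so it is easy to inspect."""
    pages = []
    for n in range(3):
        pages.append(bytes([0x41 + n]) * page_data + bytes([n]) * page_oob)
    pages.append(b"\xff" * (page_data + page_oob))  # never-programmed page
    return b"".join(pages)


if __name__ == "__main__":
    raw = make_sample_dump()
    data, oob = split_dump(raw, 16, 4)
    print(len(data), "data bytes,", len(oob), "spare bytes")
    print("erased pages:", erased_pages(raw, 16, 4))
```

If the file system is yaffs as guessed above, keep the spare bytes alongside the data: yaffs normally stores its per-chunk tags there.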