I managed to get root using clunc on my cloudbox running firmware v188.8.131.52. I created a script and put it on the "family" share, then I adjusted the uboot console variable to add to the kernel boot arguments in such a way that they get added to a file that gets sourced by several utilities at boot time. Details:
Contents of script:
/usr/sbin/telnetd -l /bin/sh
Ensure the script contains newlines and not carriage-returns (so don't use Notepad to create it). Copy it into the root of the "family" share on the cloudbox. Call it telnetd.sh.
Run clunc, reboot the cloudbox, then when the Marvell prompt shows up, change the console variable with the setenv command like so:
Marvell>> setenv console 'console=ttyS0,115200 a=a;/*/*/telnetd.sh'
Then type "ide reset" and "run nexus_boot".
After about 2 minutes, you should be able to telnet into a root shell.
This won't survive a reboot, so follow the other instructions provided in this thread to get secure-shell logins working.
For those interested in how this works, check out the file lib/drive_utils. This and other scripts source the file /etc/cmdline.conf without sanitizing the contents. The cmdline.conf file is built at boot time by /etc/init.d/cmdline, which simply splits apart (at spaces) the contents of /proc/cmdline (i.e. the boot parameters, including the uboot "console" variable), and each term is put into a var=val line in cmdline.conf, each variable prefixed with "cmdline_". So after booting with the above settings, my cmdline.conf contains this line:
When this gets sourced by drive_utils (and other places), "a=a" is executed and then "/*/*/telnetd.sh" is executed. The shell expands this to /shares/Family/telnetd.sh.
Also, I didn't want to change the root password, so instead, I gave my admin login a shell with this one-liner:
cp /etc/passwd /etc/passwd.bak && sed -i '/^admin:/s/false/bash/' /etc/passwd
Hmm, seems this isn't the reason that I cannot login as admin. So I did the ssh thing as follows:
cp /etc/initng/runlevel/default.runlevel /etc/initng/runlevel/default.runlevel.bak
sed -i '/^#sshd$/s/^#//' /etc/initng/runlevel/default.runlevel
cp /etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf /etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf.bak
sed -i '/enabled:.*false/s/:.*/: true/' /etc/unicorn/unicorn_conf/unicorn.sharing.ssh.conf
ngc --start sshd
Then for the keys:
ssh -o batchmode=yes 0.0.0.0 # creates .ssh with correct permissions
ssh-keygen # accept defaults, but be sure to enter a good passphrase
cp .ssh/id_rsa.pub .ssh/authorized_keys
chmod 600 .ssh/authorized_keys
cp .ssh/id_rsa* /shares/Family # note: this is insecure unless you entered a good passphrase
Then from my Windows box I connected to the Family share, loaded up the id_rsa file in PuTTYgen, entered the passphrase, saved the private key locally as a .ppk file, and loaded it up in Pageant. Then I connected to my cloudbox with PuTTY (on port 2222), entered the username of "root" and I was into a root shell. Free!!! After rebooting, I was still able to re-connect with PuTTY in the same way. Telnet no longer worked after the reboot, which is how it should be, and the telnetd.sh script can be removed from the Family share.
I'd prefer to be able to ssh in as admin and then su to root, but so far I haven't been able to work out why sshd is blocking me in this endeavor. More research needed.
Next? Perhaps I'll install some useful tools to replace the cut-down busybox ones - netstat and ps are too limited for my purposes.
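
The root cause described in the post is that cmdline.conf is generated from /proc/cmdline and then sourced as shell code. As an added example (not part of the original post and not the firmware's own code), here is a generator that only emits lines that are safe to source; the function name, the character allowlist and the value "1" for bare flags are assumptions.

```shell
#!/bin/sh
# Added example, not firmware code. Function name, allowlist and the "1" value
# for bare flags are assumptions made for this illustration.

# emit_cmdline_conf "<kernel command line>"
# Prints one cmdline_<name>='<value>' line per accepted term. The body runs in
# a subshell so that "set -f" and LC_ALL do not leak into the caller.
emit_cmdline_conf() (
    LC_ALL=C
    set -f                      # no pathname expansion while splitting terms
    for term in $1; do
        case $term in
            *=*) name=${term%%=*}; value=${term#*=} ;;
            *)   name=$term; value=1 ;;
        esac
        # The name must be a plain shell identifier.
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        # The value may hold only characters with no meaning to the shell.
        case $value in
            *[!A-Za-z0-9_,.:/=@+-]*) continue ;;
        esac
        # Single quotes keep the value literal when the file is sourced.
        printf "cmdline_%s='%s'\n" "$name" "$value"
    done
)

# Constructed sample: ordinary boot terms plus the console value from the post.
SAMPLE_CMDLINE='console=ttyS0,115200 a=a;/*/*/telnetd.sh root=/dev/sda1 quiet'

emit_cmdline_conf "$SAMPLE_CMDLINE"
```

The term containing ";" and "*" is dropped instead of being written out, so sourcing the result only assigns variables.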