Pica8 P-3297 Switch

This document details the procedure used to recover the password of a Pica8 P-3297 switch running PicOS 2.6.

User can use the procedure to gain access to the switch without knowing the password.

1. Power on the switch, and hit Ctrl-C when asked to reach the U-Boot prompt.

   U-Boot 2009.11(Kennisis Beta 3.5.4 Pica8)-svn1619 (Jan 22 2014 - 14:06:09)
   CPU0:  P2020, Version: 2.1, (0x80e20021)
   Core:  E500, Version: 5.1, (0x80211051)
   Clock Configuration:
          CPU0:800  MHz, CPU1:800  MHz, 
          CCB:400  MHz,
          DDR:333.333 MHz (666.667 MT/s data rate) (Asynchronous), LBC:25   MHz
   L1:    D-cache 32 kB enabled
          I-cache 32 kB enabled
   I2C:   ready
   DRAM:  Configuring DDR for 666.667 MT/s data rate
   DDR:  2 GB
   FLASH: 64 MB
   L2:    512 KB enabled
   NAND:  1024 MiB
   *** Warning - bad CRC, using default environment
   EEPROM: NXID v0
       eTSEC2 is in sgmii mode.
       eTSEC3 is in sgmii mode.
       PCIE2: disabled
       PCIE1 connected to Slot 2 as Root Complex (base addr ffe0a000)
                  Scanning PCI bus 01
           01  00  14e4  b634  0200  00
       PCIE1 on bus 00 - 01
   In:    serial
   Out:   serial
   Err:   serial
   Net:   get_phy_info: find the matched ID.
   get_phy_info: find the matched ID.
   eTSEC3: No support for PHY id ffffffff; assuming generic
   eTSEC2, eTSEC3
   Hit Ctrl^C to stop autoboot:  0 
   =>

2. At the U-Boot prompt, enter the run norrescueboot command, to boot a Linux kernel.

   => run norrescueboot
   WARNING: adjusting available memory to 30000000
   ## Booting kernel from Legacy Image at efb00000 ...
   Image Name: Linux-2.6.32
   Created: 2014-01-13 6:10:08 UTC
   Image Type: PowerPC Linux Kernel Image (gzip compressed)
   Data Size: 3324196 Bytes = 3.2 MB
   Load Address: 00000000
   Entry Point: 00000000
   Verifying Checksum ... OK
   ## Loading init Ramdisk from Legacy Image at ec000000 ...
   Image Name: uboot ext2 ramdisk rootfs
   Created: 2014-01-13 6:16:19 UTC
   Image Type: PowerPC Linux RAMDisk Image (gzip compressed)
   Data Size: 20854405 Bytes = 19.9 MB
   Load Address: 00000000
   Entry Point: 00000000
   Verifying Checksum ... OK
   
   
   <Some output omitted>
    
   POST test end
   diag post pass!
   [root@Kennisis /]#

3. Mount the SD/CF memory card.

   [root@Kennisis /]# mount /dev/sda1 /tmp

4. Open the /tmp/etc/shadow file in the vi editor.

   [root@Kennisis /]# vi /tmp/etc/shadow

5. Locate the following line in the /tmp/etc/shadow file.

   admin:$1$hEyOwJsC$r/vUK6M75TJOYdtWKCxDu/:16609:0:99999:7:::

6. Remove the string between the first and second colon. In the present example, we removed $1$hEyOwJsC$r/vUK6M75TJOYdtWKCxDu/ to make the line look like the following.

   admin::16609:0:99999:7:::

7. Save the /tmp/etc/shadow file and exit the vi editor.

8. Run the sync command.

   [root@Kennisis /]# sync

9. Unmount the SD/CF memory card.

   [root@Kennisis /]# umount /tmp

10. Reboot the switch.

    [root@Kennisis /]# reboot
    Unmounting filesystems
    chown: /home/user/.rhosts: Read-only file system
    chown: /home/user: Read-only file system
    chown: /home/user: Read-only file system
    cat: can't open '/proc/devices': No such file or directory
    The system is going down NOW!
    Sending SIGTERM to all processes
    Requesting system reboot
    Restarting system.
    
    U-Boot 2009.11(Kennisis Beta 3.5.4 Pica8)-svn1619 (Jan 22 2014 - 14:06:09)
    CPU0:  P2020, Version: 2.1, (0x80e20021)
    Core:  E500, Version: 5.1, (0x80211051)
    
    
    <Some output omitted>
     
    [ ok ] Starting enhanced syslogd: rsyslogd.
    [ ok ] Starting periodic command scheduler: cron.
    [ ok ] Starting OpenBSD Secure Shell server: sshd.
    Pica8 Auto Provisioning Tool - checking updates ....
    No tftp server address found, exit now
    [ ok ] Starting: PicOS L2/L3...........................
    
    Leaf1 login:

11. Use admin as the login to reach the Linux shell, without being prompted for a password. At this point, user can also enter the PicOS L2/L3 mode using the cli command at the Linux shell.

    Leaf1 login: admin
    admin@Leaf1$

12. User should configure (and remember) the new password for admin, using the passwd command at the Linux shell.

    admin@Leaf1$sudo passwd admin
    Enter new UNIX password: 
    Retype new UNIX password: 
    passwd: password updated successfully
    admin@Leaf1$

13. Alternately, user can configure the new password for admin, from the L2/L3 mode.

    admin@Leaf1$cli
    Synchronizing configuration...OK.
    Pica8 PicOS Version 2.6
    Welcome to PicOS L2/L3 on Leaf1
    admin@Leaf1> configure
    Entering configuration mode.
    There are no other users in configuration mode.
    admin@Leaf1# set system login user admin class super-user
    admin@Leaf1# set system login user admin authentication plain-text-password 123456
    admin@Leaf1# commit
    Commit OK.
    Save done.
    admin@Leaf1# exit
    admin@Leaf1>