From b433aa7104c6632145daf29e61a227d86c1dfdd0 Mon Sep 17 00:00:00 2001 From: naksper <61098366+naksper@users.noreply.github.com> Date: Sat, 11 Mar 2023 17:48:03 +0100 Subject: [PATCH] Update research-security.md --- en/research-security.md | 57 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/en/research-security.md b/en/research-security.md index 3b93667..7532b04 100644 --- a/en/research-security.md +++ b/en/research-security.md @@ -95,6 +95,8 @@ discover even more yet unknown passwords. Sharing is caring, boys! | ab8nBoH3mb8.g | helpme | | absxcfbgXtb3o | xc3511 | | xt5USRjG7rEDE | j1/_7sxw | +| $1$EmcmB/9a$UrsXTlmYL/6eZ9A2ST2Yl/ | | + ``` ### Software 
@@ -106,3 +108,58 @@ discover even more yet unknown passwords. Sharing is caring, boys! [1]: https://en.wikipedia.org/wiki/Rainbow_table [2]: https://en.wikipedia.org/wiki/Brute-force_attack + + + + +Altenative way to get access to full working system +--------------------------------------------------- + +You will not have origilnal root pass but you will be able get into :) + +### Limited shell access +TESTED on GOKE SOC. over the UART interface it is possible to get into a limited shell, but this shell does not load full working system. +``` +setenv bootargs ${bootargs} single init=/bin/sh +boot + +``` +Once we are in limited shell it is need to mount ROM filesystem: +``` +mount -t jffs2 /dev/mtdblock3 /rom +``` + +Also wil be great to mount sd card to copy some files: +``` +mount +mount -a +mount /dev/mmcblk0p1 on /mnt/s0 +``` + +### Modifying the file system +on /rom filesystem you can edit the /room/etc/passwd file but once the device restarts it will be set to default, this happends because there is a guide bin file writing to passwd file on each start, so we need to modify this executable. + +copy system.dat to sd card +``` +cp /rom/system.dat /mnt/s0 +``` + +on a linux computer it is need to unsquahfs system.dat, do some changes and resquashfs: +``` +mkdir squashfs-temp +cd squashfs-temp + +unsquashfs system.dat +``` + +find guide file and hexedit to modify where "/etc/passwd" is writen and change one leter, for example "/etc/passwT". This file will be created on start instead of passwd replaced. + +re squash the file system: +``` +mksquashfs ./squashfs-root ./file -comp xz -no-xattrs -noappend -no-exports -all-root -quiet -b 131072 +``` + +and copy back from sd card to /rom directory on goke soc. + +now you can edit /rom/etc/passwd with your own pass, and whe you restart the device you will have full working system with your own pass. +
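Review bot: the new row `| $1$EmcmB/9a$UrsXTlmYL/6eZ9A2ST2Yl/ | |` leaves the plaintext column empty while every other row in this table pairs a hash with its recovered password, so a reader cannot tell whether the entry is still uncracked or the value was dropped; mark it explicitly, e.g. `| $1$EmcmB/9a$UrsXTlmYL/6eZ9A2ST2Yl/ | (not recovered) |`, and note that it is a salted md5crypt (`$1$`) hash rather than the 13-character DES-crypt format of the surrounding rows, since the rainbow-table reference [1] cited by this section does not apply to a salted hash the way it does to the unsalted ones. The stray `+` blank line added before the closing ``` fence also widens the code block for no reason and should be dropped.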
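Review bot: the new section's paths and commands contradict each other, which will trip up anyone following it: the text says to edit `/room/etc/passwd` while the mount command and the closing paragraph use `/rom`; `mount /dev/mmcblk0p1 on /mnt/s0` is the output format printed by `mount`, not a command (the invocation is `mount /dev/mmcblk0p1 /mnt/s0`); after `cd squashfs-temp`, `unsquashfs system.dat` will not find a file that was copied into the parent directory; and `mksquashfs ./squashfs-root ./file ...` writes `./file`, yet the last paragraph says to copy the result back to `/rom` without saying it must be named `system.dat` again. Please also flag `/dev/mtdblock3` as specific to the tested Goke board rather than a general value, and fix the spelling throughout (`Altenative`, `origilnal`, `wil`, `happends`, `unsquahfs`, `writen`, `leter`, `whe`). Since this is a security research page, the section should state the conclusion it implies: a UART console that accepts `init=/bin/sh` in `bootargs` and a writable jffs2 `/rom` make the root password irrelevant, so the relevant hardening is a locked bootloader environment and a disabled or authenticated serial console.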