view · edit · print · history

It is interesting, though maybe not very interesting, to know that you can telnet into the default firmware without flashing it to Unslung or OpenSlug. Some time ago, a message was posted on the yahoo message board with the source code that computes a password for the user ourtelnetrescueuser. Coming across this code as pointed out by dyoung, I modified it a bit so it can give you the password for your specific box. The password is calculated by looking at the default_server_name in /etc/CGI_ds.conf, which usually consists of the letters LKG followed by part of the MAC-address.

You can compile it by saving it to slugpass.c and then typing gcc slugpass.c -oslugpass -lcrypt. You will be asked to type in the correct LKG-serial.

  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  #include <crypt.h>
  #include <sys/stat.h>
  #include <sys/types.h>
  #include <pwd.h>
  #include <unistd.h>

  typedef struct {
      char server_default_name[10];
  } sys_info;

  #define _LINKSYS_
  #define MAXNSLUNAME 10 

  int ReadSYSInfo(sys_info *info) {
      char lkgname[MAXNSLUNAME];
      printf("Default NSLU2 name (e.g. LKG7F11C6):");
      fgets(lkgname, MAXNSLUNAME, stdin);
      strcpy(info->server_default_name, lkgname);
      return 0;

  char mksalt(int seed)
      int num = seed % 64;

      if (num < 26) {
          return 'a' + num;
      } else if (num < 52) {
          return 'A' + (num - 26);
      } else if (num < 62) {
          return '0' + (num - 52);
      } else if (num == 63) {
          return '.';
      } else {
          return '/';

  int main()
      sys_info info;
      char first[4],second[4],full[7];
      long new_long1, new_long2;
      char salt[3],pwd[20],pwd2[20];
      char *pw;

      if(ReadSYSInfo(&info)) return 1;

  #ifdef _LINKSYS_

      new_long1 = strtol(first, '\0', 16);
      new_long2 = strtol(second, '\0', 0);
      salt[0] = mksalt(new_long1);
      salt[1] = mksalt(new_long2);
      salt[2] = '\0';
      memset(&pwd[0], '\0', 20);
      pw = crypt(full, salt);
      memcpy(&pwd[0], pw, 16);

      memset(&pwd2[0], '\0', 20);
      pw = crypt(pwd, salt);
      memcpy(&pwd2[0], pw, 16);

      printf("your password is: %s\n(stored encrypted on your slug as %s)\n", pwd, pwd2);
      return 0;

Sidenote: yes, it can be a bit shorter when editing out the stub, but i wanted to stay as close to the original as possible.

view · edit · print · history · Last edited by EddyP.
Based on work by EddyP, tman, and Lex Delani.
Originally by rwhitby.
Page last modified on January 12, 2008, at 05:51 AM