Tuesday, June 4, 2019

Using The Shoretel 90V Serial Console to Factory Reset

How to Connect to the Shoretel 90V Serial Console Like a Boss

You just bought a pre-owned Shoretel 90V from a grey market source, and now you find that you cannot log on as anonymous anymore. Shoretel is full of hidden and secret passwords, including a secret CDR database with its own passwords. The Shoretel switch is no exception. You may need to factory reset it, or you may just need to set the root password. Well, here are some ways to get in.

The first step is to get an RS232 serial port added to your computer. You can use a USB to serial adapter or you can just use the built-in port. On most computers, it looks like a DB9 connector. Here are some pictures that will help you get in.

I buy and sell these grey market Shoretel switches all the time and this is often the first thing you need to do to clear them out and get them ready for the next user.

There is no user called anonymous; that was a feature from the previous generation of switches. The user is called "root" and the password is "ShoreTel". The previous generation used Wind River VxWorks; the 90V runs Linux.

Curiously enough, there is a removable compact flash drive inside the 90V that contains the ext4 file system. You can always remove it, mount it in Ubuntu, and then edit the /etc/shadow file.

root@Default:/root# fdisk -l /dev/kcfa

Disk /dev/kcfa: 2096 MB, 2096898048 bytes
16 heads, 63 sectors/track, 4063 cylinders
Units = cylinders of 1008 * 512 = 516096 bytes
Disk identifier: 0xdbe3ac07

    Device Boot      Start         End      Blocks   Id  System
/dev/kcfa1               1        4063     2047720+  83  Linux


How to factory reset: reboot, press a key when offered the option to stop autoboot, and then type:
> bootc static flash vxworks
> saveenv
> reset

Or just change the IP address and set it to DHCP:

All tests passed
Hit any key to stop autoboot:  0
=> printenv
serial#=90VF13152E94F4
ethaddr=00:10:49:2E:94:F4
bootdelay=3
user=anonymous
pass=tsk
autoload=FLASH
partition=nand0,1
flags=0x0000
gatewayip=10.90.2.1
ipaddr=10.90.2.30
netmask=255.255.255.0
serverip=10.70.2.32
cntrlsrv=10.70.2.32
bootfile=vImage
bootcmd=jboot;bootm

Environment size: 267/492 bytes
=> setenv flags 0x40
=> setenv host 10.0.11.45
=> setenv serverip 10.0.11.45
=> saveenv
Saving Environment to EEPROM...
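
When you clear one of these units for the next user, the printenv capture above is worth checking before the switch goes back on a network. The following is an added example, not part of the original post: it parses a saved serial log and lists leftover values. The function names, the trimmed sample log and the site network 10.0.11.0/24 are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the printenv capture from this page.
SAMPLE_LOG = """\
Hit any key to stop autoboot:  0
=> printenv
serial#=90VF13152E94F4
bootdelay=3
user=anonymous
pass=tsk
gatewayip=10.90.2.1
ipaddr=10.90.2.30
serverip=10.70.2.32
cntrlsrv=10.70.2.32
bootcmd=jboot;bootm
=> setenv flags 0x40
"""

ADDRESS_VARS = ("ipaddr", "gatewayip", "serverip", "cntrlsrv")  # names seen in the capture
SECRET_VARS = ("user", "pass")

def parse_printenv(log):
    """Return {name: value} for the name=value lines printed after '=> printenv'."""
    env, inside = {}, False
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("=>"):  # any new prompt ends the previous command's output
            inside = line[2:].strip() == "printenv"
        elif inside and (m := re.match(r"([^=\s]+)=(.*)", line)):
            env[m.group(1)] = m.group(2)
    return env

def audit(env, site_net):
    """List leftovers to clear before the unit is deployed on site_net (CIDR string)."""
    net = ipaddress.ip_network(site_net)
    findings = [f"{n}: value readable in clear text from the boot console"
                for n in SECRET_VARS if n in env]
    for name in (n for n in ADDRESS_VARS if n in env):
        try:
            foreign = ipaddress.ip_address(env[name]) not in net
        except ValueError:
            foreign = True  # anything that is not an IP address gets reported too
        if foreign:
            findings.append(f"{name}: {env[name]} is not an address in {site_net}")
    if re.fullmatch(r"\d+", env.get("bootdelay", "")) and int(env["bootdelay"]) > 0:
        findings.append("bootdelay: autoboot can be stopped from the serial console")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_printenv(SAMPLE_LOG), "10.0.11.0/24")))
```
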


Use a Cisco DB9 to RJ45 Cable with a Null Modem

Connect it to the bottom port/maint port using a gender changer

Set your RS232 port to 19200 baud, 8 bits, 1 stop bit, no parity

Use PuTTY with the serial port option

Power up your 90V, press a key when prompted to stop in env console

Log on as root, with password ShoreTel

As you can see, it just runs Wind River Linux
That's all you need to do. I recommend pressing the reset button and holding it for 10 seconds to reset the root password back to ShoreTel. If you found this bit of advice useful or if you know of more ways to get in, please leave us a comment.
