Recover password from config-file?

Discussion in 'Cisco/Linksys Wireless Routers' started by d-b, Jul 16, 2005.

  1. d-b

    d-b Network Guru Member

    Is there a way to recover the password from config file that is saved on a computer?

    Today when I needed to do some changes to the config on my WRT54GS I realized that I had forgot the password to the web interface. My setup is quite complicated so I want to avoid to reset the router (since I have the backup I can reset it but I then want to restore the config with the lost password).

    I opened the config-file in a text editor but it seems to be encrypted in some way, at least it wasn't human readable.

    Any suggestions on how to recover the password?

  2. davidsonf

    davidsonf Network Guru Member

    If you have a Sveasoft Alchemy/Talisman or derivative firmware (such as DD-WRT), the file is essentially a tar archive that has been gzipped. You can ungzip it and look for the file http_passwd. Or, if you have a smart enough editor, such as (X)Emacs, you can do all of that with the editor.

    I don't know what the format for the *.cfg files that Linksys provided firmware uses. The source code is available, so it can certainly be determined...

    If you have any firmware that allows you to execute shell commands (via the web, telnet, ssh, or whatever), the shell command to get the password is
    nvram get http_passwd
  3. jagboy

    jagboy Network Guru Member

    yes it is possible to recover the password fron the backup i did it irght now.
  4. d-b

    d-b Network Guru Member

    I should have mentioned that I use the default firmware. Anyone that has some ideas on how to recover passwords from Linksys FW?
  5. d-b

    d-b Network Guru Member

  6. jagboy

    jagboy Network Guru Member

    i used dd-wrt. try to download winrar.

    once you open it then you look for somthing "password" maybe "http_passwd"
  7. d-b

    d-b Network Guru Member

    I am not sure I understand you. Do you think you could be a little more specific?

    I tried with unrar (I don't use Windows but unrar should work) but it doesn't recognize my file as a RAR-archive.
  8. jagboy

    jagboy Network Guru Member

    go to this link and download winrar i am guessing that you are using linux or mac?? there are mac version and linux version avilible.
  9. pdpimp

    pdpimp Guest

    I need help my router did work with my xbox live and internet back and forth. but now it shuts everything off internet wise. and I dont remember the password to access it all. is there anyway to get the password?
  10. davidsonf

    davidsonf Network Guru Member

    I just took a look at the Linksys source code, and the *.cfg file is "encoded", which is why it looks like gibberish.

    However, it should be fairly easy to "decode" it too. So hold on a short time and I'll write a program that does it. However, I don't use Windows, so I can only provide source code and you or someone else will have to compile it.

    When it's ready, I'll let you know how to get it.
  11. davidsonf

    davidsonf Network Guru Member

    Well, that was even easier than I thought it would be! I'll just paste the source code into this message.

    This is a typical "filter", you can invoke it like this:
        foo < WRT54GV2_v3.01.3.cfg > text.cfg
    or as,
        foo  WRT54GV2_v3.01.3.cfg > text.cfg
    or, if you have grep, do this,
        foo WRT54GV2_v3.01.3.cfg | grep http_pass
    The first two command will produce a text file (text.cfg) that you can read with an editor. The third one will find the line with "http_pass" and print it.

    Here is the source code in C. (Somebody who knows perl can probably rewrite it. For that matter, it can probably be done in with any bourne shell too. I'll see if I can figure that one out too.)

    #include <stdio.h>
    #include <stdlib.h>
    #include <ctype.h>
    int decode(unsigned char);
    decode(unsigned char ch)
      ch = ~((ch << 2) | ((ch & 0xC0) >> 6));
      if (ch) {
        if (isprint(ch)) {
          return ch;
        } else {
          return ' ';
      return '\n';
    main(int argc, char *argv[])
      int  ch;
      FILE *fp;
      if (argc < 2) {
        fp = stdin;
      } else {
        if (NULL == (fp = fopen(argv[1], "r"))) {
          fprintf(stderr, "Error:  Cannot open file %s\n", argv[1]);
      while (EOF != (ch =fgetc(fp))) {
        fputc(decode(ch), stdout);
      return EXIT_SUCCESS;
  12. d-b

    d-b Network Guru Member

    Your little program worked! Thanks a lot.

    But what is this? It is some command line stuff with a few redirects but why? And where do I run them?

    I just read and compiled your code and run it with my cfg-file as argument piped through grep.
  13. Jopplehead

    Jopplehead Guest

    :clap: Very nice little program. I have a request. Can you write a C Program to do the same conversion on a Linksys BEFW11 Router? Tried this on that type and it could not convert it correctly. Please..., Thanks In Advance.
  14. metroplex

    metroplex Guest

    Thats great, but is there anyway to convert the text back to the linksys.cfg format? :)
  15. fatzbitz

    fatzbitz Network Guru Member

    your work is amazing :thumbup: , i've compiled your C program ... it is working 100%
  16. fatzbitz

    fatzbitz Network Guru Member

    here is the compiled exe

  17. teddytiger

    teddytiger Network Guru Member

    I'd like to bring this out of the ether, does someone have a little proggy to view/edit the newer Linksys WRT54G/GS config save files? I'd like to edit mine to set up forwarding to, since I can't do that from the web interface. I have a WRT54GS v6.

  18. gr11x

    gr11x Networkin' Nut Member

    Yes, I know: Dead thread. But this is one of the very few hits from Google, when looking for a decoder of the Linksys WRT54Gx config files...

    So here is my perl port of davidsonf's code:

    perl -e 'sub d($){$c=shift;$c=pack"C",sprintf("%d",~(($c<<2)|(($c&0xC0)>>6))&255);unless($c eq"\0"){if($c=~m/^[[:print:]]$/){return$c;}else{return" ";}}return"\n";}$f=shift;open FH,"<",$f or die;while(<FH>){my@l=split//,$_;foreach(@l){print d(ord$_);}}close FH;exit 0;' <linksys.cfg>
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice