Reset password on IBM RT AIX 2.1.2?

November 18th, 2012, 11:42 AM
A while ago I acquired an IBM RT 6151, the desktop model. The 6153 monitor doesn't seem to work, so I got hold of an 8-bit ISA MDA card which allows me to see the system boots up all right into AIX. However I don't know the root or any other password. Is there some default that I could try? I suppose asking for how to hack into a system might be a bit borderline for the VC Forum, but perhaps there is some advice to try.

From another source, I came across original floppy disks: Virtual Resource Mgr 1/2 + 2/2, Install/Maintenance 1/1 and Base System Program 1/5. Does anyone know if I could boot e.g. the Install/Maintenance disk and that way reset or configure user accounts? In the worst case, I might have to reinstall the system from scratch (and thus obtain a 1.2M drive to write image files for the missing floppy disks). Obviously I could just try to see what happens, but I might ask here first if that is possible.

November 18th, 2012, 05:13 PM
I don't have any firsthand information on how to boot into Single user mode on that model of machine, but I found where someone was able to get some assistance with these older IBM machines (http://www.old-computers.com/museum/computer.asp?c=867&st=1) look at the last post. He also maintains a website (http://pihost.us/~baphijmm/ or http://pihost.us/~baphijmm/retro/) that lists an IBM 6150 as one of his computers, so he may be able to help, if no one here is able.


November 19th, 2012, 12:00 PM
I don't know the RT6150 specifics, but in general unix systems of that vintage could boot into single user by using the install medium, if they couldn't from firmware / boot menu / special key.
Once in single user, you would generally
- mount root fs (from the hard drive)
- change the password (with the appropriate tools)
- sync
- reboot

Some steps might not be necessary, depending on how you booted the system.
Update: Diagnostic Disk #1 is bootable, according to the FAQ: http://archive.rootvg.net/aix2faq2.txt

November 19th, 2012, 02:21 PM
Good thing that you pointed me to the FAQ. Actually I had already found and skimmed through it before, but alas I was too lazy to actually read it. :oops:

I don't have Diagnostic, but I can try VRM #1 followed by I/M and see where it gets me.

November 21st, 2012, 03:39 AM
Cool. Let us know how it goes.

December 30th, 2012, 12:45 PM
It took me a little over a month, but finally I've tried to boot from floppy.

VRM #1 gives me a menu where most tasks relate to reinstalling the VRM (which I don't want at this moment). However it has a maintenance mode too. It allows me to mount slices of the hard disk, list files and even dump their contents to the screen. By doing this, I have found out three user names (root + two more) associated with encrypted passwords. I figure those are of little use as I don't know the salt, or perhaps there are uber-elite programs that can brute reverse-engineer an encrypted password and filter out meaningful plaintext passwords?

AIX I/M however is just touched, and the system boots from the hard disk no matter what I do according to the FAQ.

The VRM Maintenance mode also has options to copy files across disks and write stuff to files. I suppose I could try to take a backup of the passwd file and fiddle some, perhaps empty a password field and hope it will be recognized as an empty password upon the next reboot. It should be added though that I haven't found a way to execute AIX binaries (e.g. passwd) from this mode, just read the contents of files. It should also be added that the procedure made public even by IBM themselves on how to reset a root password in AIX 4.x on newer hardware does not apply to this one, at least not unless I can get that AIX Install/Maintenance floppy disk to boot just like the Virtual Resource Manager disk boots.

December 30th, 2012, 02:27 PM
If you have that encrypted password, and it's an "old-style Unix" encrypted password, then it's a good chance you could brute-force it. That was the common intrusion procedure in the past: Get hold of someone's /etc/passwd, and run it through an off-line tool to get the cleartext. I had to do that once, in my job. A computer located in Antarctica had a root password everyone had forgotten - I couldn't go there but I was handed the passwd file. Found the password in an hour or so. It's been years, but I think the tool was just called 'crack'.

December 30th, 2012, 02:32 PM
As it turns out, after multiple attempts I was able to boot the AIX Install/Maintenance floppy disk. That gave me the option to reinstall AIX or run a very limited shell. Fortunately it has options to mount the hard disk, but due to different shared libraries many of the binaries on the hard disk can't be run. The built-in shell toolset includes dd, ed and od (but no cp or cat). I was trying to edit the passwd file with ed when I found that on the hard disk root there was a statically linked "vi" binary which made my life much easier.

So I removed the encrypted password for root and rebooted. The system happily lets me in with a blank password, and I got the chance to tidy up the root partition a bit to increase the amount of free space from 0 kB to about 1.5 MB or so. Thus I can say this part of the adventure is complete, without the need for brute-force cracking of passwords.
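Two points in the posts above are worth seeing in code: the December 30th question about the salt (in the traditional crypt(3) format the salt is simply the first two characters of the 13-character string, so it is never secret), and the blank root password that results from emptying the field. The following is an added example, not code from the thread or from IBM: a small audit of a classic 7-field passwd file that classifies each password field and flags accounts that will log in without a password. The sample entries and the 13-character hash string are constructed for the demonstration and correspond to no real account.

```python
"""Audit a traditional 7-field /etc/passwd (no shadow file, as on AIX 2) for
empty password fields and legacy DES crypt(3) hashes.  Added example; the
sample file below is constructed, not taken from any real system."""
import re
from dataclasses import dataclass

# Traditional crypt(3) output: 13 characters from [./0-9A-Za-z].
# The first two characters are the salt; the remaining 11 encode the
# 25-round modified-DES result of the first 8 characters of the password.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample: root has had its password field emptied, guest carries
# a (made-up) DES-style hash, bin is locked with '*', daemon uses 'x'.
SAMPLE_PASSWD = """\
root::0:0:superuser:/:/bin/sh
guest:QxK4fT9oPz3A1:100:100:Guest account:/u/guest:/bin/sh
bin:*:2:2:system binaries:/bin:
daemon:x:1:1:::
"""


@dataclass
class PasswdEntry:
    name: str
    pw: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Split passwd text into entries; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def classify_password(pw):
    """Describe what a passwd password field means to login(1)."""
    if pw == "":
        return "empty"            # login succeeds with no password at all
    if pw == "x":
        return "shadowed"         # hash lives elsewhere (not on AIX 2)
    if DES_CRYPT_RE.match(pw):
        return "des-crypt"        # legacy 13-char crypt(3) hash
    return "locked-or-unknown"    # '*', '!' or garbage: no password matches


def des_salt(pw):
    """Return the 2-character salt of a traditional crypt(3) string, else None."""
    if classify_password(pw) != "des-crypt":
        return None
    return pw[:2]


def audit(text):
    """Return (account, finding) pairs a defender would want to act on."""
    findings = []
    for e in parse_passwd(text):
        kind = classify_password(e.pw)
        if kind == "empty":
            findings.append((e.name, "empty password field: login without password"))
        elif kind == "des-crypt":
            findings.append((e.name, f"legacy DES crypt hash, salt {des_salt(e.pw)!r}, "
                                     "only first 8 password chars count"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "uid 0 account other than root"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_PASSWD):
        print(f"{account:8s} {finding}")
```

Run against the constructed sample it reports root as loginable without a password and guest as carrying a legacy DES hash with salt 'Qx'; pointing `audit()` at a copy of a real passwd file gives the same checklist for the accounts that actually exist, which is the first thing to do after a recovery like the one in this thread, before a proper root password is set again.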

December 31st, 2012, 02:27 AM
Great! I have no experience with an AIX that old, I didn't become a regular system-user of AIX until AIX 4. But AIX 4, 5 and 6 all have the option to boot from the installation/software/diag CDs and get access to the root disk, although the procedure can sometimes be a bit obscure.. hitting particular keys at the right point in time and so on. And it's also possible to redirect the console to a serial terminal, but that procedure is also something I remember as obscure.. as it is, I have one AIX box at work with a serial terminal because it doesn't have enough free slots for all the cards installed so the VGA card had to go. Many years ago some IBM techs visited and at that time I learned a lot about how to diag a system with a terminal connected to a system with a normal VGA login as well. Unfortunately I've forgotten most of it by now!