Hi!
So I've been "lurking" for quite some time around the forum, and followed the MSO mods saga, amongst other things. The level of skill shown here is quite impressive!
I finally bit the bullet and bought a second-hand RSA3030-TG. I was "foolishly" thinking about how easy it would be to run the serial number through "RigLol" to enable all features... Boy was I wrong!
Thanks to all the tips posted by scottapotama, tv84 and qip, I was able to re-enable SSH and FTP, as mine didn't have them enabled from the get-go. I'll throw some extra notes here to complete what was already said:
I don't believe any of the following is particularly sensitive, but might be of use to someone. This is a small dump of publicly available info, and steps detailed in forums and blog posts around the MSO5k and so on...
Finding the hash as mentioned earlier in the thread can be done by peeking at a firmware file or dump from a unit as described earlier in the thread, then finding the normal linux rootfs/etc/passwd file.
1. Download the Rigol RSA firmware
2. Unzip rsa3000_FW_v2.zip
3. Tear the bundle apart:
   unzip rsa3000_FW_v2.zip
   cd RSA5000\(ARM\)update_00.03.04.00.03/
   tar -xvf rsa5000_updatefile.bin
   gunzip *.gz
   ...
4. not-so-secret cramfs extraction trick - seems like we're leaving this bit as a 'hurdle'...
5. Use hashcat to break the DES hash:
   hashcat -m 1500 -a 3 roothash.txt -o output.txt
6. SSH should be available for further poking...
The latest firmware available (v00.03.something), however, is packed with something different than Cramfs (according to binwalk), probably some kind of encryption. Luckily, I was able to find ver 00.02.00 with the Wayback Machine. The rest of the extraction was smooth sailing, quick cramfsck mod to support larger file size, as @tv84 said. Hashcat found the password within 2 minutes.
Re-enabling SSH was a matter of packing a fw4linux.sh (that re-enables sshd and vsftpd by running the command) with gzip, then tar it into rsa3000_updatefile.bin (I learned that thanks to TV84's backup script).
Now, off to understand how to make it permanent as the rootfs is read-only, then tackle enabling those features! I'm learning quite a lot in the process.
Do you have any pointers on where to look for those? I'm thinking of playing with Ghidra and tearing the rsa5000 bin apart, but I don't know much about disassembling executables...
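
Added example, not part of the original post: a Python check that a firmware reviewer could run over the etc/passwd of an extracted rootfs to flag password fields still stored as traditional DES crypt (the format hashcat mode 1500 handles). The function names and the sample passwd content, including its hash strings, are constructed placeholders and not values from any Rigol firmware.

```python
import re

# Traditional DES crypt: 2 salt chars + 11 hash chars from the crypt alphabet.
# It uses a 12-bit salt and only the first 8 password characters, which is
# why a hash like the one in this thread falls to brute force so quickly.
DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = [
    ("$1$", "md5crypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
    ("$2y$", "bcrypt"), ("$5$", "sha256crypt"), ("$6$", "sha512crypt"),
    ("$y$", "yescrypt"),
]
WEAK = {"descrypt", "md5crypt", "empty"}  # schemes worth a finding

def classify_hash(field):
    """Name the scheme of a passwd/shadow password field."""
    if field == "":
        return "empty"            # account has no password at all
    if field == "x":
        return "shadowed"         # real hash lives in etc/shadow
    if field.startswith(("*", "!")):
        return "locked"           # password login disabled
    for prefix, name in PREFIXES:
        if field.startswith(prefix):
            return name
    return "descrypt" if DESCRYPT.match(field) else "unknown"

def audit_passwd(text):
    """Return (user, scheme, is_weak) for every well-formed entry."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue              # skip blanks, comments, malformed lines
        scheme = classify_hash(parts[1])
        findings.append((parts[0], scheme, scheme in WEAK))
    return findings

# Constructed sample; the hash strings are placeholders, not real hashes.
SAMPLE = """root:ab0123456789A:0:0:root:/root:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/bin/false
daemon:*:1:1:daemon:/usr/sbin:/bin/false
svc:$6$constructedsalt$constructedhash:1000:1000::/home/svc:/bin/sh
guest::1001:1001::/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for user, scheme, weak in audit_passwd(SAMPLE):
        print(f"{user:8} {scheme:12} {'WEAK' if weak else 'ok'}")
```

The same functions work on etc/shadow, since the hash is the second colon-separated field there as well.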