@morb@tychotithonus my head was in the same place - the "diagnosis" page that apparently had straight up shell injection isn't in the firmware I'm running on this phone, and now I'm digging into some of the MACADDRESS.cfg provisioning files and related XML translation on the phone checking what gets (ab)used by grep into shell variables, etc.
@morb@tychotithonus mmm whelp I bumped up the logging level through config, and I see when I try to telnet in with root/toor/admin/yealink any username all results in:
login[480]: invalid password for 'UNKNOWN' on 'pts/0'
@tychotithonus dunno what is in the /yealink/config filesystem yet. Haven't found a way into the device yet. I *did* manage to figure out how to enable telnet, through config it fetches via provisioning.
@xabean Depending on sensitivity, Hashes.com has a bounty / escrow system (free). Or you could upload it as a 'user list' to HashMob. Or you could let me take a ... crack at it (2x 4090s). :D
Edit: a third option, if you know hashcat and Docker, is to just rent a chunk of GPUs through vast.ai or similar.
@tychotithonus if you want to poke at it, here you go -- this is for a Yealink SIP phone. Strings in the firmware nearby suggest the password is YealinkPhone1106 but it doesn't seem to work on my hardware; which might be due to the fact that there's a config partition that overlay mounts a shadow file overtop of /etc/shadow from the ROM:
@xabean No immediate hits - permuted case and leet for both 'Yealink' and 'YealinkPhone', and appended and prepended all sorts of stuff (all possible 4-char suffixes, etc.) ... nothing so far