How to recover a branch SRX root password \w protected console (insecure)

Some SRX firewalls need to be deployed in insecure environments, thus forcing administrators to protect the console from being accessed by non-root users. This complicates things when root password is lost and no way to login to the box to overwrite it.

Trying to recover a lost root password in SRX when the console is protected against non-root access:

(press space at the second prompt “Hit [Enter] to boot immediately, or space bar for command prompt.”)

Code:

Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash:  4 MB
USB:   scanning bus for devices... 3 USB Device(s) found
       scanning bus for storage devices... 1 Storage Device(s) found
Clearing DRAM....... done
BIST check passed.
Boot Media: nand-flash usb 
Net:   pic init done (err = 0)octeth0
POST Passed
Press SPACE to abort autoboot in 1 seconds
…
Loading /boot/defaults/loader.conf 
/kernel data=0xb03b68+0x1344a8 syms=[0x4+0x8a940+0x4+0xc8eb0]
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel] in 1 second... 
loader> boot -s
Kernel entry at 0x801000e0 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
…

clean, 74552 free (32 frags, 9315 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter root password, or ^D to go multi-user
Password:

At this point, either root password is remembered, or the device can boot in multi-user (normal) mode and continue it's operations once the configuration is loaded.

How to recover Juniper SRX root password when the console is protected:

The procedure requires a bootable USB stick containing a Junos snapshot (on a different device).
Creating SRX bootable USB with a snapshot.

Code:

> request system snapshot media usb partition

Juniper uses uBoot as boot loader so it needs to be to configured to boot from usb.

To change uBoot boot settings, press SPACE at the first prompt:

Code:

Clearing DRAM....... done
   BIST check passed.
   Boot Media: nand-flash usb
   Net:   pic init done (err = 0)octeth0
   POST Passed
   Press SPACE to abort autoboot in 1 seconds
=> 
=> setenv boot.devlist usb
=> saveenv
Saving Environment to Flash...
Un-Protected 1 sectors
Erasing Flash...
. done
Erased 1 sectors
Writing to Flash... writing to flash...
done
Protected 1 sectors
=> reset

At this point, the firewall will reboot and automatically boot from the USB containing a bootable snapshot. Once it booted up, the flash partition can be mounted and the root password can be changed.

Revert the boot sequence to flash again.

Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides