f@st3864 Telnet/Serial
R.e F@st3864v2
Optus F@st3864
The quickest way to openly access this router's administration tools is to log in via
http://192.168.0.1/main.html?loginuser=0
using the default credentials:
admin/Y3s0ptus loginuser=0
support/support loginuser=1
user/user loginuser=2
***To Activate telnet***
Go to management/system settings and use "download this file" to get sysinfo.f24.
Open the file in Notepad.
The file splits into two sections; the section we want is headed by
backup config:
<?xml version="1.0"?>
<DslCpeConfig version="3.0">
and closed by
</InternetGatewayDevice>
</DslCpeConfig>
Copy all the XML between these two points and paste it into a new Notepad document; this is our new backup file.
Before saving and closing it, find
<X_GVT_Telnet_Enable>FALSE</X_GVT_Telnet_Enable>
Change FALSE to TRUE,
then save the file as backupconfig.xml
and use this XML file to update the settings.
Also, I wouldn't advise trying to change the admin password directly through this XML
unless you encrypted it first into base64 and placed the encrypted password in the XML.
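Added example (not from the original post): a Python check that pulls the backup config section out of a sysinfo.f24 dump as described above and reports whether telnet is enabled or a default password listed on this page is still set. base64 is an encoding, so stored values decode directly; the sample dump, the Example* element names and the trailing-NUL handling are assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

DEFAULT_PASSWORDS = {"Y3s0ptus", "support", "user"}  # defaults listed on this page

# Constructed sample dump. Only DslCpeConfig, InternetGatewayDevice and
# X_GVT_Telnet_Enable come from the page; the Example* tags are hypothetical.
SAMPLE_DUMP = f"""first section (constructed placeholder)
backup config:
<?xml version="1.0"?>
<DslCpeConfig version="3.0">
<InternetGatewayDevice>
<X_GVT_Telnet_Enable>TRUE</X_GVT_Telnet_Enable>
<ExampleAdminPassword>{base64.b64encode(b'Y3s0ptus').decode()}</ExampleAdminPassword>
<ExampleUserPassword>{base64.b64encode(b'a-changed-passphrase').decode()}</ExampleUserPassword>
</InternetGatewayDevice>
</DslCpeConfig>
"""

def extract_backup_config(dump):
    """Return the XML from the <?xml declaration through </DslCpeConfig>."""
    match = re.search(r"<\?xml.*?</DslCpeConfig>", dump, re.S)
    if match is None:
        raise ValueError("no backup config section found")
    return match.group(0)

def decode_b64_text(text):
    """Decoded string if text is base64 of UTF-8, else None."""
    try:  # assumption: a trailing NUL may be part of the encoded value
        return base64.b64decode(text, validate=True).rstrip(b"\x00").decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError derive from it
        return None

def audit(dump):
    """List risky settings: telnet enabled, or a default password still set."""
    xml = extract_backup_config(dump)
    if "<!DOCTYPE" in xml:  # a device config needs no DTD; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in config")
    findings = []
    for el in ET.fromstring(xml).iter():
        text = (el.text or "").strip()
        if el.tag == "X_GVT_Telnet_Enable" and text.upper() == "TRUE":
            findings.append("telnet enabled")
        elif text and decode_b64_text(text) in DEFAULT_PASSWORDS:
            findings.append(f"default password in <{el.tag}>")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```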
Telnet to your router's IP using
telnet
open 192.168.x.y
Log in with the default admin/Y3s0ptus
and press ? for telnetd help,
or type sh for shell access (ash).
Type help for commands,
or busybox for a larger set of commands:
ls to list files
cat to read files
cp to copy to USB
tftp to move files on and off via a TFTP server (this is also how the router hides the cgi files)
use ./ to run any executables that aren't listed in busybox, i.e. bin files
use chmod to change the permissions of files you can't access, but try cat first so you do not have to change them back
passwd to change the passwords of accounts
Please note that changing the admin password does not stop a normal user from checking the passwords, which are in plain text. They can be found by browsing to the password change utility, pressing F12, and using the debugger to read the password out of the passwords cgi webpage, which was read in order to load the password utility.
The change of passwords will also be reflected on serial and telnet logins.
The samba servers can also be shut down via the menus.
Telnet is easily closed by re-uploading the backup config with the telnet value changed,
or more easily by power cycling.
The serial port is accessed via 4 pins on the main board. Using a USB-to-serial adapter, you simply need to connect rx (white)/tx (green)/gnd to out/in/gnd,
as the board is self-powered. A 3.3 V power supply could be used to serial the main chip without power, but this disables all the other accessories.
- stty
speed 115200 baud;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
werase = ^W; lnext = ^V; flush = ^O; min = 1; time =0;
-brkint ixoff -imaxbel
Sometimes you can gain shell access without logging in; this is a major security failure.
I'm still figuring out how the shell is gained, but by pressing ^D(backspace) or enter after the bootloader is finished you will receive a login prompt; your router's homepage admin details are the login/pass.
On a side note:
Has anyone worked out the Optus Fast program that is in the router? It appears to need a password but is capable of restoring the firmware to Sagem unbranded firmware.
location: ~/bin/ file: ~/bin/fast
# fast
Usage:
singled command:
fast unlock-next-reboot -p password
There are also commands to read out other information:
factory info / serial number / psi-config R/W/Clear / back-up config R/w/ hw – version/ base-mac/
SW version / config id / customer name / scratchpad R/Clear / led commands / factory-test[enable|disable|status] / factory eth test / flash-lastKB R/W / flash-data read -a address(hex) -l length(dec)
Has anyone looked into how they create this password? I have looked into the file in IDA and found it is dynamically created from several memory locations that are only created at runtime. Any help would be great.
Guys

I had a little bit of hassle trying to get access to the config dump. None of the known Optus passwords would work.
However I finally had success dumping the config without having to enter user/pass by using:
http://192.168.0.1/dumpcfgdynamic.cmd?loginuser=2
-Anon
192.168.0.1 is the address of an array of D-Link and Netgear model routers, similar to 192.168.1.1

If you get this I need a great amount of help with telnet

I have access but need help
If anyone is here I could use help with telnet

Can you download and share the unbranded firmware?