  #1  
08-25-2003, 11:00 AM
Will
Member
Join Date: Mar 2003
Posts: 10
problem with firmware on dsl router

If the mods want to move this thread, I won't mind. Also, I'll give the hardware details (nomenclature and manufacturer), but I won't give the isp details. If any of that is too sensitive, feel free to delete that info as well.

My isp has locked down the dsl router that they sold me and refuses to give me the username and password to access the advanced config pages on the embedded web server. The manufacturer does not respond to voicemail or email, and googling shows me that other users have had this problem but nobody has posted a solution. BTW, I will not be violating their tos by gaining access to the router functionality of that modem/router.

Here's what I know so far:

The modem is made by Broadmax. It's a Linkmax HSA300A-2 dsl modem/router. It has an embedded web server with a browser user interface. It also has a telnet interface which is disabled, and according to my googling, the rs232 port connector was just snapped off at the solder point. My last resort will be to re-solder the connector and try accessing the equipment that way.

There is an http authentication on the page in question (username/password). Per the product manual, the username is arbitrary and the password is 'broadmax'. That doesn't work. I've contacted a couple of ex-employees of my isp and they don't know the username and password. There's no point in brute forcing, because I don't have a fixed username, or even know if there is a username for that matter.

There is also an option to upgrade the firmware from one of the config pages. Before doing so, you're prompted to download a 'recovery.exe' file, which is a rar'ed executable with several gif's and web pages, as well as several text-based config files and a couple of binary looking files. There is a copy of MS's tftp.exe renamed broadmax.exe. Then there is a batch file that tftp's all of the files to the modem.

I don't know much about tftp, except that it's used to read/write to upgradeable firmware. There are only two functions (get and put), and sadly no directory listing function. The instructions for the recovery files say to change the ip to '172.16.0.253', and then run the batch file. I guess I should note that the modem's ip (for all customers) is 172.16.0.254. I'm not sure if the ip change is necessary though, because I'm not sure if the tftp service can be locked down to only accept connections from a specific ip.

Anyways, from looking at the batch file I see that it first tries to 'PUT tftplock.key', then 'PUT tftpupdt.beg', then PUT all other files, then finishes off with 'PUT tftpupdt.rbt' and 'PUT tftpupdt.end'. The tftplock.key contains 'broadmax' with a crlf. The other tftpupdt.xxx files are empty files that apparently just signify the beginning and end of the firmware upgrade.

I made a sample batch file that just put the .key, .beg, .rbt, and .end files with nothing else. I get an error saying that the authentication to the server failed after the .key put statement and then an error saying that the server wasn't unlocked for write after the other ones. So, what I was thinking was coding a brute force program that wrote the .key file, ran the tftp PUT .key and tested the return, and so on. It wouldn't be that difficult to code, and I wouldn't think that the password would be longer than 8 characters (26 letters, 10 numbers -- 36 to the 8th right?). What I'd like to be certain of before I try it though is does the ip of the connecting system matter? If it doesn't then this looks like my best shot at brute forcing that password. Granted, it wouldn't be nearly as good as unlocking the browser user interface, but I think I've figured out the file format of the nat config file in the recovery files, and if that works then I can just tftp that file every time that I make changes, which would be very rare once I get it up and working. I could also fish around blindly by get'ing various files. I know it doesn't sound like much, but I'm shooting blind here.

If anyone else has some ideas, I'm all ears.


cheers,
will
  #2  
08-25-2003, 06:46 PM
sna
Administrator
Join Date: Jun 2003
Posts: 76

how about changing your IP address to the suggested one, then running the original batch file to see if the unmodified recovery package can be applied at all? if all goes well and it's accepted you can then start modifying the package

Quote:

...I think I've figured out the file format of the nat config file in the recovery files...

try updating the settings to suit your needs and apply the now modified package again?

cheers, sna
  #3  
08-25-2003, 07:36 PM
Will
Member
Join Date: Mar 2003
Posts: 10

It didn't run. It gives the failed authentication message after the "PUT tftplock.key" line. I think what's going on is that the only way that my isp lets you upgrade the firmware is by pushing a button on one of the web pages of the bui. It then downloads the update directly to the modem. The recovery file is meant to be used if that firmware upgrade fails. So I'm guessing that that upgrade routine 'unlocks' the modem, and if it fails, then the modem will still be unlocked or something.

I've tried everything that I can think of, short of resoldering that serial connector. I'm going to have a go at that tonight though hopefully, if my girlfriend doesn't mind me spending some time away from her.
  #4  
08-26-2003, 06:22 AM
sna
Administrator
Join Date: Jun 2003
Posts: 76

it seems unlikely that the telnet server would accept anonymous logins
so you're probably back to bruteforcing then..

anyway, good luck!
  #5  
09-06-2003, 09:05 PM
Will
Member
Join Date: Mar 2003
Posts: 10
Wooohoooo!!!!!

I soldered the console port back on the board, and can now connect that way. I've also managed to enable the telnet interface. The password is the same as the one for the bui which I found. Unfortunately, after entering the correct password for the setup page, it just kicks you back to the main page. Oh well, cli it is....

I'll be doing a write up of everything so that nobody else has to go through this crap. I'm not sure where I'll post it yet though. If anyone's interested in this topic, send me a pm and I'll send you some instructions.


cheers,
will
  #6  
02-12-2005, 02:10 AM
jedcrary
Junior Member
Join Date: Feb 2005
Posts: 1

I'm looking to upgrade the firmware. Here is a link to a pdf file: http://www.sonic.net/support/ss/broadmax/HSA300A-2.pdf
See page 48; you should be able to use the password on that page after pressing the reset button on the side. HTH
  #7  
02-12-2005, 11:21 PM
Will
Member
Join Date: Mar 2003
Posts: 10

Yeah, but the problem is that my isp's branded firmware is different from the firmware described in that pdf. The pdf shows a config page that would let you do all of the nat configs. That page simply doesn't exist in the firmware that I've got.

But with a 232 connector that I swiped off of a loopback plug from work (shhh!) and a little soldering, I can now terminal into it. Also, I've enabled the telnet interface. There's an auto-update setting though that keeps shutting down the telnet which sucks, but if I disable it then my isp's dns changes won't get made automagically anymore which out-sucks having the telnet interface disabled every now and then.

Now I've got the modem in bridge mode and am using a linksys router to do the nat. It's a much cleaner setup now. I was just pissed initially because I basically bought the dsl modem but couldn't 'unlock' it.

Oh well, live and learn....


cheers,
will
  #8  
05-19-2005, 09:36 PM
weasel
Junior Member
Join Date: May 2005
Posts: 1

I see you had some limited success hacking that router; did you ever find a suitable firmware for it? I have the same device and have been able to get the telnet to turn on by editing the 'services' file and reuploading the earthlink firmware, but there is a password for it that I cannot find.

Did getting into the RS-232 port allow you to change the port forwarding? That is what I need to get into.

I am still looking for an image for it. If someone has a working one with the proper image on it, I think we could pull the image with a bit of finesse.

Let me know what you found. Very interested in this, just wondering if soldering on a port will do me any good.
  #9  
05-22-2005, 03:17 AM
Will
Member
Join Date: Mar 2003
Posts: 10

weasel,
I did have limited success getting the nat configs working through telnet/direct 232 connection (versus browser user interface). What I ended up doing though was that I found an unlinked-to config page on my isp's firmware that let you switch to bridge mode. Iirc I also figured out the commands to do it as well though. I'll look for my notes and post them.

The approach that I took with soldering the 232 connector only took a few minutes. It took longer to dremel out a nice little hole in the plastic backplane piece.

Anyways, so I put the modem into bridge, and put a linksys router behind it. Works great.


cheers,
will