#1
If the mods want to move this thread, I won't mind. Also, I'll give the hardware details (nomenclature and manufacturer), but I won't give the isp details. If any of that is too sensitive, feel free to delete that info as well.
My isp has locked down the dsl router that they sold me and refuses to give me the username and password to access the advanced config pages on the embedded web server. The manufacturer does not respond to voicemail or email, and googling shows me that other users have had this problem but nobody has posted a solution. BTW, I will not be violating their tos by gaining access to the router functionality of that modem/router.

Here's what I know so far: The modem is made by Broadmax. It's a Linkmax HSA300A-2 dsl modem/router. It has an embedded web server with a browser user interface. It also has a telnet interface which is disabled, and according to my googling, the rs232 port connector was just snapped off at the solder point. My last resort will be to re-solder the connector and try accessing the equipment that way.

There is an http authentication on the page in question (username/password). Per the product manual, the username is arbitrary and the password is 'broadmax'. That doesn't work. I've contacted a couple of ex-employees of my isp and they don't know the username and password. There's no point in brute forcing, because I don't have a fixed username, or even know if there is a username for that matter.

There is also an option to upgrade the firmware from one of the config pages. Before doing so, you're prompted to download a 'recovery.exe' file, which is a rar'ed executable with several gif's and web pages, as well as several text-based config files and a couple of binary looking files. There is a copy of MS's tftp.exe renamed broadmax.exe. Then there is a batch file that tftp's all of the files to the modem. I don't know much about tftp, except that it's used to read/write to upgradeable firmware. There are only two functions (get and put), and sadly no directory listing function. The instructions for the recovery files say to change the ip to '172.16.0.253', and then run the batch file.

I guess I should note that the modem's ip (for all customers) is 172.16.0.254. I'm not sure if the ip change is necessary though, because I'm not sure if the tftp service can be locked down to only accept connections from a specific ip. Anyways, from looking at the batch file I see that it first tries to 'PUT tftplock.key', then 'PUT tftpupdt.beg', then PUT all other files, then finishes off with 'PUT tftpupdt.rbt' and 'PUT tftpupdt.end'. The tftplock.key contains 'broadmax' with a crlf. The other tftpupdt.xxx files are empty files that apparently just signify the beginning and end of the firmware upgrade.

I made a sample batch file that just put the .key, .beg, .rbt, and .end files with nothing else. I get an error saying that the authentication to the server failed after the .key put statement and then an error saying that the server wasn't unlocked for write after the other ones. So, what I was thinking was coding a brute force program that wrote the .key file, ran the tftp PUT .key and tested the return, and so on. It wouldn't be that difficult to code, and I wouldn't think that the password would be longer than 8 characters (26 letters, 10 numbers -- 36 to the 8th right?). What I'd like to be certain of before I try it though is does the ip of the connecting system matter? If it doesn't then this looks like my best shot at brute forcing that password.

Granted it wouldn't be nearly as good as unlocking the browser user interface, but I think I've figured out the file format of the nat config file in the recovery files, and if that works then I can just tftp that file every time that I make changes which would be very rare once I get it up and working. I could also fish around blindly by get'ing various files. I know it doesn't sound like much, but I'm shooting blind here. If anyone else has some ideas, I'm all ears. cheers, will
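To make the update gate described in this post concrete, here is an added example (my code, not anything from the thread or from Broadmax) that models the exchange as a TFTP packet encoder/decoder plus a toy in-memory server. The server, the password value `EXAMPLE-PASSWORD`, the payload file name `nat.cfg` and the error strings are all constructed for illustration; only the file order (tftplock.key, tftpupdt.beg, payload, tftpupdt.rbt, tftpupdt.end) and the "authentication failed" / "not unlocked for write" behaviour come from the post. The point worth seeing is that the key file is just a DATA block carrying the password in clear text, and that TFTP really has only read and write requests.

```python
import struct

# TFTP opcodes from RFC 1350. There are only read and write requests,
# which is why the batch file can PUT files but never list them.
RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5


def build_request(opcode, filename, mode="octet"):
    """Encode an RRQ/WRQ: opcode, filename, NUL, mode, NUL."""
    return (struct.pack("!H", opcode) + filename.encode("ascii") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode("ascii") + b"\x00"


def parse_packet(pkt):
    """Decode any of the five packet types into a dict."""
    op = struct.unpack("!H", pkt[:2])[0]
    if op in (RRQ, WRQ):
        parts = pkt[2:].split(b"\x00")
        return {"op": op, "filename": parts[0].decode("ascii"), "mode": parts[1].decode("ascii")}
    if op == DATA:
        return {"op": op, "block": struct.unpack("!H", pkt[2:4])[0], "data": pkt[4:]}
    if op == ACK:
        return {"op": op, "block": struct.unpack("!H", pkt[2:4])[0]}
    if op == ERROR:
        msg = pkt[4:].split(b"\x00")[0].decode("ascii")
        return {"op": op, "code": struct.unpack("!H", pkt[2:4])[0], "msg": msg}
    raise ValueError("unknown TFTP opcode %d" % op)


class LockedUpdateServer:
    """Constructed model of the gate the post describes (not the real firmware):
    a write of tftplock.key whose contents equal the password unlocks later
    writes; until then every other WRQ is refused. Only single-block (<512 byte)
    transfers are modelled, which covers the marker files and a small config."""

    def __init__(self, password):
        self._password = password   # constructed placeholder, set by the caller
        self.unlocked = False
        self.files = {}
        self._pending = None        # filename whose DATA block we are waiting for

    def handle(self, pkt):
        p = parse_packet(pkt)
        if p["op"] == WRQ:
            if p["filename"] == "tftplock.key" or self.unlocked:
                self._pending = p["filename"]
                return build_ack(0)
            return build_error(2, "Server not unlocked for write")
        if p["op"] == DATA and self._pending is not None:
            name, self._pending = self._pending, None
            if name == "tftplock.key":
                # The password is plain text inside the DATA block, trailing CRLF and all.
                if p["data"].rstrip(b"\r\n") == self._password:
                    self.unlocked = True
                    return build_ack(p["block"])
                return build_error(2, "Authentication failed")
            self.files[name] = p["data"]
            return build_ack(p["block"])
        return build_error(4, "Illegal TFTP operation")


def put_file(server, filename, content):
    """Client side of a single-block PUT: WRQ, then DATA block 1. Returns (ok, message)."""
    reply = parse_packet(server.handle(build_request(WRQ, filename)))
    if reply["op"] == ERROR:
        return False, reply["msg"]
    reply = parse_packet(server.handle(build_data(1, content)))
    if reply["op"] == ERROR:
        return False, reply["msg"]
    return True, "ok"


def run_recovery_sequence(server, key, payload_files):
    """Replay the batch-file order from the post and report each step's outcome."""
    steps = [("tftplock.key", key + b"\r\n"), ("tftpupdt.beg", b"")]
    steps += list(payload_files.items())
    steps += [("tftpupdt.rbt", b""), ("tftpupdt.end", b"")]
    return [(name,) + put_file(server, name, content) for name, content in steps]


if __name__ == "__main__":
    srv = LockedUpdateServer(b"EXAMPLE-PASSWORD")   # constructed value
    for step in run_recovery_sequence(srv, b"broadmax", {"nat.cfg": b"# constructed config\n"}):
        print(step)
```

Run as written, the key from the manual is rejected and every later PUT fails with "Server not unlocked for write", which is exactly the pair of errors the post reports; with the matching key the whole sequence is ACKed and the payload lands in `srv.files`. Because the key travels in clear text in a UDP DATA block, anyone on the same segment capturing traffic during a legitimate update would see it, which is the weakness of this style of gate.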
#2
how about changing your IP address to the suggested one, then running the original batch file to see if the unmodified recovery package can be applied at all? if all goes well and it's accepted you can then start modifying the package
cheers, sna
#3
It didn't run. It gives the failed authentication message after the "PUT tftplock.key" line. I think what's going on is that the only way that my isp lets you upgrade the firmware is by pushing a button on one of the web pages of the bui. It then downloads the update directly to the modem. The recovery file is meant to be used if that firmware upgrade fails. So I'm guessing that that upgrade routine 'unlocks' the modem, and if it fails, then the modem will still be unlocked or something.
I've tried everything that I can think of, short of resoldering that serial connector. I'm going to have a go at that tonight though hopefully, if my girlfriend doesn't mind me spending some time away from her.
#4
it seems unlikely that the telnet server would accept anonymous logins
so you're probably back to bruteforcing then.. anyway, good luck!
#5
I soldered the console port back on the board, and can now connect that way. I've also managed to enable the telnet interface. The password is the same as the one for the bui which I found. Unfortunately, after entering the correct password for the setup page, it just kicks you back to the main page. Oh well, cli it is....
I'll be doing a write up of everything so that nobody else has to go through this crap. I'm not sure where I'll post it yet though. If anyone's interested in this topic, send me a pm and I'll send you some instructions. cheers, will
#6
I'm looking to upgrade the firmware. Here is a link to a pdf file http://www.sonic.net/support/ss/broadmax/HSA300A-2.pdf
See page 48; you should be able to use the password on that page after pressing the reset button on the side. HTH
#7
Yeah, but the problem is that my isp's branded firmware is different than the firmware described in that pdf. The pdf shows a config page that would let you do all of the nat configs. That page simply doesn't exist in the firmware that I've got.
But with a 232 connector that I swiped off of a loopback plug from work (shhh!) and a little soldering, I can now terminal into it. Also, I've enabled the telnet interface. There's an auto-update setting though that keeps shutting down the telnet which sucks, but if I disable it then my isp's dns changes won't get made automagically anymore which out-sucks having the telnet interface disabled every now and then. Now I've got the modem in bridge mode and am using a linksys router to do the nat. It's a much cleaner setup now. I was just pissed initially because I basically bought the dsl modem but couldn't 'unlock' it. Oh well, live and learn.... cheers, will
#8
I see you had some limited success hacking that router, did you ever find a suitable firmware for it? I have the same device and have been able to get the telnet to turn on by editing the 'services' file and reuploading the earthlink firmware, but there is a password for it that I cannot find.
Did getting into the RS-232 port allow you to change the port forwarding? That is what I need to get into. I am still looking for an image for it. If someone has a working one with the proper image on it, I think we could pull the image with a bit of finesse. Let me know what you found. Very interested in this, just wondering if soldering on a port will do me any good.
#9
weasel,
I did have limited success getting the nat configs working through telnet/direct 232 connection (versus browser user interface). What I ended up doing though was that I found an unlinked config page on my isp's firmware that let you switch to bridge mode. Iirc I also figured out the commands to do it as well though. I'll look for my notes and post them. The approach that I took with soldering the 232 connector only took a few minutes. It took longer to dremel out a nice little hole in the plastic backplane piece. Anyways, so I put the modem into bridge, and put a linksys router behind it. Works great. cheers, will