Recovering




Thursday, May 20, 2021

Hack: Cracked Super User of Huawei HG8245Q / HG8245Q2 ONT (from Batelco)

Username: ONT_BTC
Password: Admin@8245



Thursday, March 21, 2019

Hacking Huawei HG8245Q / HG8245Q2 ONT (from Batelco) to get Administrator access




Only low privilege access using default username password. Superuser access credential unknown...

Aim: To get superuser access.


Login

Superuser Access 


Superuser password hash (Cracked to get full access)


Done!

Wednesday, February 13, 2019

Hacking Infinova V1772N-T series PTZ camera (for remote restart)

Hacking Infinova V1772N-T series PTZ camera to solve irritating hanging issue, where web interface becomes unresponsive.

Issue: The camera web interface becomes unresponsive after running for a few days. The camera cannot be reached through a web browser even though port 80 is open. The telnet daemon on port 23 is open, but the username and password are unknown. Contacted Infinova support several times but got no solution.

The only way to get the camera up and running again is to physically power it off (cut the power to the camera) and then power it up.

Dumped the passwd/shadow files and cracked the DES-hashed root password.

Solution:

Log in via telnet using the root credentials and reboot the camera remotely, or restart the webs service.

After getting root:

root@INFINOVA # cat /proc/mtd
dev: size erasesize name
mtd0: 000c0000 00020000 "mboot1"
mtd1: 00320000 00020000 "kernel1"
mtd2: 00320000 00020000 "kernel2"
mtd3: 00220000 00020000 "initrd1"
mtd4: 00220000 00020000 "initrd2"
mtd5: 04680000 00020000 "rootfs"
mtd6: 0ae40000 00020000 "data"


END!

Sunday, January 3, 2016

Zain Wimax Routers Collection


Zain Wimax Routers
(Huawei BM635 & BM636e)
Bypassed security measures to get free internet!

END!

Tuesday, July 21, 2015

Hacking G-Share2 (Satellite Card Sharing Client) Subscription



Expiry date: 2017-03-18

Expiry date: 2016-06-27


Expiry date: 2016-08-20


Changing SPI flash programmed with working OTP memory area

END!

Monday, November 10, 2014

Zain Broadband 2.0 (Security flaws): Free Internet/VoIP calls with Huawei Echolife BM635


Free Internet
  • Login to Huawei Echolife BM635 via telnet.
    telnet 192.168.1.1
  • Enter username / password and then press ENTER
    username: huawei
    password: Adt26BnE
  • At the ATP prompt
    type setallmacaddr XX:XX:XX:XX:XX:XX & then press ENTER (where XX:XX:XX:XX:XX:XX is a valid WAN MAC address)
    e.g. ATP> setallmacaddr 4C:54:99:12:12:12
  • Type restoredef & press ENTER
  • The Huawei BM635 will restart with the new MAC address and default configuration.
  • If done correctly, you will be connected to the Internet (with the subscriber's IP address)

Free VoIP Calls (Untraceable calls)
Security threat



  • Point your browser to 192.168.1.1
  • Login using admin:2gzVL6MT
  • Click on Basic > VoIP > SIP User
  • Enter SIP Super Password (link)
    then enter a valid VoIP number in SIP ID & Username fields
    Note: SIP ID & Username are same i.e.
    SIP ID: 13644272
    Username: 13644272
    Password: !@#$%^&*()_
  • Click on Apply then on Register

You can check the status of the VoIP registration under STATUS > VoIP

Note: This will only work if you are using Zain WiMAX
  • If done correctly, you can call for free (using the subscriber's call credit)



END!

Monday, November 3, 2014

Zain Broadband 2.0 (Wimax): NEW Admin Password


Zain Broadband 2.0 Updated

(Admin Password of Zain Broadband Device with updated firmware)




Huawei Echolife BM635

Get Full Access to your device (OWN IT)



WebGUI Login Detail
Username: admin
Password: 2gzVL6MT

Telnet Login Detail
Username: huawei
Password: Adt26BnE

SIP Super Password
 Password: Reverse WAN MAC + R3bKaA

Wimax Super Password
 Password: Reverse WAN MAC + hUm2A786

For example:
If the WAN MAC is 84:A2:5F:3D:CD:2E
then the Reverse WAN MAC will be E2DCD3F52A48

Screenshots


Tuesday, June 19, 2012

GPS Tracking & WiFi hacking

WiFi Location

SSID: Signal Temp
WPA key: N0Sm0king 

END!

Saturday, October 29, 2011

Bahrain: Hacked Wi-Fi Networks

Hacked Wi-Fi Networks in Bahrain (at various locations)
(get connected to the internet anywhere in Bahrain)

ZAIN

SSID: Zain Home Broadband
Default Key: WiFi MAC + 1

Example:
Wifi MAC: 781212254102
Wifi key: 7812122541021

(To get the Wi-Fi MAC, use the airodump utility on Linux.)

------------

Hacked Wi-Fi Networks

Only WPA/WPA2 Key (Passphrase)

More soon!


END!

Wednesday, October 19, 2011

DV-250 WiMAX modem boot log

DV-250 WiMAX modem


Serial boot log:


Ethernet eth0: MAC address 00:15:f2:0d:4f:9b
IP: 192.168.0.8/255.255.255.0, Gateway: 192.168.0.1
Default server: 192.168.0.1

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version UNKNOWN - built 20:17:12, Aug 11 2009

Platform: MT7108APP (ARM9)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, 2005, 2006 eCosCentric Limited

RAM: 0x00000000-0x02ffc000, [0x0002dc18-0x02fe9000] available
FLASH: 0x60000000 - 0x60e80000, 232 blocks of 0x00010000 bytes each.
RedBoot> mfill -b 0x80000008 -l 4 -4 -p 0x3D
RedBoot> mfill -b 0x80000008 -l 4 -p 0xffffffff -4
RedBoot> cache on
RedBoot> fs mount -d /dev/flash1 -t jffs2 /flash
RedBoot> fs cd /flash
RedBoot> load -m file -b 0x600000 -r zImage
Raw file loaded 0x00600000-0x0075444b, assumed entry at 0x00600000
RedBoot> load -m file -b 0x1000000 -r initrd
Raw file loaded 0x01000000-0x01484fff, assumed entry at 0x01000000
RedBoot> exec -z -b 0x600000
Uncompressing Linux............................................................................................ done, booting the kernel.

Linux version 2.6.10_mvl401-versatile926ejs (root@Ubuntu-WS) (gcc version 3.4.4) #1 Mon Nov 9 21:27:14 CST 2009

CPU: ARM926EJ-Sid(wb) [41069265] revision 5 (ARMv5TEJ)
CPU0: D VIVT write-back cache
CPU0: I cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
CPU0: D cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
Machine: MT7108
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists

Kernel command line: console=ttyS1,115200n1 mem=48M@0M initrd=0x1000000,0x800000 ramdisk_size=8192 root=/dev/ram

PID hash table entries: 256 (order: 8, 4096 bytes)

Console: colour dummy device 80x30
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 48MB = 48MB total
Memory: 37400KB available (2399K code, 502K data, 104K init)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
spawn_desched_task(00000000)
desched cpu_callback 3/00000000
ksoftirqd started up.
desched cpu_callback 2/00000000
desched thread 0 started up.
checking if image is initramfs...it isn't (bad gzip magic numbers); looks like an initrd
Freeing initrd memory: 8192K
NET: Registered protocol family 16
PCI: bus0: Fast back to back transfers enabled
SCSI subsystem initialized
usbcore: registered new driver hub
NetWinder Floating Point Emulator V0.97 (double precision)
Registering GDB sysrq handler
Installing knfsd (copyright (C) 1996 [email protected]).
JFFS2 version 2.2. (NAND) (C) 2001-2003 Red Hat, Inc.
Initializing Cryptographic API
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
ttyS1 at MMIO 0x800a0000 (irq = 7) is a 16550A
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
MPPE/MPPC encryption/compression module registered
Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
ide: Assuming 50MHz system bus speed for PIO modes; override with idebus=xx
elevator: using anticipatory as default io scheduler
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
mice: PS/2 mouse device common for all mice
u32 classifier
OLD policer on
NET: Registered protocol family 2
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 8192)
ip_conntrack version 2.1 (384 buckets, 3072 max) - 360 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
ipt_recent v0.3.1: Stephen Frost . http://snowman.net/projects/ipt_recent/

ClusterIP Version 0.6 loaded successfully
Initializing XFRM netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
RAMDISK: cramfs filesystem found at block 0
RAMDISK: Loading 4628KiB [1 disk] into ram disk... done.

VFS: Mounted root (cramfs filesystem) readonly.
Freeing init memory: 104K
init started: BusyBox v1.6.1 (2009-11-09 21:34:32 CST) multi-call binary
starting pid 727, tty '': '/etc/rcS'
[WATCHDOG] check_umac_health=on timeout=31 interval=5
gpio: module license 'unspecified' taints kernel.
init mod-gpio
init mod-ledbutton
register fastpath id=3 net_device=c2b03800 name=vth%d if_type=2 hard_header_len=14
Searching for RedBoot partition table in MTDCCIF at offset 0x30000
4 RedBoot partitions found on MTD device MTDCCIF

Creating 4 MTD partitions on "MTDCCIF":
0x00000000-0x00030000 : "RedBoot_arm9"
rfd_ftl: no RFD magic found in 'RedBoot_arm9'.
0x00030000-0x0003f000 : "FIS directory"
0x0003f000-0x00040000 : "RedBoot config"
0x00040000-0x00e40000 : "etc_plus"
rfd_ftl: no RFD magic found in 'etc_plus'.

mtd_partitions add
mount etc -> mtd3
init mod-ksocket

******************************************************************
******************************************************************
insmod hostdriver.ko
******************************************************************
******************************************************************
wmx0: Dropping NETIF_F_SG since no checksum feature.
register fastpath id=1 net_device=c2df8000 name=wmx0 if_type=1 hard_header_len=14
register fastpath id=0 net_device=c2d9dc00 name=eth%d if_type=0 hard_header_len=14
eth0: IC+ IP101A
8139too Fast Ethernet driver 0.9.27
modprobe: module star_ether not found
modprobe: failed to load module star_ether
clock is 40MHz

DPLL = c3020
Initializing MUSB Driver (x.x) [debug=0][gadget=no][otg=no] REV=1
direct_bus_init 259: Probing direct bus [direct=1]
MGC_LinuxInitController 2058: MUSB Driver [Base Address(PA)=0xc3846000]

[IRQ = 13]
[pDevice=bf047948]

MGC_HdrcInit 1048: ConfigData=0xdf (UTMI-16, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
MGC_HdrcInit 1074: xDRC version 2.0
end=0 TXRX sz=3 addr=0 offset=0
end=1 TX sz=6 addr=8 offset=64
end=2 RX sz=6 addr=72 offset=576
end=3 TX sz=3 addr=136 offset=1088
end=4 RX sz=3 addr=144 offset=1152

MGC_LinuxInitController 2150: End 00: Shared FIFO TxSize=0040/RxSize=0040
MGC_LinuxInitController 2150: End 01: FIFO TxSize=0200/RxSize=0000
MGC_LinuxInitController 2150: End 02: FIFO TxSize=0000/RxSize=0200
MGC_LinuxInitController 2150: End 03: FIFO TxSize=0040/RxSize=0000
MGC_LinuxInitController 2150: End 04: FIFO TxSize=0000/RxSize=0040
musb-hcd usb0: new USB bus registered, assigned bus number 1
mgc_init_bus 1934: Registered new bus @c17338e0
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
[Starting] sncfgd ... ----------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Congratulation, WMM initialized successfully
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OK
[Starting] networking
device eth0 entered promiscuous mode

br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state

.
[Starting] FW/NAT
ip_conntrack_pptp version 2.1 loaded
ip_nat_pptp version 2.0 loaded
.
[Strating] syslog and klog daemon ... OK
[wifi] Starting....
WLAN_LOCK=1
[wifi] initial wifi config file.
rtusb init --->
usbcore: registered new driver rt2870
ifconfig: SIOCGIFFLAGS: No such device
usbcore: deregistering driver rt2870

<--- rtusb exit
[wifi] The device is not ready.
[wifi] Failed to generate wifi config file.
rtusb init --->

usbcore: registered new driver rt2870
WLAN_AUTO_SSIDWEP=,
WLAN_LOCK=0
Starting SW RTCThu Jan 1 00:04:00 UTC 1970
Thu Jan 1 08:06:00 LST 1970
SW_RTC_TIMESTAMP=010100061970.00
--- to install system time log (SW RTC)[Translating] crontab ... OK
.
[Starting] ssh server OK
[Starting] httpd serverWMX_AUTO_RECONNECT=1
/bin/lighttpd /usr/www_gemtek/lighttpd.conf ... lighttpd: copy conf filecp: cannot stat '/usr/www_gemtek/p1nadmin': No such file or directory
cp: cannot stat '/usr/www_gemtek/p1nadminJ': No such file or directory
.
OK
[Starting] httpd server/bin/mini_httpd.elf /etc/conf/mini_httpd.conf ... .
OK
[Starting] https server/usr/trans/httpsd.trans ... /bin/mini_httpd.elf /etc/conf/mini_httpsd.conf ... .
OK
Starting miniupnpd.
[Starting] telnet server/usr/sbin/telnetd -p 23 ... OK
[Strating] dhcp server ... /usr/trans/dhcpd.trans ... /usr/sbin/udhcpd /etc/conf/udhcpd.conf ... OK
/tmp/rcS: line 1: /etc/rc.d/S07networking_wan: Permission denied
[Starting] wimac upgrade checking ...
[Strating] zebra daemon ... /usr/trans/sroute.trans ... /usr/sbin/zebra -d -f /etc/conf/zebra.conf -i /var/run/zebra.pid ... OK
[Strating] rip daemon ... rip daemon was configured to be disabled ... FAIL
[Strating] VoIP ...
modprobe vdspsw kernel modules ...
probe info: pcm version=1, slic_typ=3215, chan_num=1, call/session_num=4
control PSTN-Relay
init mod-syss

init mod-pcm2

pcm_ver = 1
pcm_chan_no = 1
pcm_mmap_flushall = 0
pcm_mangle = 1
pcm_dsp_log_sz = 8000

init mod-lec, ch=1 Nov 9 2009 15:47:45
Init mod-drc drc_ch_num=1 Nov 9 2009 15:47:51
DSP: <1>init mod-dsp
init mod-slic3
start init slic=4294940183l
probe channel num=1
Silicon driver:si321x 0 reg 0 = C3 reg1 = 88
Silicon driver:si321x loading indirect registers
Silicon driver:si321x 0 checking for foreign volt source
Silicon driver:si321x 0 bringing up vbat 0
Silicon driver:si321x running cal 1
Silicon driver:si321x running cal 2
Silicon driver:si321x 0 cmdac and difdac cal start
Silicon driver:si321x manual cal ring starting
Silicon driver:si321x manual cal tip starting
Silicon driver:si321x 0 long balance cal starting
Silicon driver:si321x 0 long balance cal waiting for active line(s) to charge
Silicon driver:si321x 0 long balance cal executing
Silicon driver:si321x 0 cal sequence finished
Silicon driver:Si321x_PCMStart
dtnf init ch=1
DTMF_MAIN: dtmf_main_init: add to pcm engine, 0
FMTD: Enable Channel 0

SLIC2: <1>init mod-fxs3
init slic end=4294940475l
modprobe slic2 result=0
init mod-ortp
oRTP-0.13.1 initialized.<1>init mod-foip
init mod-acodec
init mod-vdsp for 1 channels 4 sessions
VDSP V 2.0.4 (Nov 9 2009 15:49:49)
voip_insert_modules result=0 ...
reset cfg channel number to 1
voip.cfg exist
voip_feature.cfg exist
voip.conf exist
voip_feature.conf exist
[Translating] crontab ...init voipconf_init, Nov 9 2009 16:04:51
OK
port=5060
System Info: Max Line Number:1, Max Account Number:1, Max Call Number:4
Build @ Date:Nov 9 2009, Time:16:05:08
VOIP_SERVER_PROXY_ADDR=10.109.2.6
VOIP_SERVER_PROXY_PORT=5060
VOIP_SERVER_REGISTRAR_ADDR=10.109.2.6
VOIP_SERVER_REGISTRAR_PORT=5060
VOIP_SERVER_OUTBOUND_ADDR=10.109.2.6
VOIP_SERVER_OUTBOUND_PORT=5060
VOIP_COMM_SIP_DOMAIN=10.109.2.6
[Starting] crond ... OK
[Starting] auto reconnect to BS ... OK
starting pid 1748, tty '': '/sbin/getty'

mt7xxx login:


END!

Sunday, October 16, 2011

Internet Speed Test

Internet Speed Test at UoB

Test 1

Test 2



END!

Tuesday, October 11, 2011

SIM Cloning: COMP128 v1 cards

Good old days

Sim-cards & reader



Home-made sim-cards using Funcard (ATMEL-90S8515) and Silvercard (PIC16F877 + 24C64)

Mobile Operators in Bahrain:
Batelco old simcards (COMP128v1)
Zain (COMP128v2)
VIVA (COMP128v2)

FAQs:

Advantages of SIM cloning
A few advantages are as follows:

1. Backup of your original simcard

2. You use different phones at home and when going out. Swap the phone without swapping the SIM card. (This avoids the hassle of removing the battery and changing the SIM card.)

3. No need to go to the mobile service provider for a new SIM card when your original SIM gets damaged.

+ more


More Info
If you switch on two phones with cloned SIMs (both clones, or 1 original & 1 clone),
the last phone switched on will be the active one (i.e. the one able to receive calls/SMS).


END!

Friday, October 7, 2011

WiMAX modems: Whose MAC can be changed

List of WiMAX modems whose MAC address can be changed to get FREE Internet

HUAWEI

BM635 (tested)
BM625 (similar to BM635)
BM622 (tested)
BM622i (tested)

and many more....
(almost all Huawei Wimax modems)

==================

ZyXEL

HES-319M (tested)
MAX-318M (tested)

==================

Motorola

CPEi 35775 (tested [needs device certificate])

==================


Most ISPs use the MAC address for authentication, allowing a modem with a valid/active MAC to connect to the network. So by changing the MAC, it is possible to get Free Internet....
END!