Username: ONT_BTC
Password: Admin@8245
Thursday, May 20, 2021
Thursday, March 21, 2019
Hacking Huawei HG8245Q / HG8245Q2 ONT (from Batelco) to get Administrator access
Only low privilege access using default username password. Superuser access credential unknown...
Aim: To get superuser access.
Login
Superuser Access
Superuser password hash (Cracked to get full access)
Done!
Wednesday, February 13, 2019
Hacking Infinova V1772N-T series PTZ camera (for remote restart)
Hacking Infinova V1772N-T series PTZ camera to solve irritating hanging issue, where web interface becomes unresponsive.
Issue: Camera web interface becomes unresponsive after running for few days. Can't access the camera through web browser even though port 80 is open. Telnet daemon port 23 open but username & password are unknown. Contacted Infinova support several times but no solution.
The only solution to get the camera up and running is to physically power off / cut the power to camera and then power up.
Dumped the passwd/shadow file and cracked the root DES encrypted password.
Soluton:
Login via telnet using root credential and reboot the camera remotely or restart webs service.
After getting root:
root@INFINOVA # cat /proc/mtd
dev: size erasesize name
mtd0: 000c0000 00020000 "mboot1"
mtd1: 00320000 00020000 "kernel1"
mtd2: 00320000 00020000 "kernel2"
mtd3: 00220000 00020000 "initrd1"
mtd4: 00220000 00020000 "initrd2"
mtd5: 04680000 00020000 "rootfs"
mtd6: 0ae40000 00020000 "data"
END!
Read more!
Issue: Camera web interface becomes unresponsive after running for few days. Can't access the camera through web browser even though port 80 is open. Telnet daemon port 23 open but username & password are unknown. Contacted Infinova support several times but no solution.
The only solution to get the camera up and running is to physically power off / cut the power to camera and then power up.
Dumped the passwd/shadow file and cracked the root DES encrypted password.
Soluton:
Login via telnet using root credential and reboot the camera remotely or restart webs service.
After getting root:
root@INFINOVA # cat /proc/mtd
dev: size erasesize name
mtd0: 000c0000 00020000 "mboot1"
mtd1: 00320000 00020000 "kernel1"
mtd2: 00320000 00020000 "kernel2"
mtd3: 00220000 00020000 "initrd1"
mtd4: 00220000 00020000 "initrd2"
mtd5: 04680000 00020000 "rootfs"
mtd6: 0ae40000 00020000 "data"
END!
Sunday, January 3, 2016
Zain Wimax Routers Collection
Zain Wimax Routers
(Huawei BM635 & BM636e)
Bypassed security measures to get free internet!
(Huawei BM635 & BM636e)
Bypassed security measures to get free internet!
END!
Tuesday, July 21, 2015
Hacking G-Share2 (Satellite Card Sharing Client) Subscription
Expiry date: 2017-03-18
Expiry date: 2016-06-27
Expiry date: 2016-08-20
Changing SPI flash programmed with working OTP memory area
Monday, November 10, 2014
Zain Broadband 2.0 (Security flaws): Free Internet/VoIP calls with Huawei Echolife BM635
Free Internet
- Login to Huawei Echolife BM635 via telnet.telnet 192.168.1.1
- Enter username / password and then press ENTER
username: huawei
password: Adt26BnE
- At ATP prompt
type setallmacaddr XX:XX:XX:XX:XX:XX & then press ENTER (where XX:XX:XX:XX:XX:XX is a valid WAN MAC address)
e.g. ATP> setallmacaddr 4C:54:99:12:12:12
- Type restoredef & press ENTER
- Huawei BM635 will restart with new MAC address and default configuration.
- If done correctly then you will be connected to the Internet (with subscriber IP address)
Free VoIP Calls (Untraceable calls)
Security threat
- Point your browser to 192.168.1.1
- Login using admin:2gzVL6MT
- Click on Basic > VoIP > SIP User
- Enter SIP Super Password (link)
then enter a valid VoIP number in SIP ID & Username fields
Note: SIP ID & Username are same i.e.
SIP ID: 13644272
Username: 13644272
Password: !@#$%^&*()_ - Click on Apply then on Register
You can check the status of VOIP registration under STATUS > VoIP
Note: This will only work if you are using Zain WiMAX
Note: This will only work if you are using Zain WiMAX
- If done correctly then you can call for free (using subscriber call credit)
END!
Monday, November 3, 2014
Zain Broadband 2.0 (Wimax): NEW Admin Password
Zain Broadband 2.0 Updated
(Admin Password of Zain Broadband Device with updated firmware)
Huawei Echolife BM635
Get Full Access to your device (OWN IT)
WebGUI Login Detail
Username: admin
Password: 2gzVL6MT
Telnet Login Detail
Username: huawei
Password: Adt26BnE
SIP Super Password
Password: Reverse WAN MAC + R3bKaA
Wimax Super Password
Password: Reverse WAN MAC + hUm2A786
For Example
If WAN MAC is 84:A2:5F:3D:CD:2E
then Reverse WAN MAC will be E2DCD3F52A48
Screenshots
Get Full Access to your device (OWN IT)
WebGUI Login Detail
Username: admin
Password: 2gzVL6MT
Telnet Login Detail
Username: huawei
Password: Adt26BnE
SIP Super Password
Password: Reverse WAN MAC + R3bKaA
Wimax Super Password
Password: Reverse WAN MAC + hUm2A786
For Example
If WAN MAC is 84:A2:5F:3D:CD:2E
then Reverse WAN MAC will be E2DCD3F52A48
Screenshots
Wednesday, October 19, 2011
DV-250 WiMAX modem boot log
DV-250 WiMAX modemSerial boot log (click Read More!)
Ethernet eth0: MAC address 00:15:f2:0d:4f:9b
IP: 192.168.0.8/255.255.255.0, Gateway: 192.168.0.1
Default server: 192.168.0.1
RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version UNKNOWN - built 20:17:12, Aug 11 2009
Platform: MT7108APP (ARM9)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, 2005, 2006 eCosCentric Limited
RAM: 0x00000000-0x02ffc000, [0x0002dc18-0x02fe9000] available
FLASH: 0x60000000 - 0x60e80000, 232 blocks of 0x00010000 bytes each.
RedBoot> mfill -b 0x80000008 -l 4 -4 -p 0x3D
RedBoot> mfill -b 0x80000008 -l 4 -p 0xffffffff -4
RedBoot> cache on
RedBoot> fs mount -d /dev/flash1 -t jffs2 /flash
RedBoot> fs cd /flash
RedBoot> load -m file -b 0x600000 -r zImage
Raw file loaded 0x00600000-0x0075444b, assumed entry at 0x00600000
RedBoot> load -m file -b 0x1000000 -r initrd
Raw file loaded 0x01000000-0x01484fff, assumed entry at 0x01000000
RedBoot> exec -z -b 0x600000
Uncompressing Linux............................................................................................ done, booting the kernel.
Linux version 2.6.10_mvl401-versatile926ejs (root@Ubuntu-WS) (gcc version 3.4.4) #1 Mon Nov 9 21:27:14 CST 2009
CPU: ARM926EJ-Sid(wb) [41069265] revision 5 (ARMv5TEJ)
CPU0: D VIVT write-back cache
CPU0: I cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
CPU0: D cache: 16384 bytes, associativity 4, 32 byte lines, 128 sets
Machine: MT7108
Memory policy: ECC disabled, Data cache writeback
Built 1 zonelists
Kernel command line: console=ttyS1,115200n1 mem=48M@0M initrd=0x1000000,0x800000 ramdisk_size=8192 root=/dev/ram
PID hash table entries: 256 (order: 8, 4096 bytes)
Console: colour dummy device 80x30
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 48MB = 48MB total
Memory: 37400KB available (2399K code, 502K data, 104K init)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
CPU: Testing write buffer coherency: ok
spawn_desched_task(00000000)
desched cpu_callback 3/00000000
ksoftirqd started up.
desched cpu_callback 2/00000000
desched thread 0 started up.
checking if image is initramfs...it isn't (bad gzip magic numbers); looks like an initrd
Freeing initrd memory: 8192K
NET: Registered protocol family 16
PCI: bus0: Fast back to back transfers enabled
SCSI subsystem initialized
usbcore: registered new driver hub
NetWinder Floating Point Emulator V0.97 (double precision)
Registering GDB sysrq handler
Installing knfsd (copyright (C) 1996 [email protected]).
JFFS2 version 2.2. (NAND) (C) 2001-2003 Red Hat, Inc.
Initializing Cryptographic API
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
ttyS1 at MMIO 0x800a0000 (irq = 7) is a 16550A
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
MPPE/MPPC encryption/compression module registered
Uniform Multi-Platform E-IDE driver Revision: 7.00alpha2
ide: Assuming 50MHz system bus speed for PIO modes; override with idebus=xx
elevator: using anticipatory as default io scheduler
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
mice: PS/2 mouse device common for all mice
u32 classifier
OLD policer on
NET: Registered protocol family 2
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 8192)
ip_conntrack version 2.1 (384 buckets, 3072 max) - 360 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
ipt_recent v0.3.1: Stephen Frost
ClusterIP Version 0.6 loaded successfully
Initializing XFRM netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
RAMDISK: cramfs filesystem found at block 0
RAMDISK: Loading 4628KiB [1 disk] into ram disk... | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / - \ | / done.
VFS: Mounted root (cramfs filesystem) readonly.
Freeing init memory: 104K
init started: BusyBox v1.6.1 (2009-11-09 21:34:32 CST) multi-call binary
starting pid 727, tty '': '/etc/rcS'
[WATCHDOG] check_umac_health=on timeout=31 interval=5
gpio: module license 'unspecified' taints kernel.
init mod-gpio
init mod-ledbutton
register fastpath id=3 net_device=c2b03800 name=vth%d if_type=2 hard_header_len=14
Searching for RedBoot partition table in MTDCCIF at offset 0x30000
4 RedBoot partitions found on MTD device MTDCCIF
Creating 4 MTD partitions on "MTDCCIF":
0x00000000-0x00030000 : "RedBoot_arm9"
rfd_ftl: no RFD magic found in 'RedBoot_arm9'.
0x00030000-0x0003f000 : "FIS directory"
0x0003f000-0x00040000 : "RedBoot config"
0x00040000-0x00e40000 : "etc_plus"
rfd_ftl: no RFD magic found in 'etc_plus'.
mtd_partitions add
mount etc -> mtd3
init mod-ksocket
******************************************************************
******************************************************************
insmod hostdriver.ko
******************************************************************
******************************************************************
wmx0: Dropping NETIF_F_SG since no checksum feature.
register fastpath id=1 net_device=c2df8000 name=wmx0 if_type=1 hard_header_len=14
register fastpath id=0 net_device=c2d9dc00 name=eth%d if_type=0 hard_header_len=14
eth0: IC+ IP101A
8139too Fast Ethernet driver 0.9.27
modprobe: module star_ether not found
modprobe: failed to load module star_ether
clock is 40MHz
DPLL = c3020
Initializing MUSB Driver (x.x) [debug=0][gadget=no][otg=no] REV=1
direct_bus_init 259: Probing direct bus [direct=1]
MGC_LinuxInitController 2058: MUSB Driver [Base Address(PA)=0xc3846000]
[IRQ = 13]
[pDevice=bf047948]
MGC_HdrcInit 1048: ConfigData=0xdf (UTMI-16, dyn FIFOs, bulk combine, bulk split, HB-ISO Rx, HB-ISO Tx, SoftConn)
MGC_HdrcInit 1074: xDRC version 2.0
end=0 TXRX sz=3 addr=0 offset=0
end=1 TX sz=6 addr=8 offset=64
end=2 RX sz=6 addr=72 offset=576
end=3 TX sz=3 addr=136 offset=1088
end=4 RX sz=3 addr=144 offset=1152
MGC_LinuxInitController 2150: End 00: Shared FIFO TxSize=0040/RxSize=0040
MGC_LinuxInitController 2150: End 01: FIFO TxSize=0200/RxSize=0000
MGC_LinuxInitController 2150: End 02: FIFO TxSize=0000/RxSize=0200
MGC_LinuxInitController 2150: End 03: FIFO TxSize=0040/RxSize=0000
MGC_LinuxInitController 2150: End 04: FIFO TxSize=0000/RxSize=0040
musb-hcd usb0: new USB bus registered, assigned bus number 1
mgc_init_bus 1934: Registered new bus @c17338e0
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected
[Starting] sncfgd ... ----------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Congratulation, WMM initialized successfully
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OK
[Starting] networking
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
.
[Starting] FW/NAT
ip_conntrack_pptp version 2.1 loaded
ip_nat_pptp version 2.0 loaded
.
[Strating] syslog and klog daemon ... OK
[wifi] Starting....
WLAN_LOCK=1
[wifi] initial wifi config file.
rtusb init --->
usbcore: registered new driver rt2870
ifconfig: SIOCGIFFLAGS: No such device
usbcore: deregistering driver rt2870
<--- rtusb exit [wifi] The device is not ready. [wifi] Failed to generate wifi config file. rtusb init --->
usbcore: registered new driver rt2870
WLAN_AUTO_SSIDWEP=,
WLAN_LOCK=0
Starting SW RTCThu Jan 1 00:04:00 UTC 1970
Thu Jan 1 08:06:00 LST 1970
SW_RTC_TIMESTAMP=010100061970.00
--- to install system time log (SW RTC)[Translating] crontab ... OK
.
[Starting] ssh server OK
[Starting] httpd serverWMX_AUTO_RECONNECT=1
/bin/lighttpd /usr/www_gemtek/lighttpd.conf ... lighttpd: copy conf filecp: cannot stat '/usr/www_gemtek/p1nadmin': No such file or directory
cp: cannot stat '/usr/www_gemtek/p1nadminJ': No such file or directory
.
OK
[Starting] httpd server/bin/mini_httpd.elf /etc/conf/mini_httpd.conf ... .
OK
[Starting] https server/usr/trans/httpsd.trans ... /bin/mini_httpd.elf /etc/conf/mini_httpsd.conf ... .
OK
Starting miniupnpd.
[Starting] telnet server/usr/sbin/telnetd -p 23 ... OK
[Strating] dhcp server ... /usr/trans/dhcpd.trans ... /usr/sbin/udhcpd /etc/conf/udhcpd.conf ... OK
/tmp/rcS: line 1: /etc/rc.d/S07networking_wan: Permission denied
[Starting] wimac upgrade checking ...
[Strating] zebra daemon ... /usr/trans/sroute.trans ... /usr/sbin/zebra -d -f /etc/conf/zebra.conf -i /var/run/zebra.pid ... OK
[Strating] rip daemon ... rip daemon was configured to be disabled ... FAIL
[Strating] VoIP ...
modprobe vdspsw kernel modules ...
probe info: pcm version=1, slic_typ=3215, chan_num=1, call/session_num=4
control PSTN-Relay
init mod-syss
init mod-pcm2
pcm_ver = 1
pcm_chan_no = 1
pcm_mmap_flushall = 0
pcm_mangle = 1
pcm_dsp_log_sz = 8000
init mod-lec, ch=1 Nov 9 2009 15:47:45
Init mod-drc drc_ch_num=1 Nov 9 2009 15:47:51
DSP: <1>init mod-dsp
init mod-slic3
start init slic=4294940183l
probe channel num=1
Silicon driver:si321x 0 reg 0 = C3 reg1 = 88
Silicon driver:si321x loading indirect registers
Silicon driver:si321x 0 checking for foreign volt source
Silicon driver:si321x 0 bringing up vbat 0
Silicon driver:si321x running cal 1
Silicon driver:si321x running cal 2
Silicon driver:si321x 0 cmdac and difdac cal start
Silicon driver:si321x manual cal ring starting
Silicon driver:si321x manual cal tip starting
Silicon driver:si321x 0 long balance cal starting
Silicon driver:si321x 0 long balance cal waiting for active line(s) to charge
Silicon driver:si321x 0 long balance cal executing
Silicon driver:si321x 0 cal sequence finished
Silicon driver:Si321x_PCMStart
dtnf init ch=1
DTMF_MAIN: dtmf_main_init: add to pcm engine, 0
FMTD: Enable Channel 0
SLIC2: <1>init mod-fxs3
init slic end=4294940475l
modprobe slic2 result=0
init mod-ortp
oRTP-0.13.1 initialized.<1>init mod-foip
init mod-acodec
init mod-vdsp for 1 channels 4 sessions
VDSP V 2.0.4 (Nov 9 2009 15:49:49)
voip_insert_modules result=0 ...
reset cfg channel number to 1
voip.cfg exist
voip_feature.cfg exist
voip.conf exist
voip_feature.conf exist
[Translating] crontab ...init voipconf_init, Nov 9 2009 16:04:51
OK
port=5060
System Info: Max Line Number:1, Max Account Number:1, Max Call Number:4
Build @ Date:Nov 9 2009, Time:16:05:08
VOIP_SERVER_PROXY_ADDR=10.109.2.6
VOIP_SERVER_PROXY_PORT=5060
VOIP_SERVER_REGISTRAR_ADDR=10.109.2.6
VOIP_SERVER_REGISTRAR_PORT=5060
VOIP_SERVER_OUTBOUND_ADDR=10.109.2.6
VOIP_SERVER_OUTBOUND_PORT=5060
VOIP_COMM_SIP_DOMAIN=10.109.2.6
[Starting] crond ... OK
[Starting] auto reconnect to BS ... OK
starting pid 1748, tty '': '/sbin/getty'
mt7xxx login:
END!
Sunday, October 16, 2011
Friday, October 7, 2011
WiMAX modems: Whose MAC can be changed
List of WiMAX modems whose MAC address can be changed to get FREE Internet
HUAWEI
BM635 (tested)
BM625 (similar to BM635)
BM622 (tested)
BM622i (tested)
and many more....
(almost all Huawei Wimax modems)
==================
ZyXEL
HES-319M (tested)
MAX-318M (tested)
==================
Motorola
CPEi 35775 (tested [needs device certificate])
==================
Most of the ISPs uses MAC address for authentication to allow a modem (with valid/active MAC) to get connected to the Network. So by changing the MAC, it is possible to get Free Internet....
END!
Read more!
BM635 (tested)
BM625 (similar to BM635)
BM622 (tested)
BM622i (tested)
and many more....
(almost all Huawei Wimax modems)
==================
ZyXEL
HES-319M (tested)
MAX-318M (tested)
==================
Motorola
CPEi 35775 (tested [needs device certificate])
==================
Most of the ISPs uses MAC address for authentication to allow a modem (with valid/active MAC) to get connected to the Network. So by changing the MAC, it is possible to get Free Internet....
