- Connect to the router via ssh, the username is "engineer" and the password is the access key on the bottom of your router
- You will be greeted with something akin to the following:
| | o | |--- ,---. ,---. |---. ,---. . ,---. ,---. | ,---. ,---. | |---' | | | | | | | | | | | | | `---' `---' `---' ` ' ` ' ` `---' `---' `---' `---' ` N E X T G E N E R A T I O N G A T E W A Y -------------------------------------------------------------------- NG GATEWAY SIGNATURE DRINK -------------------------------------------------------------------- * 1 oz Vodka Pour all ingredients into mixing * 1 oz Triple Sec tin with ice, strain into glass. * 1 oz Orange juice -------------------------------------------------------------------- This program contains proprietary information which is a trade secret of Technicolor and also is protected by intellectual property as an unpublished work under applicable Copyright laws/right of authorship. This program is also subject to some patent and pending patent applications. Technicolor is registered trademark and trade name of Technicolor group company, and shall not be used in any manner without express written from Technicolor. The use of the program and documentation is strictly limited to your own internal evaluation of the product embedding such program, unless expressly agreed otherwise by Technicolor under a specific agreement. Recipient is to retain this program in confidence and is not permitted to use or make copies thereof other than as permitted in a written agreement with Technicolor, unless otherwise expressly allowed by applicable laws. Recipient is not allowed to make any copy, decompile, reverse engineer, disassemble, and attempt to derive the source code of, modify, or create derivative works of the program, any update, or any part thereof. Any violation or attempt to do so is a violation of the rights of Technicolor. If you or any person under your control or authority breach this restriction, you may be subject to prosecution and damages. Product: vbnt-2 Release: Cobalt (18.3) Version: 18.3.0278-2741007-20190320103504-0a0de5fc444c0dd4b93760b5cebf15791868a0a7 Hash config: 0a0de5fc444c0dd4b93760b5cebf15791868a0a7 Hash openwrt: f05086f310e02591a501232ceecfa6ca3641deb2 Hash kernel: 0d40edb618b17d93b4b81a4178f38d107840bf58 Hash technicolor: d08bcf9fc16cc35e3967c8a1298d36d3cec1fdfe Hash routing: 210fc51dab0344d982f6be3c8cf289be0c27a689 Hash custo: 597f3f0d2bbd794727911db87025a86da665b28a Hash lte: ff91c9ab917fd6313ff2891788c33fef717d2425 Hash packages: cd399ca61469d26b2bf1777bc099a475fc19868d ==================================================================================== engineer> - run the command "ps"
- scroll through the list to find the "pppd" command, it will look something like:
5175 2365 root S 3304 1% 0% /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wan lcp-echo-interval 10 lcp-echo-failure 5 lcp-echo-adaptive set PEERDNS=0 nodefaultroute usepeerdns maxfail 1 user PPPOEUSERNAME password PPPOEPASSWORD ip-up-script /lib/netifd/ppp-up ipv6-up-script /lib/netifd/ppp6-up ip-down-script /lib/netifd/ppp-down ipv6-down-script /lib/netifd/ppp-down plugin connstate.so mtu 1500 mru 1500 plugin rp-pppoe.so graceful_restart /etc/ppp/pppoesession_vlan_wan nic-vlan_wan host-uniq SOMMESTRING - The username and password are passed as arguments to that pppd command, so copy them down and do with them what you want!
Last active
December 24, 2023 22:23
-
-
Save chriscpritchard/db98167c0a1372ef16e131bfe9b76956 to your computer and use it in GitHub Desktop.
Technicolor DWA0120 - Obtain PPPOE Password
Oh I tried ps -w and I got this:
2152 root 2356 S /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wan lcp-echo-interval 10 lcp-echo-failure 5 lcp-echo-ada
slightly better but still missing the vital info - I've tried putty, KiTTY and solar-putty, but they all do the same thing...
@totallytechit top exists, and will print out the full command line for all processes including pppd
@mhw - thats perfect thank you!
@totallytechit top doesn't show anything of the sort. I'm using a, modded I suppose, Technicolor DWA0120 from SSE and have the same issue of @mhw. Both ps and top shows no details.
Quite frustrating also that nothing on hack-technicolor.readthedocs.io mention anything about these model (DWA0120) @LuKePicci. Is there somewhere you can point us out? I'm italian if that helps (I see most of the forum links are for italian broadbands)
I'd like to manage to get access to the root user but can't seem to find something for this model
I can help you, as I was saying a few posts above here you can easily get root on this firmware. You will need a variant of the current #D strategy. I can explain you how to achive this. Once done, I'll kindly ask you to share your firmware dump and other stuff like firmware download history and firmware decryption keys. I can tell you how to get all of them. @theCrius reach me on Telegram if you like, same nickname.
Gotcha, following up in telegram
Hello, I dont get see my pppoe passwordas suggested. Please have a look below. Router is DGA4231
PID USER VSZ STAT COMMAND
1 root 2856 S /sbin/procd
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
5 root 0 SW< [kworker/0:0H]
6 root 0 SW [kworker/u4:0]
7 root 0 SW [rcu_preempt]
8 root 0 SW [rcu_sched]
9 root 0 SW [rcu_bh]
10 root 0 SW [migration/0]
11 root 0 SW [migration/1]
12 root 0 SW [ksoftirqd/1]
14 root 0 SW< [kworker/1:0H]
15 root 0 SW< [khelper]
16 root 0 SW< [netns]
17 root 0 SW< [writeback]
18 root 0 SW [kworker/0:1]
19 root 0 SW< [crypto]
20 root 0 SW< [bioset]
21 root 0 SW< [kblockd]
22 root 0 SW [skb_free_task]
23 root 0 SW [bcmFapDrv]
24 root 0 SWN [kswapd0]
25 root 0 SW [fsnotify_mark]
38 root 0 SW< [kthrotld]
39 root 0 SW [cfinteractive]
40 root 0 SW [kworker/1:1]
41 root 0 SW< [linkwatch]
42 root 0 SW< [ipv6_addrconf]
43 root 0 SW< [deferwq]
44 root 0 SW [kworker/u4:1]
47 root 0 SW< [kworker/1:1H]
48 root 0 SW< [kworker/0:1H]
60 root 0 SWN [jffs2_gcd_mtd2]
181 root 2484 S /sbin/ubusd
230 root 5492 S /usr/sbin/cgrulesengd -n -Q -u root
315 root 0 SW [kbdmf_shell]
354 root 0 SW [spdsvc_timer_th]
368 root 0 SW [bcmxtm_rx]
389 root 0 SW [bcmFlwStatsTask]
412 root 0 SW [bcmsw_rx]
437 root 0 SW [bcmsw]
635 root 0 SW [dhd_watchdog_th]
636 root 0 SW [dhd0_dpc]
637 root 0 SW [wfd0-thrd]
666 root 0 SW [dhd_watchdog_th]
667 root 0 SW [dhd1_dpc]
668 root 0 SW [wfd1-thrd]
955 root 2024 S /usr/sbin/watchdog-tch -c /var/etc/watchdog.conf --f
1235 root 3724 S {status-led-even} /usr/bin/lua /sbin/status-led-even
1239 root 5656 S {ledfw.lua} /usr/bin/lua /sbin/ledfw.lua
1284 root 6532 S /sbin/logd -S 4096
1367 root 19812 S /usr/bin/swmdk
1415 root 2516 S /usr/bin/bcmubusbridge
1437 root 2276 S /usr/bin/dhcpopassthrud
1462 root 6000 S lua /usr/bin/hostmanager.lua
1788 root 5244 S {interceptd} /usr/bin/lua /usr/bin/interceptd
2044 root 57676 S hostapd -bund -p /var/run/hostapd.pid -e /tmp/hostap
2486 root 2828 S /sbin/netifd
2549 root 2824 S < /usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.c
2820 root 5300 S {mobiled.lua} /usr/bin/lua /lib/netifd/mobiled.lua -
2960 root 2436 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
3053 root 2564 S /usr/sbin/odhcpd
3102 root 3452 S /usr/sbin/crond -f -c /etc/crontabs -l 5
3242 root 5840 S lua /usr/bin/lcmd
3292 root 32940 S lua /usr/bin/transformer
3407 root 2524 S /usr/bin/dhcpsnooper -q 1
3463 root 6480 S {lte-doctor-logg} /usr/bin/lua /usr/bin/lte-doctor-l
3536 root 2368 S /usr/bin/mcsnooper
3591 root 2528 S /usr/bin/neighmd -m 0x7
3672 root 24624 S /usr/bin/nqnd
3673 root 24604 S /usr/bin/nqcs
3813 root 2056 S xl2tpd -D -l -p /var/run/xl2tpd.pid
3902 root 7056 S {mobiled} /usr/bin/lua /usr/bin/mobiled
4213 root 2948 S /usr/bin/igmpproxy
4378 root 2840 S /usr/bin/mldproxy
4469 root 5492 S nginx: master process /usr/sbin/nginx -c /etc/nginx/
4562 nobody 10336 S nginx: worker process
4608 root 12256 S /usr/sbin/urlfilterd
4734 root 3944 S /usr/sbin/miniupnpd-igdv1 -f /var/etc/miniupnpd-tch.
4802 root 7252 S lua /usr/bin/gre-hotspotd.lua
4864 root 3164 S /usr/sbin/opticald
5006 root 2440 S /usr/bin/fseventd -d
5082 root 3488 S {time_change_mon} /usr/bin/lua /sbin/time_change_mon
5113 root 14448 S /usr/bin/mvfs -o config=/tmp/.mvfs/mvfs.ini /var/mvf
5262 root 38436 S N
/usr/bin/mud -d -t /etc/mud/mud_file_type_config.ini
5289 root 3068 S mmpbxfwctl
5463 root 29924 S /usr/bin/dlnad -f /var/etc/dlnad.conf
6123 root 5288 S lua /usr/sbin/lxc_monitor.lua
6124 root 3044 S lxc-start -F -n lxc_ee
6210 root 2200 S /sbin/mountd -f
6272 root 3156 S {init} /bin/sh /sbin/init
6343 root 5248 S lua /usr/bin/pinholehelper.lua
6428 root 5252 S lua /usr/bin/redirecthelper.lua
9286 root 59620 S /usr/bin/cwmpd
9287 root 5228 S lua /usr/bin/cwmpevents
25626 root 3304 S /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wan
26197 root 2260 S odhcp6c -R -s /lib/netifd/dhcpv6.script -P0 -S -r12
26531 dnsmasq 2788 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.dnsmasq -
26537 root 2788 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.dnsmasq -
26689 root 3552 S < /usr/sbin/ntpd -n -N -l -S /usr/sbin/ntpd-hotplug -p
26945 root 0 SW [kworker/0:0]
28048 root 0 SW [kworker/1:0]
30729 root 2564 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
30770 engineer 6692 S lua /usr/bin/clash
31279 root 0 SW [kworker/u4:2]
31332 root 3024 S sleep 10
31333 root 3324 S sh -c sleep 10
31334 root 3192 S sleep 10
31338 root 3456 R /bin/ps
My Router is a DGA4231. I tried following your instructions above but no joy to get the pppoe password.. Please see below
PID USER VSZ STAT COMMAND
1 root 2856 S /sbin/procd
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
5 root 0 SW< [kworker/0:0H]
6 root 0 SW [kworker/u4:0]
7 root 0 SW [rcu_preempt]
8 root 0 SW [rcu_sched]
9 root 0 SW [rcu_bh]
10 root 0 SW [migration/0]
11 root 0 SW [migration/1]
12 root 0 SW [ksoftirqd/1]
14 root 0 SW< [kworker/1:0H]
15 root 0 SW< [khelper]
16 root 0 SW< [netns]
17 root 0 SW< [writeback]
18 root 0 SW [kworker/0:1]
19 root 0 SW< [crypto]
20 root 0 SW< [bioset]
21 root 0 SW< [kblockd]
22 root 0 SW [skb_free_task]
23 root 0 SW [bcmFapDrv]
24 root 0 SWN [kswapd0]
25 root 0 SW [fsnotify_mark]
38 root 0 SW< [kthrotld]
39 root 0 SW [cfinteractive]
40 root 0 SW [kworker/1:1]
41 root 0 SW< [linkwatch]
42 root 0 SW< [ipv6_addrconf]
43 root 0 SW< [deferwq]
44 root 0 SW [kworker/u4:1]
47 root 0 SW< [kworker/1:1H]
48 root 0 SW< [kworker/0:1H]
60 root 0 SWN [jffs2_gcd_mtd2]
181 root 2484 S /sbin/ubusd
230 root 5492 S /usr/sbin/cgrulesengd -n -Q -u root
315 root 0 SW [kbdmf_shell]
354 root 0 SW [spdsvc_timer_th]
368 root 0 SW [bcmxtm_rx]
389 root 0 SW [bcmFlwStatsTask]
412 root 0 SW [bcmsw_rx]
437 root 0 SW [bcmsw]
635 root 0 SW [dhd_watchdog_th]
636 root 0 SW [dhd0_dpc]
637 root 0 SW [wfd0-thrd]
666 root 0 SW [dhd_watchdog_th]
667 root 0 SW [dhd1_dpc]
668 root 0 SW [wfd1-thrd]
955 root 2024 S /usr/sbin/watchdog-tch -c /var/etc/watchdog.conf --f
1235 root 3724 S {status-led-even} /usr/bin/lua /sbin/status-led-even
1239 root 5656 S {ledfw.lua} /usr/bin/lua /sbin/ledfw.lua
1284 root 6532 S /sbin/logd -S 4096
1367 root 19812 S /usr/bin/swmdk
1415 root 2516 S /usr/bin/bcmubusbridge
1437 root 2276 S /usr/bin/dhcpopassthrud
1462 root 6000 S lua /usr/bin/hostmanager.lua
1788 root 5244 S {interceptd} /usr/bin/lua /usr/bin/interceptd
2044 root 57676 S hostapd -bund -p /var/run/hostapd.pid -e /tmp/hostap
2486 root 2828 S /sbin/netifd
2549 root 2824 S < /usr/sbin/conntrackd -C /etc/conntrackd/conntrackd.c
2820 root 5300 S {mobiled.lua} /usr/bin/lua /lib/netifd/mobiled.lua -
2960 root 2436 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
3053 root 2564 S /usr/sbin/odhcpd
3102 root 3452 S /usr/sbin/crond -f -c /etc/crontabs -l 5
3242 root 5840 S lua /usr/bin/lcmd
3292 root 32940 S lua /usr/bin/transformer
3407 root 2524 S /usr/bin/dhcpsnooper -q 1
3463 root 6480 S {lte-doctor-logg} /usr/bin/lua /usr/bin/lte-doctor-l
3536 root 2368 S /usr/bin/mcsnooper
3591 root 2528 S /usr/bin/neighmd -m 0x7
3672 root 24624 S /usr/bin/nqnd
3673 root 24604 S /usr/bin/nqcs
3813 root 2056 S xl2tpd -D -l -p /var/run/xl2tpd.pid
3902 root 7056 S {mobiled} /usr/bin/lua /usr/bin/mobiled
4213 root 2948 S /usr/bin/igmpproxy
4378 root 2840 S /usr/bin/mldproxy
4469 root 5492 S nginx: master process /usr/sbin/nginx -c /etc/nginx/
4562 nobody 10336 S nginx: worker process
4608 root 12256 S /usr/sbin/urlfilterd
4734 root 3944 S /usr/sbin/miniupnpd-igdv1 -f /var/etc/miniupnpd-tch.
4802 root 7252 S lua /usr/bin/gre-hotspotd.lua
4864 root 3164 S /usr/sbin/opticald
5006 root 2440 S /usr/bin/fseventd -d
5082 root 3488 S {time_change_mon} /usr/bin/lua /sbin/time_change_mon
5113 root 14448 S /usr/bin/mvfs -o config=/tmp/.mvfs/mvfs.ini /var/mvf
5262 root 38436 S N
/usr/bin/mud -d -t /etc/mud/mud_file_type_config.ini
5289 root 3068 S mmpbxfwctl
5463 root 29924 S /usr/bin/dlnad -f /var/etc/dlnad.conf
6123 root 5288 S lua /usr/sbin/lxc_monitor.lua
6124 root 3044 S lxc-start -F -n lxc_ee
6210 root 2200 S /sbin/mountd -f
6272 root 3156 S {init} /bin/sh /sbin/init
6343 root 5248 S lua /usr/bin/pinholehelper.lua
6428 root 5252 S lua /usr/bin/redirecthelper.lua
9286 root 59620 S /usr/bin/cwmpd
9287 root 5228 S lua /usr/bin/cwmpevents
25626 root 3304 S /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wan
26197 root 2260 S odhcp6c -R -s /lib/netifd/dhcpv6.script -P0 -S -r12
26531 dnsmasq 2788 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.dnsmasq -
26537 root 2788 S /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.dnsmasq -
26689 root 3552 S < /usr/sbin/ntpd -n -N -l -S /usr/sbin/ntpd-hotplug -p
26945 root 0 SW [kworker/0:0]
28048 root 0 SW [kworker/1:0]
30729 root 2564 S /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p
30770 engineer 6692 S lua /usr/bin/clash
31279 root 0 SW [kworker/u4:2]
31332 root 3024 S sleep 10
31333 root 3324 S sh -c sleep 10
31334 root 3192 S sleep 10
31338 root 3456 R /bin/ps
make sure the wan port is plugged in to something, other wise the "pppd" command won't be running
Thanks! This method works for DGA0122 as well. Use top instead ps command.
Any idea for the DGA4135?
If the router firmware is based on customzied OpenWRT, you can try:
uci show network.wan.password
uci show network.wan
Thank you very much
…On Thu, 21 Dec 2023 at 20:29, levid0s ***@***.***> wrote:
***@***.**** commented on this gist.
------------------------------
If the router firmware is based on customzied OpenWRT, you can try:
uci show network.wan.password
uci show network.wan
—
Reply to this email directly, view it on GitHub
<https://gist.github.com/chriscpritchard/db98167c0a1372ef16e131bfe9b76956#gistcomment-4803266>
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ANVLEF7N7I6WXT33JNGHHCDYKSL2JBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFQKSXMYLMOVS2I5DSOVS2I3TBNVS3W5DIOJSWCZC7OBQXE5DJMNUXAYLOORPWCY3UNF3GS5DZVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVEYTAMRQGA4TINZUU52HE2LHM5SXFJTDOJSWC5DF>
.
You are receiving this email because you commented on the thread.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>
.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey @chriscpritchard
I've connected to my brand new DWA0120 and run the commands that you have suggested however I only get this out the output
3651 root 2356 S /usr/sbin/pppd nodetach ipparam wan ifname pppoe-wanAny ideas what else I can try please?