Nokia/Alcatel-Lucent router backup configuration tool
#!/usr/bin/env python3
#
# Nokia/Alcatel-Lucent router backup configuration tool
#
# Features:
# - Unpack/repack .cfg files generated from the backup and restore functionality
# in order to modify the full router configuration
# - Decrypt/encrypt the passwords/secret values present in the configuration
#
# Blog post: https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html
#
# Released under the MIT License (http://opensource.org/licenses/MIT)
# Copyright (c) Sami Alaoui Kendil (thedroidgeek)
#
import sys
import zlib
import struct
import base64
import binascii
import datetime
# byte order used by u32()/p32(): set from the cfg magic in '-u' mode and
# from the '-pb'/'-pl' switch in pack mode (True until one of those runs)
big_endian = True
# True once an AES-encrypted cfg is detected in '-u' mode, or when the
# '-pbe'/'-ple' switch asks for an encrypted output; drives RouterCrypto use
encrypted_cfg = False
def u32(val):
    """Unpack one unsigned 32-bit integer from the 4-byte buffer *val*.

    The byte order comes from the module-level ``big_endian`` flag.
    Raises struct.error when *val* is not exactly 4 bytes long.
    """
    endian_prefix = '>' if big_endian else '<'
    (value,) = struct.unpack(endian_prefix + 'I', val)
    return value
def p32(val):
    """Pack *val* as an unsigned 32-bit integer in the configured byte order.

    The byte order comes from the module-level ``big_endian`` flag.
    Raises struct.error for values outside 0..0xFFFFFFFF; the pack mode
    below relies on that as its 32-bit range check for fw_magic.
    """
    endian_prefix = '>' if big_endian else '<'
    return struct.pack(endian_prefix + 'I', val)
def checkendian(cfg):
    """Inspect the cfg magic (0x123123) and report the CPU byte order.

    Returns True for the big-endian magic, False for the byte-swapped
    (little-endian) one, and None when neither matches -- which includes
    buffers shorter than 4 bytes and still-encrypted files.
    """
    magic = cfg[0:4]
    if magic == b'\x00\x12\x31\x23':
        return True
    if magic == b'\x23\x31\x12\x00':
        return False
    return None
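class RouterCrypto:
    """AES-CBC wrapper for cfg files and the ``ealgo="ab"`` secret values.

    The key and IV are fixed constants (see the blog post linked in the file
    header), so the scheme gives no confidentiality against anyone holding
    this script -- the class only reproduces what the router expects.

    The wrapped CBC object carries chaining state across calls, so build a
    fresh instance per message, as the command-line code below does.
    """

    # AES block size in bytes; valid PKCS#7 pad lengths are 1..BLOCK_SIZE
    BLOCK_SIZE = 16

    def __init__(self):
        from Crypto.Cipher import AES
        # key (32 bytes, i.e. AES-256) and IV (16 bytes)
        key = '3D A3 73 D7 DC 82 2E 2A 47 0D EC 37 89 6E 80 D7 2C 49 B3 16 29 DD C9 97 35 4B 84 03 91 77 9E A4'
        iv = 'D0 E6 DC CD A7 4A 00 DF 76 0F C0 85 11 CB 05 EA'
        # create the AES-256-CBC cipher (the key is 256 bits long, not 128)
        self.cipher = AES.new(bytes.fromhex(key), AES.MODE_CBC, bytes.fromhex(iv))

    def decrypt(self, data):
        """Decrypt *data* and strip its PKCS#7 padding.

        Raises ValueError when the plaintext is empty or does not end in
        well-formed PKCS#7 padding (the cipher itself raises ValueError for a
        length that is not a multiple of the block size). Validating instead
        of blindly trusting the last byte means a wrong key or a corrupted
        file is reported rather than silently truncated by up to 255 bytes.
        """
        output = self.cipher.decrypt(data)
        if not output:
            raise ValueError('empty ciphertext: nothing to unpad')
        pad_num = output[-1]
        # PKCS#7: the last pad_num bytes all equal pad_num, 1 <= pad_num <= 16
        if not 1 <= pad_num <= self.BLOCK_SIZE:
            raise ValueError('invalid PKCS#7 padding length')
        if output[-pad_num:] != bytes([pad_num]) * pad_num:
            raise ValueError('invalid PKCS#7 padding bytes')
        return output[:-pad_num]

    def encrypt(self, data):
        """PKCS#7-pad *data* to a whole number of blocks and encrypt it.

        A full block of padding is appended when *data* is already
        block-aligned, so the result is always at least one block long.
        *data* is not modified in place (a bytearray caller keeps its buffer).
        """
        pad_num = self.BLOCK_SIZE - (len(data) % self.BLOCK_SIZE)
        padded = bytes(data) + bytes([pad_num]) * pad_num
        return self.cipher.encrypt(padded)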
#
# unpack xml from cfg
#
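if (len(sys.argv) == 3 and sys.argv[1] == '-u'):
    # line feed
    print('')
    # read the cfg file; the with-block releases the handle even on an early exit
    try:
        with open(sys.argv[2], 'rb') as cf:
            cfg_data = cf.read()
    except OSError as err:
        print('\ncannot read cfg file: %s\n' % err)
        sys.exit(1)
    # check cfg file magic (0x123123) and determine endianness
    big_endian = checkendian(cfg_data)
    if big_endian is None:
        # no plaintext magic: check if config is encrypted
        decrypted = None
        try:
            # decrypt and check validity
            decrypted = RouterCrypto().decrypt(cfg_data)
            big_endian = checkendian(decrypted)
        except (ValueError, TypeError):
            # ValueError: length is not a multiple of the AES block size (or bad
            # padding); TypeError: an empty file leaves no padding byte to strip
            pass
        # if decryption failed, or still invalid, bail out
        if big_endian is None:
            print('invalid cfg file/magic :(\n')
            sys.exit(1)
        # set decrypted cfg buffer and encryption flag
        print('-> encrypted cfg detected')
        cfg_data = decrypted
        encrypted_cfg = True
    # log endianness
    if big_endian:
        print('-> big endian CPU detected')
    else:
        print('-> little endian CPU detected')
    # the fixed header is 0x14 bytes; a truncated file must not reach u32()
    if len(cfg_data) < 0x14:
        print('invalid cfg file/magic :(\n')
        sys.exit(1)
    # get fw_magic (unknown, could be fw version/compile time, hw serial number, etc.)
    fw_magic = u32(cfg_data[0x10:0x14])
    print('-> fw_magic = ' + hex(fw_magic))
    # get the size of the compressed data
    data_size = u32(cfg_data[4:8])
    # get the compressed data (a size past EOF only yields a short slice, which
    # the CRC check below rejects)
    compressed = cfg_data[0x14 : 0x14 + data_size]
    # get the checksum of the compressed data
    checksum = u32(cfg_data[8:12])
    # verify the checksum (mask keeps the value unsigned on every Python version)
    if (binascii.crc32(compressed) & 0xFFFFFFFF) != checksum:
        print('\nCRC32 checksum failed :(\n')
        sys.exit(1)
    # unpack the config
    try:
        xml_data = zlib.decompress(compressed)
    except zlib.error as err:
        print('\nzlib decompression failed :( (%s)\n' % err)
        sys.exit(1)
    # output the xml file
    out_filename = 'config-%s.xml' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')
    with open(out_filename, 'wb') as of:
        of.write(xml_data)
    print('\nunpacked as: ' + out_filename)
    print('\n# repack with:')
    print('%s %s %s %s\n' % (sys.argv[0], ('-pb' if big_endian else '-pl') + ('e' if encrypted_cfg else ''), out_filename, hex(fw_magic)))
#
# generate cfg from xml
#
elif (len(sys.argv) == 4 and (sys.argv[1][:3] == '-pb' or sys.argv[1][:3] == '-pl')):
    fw_magic = 0
    try:
        # parse hex string
        fw_magic = int(sys.argv[3], 16)
        # 32-bit check: p32() raises struct.error outside 0..0xFFFFFFFF
        p32(fw_magic)
    except (ValueError, struct.error):
        print('\ninvalid magic value specified (32-bit hex)\n')
        sys.exit(1)
    big_endian = sys.argv[1][:3] == '-pb'
    encrypted_cfg = sys.argv[1][3:] == 'e'
    out_filename = 'config-%s.cfg' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')
    # read the xml file
    try:
        with open(sys.argv[2], 'rb') as xf:
            xml_data = xf.read()
    except OSError as err:
        print('\ncannot read xml file: %s\n' % err)
        sys.exit(1)
    # compress using default zlib compression
    compressed = zlib.compress(xml_data)
    ## construct the header ##
    # magic
    cfg_data = p32(0x123123)
    # size of compressed data
    cfg_data += p32(len(compressed))
    # crc32 checksum
    cfg_data += p32(binascii.crc32(compressed) & 0xFFFFFFFF)
    # size of xml file (+1 kept as the original tool wrote it; presumably a
    # terminating byte the router counts -- not verified here)
    cfg_data += p32(len(xml_data) + 1)
    # fw_magic
    cfg_data += p32(fw_magic)
    # add the compressed xml
    cfg_data += compressed
    # encrypt if necessary
    if encrypted_cfg:
        cfg_data = RouterCrypto().encrypt(cfg_data)
    # write the cfg file
    with open(out_filename, 'wb') as of:
        of.write(cfg_data)
    print('\npacked as: ' + out_filename + '\n')
#
# decrypt/encrypt secret value
#
elif (len(sys.argv) == 3 and (sys.argv[1] == '-d' or sys.argv[1] == '-e')):
    decrypt_mode = sys.argv[1] == '-d'
    if decrypt_mode:
        # base64 decode + AES decrypt
        try:
            secret = RouterCrypto().decrypt(base64.b64decode(sys.argv[2])).decode('UTF-8')
        except (ValueError, TypeError):
            # binascii.Error (bad base64) and UnicodeDecodeError are ValueErrors;
            # a ciphertext that is empty or not block-aligned also lands here
            print('\ninvalid secret value (expected base64-encoded ciphertext)\n')
            sys.exit(1)
        print('\ndecrypted: ' + secret + '\n')
    else:
        # AES encrypt + base64 encode
        print('\nencrypted: ' + base64.b64encode(RouterCrypto().encrypt(sys.argv[2].encode())).decode('UTF-8') + '\n')
else:
    print('\n#\n# Nokia/Alcatel-Lucent router backup configuration tool\n#\n')
    print('# unpack (cfg to xml)\n')
    print(sys.argv[0] + ' -u config.cfg\n')
    print('# pack (xml to cfg)\n')
    print(sys.argv[0] + ' -pb config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331')
    print(sys.argv[0] + ' -pl config.xml 0x13377331 # little endian, ...')
    print(sys.argv[0] + ' -pbe config.xml 0x13377331 # big endian, with encryption, ...')
    print(sys.argv[0] + ' -ple config.xml 0x13377331 # ...\n')
    print('# decrypt/encrypt secret values within xml (ealgo="ab")\n')
    print(sys.argv[0] + ' -d OYdLWUVDdKQTPaCIeTqniA==')
    print(sys.argv[0] + ' -e admin\n')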
@espetoet


@espetoet espetoet commented Jun 6, 2020

Hello!
very good your script,
I have a Nokia G-120W-F modem that looks similar, but when I use your script it returns me a message (Invalid magic) and generates a config.xml file with 0 bytes. Would you help me? Can I send you my cfg file for you to analyze?
invalid magic

@thedroidgeek


@thedroidgeek thedroidgeek commented Jun 7, 2020

@espetoet - Hello, I've been contacted last year by someone who had a Nokia router with an ARM (little endian) CPU and a different value for 'magic2', and I've since fixed the script for him in private, but never got around to rewriting this one and making it universal.
Now that I did just that, please recheck if it works for you and let me know.
Regards.

@espetoet


@espetoet espetoet commented Jun 7, 2020

Thank you very much the extraction was successful.

Now I have another problem, I followed the tutorial as a reference https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html

I made the necessary changes, but when I logged into Telnet. he logs in as a normal user.

ok
1
2

@thedroidgeek


@thedroidgeek thedroidgeek commented Jun 7, 2020

It seems the behavior is different across devices/fw versions - perhaps try setting LimitAccount_ONTUSER to false and then login with ONTUSER, if that doesn't work, I'd suggest you look for other settings that might look interesting in the xml.

@espetoet


@espetoet espetoet commented Jun 9, 2020

hello it worked. set it to false LimitAccount_ONTUSER and signed in as ONTUSER

@mikegleasonjr


@mikegleasonjr mikegleasonjr commented Jul 3, 2020

Salam!

I was able to unpack/pack successfully but when uploading the firmware I get this:

Checking upgrade partition...
Everything is OK.
swdl_parse_image: fail! image file invalid.
Web: swdl_write_image faild! ret=1

One thing odd is when I re-pack, the size of the firmware is quite different:

$ ls -lh
-rwxrwxrwx 1 root root  54K Jul  3 23:54 config-03072020-235406.cfg
-rwxrwxrwx 1 root root  60K Jul  3 12:52 default-bridged.cfg

I want to have a root access to try to put the device (Nokia G-240W-A) into wan bridge (do the vlan and media conversion on it, and only have to do the pppoe on a second router, a Mikrotik. Right now I'm on a full bridge mode and my Mikrotik struggles in terms of speed to do the vlan and pppoe on the cpu). I don't know if I will be able to do that :P

Shoukrane!

@thedroidgeek


@thedroidgeek thedroidgeek commented Jul 4, 2020

Salam, I'm pretty confused as to why you're referring to the cfg file as firmware - I think you were meant to upload it via the same page you got it from.

For the size, it's normal, there's garbage bytes that are included when generating the cfg from the router (I think, didn't bother to check).

For your 'WAN bridge' setup, I'm not sure if you'll be able to achieve it - I'd advise you just get a decent router that can handle VLAN and PPPoE and leave the Nokia as a simple ONT modem - I personally got an Archer C60 v2 3 months ago (~500MAD) that I've flashed with OpenWrt (can easily NAT 100mbps even without software flow offloading, and has decent 5GHz range) and I never had to power cycle anything ever again.

@mikegleasonjr


@mikegleasonjr mikegleasonjr commented Jul 5, 2020

If you knew what I meant then it's ok.

I already have a Mikrotik and using the Nokia in bridge mode and handling the VLAN and pppoe on the Mikrotik.

Just playing with it to see if I can do a wan bridge. I saw in the HTML than the drop down has been hidden to put in in "pppoe bridge". I was able to save the wan in bridge mode by enabling the previously hidden HTML element but I don't know if the hardware behind is supporting it. It does save correctly and says it's connected to the ISP in status but it doesn't seem to work, I will have to test again.

Still, the script don't work for me. And yes I was referring to a backup/restore of the config. A lot of companies are calling the bin a firmware.

@thedroidgeek


@thedroidgeek thedroidgeek commented Jul 5, 2020

Feel free to send me an example cfg file via email (address is on my profile) I guess, even though it doesn't seem like the script failed ¯\_(ツ)_/¯

@sayushrestha


@sayushrestha sayushrestha commented Jul 5, 2020

Is it possible to convert the function from GPON TO EPON via the configuration file?

@mikegleasonjr


@mikegleasonjr mikegleasonjr commented Jul 6, 2020

Oh man I feel dumb :P I was not re-uploading the config at the right place, it works and I have root, my bad!

@0xrabin


@0xrabin 0xrabin commented Aug 17, 2020

In the blog you did not mention how did you actually manage to find the hash mechanism?

@thedroidgeek


@thedroidgeek thedroidgeek commented Aug 17, 2020

@rabindra1337 Blame my laziness, a part 2 was in plans but shit happened. ¯\_(ツ)_/¯ Maybe soon™ though. ;)

@0xrabin


@0xrabin 0xrabin commented Aug 17, 2020

Real excited for part 2.
Any sneak peek of part2?
Part 1 was epic btw.

@shailparmar


@shailparmar shailparmar commented Oct 22, 2020

Hello @thedroidgeek Thankyou for the detailed instruction , although this is the first time ive used python and still able get to root user succesfully on G-140w-F & G-140w-C . now what i want is to Modify the default configuration of the ONT ( that means if we hard reset the ONT it will restore our modified configuration). Thanks Again for the Guide
below are the available cmds.
cmd1
cmd2
cmd3

@dcetrulo


@dcetrulo dcetrulo commented Oct 24, 2020

@thedroidgeek your script is awesome I have a Nokia G-140W-h ont and that looks similar. but when I use your script it returns me a message (Invalid magic) Would you help me
problema nokia
i change name of py for easy write.
and it is the same as the g240 include the access password but it is all locked and i am trying to put it in bridge mode i had the same problem as the espetoet so that with two errors besides the invalid magic i will send you the email with the file.

@mukhilanpari


@mukhilanpari mukhilanpari commented Nov 5, 2020

Got the root shell. Thank you so much.

But my router is configured for airtel and hard-coded in tr-069 page. I want to use it for bsnl, but I think I can change in .XML if needed. And I don't know whether some other settings will mitigate usage.

Can you help, is there any way to reset the router without vendor detail ?

@sh4k4


@sh4k4 sh4k4 commented Nov 11, 2020

My router (G-140w-C) doesn't have Backup and Restore page.
Maybe it's hidden. What is the url of Backup and Restore page (http://ip/something.cgi)?

@MrAnssaien


@MrAnssaien MrAnssaien commented Nov 11, 2020

My router (G-140w-C) doesn't have Backup and Restore page.
Maybe it's hidden. What is the url of Backup and Restore page (http://ip/something.cgi)?

ip/usb.cgi?backup

@sh4k4


@sh4k4 sh4k4 commented Nov 11, 2020

@MrAnssaien Thanks. Unfortunately, blank page. :(

@indihome2020


@indihome2020 indihome2020 commented Dec 4, 2020

thank you very very much .its working.
Capture

@krohit83


@krohit83 krohit83 commented Dec 23, 2020

Hello @shailparmar,

Did you able to root the Nokia - G-140W-F?
Because i am able to enable the TelenetSSHAccount but when i login to telnet i login as normal user.
Can you please share what I am missing here?

@C2N14


@C2N14 C2N14 commented Dec 23, 2020

Aw man, looks like it's overwriting the TelnetEnable to False when I upload the config file :(

@shailparmar


@shailparmar shailparmar commented Dec 24, 2020

Hello @shailparmar,

Did you able to root the Nokia - G-140W-F?

Yes

Because i am able to enable the TelenetSSHAccount but when i login to telnet i login as normal user.

At first I got same

Can you please share what I am missing here?

Than I tried This. It seems the behavior is different across devices/fw versions - perhaps try setting LimitAccount_ONTUSER to false and then login with ONTUSER, if that doesn't work, I'd suggest you look for other settings that might look interesting in the xml.

@thedroidgeek


@thedroidgeek thedroidgeek commented Dec 27, 2020

@dcetrulo - I've now added support for encrypted cfg files, as it turned out (from the files I was sent by email), that they generally use the same encryption used on credentials, on some routers' cfg files.

@Tulainas


@Tulainas Tulainas commented Dec 27, 2020

Hi!

Thanks for your work, it's awesome!!

I've got two devices: an I-240W-A, and a G-240W-B.

I got ssh access on the G-one! But it logs me out immediately:

`[tulio@TulainasV5 G-240W-B]$ ssh -vvv admin@192.168.1.253
OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 192.168.1.253 is address
debug3: expanded UserKnownHostsFile '/.ssh/known_hosts' -> '/home/tulio/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '
/.ssh/known_hosts2' -> '/home/tulio/.ssh/known_hosts2'
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.253 [192.168.1.253] port 22.
debug1: Connection established.
debug1: identity file /home/tulio/.ssh/id_rsa type -1
debug1: identity file /home/tulio/.ssh/id_rsa-cert type -1
debug1: identity file /home/tulio/.ssh/id_dsa type -1
debug1: identity file /home/tulio/.ssh/id_dsa-cert type -1
debug1: identity file /home/tulio/.ssh/id_ecdsa type -1
debug1: identity file /home/tulio/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tulio/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/tulio/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/tulio/.ssh/id_ed25519 type -1
debug1: identity file /home/tulio/.ssh/id_ed25519-cert type -1
debug1: identity file /home/tulio/.ssh/id_ed25519_sk type -1
debug1: identity file /home/tulio/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/tulio/.ssh/id_xmss type -1
debug1: identity file /home/tulio/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
debug1: no match: dropbear_2016.74
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.253:22 as 'admin'
debug3: hostkeys_foreach: reading file "/home/tulio/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/tulio/.ssh/known_hosts:41
debug3: load_hostkeys: loaded 1 keys from 192.168.1.253
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: MACs ctos: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: MACs stoc: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: compression ctos: zlib@openssh.com,none
debug2: compression stoc: zlib@openssh.com,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:eGdl0sN4v3sCojT46mswg1ZiI4Adc7+rnzJPwdI87Sg
debug3: hostkeys_foreach: reading file "/home/tulio/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/tulio/.ssh/known_hosts:41
debug3: load_hostkeys: loaded 1 keys from 192.168.1.253
debug1: Host '192.168.1.253' is known and matches the ECDSA host key.
debug1: Found key in /home/tulio/.ssh/known_hosts:41
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/tulio/.ssh/id_rsa
debug1: Will attempt key: /home/tulio/.ssh/id_dsa
debug1: Will attempt key: /home/tulio/.ssh/id_ecdsa
debug1: Will attempt key: /home/tulio/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/tulio/.ssh/id_ed25519
debug1: Will attempt key: /home/tulio/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/tulio/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
Login fail count since last successful login: 0
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/tulio/.ssh/id_rsa
debug3: no such identity: /home/tulio/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_dsa
debug3: no such identity: /home/tulio/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_ecdsa
debug3: no such identity: /home/tulio/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_ecdsa_sk
debug3: no such identity: /home/tulio/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_ed25519
debug3: no such identity: /home/tulio/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_ed25519_sk
debug3: no such identity: /home/tulio/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_xmss
debug3: no such identity: /home/tulio/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
admin@192.168.1.253's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 53
debug3: input_userauth_banner
Last successful login date and time: Date:1969-12-31 Time:18:02:47

debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to 192.168.1.253 ([192.168.1.253]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 24576 rmax 32759
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug2: channel 0: chan_shutdown_read (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1)

debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Connection to 192.168.1.253 closed.
Transferred: sent 2264, received 1464 bytes, in 0.1 seconds
Bytes per second: sent 37541.4, received 24275.9
debug1: Exit status 1
`

Do you have an idea how to get around it?

I'm still working on the I-240 one, which has a firewall blocking inbound ssh traffic.

@krohit83


@krohit83 krohit83 commented Dec 27, 2020

Hello @shailparmar,

Yes, LimitAccount_ONTUSER has been set to false. Still root access is not permitted.
If you dont mind can you please share your config file please ?

@joaodalvi


@joaodalvi joaodalvi commented Jan 22, 2021

I got a G-140W-H here, hardware version 3FE48054BDAA, software version 3FE48077CGCB30, boot version U-Boot Mar-31-2020--23:07:20. This is for a brazilian ISP called "Oi". They block A LOT of ports, and don't give the option to bridge the router. They provide a very limited "userAdmin" user, and they have changed the AdminGPON user default password. No one has it. I was trying an easier way to get AdminGPON access, other than dumping the firmware with a JTAG cable, which I don't have. One way would be backing up the firmware from the web interface, but this userAdmin user does not have access to the firmware page. Does anyone here know of a hardcoded password for this model, or know a way to dump the firmware from the web interface with this unprivileged "userAdmin" user? BTW, changing the html at runtime via the browser debug console does not work to change configurations on this model. The web interface complains about user privileges for any changes at the "WAN" tab.

@shirshak55


@shirshak55 shirshak55 commented Jan 31, 2021

@espetoet Hello how did you login ONTUSER? I have password of ADMINGPON and the telnetssh but I don't have password of ONT USer?

@shirshak55


@shirshak55 shirshak55 commented Feb 1, 2021

disregard previous comment. the password is SUGAR2A041

@narbij


@narbij narbij commented Feb 5, 2021

I have a Nokia GPON with Model Number: "G-2425G-A" and Hardware Version "3FE48299DBAA". Most of the settings have been disabled by Airtel when I login using "admin" user id. Is it possible to somehow enable the greyed out setting options?

@calvarez1191


@calvarez1191 calvarez1191 commented Feb 9, 2021

@thedroidgeek

i have G-140W-B from telmex, not telnet/ssh enable, download config using your excellent tool to unpack and only modify Telnet Enable from False to True, then pack with magic, when upload via page Import Config, it upload OK and then restart router, but when it restart no any changes, again download config and check and no changes appear done, do you have similar problem?, share some device daa

Device Name G-240W-B Vendor Nokia Serial Number ALCLF2X5XXXX Hardware Version 3FE56756ADBA Boot Version U-Boot Jun-03-2018--21:59:17 Software Version 3FE56773BFHB47

@sambansu


@sambansu sambansu commented Feb 20, 2021

@thedroidgeek Thank you for the script. I was able to login to telnet and try to access shell which is asking for password that I try to provide same password as telnet but it says invalid. can you guys help to identify in the xml where is the shell password @shailparmar me having G-140w-F & G-140w-C both able to login to telnet but not getting shell prompt like you shared screenshot in this thread. Help to identify where is the configuration in the xml. I tried my best last 2 weeks. Thank you again

@ChrisG661


@ChrisG661 ChrisG661 commented Mar 18, 2021

image
I tried to repack the unpacked xml without editing it. Result file isn't different in bytes, only missing some at the last bytes.
Are those last bytes important?
Byte 00011590 to 000115D5 seems to be "fixed" across backups.

@thedroidgeek


@thedroidgeek thedroidgeek commented Mar 18, 2021

@ChrisG661 Those are seemingly leftover bytes from overwriting a previous (larger) cfg file - they shouldn't matter.

@ChrisG661


@ChrisG661 ChrisG661 commented Mar 19, 2021

Thanks a lot! I got root with ONTUSER:SUGAR2A041. I guess the backdoor still works.
image

@prettyvoid


@prettyvoid prettyvoid commented Mar 30, 2021

Awesome work and findings. Much to learn from your knowledge, thanks for sharing.

If someone have any details on my questions please help.

  1. Is it possible to disconnect/connect wan through ssh?
  2. Is there a way to see WAN uptime through ssh (this is not even available through the gui)?
  3. Is there any way we can update the firmware on these routers? (I tried searching to no avail)
@shirshak55


@shirshak55 shirshak55 commented Mar 30, 2021

@prettyvoid

It is possible to do anything from ssh.
2. I can see wan uptime in connection status. So what do you want to imply here?
3. You update the firmware by going to gui page and upload it from there. If you want to do it from ssh you need to reverse that code.

@prettyvoid


@prettyvoid prettyvoid commented Mar 30, 2021

@shirshak55
2. Can you tell me exactly where to see this in the interface? I can only find Device uptime and not the connection uptime.
3. Yes I know we can update the firmware through the gui but my point is that I couldn't find the firmware itself to upload.

image

@espetoet


@espetoet espetoet commented May 14, 2021

Hi! so I have this model Nokia G-140W-H, I am not able to log in as root. I already set LimitAccount_ONTUSER to false and still do not activate the user. Can someone help me?

@espetoet


@espetoet espetoet commented May 17, 2021

Can someone help me?

@Ahir7


@Ahir7 Ahir7 commented May 26, 2021

Hello @thedroidgeek, thank you for the detailed instructions. Although this is the first time I've used Python, I was still able to get to the root user successfully on the G-140w-F & G-140w-C. Now what I want is to modify the default configuration of the ONT (that means if we hard reset the ONT it will restore our modified configuration). Thanks again for the guide.
below are the available cmds.

how did you managed to get the root pass from config.xml file?

@shirshak55 shirshak55 commented May 26, 2021

@Ahir7 read the first post. There is decrypting tool that decrypts the password.

@Ahir7 Ahir7 commented May 26, 2021

@Ahir7 read the first post. There is decrypting tool that decrypts the password.

I used the py script and I decrypted the telnet password to admin, but I can't get access.
If you have a fix, please let me know.
Appreciate your help.

@shirshak55 shirshak55 commented May 27, 2021

@ahir there are many users and you may be using a password that is disabled for security purposes. You should enable the ONT user or something like that and use it.

@Ahir7 Ahir7 commented May 27, 2021

Can you help me enable ont user @shirshak55

@espetoet espetoet commented May 29, 2021

Hello @thedroidgeek Thankyou for the detailed instruction , although this is the first time ive used python and still able get to root user succesfully on G-140w-F & G-140w-C . now what i want is to Modify the default configuration of the ONT ( that means if we hard reset the ONT it will restore our modified configuration). Thanks Again for the Guide
below are the available cmds.

Hello, how did you get access to ONTUSER? My model is the G-140W-H and I believe it is different in some configuration. I already set LimitAccount_ONTUSER to false, but without success when logging in via telnet. Can you help me? I can send the configuration file.

@shirshak55 shirshak55 commented May 31, 2021

@espetoet you login via ssh not telnet.

@shirshak55 shirshak55 commented May 31, 2021

@Ahir7 you enable by setting true in config file.

@espetoet espetoet commented May 31, 2021

@espetoet você faz o login via ssh e não telnet.

Thanks for the answer. I have already tried a lot via telnet and ssh, but I still cannot log in.

If I send you the configuration file, you could see if I'm doing something wrong or forgetting to activate something.

https://drive.google.com/file/d/163F4zYBfPb8_RlUQl3hPcvNhZ2zUkIJ6/view?usp=sharing

ssh
telnet

@Ahir7 Ahir7 commented May 31, 2021

@Ahir7 you enable by setting true in config file.

I am trying my password admin but can't log in; I have edited the cfg file.
Untitl12ed

@sarthak-aditya sarthak-aditya commented Jun 19, 2021

I got a G-140W-H here, hardware version 3FE48054BDAA, software version 3FE48077CGCB30, boot version U-Boot Mar-31-2020--23:07:20. This is for a Brazilian ISP called "Oi". They block A LOT of ports, and don't give the option to bridge the router. They provide a very limited "userAdmin" user, and they have changed the AdminGPON user default password. No one has it. I was trying to find an easier way to get AdminGPON access, other than dumping the firmware with a JTAG cable, which I don't have. One way would be backing up the firmware from the web interface, but this userAdmin user does not have access to the firmware page. Does anyone here know of a hardcoded password for this model, or know a way to dump the firmware from the web interface with this "userAdmin" unprivileged user? BTW, changing the HTML at runtime via the browser debug console does not work to change configurations on this model. The web interface complains about user privileges for any changes on the "WAN" tab.

@joaodalvi did you find the password for AdminGPON ? I have a G-140W-C and ALC#FGU doesn't work for me either

@mlongmailai mlongmailai commented Jun 20, 2021

@thedroidgeek @Ahir7 Can you guys please guide me on how to get the config file? I cannot find the backup and restore page; when I try ip/usb.cgi?backup I get a blank page. Please guide me to get blank screen.

@Ahir7 Ahir7 commented Jun 25, 2021

@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.

Go to the ONT login page, then go to backup and restore; you will get the option there.

@Ahir7 Ahir7 commented Jun 25, 2021

@Ahir7 you enable by setting true in config file.

Bro, did you manage to get shell access?

@Ahir7 Ahir7 commented Jun 25, 2021

I have a Nokia GPON with Model Number: "G-2425G-A" and Hardware Version "3FE48299DBAA". Most of the settings have been disabled by Airtel when I login using "admin" user id. Is it possible to somehow enable the greyed out setting options?

Hello bro, did you manage to get SSH access on the G2425G?

@shah-sudeep shah-sudeep commented Jul 16, 2021

Can anyone help me to use the encrypt or decrypt command? I am unable to use these although cfg to xml and xml to cfg works.

@redbluegear redbluegear commented Jul 23, 2021

@thedroidgeek Thanks man. Great work!
I was able to get SSH access but I am not able to get root. I am just trying to edit my DNS servers, which are locked by my ISP. I tried unpacking the config file, changing the DNS, then repacking and uploading it, but the DNS settings won't change.
Can someone help me bypass this?

Thanks.
