Nokia/Alcatel-Lucent router backup configuration tool

nokia-router-cfg-tool.py

#!/usr/bin/env python3


#
# Nokia/Alcatel-Lucent router backup configuration tool
#
# Features:
# - Unpack/repack .cfg files generated from the backup and restore functionnality
#   in order to modify the full router configuration
# - Decrypt/encrypt the passwords/secret values present in the configuration
#
# Blog post: https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html
#
# Released under the MIT License (http://opensource.org/licenses/MIT)
# Copyright (c) Sami Alaoui Kendil (thedroidgeek)
#


import sys
import zlib
import struct
import base64
import binascii
import datetime


big_endian = True
encrypted_cfg = False


def u32(val):
    return struct.unpack('>I' if big_endian else '<I', val)[0]

def p32(val):
    return struct.pack('>I' if big_endian else '<I', val)

def checkendian(cfg):
    if (cfg[0:4] == b'\x00\x12\x31\x23'):
        return True
    elif (cfg[0:4] == b'\x23\x31\x12\x00'):
        return False
    else:
        return None


class RouterCrypto:

    def __init__(self):

        from Crypto.Cipher import AES

        # key and IV for AES
        key = '3D A3 73 D7 DC 82 2E 2A 47 0D EC 37 89 6E 80 D7 2C 49 B3 16 29 DD C9 97 35 4B 84 03 91 77 9E A4'
        iv  = 'D0 E6 DC CD A7 4A 00 DF 76 0F C0 85 11 CB 05 EA'

        # create AES-128-CBC cipher
        self.cipher = AES.new(bytes(bytearray.fromhex(key)), AES.MODE_CBC, bytes(bytearray.fromhex(iv)))

    def decrypt(self, data):

        output = self.cipher.decrypt(data)

        # remove PKCS#7 padding
        return output[:-ord(output[-1:])]

    def encrypt(self, data):

        # add PKCS#7 padding for 128-bit AES
        pad_num = (16 - (len(data) % 16))
        data += chr(pad_num).encode() * pad_num

        return self.cipher.encrypt(data)


#
# unpack xml from cfg
#

if (len(sys.argv) == 3 and sys.argv[1] == '-u'):

    # line feed
    print('')

    # read the cfg file
    cf = open(sys.argv[2], 'rb')
    cfg_data = cf.read()

    # check cfg file magic (0x123123) and determine endianness
    big_endian = checkendian(cfg_data)

    if big_endian == None:

        # check if config is encrypted
        decrypted = None
        try:
            # decrypt and check validity
            decrypted = RouterCrypto().decrypt(cfg_data)
            big_endian = checkendian(decrypted)
        except ValueError:
            pass

        # if decryption failed, or still invalid, bail out
        if big_endian == None:
            print('invalid cfg file/magic :(\n')
            exit()

        # set decrypted cfg buffer and encryption flag
        print('-> encrypted cfg detected')
        cfg_data = decrypted
        encrypted_cfg = True

    # log endianness
    if big_endian:
        print('-> big endian CPU detected')
    else:
        print('-> little endian CPU detected')

    # get fw_magic (unknown, could be fw version/compile time, hw serial number, etc.)
    fw_magic = u32(cfg_data[0x10:0x14])
    print('-> fw_magic = ' + hex(fw_magic))

    # get the size of the compressed data
    data_size = u32(cfg_data[4:8])

    # get the compressed data
    compressed = cfg_data[0x14 : 0x14 + data_size]

    # get the checksum of the compressed data
    checksum = u32(cfg_data[8:12])

    # verify the checksum
    if (binascii.crc32(compressed) & 0xFFFFFFFF != checksum):
        print('\nCRC32 checksum failed :(\n')
        exit()

    # unpack the config
    xml_data = zlib.decompress(compressed)

    # output the xml file
    out_filename = 'config-%s.xml' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')
    of = open(out_filename, 'wb')
    of.write(xml_data)

    print('\nunpacked as: ' + out_filename)

    print('\n# repack with:')
    print('%s %s %s %s\n' % (sys.argv[0], ('-pb' if big_endian else '-pl') + ('e' if encrypted_cfg else ''), out_filename, hex(fw_magic)))

    cf.close()
    of.close()


#
# generate cfg from xml
#

elif (len(sys.argv) == 4 and (sys.argv[1][:3] == '-pb' or sys.argv[1][:3] == '-pl')):

    fw_magic = 0

    try:
        # parse hex string
        fw_magic = int(sys.argv[3], 16)
        # 32-bit check
        p32(fw_magic)
    except:
        print('\ninvalid magic value specified (32-bit hex)\n')
        exit()

    big_endian = sys.argv[1][:3] == '-pb'
    encrypted_cfg = sys.argv[1][3:] == 'e'

    out_filename = 'config-%s.cfg' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')

    # read the xml file
    xf = open(sys.argv[2], 'rb')
    xml_data = xf.read()
    xf.close()

    # compress using default zlib compression
    compressed = zlib.compress(xml_data)

    ## construct the header ##
    # magic
    cfg_data = p32(0x123123)
    # size of compressed data
    cfg_data += p32(len(compressed))
    # crc32 checksum
    cfg_data += p32(binascii.crc32(compressed) & 0xFFFFFFFF)
    # size of xml file
    cfg_data += p32(len(xml_data) + 1)
    # fw_magic
    cfg_data += p32(fw_magic)

    # add the compressed xml
    cfg_data += compressed

    # encrypt if necessary
    if encrypted_cfg:
        cfg_data = RouterCrypto().encrypt(cfg_data)

    # write the cfg file
    of = open(out_filename, 'wb')
    of.write(cfg_data)
    of.close()

    print('\npacked as: ' + out_filename + '\n')


#
# decrypt/encrypt secret value
#

elif (len(sys.argv) == 3 and (sys.argv[1] == '-d' or sys.argv[1] == '-e')):

    decrypt_mode = sys.argv[1] == '-d'

    if decrypt_mode:

        # base64 decode + AES decrypt
        print('\ndecrypted: ' + RouterCrypto().decrypt(base64.b64decode(sys.argv[2])).decode('UTF-8') + '\n')

    else:

        # AES encrypt + base64 encode
        print('\nencrypted: ' + base64.b64encode(RouterCrypto().encrypt(sys.argv[2].encode())).decode('UTF-8') + '\n')


else:

    print('\n#\n# Nokia/Alcatel-Lucent router backup configuration tool\n#\n')
    print('# unpack (cfg to xml)\n')
    print(sys.argv[0] + ' -u config.cfg\n')
    print('# pack (xml to cfg)\n')
    print(sys.argv[0] + ' -pb  config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331')
    print(sys.argv[0] + ' -pl  config.xml 0x13377331 # little endian, ...')
    print(sys.argv[0] + ' -pbe config.xml 0x13377331 # big endian, with encryption, ...')
    print(sys.argv[0] + ' -ple config.xml 0x13377331 # ...\n')
    print('# decrypt/encrypt secret values within xml (ealgo="ab")\n')
    print(sys.argv[0] + ' -d OYdLWUVDdKQTPaCIeTqniA==')
    print(sys.argv[0] + ' -e admin\n')

Hello!
very good your script,
I have a Nokia G-120W-F modem that looks similar. but when I use your script it returns me a message (Invalid magic) and generates a config.xml file but with 0 bytes. Would you help me. can i send you my cfg file for you to analyze

@espetoet - Hello, I've been contacted last year by someone who had a Nokia router with an ARM (little endian) CPU and a different value for 'magic2', and I've since fixed the script for him in private, but never got around to rewriting this one and making it universal.
Now that I did just that, please recheck if it works for you and let me know.
Regards.

Thank you very much the extraction was successful.

Now I have another problem, I followed the tutorial as a reference https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html

I made the necessary changes, but when I logged into Telnet. he logs in as a normal user.

It seems the behavior is different across devices/fw versions - perhaps try setting LimitAccount_ONTUSER to false and then login with ONTUSER, if that doesn't work, I'd suggest you look for other settings that might look interesting in the xml.

hello it worked. set it to false LimitAccount_ONTUSER and signed in as ONTUSER

Salam!

I was able to unpack/pack successfully but when uploading the firmware I get this:

Checking upgrade partition...
Everything is OK.
swdl_parse_image: fail! image file invalid.
Web: swdl_write_image faild! ret=1

One thing odd is when I re-pack, the size of the firmware is quite different:

$ ls -lh
-rwxrwxrwx 1 root root  54K Jul  3 23:54 config-03072020-235406.cfg
-rwxrwxrwx 1 root root  60K Jul  3 12:52 default-bridged.cfg

I want to have a root access to try to put the device (Nokia G-240W-A) into wan bridge (do the vlan and media conversion on it, and only have to do the pppoe on a second router, a Mikrotik. Right now I'm on a full bridge mode and my Mikrotik struggles in terms of speed to do the vlan and pppoe on the cpu). I don't know if I will be able to do that :P

Shoukrane!

Salam, I'm pretty confused as to why you're referring to the cfg file as firmware - I think you were meant to upload it via the same page you got it from.

For the size, it's normal, there's garbage bytes that are included when generating the cfg from the router (I think, didn't bother to check).

For your 'WAN bridge' setup, I'm not sure if you'll be able to achieve it - I'd advise you just get a decent router that can handle VLAN and PPPoE and leave the Nokia as a simple ONT modem - I personally got an Archer C60 v2 3 months ago (~500MAD) that I've flashed with OpenWrt (can easily NAT 100mbps even without software flow offloading, and has decent 5GHz range) and I never had to power cycle anything ever again.

If you knew what I meant then it's ok.

I already have a Mikrotik and using the Nokia in bridge mode and handling the VLAN and pppoe on the Mikrotik.

Just playing with it to see if I can do a wan bridge. I saw in the HTML than the drop down has been hidden to put in in "pppoe bridge". I was able to save the wan in bridge mode by enabling the previously hidden HTML element but I don't know if the hardware behind is supporting it. It does save correctly and says it's connected to the ISP in status but it doesn't seem to work, I will have to test again.

Still, the script don't work for me. And yes I was referring to a backup/restore of the config. A lot of companies are calling the bin a firmware.

Feel free to send me an example cfg file via email (address is on my profile) I guess, even though it doesn't seem like the script failed ¯\_(ツ)_/¯

Is it possible to convert the function from GPON TO EPON via the configuration file?

Oh man I feel dumb :P I was not re-uploading the config at the right place, it works and I have root, my bad!

In the blog you did not mention how did you actually manage to find the hash mechanism?

@rabindra1337 Blame my laziness, a part 2 was in plans but shit happened. ¯\_(ツ)_/¯ Maybe soon™ though. ;)

Real excited for part 2.
Any sneak peek of part2?
Part 1 was epic btw.

Hello @thedroidgeek Thankyou for the detailed instruction , although this is the first time ive used python and still able get to root user succesfully on G-140w-F & G-140w-C . now what i want is to Modify the default configuration of the ONT ( that means if we hard reset the ONT it will restore our modified configuration). Thanks Again for the Guide
below are the available cmds.

@thedroidgeek your script is awesome I have a Nokia G-140W-h ont and that looks similar. but when I use your script it returns me a message (Invalid magic) Would you help me

i change name of py for easy write.
and it is the same as the g240 include the access password but it is all locked and i am trying to put it in bridge mode i had the same problem as the espetoet so that with two errors besides the invalid magic i will send you the email with the file.

Got the root shell. Thank you so much.

But my router is configured for airtel and hard-coded in tr-069 page. I want to use it for bsnl, but I think I can change in .XML if needed. And I don't know whether some other settings will mitigate usage.

Can you help, is there any way to reset the router without vendor detail ?

My router (G-140w-C) doesn't have Backup and Restore page.
Maybe it's hidden. What is the url of Backup and Restore page (http://ip/something.cgi)?

My router (G-140w-C) doesn't have Backup and Restore page.
Maybe it's hidden. What is the url of Backup and Restore page (http://ip/something.cgi)?

ip/usb.cgi?backup

@MrAnssaien Thanks. Unfortunately, blank page. :(

thank you very very much .its working.

Hello @shailparmar,

Did you able to root the Nokia - G-140W-F?
Because i am able to enable the TelenetSSHAccount but when i login to telnet i login as normal user.
Can you please share what I am missing here?

Aw man, looks like it's overwriting the TelnetEnable to False when I upload the config file :(

Hello @shailparmar,

Did you able to root the Nokia - G-140W-F?

Yes

Because i am able to enable the TelenetSSHAccount but when i login to telnet i login as normal user.

At first I got same

Can you please share what I am missing here?

Than I tried This. It seems the behavior is different across devices/fw versions - perhaps try setting LimitAccount_ONTUSER to false and then login with ONTUSER, if that doesn't work, I'd suggest you look for other settings that might look interesting in the xml.

@dcetrulo - I've now added support for encrypted cfg files, as it turned out (from the files I was sent by email), that they generally use the same encryption used on credentials, on some routers' cfg files.

Hi!

Thanks for your work, it's awesome!!

I've got two devices: an I-240W-A, and a G-240W-B.

I got ssh access on the G-one! But it logs me out immediately:

`[tulio@TulainasV5 G-240W-B]$ ssh -vvv admin@192.168.1.253
OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 192.168.1.253 is address
debug3: expanded UserKnownHostsFile '/.ssh/known_hosts' -> '/home/tulio/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '/.ssh/known_hosts2' -> '/home/tulio/.ssh/known_hosts2'
debug2: ssh_connect_direct
debug1: Connecting to 192.168.1.253 [192.168.1.253] port 22.
debug1: Connection established.
debug1: identity file /home/tulio/.ssh/id_rsa type -1
debug1: identity file /home/tulio/.ssh/id_rsa-cert type -1
debug1: identity file /home/tulio/.ssh/id_dsa type -1
debug1: identity file /home/tulio/.ssh/id_dsa-cert type -1
debug1: identity file /home/tulio/.ssh/id_ecdsa type -1
debug1: identity file /home/tulio/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/tulio/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/tulio/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/tulio/.ssh/id_ed25519 type -1
debug1: identity file /home/tulio/.ssh/id_ed25519-cert type -1
debug1: identity file /home/tulio/.ssh/id_ed25519_sk type -1
debug1: identity file /home/tulio/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/tulio/.ssh/id_xmss type -1
debug1: identity file /home/tulio/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version dropbear_2016.74
debug1: no match: dropbear_2016.74
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.253:22 as 'admin'
debug3: hostkeys_foreach: reading file "/home/tulio/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/tulio/.ssh/known_hosts:41
debug3: load_hostkeys: loaded 1 keys from 192.168.1.253
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,kexguess2@matt.ucc.asn.au
debug2: host key algorithms: ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
debug2: MACs ctos: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: MACs stoc: hmac-sha1-96,hmac-sha1,hmac-sha2-256,hmac-sha2-512,hmac-md5
debug2: compression ctos: zlib@openssh.com,none
debug2: compression stoc: zlib@openssh.com,none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp521
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp521 SHA256:eGdl0sN4v3sCojT46mswg1ZiI4Adc7+rnzJPwdI87Sg
debug3: hostkeys_foreach: reading file "/home/tulio/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /home/tulio/.ssh/known_hosts:41
debug3: load_hostkeys: loaded 1 keys from 192.168.1.253
debug1: Host '192.168.1.253' is known and matches the ECDSA host key.
debug1: Found key in /home/tulio/.ssh/known_hosts:41
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /home/tulio/.ssh/id_rsa
debug1: Will attempt key: /home/tulio/.ssh/id_dsa
debug1: Will attempt key: /home/tulio/.ssh/id_ecdsa
debug1: Will attempt key: /home/tulio/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/tulio/.ssh/id_ed25519
debug1: Will attempt key: /home/tulio/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/tulio/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 53
debug3: input_userauth_banner
Login fail count since last successful login: 0
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /home/tulio/.ssh/id_rsa
debug3: no such identity: /home/tulio/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_dsa
debug3: no such identity: /home/tulio/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_ecdsa
debug3: no such identity: /home/tulio/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_ecdsa_sk
debug3: no such identity: /home/tulio/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_ed25519
debug3: no such identity: /home/tulio/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_ed25519_sk
debug3: no such identity: /home/tulio/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /home/tulio/.ssh/id_xmss
debug3: no such identity: /home/tulio/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
admin@192.168.1.253's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 53
debug3: input_userauth_banner
Last successful login date and time: Date:1969-12-31 Time:18:02:47

debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to 192.168.1.253 ([192.168.1.253]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Entering interactive session.
debug1: pledge: network
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug2: fd 3 setting TCP_NODELAY
debug3: ssh_packet_set_tos: set IP_TOS 0x48
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 24576 rmax 32759
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
debug3: receive packet: type 96
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: chan_shutdown_write (i0 o1 sock -1 wfd 5 efd 6 [write])
debug2: channel 0: output drain -> closed
debug3: receive packet: type 98
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug3: receive packet: type 97
debug2: channel 0: rcvd close
debug2: channel 0: chan_shutdown_read (i0 o3 sock -1 wfd 4 efd 6 [write])
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug3: send packet: type 97
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t4 r0 i3/0 o3/0 e[write]/0 fd -1/-1/6 sock -1 cc -1)

debug3: send packet: type 1
debug3: fd 1 is not O_NONBLOCK
Connection to 192.168.1.253 closed.
Transferred: sent 2264, received 1464 bytes, in 0.1 seconds
Bytes per second: sent 37541.4, received 24275.9
debug1: Exit status 1
`

Do you have an idea how to get around it?

I'm still working on the I-240 one, which has a firewall blocking ssh input traffic. I'm stilll working on it.

Hello @shailparmar,

Yes, LimitAccount_ONTUSER has been set to false. Still root access is not permitted.
If you dont mind can you please share your config file please ?

I got a G-140W-H here, hardware version 3FE48054BDAA, software version 3FE48077CGCB30, boot version U-Boot Mar-31-2020--23:07:20. This is for a brazilian ISP called "Oi". They block A LOT of ports, and don't give the option to bridge the router. They provide a very limited "userAdmin" user, and they have changed the AdminGPON user default password. No one has it. I was trying an easier way to get AdminGPON access, other than dumping the firmware with JTAG cable, wich I don't have. One way would be backing up the firmware from web interface, but this userAdmin user does not have access to firmware page. Does anyone here know of a hardcoded password for this model, or knows a way to dump the firmware from web interface with this "userAdmin" unprivilleged user? BTW, changing html at runtime vi browser debug console does not work to change configurations at this model. Web interface complains about user privilleges for any changes at the "WAN" tab.

@espetoet Hello how did you login ONTUSER? I have password of ADMINGPON and the telnetssh but I don't have password of ONT USer?

disregard previous comment. the password is SUGAR2A041

I have a Nokia GPON with Model Number: "G-2425G-A" and Hardware Version "3FE48299DBAA". Most of the settings have been disabled by Airtel when I login using "admin" user id. Is it possible to somehow enable the greyed out setting options?

@thedroidgeek

i have G-140W-B from telmex, not telnet/ssh enable, download config using your excellent tool to unpack and only modify Telnet Enable from False to True, then pack with magic, when upload via page Import Config, it upload OK and then restart router, but when it restart no any changes, again download config and check and no changes appear done, do you have similar problem?, share some device daa

Device Name G-240W-B Vendor Nokia Serial Number ALCLF2X5XXXX Hardware Version 3FE56756ADBA Boot Version U-Boot Jun-03-2018--21:59:17 Software Version 3FE56773BFHB47

@thedroidgeek Thank you for the script. I was able to login to telnet and try to access shell which is asking for password that I try to provide same password as telnet but it says invalid. can you guys help to identify in the xml where is the shell password @shailparmar me having G-140w-F & G-140w-C both able to login to telnet but not getting shell prompt like you shared screenshot in this thread. Help to identify where is the configuration in the xml. I tried my best last 2 weeks. Thank you again

I tried to repack the unpacked xml without editing it. Result file isn't different in bytes, only missing some at the last bytes.
Are those last bytes important?
Byte 00011590 to 000115D5 seems to be "fixed" across backups.

@ChrisG661 Those are seemingly leftover bytes from overwriting a previous (larger) cfg file - they shouldn't matter.

Thanks a lot! I got root with ONTUSER:SUGAR2A041. I guess the backdoor still works.

Awesome work and findings. Much to learn from your knowledge, thanks for sharing.

If someone have any details on my questions please help.

1. Is it possible to disconnect/connect wan through ssh?
2. Is there a way to see WAN uptime through ssh (this is not even available through the gui)?
3. Is there any way we can update the firmware on these routers? (I tried searching to no avail)

@prettyvoid

It is possible to do anything from ssh.
2. I can see wan uptime in connection status. So what do you want to imply here?
3. You update the firmware by going to gui page and upload it from there. If you want to do it from ssh you need to reverse that code.

@shirshak55
2. Can you tell me exactly where to see this in the interface? I can only find Device uptime and not the connection uptime.
3. Yes I know we can update the firmware through the gui but my point is that I couldn't find the firmware itself to upload.

Hi! so I have this model Nokia G-140W-H, I am not able to log in as root. I already set LimitAccount_ONTUSER to false and still do not activate the user. Can someone help me?

Can someone help me?

Hello @thedroidgeek Thankyou for the detailed instruction , although this is the first time ive used python and still able get to root user succesfully on G-140w-F & G-140w-C . now what i want is to Modify the default configuration of the ONT ( that means if we hard reset the ONT it will restore our modified configuration). Thanks Again for the Guide
below are the available cmds.

how did you managed to get the root pass from config.xml file?

@Ahir7 read the first post. There is decrypting tool that decrypts the password.

@Ahir7 read the first post. There is decrypting tool that decrypts the password.

I used the py script and I decrypted the telnet password to admin , but I can't get access
If have a fix please let me know
Appreciate your help

@ahir there are many users and you may be using password that is disabled for security purpose. You should enable ont user or something like that and use it.

Can you help me enable ont user @shirshak55

Hello @thedroidgeek Thankyou for the detailed instruction , although this is the first time ive used python and still able get to root user succesfully on G-140w-F & G-140w-C . now what i want is to Modify the default configuration of the ONT ( that means if we hard reset the ONT it will restore our modified configuration). Thanks Again for the Guide
below are the available cmds.

Hello how did you do to access ONTUSER my model G-140W-H and I believe it is different in some configuration. I already set LimitAccount_ONTUSER to false, but without success when logging via telnet. Can you help me. I can send the configuration file.

@espetoet you login via ssh not telnet.

@Ahir7 you enable by setting true in config file.

@espetoet você faz o login via ssh e não telnet.

Thanks for the answer. already done so much by telnet or ssh but not login.

If I send you the configuration file, you could see if I'm doing something wrong. or forgetting to activate something.

https://drive.google.com/file/d/163F4zYBfPb8_RlUQl3hPcvNhZ2zUkIJ6/view?usp=sharing

@Ahir7 you enable by setting true in config file.

i am trying my password admin but can't login , i have edited the cfg file

I got a G-140W-H here, hardware version 3FE48054BDAA, software version 3FE48077CGCB30, boot version U-Boot Mar-31-2020--23:07:20. This is for a brazilian ISP called "Oi". They block A LOT of ports, and don't give the option to bridge the router. They provide a very limited "userAdmin" user, and they have changed the AdminGPON user default password. No one has it. I was trying an easier way to get AdminGPON access, other than dumping the firmware with JTAG cable, wich I don't have. One way would be backing up the firmware from web interface, but this userAdmin user does not have access to firmware page. Does anyone here know of a hardcoded password for this model, or knows a way to dump the firmware from web interface with this "userAdmin" unprivilleged user? BTW, changing html at runtime vi browser debug console does not work to change configurations at this model. Web interface complains about user privilleges for any changes at the "WAN" tab.

@joaodalvi did you find the password for AdminGPON ? I have a G-140W-C and ALC#FGU doesn't work for me either

@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.

@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.

Go to ont login page , the go to back up and restore you will get the option there

@Ahir7 you enable by setting true in config file.

Bro did you managed to get the shell access?

I have a Nokia GPON with Model Number: "G-2425G-A" and Hardware Version "3FE48299DBAA". Most of the settings have been disabled by Airtel when I login using "admin" user id. Is it possible to somehow enable the greyed out setting options?

Hello bro did you managed to get the SSH access it g2425g?

Can anyone help me to use the encrypt or decrypt command? I am unable to use these although cfg to xml and xml to cfg works.

@thedroidgeek Thanks man. Great work!
I was able to get ssh access but i am not able to get root. I am just trying to edit my DNS servers which is locked by my ISP. I tried unpacking the config file, changing the dns and repacked and uploaded it. But the dns settings won't change.
Can someone help me bypass this?

Thanks.