Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Nokia/Alcatel-Lucent router backup configuration tool
#!/usr/bin/env python3
#
# Nokia/Alcatel-Lucent router backup configuration tool
#
# Features:
# - Unpack/repack .cfg files generated from the backup and restore functionnality
# in order to modify the full router configuration
# - Decrypt/encrypt the passwords/secret values present in the configuration
#
# Blog post: https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html
#
# Released under the MIT License (http://opensource.org/licenses/MIT)
# Copyright (c) Sami Alaoui Kendil (thedroidgeek)
#
import sys
import zlib
import struct
import base64
import binascii
import datetime
big_endian = True
encrypted_cfg = False
def u32(val):
return struct.unpack('>I' if big_endian else '<I', val)[0]
def p32(val):
return struct.pack('>I' if big_endian else '<I', val)
def checkendian(cfg):
if (cfg[0:4] == b'\x00\x12\x31\x23'):
return True
elif (cfg[0:4] == b'\x23\x31\x12\x00'):
return False
else:
return None
class RouterCrypto:
def __init__(self):
from Crypto.Cipher import AES
# key and IV for AES
key = '3D A3 73 D7 DC 82 2E 2A 47 0D EC 37 89 6E 80 D7 2C 49 B3 16 29 DD C9 97 35 4B 84 03 91 77 9E A4'
iv = 'D0 E6 DC CD A7 4A 00 DF 76 0F C0 85 11 CB 05 EA'
# create AES-128-CBC cipher
self.cipher = AES.new(bytes(bytearray.fromhex(key)), AES.MODE_CBC, bytes(bytearray.fromhex(iv)))
def decrypt(self, data):
output = self.cipher.decrypt(data)
# remove PKCS#7 padding
return output[:-ord(output[-1:])]
def encrypt(self, data):
# add PKCS#7 padding for 128-bit AES
pad_num = (16 - (len(data) % 16))
data += chr(pad_num).encode() * pad_num
return self.cipher.encrypt(data)
#
# unpack xml from cfg
#
if (len(sys.argv) == 3 and sys.argv[1] == '-u'):
# line feed
print('')
# read the cfg file
cf = open(sys.argv[2], 'rb')
cfg_data = cf.read()
# check cfg file magic (0x123123) and determine endianness
big_endian = checkendian(cfg_data)
if big_endian == None:
# check if config is encrypted
decrypted = None
try:
# decrypt and check validity
decrypted = RouterCrypto().decrypt(cfg_data)
big_endian = checkendian(decrypted)
except ValueError:
pass
# if decryption failed, or still invalid, bail out
if big_endian == None:
print('invalid cfg file/magic :(\n')
exit()
# set decrypted cfg buffer and encryption flag
print('-> encrypted cfg detected')
cfg_data = decrypted
encrypted_cfg = True
# log endianness
if big_endian:
print('-> big endian CPU detected')
else:
print('-> little endian CPU detected')
# get fw_magic (unknown, could be fw version/compile time, hw serial number, etc.)
fw_magic = u32(cfg_data[0x10:0x14])
print('-> fw_magic = ' + hex(fw_magic))
# get the size of the compressed data
data_size = u32(cfg_data[4:8])
# get the compressed data
compressed = cfg_data[0x14 : 0x14 + data_size]
# get the checksum of the compressed data
checksum = u32(cfg_data[8:12])
# verify the checksum
if (binascii.crc32(compressed) & 0xFFFFFFFF != checksum):
print('\nCRC32 checksum failed :(\n')
exit()
# unpack the config
xml_data = zlib.decompress(compressed)
# output the xml file
out_filename = 'config-%s.xml' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')
of = open(out_filename, 'wb')
of.write(xml_data)
print('\nunpacked as: ' + out_filename)
print('\n# repack with:')
print('%s %s %s %s\n' % (sys.argv[0], ('-pb' if big_endian else '-pl') + ('e' if encrypted_cfg else ''), out_filename, hex(fw_magic)))
cf.close()
of.close()
#
# generate cfg from xml
#
elif (len(sys.argv) == 4 and (sys.argv[1][:3] == '-pb' or sys.argv[1][:3] == '-pl')):
fw_magic = 0
try:
# parse hex string
fw_magic = int(sys.argv[3], 16)
# 32-bit check
p32(fw_magic)
except:
print('\ninvalid magic value specified (32-bit hex)\n')
exit()
big_endian = sys.argv[1][:3] == '-pb'
encrypted_cfg = sys.argv[1][3:] == 'e'
out_filename = 'config-%s.cfg' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')
# read the xml file
xf = open(sys.argv[2], 'rb')
xml_data = xf.read()
xf.close()
# compress using default zlib compression
compressed = zlib.compress(xml_data)
## construct the header ##
# magic
cfg_data = p32(0x123123)
# size of compressed data
cfg_data += p32(len(compressed))
# crc32 checksum
cfg_data += p32(binascii.crc32(compressed) & 0xFFFFFFFF)
# size of xml file
cfg_data += p32(len(xml_data) + 1)
# fw_magic
cfg_data += p32(fw_magic)
# add the compressed xml
cfg_data += compressed
# encrypt if necessary
if encrypted_cfg:
cfg_data = RouterCrypto().encrypt(cfg_data)
# write the cfg file
of = open(out_filename, 'wb')
of.write(cfg_data)
of.close()
print('\npacked as: ' + out_filename + '\n')
#
# decrypt/encrypt secret value
#
elif (len(sys.argv) == 3 and (sys.argv[1] == '-d' or sys.argv[1] == '-e')):
decrypt_mode = sys.argv[1] == '-d'
if decrypt_mode:
# base64 decode + AES decrypt
print('\ndecrypted: ' + RouterCrypto().decrypt(base64.b64decode(sys.argv[2])).decode('UTF-8') + '\n')
else:
# AES encrypt + base64 encode
print('\nencrypted: ' + base64.b64encode(RouterCrypto().encrypt(sys.argv[2].encode())).decode('UTF-8') + '\n')
else:
print('\n#\n# Nokia/Alcatel-Lucent router backup configuration tool\n#\n')
print('# unpack (cfg to xml)\n')
print(sys.argv[0] + ' -u config.cfg\n')
print('# pack (xml to cfg)\n')
print(sys.argv[0] + ' -pb config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331')
print(sys.argv[0] + ' -pl config.xml 0x13377331 # little endian, ...')
print(sys.argv[0] + ' -pbe config.xml 0x13377331 # big endian, with encryption, ...')
print(sys.argv[0] + ' -ple config.xml 0x13377331 # ...\n')
print('# decrypt/encrypt secret values within xml (ealgo="ab")\n')
print(sys.argv[0] + ' -d OYdLWUVDdKQTPaCIeTqniA==')
print(sys.argv[0] + ' -e admin\n')
@lepierro
Copy link

Hello, I just bought this Nokia router on the internet, mine comes from Sweden and I am currently in Italy. The router does not pick up the 5g or 4g network at all and I think this is due to the fact that it was working on the Telia network and now I have inserted a Vodafone sim card in Italy.
I hope it is possible to unlock the modem to other networks?
Thank you for your help

@Naplifye
Copy link

Naplifye commented Feb 6, 2022

Hello, I have Nokia G-2425G-A, and I get this error:
-> little endian CPU detected -> fw_magic = 0xffffffff Traceback (most recent call last): File "C:\Users\Naplifayaie\Downloads\nokia-router-cfg-tool.py", line 137, in <module> xml_data = zlib.decompress(compressed) zlib.error: Error -3 while decompressing data: incorrect header check

@alexonpeace
Copy link

alexonpeace commented Feb 27, 2022

I'm getting the same error as @Naplifye

-> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
  File "C:\Users\:)\router\nokia-router-cfg-tool.py", line 137, in <module>
    xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check

@Kalyan-M
Copy link

Kalyan-M commented Mar 8, 2022

i've found this on the internet and i was able unlock the router image but i forgot dump my these files, i can't go back to the previous settings.....its been permanently unlocked image

and also i tried to insert My BSNL(ISP) fibre cable into the router and red light LOS still there I've also noticed that in optics status the RX power is around -29 dbm and TX power is infinite

so after unlocking it still useless like it was before.

what do you mean useless as before? BSNL ftth works after unlocking the webUI

@d-pank
Copy link

d-pank commented Mar 8, 2022

i've found this on the internet and i was able unlock the router image but i forgot dump my these files, i can't go back to the previous settings.....its been permanently unlocked image
and also i tried to insert My BSNL(ISP) fibre cable into the router and red light LOS still there I've also noticed that in optics status the RX power is around -29 dbm and TX power is infinite
so after unlocking it still useless like it was before.

what do you mean useless as before? BSNL ftth works after unlocking the webUI

No.......i found out that BSNL uses EPON technology for its Fibre optics........and this router supports only GPON......so the red light LOS is gonna be there if you're using BSNL.

@Nepankaj
Copy link

Nepankaj commented May 5, 2022

Hello @thedroidgeek Thankyou for the detailed instruction , although this is the first time ive used python and still able get to root user succesfully on G-140w-F & G-140w-C . now what i want is to Modify the default configuration of the ONT ( that means if we hard reset the ONT it will restore our modified configuration). Thanks Again for the Guide below are the available cmds. cmd1 cmd2 cmd3

Are you able to do so? Can you please share the steps in achieving this? is it possible to change the WebUI, because I want to hide some of the features of the Router.

@theshapguy
Copy link

Hi, I'm getting this error when I run this script

-> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
  File "/Users/shapathneupane/Desktop/nokia-router-cfg-tool.py", line 137, in <module>
    xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check

It seems like the configuration file is no longer static as you described in the blog post. When I checked the cfg file on the hex viewer, and all the hex changes even after one small change made via the configuration file.

I changed the IP range on my router (via web) from to 250 to 252, and downloaded the config file on each of the change, when I view it in the hex viewer, most things changes other than a few bytes of data and a persistent FF FF FF FF FF on the beginning of the second line. This is where the checksum is extracted on the script above.

What would be the best way to read the configuration file as text and re-upload it back? It would be great if you could share me some of your thoughts

Here are the three configuration files zipped up: https://paste.c-net.org/EmployeeSweater

Screen.Recording.2022-07-27.at.7.14.05.PM.mov

@AndyAtonement
Copy link

Hello my friends, is everything alright?

Recently i've been hacked, and i can't find anything about this router. I'm using a Nokia G-240W-C, and i can't find a firmware for it. I'm sorry for being dumb and ask you this, but with this can i protect my router of being invaded?

@wantei
Copy link

wantei commented Aug 6, 2022

Is there a way to disable IPv6 DHCP via config file? I can't find a way to do so on the GUI, even when setting the flag to false, it looks like it is still taking effect.

@ajaikumarnadar
Copy link

i've found this on the internet and i was able unlock the router image but i forgot dump my these files, i can't go back to the previous settings.....its been permanently unlocked image
and also i tried to insert My BSNL(ISP) fibre cable into the router and red light LOS still there I've also noticed that in optics status the RX power is around -29 dbm and TX power is infinite
so after unlocking it still useless like it was before.

what do you mean useless as before? BSNL ftth works after unlocking the webUI

Hey,
BSNL connection working fine for you after unlocking the Nokia router ? Can u share the screenshot of the configuration done in web panel.. i need it for my router configuration... Please text me on telegram @ajaikumarnadar

@ankityadav06it
Copy link

Hi, I am not able to run this script. I want to access the TR069 config from my router.

@anthonymoon
Copy link

@joaodalvi did you ever get access?

@ALANCOSTAL
Copy link

Por favor sou novo aqui gostaria de ajuda como faco, pois as minhas a frequenica 2g nao pega direito...
e quando o faco o arquivo de conifg de uma que ta boa e vou jogar em outra da erro.

@ALANCOSTAL
Copy link

Alguem pode me ajduar com esse erro; error set LanWlanObject :1

@AndyAtonement
Copy link

Por favor sou novo aqui gostaria de ajuda como faco, pois as minhas a frequenica 2g nao pega direito... e quando o faco o arquivo de conifg de uma que ta boa e vou jogar em outra da erro.

Cara dificil pra quem fala inglês, com portugues ainda...eu não consigo acessar esse roteador nem a pau...

@rajkosto
Copy link

I've added support for G2425 to my fork of this script, available here: https://gist.github.com/rajkosto/e2b2455d457cc2be82dbb5c85e22d708

@TheLazyHatGuy
Copy link

Has anyone figured out a way to enable the back up and restore function on G-2425G-B
or get any access to the SuperAdmin account?

@fakhriaunur
Copy link

I've added support for G2425 to my fork of this script, available here: https://gist.github.com/rajkosto/e2b2455d457cc2be82dbb5c85e22d708

image

thanks a lot for your contribution bro. I was so confused before with the zlib decompression error header checking error. That one must come from the newer issue or firmware of the router.
working flawlessly 👍🏻

Hi, I'm getting this error when I run this script

-> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
  File "/Users/shapathneupane/Desktop/nokia-router-cfg-tool.py", line 137, in <module>
    xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check

It seems like the configuration file is no longer static as you described in the blog post. When I checked the cfg file on the hex viewer, and all the hex changes even after one small change made via the configuration file.

I changed the IP range on my router (via web) from to 250 to 252, and downloaded the config file on each of the change, when I view it in the hex viewer, most things changes other than a few bytes of data and a persistent FF FF FF FF FF on the beginning of the second line. This is where the checksum is extracted on the script above.

What would be the best way to read the configuration file as text and re-upload it back? It would be great if you could share me some of your thoughts

Here are the three configuration files zipped up: https://paste.c-net.org/EmployeeSweater
Screen.Recording.2022-07-27.at.7.14.05.PM.mov

Hello, I have Nokia G-2425G-A, and I get this error: -> little endian CPU detected -> fw_magic = 0xffffffff Traceback (most recent call last): File "C:\Users\Naplifayaie\Downloads\nokia-router-cfg-tool.py", line 137, in <module> xml_data = zlib.decompress(compressed) zlib.error: Error -3 while decompressing data: incorrect header check

I'm getting the same error as @Naplifye

-> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
  File "C:\Users\:)\router\nokia-router-cfg-tool.py", line 137, in <module>
    xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check

try using this fork

@mriamnobody
Copy link

The issue is not related to patching but I'm facing an issue. I tried to enable port forwarding on Nokia G-2425G-A after that I'm facing internet connectivity issue. Can someone please help? If I hard reset the router then it works for few minutes(2-3 minutes) then again internet goes down. On router page it says Authentication failure.

[alert] <129>1 1970-01-01T00:03:40.542117+00:00 AONT syslog 4001 - -  cfg_getParam(oid=173,paramName=ISPLogo) failed 
[alert] <129>1 1970-01-01T00:03:40.542628+00:00 AONT syslog 4001 - -  cfgDal_getParamVal(InternetGatewayDevice.UserInterface.ISPLogo) stl=0 update=0 failed 
[alert] <129>1 1970-01-01T00:03:55.038055+00:00 AONT syslog 4001 - -  Session is closed now, now reset the WAN 
[alert] <129>1 1970-01-01T00:03:55.055777+00:00 AONT syslog 4001 - -  wan_reset done 
[err] <131>1 1970-01-01T00:04:13.287854+00:00 AONT pppd 7059 - -  PPP-Nego:upap_rauthnak() PAP authentication failed 
[alert] <129>1 1970-01-01T00:04:14.581323+00:00 AONT syslog 4001 - -  [tr069] signal 15 received, terminate now ```

@rajkosto
Copy link

I've added support for XS-2426 to my fork of this script, available here: https://gist.github.com/rajkosto/e2b2455d457cc2be82dbb5c85e22d708

@gavaskar199
Copy link

facing this problem on Nokia G-2425G-A

C:\Program Files\Python311>python.exe C:\Users\xyz\Downloads_nokia-router-cfg-tool_nokia-router-cfg-tool.py -u config.cfg

-> encrypted cfg detected
-> little endian CPU detected
-> fw_magic = 0x4924ea46
Traceback (most recent call last):
File "C:\Users\xyz\Downloads_nokia-router-cfg-tool_nokia-router-cfg-tool.py", line 141, in
of = open(out_filename, 'wb')
^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: 'config-03032023-182654.xml'

@rajkosto
Copy link

rajkosto commented Mar 3, 2023

So either run your commandline as admin or dont run it the script INSIDE OF PROGRAM FILES where you NEED ADMIN RIGHTS TO WRITE FILES ?

@gavaskar199
Copy link

thanks

@gavaskar199
Copy link

Manufacturer:ALCL
ProductClass:G-2425G-A
SerialNumber:ALCLB3F9XYZ
HWVer:3FE48299DEAA
SWVer:3FE49362IJHK46
IP:192.168.1.1
USERNAME/PASSWORD ONTUSER:SUGAR2A041

[alert] <129>1 1970-01-01T05:32:57.960080+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed
[alert] <129>1 1970-01-01T05:33:13.470119+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed
[alert] <129>1 1970-01-01T05:35:28.700579+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed
[alert] <129>1 1970-01-01T05:35:28.706195+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed over max times
[alert] <129>1 1970-01-01T05:35:46.179659+05:30 AONT syslog 4264 - - ssh: [192.168.1.2] login failed over max times

@GokulSakthivel
Copy link

GokulSakthivel commented Mar 11, 2023

Hello,

I have Nokia G-2425G-A Router provided by my ISP (Airtel). But the ssh/telnet connection asks for password2.
2023-03-11_13-55

I have tried ONTUSER direct login, but password SUGAR2A041 not working
2023-03-11_14-35
2023-03-11_14-35_1

Router Configuration:
2023-03-11_14-40

configuration file attached :
https://drive.google.com/file/d/1T72DVCCyWS2IK5lpFrKAxyk_2yGFeS3b/view?usp=sharing

Please help me to get root access##

@rajkosto
Copy link

rajkosto commented Mar 11, 2023

I've already explained this here: https://gist.github.com/rajkosto/e2b2455d457cc2be82dbb5c85e22d708?permalink_comment_id=4417229#gistcomment-4417229, you need to enable ONTUSER first (with LimitAccount_ONTUSER "false") then make the username of TelnetSSHAccount be "ONTUSER" and whatever password is under there is set for ONTUSER, SUGAR2A041 does not work on these newer models by default

@Nepankaj
Copy link

Nepankaj commented May 9, 2023

How we can make current configuration as factory configuration?
like on every reset WAN setting should remained configured.
Any thoughts or suggestions.
@rajkosto @thedroidgeek

@Nepankaj
Copy link

Nepankaj commented May 9, 2023

How can we lock Nokia G-140W-C.
@rajkosto @thedroidgeek

@cantonalex
Copy link

Anyone know how to set Fastmile Gateway 3 (3TG00799ABAA) to PPPoE mode using the WAN port? I have managed to do it on the wifi 5 model.

@javanshirm
Copy link

@sh4k4 @Ahir7

Hello guys.

Cloud you be able to check the credentials that give your access admin page on your device

username: superadmin
password: 12345

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment