-
-
Save thedroidgeek/80c379aa43b71015d71da130f85a435a to your computer and use it in GitHub Desktop.
| #!/usr/bin/env python3 | |
| # | |
| # Nokia/Alcatel-Lucent router backup configuration tool | |
| # | |
| # Features: | |
| # - Unpack/repack .cfg files generated from the backup and restore functionnality | |
| # in order to modify the full router configuration | |
| # - Decrypt/encrypt the passwords/secret values present in the configuration | |
| # | |
| # Blog post: https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html | |
| # | |
| # Released under the MIT License (http://opensource.org/licenses/MIT) | |
| # Copyright (c) Sami Alaoui Kendil (thedroidgeek) | |
| # | |
| import sys | |
| import zlib | |
| import struct | |
| import base64 | |
| import binascii | |
| import datetime | |
| big_endian = True | |
| encrypted_cfg = False | |
| def u32(val): | |
| return struct.unpack('>I' if big_endian else '<I', val)[0] | |
| def p32(val): | |
| return struct.pack('>I' if big_endian else '<I', val) | |
| def checkendian(cfg): | |
| if (cfg[0:4] == b'\x00\x12\x31\x23'): | |
| return True | |
| elif (cfg[0:4] == b'\x23\x31\x12\x00'): | |
| return False | |
| else: | |
| return None | |
| class RouterCrypto: | |
| def __init__(self): | |
| from Crypto.Cipher import AES | |
| # key and IV for AES | |
| key = '3D A3 73 D7 DC 82 2E 2A 47 0D EC 37 89 6E 80 D7 2C 49 B3 16 29 DD C9 97 35 4B 84 03 91 77 9E A4' | |
| iv = 'D0 E6 DC CD A7 4A 00 DF 76 0F C0 85 11 CB 05 EA' | |
| # create AES-128-CBC cipher | |
| self.cipher = AES.new(bytes(bytearray.fromhex(key)), AES.MODE_CBC, bytes(bytearray.fromhex(iv))) | |
| def decrypt(self, data): | |
| output = self.cipher.decrypt(data) | |
| # remove PKCS#7 padding | |
| return output[:-ord(output[-1:])] | |
| def encrypt(self, data): | |
| # add PKCS#7 padding for 128-bit AES | |
| pad_num = (16 - (len(data) % 16)) | |
| data += chr(pad_num).encode() * pad_num | |
| return self.cipher.encrypt(data) | |
| # | |
| # unpack xml from cfg | |
| # | |
| if (len(sys.argv) == 3 and sys.argv[1] == '-u'): | |
| # line feed | |
| print('') | |
| # read the cfg file | |
| cf = open(sys.argv[2], 'rb') | |
| cfg_data = cf.read() | |
| # check cfg file magic (0x123123) and determine endianness | |
| big_endian = checkendian(cfg_data) | |
| if big_endian == None: | |
| # check if config is encrypted | |
| decrypted = None | |
| try: | |
| # decrypt and check validity | |
| decrypted = RouterCrypto().decrypt(cfg_data) | |
| big_endian = checkendian(decrypted) | |
| except ValueError: | |
| pass | |
| # if decryption failed, or still invalid, bail out | |
| if big_endian == None: | |
| print('invalid cfg file/magic :(\n') | |
| exit() | |
| # set decrypted cfg buffer and encryption flag | |
| print('-> encrypted cfg detected') | |
| cfg_data = decrypted | |
| encrypted_cfg = True | |
| # log endianness | |
| if big_endian: | |
| print('-> big endian CPU detected') | |
| else: | |
| print('-> little endian CPU detected') | |
| # get fw_magic (unknown, could be fw version/compile time, hw serial number, etc.) | |
| fw_magic = u32(cfg_data[0x10:0x14]) | |
| print('-> fw_magic = ' + hex(fw_magic)) | |
| # get the size of the compressed data | |
| data_size = u32(cfg_data[4:8]) | |
| # get the compressed data | |
| compressed = cfg_data[0x14 : 0x14 + data_size] | |
| # get the checksum of the compressed data | |
| checksum = u32(cfg_data[8:12]) | |
| # verify the checksum | |
| if (binascii.crc32(compressed) & 0xFFFFFFFF != checksum): | |
| print('\nCRC32 checksum failed :(\n') | |
| exit() | |
| # unpack the config | |
| xml_data = zlib.decompress(compressed) | |
| # output the xml file | |
| out_filename = 'config-%s.xml' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S') | |
| of = open(out_filename, 'wb') | |
| of.write(xml_data) | |
| print('\nunpacked as: ' + out_filename) | |
| print('\n# repack with:') | |
| print('%s %s %s %s\n' % (sys.argv[0], ('-pb' if big_endian else '-pl') + ('e' if encrypted_cfg else ''), out_filename, hex(fw_magic))) | |
| cf.close() | |
| of.close() | |
| # | |
| # generate cfg from xml | |
| # | |
| elif (len(sys.argv) == 4 and (sys.argv[1][:3] == '-pb' or sys.argv[1][:3] == '-pl')): | |
| fw_magic = 0 | |
| try: | |
| # parse hex string | |
| fw_magic = int(sys.argv[3], 16) | |
| # 32-bit check | |
| p32(fw_magic) | |
| except: | |
| print('\ninvalid magic value specified (32-bit hex)\n') | |
| exit() | |
| big_endian = sys.argv[1][:3] == '-pb' | |
| encrypted_cfg = sys.argv[1][3:] == 'e' | |
| out_filename = 'config-%s.cfg' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S') | |
| # read the xml file | |
| xf = open(sys.argv[2], 'rb') | |
| xml_data = xf.read() | |
| xf.close() | |
| # compress using default zlib compression | |
| compressed = zlib.compress(xml_data) | |
| ## construct the header ## | |
| # magic | |
| cfg_data = p32(0x123123) | |
| # size of compressed data | |
| cfg_data += p32(len(compressed)) | |
| # crc32 checksum | |
| cfg_data += p32(binascii.crc32(compressed) & 0xFFFFFFFF) | |
| # size of xml file | |
| cfg_data += p32(len(xml_data) + 1) | |
| # fw_magic | |
| cfg_data += p32(fw_magic) | |
| # add the compressed xml | |
| cfg_data += compressed | |
| # encrypt if necessary | |
| if encrypted_cfg: | |
| cfg_data = RouterCrypto().encrypt(cfg_data) | |
| # write the cfg file | |
| of = open(out_filename, 'wb') | |
| of.write(cfg_data) | |
| of.close() | |
| print('\npacked as: ' + out_filename + '\n') | |
| # | |
| # decrypt/encrypt secret value | |
| # | |
| elif (len(sys.argv) == 3 and (sys.argv[1] == '-d' or sys.argv[1] == '-e')): | |
| decrypt_mode = sys.argv[1] == '-d' | |
| if decrypt_mode: | |
| # base64 decode + AES decrypt | |
| print('\ndecrypted: ' + RouterCrypto().decrypt(base64.b64decode(sys.argv[2])).decode('UTF-8') + '\n') | |
| else: | |
| # AES encrypt + base64 encode | |
| print('\nencrypted: ' + base64.b64encode(RouterCrypto().encrypt(sys.argv[2].encode())).decode('UTF-8') + '\n') | |
| else: | |
| print('\n#\n# Nokia/Alcatel-Lucent router backup configuration tool\n#\n') | |
| print('# unpack (cfg to xml)\n') | |
| print(sys.argv[0] + ' -u config.cfg\n') | |
| print('# pack (xml to cfg)\n') | |
| print(sys.argv[0] + ' -pb config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331') | |
| print(sys.argv[0] + ' -pl config.xml 0x13377331 # little endian, ...') | |
| print(sys.argv[0] + ' -pbe config.xml 0x13377331 # big endian, with encryption, ...') | |
| print(sys.argv[0] + ' -ple config.xml 0x13377331 # ...\n') | |
| print('# decrypt/encrypt secret values within xml (ealgo="ab")\n') | |
| print(sys.argv[0] + ' -d OYdLWUVDdKQTPaCIeTqniA==') | |
| print(sys.argv[0] + ' -e admin\n') |
@Ahir7 you enable by setting true in config file.
i am trying my password admin but can't login , i have edited the cfg file
I got a G-140W-H here, hardware version 3FE48054BDAA, software version 3FE48077CGCB30, boot version U-Boot Mar-31-2020--23:07:20. This is for a brazilian ISP called "Oi". They block A LOT of ports, and don't give the option to bridge the router. They provide a very limited "userAdmin" user, and they have changed the AdminGPON user default password. No one has it. I was trying an easier way to get AdminGPON access, other than dumping the firmware with JTAG cable, wich I don't have. One way would be backing up the firmware from web interface, but this userAdmin user does not have access to firmware page. Does anyone here know of a hardcoded password for this model, or knows a way to dump the firmware from web interface with this "userAdmin" unprivilleged user? BTW, changing html at runtime vi browser debug console does not work to change configurations at this model. Web interface complains about user privilleges for any changes at the "WAN" tab.
@joaodalvi did you find the password for AdminGPON ? I have a G-140W-C and ALC#FGU doesn't work for me either
@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.
@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.
Go to ont login page , the go to back up and restore you will get the option there
@Ahir7 you enable by setting true in config file.
Bro did you managed to get the shell access?
I have a Nokia GPON with Model Number: "G-2425G-A" and Hardware Version "3FE48299DBAA". Most of the settings have been disabled by Airtel when I login using "admin" user id. Is it possible to somehow enable the greyed out setting options?
Hello bro did you managed to get the SSH access it g2425g?
Can anyone help me to use the encrypt or decrypt command? I am unable to use these although cfg to xml and xml to cfg works.
@thedroidgeek Thanks man. Great work!
I was able to get ssh access but i am not able to get root. I am just trying to edit my DNS servers which is locked by my ISP. I tried unpacking the config file, changing the dns and repacked and uploaded it. But the dns settings won't change.
Can someone help me bypass this?
Thanks.
Please help
https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a#gistcomment-3793209
When I log in to ont page... I don't see any backup and restore. I hope it is blocked by Tatasky...
@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.
Go to ont login page , the go to back up and restore you will get the option there
I cannot find back and restore page on ont admin console. I hope it is disabled by ISP
Is there any alternative. to get config file?
@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.
Go to ont login page , the go to back up and restore you will get the option there
I cannot find back and restore page on ont admin console. I hope it is disabled by ISP
Is there any alternative. to get config file?
What is the model of the nokia ont?
@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.
Go to ont login page , the go to back up and restore you will get the option there
I cannot find back and restore page on ont admin console. I hope it is disabled by ISP
You may need to login as AdminGPON (try password ALC#FGU) to be able to see/use the Backup and Restore page.
@mlongmailai , I've got a Nokia Fastmile and the 'userAdmin' account on the bottom of the router doesn't show the Backup/Restore page. But I've found an access control vulnerability which allows you to escalate to full admin and see the Backup/Restore page.
From there I'm able to use this tool.
Writeup here: https://eddiez.me/hacking-the-nokia-fastmile/
@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.
Go to ont login page , the go to back up and restore you will get the option there
I cannot find back and restore page on ont admin console. I hope it is disabled by ISP
You may need to login as
AdminGPON(try passwordALC#FGU) to be able to see/use the Backup and Restore page.
The user ID and password is not working
@thedroidgeek @Ahir7 Can yo guys please guide me how to get config file. I cannot find backup and restore page, When I try ip/usb.cgi?backup I get blank page. Please guide me to get blank screen.
Go to ont login page , the go to back up and restore you will get the option there
I cannot find back and restore page on ont admin console. I hope it is disabled by ISP
Is there any alternative. to get config file?What is the model of the nokia ont?
@mlongmailai , I've got a Nokia Fastmile and the 'userAdmin' account on the bottom of the router doesn't show the Backup/Restore page. But I've found an access control vulnerability which allows you to escalate to full admin and see the Backup/Restore page.
From there I'm able to use this tool.
Writeup here: https://eddiez.me/hacking-the-nokia-fastmile/
I could not able to download the tool
I have enabled the SSH access. Now, how can we configure the WebGUI to add additional wan profiles?
i've found this on the internet and i was able unlock the router
but i forgot dump my these files, i can't go back to the previous settings.....its been permanently unlocked
and also i tried to insert My BSNL(ISP) fibre cable into the router and red light LOS still there
I've also noticed that in optics status
the RX power is around -29 dbm and TX power is infinite
so after unlocking it still useless like it was before.
Hello, I just bought this Nokia router on the internet, mine comes from Sweden and I am currently in Italy. The router does not pick up the 5g or 4g network at all and I think this is due to the fact that it was working on the Telia network and now I have inserted a Vodafone sim card in Italy.
I hope it is possible to unlock the modem to other networks?
Thank you for your help
Hello, I have Nokia G-2425G-A, and I get this error:
-> little endian CPU detected -> fw_magic = 0xffffffff Traceback (most recent call last): File "C:\Users\Naplifayaie\Downloads\nokia-router-cfg-tool.py", line 137, in <module> xml_data = zlib.decompress(compressed) zlib.error: Error -3 while decompressing data: incorrect header check
I'm getting the same error as @Naplifye
-> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
File "C:\Users\:)\router\nokia-router-cfg-tool.py", line 137, in <module>
xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check
i've found this on the internet and i was able unlock the router
and also i tried to insert My BSNL(ISP) fibre cable into the router and red light LOS still there I've also noticed that in optics status the RX power is around -29 dbm and TX power is infinite
so after unlocking it still useless like it was before.
what do you mean useless as before? BSNL ftth works after unlocking the webUI
i've found this on the internet and i was able unlock the router
and also i tried to insert My BSNL(ISP) fibre cable into the router and red light LOS still there I've also noticed that in optics status the RX power is around -29 dbm and TX power is infinite
so after unlocking it still useless like it was before.what do you mean useless as before? BSNL ftth works after unlocking the webUI
No.......i found out that BSNL uses EPON technology for its Fibre optics........and this router supports only GPON......so the red light LOS is gonna be there if you're using BSNL.
Hello @thedroidgeek Thankyou for the detailed instruction , although this is the first time ive used python and still able get to root user succesfully on G-140w-F & G-140w-C . now what i want is to Modify the default configuration of the ONT ( that means if we hard reset the ONT it will restore our modified configuration). Thanks Again for the Guide below are the available cmds.
Are you able to do so? Can you please share the steps in achieving this? is it possible to change the WebUI, because I want to hide some of the features of the Router.
Hi, I'm getting this error when I run this script
-> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
File "/Users/shapathneupane/Desktop/nokia-router-cfg-tool.py", line 137, in <module>
xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check
It seems like the configuration file is no longer static as you described in the blog post. When I checked the cfg file on the hex viewer, and all the hex changes even after one small change made via the configuration file.
I changed the IP range on my router (via web) from to 250 to 252, and downloaded the config file on each of the change, when I view it in the hex viewer, most things changes other than a few bytes of data and a persistent FF FF FF FF FF on the beginning of the second line. This is where the checksum is extracted on the script above.
What would be the best way to read the configuration file as text and re-upload it back? It would be great if you could share me some of your thoughts
Here are the three configuration files zipped up: https://paste.c-net.org/EmployeeSweater
Screen.Recording.2022-07-27.at.7.14.05.PM.mov
Hello my friends, is everything alright?
Recently i've been hacked, and i can't find anything about this router. I'm using a Nokia G-240W-C, and i can't find a firmware for it. I'm sorry for being dumb and ask you this, but with this can i protect my router of being invaded?
Is there a way to disable IPv6 DHCP via config file? I can't find a way to do so on the GUI, even when setting the flag to false, it looks like it is still taking effect.
i've found this on the internet and i was able unlock the router
and also i tried to insert My BSNL(ISP) fibre cable into the router and red light LOS still there I've also noticed that in optics status the RX power is around -29 dbm and TX power is infinite
so after unlocking it still useless like it was before.what do you mean useless as before? BSNL ftth works after unlocking the webUI
Hey,
BSNL connection working fine for you after unlocking the Nokia router ? Can u share the screenshot of the configuration done in web panel.. i need it for my router configuration... Please text me on telegram @ajaikumarnadar
Hi, I am not able to run this script. I want to access the TR069 config from my router.
@joaodalvi did you ever get access?
Por favor sou novo aqui gostaria de ajuda como faco, pois as minhas a frequenica 2g nao pega direito...
e quando o faco o arquivo de conifg de uma que ta boa e vou jogar em outra da erro.
Alguem pode me ajduar com esse erro; error set LanWlanObject :1
Por favor sou novo aqui gostaria de ajuda como faco, pois as minhas a frequenica 2g nao pega direito... e quando o faco o arquivo de conifg de uma que ta boa e vou jogar em outra da erro.
Cara dificil pra quem fala inglês, com portugues ainda...eu não consigo acessar esse roteador nem a pau...
I've added support for G2425 to my fork of this script, available here: https://gist.github.com/rajkosto/e2b2455d457cc2be82dbb5c85e22d708
Has anyone figured out a way to enable the back up and restore function on G-2425G-B
or get any access to the SuperAdmin account?
I've added support for G2425 to my fork of this script, available here: https://gist.github.com/rajkosto/e2b2455d457cc2be82dbb5c85e22d708
thanks a lot for your contribution bro. I was so confused before with the zlib decompression error header checking error. That one must come from the newer issue or firmware of the router.
working flawlessly 👍🏻
Hi, I'm getting this error when I run this script
-> little endian CPU detected -> fw_magic = 0xffffffff Traceback (most recent call last): File "/Users/shapathneupane/Desktop/nokia-router-cfg-tool.py", line 137, in <module> xml_data = zlib.decompress(compressed) zlib.error: Error -3 while decompressing data: incorrect header checkIt seems like the configuration file is no longer static as you described in the blog post. When I checked the cfg file on the hex viewer, and all the hex changes even after one small change made via the configuration file.
I changed the IP range on my router (via web) from to 250 to 252, and downloaded the config file on each of the change, when I view it in the hex viewer, most things changes other than a few bytes of data and a persistent FF FF FF FF FF on the beginning of the second line. This is where the checksum is extracted on the script above.
What would be the best way to read the configuration file as text and re-upload it back? It would be great if you could share me some of your thoughts
Here are the three configuration files zipped up: https://paste.c-net.org/EmployeeSweater
Screen.Recording.2022-07-27.at.7.14.05.PM.mov
Hello, I have Nokia G-2425G-A, and I get this error:
-> little endian CPU detected -> fw_magic = 0xffffffff Traceback (most recent call last): File "C:\Users\Naplifayaie\Downloads\nokia-router-cfg-tool.py", line 137, in <module> xml_data = zlib.decompress(compressed) zlib.error: Error -3 while decompressing data: incorrect header check
I'm getting the same error as @Naplifye
-> little endian CPU detected -> fw_magic = 0xffffffff Traceback (most recent call last): File "C:\Users\:)\router\nokia-router-cfg-tool.py", line 137, in <module> xml_data = zlib.decompress(compressed) zlib.error: Error -3 while decompressing data: incorrect header check
try using this fork
The issue is not related to patching but I'm facing an issue. I tried to enable port forwarding on Nokia G-2425G-A after that I'm facing internet connectivity issue. Can someone please help? If I hard reset the router then it works for few minutes(2-3 minutes) then again internet goes down. On router page it says Authentication failure.
[alert] <129>1 1970-01-01T00:03:40.542117+00:00 AONT syslog 4001 - - cfg_getParam(oid=173,paramName=ISPLogo) failed
[alert] <129>1 1970-01-01T00:03:40.542628+00:00 AONT syslog 4001 - - cfgDal_getParamVal(InternetGatewayDevice.UserInterface.ISPLogo) stl=0 update=0 failed
[alert] <129>1 1970-01-01T00:03:55.038055+00:00 AONT syslog 4001 - - Session is closed now, now reset the WAN
[alert] <129>1 1970-01-01T00:03:55.055777+00:00 AONT syslog 4001 - - wan_reset done
[err] <131>1 1970-01-01T00:04:13.287854+00:00 AONT pppd 7059 - - PPP-Nego:upap_rauthnak() PAP authentication failed
[alert] <129>1 1970-01-01T00:04:14.581323+00:00 AONT syslog 4001 - - [tr069] signal 15 received, terminate now ```
I've added support for XS-2426 to my fork of this script, available here: https://gist.github.com/rajkosto/e2b2455d457cc2be82dbb5c85e22d708
facing this problem on Nokia G-2425G-A
C:\Program Files\Python311>python.exe C:\Users\xyz\Downloads_nokia-router-cfg-tool_nokia-router-cfg-tool.py -u config.cfg
-> encrypted cfg detected
-> little endian CPU detected
-> fw_magic = 0x4924ea46
Traceback (most recent call last):
File "C:\Users\xyz\Downloads_nokia-router-cfg-tool_nokia-router-cfg-tool.py", line 141, in
of = open(out_filename, 'wb')
^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: 'config-03032023-182654.xml'
So either run your commandline as admin or dont run it the script INSIDE OF PROGRAM FILES where you NEED ADMIN RIGHTS TO WRITE FILES ?
thanks
Manufacturer:ALCL
ProductClass:G-2425G-A
SerialNumber:ALCLB3F9XYZ
HWVer:3FE48299DEAA
SWVer:3FE49362IJHK46
IP:192.168.1.1
USERNAME/PASSWORD ONTUSER:SUGAR2A041
[alert] <129>1 1970-01-01T05:32:57.960080+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed
[alert] <129>1 1970-01-01T05:33:13.470119+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed
[alert] <129>1 1970-01-01T05:35:28.700579+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed
[alert] <129>1 1970-01-01T05:35:28.706195+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed over max times
[alert] <129>1 1970-01-01T05:35:46.179659+05:30 AONT syslog 4264 - - ssh: [192.168.1.2] login failed over max times
Hello,
I have Nokia G-2425G-A Router provided by my ISP (Airtel). But the ssh/telnet connection asks for password2.
I have tried ONTUSER direct login, but password SUGAR2A041 not working
Router Configuration:
configuration file attached :
https://drive.google.com/file/d/1T72DVCCyWS2IK5lpFrKAxyk_2yGFeS3b/view?usp=sharing
Please help me to get root access##
I've already explained this here: https://gist.github.com/rajkosto/e2b2455d457cc2be82dbb5c85e22d708?permalink_comment_id=4417229#gistcomment-4417229, you need to enable ONTUSER first (with LimitAccount_ONTUSER "false") then make the username of TelnetSSHAccount be "ONTUSER" and whatever password is under there is set for ONTUSER, SUGAR2A041 does not work on these newer models by default
How we can make current configuration as factory configuration?
like on every reset WAN setting should remained configured.
Any thoughts or suggestions.
@rajkosto @thedroidgeek
How can we lock Nokia G-140W-C.
@rajkosto @thedroidgeek
Anyone know how to set Fastmile Gateway 3 (3TG00799ABAA) to PPPoE mode using the WAN port? I have managed to do it on the wifi 5 model.
hello experts please guide me how to get configuration fil e there is no option for backup and restore or please anybody send me configuration file for my device NOKIA -G140W-F
@jaggifzr Is yours the wifi 6 model? Cause I have the same problem
@cantonalex I don't understand what u ask ..it's a locked modem from other isp
And no option for backup and restore so how can I unlock
please help me guys how to upload file there is no option for uploading file,i took file form net and edit and now i have correct file to upload for telnet access but there is no option for upload or restore so is there any software or loader through which i can upload this file
@jaggifzr did you work it out?
How to make untag vlan work on a Nokia G2425-A in route mode
Hey Anbody help me i am facing this error
PS C:\Users\The Lost Gaming Club\Desktop> python nokia.py -d OYdLWUVDdKQTPaCIeTqniA==
Traceback (most recent call last):
File "C:\Users\The Lost Gaming Club\Desktop\nokia.py", line 221, in
print('\ndecrypted: ' + RouterCrypto().decrypt(base64.b64decode(sys.argv[2])).decode('UTF-8') + '\n')
^^^^^^^^^^^^^^
File "C:\Users\The Lost Gaming Club\Desktop\nokia.py", line 50, in init
from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'
I am able to access the shell with root.
Now, how can we customise my router to enable all the features? I am unable to add new profiles. So, instead of changing the xml values, what should be the right way to make this changes?
@MrJithil What router is this for?
@MrJithil What router is this for?
G-2425G-A
Has anyone figured out a way to enable the back up and restore function on G-2425G-B or get any access to the SuperAdmin account?
@TheLazyHatGuy I haven't been able to find this out either, keep me posted if you find out!
I am unable to use the python script on 3FE49362JJIJ50
when I run the commands as per your instructions I get the below mentioned error
D:\nokia router -unlocker.py>python nokia.py
Nokia/Alcatel-Lucent router backup configuration tool
unpack (cfg to xml)
nokia.py -u config.cfg
pack (xml to cfg)
nokia.py -pb config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331
nokia.py -pl config.xml 0x13377331 # little endian, ...
nokia.py -pbe config.xml 0x13377331 # big endian, with encryption, ...
nokia.py -ple config.xml 0x13377331 # ...
decrypt/encrypt secret values within xml (ealgo="ab")
nokia.py -d OYdLWUVDdKQTPaCIeTqniA==
nokia.py -e admin
D:\nokia router -unlocker.py>python nokia.py -d OYdLWUVDdKQTPaCIeTqniA==
decrypted: admin
D:\nokia router -unlocker.py>python nokia.py -u config.cfg
-> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
File "D:\nokia router -unlocker.py\nokia.py", line 138, in
xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check
not sure what can I do next?
serial_number=ALCLFC0F3CE2 model_name=Nokia WiFi Beacon 1.1 model_number=3FE49236EAAA
NT_TYPE=beacon1_1 PON_MODE=ETHERNET SOFTWAREVERSION=HJI.I87p02 PRODUCTCLASS=beacon1_1 RELEASE=0.0.0 BUILDSTAMP= BUILDDATE=20210402_2046 COPYRIGHT=ASB WHOBUILD=buildmgr IMAGEVERSION=3FE49474HJII87 NODE=754bb9d584dc1e1dcd3b48a72a6e30800aaa69b5
ONTUSER:$1$gN5WP2Fo$6B.xGzm6kfpDOpYlY89Wp. wlinkuser:$1$IqXCkA2G$tD4LETpI3JuGqyMaxR5SH1 ONTUSER:$1$bgSEInSR$9mz9d01z5KeEqWCQDIXsw0 superadmin:$1$V2wemcad$2B/LkUQZ104dYCsTrdc5/1 ONTUSER:$1$bXtpwU3/$Qmlta87ByJOEnX0AllVJK1 superadmin:$1$JA/Lupt4$z9IvJy2VgUGL8n86.0dLx. ONTUSER:$1$4FG1vq0m$sbBHlJ44Nmoz0ADg6KKle1 superadmin:$1$8hB6r2PN$Zkl7rydE7syXwnC/V.rZc. superadmin:$1$MrZrEVDK$YqxsGcD7cYVz3.9wh2lzM1 ONTUSER:$1$Tyn/Cgvs$RdQuR6PUyfiwkwO167pDn. superadmin:$1$sfCosGGu$LKd9MUE6aJmpPy7vTHMdN1 root:$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz.
web username :admin Password for this device only :KQ5bthrLZD i have dumped the firmware and shared to you
Could you share the firmware here?
please make a code for "3FE49362JJIJ54"
Hi @Padke9 , I have Nokia Airtel G-2425G-A router with Software Version
3FE49362JJIJ50 . Can you please provide the Python script for this software version? Thanks.
anyone know how to do this for Fastmile 3.2 wifi 6 version?
serial_number=ALCLFC0F3CE2 model_name=Nokia WiFi Beacon 1.1 model_number=3FE49236EAAA
(https://drive.google.com/file/d/1nrRQD-6ftSW1DlC0cpiG7CfsgFZGWa2R/view?usp=drive_link)
can I pay you to do this @Padke9 Prakesh, do you have twitter?
This is Locked to carrier
I dont have this hardware with me to reverse
Fastmile 3.2 wifi 6 version
But here is some thing you can see on other version
https://eddiez.me/hacking-the-nokia-fastmile/
serial_number=ALCLFC0F3CE2 model_name=Nokia WiFi Beacon 1.1 model_number=3FE49236EAAA
NT_TYPE=beacon1_1 PON_MODE=ETHERNET SOFTWAREVERSION=HJI.I87p02 PRODUCTCLASS=beacon1_1 RELEASE=0.0.0 BUILDSTAMP= BUILDDATE=20210402_2046 COPYRIGHT=ASB WHOBUILD=buildmgr IMAGEVERSION=3FE49474HJII87 NODE=754bb9d584dc1e1dcd3b48a72a6e30800aaa69b5
ONTUSER:$1$gN5WP2Fo$6B.xGzm6kfpDOpYlY89Wp. wlinkuser:$1$IqXCkA2G$tD4LETpI3JuGqyMaxR5SH1 ONTUSER:$1$bgSEInSR$9mz9d01z5KeEqWCQDIXsw0 superadmin:$1$V2wemcad$2B/LkUQZ104dYCsTrdc5/1 ONTUSER:$1$bXtpwU3/$Qmlta87ByJOEnX0AllVJK1 superadmin:$1$JA/Lupt4$z9IvJy2VgUGL8n86.0dLx. ONTUSER:$1$4FG1vq0m$sbBHlJ44Nmoz0ADg6KKle1 superadmin:$1$8hB6r2PN$Zkl7rydE7syXwnC/V.rZc. superadmin:$1$MrZrEVDK$YqxsGcD7cYVz3.9wh2lzM1 ONTUSER:$1$Tyn/Cgvs$RdQuR6PUyfiwkwO167pDn. superadmin:$1$sfCosGGu$LKd9MUE6aJmpPy7vTHMdN1 root:$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz.
web username :admin Password for this device only :KQ5bthrLZD i have dumped the firmware and shared to you
Very happy to see someone from our country doing these stuff. Keep it up bro.
@Padke9 Did you succeed to extract the squashfs filesystem. Or if any new update?
This is Locked to carrier I dont have this hardware with me to reverse
Fastmile 3.2 wifi 6 version
But here is some thing you can see on other version https://eddiez.me/hacking-the-nokia-fastmile/
This is Locked to carrier I dont have this hardware with me to reverse
Fastmile 3.2 wifi 6 version
But here is some thing you can see on other version https://eddiez.me/hacking-the-nokia-fastmile/
Bro do you know shell password of Nokia G-120W-F or have clean firmware for it?
@Padke9
@krausar791
the password should be
username:ONTUSER
Password:SUGAR2A041
or (username will be given by isp)pass =ALC#FGU
@krausar791 the password should be username:ONTUSER Password:SUGAR2A041
or (username will be given by isp)pass =ALC#FGU
@Padke9 do you have clean firmware of this ont?
@Padke9 I was not able to extract all the contents of the firmware you provided. In particular the squashfs files are not being able to be extracted. I ran foremost, binwalk, unsquashfs with default flags to try to extract them. Nothing worked.
@Padke9 I was not able to extract all the contents of the firmware you provided. In particular the squashfs files are not being able to be extracted. I ran foremost, binwalk, unsquashfs with default flags to try to extract them. Nothing worked.
@r10p
Save this as fixOOB.py
import sys
def split_file(input_file, output_prefix):
with open(input_file, "rb") as file_in:
with open(f"{output_prefix}_0", "wb") as file_out:
buff = file_in.read()
for x in range (0,len(buff),0x800 + 0x40):
file_out.write(buff[x:x+0x800])
file_in.close()
file_out.close()
if __name__ == "__main__":
input_file = sys.argv[1]
output_prefix = sys.argv[2]
split_file(input_file, output_prefix)
Then run python3 fixOOB.py "Firmware.bin" "NewFilename"
NewFilename is the extractable firmware.
@Banaune
I cannot fix from your script
is there any good passwordlist to attack this hash faster,it is taking me very long more than a month.
@Padke9 You can use the script I gave above, in the firmware file. Regarding password cracking, I am not able to help as I am unknown about it.
Thank you @Banaune . It worked. By the way are you guys able to decrypt the newer router config? @Banaune @Padke9
@r10p Yes,you can use this fork of this repo which is updated for latest configs: Updated Gist Link
sai ho bro
Help, please, find out the PPPoE password. Device name: G-1425G-B
@Padke9 @Banaune @r10p @r10p @krausar791 Hi, Anyone has latest firmware for unlock factory Nokia FastMile 3.1 by any chance ?, thank you
I am getting this error -> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
File "/Users/arjun/Downloads/nokia-router-cfg-tool.py", line 137, in
xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check
help
https://www.youtube.com/watch?v=taA0P52jUXw
Worked for XS-2426G-A 3FE49385HJJI85(1.2201.185)
Maybe someone will be able to update the script?
Can anyone share stock firmware for 2425g-a , i borked by setting the operator id to 0000 and reset the router. i can't get anywhere from internet.
@daemonlover7 You can refer here for the firmware : Firmware Link
Hello @thedroidgeek Thankyou for the detailed instruction , although this is the first time ive used python and still able get to root user succesfully on G-140w-F & G-140w-C . now what i want is to Modify the default configuration of the ONT ( that means if we hard reset the ONT it will restore our modified configuration). Thanks Again for the Guide
below are the available cmds.Hello how did you do to access ONTUSER my model G-140W-H and I believe it is different in some configuration. I already set LimitAccount_ONTUSER to false, but without success when logging via telnet. Can you help me. I can send the configuration file.
Hi... i want help on this one also... do you have the answers already?
Any Idea where i can Find the list of OperatorID in the router itself ?
Also for anyone Looking Info on Nokia G-1425-MA specially from Classictech :
Web Username : classicadmin
Web Password : Cr3d3nti@lofNok!aONT0061_P@SSW)RD
https://github.com/diwash5/nokia_G-1425-MA
Any Idea where i can Find the list of OperatorID in the router itself ? Also for anyone Looking Info on Nokia G-1425-MA specially from Classictech : Web Username : classicadmin Web Password : Cr3d3nti@lofNok!aONT0061_P@SSW)RD https://github.com/diwash5/nokia_G-1425-MA
Great bro
Thanks for the answer. already done so much by telnet or ssh but not login.
If I send you the configuration file, you could see if I'm doing something wrong. or forgetting to activate something.
https://drive.google.com/file/d/163F4zYBfPb8_RlUQl3hPcvNhZ2zUkIJ6/view?usp=sharing