-
-
Save thedroidgeek/80c379aa43b71015d71da130f85a435a to your computer and use it in GitHub Desktop.
| #!/usr/bin/env python3 | |
| # | |
| # Nokia/Alcatel-Lucent router backup configuration tool | |
| # | |
| # Features: | |
| # - Unpack/repack .cfg files generated from the backup and restore functionnality | |
| # in order to modify the full router configuration | |
| # - Decrypt/encrypt the passwords/secret values present in the configuration | |
| # | |
| # Blog post: https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html | |
| # | |
| # Released under the MIT License (http://opensource.org/licenses/MIT) | |
| # Copyright (c) Sami Alaoui Kendil (thedroidgeek) | |
| # | |
| import sys | |
| import zlib | |
| import struct | |
| import base64 | |
| import binascii | |
| import datetime | |
| big_endian = True | |
| encrypted_cfg = False | |
| def u32(val): | |
| return struct.unpack('>I' if big_endian else '<I', val)[0] | |
| def p32(val): | |
| return struct.pack('>I' if big_endian else '<I', val) | |
| def checkendian(cfg): | |
| if (cfg[0:4] == b'\x00\x12\x31\x23'): | |
| return True | |
| elif (cfg[0:4] == b'\x23\x31\x12\x00'): | |
| return False | |
| else: | |
| return None | |
| class RouterCrypto: | |
| def __init__(self): | |
| from Crypto.Cipher import AES | |
| # key and IV for AES | |
| key = '3D A3 73 D7 DC 82 2E 2A 47 0D EC 37 89 6E 80 D7 2C 49 B3 16 29 DD C9 97 35 4B 84 03 91 77 9E A4' | |
| iv = 'D0 E6 DC CD A7 4A 00 DF 76 0F C0 85 11 CB 05 EA' | |
| # create AES-128-CBC cipher | |
| self.cipher = AES.new(bytes(bytearray.fromhex(key)), AES.MODE_CBC, bytes(bytearray.fromhex(iv))) | |
| def decrypt(self, data): | |
| output = self.cipher.decrypt(data) | |
| # remove PKCS#7 padding | |
| return output[:-ord(output[-1:])] | |
| def encrypt(self, data): | |
| # add PKCS#7 padding for 128-bit AES | |
| pad_num = (16 - (len(data) % 16)) | |
| data += chr(pad_num).encode() * pad_num | |
| return self.cipher.encrypt(data) | |
| # | |
| # unpack xml from cfg | |
| # | |
| if (len(sys.argv) == 3 and sys.argv[1] == '-u'): | |
| # line feed | |
| print('') | |
| # read the cfg file | |
| cf = open(sys.argv[2], 'rb') | |
| cfg_data = cf.read() | |
| # check cfg file magic (0x123123) and determine endianness | |
| big_endian = checkendian(cfg_data) | |
| if big_endian == None: | |
| # check if config is encrypted | |
| decrypted = None | |
| try: | |
| # decrypt and check validity | |
| decrypted = RouterCrypto().decrypt(cfg_data) | |
| big_endian = checkendian(decrypted) | |
| except ValueError: | |
| pass | |
| # if decryption failed, or still invalid, bail out | |
| if big_endian == None: | |
| print('invalid cfg file/magic :(\n') | |
| exit() | |
| # set decrypted cfg buffer and encryption flag | |
| print('-> encrypted cfg detected') | |
| cfg_data = decrypted | |
| encrypted_cfg = True | |
| # log endianness | |
| if big_endian: | |
| print('-> big endian CPU detected') | |
| else: | |
| print('-> little endian CPU detected') | |
| # get fw_magic (unknown, could be fw version/compile time, hw serial number, etc.) | |
| fw_magic = u32(cfg_data[0x10:0x14]) | |
| print('-> fw_magic = ' + hex(fw_magic)) | |
| # get the size of the compressed data | |
| data_size = u32(cfg_data[4:8]) | |
| # get the compressed data | |
| compressed = cfg_data[0x14 : 0x14 + data_size] | |
| # get the checksum of the compressed data | |
| checksum = u32(cfg_data[8:12]) | |
| # verify the checksum | |
| if (binascii.crc32(compressed) & 0xFFFFFFFF != checksum): | |
| print('\nCRC32 checksum failed :(\n') | |
| exit() | |
| # unpack the config | |
| xml_data = zlib.decompress(compressed) | |
| # output the xml file | |
| out_filename = 'config-%s.xml' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S') | |
| of = open(out_filename, 'wb') | |
| of.write(xml_data) | |
| print('\nunpacked as: ' + out_filename) | |
| print('\n# repack with:') | |
| print('%s %s %s %s\n' % (sys.argv[0], ('-pb' if big_endian else '-pl') + ('e' if encrypted_cfg else ''), out_filename, hex(fw_magic))) | |
| cf.close() | |
| of.close() | |
| # | |
| # generate cfg from xml | |
| # | |
| elif (len(sys.argv) == 4 and (sys.argv[1][:3] == '-pb' or sys.argv[1][:3] == '-pl')): | |
| fw_magic = 0 | |
| try: | |
| # parse hex string | |
| fw_magic = int(sys.argv[3], 16) | |
| # 32-bit check | |
| p32(fw_magic) | |
| except: | |
| print('\ninvalid magic value specified (32-bit hex)\n') | |
| exit() | |
| big_endian = sys.argv[1][:3] == '-pb' | |
| encrypted_cfg = sys.argv[1][3:] == 'e' | |
| out_filename = 'config-%s.cfg' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S') | |
| # read the xml file | |
| xf = open(sys.argv[2], 'rb') | |
| xml_data = xf.read() | |
| xf.close() | |
| # compress using default zlib compression | |
| compressed = zlib.compress(xml_data) | |
| ## construct the header ## | |
| # magic | |
| cfg_data = p32(0x123123) | |
| # size of compressed data | |
| cfg_data += p32(len(compressed)) | |
| # crc32 checksum | |
| cfg_data += p32(binascii.crc32(compressed) & 0xFFFFFFFF) | |
| # size of xml file | |
| cfg_data += p32(len(xml_data) + 1) | |
| # fw_magic | |
| cfg_data += p32(fw_magic) | |
| # add the compressed xml | |
| cfg_data += compressed | |
| # encrypt if necessary | |
| if encrypted_cfg: | |
| cfg_data = RouterCrypto().encrypt(cfg_data) | |
| # write the cfg file | |
| of = open(out_filename, 'wb') | |
| of.write(cfg_data) | |
| of.close() | |
| print('\npacked as: ' + out_filename + '\n') | |
| # | |
| # decrypt/encrypt secret value | |
| # | |
| elif (len(sys.argv) == 3 and (sys.argv[1] == '-d' or sys.argv[1] == '-e')): | |
| decrypt_mode = sys.argv[1] == '-d' | |
| if decrypt_mode: | |
| # base64 decode + AES decrypt | |
| print('\ndecrypted: ' + RouterCrypto().decrypt(base64.b64decode(sys.argv[2])).decode('UTF-8') + '\n') | |
| else: | |
| # AES encrypt + base64 encode | |
| print('\nencrypted: ' + base64.b64encode(RouterCrypto().encrypt(sys.argv[2].encode())).decode('UTF-8') + '\n') | |
| else: | |
| print('\n#\n# Nokia/Alcatel-Lucent router backup configuration tool\n#\n') | |
| print('# unpack (cfg to xml)\n') | |
| print(sys.argv[0] + ' -u config.cfg\n') | |
| print('# pack (xml to cfg)\n') | |
| print(sys.argv[0] + ' -pb config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331') | |
| print(sys.argv[0] + ' -pl config.xml 0x13377331 # little endian, ...') | |
| print(sys.argv[0] + ' -pbe config.xml 0x13377331 # big endian, with encryption, ...') | |
| print(sys.argv[0] + ' -ple config.xml 0x13377331 # ...\n') | |
| print('# decrypt/encrypt secret values within xml (ealgo="ab")\n') | |
| print(sys.argv[0] + ' -d OYdLWUVDdKQTPaCIeTqniA==') | |
| print(sys.argv[0] + ' -e admin\n') |
sai ho bro
Help, please, find out the PPPoE password. Device name: G-1425G-B
@Padke9 @Banaune @r10p @r10p @krausar791 Hi, Anyone has latest firmware for unlock factory Nokia FastMile 3.1 by any chance ?, thank you
I am getting this error -> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
File "/Users/arjun/Downloads/nokia-router-cfg-tool.py", line 137, in
xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check
help
https://www.youtube.com/watch?v=taA0P52jUXw
Worked for XS-2426G-A 3FE49385HJJI85(1.2201.185)
Maybe someone will be able to update the script?
Can anyone share stock firmware for 2425g-a , i borked by setting the operator id to 0000 and reset the router. i can't get anywhere from internet.
@daemonlover7 You can refer here for the firmware : Firmware Link
Hello @thedroidgeek Thankyou for the detailed instruction , although this is the first time ive used python and still able get to root user succesfully on G-140w-F & G-140w-C . now what i want is to Modify the default configuration of the ONT ( that means if we hard reset the ONT it will restore our modified configuration). Thanks Again for the Guide
below are the available cmds.Hello how did you do to access ONTUSER my model G-140W-H and I believe it is different in some configuration. I already set LimitAccount_ONTUSER to false, but without success when logging via telnet. Can you help me. I can send the configuration file.
Hi... i want help on this one also... do you have the answers already?
Any Idea where i can Find the list of OperatorID in the router itself ?
Also for anyone Looking Info on Nokia G-1425-MA specially from Classictech :
Web Username : classicadmin
Web Password : Cr3d3nti@lofNok!aONT0061_P@SSW)RD
https://github.com/diwash5/nokia_G-1425-MA
Any Idea where i can Find the list of OperatorID in the router itself ? Also for anyone Looking Info on Nokia G-1425-MA specially from Classictech : Web Username : classicadmin Web Password : Cr3d3nti@lofNok!aONT0061_P@SSW)RD https://github.com/diwash5/nokia_G-1425-MA
Great bro
thanks a lot
model_name=Nokia WiFi Beacon 1.1
Username=superadmin Password=Telc@Admin2#
GPON New Password Need to crack this ont G-02425-B : Worldink user Web Auth Pass Just able to export the config was able to login with this sha256 key
$5$ml5m3FS4jai3Ic1Q$1rU3UrvBt8Zu39I/jmM3rwFI86AJCjXbuom3LlBWYl6 the username is on the string format but it is randomized but remains same for every device tried using hashcat but i have little knowledge about it
(so unable to do so)
Here is hash password
root:$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz.
pass:-LA(ImvZx%8
$5$ml5m3FS4jai3Ic1Q$1rU3UrvBt8Zu39I/jmM3rwFI86AJCjXbuom3LlBWYl6
this is the Wordlink new password in hash format cracked this one
too
$5$UqWsQaG1XwNyGz/5$YZRmV5KRnhziJpQuB4mVCA4gn5hwhQOJZ8/vKx3YVYB Possible algorithms: sha256crypt$5$ , SHA256 (Unix)
how could i decrypt these
<DebugDyPass. n="DyPass" t="staticObject">
<Enable rw="RW" t="boolean" v="false"/>
<PriKey ml="256" rw="R" t="string" v="/9dZA08iJtpdxQwLEN/PXRuvp/W8vthrcznIfPpvWl1bW71HTLPxGcvLgXbMSCT80n0uIV8m4a7D73M2jManOPCJHIGQ/oFNQAEY794iUXOMacgsEJKWycVv59paSz/8SJsjdjMHx4JooJIDXScEWRpxQ2MDCfKOFneBr37u3gtVsWbCwF333Jo=" ealgo="sab" kn="key11" ckn="key3"/>
<UserName ml="64" rw="RW" t="string" v="superadmin"/>
<Password ml="64" rw="RW" t="string" v="/9Iyf1nuW9Jvqbpt0rKmF14mMp9S6stqWg==" ealgo="sab" kn="key11" ckn="key3"/>
<PresetPassword ml="64" rw="RW" t="string" v="/+7bmhokKmku68N3wd0D7q1lQhQzGyBm/w==" ealgo="sab" kn="key11" ckn="key3"/>
<UserName ml="64" rw="RW" t="string" v="superuser"/>
<Password ml="64" rw="RW" t="string" v="/+FSdhRkyEVTdqnlACIuZqb+JEOjo2W9AQ==" ealgo="sab" kn="key11" ckn="key3"/>
<Username ml="256" rw="RW" t="string" v="hgw"/>
<Password ml="256" rw="RW" t="string" v="//buUg3QO21FJsSkPuSqUO+IAeZqYNQbpA==" ealgo="sab" kn="key11" ckn="key3"/>
<ServerPort dv="1813" max="65535" min="1" rw="RW" t="unsignedInt" v="1813"/>
<SecondaryServerPort dv="1813" max="65535" min="1" rw="RW" t="unsignedInt" v="1813"/>
<Secret dv="/wUulBnBDCo+gskG5zJ6oBSZkt1BuY3XKA==" ml="128" rw="RW" t="string" v="/2ctMVcrsk94G9fTQV0aZb5Uj8+CfA+a5Q==" ealgo="sab" kn="key11" ckn="key3"/>
<SecondarySecret dv="/8Lc9Ew+5WA61Wch0ChNpc73lgZkV3Dyzg==" ml="128" rw="RW" t="string" v="/wzcD2XHnlc4ohWWh22hMn3RD3TuSDXc3A==" ealgo="sab" kn="key11" ckn="key3"/>
$5$ml5m3FS4jai3Ic1Q$1rU3UrvBt8Zu39I/jmM3rwFI86AJCjXbuom3LlBWYl6
this is the Wordlink new password in hash format cracked this one
too
$5$UqWsQaG1XwNyGz/5$YZRmV5KRnhziJpQuB4mVCA4gn5hwhQOJZ8/vKx3YVYB Possible algorithms: sha256crypt 5, SHA256 (Unix)
hashcat -a 0 -m 7400 ck2.txt honeypot.txt
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 7400 (sha256crypt
Hash.Target......: ck2.txt
Time.Started.....: Tue May 21 00:20:50 2024 (2 mins, 55 secs)
Time.Estimated...: Tue May 21 00:23:45 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (honeypot.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 524 H/s (9.85ms) @ Accel:32 Loops:256 Thr:1 Vec:8
Recovered........: 0/2 (0.00%) Digests (total), 0/2 (0.00%) Digests (new), 0/2 (0.00%) Salts
Progress.........: 92016/92016 (100.00%)
Rejected.........: 0/92016 (0.00%)
Restore.Point....: 46008/46008 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:4864-5000
Candidate.Engine.: Device Generator
Candidates.#1....: lea -> LiaoNingLT
Hardware.Mon.#1..: Temp: 69c Util: 93%
have tried but seems my list does not have the password
I have Full Dump of firmware but cannot extract Ubi volume
i acn access only root volume and header volume of squash filesystem
ECIMAL HEXADECIMAL DESCRIPTION
1563908 0x17DD04 MySQL ISAM index file Version 8
6553634 0x640022 PGP RSA encrypted session key - keyid: 801000 1F RSA (Encrypt or Sign) 1024b
7794784 0x76F060 Linux kernel version 3.18.2
7809714 0x772AB2 bix header, header size: 64 bytes, header CRC: 0x0, created: 1970-01-01 00:04:16, image size: 21747 bytes, Data Address: 0x83800000, Entry Point: 0x645F, data CRC: 0x6D617465, image name: "ise_unique"
7986672 0x79DDF0 DES SP2, little endian
7987184 0x79DFF0 DES SP1, little endian
8071596 0x7B29AC AES S-Box
8072396 0x7B2CCC AES Inverse S-Box
8073780 0x7B3234 SHA256 hash constants, little endian
8117971 0x7BDED3 Neighborly text, "NeighborReqrRep"
8118027 0x7BDF0B Neighborly text, "NeighborRepsureReq"
8118376 0x7BE068 Neighborly text, "NeighborReqActionction"
8123135 0x7BF2FF Neighborly text, "NeighborRequestHandle_ActionHandle"
8123167 0x7BF31F Neighborly text, "NeighborResponseHandlexPacketBuffer"
8779148 0x85F58C xz compressed data
8796308 0x863894 Unix path: /lib/firmware/updates/3.18.21
9056436 0x8A30B4 Unix path: /etc/Wireless/RT2860AP_AC/RT30xxEEPROM.bin
9078888 0x8A8868 Unix path: /etc/Wireless/RT2860STA/RT2860STA.dat
9079048 0x8A8908 Unix path: /etc/wireless/l1profile.dat
9157740 0x8BBC6C XML document, version: "1.0"
9166472 0x8BDE88 Neighborly text, "Neighbor RSP02x:%02x:%02x:%02x:%02x:%02x), MeasureReqToken=%d"
9166932 0x8BE054 Neighborly text, "neighbor report frame"
9168375 0x8BE5F7 Neighborly text, "neighbor report response is meaninglessd "
9168581 0x8BE6C5 Neighborly text, "neighbor report frame failed"
9171197 0x8BF0FD Neighborly text, "NeighborAdvert: nextheader=0x%x, %d, %d"
9191449 0x8C4019 Neighborly text, "Neighbor Request from Peer IP = %d.%d.%d.%d, SSID = %stkd> Neighbor Response from Peer IP = %d.%d.%d.%d"
9191517 0x8C405D Neighborly text, "Neighbor Response from Peer IP = %d.%d.%d.%dcate type %d"
9193468 0x8C47FC Unix path: /etc/Wireless/RT2860STA/e2p.bin
9244612 0x8D0FC4 Unix path: /sys/firmware/devicetree/base
9257260 0x8D412C Unix path: /opt/upt/apps/info/reboot_info
9257400 0x8D41B8 Unix path: /opt/upt/apps/info/reboot_source
9288484 0x8DBB24 Neighborly text, "NeighborSolicits6InDatagrams"
9288504 0x8DBB38 Neighborly text, "NeighborAdvertisementsorts"
9293838 0x8DD00E Neighborly text, "neighbor %.2x%.2x.%pM lost rename link %s to %s"
9491392 0x90D3C0 CRC32 polynomial table, little endian
9643904 0x932780 AES S-Box
9649600 0x933DC0 CRC32 polynomial table, little endian
9668858 0x9388FA Unix path: /etc/Wireless/RT2860/RT2860.dat
9669264 0x938A90 Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
9669676 0x938C2C Unix path: /etc/Wireless/WIFI3/RT2870AP.dat
9670092 0x938DCC Unix path: /etc/Wireless/RT2860/RT2860_2G.dat;/etc/Wireless/RT2860/RT2860_5G.dat
9670564 0x938FA4 Unix path: /etc/Wireless/MT7615A_B0_5G.dat;/etc/Wireless/MT7615A_B1_5G.dat
9671029 0x939175 Unix path: /etc/wireless/mt7663e/mt7663e.1.dat
9671442 0x939312 Unix path: /etc/wireless/mt7663e/mt7663e.2.dat
9671838 0x93949E Unix path: /etc/Wireless/RT2860AP_AC/RT2860AP.dat
10966144 0xA75480 Flattened device tree, size: 831 bytes, version: 17
Hello Forks! Could someone guide me in unlocking the new version
Details:
Device Name G-2425G-A
Vendor Nokia
Serial Number ALCLB2A6079B
Hardware Version 3FE48299DEAA
Boot Version U-Boot-Dec-31-2016--12:00:00
Software Version 3FE49362JJIJ54
tried with the script mentioned in the forum getting the same error
Error:
@Padke9 Which device are you using? Router or Beacon?
Hi!
Thanks for your work, it's awesome!!
I've got two devices: an I-240W-A, and a G-240W-B.
I got ssh access on the G-one! But it logs me out immediately:
`[tulio@TulainasV5 G-240W-B]$ ssh -vvv admin@192.168.1.253 OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020 debug1: Reading configuration data /etc/ssh/ssh_config debug2: resolve_canonicalize: hostname 192.168.1.253 is address debug3: expanded UserKnownHostsFile '
/.ssh/known_hosts' -> '/home/tulio/.ssh/known_hosts' debug3: expanded UserKnownHostsFile '/.ssh/known_hosts2' -> '/home/tulio/.ssh/known_hosts2' debug2: ssh_connect_direct debug1: Connecting to 192.168.1.253 [192.168.1.253] port 22. debug1: Connection established. debug1: identity file /home/tulio/.ssh/id_rsa type -1 debug1: identity file /home/tulio/.ssh/id_rsa-cert type -1 debug1: identity file /home/tulio/.ssh/id_dsa type -1 debug1: identity file /home/tulio/.ssh/id_dsa-cert type -1 debug1: identity file /home/tulio/.ssh/id_ecdsa type -1 debug1: identity file /home/tulio/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/tulio/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/tulio/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/tulio/.ssh/id_ed25519 type -1 debug1: identity file /home/tulio/.ssh/id_ed25519-cert type -1 debug1: identity file /home/tulio/.ssh/id_ed25519_sk type -1 debug1: identity file /home/tulio/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/tulio/.ssh/id_xmss type -1 debug1: identity file /home/tulio/.ssh/id_xmss-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_8.4 debug1: Remote protocol version 2.0, remote software version dropbear_2016.74 debug1: no match: dropbear_2016.74 debug2: fd 3 setting O_NONBLOCK debug1: Authenticating to 192.168.1.253:22 as 'admin' debug3: hostkeys_foreach: reading file "/home/tulio/.ssh/known_hosts" debug3: record_hostkey: found key type ECDSA in file /home/tulio/.ssh/known_hosts:41 debug3: load_hostkeys: loaded 1 keys from 192.168.1.253 debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01@openssh.com, using HostkeyAlgorithms verbatim debug3: send packet: type 20 debug1: SSH2_MSG_KEXINIT sent debug3: receive packet: type 20 debug1: SSH2_MSG_KEXINIT received debug2: local client KEXINIT proposal debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,[sk-ecdsa-sha2-.....................
Can you tell me how you managed to get the backup and restore page in the router's webUI? I have a G-240W-B as well but I can't get the cfg file. Tried changing the url, attempted all the different username/password combinations mentioned here, and even intercepted the login.cgi post request and didn't find anyway to unlock that page in the webUI.
I managed to get the root access on my G-140W-F and would like to do the same with this one. Any help is appreciated :(
@Banaune
I stoped working on Beacon
Now Router
here is a thing var all_nodes= { name:"all_nodes", target:0, nodes:[ { name:"<%T('Status')%>", target:0, nodes:[ { name:"<%T('Device Information')%>", target:"device_status.cgi" }, { name:"<%T('LAN Status')%>", target:"lan_status.cgi?lan" }, { name:"<%T('WAN Status')%>", target:"show_wan_status.cgi?ipv4" }, { name:"<%T('WAN Status IPv6')%>", target:"show_wan_status.cgi?ipv6" }, <% if is_hybrid then %> { name:"<%T('LTE Status')%>", target:"lte_management.cgi?status" }, <% end %> { name:"<%T('Home Networking')%>", target:"lan_status.cgi?wlan" }, { name:"<%T('DSL Statistics')%>", target:"dsl_status.cgi?dsl" }, <% if has_voice_info then %> { name:"<%T('Voice Information')%>", target:"voice_info.cgi" }, <% end %> ] }, { name:"<%T('Network')%>", target:0, nodes:[ <% if shown_in_route then %> { name:"<%T('LAN')%>", target:"lan_ipv4.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('LAN_IPv6')%>", target:"lan_ipv6.cgi" }, <% end %> { name:"<%T('WAN')%>", target:"wan_config_glb.cgi" }, <% if shown_in_route then %> { name:"<%T('WAN DHCP')%>", target:"wan_dhcp.cgi" }, <% end %> <% if has_wifi_24G then %> { name:"<%T('Wireless (2.4GHz)')%>", target:"wlan_config.cgi" }, <% end %> <% if has_wifi_5G then %> { name:"<%T('Wireless (5GHz)')%>", target:"wlan_config.cgi?v=11ac" }, <% end %> <% if has_wifi_24G then %> { name:"<%T('Wireless Schedule')%>", target:"wifi_schedule.cgi" }, <% end %> { name:"<%T('IP Routing')%>", target:"route.cgi" }, <% if shown_in_route then %> { name:"<%T('DNS')%>", target:"dns.cgi" }, <% end %> <% if has_TR then %> { name:"<%T('TR-069')%>", target:"tr69.cgi" }, <% end %> { name:"<%T('QoS Config')%>", target:"qos.cgi" }, <% if has_mesh then %> { name:"<%T('MESH')%>", target:"mesh.cgi" }, <% end %> <% if is_hybrid then %> { name:"<%T('MPTCP Config')%>", target:"wanport_mptcp_config.cgi" }, <% end %> { name:"<%T('Vlan Binding')%>", target:"wan_config_glb.cgi?vbinding" }, ] }, { name:"<%T('Security')%>", target:0, nodes:[ <% if shown_in_route then %> { name:"<%T('Firewall')%>", target:"firewall.cgi?fire" }, <% end %> <% if shown_in_route then %> { name:"<%T('MAC Filter')%>", target:"macfilter.cgi" }, <% end %> <% if has_gfast_protocol then %> { name:"<%T('Service Access Control')%>", target:"protocolcfg.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('IP Filter')%>", target:"ipfilter.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('URL Filter')%>", target:"urlfilter.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('Parental Control')%>", target:"parental_control.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('DMZ and ALG')%>", target:"nat_glb.cgi?v=alg" }, <% end %> ] }, { name:"<%T('Application')%>", target:0, nodes:[ <% if shown_in_route then %> { name:"<%T('Port Forwarding')%>", target:"nat_glb.cgi?v=vhost" }, <% end %> <% if has_port_trigger then %> { name:"<%T('Port Triggering')%>", target:"nat_glb.cgi?v=thost" }, <% end %> <% if shown_in_route then %> { name:"<%T('DDNS')%>", target:"ddns.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('NTP')%>", target:"sntp.cgi" }, <% end %> <% if has_usb then %> { name:"<%T('USB')%>", target:"storage.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('UPNP and DLNA')%>", target:"upnp.cgi" }, <% end %> <% if has_voice_setting then %> { name:"<%T('Voice Setting')%>", target:"voice_setting.cgi?v=cfg_line" }, <% end %> ] }, { name:"<%T('Maintenance')%>", target:0, nodes:[ { name:"<%T('Password')%>", target:"user_glb.cgi" }, { name:"<%T('Device Management')%>", target:"device_name.cgi" }, <% if is_hybrid then %> { name:"<%T('LTE management')%>", target:"lte_management.cgi" }, <% end %> { name:"<%T('Backup and Restore')%>", target:"usb.cgi?backup" }, <% if has_pse then %> { name:"<%T('Reverse Power')%>", target:"reverse_power.cgi" }, <% end %> { name:"<%T('Firmware Upgrade')%>", target:"upgrade.cgi" }, { name:"<%T('Reboot Device')%>", target:"reboot.cgi" }, { name:"<%T('Factory Default')%>", target:"restore.cgi" }, { name:"<%T('Diagnostics')%>", target:"diag.cgi?ping" }, { name:"<%T('Log')%>", target:"log.cgi" }, ] }, ] }
so You have to be an admin to restore or backup the cfg fie
you can try 192.168.x.x/usb.cgi?backup
or
192.168.x.x/Maintenance/usb.cgi?backup
<LimitAccount_ONTUSER rw="RW" t="boolean" v="true"/> <CLIPrompt ml="256" rw="RW" t="string" v=""/> <DebugDyPass. n="DyPass" t="staticObject"> <Enable rw="RW" t="boolean" v="fasle"/> <PriKey ml="256" rw="R" t="string" v="ned+vPtd724opgH7hIHoF+4da0cGg8guyqlJonlqrdOST4xztVZiRk81QjH5Ob1nA5ApNMSRdczSg6/tWYjRSdrcdIW0qqUM50ssnttq742JVBSCU9IPYyA7vvZDsj4Vat7nP8Nzo69yN1r6G78ibLVVaLVa9U+jH7JJJ1YfPZI=" ealgo="ab"/>
Hello, im recieving an Import "Crypto.Cipher" could not be resolved error
here is a thing
var all_nodes= { name:"all_nodes", target:0, nodes:[ { name:"<%T('Status')%>", target:0, nodes:[ { name:"<%T('Device Information')%>", target:"device_status.cgi" }, { name:"<%T('LAN Status')%>", target:"lan_status.cgi?lan" }, { name:"<%T('WAN Status')%>", target:"show_wan_status.cgi?ipv4" }, { name:"<%T('WAN Status IPv6')%>", target:"show_wan_status.cgi?ipv6" }, <% if is_hybrid then %> { name:"<%T('LTE Status')%>", target:"lte_management.cgi?status" }, <% end %> { name:"<%T('Home Networking')%>", target:"lan_status.cgi?wlan" }, { name:"<%T('DSL Statistics')%>", target:"dsl_status.cgi?dsl" }, <% if has_voice_info then %> { name:"<%T('Voice Information')%>", target:"voice_info.cgi" }, <% end %> ] }, { name:"<%T('Network')%>", target:0, nodes:[ <% if shown_in_route then %> { name:"<%T('LAN')%>", target:"lan_ipv4.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('LAN_IPv6')%>", target:"lan_ipv6.cgi" }, <% end %> { name:"<%T('WAN')%>", target:"wan_config_glb.cgi" }, <% if shown_in_route then %> { name:"<%T('WAN DHCP')%>", target:"wan_dhcp.cgi" }, <% end %> <% if has_wifi_24G then %> { name:"<%T('Wireless (2.4GHz)')%>", target:"wlan_config.cgi" }, <% end %> <% if has_wifi_5G then %> { name:"<%T('Wireless (5GHz)')%>", target:"wlan_config.cgi?v=11ac" }, <% end %> <% if has_wifi_24G then %> { name:"<%T('Wireless Schedule')%>", target:"wifi_schedule.cgi" }, <% end %> { name:"<%T('IP Routing')%>", target:"route.cgi" }, <% if shown_in_route then %> { name:"<%T('DNS')%>", target:"dns.cgi" }, <% end %> <% if has_TR then %> { name:"<%T('TR-069')%>", target:"tr69.cgi" }, <% end %> { name:"<%T('QoS Config')%>", target:"qos.cgi" }, <% if has_mesh then %> { name:"<%T('MESH')%>", target:"mesh.cgi" }, <% end %> <% if is_hybrid then %> { name:"<%T('MPTCP Config')%>", target:"wanport_mptcp_config.cgi" }, <% end %> { name:"<%T('Vlan Binding')%>", target:"wan_config_glb.cgi?vbinding" }, ] }, { name:"<%T('Security')%>", target:0, nodes:[ <% if shown_in_route then %> { name:"<%T('Firewall')%>", target:"firewall.cgi?fire" }, <% end %> <% if shown_in_route then %> { name:"<%T('MAC Filter')%>", target:"macfilter.cgi" }, <% end %> <% if has_gfast_protocol then %> { name:"<%T('Service Access Control')%>", target:"protocolcfg.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('IP Filter')%>", target:"ipfilter.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('URL Filter')%>", target:"urlfilter.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('Parental Control')%>", target:"parental_control.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('DMZ and ALG')%>", target:"nat_glb.cgi?v=alg" }, <% end %> ] }, { name:"<%T('Application')%>", target:0, nodes:[ <% if shown_in_route then %> { name:"<%T('Port Forwarding')%>", target:"nat_glb.cgi?v=vhost" }, <% end %> <% if has_port_trigger then %> { name:"<%T('Port Triggering')%>", target:"nat_glb.cgi?v=thost" }, <% end %> <% if shown_in_route then %> { name:"<%T('DDNS')%>", target:"ddns.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('NTP')%>", target:"sntp.cgi" }, <% end %> <% if has_usb then %> { name:"<%T('USB')%>", target:"storage.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('UPNP and DLNA')%>", target:"upnp.cgi" }, <% end %> <% if has_voice_setting then %> { name:"<%T('Voice Setting')%>", target:"voice_setting.cgi?v=cfg_line" }, <% end %> ] }, { name:"<%T('Maintenance')%>", target:0, nodes:[ { name:"<%T('Password')%>", target:"user_glb.cgi" }, { name:"<%T('Device Management')%>", target:"device_name.cgi" }, <% if is_hybrid then %> { name:"<%T('LTE management')%>", target:"lte_management.cgi" }, <% end %> { name:"<%T('Backup and Restore')%>", target:"usb.cgi?backup" }, <% if has_pse then %> { name:"<%T('Reverse Power')%>", target:"reverse_power.cgi" }, <% end %> { name:"<%T('Firmware Upgrade')%>", target:"upgrade.cgi" }, { name:"<%T('Reboot Device')%>", target:"reboot.cgi" }, { name:"<%T('Factory Default')%>", target:"restore.cgi" }, { name:"<%T('Diagnostics')%>", target:"diag.cgi?ping" }, { name:"<%T('Log')%>", target:"log.cgi" }, ] }, ] }so You have to be an admin to restore or backup the cfg fie
you can try 192.168.x.x/usb.cgi?backup or 192.168.x.x/Maintenance/usb.cgi?backup
me have G-2426G-A router admin page backup location locked. please help to unlock firmware link: https://drive.google.com/file/d/18RRiX4jbvCGwzyCAbn9ld8QxKHbJ_Pij/view
@r10p Yes,you can use this fork of this repo which is updated for latest configs: Updated Gist Link