The following tutorial explains how to establish a telnet session to a Hitron BVW3653v2 cable modem running a customized version of OpenRG for ZON (a Portuguese ISP).
OpenRG is a commercial platform, known to power many ISPs worldwide, so the following procedure may work with other router models. It runs on busybox, so it's good old Linux, don't despair.
Like many ISPs worldwide, ZON disabled CLI management on their routers, and they also crippled almost every single fun feature, so here goes something interesting:
1- With the coaxial WAN cable disconnected, reset the router (press the button next to the USB port for a couple of seconds).
2- Access web management (http://192.168.1.1); the user/password is admin/admin.
3- In System > Users, change the username and password of all users (home, home_admin and admin), for example: user1, admin1, admin2.
4- Disable the firewall (minimum security) in Services > Firewall.
5- On a Linux (or BSD, Mac, etc.) computer, insert a pen drive (20Mb will be enough) and create a Linux (ext3) filesystem on it.
6- Open a terminal, navigate to your newly formatted flash drive and create a symlink to root:
ln -s / sys
Then create a new file and name it, for example, “pwn”:
Add the following lines:
Now give exec privileges:
chmod +x pwn
7- Insert the flash drive into the router, then from any computer (could be Windows) access it by file share (\\192.168.1.1).
8- Copy the “pwn” file to “sys/etc”. Still inside the “/etc/” folder, edit smb.conf and add the following line at the end of the [global] section:
root preexec = /etc/pwn
9- Wait for about one minute (could be less), so that samba reloads the config file.
(Note that these changes will not survive a restart: the router re-mounts the filesystem at every reboot, so changes made inside are not actually saved.)
10- Connect to your router's IP on the telnet port (23). You will be asked for a login (created above), but not for a password (?). A busybox shell (msh) will be presented to you.
From the busybox shell you get some useful commands. Here are some:
cat /etc/passwd
cat /proc/cpuinfo
cat /proc/meminfo
cat /proc/version
cat /proc/avalanche/eth0_rfc2665_stats
cat /proc/avalanche/cpmac_stats
cat /proc/avalanche/developers
free
lsmod
ps
ifconfig
route
cli
# tftp is also available
# cli command, calls a new shell, but I don't think it's openrg cli, as the commands are far too different from openrg config manual.
If you don't have a Linux PC (or VM) lying around, or you just prefer Windows, you can download this attachment from psidoc.com. The password of the archive is www.psidoc.com, and you will have to register to download it. Inside the archive you will find an ext image and a Windows tool to write it to the flash drive; from there, follow the rest of the tutorial.
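For anyone reviewing a device's Samba configuration, the line added in step 8 is straightforward to detect. The audit below is an added example, not part of the original tutorial: the function name audit_smb_conf and the sample config are constructed for illustration. It flags every exec hook (preexec, postexec and their root variants) and also wide links, the Samba setting that controls whether symlinks may resolve outside a share.

```python
import re

# Parameters that make smbd run a command when a client connects or disconnects.
EXEC_HOOKS = {"preexec", "exec", "postexec", "rootpreexec", "rootpostexec"}
# Parameters that let symlinks inside a share resolve to paths outside it.
SYMLINK_ESCAPE = {"widelinks", "allowinsecurewidelinks"}
TRUE = {"yes", "true", "1", "on"}

def norm(name):
    # Samba ignores case and whitespace inside parameter names.
    return re.sub(r"\s+", "", name).lower()

def audit_smb_conf(text):
    """Return a list of (section, parameter, value, reason) findings."""
    findings, section, pending = [], "global", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        key, _, value = line.partition("=")
        key, value = norm(key), value.strip()
        if key in EXEC_HOOKS and value:
            who = "root" if key.startswith("root") else "the connecting user"
            findings.append((section, key, value, f"runs a command as {who}"))
        elif key in SYMLINK_ESCAPE and value.lower() in TRUE:
            findings.append((section, key, value, "symlinks may leave the share"))
    return findings

# Constructed sample: a config as it would look after step 8 of the tutorial.
SAMPLE = """\
[global]
   workgroup = HOME
   ; root postexec = /bin/true
   wide links = yes
   Root PreExec = /etc/pwn
[usb]
   path = /mnt/usb
"""

if __name__ == "__main__":
    for f in audit_smb_conf(SAMPLE):
        print("%-8s %-16s %-10s %s" % f)
```

Any finding in [global] applies to every share, which is why a single root preexec line there is enough to run a script as root on the next connection.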