Telnet Session to ZON myHUB 2.0 (Running OpenRG)

The following tutorial explains how to establish a telnet session to a Hitron BVW3653v2 cable modem running a customized version of OpenRG for ZON (a Portuguese ISP).
OpenRG is a commercial platform known to power many ISPs' routers worldwide, so the following procedure may work with other router models. It runs on BusyBox, so it's good old Linux; don't despair.

Like many ISPs worldwide, ZON disabled CLI management on their routers, and they also crippled almost every single fun feature, so here goes something interesting:

1- With the coaxial WAN cable disconnected, reset the router (press the button next to the USB port for a couple of seconds).

2- Access web management (http://192.168.1.1), user/password is: admin/admin.

3- In System > Users, change the username and password of all users (home, home_admin and admin), for example: user1, admin1, admin2.

4- Disable the firewall (minimum security) in Services > Firewall.

5- On a Linux (or BSD, Mac, etc.) computer, insert a pen drive (20 MB will be enough) and create a Linux (ext3) filesystem on it.

6- Open a terminal, navigate to your newly formatted flash drive and create a symlink to root:

ln -s / sys

Then create a new file, name it, for example “pwn”:

touch pwn

Add the following lines:

#!/bin/sh
/usr/sbin/telnetd

Now give exec privileges:

chmod +x pwn

7- Insert the flash drive into the router, then from any computer (could be Windows) access it as a file share (\\192.168.1.1).

8- Copy the “pwn” file to “sys/etc”. Still inside the “/etc/” folder, edit smb.conf and add the following line at the end of the [global] section:

root preexec = /etc/pwn

9- Wait for about one minute (could be less) so that Samba reloads the config file.

(Note that these changes will not survive a restart: the router re-mounts the filesystem at every reboot, so changes made inside it are not actually saved.)

10- Connect to your router's IP on the telnet port (23). You will be asked for a login (created above), but not for a password (?). A BusyBox shell (msh) will be presented to you.
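Added example, not part of the original tutorial: an audit check for the smb.conf directives the procedure depends on (root preexec/postexec hooks and loosened symlink handling), written from the defender's side so a router or server owner can spot such entries. The sample smb.conf is constructed for the example and is not taken from the router.

```shell
#!/bin/sh
# Added example: audit an smb.conf for the settings the tutorial relies on.
# Constructed sample config (not from the router); the "root preexec" line
# in [global] is exactly the kind of hook that step 8 adds.
SAMPLE_SMB_CONF='[global]
workgroup = WORKGROUP
wide links = yes
root preexec = /etc/pwn
[usb]
path = /mnt/usb
preexec = /bin/true
'

# Read an smb.conf on stdin and print, one per line, every directive that
# executes a command or loosens symlink handling: "section<TAB>key<TAB>value".
# Comment lines (# or ;) and blank lines are skipped.
list_smb_risky_directives() {
    awk '
        /^[[:space:]]*[;#]/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*\[/ {
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        /^[[:space:]]*((root )?(pre|post)exec|wide links|follow symlinks)[[:space:]]*=/ {
            key = $0
            sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]*/, "", key)
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)
            printf "%s\t%s\t%s\n", sec, key, val
        }
    '
}

# Count hooks that run as root for the whole server ([global] root pre/postexec).
# Anything non-zero deserves a look: such a command runs with full privileges
# every time a client connects to any share.
count_global_root_hooks() {
    list_smb_risky_directives | awk -F '\t' '$1 == "global" && $2 ~ /^root / { n++ } END { print n + 0 }'
}

# Stand-alone demo over the constructed sample.
printf '%s' "$SAMPLE_SMB_CONF" | list_smb_risky_directives
echo "global root hooks: $(printf '%s' "$SAMPLE_SMB_CONF" | count_global_root_hooks)"
```

On a real system, pipe the actual file in (`list_smb_risky_directives < /etc/samba/smb.conf`) and treat any root hook or `wide links = yes` as a finding to review.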

The BusyBox shell gives you some useful commands; here are some:

cat /etc/passwd
cat /proc/cpuinfo
cat /proc/meminfo
cat /proc/version
cat /proc/avalanche/eth0_rfc2665_stats
cat /proc/avalanche/cpmac_stats
cat /proc/avalanche/developers

free
lsmod
ps
ifconfig
route
cli

# tftp is also available

# The cli command calls a new shell, but I don't think it's the OpenRG CLI, as the commands are far too different from the OpenRG config manual.

Have fun.

If you don't have a Linux PC (or VM) lying around, or you just prefer Windows, you can download this attachment from psidoc.com; the password of the archive is www.psidoc.com, and you will have to register to download. Inside the archive you will find an ext image and a Windows tool to write it to the flash drive; from there follow the rest of the tutorial.


19 Responses to Telnet Session to ZON myHUB 2.0 (Running OpenRG)

  1. HardwareHacker says:

    Have you been able to compile and run some apps on this machine? For example a ssh server (for remote file access also) and some downloads via http to the attached usb-2.0 drive?

    • Hi,
      I don't have the router anymore, so I'm unable to test.
      As for compiling and running an SSH server, never tried that; it could work, if you could gain access to the filesystem image (before it's mounted in the boot process), then patch and reboot.

      Never done anything like that.

    • c0uldfusi0n says:

      Hey. Have you been able to run it? i’m testing now. Do you have that modem ?

      • Hi,

        I don’t have the modem anymore, so can’t test anything.

        Good luck!

      • abc says:

        Hi! Can you still access / with the symlink trick? When I try to open “sys” I get access denied..

        • I can't test!
          But you should be root, so permissions can't be a problem; either change them or, in case it's a filesystem, mount it as “rw”, read-write.
          Watch out, as you could easily turn your router into a brick.

  2. sosimple says:

    Hi.
    After enabling telnet access, do you still have your ZON configuration?
    I mean, does your ZON TV box still work? And internet access?

    • Just by enabling telnet you shouldn't get any problems, coz it's not related to the config, it's just a bug in the OS.
      However, if you mess up the config you can get a very nasty result.
      Good luck.

  3. abc says:

    Can anyone confirm if the admin/admin login is still working with the latest firmware updates?

  4. CPUM says:

    I have the latest firmware and you MUST DISCONNECT the RF aerial (antenna) cable so that the server can't reach your router; if it reaches it, your router is programmed to run a second configuration file, and then the admin will be changed by this fact. So if you NEVER plug in the antenna cable, you will be able to access the CGI (HTTP CLI) with user/pass admin/admin in new firmwares too, but the symlink trick no longer works at all. I think there is some way to get the CLI by opening up the case and connecting to the serial TTL header that this router has beside the wireless module.

  5. abc says:

    I got a bit confused with the HTTP CLI. With CGI, are you referring to the normal management console available on port 80 or to something else?
    Unfortunately even with admin/admin, the page where the wifi speed can be configured is no longer accessible: http://zonhub.home/index.cgi?active_page=page_conn_settings_ra0

  6. Jarbas says:

    Hi Tiago

    Do you by any chance use now the newer gigabit Ethernet optical fiber router, the GVE-39320?
    Zon continues to limit any functionality that most users would like to configure in order to control their local networks.
    The service overall is great. But this modem/router is indeed a joke: very short wireless range, featureless in all basic aspects of a router, taking into account that most routers on the market offer an extended range of functionalities/features.
    On top of everything, customers need to pay when they need one of the ports opened to bridge to another router, which is shameless.

    I wonder if you use it and already got other ways of configuring it.

    Regards
    JJ

    • No. I have the old Thomson model; my zonhub got bricked and I asked them to give me the older model (though it's not compatible with the newer fiber “speeds”).
      That older model works just as a modem; you can then install your own router and deliver the public WAN IP to it (bridge setup).

      ZON modems suck! But that's not the problem, as routers from the other ISPs do too. The problem is they only enable you to use your own modem (bridge mode) if you're on a business plan.
      The option is to use a DMZ redirect to your own router, but that will also do double NAT, so it sucks…

      All their routers have WAN access from their servers; they can see the files on your USB-connected disk/pen or access your LAN.

      They argue that the modem/router is theirs (but they also say it's an offer, so it's yours, right!!!), and that they have the “right” to access it, it's their “terminal”.

      They were far better when they were a part of PT Telecom.

      Sorry, I'm frustrated with this…
      I'll eventually change ISP soon…

      To answer your question, sry but no.

  7. uht_magro says:

    Hello,

    I tried your solution till step 7 and got stuck in step 8; I've got access denied to sys, I can't access it… any suggestion?

    Regards,

    uht_magro

    • This exploit has most probably been fixed on newer routers.
      Try resetting the router again with no coaxial cable connected; also you have to wait some time for the smb config to reload.
      I have no more ideas, sry.

  8. hugo bessa says:

    login : home
    password : zonnet
