Support

Blog

Browsing all articles from September, 2014

Flattr this!

In January, I upgraded to 100M fibre, and paid upfront for the year (RMB2800).

While I was on vacation, my FTTB at home stopped working, so we called Shanghai Telecom.

What had actually happened was that there was a screwup with the account setup, and they’d put me on a monthly bill *and* 100M.
After 6 months, they decided that I hadn’t paid my bill, and cancelled my 100M fibre account!
Staff eventually sorted it out, and Telecom gave us a 6 month credit.
Even so, I ended up coming back to a crappy E8 wifi + modem setup and my router set to use DHCP.

The Shanghai Telecom unit was setup for a maximum of 16 wifi devices, and uPNP was disabled, sigh.

I prefer to use my own equipment, as I generally don’t gimp it, so I called Telecom to ask for my “new” account details so I could replace it.

Unfortunately the technician had changed the password, and the 10000 hotline didn’t have the new pass, or the LOID.

I called the install technician who’d installed it in my absence, but he wasn’t very helpful, and told me I couldn’t have it. Surprise…

What to do.

I took a look at their modem, and thought it should be fairly easy to try get the details from it.

Did a bit of googling, and found that it had an accessible serial port, so opened up the unit, and connected it up.

After a bit of cable fiddling, got a connection @ 115200 / 8n1

Cable pinout should be –
GND | MISSING PIN | TX | RX | VCC

I’ll add some photos later.

With some more fiddling around, I got terminal access (accidentally!) with some prudent Ctrl C/ Ctrl Z’ing during the boot process as something crashed and I got a terminal prompt.
Its vxware, although the boot process does look quite linuxy.

Lots of interesting commands..

 > ls -al
telnetd:error:341.568:processInput:440:unrecognized command ls -al
 > help
?
help
logout
exit
quit
reboot
brctl
cat
loglevel
logdest
virtualserver
ddns
df
dumpcfg
dumpmulticfg
dumpmdm
dumpnvram
meminfo
psp
kill
dumpsysinfo
dnsproxy
syslog
echo
ifconfig
ping
ps
pwd
sntp
sysinfo
tftp
voice
wlctl
showOmciStats
omci
omcipm
dumpOmciVoice
dumpOmciEnet
dumpOmciGem
arp
defaultgateway
dhcpserver
dns
lan
lanhosts
passwd
ppp
restoredefault
psiInvalidateCheck
route
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
btt
oam
laser
overhead
mcpctl
sendInform
wlanpower
zyims_watchdog
atbp
ctrate
testled
ipversionmode
dumptr69soap
lan2lanmcast
telecomaccount
wanlimit
namechange
userinfo
localservice
tcptimewait
atsh
option125Mode
eponlinkper
setponlinkuptime
loidtimewait
phonetest
 

First up, dump the nvram

> dumpnvram
============NVRAM data============
nvramData.ulVersion=6l
nvramData.szBootline=e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0 c= a= 
nvramData.szBoardId=      XPT2542NUR
nvramData.ulMainTpNum=0l
nvramData.ulPsiSize=64l
nvramData.ulNumMacAddrs=10l
nvramData.ucaBaseMacAddr=??Umo
nvramData.pad=
nvramData.ulCheckSumV4=0l
nvramData.gponSerialNumber=             
nvramData.gponPassword=           
nvramData.cardMode=-1
nvramData.cardNo=  000000000000000000
nvramData.userPasswd=telecomadmin31407623
nvramData.uSerialNumber=32300C4C755116D6F
nvramData.useradminPassword=62pfq
nvramData.wirelessPassword=3yyv3kum
nvramData.wirelessSSID=ChinaNet-WmqQ
nvramData.conntrack_multiple_rate=0
============NVRAM data============

Nice, got the router admin pass already.
– nvramData.userPasswd=telecomadmin31407623
(user is telecomadmin).

I actually needed the login details, this turned out to be via

 > dumpmdm 

This dumped a rather large xml style file with some interesting bits

[excerpted are some of the good bits – the whole file is huge]


FALSE
e8ftp
e8ftp
21
TRUE
FALSE
TRUE
e8telnet
e8telnet
23
FALSE
admin
v2mprt

Hmm, telnet, and a password!
Telnet is not enabled by default, nor is FTP.

It also had the pppoe user/pass which was what I was looking for, and the LOID, which I needed to stick into my modem.
Score.

While that was pretty much all I needed, I decided to enable Telnet and FTP to play around.

Ok, so how do we enable telnet?

 > localservice
usage:
   localservice show: show the current telnet/ftp service status.
   localservice telnet enable/disable: set the telnet service enable or disable.
   localservice telnetAccess enable/disable: allow access telnet in wan side or not.
   localservice ftp enable/disable: set the ftp service enable or disable.
   localservice ftpAccess enable/disable: allow access ftp in wan side or not.

 > localservice telnet enable
 
> localservice show
Current local services status:
Ftp Service: Disable
Ftp Allow Wan Access: No
Telnet Service: Enable
Telnet Allow Wan Access: No
 
> localservice ftp enable

> localservice show
Current local services status:
Ftp Service: Enable
Ftp Allow Wan Access: No
Telnet Service: Enable
Telnet Allow Wan Access: No
 > save
config saved.

reboot the modem, and see if we can login via ethernet

telnet 192.168.1.1
Trying 192.168.1.1...
Connected to broadcom.home.
Escape character is '^]'.
BCM96838 Broadband Router
Login: telecomadmin
Password: 
Login incorrect. Try again.
Login: e8telnet
Password: 
 > 

Cool, so we now have full access to the device.

There also seems to be a remote monitoring system config’d via devacs.edatahome.com, which maps to a Shanghai Telecom ip.

   http://devacs.edatahome.com:9090/ACS-server/ACS
      http://devacs.edatahome.com:9090/ACS-server/ACS
      hgw
      hgwXXXX1563

and something else called itms.

itms
 itmsXXXX5503

I’ve XXX’d out some of the numbers from my own dump, as I suspect its device / login specific.

I got what I needed though, which was admin access to the modem, despite Shanghai Telecom not telling me.

Would really be nice if they just gave you the PPPoE user/pass and LOID, but that would be too easy…

On my modem, the following were the default passwords:

Console Access (via serial port)

User: admin
Pass: v2mprt

Once in console, you can enable Telnet and FTP.

Telnet (not enabled by default)
User: e8telnet
Pass: e8telnet

FTP (not enabled by default)
User: e8ftp
Pass: e8ftp

To show the http password from console (either local, or via telnet).
dumpnvram

url: http://192.168.1.1
http user: telecomadmin
http pass: (as per nvram, mine was telecomadmin31407623 )

Once in you can see all the important bits. Probably easier to grep the xml file from

dumpmdm

Took me about an hour or so to get to that point, I’m running on my own equipment again, and its not gimped. Worth my time!

Archives

Categories

Most Popular Posts

Tags

PHOTOSTREAM

uploaduploaduploaduploaduploaduploaduploaduploaduploaduploadIMG_2273GuyGuyGuyGuyGuyGuyGuy