
WRTP54G Unlocked?

Discussion in 'Other Linksys Equipment' started by rfv3, Jul 18, 2005.

  1. rfv3

    rfv3 LI Guru Member

    Notice: Some of the information below might help you use another VOIP provider, but that doesn't mean that you are legally entitled to. The License Agreement between you, the product owner, and Vonage may legally prevent you from using this device with another provider. Additionally, the following information is provided as is. Certain actions, such as loading new firmware can turn your expensive home router into a useless brick if not done properly. Use of the following information is at your own risk:

    First, this all started when I tried to use my router and found its performance sucked more than a 'Hoover'. After looking into upgraded firmware (and not getting anywhere), I found that setting the MTU on the router to a lower number was all I needed to do (and yes, it pays to RTFM: the manual clearly states that the default is 1500 but that they recommend a lower number). So, happy router, happy user... or so it would seem. When the web admin interface failed to load in a timely manner (due to the MTU settings), I tried both telnet and SSH. I did find that SSH is open on the router by default, but I wasn't allowed in... if I'm not then who is??? So I started to look around:

    SSH Attempts:
    1. download and setup a syslog program (such as kiwisyslog.com)
    2. login to the web interface to your router and go to admin\log
    3. set all logs to go to the IP of the machine running syslog (static is best)
    4. attempt to SSH into your router...
    5. hit head repeatedly when you can't figure out user/password
    6. Notice that "Admin" is accepted as a user
    7. Still hit head repeatedly when you can't figure out the password
    8. Take a nap, come back later and try a different approach.

    NOTE: You can also view some of the previous log entries by visiting: http://192.168.15.1/cgi-bin/webcm?getpage=../html/status/syslog.html
    (after you have logged in)

    Interesting Web Interface Findings:

    First thing to notice is that every page (after you have logged in) is actually retrieved by 'webcm':

    http://192.168.15.1/cgi-bin/webcm?getpage=../html/status/syslog.html

    What is "webcm?" It is the gatekeeper. It is guarding all the doors. It is holding all the keys, which means that sooner or later, someone is going to have to fight it.

    Let's break down the above url:

    http://192.168.15.1 -- your router IP
    /cgi-bin/ -- path to gatekeeper
    webcm? --the gatekeeper
    getpage= --the procedure
    ../html/status/syslog.html -- the requested page

    So, the first thing that I noticed is the "../html/"
    I tried http://192.168.15.1/html/ and was greeted with the standard logon page...
    This really didn't shock me as it simply presented me with an index page.

    Next I tried http://192.168.15.1/html/status/ and was presented with a nice directory listing of all the files in status.

    Being able to see the file is half the battle. If you try and open any of the files you will notice that they show garbage or rather they aren't interpreted. So, any page you want to see must be passed to the 'gatekeeper' (as was done in the above 'syslog.html' URL)

    With this knowledge I logged in normally to the router and found all the possible html/ directories that I could.

    Here is a list of the directories (no doubt I've missed some):
    http://192.168.15.1/html/adv/
    http://192.168.15.1/html/admin/
    http://192.168.15.1/html/voice/ *-good stuff
    http://192.168.15.1/html/status/
    http://192.168.15.1/html/security/
    http://192.168.15.1/html/wireless
    http://192.168.15.1/html/tools/

    And now for the meat :D....
    Here are some of the more interesting pages, including those used to deal with the SIP settings of the router. Some of them (the voice settings) will try to kick you out by using JS... simply press ESC a few (dozen) times when the page is done loading to prevent your browser from sending you away (this is one case where I found IE to be better as it was slower to try and send me away).

    http://192.168.15.1/cgi-bin/webcm?getpage=../html/adv/sysinfo.html
    http://192.168.15.1/cgi-bin/webcm?getpage=../SetupWizard.htm
    http://192.168.15.1/cgi-bin/webcm?getpage=../html/tools/update_result.html
    http://192.168.15.1/cgi-bin/webcm?getpage=../html/voice/Provision.html
    http://192.168.15.1/cgi-bin/webcm?getpage=../html/voice/voiceSip.html

    And to do another take on the movie:
    webcm is not the only hope, there is another:

    http://192.168.15.1/cgi-bin/webcm?getpage=../../
    should list not only 'webcm', but 'firmwarecfg' as well.

    You can view this binary by visiting:
    http://192.168.15.1/cgi-bin/webcm?getpage=../../firmwarecfg

    of course you can view the 'gatekeeper' himself by visiting:

    http://192.168.15.1/cgi-bin/webcm?getpage=../../webcm

    Back to my firmware issue. I never could update my firmware as the 'user/tivonpw' account was 'not allowed this level of access' or something like that. I did find a page that seemed to deal with flashing the firmware, but didn't seem to work for me:

    http://192.168.15.1/html/tools/update_result.html
    and thus:
    http://192.168.15.1/cgi-bin/webcm?getpage=../html/tools/update_result.html

    Anyway, I hope these findings are a step in the right direction to actually allowing open firmware to be loaded on this brick.

    BTW My brick's firmware is version 1.00.18.
     
  2. Anonymous

    Anonymous Guest

    to get to flashing utility page go to html://192.168.15.1/update.html It will ask you to log in but your regular login will not work. The username is Admin (with the capital A) and the password that vonage gave me is (Case Sensitive) f197mrwW03

    Hope this helps if not call Vonage and tell them you want to update your firmware and they may help you out.

    PEACE
     
  3. Anonymous

    Anonymous Guest

  4. rfv3

    rfv3 LI Guru Member

    More info available

    First, thank you to anon. With the new 1.00.37 firmware, I tried the password you provided with no luck. I can't help but wonder if your password is possibly derived from some serial number on your box... clearly not the device itself, but possibly the board or one of the chips... this type information was available at:
    http://192.168.15.1/cgi-bin/webcm?getpage=../html/adv/sysinfo.html on my old firmware, but unfortunately it was removed from the new version.

    As stated above, I managed to update the firmware to the newer 1.00.37 revision. I'm currently away from any wired internet, so updating the firmware without admin passwords was a bit difficult (the tivonpw account was locked or something like that).

    In short, I used XP to bridge my wireless and ethernet port. As I didn't have a crossover cable, I plugged into a normal lan port and then ran a connection from the wan port back to one of the lan ports. Not pretty, but spanning tree seemed to figure out what was going on.

    As my laptop was the middle man for the router (talk about backwards), I was able to use ethereal to monitor the update procedures. The update process is really quite elegant.

    Ignoring all normal network discovery packets, here is the run down:

    Update Process:

    0. Power cycle
    1. Resolve tftp.vonage.com using the DNS settings provided
    2. Request an XML configuration file from the tftp server
    -- Although the file ends with XML it is actually binary data, more below
    3. Resolve time.vonage.com (getting hostname from XML data?)
    4. Perform NTP time sync with time.vonage.com
    5. Resolve ti.tftp.vonage.com (no clue why)
    6. Resolve tftp.vonage.com (no resolve cache at this point?)
    7. Request the IMG update (as listed in the XML file?) from the tftp server
    8. Apply image?
    9. Repeat 1-4, but fail on new XML request as there are no updates

    The 'xml' file is in fact some type of binary file. I assumed it was compressed using 7z or the like since the GPL files provided from linksys do include 7zip. No matter what extension I would set the 'xml' file to, it still wouldn't open.


    Additional Findings


    The new firmware provides the ability to back up the configuration. I assume that doing this probably backs up all kinds of information about the router (passwords, etc) so I thought maybe downloading, editing and uploading this file might provide a nice backdoor. Alas this file, a ".bin" file, is also some type of binary file. I couldn't determine what encoding or compression was used, but the first 4 bytes are "LMMC", and again google couldn't find any file types that started with "LMMC."

    Aside from some of the pages that I've mentioned in my previous post, you can also visit ftp://ftp.linksys.com/datasheet/WRTP54G_ds_RevA.pdf and see some of the standard SIP protocols that are indeed used in this ATA.

    nmap results (fake mac, wan ssh/web, no wrls, and .1=LAN, .2=WAN)


    > nmap -v -v -sV -O -p 1-10000 192.168.15.1 192.168.15.2


    Initiating SYN Stealth Scan against 2 hosts [10000 ports/host] at 22:52
    Discovered open port 80/tcp on 192.168.15.1
    Discovered open port 22/tcp on 192.168.15.1
    Discovered open port 22/tcp on 192.168.15.2
    Completed SYN Stealth Scan against 192.168.15.1 in 5.23s (1 host left)
    Discovered open port 10000/tcp on 192.168.15.2
    The SYN Stealth Scan took 74.15s to scan 20000 total ports.
    Initiating service scan against 4 services on 2 hosts at 22:53
    The service scan took 5.02s to scan 4 services on 2 hosts.
    For OSScan assuming port 22 is open, 1 is closed, and neither are firewalled
    Host 192.168.15.1 appears to be up ... good.
    Interesting ports on 192.168.15.1:
    (The 9998 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE VERSION
    22/tcp open ssh?
    80/tcp open http?
    MAC Address: 00:00:00:00:00:00 (Unknown) (Real MAC removed)
    Device type: general purpose
    Running: Linux 2.4.X
    OS details: Linux 2.4.6 - 2.4.21

    --Fingerprint removed--

    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    For OSScan assuming port 22 is open, 39019 is closed, and neither are firewalled

    Host 192.168.15.2 appears to be up ... good.
    Interesting ports on 192.168.15.2:
    (The 9998 ports scanned but not shown below are in state: filtered)
    PORT STATE SERVICE VERSION
    22/tcp open ssh?
    10000/tcp open snet-sensor-mgmt?
    MAC Address: 00:00:00:00:00:00 (Unknown) (Real MAC removed)
    Device type: general purpose|media device|broadband router
    Running: Linux 2.4.X|2.6.X, Pace embedded, Panasonic embedded
    OS details: Linux 2.4.21 (Suse, X86), Linux 2.4.6 - 2.4.21, Linux 2.6.8 (Debian), Pace digital cable TV receiver, Panasonic IP Technology Broadband Networking Gateway, KX-HGW200
    --Fingerprint removed--

    WTF does this nmap stuff mean?

    - I asked for SSH to be open on lan/wan and it was.
    - I asked for http to be open on lan/wan, both are open, but only lan shows up.
    - I asked that port 8080 be used for remote http admin, it isn't.
    - Port 10000 is open, telnet in and get a blinking cursor, not sure why.

    Closing
    Anything new that I come across will find its way here. By all means, share what you know if you've got any info. I'd love to determine the ssh password, but still no luck. Maybe if the factory loaded firmware for the WRT54G supports SSH then someone in the linksysinfo.org community knows the SSH password for their model; maybe they are the same?
     
  5. ydef

    ydef LI Guru Member

    Re: More info available

    Good work rvf3!

    The type of compression used is lzma ... but it seems to be a custom lzma specific to the squashfs1.0 that's used specifically to compress these bin files.

    If you download the linksys gpl source you'll see what i'm talking about.

    I've tried patching my home kernel with the latest squashfs (2.2) and the latest lzma compression patch ... which should allow me to take the vonage image and mount it using mount -o loop ... that is after using dd to output the image starting at the hsqs beginning of the lzma compression.

    Didn't work, doesn't like the latest squashfs2.2. I somehow have to figure out how to use the squashfs1.0 and lzma provided in the linksys source packages to work with my kernel so I can mount the vonage images.

    I think this is the way to go as far as accessing the firmware image and figuring out what type of security vonage used, and what the default password is.

    let me know what additional info you have.

    Y
     
  6. xball

    xball LI Guru Member

    This is my experiment....

    dl the 1.00.37 firmware
    howto mount the filesystem?
    sol:
    dd if=xxx.img of=fs.img bs=1K skip=576
    mount -o loop fs.img /mnt/loop


    I find the /etc/passwd is the sym. link in /var/tmp/passwd. But, it was not included in var.tar. So, I think that the passwd is downloading from server....
     
  7. Mufasa

    Mufasa LI Guru Member

    I'm suspecting your distro has the required FS compiled/modular or an autodetect on the FS type. Attempting with your directions:

    mkdir /mnt/firmware

    dd if=wrt-11.1.0-r016-1.00.37-r050624.img of=fs.img bs=1K skip=576
    3200+1 records in
    3200+1 records out

    mount -o loop fs.img /mnt/firmware
    mount: you must specify the filesystem type

    What's the correct -t parameter?
     
  8. ydef

    ydef LI Guru Member

    squashfs ... see my previous post above.

    You'll need to apply squashfs and lzma patches to your kernel.

    Also what might be of interest to some of you is that the TI ar7 chipset used in this router has been used in some similar routers such as the wag54g dsl router and the dlink dslg604t dsl router, both of which have gpl source and toolchains available that should work with the linksys provided source ... but with this being the first GPL'd voip router i'm surprised there hasn't been more interest to hack to the bottom of it at all costs, so at least we can dump vonage and their pathetic, weak service and their gestapo like attempt to keep us using their pitifully buggy and poor performing firmware.

    When in fact, the TI AR7 chipset that it's running on is in fact a power demon waiting to be unleashed. This is a DUAL CORE MIPS folks ... TI MIPS32 + DSP620x on one piece of silicon. Here's a link by alec_v... the russian that's done some excellent work uncovering the secrets of this chipset on the dlink:
    http://www.seattlewireless.net/index.cgi/DlinkDslG604t#head-d5a3fd5b9583fcf9bf091ab9981c156ed98cfcea

    Reading through it gives a clearer understanding of what's going on with bootloader and some of the stuff rfv3 posted earlier of what he uncovered.

    Anyway, i hope to have some more time this coming weekend to dedicate to further archeological excavation. If all else fails, I might have to resort to dismantling and adding a serial or jtag interface. I haven't yet since that would naturally disrupt my phone service (which is rather piss poor anyway), but i've also been wondering how to take these newskool cases apart without permanently breaking them. Anyone have any leads on this? :?
     
  9. rfv3

    rfv3 LI Guru Member

    Tossing another stone in the water

    The majority of the information I posted in the past was gathered first hand. The biggest possible breakthrough comes from another page:

    http://openwrt.org/logs/wrt54g.log.20050716

    As mentioned earlier, lzma compression is used on the images, but using 7z or another LZMA compatible decompressor fails. As mentioned in the above post, there is an app called 'adam2' that uses the LZMA compressor and compresses TI images. Since the GPL'd code shows that the chipset is TI based, it would seem to reason that using adam2 (or simply analyzing it) one could actually view the contents of the image (secrets, passwords, etc.) In case the post above is pulled, the link is listed below, but doesn't include any binaries (alas I've reloaded winxp recently and lost cygwin and gcc, so I haven't been able to compile it yet... any takers?)

    http://www.sensi.org/~alec/mips/adam2_app.tgz
     
  10. ydef

    ydef LI Guru Member

    Re: Tossing another stone in the water


    Hah. Your purported 'biggest breakthrough' was authored by yours truly and if you read through it you'll see i hit a brick wall when attempting to use the adam2_dump utility in its stock form.

    Perhaps using a recompiled adam2_dump using the linksys gpl'd lzma+squashfs headers provided in the wrtp source might have a different outcome?

    To Xball:

    If you were really able to mount a compressed lzma image, any password passed from the server would be a cakewalk to sniff. I doubt what you suggested regarding server provided password protection is occurring, but please post a tcpdump log should you find otherwise. Also, please share how you were able to mount the lzma compressed image.
     
  11. xball

    xball LI Guru Member

    here is my step...
    1. download squashfs2.2.tar.gz (search google.com)
    2. patch the ../linux-2.4.26/squashfs2.2-patch to my kernel ( 2.4.25_pre-gss-r3 <Gentoo> )
    3. down the wrtp54g_cyt_1_00_37.... source from linksys
    4. extract it and copy wrtp54g_cyt.../src/kernel/linux-2.4.17_mv121/fs/squashfs to <your_kernel>/fs/
    5. make modules after selecting squashfs in the file system menu
    6. then, the squashfs.o is created
    7. insmod squashfs.o
    8. follow to my old post to split the rootfs image using dd command
    9. mount it with "-t squashfs"
    10. see the etc/passwd , that is a links file to ../var/tmp/passwd , i think that it is downloaded from server provider...

    ....

    this is my experience to share everyone... :thumb:
     
  12. ydef

    ydef LI Guru Member


    Re: Support for WRTP54G

    Actually, give special thanks to nbd for this breakthrough by doublechecking my original failed attempt and doing it right:

    http://forum.openwrt.org/viewtopic.php?pid=10723#p10723

    We should probably migrate this whole thread and continued dev over there too.
     
  13. rfv3

    rfv3 LI Guru Member

    Cool

    All: Awesome progress at accessing the image; one question though: how do we update the current image on the box? I mean I know that being able to view the firmware we should be able to find holes or passwords, but have any been found yet? I'm still wondering what the SSH pswd is. Also what's up with port 10000?

    :dog:
     
  14. Anonymous

    Anonymous Guest

    I don't mean to discourage and/or discredit what you all have done here with the WRTP54G; however, there is something that I am missing here. AFAIK, squashfs is only a RO filesystem. So, let's assume you can finally compile/insmod the squashfs on your Linux machine and mount the WRTP54G firmware to look at the /etc/passwd file, you still can't decipher and/or delete the password mainly because the password is encrypted and the fs is RO.

    I just hope anyone can please prove me wrong here mainly because I also want to get the username and password to unlock the Voice menu so I can use my WRTP54G with other VoSP and not Vonage/ATT.
     
  15. ydef

    ydef LI Guru Member

    Yes, that's true regarding changing passwords on your current filesystem on the firmware.

    However, nothing prevents you from making changes to the image (customizing the passwords, thus preventing vonage all-access to your router like they have currently) and then uploading your own customized version of the firmware to the router. In order to do this, you must use tftp.

    See the following page for additional details:

    http://openwrt.org/OpenWrtDocs/InstallingAR7
     
  16. Anonymous

    Anonymous Guest

    Don't know if this would work...

    but can you
    chroot /mnt/linksys /bin/bash
    then
    passwd root it?.

    Just an idea
     
  17. mazilo

    mazilo LI Guru Member

    One thing I could think of is to use the mksquashfs utility that comes with the squashfs package. See if anyone can try this idea as follows:
    1. Get a USB drive and plug it into one of the USB ports of your Linux machine.
    2. Use the mksquashfs utility to format the USB drive to support squashfs.
    3. Mount the WRTP54G firmware through the loopback partition.
    4. Copy all files on the loopback drive where the WRTP54G firmware is mounted to your USB drive that has been formatted to squashfs.
    5. Edit the /etc/passwd file on your USB drive, and blank the password field for the Admin.
    6. Then, use dd to convert this partition to a squashfs image file.
    7. Re-flash your WRTP54G with this newly mod firmware.
    Please take the necessary precaution steps mainly because the modded firmware may ruin your WRTP54G unit. Good luck and please report back here.
     
  18. mazilo

    mazilo LI Guru Member

    A bit off topic question here:

    Does anyone know what filesystem is used under the Linksys PAP2 firmware? If it is also a squashfs, how does one go about determining the skip number for the Linksys PAP2 firmware as shown below for the Linksys WRTP54G firmware:

    If Linksys PAP2 firmware doesn't use a squashfs, does anyone know what FS it uses and where to get the FS source code used under Linksys PAP2 firmware to compile under Linux?

    BTW, do Linksys PAP2 and SPA2K firmwares use the same FS? If so, what is the filesystem used? Can we get the source code of such filesystem under Linux?
     
  19. mazilo

    mazilo LI Guru Member

    I followed exactly what you described above, except I tried it with the linux-2.4.31 kernel. My result was no good where SQUASHFS complained with the following error message:
    Code:
    SQUASHFS error: Can't find a SQUASHFS superblock on loop(7,0)
    Perhaps, the firmware I downloaded from vonage TFTP is encrypted. If that's the case, can you at least tell me the link to download the firmware and/or perhaps mail me a copy of the firmware you have?
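    Working out the dd skip value that mazilo asks about in the two posts above comes down to locating the squashfs superblock in the image, and the "Can't find a SQUASHFS superblock" error is what you get when dd was pointed at the wrong offset (or the data is not a plain squashfs image at all). The Python script below is an added example written for this thread, not code from any poster nor from the Linksys or OpenWrt sources. It scans an image for the little-endian ("hsqs") and big-endian ("sqsh") magic, sanity-checks the version field (assumed to sit at superblock offset 28, as in the squashfs 1.x through 4.x layouts, and used only to discard false hits), and converts the byte offset into a dd skip count. It goes beyond the single WRTP54G case by handling any offset and by reporting when no superblock is present, which is the situation to suspect encryption or a different container. The sample image is constructed in memory; the "PSPBoot filler" bytes are a stand-in, not real bootloader data.

```python
import struct

# Superblock magic values: "hsqs" for little-endian images, "sqsh" for big-endian ones.
SQUASHFS_MAGICS = {b"hsqs": "<", b"sqsh": ">"}

# Assumption: 16-bit major/minor version fields at superblock offset 28
# (squashfs 1.x-4.x layouts); only used to reject accidental "hsqs" text hits.
VERSION_OFFSET = 28
VALID_MAJORS = range(1, 5)


def find_squashfs(image: bytes):
    """Return (offset, byte_order, major, minor) of the first plausible
    squashfs superblock in `image`, or None if there is none."""
    hits = []
    for magic, order in SQUASHFS_MAGICS.items():
        pos = image.find(magic)
        while pos != -1:
            if pos + VERSION_OFFSET + 4 <= len(image):
                major, minor = struct.unpack_from(order + "HH", image, pos + VERSION_OFFSET)
                if major in VALID_MAJORS:
                    name = "little-endian" if order == "<" else "big-endian"
                    hits.append((pos, name, major, minor))
            pos = image.find(magic, pos + 1)
    return min(hits) if hits else None


def dd_skip(offset: int, block_size: int = 1024):
    """Translate a byte offset into dd's skip count for the given bs.
    Returns (skip, bs); falls back to bs=1 when the offset is not block-aligned."""
    if offset % block_size == 0:
        return offset // block_size, block_size
    return offset, 1


def build_sample_image(fs_offset: int, order: str = "<", major: int = 1, minor: int = 0) -> bytes:
    """Constructed firmware image: filler up to fs_offset, then a fake 96-byte superblock."""
    magic = b"hsqs" if order == "<" else b"sqsh"
    superblock = magic + b"\x00" * (VERSION_OFFSET - 4) + struct.pack(order + "HH", major, minor)
    superblock += b"\x00" * (96 - len(superblock))
    filler = (b"PSPBoot filler " * (fs_offset // 15 + 1))[:fs_offset]  # constructed stand-in
    return filler + superblock + b"\x00" * 4096


if __name__ == "__main__":
    # The thread's case: filesystem at 576 KiB, i.e. dd bs=1K skip=576.
    image = build_sample_image(576 * 1024)
    hit = find_squashfs(image)
    if hit is None:
        print("no squashfs superblock found: image may be encrypted or use another container")
    else:
        off, order, major, minor = hit
        skip, bs = dd_skip(off)
        print(f"squashfs {major}.{minor} ({order}) at byte {off}: "
              f"dd if=fw.img of=fs.img bs={bs} skip={skip}")
```

    Run it against a real image by replacing `build_sample_image(...)` with `open("fw.img", "rb").read()`; a `None` result before you reach for dd saves a round of "you must specify the filesystem type" and superblock errors.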
     
  20. rfv3

    rfv3 LI Guru Member

    Passwords

    As seen in this post, the default passwords are as follows:

    ABsFuZ3PufkXY:user
    AB2ChJScbtR5I:admin

    Additionally ydef brought back up how a new config.xml is also automatically downloaded. Unfortunately my laptop, which was used for much of my work on my router, has fried.* More specifically I lost my dump of the traffic between the router and linksys. I do recall though that the xml files requested included the mac address... it was something like macaddress+somenumbers.xml. As the filename included my mac address, I 86ed the exact file name from my documentation in my original post.

    There are two key points I didn't even think about when it comes to how the router boots.

    First, as the router always asks for the newest XML file after a reboot, you should be able to, at least in theory, set up your own tftp.vonage server (run your own dns/tftp server internally) and upload a new xml file (using the TI/Adam2 encoder).

    Second, a hard reset should clear out all passwords... possibly including those downloaded in the xml file. If the xml passwords are in fact reset, you should be able to ssh in with the username "Admin" and one of the passwords above (user/admin). (I'll be trying this shortly).

    *External temp was > 120F and the laptop in general is jacked
     
  21. rfv3

    rfv3 LI Guru Member

    I tried the default passwords after I restored the factory defaults and had no luck. I've heard with adam2 devices that the default IP is actually 192.168.2.1. Maybe as the router boots someone can get in via tftp on 192.168.2.1 using one of the previously mentioned passwords? I've heard of "adam2" and "adam2" being used as user/pass.

    I suppose it may all be moot as I've heard talk that even though TI developed parts of the wrtp54g, it isn't based off of the adam2.
     
  22. Manning

    Manning LI Guru Member

    That's right... it uses PSPBoot.

    I'm still curious to know if anyone's actually managed to compile an image from that GPL'ed sourcecode. I've made a few half hearted attempts and can't seem to find all the right places to put the config files.

    I read here: http://www.linux-mips.org/wiki/AR7 that TI didn't release certain portions of their source. Is that perhaps why we can't compile our own firmware image?

    How about mounting the image from Vonage, altering the appropriate files and repacking? Anyone know how to do that?
     
  23. rfv3

    rfv3 LI Guru Member

    Yeah, PSPBoot

    According to this page:

    If this layout is consistent with the binary on the WRTP54G, some comparison of the boot loader might reveal how this one was locked down to prevent JTAG users from pressing escape. Anyone down for a binary diff of the two images (at least when it comes to the two PSPBoot binaries)?

    The idea is that by patching the bootloader on the current firmware, we can gain access to extra features. Once patched, simply upload it back to the device via the html interface

    Sigh, I want the ssh password. (Heck, I'd be happy with the ssh hash. :wallbang:
     
  24. Anonymous

    Anonymous Guest

    On an rtp300 with 1.00.50 firmware the config backup is a zlib compressed file starting at offset 0x14. The ssh username (Admin on my box) and des password hash are contained within.
     
  25. Anonymous

    Anonymous Guest

    I have this same VoIP router. Is there a way that that hex offset can be read through the web interface or an open TCP/UDP port somewhere?
     
  26. Anonymous

    Anonymous Guest

    Just use the backup option in the web interface and remove the first 20 bytes of the file. Then use a zlib (not gzip, the only one i've found is this for win32) decompressor on the result.
     
  27. rfv3

    rfv3 LI Guru Member

    This is true, I'm doing a brute force attack on my passwords right now. I've tried to do a hash insertion and then repackage the files (I recompressed the xml). I figured out, that inside the header, there is a word early on that represents the size of the compressed xml file. Following the word it appears there are a few nulls and then some type of checksum for the file. It's 6 bytes long (or 48bits if you will), but I can't determine how it is calculated. I've run several different types of checksum routines on the compressed and uncompressed xml file and found no correlation.

    Trying to upload the hacked configuration (hash insertion) to the router didn't go too well. Like I said, I updated the 2 byte word that made up the "size" field for the zlib file, but I didn't know how to calculate the next group of bytes.

    I'm working on developing a VB package that can compress/decompress/extract the XML from an image. Currently the package works fine until I compile it (it works when I execute it from the design env.). I'd cut to the chase and post my "Admin" password hash, but I'm still thinking that it may be unique to my box (Doh if it's just my MAC).

    (Update: Screw it, the 10th character of the hash is "7", someone else can post another digit of their hash and if they all start to match then we can safely post our Admin Hashes.)

    FYI to do the brute force, I'm running the MMX optimized John the Ripper on my AMD3200. Not bragging by any means, just a little technical background of where I'm at. (Dictionary attacks failed with my dictionary... maybe someone knows of a decent dictionary?)

    -

    Also, those of you wanting to upload your own firmware, by being able to set the "Admin" password through hash insertion, you should be able to get root on the box and use SCP or the like to upload any tools you might need (granted you will be very limited in space).

    And of course those of you wanting to be able to kick Vonage to the curb will also be able to. :knock:
     
  28. Anonymous

    Anonymous Guest

    The checksum is ccitt-crc32 (unreflected) over the compressed data followed by the compressed data length in little endian format with trailing nulls stripped. The word following the checksum is the uncompressed data length.
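    Taken together, the two anonymous posts above describe the config backup as a 20-byte header followed by a zlib stream, with a header checksum that is an unreflected CRC-32 over the compressed bytes followed by their little-endian length with trailing nulls stripped. The Python below is an added example for this thread, not code from any poster, that implements that description so a reader can inflate a backup of their own router and compare the computed checksum with what the header holds. Assumptions not stated in the thread: the CRC initial value and final XOR (0xFFFFFFFF each, the CRC-32/BZIP2 convention); that the length is packed as a 32-bit value before stripping; and a constructed "LMMC" header (the magic rfv3 saw on his backup) with zero filler, used only to build the sample. The point worth seeing is that the usual zlib.crc32 is a reflected CRC, so it never matches an unreflected one even with the same polynomial; the example shows both on the standard "123456789" check string.

```python
import struct
import zlib

HEADER_LEN = 0x14  # zlib stream starts at byte 20, as described in the thread

# Constructed sample payload; a real backup carries the device's full configuration.
SAMPLE_XML = b'<config><user name="Admin" hash="PLACEHOLDER"/></config>'


def crc32_unreflected(data: bytes, poly: int = 0x04C11DB7,
                      init: int = 0xFFFFFFFF, xor_out: int = 0xFFFFFFFF) -> int:
    """CRC-32 computed MSB-first with no bit reflection on input or output.
    init/xor_out are assumptions (CRC-32/BZIP2 parameters); the thread names only the CRC family."""
    crc = init
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF
    return crc ^ xor_out


def length_le_stripped(n: int) -> bytes:
    """Length as little-endian bytes with only the trailing nulls removed."""
    return struct.pack("<I", n).rstrip(b"\x00")


def backup_checksum(compressed: bytes) -> int:
    """Checksum over the compressed data followed by its stripped little-endian length."""
    return crc32_unreflected(compressed + length_le_stripped(len(compressed)))


def decompress_backup(blob: bytes) -> bytes:
    """Skip the header and inflate the zlib stream; raises zlib.error if the offset is wrong."""
    return zlib.decompress(blob[HEADER_LEN:])


def make_constructed_backup(xml: bytes) -> bytes:
    """Constructed backup for testing: 'LMMC' plus zero filler (layout of those 16 bytes is
    not documented in the thread), then the zlib-compressed XML."""
    return b"LMMC" + b"\x00" * (HEADER_LEN - 4) + zlib.compress(xml)


def reflected_vs_unreflected(data: bytes):
    """Return (unreflected CRC-32, zlib's reflected CRC-32) for the same input."""
    return crc32_unreflected(data), zlib.crc32(data) & 0xFFFFFFFF


if __name__ == "__main__":
    blob = make_constructed_backup(SAMPLE_XML)
    compressed = blob[HEADER_LEN:]
    print("payload:", decompress_backup(blob).decode())
    print("checksum per thread description: 0x%08X" % backup_checksum(compressed))
    unref, ref = reflected_vs_unreflected(b"123456789")
    print("unreflected vs zlib.crc32 on '123456789': 0x%08X vs 0x%08X" % (unref, ref))
```

    With a real backup, read the file, pass it to `decompress_backup`, and compute `backup_checksum` over `blob[HEADER_LEN:]`; if the value does not appear in the header, vary `init` and `xor_out` (the two parameters the thread does not pin down) before concluding the description is wrong.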
     
  29. Anonymous

    Anonymous Guest

    I was able to get the device to accept a modified configuration but the injected password never took effect even after a reboot so it seems hash injection is out.
     
  30. rfv3

    rfv3 LI Guru Member

    Update

    With the above information in mind, I have figured out all aspects of how to do a hash insertion, I just need to calculate the crc32c (ccit32-crc). My research has found a poly for 32bit ccit crcs (assuming each crc implementation has a different poly). I've also found "CRCs for wannabe Linksys VOIP hackers." Ok well maybe that isn't the real name, but it’s something like that. Anyway, I've gone from having a general understanding of what a CRC is, to being able to understand how one is calculated in a relatively short amount of time. Of course things would go much quicker if I could find a tried and true implementation of said checksum for windows (I suppose I could use my *nix box, but why mess with a good firewall?).

    One question for Anon: Where are you finding your information? It is very much appreciated, but if there is already a source of all this info, maybe we could save some time by linking to it? Thanks again for all the info.

    As far as my brute force... yeah... oh well. I'm stationed overseas and unfortunately power isn't what it should be. I had my server cracking away at the hash, but the power dropped and eventually so did my UPS. The session file for john became corrupt (I haven’t tried rebuilding my array yet). At any rate, I hit a standstill in this department. Password for "user" is "user", but that really doesn't help anyone. The CLI interface "Admin" password hasn't been cracked yet. This brings me back to my first paragraph.

    Once I can figure out how to calculate the CRC, I will be able to completely repackage the configuration file and upload it to the router (and have it take this time). Anyway, the config file will contain default values, but the password will have been changed to something I know ("Password"). Then, I'll post the package config file in this thread along with the known password.

    Anyone can then upload the config to their wrtp54g and have root. Once you have root on your box, you should be able to change the password to what ever you like. Anyway, off to the start of another b-e-a-utiful AF day.
     
  31. rfv3

    rfv3 LI Guru Member

    I must be misunderstanding this somehow. Any CRC32 I get from the compressed data does not match the header. I also tried to append the compressed data length to the compressed data and then calculate the crc32. Still no luck getting a match. I did indeed see that the word following the CRC is the data length. I'm still having trouble calculating this CRC though. The program I've found to do CRCs can perform a number of variations (all based off of the ccitt-crc32 standard), but none match.

    I still want to try hash insertion (even though someone reported that it hasn't worked for them). I believe that the previous user may have thought that the config file took, when in fact it didn't.

    Additionally, here is the admin hash: ABcMAJgFJ7eq2 . Maybe someone out there has access to some raw computing power who would be willing to crack it.

    While I'm on the topic of raw computing power, what's up with "Folding at Home." Ethics of the project aside, why hasn't the distributed computing concept hit home with hash cracking? I'd love to give up some CPU cycles if I could toss my hash into a stack of hashes waiting for thousands of computers to crack at. I mean if everyone who gave up CPU cycles could toss in a hash or two, that'd be great. Anyway, here's to wishful thinking.
     
  32. czyc

    czyc LI Guru Member

    Did you get my PM?
     
  33. mazilo

    mazilo LI Guru Member

    I have two units of WRTP54G that I recently bought and they have never been connected to the Internet. I don't have much of computing power; however, if you can tell me what I need to do, perhaps I can spare some of my computers to do the hashing.
     
  34. ydef

    ydef LI Guru Member

    Re: Update

     
  35. mazilo

    mazilo LI Guru Member

    Any progress in unlocking this beast? The other day when I visited the OpenWRT website I noticed they have an SDK package that runs on a Linux machine to compile the firmware source code and then package it in a squashfs file. I started to think perhaps we can use this SDK to create a squashfs file and fill it with the files from a mounted WRTP54G firmware. And, under the /etc directory, delete the link and create a passwd file to contain the admin user without a password. Then, flash to a WRTP54G unit to see if it still needs a password to access the admin account. Can anyone please try this?
     
  36. rfv3

    rfv3 LI Guru Member

    No news

    Sorry for the lapse in time between posts; I haven't had time to play with the router lately. I still think password insertion or doing a brute force would be the best way to go about hacking this. It was asked how to perform a brute force, so here is how I've been doing it:

    I'm using John the Ripper (http://www.openwall.com/john/) on a win32 box to brute force the password hashes that I got from my config.xml file. I'm using a passwd.txt file to store the password hashes from my router. The format for the Admin hash on my router is as follows:

    Admin:ABcMAJgFJ7eq2:a:a:a:a:a

    Where:
    "Admin" is the username,
    "ABcMAJgFJ7eq2" is the hash
    ":a:a:a:a:a" is there to help id the file as being a UNIX hash list

    The man files for JTR can provide much more info (I'm still a newb when it comes to much of this). The actual task can be split up (as far as I know) amongst several computers to make the task go quicker (i.e. comp1 takes half of the work, comp2 takes the other half...). Obviously the more PCs crunching away, the faster it should be cracked. It also helps things along if only uppercase/lowercase and numbers are used. Additionally it seems to be 10 characters long and while cracking a 10 character password seems like it may take forever, it may be safe to assume that the password = 10 characters, no more and no less, so you can skip a bunch of possible passwords. (I did sit down and calculate about how many, but I forget off the top of my head). The 10 digits and upper/lower/number info comes from the following quote:

    Also, I've been PMed by someone who claims to have successfully found an exploit on similar firmware and obtained root through it. Unfortunately the exploit (based on the well known ping exploit of the wrt54gs) doesn't work with this firmware. Having said that, the ping function still doesn't handle all data submitted correctly, so sending corrupt data (try to ping "|&" without quotes) will actually result in a syntax error as opposed to an unknown host error.

    I'm going to be 're-blued' at work, so I'll be busy for a little while, but after that I should be better able to jump back on this. In the meantime I'll try to stand up a decent system to once again try to brute my box.

    Happy hacking,

    Rob
     
  37. Anonymous

    Anonymous Guest

    WRTP54G

    The latest username and password I used on my router were

    user
    tivonpw

    it worked to access the firmware upgrade
    try this
     
  38. mazilo

    mazilo LI Guru Member

    Re: WRTP54G

    I tried it and no go. I have a virgin WRTP54G that's never connected to the Internet. I also use a clip to factory reset the unit and the password you provided above also did not work.

    EDIT: Unfortunately, my unit doesn't want to make any connection to Vonage TFTP to get provisioned once connected to the Internet. So, its configuration won't have the user/tivonpw account... :(
     
  39. mazilo

    mazilo LI Guru Member

    Most SOHO routers will use the 192.168.1/24 subnet for their LAN side. OTOH, the VoIP routers that I have seen so far mostly default to the 192.168.15/24 subnet for their LAN. I don't know if this is a (de facto) industry standard or what. Just from my observation.
     
  40. Anonymous

    Anonymous Guest

    Very ugly code for generating the proper crcs.

    Code:
    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>
    #include <sys/mman.h>
    
    
    //from tichksum src (the POSIX cksum table, generator 0x04C11DB7, MSB first)
    static unsigned long crctab[256] =
    {
      0x0,
      0x04C11DB7, 0x09823B6E, 0x0D4326D9, 0x130476DC, 0x17C56B6B,
      0x1A864DB2, 0x1E475005, 0x2608EDB8, 0x22C9F00F, 0x2F8AD6D6,
      0x2B4BCB61, 0x350C9B64, 0x31CD86D3, 0x3C8EA00A, 0x384FBDBD,
      0x4C11DB70, 0x48D0C6C7, 0x4593E01E, 0x4152FDA9, 0x5F15ADAC,
      0x5BD4B01B, 0x569796C2, 0x52568B75, 0x6A1936C8, 0x6ED82B7F,
      0x639B0DA6, 0x675A1011, 0x791D4014, 0x7DDC5DA3, 0x709F7B7A,
      0x745E66CD, 0x9823B6E0, 0x9CE2AB57, 0x91A18D8E, 0x95609039,
      0x8B27C03C, 0x8FE6DD8B, 0x82A5FB52, 0x8664E6E5, 0xBE2B5B58,
      0xBAEA46EF, 0xB7A96036, 0xB3687D81, 0xAD2F2D84, 0xA9EE3033,
      0xA4AD16EA, 0xA06C0B5D, 0xD4326D90, 0xD0F37027, 0xDDB056FE,
      0xD9714B49, 0xC7361B4C, 0xC3F706FB, 0xCEB42022, 0xCA753D95,
      0xF23A8028, 0xF6FB9D9F, 0xFBB8BB46, 0xFF79A6F1, 0xE13EF6F4,
      0xE5FFEB43, 0xE8BCCD9A, 0xEC7DD02D, 0x34867077, 0x30476DC0,
      0x3D044B19, 0x39C556AE, 0x278206AB, 0x23431B1C, 0x2E003DC5,
      0x2AC12072, 0x128E9DCF, 0x164F8078, 0x1B0CA6A1, 0x1FCDBB16,
      0x018AEB13, 0x054BF6A4, 0x0808D07D, 0x0CC9CDCA, 0x7897AB07,
      0x7C56B6B0, 0x71159069, 0x75D48DDE, 0x6B93DDDB, 0x6F52C06C,
      0x6211E6B5, 0x66D0FB02, 0x5E9F46BF, 0x5A5E5B08, 0x571D7DD1,
      0x53DC6066, 0x4D9B3063, 0x495A2DD4, 0x44190B0D, 0x40D816BA,
      0xACA5C697, 0xA864DB20, 0xA527FDF9, 0xA1E6E04E, 0xBFA1B04B,
      0xBB60ADFC, 0xB6238B25, 0xB2E29692, 0x8AAD2B2F, 0x8E6C3698,
      0x832F1041, 0x87EE0DF6, 0x99A95DF3, 0x9D684044, 0x902B669D,
      0x94EA7B2A, 0xE0B41DE7, 0xE4750050, 0xE9362689, 0xEDF73B3E,
      0xF3B06B3B, 0xF771768C, 0xFA325055, 0xFEF34DE2, 0xC6BCF05F,
      0xC27DEDE8, 0xCF3ECB31, 0xCBFFD686, 0xD5B88683, 0xD1799B34,
      0xDC3ABDED, 0xD8FBA05A, 0x690CE0EE, 0x6DCDFD59, 0x608EDB80,
      0x644FC637, 0x7A089632, 0x7EC98B85, 0x738AAD5C, 0x774BB0EB,
      0x4F040D56, 0x4BC510E1, 0x46863638, 0x42472B8F, 0x5C007B8A,
      0x58C1663D, 0x558240E4, 0x51435D53, 0x251D3B9E, 0x21DC2629,
      0x2C9F00F0, 0x285E1D47, 0x36194D42, 0x32D850F5, 0x3F9B762C,
      0x3B5A6B9B, 0x0315D626, 0x07D4CB91, 0x0A97ED48, 0x0E56F0FF,
      0x1011A0FA, 0x14D0BD4D, 0x19939B94, 0x1D528623, 0xF12F560E,
      0xF5EE4BB9, 0xF8AD6D60, 0xFC6C70D7, 0xE22B20D2, 0xE6EA3D65,
      0xEBA91BBC, 0xEF68060B, 0xD727BBB6, 0xD3E6A601, 0xDEA580D8,
      0xDA649D6F, 0xC423CD6A, 0xC0E2D0DD, 0xCDA1F604, 0xC960EBB3,
      0xBD3E8D7E, 0xB9FF90C9, 0xB4BCB610, 0xB07DABA7, 0xAE3AFBA2,
      0xAAFBE615, 0xA7B8C0CC, 0xA379DD7B, 0x9B3660C6, 0x9FF77D71,
      0x92B45BA8, 0x9675461F, 0x8832161A, 0x8CF30BAD, 0x81B02D74,
      0x857130C3, 0x5D8A9099, 0x594B8D2E, 0x5408ABF7, 0x50C9B640,
      0x4E8EE645, 0x4A4FFBF2, 0x470CDD2B, 0x43CDC09C, 0x7B827D21,
      0x7F436096, 0x7200464F, 0x76C15BF8, 0x68860BFD, 0x6C47164A,
      0x61043093, 0x65C52D24, 0x119B4BE9, 0x155A565E, 0x18197087,
      0x1CD86D30, 0x029F3D35, 0x065E2082, 0x0B1D065B, 0x0FDC1BEC,
      0x3793A651, 0x3352BBE6, 0x3E119D3F, 0x3AD08088, 0x2497D08D,
      0x2056CD3A, 0x2D15EBE3, 0x29D4F654, 0xC5A92679, 0xC1683BCE,
      0xCC2B1D17, 0xC8EA00A0, 0xD6AD50A5, 0xD26C4D12, 0xDF2F6BCB,
      0xDBEE767C, 0xE3A1CBC1, 0xE760D676, 0xEA23F0AF, 0xEEE2ED18,
      0xF0A5BD1D, 0xF464A0AA, 0xF9278673, 0xFDE69BC4, 0x89B8FD09,
      0x8D79E0BE, 0x803AC667, 0x84FBDBD0, 0x9ABC8BD5, 0x9E7D9662,
      0x933EB0BB, 0x97FFAD0C, 0xAFB010B1, 0xAB710D06, 0xA6322BDF,
      0xA2F33668, 0xBCB4666D, 0xB8757BDA, 0xB5365D03, 0xB1F740B4
    };
    
    
    //from tichksum src: POSIX cksum, i.e. CRC over the bytes, then over the
    //byte count (low byte first), then inverted
    unsigned long cs_calc_buf_sum(const unsigned char *buf, unsigned long size)
    {
      unsigned long crc = 0;
      const unsigned char *cp = buf;
      unsigned long length = size;
    
      while(size--)
        crc =(crc << 8) ^ crctab[((crc >> 24) ^ *cp++) & 0xFF];
    
      for(; length; length >>= 8)
        crc =(crc << 8) ^ crctab[((crc >> 24) ^ length) & 0xFF];
    
      /* keep only 32 bits so the result is the same on 64-bit longs */
      crc = ~crc & 0xFFFFFFFF;
    
      return crc;
    }
    
    /* the zlib-compressed config body whose CRC goes into the header */
    #define CONFIG_FILE "config.lmp.zlib"
    
    int main () {
            unsigned char *ptr = NULL;
            struct stat st;
            int fd = 0;
            unsigned long _crc = 0;
    
            fd = open(CONFIG_FILE, O_RDONLY);
    
            if(fd < 0) {
                    perror("could not open file");
                    return 1;
            }
    
            /* take the length from the file itself instead of hard-coding it (was SIZE 5622) */
            if(fstat(fd, &st) < 0 || st.st_size == 0) {
                    perror("fstat failed");
                    close(fd);
                    return 1;
            }
    
            ptr = mmap(0, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
    
            if(ptr == MAP_FAILED) {
                    perror("mmap failed");
                    close(fd);
                    return 1;
            }
    
            _crc = cs_calc_buf_sum(ptr, (unsigned long)st.st_size);
    
            printf("crc: %08lX \n", _crc);
    
            munmap(ptr, st.st_size);
            close(fd);
            return 0;
    }
    
    
     
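An added example, not the poster's code: the same POSIX cksum algorithm (the tichksum CRC in the post above) with the 256-entry table generated from the generator polynomial 0x04C11DB7 rather than pasted in, plus a verifier that recomputes the checksum of a [crc][length][payload] blob and compares it with the stored value, which is how a restore path detects a config that was corrupted in transit or edited by hand before accepting it. The header layout used here (4-byte big-endian CRC, then 4-byte big-endian payload length, then the payload) is an assumption for the demo, not a documented WRTP54G format, and the sample payload is constructed.

```c
/* Added example (not from the thread): POSIX cksum with a generated table,
 * and an integrity check over an assumed [crc][len][payload] blob. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CKSUM_POLY 0x04C11DB7u   /* same generator as the crctab[] in the post */

static uint32_t cksum_tab[256];
static int cksum_tab_ready = 0;

/* Build the table: MSB-first CRC-32, no init value, no reflection. */
static void cksum_table_init(void)
{
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i << 24;
        for (int k = 0; k < 8; k++)
            c = (c & 0x80000000u) ? (c << 1) ^ CKSUM_POLY : (c << 1);
        cksum_tab[i] = c;
    }
    cksum_tab_ready = 1;
}

uint32_t cksum_table_entry(int i)
{
    if (!cksum_tab_ready) cksum_table_init();
    return cksum_tab[i & 0xFF];
}

/* POSIX cksum: feed the bytes, then the byte count (low byte first, as many
 * bytes as it needs), then invert. Empty input gives 0xFFFFFFFF. */
uint32_t posix_cksum(const unsigned char *buf, size_t len)
{
    if (!cksum_tab_ready) cksum_table_init();
    uint32_t crc = 0;
    for (size_t i = 0; i < len; i++)
        crc = (crc << 8) ^ cksum_tab[((crc >> 24) ^ buf[i]) & 0xFF];
    for (size_t n = len; n; n >>= 8)
        crc = (crc << 8) ^ cksum_tab[((crc >> 24) ^ n) & 0xFF];
    return ~crc;
}

/* Assumed demo header: big-endian CRC over the payload, big-endian payload
 * length, then the payload. Not a documented WRTP54G layout. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Wrap a payload in the demo header; returns total bytes or 0 if cap too small. */
size_t build_blob(unsigned char *out, size_t cap, const unsigned char *payload, size_t n)
{
    if (cap < 8 + n) return 0;
    put_be32(out, posix_cksum(payload, n));
    put_be32(out + 4, (uint32_t)n);
    memcpy(out + 8, payload, n);
    return 8 + n;
}

/* 1 if the stored length fits the blob and the stored CRC matches the payload, else 0. */
int blob_ok(const unsigned char *blob, size_t blob_len)
{
    if (blob_len < 8) return 0;
    uint32_t n = be32(blob + 4);
    if (n != blob_len - 8) return 0;
    return be32(blob) == posix_cksum(blob + 8, n);
}

/* Round trip on a constructed payload: intact blob verifies, a flipped payload
 * bit or a corrupted length field is rejected. Returns 1 on success. */
int selfcheck(void)
{
    static const unsigned char payload[] = "<user id=\"3\"><username>user</username></user>"; /* constructed */
    unsigned char blob[128];
    size_t n = build_blob(blob, sizeof blob, payload, sizeof payload - 1);
    if (n != 8 + sizeof payload - 1 || !blob_ok(blob, n)) return 0;
    blob[n - 1] ^= 0x01;            /* one flipped bit in the payload */
    if (blob_ok(blob, n)) return 0;
    blob[n - 1] ^= 0x01;            /* restore it */
    blob[5] ^= 0x01;                /* corrupt the stored length instead */
    return blob_ok(blob, n) == 0;
}

int main(void)
{
    printf("cksum(\"\")   = %08X\n", posix_cksum((const unsigned char *)"", 0));
    printf("cksum(\"\\n\") = %08X\n", posix_cksum((const unsigned char *)"\n", 1));
    printf("selfcheck: %s\n", selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

The two printed values can be cross-checked against the cksum(1) utility on any POSIX system (`printf '' | cksum` and `echo | cksum`), which is the quickest way to confirm that a table typed in by hand, like the one in the post, has no transcription errors.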
  41. Anonymous

    Anonymous Guest

    Replacing the admin hash doesn't seem to do any good. I couldn't find out where to login with it. I couldn't ssh in with it either. Though the hash did update.

    You have to add a new user section to the xml:

    Code:
    <user id="4"><username>unlockme</username><password>KNOWNHASH</password><shadow>1</shadow><idle_timeout>15</idle_timeout><userlevel>ADMIN</userlevel><enabled>1</enabled></user>
    
    Recompress the XML, then set the CRC and the rest of the header values. Read the thread.

    You can then upload the config to the router by using restore.
    If the config takes log back into the router using the regular admin account.

    Then go to: http://rtp300ipaddress/update.html

    Login with the new username and password that was just inserted.

    Then you can feel free to access the voice page all you would like.

    http://rtp300ipaddress/cgi-bin/webcm?getpage=../html/voice/Provision.html
    http://rtp300ipaddress/cgi-bin/webcm?getpage=../html/voice/voiceSip.html

    Note: I couldn't ssh in with the inserted user id.
     
  42. Anonymous

    Anonymous Guest

    Don't edit the xml with a text editor either. Since the <tikey>...</tikey> section is not raw ascii. Use a hex editor. It will not work otherwise.
     
  43. Anonymous

    Anonymous Guest

  44. mazilo

    mazilo LI Guru Member

  45. czyc

    czyc LI Guru Member

    Nice. What firmware revision?
     
  46. Anonymous

    Anonymous Guest

    I am still confused how to CRC the file after inserting the user id 4 xml entry in a hex editor.
     
  47. czyc

    czyc LI Guru Member

  48. mazilo

    mazilo LI Guru Member

    Why suddenly everyone is talking about RTP300? Is RTP300 the same as WRTP54G?

    Will the above two links work also to unlock a WRTP54G?
     
  49. pqcracker

    pqcracker Guest

    The RTP300 and the WRTP54G are based on the same hardware platform. The RTP300 doesn't have wireless capabilities, whereas the WRTP54G does. If you examine the GPL code for either the WRTP54G or the RTP300, you'll see that it's remarkably similar, and in most cases where there is a reference to the WRTP54G, you'll find a reference to the RTP300 either right before or after it. I haven't tried this yet, but I would bet that WRTP54G firmware would load and work with minimal, if any, modification on an RTP300 and vice versa.
     
  50. mazilo

    mazilo LI Guru Member

    Hi pqcracker,

    Thank you for your explanation of these RTP300 and WRTP54G units. Does this mean the RTP300 also uses the same WRT chipset as in the WRTP54G?

    Anyway, I tried the above approach on my WRTP54G and it does not work. My WRTP54G returned a message saying something like "cannot access pages outside its ..." (sorry, I don't remember the rest).

    I got a mixed feeling on posts here saying that I must let my WRTP54G connect to Internet to let Vonage provision the device with a known user with password tivonpw. Is this true?
     
  51. czyc

    czyc LI Guru Member

    Try installing 1.00.55 yourself first. http://www.vonage-forum.com/ftopic9255.html
     
  52. mazilo

    mazilo LI Guru Member

    I got the firmware; however, every time I tried to perform an upgrade, it asked for a username/password. I tried Admin/tivonpw and no go. Can anyone please enlighten me on what I need to do? This is a virgin WRTP54G (never connected to the Internet).
     
  53. enodo

    enodo Guest

    You have to login *first* with the normal administrator username/password. After you log in that way, you can try to visit upgrade.html, and login with user/tivonpw
     
  54. mazilo

    mazilo LI Guru Member

    Yes, I always login admin/admin; however, user/tivonpw doesn't work when I try to perform a firmware upgrade. My WRTP54G has never been connected to the Internet. All I want is to have it unlocked so I can use it with FWD services. Can user/tivonpw be used to access the Voice menu to disable XML provisioning and configure the SIP lines?
     
  55. KillaB

    KillaB LI Guru Member

    I, like mazilo have a virgin wrtp and can confirm that "user" does not exist before provisioning.....therefore no manual updating AFAIK.

    I'm hoping there may be bugs in the older fw and have been waiting for a JTAG solution so I can back up the firmware before connecting it to the net.

    Just one thing I noticed in the old 1.00.20 firmware is that it's running OpenSSH 3.6p1 (determined by using PuTTY in raw mode). Anyone know of any exploits for this version?

    It would appear that 1.00.37 uses Dropbear instead of OpenSSH.

    http://www.frsirt.com/exploits/05.02.gossh.sh.php
    http://www.openssh.com/security.html

    Edit: Additionally from rfv3's nmap scan, I also have ports 21, 23 and 5060 show up. Telnet connects but times out after about 5 seconds (hitting enter does nothing). Can't do much with FTP either. I'm no expert in vulnerabilities in these areas, so if you have anything you think I should try, fire it my way.
     
  56. mazilo

    mazilo LI Guru Member

    From what I gathered through the posts in this thread, a virgin WRTP54G needs to be provisioned by Vonage before user/tivonpw can be used to login for the upgrade. Until then, the Backup and Restore options on a virgin WRTP54G are disabled.

    What does the frsirt script do? Do you care to explain?
     
  57. ironstorm

    ironstorm LI Guru Member

    Hi all,

    I just got an RTP300 from eBay; it's running 1.0.52 firmware.

    I don't know if it was ever provisioned (would a phone number or something show up on the voice tab - mine says "Please contact your service provider for further information.")...

    When I try the user/tivonpw account on index2.html or update.html (after logging in with the admin/admin account first) I get "Error: User not enabled to login into the system" - so it seems the user account is present (otherwise you get "Error: Bad username/password")...

    So does that mean this unit was not provisioned or perhaps was disabled by vonage after a service cancel?

    Would I be able to TFTP an old image into the router using PSPBoot (http://wiki.openwrt.org/PSPBoot) and then use the account, or do I need some config.bin to restore containing an 'enabled' user?

    I'd like to mess around with this device without signing up to Vonage immediately....

    Cheers,

    -G
     
  58. mazilo

    mazilo LI Guru Member

    I don't have an RTP310 device; however, if there is a reset PIN hole on the back of the device, I believe you can reset it. Before you reset the device, see if you can perform a backup; who knows, it may contain some useful information for you once you have the device unlocked to restore the backup. On my virgin WRTP54G unit, there is no Backup and Restore button on the Administrator page. Also, user/tivonpw does not work. I am getting vague responses from posts in this thread saying user/tivonpw will work on an already provisioned WRTP54G; however, when I asked people here to confirm this, no one replied to confirm it. I hope readers here will be able to let me know about this. Otherwise, I just don't have the guts to get mine provisioned even though I know it can be reset through the PIN hole.

    EDIT: I just let my WRTP54G connect to the Internet feed and had it provisioned by Vonage. The provisioning process also upgraded the unit with the latest firmware v1.00.55; however, when I tried to access the webpage after the provisioning, it was no longer there (sort of locked). So, I reset the unit through the PIN hole and now am able to get back to the unit's webpage. Sure enough, I can now use user/tivonpw on my unit.
     
  59. ironstorm

    ironstorm LI Guru Member

    I thought I'd try and flash using TFTP/PSPBoot... sadly I realized I don't know what file name to upload nor what hostname the RTP300 boots with...

    I managed to get the provisioning and voicesip pages open by disabling javascript, saving them locally and editing it as follows:
    Code:
    <base href="http://192.168.15.1/cgi-bin/">
    ....  <stuff before 'uiDoOnLoad()' > ....
    // if (user != "ADMIN"){
    //    document.location.href="../cgi-bin/webcm?getpage=%...
    //    return;
    //}
    and then resaving, opening browser, enable javascript, and loading saved pages.

    I see all kinds of settings pointing to vonage tftp servers some hashes of something... Provisioning Status of 'Provisioning failed' (router not connected to the internet). I wish I had some clue what all these settings meant.

    Could someone upload the source to the Update.html webpage? Maybe the server side authentication is weak enough that I can POST a new image without being able to login properly. I'd also like to see what cookies you get on a successful authentication with user/tivonpw...
     
  60. Celeron

    Celeron LI Guru Member

    How did you go about saving the pages locally? Every time I do it I only get the webcm page which has no source in it. Any tips would be greatly appreciated.
     
  61. ironstorm

    ironstorm LI Guru Member

    In my case I disabled javascript and then put in the URL of the page directly into the address bar (i.e. http://192.168.15.1/cgi-bin/webcm?getpage=/usr/www_safe/html/voice/Provision.html ), though I should think you could use view-source directly like
    view-source:http://192.168.15.1/cgi-bin/webcm?getpage=/usr/www_safe/html/voice/Provision.html

    Javascript does not execute on view-source: - you may have to login with admin/admin first to get that far... when you look at the source it looks empty except for comments; you have to scroll down like 100 blank lines before the page content starts.
     
  62. sekhar

    sekhar Guest

    Can you please help?

    Can someone send me a firmware backup - with disabled provisioning.

    You can PM me @ mail@sekhar.net (mail at sekhar.net)

    Thanks.

    Sekhar.
     
  63. mazilo

    mazilo LI Guru Member

    Re: Can you please help?

    What did you mean by a firmware backup?
     
  64. ironstorm

    ironstorm LI Guru Member

    Re: Can you please help?

    I'll trade you a non-provisioned config back-up for a provisioned one. I'd like to see if I can get to the update.html page if I put on a provisioned config.

    Have to wait till I get home though.

    -G
     
  65. mazilo

    mazilo LI Guru Member

    Do you suppose Vonage will give you the Admin password even though you are not a Vonage customer? I have bought two units of WRTP54G from a local Staples about two months ago. I have found one unit doesn't want to provision to Vonage TFTP server to perform a firmware upgrade when I connected it to my cable modem. OTOH, the other unit has provisioned to upgrade the firmware to 1.00.55.
     
  66. mazilo

    mazilo LI Guru Member

     
  67. mazilo

    mazilo LI Guru Member

    Is anyone here still doing the unlocking of WRTP54G? BTW, I PMed to some of you recently and it looks like none of you have paid attention to your PM folder. Please check your PM folder to see if you get some PMs from me. You can always enable the Notify on new Private Message to automatically notify you through e-mails when there's a new PM.
     
  68. mazilo

    mazilo LI Guru Member

    Looks like some guys are already ahead of us in unlocking the WRTP54G (didn't see if this was an -NA version). See the post here, in which the unit is sold @ about $155/each (for 3+ units) and cash.
     
  69. ironstorm

    ironstorm LI Guru Member

    File System (all regular files, size > 0k) for the RTP-300 1.0.55 is now uploaded at:
    http://www.northern.ca/projects/open-rtp/

    Hopefully we can get the bits that are missing from the 1.0.37 source and build a functional distro eventually...
     
  70. mazilo

    mazilo LI Guru Member

    Does anyone know why it is necessary to have skip=576? Are these first 576 bytes the header of the firmware? If so, does anyone know the composition of the header, i.e. firmware size compressed/uncompressed, etc.?
     
  71. ironstorm

    ironstorm LI Guru Member

  72. maze42

    maze42 Guest

    Mazilo and others: Please advise; I just bought a WRTP54G a couple of days ago, not realizing that it was locked by Vonage. It has been online and connected to my cable modem since then. I have not signed on with Vonage, and the admin interface says the firmware is 1.00.18. I would like to use the WRTP54G with a VoIP provider in Denmark (www.telsome.dk) but I am a newbie and don't know where to start, or if it is at all possible for me to unlock this router. If it isn't, or if it's too complicated for someone like me, I'll have to take it back to RadioShack within a couple of days. Help!!
     
  73. mazilo

    mazilo LI Guru Member

    Send me a PM from which Radio Shack you bought this WRTP54G.
     
  74. ydef

    ydef LI Guru Member

    Mazillo,

    Firmware is compressed with a format known as cramfs, which is why one needs to open it with a hex editor to determine where the cramfs header ends and the real squash fs filesystem begins. The way to figure this out is by looking for what is known as the 'magic' numbers that delineate where the next filesystem begins. Each filesystem has a unique set of magic numbers specific to that filesystem. In the case of squashfs you need to find the magic letters 'hsqs' and then strip the prior cramfs to isolate squash by itself by chopping off everything up to the magic number sequence. Only after having done so is it possible to mount/access the squash filesystem.

    I hope that clears up some things for you.
     
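The by-hand hex editor step described above, done in code, as an added example that is not part of ydef's post: scan a firmware blob for the squashfs superblock magic ("hsqs" when the image is little-endian, "sqsh" when big-endian), report the offset to pass to dd, and read the superblock's major/minor version so you know which squashfs tools can unpack it. The sample image is constructed here (576 bytes of zero vendor header, the skip=576 figure from the thread, followed by a minimal squashfs-looking superblock), not a real WRTP54G firmware; the version field offsets (major at byte 28, minor at byte 30 of the superblock) hold for squashfs 1.x through 4.x.

```c
/* Added example (not from the thread): locate a squashfs superblock in a
 * firmware blob by its magic and decode its version fields. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SQFS_VERSION_OFF    28   /* s_major at 28, s_minor at 30, in squashfs 1.x..4.x */
#define SQFS_MIN_SUPERBLOCK 32   /* bytes needed from the magic to read the version */

typedef struct {
    long     offset;      /* offset of the magic in the blob, or -1 if none found */
    int      big_endian;  /* 1 for "sqsh" (big-endian image), 0 for "hsqs" */
    unsigned major, minor;
} sqfs_info;

/* Scan from 'start' for "hsqs"/"sqsh"; on a hit decode the version fields
 * with the byte order the magic implies. A hit too close to the end of the
 * blob to hold a superblock is not reported. */
sqfs_info find_squashfs(const unsigned char *blob, size_t len, size_t start)
{
    sqfs_info r = { -1, 0, 0, 0 };
    for (size_t off = start; off + SQFS_MIN_SUPERBLOCK <= len; off++) {
        int be;
        if (memcmp(blob + off, "hsqs", 4) == 0)      be = 0;
        else if (memcmp(blob + off, "sqsh", 4) == 0) be = 1;
        else continue;
        const unsigned char *v = blob + off + SQFS_VERSION_OFF;
        r.offset     = (long)off;
        r.big_endian = be;
        r.major = be ? (unsigned)(v[0] << 8 | v[1]) : (unsigned)(v[1] << 8 | v[0]);
        r.minor = be ? (unsigned)(v[2] << 8 | v[3]) : (unsigned)(v[3] << 8 | v[2]);
        return r;
    }
    return r;
}

/* Constructed sample: 'header_len' zero bytes, then a superblock carrying only
 * the magic and version. Returns bytes written, 0 if the buffer is too small. */
size_t build_sample_image(unsigned char *out, size_t cap, size_t header_len,
                          int big_endian, unsigned major, unsigned minor)
{
    size_t total = header_len + SQFS_MIN_SUPERBLOCK;
    if (cap < total) return 0;
    memset(out, 0, total);
    memcpy(out + header_len, big_endian ? "sqsh" : "hsqs", 4);
    unsigned char *v = out + header_len + SQFS_VERSION_OFF;
    if (big_endian) { v[0] = major >> 8; v[1] = major & 0xFF; v[2] = minor >> 8; v[3] = minor & 0xFF; }
    else            { v[1] = major >> 8; v[0] = major & 0xFF; v[3] = minor >> 8; v[2] = minor & 0xFF; }
    return total;
}

/* Little-endian image behind a 576-byte header, a big-endian one behind a
 * 64-byte header, and a truncated blob that must not match. Returns 1 if all hold. */
int selfcheck(void)
{
    unsigned char img[1024];
    size_t n = build_sample_image(img, sizeof img, 576, 0, 1, 0);
    sqfs_info s = find_squashfs(img, n, 0);
    if (n != 608 || s.offset != 576 || s.big_endian != 0 || s.major != 1 || s.minor != 0) return 0;
    n = build_sample_image(img, sizeof img, 64, 1, 3, 1);
    s = find_squashfs(img, n, 0);
    if (s.offset != 64 || s.big_endian != 1 || s.major != 3 || s.minor != 1) return 0;
    return find_squashfs(img, 64 + 16, 0).offset == -1;
}

int main(void)
{
    unsigned char img[1024];
    size_t n = build_sample_image(img, sizeof img, 576, 0, 1, 0);
    sqfs_info s = find_squashfs(img, n, 0);
    if (s.offset < 0) { puts("no squashfs magic found"); return 1; }
    printf("squashfs (%s) at offset %ld: dd bs=1 skip=%ld; version %u.%u\n",
           s.big_endian ? "big-endian" : "little-endian", s.offset, s.offset, s.major, s.minor);
    return 0;
}
```

On a real image, read the file into a buffer and call find_squashfs on it; the reported version is what decides whether the 1.x or 2.0 squashfs utilities mazilo asks about will be able to unpack it, and a second call starting at offset+4 tells you whether the blob carries more than one filesystem.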
  75. mazilo

    mazilo LI Guru Member

    ydef,

    Thank you for the clarification and information which I did not know to start with. As for mounting this firmware, I had done that before; however, as we all know the filesystem used under the WRTP54G firmware is based on squashfs-1.x, how does one go about recreating this filesystem with a squashfs? What I tried to do is to extract the firmware to an empty directory, find the shadow file and change the Admin hash key to a known password, package the directory with a squashfs utility, and upload to the WRTP54G to see if the new Admin password can be used to access the Voice page. I don't know if I can use the squashfs-2.0 utilities to package the directory. Also, if you know where I can get the information on cramfs, it will be a good place to start. I believe once the directory is packaged, I will also need to recreate the cramfs header to contain the file size of this newly created squashfs file.

    If you don't feel comfortable discussing this on an open forum, we can take it through PMs. IIRC, I did PM you to ask something, last month.
     
  76. ydef

    ydef LI Guru Member

    I've started a #wrtp54g channel on freenet for those interested in working on the dev and porting openwrt to this router.

    Hop in this channel if you wanna discuss further.

    Beep me if i seem asleep. I'm prolly on another desktop.
     
  77. ydef

    ydef LI Guru Member

    jtr

    Can anyone who has had success so far give an assessment of the properties of the final pw?

    Alphanumeric only? Only Alpha? Does it include any special type characters, etc?

    I've had mine running on Alnum for about three days now to no avail. Was wondering if there are different optimization settings that would improve return time.
     
  78. rfv3

    rfv3 LI Guru Member

    Progress

    I've been gone for a while, but here is what I've got:

    guesses: 0 time: 25:01:10:56 c/s: 1388K trying: rHmBABv - rHmBEv$

    As you can see, for the last 25+ days there have been no actual guesses and unfortunately the version of jtr that I'm running only supports 8 character passwords (I think someone posted a password once, but it was more like 22 characters and alphanumeric :( ). At any rate, you can see that there have been no guesses (Actually it cracked the generic one as well as my password, but I've restarted it since then).

    Rob

    More to come.
     
  79. ydef

    ydef LI Guru Member

    Re: Progress

    To clarify. The reason JTR doesn't support over 8 characters on DES passwords is because traditional DES passwords don't support over eight characters, even though it might seem like it is a 10 character password .. it isn't.

    A detailed reading of the JTRipper dox spells this out and it has been confirmed by those that have gotten it so far ... the first 8 characters returned work just as well as 10.

    As far as someone posting a pw the only reference i see to that is this post by anonymous a long time ago:

    as you can see, that's a ten character password, where the 03 is obviously extra superfluous characters.

    Now as far as JTRipper optimizations, I'm using the latest development version 1.7-rc1 recompiled with the jumbo uber patch, and using --incremental=Alpha currently since those that i've confirmed that have had success seem to have pure alpha passwords (if anyone has found a working password with additional characters PLEASE PLEASE let us know so we can narrow our optimizations settings). I tried for three days on Alnum before switching over to pure alpha.
     
  80. rfv3

    rfv3 LI Guru Member

    Exercises in futility

    I was wondering how long this brute force attempt would take so I came up with the following:

    ChrsInSet ^ Digits / HashesPerSec / 60 / 60 / 24 / 365

    I hope I missed something, otherwise:

    Digits: 8
    Characters: 96
    Possible Combos: 96^8
    Hashing rate: ~1300k
    Estimated time: ~176 years

    Of course if I reduced the character set to 62 (26 upper/lower plus 0-9 as seen with ‘f197mrwW03’) the time would drop to ~5 years. Once again, clusters would be so nice in times like this… 10 computers (of the same/similar specs) would take the time down to ~6 months… 20 to ~3 months!... alas :thumbdown: .

    Again, the thinking being that if one router password is found we only need use that individuals configuration backup to implement the same password on our routers :)

    Rob

    PS: Can't help but wonder if Linksys/Vonage/CyberTAN is reading any of this and if they are what they are thinking :grin:
     
  81. rfv3

    rfv3 LI Guru Member

    Char File for JTR

    I created a character file for John The Ripper. I used only a-z, A-Z, 0-9 (as mentioned on the previous post). The actual processing time should be significantly less. If anybody wants a copy, please PM me. I'll be running this version of the crack on another box shortly.

    Good luck to all,

    Rob
     
  82. rfv3

    rfv3 LI Guru Member

    New Math

    Using my previous math:
    and ...
    a different CPU (capable of a 2g+ hash rate)
    and ...
    the reduced character set: a-z, A-Z, 0-9
    and finally...
    you get :

    62^7/2,000,000/60/60/24 = 20.4 days

    For digits, 7 was used as we know the length is >8 so length=8. As I configured JtR to start and end with 8 character passwords it can skip 62^7 + 62^6 + 62^5 + ... so I used "7" digits instead of 8 for my math. That seems a little fuzzy to me as I've been away from any significant math class for too long, but it should be something like this (feel free to stomp this thread if I'm way off, I hope that I am). Anyway, 20.4 days sounds much better than previous calculations.

    The clock has started... as always I'll keep everyone posted.

    Rob
     
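An added note on the arithmetic in the "Exercises in futility" and "New Math" posts above (the figures here are the editor's, not rfv3's), carried through in the thread's own notation with c = characters in the set, L = password length and r = hashes per second:

    exhaustive search of exactly L characters:   T(L) = c^L / r   seconds
    all lengths 1..L together:                   S(L) = c + c^2 + ... + c^L = c * (c^L - 1) / (c - 1)
    ratio:                                       S(L) / c^L = (c / (c - 1)) * (1 - c^-L)   =~ 62/61 = 1.016 for c = 62

    96^8 / 1,300,000 / 31,536,000 = 176 years
    62^8 / 1,300,000 / 31,536,000 = 5.3 years
    62^8 / 2,000,000 / 86,400     = 1,264 days (about 3.5 years)
    62^7 / 2,000,000 / 86,400     = 20.4 days (this is the 7-character keyspace)

So configuring JtR to try only length 8 drops the length 1..7 keyspace, which for 62 characters is about 1.6% of the work, not a factor of 62; the 20.4-day figure is the time for the 7-character space at 2M hashes/s, and the 8-character space at that rate is about 3.5 years (half that on average before the hit). The bound L = 8 itself comes from ydef's point that traditional DES crypt(3) only uses the first eight characters, so the 10-character passwords quoted in the thread are equivalent to their first eight.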
  83. mazilo

    mazilo LI Guru Member

    Get a PS2 that can give you a whopping 6.02GFlops to speed up the computation.
     
  84. ydef

    ydef LI Guru Member

    Actually, I was waiting for PS3 for the exact very reason of putting the new cell processor to work on parallel cracking.

    PS3 is pretty much like a supercomputer for the price of a console. :thumb:

    And it will make 6.02 flops look obsolete.
     
  85. mazilo

    mazilo LI Guru Member

    What are the PS3 CPU specs? Will it give more than 6GFlops?
     
  86. ydef

    ydef LI Guru Member

    The PS3 is based on the CELL processor, which was a joint experiment between Sony, Hitachi, and IBM that's produced a ninacore processor. That's right, forget the dual cores by Intel and AMD; the ninacore will have one central 64 bit processing core, and 8 synchronous cores working in unison to total an equivalent 9 processors working together. It will feature 234 million transistors (compared to about 125 million in current processors) and 221 mm die size (compared to 122mm current processor average) and a complement of 512mb of onboard RAMBUS L2 cache on its main processor with an additional 256mb of RAMBUS L2 cache native to each of the eight synchronous cores totaling 2.5 gigs of onboard memory. The main processor will be capable of 2 threads with each core adding one additional concurrent thread to allow for a total of 10 concurrent threads!!!

    Think of JTR on this baby!

    It is architecturally based on IBM's powerpc (which is what ran macs, before jobs's latest sellout jump to intel) and is backward compatible to powerpc based software.

    Current indications are that it will clock up to about 4 gigs.

    The PS3 will be the first platform to exhibit the potential of this badass new architecture, which is why those that couldn't wait and jumped on the xbox2 bandwagon is seriously hating it. :thumbup:

    Not being a gamer myself, the appeal of the PS3 for me lies in its raw computational power as a number cruncher. This might be the first gaming console i might actually buy, just so i may transform the unit into a linux based prime # finder :rockon:

    IBM has already released a dev kit for the cell processor to the open source community to get a head start in development, which is a great sign.

    But anyway, getting back to your question ... like i mentioned originally, 6GFlops on the PS3 will look like diaper rash. :rofl:
     
  87. czyc

    czyc LI Guru Member

  88. mazilo

    mazilo LI Guru Member

  89. ydef

    ydef LI Guru Member

    Has anyone figured out how to decrypt the xml encrypted provisioning file with the 64 character hash provided on the provisioning page?

    It doesn't seem to be encrypted using the aes-256-cbc algorithm that's used for the PAP2.
     
  90. mazilo

    mazilo LI Guru Member

    Hi YDef,

    I sent you a little note through a PM, last night.
     
  91. meister_sd

    meister_sd Addicted to LI Member

    Now I am new here, but I am wondering why, if there is the source code, the missing files can't be found from the dumps posted and a new firmware compiled that has some of the code modified to actually show the contents of its values? Or just not look for the value.

    So if you are going to the voice page, the authentication routine is modified to just go there and not look to see if a password has been entered or if the user needs to be authenticated. Also, it seems the XML configuration file is decrypted AFTER it's downloaded. Why not just create a new page, or edit an existing page, to show the contents of the XML or show its values?

    <user id="1">
    <username>Admin</username>
    <password>x</password>
    <shadow>1</shadow>
    <idle_timeout>15</idle_timeout>
    <userlevel>ADMIN</userlevel>
    <enabled>1</enabled>
    </user>
    <user id="2">
    <username>admin</username>
    <password>AB2ChJScbtR5I</password>
    <shadow>1</shadow>
    <idle_timeout>10</idle_timeout>
    <userlevel>ROUTER</userlevel>
    <enabled>1</enabled>
    </user>
    <user id="3">
    <username>user</username>
    <password>x</password>
    <shadow>1</shadow>
    <idle_timeout>5</idle_timeout>
    <userlevel>USER</userlevel>
    <enabled>0</enabled>
    </user>
    <cli>
    <level_1>view</level_1>
    <level_2>logger</level_2>
    <level_3>nobody</level_3>
    <level_4>nobody</level_4>
    <level_5>Admin</level_5>

    and

    <path env_default="HASH_DIR"/>
    <key_code env_default="CRYPT_KEY"/>
    <adminpwd_crypt env_default="ADMIN_PWD"/>
    <userpwd_crypt>ABsFuZ3PufkXY</userpwd_crypt>
    <userstate>0</userstate>
    <interval>1</interval>


    Show those values and you have everything. Or ignore them through the XML file and hard code it in the HTML source. That way all the values are known before flashing and are known universal to the group.
     
  92. mazilo

    mazilo LI Guru Member

    This is very interesting, particularly the XML source code (located under the /etc? directory). Perhaps having the admin password hashed key changed to a known password hashed key in this file, as well as in the password file, on a newly compiled firmware will make the device unlocked forever once it is flashed to the router.
     
  93. meister_sd

    meister_sd Addicted to LI Member

    Yes, I thought so too....

    I got the dump from here:
    http://wiki.openwrt.org/OpenWrtDocs/Hardware/Linksys/WRTP54G

    And yes, the XML file is under "/etc/config.xml"

    So I'm wondering if there was a custom build and after picking one screen when you log in as admin/admin, a popup displaying the XML file would work. You write down the info, then load a regular image back into the router and you should be able to do everything. I am also thinking of getting an RTP300-NA to see what the screen differences are. With the encryption hash showing, you can encrypt your own file and feed it to the router changing its password. I would guess this can all be done like the unlocking of the PAP2.
     
  94. mazilo

    mazilo LI Guru Member

    AFAIK, there are no screen differences between a WRTP54G/RTP300 and a WRTP54G-NA/RTP300-NA. Perhaps the Voice button points directly to the Voice page instead of the "Contact your service provider ..." message page.

    As for the password hashed key, you can generate it using the Linux password tools. Just create an account called Admin with a password admin, and its hashed key can be used to replace the Admin hashed key in the /etc/config.xml file and/or any other files pertaining to the Admin password.

    BTW, I just checked a local Fry's Electronics and it's selling this WRTP54G for $89.99 before the $50 Vonage rebate. And, if you have a local Fry's and Staples store, you can PM to Staples with its 110% price-match policy to bring this down to $86. Then, using the $10 off a $40 purchase, bring this price down to $76.
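    The 13-character strings in the `<password>` and `<userpwd_crypt>` fields of the config.xml fragment posted above are in traditional Unix crypt(3) DES format (two salt characters followed by eleven hash characters), which is also the format the Linux password tools produce when generating a replacement hash as suggested here. As an added example, not code from this thread or from the Linksys/Vonage firmware, the Python below audits the account block from that fragment the way a reviewer of such a config would: it names the hash scheme of each account, flags legacy DES hashes, flags placeholder `x` passwords that point to a shadow or environment source, and flags usernames that differ only by case (the `Admin`/`admin` pair that causes confusion in this thread). The sample input is constructed from the posted fragment; a `<config>` root element and the closing `</cli>` tag are assumed so that it parses, and the `idle_timeout` fields are omitted because the audit does not use them.

```python
# Added example (not from the thread or the firmware): audit the local-account
# block of a WRTP54G-style /etc/config.xml for weak password storage.
import re
import xml.etree.ElementTree as ET

# Constructed from the fragment posted in the thread. The <config> root and the
# closing </cli> tag are assumptions added so that the document is well-formed.
SAMPLE_CONFIG = """\
<config>
  <user id="1">
    <username>Admin</username>
    <password>x</password>
    <shadow>1</shadow>
    <userlevel>ADMIN</userlevel>
    <enabled>1</enabled>
  </user>
  <user id="2">
    <username>admin</username>
    <password>AB2ChJScbtR5I</password>
    <shadow>1</shadow>
    <userlevel>ROUTER</userlevel>
    <enabled>1</enabled>
  </user>
  <user id="3">
    <username>user</username>
    <password>x</password>
    <shadow>1</shadow>
    <userlevel>USER</userlevel>
    <enabled>0</enabled>
  </user>
  <cli>
    <level_1>view</level_1>
    <level_2>logger</level_2>
    <level_3>nobody</level_3>
    <level_4>nobody</level_4>
    <level_5>Admin</level_5>
  </cli>
</config>
"""

# Traditional crypt(3) DES output: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format "$id$salt$hash": 1 = MD5, 5/6 = SHA-256/SHA-512, 2a/2b/2y = bcrypt.
MODULAR_CRYPT = re.compile(r"^\$(?P<scheme>[0-9a-z]{1,2})\$")
MODULAR_NAMES = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
                 "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}


def classify_hash(value):
    """Name the scheme a <password>-style field is using."""
    if value in ("", "x", "*", "!"):
        return "placeholder"  # no hash here: kept in a shadow source, or login disabled
    if DES_CRYPT.match(value):
        return "des-crypt"
    m = MODULAR_CRYPT.match(value)
    if m:
        return MODULAR_NAMES.get(m.group("scheme"), "modular-crypt")
    return "unknown"


def audit_users(xml_text):
    """Return one record per <user> element, each with the issues a reviewer would flag."""
    root = ET.fromstring(xml_text)
    records = []
    seen = {}  # lowercased username -> first spelling encountered
    for user in root.iter("user"):
        name = user.findtext("username", "")
        rec = {
            "username": name,
            "level": user.findtext("userlevel", ""),
            "enabled": user.findtext("enabled", "0") == "1",
            "shadow": user.findtext("shadow", "0") == "1",
            "scheme": classify_hash(user.findtext("password", "")),
            "issues": [],
        }
        if rec["scheme"] == "des-crypt":
            rec["issues"].append("legacy DES crypt: 12-bit salt, password truncated to "
                                 "8 characters; should be migrated to a modern scheme")
        elif rec["scheme"] == "placeholder" and rec["shadow"]:
            rec["issues"].append("hash held out-of-band (shadow file or environment); "
                                 "confirm that source is protected")
        elif rec["scheme"] == "unknown":
            rec["issues"].append("unrecognised password field format")
        key = name.lower()
        if key in seen:
            rec["issues"].append("duplicate username" if seen[key] == name else
                                 "username differs only by case from %r; easy to confuse"
                                 % seen[key])
        else:
            seen[key] = name
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in audit_users(SAMPLE_CONFIG):
        state = "enabled" if rec["enabled"] else "disabled"
        print("%-6s %-7s %-8s %s" % (rec["username"], rec["level"], state, rec["scheme"]))
        for issue in rec["issues"]:
            print("    - " + issue)
```

    Run it against a config dump to get one line per account plus its findings; on the sample, the `admin` (ROUTER) account is the only one carrying an actual hash in the file, and it is the DES one, while the ADMIN-level account's hash lives wherever the `shadow`/`ADMIN_PWD` environment source points.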
     
  95. meister_sd

    meister_sd Addicted to LI Member

    That is what I was thinking. There seems to be another page called "Voice_adminPage.html" in:

    /usr/www/
    /usr/www_safe/html/

    And the restricted voice tab HTML (voice.html) is located in:

    /usr/www_save/html/voice/

    Maybe replacing voice.html in /usr/www_save/html/voice/ with the "Voice_adminPage.html" during rebuild will work.

    What I'm thinking is don't even reference the XML file. Just either hard code the UN/PW in the HTML itself, or don't even ask and just go in. With it set up this way, you can find the XML encryption key and be able to unprovision and create custom XML files to send to the router after re-flashing it back to a standard image.


    The other question is how the author of the WIKI I posted above got the info from the heading: "2.2. /proc/ticfg/env"

    Another thing I've seen in 1.00.37 is if you log in as admin/admin and then type:

    http://192.168.15.1/Voice_adminPage.html

    It will redirect you to the following link/page and this is a different UN/PW. I'm guessing this is the "Admin" account and not "admin", which means Vonage didn't totally disable the ability to make changes to the voice page and further supports my belief that the voice.html is a dummy placeholder for Vonage and the Voice_adminPage.html is the real page.

    http://192.168.15.1/cgi-bin/webcm?g....html&var:requestfrom=../Voice_adminPage.html
     
  96. ecoen

    ecoen Guest

    Logged in at ADMIN level & config'd for asterisk

    I was able to edit the backup config (XML) file (as others discussed earlier in this thread) and reload it into the WRTP54G so that it would allow me to login as "user/itvonpw" but at ADMIN level.

    Now I can edit any of the voice pages and save them back to the router. I have been able to get one voice port at a time to successfully register and receive a call through my Asterisk server.

    I still need to iron out some parameters to be able to get a dialtone from the port and dial through the Asterisk server.

    NOTE: I still cannot ssh into the router. I have not tried to do the console port mod yet either, so I have not been able to try CLI access.
     
  97. mazilo

    mazilo LI Guru Member

    I don't know if you have access to read the /etc/passwd file, which only contains a single account called Admin. Unless you know the password for this Admin account, you won't be able to perform an SSH login. Being able to access the Voice menu with Admin rights doesn't mean you have access to the Admin account to change its password. Well, it is sure worth the effort to give it a try. Please post your results here.
     
  98. ydef

    ydef LI Guru Member

    Re: Logged in at ADMIN level & config'd for asterisk

    The console port mod won't do squat for giving you shell access, since the inittab looks like this:

    # Start an "askfirst" shell on the console (whatever that may be)
    ::askfirst:-/bin/login

    Meaning that a serial port will only give you a login prompt, still requiring you to know the root password to get anywhere.
     
  99. KillaB

    KillaB LI Guru Member

    @ecoen

    I've been playing around with the latest Asterisk@Home installation and am wondering exactly what settings need to be changed in the WRTP54G to get it to successfully register.

    I have ADMIN level privileges and can change settings as well, just can't get mine to provision.

    I should have asked the simple question first: do you HAVE to use the WAN port or can it register on the LAN side? When you make changes on the SIP pages sometimes it pops up saying you need to configure an Internet IP first.

    I PM'ed you the other day but you haven't read it. Perhaps you don't have email notification turned on?
     
  100. badenoch

    badenoch Guest

    I was able to successfully disable javascript and save the html files. However, I can't figure out where to put the above code to make this work after re-enabling javascript.

    I'm assuming the BASE tag goes outside of the SCRIPT tag. I'm assuming the comment slashes should be removed. I'm a little hazy on what "stuff before 'uiDoOnLoad..." is referring to specifically. I can see the function call, but I don't know where to put the IF statement and the rest of the code in relation to it.

    Would someone be so kind as to post more specific information about how to implement (i.e. where exactly to place) this code in the html file?
     