reply to 420br

Re: SS5200 E240_A3J 70-52 Firmware/Account "hackin

Alright.. I picked up where duress left, as the update process seemed clumsy and _very_ insecure..
You'll need a good packet sniffer to accomplish the job, since you'll need to filter _only_ port 21 to get your "magic key".

Steps:

1) Fire up your packet sniffer on port 21
2) Take note of the login (5 numbers, NOT random - eg.: 27701, 26902, etc.. the fw has a list of "logins" to choose from)
3) Pay attention to the modem lights. As soon as PWR stops blinking red, quickly fire up your telnet and login with the ftp account - the password is the login, as you noticed on the sniffer
4) Sit on telnet until the modem reboots, otherwise, the fw update password will _reset_ BEFORE rebooting.
5) After rebooting, keep trying to telnet the modem and login quickly before it resets the password (usually after dsl sync starts)
6) Use the web login to set up the admin account
7) You're now ready to open up telnet access with this command: cfg sys{usr#0{pem=-1
If you don't feel like losing your current config, but, you DO want to hack up your speedstream telnet, you can cut a few steps:
1) Instead of "sitting" on telnet waiting for the upgrade process, ctrl-alt-del and kill it or simply take off your ethernet/usb cable. It's nothing but a file upload, don't be nervous.
2) You now need the unpacked fw (c:\windows\~cua) to decrypt the .img files with bcr.exe (bcr.exe -k="EFNTEFNT" -d XXX.img.enc XXX.img)
3) After unpacking the 3 .enc files, upload them to your modem.. otherwise, you might have a surprise after booting..
4) Do whatever you gotta do to 'free' the admin OR superuser/etc accounts..
ps: On most fw's, you can pick up the telnet login/pass on the .def.enc file (after you decrypt it), thus, eliminating the risks of f*cking up the process heh (and your modem), but, on those crippled (as A29), you gotta play a little and find out what a valid permission is for both web AND telnet (which in this case was -1).
Now you can safely reboot any time and use the admin account you just set up over the web to telnet and ftp to the modem. You have access to all web config pages, except Profile Wizard. I'm pretty sure this fw can be fully unlocked - I managed to "accidentally" enable "Advanced Properties" on the menu, but I didn't keep track of what I did (it's pretty much trial-and-error hehe).
Have fun 
Cheers, -420