420br @user.veloxzone.com.b | SS5200 E240_A3J 70-52 Firmware/Account "hacking" Since I shed some light on this one somewhere else and people didn't catch on, I suppose you guys here could make good use of this information.
I stumbled upon this new English/French firmware: »ftp://80.127.205.51/download/France/52···_v1r.ZIP
It IS the newest firmware for 5200 around, it looks crippled.. but in fact.. it's not 
-- EDITING ACCOUNTS --
Alright.. so, you're fed up with cryptic ways of getting a telnet/ftp password.. so was I. I found out how you can modify the admin, telnet AND ftp accounts. You have "mystic" profiles:
* Profile 0 = admin
* Profile 1 = telnet/ftp
* Profile 2 = "ghost" (what would this one access? hmm)
* Profile 3 = when you add new ones, the 3rd is the first on the list..
Linkage
admin: »192.168.254.254/pfwizardj.cgi?co···retain=f
telnet: »192.168.254.254/pfwizardj.cgi?co···retain=f
'ghost': »192.168.254.254/pfwizardj.cgi?co···retain=f
-- OBSERVATIONS --
Since most people here are familiar with the router interface, all I needed to outline here was the way to get full access to everything.
Before this "discovery", I had three working firmwares and a fourth, crippled one (needed a password to update); cracking that only rendered the modem useless, since it'll update a fudged ROM..
In order of appearance:
* Update_E240_A21_70-7_1086-503.exe The "mexican" - telmex - full router
* Update_E240_A2W_70-37_6081_v1r(5).exe The "brazilian" - telemar - full router
* Upgrade_E240_A0X__61-7_Full_Router_6045_v1 (4).exe Believed to be the best one, but, no one managed to get this working.. It's easy to crack, but, will render your modem completely useless, and there is no way to go back.  It's actually the oldest firmware in town. Avoid it.
* Update_E240_A29_69-24_4080_69-25_v1.exe The "1st french" one - crippled This is crippled beyond oblivion.. missing htms/cgis.. no profile wizard, no nothing.. Unless you know where it's from or your config is similar, you won't benefit from it. You can't change anything.
* Update_E240_A3J_70-52_7080_v1r.exe The "2nd french" one - 'superuser' - full router The 'newest and greatest' firmware around, with additional goodies and fixes. It comes borked; however, use the profile wizard trick and unlock everything, including FTP/Telnet access (same account).
There are new menu options and behaviors. It's possible to enable multiple connections with this one.. in theory, you can hook both eth/usb and have one serve a full-router-dmz and the other bridged, not sure of the advantages/implications (or even if the example is right hehe), but, you get more power.
The system log now behaves more like the firewall log, outlining errors/etc (yellow/red bg). I didn't pay much attention to verbosity, but, it seemed like the others..
New CGIs:
- Dynamic DNS Client - »192.168.254.254/ddnscfg.htm
- IP Passthru - »192.168.254.254/ipp_config.htm
- Remote Management Access - »192.168.254.254/ras_config.htm
There's a bunch of stuff over telnet.. type "do dumpcfg" if you're curious about the router syntax.. also, I'm pretty sure you can unlock a few goodies over telnet as well (cryptic permissions - etc.. cfg upro#0)..
The only puzzle left is the ftp structure. Everything is hidden, and, just like I said above, the telnet interface might unlock the 'ls'.. there is some space there, the decrypted firmware/boot images... etc 
xsh> show sys memory
Memory Usage: 2211040 bytes in use
3678568 bytes free
5889608 total bytes available
62% free
Don't use the extra 3.6MB of the modem to upload pr0n.
-----X------
That's it.. Hope to have helped. 
- 420 ancient "rore"
Doctor Olds (I Need A Remedy For What's Ailing Me. Premium, VIP, join: 2001-04-19, 1970 442 W30, kudos: 18) | Very Nice!
Regards,
Doctor Olds
420br @user.veloxzone.com.b | Re: SS5200 E240_A3J 70-52 Firmware/Account "hacking" Thank you
Forgot one thing: how to 'unpack' the firmwares... Just run them and zip up c:\windows\~cua... that's where they all unpacked their stuff. Tested on XP..
Cheers, - 420
 420br @10.100.2.118, 66.119 | reply to 420br More goodness..
Different firmwares and their telnet outputs regarding the admin account...
* Update_E240_A2W_70-37_6081_v1r(5).exe
xsh> show sys versions
Firmware: 004-E240-A2W Build: 70-37 Config: 003-6081-508 DSL: a5.52.70_TDC
upro#[0..8]
usr un = "admin" pw = "***" per = xC
cf url#[0..29] name = "" en = n alst = n addr = 0.0.0.0
acc ddns = n spo = y qsw = y rip = y brg = y upnp = y ac = y adv = y stat = y fw = y dhcp = y user = y imap = n uloc = n urem = n napt = y help = y sntp = y slog = y home = y oe = y wslh = y wslm = y host = y rout = y diag = n link = y upro = n epip = n eras = n last = y nl = n ne = y hip = n
* Update_E240_A21_70-7_1086-503.exe
xsh> show sys versions
Firmware: 004-E240-A21 Build: 70-7 Config: 003-1086-503 DSL: a6.02.00
upro#[0..8]
usr un = "admin" pw = "***" per = xC
cf url#[0..29] name = "" en = n alst = n addr = 0.0.0.0
acc ddns = n spo = y qsw = y rip = y brg = y upnp = y ac = y adv = y stat = y fw = y dhcp = y user = y imap = n uloc = n urem = n napt = y help = y sntp = y slog = y home = y oe = y wslh = y wslm = y host = y rout = y diag = n link = y upro = n last = y nl = n ne = y hip = n
Next time I fully reset the modem, I'll gather default A3J values..
I found out that my connection got more stability after mixing configs.. A2W reboots the modem from time to time.. VERY annoying, but, it has the optimal config for my ISP (their name is the telnet login.. so, it's theirs).. A3J seemed to take a little longer to sync.. taking A2W configs, I managed to get the best of both worlds
I'll keep updating as I find more (time to dig) stuff..
Cheers, 420
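The two telnet dumps above differ in only a couple of fields, and the follow-up posts talk about mixing configs between firmwares. As an added example (not code from this thread or from the modem vendor), here is a small Python parser for that flat "name = value" output, with a diff of the two dumps quoted above and a quick audit of which user accounts and permission values each config carries. The section/key nesting rules are an assumption inferred from the quoted text, since the flat dump does not preserve depth.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two "cfg upro#0"-style dumps quoted in the
# thread (A2W build 70-37 and A21 build 70-7), pasted as flat text.
DUMP_A2W = ('upro#[0..8] usr un = "admin" pw = "***" per = xC cf url#[0..29] name = "" '
            'en = n alst = n addr = 0.0.0.0 acc ddns = n spo = y qsw = y rip = y brg = y '
            'upnp = y ac = y adv = y stat = y fw = y dhcp = y user = y imap = n uloc = n '
            'urem = n napt = y help = y sntp = y slog = y home = y oe = y wslh = y wslm = y '
            'host = y rout = y diag = n link = y upro = n epip = n eras = n last = y nl = n '
            'ne = y hip = n')
DUMP_A21 = ('upro#[0..8] usr un = "admin" pw = "***" per = xC cf url#[0..29] name = "" '
            'en = n alst = n addr = 0.0.0.0 acc ddns = n spo = y qsw = y rip = y brg = y '
            'upnp = y ac = y adv = y stat = y fw = y dhcp = y user = y imap = n uloc = n '
            'urem = n napt = y help = y sntp = y slog = y home = y oe = y wslh = y wslm = y '
            'host = y rout = y diag = n link = y upro = n last = y nl = n ne = y hip = n')
VERSIONS_A2W = "Firmware: 004-E240-A2W Build: 70-37 Config: 003-6081-508 DSL: a5.52.70_TDC"

TOKEN = re.compile(r'"[^"]*"|\S+')          # quoted string or bare word
VERSION_FIELD = re.compile(r"(\w+):\s+(\S+)")  # "Build: 70-37" style pairs


def parse_dump(text: str) -> Dict[str, str]:
    """Parse a flat 'name = value' dump into {"section/key": value}.

    Assumption: tokens not followed by '=' are section labels. Consecutive
    labels are joined with '/' until the first key=value pair; after that,
    the next label starts a fresh path. Depth cannot be recovered from the
    flat text, so 'acc' after 'cf/url#[0..29]' becomes its own path.
    """
    toks = TOKEN.findall(text)
    out: Dict[str, str] = {}
    path: List[str] = []
    in_kv = False
    i = 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "=":
            key, val = toks[i], toks[i + 2].strip('"')
            out["/".join(path + [key])] = val
            in_kv = True
            i += 3
        else:
            if in_kv:           # a label after key=value pairs starts a new path
                path, in_kv = [], False
            path.append(toks[i])
            i += 1
    return out


def parse_versions(line: str) -> Dict[str, str]:
    """Turn the 'show sys versions' line into {"Firmware": ..., "Build": ...}."""
    return dict(VERSION_FIELD.findall(line))


def diff_dumps(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, list]:
    """Keys present in only one dump, plus keys whose values differ."""
    return {
        "only_in_a": sorted(k for k in a if k not in b),
        "only_in_b": sorted(k for k in b if k not in a),
        "changed": sorted((k, a[k], b[k]) for k in a if k in b and a[k] != b[k]),
    }


def account_summary(cfg: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """(username, permission value, password masked?) for every usr block.

    Useful after flashing or mixing configs: confirm which accounts exist,
    what 'per' they carry, and that the dump is not leaking passwords.
    """
    rows = []
    for k, v in cfg.items():
        if k.endswith("/usr/un"):
            prefix = k[: -len("un")]
            rows.append((v, cfg.get(prefix + "per", "?"), cfg.get(prefix + "pw") == "***"))
    return rows


if __name__ == "__main__":
    a2w, a21 = parse_dump(DUMP_A2W), parse_dump(DUMP_A21)
    print(parse_versions(VERSIONS_A2W))
    print(account_summary(a2w))
    print(diff_dumps(a2w, a21))   # A2W carries acc/epip and acc/eras; A21 does not
```

Run it on a "do dumpcfg" capture before and after changing firmwares to see exactly which knobs the new build added or dropped, rather than guessing from the web UI.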
 420br @10.100.2.114, 66.119 | reply to 420br Just to clarify what mixed configs meant... raw config on telnet..
You'll find out that from firmware to firmware the 'internals' change.. you can config your WAN stuff accordingly, but, some params are different over telnet.. They will retain some stuff from the previous default (not the important bits, but, stuff that could get _much_ more stability.. quick syncs, etc..)
Cheers, -420
 420br @10.100.2.114, 66.119 | reply to 420br
More stuff.. I've found out a possible way to unlock _any_ firmware.. steps:
1) Run your firmware of choice
2) Find out where it unlocked the firmware (usually c:\windows\~cua - c:\winnt\~cua)
3) Backup the 'defaults' file: XXX-XXXX-XXX.def.enc and close the firmware update.
4) Run the firmware you want to try out
5) Replace its .def.enc with the one you just backed up..
Simple, eh? 
Also, found more interesting config bits over telnet...
cfg sys - lets you set the modem to router/bridge/both, plus, some other things we have no idea about...
sys mode = brtr [brg,brtr,rtr] gw = 0.0.0.0 dns#0 = 0.0.0.0 dns#1 = 0.0.0.0 dns#2 = 0.0.0.0 prof = n dbtw = n disf = n dish = n dist = n b1vc = n sbm = n kpnp = n conf = 0 eipp = n tnet = n
cfg dsl - set log to 1 (cfg dsl{log=1), reboot the modem, check out what else "System Log" spits 
dsl mode = mult [mult,ansi,dmt,lite,emt] log = 0 mtm = n msm = n
It's quite interesting.. just out of curiosity, I checked the System Log.. all of a sudden, the pwr light blinked red.. I refreshed and found this:
0000-00-00 00:02:07 E I |ATM |vcc 0/33 responding to probe (code: 0)
0000-00-00 00:02:08 E I |PPP |LCP down
0000-00-00 00:02:08 E I |PPP |IPCP down
0000-00-00 00:02:08 E I |PPPoE |tx PADT, id: 7E68, ac: (NULL), sn: (NULL)
If all of a sudden your modem gets nasty on you and decides to reboot often, you know it's coming from your lovely telco. 
I've also given a try to the "IP Passthru" thing.. well, as the name pointed out.. it passed over the ip to the ethernet card... the downside? I couldn't access anything at all.. telnet/web got borked and I had to reset the modem to default configs... If anyone knows how to put it to work AND keep the router goodies up (telnet/web/ftp), let me know 
Cheers, -420
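The System Log lines in the post have a regular layout, and the point of the post is recognising a telco-side PPPoE teardown (LCP down, IPCP down, then the modem sending a PADT) before blaming the modem. The Python snippet below is an added example, not code from the thread or the vendor: it parses those lines, notes that the clock is unset (the 0000-00-00 date, which matches the Time Client observations later in the thread), and reports complete teardown sequences. The column layout is an assumption inferred from the four quoted lines, and a fifth line is constructed to show that an isolated "LCP down" is not counted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the four System Log lines quoted in the post, plus one
# constructed "LCP down" with no follow-up, to show it is not reported.
SAMPLE_LOG = """\
0000-00-00 00:02:07 E I |ATM |vcc 0/33 responding to probe (code: 0)
0000-00-00 00:02:08 E I |PPP |LCP down
0000-00-00 00:02:08 E I |PPP |IPCP down
0000-00-00 00:02:08 E I |PPPoE |tx PADT, id: 7E68, ac: (NULL), sn: (NULL)
0000-00-00 00:05:10 E I |PPP |LCP down
"""

# Assumed layout: date, time, two single-letter flag columns (their meaning
# is not documented in the thread), a |subsystem column and a |message column.
LOG_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<f1>\S) (?P<f2>\S) \|(?P<subsys>\w+)\s*\|(?P<msg>.*)$"
)


@dataclass
class Entry:
    date: str
    stamp: int      # seconds since 00:00:00 of the logged day
    flags: str      # the two flag columns, concatenated
    subsys: str
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return Entry(m["date"], h * 3600 + mi * 60 + s, m["f1"] + m["f2"],
                 m["subsys"], m["msg"].strip())


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def clock_is_unset(entries: List[Entry]) -> bool:
    """A 0000-00-00 date means no time client ever synced, so the stamps
    are relative to boot rather than wall-clock time."""
    return bool(entries) and all(e.date == "0000-00-00" for e in entries)


def padt_fields(msg: str) -> Dict[str, str]:
    """Split 'tx PADT, id: 7E68, ac: (NULL), sn: (NULL)' into its fields."""
    return dict(re.findall(r"(\w+): ([^,]+)", msg))


# The teardown the post observed, in order: LCP down, IPCP down, then the
# modem itself transmitting a PADT to end the PPPoE session.
DROP_SEQUENCE = [("PPP", "LCP down"), ("PPP", "IPCP down"), ("PPPoE", "tx PADT")]


def find_session_drops(entries: List[Entry], window: int = 5) -> List[int]:
    """Timestamps of LCP-down events that are followed, in order and within
    `window` seconds, by IPCP down and a transmitted PADT."""
    drops = []
    for i, e in enumerate(entries):
        if (e.subsys, e.msg) != DROP_SEQUENCE[0]:
            continue
        want = DROP_SEQUENCE[1:]
        for f in entries[i + 1:]:
            if f.stamp - e.stamp > window:
                break
            if want and f.subsys == want[0][0] and f.msg.startswith(want[0][1]):
                want = want[1:]
        if not want:            # every step of the sequence was seen
            drops.append(e.stamp)
    return drops


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("clock unset:", clock_is_unset(log))
    print("session drops at (seconds after boot):", find_session_drops(log))
    for e in log:
        if e.msg.startswith("tx PADT"):
            print("PADT fields:", padt_fields(e.msg))
```

Pasting the System Log into this after a red-PWR episode gives you the drop times in uptime seconds; if the PADT is always preceded by LCP/IPCP down rather than by a DSL retrain, the session is being ended at the PPP layer, which is the telco-side pattern the post describes.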
 420br @user.veloxzone.com.b | reply to 420br
Re: SS5200 E240_A3J 70-52 Firmware/Account "hacking" A29 successfully hacked.. Seems really crippled, but, very stable.. telnet commands differ a little..
If there was any interest at all, I'd post the steps to hack telnet access.. (should work with ANY speedstream modem, as they might use the same fw update process... ftp.. etc)..
Cheers, 420
Doctor Olds | I'm interested in "all" you care to share. Please continue. Hacking Telnet access next up?
Regards,
Doctor Olds
reply to 420br | Alright.. I picked up where duress left off, as the update process seemed clumsy and _very_ insecure..
You'll need a good packet sniffer to accomplish the job, since you'll need to filter _only_ port 21 to get your "magic key". Steps:
1) Fire up your packet sniffer on port 21
2) Take note of the login (5 numbers, NOT random - e.g.: 27701, 26902, etc.. the fw has a list of "logins" to choose from)
3) Pay attention to the modem lights. As soon as PWR stops blinking red, quickly fire up your telnet and login with the ftp account - the password is the login, as you noticed on the sniffer
4) Sit on telnet until the modem reboots, otherwise, the fw update password will _reset_ BEFORE rebooting.
5) After rebooting, keep trying to telnet the modem and login quickly before it resets the password (usually after dsl sync starts)
6) Use the web login to set up the admin account
7) You're now ready to open up telnet access with this command: cfg sys{usr#0{pem=-1
If you don't feel like losing your current config, but, you DO want to hack up your speedstream telnet, you can cut a few steps:
1) Instead of "sitting" on telnet waiting for the upgrade process, ctrl-alt-del and kill it or simply take off your ethernet/usb cable. It's nothing but a file upload, don't be nervous.
2) You now need the unpacked fw (c:\windows\~cua) to decrypt the .img files with bcr.exe (bcr.exe -k="EFNTEFNT" -d XXX.img.enc XXX.img)
3) After unpacking the 3 .enc files, upload them to your modem.. otherwise, you might have a surprise after booting..
4) Do whatever you gotta do to 'free' the admin OR superuser/etc accounts..
ps: On most fw's, you can pick up the telnet login/pass on the .def.enc file (after you decrypt it), thus, eliminating the risks of f*cking up the process heh (and your modem), but, on those crippled (as A29), you gotta play a little and find out what a valid permission is for both web AND telnet (which in this case was -1).
Now you can safely reboot any time and use the admin account you just set up over the web to telnet and ftp to the modem. You have access to all web config pages, except, Profile Wizard. I'm pretty sure this fw can be fully unlocked - I managed to "accidentally" enable "Advanced Properties" on the menu, but I didn't keep track of what I did (it's pretty much trial-and-error hehe).
Have fun 
Cheers, -420
Doctor Olds | Thanks for sharing. Now to have some fun.
Regards,
Doctor Olds
reply to 420br | Re: SS5200 E240_A3J 70-52 Firmware/Account "hacking" 420br, do you have ICQ or Messenger?
ah nvm it's fine now
Doctor Olds | Re: SS5200 E240_A3J 70-52 Firmware/Account "hacking" So do you like the improvements?
Regards,
Doctor Olds
Doctor Olds | reply to 420br | said by 420br: "It IS the newest firmware for 5200 around, it looks crippled.. but in fact.. it's not"
I hope you are still around. 
Have you looked at/seen this Firmware before?
Update_E240_A2H_69-27_7080_v1r.exe
Regards,
Doctor Olds
Which one is that? New?
reply to Doctor Olds | I tried this out the other week. It's pretty nice. Don't have to enable hidden options here. All menu items (except update and Profile Wizard) are enabled by default. Profile Wizard doesn't actually exist in this version.
A few things I noticed:
Used very little memory - left modem with 71% free.
Time Client defaults to disabled and has no preset time servers (though you can still enter a primary and secondary manually), also no field to enter Timezone Offset.
In Port Forwarding, enabling "Redirect selected protocol/service to this router" actually works, which I haven't seen work in any other versions.
In the VCC wizard, it skips the screen(s) that ask about enabling Auto connect, ADS, UPNP, NAPT. Sets all to enabled though.
No separate PPP menu to change user/pass. Have to logout first and then you get the change user/pass, access concentrator, auto connect, idle timeout stuff.
URL Filtering is a separate menu under Firewall.
As with the A3J firmware, you can't update this firmware straight from bridge. It won't run and will tell you something like 'No update required'. You have to upgrade first (or have already upgraded) with another version and then run the update file for it to work.
I believe A2H to be older than the A3J, but still good.