TECHNICOLOR ROUTER HACK CODE
With such interesting findings, the firmware code was analyzed. This means that the box was completely owned. More interestingly, the “admin” credentials also work on the telnet access and allow access to the console.Īmong a few commands, the call command allows one to execute any function with any parameter. The cable company was informed about the issue but as far as we know they have not corrected it yet. The hidden account also works remotely meaning that if you grant a visitor access to your LAN, then he can connect to the web interface and activate the previous option as a backdoor connection to the box. It is off by default for this provider, however, by activating it, it allows you to connect to the web interface from outside of the LAN with the URL. In the web interface there is a “Remote Config Management” option. This is where the first security problem arose. Nevertheless, these credentials also worked at a friend’s place who has the same operator and same box to access the web interface. It seems to be added by the cable company and not Thomson since the memory space seemed to be customized by the cable company. This is a hidden account which allows you to change the settings of the box but you can neither disable it nor change the password. But there is more, just after the account credentials, another account seems to be hard coded (value changed in the image) and this account is allowed to connect to the web interface. In addition, the WPA-PSK was also in clear text.
TECHNICOLOR ROUTER HACK PASSWORD
The firmware strings were then displayed:Ĭustomer account and password were in clear in the firmware. The flash chip was a Macronix MX25L6405D and with the help of we were able to extract the firmware.
However, the access is protected by a password and in this case, the credentials of the web interface were not accepted. In addition, a telnet server was running at this address: Then another IP address, 192.168.100.1, was noticed on the local network. However no interactive shell was available after the start-up which can happen sometimes. The operating system is RTOS eCos and runs on a MIPS BCM3380.
TECHNICOLOR ROUTER HACK SERIAL
The serial port was quickly found:Īfter hooking up the serial port, the bootloader displayed interesting information: Therefore the box was opened to hunt for a serial/jtag port. After scanning the box address no other open port was found. The standard web vulnerabilities were tested on the web interface but nothing like for previous boxes was found. The good thing about this is that the internet provider delivers the box with the customer number as the login and a randomly chosen password. A web interface is accessible on to configure it. In addition to its four Gigabit Ethernet LAN ports, the C2000T also offers an IEEE 802.11n wireless access point for Local Area Network (LAN) access.This box provides Internet access through DOCSIS and offers all the usual features found in this kind of modem. Gigabit Connections Made Possible with the C2000TĪ dedicated Gigabit Ethernet flexible WAN/LAN port and DSL WAN sensing make the C2000T also the ideal service gateway for use in mixed DSL and fiber-based networks. The C2000T is also a “future-proof” and powerful gateway, allowing VDSL2 (Bonded) connectivity and providing Voice over IP (telephone) functions for residential users. The C2000T helps get the most out of your internet service by combining all of your DSL services into one device for most “triple-play” packages while allowing you to use your existing wiring. Please call your provider prior to purchasing to confirm compatibility. Compatible with most CenturyLink DSL services. The firewall and WEP encryption security options help keep your data safe and secure. The perfect DSL modem for streaming video, music, and gaming. Quick and easy connection to the internet is made possible with this CenturyLink C2000T ADSL/VDSL modem and router combo, featuring Wireless-N technology for clear signals and enhanced range. About the Technicolor C2000T Wireless DSL Modem