May 14, 2020

TP-Link WR886N Chinese Third Party Firmware

Here we go. After modding the FLASH and RAM, it's time to brush the device with third-party firmware. This device, the WR886N version 3.0, is supported by the OpenWrt, SuperWrt, DD-Wrt and Gargoyle Linux open-source firmware. What we need is a cheap USB 25Q FLASH programmer and a USB-to-TTL adapter for the serial console. Next, decide which boot loader you want to get accustomed to.


The first boot loader utility is BREED, aka Boot and Recovery Environment for Embedded Devices, a closed-source boot loader by hackpascal. It is in Simplified Chinese; just use Google Translate to understand it. You can find it on Google under the filename breed-tp9343.bin.

The second boot loader is also BREED, but a modified version translated from Simplified Chinese into English. Search for the filename u-boot_tp9343.bin.

The third boot loader is the u-boot stripped from the TP-Link WR940N version 3.0 stock firmware; the filename is u-boot_tp-link_wr940nv3.bin.


The first brushing I did was with the TP-Link stock firmware for the WR940N version 3.x, which is identical to the WR941ND version 6.x in SoC, RAM and FLASH. Likewise the WR940N version 4.x and 5.x.


This is TP-Link stock firmware version 4.x. If you want to know more about the internal web graphical user interface, visit tp-link.com for the respective wireless router emulator.


Brushing with third-party firmware such as OpenWrt is straightforward, since you can just upload it via the web interface if the wireless router is running the TP-Link stock firmware. TFTP is another method of brushing the firmware; it is usually used to recover bricked devices.


I favor the OpenWrt third-party firmware because of its many packages for the wireless router. LEDE was also successfully tested on both the WR940N and WR941ND. On the Chinese forum someone mentioned that the WR886N ver3.0 can be flashed with TP-Link WR940N version 5.x; how true is it?


This is TP-Link's new web graphical user interface, which adds features such as Access Point only, Repeater or Range Extender, and WISP. The old version does not support these additional functions, only WDS and Wireless router. These added features were exclusive to the TP-Link WA series devices, not the WR and WDR. The choice of firmware depends on the user; what I like about the OpenWrt firmware is that the TP9343 SoC can be fully enhanced to 26dBm or 398mW of power.

If you know another third-party Linux firmware that I did not mention, let me know; I want to brush the device with the firmware that you have tried.

TP-Link WR886N Chinese Version 3 Mod RAM FLASH

First we have to open the clamshell-type casing of the TP-Link WR886N Chinese version 3.0. It has only two small screws, found at the back of the device. Unscrew them, then use a plastic or metal knife to open the rounded upper cover.


You need basic electronics skills and a hot air gun for desoldering the RAM and the FLASH. I used a portable hot air gun; for the FLASH I set it to at least 400 to 450 C so I could lift the chip with tweezers, and 500 to 550 C for the RAM.


An old PC3200 laptop RAM module of mine, with eight memory chips by 64MB, substitutes for the TP-Link WR886N's 16MB memory.


Let's just swap a RAM chip from the memory module onto the router. Putting the memory onto the router is sweaty work: aligning it takes time, and most of the time the memory pins don't sit properly, so clean the pads and the pins before heating the chip back onto the circuit board.


Once that is done and the FLASH and the RAM are in place, test and power up so we can proceed to brushing the third-party firmware.

TP-Link WR886N Chinese V3 Specs

A week earlier I went to an online store to look for a second-hand wireless router that I could make use of for OpenWrt plus VPN add-ons, or a similar cheap router that supports it. There I found a used TP-Link WR886N Chinese version 3.0; the device looked good and very cheap, and the specs are near average for a consumer device.


In less than ten days the parcel arrived; a postman came to deliver it to the house and I paid the COD.
I ordered two pieces. For me the price is reasonable: it cost only 354.00 Php each, while the shipping was 100 Php for the two devices.


Looking at the physical appearance, it has three 5dBi flat-circuit omnidirectional antennas and a single system/power LED on the front.


At the rear are the power input jack (there is no ON/OFF switch), a pinhole RESET button, a single 100Mbps WAN port and four 100Mbps LAN ports.



The FLASH is a 25Q16 series part, which means the chip is a 16M-bit serial flash; in other words, only 2MBytes of flash storage.


The RAM is from Zentel, an A3S28D40JTP-50. Per its specs it is a 128M Double Data Rate Synchronous DRAM, so it has a capacity of only 16MB of RAM.



The TP-Link WR886N Chinese version 3.0 is equipped with a Qualcomm Atheros TP9343-AL3A from Taiwan. The SoC has a 750 MHz processor.



The internal circuitry of the TP-Link WR886N Chinese version 3.0 seems to have many clones under different model names. According to Wikidevi, which is now Deviwiki, the similar devices are the TP-LINK TL-WA901ND v4.x and v5.x, TL-WR882N v1.x, TL-WR886N v1.x, TL-WR940N v3.x/v4.x/v5.x, WR941ND v6.x and TL-WR941HP v1.x.


The TP-Link wireless routers mentioned above are identical to the WR886N version 3.0 with the same SoC, but some of them vary in RAM and FLASH and have more, such as 4MB and 32MB. As it stands, this device does not qualify for brushing with third-party wireless router firmware such as OpenWrt, SuperWrt, DD-Wrt or Gargoyle. The remedy for the WR886N ver3.0 is to modify the RAM and FLASH so that it can run third-party open-source wireless router firmware fully.

Apr 25, 2020

PLDT Fiberhome ONU RP2684

At the request of one of the commenters on this blog: a legit PLDTHOMEFIBR subscriber commented that his AN5506-04-F ONU/ONT was recently patched with firmware RP2684 and that the password for the adminpldt account is nowhere to be found.

Yes, there are a few changes in firmware RP2684 for the Fiberhome ONU AN5506-04-F. One of them prevents gaining the adminpldt access level to do configuration on the web user interface, so PLDT can limit what subscribers do to the FTTH device.

Here is a list of the command line interface commands that you can use or practice. Take note that any alteration done by you or on your behalf will void the warranty of your PLDT Fiberhome ONT/ONU device if a malfunction occurs.

WRI(DEBUG_H)> list
0. active section [0|1]
1. bobtest read_regs slave_addr <0-255> begin_addr <0-255> count <1-32>
2. bobtest write_regs slave_addr <0-255> begin_addr <0-255> count <1-32> value1 <0-255> {value2 <0-255>}*1 {value3 <0-255>}*1 {value4 <0-255>}*1 {value5 <0-255>}*1 {value6 <0-255>}*1 {value7 <0-255>}*1 {value8 <0-255>}*1 {value9 <0-255>}*1 {value10 <0-255>}*1 {value11 <0-255>}*1 {value12 <0-255>}*1 {value13 <0-255>}*1 {value14 <0-255>}*1 {value15 <0-255>}*1 {value16 <0-255>}*1 {value17 <0-255>}*1 {value18 <0-255>}*1 {value19 <0-255>}*1 {value20 <0-255>}*1 {value21 <0-255>}*1 {value22 <0-255>}*1 {value23 <0-255>}*1 {value24 <0-255>}*1 {value25 <0-255>}*1 {value26 <0-255>}*1 {value27 <0-255>}*1 {value28 <0-255>}*1 {value29 <0-255>}*1 {value30 <0-255>}*1 {value31 <0-255>}*1 {value32 <0-255>}*1
3. clear
4. clear_save gpio
5. commit section [0|1]
6. control opticalgenerator [enable|disable] mode [prbs7|prbs15|prbs23|prbs31|alt]
7. debug cli_msg id
8. debug cli_msg send_buf
9. del port_vlan_service
10. delete onuhw version
11. exit
12. fandebug [enable|disable]
13. get image status
14. get nvram
15. get system status
16. get version info
17. get web [user|admin] username
18. help
19. i2c read
20. i2c write
21. list
22. mibreset
23. optdebug [enable|disable]
24. output redirect
25. printenv env_key FHSNOUI
26. printenv env_key ethaddr
27. quit
28. read gpio <0-256>
29. read i2c device page <0-255> addr <0-255>
30. run [local_config]
31. run [omci_tl]
32. set bar code [pcb|bosa]
33. set black_list
34. set debug_level
35. set default-printf-to [disable|console|telnet|all]
36. set dhcp_delivery [disable|enable]
37. set electricfan run temperature <0-100> stop temperature <0-100>
38. set nvram
39. set oam_print [rx|tx|stop]
40. set omci_status
41. set onuhw version
42. set opt power [enable|disable]
43. set opt rxpoweradjust1 min max offset
44. set opt rxpoweradjust2 min max offset
45. set optoutpower level <0-2>
46. set optoutpower offset
47. set optpoll [enable|disable]
48. set optrxpower offset
49. set ponrate_config_switch <0-1>
50. set port_all_isolation [disable|enable]
51. set port_attribute [L2|L3]
52. set port_igmp_state [0|1]
53. set port_isolation [disable|enable]
54. set port_vlan_service
55. set pppoe_delivery [disable|enable]
56. set print_num
57. set queue_protect [on|off]
58. set show_packets [rx|tx|rtx|stop]
59. set web [user|admin] username password
60. set web default [user|admin] username password
61. setbuttondebug [disable|enable|start]
62. setleddebug [disable|enable|on|off]
63. setlog [omci|none] [old|pkt|timer|conf|temp|info|none|warning]
64. setpmlog <0-1>
65. setusbdebug
66. shell
67. show [ponrate_config_switch]
68. show bar code [pcb|bosa]
69. show black_list
70. show catv rf
71. show debugversion
72. show electricfan work temperature
73. show history
74. show optoutpower level
75. show optoutpower offset
76. show optrxpower adjust
77. show port_info
78. show power supply
79. show print_num
80. show queue_info
81. tshell
82. updateenv ethaddr
83. updateenv fhsnoui
84. upload ftp any
85. write gpio <0-256> <0-1>
86. write i2c device page <0-255> addr <0-255> value <0-255>
87. write_save gpio


Mar 5, 2020

Fiberhome HG6245D PLDTs Ultimate Solution

Early this year, in January 2020, I was really eager to have the PLDT Fiberhome HG6245D ONT on hand for my mini lab as part of my toy collection, aside from the AN5506-04-XXX series devices. Luckily, in the first week of March, this shiny dual-band Optical Network Unit was handed over to me. It is most likely identical to the AN5506-04-FA, equipped with two USB ports and two POTS ports.


I will talk about the specs of the HG6245D in another post. For now I want to say more about other issues: this PLDT ONU/ONT will most likely favor the GIANT Telco and ease its headache from those malicious subscribers who are prone to exploiting their residential gateways (RG). Many things on this ONU have been really restricted; for example, getting the web access username adminpldt and its password is now omitted from the CLI.

This ONT device has four (4) LAN ports, like the AN5506-04 series. To my surprise, even if LAN 2, 3 and 4 are ticked, you won't get any internet access on them. Oh man, and this is not the least of it; I will write more on this. The sad news about this ONU/ONT device is that you will NOT be able to migrate it to another PLDT Fiberhome OLT unless someone activates its MAC and SN.

To be continued .....

Feb 29, 2020

PLDT Fiberhome HG6245D RP2602

Finally I was able to find one PLDT Fiberhome ONU HG6245D around the NCR area. The good thing is that the firmware is still unchanged, RP2602, so the default Super Admin username and password for the graphical user interface (GUI) are widely known; no need to guess. How about the adminpldt user account and password? It is the default, which you can find on this blog; it is identical to the AN5506-04-FA/T, so there's no need to worry.


Looking at the menus I can see no difference from RP2627 and RP2631 of the AN5506-04-FA, except that the IPTV sub-menu is already revealed.


Another sub-menu we can see under the Network menu is VoIP Settings. This reminds us that it would be possible to replicate the VoIP settings, make our own relay server and use a softphone.

On the hardware side it is also an ARMv7 processor, but a Broadcom chip with only a single core.
#cat /proc/cpuinfo
processor : 0
model name : ARMv7 Processor rev 5 (v7l)
BogoMIPS : 100.00
Features : half thumb fastmult edsp tls idiva idivt lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc07
CPU revision : 5
processor : 1
model name : ARMv7 Processor rev 5 (v7l)
BogoMIPS : 100.00
Features : half thumb fastmult edsp tls idiva idivt lpae
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc07
CPU revision : 5
Hardware : BCM96846
Revision : 0000
Serial : 0000000000000000
#
Going to the MTDs, here is what we get:
#cat /proc/mtd
dev: size erasesize name
mtd0: 03880000 00020000 "rootfsA"
mtd1: 03880000 00020000 "rootfsB"
mtd2: 00a00000 00020000 "data"
mtd3: 00100000 00020000 "nvram"
mtd4: 00200000 00020000 "PreConfigure"
mtd5: 00100000 00020000 "UserLocalCT"
mtd6: 08000000 00020000 "dummy1"
mtd7: 08000000 00020000 "dummy2"
mtd8: 01360000 0001f000 "rootfs_ubifs"
mtd9: 0001f000 0001f000 "METADATA"
mtd10: 0001f000 0001f000 "METADATACOPY"
mtd11: 01d10000 0001f000 "app_ubifs"
mtd12: 002d8484 0001f000 "filestruct_full.bin"
mtd13: 01360000 0001f000 "rootfs_ubifs"
mtd14: 0001f000 0001f000 "METADATA"
mtd15: 0001f000 0001f000 "METADATACOPY"
mtd16: 01d10000 0001f000 "app_ubifs"
mtd17: 002d8484 0001f000 "filestruct_full.bin"
mtd18: 007df000 0001f000 "data"
#
Getting the web username and password no longer looks possible from the Config\web# list.
Config\web# list
0. cd [..|device|service|switch|codec|dsp|protocol|pon|gpon|omci|wlan|tr069|wan|igmp|gponl3|oam|ntp|mld|web]
1. clear
2. exit
3. help
4. list
5. show history
Config\web#

We will wait and see; if an update takes place on this ONU I will visit again to see whether the CLI becomes more like that of the AN5506-04-FA/T.


Feb 22, 2020

SkyCable Fiberhome ONU AN5506-04-D

Another episode of Fiberhome ONU/ONT, this time from SkyCable, a semi-giant cable TV provider in the Philippines that is now integrating its CATV into a starter ISP. Interestingly, I stumbled upon its FTTH devices: the ONUs are left exposed to the internet with the default username and password.


I was looking for a Converge ONU, hoping to find one for experimentation; instead what I got was a SkyCable ONT, the AN5506-04-D. This optical residential gateway is identical to the AN5506-04-F, only with a telephone port. Going to the graphical user interface, it is not customized firmware but rather the factory default. Have a look at the few screenshots.




If you are eager to see the CLI inside, you can use PuTTY for easy navigation; the username and password are just the defaults and were never changed. I suggest that the tech staff at the SkyCable NOC take action on their network devices; someone can just exploit them if no action is taken.

Dec 18, 2019

Globe Fiberhome HG180U VDSL

In the Philippines, the Globe Internet Service Provider also uses the Fiberhome VDSL HG180U device for high-rise buildings; it does not use a fiber optic line but the PSTN twin copper wire. The giant telco PLDT likewise has this Home Gateway equipment for tall buildings where optic cable is not possible to deploy. This device is equipped with 802.11ac, three LAN ports and a single WAN port.


The graphical user interface has no differences from the PLDT firmware, except for the default usernames and passwords, such as the admin account and the super admin credentials.


HG180 VDSL2 802.11ac Home Gateway

http://192.168.254.254

username: admin
password: 3UJUh2VemEfUtesEchEC2d2e

PLDT Home Fibr UN-CGNAT Finally Solved

Today I finally solved the PLDT Home Fibr CGNAT: I UN-CGNATed it and said goodbye to the updates, so welcome back to my Dynamic Public IP addresses.

Nov 16, 2019

PLDT CGNAT Forcibly Implemented To Subscribers

I have had my Dynamic Public IP address for years, since I migrated to the Giant Telco in the Philippines. I have been enjoying hosting my web server, FTP, and other stuff such as an IP camera on the public network without additional cost to my net bill. It was there for so long, and the free DDNS from Duck helped me a lot in locating my online stuff. A few days back this week, all my services on the internet stopped and were no longer working. I was not well informed by my ISP that PLDT is combating the IPv4 and has no plans to comply with IPv6 as a major ISP in this country.


I rushed to Google to check my public IP address; it had not changed, it was the usual address that I am using. But wait a minute, I had to log in to my AN5506-04-FA Fiberhome ONU to see if there were some changes in my settings. Yes, Holy Ghost, CGNAT was already implemented in my area. I called 171 and talked to the CSR; the person I had the conversation with gave me some hope that my Dynamic Public IP address would be restored in 24 to 48 hours. Guess what: the following day I called 171 again, and the next person who picked up my call didn't know anything about what I was talking about. We lasted about an hour on the phone; he kept me waiting, listening to the PLDT IVRS advertisement, until the call dropped.

On the third day I made the call hoping an angel would rescue my Dynamic Public IP address and it would be returned as I wished. I was hopeless: the girl on the other end of the telephone said, I am sorry, we do not have the capacity to do so, we are limited in access and only the second level can do that; you have to inquire with the products and services (meaning you now have to pay an additional cost for that dynamic public IP address) if you really want to have it.

So the intention of my Giant ISP for IPv4 is not only the conservation of IPs but also something that can add to their annual revenue if you wish to have a public IP address. The CGNAT will do PLDT a favor. So whether you are a subscriber of PLDT Home Fibr or PLDTDSLBiz, you are now subject to CGNAT. If you wish to have a public IP address you have to avail of it as an add-on under their "Product and Services". As of this moment I still have no solution for regaining my Dynamic Public IP address so that my online services stay up again. If you have something to share about CGNAT, do not hesitate to comment below and post it.

Nov 8, 2019

Overwrite A5-V11 Qualcomm OEM Firmware With OpenWrt Image

Here are a few steps to overwrite the OEM firmware of the a5-v11 router with openwrt.

1) Prepare a FAT formatted USB-Flash-Drive and unzip this a5-v11-openwrt.zip to USB-Flash-Drive. (Important: do not just copy a5-v11-openwrt.zip to flash-drive, unzip this file to USB-Flash-Drive, this folder contains openwrt-factory.bin with needed boot-loader and update scripts)

2) Prepare this setup as shown in the picture below.


3) After applying +5v power to a5-v11, RED-LED on this router stays ON for few seconds, and then BLUE-LED starts blinking (from power-ON to blinking-blue-led-state, it takes about 1minute)

4) By this time, your PC would get the ip in the range of 192.168.100.x from the a5-v11's dhcp server.


5) Ensure that your a5-v11 has qualcomm firmware by looking at the web-UI of this router.


NOTE: Do not continue if your router's web page is different from the one shown above (Qualcomm); you might have received another variant with Chinese firmware. Instructions for overwriting the Chinese firmware are given in my other blog.

6) telnet to the a5-v11 using putty.exe(or telnet command) as shown below.


7) Run the following commands as shown in the picture below


8) After reboot, wait for a minute. This time the openwrt firmware will boot on the a5-v11, and your PC will get an IP in the range of 192.168.1.x

9) If everything goes well, your browser will show the following web UI of openwrt


10) As shown above, follow step-1 and 2 to log in with the default root user.

11) After login you will see the following page


12) You can overwrite the openwrt firmware with your own openwrt variant by clicking on the menu system=>Backup/Flash Firmware as shown in the picture above. Have fun hacking your a5-v11 with open-source firmware!!!


Oct 22, 2019

OpenWrt Multiple SSID with VLANs

Multiple SSID with VLAN

The basic idea is to give the tl-wr1043ND multiple virtual SSIDs, each SSID using its own VLAN. On the switch, each will be connected to a specific operator with the corresponding VLAN.


A client can opt for a specific SSID, which correlates with a particular operator. For example, the SSID OpenWrt1 is operator “A”, which is connected with VLAN10.

The configuration follows:

root@OpenWrt:~# cat /etc/config/network

config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'lan'
    option 'ifname' 'eth0'
    #option 'type' 'bridge'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'ipaddr' '192.168.11.1'

config interface vlan10
    option ifname eth0.10
    option type bridge
    option proto static
    option ipaddr 192.168.10.1
    option netmask 255.255.255.0

config interface vlan20
    option ifname eth0.20
    option type bridge
    option proto static
    option ipaddr 192.168.20.1
    option netmask 255.255.255.0

config interface vlan30
    option ifname eth0.30
    option type bridge
    option proto static
    option ipaddr 192.168.30.1
    option netmask 255.255.255.0

config interface vlan40
    option ifname eth0.40
    option type bridge
    option proto static
    option ipaddr 192.168.40.1
    option netmask 255.255.255.0

config 'interface' 'wan'
    option 'ifname' 'eth1'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.9'
    option 'netmask' '255.255.255.240'
    option 'gateway' '192.168.1.1'
    option 'dns' '192.168.2.2'

==========
root@OpenWrt:~# cat /etc/config/wireless

config 'wifi-device' 'radio0'
    option 'type' 'mac80211'
    option 'macaddr' '00:15:6d:f8:f7:bb'
    option 'htmode' 'HT20'
    list 'ht_capab' 'SHORT-GI-40'
    list 'ht_capab' 'DSSS_CCK-40'
    option 'channel' '05'
    option 'disabled' '0'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'mode' 'ap'
    option 'hidden' '0'
    option 'encryption' 'none'
    option 'isolate' '0'
    option 'bgscan' '0'
    option 'wds' '0'
    option 'macfilter' 'none'
    option 'ssid' 'OpenWrt1'
    option 'network' 'vlan10'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'mode' 'ap'
    option 'hidden' '0'
    option 'encryption' 'none'
    option 'network' 'vlan20'
    option 'ssid' 'OpenWrt2'
    option 'isolate' '0'
    option 'bgscan' '0'
    option 'wds' '0'
    option 'macfilter' 'none'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'mode' 'ap'
    option 'hidden' '0'
    option 'encryption' 'none'
    option 'network' 'vlan30'
    option 'ssid' 'OpenWrt3'
    option 'isolate' '0'
    option 'bgscan' '0'
    option 'wds' '0'
    option 'macfilter' 'none'

config 'wifi-iface'
    option 'device' 'radio0'
    option 'mode' 'ap'
    option 'hidden' '0'
    option 'encryption' 'none'
    option 'network' 'vlan40'
    option 'ssid' 'OpenWrt4'
    option 'isolate' '0'
    option 'bgscan' '0'
    option 'wds' '0'
    option 'macfilter' 'none'

========
root@OpenWrt:~# cat /etc/config/dhcp

config 'dnsmasq'
    option 'domainneeded' '1'
    option 'boguspriv' '1'
    option 'filterwin2k' '0'
    option 'localise_queries' '1'
    option 'local' '/lan/'
    option 'domain' 'lan'
    option 'expandhosts' '1'
    option 'nonegcache' '0'
    option 'authoritative' '1'
    option 'readethers' '1'
    option 'leasefile' '/tmp/dhcp.leases'
    option 'resolvfile' '/tmp/resolv.conf.auto'

config 'dhcp' 'lan'
    option 'interface' 'lan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    option 'ignore' '0'

config 'dhcp' 'wan'
    option 'interface' 'wan'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    option 'ignore' '1'

config 'dhcp'
    option 'interface' 'vlan10'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    option 'ignore' '0'

config 'dhcp'
    option 'interface' 'vlan20'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    option 'ignore' '0'

config 'dhcp'
    option 'interface' 'vlan30'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    option 'ignore' '0'

config 'dhcp'
    option 'interface' 'vlan40'
    option 'start' '100'
    option 'limit' '150'
    option 'leasetime' '720m'
    option 'ignore' '0'
========
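
A consistency check for the SSID-to-VLAN mapping described above, as an added example that is not part of the original post: it parses UCI text and reports SSIDs bound to undefined networks, VLAN subnets that overlap, networks without a DHCP pool, and SSIDs left open or without client isolation. The sample text is constructed from the configuration above; the `psk2` SSID and its key are assumptions added for contrast.

```python
import ipaddress
import shlex

# Constructed sample: a cut-down copy of the configuration above, plus one
# secured SSID (OpenWrt3) that deliberately points at an undefined network.
NETWORK = """
config interface vlan10
    option ifname eth0.10
    option ipaddr 192.168.10.1
    option netmask 255.255.255.0
config interface vlan20
    option ifname eth0.20
    option ipaddr 192.168.20.1
    option netmask 255.255.255.0
"""
WIRELESS = """
config 'wifi-iface'
    option 'encryption' 'none'
    option 'isolate' '0'
    option 'ssid' 'OpenWrt1'
    option 'network' 'vlan10'
config 'wifi-iface'
    option 'encryption' 'psk2'
    option 'key' 'constructed-passphrase'
    option 'isolate' '1'
    option 'ssid' 'OpenWrt3'
    option 'network' 'vlan30'
"""
DHCP = """
config 'dhcp'
    option 'interface' 'vlan10'
    option 'start' '100'
    option 'limit' '150'
"""


def parse_uci(text):
    """Return a list of sections: {'type', 'name', 'options': {key: value}}."""
    sections = []
    # Web pages often turn straight quotes into typographic ones; undo that.
    text = text.replace("\u2018", "'").replace("\u2019", "'")
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # drops '#' comments
        if not words:
            continue
        if words[0] == "config" and len(words) >= 2:
            name = words[2] if len(words) > 2 else None
            sections.append({"type": words[1], "name": name, "options": {}})
        elif words[0] in ("option", "list") and len(words) >= 3 and sections:
            sections[-1]["options"][words[1]] = words[2]
    return sections


def audit(network, wireless, dhcp):
    """Cross-check the three UCI files and return a list of findings."""
    findings = []
    nets = {s["name"]: s["options"] for s in parse_uci(network)
            if s["type"] == "interface"}
    dhcp_ifaces = {s["options"].get("interface") for s in parse_uci(dhcp)
                   if s["type"] == "dhcp"}
    # Overlapping subnets would let two "separate" SSIDs share an address range.
    subnets = {}
    for name, opts in nets.items():
        if "ipaddr" in opts and "netmask" in opts:
            subnets[name] = ipaddress.ip_interface(
                f"{opts['ipaddr']}/{opts['netmask']}").network
    names = sorted(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"{a} and {b}: overlapping subnets")
    for s in parse_uci(wireless):
        if s["type"] != "wifi-iface":
            continue
        o = s["options"]
        ssid, net = o.get("ssid", "?"), o.get("network")
        if net not in nets:
            findings.append(f"{ssid}: network '{net}' is not defined")
        elif net not in dhcp_ifaces:
            findings.append(f"{ssid}: no dhcp section for '{net}'")
        if o.get("encryption", "none") == "none":
            findings.append(f"{ssid}: open network (encryption none)")
        if o.get("isolate", "0") != "1":
            findings.append(f"{ssid}: client isolation off")
    return findings


if __name__ == "__main__":
    for finding in audit(NETWORK, WIRELESS, DHCP):
        print(finding)
```
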

Sep 10, 2019

Hack TX Power QCA9533 to 30dbm

Hack the TX power of the QCA9533 chipset family to 30dbm; the real TX power is 23-24dbm, or around 200mW.

This can be applied to the TL-841ND v10 / v11, TL-WR840N v2 and TL-WR740N v6 (but was only tested on the TL-WR841ND v10):

Step 1 :

I assume the router has ddwrt firmware installed. Enable the ssh feature on the router in the service and administration tab, save, apply settings, then reboot.

Step 2 :

Download the art partition from this link:

http://www.mediafire.com/file/8sc11lv5l36k49i/artHACKED+%281%29.bin

Then rename it to "art.bin" (without the quotes).

Step 3 :

With the WinSCP utility, send (export) the file we downloaded and renamed earlier to the router's /tmp folder. Make sure art.bin is in the /tmp folder by checking via PuTTY with the command:

ls /tmp

Step 4 :

Execute the file already on the router via PuTTY with the command:

mtd -r write /tmp/art.bin board_config

Step 5 :

Log in to ddwrt, then do the tuning so that what we did works well: in the wireless tab, change the country to "Canada", change the TX power to 30dbm, then save, apply settings and finally reboot.

NB: only channels 1-11 are available; super channel is not supported, and it only works well with country code "Canada".

Jul 22, 2019

Getting the PPP Username and Password for CenturyLink Zyxel C1000Z Modem

My first DSL modem in 1999 required Telnetting in via serial port to USB. I had to call a network technician at Qwest, and followed by typing in what seemed like arcane commands. I had no idea what I was doing. Things have changed for the better, but most DSL modems still have the ability to log into them directly through command line interfaces. The C1000Z runs BusyBox Linux which comes loaded with your usual base Linux utilities, so if you can wield Bash, you can hack your modem.

Grabbing your PPP username

I was looking to enable the Transparent Bridge mode for my new Netgear R6050 after a friend managed to break the internal antenna on my Zyxel C1000Z. I wasn’t home so I don’t know the physics involved. Rather than pay $99 to CenturyLink for a new modem/router I decided to buy a new WAP/Router.

Having a little network administration under my belt, I figured I could grab the PPP Password.

The following guide was indispensable and got me 95% of the way there so I suggest checking it out first and/or following it along with my more “For Dummies” guide:

How to Find Your CenturyLink PPP Password on a Zyxel C1000Z Modem

You’ll want a basic understanding of SSH and/or Telnet. OS X, regardless of version, comes with SSH and Telnet, as does (almost) every flavor of Linux. Windows users will need Putty.

Step 1:

First you’ll need to enable telnet in your router, and you’ll need PPPoE enabled (under WAN settings). These can easily be done through the modem’s GUI.


Step 2:

Fire up your terminal (Windows users will have to use Putty, and translate the instructions) and type:

telnet YOUR-IP-ADDRESS

In this example, my router’s IP address is 192.168.0.1, this is the default address so I would type:
telnet 192.168.0.1
It may take a moment for the router to respond. Once it does, it should respond with something like “BCM963268 Broadband Router” and ask for your username. Type in the username you entered and hit return; it should then ask for your password. Enter the password you typed in and hit return.

Step 3:

Using the terminal we can call all the active tasks running on the modem, to do so type:
ps
Geek stuff: Users can use sh to access the BusyBox linux Bash shell and run task monitoring software like top. If you’re feeling adventurous, type sh and poke around using commands like ls and top. You can grab the process ID using top just like we do in step 4.

Step 4:

You should see a long list of responses, that read:
PID USER       VSZ STAT COMMAND
1 admin     1556 S    init
2 admin        0 SW<  [kthreadd]
3 admin        0 SW<  [migration/0]
4 admin        0 SW   [sirq-high/0]
and so on... We’re only interested in one entry, the one that’s running the pppd (or ppp*) command. It’ll probably be at the bottom. It should read something like:
3494 admin     1808 S    pppd -c ppp0.1 -i ptm0.1 -u myusername@qwest.net -p **
The myusername@qwest.net is your username.

Step 5:

Next you’ll need to analyze the process ID further. Take special note of the preceding number; in this example it’s 3494. Type in the console:
cat /proc/3494/cmdline
pppd-cppp0.1-iptm0.1-umyusername@qwest.net-pjlFrVNtRMtU=-f0-D0-n1-L0-X120 >
The password portion of this is encoded; the tricky part here is identifying it. We know that this is a concatenated line by gauging from the previous line. The password portion should be between -p  and -.  In this example, the encoded password is:
jlFrVNtRMtU=
Step 6:

This password is encoded in base64, thanks to the leg work Make a new tab or new terminal window, and type:
echo "jlFrVNtRMtU=" | base64 --decode
It should spit back something like:

ac7gkDnUmac-pro:~ user$

The ac7gkDnU will be your PPP password. Congrats! You’re now ready to enable transparent bridge mode on your router.

Article posted by blog@greggant.com
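
Why the output of `cat /proc/3494/cmdline` looks concatenated, and why a secret passed as a process argument is visible to anything that can read `/proc`: an added example, not part of the original article. The sample bytes are constructed from the article's `ps` line, and the meanings of `-u` and `-p` are assumed from it.

```python
import base64
import binascii

# Constructed sample: the pppd argv from the article, joined with NUL bytes the
# way the kernel exposes a process's arguments in /proc/<pid>/cmdline.
SAMPLE_CMDLINE = b"\x00".join([
    b"pppd", b"-c", b"ppp0.1", b"-i", b"ptm0.1",
    b"-u", b"myusername@qwest.net", b"-p", b"jlFrVNtRMtU=",
    b"-f", b"0", b"-D", b"0", b"-n", b"1", b"-L", b"0", b"-X", b"120",
]) + b"\x00"

# Option letters taken from the ps output in the article (assumed meanings:
# -u carries the PPP username, -p the encoded PPP password).
CREDENTIAL_FLAGS = {"-u": "username", "-p": "password"}


def as_terminal_shows(raw):
    """What `cat` appears to print: a terminal renders NUL bytes as nothing."""
    return raw.replace(b"\x00", b"").decode("utf-8", "replace")


def split_cmdline(raw):
    """Recover the real argv: arguments are separated by NUL, not by '-'."""
    parts = raw.split(b"\x00")
    if parts and parts[-1] == b"":
        parts.pop()  # the kernel terminates the last argument with a NUL too
    return [p.decode("utf-8", "replace") for p in parts]


def is_base64(value):
    """True when the value decodes as strict base64 (encoding, not encryption)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def redact(value):
    """Keep enough to identify the finding without copying the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def audit_argv(argv):
    """Report credentials that were passed as command-line arguments."""
    findings = []
    for flag, value in zip(argv, argv[1:]):
        if flag in CREDENTIAL_FLAGS:
            kind = CREDENTIAL_FLAGS[flag]
            findings.append({
                "kind": kind,
                "flag": flag,
                "value": redact(value) if kind == "password" else value,
                "reversible_encoding": kind == "password" and is_base64(value),
            })
    return findings


if __name__ == "__main__":
    print(as_terminal_shows(SAMPLE_CMDLINE))
    for finding in audit_argv(split_cmdline(SAMPLE_CMDLINE)):
        print(finding)
```

Splitting on NUL removes the guesswork the article describes in locating the text between `-p` and the next `-`; the same check can be run over every `/proc/<pid>/cmdline` on a device to find services that keep secrets in their arguments.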

Jun 29, 2019

PLDT Fibr ONU AN5506-04-FA Backdoor Exploit

In late 2016 there was a house-to-house PLDT agent promoting and advertising PLDT Home Fibr in our town, particularly in my sister's area. I was at my sister's residence at the time, and the PLDT Home Fibr promoter rang the bell at the gate of my sister's house while I was there. I opened the gate, and the PLDT Home Fibr advertiser introduced their fiber internet broadband product to me: they had a limited promo with FREE installation including the WiFi once you switch from another ISP, or waived installation fees plus the device if you are a new subscriber on monthly billing. I recommended and encouraged my sister to take the PLDT Home Fibr offer, as this kind of stuff is very late for my motherland, whereas other developed countries like Singapore or Malaysia are far ahead of us when it comes to technology.

I noticed that with PLDT Home Fibr, whenever your monthly internet bill is overdue they automatically cut you off from the internet totally: your PLDT Fiber ONU is blocked and you can never enjoy surfing the net unless you pay your outstanding fees. This is unlike Globe and Smart wireless internet broadband, where even if your device is banned from accessing the net you can still trick it with VPN apps. I was thinking perhaps PLDT Home Fibr is just like the old legacy SmartBro Canopy wireless internet, on which I enjoyed FREE internet for a very, very long period of time until WiMAX replaced it.

I stayed in my sister's house during the weekends, and the internet connection was interrupted due to late payment of the monthly bill. So I tried to tweak it the old way, like the SmartBro Canopy wireless internet, and it worked. My sister said, how come you have internet and we do not? I said this is just a temporary internet connection while your PLDT account is blocked.

While I was inside the PLDT Home Fibr ONU $hell I toured around to see what there was to see, looking for interesting stuff while hopping into some other PLDT subscribers' ONU $hells. I find it very interesting: just imagine, you can get into the PLDT ONU fiber device, hop from one ONU device to another, and copy what is inside or wipe out the entire filesystem of the ONUs.

The backdoor of PLDT Home Fibr ONU devices such as the Fiberhome AN5506-04-F and AN5506-04-FA/T is very special, and I do not want to disclose it on this blog. These three Fiberhome AN5506-04-XX series PLDT Home Fibr ONU devices are still wide open as of the time I am writing; I have tested and proven it, and it has not yet been closed. For sure the PLDT tech team will not close the backdoor that they themselves use to enter.

I write about this issue because I want to differ with the comment by chudyvf on kbeflo's gist.github:

for those still have rp2627, change iptables directly.
iptables -R INPUT 1 -p TCP --dport 7547 -j REJECT --reject-with tcp-reset
iptables -I INPUT 2 -i lo -p TCP --dport 443 -j ACCEPT
iptables -I INPUT 3 -i br0 -p TCP --dport 23 -j ACCEPT
iptables -I INPUT 4 ! -i br0 -p TCP --dport 443 -j REJECT --reject-with tcp-reset
iptables -I INPUT 5 ! -i br0 -p TCP --dport 23 -j REJECT --reject-with tcp-reset

He commented, or suggested, that for the PLDT Home Fibr ONU devices, aka Fiberhome AN5506-04-FA/T and AN5506-04-F, to be safe from the PLDT ONU firmware update RP2631, the above iptables commands are a must and we have to redo the iptables. In my own opinion, as I have written and commented on kbeflo's gist.github, the PLDT ONU firmware updates cannot and will not be prevented regardless of what ports you close or what iptables you redo. PLDT can still enter your ONU devices using the so-called BACKDOOR; whether you are connected to the internet or NOT, for as long as you are hooked to the PLDT Fiberhome OLT you are bound for the firmware update patching. As I have said, I have been through that backdoor!
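The rules in the quoted comment only decide what the ONU's own INPUT chain does with TCP connections to ports 7547, 443 and 23. The following added example (not from this post or from the gist) applies first-match evaluation to saved `iptables -S INPUT` output and reports the verdict per interface and port; the sample output is constructed, `wan0` is a hypothetical name for any non-br0 interface, and rules using options the sketch does not model are reported as UNKNOWN rather than guessed.

```python
# Constructed sample of `iptables -S INPUT` output: the five quoted commands
# applied to a chain with policy ACCEPT and no other rules (an assumption).
SAMPLE = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 7547 -j REJECT --reject-with tcp-reset
-A INPUT -i lo -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i br0 -p tcp -m tcp --dport 23 -j ACCEPT
-A INPUT ! -i br0 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT ! -i br0 -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
"""
MODELLED = {"-i", "-p", "-m", "--dport", "-j", "--reject-with"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Return (policy, rules); a rule this sketch cannot model becomes None."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["-P", "INPUT"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "INPUT"]:
            rule, negate, i = {}, False, 2
            while rule is not None and i < len(tok):
                if tok[i] == "!":
                    negate, i = True, i + 1
                elif (tok[i] in MODELLED and i + 1 < len(tok)
                      and not set(tok[i + 1]) & set(":+,")):  # no ranges/wildcards
                    rule[tok[i]] = (tok[i + 1], negate)
                    negate, i = False, i + 2
                else:
                    rule = None
            terminal = rule is not None and rule.get("-j", ("",))[0] in TERMINAL
            rules.append(rule if terminal else None)
    return policy, rules

def verdict(text, iface, port):
    """First-match result for a new TCP connection to `port` arriving on `iface`."""
    policy, rules = parse(text)
    pkt = {"-i": iface, "--dport": str(port), "-p": "tcp"}
    for rule in rules:
        if rule is None:
            return "UNKNOWN"  # cannot say what happens past an unmodelled rule
        if all((rule[o][0] == pkt[o]) != rule[o][1] for o in pkt if o in rule):
            return rule["-j"][0]
    return policy

def report(text, ifaces=("br0", "wan0"), ports=(23, 443, 7547)):
    # "wan0" is a hypothetical stand-in for any interface other than br0.
    return {(i, p): verdict(text, i, p) for i in ifaces for p in ports}
```

On a real device, pass the saved output of `iptables -S INPUT` to `report()` in place of `SAMPLE`; an ACCEPT for a non-br0 interface on any of these ports means the management service is still reachable from that side.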

My ultimate recommendation or solution for all PLDT Home Fibr subscribers who are using Fiberhome ONU devices such as the AN5506-04-FA/T and AN5506-04-F, to keep them from being forcibly updated to firmware RP2631, is on the hardware side. But you have to be an electronics hobbyist; this thing needs basic soldering skill. The solution is to pull up the write-protect pinouts of the NAND flash from the circuit so that whenever there is an update your ONU device is protected, unless you switch ON the write-protect of the NAND flash pinouts.

Your thoughts and comments are welcome. To be true, I don't trust the PLDT Home Fibr ONUs; better give me a fiber media converter and I will provide my own wireless router access point. I rather favor OpenWRT, DD-Wrt or Tomato.

Jun 26, 2019

PLDT Fibr ONU AN5506-04-FA RP2631 Super Admin

Oh well!!! Today when I woke up something strange had happened to my PLDT Fibr Optical Network Unit (ONU) AN5506-04-FA. As I had been expecting, the so-called RP2631 firmware update is being enforced whether you like it or not; it will really be patched, including YOURS and MINE.

What is new in the PLDT Fibr ONU firmware update RP2631? The Giant Telco ISP wants their AN5506-04-FA/T ONU to serve just like a sitting duck; as much as possible it would be a media converter only. Why? Because 171 is already fed up with your calls, you are so annoying!!!

Here's a quick and simple summary of what PLDT wants for their all-in-one device, aka the Fiberhome AN5506-04-FA/T Optical Network Unit. It is also a wireless access point (WAP) router built with two WiFi frequencies, 2.4GHz and 5GHz; it is equipped with two FXS ports for POTS, and in addition you can insert your USB media device too. The SAMBA and FTP servers would be great on this ONU device if they were not restricted by the custom PLDT Fibr firmware.

Let's look at the Graphical User Interface (GUI). On the AN5506-04-FA/T with RP2627 firmware and below you can log in on the insecure port 80 via HTTP, but not here in RP2631: HTTPS is enforced and port 443 is used.


Next, let's see if http://192.168.1.1/info.asp is still vulnerable, without using any credentials to log in to the Fiberhome AN5506-04-FA/T ONU device.


Good patching: with the firmware updated, it's no longer accessible, unlike before when you could see the details without logging in to the PLDT Fibr ONU device. Thanks for that effort!


Now the exciting one: let's log in to the PLDT Fibr AN5506-04-FA/T firmware RP2631. The username "admin" with the password "1234" for the ordinary user account is no longer accepted; it has now been omitted. So what about the account with the username "adminpldt" and the password "6GFJdY4aAuUKJjdtSn7dC2x", will it still be accessible? And another thing: what happened to the Super Admin account, the username "fiberhomesuperadmin" with the password "sfuhgu", will it still work here on the new firmware update?


As I have tested and verified, all three previous username and password pairs for the PLDT Fibr ONU device AN5506-04-FA/T are no longer valid after the update: username "admin" password "1234", username "adminpldt" password "6GFJdY4aAuUKJjdtSn7dC2x" and username "fiberhomesuperadmin" password "sfuhgu". Forget about the custom username and password that you saved; they are totally gone.

When I dove into the shell I saw that two account credentials are allowed to get in: only the Administrator account and the Super Admin account are given permission by the PLDT Fibr ONU to log in to the device; nothing else can access the Graphical User Interface, at this moment in time, on my ONU.

To access the PLDT AN5506-04-FA/T RP2631 firmware GUI Administrator account, point your web browser to https://192.168.1.1/fh, but you have to log in first as Super Admin and enable the Web Admin Switch under Management >> Device Management >> Debug Switch. Once the Web Admin Switch is enabled, log out and log in again with the Administrator account; you can now again enjoy the privileges you enjoyed before on your PLDT ONU device.


Seen the above screenshot? Yes, that is the new PLDT Fibr ONU AN5506-04-FA/T RP2631 firmware update. For the Super Admin account the username is "f~i!b@e#r$h%o^m*esuperadmin"; it is 27 characters, so be careful of typos, and it is case sensitive. For the Administrator account the username is still "adminpldt", but the password is no longer "1234567890" nor "0123456789" and certainly not "6GFJdY4aAuUKJjdtSn7dC2x"; they have changed it already. I am still planning to make a tutorial for the firmware downgrade from RP2631 to RP2627; I will write it soon.

Jun 14, 2019

PLDT Fiberhome ONU AN5506-04-FA RP2627 Update Failed

Just last month I was reading kbeflo's gist.github again, with so many netizens shouting about their PLDT Fiberhome AN5506-04-FA/T ONUs being remotely updated by the country's Giant Telco ISP. It was I who first disclosed on this blog the PLDT "fiberhomesuperadmin" account privilege to access the PLDT Fibr ONU Super Admin, and later on it was TipidPC.com that gave the password sfuhgu, so that everybody enjoyed tweaking and manipulating their own ONU device. Now sadness and sorrow have come again to all PLDT Fibr subscribers because of the so-called firmware update from RP2627 to RP2631, which gives another headache. I know that for a Shifu out there like you it won't be hard to locate the script even without any web developer tools, but for a newbie like me it will be painful looking for the code.


I had been enjoying my PLDT Fiberhome ONU AN5506-04-FA RP2627 without any patches, still intact, until today at 6pm when my little Princess complained that her mini iPad was not working anymore, and I noticed that the internet connection was interrupted. There were no signs of the red LEDs turning ON on the PLDT ONU, until I logged in to see whether the WAN connection really went down. On the Status main menu my PLDT ONU AN5506-04-FA is still intact and NOT updated to RP2631, but when I checked my BroadBand settings, my ONU WAN Type had been changed from INTERNET to TR069_INTERNET. My ONU VLANID is still the same as it was, 1030, and the priority is still 0, but the WAN connection type is stuck on Route mode and it is no longer possible to scroll it to Bridge mode. What the F*ck, go and eat your PLDT Fiberhome ONU device. Yeah, you are right! Now you have glued it in the Web User Interface. Do you think it won't be possible on the CLI? And what about the web developer tools, it can be unhidden. PITY on your Graphical Interface.


This is another disaster for PLDT Fibr subscribers who own this kind of ONU, the Fiberhome AN5506-04-FA/T. On kbeflo's gist.github thread someone is already asking for the RP2627 firmware; I don't know if they will be able to upload the firmware onto the ONU device if they have it in hand. On this blog someone also commented and asked me for the RP2627 firmware. I can upload it for them; I have the list of AN5506-04-FA firmware from RP2610 to RP2627. I have written on this blog that the best and easiest way to back up the AN5506-04-FA firmware on a Windows machine is via WinSCP; you can just click and drag the files.


I will leave it as it is today until the PLDT Engineering Technical Team is done with their patches and remote firmware updates to all PLDT Fiberhome ONU devices; a post on how to revert the PLDT Fiberhome ONU AN5506-04-FA/T from RP2631 to RP2627 will follow soon. I know it really hurts when you are really in love with your ONU device firmware RP2627 and suddenly someone just takes it away without any prior notice. If possible I will write a tutorial on how to update the AN5506-04-FA/T firmware from RP2627 to RP2631, or vice versa from RP2631 to RP2627.

Sep 21, 2018

PLDT HOME Fibr Multi-WAN

In February 2007 I went out of the country for the very first time to work abroad in operation and maintenance at one of the international airports in the Kingdom of Saudi Arabia; I left my previous work at one of the famous universities in my hometown. At that time the fastest Internet broadband connection you could get for residential use was the twin copper wire that carries two carriers on a single physical line, one for voice such as the home phone and the other for Internet data. In contrast, in my beloved Philippines the Digital Subscriber Loop (DSL) was very expensive at that time. I remember I had three (3) Internet cafes where I worked part time from 2001 till 2005, and one of the NetCafes could only afford a dial-up Internet connection. But in those days Netscape was the fave browser and mIRC was the best messenger of all, on which we used to hang out on the net every day from morning until midnight.


So I experimented with my company's dial-up internet account whenever I was at the NetCafe at night to see how it works, and there it goes, those credentials worked. From that moment on, every night I hung out at my NetCafe I had a free dial-up internet connection. I did the same thing with Saudi Telecom during my three-year work contract, but this time it was an Asynchronous Digital Subscriber Line, and it worked because the technology infrastructure used by DSL is the same as the dial-up connection, the Plain Old Telephone Service (POTS), whereas DSL uses the Public Telephone Switch Network (PTSN), which is just an upgraded version of POTS using the same carrier, a twin copper wire single physical line.

In mid 2009 I got an offer to pursue my MS degree in Electronic and Communications Engineering in Kuala Lumpur at one of the well-known international universities of that Asian Tiger state, so I grabbed the opportunity and started a new series of being a university student again. The mud city had just started its Fiber Optic rollout over the busy town, and the Kondominium where I resided didn't offer the Fiber Optic service because it is a high-rise building and we were on the 11th floor. That's how they pronounce it, Kondominium not Condominium. This tall building is equipped with xDSL communication infra owned by the government's Telekom Malaysia. The good thing about Very High Speed Digital Subscriber Line (VDSL) is that it offers triple play: you have voice, internet and video just like Fiber To The Home (FTTH); the physical connection is the twin copper wire of the PTSN, whereas FTTH is a Passive Optical Network (PON).


I am really eager to experiment with things like this, and I proved that it works, as I have done and mentioned in my previous case study. In this experiment on Telekom Malaysia xDSL it was not only a single connection but multiple logical internet connections. I had a TP-Link WR-TL740N v1.2, reflashed it with OpenWRT firmware Attitude Adjustment 12.09, loaded it with the Multi-WAN package, and it works; I tested up to twelve (12) WANs.

If it works on Saudi Telecom and Telekom Malaysia, I think it would be impossible for it not to work on the PLDT or the GLOBE Telecom infrastructure. But this time we are on the PON infra. The Philippines' Giant Telco will of course not right away junk their vintage SmartBro Canopy equipment, and they still keep using its authentication technique for the P1 wireless CPE, an upgrade of the SmartBro family brand, which we all know for the long-term MacDo free internet connection that GLOBE Telco also rivaled.

In this case study I am still using my legacy Wireless Access Point (WAP) router WR-TL740N v1.2; it has one WAN port and four LAN ports, no built-in modem, but with WiFi BNG 150N Lite. The processor is a 350MHz MIPS with 4MBit flash and 32MBit of RAM, reflashed with the third-party embedded Linux firmware OpenWRT Attitude Adjustment 12.09 and of course the Multi-WAN package.


My final test proves that there is no difference between the telecommunication infrastructures POTS, PTSN and PON: regardless of whatever authentication technique is implemented, they will behave in the same fashion. This is just my observation. Unfortunately my dear Professor in that university is a Shifu in Fiberless Optical Communication, which is the opposite of my field of interest during that time of my study. This case study is still an unknown issue to the academe, perhaps already known but not yet published; not a threat but widely vulnerable.