Thursday, 10 March 2016

f@st3864 Telnet/Serial

R.e F@st3864v2


Optus F@st3864


The quickest way to openly access this routers administration tools is to log in via
http://192.168.0.1/main.html?loginuser=0

logging in with the default

admin/Y3s0ptus loginuser=0
***support/support***loginuser=1
***user/user*****loginuser=2

***To Activate telnet***

going to management/system settings " download this file " sysinfo.f24
open the file in notepad

the file splits into two sections

the section we want is headed by
backup config:

<?xml version="1.0"?>
<DslCpeConfig version="3.0">

and closed by

</InternetGatewayDevice>
</DslCpeConfig>

so by copying all the xml information between these two points and pasting into a new notepad

you have created our new backup file,
before we save it and close find

<X_GVT_Telnet_Enable>FALSE</X_GVT_Telnet_Enable>
Change FALSE to TRUE
then save the file as backupconfig.xml
then use this XML file to update the settings,


also i wouldnt advise trying to change the admin password directly thru this XML
unless you encrypted it first into base64 and place the encrypted password in the XML.

telnet to your routers ip using
telnet
open 192.168.x.y

logging in with the default admin/Y3s0ptus
and press ? for telnetd help
or type in sh for shell access(ash)
typing help for commands
also typing busybox for a larger set of commands
ls for list
cat to read files
cp to copy to usb
tftp to move files on and off via a tftp server(this is also how the router hides the cgi files)
use ./ to run any executables that arent listed in busybox. i.e bin files
use chmod to change the file permissions to files you cant access but first try cat so you do not have to change them back
passwd to change the passwords of accounts

Please note changing the admin password does not stop a normal user from checking the passwords which are in plain text and can be found by browsing to the password change utillity and pressing f12 then using the debugger to read the password out of the passwords cgi webpage which we have read in order to load the password utillity





the change of passwords will also be reflected on serial and telnet logins
also the samba servers can be shut down via the menus as well


telnet is easily closed by reuploading the backup config and changing the telnet value
or more easily by power cycling


 
the serial port is accessed via 4 pins on the main board using a usb to serial you simply need to connect the rx(white)/tx(green)/gnd to out/in/gnd
as the board is self powered , but a 3.3 v power supply could be used to serial the main chip with out power but this disables all the other accessorys
  1. stty
    speed 115200 baud;
    intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;
    eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S; susp = ^Z; rprnt = ^R;
    werase = ^W; lnext = ^V; flush = ^O; min = 1; time =0;
    -brkint ixoff -imaxbel
some times you can gain a shell access without logging in this is a major security failure ,
im still figuring out how the shell is gained but pressing ^D(backspace) or enter after the bootloader is finished you will receive a login prompt, your routers homepage admin details is the login/pass


on a side note

Has anyone worked out the Optus Fast program that is in the router it appears to need a password but is capable of restoring the firmware to sagem unbranded firmware,
location : ~/bin/ file: ~/bin/fast
# fast
Usage:
singled command:
fast unlock-next-reboot -p password
there is also commands to read out other infomation,
factory info / serial number / psi-config R/W/Clear / back-up config R/w/ hw – version/ base-mac/
SW version / config id / customer name / scratchpad R/Clear / led commands / factory-test[enable|disable|status] / factory eth test / flash-lastKB R/W / flash-data read -a address(hex) -l length(dec)


has anyone looked into how they create this password, i have looked into the file in IDa and found it is dynamical created from several memory locations that are only created at runtime. any help would be great