5268ac routers - Printable Version

+- hashcat Forum (https://hashcat.net/forum)
+-- Forum: Misc (https://hashcat.net/forum/forum-15.html)
+--- Forum: User Contributions (https://hashcat.net/forum/forum-25.html)
+--- Thread: 5268ac routers (/thread-10483.html)
RE: 5268ac routers - drsnooker - 10-01-2023

A nice even 1000 passwords for the 5268AC. I think this is a good place to leave it, unless anybody has any more ideas...
https://pastebin.com/22ZGhHg4

RE: 5268ac routers - drsnooker - 12-23-2023

Look at what Santa left in my stocking!!!!

Let's crack it open and see if its firmware contains any mysteries....

RE: 5268ac routers - drsnooker - 12-29-2023

This pace edition is straight from the factory! I've got root access over UART. And check out the /usr/bin directory.... factory_set_default_wifi_passwd!
*sad trombone* It's just a script to pull the default password from elsewhere, not the algo. Now to find the elsewhere!

Code:
%factory# ls /usr/bin

RE: 5268ac routers - b1tninja - 01-12-2025

(12-06-2021, 02:03 AM)drsnooker Wrote:
(11-28-2021, 03:21 AM)calexico Wrote: Looks very promising, terrific work; sorry I'm no help.

Curious if you've had any luck reading the filesystem from the NAND? I couldn't find any open source implementation of OpenTDS... so I was going to try and figure it out. I'd like to be able to modify the files, but there seems to be some checksums, likely for bad block detection.

My idea is to unpack a pkgstream and then compare the chunks with the NAND dump and go from there... another was to try and emulate with QEMU.

RE: 5268ac routers - drsnooker - 01-12-2025

@b1tninja, I eventually got a clip and managed to get the NAND dumped in situ. However, since we know the root password as well as the algo for the password of user: rma (also with root privileges), it was no longer necessary to figure out how to binwalk the NAND dump, as you can just access the modem over UART.

RE: 5268ac routers - b1tninja - 01-12-2025

(01-12-2025, 11:37 AM)drsnooker Wrote: @b1tninja, I eventually got a clip and managed to get the NAND dumped in situ. However, since we know the root password as well as the algo for the password of user: rma (also with root privileges), it was no longer necessary to figure out how to binwalk the NAND dump, as you can just access the modem over UART.

Unfortunately the newer firmwares seem to prevent downgrade and one of the scripts at startup disables input over the debug port. I did find a compatible connector for the UART though, which is handy: samtec MEC1-108-02-S-D-A.

Alright, well, thanks anyway. Guess I'm on my own; I'll report back here when I figure it out.

RE: 5268ac routers - drsnooker - 01-12-2025

Perhaps if you purchase a used one off eBay, the FW might not have been upgraded past the point that you can change the firmware to an older one. Or perhaps downgrade to 11.0 first before going for 10.5.3?