05-17-2022, 02:47 AM
To continue the howto guide but a little more specific for this modem.
First you'll have to get your grubby hands on a modem, plenty for sale on ebay, facebook and all the usual places you go for used electronics. Next step is to crack open the case. Not an easy task and will require quite a bit of force.
There are 4 pegs you have to push in simultaneously on the back (plug side) of the router.
Once that's done, you'll see the UART edge connector. The leads are pretty skinny, so if you don't feel up to the soldering work, you can purchase a MEC1-108-02-F-D-EM2 connector instead.
All of this came from the spun.io link in message #7 up thread.
Combine this with a cheap ($3.00) PL2303HX USB-UART adapter, connect pin 2 to the black lead of the USB adapter, 13 to the green and 15 to the white wire. Set minicom to 115200 baud, 8 bits, no parity, 1 stop bit, and watch the data come in!
Now for the root access part:
The nomotion.net pages seem to have expired but are still available through the way back machine.
The actual root password is the MD5crypt hash that starts with $1$xyz
After firmware version 10.5.6 this changes to a sha512crypt and in firmware version 11.1 they turn off keyboard entry so the first thing you'll probably have to do is downgrade the firmware.
Download the firmware from the link shown on this page (after replacing all the x's with t's)
https://web.archive.org/web/202104211411...em-part-1/
Then plug your ethernet cable into the modem and in your favorite browser go to 192.168.1.254/upgrade, click upgrade and browse to the downloaded firmware.
You'll also have to do some actual cracking, it's time to pop that MD5crypt hash! I will give you a clue here, it consists of 3 upper case, 3 lower case and 2 numbers. Now if you've seen all the unique codes for the 5268AC as well as the remoteSSH password, I'm sure you can guess where one of the numbers is. The rest is up to you!
As a side note, the nomotion page also shows a root password hash that starts with $1$LXs... It is overwritten, but if you want to have a little fun, in that case it is just 7 chars (again, upper case, lower case, and numbers). Again, a good guess where one of the numbers is....
Connect to the modem over the UART connection. Press a key after it booted up and it'll ask for a login.
Just use username root and the 8-char password you found above. Et voilà: root shell!
The other thing I'll add here is that you also can get into u-boot (to dump the NAND), but you need root access first.
From the root shell, type:
factorytool --setfactorymode true<enter>
Now during the boot sequence, where it says "Hit any key to stop autoboot: 5" just press a key and you're in u-boot.
From another terminal window you could type: printf 'nand dump 1f000\r' > /dev/ttyUSB0 <enter> to have the router dump all the various router unique data.
The paramtool binary is used to actually make the user a factory technician with additional access, but I have not spent time to figure out how to do that.
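An added example, not code from the post or from any of the linked write-ups: a small Python script that sets the PL2303 port to 115200 8N1 the way minicom does, sends the `nand dump 1f000` command to U-Boot with the carriage return U-Boot waits for before it executes anything, reads the reply back up to the prompt, and parses the standard U-Boot `nand dump` text (`Page XXXXXXXX dump:`, 16 hex bytes per row, then `OOB:`) into bytes you can save and run a strings-style scan over. The device path `/dev/ttyUSB0`, the prompt text `=> `, and the sample dump embedded at the bottom are assumptions/constructed data, not values taken from the page; check what this board's U-Boot actually prints.

```python
"""Added example (not from the original post): drive the 5268AC's U-Boot over
the PL2303 UART from Python and parse the `nand dump` reply.

Assumptions (not stated on the page): the adapter is /dev/ttyUSB0, U-Boot is
already sitting at its prompt (autoboot interrupted as the post describes),
the prompt text is "=> ", and `nand dump` prints the standard U-Boot format
("Page XXXXXXXX dump:", 16 hex bytes per row, then "OOB:").
"""
import os
import re
import select
import termios
import time

UBOOT_PROMPT = b"=> "  # assumption: check what this board's U-Boot prints


def open_uart(dev: str = "/dev/ttyUSB0") -> int:
    """Open the port raw at 115200 8N1 (the settings from the post), no flow control."""
    fd = os.open(dev, os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
    iflag, oflag, cflag, lflag, _ispeed, _ospeed, cc = termios.tcgetattr(fd)
    iflag = 0                                             # no CR/LF translation, no XON/XOFF
    oflag = 0                                             # no output post-processing
    cflag = termios.CS8 | termios.CREAD | termios.CLOCAL  # 8 data bits; PARENB/CSTOPB clear = N1
    lflag = 0                                             # no echo, no canonical line editing
    cc[termios.VMIN] = 0
    cc[termios.VTIME] = 0
    termios.tcsetattr(fd, termios.TCSANOW,
                      [iflag, oflag, cflag, lflag, termios.B115200, termios.B115200, cc])
    return fd


def uboot_line(cmd: str) -> bytes:
    """U-Boot only runs a command once it sees CR (or LF); send one explicitly."""
    if "\r" in cmd or "\n" in cmd:
        raise ValueError("one command per line")
    return cmd.encode("ascii") + b"\r"


def read_until(fd: int, marker: bytes, timeout_s: float = 10.0) -> bytes:
    """Collect output until `marker` (the prompt) shows up or the timeout expires."""
    buf = bytearray()
    deadline = time.monotonic() + timeout_s
    while marker not in buf:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError(f"no {marker!r} within {timeout_s}s; tail: {bytes(buf[-80:])!r}")
        ready, _, _ = select.select([fd], [], [], remaining)
        if ready:
            buf += os.read(fd, 4096)
    return bytes(buf)


_PAGE_HDR = re.compile(r"^Page\s+([0-9a-fA-F]+)\s+dump:\s*$")
_HEX_ROW = re.compile(r"^(?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2}$")


def parse_nand_dump(text: str):
    """Turn `nand dump` text into (page_offset, data, oob).

    Only rows made purely of two-digit hex groups are consumed, so the echoed
    command, the prompt and any stray status lines are ignored.
    """
    page = None
    data, oob = bytearray(), bytearray()
    target = data
    for raw in text.splitlines():
        line = raw.strip()
        m = _PAGE_HDR.match(line)
        if m:
            page, target = int(m.group(1), 16), data
            continue
        if line == "OOB:":
            target = oob
            continue
        if page is not None and _HEX_ROW.match(line):
            target += bytes.fromhex(line)  # fromhex skips the whitespace between groups
    if page is None:
        raise ValueError("no 'Page ... dump:' header in output")
    return page, bytes(data), bytes(oob)


def printable_runs(blob: bytes, min_len: int = 6) -> list:
    """`strings`-style scan: the quickest way to spot ASCII per-unit values in
    the page without guessing the layout of the data."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def dump_page(dev: str, offset: int, out_dir: str = ".") -> str:
    """Issue `nand dump <offset>` and save the data area as page_<offset>.bin."""
    fd = open_uart(dev)
    try:
        os.write(fd, uboot_line(f"nand dump {offset:x}"))
        reply = read_until(fd, UBOOT_PROMPT)
    finally:
        os.close(fd)
    page, data, _oob = parse_nand_dump(reply.decode("ascii", "replace"))
    path = os.path.join(out_dir, f"page_{page:08x}.bin")
    with open(path, "wb") as f:
        f.write(data)
    return path


# Constructed sample (shortened; a real page is 2048 or 4096 bytes) in the
# U-Boot layout described above, including the echoed command and the prompt.
SAMPLE_DUMP = (
    "nand dump 1f000\r\n"
    "Page 0001f000 dump:\r\n"
    "\t43 4f 4e 53 54 52 55 43  54 45 44 2d 55 41 52 54\r\n"
    "\t00 01 02 03 04 05 06 07  08 09 0a 0b 0c 0d 0e 0f\r\n"
    "\tff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff\r\n"
    "OOB:\r\n"
    "\tff ff ff ff ff ff ff ff\r\n"
    "\tff ff ff ff ff ff ff ff\r\n"
    "=> "
)

if __name__ == "__main__":
    import sys
    saved = dump_page(sys.argv[1] if len(sys.argv) > 1 else "/dev/ttyUSB0", 0x1f000)
    print("wrote", saved)
    with open(saved, "rb") as f:
        for s in printable_runs(f.read()):
            print(s.decode())
```

Close minicom before running this: two processes reading the same port split the reply between them and the parser will see a truncated page. The script talks to U-Boot only, so factory mode has to have been set from the root shell and autoboot interrupted by hand first, exactly as the post describes.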