5268ac routers
#51
A nice even 1000 passwords for the 5268AC. I think this is a good place to leave it, unless anybody has any more ideas...

https://pastebin.com/22ZGhHg4
#52
Look at what Santa left in my stocking!!!!

[Image: r6Bt8OL.jpg]

Let's crack it open and see if its firmware contains any mysteries....
#53
This Pace edition is straight from the factory! I've got root access over UART. And check out the /usr/bin directory.... factory_set_default_wifi_passwd!
*sad trombone* It's just a script to pull the default password from elsewhere, not the algo. Now to find the elsewhere!
Code:
%factory# ls /usr/bin
battery                                factory_set_default_wifi_passwd
bunzip2                                factory_set_default_wifi_ssid
bzcat                                  factory_set_device_key
bzcmp                                  factory_set_dsl_media
bzdiff                                  factory_set_factorymode
bzegrep                                factory_set_ip_address
bzfgrep                                factory_set_led
bzgrep                                  factory_set_led_mode
bzip2                                  factory_set_mac_range
bzip2recover                            factory_set_mfg_timestamp
bzless                                  factory_set_model
bzmore                                  factory_set_pca
call_qcsapi                            factory_set_serial
dumpmem                                factory_set_trusteng
factory                                factory_set_wifi5g_device
factory_batt                            factory_set_wifi5g_ipaddr
factory_battery_calib                  factory_set_wifi5g_mac_addr
factory_battery_daemon                  factory_set_wifi5g_mfg
factory_cert                            factory_set_wifi5g_model
factory_cert_get_file                  factory_set_wifi5g_netmask
factory_cert_install                    factory_set_wifi5g_param
factory_cert_list                      factory_set_wifi5g_passwd
factory_cert_remove                    factory_set_wifi5g_pca
factory_cert_request                    factory_set_wifi5g_serial
factory_cert_request_install            factory_set_wifi5g_ssid
factory_cert_verify                    factory_set_wifi_cal
factory_disable                        factory_set_wifi_continuous_transmit
factory_download                        factory_test_usb_filecopy
factory_download_pkgstream              factory_tftp_upload
factory_dsl_test_qln                    factory_unboot
factory_enable                          factory_usb_overload_status
factory_get                            factory_verify_credentials
factory_get_current_wifi_rx_count      factory_wifi5g_finalize
factory_image_switch                    factory_wifi5g_update_image
factory_kmsgd                          feature_support
factory_log                            features
factory_reset_dsl                      jrecv
factory_reset_wifi5g                    jsend
factory_set_accesscode                  openssl
factory_set_authcode                    pkgstreaminstall
factory_set_current_wifi_channel        quantenna_support
factory_set_current_wifi_fixed_tx_rate  sendarp
factory_set_current_wifi_mode          setmem
factory_set_current_wifi_ssid          telnetd
factory_set_current_wifi_tx_frequency  tftp_upload
factory_set_current_wifi_tx_power
%factory#
#54
(12-06-2021, 02:03 AM)drsnooker Wrote:
(11-28-2021, 03:21 AM)calexico Wrote: Looks very promising, terrific work; sorry I'm no help.

Thanks Calexico! 
For everybody else: although I've pulled NAND chips and dumped them, this is all done on a vanilla modem, using a UART connection. If you want to join in, pick up a 5268ac modem from ebay ($25) and a USB UART adapter, like a PL2304HX ($4). So for less than $30, you can really pretend to be a hacker! (or just a hack LOL)

Curious if you've had any luck reading the filesystem from the NAND? I couldn't find any open source implementation of OpenTDS... so I was going to try and figure it out. I'd like to be able to modify the files, but there seem to be some checksums, likely for bad block detection.

My idea is to unpack a pkgstream and then compare the chunks with the NAND dump and go from there... Another was to try and emulate with QEMU.
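The chunk-comparison idea in the post above (match pieces of an unpacked pkgstream against the raw NAND dump) is easy to get wrong on a real dump, because a dump read with a clip usually contains the spare/OOB bytes after every page, so a file that is contiguous in the filesystem is interrupted every page in the dump. Below is an added example, written for this thread and not code from the original posters or from Pace/AT&T. It assumes a 2048-byte page with a 64-byte OOB area (both assumptions; check the chip datasheet), it knows nothing about the OpenTDS container, and the "unpacked chunk" it searches for is constructed sample data standing in for real pkgstream output. It strips the OOB area, searches every chunk of the target at every byte offset (so alignment does not matter), skips single-byte-fill chunks such as erased 0xFF pages that would match everywhere, and merges adjacent hits into runs, so a file split across non-adjacent erase blocks shows up as several runs.

```python
"""Locate pieces of an unpacked file inside a raw NAND dump (added example).

Assumptions, not facts from the thread: PAGE_SIZE and OOB_SIZE are typical
values, not the 5268AC's; the sample file and dump are constructed inline.
"""
import random
from typing import List, Tuple

PAGE_SIZE = 2048   # assumed data bytes per NAND page (check the chip datasheet)
OOB_SIZE = 64      # assumed spare (OOB) bytes dumped after each page
CHUNK = 256        # match granularity in bytes; must divide PAGE_SIZE


def strip_oob(dump: bytes, page_size: int = PAGE_SIZE, oob_size: int = OOB_SIZE) -> bytes:
    """Drop the spare area that follows every page in a raw NAND dump."""
    stride = page_size + oob_size
    if len(dump) % stride:
        raise ValueError("dump is not a whole number of page+OOB records")
    return b"".join(dump[i:i + page_size] for i in range(0, len(dump), stride))


def find_runs(target: bytes, data: bytes, chunk: int = CHUNK) -> List[Tuple[int, int, int]]:
    """Locate contiguous runs of `target` inside `data`.

    Returns (data_offset, target_offset, length) tuples. Every chunk of the
    target is searched at every byte offset, chunks that are a single repeated
    byte (erased 0xFF, zero padding) are skipped because they match anywhere,
    and hits that continue the previous one in both files are merged.
    """
    hits: List[Tuple[int, int]] = []
    for t_off in range(0, len(target) - chunk + 1, chunk):
        piece = target[t_off:t_off + chunk]
        if len(set(piece)) == 1:
            continue
        pos = data.find(piece)
        while pos != -1:
            hits.append((pos, t_off))
            pos = data.find(piece, pos + 1)
    runs: List[List[int]] = []
    for d_off, t_off in sorted(hits):
        if runs and runs[-1][0] + runs[-1][2] == d_off and runs[-1][1] + runs[-1][2] == t_off:
            runs[-1][2] += chunk
        else:
            runs.append([d_off, t_off, chunk])
    return [(r[0], r[1], r[2]) for r in runs]


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed data: a 4-page 'file' and a 16-page dump (with OOB) that holds
    the file split across two non-adjacent locations (pages 3-4 and 9-10)."""
    rng = random.Random(5268)
    file_data = bytes(rng.getrandbits(8) for _ in range(4 * PAGE_SIZE))
    pages = [bytes(rng.getrandbits(8) for _ in range(PAGE_SIZE)) for _ in range(16)]
    pages[3], pages[4] = file_data[:PAGE_SIZE], file_data[PAGE_SIZE:2 * PAGE_SIZE]
    pages[9], pages[10] = file_data[2 * PAGE_SIZE:3 * PAGE_SIZE], file_data[3 * PAGE_SIZE:]
    dump = b"".join(p + b"\xff" * OOB_SIZE for p in pages)
    return file_data, dump


if __name__ == "__main__":
    file_data, dump = build_sample()
    print("raw dump (OOB still present):", find_runs(file_data, dump))
    print("after strip_oob:             ", find_runs(file_data, strip_oob(dump)))
```

Against a real dump, replace `build_sample()` with the unpacked file and the dump read from disk; if every run is exactly one page long, the OOB area is still in the dump (or the page/OOB sizes are wrong), and if runs are page-sized but the file is not fully covered, look at the missing pages for the per-block checksums mentioned above.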
#55
@b1tninja, I eventually got a clip and managed to get the NAND dumped in situ. However, since we know the root password as well as the algo for the password of user: rma (also with root privileges), it was no longer necessary to figure out how to binwalk the NAND dump, as you can just access the modem over UART.
#56
(01-12-2025, 11:37 AM)drsnooker Wrote: @b1tninja, I eventually got a clip and managed to get the NAND dumped in situ. However, since we know the root password as well as the algo for the password of user: rma (also with root privileges), it was no longer necessary to figure out how to binwalk the NAND dump, as you can just access the modem over UART.

Unfortunately the newer firmwares seem to prevent downgrades, and one of the scripts at startup disables input over the debug port.

I did find a compatible connector for the UART though, which is handy: Samtec MEC1-108-02-S-D-A.

Alright, well, thanks anyway. Guess I'm on my own. I'll report back here when I figure it out.
#57
Perhaps if you purchase a used one off eBay, the FW might not have been upgraded past the point that you can change the firmware to an older one. Or perhaps downgrade to 11.0 first before going for 10.5.3?