bkerler / netgear_telnet

Netgear Enable Telnet (New Crypto)
MIT License

Netgear RBK763S telnetenable not working #11

Closed das1996 closed 1 year ago

das1996 commented 2 years ago

This is a new Orbi from Netgear, recently available from Costco.

https://www.costco.com/netgear---orbi-ax5400-wifi-6-mesh-system%2C-one-year-advanced-cyber-security-included.product.100942085.html

Here's a link to Netgear's firmware for this

router https://www.downloads.netgear.com/files/GDC/RBK763/RBR760-V6.3.1.0.zip

satellite https://www.downloads.netgear.com/files/GDC/RBK763/RBS760-V6.3.1.0.zip

Telnet or ssh access would be greatly appreciated in this device. Thank you

bkerler commented 1 year ago

Should work now. Please try commit e0feec0

doegox commented 1 year ago

Hello I've a RBR760 with fw v6.3.6.2_1.2.66 https://www.downloads.netgear.com/files/GDC/RBK763/RBR760-V6.3.6.2.zip

When trying to use the script it freezes on the retval = conn.recvfrom(1024) and never gets any UDP packet back from the router

bkerler commented 1 year ago

Hah, Philippe! @doegox, it should be fixed by the latest commit.

doegox commented 1 year ago

Thanks! Well it doesn't hang anymore but it doesn't activate telnet. The 3 calls with the 3 hashes all fail getting an answer.

doegox commented 1 year ago

I fetched and instrumented telnetenable from RBR760 firmware V6.3.6.2 and it produces exactly the same ciphered blob as with mode=1 (cf https://github.com/doegox/netgear_telnet/blob/tests_phil/research/ if you're interested, it's a bit different as the bin is not using uClibc anymore).

And UDP port 23 seems open according to nmap.

So :man_facepalming: I've no idea why it's not working on my router. And MAC & pwd are correct.

Any other idea by any chance? Does it have to be executed at a particular moment or is it supposed to always work?

BTW pwd is read from /tmp/cache/telnetenable/httpwd in this telnetenable

doegox commented 1 year ago

/usr/sbin/telnet_update.sh is a packed/obfuscated binary that contains and execs the following script:

```sh
#!/bin/sh

#Purpose:
#update telnet related parameters from uci
[ -d "/tmp/cache/telnetenable/" ] || mkdir -p "/tmp/cache/telnetenable"
PASSWORD_FILE="/tmp/cache/telnetenable/httpwd"
uci get system.http.password >$PASSWORD_FILE
```

so it's just the http password, nothing fancy here... and I still don't get why it's not working for me.

bkerler commented 1 year ago

I can have a look if I can spot any difference in the fw :)

bkerler commented 1 year ago

@doegox I think you are using the wrong mac. It has to be the mac of the router (br0).

doegox commented 1 year ago

It is the one of the router as seen in /sbin/arp :) I tried with specifying myself and with the script discovering it by itself.

bkerler commented 1 year ago

Please try if commit 4ec9e0e works for you

doegox commented 1 year ago

Still no success :( BTW I'm now running V6.3.6.4 so similar to https://github.com/bkerler/netgear_telnet/issues/26

bkerler commented 1 year ago

I've updated the script. The algo is fine by now. The only things that can now prevent it from being enabled are: the way the password is stored, the actual MAC not matching, or a firewall blocking all UDP traffic.

doegox commented 1 year ago

\o/ I confirm it works fine now on my RBR760. Thank you very much for your work and patience!

gpz1100 commented 1 year ago

Confirmed working on fw V6.3.6.2_1.2.66.