latonita / tenda-reverse

Reverse engineering, getting root access to Tenda MW6 wifi mesh router

Firmware Intelbras Twibi Giga+, same Tenda MW6 #16

Open brasil-iot opened 2 years ago

brasil-iot commented 2 years ago

Hello

I'm using a Twibi Giga+ (Intelbras, Brazil), which is the Tenda MW6 (OEM).

On the Intelbras page, the latest firmware (1.0.12) for this Twibi Giga+ is available for download, which is practically the same as the firmware you used to do the reverse.

I'm sending the link below if you want to take a look.

https://backend.intelbras.com/sites/default/files/2021-11/Twibi_Giga%2B_v1.0.12_0.zip

gingerbeardman commented 2 years ago

Is your Twibi device managed using an app or does it have a web interface?

Mirror download on GitHub: Twibi_Giga+_v1.0.12_0.zip

brasil-iot commented 2 years ago

Both. The app is practically identical to the original Tenda one, but it seems a little more stable. Via HTTP it has a simple administration page, and it is efficient. In the firmware, the code of this page is in /webroot_ro.

APP INTELBRAS: https://play.google.com/store/apps/details?id=com.intelbras.intelbrasRouter&hl=pt_BR&gl=US

brasil-iot commented 2 years ago

About the root password: from what I could understand, the prod_change_root_passwd doesn't use Encode64, but the MAC ADDR of the LAN (please, can you confirm this?)

Here is the code obtained from libcommonprod.so and decompiled with Ghidra.

===============

/* WARNING: Could not reconcile some variable overlaps */
undefined4 prod_change_root_passwd(void)
{
  undefined auStack308 [64];
  undefined4 local_f4;
  undefined4 local_f0;
  char acStack236 [128];
  undefined4 local_6c;
  undefined4 local_68;
  undefined4 local_64;
  undefined4 local_60;
  undefined4 local_5c;
  undefined4 local_58;
  undefined4 local_54;
  undefined4 local_50;
  char acStack76 [68];

  memset(auStack308,0,0x40);
  local_f4 = 0;
  local_f0 = 0;
  memset(acStack236,0,0x80);
  local_6c = 0;
  local_68 = 0;
  local_64 = 0;
  local_60 = 0;
  local_5c = 0;
  local_58 = 0;
  local_54 = 0;
  local_50 = 0;
  memset(acStack76,0,0x40);
  ApmibGetValue("HW_NIC0_ADDR",&local_6c);
  sprintf(acStack76,"%c%c%c%c%c%c",(int)local_68._2_1_,(int)local_68._3_1_,(int)(char)local_64,
          (int)local_64._1_1_,(int)local_64._2_1_,(int)local_64._3_1_);
  strcpy(acStack236,acStack76);
  doSystemCmd("(echo %s;sleep 1;echo %s) | passwd root -a s> /dev/null",acStack236,acStack236);
  return 0;
}

===============

ekos2001 commented 2 years ago

Does this firmware have DHCP reservation settings via an app or a web interface?

brasil-iot commented 2 years ago

DHCP Reservation:
On web interface: yes
On app: no

tiagoclc commented 2 years ago

I don't know about the Twibi Giga, but on the Twibi Fast the password is the last 6 digits of the MAC address. The Twibi Fast can't upgrade from version 1.1.2 to 1.1.3 and subsequently to 1.1.10. The user has to open a TeamViewer connection for an Intelbras technician. This way he can use a telnet client to prepare the Twibi Fast to receive the firmware upgrades.

So I thought: what if I install a keylogger on my computer? And I did! With that I captured the password that the technician typed, and it was the last 6 digits of the MAC address.

Twibi Fast telnet
Port: 23
User: root
Password: last 6 digits of MAC address (printed on the bottom label)

PS: You have to press the reset button for about 4s to enable the telnet service and become able to connect.

IMG_20220426_102128 IMG_20220507_130520

marcosd0uglas commented 8 months ago

Do you think it's possible to upload the Tenda MW6 firmware through the Twibi Giga+ web interface? If so, would it work and behave like Tenda's one and get new firmware updates from Tenda OTA? Thanks in advance.