xvzf / zyxel-gpon-sfp

Telekom FTTH with OpenWRT/PfSense/VyOS/Mikrotik/... (Reverse engineering Zyxel PMG3000-D20B GPON SFP)

Default credentials for other carriers #2

Open neinseg opened 2 years ago

neinseg commented 2 years ago

Having a look around the firmware, I found out that there are other default credentials besides "admin"/"1234" in the firmware that are used depending on the "customer" "soft feature":

0x12 -> "root"/"integral"
0x13 -> "carbon"/"C@rB1N0x@m1NE"
others -> "admin"/"1234"

I don't know which ISPs these two values correspond to, but this may be useful to someone acquiring a non-telekom branded version of the same Zyxel module.

xvzf commented 2 years ago

Uh, that's actually pretty interesting! I couldn't find a lot about the Zyxel module (there's no data sheet other than 3 pages that say nothing). Can you give me a hint on where you discovered those? Does the configuration IP of the module alter as well?

neinseg commented 2 years ago

I'll have to check about the IP. I think I saw 192.168.something IPs somewhere.

I found these credentials in one of the binaries from /usr/local/bin. I loaded these binaries as well as the accompanying libs under /usr/local/lib into Ghidra and had a look at the strings. I think these default credentials were somewhere in the factory reset logic in the onumgr binary.

The hal binary is also interesting, as it contains all the logic interfacing with the actual Lantiq optical transceiver interface. I think one of the more interesting things is that it seems they're enforcing the contract's bandwidth limits client-side, as I found a "speed" hal property that happens to use the same 10/50/100/200/500/1G speed steps that Telekom advertises when you sign up.
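The comment above describes finding the default credentials by loading the binaries into Ghidra and reading the strings. The following is an added example, not code from the original thread or from the repository: a small heuristic pre-pass in Python that does the same kind of triage over a raw binary, extracting NUL-terminated strings, pairing up literals that sit back to back in the data section (a compiler tends to emit string literals referenced by the same function together), and ranking the pairs by how password-like the second element looks. The input blob is a constructed stand-in for a `.rodata` slice, not bytes from the real `onumgr` binary; the regexes for "looks like a username" and "looks like a password" are assumptions meant to be tuned per target, and the real binary's string layout need not be adjacent.

```python
import re
import sys

# Constructed sample: a slice of what a .rodata section might look like, with
# NUL-terminated literals back to back. Not bytes from the real onumgr binary.
SAMPLE_RODATA = (
    b"\x00\x00customer soft feature\x00admin\x001234\x00root\x00integral\x00"
    b"carbon\x00C@rB1N0x@m1NE\x00/usr/local/bin/onumgr\x00factory reset\x00"
)

# Assumed heuristics: usernames are short, lowercase, start with a letter;
# passwords are printable, no whitespace, no path separators.
USERNAME_RE = re.compile(rb"^[a-z][a-z0-9_]{2,15}$")
PASSWORD_RE = re.compile(rb"^[^\s/]{4,32}$")


def extract_strings(blob: bytes, min_len: int = 4) -> list[tuple[int, bytes]]:
    """Return (offset, string) for every run of >= min_len printable ASCII bytes."""
    return [(m.start(), m.group())
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def adjacent_pairs(strings: list[tuple[int, bytes]]) -> list[tuple[bytes, bytes]]:
    """Pairs of consecutive strings separated by exactly one NUL byte."""
    pairs = []
    for (off_a, a), (off_b, b) in zip(strings, strings[1:]):
        if off_b == off_a + len(a) + 1:
            pairs.append((a, b))
    return pairs


def password_score(pw: bytes) -> int:
    """Count character classes used (lower, upper, digit, symbol); 4 is the max."""
    classes = [rb"[a-z]", rb"[A-Z]", rb"[0-9]", rb"[^A-Za-z0-9]"]
    return sum(1 for c in classes if re.search(c, pw))


def credential_candidates(blob: bytes) -> list[tuple[bytes, bytes, int]]:
    """(user, password, score) for adjacent pairs that pass both heuristics, best first."""
    cands = []
    for user, pw in adjacent_pairs(extract_strings(blob)):
        if USERNAME_RE.match(user) and PASSWORD_RE.match(pw):
            cands.append((user, pw, password_score(pw)))
    cands.sort(key=lambda t: t[2], reverse=True)
    return cands


if __name__ == "__main__":
    # Usage: python creds.py /path/to/extracted/onumgr   (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RODATA
    for user, pw, score in credential_candidates(data):
        print(f"{score}  {user.decode()} / {pw.decode()}")
```

The ranking only narrows the list; a pair like "integral"/"carbon" will also show up because two candidate usernames happen to be neighbours, so the final call still comes from following the cross-references in the disassembler, as done in the thread.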

neinseg commented 2 years ago

Also, btw, I found evidence that the module itself is capable of 2.5G speeds, and that the SFP interface can change modes somehow. Given that AFAIK SFP and SFP+ are pin-compatible, I think there is a small chance that you can "upgrade" one of these to up to 2.5G speeds.

xvzf commented 2 years ago

I loaded the binaries into BinaryNinja as well, that's how I discovered the HTTP API calls; but didn't move on with that.

I got 2.5G working using HSGMII but only on my Linux server so far, my ARM board with SFP+ doesn't like it. Unfortunately it's not 802.3bz and it doesn't negotiate speeds as such.

The speed settings are interesting, I guess I will have a closer look as well! It's likely just some "smart" QoS for VoIP and the actual enforcement is performed on the OLT, but maybe not!

neinseg commented 2 years ago

Looking at the code in the hal and onumgr binaries it seems like it is flipping some special function register bits depending on the speed config setting. If the speed is set to anything but 2.5G, things go as normal, but if it is set to 2.5G, magic values are written to a handful of config bytes. I suspect that this might really just force the SFP interface's speed in hardware.

neinseg commented 2 years ago

Found some sources for the ONU kernel module here:

neinseg commented 2 years ago

Re: IP Addresses. I have had a look around and I found references to both 192.168.1.1 and 192.168.2.1 in the factory reset functions in libinfra.so. The reset function decides between 192.168.2.1 and 192.168.1.1 depending on the customer soft feature, but the telekom firmware seems to contain a patch that then just always overrides this with 10.10.1.1. So a similar Zyxel module from a different carrier could conceivably have either of those IPs.

grinco commented 2 years ago

Hey folks, thanks for sharing your findings. I was planning to buy one such module from Italy on ebay, and am not sure if I will be able to access it in the state that it arrives. Do you know how the configuration is reset? My ISP authenticates me based on the Serial Number, and without changing it it's going to be dead metal. How did you dump the flash?

neinseg commented 2 years ago

@grinco Out of the box you should be able to get SSH access. Through the SSH interface, at least in the configuration that Telekom DE sells, you get both a regular Linux shell as well as a configuration command line that lets you set everything including S/N, PLOAM password and up to the laser's transmission power. Through SSH you can both take a tar'ed snapshot of the root file system, and you can also just read from /dev/mtd.
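The comment above says the flash can be read straight from /dev/mtd over SSH. As an added example (not code from the thread or the repository), here is a Python helper that turns the module's /proc/mtd listing into one ssh dump command per partition and then checks each local file against the size the kernel reported, so a short read (dropped SSH session, a partition that is not readable) is caught rather than silently producing a truncated image. The /proc/mtd text below is constructed; the real partition names and sizes of the module are not reproduced here. The host 10.10.1.1 and user admin are the values reported later in this thread.

```python
import os
import re
import shlex
import sys

# Constructed sample of /proc/mtd as Linux prints it. The real partition
# table of the Zyxel module is not reproduced here.
PROC_MTD_SAMPLE = """dev:    size   erasesize  name
mtd0: 00040000 00010000 "uboot"
mtd1: 00400000 00010000 "rootfs"
mtd2: 00010000 00010000 "config"
"""

MTD_LINE = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"(.*)"$')


def parse_proc_mtd(text: str) -> list[dict]:
    """Parse /proc/mtd into [{'dev', 'size', 'erasesize', 'name'}, ...]; sizes are hex in the file."""
    parts = []
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            parts.append({"dev": m.group(1), "size": int(m.group(2), 16),
                          "erasesize": int(m.group(3), 16), "name": m.group(4)})
    return parts


def dump_commands(parts: list[dict], host: str = "10.10.1.1",
                  user: str = "admin", outdir: str = "flash") -> list[str]:
    """One ssh command per partition: cat the raw /dev/mtdN char device to a local file."""
    cmds = []
    for p in parts:
        out = os.path.join(outdir, f"{p['dev']}_{p['name'].replace(' ', '_')}.bin")
        remote = f"cat /dev/{p['dev']}"
        cmds.append(f"ssh {user}@{host} {shlex.quote(remote)} > {shlex.quote(out)}")
    return cmds


def snapshot_command(host: str = "10.10.1.1", user: str = "admin",
                     out: str = "rootfs.tar") -> str:
    """The tar'ed root file system snapshot mentioned in the thread, streamed over ssh."""
    return f"ssh {user}@{host} {shlex.quote('tar cf - /')} > {shlex.quote(out)}"


def check_dump_sizes(parts: list[dict], sizes: dict[str, int]) -> list[str]:
    """Return the devices whose dumped length differs from the /proc/mtd size (missing or truncated)."""
    return [p["dev"] for p in parts if sizes.get(p["dev"]) != p["size"]]


if __name__ == "__main__":
    # Usage: python mtddump.py proc_mtd.txt   (proc_mtd.txt copied from the module)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else PROC_MTD_SAMPLE
    parts = parse_proc_mtd(text)
    for cmd in dump_commands(parts):
        print(cmd)
    print(snapshot_command())
    # After running the dumps, compare sizes; any name printed here needs a re-dump.
    local = {p["dev"]: os.path.getsize(f"flash/{p['dev']}_{p['name']}.bin")
             for p in parts if os.path.exists(f"flash/{p['dev']}_{p['name']}.bin")}
    print("short or missing:", check_dump_sizes(parts, local))
```

Reading /dev/mtdN gives the raw partition without the ECC/OOB data a NAND device might carry, which is what you want for unpacking the root file system; hash each file before and after copying it off the module so a later comparison against the repository's flash dumps is meaningful.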

xvzf commented 2 years ago

@neinseg found evidence for the IPs in the module as well:

That's the pre-init script passed to the kernel cmdline as init

cat /etc/preinit
#!/bin/sh
# Copyright (C) 2006 OpenWrt.org
# Copyright (C) 2010 Vertical Communications

export PATH=/bin:/sbin:/usr/bin:/usr/sbin

pi_ifname=
pi_ip=192.168.1.1
pi_broadcast=192.168.1.255
pi_netmask=255.255.255.0

fs_failsafe_ifname=
fs_failsafe_ip=192.168.1.1
fs_failsafe_broadcast=192.168.1.255
fs_failsafe_netmask=255.255.255.0

# ....
xvzf commented 2 years ago

@grinco Flashdumps were added with #3

xvzf commented 2 years ago

@neinseg

The hal binary is also interesting, as it contains all the logic interfacing with the actual Lantiq optical transceiver interface. I think one of the more interesting things is that it seems they're enforcing the contract's bandwidth limits client-side, as I found a "speed" hal property that happens to use the same 10/50/100/200/500/1G speed steps that Telekom advertises when you sign up.

Setting this in the CLI sets the interface speed at a fixed value, though there are different options to choose from (10m, 100m, 200m, 1G, 2.5G -> plain interface speed on the SFP side). Though the 200m seems a bit weird, I think this is an overclocked SGMII as well.

grinco commented 2 years ago

@grinco Out of the box you should be able to get SSH access. Through the SSH interface, at least in the configuration that Telekom DE sells, you get both a regular Linux shell as well as a configuration command line that lets you set everything including S/N, PLOAM password and up to the laser's transmission power. Through SSH you can both take a tar'ed snapshot of the root file system, and you can also just read from /dev/mtd.

This sounds awesome. Thanks very much for the information. I've ordered the module, will see how it goes once it arrives. Am quite excited.

gionag commented 2 years ago

@grinco Out of the box you should be able to get SSH access. Through the SSH interface, at least in the configuration that Telekom DE sells, you get both a regular Linux shell as well as a configuration command line that lets you set everything including S/N, PLOAM password and up to the laser's transmission power. Through SSH you can both take a tar'ed snapshot of the root file system, and you can also just read from /dev/mtd.

This sounds awesome. Thanks very much for the information. I've ordered the module, will see how it goes once it arrives. Am quite excited.

Were you able to log in?

grinco commented 2 years ago

Yeah, I was, thank you. It was listening over SSH and HTTP on 10.10.1.1. Logged in with admin/1234. I have experienced stability problems with the SFP, however, so I'm not using it. The SFP would lose link every 5-7 minutes and stay down for ~10. I've reported the issue to the ISP trying to get their help, but I don't think they will be willing to use hardware not issued by them in the network.

grinco commented 2 years ago

So as I thought, the ISP wasn't willing to help with any of my issues, saying only hardware issued by them is supported. One of the things that I noticed is that my current terminal has ONT ID 3 in its status page, while the Zyxel SFP has 255. Any idea what that is and how to change it?

tdmadam commented 2 years ago

Uh, that's actually pretty interesting! I couldn't find a lot about the Zyxel module

Your Zyxel module is actually the T&W TW2362H-CDEL https://twsz.com/en/product/98/451.html

TW2362H-CDEH_SFP_GPON

They also sell their design to other small and medium manufacturers. I think the most famous reincarnation is known as Zisa OP151S.