search

xvzf / zyxel-gpon-sfp

Telekom FTTH with OpenWRT/PfSense/VyOS/Mikrotik/... (Reverse engineering Zyxel PMG3000-D20B GPON SFP)
178 stars 23 forks source link

different username/password #6

Closed gionag closed 3 months ago

gionag commented 2 years ago

Hello, i have the same zyxel gpon.. but the admin/1234 combo don't work as login. Can someone explain how they were discovered in the first place so i can replicate the same tecnique on my module ?

thanks

gionag commented 2 years ago

useful trick, maybe for others. mine was shipped with admin account enabled but with different password than "1234". i have found a trick to reset that to 1234.

first, login to 10.10.1.1 as guest/guest (mine was enabled) then, in the same session, enter this :

http://10.10.1.1/cgi/set_admin?rand=0.7041383755617387&type=2&username=admin&password=31rmzl323334m&level=0 it should respond with "1".

(rand param can be whatever you want from 0 to 1 (1 excluded) as per JS Math.random() output)

After that, re-login with admin/1234 and "save settings" to store that change.

xvzf commented 2 years ago

Feel free to create a PR and update the readme @gionag

k0xak commented 2 years ago

I have two modules purchased as used from Italy (Wind3 ISP probably)

First module works with 10.10.1.1 and admin/admin + admin/1234

Second module is listeing on 10.10.1.1 and initial login admin/admin work as well but than am unable to login with admin/1234. Root is identified as not existing user and guest/guest is not working as well.

Any tip for how to get in?

LucaDev commented 2 years ago

useful trick, maybe for others. mine was shipped with admin account enabled but with different password than "1234". i have found a trick to reset that to 1234.

first, login to 10.10.1.1 as guest/guest (mine was enabled) then, in the same session, enter this :

http://10.10.1.1/cgi/set_admin?rand=0.7041383755617387&type=2&username=admin&password=31rmzl323334m&level=0 it should respond with "1".

(rand param can be whatever you want from 0 to 1 (1 excluded) as per JS Math.random() output)

After that, re-login with admin/1234 and "save settings" to store that change.

Thank you so much for that information! I was able to reset the admin password and it works like a charm!

gionag commented 2 years ago

useful trick, maybe for others. mine was shipped with admin account enabled but with different password than "1234". i have found a trick to reset that to 1234. first, login to 10.10.1.1 as guest/guest (mine was enabled) then, in the same session, enter this : http://10.10.1.1/cgi/set_admin?rand=0.7041383755617387&type=2&username=admin&password=31rmzl323334m&level=0 it should respond with "1". (rand param can be whatever you want from 0 to 1 (1 excluded) as per JS Math.random() output) After that, re-login with admin/1234 and "save settings" to store that change.

Thank you so much for that information! I was able to reset the admin password and it works like a charm!

Glad it helped. In the end i was unable to use the module to properly connect to "TIM" (IT) GPON network... so i switched for another module alltogether

slemke76 commented 1 year ago

Hello,

the admin Password for newer builds is "9dsxsqcq6t" - knowing this stops the need for resetting the password every time after config reset / loss.

"show version" of my firmware: Build Time: 2020-12-23 18:07:36 GIT Info: TW2362H-CDEL_lantiq98035/customize/TW2362H-CDEL_lantiq98035_general_20150131:ff6e8bf8

How to reproduce:

Reset the module to defaults Open Webinterface, login with guest / guest. This will write the actual config: http://10.10.1.1/cgi/set_save?rand=0.4798344808717123 Set the admin Password to '1234': http://10.10.1.1/cgi/set_admin?rand=0.7041383755617387&type=2&username=admin&password=31rmzl323334m&level=0 Login with SSH to the Module - ssh Login is "admin/admin" the CLI Login (as previous set) "admin/1234" Open the shell with "linuxshell" Display the previous saved default password: grep -ie "admin Password" /var/config/mib.conf

When I find some time I will make a PR.

Regards, Sebastian

wagman77 commented 11 months ago

Hi, I purchased this module from Telekom in summer 2023 and I was also facing the password issue. Furthermore I was unable to redirect the web interface via ssh command. I hope that one of the given passwords will work so that I have access to the device.

nullinger commented 8 months ago

Strange. I purchased the module some days ago and could still use the old credentials. Firmware: V1.00(ABVJ.0)b3v

3DJupp commented 6 months ago

Hey, i have "V1.00(ABVJ.1)b1e" but i can't access ssh. The connection will be refused all the time. I did this:

ssh -o HostKeyAlgorithms=+ssh-rsa admin@10.10.1.1 -v

jaseg commented 6 months ago

@3DJupp Which specific error do you get? Could you paste a log here? If it actually says "connection refused", then that's not a problem with username/password, but instead means that SSH can't even open a TCP connection to the module (perhaps because of a bad routing table or a firewall interfering?).

3DJupp commented 6 months ago

@3DJupp Which specific error do you get? Could you paste a log here? If it actually says "connection refused", then that's not a problem with username/password, but instead means that SSH can't even open a TCP connection to the module (perhaps because of a bad routing table or a firewall interfering?).

Hey, I want to draw back my question, the interface was broken and I got a new one. Didn't want to tinker (3.3V Serial adapter) with it, as it was new, I got another one from my ISP which has SSH in place. The Web If was working all the time at 10.10.1.1/24

slemke76 commented 3 months ago

I have just created a pull request which also describes how to (re-)set the password permanently.

slemke76 commented 3 months ago

The pull request has been merged, I guess the ticket can be closed?