Hack China Unicom Optical Modem
Normally, in a Fiber-to-the-Home setup, the optical modem takes care of the PPPoE dialing itself, and the router connected to it treats the modem as its gateway. This scheme brings two limitations: double NAT, and the public IP being held by the modem rather than the router. To get rid of them, we need to hack the modem and make it work in bridge mode.
Extract Database
Although the modem's web page could be a good hack point, we will use a much more universal and geeky way: connecting to the modem through TTL (the serial console).
Because the modem is basically an embedded board running Linux, the vendor always keeps the serial port around for convenient debugging. In theory end users never have anything to do with the serial port, so its protection is pretty weak. For example, the password for the root user is just root.
…
After logging into the modem through TTL, what we need is the database located at
/userconfig/cfg/db_user_cfg.xml
As this file is encrypted, we need to transfer it from the modem to a laptop and do the decryption there.
The only transfer tool on the modem is a TFTP client, so a TFTP server on the laptop will be required:
Mac: Transfer
Windows: Tftpd64
Linux: tftpd-hpa
Of course, before we start the transfer, we first need to connect the laptop to the modem with an Ethernet cable and give the laptop a static IP in the modem's subnet, such as 192.168.1.2.
Finally, we can upload the database to the TFTP server with the BusyBox tftp client on the modem (-p puts a file, -l names the local file to send):
tftp -p -l /userconfig/cfg/db_user_cfg.xml 192.168.1.2
Decrypt Database
To decrypt the database, we will use a tool called offzip. It needs to be compiled manually on macOS or Linux, so change into its source directory first:
cd offzip
Then decrypt with (-a extracts every compressed stream offzip finds into the output directory, here ./, scanning from offset 0):
./offzip -a ./db_user_cfg.xml ./ 0
Many files will be decompressed out; the ones we need are those with the xml extension.
Then search for admin in those xml files and find the admin password.
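To show what offzip is doing in the step above, here is an added example (my own code, not offzip and not from the original post) that implements the same idea in Python: walk a byte buffer, look for bytes that form a valid zlib header, try to inflate a stream from each candidate, and keep only the streams that decompress cleanly to their end. The input is a constructed blob that embeds two small XML fragments between junk bytes; the file name used when writing the results out is an assumption and only mirrors offzip's offset-based naming.

```python
import zlib
from pathlib import Path

# Constructed sample payloads (not a real modem config).
SAMPLE_PART1 = b"<?xml version='1.0'?><config><wan mode='route'/></config>"
SAMPLE_PART2 = b"<?xml version='1.0'?><lan><ip>192.168.1.1</ip></lan>"


def build_sample() -> bytes:
    """Build a constructed blob: junk header, stream, junk, stream, junk trailer."""
    return (b"HDR\x00\x01" + zlib.compress(SAMPLE_PART1)
            + b"\xff" * 16 + zlib.compress(SAMPLE_PART2) + b"\x00TAIL")


def looks_like_zlib_header(cmf: int, flg: int) -> bool:
    """RFC 1950 header check: deflate method, window <= 32K, (CMF*256+FLG) % 31 == 0."""
    return ((cmf & 0x0F) == 8
            and (cmf >> 4) <= 7
            and ((cmf << 8) | flg) % 31 == 0)


def find_zlib_streams(data: bytes):
    """Scan data for zlib streams.

    Returns a list of (offset, decompressed_bytes, compressed_length) for every
    candidate header that inflates to a complete stream. Candidates that raise
    zlib.error or never reach end-of-stream are treated as false positives.
    """
    results = []
    i, n = 0, len(data)
    while i + 1 < n:
        if looks_like_zlib_header(data[i], data[i + 1]):
            d = zlib.decompressobj()
            try:
                out = d.decompress(data[i:])
                if d.eof:
                    # Bytes after the stream end land in unused_data; the rest was consumed.
                    consumed = n - i - len(d.unused_data)
                    results.append((i, out, consumed))
                    i += consumed  # do not re-scan inside the stream we just carved
                    continue
            except zlib.error:
                pass
        i += 1
    return results


def carve_xml(data: bytes):
    """Keep only the carved streams that look like XML documents."""
    return [out for _, out, _ in find_zlib_streams(data)
            if out.lstrip().startswith(b"<")]


def write_streams(data: bytes, outdir: str) -> list:
    """Write each carved stream to <outdir>/<offset>.dat (assumed naming) and return the paths."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for offset, payload, _ in find_zlib_streams(data):
        p = out / f"{offset:08x}.dat"
        p.write_bytes(payload)
        paths.append(p)
    return paths


if __name__ == "__main__":
    blob = build_sample()
    for offset, payload, length in find_zlib_streams(blob):
        print(f"stream at 0x{offset:08x}, {length} compressed bytes -> {len(payload)} bytes")
    for doc in carve_xml(blob):
        print(doc.decode())
```

Run it on a real dump by replacing `build_sample()` with `Path("db_user_cfg.xml").read_bytes()`; the header check alone produces false positives roughly once every few hundred random byte pairs, which is why the code insists on a clean end-of-stream before accepting a candidate.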
Admin Account
For me, to open the admin login web page, I need to append /cu.html after the modem's IP, such as
http://192.168.1.1/cu.html
Now, do everything you want.