w00tsec.blogspot.com - blogpost about ARRIS' nested backdoor










w00tsec: ARRIS Cable Modem has a Backdoor in the Backdoor

w00tsec.blogspot.com
w00tsec embedded device & webapp hacking


Thursday, November 19, 2015

ARRIS Cable Modem has a Backdoor in the Backdoor

A couple of months ago, some friends invited me to give a talk at NullByte Security Conference. I started to study some embedded device junk hacking hot topics and decided to talk about cable modem security. Braden Thomas keynoted at Infiltrate 2015 discussing Practical Attacks on DOCSIS so, yeah, cable modem hacking is still mainstream.

On November 21st I'll be at Salvador speaking on "Hacking cable modems: The Later Years". It's not a talk about theft of service and getting free Internet access. I'll focus on the security of the cable modems, the technology used to manage them, how the data is protected and how the ISPs upgrade the firmwares. Spoiler Alert: everything's really really bad.

Securing cable modems is more difficult than other embedded devices because, in most cases, you can't choose your own device/firmware and software updates are almost entirely controlled by your ISP. While researching the subject, I found a previously undisclosed backdoor on ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts and the vendor did not state whether it's going to fix it yet.

ARRIS Backdoors

ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, permitting privileged logins using a custom password.
The following files load the backdoor library on ARRIS TG862A Firmware TS0705125D_031115_MODEL_862_GW (released in 2015):

/usr/sbin/arris_init
/usr/sbin/dimclient
/usr/sbin/docsis_mac_manager
/usr/sbin/ggncs
/usr/sbin/gw_api
/usr/sbin/mini_cli
/usr/sbin/pacm_snmp_agent
/usr/sbin/snmp_agent_cm
/usr/www/cgi-bin/adv_pwd_cgi
/usr/www/cgi-bin/tech_support_cgi

ARRIS password of the day is a remote backdoor known since 2009. It uses a DES encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily backdoor password. The default seed is MPSJKMDHAI and guess what - many ISPs won't bother changing it at all.

The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface "http://192.168.100.1/cgi-bin/tech_support_cgi" or via custom SNMP MIBs. The default password for the SSH user 'root' is 'arris'. When you access the telnet session or authenticate over SSH, the system spawns the 'mini_cli' shell asking for the backdoor password. When you log in using the password of the day, you are redirected to a restricted technician shell ('/usr/sbin/cli').

Restricted shells are ;restricted

In order to understand how the backdoor works, I built a Puma5 toolchain (ARMEB) and cross compiled some useful tools like strace, tcpdump and gdbserver. I hosted them on my Github, get them here:

- https://github.com/bmaia/cross-utils/tree/master/armeb

While analyzing the backdoor library and the restricted shells, I found some interesting code in the authentication check:

Yes, they put a backdoor in the backdoor (Joel from Dlink is sure to be envy). The undocumented backdoor password is based on the last five digits from the modem's serial number. You get a full busybox shell when you log on the Telnet/SSH session using these passwords. The vendor asked not to disclose details about the password generation algorithm.
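One way to check an extracted firmware tree for binaries that link the backdoor library, as an added example that is not code from the post or from ARRIS: it parses each ELF file's dynamic section and reports every binary whose DT_NEEDED entries name libarris_password.so. The sample binaries it audits are constructed inline (minimal big-endian ELF32 for ARM, the Puma5 ARMEB layout); the function names and the mini_cli/clean_tool sample paths are assumptions.

```python
"""Audit an extracted firmware tree for ELF binaries that link the
libarris_password.so library the post describes, by reading DT_NEEDED.
Added example, not from the post; sample ELFs are constructed in-line."""
import os
import struct
import tempfile

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5
BACKDOOR_LIB = "libarris_password.so"   # library name taken from the post


def needed_libs(data: bytes) -> list:
    """DT_NEEDED names of an ELF32 image (either endianness); [] otherwise."""
    if data[:5] != b"\x7fELF\x01":         # magic + EI_CLASS == ELFCLASS32
        return []
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = LSB, 2 = MSB
    (e_phoff,) = struct.unpack_from(end + "I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    loads, dyn = [], None
    for i in range(e_phnum):               # p_type, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
            end + "IIIII", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    if dyn is None:                         # statically linked or not a dynamic object
        return []
    # Walk the dynamic array: DT_NEEDED values are offsets into the string
    # table whose *virtual address* DT_STRTAB carries.
    needed, strtab_va = [], None
    for off in range(dyn[0], dyn[0] + dyn[1], 8):
        tag, val = struct.unpack_from(end + "iI", data, off)
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)
        elif tag == DT_STRTAB:
            strtab_va = val
    # Translate that address to a file offset via the PT_LOAD that maps it.
    for vaddr, off, filesz in loads:
        if strtab_va is not None and vaddr <= strtab_va < vaddr + filesz:
            strtab_off = off + (strtab_va - vaddr)
            break
    else:
        return []
    names = []
    for idx in needed:
        start = strtab_off + idx
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names


def audit_rootfs(root: str) -> list:
    """Paths (relative to root) of regular files whose DT_NEEDED names BACKDOOR_LIB."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                if BACKDOOR_LIB in needed_libs(fh.read()):
                    hits.append("/" + os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_elf(libs, base=0x10000) -> bytes:
    """Constructed minimal big-endian ELF32 (ET_DYN, EM_ARM): one PT_LOAD, one
    PT_DYNAMIC and a string table, enough for a loader to see DT_NEEDED."""
    strtab, offsets = b"\0", []
    for lib in libs:
        offsets.append(len(strtab))
        strtab += lib.encode() + b"\0"
    dyn_off = 52 + 2 * 32                       # after ELF header + 2 phdrs
    dyn_size = 8 * (len(libs) + 2)              # DT_STRTAB, DT_NEEDED..., DT_NULL
    str_off = dyn_off + dyn_size
    total = str_off + len(strtab)
    dyn = struct.pack(">II", DT_STRTAB, base + str_off)
    dyn += b"".join(struct.pack(">II", DT_NEEDED, o) for o in offsets)
    dyn += struct.pack(">II", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([1, 2, 1]) + b"\0" * 9     # ELF32, MSB, version 1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 3, 40, 1, base, 52, 0, 0,
                               52, 32, 2, 0, 0, 0)
    load = struct.pack(">8I", PT_LOAD, 0, base, base, total, total, 5, 0x1000)
    dynamic = struct.pack(">8I", PT_DYNAMIC, dyn_off, base + dyn_off,
                          base + dyn_off, dyn_size, dyn_size, 6, 4)
    return ehdr + load + dynamic + dyn + strtab


def demo_audit() -> list:
    """Constructed rootfs: a mini_cli linking the backdoor library next to a
    clean binary.  Expected result: ['/usr/sbin/mini_cli']."""
    with tempfile.TemporaryDirectory() as root:
        sbin = os.path.join(root, "usr", "sbin")
        os.makedirs(sbin)
        with open(os.path.join(sbin, "mini_cli"), "wb") as fh:
            fh.write(build_sample_elf(["libc.so.0", BACKDOOR_LIB]))
        with open(os.path.join(sbin, "clean_tool"), "wb") as fh:
            fh.write(build_sample_elf(["libc.so.0"]))
        return audit_rootfs(root)
```

On a real image, point audit_rootfs at the unpacked root filesystem; the same DT_NEEDED walk also works for reporting any other unexpected shared library an update pulls in.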
I'm really relieved knowing that those evil guys from Metasploit won't be able to reverse this in a timely manner.

Vulnerability, Disclosure and Marketing

Of course, we need a logo so the media can report about this with fancy graphs as well as vendors could distribute customized t-shirts at Blackhat. What I like most about lcamtuf is how visionary he is. While people were still writing dumb fuzzers, he wrote AFL and performed a detailed Technical analysis of Qualys' GHOST. Based on his analysis, I hired a couple of marketing specialists to find out the best way to disclose the ARRIS backdoor.

What do we have here?

- Multiple backdoors permitting full remote access to ARRIS Cable modems
- An access key that is generated based on the Cable modem's serial number

After a thoughtful analysis, the marketing committee advised w00tsec members to write a Keygen. In order to write a Keygen, we need a leet ascii art and a cool chiptune. The chosen font was ROYAFNT1.TDF, from the legendary artist Roy/SAC and the chiptune is Toilet Story 5, by Ghidorah. Here's the POC (make sure you turn the sound on):

Conclusion

I reported these flaws to CERT/CC on 2015-09-13 but we didn't receive much feedback from the vendor. CERT/CC was very helpful and responsive (10/10 would disclose again!). I was asked not to release the POCs immediately so I'm going to wait for the vendor to "fix" the issue. CERT/CC set a disclosure policy of 45 days long ago. They waited for more than 65 days for them to "fix" it but ARRIS didn't remove the backdoors in a timely manner.

Someone needs to update the Responsible Disclosure RFC and include a note describing that vendors shall lose disclosure points whenever they plant a backdoor on the device (ARRIS modems have a third backdoor too, check the ConsoleCowboys Blog). I'm pretty sure bad guys had been exploiting flaws on these devices for some time (just search for ARRIS DNS on Twitter, for example).
We need more people bypassing EULAs and reversing end-user software and firmware. If you haven't heard about the Firmware.RE, check them right now. A broader view on firmwares is not only beneficial, but necessary to discover new vulnerabilities and backdoors, correlating different device families and showing how vulnerabilities reappear across different products.

To all the vendors out there, I would like to finish this post by quoting @daveitel:

Posted by Bernardo Rodrigues at 11:07 AM
Labels: arris, backdoor, cable modem, firmware, nullbyte, tg862

Comments:

שחר, November 19, 2015 at 3:49 PM: Hat's off to you, sir. Love the research and writing.

geocrasher, November 19, 2015 at 6:26 PM: Reading this while connected to an ISP who provided me with an Arris 862TG proved much more disconcerting than I expected it to be.

Someguynamedpie, November 19, 2015 at 7:29 PM: Much easier to gain shell access than is listed here. Me and a friend reversed a bunch of arris stuff, it takes literally 2 lines entered into a terminal to get access to the busybox shell.

    Unknown, November 20, 2015 at 3:42 PM: So you say ;)

    Someguynamedpie, November 20, 2015 at 7:13 PM: This guy's exploit requires knowing some stuff that mine doesn't, but I've avoided releasing it because of the amount of hacker drama going on now anyway. Nonetheless, this has been an issue for several years. You can use this to gain connectivity without having internet service, and to manipulate your bandwidth rate caps.

    Someguynamedpie, November 20, 2015 at 7:16 PM: On another note, you don't even need the backdoor password (this isn't actually a backdoor either, it's a maintenance password documented in the minicli).

ClickBrain, November 20, 2015 at 1:49 AM: Completely clueless when it comes to what this gives access to, so asking what is likely to be seen as a dumb question. Will the encrypted connection I have to VPN protect me from this backdoor in terms of data flowing in and out? What level of access does this give someone aware of it on my network?

    Bernardo Rodrigues, November 20, 2015 at 10:23 AM: VPN won't help you because your ISP needs to access your modem to perform management functions, for example. As long as a machine from your network (or the cable network) can access the modem, there is potential to be exploited. You can fully access the device, sniff the network traffic, render it unusable etc... For more info, check the HackerNews thread here: https://news.ycombinator.com/item?id=10596667

Francis Kim, November 20, 2015 at 4:05 AM: Love the work, especially the ASCII art ;)

Nicolás Fort, November 23, 2015 at 10:25 AM: Mmmm... So, what happens if the ISP changes the seed of the Password of the day? This vulnerability disappears? Because as far as I understand, first you use that to log in to the restricted cli, and then you enable telnet/SSH to gain full control. Please someone correct me if I'm wrong.

    Bernardo Rodrigues, November 24, 2015 at 10:26 AM: You can enable telnet/SSH using both the Password of the day and the Serial Backdoor password. Changing the seed from the password of the day won't help because your ISP will set it using a configuration file that is sent to your modem. If you manage to get a copy of this config, you can extract the seed and hack all the modems from your ISP, for example. As far as I know, the seed is not dynamically generated (Check this -> http://docsis.org/node/1575).

    Someguynamedpie, November 24, 2015 at 4:42 PM: Of note, most ISPs, including my own, have all of the modems on their own "LAN WAN" of sorts -- you can easily access all of them. Unfortunately, either exploit requires WAN access enabled; the plus side is that more often than not the things needed to do the exploit are usually open anyway, which is hilarious in of itself. The configs are transferred via TFTP, so it's really easy to get the config if you save the TFTP filepath beforehand. The same config is where the bandwidth limits are stored, unfortunately it is signed but I have done some work with getting the cert signer. Yay for horrible security.

    Nicolás Fort, November 25, 2015 at 10:41 AM: Thanks for your answers. I'm working at an ISP, and we are concerned about this. We have blocked HTTP LAN and WAN access, so nobody can access the cablemodem. When this access is required, we enter the user's cablemodem and configure it. If we enable HTTP LAN access, the user can enter the advanced configuration using the passwd of the day, and enable telnet or ssh access. But using telnet/ssh with that password is not a problem because, as you said before, it goes to a restricted cli. Is there a way to get the serial based password to gain full control? I couldn't find where to get the keygen you are using. Once again, thanks in advance.

Anonymous, November 25, 2015 at 12:56 PM: Nice IDA pictures, but did you really need a utility to enter the Arris panel and then escape some poorly filtered commands in the shell? I don't even know why you need to bother with this so called back door, when you can do it faster other ways. Maybe you'll get a job at Arris some day though with all this nice work, cause it's obvious they only hire the brightest!

    Bernardo Rodrigues, November 26, 2015 at 11:58 AM: When I disclosed the findings to arris, they explicitly asked "how did you find the backdoors?" That's why I sent them the IDA output =) The post describes two backdoors, the Password of the day and the one based on the serial number. You don't need to escape the restricted shell on the SN backdoor, but the script was necessary to 1 - retrieve the SN, 2 - generate the SN backdoor password and 3 - bypass the EULA (see the screenshots). The grep -v was used because the arris modem will keep ranging and displaying lots of debug msgs on the terminal (when disconnected), which would make it impossible to see anything on the video. And yes, there are easier ways to hack it like this one -> https://www.youtube.com/watch?v=KHVge3SkIoo. The motivation behind the post is that Brazilian criminals are exploiting it to change the user's DNS, for example.

    Ing. Ricardo Jose, November 5, 2017 at 1:44 PM: Bernardo, if arris is not so worried you shouldn't be as well, I'm trying to learn and study to protect my own equipment, my isp has most modems with this and they don't even bother to change the seed, to make some changes most people don't even need to have root access, so making the keygen public, not even so public as I see some people have it, will not really make the world a better place, it's pointless, maybe they will take this seriously if you make it public, so far they don't care about customers, ISP neither. Just my thoughts.

Unknown, November 27, 2015 at 2:35 PM: Nice article, thank you. But is it possible to block ISP access from this shell? Via iptables or something like that? I just installed my own Arris modem, but TWC assh*les forced a firmware update and took over the entire modem, disabled wi-fi and keep resetting the password. This is extremely annoying, specially when I'm owning the hardware.

Neu Tron, November 27, 2015 at 10:53 PM: Good find! Thanks

kiko pearl, November 29, 2015 at 3:33 AM: hi bernardo!, could you share with me these backdoors (arris password generator and script in python arris_backdoor.py)? thanks

Unknown, November 29, 2015 at 3:09 PM: Yeah, c'mon, publish the generator. What's the point of creating it if you don't release it? Customers should have full control of their devices (specially if the device is owned).

Unknown, November 29, 2015 at 7:57 PM: Can you publish a secret password for serial E48BRM68K139941? I'm not a customer, but an engineer of an ISP. User's security is important to me.

    Viktor Sneolo, November 29, 2015 at 11:37 PM: LOL. Really? Your security is complete control. Sniffing traffic and charging extra for built-in features like Wi-fi and USB. So f*ck off. Don't publish anything to him. If you are an ISP, you should have generators or whatever you use. I will try to discover how to block ISP access to modems OFF and prevent firmware updates, I know it's possible via SSH. So be sure, I will publish that.

    Anonymous, December 1, 2015 at 3:39 PM: Your pass is 88D3ECC50F. Bernardo, please don't publish the keygen. Those who are asking for it are blackhat scriptkiddies. It's easy to reverse it, those who really need it will be able to do so. I have very little reversing experience and never saw arm assembly before, but was able to find the password generation algorithm after several hours in IDA.

    Freedom, December 2, 2015 at 2:45 AM: Oh you such an as*hole. So your point is to let providers control and sniff traffic right out of the customer's hardware (how convenient for the ISP)? But thank you, right now, from all CC/TWC's firmwares it is easy to extract the pass seed from router.dat (simple settings dump) and generate the stupid password on http://www.borfast.com/projects/arris-password-of-the-day-generator/generator or use SNMP (if applicable). This "one-click" generator isn't needed anymore. I got a pass for myself, and it gives almost no useful features at all, at least in TWC firmware. So don't think you are so smart here.

John Doe, December 1, 2015 at 5:14 PM: I just wrote up an analysis on Xfinity provided Arris TG862G devices, includes a fun root exploit n all. Details @ https://b.unni.es/xfinity.html :-)

    Freedom, December 2, 2015 at 2:53 AM: Lucky you, I don't have the tech_support_cgi URL anywhere, 404 Not found = No Telnet.

    Freedom, December 2, 2015 at 2:56 AM: Some inconsistency in your story. At first saying "Neither of those files (or /cgi-bin/) exist on http://192.168.100.1/", and then "I can enable SSH/telnet via http://192.168.100.1/cgi-bin/tech_support_cgi. So I enable telnet and SSH, then SSH into 10.0.0.1 using the default user rootb and the password arris". What the heck???

    Someguynamedpie, December 2, 2015 at 2:46 PM: Xfinity TG862G modems have a much sillier exploit than that, which lets you run arbitrary code from the web interface.

    John Doe, December 2, 2015 at 6:04 PM: whoops, that was a mistake. I meant https://172.16.12.1/cgi-bin/tech_support_cgi. Fixed on the page too.

    Freedom, December 2, 2015 at 11:39 PM: The reason I can't try your method is because I have a bug in the firmware (or it's because I use Comcast's modem with TWC). Anyway my wi-fi doesn't stay on, right after the coaxial cable is connected, the wi-fi shuts down, but TWC says they enabled the wi-fi feature from their side. So I'm thinking if I can try to dig the modem without the coaxial cable, as in this case wi-fi stays on, but at the same time I can't open the http://192.168.100.1 page when the coaxial is disconnected. A bit stuck here.

    JJ Chen, December 4, 2015 at 5:15 AM: It's strange I can't see my request, so I write again! @Freedom, where did you get router.dat and how did you find the password of the day seed in it?

    Freedom, December 4, 2015 at 11:40 AM: Router.dat is just a backup of the settings from the modem (there is such a menu). Then you execute the commands "openssl enc -d -aes-256-cbc -in router.data -out backup.tar -pass pass:Sercomm" and "sudo ./sc_mix.rb -u -s backup/sc_nvram.usr.sc -d sc_nvram_dump". You probably need a linux OS or OSX for this. But if you don't have the tech_support_cgi page, that password is useless, there is nothing much to change with it.

msfilho, December 18, 2015 at 7:01 PM: Can someone help me with the secret password for Serial E1KBUCE46189173?

    Ibarra, December 19, 2015 at 4:22 PM: A49E41E511, enjoy and take care!

Unknown, December 23, 2015 at 8:28 PM: Hi, how did you manage to obtain the firmware? I wanted to take a look at this but couldn't get a sample. Did you get it from the device directly via JTAG?

Anonymous, December 29, 2015 at 2:08 AM: Can anyone help me with the password for Serial E2BBPM79J630341?

    Litch, January 9, 2016 at 10:52 AM: Try A2D250E6CE

Unknown, January 9, 2016 at 10:51 AM: Loved this write-up, learned a lot.

Unknown, January 9, 2016 at 12:06 PM: Please! Can anyone help me with the password for Serial EBTBP277U388369?

Unknown, January 9, 2016 at 12:25 PM: You can help me... I need to enter the router by http access WAN, I have a Public IP but I lack access... Pleaseeee!!

adsfdfwdf, January 14, 2016 at 2:58 AM: Can I get the serial password for E3JBPP69K562074? Thanks

adsfdfwdf, January 14, 2016 at 3:03 AM: Also password for E3UBPM79J619635 please. For TG1672G with TWC firmware TS0800124_110614_16XX.GW_PC20_TW, SNMP requests can be sent via HTTP requests. I managed to turn on telnet, ssh and got into minicli. In this version the cgi pages have been removed, seed reverted and config backup aes key reverted as well. This gateway uses Intel Puma6, 256MB RAM, 128MB Flash, and still, arris totally made it suck...

adsfdfwdf, January 15, 2016 at 12:08 AM: For DG860A TS070563C_032913_MODEL_860_GW_TW, CGIs were returning 404, twc backdoor password works for advanced and 8080. But the OIDs for arrisCmDoc30Access aren't available and the only open ports I see are 80, 8080 and 443. So how to gain access on it?

adsfdfwdf, January 15, 2016 at 12:11 AM: If anyone has the source, I would appreciate it if you can check what is listening on 9081/tcp. I found this port open on TG1672G erouter0's public IP even in bridge mode. Is it for ACS or some other backdoor?

Unknown, February 24, 2016 at 1:41 AM: Password for C8PBRL47B148353 Please?

AAnarchYY, February 29, 2016 at 1:45 AM: I have managed to enable SSH and TELNET on this device, but not by the ways you describe, as they no longer work. (http://10.0.0.1/remote_management.php the settings are there if you look hard enough ;-) Found quite a few other interesting things as well; possible secret user). I am extremely interested in getting my hands on the firmware for this device, or at least minimally libarris_password.so, but there is much in this firmware I still want to find out about, such as why it has a hardcoded WPS pin of 42000648.

Jenessa Wofford, March 3, 2016 at 9:25 PM: I have a graveyard of electronic devices infected with this... I thought my POS system got hacked... I can send you samples but you will have to be very specific on how to do it...

    AAnarchYY, March 3, 2016 at 11:55 PM: I would be more than happy to help you if you are able to get me a dump of one of these devices. Email me at username @ gmail.com

Sadiq Fraser, March 13, 2016 at 9:26 PM: For the longest while I have been trying to access the certs for the arris modem. Can it be done?

taner, March 15, 2016 at 5:44 AM: Why don't you publish the Arris Backdoor Keygen? Do you know how many people need it? And this keygen can be used only by Arris users because it wants the Serial Code from Arris Users. And hackers don't have Serials and IPs from Arris customers. Please, pls Publish the Keygen! I need it so much for my Arris TG862S Modem! Pls Publish! PS: sorry for my bad english!

AAnarchYY, March 15, 2016 at 10:41 PM: Or at least the firmware, that's all I need... Or maybe where I can download it from...

Unknown, March 20, 2016 at 1:40 PM: Could you give me the password for F8UBU7LAH114777?

raul martines, April 7, 2016 at 9:43 AM: Nice information, and I am very interested to get the secret code for SN: ABEBPC47B357977 PLEASE? HAVE A GREAT DAY.!

Unknown, April 10, 2016 at 1:41 PM: Hi, I tried everything and none work. Can you send the password for me: E5HBSWE76158751. I would like to read the source code of my router. With the telnet I can see the files?

    Pedro Henrique Pedro, April 10, 2016 at 1:44 PM: Lol, my name was Unknown. Anyway, I was able to find A LOT OF internet problems in this router. You have a lot of Persistent XSS, and CSRF. If someone discovers your password, you can easily emulate all calls because the cookie isn't random.

    AAnarchYY, April 13, 2016 at 11:59 PM: With telnet, no you cannot read the source code of the router. The telnet/SSH login accepts two passwords from what I can see now, both the POTD which dumps you into /bin/mini_cli (totally useless, and also the seed has been changed) and the one based off the serial (Which is far more useful as it is a busybox ash shell). I am also seeing signs of a third backdoor password or setting that enables the on-board serial port to be interactive. A lot of interesting files in this firmware...

Unknown, April 21, 2016 at 7:22 AM: Can someone post a copy of tech_support_cgi? I don't have it, but I am able to run commands on my box :) so I think if I can get the file maybe I can download it and run it on my box

Joe Albert, May 13, 2016 at 12:42 AM: Hello any chance to get the algorithm? or at least the password for my modem's serial G2ZBU5LAJ173417. Thank you.

    antiloop, November 1, 2016 at 5:57 PM: 73417=1C4D9C5503

Ramon Scott, June 20, 2016 at 5:07 PM: PLEASE I BEG PASSWORD FOR SERIAL NUMBER : FADBPM7EW600788

    antiloop, November 1, 2016 at 5:57 PM: 00788=C979A44131

Lucas, July 15, 2016 at 1:46 PM: Hello, is there a chance for a password via serial number? Someone still here?

Joy, July 30, 2016 at 3:37 PM: me too DA7BRR23E136691

    antiloop, November 1, 2016 at 5:56 PM: 36691=BC3ADB7339

SI Guy, August 26, 2016 at 1:43 PM: Can someone help me with the secret password for Serial G3CBU5LAJ163717

    antiloop, November 1, 2016 at 5:56 PM: 63717=39A8ADA3EA

Unknown, September 28, 2016 at 1:13 AM: How can I see my arris modem status when the modem is online?

whitecube, October 4, 2016 at 2:41 PM: I think the provider in austria reverted the seed and modified the firmware a little bit. Can you please generate a password for my sn? D34BU7E52181078. Funny is... when you sniff the network for the oids you will get something like this when you login: http://192.168.100.1:8080/walk?oids=1.3.6.1.4.1.4115.1.20.1.1.2.4.2;&_n=16258&_=1475602720117 (you have to take your own address without login!) then cut it down to this: http://192.168.100.1:8080/walk?oids=1.3;&_n=16258&_=1475602720117 let it load a little bit, you will get a lot of information...

    antiloop, November 1, 2016 at 5:55 PM: 81078=AF5289DAA7

antiloop, November 1, 2016 at 6:15 PM: I'm a bit shocked that the same passwords are still used that were in effect more than 10 years ago, that were in use for the TM402/CM450. A tool exists: Arris CM Password Generator, see also [IMG]http://i67.tinypic.com/2mgkrjd.png[/IMG]. Perhaps there is no use anymore for it, but I still have some firmware files and SNMP MIBs for the old TM402 modems.

    cjack2701, December 2, 2016 at 7:01 PM: publish the generator

    Lost, February 17, 2017 at 6:45 AM: antiloop, hoping you're still around and able to help a few more of us out. Staring at ida and trying to work my way through this, hitting a wall at the hmac step.

    Joe Albert, July 7, 2017 at 2:18 PM: Hey Lost, could you share the ida output? So perhaps I can help you to get the algorithm for this generation, I'm looking to generate the password for my modem.

salar sikandar, November 5, 2016 at 7:48 AM: PLZ give me the password for this serial no A7NBPA47B330881. I want to use this modem as a linux machine.

    antiloop, November 16, 2016 at 8:12 AM: 30881=80F099B9C8

Unknown, November 11, 2016 at 8:08 PM: Maybe this is out of scope, but is there a way to sideload a custom open firmware to patch the vulnerability and beef up security? My concern is a systematic exploit of this backdoor on a national level.

Lt Dangle, November 13, 2016 at 2:44 AM: Can I please get a password for SN: G3BBPP8FE504152

    antiloop, November 16, 2016 at 8:11 AM: 04152=CC849610ED

Todd J, November 15, 2016 at 7:02 PM: Can I get a password for sn: F89BS5579305383

    antiloop, November 16, 2016 at 8:11 AM: 05383=106B4AD31F

    natr, November 18, 2016 at 11:16 AM: Can I get the pw for 00163 pls? thx.

Tim Baker, November 16, 2016 at 9:48 AM: You guys are still going on with this? Asking for passwords? There are far easier ways imho... Let me give you some hints. Go on github, search the repository called "junkyard". Also check this out: http://www.bowe.id.au/michael/isp/docsis/mibs/arris-docsis3/ If you just wanna enable telnet, try this; SnmpMib = arrisCmDoc30AccessTelnetEnable.0 enable. The OID is 1.3.6.1.4.1.4115.1.3.4.1.2.2 if you need it. Anyways, I was wondering, what if I used a MoCa access point and set up a server to push my own firmware updates, i.e. I pretend to be the ISP for the modem's sake, I guess it'd be a man in the middle attack of sorts, I was looking for information on this, and can't figure out if anyone's done it, or maybe no one talks about it. I'm curious though.

TICTIC, November 17, 2016 at 7:34 PM: Hello. Does this work for TM502G? Can I get a password for sn:75WBMV484271441?

Unknown, November 28, 2016 at 7:21 PM: Please can you check on this serial number? G3XBRE9DR200072 Thank you a lot !!!

Rick Winningjam, November 30, 2016 at 12:40 AM: PLEASE I BEG PASSWORD FOR SERIAL NUMBER : D7ABSMEC8538106

austin starr, December 8, 2016 at 7:05 PM: Could somebody possibly help me with a password for my SN/F5YBPP8DV505707. Haven't quite got the concept of this thread, but I'm certainly going to study a bit more! I have an ARRIS DG1670A, quite frankly I'm just trying to access an internet connection without my having an ISP... Thanks!

GliXeN glixito, January 15, 2017 at 3:13 PM: pass for CCTBRZ46E195880 please??

Anonymous, January 21, 2017 at 12:07 AM: Having the pass for MODEL: TM822G Serial Number: G3UBRE9DR202094 would be very helpful

Diego Ernesto Farías, January 28, 2017 at 2:58 AM: Please, can anyone give me the password for my TG862 S/N: 34994, I really need it. Thanks.

Darmand Agron, January 28, 2017 at 2:10 PM: Where can I find passwords of the day for arris tg1672?

    Diego Ernesto Farías, January 28, 2017 at 2:55 PM: http://bfy.tw/9kjx

Darmand Agron, January 28, 2017 at 2:11 PM: For the whole year 2017??

    F Baez, March 11, 2017 at 12:39 PM: mine is for 1970/01/07

    Fabinchoo, July 8, 2018 at 5:25 PM: Hey, how did you fix that?

Redacted Redacteed, February 8, 2017 at 7:15 PM: Would you mind handing me the password for E5FBRR34T103605?

F Baez, February 15, 2017 at 7:23 PM: Would you mind handing me the password for EAPBS5345304952? THANK YOU

Algore Daemon, February 15, 2017 at 8:44 PM: Please password for S/N: D3DBUCE42136190

Unknown, February 17, 2017 at 6:42 AM: Can I get one for 52277

Unknown, February 23, 2017 at 4:56 PM: Can somebody provide me the password for SN FBBBU3LHJ517518, also if possible some explanation on how to reverse it

para play, March 5, 2017 at 8:21 PM: For all serials, to access the root shell without telnet login with PoTD:
Console> system
System> ping ;sh
#Credit Victor N. Ramos Mello https://goo.gl/wX9pWE
For the last firmware without tech_support_cgi, to enable telnet and ssh, change 00 to 01 on 0x002A and 0x0203 addresses of file /nvram/6/1

    Diego Ernesto Farías, March 6, 2017 at 4:21 PM: Genius, thanks for sharing!!! This is all I needed.

Daniel, March 14, 2017 at 8:20 PM: My internet is about to be turned off, so can I revive it again?

Unknown, March 15, 2017 at 10:37 PM: Need the password for 33373A93C79E477D thank you!

Lemuel Acevedo, April 9, 2017 at 4:35 PM: Hi, please the password for this Serial Number: FBGBSTLAJ101798. Thank you

Bentiedem, April 10, 2017 at 5:07 AM: I also need the password for the Serial: 05938. Maybe someone can help me out with this.

SSBM FOR EVER, April 15, 2017 at 6:16 PM: hi broh.. E8PBU5E86121068

Bryce Baker, April 18, 2017 at 2:20 AM: how tour a pw for ...
E4UBRR34T105113id really fathom it, and recommend this site to my friends =DReplyDeleteQfury KrabbensaftApril 23, 2017 at 8:51 AMCan I get the password for FACBSR34J102817 thank youReplyDeleteDavid IonesiMay 1, 2017 at 2:37 PMThis scuttlebutt has been removed by the author.ReplyDeleteUnknownMay 14, 2017 at 8:53 AMC8ybps68m561281 password please?ReplyDeleteLisa DentonMay 14, 2017 at 8:53 AMC8ybps68m561281 password please?ReplyDeleteMark BowenMay 15, 2017 at 3:37 AMhave read many blogs in the net but have never come wideness such a well written blog. Good work alimony it upelectricianReplyDeleteMartinMay 18, 2017 at 8:34 AMPlease can you tell me for thisD4LBRZ46E190384?Thanks youReplyDeleteHelp AdyaJune 16, 2017 at 6:31 AMHey, that’s really a good post on pets for sale in Delhi, i really like your blog as the information is very useful if you are a pet lover. Well, there is one increasingly site for the same service www.helpadya.com you should trammels it for increasingly detail.ReplyDeletesilvaperrryJuly 1, 2017 at 9:07 AMProfessionally written blogs are rare to find, however I fathom all the points mentioned here. I moreover want to include some other writing skills which everyone must enlightened of. 
h07rn-fReplyDelete"Metal Mania 2008"July 28, 2017 at 3:06 AMThis scuttlebutt has been removed by the author.ReplyDelete"Metal Mania 2008"July 30, 2017 at 1:20 AM03135 May i get the backstairs serial password please?ReplyDeleteSmartCodeAugust 24, 2017 at 4:36 PMIs there a possibility to get the password for EAYBPM7BV609168?ReplyDeleteEdgar MolinaSeptember 8, 2017 at 10:44 AMCan someone help me with the secret password for Serial E93BUCE76191530?Thanks.ReplyDeleteUnknownSeptember 18, 2017 at 7:56 PMhow can i add new ARP static values ?ReplyDeleteEdward SappSeptember 24, 2017 at 4:06 PMPOD for serial FAFBSY898601729ReplyDelete"Metal Mania 2008"September 26, 2017 at 3:16 AMThese ass holes arent helping anyone.ReplyDeleteMike LoathSeptember 27, 2017 at 1:37 PMAnyone know the pass for f4fbu3khf568959 thanks in advance.ReplyDeleteheadshot50236451 freemanOctober 10, 2017 at 12:06 PMI'm begging anyone willing if I can plz have the password generator based o serial number pls? Thanks I whop and we can work something out... in the meantime plz help, need password for serial number D83BU4EC5527710ReplyDeletebx zgOctober 11, 2017 at 1:37 AMsomeone has arris serial keygen for saleReplyDeleteBryanOctober 14, 2017 at 9:48 AMEasy tip to know whether she/he unchaste on you. Click here to get his/her password and to see their chats onlineReplyDeleteAbraham DiazOctober 18, 2017 at 7:11 PMOn firmware TS0901103S5M_112816_862_GW they reverted the SN Password Algorithm, may be only the seed or there is flipside lock :(ReplyDelete"Metal Mania 2008"October 30, 2017 at 2:49 AMI know some system are still using the old firmware image. I think the key is to get a reprinting and decompile it. Try to icon out the algorithm. ReplyDeleteElton NdayisabaNovember 25, 2017 at 9:20 AMPassword for SN: E2FBPP68H567715ReplyDeleteunrealordDecember 6, 2017 at 2:21 AMPassword for SN: G4MBU5LAJ133453pleaseReplyDeleteTristan LearDecember 19, 2017 at 4:24 PME3HBPM79J613775. I love you. Please and thank you. 
trissypissy@gmail.comReplyDeleteGuilherme MonteloFebruary 12, 2018 at 12:46 PMPasswordS/N:517187939612P/N: TG02DA7169242MBReplyDeleteEduardo CunhaFebruary 14, 2018 at 2:09 AMCan someone help me with the secret password for Serial 516354099292 Model:TG1692A?ReplyDeleteGustavoApril 1, 2018 at 12:31 AMhelp me with the secret, serial 517150177791 model:TG1692AReplyDeleteUnknownApril 5, 2018 at 1:50 AMf3vbpm7dv01522 password pleaseReplyDeleteSCJ InformáticaMay 5, 2018 at 3:14 AMSerial 8722S26EQ1 password?ReplyDeleteKhelif BuldansyahMay 26, 2018 at 3:36 PMhelp me with the secret, serial G6NBRM79X100634 model:CM820BReplyDeletecasiuxSeptember 7, 2018 at 3:50 PMplease password for the serial number 1RBSTE56145577 of the cablemodem arris tg862aReplyDeleteUnknownSeptember 20, 2018 at 10:17 AMPassword for SN: E2F88P68H5677EDReplyDeleteAdd commentLoad more... Newer Post Older Post Home Subscribe to: Post Comments (Atom) ABOUT ME Bernardo Rodrigues Twitter @bernardomr Blog Archive ►  2018 (1) ►  April (1) ►  2016 (2) ►  September (1) ►  March (1) ▼  2015 (6) ▼  November (1) ARRISSubscriptionModem has aBackstairsin theBackstairs►  October (2) ►  September (1) ►  February (2) ►  2014 (7) ►  November (1) ►  October (1) ►  August (1) ►  July (2) ►  March (1) ►  February (1) ►  2013 (5) ►  December (1) ►  November (1) ►  September (1) ►  August (2) Links TheGoonies CTF BlahCat 4 Lyfe ADS ADS Picture Window theme. Powered by Blogger.