Equipos y materiales > Openwrt & LEDE
Compilando Openwrt para ZTE ZXHN H108N
barriteleves:
aunque yo no he hablado de hakin si de un script, depende de que link puedas haber mirado no ostante te pongo al que me he referido un tal jalal sela este es el link directo. lo que contiene o corresponda, no lo se bien, como he dicho antes por si puede ayudar algo.
http://jalalsela.wordpress.com/2014/10/31/hacking-zte-router-zxhn-h108n/
este script puede utilizarse para averiguar la tercera pass... en este otro modelo de zte ?? h218n ?? https://foro.seguridadwireless.net/openwrt/datos-e-info-sobre-router-h218n-298n/
geminis_demon:
Por lo que veo lo que intentas es llegar a la shell de busybox..
En el h108n me basta con entrar por telnel con 1234/1234 y teclear sh:
--- Código: ---Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
username:1234
password:****
Authenticate Success!
TBS>>sh
~ $ ls /
bin etc linuxrc pool root sys usr
dev lib mnt proc sbin tmp var
~ $ cat /etc/shadow
#root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
#tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
admin:!:15840:0:99999:7:::
--- Fin del código ---
El h218n no lo tengo así que en ese no sabría decirte..
lockerecca:
bueno. ya que desmonte el aparato me encontre con la sorpresa de REALTEK... os mando foto del router de telefonica h108N
http://i.imgur.com/FiMZHCU.jpg gran tamaño de la foto
y su boot log
Cable Amarillo GND nego R y verde S
--- Código: ---
TBS bootloader V1.0 Build19936 for ZTE_Spain(Feb 19 2013-18:54:27)
DRAM: 64 MB
Flash: SPI S25FL128P size=16M id=0x00012018
IP: 192.168.1.1 MAC: cc:7b:35:b6:e2:58
Hit Space or Enter key to stop autoboot: 0
Checking ethernet link state... DOWN!
Request for massive upgrade...Timed out!
Checking version 1 image... Second image OK
Uncompress linux from 0x80600000 to 0x80010000... OK!
Booting the kernel ...
Linux version 2.6.30.9 (wangjing@soft) (gcc version 4.4.6 (Realtek RSDK-1.5.6p2)) #245 Tue Jul 30 16:13:38 CST 2013
CPU revision is: 0000dc02
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
User-defined physical RAM map:
memory: 04000000 @ 00000000 (usable)
Zone PFN ranges:
Normal 0x00000000 -> 0x00004000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00004000
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
Kernel command line: console=ttyS0,115200 mem=64M root=31:2 mtdparts=rtl8676_spi flash:8519680(boot),1680384(kernel),6258688(rootfs),-(data)
icache: 16kB/32B, dcache: 8kB/32B, scache: 0kB/0B
NR_IRQS:128
PID hash table entries: 256 (order: 8, 1024 bytes)
console [ttyS0] enabled
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 56348k/65536k available (4032k kernel code, 9120k reserved, 1089k data, 124k init, 0k highmem)
Calibrating delay loop... 458.75 BogoMIPS (lpj=2293760)
Mount-cache hash table entries: 512
IMEM section size = 0x8574
net_namespace: 796 bytes
NET: Registered protocol family 16
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usb_enable_IP: ipsel = 0x0008d7ef, phyCtrl2 = 0x008020c0
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
Sangoma WANPIPE Router v1.1 (c) 1995-2000 Sangoma Technologies Inc.
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
NET: Registered protocol family 27
netlog: listening on port 4660
squashfs: version 4.0 (2009/01/31) Phillip Lougher
NTFS driver 2.1.29 [Flags: R/W].
fuse init (API version 7.11)
msgmni has been set to 110
alg: No test for stdrng (krng)
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 254)
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x0 (irq = 13) is a 16550A
Driver 'sd' needs updating - please use bus_type methods
Driver 'sr' needs updating - please use bus_type methods
SPI probe: Found SPI flash S25FL128P[ID:0x12018] with 16M bytes!
4 cmdlinepart partitions found on MTD device rtl8676_spiflash
Creating 4 MTD partitions on "rtl8676_spiflash":
0x000000000000-0x000000820000 : "boot"
0x000000820000-0x0000009ba400 : "kernel"
mtd: partition "kernel" doesn't end on an erase block -- force read-only
0x0000009ba400-0x000000fb2400 : "rootfs"
mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
0x000000fb2400-0x000001000000 : "data"
mtd: partition "data" doesn't start on an erase block boundary -- force read-only
PPP generic driver version 2.4.2
NET: Registered protocol family 24
IMQ driver loaded successfully.
Hooking IMQ before NAT on PREROUTING.
Hooking IMQ after NAT on POSTROUTING.
RTL8192C/RTL8188C driver version 1.1 (2010-03-31/2012-04-09)
=====>>INSIDE rtl8192cd_init_one <<=====
vendor_deivce_id=819110ec
Wlan MACAddress: f8:7f:35:b6:e2:61
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
Wlan MACAddress: f8:7f:35:b6:e2:62
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
Wlan MACAddress: f8:7f:35:b6:e2:63
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
Wlan MACAddress: f8:7f:35:b6:e2:64
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
Wlan MACAddress: f8:7f:35:b6:e2:65
=====>>EXIT rtl8192cd_init_one <<=====
val=5
val=c6
_
Probing RTL8186 10/100 NIC-kenel stack size order[2]...
chip name: 8196B, chip revid: 0
NOT YET
Set threshold idx 0
Set threshold idx 1
vport1 added. vid=9 Member port 0x2...
nas0 added. vid=8 Member port 0x1...
vport2 added. vid=9 Member port 0x4...
vport3 added. vid=9 Member port 0x8...
vport4 added. vid=9 Member port 0x10...
[peth0] added, mapping to [nas0]...
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
rtl8676-ehci rtl8676-ehci: EHCI Host Controller
rtl8676-ehci rtl8676-ehci: new USB bus registered, assigned bus number 1
rtl8676-ehci rtl8676-ehci: irq 10, io mem 0xb8021000
rtl8676-ehci rtl8676-ehci: USB 0.0 started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
rtl8676-ohci rtl8676-ohci: OHCI Host Controller
rtl8676-ohci rtl8676-ohci: new USB bus registered, assigned bus number 2
rtl8676-ohci rtl8676-ohci: irq 10, io mem 0xb8020000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver cdc_acm
cdc_acm: v0.26:USB Abstract Control Model driver for USB modems and ISDN adapters
TBS button driver for rtl8676 initialized
Mirror/redirect action on
u32 classifier
Performance counters on
input device check on
Actions configured
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
xt_time: kernel timezone is -0000
Allocate memory success!. The phy mem addr=03a65000, size=4096
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_conenat_init for cone nat nf_conntrack
TCP cubic registered
Realtek SD2-FastPath v1.00beta_2.4.26-uc0
/proc/FastPath created
Realtek MCast FastPath
/proc/mc_FastPath created
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
sit0: Disabled Privacy Extensions
ip6tnl0: Disabled Privacy Extensions
NET: Registered protocol family 17
Bridge firewalling registered
Ebtables v2.0 registered
ratm: RTL8670 SAR v0.0.2 (Jun 17, 2003)
/proc/AUTO_PVC_SEARCH created
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 124k freed
init started: BusyBox v1.6.1 (2013-07-30 16:14:25 CST) multi-call binary
starting pid 196, tty '/dev/console': '/etc/init.d/rcS'
@@@@@@@Welcome to TBS System@@@@@@@
mount: mounting /dev/mtdblock3 on /usr/local/ct failed
Loading led modules
TBS leds core driver initialized
Register led device for rtl8676: 1 2 4 5 6 15 16 17 18 7 8 9 10 11 12 13 14 21 23 24
=============Begin Load Modules==============
modprobe usb-storage
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
modprobe usblp
usbcore: registered new interface driver usblp
modprobe usbserial
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
=============End Load Modules================
extWrite phyId(0), pageId(0), regId(24), regData:0x8310
extWrite phyId(0), pageId(0), regId(26), regData:0x4000
extWrite phyId(0), pageId(1), regId(28), regData:0x8f60
extWrite phyId(0), pageId(4), regId(16), regData:0x6377
extWrite phyId(1), pageId(0), regId(24), regData:0x8310
extWrite phyId(1), pageId(0), regId(26), regData:0x4000
extWrite phyId(1), pageId(1), regId(28), regData:0x8f60
extWrite phyId(1), pageId(4), regId(16), regData:0x6377
extWrite phyId(2), pageId(0), regId(24), regData:0x8310
extWrite phyId(2), pageId(0), regId(26), regData:0x4000
extWrite phyId(2), pageId(1), regId(28), regData:0x8f60
extWrite phyId(2), pageId(4), regId(16), regData:0x6377
extWrite phyId(3), pageId(0), regId(24), regData:0x8310
extWrite phyId(3), pageId(0), regId(26), regData:0x4000
extWrite phyId(3), pageId(1), regId(28), regData:0x8f60
extWrite phyId(3), pageId(4), regId(16), regData:0x6377
extWrite phyId(4), pageId(0), regId(24), regData:0x8310
extWrite phyId(4), pageId(0), regId(26), regData:0x4000
extWrite phyId(4), pageId(1), regId(28), regData:0x8f60
extWrite phyId(4), pageId(4), regId(16), regData:0x6377
*** TBS ver:24621, compile time:Jul 30 2013,16:35:51 ***
Item size 24667 too big to fit in memory 20480!
ifconfig: SIOCGIFFLAGS: No such device
ifconfig: SIOCSIFHWADDR: No such device
ifconfig: SIOCGIFFLAGS: No such device
starting pid 595, tty '/dev/ttyS0': '/bin/sh'
/ $
gSocObcIntBit=2462390000
remove REG32(0xb8000114)=0x1400
InitAdslMode....
InitAdsl
inter_system.sachemIntSource=7
867x ver = N, (0412 ver)=0x62390000, (ver)=0x2e
Thu May 16 00:00:00 UTC 2013
RTNETLINK answers: Cannot assign requested address
--- 4bit Rx_in read = 0x373b, 2bit Rx_in read =0x408 , DDRuse=0
AFE_ver=0x687
8676(>M) + 6256/6257 decide use DDR mode
2684d started
PVC Number = 8. Set Desc number per VC = 126
Creat Interface = 2684ctl -t 0 -c nas1 -e 1 -q ubr,aal5:pcr=301 -a 0.8.36
Interface "nas1" created sucessfully
optarg : ubr,aal5:pcr=301
applying workaround...done
device nas1 entered promiscuous mode
VNET: Setting underlying device(nas1) to promiscious mode.
Creat Interface = 2684ctl -t 0 -c nas2 -e 1 -q ubr,aal5:pcr=0 -a 0.8.32
Interface "nas2" created sucessfully
optarg : ubr,aal5:pcr=0
applying workaround...done
device nas2 entered promiscuous mode
VNET: Setting underlying device(nas2) to promiscious mode.
br0 set netif mac to: cc:7b:35:b6:e2:58
ADDRCONF(NETDEV_UP): vport1: link is not ready
eth2 set netif mac to: cc:7b:35:b6:e2:58
ADDRCONF(NETDEV_UP): vport2: link is not ready
eth3 set netif mac to: cc:7b:35:b6:e2:58
ADDRCONF(NETDEV_UP): vport3: link is not ready
eth4 set netif mac to: cc:7b:35:b6:e2:58
ADDRCONF(NETDEV_UP): vport4: link is not ready
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
device vport1 entered promiscuous mode
RTNETLINK answers: File exists
device vport2 entered promiscuous mode
RTNETLINK answers: File exists
device vport3 entered promiscuous mode
RTNETLINK answers: File exists
device vport4 entered promiscuous mode
RTNETLINK answers: File exists
device wlan0 entered promiscuous mode
RTNETLINK answers: File exists
device wlan0-vap0 entered promiscuous mode
RTNETLINK answers: File exists
device wlan0-vap1 entered promiscuous mode
RTNETLINK answers: File exists
device wlan0-vap2 entered promiscuous mode
RTNETLINK answers: File exists
WLAN Init : InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.
iptables: Bad rule (does a matching rule exist in that chain?).
Interface doesn't accept private ioctl...
set_mib (89F1): Operation not permitted
Interface doesn't accept private ioctl...
set_mib (89F1): Operation not permitted
Interface doesn't accept private ioctl...
set_mib (89F1): Operation not permitted
Interface doesn't accept private ioctl...
set_mib (89F1): Operation not permitted
killall: iwcontrol: no process killed
Undefined state... using AP mode as default
val=4
val=c6
br0: port 5(wlan0) entering learning state
killall: mini_upnpd: no process killed
stProcInfo.ucExecCount:9
br0: port 5(wlan0) entering forwarding state
nf_conntrack_l2tp version 3.1 loaded
nf_conntrack_ipsec loaded
ch:1 cca=283, fa:245, rx_count:16, rx_count_40M:0
ch:2 cca=272, fa:238, rx_count:10, rx_count_40M:0
ch:3 cca=414, fa:441, rx_count:16, rx_count_40M:12
ch:4 cca=219, fa:214, rx_count:4, rx_count_40M:11
ch:5 cca=577, fa:583, rx_count:10, rx_count_40M:16
ch:6 cca=226, fa:160, rx_count:17, rx_count_40M:11
ch:7 cca=1039, fa:1034, rx_count:8, rx_count_40M:11
ch:8 cca=300, fa:236, rx_count:6, rx_count_40M:10
ch:9 cca=228, fa:150, rx_count:18, rx_count_40M:74
ch:10 cca=314, fa:244, rx_count:11, rx_count_40M:0
ch:11 cca=348, fa:264, rx_count:12, rx_count_40M:0
ch1,1011,ch2,1163,ch3,1613,ch4,1829,ch5,2321,ch6,1896,ch7,2918,ch8,2105,ch9,1921,ch10,1708,ch11,1543,
iptables: Bad rule (does a matching rule exist in that chain?).
iptables: Bad rule (does a matching rule exist in that chain?).
killall: dproxy: no process killed
Load DNS is Fake mode = 0!!
open: No such device
lpDevId_Pickup - 225: Failed to open file: [/dev/usb/lp/lp0]
Deleted user root.
Len: 1 Opt: 2
Verify inactive image 1 for dual image sync...CRC OK!
USB Serial support registered for 3G_USB_modem
usbcore: registered new interface driver 3g_modem
[USB MODEM SERIAL modem_usb_id_proc_write:211] Do attach...
APAGADO
ÿÿdB
fæf& B@@BB!@@@BB@B@B@@BB@@@B
@@
@@B@@@@@@@@@@@B" B@B@B @@@B@@@@BBBB@B@@B@@@
@B@@@@@@@@!@@B@@@@@@@@B@@ B
ENCENDIDO DE NUEVO
TBS bootloader V1.0 Build19936 for ZTE_Spain(Feb 19 2013-18:54:27)
DRAM: 64 MB
Flash: SPI S25FL128P size=16M id=0x00012018
IP: 192.168.1.1 MAC: cc:7b:35:b6:e2:58
Hit Space or Enter key to stop autoboot: 0
Checking ethernet link state... DOWN!
Request for massive upgrade...Timed out!
Checking version 1 image... Second image OK
Uncompress linux from 0x80600000 to 0x80010000... æf
TBS bootloader V1.0 Build19936 for ZTE_Spain(Feb 19 2013-18:54:27)
DRAM: 64 MB
Flash: SPI S25FL128P size=16M id=0x00012018
IP: 192.168.1.1 MAC: cc:7b:35:b6:e2:58
Hit Space or Enter key to stop autoboot: 0
Checking ethernet link state... ÿ
TBS bootloader V1.0 Build19936 for ZTE_Spain(Feb 19 2013-18:54:27)
DRAM: 64 MB
Flash: SPI S25FL128P size=16M id=0x00012018
IP: 192.168.1.1 MAC: cc:7b:35:b6:e2:58
Hit Space or Enter key to stop autoboot: 0
Checking ethernet link state... DOWN!
Request for massive upgrade...ÿf ç ¢bffò"ÿ&âfbf&fþfffffîæf"fff¢nfffffffffffþfæffffæfæfffffbfffffþffffîbfîffæfffffîâæêîffffòffffff&&®àD&
TBS bootloader V1.0 Build19936 for ZTE_Spain(Feb 19 2013-18:54:27)
DRAM: 64 MB
Flash: SPI S25FL128P size=16M id=0x00012018
IP: 192.168.1.1 MAC: cc:7b:35:b6:e2:58
Hit Space or Enter key to stop autoboot: 0
Listening on local port 80
RTL8676#
RTL8676#
RTL8676# ffff $ϯö
TBS bootloader V1.0 Build19936 for ZTE_Spain(Feb 19 2013-18:54:27)
DRAM: 64 MB
Flash: SPI S25FL128P size=16M id=0x00012018
IP: 192.168.1.1 MAC: cc:7b:35:b6:e2:58
Hit Space or Enter key to stop autoboot: 0
Listening on local port 80
RTL8676# help
? - alias for 'help'
base - print or set address offset
booth - boot kernel from host
bootm - boot application image from memory
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
erase - erase FLASH memory
flinfo - print FLASH memory information
fltest - test FLASH chip by write and read data
go - start application at address 'addr'
help - print online help
loadb - load binary file over serial line (kermit mode)
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
modify_sysc - sysc modify
mtest - simple RAM test
mw - memory write (fill)
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
protect - enable or disable FLASH write protection
reboot - Perform system reboot
reg - read[write] register at address 'addr'
reset - Perform RESET of the CPU
saveb - download BIN image via network using TFTP protocol and save it to flash
saves - save image file over serial line (kermit mode)
savet - download IMG image via network using TFTP protocol and save it to flash
tftp - download image via network using TFTP protocol
unlzma - decompress code with LZMADecoder
version - print monitor version
RTL8676# version
TBS bootloader V1.0 Build19936 for ZTE_Spain(Feb 19 2013-18:54:27)
RTL8676#
--- Fin del código ---
fernando3k:
el que distribuye arnet tiene chipset broadcom y corre openwrt, salvo que no he logrado hacer andar el wifi, pero el modelo del que te hablo es el h108n SIN ANTENAS EXTERNAS
atiencilla:
Sabeis si con este aparatejo (con antenas) se puede utilizar de repetidor por wifi?
Navegación
[#] Página Siguiente
[*] Página Anterior
Ir a la versión completa