| toh:netgear:telnet.console [2016/04/27 00:50] – [Unlocking the Netgear Telnet Console] jwh7 | toh:netgear:telnet.console [2021/08/29 15:37] – ↷ Links adapted because of a move operation tmomas | ||
| + | ====== Unlocking the Netgear Telnet Console ====== | ||
| + | Several [[toh: | ||
| + | - Calling the routers " | ||
| + | - Sending a magic packet to the router' | ||
| + | |||
| + | The first much simpler method should be attempted before trying the second "magic packet" | ||
| + | |||
| + | The following Netgear devices are currently known to support this hidden Telnet feature: | ||
| + | |||
| + | * DC112a v1: Works with the UDP version of TelnetEnable and the administration credentials admin/pw; telnet itself does not require a password. | ||
| + | * D7000 v1: Works with http unlock and telnet, using normal admin user-id and password. | ||
| + | * DGN1000v3: Router Firmware Version V1.0.0.14_0.0.14 works, gives access to a BusyBox console without authentication | ||
| + | * [[toh/ | ||
| + | * [[toh: | ||
| + | * EX6100: Works with original telnetenable (TCP/23) with credentials super_username/ | ||
| + | * EX6100v2: V1.0.1.50 works with new telnetenable (UDP/23). Use username " | ||
| + | * [[toh: | ||
| + | * R6700: V1.0.0.2_1.0.1 Tested and working with modified python script of telnetenable. | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * WG602 (unknown version): [[http:// | ||
| + | * WGR614 v1-2: unknown; may work | ||
| + | * WGR614 v3, | ||
| + | * WGR614 v7: known to work (if it does not work for you, try to hard reset your router first) | ||
| + | * WGR614 v8 (WGR614L): works, access to a BusyBox console without authentication | ||
| + | * WGR614 v9: works, gives access to a BusyBox console without authentication | ||
| + | * WGR614 v10: works, gives access to a BusyBox 0.60.0 console without authentication | ||
| + | - normally uses the old TCP utility | ||
| + | - the latest WNR1000v3 OEM firmware (1.0.2.68_60.0.93NA) modified (board id hex edited) uses the UDP utility | ||
| + | * WGT624 (unknown version): [[http:// | ||
| + | * WGT624 v2, v3: works | ||
| + | * WGT624 V3H1: works (after 6-12 cycles of try, reboot, try again) | ||
| + | * [[toh: | ||
| + | * WN3000RP v1: works; does not require username/ | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * [[toh/ | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | - did not work initially, only having performed a GUI reset after upgrading firmware to latest | ||
| + | - BusyBox 0.60.0 worked after a hard reset (power on holding reset button until lights flash) | ||
| + | - firmware prior to latest was not tested, but expect the old TCP utility was required, per WGR614v10 | ||
| + | * [[toh: | ||
| + | * WNR2000 v2: works; does not require username/ | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * [[toh: | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
| + | |||
| + | The router CLI is usually the BusyBox shell running on Linux. | ||
| + | Commands and utilities available typically include changing nvram settings, changing the running configuration, | ||
| + | |||
| + | ===== Unlocking Protocol and Algorithms ===== | ||
| + | The Netgear router CLI unlocking protocol establishes a TCP (for older Netgear routers), or UDP (for newer Netgear routers) connection on telnet port 23 to the router' | ||
| + | If the router accepts the probe packet and unlocks the CLI, then the CLI responds after a subsequent connection with a telnet client. | ||
| + | |||
| + | The TelnetEnable utility (see below) builds the probe packet using authentication data supplied on its command line. | ||
| + | The probe packet format in unencrypted form is as follows: | ||
| + | |||
| + | **For older Netgear routers that use the original TelnetEnable utility:** | ||
| + | |||
| + | Payload is sent over TCP | ||
| + | |||
| + | < | ||
| + | struct PAYLOAD_TCP_PLAINTEXT | ||
| + | { | ||
| + | char md5sum[0x10]; | ||
| + | char mac[0x10]; | ||
| + | char username[0x10]; | ||
| + | char password[0x10]; | ||
| + | char reserved[0x40]; | ||
| + | } payload; | ||
| + | </ | ||
| + | |||
| + | **For newer Netgear routers (R6700, R7000, R7500) that use the modified TelnetEnable utility:** | ||
| + | |||
| + | Payload is sent over UDP | ||
| + | |||
| + | < | ||
| + | struct PAYLOAD | ||
| + | { | ||
| + | char signature[0x10]; | ||
| + | char mac[0x10]; | ||
| + | char username[0x10]; | ||
| + | char password[0x21]; | ||
| + | char reserved[0x2F]; | ||
| + | } payload; | ||
| + | </ | ||
| + | |||
| + | The above payload formats are transformed by algorithms as follows: | ||
| + | |||
| + | The MD5 checksum, or signature, is calculated for the contents of the probe payload MAC, username, and password fields, and is done using the normal three steps (MD5init, MD5update, MD5final) with the default RSA seed. The resulting 16 byte MD5 checksum/ | ||
| + | |||
| + | The entire probe payload (including the reserved area, which is always null for this example) is then encrypted using the Blowfish algorithm, with // | ||
| + | |||
| + | The encrypted probe packet is then sent to the telnet port (23) on the router over a TCP or UDP socket in the standard manner. | ||
| + | Curiously, Netgear' | ||
| + | |||
| + | Note: The encrypted probe packet buffer is declared as char output_Buf[0x640], but only 0x80 bytes of encoded data appear to be used by the code. It is unknown what other capabilities may be similarly enabled via the ' | ||
| + | |||
| + | Note: It has also been discovered that the ' | ||
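The plaintext layouts and signing step described above, as an added example that is not part of the original page or of any TelnetEnable tool: a small Python encoder/decoder for the 0x80-byte probe (the Blowfish step is left out because its key is not given on this page), together with the MAC normalization the Windows instructions below call for; an analyst can feed a decrypted probe captured on port 23 to parse_plaintext to check whether it is well-formed. Assumption: the MD5 covers exactly the three fields named on this page (MAC, username, password) and not the reserved bytes; check this against the tool's source.

```python
import hashlib

# Field widths (bytes) of the two 0x80-byte plaintext layouts shown on this page.
TCP_FIELDS = (0x10, 0x10, 0x10, 0x10, 0x40)  # md5sum, mac, username, password, reserved
UDP_FIELDS = (0x10, 0x10, 0x10, 0x21, 0x2F)  # signature, mac, username, password, reserved


def normalize_mac(mac: str) -> str:
    """Strip '-'/':' separators and upper-case the digits, as the instructions require."""
    cleaned = mac.replace(":", "").replace("-", "").upper()
    if len(cleaned) != 12 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError(f"not a 12-hex-digit MAC address: {mac!r}")
    return cleaned


def _cstring(value: str, width: int) -> bytes:
    """Lay out an ASCII string as a fixed-width, NUL-padded C char array."""
    raw = value.encode("ascii")
    if len(raw) >= width:  # leave room for the terminating NUL, as strcpy would need
        raise ValueError(f"{value!r} does not fit in a {width}-byte field")
    return raw.ljust(width, b"\0")


def build_plaintext(mac: str, username: str, password: str, udp: bool = False) -> bytes:
    """Plaintext probe payload (before Blowfish), e.g. as test input for a decoder."""
    sig_w, mac_w, user_w, pw_w, res_w = UDP_FIELDS if udp else TCP_FIELDS
    signed = (_cstring(normalize_mac(mac), mac_w) + _cstring(username, user_w)
              + _cstring(password, pw_w))
    # Page: MD5 over the MAC, username and password fields goes in the first 16 bytes;
    # the reserved area stays all-NUL. (Assumption: only those three fields are hashed.)
    return hashlib.md5(signed).digest() + signed + b"\0" * res_w


def parse_plaintext(packet: bytes, udp: bool = False):
    """Decode a decrypted probe and check its signature; None if it is not a valid probe."""
    sig_w, mac_w, user_w, pw_w, _ = UDP_FIELDS if udp else TCP_FIELDS
    if len(packet) != 0x80:
        return None
    signed = packet[sig_w:sig_w + mac_w + user_w + pw_w]
    if hashlib.md5(signed).digest() != packet[:sig_w]:
        return None  # signature mismatch: corrupted, wrong layout, or wrongly decrypted
    offsets, widths = (0, mac_w, mac_w + user_w), (mac_w, user_w, pw_w)
    mac, user, pw = (signed[o:o + w].split(b"\0", 1)[0].decode("ascii", "replace")
                     for o, w in zip(offsets, widths))
    return {"mac": mac, "username": user, "password": pw}
```

The TCP layout rejects passwords of 16 or more characters while the UDP layout accepts up to 32, which is the length change the Unix section below attributes to the newer firmware.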
| + | ===== Original TelnetEnable for Windows ===== | ||
| + | Netgear formerly provided a developer tool, '' | ||
| + | It originally appeared in a firmware update for Netgear WPN824 wireless routers sold in Korea. | ||
| + | The download file was [[http:// | ||
| + | |||
| + | This old tool by itself is still available as | ||
| + | [[http:// | ||
| + | [[http:// | ||
| + | Pingbin.com also hosts this file [[http:// | ||
| + | |||
| + | TelnetEnable works with Windows NT and later. | ||
| + | Administrator privileges may be required to permit '' | ||
| + | The tool tests successfully with Windows 7 64-bit and with an ordinary (non-privileged) user account: | ||
| + | < | ||
| + | D: | ||
| + | Version: | ||
| + | Usage: | ||
| + | telnetEnable.exe <host ip> <host mac> <user name> < | ||
| + | |||
| + | D: | ||
| + | |||
| + | D: | ||
| + | Connecting To 192.168.1.1... | ||
| + | |||
| + | |||
| + | BusyBox v0.60.0 (2009.09.01-00: | ||
| + | Enter ' | ||
| + | |||
| + | # exit | ||
| + | |||
| + | |||
| + | Connection to host lost. | ||
| + | |||
| + | D:\> | ||
| + | </ | ||
| + | |||
| + | Note the Windows 7 '' | ||
| + | The telnet client is a Windows feature that users can enable via //Control Panel// -> // | ||
| + | |||
| + | Instructions for '' | ||
| + | * Extract '' | ||
| + | * Open a command line (windows console) window (Press [windows key]+[R] and enter "'' | ||
| + | * Get the MAC address of your Netgear router. You can either run "'' | ||
| + | * Take the MAC address, remove any minus signs (-) or colons (:), and convert all letters to upper case (a -> A, d -> D, etc.). | ||
| + | * Copy the result of your editing to the clipboard. | ||
| + | * Type "'' | ||
| + | telnetEnable.exe 192.168.1.1 000FB5A2BE26 Gearguy Geardog | ||
| + | </ | ||
| + | * Now press Enter to run the tool. It should return to a prompt pretty quickly with no error. If it takes a long time and returns a 'send failed' | ||
| + | * You should now be able to '' | ||
| + | * Some routers may prompt for additional authentication ('' | ||
| + | U12H02900> | ||
| + | </ | ||
| + | * For available commands, type: < | ||
| + | * To quit the console, type: < | ||
| + | |||
| + | ===== New TelnetEnable on Windows ===== | ||
| + | |||
| + | The old Netgear Windows '' | ||
| + | Thus, it is not compatible with newer routers and firmware introduced by Netgear after early 2014, which now require probe packets sent over UDP port 23. | ||
| + | |||
| + | For these you will need a patched version of telnetenable which supports UDP. You can find it [[https:// | ||
| + | |||
| + | For one that works on Windows 10 with the UDP / Newer netgear firmwares: [[http:// | ||
| + | |||
| + | Keep in mind that new routers no longer use Gearguy/ | ||
| + | Also, don't forget to convert the MAC address of the router to uppercase letters, and remove any colon. | ||
| + | |||
| + | ===== TelnetEnable on Unix / Linux / OS X ===== | ||
| + | The latest version of TelnetEnable for Solaris, Linux, and Apple OS X is available as part of file [[http:// | ||
| + | Included in this distribution are compiled binaries, C source code, and code for older (buggy) TelnetEnable versions. | ||
| + | |||
| + | < | ||
| + | $ ./ | ||
| + | Version: 0.4, 2009/10/18 | ||
| + | Usage: ./ | ||
| + | $ ./ | ||
| + | $ telnet 192.168.1.1 | ||
| + | Trying 192.168.1.1... | ||
| + | Connected to 192.168.1.1. | ||
| + | Escape character is ' | ||
| + | |||
| + | |||
| + | BusyBox v0.60.0 (2008.05.15-10: | ||
| + | Enter ' | ||
| + | |||
| + | # version | ||
| + | Release version : Netgear Wireless Router WGR614v8 | ||
| + | U12H07200/ | ||
| + | Time : May 15 2008 18:35:41 | ||
| + | # exit | ||
| + | Connection to 192.168.1.1 closed by foreign host. | ||
| + | $ | ||
| + | </ | ||
| + | |||
| + | Instructions for '' | ||
| + | * Extract from the tar.gz distribution, | ||
| + | * Obtain a command line session or open a command line window that displays an interactive shell (typically '' | ||
| + | * Change directory ('' | ||
| + | * The steps to run '' | ||
| + | |||
| + | This '' | ||
| + | but also supports network data redirection to another utility or file. | ||
| + | With the assistance of the [[http:// | ||
| + | can send the probe packet with UDP to newer (after early 2014) Netgear firmware and routers.< | ||
| + | $ ./ | ||
| + | $ telnet 192.168.1.1 | ||
| + | </ | ||
| + | Netgear extended the password length to 33 characters or more with routers supporting TelnetEnable UDP. Without changing the '' | ||
| + | Newer versions of TelnetEnable (see below) include these code changes. | ||
| + | |||
| + | Of note is the Unix/ | ||
| + | The information necessary to develop these TelnetEnable versions was from | ||
| + | reverse engineering the operation of Windows '' | ||
| + | |||
| + | ==== Probe packet payload generator in C by yoshac ==== | ||
| + | * {{: | ||
| + | |||
| + | Thanks to yoshac_at_member_dot_fsf_dot_org, | ||
| + | |||
| + | Source code for a ' | ||
| + | |||
| + | This payload generator is not recommended for use due to a major bug with handling md5 signatures. | ||
| + | |||
| + | Usage: | ||
| + | * Please read the README file contained in the attached ZIP archive | ||
| + | * The implementation does not provide network connectivity, so to finish the process from a Unix box, follow the instructions in the README to compile the software, then run < | ||
| + | telnetenable 192.168.1.1 000FB5A2BE26 Gearguy Geardog > modpkt.pkt</ | ||
| + | * Then send the packet to the router with the [[http:// | ||
| + | nc 192.168.1.1 23 < modpkt.pkt | ||
| + | </ | ||
| + | |||
| + | ==== TelnetEnable in C by Seattle Wireless ==== | ||
| + | |||
| + | * [[http:// | ||
| + | This was the earliest known version of TelnetEnable that added networking support to | ||
| + | yoshac' | ||
| + | Archived copies of the code are still available as | ||
| + | [[http:// | ||
| + | [[http:// | ||
| + | at [[http:// | ||
| + | The file '' | ||
| + | |||
| + | This version of TelnetEnable is also not recommended for use due to a major bug with handling md5 signatures. | ||
| + | |||
| + | ==== Forks of TelnetEnable in C (telnetenable.c) ==== | ||
| + | |||
| + | TelnetEnable in C from Seattle Wireless was forked to | ||
| + | [[http:// | ||
| + | This is the only known version of TelnetEnable in C that correctly fixes an MD5 payload buffer overrun and an MD5 result truncation bug. | ||
| + | |||
| + | On Aug 20, 2012 TelnetEnable in C was also forked to Github by Dave Jagoda under a new project name of [[https:// | ||
| + | This fork was an incomplete duplicate of the work retro98 at MyOpenRouter completed three years earlier. | ||
| + | Various fixes and improvements were made to the original telnetenable.c during the short time period 8/20/2012 to 10/08/2012. After this there were no further commits to the Github repository. | ||
| + | |||
| + | On Feb 12, 2015 [[https:// | ||
| + | |||
| + | ==== For newer Netgear routers that accept probe packet over UDP (EX2700, R6700, R7000, and R7500) ==== | ||
| + | |||
| + | The version of TelnetEnable UDP is available at this [[https:// | ||
| + | |||
| + | **Instructions: | ||
| + | |||
| + | Download the binary for telnetenable or build from source. | ||
| + | |||
| + | Execute these commands to clone the repository and build from source: | ||
| + | < | ||
| + | git clone https:// | ||
| + | gcc -o telnetenable md5.c blowfish.c telnetenable.c | ||
| + | </ | ||
| + | |||
| + | After downloading the binary or building from source: | ||
| + | |||
| + | < | ||
| + | chmod a+x telnetenable | ||
| + | </ | ||
| + | |||
| + | Then run telnetenable: | ||
| + | |||
| + | < | ||
| + | ./ | ||
| + | </ | ||
| + | IP - The IP of your Netgear device, usually 192.168.1.1 | ||
| + | |||
| + | MAC - The mac address should be the MAC address of the LAN port on your Netgear device, WITHOUT the ":" | ||
| + | |||
| + | Username - ' | ||
| + | |||
| + | Password - the password you set in the web interface | ||
| + | |||
| + | ==== Telnetenable in Python ==== | ||
| + | |||
| + | **Newer Netgear Routers (R6700, R7000, R7500)** | ||
| + | |||
| + | * Download the latest modified '' | ||
| + | * Readme.txt contains instructions on how to use the python script | ||
| + | |||
| + | **Older Netgear Routers** | ||
| + | |||
| + | * Download the latest '' | ||
| + | * Readme.txt contains instructions on how to use the python script | ||
| + | |||
| + | **Legacy Information** | ||
| + | * The information below is somewhat outdated. There are newer versions of '' | ||
| + | * See the original Project on Google Code [[http:// | ||
| + | |||
| + | How to use the '' | ||
| + | |||
| + | * After downloading '' | ||
| + | * In this example the MAC address of the router is 01: | ||
| + | < | ||
| + | * Another method of executing the command: | ||
| + | * In this example the MAC address will be piped to '' | ||
| + | < | ||
| + | |||
| + | Telnet access should be enabled on the router. | ||
| + | |||
| + | ===== Using the Netgear Router Console ===== | ||
| + | |||
| + | The Netgear hidden telnet console is an administrative back door, which implies security concerns. | ||
| + | Fortunately, | ||
| + | But unfortunately, | ||
| + | The workaround is to use TelnetEnable and the telnet console itself, then set the username and/or password to non-default values. | ||
| + | |||
| + | * The procedure to display the router' | ||
| + | * NOTE: This only works on some Netgear routers. The R7500, for example, does not use '' | ||
| + | * Some netgear routers use '' | ||
| + | < | ||
| + | # nvram | ||
| + | usage: nvram [get name] [set name=value] [unset name] [show] [commit] ... | ||
| + | # | ||
| + | # nvram show | grep username | ||
| + | size: 12006 bytes (20762 left) | ||
| + | pptp_username= | ||
| + | http_username=admin | ||
| + | bpa_username= | ||
| + | ddns_username= | ||
| + | ver_check_ftp_username=anonymous | ||
| + | pppoe_username=guest | ||
| + | super_username=Gearguy | ||
| + | # | ||
| + | # nvram show | grep passw | ||
| + | size: 12006 bytes (20762 left) | ||
| + | pptp_passwd= | ||
| + | ver_check_ftp_password=WGR614V8@ | ||
| + | super_passwd=Geardog | ||
| + | http_passwd=password | ||
| + | bpa_passwd= | ||
| + | pppoe_passwd= | ||
| + | ddns_passwd= | ||
| + | # | ||
| + | # nvram set super_username=newusername | ||
| + | # nvram set super_passwd=newpasswd | ||
| + | # nvram commit | ||
| + | # | ||
| + | # reboot | ||
| + | </ | ||
| + | |||
| + | Rebooting the router is necessary to re-lock its telnet console. Another way is from the console prompt: | ||
| + | < | ||
| + | killall utelnetd | ||
| + | </ | ||
| + | To login again, either reboot the router or apply some change in the GUI (e.g. disable UPnP, apply, then set back, then apply) and resend the telnetenable command... then telnet. | ||
| + | ===== Troubleshooting ===== | ||
| + | If you aren't able to login anymore, which may occur after firmware updates, telnet session timeouts, connection loss, or router rebooting, then repeat the unlocking procedure. | ||