| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| toh:netgear:telnet.console [2018/04/28 19:00] – ↷ Links adapted because of a move operation | toh:netgear:telnet.console [2021/08/29 15:37] – ↷ Links adapted because of a move operation tmomas |
|---|
| Several [[toh:netgear:start|Netgear]] router models running factory firmware have a telnet daemon that listens at the router's local LAN IP address. Administrators have a couple of ways of gaining access to a hidden command line interface (CLI) with a telnet client: | Several [[toh:netgear:start|Netgear]] router models running factory firmware have a telnet daemon that listens at the router's local LAN IP address. Administrators have a couple of ways of gaining access to a hidden command line interface (CLI) with a telnet client: |
| |
| - Calling the routers "debug" endpoint, by simply going to the router's debug endpoint in a browser, i.e. at [[http://192.168.1.1/setup.cgi?todo=debug]] to enable the telnet daemon (may use username: root, and no password). | - Calling the routers "debug" endpoint, by simply going to the router's debug endpoint in a browser, i.e. at ''%%http://192.168.1.1/setup.cgi?todo=debug%%'' to enable the telnet daemon (may use username: root, and no password). |
| - Sending a magic packet to the router's telnet daemon, to unlock it (see below instructions). | - Sending a magic packet to the router's telnet daemon, to unlock it (see below instructions). |
| |
| |
| * DC112a v1: Works with UDP of version TelnetEnable and adminstration admin/pw, telnet does not require password. | * DC112a v1: Works with UDP of version TelnetEnable and adminstration admin/pw, telnet does not require password. |
| | * D7000 v1: Works with http unlock and telnet, using normal admin user-id and password. |
| * DGN1000v3: Router Firmware Version V1.0.0.14_0.0.14 works, gives access to a BusyBox console w/o authentication | * DGN1000v3: Router Firmware Version V1.0.0.14_0.0.14 works, gives access to a BusyBox console w/o authentication |
| * [[toh/netgear/dgnd3700|DGND3700v1/DGND3800B]]: < 3.0.0.8 works with original telnetenable over TCP; >= 3.0.0.8 works with any telnetenable patched for UDP | * [[toh/netgear/dgnd3700|DGND3700v1/DGND3800B]]: < 3.0.0.8 works with original telnetenable over TCP; >= 3.0.0.8 works with any telnetenable patched for UDP |
| * [[toh/netgear/netgear_ex2700|EX2700]]: firmware V1.0.1.8 works, gives access to root shell w/o authentication (telnetenable listens on UDP/23) | * [[toh:netgear:ex2700|EX2700]]: firmware V1.0.1.8 works, gives access to root shell w/o authentication (telnetenable listens on UDP/23) |
| * EX6100: Works with original telnetenable (TCP/23) with credentials super_username/super_passwd (not admin/password as one might think) or Gearguy/Geardog or both. Sometimes it doesn't unlock with first attempt (parser_enable?) | * EX6100: Works with original telnetenable (TCP/23) with credentials super_username/super_passwd (not admin/password as one might think) or Gearguy/Geardog or both. Sometimes it doesn't unlock with first attempt (parser_enable?) |
| * EX6100v2: V1.0.1.50 works with new telnetenable (UDP/23). Use username "admin" with the password set in the web interface. Does NOT ask for username/password on login. | * EX6100v2: V1.0.1.50 works with new telnetenable (UDP/23). Use username "admin" with the password set in the web interface. Does NOT ask for username/password on login. |
| * R6300v2: Tested and working with telnetenable2 (UDP Windows 10 version) (Use web interface credentials instead of Gearguy/Geardog) | * [[toh:netgear:r6300_v2|R6300v2]]: Tested and working with telnetenable2 (UDP Windows 10 version) (Use web interface credentials instead of Gearguy/Geardog) |
| * R6700: V1.0.0.2_1.0.1 Tested and working with modified python script of telnetenable. | * R6700: V1.0.0.2_1.0.1 Tested and working with modified python script of telnetenable. |
| * R7000: Assumed to be working with modified python script of telnetenable, and modified telnetenable binary for linux x86-64. V1.0.4.30_1.1.67 & V1.0.7.2_1.1.93 tested working with linux telnetenable from insanid github using web GUI credentials. Doesn't work with super_username & super_passwd nvram variables that are still present. Changing them does nothing. The telnet login ignores credentials (telnet -l //username// router_ip). | * [[toh:netgear:r7000|R7000]]: Assumed to be working with modified python script of telnetenable, and modified telnetenable binary for linux x86-64. V1.0.4.30_1.1.67 & V1.0.7.2_1.1.93 tested working with linux telnetenable from insanid github using web GUI credentials. Doesn't work with super_username & super_passwd nvram variables that are still present. Changing them does nothing. The telnet login ignores credentials (telnet -l //username// router_ip). |
| * R7500: V1.0.0.82 Tested and working with modified python script of telnetenable, and modified telnetenable binary for linux x86-64. | * [[toh:netgear:r7500|R7500]]: V1.0.0.82 Tested and working with modified python script of telnetenable, and modified telnetenable binary for linux x86-64. |
| * WG602 (unknown version): [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1002|assumed to work]] | * WG602 (unknown version): [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1002|assumed to work]] |
| * WGR614 v1-2: unknown; may work | * WGR614 v1-2: unknown; may work |
| * WGT624 v2, v3: works | * WGT624 v2, v3: works |
| * WGT624 V3H1: works (after 6-12 try, reboot, try again cycles) | * WGT624 V3H1: works (after 6-12 try, reboot, try again cycles) |
| | * [[toh:netgear:WN2500RP_V1]] V1.0.0.30_1.0.58: use ./telnetenable 192.168.1.250 MACADDRESS Gearguy Geardog. On connection you should be dropped on a '#' prompt. |
| * WN3000RP v1: works; does not require username/password for login, but necessary for telnetenable (Geardog/Gearguy) | * WN3000RP v1: works; does not require username/password for login, but necessary for telnetenable (Geardog/Gearguy) |
| * [[oldwiki/openwrtdocs/hardware/netgear/WNDR3300]] : works. Does not require username/password for login. On connection the '#' prompt is displayed. | * [[toh:netgear:wndr3300_v1]]: works. Does not require username/password for login. On connection the '#' prompt is displayed. |
| * [[toh/netgear/WNDR3400|WNDR3400v2]] v1.0.0.16_1.0.34 works; does not ask for username/password on login. On connection you should be dropped on a '#' prompt. | * [[toh:netgear:WNDR3400|WNDR3400v2]] v1.0.0.16_1.0.34 works; does not ask for username/password on login. On connection you should be dropped on a '#' prompt. |
| * [[toh/netgear/WNDR3700]] V1.0.7.98: known to work - does not ask for username/password. After connection you will be root at BusyBox v1.4.2. | * [[toh:netgear:WNDR3700]] V1.0.7.98: known to work - does not ask for username/password. After connection you will be root at BusyBox v1.4.2. |
| * [[toh/netgear/WNDR3800]] v1.0.0.16 Tested with the python script of telnetenable. | * [[toh:netgear:WNDR3800]] v1.0.0.16 Tested with the python script of telnetenable. |
| * [[toh/netgear/WNDR4000]] v1.0.0.88 works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt. | * [[toh:netgear:WNDR4000]] v1.0.0.88 works. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt. |
| * [[toh/netgear/WNDR4300]] V1.0.1.30/34/42 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt. | * [[toh/netgear/WNDR4300]] V1.0.1.30/34/42 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt. |
| * [[toh/netgear/WNDR4500]] V1.0.1.40 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt. | * [[toh:netgear:WNDR4500]] V1.0.1.40 works with the python script. Does NOT ask for username/password on login. On connection you should be dropped on a '#' prompt. |
| * WNR1000 v1-2: works; does not require username/password for login. On connection the '#' prompt is displayed. | * [[toh:netgear:wnr1000_v2|WNR1000 v1-2]]: works; does not require username/password for login. On connection the '#' prompt is displayed. |
| * WNR1000 v3: works using the new UDP utility with GUI user/password, using latest OEM firmware 1.0.2.68_60.0.93NA | * [[toh:netgear:wnr1000_v3|WNR1000 v3]]: works using the new UDP utility with GUI user/password, using latest OEM firmware 1.0.2.68_60.0.93NA |
| - did not work initially, only having performed a GUI reset after upgrading firmware to latest | - did not work initially, only having performed a GUI reset after upgrading firmware to latest |
| - BusyBox 0.60.0 worked after a hard reset (power on holding reset button until lights flash) | - BusyBox 0.60.0 worked after a hard reset (power on holding reset button until lights flash) |
| - firmware prior to latest was not tested, but expect the old TCP utility was required, per WGR614v10 | - firmware prior to latest was not tested, but expect the old TCP utility was required, per WGR614v10 |
| | * [[toh:netgear:wnr1000_v4|WNR1000 v4]]: works. Use username “admin” with the password set in the web interface. |
| * WNR2000 v2: works; does not require username/password for login. On connection to stock, Busybox header is shown. Use old TCP method. Gearguy/Geardog | * WNR2000 v2: works; does not require username/password for login. On connection to stock, Busybox header is shown. Use old TCP method. Gearguy/Geardog |
| * WNR2000 v4: works; does not require username/password for login. On connection the '#' prompts is displayed. | * [[toh:netgear:wnr2000v4|WNR2000 v4]]: works; does not require username/password for login. On connection the '#' prompts is displayed. |
| * WNR2200 v1: works; does not require username/password for login. Uses Gearguy/Geardog and the old TCP method. Displays OpenWrt header on connect (stock firmware) | * [[toh:netgear:wnr2200|WNR2200 v1]]: works; does not require username/password for login. Uses Gearguy/Geardog and the old TCP method. Displays OpenWrt header on connect (stock firmware) |
| * [[toh:netgear:wnr3500_v1]] v1.0.29: works; does not ask for username/password on login. On connection you should be dropped on a '#' prompt. | * [[toh:netgear:wnr3500_v1]] v1.0.29: works; does not ask for username/password on login. On connection you should be dropped on a '#' prompt. |
| * [[toh/netgear/wnr3500l|WNR3500L]] V1.2.2.44: Works. V1.2.2.48_35.0.55NA: fails. Does NOT ask for username/password on login. Dropped to '#' prompt on connection. | * [[toh:netgear:wnr3500_v2]] v1.0.2.10: use ./telnetenable 192.168.1.1 MACADDRESS Gearguy Geardog. On connection you should be dropped on a '#' prompt. |
| * WPN824 v1, V2.0.15_1.0.11: known to work | * [[toh:netgear:wnr3500l|WNR3500L]] V1.2.2.44: Works. V1.2.2.48_35.0.55NA: fails. Does NOT ask for username/password on login. Dropped to '#' prompt on connection. |
| * WPN824 v2: known to work | * [[https://oldwiki.archive.openwrt.org/toh/netgear/wpn824v1|WPN824 v1]], V2.0.15_1.0.11: known to work |
| * WPN824 V3: not needed; enable the utelnetd option in Remote Management. | * [[https://oldwiki.archive.openwrt.org/toh/netgear/wpn824v2|WPN824 v2]]: known to work |
| | * [[https://oldwiki.archive.openwrt.org/toh/netgear/wpn824v3|WPN824 v3]]: not needed; enable the utelnetd option in Remote Management. |
| |
| The router CLI is usually the busybox shell running on Linux. | The router CLI is usually the busybox shell running on Linux. |
| * Extract ''telnetEnable.exe'' from any of the zip file downloads. The ''wpn824_ko_2.12_1.2.9.zip'' includes a MS Word document with screenshots and instructions in Korean, a firmware update, and the ''telnetEnable.exe'' tool. Only the tool is necessary. | * Extract ''telnetEnable.exe'' from any of the zip file downloads. The ''wpn824_ko_2.12_1.2.9.zip'' includes a MS Word document with screenshots and instructions in Korean, a firmware update, and the ''telnetEnable.exe'' tool. Only the tool is necessary. |
| * Open a command line (windows console) window (Press [windows key]+[R] and enter "''cmd''"). | * Open a command line (windows console) window (Press [windows key]+[R] and enter "''cmd''"). |
| * Get the MAC address of your Netgear router. You can either run "''arp -a''" on the Windows command line and locate the "Physical Address" (MAC) for the router's IP address, or look it up on the [[http://192.168.1.1/|web interface of your router]] (//Maintenance// -> //Router status// -> //LAN port// -> //MAC Address//). | * Get the MAC address of your Netgear router. You can either run "''arp -a''" on the Windows command line and locate the "Physical Address" (MAC) for the router's IP address, or look it up on the web interface of your router (''%%http://192.168.1.1/%%''; //Maintenance// -> //Router status// -> //LAN port// -> //MAC Address//). |
| * Take the MAC address, remove any minus signs (-) or colons (:) and replace all characters by their upper case representation (a -> A, d-> D etc.). | * Take the MAC address, remove any minus signs (-) or colons (:) and replace all characters by their upper case representation (a -> A, d-> D etc.). |
| * Copy the result of your editing to the clipboard. | * Copy the result of your editing to the clipboard. |