Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[burakkucat]

A quick introduction to nmap via Wikipedia.

It was originally a Unix/Linux kernel OS utility but now has been ported to other OS', including BGW (Billy Gates Ware).

[GunJack]

hanx b*cat, will take a look. Plus, for walter, you, and possibly especially roseway, the contents of the rights link at the bottom of the stats page

[GunJack]

nmap produced this output on a port scan...looks like the hg635 has been well and truly locked down for production

Starting Nmap 6.46 ( http://nmap.org ) at 2014-07-15 21:27 GMT Daylight Time

Nmap scan report for 192.168.1.1

Host is up (0.0020s latency).

Not shown: 996 filtered ports

PORT     STATE SERVICE

53/tcp   open  domain

80/tcp   open  http

443/tcp  open  https

5060/tcp open  sip

MAC Address: D0:7A:B5:C7:8A:6C (Huawei Technologies Co.)



Nmap done: 1 IP address (1 host up) scanned in 33.80 seconds

[burakkucat]

It does seem to be rather "locked down". 

Contrast your result with that which I obtained from my HG622 --

[Duo2 ~]$ nmap 192.168.1.254

Starting Nmap 5.51 ( http://nmap.org ) at 2014-07-15 21:51 BST
Nmap scan report for AP (192.168.1.254)
Host is up (0.019s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   open     telnet
80/tcp   open     http
443/tcp  filtered https
631/tcp  open     ipp
8081/tcp filtered blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds
[Duo2 ~]$

The "Copyright Notice and Warranty Disclaimer" gives us some idea of the software "building blocks" used in that firmware image.

If there are header pins attached to the PCB, they may provide a serial port access to the console . . . 

[les-70]

1.  Under something like parental controls / security / firewall there is often the option to enable or disable protocols on either the LAN or WAN interfaces.  I had a Chinese HG630 which started like this Hg635 but it was possible to enable  ssh access via the GUI acl tab (telnet was not running).   It would be worth searching through the gui for any hopeful screens which enable/disable access through various protocols.

2.  Also although it not common some routers have text editable config file.  e.g. in the Hg612 config file you find "<ACLInstance InstanceID="3" X_ATP_Service="TELNET" X_ATP_Direction="LAN" X_ATP_StartIpAddr="" X_ATP_EndIpAddr=""/>"

 Assuming the option is on the gui download a config file and see if is readable - if it is that might just make it possible to enable telnet.


 

[broadstairs]

My HG622 downloads a non-editable config file so I suspect the HG635 may well do the same.

Stuart

[GunJack]

can't find the config file unfortunately....

however, one question that the router interface has thrown up, do the upstream/downstream noise safety coefficient (dB) equate to snrm in English??

[roseway]

That does seem to be the case, although "coefficient" is the wrong word in this context. I get the impression that it's a Huawei term, and may be a bad English translation of the Chinese original.

[broadstairs]

can't find the config file unfortunately....

If the GUI allows it there is an option under the maintenance/device menu item on the HG622 to save a config file so I would expect the same on this router, it may have been disabled though by TT.

Stuart

[GunJack]

thanks guys, will investigate further later

[GunJack]

oh well, in typical isp fashion, it looks like pretty much the whole router is locked down, no config logs (that  can find), no nothing

[bmn]

There is a serial console (easily found) however the linux firmware only outputs to the console it doesn't accept serial input. Serial input works in the bootloader but there are no memory dump or flash commands. The bootloader has the web interface for uploading a firmware same as HG612 but no firmware image is available. Someone could request the GPL source code and make it available for download but there are no guarantees it'll be quickly hackable even with the GPL source code.

Bootloader:

Code: [Select]

CFE version 1.0.38-114.174 for BCM963268 (32bit,SP,BE)
Build Date: Sat Nov  9 13:59:00 CST 2013 (l00184769@localhost)
Copyright (C) 2000-2011 Broadcom Corporation.

NAND flash device: name , id 0x98d1 block 128KB size 131072KB
External switch id = 53125
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000

 Boot :e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0
*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 333
CFE>
web info: Waiting for connection on socket 0.
CFE> help
Available commands:

gccs                get hw chk sign mode.
p                   Print boot line and board parameter info
ccs                 hw chk sign mode.
c                   Change booline parameters
b                   Change board parameters
cg                  hw boot.
r                   Run program from flash image or from host depend on [f/h] flag
reset               Reset the board
help                Obtain help for CFE commands
Firmware (partial):

Code: [Select]

Boot :e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0
*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 33210
Power down external PHY port.Boot from main system!
SIGN CHK ALWAYLYS.
get bootflag = 1
 check tag at block 1 crc ok
Check Image Crc Success
I have find vmlinux.lz at block 11
I have get vmlinux.lz size at block 25
Decompression OK!
Entry at 0x803bb870
Closing network.
no Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x803bb870

init started: BusyBox vv1.9.1 ()

starting pid 299, tty '': '/etc/init.d/rcS'
RCS DONE

starting pid 301, tty '': '/bin/sh'


BusyBox vv1.9.1 () built-in shell (ash)
Enter 'help' for a list of built-in commands.

rootdir=/
table='/etc/devicetable'
mount config success
mount coredump success
-/bin/sh: cannot create /proc/tty/mode: nonexistent directory
Loading drivers and kernel modules...
Start mic now ...
GlobeMac Init OKload cfm ok.
##sendmsg return 16, errno 0.
ethcmdVportEnable--------SUPPORT_ATP_ETH_BCM_EXT_SWITCH_53125-----
ARL table flush done
Success
MASK- ifconfig [eth0]**********
device eth0 is not a slave of br0
LedcmswpsChgProc :9

[les-70]

  I have the Business version of the HG635 now.  Works fine and the available setup options may be better if previous post have not missed things on the Home version.  However it is essentially just as locked down.  No telnet access and the serial is exactly as noted by bmm. Without xdsl stats/error info available I am unfortunately not prepared to actually use it as intended.  It does however have a wan port and looks OK for use with the HG612 as a wireless ac gigabit router.

   It would be great if anyone with one of the early unlocked ones could download from the Hg635 a config file and make it available.  That file might enable things on the later versions.

[clienthax]

https://mega.co.nz/#!jN9CyALT!D6553h8pN7kjmd8AmJ4zo62EaLAgaTqCngVuTMMVwcE

[les-70]

  Interesting.    Do you know anything about that source code? e.g. is it a/the TT version or another HG635 and has any one built it and tried it?