
Author Topic: Hacking TP Link TD-W9970  (Read 83651 times)

banger

  • Kitizen
  • ****
  • Posts: 1186
  • TTB 80/20
Re: Hacking TP Link TD-W9970
« Reply #90 on: May 29, 2017, 01:43:16 AM »

Just had to reboot my W9970 after 52 days uptime, web interface became slow and unresponsive, modem and wireless were fine but DSLStats was having trouble logging in.

This sometimes happens and I have yet to fathom why but DSLStats will be 'locked' out for about 20 minutes and then resume logging in. But this time it happened for an hour so had to reboot the router. All is well after reboot.
Logged
Tim
talktalkbusiness.net & freenetname
Asus RT-AC68U and ZyXEL VMG1312-B10A Bridge on 80 Meg TTB Fibre

https://www.thinkbroadband.com/speedtest/1502566996147131655

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #91 on: May 29, 2017, 07:32:28 PM »

Sounds a bit like a memory leak (within the TP-Link) or some sort of runaway process using up the CPU time.

If it's the same as the 9980, then I think each telnetd process only allows one connection at a time - but you can launch more telnetd processes, each on a different port, and then you can have multiple connections, and use one for stats collection, and have another for generally poking around.
Logged

banger

  • Kitizen
  • ****
  • Posts: 1186
  • TTB 80/20
Re: Hacking TP Link TD-W9970
« Reply #92 on: May 29, 2017, 07:50:56 PM »

Yes not sure if a firmware problem or a hack telnet problem. Did contact TP-Link via chat but they wanted a screen shot of stats page for firmware version for their senior engineer, but this would reveal it was hacked so copied and pasted the info in.
Logged

banger

  • Kitizen
  • ****
  • Posts: 1186
  • TTB 80/20
Re: Hacking TP Link TD-W9970
« Reply #93 on: June 13, 2017, 09:48:49 PM »

Been running this modem for a couple of months and found that roughly every hour dslstats fails to login with either incorrect login/password or just times out. So when this happens I fire up the web page and it is very sluggish to login and change pages. If I leave it for about 10 minutes everything is back to normal and web page responses are instant. Could it be a wifi problem? The only way I have to test that is with a BPL set and wire up to ethernet but that might affect sync speeds.
Logged

jonhdooe

  • Just arrived
  • *
  • Posts: 1
Re: Hacking TP Link TD-W9970
« Reply #94 on: June 15, 2017, 07:11:50 PM »

Hi everyone,

I just found a useful program which can decode many router config files and seems to be fully compatible with the TD-W9970.
The ASCII mode shows you the complete XML configuration (which can be exported by a simple copy/paste).
To enable telnetd, just add one line to your XML, encrypt with StatPOSTer and upload the new binary config file (web GUI => restore).
I tested it this way and it works like a charm :)

1. login to the web gui => http://192.168.1.1
2. backup your current configuration => current-conf.bin
3. download this tool => http://www.nirsoft.net/utils/router_password_recovery.html
4. launch RouterPassView.exe (not tested with wine under linux) and open your router config file (ctrl + o) => current-conf.bin
5. go to the options menu and change settings (f3) => text mode - ascii
6. copy your current xml configuration (ctrl + a / ctrl + c) and save it in a new file (ctrl + v) => current-conf.xml
7. insert the description line tweak with telnetd into your xml (see above)
8. launch StatPOSTer-test3.jar, select "TD-W9970" and encrypt your xml file to get the new binary config file => current-conf-with-telnetd.bin
9. login to the web gui => http://192.168.1.1 and to enable telnetd, use the restore option with this file  => current-conf-with-telnetd.bin

voilà ;)

PS: I will complete this post tomorrow with some screen captures (RouterPassView, dslstats)
« Last Edit: June 15, 2017, 07:25:47 PM by jonhdooe »
Logged

GigabitEthernet

  • Kitizen
  • ****
  • Posts: 2243
Re: Hacking TP Link TD-W9970
« Reply #95 on: June 29, 2017, 04:27:20 PM »

Just wondering if there is a way to enable telnet on the v2?
Logged

banger

  • Kitizen
  • ****
  • Posts: 1186
  • TTB 80/20
Re: Hacking TP Link TD-W9970
« Reply #96 on: June 29, 2017, 04:32:31 PM »

New beta firmware to be released next week for V1.
Logged

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: Hacking TP Link TD-W9970
« Reply #97 on: June 29, 2017, 07:03:21 PM »

Quote from: GigabitEthernet
"Just wondering if there is a way to enable telnet on the v2?"

Try it and see? The method is not specific to any particular TP-Link model. It will be easier using jonhdooe's method to start from your existing config.
Logged

GigabitEthernet

  • Kitizen
  • ****
  • Posts: 2243
Re: Hacking TP Link TD-W9970
« Reply #98 on: June 29, 2017, 07:34:17 PM »

I tried it and the web interface said the file is too large :(
Logged

GigabitEthernet

  • Kitizen
  • ****
  • Posts: 2243
Re: Hacking TP Link TD-W9970
« Reply #99 on: June 30, 2017, 01:03:46 PM »

Just tried this again on the V2. I was uploading the file to the wrong place. And...it works! :)

Edit:

I've also been able to confirm the chipset is unchanged from the V1. Both use the BCM63381 chipset.

Code:
~ #  cat /proc/cpuinfo
system type             : 963381SV
processor               : 0
cpu model               : Broadcom BMIPS4350 V8.1
« Last Edit: June 30, 2017, 01:27:47 PM by GigabitEthernet »
Logged

GigabitEthernet

  • Kitizen
  • ****
  • Posts: 2243
Re: Hacking TP Link TD-W9970
« Reply #100 on: July 03, 2017, 11:44:34 AM »

Quote from: banger
"New beta firmware to be released next week for V1."

Is it out yet?
Logged

banger

  • Kitizen
  • ****
  • Posts: 1186
  • TTB 80/20
Re: Hacking TP Link TD-W9970
« Reply #101 on: July 03, 2017, 01:38:43 PM »

For V1 no, they are going to send me it.
Logged

sagittarius

  • Just arrived
  • *
  • Posts: 3
Re: Hacking TP Link TD-W9970
« Reply #102 on: July 08, 2017, 08:39:48 PM »

Hi guys,

First, thanks to the hackers!

I've got a V2 TP-Link 9970.
By default it has these ports open:

Host is up (0.014s latency).
Not shown: 993 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
23/tcp    open  telnet
80/tcp    open  http
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1900/tcp  open  upnp
20005/tcp open  btx

The default telnet does not have the complete Broadcom CLI commands:

TP-LINK(conf)#adsl

          adsl show info

          adsl show status
cmd:SUCC
TP-LINK(conf)#


So with jonhdooe's method using RouterPassView.exe (with Wine under Linux), I managed to get an XML file.

<?xml version="1.0"?>
<DslCpeConfig>
  <InternetGatewayDevice>
    <DeviceSummary val="InternetGatewayDevice:1.1[](Baseline:1, EthernetLAN:1)" />
    <LANDeviceNumberOfEntries val=1 />
    <DeviceInfo>
      <ManufacturerOUI val=50C7BF />
      <SerialNumber val=50xxxxxxxxxx />
      <HardwareVersion val="TD-W9970 v2 00000000" />
      <SoftwareVersion val="0.9.1 0.1 v0076.0 Build 160912 Rel.52951n" />
      <UpTime val=8 />
      <X_TP_IsFD val=0 />
    </DeviceInfo>

Then with StatPOSTer-test2.jar I can obtain the bin file.

But before that, which lines (according to this message) should I edit/modify to be able to get plain telnet access?
And lastly, where do I type: adsl configure --snr N

« Last Edit: July 08, 2017, 09:39:25 PM by sagittarius »
Logged

Bestgear

  • Member
  • **
  • Posts: 88
Re: Hacking TP Link TD-W9970
« Reply #103 on: August 14, 2017, 10:06:00 AM »

Hi

Not sure what's going on with my 9970 - the above hack works for DSLStats, but it reports login failure (to router) every few minutes....and fine at other times.

Have gone back to my trusty HG612 - seems a hard box to beat!
Logged

sagittarius

  • Just arrived
  • *
  • Posts: 3
Re: Hacking TP Link TD-W9970
« Reply #104 on: October 31, 2017, 10:09:02 AM »

On my 9970 v2 with last firmware dated 2017-09-19, I managed to get a telnet session on port 1023 by just adding a single line in the <DeviceInfo> section:
 
Code:
<Description val="300Mbps Wireless N USB VDSL/ADSL Modem Router`telnetd -p 1023 -l login`" />
To be able to encrypt the XML file and write it to disk under Linux with Java (Oracle v9), I had to pass a parameter: java --add-modules java.xml.bind -jar StatPOSTer-20160306.jar

So now access with: telnet modem_ip 1023 (login: admin, pass: 1234) is possible.
Therefore, I wonder how the VDSL SNR works with xdslctl configure --snr XXX (is it a percentage of the current SNR?)
Does a tab of SNR exist somewhere?


« Last Edit: October 31, 2017, 06:09:38 PM by sagittarius »
Logged
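
A defensive check for the config change discussed in Reply #94 and Reply #104, as an added example that is not part of the original posts: it scans a decoded config backup (the text view RouterPassView produces) for val attributes that contain shell syntax, such as the backtick-wrapped command in the Description line. The sample config is constructed from fragments quoted in this thread, and the function name audit_config is hypothetical.

```python
import re

# The decoded config is not well-formed XML (the thread shows unquoted values
# such as val=1), so scan with a regex rather than an XML parser.
VAL_ATTR = re.compile(
    r'<(?P<tag>[\w.-]+)\s+val=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s/>]+))'
)
ENTITY = re.compile(r"&#?\w+;")

# Shell constructs that a plain configuration value should never contain.
CHECKS = [
    ("backtick command substitution", re.compile(r"`")),
    ("$() command substitution", re.compile(r"\$\(")),
    ("shell command separator", re.compile(r"[;|&]")),
]


def audit_config(text):
    """Return (line_no, tag, reason) for every val attribute carrying shell syntax."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in VAL_ATTR.finditer(line):
            quoted = m.group("quoted")
            value = quoted if quoted is not None else m.group("bare")
            value = ENTITY.sub("", value)  # ignore XML entities such as &amp;
            for reason, pattern in CHECKS:
                if pattern.search(value):
                    findings.append((line_no, m.group("tag"), reason))
    return findings


# Constructed sample: a <DeviceInfo> fragment modelled on the one quoted in the
# thread; MODIFIED carries the Description value shown in Reply #104.
CLEAN = """<DeviceInfo>
  <ManufacturerOUI val=50C7BF />
  <HardwareVersion val="TD-W9970 v2 00000000" />
  <Description val="300Mbps Wireless N USB VDSL/ADSL Modem Router" />
  <UpTime val=8 />
</DeviceInfo>"""
MODIFIED = CLEAN.replace('Router"', 'Router`telnetd -p 1023 -l login`"')

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN), ("modified", MODIFIED)):
        print(name, audit_config(cfg))
```

Running the same scan on a backup before restoring it, or on a fresh backup taken from a device of unknown history, shows whether any value would start an extra service such as the telnetd listener on port 1023.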