Written in Advance#
Many friends might be quite averse to writing articles that name names, which is likely why such articles are relatively rare. On one hand, the use of this technology exists in a gray area; although the laws in China are not very effective, according to its claims, there is indeed suspicion of unauthorized intrusion into computer systems and aiding in pocket crimes. On the other hand, at the very least, it exposes your spatiotemporal location, and being "opened" is not good.
I actually don't care much because I have always been online with my real name. Moreover, in the current environment, if you have enough enemies who are strong enough, being online with your real name can protect you from being "opened," because you have already achieved a state of being "boxless." As for the former, it depends on how fast you can run.
Background#
A long time ago, I had already set up this optical modem once. However, Unicom secretly replaced the optical switch in the building, which changed the VLAN, resulting in no internet connection. So, the technician came to reboot the optical modem, and the original bridge mode was lost.
I was actually quite lazy to take action, as it is a matter with potential criminal risks. I made a few calls, hoping to solve this issue with some connections. Shandong Unicom had already arranged it, and the provincial office directly sent a work order to the service hall. However, the polite young lady at the service hall called me to say it couldn't be done because there was a document restriction at the Yantai municipal level.
As we all know, the distribution of power among the three major telecom operators is extremely complex, comparable to a railway system. Mobile used to have thousands of provincial units, while Unicom has thousands of municipal units. The provincial company cannot manage the municipal company in all matters.
So, I had to take matters into my own hands.
Preparation#
First of all, after normal network registration, the optical modem from Yantai Unicom will receive a random CUadmin password and a fixed user-mode password via TR069. The user-mode password is always consistent with the one on the sticker on the modem, bound to the device ID.
For the F657GV9, we can use the user mode to access the stripped-down user page and obtain the information we need:
- VLAN ID
- LOID
Of course, you also need to know your PPPoE account name and password.
In the old days, Shandong Unicom had various interfaces at the municipal/provincial level to obtain/modify the PPPoE password, but now it seems... there isn't any intuitive method; you can ask 10010.
Reset#
If you happen to be like me and accidentally disconnected the fiber optic cable while the F657GV9 was powered on, and then pressed the reset button with a toothpick for ten seconds, then the modem will be reset to factory settings.
At this point, the administrator space password for the modem is CUAdmin.
If you happen to log in via http://192.168.1.1/cu.html, you will find a cute little TR069 under network connections, but you cannot delete it, even if you use CUAdmin.
So, we need to have a factorymode_crack tool. This tool can be obtained randomly from the internet.
On Windows, use the command
./factorymode_crack.exe -l fuck open -i 192.168.1.1
You will get an output like
version:3.1
Enter 192.168.1.1 FactoryMode Success:FactoryModeAuth.gch?user=PH7g5g7k&pass=Lag3xO3J
This is not cracking the modem; it just happens that the PH7g5g7k displayed on the screen is the telnet username, and Lag3xO3J is the password.
BusyBox v1.17.2 (2021-12-25 16:19:26 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # uname
Linux
/ # uname -a
Linux F657GV9 4.1.25 #1 SMP Sat Dec 25 16:07:46 CST 2021 armv7l GNU/Linux
If you happen to press a few keys randomly, you will find that its Linux kernel is quite new.
This place can actually happen to open the modem's shell; accidentally connecting a Dupont line can use TTL to obtain a shell.
References#
- https://www.jarvisw.com/?p=1517
https://archive.ph/8HSFV - A magical file discovered by chance!
https://archive.org/details/factorymode_crack
Check the Body#
If you happen to have read the article in reference 1, you will find,
/# sendcmd 1 DB
all:print all table
p [tablename] :print table info
pv:print view info
rreset:remote reset
lreset:local reset
lplreset:long press local reset
reset:local reset
save
debug [0/1]: not reboot to see the file of critical param
set [tablename][rownum][dm][dmvalue] :
addr [tablename]: add ROW to table
delr [tablename][rownum]:delete ROW of table
pti [tablename]: print the detail information of the table
fc [bin-file-name]:compress user config to bin-file-name
fuc [bin-file-name]:uncompress bin-file-name to user config
bckinterval [0]: time of backup 0:syn
bcktype [0/1/2]: backup type 0:no bck 1:all bck 2:part bck
backup : backup now!
partrst [ModName]: part restore now!
prtpdt : print all of product interface.
pcl : print cfg list.
pvf [ViewID]: print View Fun.
aset1 :
aget1 : print View Fun.
aset1w :
aget1w :
aset1wnl :
aget1wnl :
aset1wp :
aget1wp :
addv :
lck1w :
find1w :
pshm : show shmpool infomation
pstate : show state_machine infomation
saveasy : Asy save
dbStati : 0:show Stati info; 1:clean Stati info[0/1]
killdog : kill watchdog
reject :reject db save
unreject: unreject db save
hcget [filepath] [key]
You can peek into the modem's tender body.
We just happen to type in
/ # sendcmd 1 DB p WANC
<Tbl name="WANC" RowCount="2">
<Row No="0">
<DM name="ViewName" val="IGD.WD1.WCD1.WCIP1"/>
<DM name="WANCDViewName" val="IGD.WD1.WCD1"/>
<DM name="Enable" val="1"/>
<DM name="WANCType" val="1"/>
<DM name="ConnType" val="1"/>
<DM name="MediaType" val="0"/>
<DM name="TriggerEnable" val="0"/>
<DM name="LANDViewName" val=""/>
<DM name="WANCName" val="1_TR069_R_VID_50"/>
<DM name="WANCNameExt" val=""/>
<DM name="IPAddr" val="0.0.0.0"/>
<DM name="SubMask" val="0.0.0.0"/>
<DM name="Gateway" val="0.0.0.0"/>
<DM name="StrServList" val="TR069"/>
<DM name="ServList" val="2"/>
<DM name="WorkIFName" val=""/>
<DM name="RealIFName" val=""/>
<DM name="WorkIFMac" val="00:00:00:00:00:00"/>
<DM name="DNS1" val="0.0.0.0"/>
<DM name="DNS2" val="0.0.0.0"/>
<DM name="DNS3" val="0.0.0.0"/>
<DM name="IsNAT" val="1"/>
<DM name="IsForward" val="1"/>
<DM name="IsDefGW" val="0"/>
<DM name="IsNAT6" val="0"/>
<DM name="IsDefGW6" val="0"/>
<DM name="DSCP" val="-1"/>
<DM name="DSCP6" val="-1"/>
<DM name="TC" val="-1"/>
<DM name="VLANID" val="50"/>
<DM name="MCVLANID" val="-1"/>
<DM name="IgmpProxyEnable" val="1"/>
<DM name="UpstreamWAN" val="0"/>
<DM name="MLDProxyEnable" val="1"/>
<DM name="Priority" val="6"/>
<DM name="WBDMode" val="2"/>
<DM name="OnLineTime" val="0"/>
<DM name="Status" val="0"/>
<DM name="HideListView" val="0"/>
<DM name="IPMode" val="1"/>
<DM name="IsDel" val="0"/>
<DM name="DNSEnabled" val="1"/>
<DM name="WancIndex" val="1"/>
</Row>
<Row No="1">
<DM name="ViewName" val="IGD.WD1.WCD2.WCIP1"/>
<DM name="WANCDViewName" val="IGD.WD1.WCD2"/>
<DM name="Enable" val="1"/>
<DM name="WANCType" val="1"/>
<DM name="ConnType" val="2"/>
<DM name="MediaType" val="0"/>
<DM name="TriggerEnable" val="0"/>
<DM name="LANDViewName" val=""/>
<DM name="WANCName" val="2_IPTV_B_VID_43"/>
<DM name="WANCNameExt" val=""/>
<DM name="IPAddr" val="0.0.0.0"/>
<DM name="SubMask" val="0.0.0.0"/>
<DM name="Gateway" val="0.0.0.0"/>
<DM name="StrServList" val="IPTV"/>
<DM name="ServList" val="8"/>
<DM name="WorkIFName" val=""/>
<DM name="RealIFName" val=""/>
<DM name="WorkIFMac" val="00:00:00:00:00:00"/>
<DM name="DNS1" val="0.0.0.0"/>
<DM name="DNS2" val="0.0.0.0"/>
<DM name="DNS3" val="0.0.0.0"/>
<DM name="IsNAT" val="1"/>
<DM name="IsForward" val="1"/>
<DM name="IsDefGW" val="0"/>
<DM name="IsNAT6" val="0"/>
<DM name="IsDefGW6" val="0"/>
<DM name="DSCP" val="-1"/>
<DM name="DSCP6" val="-1"/>
<DM name="TC" val="-1"/>
<DM name="VLANID" val="43"/>
<DM name="MCVLANID" val="80"/>
<DM name="IgmpProxyEnable" val="1"/>
<DM name="UpstreamWAN" val="0"/>
<DM name="MLDProxyEnable" val="1"/>
<DM name="Priority" val="3"/>
<DM name="WBDMode" val="2"/>
<DM name="OnLineTime" val="0"/>
<DM name="Status" val="0"/>
<DM name="HideListView" val="0"/>
<DM name="IPMode" val="1"/>
<DM name="IsDel" val="0"/>
<DM name="DNSEnabled" val="1"/>
<DM name="WancIndex" val="2"/>
</Row>
</Tbl>
You can see that Row No="0", the first row, is indeed 1_TR069_R_VID_50.
You can use this command to help remove the positive energy from it.
sendcmd 1 DB delr WANC 0
sendcmd 1 DB save
Again, sendcmd 1 DB p WANC, and indeed it is gone. (You can restart to verify if it has been written to flash.)
References#
Inject New Positive Energy#
Insert the fiber optic cable!
Register using user space; Yantai Unicom does not require a password, only LOID.
Or, in the advanced configuration under the administrator space, there is a LOID setting.
Getting stuck here is normal because we removed the TR; it will never have a management IP in its lifetime.
Create a new internet connection, bridge mode, and the bound LAN port needs to be specified manually. The VLAN tag ID is what was seen in the user mode earlier.
If there is IPTV at home, then go to Unicom to cancel this paid brainwashing service. If you need to continue using it, configure the LAN port and VLAN ID similarly.
Dial verification on macOS, successful.
Dialing on the router (this main router is Padavan).
I prefer to manually set the main IP, but it can also work without setting it.
Mar 26 15:58:10 pppd[2864]: Plugin rp-pppoe.so loaded.
Mar 26 15:58:10 pppd[2864]: RP-PPPoE plugin version 3.12 compiled against pppd 2.4.7
Mar 26 15:58:10 pppd[2896]: pppd 2.4.7 started by admin, uid 0
Mar 26 15:58:10 crond[2915]: crond (busybox 1.29.3) started, log level 8
Mar 26 15:58:45 pppd[2896]: Timeout waiting for PADS packets
Mar 26 15:58:50 pppd[2896]: PPP session is 8176 (0x1ff0)
Mar 26 15:58:50 pppd[2896]: Connected to 34:a2:a2:d3:0b:7e via interface eth3
Mar 26 15:58:50 pppd[2896]: Using interface ppp0
Mar 26 15:58:50 pppd[2896]: Connect: ppp0 <--> eth3
Mar 26 15:58:53 pppd[2896]: syncppp not active
Mar 26 15:58:53 pppd[2896]: Remote message: Authentication success, Welcome!
Mar 26 15:58:53 pppd[2896]: PAP authentication succeeded
Mar 26 15:58:53 pppd[2896]: peer from calling number 34:A2:A2:D3:0B:7E authorized
Mar 26 15:58:53 pppd[2896]: local IP address 112.249.999.999
Mar 26 15:58:53 pppd[2896]: remote IP address 112.249.999.1
Thus, we accidentally achieved bridging.
Written at the End#
In fact, this is just using this thing as a cat stick; this is its most beautiful appearance, isn't it?
And at this point, the user-mode password does not exist; you can set it. However, this user mode is useless. The password for CUadmin will not be changed and can be used indefinitely.