This column displays the size (in KB) of a shell script file. When you apply a configuration file, the NWA/WAC uses the factory default settings for any features that the configuration file does not include. ZyXEL Passwords (valid as of December 2019) This is a complete list of user names and … But doing it all in software from the couch was an interesting challenge for me. This column displays the date and time that the individual configuration files were last changed or saved. Click Upload to begin the upload process. Suggestions? There is an easy workaround to the extension issue: symbolic links! In the mean time, the firmware mod kit, FMK, doesn't have support for extracting and then rebuilding jffs2 images so I'm going to have to try on my own with the mkfs.jffs2 command. For example, in the Windows command prompt, type ftp •       Resets to default configuration. Rather than pay $99 to CenturyLink for a new modem/router I decided to buy a new WAP/Router. You’re now ready to enable transparent bridge mode on your router. I've cracked everything that's in plaintext and unfortunately none of them work. This feature will turn out to be essential in getting a foothold in this device. Now I have access with ssh, I can use scp to copy my files over the network. Using the terminal we can call all the active tasks running on the modem, to do so type: Geek stuff: Users can use sh to access the BusyBox linux Bash shell and run task monitoring software like top. These are apparently stored on the respective USB drive partition in a file called .Zyxel/.ZyTemp. My interest was mostly focussed on the function zcfgBeCommonGenKeyBySerialNumMethod3, which is apparently intended to be used to generate a supervisor password. Given the interesting design decisions and protection mechanisms, I would not be surprised if any logic flaws or memory corruption vulnerabilities were found. Keep the console session connected in order to see when the firmware recovery finishes. This column displays the size (in KB) of a configuration file. Click a shell script file’s row to select it and click Copy to open the Copy File screen. •       Goes into CLI Configuration mode. Input below content configure terminal reboot. If your login page looks like the image below, follow Section A (p.2-5) If your login page looks like the … Use the Firmware Package screen to check your current firmware version and upload firmware to the NWA/WAC. You could use multiple write commands in a long script. FTP now also works. Transfer the configuration file on the NWA/WAC to your computer. Upload to ZyWALL/USG. Why are so many coders still using Vim and Emacs? If you make and save changes during your management session, the changes are applied to this configuration file. Is it possible to convert MIPS ASM to code? The NWA/WAC still generates a log for any errors. Router(config)# schedule-run 1 reboot_device.zysh daily 10:00 There is a “Remote Management” section, but it basically only allows toggling HTTP(S) access. Use this button to have the NWA/WAC use a specific configuration file. After a lot of digging around I found the file /data/zcfg_config.json. You can also download configuration files from the NWA/WAC to your computer and upload configuration files from your computer to the NWA/WAC. From a quick test, at least FAT32, NTFS and ext2 are supported. 2. > telnet nas 1. I installed the packages Metarepository, Random tools and ffp. The NWA/WAC still generates a log for any errors. See tangent 2. The NWA/WAC ignores any errors in the startup-config.conf file and applies all of the valid commands. SSH and FTP don’t give any special error messages (just generic failure or timeout), but telnet is a bit more verbose: At this point I wondered if the string TELNET permission denied. After five minutes, log in again and check your new firmware version in the Dashboard screen. I know you can with inittab but it doesn't seem like that is what they are doing. So now we have arbitrary filesystem read capability with root permissions, but no way to list files, no way to read non-regular files and no way to write. If you’re feeling adventurous, type sh and poke around using commands like ls and top. I ran john on them using some common wordlists and rulesets, but no luck. This process may take up to two minutes. You cannot rename a shell script to the name of another shell script in the NWA/WAC. The NWA/WAC applies configuration changes made in the Web Configurator to the configuration file when you click Apply or OK. This column displays the number for each shell script file entry. The root password of this router is not derived, and these functions are just left over from other/older models. The following example gets a configuration file named startup-config.conf from the NWA/WAC and saves it on the computer. What is the reason for the date of the Georgia runoff elections for the US Senate? Download the firmware package from and unzip it. rev 2020.11.11.37991, The best answers are voted up and rise to the top, Reverse Engineering Stack Exchange works best with JavaScript enabled, Start here for a quick overview of the site, Detailed answers to any questions you might have, Discuss the workings and policies of this site, Learn more about Stack Overflow the company, Learn more about hiring developers or posting ads with us, Brandon, if you figure out a shell password, please post same. The firmware file uses a .bin extension, for example, "420AAHY1C0.bin". Sadly, symlinks to folders and files outside of this /home/admin are ignored. '” must follow sub commands if it is to make the NWA/WAC exit sub command mode. The algorithm behind the _encrypt_ strings in the JSON configuration is quite simple. 1       Connect your computer to the NWA/WAC. Sorry, I thought your problem was in the login but your edit cleared it up. Copy. If you do not use the write command, the changes will be lost when the NWA/WAC restarts. Got a passwd: jk4blabla You cannot rename the lastgood.conf, system-default.conf and startup-config.conf files. Click OK to delete the configuration file or click Cancel to close the screen without deleting the configuration file. Click a shell script file’s row to select it and click Run to have the NWA/WAC use that shell script file. See the CLI Reference Guide for how to determine if you need to recover the firmware and how to recover it. These files have the same syntax, which is also identical to the way you run CLI commands manually. This is the date that the version of the firmware was created. Click OK to have the NWA/WAC start applying the configuration file or click Cancel to close the screen. In a configuration file or shell script, use “#” or “!” as the first character of a command line to have the NWA/WAC treat the line as a comment. logged out of the telnet, and directly back in: Router firmware modification and MIPS executable under x86_64 Ubuntu [X-POST from]. 2       The FTP server IP address of the NWA/WAC in standalone AP mode is, so set your computer to use a static IP address from ~ You can change the way a configuration file or shell script is applied. Type in the console: >. (The device will reboot at 10:00 every month on 23th). If you’re feeling adventurous, type sh and poke around using commands like ls and top. Pulled from a configuration I have overlooked. Either way, more reversing to be done… :). With e.g. I tried the following passwords: I think from what I've learned there is a 15 minute timeout after 3-4 failed logins. The key is derived from a password and seed using OpenSSL’s EVP_BytesToKey method. But I am not sure what this is. Sidenote: in the end, I used BubbleUPnP on my phone to download files from the router. Is there a finite dimensional algebra with left finitistic dimension different from its right finitistic dimension? Immediately stop applying the configuration file, Immediately stop applying the configuration file and roll back to the previous configuration, Ignore errors and finish applying the configuration file, Ignore errors and finish applying the configuration file and then roll back to the previous configuration. You will need to know then when you get a new router, or when you reset your router. I was looking to enabled the Transparent Bridge mode for my new Netgear R6050 after a friend managed to break the internal antenna on my Zyxel C1000Z, I wasn’t home so I don’t know the physics involved. The password portion should be between -p  and -. No luck. Thunar, I opened the link: made a new directory ‘old’ and moved all current files in that directory to the old directory (just in case I want it back). I requested the source code from zyxel under GPL requests and once I get that I should (hopefully) be able make my own firmware update. Specifically, it is the Password field used for the Dynamic DNS settings: Which is represented like this in the Backup_Restore file: Because the _encrypt_ mechanism is not seeded or context-dependent, this means that we have an encryption oracle and a decryption oracle! My ISP recently provided me with a new router, the Zyxel VMG8825-T50. Do not turn off or reset the NWA/WAC while the firmware update is in progress! Contact Zyxel technology support team directly! When you apply a configuration file or run a shell script, the NWA/WAC processes the file line-by-line. Now that we have the root password, we can perform the encryption and decryption routines for the _encrypt_ configuration strings offline. Enter model number to find the articles related product applications, FAQ and user experience.. You can upload shell script to ZyWALL/USG and issue command line to achieve this, 2. After digging through the Javascript, it appears that this feature was hidden and/or disabled. Specify the new name for the configuration file. Do the following after you have obtained the firmware file. is part of a standard telnet server. Use a text editor to create the shell script files. They must use a “.zysh” filename extension.