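About cracking the HKBN HUAWEI MA5671A ONU stick to extract its parameter settings

This post was last edited by gl5900as on 2024-8-8 01:02

I bought an extra ONU stick and want to transfer the settings from the original HKBN Huawei MA5671A stick, but the stick only exposes SSH on 192.168.1.10 port 22, with no web page.
The password is unknown so I can't log in; all I know is that it runs OpenWrt.

I used a hot-air gun to lift the flash chip off the HKBN MA5671 stick and read it out to a bin file. I opened the ROM's default shadow file: the password is SHA-512 encrypted, so forget it, it can't be cracked. There is also a JFFS2 partition, but I couldn't mount it to extract the parameters.
I modified the shadow file in the squashfs to clear the password and wrote it back; the device runs, but it had no effect and the password is still there. It may have been modified.
I probably have to modify the JFFS2 partition before the password can be cleared.

Sharing the programmer firmware image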
https://mega.nz/file/p9Z3UbhD#Kw ... s27gkmjBSufTJLKRdKM

Tera Term can't connect over TTL, so the flash has to be desoldered?


Impressive


Going all out
Tom_jerry posted on 2022-10-13 16:38


TTL can flash the device, but can it clear the password file in the jffs2 partition?


ONU stick


After running binwalk, extract all the files.

Then use unsquashfs to extract the last squashfs.

Every config is visible.


After running binwalk, extract all the files.

Then use unsquashfs to extract the last squashfs.

Every config is visible ...
super_hkg posted on 2022-10-14 08:03



The squashfs is only the stock default ROM area. There is also a jffs2 partition, and the jffs2 partition is where the real HKBN files are stored.


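This post was last edited by super_hkg on 2022-10-14 09:50
The squashfs is only the stock default ROM area. There is also a jffs2 partition, and the jffs2 partition is where the real HKBN files are stored ...
gl5900as posted on 2022-10-14 08:26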

The jffs opened straight away, and there is a squashfs inside it as well.

I don't see any encryption.


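This post was last edited by gl5900as on 2022-10-23 03:38

I cracked the HKBN stick and dumped all the parameters with the fw_printenv command. No need to redact anything, so I'm posting all of it.
Afterwards you can write the parameters back with fw_setenv. I also found that HKBN barely changed any of the other default config; they only added some parameters through this command and changed the password. I tried wiping the whole JFFS2 data partition and it could still connect and authenticate successfully, so the fw_printenv values are the parameters that matter. No wonder nothing else I set ever worked.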
act_img_addr=0xBF20003C
addip=setenv bootargs ${bootargs} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}:${netdev}:off
addmisc=setenv bootargs ${bootargs} ethaddr=${ethaddr} machtype=${machtype} ignore_loglevel vpe1_load_addr=0x83f00000 vpe1_mem=1M mem=63M ${mtdparts}
addmtdparts0=setenv mtdparts mtdparts=sflash:256k(uboot)ro,512k(uboot_env),7424k(linux),8192k(image1)
addmtdparts1=setenv mtdparts mtdparts=sflash:256k(uboot)ro,512k(uboot_env),7424k(image0),8192k(linux)
asc0=1
baudrate=115200
bertEnable=0
boot_image=run boot_image${c_img};
boot_image0=run kernel0_from_sf flashargs addip addmtdparts0 addmisc && bootm ${ram_addr}
boot_image1=run kernel1_from_sf flashargs addip addmtdparts1 addmisc && bootm ${ram_addr}
boot_image_err=setenv kernel_offs ${kernel0_offs};httpd && setenv image0_is_valid 1
bootcmd=run flash_flash
bootdelay=0
committed_image=0
env_offs=0x40000
env_offs_redund=0x80000
ethact=SERDES
ethprime=SERDES
fileaddr=80F00000
filesize=3400AA
flash_flash=run select_image boot_image
flashargs=setenv bootargs rootfstype=squashfs,jffs2
gDtiaGentEnable=false
gatewayip=192.168.2.0
goi_calibrated=1
  27. goi_config=begin-base64 644 goi_config@H4sIAB7wY1sCA+2YS2/aQBCAuZZfsVUPnOLs7MO7rtVD2qRV1FSNAqKHqLKM@vYBVzCLb6ePfdxZCMOA0VR+oD8+F9Tw8u+v51mNMlRzbRZUlxxObRVU8mplo@FpemiAozjkY48pLyY+enhKL4Qix/UXZ/KfiqA5xzqnyllOxQUCChQ2jnAHJT@VnFBSKewtvqW30P2v1SekFNL5rYiyTSeTwyppoYMviwMyVIzr7JxZorHYRh2@ne7ZxUn/7Cq6OnvpNE/IwOQLcv36fUjOqym5vjnBUf8MB++OczeO8X7X5fsu@BxZKTzIeat8D7Ye022nlzxDzLf5/Hv0f5N8HqVr+/zL+85b/f4P/j/EijUbp@L6L/O/jH8Yp/hRcc+ZdSspb/w/CfbvHvOL+lfXhyeRo9P12THpIhvhLI9dAB@LUIBnmAtyP8W/3hi/4YcjnEl5b38I/TIPx4RUikfxxSY8mXL/yGEtgj89/wn@dj7OJssDYDU8LP9MCrl5/3PX/3Ofi5b/Q0h39cQJPnzSm8zsKJ71uo/cG8HO@yYt4lo2K2I0HWW5wp7Dh7zHK6BHQI0YHDJ4KCEmZFNmiIkPl+Z4IydsXJxfu@Qnpoe/luNeS97lauwrUb5Y6ywj7DYMKbwqx60XIzmWU7UibxbPnP1Mx+Ij3q@YV3d5zHNJtM7l60saZImEfa4u8lxSmWeVZUp7rFEC/vJGdcJL2lEcT+4X1OB@U3Es95175HaeVbYWPMjiV3E2jy4vMAA2+je4iNrGr+y8KQ4eiIN74tgDcWwr@7hQ3FPeT3k6EUblng1sbB90Y5yYCvmiMczbuQ2OcmwhoaIxzNi5UzVabJPW3@9esJgtJbC/9c3W6/BwELdCB9yYONx3luU1dKSx9BPc0px6NMULqfFtehg/2s@7hnpuv86KxqOqCepVIxrrBcqmvKCw80LKH4Q+Qqz7+fFfRANeVEdaH8/LVum@FYJqrYTQVDdldQWCThQA8OPMlfd2KZu4REJzM69q8NHX0cB9IPSAyVqJDNZA@OhaFkoIFoBTTteVe9fvnEYiApnHxYe3q3hmcCQa6jvida/2uwFggaKAUMGhw@XcRFPLKzLLnz1wAcW8wg2FuazW92NCNbxpubXli7eGNTg49lx2+clNnG79Ww@j5k+j7Ge0K9tM1pppZU/UL4CJbxWZQAcAAA=@====@
gphy0_phyaddr=0
gphy1_phyaddr=1
image0_addr=0xB00C0000
image0_is_valid=1
image0_version=V8R017C00S209
image1_addr=0xB0800000
image1_is_valid=0
image_name=openwrt-lantiq-falcon-SFP
ipaddr=192.168.1.10
kernel0_from_sf=sf probe 0;sf read ${ram_addr} ${kernel0_offs} ${max_kernel_size}
kernel0_offs=0xC0000
kernel1_from_sf=sf probe 0;sf read ${ram_addr} ${kernel1_offs} ${max_kernel_size}
kernel1_offs=0x800000
load_kernel=tftp ${ram_addr} ${tftppath}${image_name}-uImage
load_uboot=tftp ${ram_addr} ${tftppath}u-boot.img
machtype=SFP
magic_addr=0xBF200038
magic_val=0xDEADBEEF
max_kernel_size=180000
nDyingGaspEnable=0
nPassword=0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
nSerial=KBK2000502
net_nfs=run load_kernel nfsargs addip addmtdparts0 addmisc;bootm ${ram_addr}
netmask=255.255.255.0
nfsargs=setenv bootargs root=/dev/nfs rw nfsroot=${serverip}:${rootpath},${nfsoptions}
nfsoptions=rsize=1024,wsize=1024
omci_loid=loid
omci_lpwd=lpasswd
preboot=gpio intput 100;gpio input 105;gpio input 106;gpio input 107;gpio input 108;gpio set 3;gpio set 109;gpio set 110;gpio clear 423; gpio clear 422; gpio clear 325; gpio clear 402; gpio clear 424
ram_addr=80F00000
reset_uboot_env=sf probe 0;sf erase 40000 80000
save_uboot=sf probe 0;sf erase 0 40000;sf write ${ram_addr} 0 ${filesize}
select_image=setenv activate_image -1;if itest *${magic_addr} == ${magic_val} ; then if itest *${act_img_addr} == 0 ; then setenv activate_image 0;fi;if itest *${act_img_addr} == 1 ; then setenv activate_image 1;fi;mw ${magic_addr} 0x0;mw ${act_img_addr} 0x0;fi;if test $activate_image = -1 ; then setenv c_img $committed_image;else setenv c_img $activate_image;setenv activate_image -1;fi;if test $c_img = 0 && test $image0_is_valid = 0 ; then setenv c_img 1;fi;if test $c_img = 1 && test $image1_is_valid = 0 ; then setenv c_img 0;fi;if test $image0_is_valid = 0 && test $image1_is_valid = 0 ; then setenv c_img _err;fi;exit 0
serverip=192.168.1.100
stderr=serial
stdin=serial
stdout=serial
tx_fault_pin=2
update_image0=tftp ${ram_addr} ${tftppath}${image_name}-squashfs.image;sf probe 0;sf erase ${kernel0_offs} +${filesize};sf write ${ram_addr} ${kernel0_offs} ${filesize}
update_image1=tftp ${ram_addr} ${tftppath}${image_name}-squashfs.image;sf probe 0;sf erase ${kernel1_offs} +${filesize};sf write ${ram_addr} ${kernel1_offs} ${filesize}
update_openwrt=run update_image0 && setenv committed_image 0 && setenv image0_is_valid 1 && saveenv
update_uboot=run load_uboot && run save_uboot
ver=U-Boot 2011.12-lantiq-gpon-1.2.24 (Nov 03 2014 - 22:46:28)
  71. sfp_a0_low_128=begin-base64 644 sfp_a0_low_128 @AwQBAAAAAgAAAAADDAAUyAAAAABIVUFXRUkgICAgICAgICAgAAAAAE1BNTY3@MUEgICAgICAgICAwMDAwBR4AnQAaAAAwMzFRSFUxME0zMDA1Mzk3MjAxMDE5@ICBo4ANtS0JLMjAwMDUwMiAgICAgICAgICAgICAgICAgICAgICAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAA==@====@
  72. sfp_a2_info=begin-base64 644 sfp_a2_info @XwDOAFoA0wCMoHUwiLh5GK/IAACIuAAAm4Ii0HuGK9QJzwANB8sAEAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/gAAAAAAAAAEAAAABAAAAAQAAAAEA@AAAAAABMHa97SgyWAAEAAf////8CAAFA//8BQAAAcAEAAAAAEGD/////////@////////////MDMwMzFRSFUAAAAAAAD+Gv//////////////////////////@//////////8AAhQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAJIV1RDlPn1pf//////////////AAD//wAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAhCclxDvZrQiJ1nWe2v4Re5jJ1kyvheujpR2Y@pFJJi/SpuUOo4l6Z8f8VA3HBY4zc2PTz9fDwG950ImCC73zZ/2kaAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAiEAz6DNjAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAD/0P/gD/AAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@AAAAAAAAAAAAAA==@====@
gSerial=HWTC94f9f5a5
ethaddr=88:40:33:e8:33:63
/etc/config/omci
config 'omci' 'default'
        option 'mib_file' '/etc/mibs/data_1g_8q.ini'
        option 'status_file' '/tmp/omci_status'
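An added example, not part of the thread or any poster's code: the variables printed by fw_printenv are stored in the uboot_env flash partition in U-Boot's standard redundant-environment layout (CRC32, flags byte, NUL-separated key=value strings), so the identity fields are readable from a flash dump without the login password. The sketch below parses that layout from a constructed image; the 0x1000 environment size, the sample values and the IDENTITY_KEYS grouping are assumptions, while 0x40000 and 0x80000 are the env_offs and env_offs_redund values from the dump above.

```python
import binascii

# Variable names come from the dump above; grouping them as "identity" is this example's choice.
IDENTITY_KEYS = {"nSerial", "gSerial", "nPassword", "ethaddr", "omci_loid", "omci_lpwd"}

def parse_env_copy(copy: bytes) -> dict:
    """Parse one redundant-env copy: CRC32 (4 bytes), flags (1 byte), NUL-separated key=value."""
    if len(copy) <= 5:
        raise ValueError("copy too short")
    data = copy[5:]
    crc = binascii.crc32(data) & 0xFFFFFFFF
    # U-Boot stores the CRC in the CPU's byte order, so accept either.
    if crc not in (int.from_bytes(copy[:4], "big"), int.from_bytes(copy[:4], "little")):
        raise ValueError("CRC mismatch: wrong offset or size, or a corrupted copy")
    env = {}
    for entry in data.split(b"\0"):
        if not entry:  # an empty entry is the double-NUL terminator
            break
        key, _, value = entry.decode("latin-1").partition("=")
        env[key] = value
    return env

def valid_copies(dump: bytes, offsets, env_size: int) -> list:
    """Return (offset, flags, env) for each copy whose CRC verifies."""
    found = []
    for off in offsets:
        copy = dump[off:off + env_size]
        try:
            found.append((off, copy[4], parse_env_copy(copy)))
        except (ValueError, IndexError):
            continue
    return found

def identity_fields(env: dict) -> dict:
    """Device and subscriber identifiers that sit in flash as plaintext."""
    return {k: v for k, v in env.items() if k in IDENTITY_KEYS}

def build_copy(variables: dict, env_size: int, flags: int = 1) -> bytes:  # constructed sample data only
    body = b"".join(f"{k}={v}\0".encode() for k, v in variables.items()) + b"\0"
    data = body.ljust(env_size - 5, b"\0")
    return binascii.crc32(data).to_bytes(4, "big") + bytes([flags]) + data

def demo() -> list:
    size = 0x1000  # assumption: the page does not state the environment size
    good = build_copy({"baudrate": "115200", "nSerial": "EXAMPLE0001", "omci_lpwd": "example"}, size)
    dump = bytearray(b"\xff" * 0xC0000)  # constructed image, erased flash everywhere else
    dump[0x40000:0x40000 + size] = good                            # env_offs
    dump[0x80000:0x80000 + size] = good[:100] + b"X" + good[101:]  # env_offs_redund, corrupted
    return valid_copies(bytes(dump), (0x40000, 0x80000), size)
```

The corrupted second copy is rejected by the CRC check, which is also how a wrong size or offset guess shows up on a real image.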