Netgear RBK763S telnetenable not working
das1996 opened this issue · 14 comments
This is a new orbi from netgear, recently available from costco.
Here's a link to netgear's firmware for this
router
https://www.downloads.netgear.com/files/GDC/RBK763/RBR760-V6.3.1.0.zip
satellite
https://www.downloads.netgear.com/files/GDC/RBK763/RBS760-V6.3.1.0.zip
Telnet or ssh access would be greatly appreciated in this device. Thank you
Hello I've a RBR760 with fw v6.3.6.2_1.2.66
https://www.downloads.netgear.com/files/GDC/RBK763/RBR760-V6.3.6.2.zip
When trying to use the script it freezes on the `retval = conn.recvfrom(1024)` and never gets any UDP packet back from the router.
Thanks!
Well it doesn't hang anymore but it doesn't activate telnet.
The 3 calls with the 3 hashes all fail getting an answer.
I fetched and instrumented telnetenable from RBR760 firmware V6.3.6.2 and it produces exactly the same ciphered blob as with mode=1
(cf https://github.com/doegox/netgear_telnet/blob/tests_phil/research/ if you're interested, it's a bit different as the bin is not using ulibc anymore)
And UDP port 23 seems open according to nmap.
So 🤦♂️ I've no idea why it's not working on my router. And MAC & pwd are correct.
Any other idea by any chance? Does it have to be executed at a particular moment or is it supposed to always work?
BTW pwd is read from /tmp/cache/telnetenable/httpwd in this telnetenable
/usr/sbin/telnet_update.sh is a packed/obfuscated binary that contains and execs the following script:

```sh
#!/bin/sh
# Purpose:
# update telnet related parameters from uci
# Create the cache directory if it does not exist yet
[ -d "/tmp/cache/telnetenable/" ] || mkdir -p "/tmp/cache/telnetenable"
PASSWORD_FILE="/tmp/cache/telnetenable/httpwd"
# Write the HTTP admin password from uci into the file telnetenable reads
uci get system.http.password >$PASSWORD_FILE
```

so it's just the http password, nothing fancy here... and I still don't get why it's not working for me.
I can have a look if I can spot any difference in the fw :)
@doegox I think you are using the wrong mac. It has to be the mac of the router (br0).
It is the one of the router as seen in /sbin/arp :) I tried with specifying myself and with the script discovering it by itself.
I've updated the script. The algo is fine by now. The only things that can now prevent it from being enabled are: the way the password is stored, the actual MAC not matching, or a firewall blocking all UDP traffic.
\o/ I confirm it works fine now on my RBR760
Thank you very much for your work and patience!
Confirmed working on fw V6.3.6.2_1.2.66.