#!/usr/bin/env python3
#
# Nokia/Alcatel-Lucent router backup configuration tool
#
# Features:
# - Unpack/repack .cfg files generated from the backup and restore functionality
#   in order to modify the full router configuration
# - Decrypt/encrypt the passwords/secret values present in the configuration
#
# Blog post: https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html
#
# Released under the MIT License (http://opensource.org/licenses/MIT)
# Copyright (c) Sami Alaoui Kendil (thedroidgeek)
#
import sys | |
import zlib | |
import struct | |
import base64 | |
import binascii | |
import datetime | |
# Set by the unpack path when the cfg only validates after AES decryption, and
# by the pack path when the mode flag ends in 'e'; selects whether the packed
# output is encrypted.
encrypted_cfg = False

# Byte order read by u32()/p32() on every call. The script reassigns it once
# the cfg magic (unpack) or the -pb/-pl flag (pack) has been inspected.
big_endian = True
def u32(val):
    """Decode 4 bytes as an unsigned 32-bit integer.

    The byte order follows the module-level ``big_endian`` flag at call time.
    ``struct.unpack`` raises ``struct.error`` when ``val`` is not exactly
    4 bytes long.
    """
    layout = '>I' if big_endian else '<I'
    (number,) = struct.unpack(layout, val)
    return number
def p32(val):
    """Encode an integer as 4 bytes (unsigned 32-bit).

    The byte order follows the module-level ``big_endian`` flag at call time.
    ``struct.pack`` raises ``struct.error`` when ``val`` does not fit in an
    unsigned 32-bit field; the pack path relies on that as its range check.
    """
    layout = '>I' if big_endian else '<I'
    return struct.pack(layout, val)
def checkendian(cfg):
    """Classify a cfg buffer by its 4-byte magic (0x123123).

    Returns True when the magic is stored big endian, False when it is stored
    little endian, and None when the first four bytes match neither form
    (which the caller treats as "maybe encrypted, maybe not a cfg at all").
    """
    magic = cfg[0:4]
    if magic == b'\x00\x12\x31\x23':
        return True
    if magic == b'\x23\x31\x12\x00':
        return False
    return None
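class RouterCrypto:
    """AES-CBC helper built on the fixed key and IV embedded in this tool.

    The key below is 32 bytes long, so the cipher is AES-256 in CBC mode
    (AES-128 would need a 16-byte key).

    Key and IV are static constants, and the IV is reused for every message.
    Anyone holding this script can therefore decrypt any .cfg backup or
    ealgo="ab" value protected this way: treat such backups and values as
    plaintext credentials when storing or sharing them.

    The ``Crypto`` package (e.g. PyCryptodome) is imported inside
    ``__init__``, so the module loads without it and a missing package only
    surfaces once an instance is created.

    Each instance wraps one CBC cipher object; the script creates a fresh
    instance per operation instead of reusing one.
    """

    # AES block size in bytes; also the largest valid PKCS#7 pad length.
    _BLOCK_SIZE = 16

    def __init__(self):
        from Crypto.Cipher import AES

        # key and IV for AES
        key = '3D A3 73 D7 DC 82 2E 2A 47 0D EC 37 89 6E 80 D7 2C 49 B3 16 29 DD C9 97 35 4B 84 03 91 77 9E A4'
        iv = 'D0 E6 DC CD A7 4A 00 DF 76 0F C0 85 11 CB 05 EA'

        # create AES-256-CBC cipher (the key size is implied by the 32-byte key)
        self.cipher = AES.new(bytes.fromhex(key), AES.MODE_CBC, bytes.fromhex(iv))

    def decrypt(self, data):
        """Decrypt ``data`` and strip the PKCS#7 padding.

        Raises:
            ValueError: if the decrypted output is empty or its last byte is
                not a plausible pad length. The unpack path catches
                ValueError and reports the file as invalid, so malformed
                input no longer yields a TypeError or a silently truncated
                buffer.
        """
        output = self.cipher.decrypt(data)

        if not output:
            raise ValueError('cannot remove padding from empty data')

        pad_num = output[-1]

        # Only the pad length is range-checked; the filler bytes themselves
        # are not compared, to stay lenient with device output.
        if not 1 <= pad_num <= self._BLOCK_SIZE or pad_num > len(output):
            raise ValueError('invalid PKCS#7 padding')

        return output[:-pad_num]

    def encrypt(self, data):
        """Append PKCS#7 padding to ``data`` and encrypt it.

        A full padding block is added when ``data`` is already block-aligned.
        The padded value is a new object, so a mutable ``data`` argument is
        left untouched.
        """
        pad_num = self._BLOCK_SIZE - (len(data) % self._BLOCK_SIZE)
        return self.cipher.encrypt(data + bytes([pad_num]) * pad_num)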
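#
# unpack xml from cfg
#
# Changes relative to the original flow:
# - files are opened with context managers, so handles are closed on every
#   exit path (the original leaked them on early exit)
# - error paths call sys.exit(1) instead of the site-provided exit(), so a
#   failure is visible to calling scripts through the exit status
# - truncated headers and non-zlib payloads are reported instead of ending
#   in a traceback
# - the pack flag must be exactly -pb, -pl, -pbe or -ple; a flag such as
#   "-pbx" used to be accepted and silently packed without encryption
#

if len(sys.argv) == 3 and sys.argv[1] == '-u':

    # Header layout: magic, compressed size, CRC32, xml size, fw_magic
    # (five 32-bit words), followed by the zlib stream.
    HEADER_SIZE = 0x14

    # line feed
    print('')

    # read the cfg file
    with open(sys.argv[2], 'rb') as cf:
        cfg_data = cf.read()

    # Anything shorter than the header cannot be a cfg file; rejecting it here
    # also keeps empty input away from the decryption attempt below.
    if len(cfg_data) < HEADER_SIZE:
        print('invalid cfg file/magic :(\n')
        sys.exit(1)

    # check cfg file magic (0x123123) and determine endianness
    big_endian = checkendian(cfg_data)

    if big_endian is None:

        # check if config is encrypted
        decrypted = None
        try:
            # decrypt and check validity
            decrypted = RouterCrypto().decrypt(cfg_data)
            big_endian = checkendian(decrypted)
        except ValueError:
            pass

        # if decryption failed, or still invalid, bail out
        if big_endian is None or len(decrypted) < HEADER_SIZE:
            print('invalid cfg file/magic :(\n')
            sys.exit(1)

        # set decrypted cfg buffer and encryption flag
        print('-> encrypted cfg detected')
        cfg_data = decrypted
        encrypted_cfg = True

    # log endianness
    if big_endian:
        print('-> big endian CPU detected')
    else:
        print('-> little endian CPU detected')

    # get fw_magic (unknown, could be fw version/compile time, hw serial number, etc.)
    fw_magic = u32(cfg_data[0x10:0x14])
    print('-> fw_magic = ' + hex(fw_magic))

    # get the size of the compressed data
    data_size = u32(cfg_data[4:8])

    # get the compressed data (a size larger than the file just yields a short
    # slice, which the checksum comparison below then rejects)
    compressed = cfg_data[HEADER_SIZE : HEADER_SIZE + data_size]

    # get the checksum of the compressed data
    checksum = u32(cfg_data[8:12])

    # verify the checksum
    # NOTE: CRC32 is unkeyed, so it only detects accidental corruption; the
    # pack path below recomputes it for any edited payload.
    if binascii.crc32(compressed) & 0xFFFFFFFF != checksum:
        print('\nCRC32 checksum failed :(\n')
        sys.exit(1)

    # unpack the config
    # NOTE(review): the decompressed size is not bounded; the header word at
    # 0x0C (written as len(xml) + 1 by the pack path) could presumably serve
    # as an upper limit -- confirm against device-generated files first.
    try:
        xml_data = zlib.decompress(compressed)
    except zlib.error as err:
        print('\nzlib decompression failed (%s) :(\n' % err)
        sys.exit(1)

    # output the xml file
    # The XML holds the router's passwords/secret values and is created in the
    # current working directory with default permissions.
    out_filename = 'config-%s.xml' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')

    with open(out_filename, 'wb') as of:
        of.write(xml_data)

    print('\nunpacked as: ' + out_filename)

    print('\n# repack with:')
    print('%s %s %s %s\n' % (sys.argv[0], ('-pb' if big_endian else '-pl') + ('e' if encrypted_cfg else ''), out_filename, hex(fw_magic)))

#
# generate cfg from xml
#

elif len(sys.argv) == 4 and sys.argv[1] in ('-pb', '-pl', '-pbe', '-ple'):

    fw_magic = 0

    try:
        # parse hex string
        fw_magic = int(sys.argv[3], 16)
        # 32-bit check
        p32(fw_magic)
    except (ValueError, struct.error):
        print('\ninvalid magic value specified (32-bit hex)\n')
        sys.exit(1)

    big_endian = sys.argv[1][:3] == '-pb'
    encrypted_cfg = sys.argv[1][3:] == 'e'
    out_filename = 'config-%s.cfg' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')

    # read the xml file
    with open(sys.argv[2], 'rb') as xf:
        xml_data = xf.read()

    # compress using default zlib compression
    compressed = zlib.compress(xml_data)

    ## construct the header ##
    cfg_data = b''.join([
        p32(0x123123),                               # magic
        p32(len(compressed)),                        # size of compressed data
        p32(binascii.crc32(compressed) & 0xFFFFFFFF),  # crc32 checksum
        p32(len(xml_data) + 1),                      # size of xml file
        p32(fw_magic),                               # fw_magic
        compressed,                                  # the compressed xml
    ])

    # encrypt if necessary
    if encrypted_cfg:
        cfg_data = RouterCrypto().encrypt(cfg_data)

    # write the cfg file
    with open(out_filename, 'wb') as of:
        of.write(cfg_data)

    print('\npacked as: ' + out_filename + '\n')

#
# decrypt/encrypt secret value
#
# The secret is passed as a command-line argument, so it can end up in shell
# history and in the process list while the script runs.
#

elif len(sys.argv) == 3 and sys.argv[1] in ('-d', '-e'):

    decrypt_mode = sys.argv[1] == '-d'

    if decrypt_mode:
        # base64 decode + AES decrypt
        print('\ndecrypted: ' + RouterCrypto().decrypt(base64.b64decode(sys.argv[2])).decode('UTF-8') + '\n')
    else:
        # AES encrypt + base64 encode
        print('\nencrypted: ' + base64.b64encode(RouterCrypto().encrypt(sys.argv[2].encode())).decode('UTF-8') + '\n')

else:

    print('\n#\n# Nokia/Alcatel-Lucent router backup configuration tool\n#\n')

    print('# unpack (cfg to xml)\n')
    print(sys.argv[0] + ' -u config.cfg\n')

    print('# pack (xml to cfg)\n')
    print(sys.argv[0] + ' -pb config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331')
    print(sys.argv[0] + ' -pl config.xml 0x13377331 # little endian, ...')
    print(sys.argv[0] + ' -pbe config.xml 0x13377331 # big endian, with encryption, ...')
    print(sys.argv[0] + ' -ple config.xml 0x13377331 # ...\n')

    print('# decrypt/encrypt secret values within xml (ealgo="ab")\n')
    print(sys.argv[0] + ' -d OYdLWUVDdKQTPaCIeTqniA==')
    print(sys.argv[0] + ' -e admin\n')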
So either run your command line as admin, or don't run the script INSIDE OF PROGRAM FILES, where you NEED ADMIN RIGHTS TO WRITE FILES. (The script writes its output file into the current working directory.)
thanks
Manufacturer:ALCL
ProductClass:G-2425G-A
SerialNumber:ALCLB3F9XYZ
HWVer:3FE48299DEAA
SWVer:3FE49362IJHK46
IP:192.168.1.1
USERNAME/PASSWORD ONTUSER:SUGAR2A041
[alert] <129>1 1970-01-01T05:32:57.960080+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed
[alert] <129>1 1970-01-01T05:33:13.470119+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed
[alert] <129>1 1970-01-01T05:35:28.700579+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed
[alert] <129>1 1970-01-01T05:35:28.706195+05:30 AONT syslog 3731 - - ssh: [192.168.1.2] login failed over max times
[alert] <129>1 1970-01-01T05:35:46.179659+05:30 AONT syslog 4264 - - ssh: [192.168.1.2] login failed over max times
Hello,
I have Nokia G-2425G-A Router provided by my ISP (Airtel). But the ssh/telnet connection asks for password2.
I have tried ONTUSER direct login, but password SUGAR2A041 not working
configuration file attached :
https://drive.google.com/file/d/1T72DVCCyWS2IK5lpFrKAxyk_2yGFeS3b/view?usp=sharing
Please help me to get root access##
I've already explained this here: https://gist.github.com/rajkosto/e2b2455d457cc2be82dbb5c85e22d708?permalink_comment_id=4417229#gistcomment-4417229. You need to enable ONTUSER first (with LimitAccount_ONTUSER "false"), then make the username of TelnetSSHAccount "ONTUSER"; whatever password is under there is then set for ONTUSER. SUGAR2A041 does not work on these newer models by default.
How we can make current configuration as factory configuration?
like on every reset WAN setting should remained configured.
Any thoughts or suggestions.
@rajkosto @thedroidgeek
How can we lock Nokia G-140W-C.
@rajkosto @thedroidgeek
Anyone know how to set Fastmile Gateway 3 (3TG00799ABAA) to PPPoE mode using the WAN port? I have managed to do it on the wifi 5 model.
Hello experts, please guide me on how to get the configuration file; there is no option for backup and restore. Or could anybody please send me a configuration file for my device, NOKIA -G140W-F?
@jaggifzr Is yours the wifi 6 model? Cause I have the same problem
@cantonalex I don't understand what u ask ..it's a locked modem from other isp
And no option for backup and restore so how can I unlock
Please help me, guys: how do I upload the file? There is no option for uploading a file. I took a file from the net and edited it, and now I have the correct file to upload for telnet access, but there is no option for upload or restore. Is there any software or loader through which I can upload this file?
@jaggifzr did you work it out?
How to make untag vlan work on a Nokia G2425-A in route mode
Hey, can anybody help me? I am facing this error:
PS C:\Users\The Lost Gaming Club\Desktop> python nokia.py -d OYdLWUVDdKQTPaCIeTqniA==
Traceback (most recent call last):
File "C:\Users\The Lost Gaming Club\Desktop\nokia.py", line 221, in <module>
print('\ndecrypted: ' + RouterCrypto().decrypt(base64.b64decode(sys.argv[2])).decode('UTF-8') + '\n')
^^^^^^^^^^^^^^
File "C:\Users\The Lost Gaming Club\Desktop\nokia.py", line 50, in __init__
from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'
I am able to access the shell with root.
Now, how can we customise my router to enable all the features? I am unable to add new profiles. So, instead of changing the xml values, what should be the right way to make this changes?
@MrJithil What router is this for?
@MrJithil What router is this for?
G-2425G-A
Has anyone figured out a way to enable the back up and restore function on G-2425G-B or get any access to the SuperAdmin account?
@TheLazyHatGuy I haven't been able to find this out either, keep me posted if you find out!
I am unable to use the python script on 3FE49362JJIJ50
when I run the commands as per your instructions I get the below mentioned error
D:\nokia router -unlocker.py>python nokia.py
Nokia/Alcatel-Lucent router backup configuration tool
unpack (cfg to xml)
nokia.py -u config.cfg
pack (xml to cfg)
nokia.py -pb config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331
nokia.py -pl config.xml 0x13377331 # little endian, ...
nokia.py -pbe config.xml 0x13377331 # big endian, with encryption, ...
nokia.py -ple config.xml 0x13377331 # ...
decrypt/encrypt secret values within xml (ealgo="ab")
nokia.py -d OYdLWUVDdKQTPaCIeTqniA==
nokia.py -e admin
D:\nokia router -unlocker.py>python nokia.py -d OYdLWUVDdKQTPaCIeTqniA==
decrypted: admin
D:\nokia router -unlocker.py>python nokia.py -u config.cfg
-> little endian CPU detected
-> fw_magic = 0xffffffff
Traceback (most recent call last):
File "D:\nokia router -unlocker.py\nokia.py", line 138, in <module>
xml_data = zlib.decompress(compressed)
zlib.error: Error -3 while decompressing data: incorrect header check
not sure what can I do next?
serial_number=ALCLFC0F3CE2 model_name=Nokia WiFi Beacon 1.1 model_number=3FE49236EAAA
NT_TYPE=beacon1_1 PON_MODE=ETHERNET SOFTWAREVERSION=HJI.I87p02 PRODUCTCLASS=beacon1_1 RELEASE=0.0.0 BUILDSTAMP= BUILDDATE=20210402_2046 COPYRIGHT=ASB WHOBUILD=buildmgr IMAGEVERSION=3FE49474HJII87 NODE=754bb9d584dc1e1dcd3b48a72a6e30800aaa69b5
ONTUSER:$1$gN5WP2Fo$6B.xGzm6kfpDOpYlY89Wp. wlinkuser:$1$IqXCkA2G$tD4LETpI3JuGqyMaxR5SH1 ONTUSER:$1$bgSEInSR$9mz9d01z5KeEqWCQDIXsw0 superadmin:$1$V2wemcad$2B/LkUQZ104dYCsTrdc5/1 ONTUSER:$1$bXtpwU3/$Qmlta87ByJOEnX0AllVJK1 superadmin:$1$JA/Lupt4$z9IvJy2VgUGL8n86.0dLx. ONTUSER:$1$4FG1vq0m$sbBHlJ44Nmoz0ADg6KKle1 superadmin:$1$8hB6r2PN$Zkl7rydE7syXwnC/V.rZc. superadmin:$1$MrZrEVDK$YqxsGcD7cYVz3.9wh2lzM1 ONTUSER:$1$Tyn/Cgvs$RdQuR6PUyfiwkwO167pDn. superadmin:$1$sfCosGGu$LKd9MUE6aJmpPy7vTHMdN1 root:$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz.
web username :admin Password for this device only :KQ5bthrLZD i have dumped the firmware and shared to you
Could you share the firmware here?
please make a code for "3FE49362JJIJ54"
Hi @Padke9 , I have Nokia Airtel G-2425G-A router with Software Version
3FE49362JJIJ50 . Can you please provide the Python script for this software version? Thanks.
anyone know how to do this for Fastmile 3.2 wifi 6 version?
serial_number=ALCLFC0F3CE2 model_name=Nokia WiFi Beacon 1.1 model_number=3FE49236EAAA
(https://drive.google.com/file/d/1nrRQD-6ftSW1DlC0cpiG7CfsgFZGWa2R/view?usp=drive_link)
can I pay you to do this @Padke9 Prakesh, do you have twitter?
This is Locked to carrier
I dont have this hardware with me to reverse
Fastmile 3.2 wifi 6 version
But here is some thing you can see on other version
https://eddiez.me/hacking-the-nokia-fastmile/
serial_number=ALCLFC0F3CE2 model_name=Nokia WiFi Beacon 1.1 model_number=3FE49236EAAA
NT_TYPE=beacon1_1 PON_MODE=ETHERNET SOFTWAREVERSION=HJI.I87p02 PRODUCTCLASS=beacon1_1 RELEASE=0.0.0 BUILDSTAMP= BUILDDATE=20210402_2046 COPYRIGHT=ASB WHOBUILD=buildmgr IMAGEVERSION=3FE49474HJII87 NODE=754bb9d584dc1e1dcd3b48a72a6e30800aaa69b5
ONTUSER:$1$gN5WP2Fo$6B.xGzm6kfpDOpYlY89Wp. wlinkuser:$1$IqXCkA2G$tD4LETpI3JuGqyMaxR5SH1 ONTUSER:$1$bgSEInSR$9mz9d01z5KeEqWCQDIXsw0 superadmin:$1$V2wemcad$2B/LkUQZ104dYCsTrdc5/1 ONTUSER:$1$bXtpwU3/$Qmlta87ByJOEnX0AllVJK1 superadmin:$1$JA/Lupt4$z9IvJy2VgUGL8n86.0dLx. ONTUSER:$1$4FG1vq0m$sbBHlJ44Nmoz0ADg6KKle1 superadmin:$1$8hB6r2PN$Zkl7rydE7syXwnC/V.rZc. superadmin:$1$MrZrEVDK$YqxsGcD7cYVz3.9wh2lzM1 ONTUSER:$1$Tyn/Cgvs$RdQuR6PUyfiwkwO167pDn. superadmin:$1$sfCosGGu$LKd9MUE6aJmpPy7vTHMdN1 root:$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz.
web username :admin Password for this device only :KQ5bthrLZD i have dumped the firmware and shared to you
Very happy to see someone from our country doing these stuff. Keep it up bro.
@Padke9 Did you succeed to extract the squashfs filesystem. Or if any new update?
facing this problem on Nokia G-2425G-A
C:\Program Files\Python311>python.exe C:\Users\xyz\Downloads_nokia-router-cfg-tool_nokia-router-cfg-tool.py -u config.cfg
-> encrypted cfg detected
-> little endian CPU detected
-> fw_magic = 0x4924ea46
Traceback (most recent call last):
File "C:\Users\xyz\Downloads_nokia-router-cfg-tool_nokia-router-cfg-tool.py", line 141, in <module>
of = open(out_filename, 'wb')
^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: 'config-03032023-182654.xml'