Nokia/Alcatel-Lucent router backup configuration tool

nokia-router-cfg-tool.py

#!/usr/bin/env python3


#
# Nokia/Alcatel-Lucent router backup configuration tool
#
# Features:
# - Unpack/repack .cfg files generated from the backup and restore functionnality
#   in order to modify the full router configuration
# - Decrypt/encrypt the passwords/secret values present in the configuration
#
# Blog post: https://0x41.cf/reversing/2019/10/08/unlocking-nokia-g240wa.html
#
# Released under the MIT License (http://opensource.org/licenses/MIT)
# Copyright (c) Sami Alaoui Kendil (thedroidgeek)
#


import sys
import zlib
import struct
import base64
import binascii
import datetime


big_endian = True
encrypted_cfg = False


def u32(val):
    return struct.unpack('>I' if big_endian else '<I', val)[0]

def p32(val):
    return struct.pack('>I' if big_endian else '<I', val)

def checkendian(cfg):
    if (cfg[0:4] == b'\x00\x12\x31\x23'):
        return True
    elif (cfg[0:4] == b'\x23\x31\x12\x00'):
        return False
    else:
        return None


class RouterCrypto:

    def __init__(self):

        from Crypto.Cipher import AES

        # key and IV for AES
        key = '3D A3 73 D7 DC 82 2E 2A 47 0D EC 37 89 6E 80 D7 2C 49 B3 16 29 DD C9 97 35 4B 84 03 91 77 9E A4'
        iv  = 'D0 E6 DC CD A7 4A 00 DF 76 0F C0 85 11 CB 05 EA'

        # create AES-128-CBC cipher
        self.cipher = AES.new(bytes(bytearray.fromhex(key)), AES.MODE_CBC, bytes(bytearray.fromhex(iv)))

    def decrypt(self, data):

        output = self.cipher.decrypt(data)

        # remove PKCS#7 padding
        return output[:-ord(output[-1:])]

    def encrypt(self, data):

        # add PKCS#7 padding for 128-bit AES
        pad_num = (16 - (len(data) % 16))
        data += chr(pad_num).encode() * pad_num

        return self.cipher.encrypt(data)


#
# unpack xml from cfg
#

if (len(sys.argv) == 3 and sys.argv[1] == '-u'):

    # line feed
    print('')

    # read the cfg file
    cf = open(sys.argv[2], 'rb')
    cfg_data = cf.read()

    # check cfg file magic (0x123123) and determine endianness
    big_endian = checkendian(cfg_data)

    if big_endian == None:

        # check if config is encrypted
        decrypted = None
        try:
            # decrypt and check validity
            decrypted = RouterCrypto().decrypt(cfg_data)
            big_endian = checkendian(decrypted)
        except ValueError:
            pass

        # if decryption failed, or still invalid, bail out
        if big_endian == None:
            print('invalid cfg file/magic :(\n')
            exit()

        # set decrypted cfg buffer and encryption flag
        print('-> encrypted cfg detected')
        cfg_data = decrypted
        encrypted_cfg = True

    # log endianness
    if big_endian:
        print('-> big endian CPU detected')
    else:
        print('-> little endian CPU detected')

    # get fw_magic (unknown, could be fw version/compile time, hw serial number, etc.)
    fw_magic = u32(cfg_data[0x10:0x14])
    print('-> fw_magic = ' + hex(fw_magic))

    # get the size of the compressed data
    data_size = u32(cfg_data[4:8])

    # get the compressed data
    compressed = cfg_data[0x14 : 0x14 + data_size]

    # get the checksum of the compressed data
    checksum = u32(cfg_data[8:12])

    # verify the checksum
    if (binascii.crc32(compressed) & 0xFFFFFFFF != checksum):
        print('\nCRC32 checksum failed :(\n')
        exit()

    # unpack the config
    xml_data = zlib.decompress(compressed)

    # output the xml file
    out_filename = 'config-%s.xml' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')
    of = open(out_filename, 'wb')
    of.write(xml_data)

    print('\nunpacked as: ' + out_filename)

    print('\n# repack with:')
    print('%s %s %s %s\n' % (sys.argv[0], ('-pb' if big_endian else '-pl') + ('e' if encrypted_cfg else ''), out_filename, hex(fw_magic)))

    cf.close()
    of.close()


#
# generate cfg from xml
#

elif (len(sys.argv) == 4 and (sys.argv[1][:3] == '-pb' or sys.argv[1][:3] == '-pl')):

    fw_magic = 0

    try:
        # parse hex string
        fw_magic = int(sys.argv[3], 16)
        # 32-bit check
        p32(fw_magic)
    except:
        print('\ninvalid magic value specified (32-bit hex)\n')
        exit()

    big_endian = sys.argv[1][:3] == '-pb'
    encrypted_cfg = sys.argv[1][3:] == 'e'

    out_filename = 'config-%s.cfg' % datetime.datetime.now().strftime('%d%m%Y-%H%M%S')

    # read the xml file
    xf = open(sys.argv[2], 'rb')
    xml_data = xf.read()
    xf.close()

    # compress using default zlib compression
    compressed = zlib.compress(xml_data)

    ## construct the header ##
    # magic
    cfg_data = p32(0x123123)
    # size of compressed data
    cfg_data += p32(len(compressed))
    # crc32 checksum
    cfg_data += p32(binascii.crc32(compressed) & 0xFFFFFFFF)
    # size of xml file
    cfg_data += p32(len(xml_data) + 1)
    # fw_magic
    cfg_data += p32(fw_magic)

    # add the compressed xml
    cfg_data += compressed

    # encrypt if necessary
    if encrypted_cfg:
        cfg_data = RouterCrypto().encrypt(cfg_data)

    # write the cfg file
    of = open(out_filename, 'wb')
    of.write(cfg_data)
    of.close()

    print('\npacked as: ' + out_filename + '\n')


#
# decrypt/encrypt secret value
#

elif (len(sys.argv) == 3 and (sys.argv[1] == '-d' or sys.argv[1] == '-e')):

    decrypt_mode = sys.argv[1] == '-d'

    if decrypt_mode:

        # base64 decode + AES decrypt
        print('\ndecrypted: ' + RouterCrypto().decrypt(base64.b64decode(sys.argv[2])).decode('UTF-8') + '\n')

    else:

        # AES encrypt + base64 encode
        print('\nencrypted: ' + base64.b64encode(RouterCrypto().encrypt(sys.argv[2].encode())).decode('UTF-8') + '\n')


else:

    print('\n#\n# Nokia/Alcatel-Lucent router backup configuration tool\n#\n')
    print('# unpack (cfg to xml)\n')
    print(sys.argv[0] + ' -u config.cfg\n')
    print('# pack (xml to cfg)\n')
    print(sys.argv[0] + ' -pb  config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331')
    print(sys.argv[0] + ' -pl  config.xml 0x13377331 # little endian, ...')
    print(sys.argv[0] + ' -pbe config.xml 0x13377331 # big endian, with encryption, ...')
    print(sys.argv[0] + ' -ple config.xml 0x13377331 # ...\n')
    print('# decrypt/encrypt secret values within xml (ealgo="ab")\n')
    print(sys.argv[0] + ' -d OYdLWUVDdKQTPaCIeTqniA==')
    print(sys.argv[0] + ' -e admin\n')

@SymenDruid

here is a thing var all_nodes= { name:"all_nodes", target:0, nodes:[ { name:"<%T('Status')%>", target:0, nodes:[ { name:"<%T('Device Information')%>", target:"device_status.cgi" }, { name:"<%T('LAN Status')%>", target:"lan_status.cgi?lan" }, { name:"<%T('WAN Status')%>", target:"show_wan_status.cgi?ipv4" }, { name:"<%T('WAN Status IPv6')%>", target:"show_wan_status.cgi?ipv6" }, <% if is_hybrid then %> { name:"<%T('LTE Status')%>", target:"lte_management.cgi?status" }, <% end %> { name:"<%T('Home Networking')%>", target:"lan_status.cgi?wlan" }, { name:"<%T('DSL Statistics')%>", target:"dsl_status.cgi?dsl" }, <% if has_voice_info then %> { name:"<%T('Voice Information')%>", target:"voice_info.cgi" }, <% end %> ] }, { name:"<%T('Network')%>", target:0, nodes:[ <% if shown_in_route then %> { name:"<%T('LAN')%>", target:"lan_ipv4.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('LAN_IPv6')%>", target:"lan_ipv6.cgi" }, <% end %> { name:"<%T('WAN')%>", target:"wan_config_glb.cgi" }, <% if shown_in_route then %> { name:"<%T('WAN DHCP')%>", target:"wan_dhcp.cgi" }, <% end %> <% if has_wifi_24G then %> { name:"<%T('Wireless (2.4GHz)')%>", target:"wlan_config.cgi" }, <% end %> <% if has_wifi_5G then %> { name:"<%T('Wireless (5GHz)')%>", target:"wlan_config.cgi?v=11ac" }, <% end %> <% if has_wifi_24G then %> { name:"<%T('Wireless Schedule')%>", target:"wifi_schedule.cgi" }, <% end %> { name:"<%T('IP Routing')%>", target:"route.cgi" }, <% if shown_in_route then %> { name:"<%T('DNS')%>", target:"dns.cgi" }, <% end %> <% if has_TR then %> { name:"<%T('TR-069')%>", target:"tr69.cgi" }, <% end %> { name:"<%T('QoS Config')%>", target:"qos.cgi" }, <% if has_mesh then %> { name:"<%T('MESH')%>", target:"mesh.cgi" }, <% end %> <% if is_hybrid then %> { name:"<%T('MPTCP Config')%>", target:"wanport_mptcp_config.cgi" }, <% end %> { name:"<%T('Vlan Binding')%>", target:"wan_config_glb.cgi?vbinding" }, ] }, { name:"<%T('Security')%>", target:0, nodes:[ <% if shown_in_route then %> { name:"<%T('Firewall')%>", target:"firewall.cgi?fire" }, <% end %> <% if shown_in_route then %> { name:"<%T('MAC Filter')%>", target:"macfilter.cgi" }, <% end %> <% if has_gfast_protocol then %> { name:"<%T('Service Access Control')%>", target:"protocolcfg.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('IP Filter')%>", target:"ipfilter.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('URL Filter')%>", target:"urlfilter.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('Parental Control')%>", target:"parental_control.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('DMZ and ALG')%>", target:"nat_glb.cgi?v=alg" }, <% end %> ] }, { name:"<%T('Application')%>", target:0, nodes:[ <% if shown_in_route then %> { name:"<%T('Port Forwarding')%>", target:"nat_glb.cgi?v=vhost" }, <% end %> <% if has_port_trigger then %> { name:"<%T('Port Triggering')%>", target:"nat_glb.cgi?v=thost" }, <% end %> <% if shown_in_route then %> { name:"<%T('DDNS')%>", target:"ddns.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('NTP')%>", target:"sntp.cgi" }, <% end %> <% if has_usb then %> { name:"<%T('USB')%>", target:"storage.cgi" }, <% end %> <% if shown_in_route then %> { name:"<%T('UPNP and DLNA')%>", target:"upnp.cgi" }, <% end %> <% if has_voice_setting then %> { name:"<%T('Voice Setting')%>", target:"voice_setting.cgi?v=cfg_line" }, <% end %> ] }, { name:"<%T('Maintenance')%>", target:0, nodes:[ { name:"<%T('Password')%>", target:"user_glb.cgi" }, { name:"<%T('Device Management')%>", target:"device_name.cgi" }, <% if is_hybrid then %> { name:"<%T('LTE management')%>", target:"lte_management.cgi" }, <% end %> { name:"<%T('Backup and Restore')%>", target:"usb.cgi?backup" }, <% if has_pse then %> { name:"<%T('Reverse Power')%>", target:"reverse_power.cgi" }, <% end %> { name:"<%T('Firmware Upgrade')%>", target:"upgrade.cgi" }, { name:"<%T('Reboot Device')%>", target:"reboot.cgi" }, { name:"<%T('Factory Default')%>", target:"restore.cgi" }, { name:"<%T('Diagnostics')%>", target:"diag.cgi?ping" }, { name:"<%T('Log')%>", target:"log.cgi" }, ] }, ] }

so You have to be an admin to restore or backup the cfg fie

you can try 192.168.x.x/usb.cgi?backup
or
192.168.x.x/Maintenance/usb.cgi?backup

<LimitAccount_ONTUSER rw="RW" t="boolean" v="true"/> <CLIPrompt ml="256" rw="RW" t="string" v=""/> <DebugDyPass. n="DyPass" t="staticObject"> <Enable rw="RW" t="boolean" v="fasle"/> <PriKey ml="256" rw="R" t="string" v="ned+vPtd724opgH7hIHoF+4da0cGg8guyqlJonlqrdOST4xztVZiRk81QjH5Ob1nA5ApNMSRdczSg6/tWYjRSdrcdIW0qqUM50ssnttq742JVBSCU9IPYyA7vvZDsj4Vat7nP8Nzo69yN1r6G78ibLVVaLVa9U+jH7JJJ1YfPZI=" ealgo="ab"/>

Hello, im recieving an Import "Crypto.Cipher" could not be resolved error

@Padke9 me have G-2426G-A router admin page backup location locked. please help to unlock root password link: https://drive.google.com/file/d/18RRiX4jbvCGwzyCAbn9ld8QxKHbJ_Pij/view
TRCL

@tolgagazii

i just found this but i cant decrypt -ONTUSER

root:$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz.:0:0:99999:7::: --------------pass: LA(ImvZx%8
ONTUSER:$1$ojmCYQtx$ktc5DH0Kvu/jCpuUSAQB0.:0:0:99999:7:::

v="telecomadmin"/>
<Password ml="64" rw="RW" t="string" v="/7gLS1GVEOV6CH6F5sfXx6YH0ZOGNiRMRg==" ealgo="sab
v="admin"/>
<TelnetPassword ml="256" rw="RW" t="string" v="/5pRT3y/bKs7NPPBQDg3A5IXoRjkQVVa8Q=="

<DebugDyPass. n="DyPass" t="staticObject">

<PriKey ml="256" rw="R" t="string" v="/9V0FWUXFGBWWBtSAOXfXAxHkfN9crFgNgCkvuL0UAqnawF/RUgAry3AsVTFpUrOyUIcHsIInz73p8Q8HnijRALZrp6BcEaAe6lJ5Sw3khd4hy2hJ2Hhfea9Y8cVpUcI3Te/XQXxYQCBt3F+44Y1PD97QKju8PwUd1qPK7+7ArgoHZSkxRdNPWs=" ealgo="sab

G-02425-B

Did you get the password to this ?

Tolong bantu carikan kata sandi PPPoE. Nama perangkat: G-1425G-B

Apakah anda punya

Hello everybody:

I've been lurking this thread quite a bit the past few weeks. I'm trying to decode my ISP's configurations of my G-1425G-A ONT and I'm getting a grasp of the configuration file. I actually just want to bridge my ONT so I can bypass it and handle my internet connection with my Archer X64, and leaving the VoIP handling to my ISP's ONT (if it's possible to bridge the internet connection only, and it should be since I do see some configuration parameters in the file).

However, doing my due diligence, I believe the passwords in the config files are encrypted, but not by using ealgo, but ckn="key3". I have tried to decode my password using the script, but I get a padding error message. Is there anyway to give the script some parameters so it will be able to crack the password?

Note: I know the passwords are encrypted because when I look up for my WebAccount username and password, I don't see my real password, but a series of random characters:

Currently I'm using @rajkosto fork here: https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a?permalink_comment_id=4375352#gistcomment-4375352

Has anyone unlocked NOKIA G-2425G-A?? Need help.

which is ont is that?

…

On Mon, Oct 28, 2024 at 8:03 PM Rupak Kumar Sahu ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ Hello all has anyone unlocked NOKIA G-2425G-A?? Need help. Screenshot.2024-10-28.194658.png (view on web) <https://gist.github.com/user-attachments/assets/dcd1ed89-1c42-4f81-a951-208652abbfe3> — Reply to this email directly, view it on GitHub <https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a#gistcomment-5255941> or unsubscribe <https://github.com/notifications/unsubscribe-auth/BDMIW4MULTNMR27JRTU7NYDZ5ZBTHBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TQNZVGAZTENNHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

i mean which isp ont airtel or others? On Mon, Oct 28, 2024 at 10:25 PM Suman shrestha ***@***.***> wrote:

…

which is ont is that? On Mon, Oct 28, 2024 at 8:03 PM Rupak Kumar Sahu ***@***.***> wrote: > ***@***.**** commented on this gist. > ------------------------------ > > Hello all has anyone unlocked NOKIA G-2425G-A?? Need help. > Screenshot.2024-10-28.194658.png (view on web) > <https://gist.github.com/user-attachments/assets/dcd1ed89-1c42-4f81-a951-208652abbfe3> > > — > Reply to this email directly, view it on GitHub > <https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a#gistcomment-5255941> > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/BDMIW4MULTNMR27JRTU7NYDZ5ZBTHBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TQNZVGAZTENNHORZGSZ3HMVZKMY3SMVQXIZI> > . > You are receiving this email because you commented on the thread. > > Triage notifications on the go with GitHub Mobile for iOS > <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> > or Android > <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> > . > >

airtel

you can search in google must be there

…

On Mon, Oct 28, 2024 at 11:09 PM Rupak Kumar Sahu ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ airtel — Reply to this email directly, view it on GitHub <https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a#gistcomment-5256141> or unsubscribe <https://github.com/notifications/unsubscribe-auth/BDMIW4IN5C7X6LAGGZGV2VDZ5ZXLHBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TQNZVGAZTENNHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

not yet for this software version.

share config file

…

On Mon, Oct 28, 2024, 23:15 Rupak Kumar Sahu ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ not yet for this software version. — Reply to this email directly, view it on GitHub <https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a#gistcomment-5256146> or unsubscribe <https://github.com/notifications/unsubscribe-auth/BDMIW4KTICWZ5TCJF2HMZJLZ5ZYC3BFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TQNZVGAZTENNHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

the problem is airtel has locked the device in such a way, I cant save the config file. Or if am not aware of a method then assist.

sad

…

On Tue, Oct 29, 2024, 16:56 Rupak Kumar Sahu ***@***.***> wrote: ***@***.**** commented on this gist. ------------------------------ the problem is airtel has locked the device in such a way, I cant save the config file. Or if am not aware of a method then assist. Screenshot.2024-10-29.163936.png (view on web) <https://gist.github.com/user-attachments/assets/905d3469-00a4-4e0d-8634-498b0babcc15> Screenshot.2024-10-29.163952.png (view on web) <https://gist.github.com/user-attachments/assets/ba149266-6d71-41a6-b274-688bd9dd2af3> — Reply to this email directly, view it on GitHub <https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a#gistcomment-5256882> or unsubscribe <https://github.com/notifications/unsubscribe-auth/BDMIW4PKZYCNSLQJUC6ROZTZ55UPZBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TQNZVGAZTENNHORZGSZ3HMVZKMY3SMVQXIZI> . You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub> .

Hello everybody:

I've been lurking this thread quite a bit the past few weeks. I'm trying to decode my ISP's configurations of my G-1425G-A ONT and I'm getting a grasp of the configuration file. I actually just want to bridge my ONT so I can bypass it and handle my internet connection with my Archer X64, and leaving the VoIP handling to my ISP's ONT (if it's possible to bridge the internet connection only, and it should be since I do see some configuration parameters in the file).

However, doing my due diligence, I believe the passwords in the config files are encrypted, but not by using ealgo, but ckn="key3". I have tried to decode my password using the script, but I get a padding error message. Is there anyway to give the script some parameters so it will be able to crack the password?

Note: I know the passwords are encrypted because when I look up for my WebAccount username and password, I don't see my real password, but a series of random characters:

Currently I'm using @rajkosto fork here: https://gist.github.com/thedroidgeek/80c379aa43b71015d71da130f85a435a?permalink_comment_id=4375352#gistcomment-4375352

Did you manage to find how to decrypt? I have the same problem I need my pppoe access

how could i decrypt these

<DebugDyPass. n="DyPass" t="staticObject">
<Enable rw="RW" t="boolean" v="false"/>
<PriKey ml="256" rw="R" t="string" v="/9dZA08iJtpdxQwLEN/PXRuvp/W8vthrcznIfPpvWl1bW71HTLPxGcvLgXbMSCT80n0uIV8m4a7D73M2jManOPCJHIGQ/oFNQAEY794iUXOMacgsEJKWycVv59paSz/8SJsjdjMHx4JooJIDXScEWRpxQ2MDCfKOFneBr37u3gtVsWbCwF333Jo=" ealgo="sab" kn="key11" ckn="key3"/>



<UserName ml="64" rw="RW" t="string" v="superadmin"/>
<Password ml="64" rw="RW" t="string" v="/9Iyf1nuW9Jvqbpt0rKmF14mMp9S6stqWg==" ealgo="sab" kn="key11" ckn="key3"/>
<PresetPassword ml="64" rw="RW" t="string" v="/+7bmhokKmku68N3wd0D7q1lQhQzGyBm/w==" ealgo="sab" kn="key11" ckn="key3"/>



<UserName ml="64" rw="RW" t="string" v="superuser"/>
<Password ml="64" rw="RW" t="string" v="/+FSdhRkyEVTdqnlACIuZqb+JEOjo2W9AQ==" ealgo="sab" kn="key11" ckn="key3"/>



<Username ml="256" rw="RW" t="string" v="hgw"/>
<Password ml="256" rw="RW" t="string" v="//buUg3QO21FJsSkPuSqUO+IAeZqYNQbpA==" ealgo="sab" kn="key11" ckn="key3"/>


<ServerPort dv="1813" max="65535" min="1" rw="RW" t="unsignedInt" v="1813"/>
<SecondaryServerPort dv="1813" max="65535" min="1" rw="RW" t="unsignedInt" v="1813"/>
<Secret dv="/wUulBnBDCo+gskG5zJ6oBSZkt1BuY3XKA==" ml="128" rw="RW" t="string" v="/2ctMVcrsk94G9fTQV0aZb5Uj8+CfA+a5Q==" ealgo="sab" kn="key11" ckn="key3"/>
<SecondarySecret dv="/8Lc9Ew+5WA61Wch0ChNpc73lgZkV3Dyzg==" ml="128" rw="RW" t="string" v="/wzcD2XHnlc4ohWWh22hMn3RD3TuSDXc3A==" ealgo="sab" kn="key11" ckn="key3"/>

Did you manage to decrypt the password?

@tolgagazii

i just found this but i cant decrypt -ONTUSER

root:$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz.:0:0:99999:7::: --------------pass: LA(ImvZx%8 ONTUSER:$1$ojmCYQtx$ktc5DH0Kvu/jCpuUSAQB0.:0:0:99999:7:::

v="telecomadmin"/> <Password ml="64" rw="RW" t="string" v="/7gLS1GVEOV6CH6F5sfXx6YH0ZOGNiRMRg==" ealgo="sab v="admin"/> <TelnetPassword ml="256" rw="RW" t="string" v="/5pRT3y/bKs7NPPBQDg3A5IXoRjkQVVa8Q=="

<DebugDyPass. n="DyPass" t="staticObject"> <PriKey ml="256" rw="R" t="string" v="/9V0FWUXFGBWWBtSAOXfXAxHkfN9crFgNgCkvuL0UAqnawF/RUgAry3AsVTFpUrOyUIcHsIInz73p8Q8HnijRALZrp6BcEaAe6lJ5Sw3khd4hy2hJ2Hhfea9Y8cVpUcI3Te/XQXxYQCBt3F+44Y1PD97QKju8PwUd1qPK7+7ArgoHZSkxRdNPWs=" ealgo="sab

Hi!

When running hascat on the publicly known passwords, I was able to find a match for your hash:

$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz. : LA(ImvZx%8
$1$ojmCYQtx$ktc5DH0Kvu/jCpuUSAQB0. : SUGAR2A041

@tolgagazii
i just found this but i cant decrypt -ONTUSER
root:$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz.:0:0:99999:7::: --------------pass: LA(ImvZx%8 ONTUSER:$1$ojmCYQtx$ktc5DH0Kvu/jCpuUSAQB0.:0:0:99999:7:::

v="telecomadmin"/> <Password ml="64" rw="RW" t="string" v="/7gLS1GVEOV6CH6F5sfXx6YH0ZOGNiRMRg==" ealgo="sab v="admin"/> <TelnetPassword ml="256" rw="RW" t="string" v="/5pRT3y/bKs7NPPBQDg3A5IXoRjkQVVa8Q=="
<DebugDyPass. n="DyPass" t="staticObject"> <PriKey ml="256" rw="R" t="string" v="/9V0FWUXFGBWWBtSAOXfXAxHkfN9crFgNgCkvuL0UAqnawF/RUgAry3AsVTFpUrOyUIcHsIInz73p8Q8HnijRALZrp6BcEaAe6lJ5Sw3khd4hy2hJ2Hhfea9Y8cVpUcI3Te/XQXxYQCBt3F+44Y1PD97QKju8PwUd1qPK7+7ArgoHZSkxRdNPWs=" ealgo="sab

Hi!

When running hascat on the publicly known passwords, I was able to find a match for your hash:

$1$GTMUOzhf$mjhy6wET5re92IB4KHqXz. : LA(ImvZx%8 $1$ojmCYQtx$ktc5DH0Kvu/jCpuUSAQB0. : SUGAR2A041

how to generate genpwd_longpasswd ?

Hi,
That "genpwd_longpasswd" should return the default password printed on the bottom sticker/label (10 symbols, unique for each device, used as default password for both Wi-Fi and Web user account).
There is also fri="genpwd_wlanpasswd" function, the exact meaning of which I have not yet found...
Do you have any information about that?

Also, this blog post/article is a very good resource!
https://git.lsd.cat/g/nokia-keygen

https://git.lsd.cat/g/nokia-keygen/src/branch/master/poc

Any Idea where i can Find the list of OperatorID in the router itself ? Also for anyone Looking Info on Nokia G-1425-MA specially from Classictech : Web Username : classicadmin Web Password : Cr3d3nti@lofNok!aONT0061_P@SSW)RD https://github.com/diwash5/nokia_G-1425-MA

@diwash5
Hi Friend,
Thank you very much for this very useful information! Could you, please, also share your firmware dump?
I want to extract the kernel (and maybe u-boot) partitions from it and replace these partitions in my firware dump.
My ONT has updated (newer) firmware, in which Nokia has disabled Serial console (UART port access)...
To reactivate it, I need an older firmware's kernel with active UART, which, jugdging from you bootlog, is active on your unit!

Thank you!

@UCWQv_nlzS9C2gr7h8nJOBTg Report issues at https://termux.dev/issues
~ $ cd /storage/emulated/0/nokia/
.../0/nokia $ python nokia-router-cfg-tool.py

Nokia/Alcatel-Lucent router backup configuration tool

unpack (cfg to xml)

nokia-router-cfg-tool.py -u config.cfg

pack (xml to cfg)

nokia-router-cfg-tool.py -pb config.xml 0x13377331 # big endian, no encryption, fw_magic = 0x13377331
nokia-router-cfg-tool.py -pl config.xml 0x13377331 # little endian, ...
nokia-router-cfg-tool.py -pbe config.xml 0x13377331 # big endian, with encryption, ...
nokia-router-cfg-tool.py -ple config.xml 0x13377331 # ...

decrypt/encrypt secret values within xml (ealgo="ab")

nokia-router-cfg-tool.py -d OYdLWUVDdKQTPaCIeTqniA==
nokia-router-cfg-tool.py -e admin

.../0/nokia $ python nokia_tool.py -u config.cfgpython: can't open file '/storage/emulated/0/nokia/nokia_tool.py': [Errno 2] No such file or directory
.../0/nokia $ python nokia-router-cfg-tool.py -u config.cfg

-> little endian CPU detected
-> fw_magic = 0xffffffff

unpacked as: config-16122024-155528.xml

repack with:

nokia-router-cfg-tool.py -pleS23l7nZm47XyMGs6y6oJpN9CR4nbfIZHJ4VRwp7HcdV6o2YvUmeNYFlz08Otwz78 config-16122024-155528.xml 0xffffffff

.../0/nokia $

Repack not working 😭 😞

hey so i got a nokia g-240w-f router from a isp and i disconnected the router from them and so currently its not use for me so what i was trying to do is trying to make it a access point for my main router the problem is i cant change the gateway ip and such i dont know why the isp disabled those is there a way that i can reflash the firmware and if so where do i find a firmware also my gpon dashboard does not have a update firmware option on the maintance tab

here is the lan tab

i managed it to disable the dhcp by removing the disable tag from the inspect menu so currently dhcp is not there but i tried to do the same on the IPv4 Address and it gives me error lan ip as a alert

Hi,

Does this work for the 5G14-B device as well? I would like to export the settings, but I can't access them. I believe the ISP has blocked it. I can only overwrite the firmware.

hey so i got a nokia g-240w-f router from a isp and i disconnected the router from them and so currently its not use for me so what i was trying to do is trying to make it a access point for my main router the problem is i cant change the gateway ip and such i dont know why the isp disabled those is there a way that i can reflash the firmware and if so where do i find a firmware also my gpon dashboard does not have a update firmware option on the maintance tab here is the lan tab i managed it to disable the dhcp by removing the disable tag from the inspect menu so currently dhcp is not there but i tried to do the same on the IPv4 Address and it gives me error lan ip as a alert

Hey I have the same router and my DHCP is enabled by default and the setting to turn it off is greyed out, neither am I able to allocate any static IPs, please help.

what i did was use the inspect menu and remove the disabled tag and save and it works for the disableing the dhcp and the nat but not the subnets and other things

@achiragaming hey man, thanks for the reply! I did the same and removed disabled from save button and the DHCP checkbox, but after clicking on save it says "The normal user is not allowed to do this!)". Maybe they patched it to needing superuser auth?