This post was last edited by LarryWons on 2024-4-14 13:26
First of all, thanks to the Enshan forum member who remotely used the ZTE xx tool to enable telnet for me; that is the prerequisite for everything shared in this post.
Once in over telnet, the first thing to do is of course to get to know this ONT's hardware parameters!
1. Hardware information:
    # cat /proc/capability/boardinfo
    system:LINUX
    cpufac:ZXIC
    cpumod:ZX279133
    2gwlmod:MTK
    5gwlmod:MTK
    cpufre:1000MHZ
    cpunum:2
    flshcap:256MB
    ddrcap:512MB
2. Kernel partition firmware version number:
    # upgradetest getver
    Main version num: V4.3.0P1N10
    Spare version num: V4.3.0P1N10
    success!
3. Kernel partition state:
    # cat /proc/csp/versionstates
    baseaddress : 0x1700000
    current : 0
    version1states : 0x83
    version2states : 0x83
    ____________________________________________________
    Index Running Latest CRC Integrality Type
    ----------------------------------------------------
    0 Y Y N Y Upg
    1 N Y N Y Upg
    ----------------------------------------------------
4. Firmware version and build date (the identification string sits at offset 0x180 of /dev/mtd9 and the 14-digit build timestamp, 2024-01-26 09:41:10 here, at 0x1e4):
    # hexdump -C -s 0x180 -n 128 /dev/mtd9
    00000180 5a 58 48 4e 20 46 37 78 78 78 20 55 4e 49 20 56 |ZXHN F7xxx UNI V|
    00000190 34 2e 33 2e 30 50 31 4e 31 30 00 00 00 00 00 00 |4.3.0P1N10......|
    000001a0 01 00 00 00 00 00 1c 00 60 85 34 02 e0 64 58 3b |........`.4..dX;|
    000001b0 15 85 66 00 00 00 ce 01 fd 49 62 cc 00 00 00 00 |..f......Ib.....|
    000001c0 00 00 ce 01 00 00 00 00 50 31 54 31 30 00 00 00 |........P1T10...|
    000001d0 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 |................|
    000001e0 1e 1c 81 d4 32 30 32 34 30 31 32 36 30 39 34 31 |....202401260941|
    000001f0 31 30 00 00 00 00 00 00 ff ff ff ff ff ff ff ff |10..............|
    00000200
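As an added example (not part of the original post), the following POSIX sh script reads the two header fields the hexdump above makes visible, the identification string at 0x180 and the 14-digit build timestamp at 0x1e4, and cross-checks the header's version against the value that upgradetest getver reported. The offsets are taken from this dump only; it is an assumption that other ZTE firmware revisions lay the header out the same way. Instead of reading /dev/mtd9, the script writes a constructed 0x200-byte sample file that reproduces the dump's header fields, so it runs anywhere; on the device you would pass /dev/mtd9 (or a saved dump of it) to the same functions.

```shell
#!/bin/sh
# Added example: parse the ZTE image header fields shown in the hexdump above
# and check them against the version reported by "upgradetest getver".
# Offsets are taken from the dump (assumed, not verified against other firmware).

VER_OFF=384   # 0x180: "ZXHN F7xxx UNI V4.3.0P1N10", NUL-padded
VER_LEN=32
TS_OFF=484    # 0x1e4: "20240126094110" as YYYYMMDDhhmmss
TS_LEN=14

# Write a constructed 0x200-byte image to $1 that reproduces the dump's two
# text fields; every other header byte is zeroed here (sample data, not a real dump).
make_sample_header() {
    img=$1
    dd if=/dev/zero bs=1 count=$VER_OFF 2>/dev/null > "$img"        # 0x000..0x17f padding
    printf 'ZXHN F7xxx UNI V4.3.0P1N10' >> "$img"                     # 0x180, 26 bytes
    dd if=/dev/zero bs=1 count=$((TS_OFF - VER_OFF - 26)) 2>/dev/null >> "$img"  # up to 0x1e3
    printf '20240126094110' >> "$img"                                  # 0x1e4, 14 bytes
    dd if=/dev/zero bs=1 count=$((512 - TS_OFF - TS_LEN)) 2>/dev/null >> "$img"  # pad to 0x200
}

# Read $3 bytes at byte offset $2 of file $1 and drop the NUL padding.
read_field() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | tr -d '\000'
}

# Full identification string, e.g. "ZXHN F7xxx UNI V4.3.0P1N10".
fw_ident() {
    read_field "$1" "$VER_OFF" "$VER_LEN"
}

# Version token only: the last space-separated word of the identification string.
fw_version() {
    ident=$(fw_ident "$1")
    echo "${ident##* }"
}

# Build timestamp reformatted from YYYYMMDDhhmmss to "YYYY-MM-DD hh:mm:ss".
fw_build_date() {
    read_field "$1" "$TS_OFF" "$TS_LEN" |
        sed 's/^\([0-9]\{4\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)\([0-9]\{2\}\)$/\1-\2-\3 \4:\5:\6/'
}

# Compare the header version in image $1 with the version string $2 reported
# by the upgrade tool. Prints the result and returns 0 on match, 1 otherwise.
check_version() {
    hdr=$(fw_version "$1")
    if [ "$hdr" = "$2" ]; then
        echo "match: header and tool both report $hdr"
        return 0
    fi
    echo "MISMATCH: header=$hdr tool=$2"
    return 1
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
make_sample_header "$sample"
echo "ident:   $(fw_ident "$sample")"
echo "version: $(fw_version "$sample")"
echo "built:   $(fw_build_date "$sample")"
check_version "$sample" "V4.3.0P1N10"   # value printed by "upgradetest getver" above
rm -f "$sample"
```

A mismatch between the header and what the tool reports would be worth noticing before flashing anything, since the versionstates table above already shows the CRC column as N for both slots.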
5. Region code information:
    # cat /etc/init.d/regioncode
    200:Jiangsu
    201:Xinjiang
    202:Hainan
    203:Tianjin
    204:Anhui
    205:Shanghai
    206:Chongqing
    207:Beijing
    208:Sichuan
    209:Shandong
    210:Guangdong
    211:Hubei
    212:Fujian
    214:Zhejiang
    215:Shanxi
    216:Hunan
    217:Yunnan
    218:Xizang
    219:Heilongjiang
    220:Guizhou
    221:Shanxi2
    222:Hebei
    223:Ningxia
    224:Guangxi
    225:Jiangxi
    226:Gansu
    227:Qinghai
    229:Liaoning
    230:Jilin
    231:Neimeng
    232:Henan
    234:TelecomInstitute
After getting to know the ONT's basic hardware information, the next step is a few small modifications to suit my own needs and make later tinkering easier.
1. Elevate the normal user to admin:
    sendcmd 1 DB set DevAuthInfo 1 Level 1
    sendcmd 1 DB save
2. Change the super-user name and password:
    sendcmd 1 DB set DevAuthInfo 0 User XXXXXX
    sendcmd 1 DB set DevAuthInfo 0 Pass XXXXXX
3. Change the client limit:
    sendcmd 1 DB p CltLmt
    sendcmd 1 DB set CltLmt 8 Max 20    # sets the maximum number of clients to 20; any other value works as long as it does not exceed 255
    sendcmd 1 DB set CltLmt 8 Enable 0
    sendcmd 1 DB save
4. Disable TR069 and periodic inform (users who do not understand this should proceed with caution):
    sendcmd 1 DB p MgtServer    # show the carrier's current remote-management (ACS) settings
    sendcmd 1 DB set MgtServer 0 URL http://127.0.0.1    # point the server URL elsewhere
    sendcmd 1 DB set MgtServer 0 Tr069Enable 0
    sendcmd 1 DB set MgtServer 0 PeriodicInformEnable 0
    sendcmd 1 DB save
5. Hijack ITMS registration (users who do not understand this should proceed with caution):
    sendcmd 1 DB set PDTCTUSERINFO 0 Status 0
    sendcmd 1 DB set PDTCTUSERINFO 0 Result 1
    sendcmd 1 DB save
6. Restore TR069 and periodic inform (Guangdong Telecom is used as the example; each province's inform server is probably different):
    sendcmd 1 DB p MgtServer    # show the carrier's current remote-management (ACS) settings
    sendcmd 1 DB set MgtServer 0 URL http://devacs.edatahome.com:9090/ACS-server/ACS
    sendcmd 1 DB set MgtServer 0 Tr069Enable 1
    sendcmd 1 DB set MgtServer 0 PeriodicInformEnable 1
    sendcmd 1 DB save