烽火光猫 HG261GS 开启 telnet·破解超密

发表于 更新于 分类于 本文字数: 945 阅读时长 ≈ 3 分钟
垃圾光猫,随便玩玩,两个百兆口也不知道有什么必要上光纤(然而光收发是千兆的)。

前提

  • 江西电信
  • 软件版本 G50D1.12MC000

获取超密

打开 http://192.168.1.1/cgi-bin/baseinfoSet.cgi

得到一个 json
其中 TELECOMACCOUNTTELECOMPASSWORD 就是超密

开启 TELNET

打开控制台

1
arp -a 192.168.1.1

得到一个物理地址

打开

1
http://192.168.1.1/cgi-bin/telnetenable.cgi?telnetenable=1&key=得到的物理地址去掉-并且大写

提示 telnet 已开启

控制台登录 telent

1
telnet [email protected]

密码 hg2x0

常用命令

1
2
3
4
/rom/fhshell/misc_shell/stdaction factory precfg_in # 进入工厂模式
cat /flash/cfg/agentconf/factory.conf # 查看配置
cat /flash/cfg/agentconf/param.xml # 查看参数
/rom/fhshell/misc_shell/cfg_bak_restore.sh factory_reset remote_reset factory # 退出工厂模式

详细参数

部件型号参数
CPUSD5115 HNO DATASHEET,推测 armv7l 1core@647MHZ
STORAGESAMSUNG K9F1G08U0D-SCB01-Gbit(128M x 8bit),工作电压:3.3V
MEMORYSAMSUNG K4B4G1646D-BCH94-Gbit(256M x 16) DDR3-1333(9-9-9),工作电压:1.5V
GPONNOG22-D8C-STMentech 铭普光磁,EPON版本的是千兆的光收发
TELCOM INTERFACE ICLE89156PQCMicrochip Technology,工作电压:3.3V
OSLinux2.6.34.10_sd5115h_v100f

两个网口都是百兆的。

点击查看具体信息
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
~ # uname -a
Linux (none) 2.6.34.10_sd5115h_v100f #1 Thu Dec 22 17:08:19 CST 2016 armv7l unknown
~ # cat /proc/meminfo
MemTotal:         111372 kB
MemFree:           30340 kB
Buffers:               0 kB
Cached:            33372 kB
SwapCached:            0 kB
Active:            32632 kB
Inactive:          26628 kB
Active(anon):      29308 kB
Inactive(anon):     4624 kB
Active(file):       3324 kB
Inactive(file):    22004 kB
Unevictable:           0 kB
Mlocked:               0 kB
HighTotal:             0 kB
HighFree:              0 kB
LowTotal:         111372 kB
LowFree:           30340 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:         25912 kB
Mapped:             3360 kB
Shmem:              8044 kB
Slab:              13340 kB
SReclaimable:       1128 kB
SUnreclaim:        12212 kB
KernelStack:         800 kB
PageTables:          636 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       55684 kB
Committed_AS:     360000 kB
VmallocTotal:     139264 kB
VmallocUsed:       20548 kB
VmallocChunk:     109556 kB
~ # cat /proc/cpuinfo
Processor       : ARMv7 Processor rev 0 (v7l)
BogoMIPS        : 1297.61
Features        : swp half thumb fastmult edsp
CPU implementer : 0x41
CPU architecture: 7
CPU variant     : 0x3
CPU part        : 0xc09
CPU revision    : 0

Hardware        : hsan
Revision        : 0000
Serial          : 0000000000000000
~ # cat /proc/stat
cpu  3787 4761 7879 437002 0 2 226 0 0 0
cpu0 3787 4761 7879 437002 0 2 226 0 0 0
intr 486593 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 2257 0 453762 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 30570 0 3 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ctxt 173469
btime 1289820569
processes 23510
procs_running 1
procs_blocked 0
softirq 579308 0 453657 4463 30793 0 0 1016 0 0 89379
~ # df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                   16.0M      8.1M      7.9M  51% /
/dev/root                16.0M      8.1M      7.9M  51% /
/dev/mtdblock2           20.0M     12.2M      7.8M  61% /rom
/dev/mtdblock8           10.0M    888.0k      9.1M   9% /flash
/dev/mtdblock9            4.0M    396.0k      3.6M  10% /usr/local/ct
/dev/mtdblock10          14.0M      3.0M     11.0M  21% /usr/local/fh
/dev/mtdblock7            2.0M    572.0k      1.4M  28% /data
tmpfs                    54.4M     16.0k     54.4M   0% /tmp
tmpfs                    54.4M      8.4M     45.9M  16% /var
tmpfs                    54.4M         0     54.4M   0% /mnt
~ # cat /etc/fstab
# /etc/fstab: static file system information.
#
# <file system> <mount pt>     <type>   <options>         <dump> <pass>
proc            /proc          proc     defaults          0      0
devpts          /dev/pts       devpts   defaults,gid=5,mode=620   0      0
tmpfs           /tmp           tmpfs    defaults          0      0
sysfs           /sys           sysfs    defaults          0      0
tmpfs           /var           tmpfs    defaults          0      0
tmpfs           /mnt           tmpfs    defaults          0      0      ~ #
~ # cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00200000 00020000 "boot"
mtd1: 00400000 00020000 "KernelA"
mtd2: 01400000 00020000 "AppA"
mtd3: 01000000 00020000 "RootfsA"
mtd4: 00400000 00020000 "KernelB"
mtd5: 01400000 00020000 "AppB"
mtd6: 01000000 00020000 "RootfsB"
mtd7: 00200000 00020000 "ConfigurationA"
mtd8: 00a00000 00020000 "ConfigurationB"
mtd9: 00400000 00020000 "UserLocalCT"
mtd10: 00e00000 00020000 "Userdata"
/ # tftp -p -l mtd0 192.168.1.2
/ # tftp -p -l mtd1 192.168.1.2
/ # tftp -p -l mtd2 192.168.1.2
/ # tftp -p -l mtd3 192.168.1.2
/ # tftp -p -l mtd4 192.168.1.2
/ # tftp -p -l mtd5 192.168.1.2
/ # tftp -p -l mtd6 192.168.1.2
/ # tftp -p -l mtd7 192.168.1.2
/ # tftp -p -l mtd8 192.168.1.2
/ # tftp -p -l mtd9 192.168.1.2
/ # tftp -p -l mtd10 192.168.1.2

参考

  • 移动烽火HG光猫超密破解

  • 【烽火】 烽火光猫开telnet及改sn教程

  • 烽火HG261GS——获取超级管理员密码

  • 【烽火】 烽火HG2861-A/HG6861-A修改运营商界面、SN、MAC、PON对称模式等信息,可以开SSH