≡ Menu

bsnl

Hacking Beetel 220x ADSL router (Broadcom BCM6338)

This router is based upon Broadcom BCM6338 chipset. This router is used by Airtel, BSNL and other ISPs in India.

Hack # 1 : How to Login into Router

Login over telnet. This is a common feature of all router these days and this the only way to hack into box:
Default IP: 192.168.1.1
Default Username: admin
Default Password: password

I have changed IP of router to 192.168.1.254 so here is my first session:

$ telnet 192.168.1.254

Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
BCM96338 ADSL Router
Login: admin
password: ********
Once you are logged in you will see menu:

Main Menu

1. ADSL Link State
2. LAN
3. WAN
4. DNS Server
5. Route Setup
6. NAT
7. Firewall
8. Quality Of Service
9. Management
10. Passwords
11. Reset to Default
12. Save and Reboot
13. Exit
->

Hack # 2: Get out of this stupid shell menu script/program
Yup, it is stupid stuff and don't waste your time hitting CTRL+C, CTRL+D keys, to get out of this script/program (break shell script), just type sh and hit enter key at arrow prompt ->

 -> sh

And you will be taken to shell
BusyBox v1.00 (2005.09.20-19:57+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
#

Hack # 3: But where is my ls command...
Type ls or dir command,

# ls

ls: not found

# dir

dir: not found

They have removed the ls and dir command. But don't worry you can use old echo command trick:

# echo *

bin dev etc lib linuxrc mnt proc sbin usr var webs

echo * is old trick which displays list of all files in current directory without using ls or dir command.

Hack #4: Looking for advanced web based configuration, use main.html
Yet another stupid thing, they have removed main.html from web based configuration. Basically main.html is use to configure advanced options of router like port forwarding, DNS setting, firewall etc.

Just type http://192.168.1.254/main.html (replace 192.168.1.254 with your actual router IP address) to get all advanced options.

Hack # 5: Get more information about router hardware and Linux
Since this is tiny device most of the userland command such as free, uname etc are removed. However /proc file system provides all information:

Display CPU Information

# cat /proc/cpuinfo

Display RAM Information

# cat /proc/meminfo

Display Linux versions

# cat /proc/version

Linux version 2.6.8.1 (root@localhost.localdomain) (gcc version 3.4.2) #1 Tue Sep 20 15:52:07 EDT 2005

Display list of running Processes:

# ps 

Display list of all kernel module (drivers):

# cat /proc/modules

Hack # 6: Get more information about your network configuration
Display list of network interfaces

# ifconfig

Get default routing information i.e. find out your ISP's router:

# route

Display Iptables rules

# iptables -L -n

Hack 6 : Secure your router
(A) Fire web browser such as firefox and login to web based interface. Type url http://192.168.1.1/ main.html (or 192.168.1.254/main.html)

(B) Enable Firewall
Click on Security > Ip filtering > Outgoing or Incoming > Click add

(C) Change default admin password
Click on Tools > Select Administrator and type the password. > Click apply

(D) Save changes and reboot router
Click on Management > Access Control > Password > Select Admin > Setup new password

Save changes and reboot router.

Quick reboot router with reboot command:

# reboot

See also:

Hacking the Dlink 502T router

I have upgraded my 256kbps ADSL to 512kbps and it is bundled with Dlink 502T router. Soon after installation I found that it runs Linux :). Hacker inside me decided to play around this router.

How do I Log in to router interface via telnet

You can login over telnet. This is common feature of all router these days and this the only way to hack into box:

=> Default IP: 192.168.1.1
=> Default Username: admin (or use root both are having UID 0)
=> Default Password: admin

WARNING! These examples are not about stealing other users bandwidth or passwords. Most A/DSL provider control many properties on their end. Hacker is a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. This article is not about stealing or cracking other users network equipment.

I have changed IP of router to 192.168.1.254 so here is my first session:
$ telnet 192.168.1.254
Sample output:

Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
BusyBox on (none) login: root
Password:
BusyBox v0.61.pre (2005.05.30-08:31+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

Let us see password file, enter:
# cat /etc/passwd
Output:

root:x:0:0:Root,,,:/:/bin/sh
admin:x:0:0:Admin,,,:/:/bin/sh

Hack #3: Get more information about router hardware and Linux

Since this is tiny device most of the userland command such as free, uname etc are removed. However /proc file system provides all information.

Display CPU Information
# cat /proc/cpuinfo
Display RAM Information
# cat /proc/meminfo
OR
# free

Display Linux versions
# cat /proc/version
Output:

Linux version 2.4.17_mvl21-malta-mips_fp_le (jenny@fd6e) (gcc version 2.95.3 20010315 (release/MontaVista)) #70 Mon May 30 16:34:48 CST 2005

Display list of running Processes:
# ps

Display list of all kernel module:
# lsmod

Hack # 3: Get more information about network

Display list of all network interfaces:
# ifconfig
Get your Internet public IP info:
# ifconfig ppp0
Output:

ppp0      Link encap:Point-Point Protocol
          inet addr:61.xxx.xxx.xxx  P-t-P:61.xxx.xxx.xxx  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1  ASYMMTU:1500
          RX packets:69586 errors:0 dropped:0 overruns:0 frame:0
          TX packets:62540 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:80566538 (76.8 Mb)  TX bytes:5349581 (5.1 Mb)

Get default routing information i.e. find out your ISP's router:
# route
Output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
61.xxx.xxx.xxx  *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
239.0.0.0       *               255.0.0.0       U     1      0        0 br0
default         dsl-xx-00x.xx.x 0.0.0.0         UG    0      0        0 ppp0

Display ethernet statics such as speed and other details:
# cat /proc/avalanche/eth0_rfc2665_stats

Display DSL modem stats:
# cat /proc/avalanche/avsar_modem_stats

Display Iptables firewall rules:
# iptables -L -n

Flush/Stop firewall rules (don't flush untile and unless you have solid reason to do it )
# /etc/flush_firewall

Hack 4 : Secure your router

(A) Open a web browser such as firefox and login to web based interface. Type url http://192.168.1.1/

(B) Enable Firewall
By default firewall is disabled :/? turn it on to protect your router as it runs linux. Click on Home > Wan > Scroll down and select Firewall as Enabled. Click on Apply.

(C) Change default admin password
Click on Tools > Select Administrator and type the password. > Click apply

(D) Save changes and reboot router
Click on Tools > System > Click on Save and Reboot button

Please note that most ISP including Airtel, BSNL and others these days use this router. And by default admin password is not changed by user, in addition to that some software bug exists that allows remote administration via telnet/http. So turning on firewall saves your day.

Hack # 5: Miscellaneous information

Display developer information i.e. the people behind this router development:
# cat /proc/avalanche/developers

Quickly reboot the router:
# reboot

All your binary stored in /bin/ /usr/bin /sbin directory.

More Resources: