Eltel ET-5300

This router is distributed by Claro in large numbers. It is manufactured by Comtrend, according to the IEEE Standards MA-L database.

Links
 * Product page
 * Datasheet
 * User Manual of similar Upvel UR-314AN (TrendChip firmware)

Components
 * EM6AA160TSB-5G datasheet
 * MX25L6406E datasheet

Board, headers, etc
The board layout is somewhat similar to Upvel UR-314AN, Upvel UR-354AN4G (with USB), Huawei HG532s, ZTE ZXHN H108L, and Edimax AR-7186. Silk screen says E241819 50XX13-350.
 * J521 is likely the serial interface.
 * The circuit board is prepared for a USB connector (J500). It needs an additional 5 V regulator (U601).

Bootlog
# cat /proc/kmsg
<5>Linux version 2.6.22.15 (root@linux.local) (gcc version 4.3.4 (GCC) ) #11 SMP Tue Apr 2 09:57:08 CST 2013
<6>ISPRAM0: PA=00260000,Size=00008000,enabled
<4>Enable SRAM=1c000001
<4>Ralink RT63365 SOC prom init
<4>[DEBUG]Fix eth led for AR-5300
<4>CPU revision is: 00019555
<4>Determined physical RAM map:
<4> memory: 02000000 @ 00000000 (usable)
<7>On node 0 totalpages: 8192
<7> Normal zone: 64 pages used for memmap
<7> Normal zone: 0 pages reserved
<7> Normal zone: 8128 pages, LIFO batch:0
<4>3 available secondary CPU TC(s)
<4>Built 1 zonelists. Total pages: 8128
<5>Kernel command line: console=ttyS0 rootfstype=squashfs es=1
<4>Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
<4>Primary data cache 32kB, 4-way, linesize 32 bytes.
<6>Synthesized TLB refill handler (23 instructions).
<6>Synthesized TLB load handler fastpath (37 instructions).
<6>Synthesized TLB store handler fastpath (37 instructions).
<6>Synthesized TLB modify handler fastpath (36 instructions).
<6>Cache parity protection disabled
<4>PID hash table entries: 128 (order: 7, 512 bytes)
<4>CPU frequency 498.00 MHz
<4>Using 250.000 MHz high precision timer.
<6>console handover: boot [early0] -> real [ttyS0]
<4>Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
<4>Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
<6>Memory: 29276k/32768k available (2338k kernel code, 3492k reserved, 346k data, 148k init, 0k highmem)
<6>SLUB: Genslabs=17, HWalign=32, Order=0-1, MinObjects=4, CPUs=4, Nodes=1
<7>Calibrating delay loop... 332.59 BogoMIPS (lpj=1662976)
<4>Mount-cache hash table entries: 512
<4>34K sync es set to 1.
<4>Config7: 0x80080500
<4>FPU Affinity set after 1105 emulations
<4>Limit of 4 TCs set
<4>TLB of 64 entry pairs shared by 2 VPEs
<4>VPE 0: TC 0 1 2, VPE 1: TC 3
<4>IPI buffer pool of 32 buffers
<4>CPU revision is: 00019555
<7>Calibrating delay loop... 249.85 BogoMIPS (lpj=1249280)
<4>TC 1 going on-line as CPU 1
<4>CPU revision is: 00019555
<7>Calibrating delay loop... 249.85 BogoMIPS (lpj=1249280)
<4>TC 2 going on-line as CPU 2
<4>CPU revision is: 00019555
<7>Calibrating delay loop... 249.03 BogoMIPS (lpj=1245184)
<4>TC 3 going on-line as CPU 3
<6>Brought up 4 CPUs
<4>migration_cost=10000
<6>NET: Registered protocol family 16
<4>RT63365_pcie_init
<4>registering PCI controller with io_map_base unset
<6>PCI: Bridge: 0000:00:00.0
<6> IO window: disabled.
<6> MEM window: 20000000-200fffff
<6> PREFETCH window: disabled.
<4>PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
<7>PCI: Setting latency timer of device 0000:00:00.0 to 64
<6>NET: Registered protocol family 8
<6>NET: Registered protocol family 20
<6>NET: Registered protocol family 2
<6>Time: MIPS clocksource has been installed.
<4>IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
<4>TCP established hash table entries: 1024 (order: 1, 12288 bytes)
<4>TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
<6>TCP: Hash tables configured (established 1024 bind 1024)
<6>TCP reno registered
<6>squashfs: version 3.0 (2006/03/15) Phillip Lougher
<6>io scheduler noop registered (default)
<6>ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
<6>PPP generic driver version 2.4.2
<6>PPP Deflate Compression module registered
<6>PPP BSD Compression module registered
<6>NET: Registered protocol family 24
<6>IMQ starting with 2 devices...
<6>IMQ driver loaded successfully.
<6>	Hooking IMQ after NAT on PREROUTING.
<6>	Hooking IMQ before NAT on POSTROUTING.
<4>tc3162: flash device 0x01000000 at 0x10000000
<6>tc3162: Found SPIFLASH 8MiB MX25L6405D
<5>Creating 7 MTD partitions on "tc3162":
<5>0x00000000-0x00010000 : "bootloader"
<5>0x00010000-0x00020000 : "romfile"
<5>0x00020000-0x00104c6f : "kernel"
<4>mtd: partition "kernel" doesn't end on an erase block -- force read-only
<5>0x00104c6f-0x004c6c6f : "rootfs"
<4>mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only
<5>0x00020000-0x007c0000 : "tclinux"
<5>0x007c0000-0x00800000 : "reservearea"
<5>0x00000000-0x00800000 : "total_flash"
<4>RT3xxx EHCI/OHCI init.
<4>Netfilter messages via NETLINK v0.30.
<4>nf_conntrack version 0.5.0 (256 buckets, 2048 max)
<4>ctnetlink v0.93: registering with nfnetlink.
<4>nf_conntrack_rtsp v0.6.21 loading
<4>nf_nat_rtsp v0.6.21 loading
<4>ip_tables: (C) 2000-2006 Netfilter Core Team
<6>TCP cubic registered
<6>Initializing XFRM netlink socket
<6>NET: Registered protocol family 1
<6>NET: Registered protocol family 10
<6>lo: Disabled Privacy Extensions
<6>IPv6 over IPv4 tunneling driver
<6>sit0: Disabled Privacy Extensions
<6>NET: Registered protocol family 17
<6>NET: Registered protocol family 15
<6>802.1Q VLAN Support v1.8 Ben Greear
<6>All bugs added by David S. Miller
<4>VFS: Mounted root (squashfs filesystem) readonly.
<6>Freeing unused kernel memory: 148k freed
<4>module_sel: module license 'unspecified' taints kernel.
<4>
<4>tcfullcone version: tcfullcone V1.1.0.0 (Mar 5 2012-08:25:25).
<4>TC3162 LED Manager 0.1 init
<4>
<4>tcledctrl version: tcledctrl V1.1.0.0 (Apr 2 2013-09:57:18).
<4>tccicmd V1.1.0.0 (Apr 2 2013-09:57:20)
<4>Adapter_Interrupts_Init: Successfully hooked IRQ 29
<4>
<4>Adapter_Interrupts_Init: call back registeredAdapter_EIP93_Init: CmdRing_Handle=81860ffc
<4>Adapter_EIP93_Init: ResRing_Handle=81860ff8
<4>Adapter: Successfully initialized EIP93v2 in ARM mode
<4>PEC_Init: PRNG is initialized
<6>femac.c:v1.00-NAPI 29.Mar.2011
<6>eth0: FE MAC Ethernet address: F8:8E:85:9C:5E:F4
<4>TSARM: TC3162 ATM SAR driver 1.5 init
<4>
<4>tc3162sar V1.2.0.0 (Apr 2 2013-09:57:16)
<4>register autopvc cmd to sys
<4>TSARM: TC3162 ATM SAR driver 1.5 done
<4>ADSL DMT initialization starting
<4>Begin AdslTaskInit.....
<4>End AdslTaskInit
<4>Begin to request IRQ 20
<4>DMT:Succeed to request IRQ 20
<4>Initializing ADSL F/W 3.20.6.0 ......
<4>Initializing ADSL F/W ........ done
<4>ADSL HW version: b2, HCLK 166
<4>largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
<4>SRAON
<4>up right away
<4>
<4>tcsmux version: tcsmux V1.1.0.0 (Mar 5 2012-08:25:29).
<4>
<4>tcportbind version: tcportbind V1.1.0.0 (Mar 5 2012-08:25:32).
<4>vlantag_drv_init
<4>the number of cfg node is 68
<4>portbind_init
<4>autopvc_init
<4>logAccess_init LanguageSwitch_init vendorCfgFile_init The number of cache node is 5
<4>WPSActiveStatus = NULL
<4>WPSOOBActive = NULL
<4>ReCounterActive = NULL
<4>WPSGenPinCode = NULL
<4>sslca_write:get Frag Number failed!
<4>The attribute is not in wifiMACTab
<4>
<4>lanHost_read: Create node LanHost !
<4>The remaining IMEM space cannot accommodate section .text.imem !!
<4>Remaining IMEM space: -2280 bytes	Section Size: 728 bytes
<4>PCI: Enabling device 0000:01:00.0 (0000 -> 0002)
<7>PCI: Setting latency timer of device 0000:01:00.0 to 64
<4>Mirror/redirect action on
<5>Ebtables v2.0 registered
<4>igmpsnoop V1.1.0.0 (Mar 5 2012-08:25:26)
<4>
<4>mldsnooping V1.1.0.0 (Mar 5 2012-08:25:28)
<6>eth0: starting interface.
<4>alloc_sram p=bc000800 free=7800
<4>alloc_sram p=bc002800 free=5800
<4>[macInit:2049]Fix eth led for AR-5300
<4>TC2105MJ,
<6>Ralink HW NAT Module Enabled
<6>device eth0 entered promiscuous mode
<4>0x1300 = 00064380
<4>jiffies=ffff9274, POLLING_MODE_DETECT_INTV=300
<6>device ra0 entered promiscuous mode
<6>device ra1 entered promiscuous mode
<6>device ra2 entered promiscuous mode
<6>device ra3 entered promiscuous mode
<4>
<4>Enabling SSL security system
<4>SSL security system enabled
<7>eth0.1: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.1: add 01:00:5e:00:00:01 mcast address to master interface
<7>eth0.2: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.2: add 01:00:5e:00:00:01 mcast address to master interface
<7>eth0.3: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.3: add 01:00:5e:00:00:01 mcast address to master interface
<7>eth0.4: add 33:33:00:00:00:01 mcast address to master interface
<7>eth0.4: add 01:00:5e:00:00:01 mcast address to master interface
<6>device eth0 left promiscuous mode
<6>br0: port 1(eth0) entering disabled state
<4>ANNEXAIJLM
<4>========================insmod iptable_filter=======================
<6>br0: port 9(eth0.4) entering learning state
<6>br0: port 8(eth0.3) entering learning state
<6>br0: port 7(eth0.2) entering learning state
<6>br0: port 6(eth0.1) entering learning state
<6>br0: port 5(ra3) entering learning state
<6>br0: port 4(ra2) entering learning state
<6>br0: port 3(ra1) entering learning state
<6>br0: port 2(ra0) entering learning state
<6>br0: topology change detected, propagating
<6>br0: port 9(eth0.4) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 8(eth0.3) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 7(eth0.2) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 6(eth0.1) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 5(ra3) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 4(ra2) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 3(ra1) entering forwarding state
<6>br0: topology change detected, propagating
<6>br0: port 2(ra0) entering forwarding state
<4>Radvd function activated!
<4>Enter set first loop, IP addr by radvd
<4>dhcp6s parameter activated by exec!
<4>read WLAN driver from rt_device failed,set with default value!
<4>
<4>Enter cwmp boot, we will start tr69 Process
<4>Parental Control: parental_execute Enter.
<4>[discovery:613]ifName=nas2, 88:43:e1:07:56:18:55679
<6>br0: starting userspace STP failed, staring kernel STP
<4>Link State: LAN_1 up.
<4>Failed to ioctl br0:0
<7>nas0: no IPv6 routers present
<4>ThreadedTimerCheck: get last for first time
<4>Failed to ioctl br0:0
<7>nas2: no IPv6 routers present

Bootloader
# cfeversion
1.0-004

Strings extracted from bootloader partition:
# cat /dev/mtd0
BootVer:1.0-004 TrendChip Technologies Corp. ADSL Modem admin 1234 AR-5302

Firmware
# version
T111-73376CAR-C01_R10

Model
# model
AR-5302

Board ID
# boardid
Board ID = AR-5302

Operating system
# uname -a
Linux tc 2.6.22.15 #11 SMP Tue Apr 2 09:57:08 CST 2013 mips unknown

Build
# build
Build Time: Apr 02 2013 10:04:17

Modules
# cat /proc/modules
ipt_REDIRECT 800 2 - Live 0xc0156000
iptable_filter 1024 1 - Live 0xc0150000
hw_nat 50256 0 - Live 0xc018a000 (P)
mldsnooping 5088 0 - Live 0xc0158000
igmpsnoop 12256 0 - Live 0xc015b000
ebtable_nat 1024 1 - Live 0xc014e000
ebtable_broute 832 1 - Live 0xc009d000
ebt_ip6 2496 0 - Live 0xc0083000
ebt_ip 1952 0 - Live 0xc0099000
ebtable_filter 992 0 - Live 0xc0081000
ebtables 19744 5 ebtable_nat,ebtable_broute,ebt_ip6,ebt_ip,ebtable_filter, Live 0xc0075000
sch_prio 3744 2 - Live 0xc0059000
sch_htb 15328 0 - Live 0xc007c000
cls_fw 3392 2 - Live 0xc0057000
act_mirred 2704 2 - Live 0xc0055000
rt5390ap 815936 4 - Live 0xc028a000 (P)
brg_shortcut 4816 0 - Live 0xc002a000 (P)
tcvlantag 10080 0 - Live 0xc0071000
tcportbind 3856 0 - Live 0xc0039000
tcsmux 8912 0 - Live 0xc006d000
tc3162_dmt 820720 0 [permanent], Live 0xc01c0000 (P)
tc3162l2sar 61568 2 - Live 0xc0088000 (P)
raeth 58400 2 tc3162_dmt,tc3162l2sar, Live 0xc0042000 (P)
crypto_k 28000 0 - Live 0xc0031000 (P)
tccicmd 67232 4 rt5390ap,tc3162_dmt,tc3162l2sar,raeth, Live 0xc005b000 (P)
tcledctrl 20736 4 rt5390ap,tc3162l2sar,raeth,tccicmd, Live 0xc003b000 (P)
tcfullcone 2160 0 - Live 0xc002f000
module_sel 1312 4 rt5390ap,tcvlantag,tcportbind,tcsmux, Live 0xc002d000 (P)

MTD's
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00010000 00010000 "bootloader"
mtd1: 00010000 00010000 "romfile"
mtd2: 000e4c6f 00010000 "kernel"
mtd3: 003c2000 00010000 "rootfs"
mtd4: 007a0000 00010000 "tclinux"
mtd5: 00040000 00010000 "reservearea"
mtd6: 00800000 00010000 "total_flash"

Filesystems
# cat /proc/filesystems
nodev	rootfs
nodev	bdev
nodev	proc
nodev	sockfs
nodev	pipefs
nodev	anon_inodefs
nodev	futexfs
nodev	tmpfs
nodev	devpts
	squashfs
nodev	ramfs

Mounts
# cat /proc/mounts
rootfs / rootfs rw 0 0
/dev/root / squashfs ro 0 0
proc /proc proc rw 0 0
ramfs /tmp ramfs rw 0 0
devpts /dev/pts devpts rw 0 0

IOmem
# cat /proc/iomem
00000000-01ffffff : System RAM
  00020000-002688e7 : Kernel code
  002688e8-002bf19f : Kernel data
1fba0000-1fbaffff : rt3xxx-ohci
1fbb0000-1fbbffff : rt3xxx-ehci
20000000-2fffffff : pcie memory space
  20000000-200fffff : PCI Bus #01
    20000000-2000ffff : 0000:01:00.0
      20000000-2000ffff : 0000:01:00.0

IOports
# cat /proc/ioports
1f600000-1f61ffff : pcie IO space

CPU's
# cat /proc/cpuinfo
system type		: Ralink RT63365 SOC
processor		: 0
cpu model		: MIPS 34K V5.5
BogoMIPS		: 332.59
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
VCED exceptions		: not available
VCEI exceptions		: not available
unaligned accesses	: 227088

processor		: 1
cpu model		: MIPS 34K V5.5
BogoMIPS		: 249.85
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
VCED exceptions		: not available
VCEI exceptions		: not available
unaligned accesses	: 227088

processor		: 2
cpu model		: MIPS 34K V5.5
BogoMIPS		: 249.85
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
VCED exceptions		: not available
VCEI exceptions		: not available
unaligned accesses	: 227088

processor		: 3
cpu model		: MIPS 34K V5.5
BogoMIPS		: 249.03
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 64
extra interrupt vector	: yes
hardware watchpoint	: yes
ASEs implemented	: mips16 dsp mt
shadow register sets	: 1
VCED exceptions		: not available
VCEI exceptions		: not available
unaligned accesses	: 227088

Interrupts
# cat /proc/interrupts
          CPU0       CPU1       CPU2       CPU3
  1:      4717      10601       1043          0            MIPS  TC3162 UART
  9:        84         11        546       1158            MIPS  SMTC_IPI
 10:         0          0          0          0            MIPS  watchdog
 14:         0          0          0          0            MIPS  performance
 20:   1259488    1817925      92279          0            MIPS  dmt20
 22:         0          0          0       2632            MIPS  eth0
 23:         0          0          0          0            MIPS  TSARM
 25:     23156      34192       1825          0            MIPS  ra0
 29:         0          0          0          0            MIPS  safenet-vdriver-eip93
 31:    204088      41065       6946     251974            MIPS  timer
 33:         0          0          0          0            MIPS  bus timeout

ERR:         0

LAN MAC
# mac
MAC Addr: F8:8E:85:9C:5E:F4

Netstat
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address         State
tcp       0      0 *:5555                  *:*                     LISTEN
tcp       0      0 *:domain                *:*                     LISTEN
tcp       0      0 *:ssh                   *:*                     LISTEN
tcp       0      0 *:7547                  *:*                     LISTEN
tcp       0      0 192.168.1.1:ssh         192.168.1.2:58897       ESTABLISHED
tcp       0      0 *:http                  *:*                     LISTEN
tcp       0      0 *:ftp                   *:*                     LISTEN
tcp       0      0 *:domain                *:*                     LISTEN
tcp       0      0 *:telnet                *:*                     LISTEN
tcp       0      0 *:https                 *:*                     LISTEN
udp       0      0 *:sd                    *:*
udp       0      0 *:domain                *:*
udp       0      0 *:bootps                *:*
udp       0      0 *:1900                  *:*
udp       0      0 *:32768                 *:*
udp       0      0 *:dhcpv6-server         *:*
udp       0      0 *:domain                *:*
udp       0      0 *:tftp                  *:*
raw       0      0 *:58                    *:*                     0
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags      Type       State         I-Node Path
unix 2      [ ACC ]     STREAM     LISTENING     523    /tmp/tcapi_sock
unix 2      [ ]         DGRAM                    2107
unix 3      [ ]         STREAM     CONNECTED     2089
unix 3      [ ]         STREAM     CONNECTED     2088
unix 2      [ ]         STREAM     CONNECTED     1288
unix 2      [ ]         STREAM     CONNECTED     1284   /tmp/tcapi_sock

Portscan (from Internet)
$ nmap -sS xx.xx.xx.xx
Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-07 19:04 CDT
Nmap scan report for xx.xx.xx.xx
Host is up (0.44s latency).
Not shown: 985 closed ports
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   filtered http
113/tcp  filtered ident
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
443/tcp  open     https
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
5555/tcp open     freeciv

Nmap done: 1 IP address (1 host up) scanned in 32.65 seconds

Stimulating port 5555 (from Internet)
$ nc xx.xx.xx.xx 5555
get

HTTP/1.1 405 Method Not Allowed
Allow: GET, HEAD, POST, PUT
Content-Length: 0
Server: RomPager/4.07 UPnP/1.0

See Wikipedia: Universal Plug and Play, section "Access from the Internet", and Full Disclosure: RomPager/4.07 UPnP/1.0. Issue: A reboot can be caused when a special crafted http request is sent (http://seclists.org/fulldisclosure/2010/Dec/113).
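The netstat and portscan listings above can be cross-checked mechanically. The following is an added example, not part of the original page: it finds the login and management services bound to every interface and attaches the state the Internet-side scan reported for each. The sample data are excerpts of the two listings above with whitespace condensed; the function names are made up for this example.

```python
import re

# Service names as this router's netstat printed them -> port number.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "domain": 53,
                 "tftp": 69, "http": 80, "https": 443}
# Login and management surfaces named on this page. 7547 is the standard
# TR-069 (CWMP) connection-request port; 5555 answered as RomPager above.
MANAGEMENT = {21: "ftp", 22: "ssh", 23: "telnet", 69: "tftp", 80: "http",
              443: "https", 5555: "RomPager UPnP", 7547: "TR-069"}

# Excerpts of the netstat -a and nmap output shown on this page.
NETSTAT = """\
tcp 0 0 *:5555 *:* LISTEN
tcp 0 0 *:domain *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:7547 *:* LISTEN
tcp 0 0 192.168.1.1:ssh 192.168.1.2:58897 ESTABLISHED
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:https *:* LISTEN
udp 0 0 *:domain *:*
udp 0 0 *:1900 *:*
udp 0 0 *:tftp *:*
"""
NMAP = """\
21/tcp filtered ftp
22/tcp filtered ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp filtered http
443/tcp open https
5555/tcp open freeciv
"""

def wildcard_listeners(netstat_text):
    """Return {(proto, port)} for sockets bound to every interface ('*:')."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue
        if f[0] == "tcp" and f[-1] != "LISTEN":
            continue  # established sessions are not listeners
        host, _, service = f[3].rpartition(":")
        if host != "*":
            continue
        # Unknown service names are kept as text rather than dropped.
        port = int(service) if service.isdigit() else SERVICE_PORTS.get(service, service)
        found.add((f[0], port))
    return found

def wan_states(nmap_text):
    """Map (proto, port) -> state from nmap's 'PORT STATE SERVICE' rows."""
    rows = re.finditer(r"^(\d+)/(tcp|udp)\s+(\S+)", nmap_text, re.M)
    return {(m.group(2), int(m.group(1))): m.group(3) for m in rows}

def exposure_report(netstat_text, nmap_text):
    """List management listeners with the state an Internet-side scan saw."""
    wan = wan_states(nmap_text)
    hits = [(proto, port) for proto, port in wildcard_listeners(netstat_text)
            if port in MANAGEMENT]
    return [(proto, port, MANAGEMENT[port], wan.get((proto, port), "not reported"))
            for proto, port in sorted(hits)]

if __name__ == "__main__":
    for row in exposure_report(NETSTAT, NMAP):
        print("%s/%-5s %-14s WAN: %s" % row)
```

"not reported" means the port was absent from the scan listing, so its WAN state has to be checked separately (the scan above was TCP only).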

Processes
# ps
  PID Uid     VmSize Stat Command
    1 admin      452 S   init
    2 admin          SW< [kthreadd]
    3 admin          SW< [migration/0]
    4 admin          SWN [ksoftirqd/0]
    5 admin          SW< [migration/1]
    6 admin          SWN [ksoftirqd/1]
    7 admin          SW< [migration/2]
    8 admin          SWN [ksoftirqd/2]
    9 admin          SW< [migration/3]
   10 admin          SWN [ksoftirqd/3]
   11 admin          SW< [events/0]
   12 admin          SW< [events/1]
   13 admin          SW< [events/2]
   14 admin          SW< [events/3]
   15 admin          SW< [khelper]
   16 admin          SW< [kblockd/0]
   17 admin          SW< [kblockd/1]
   18 admin          SW< [kblockd/2]
   19 admin          SW< [kblockd/3]
   20 admin          SW  [pdflush]
   21 admin          SW  [pdflush]
   22 admin          SW< [kswapd0]
   23 admin          SW< [aio/0]
   24 admin          SW< [aio/1]
   25 admin          SW< [aio/2]
   26 admin          SW< [aio/3]
   27 admin          SW< [mtdblockd]
   94 admin          SW< [dmtd]
  144 admin     1300 S   /userfs/bin/cfg_manager
  146 admin     1300 S   /userfs/bin/cfg_manager
  147 admin     1300 S   /userfs/bin/cfg_manager
  318 admin          SW  [RtmpCmdQTask]
  319 admin          SW  [RtmpWscTask]
  368 admin      216 S   tcwdog -t 1 /dev/watchdog
  372 admin      144 S   utelnetd -l /bin/login -d
  379 admin      676 S   /userfs/bin/boa -c /boaroot -d
  677 admin      304 S   br2684ctl -c 0 -e 0 -t ubr -p 0 -a 0.0.32
  691 admin      632 S   pppd unit 0 user claro password claro nodetach holdoff 4 maxfail 0 usepeerdns lcp-echo-interval 30 lcp-echo-failure 3 plugin libpppoe.so nas0 defaultroute noipdefault persist mtu 1492 mru 1492
  787 admin      304 S   br2684ctl -c 2 -e 0 -t ubr -p 0 -a 0.0.45
  801 admin      636 S   pppd unit 2 user claro password claro nodetach holdoff 4 maxfail 0 usepeerdns lcp-echo-interval 30 lcp-echo-failure 3 plugin libpppoe.so nas2 defaultroute noipdefault persist mtu 1492 mru 1492
 1007 admin      440 S   /userfs/bin/radvd -C /etc/radvd.conf -p /var/run/radvd.pid
 1015 admin      452 S   /userfs/bin/dhcp6s -c /etc/dhcp6s.conf br0 -p /var/run/dhcp6s.pid
 1039 admin      420 S   /usr/sbin/udhcpd
 1049 admin      424 S   /userfs/bin/dnsmasq
 1053 admin     1224 S   /userfs/bin/tr69
 1235 admin      312 S   /userfs/bin/inetd
 1248 admin      504 S   /userfs/bin/siproxd --config /etc/alg/siproxd.conf
 1249 admin      504 S   /userfs/bin/siproxd --config /etc/alg/siproxd.conf
 1250 admin      180 R   /userfs/bin/tftpd
 1251 admin      504 S   /userfs/bin/siproxd --config /etc/alg/siproxd.conf
 1256 admin     1224 S   /userfs/bin/tr69
 1257 admin     1224 S   /userfs/bin/tr69
 1279 admin      332 S   init
 1508 admin      616 R   /userfs/bin/dropbear -i
 1513 admin      492 R   -sh

DNSmasq
# dnsmasq --version
Dnsmasq version 2.52 Copyright (c) 2000-2010 Simon Kelley
Compile time options IPv6 GNU-getopt no-RTC no-DBus no-I18N no-DHCP no-TFTP

Dropbear
# dropbear -v
Unknown argument -v
Dropbear sshd v0.52

EBtables
# ebtables --version
ebtables v2.0.8-2 (May 2007)

Wireless access
In the following description XXXXXX stands for the last 3 octets (in upper case) of the LAN MAC (e.g. LAN MAC=F8:8E:85:9C:5E:F4 --> XXXXXX=9C5EF4). The WLAN MAC is +1 (e.g. F8:8E:85:9C:5E:F5). The WAN MAC is +2 (e.g. F8:8E:85:9C:5E:F6).


 * Default SSID: TURBONETT_XXXXXX (e.g. TURBONETT_9C5EF4)
 * Default WEP key: Made of last 5 octets (in uppercase) of LAN MAC. Can be easily constructed as OUI is always F8:8E:85 (e.g. WEP key=8E859C5EF4).

The router supports 4 WLANs in total. By default SSID2-4 are hidden but active (see screenshots), and can be identified by a specific OUI. SSID2-4 credentials are rarely changed by users, and wireless access is gained easily as defaults are straightforward!

WLAN2
 * Default SSID: TURBONETT_XXXXXX-1 (e.g. TURBONETT_9C5EF4-1)
 * Default WPA/WPA2 passphrase: 1234567890
 * OUI: FA:8E:85

WLAN3
 * Default SSID: TURBONETT_XXXXXX-2 (e.g. TURBONETT_9C5EF4-2)
 * Default WPA/WPA2 passphrase: 1234567890
 * OUI: FE:8E:85

WLAN4
 * Default SSID: TURBONETT_XXXXXX-3 (e.g. TURBONETT_9C5EF4-3)
 * Default WPA/WPA2 passphrase: 1234567890
 * OUI: 02:8E:85

Router login
Login to the ET-5300 is possible using the following protocols.


 * Web interface: http and https (invalid certificate)
 * Console login: telnet and ssh
 * File transfer: tftp and ftp (root directory is /var/tmp)

Many routers distributed by the Claro company use a standard default login, and the ET-5300 is no exception.


 * Default username: admin
 * Default password: c1@r0

The ET-5300 supports 3 login names in total, but only the password for login1 (admin) can be changed in the web interface. The following credentials for login2 and login3 are taken from the romfile.cfg; login3 works for the web interface (on a subset of functionality) and console ssh login!

Login2
 * Username: qwertyuiop
 * Password: 1234567890

Login3
 * Username: user3
 * Password: 1234567890

(P.S. The Sitecom WLM-3500 is affected by the same backdoor accounts. Another candidate might be the Aztech DSL5001EN.)

Romfile
The router's configuration can be saved to the XML-formatted romfile.cfg (web interface: Maintenance >> Firmware >> Configuration Backup, or simply http://192.168.1.1/romfile.cfg). Editing and then restoring the romfile.cfg offers extended configuration possibilities. Here are some ideas...

Login Credentials
As described above, login2 and login3 have some impractical usernames and passwords. This can be corrected by modifying the parameters of Entry1 and Entry2 (think of better passwords than in this example). The new credentials do work for the web interface and console ssh logins!

file
$ tftp 192.168.1.1
tftp> put file
Sent 6 bytes in 13.9 seconds

$ ftp 192.168.1.1
220 bftpd 2.2 at 192.168.1.1 ready.
Name (192.168.1.1:xxx): admin
331 Password please.
Password: *****
230 User logged in.
ftp> put file
local: file remote: file
200 PORT 192.168.1.100:44443 OK
150 BINARY data connection established.
The firmware is illegal!!
6 bytes sent in 0.00 secs (1813.6 kB/s)

Uploading a modified romfile.cfg via tftp allows arbitrary login. The "Sent NNNNN bytes in NN seconds" message should appear, otherwise the romfile was not accepted (although the router reboots).

put romfile.cfg
Sent 29121 bytes in 13.5 seconds
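To check a saved romfile.cfg backup for the defaults listed under Wireless access and Router login, an owner can scan it for those values. The following is an added example, not part of the original page: the sample backup is constructed, Entry1 and Entry2 are the only node names taken from the page, and every other element and attribute name is an assumption. The scan matches on attribute values, so it does not depend on those names.

```python
import xml.etree.ElementTree as ET

# Defaults documented on this page.
DEFAULT_SECRETS = {
    "c1@r0": "default admin password",
    "1234567890": "default login2/login3 password or WLAN2-4 passphrase",
}
DEFAULT_USERS = {
    "qwertyuiop": "login2 account still present under its default name",
    "user3": "login3 account still present under its default name",
}

# Constructed sample backup. Entry1/Entry2 are named on the page; all other
# element and attribute names are assumptions made for illustration.
SAMPLE_ROMFILE = """\
<ROMFILE>
  <Account>
    <Entry0 username="admin" web_passwd="S3cure-Changed" />
    <Entry1 username="qwertyuiop" web_passwd="1234567890" />
    <Entry2 username="user3" web_passwd="1234567890" />
  </Account>
  <WLan>
    <Entry0 SSID="TURBONETT_9C5EF4" Key1Str="8E859C5EF4" />
    <Entry1 SSID="TURBONETT_9C5EF4-1" WPAPSK="1234567890" HideSSID="1" />
  </WLan>
</ROMFILE>
"""

def mac_octets(lan_mac):
    """Split a MAC such as F8:8E:85:9C:5E:F4 into six upper-case octets."""
    octets = lan_mac.upper().replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError("expected a MAC like F8:8E:85:9C:5E:F4")
    return octets

def mac_derived_defaults(lan_mac):
    """Values the page says follow from the unit's own LAN MAC."""
    o = mac_octets(lan_mac)
    base = "TURBONETT_" + "".join(o[3:])
    derived = {"".join(o[1:]): "WEP key is the MAC-derived default"}
    for suffix in ("", "-1", "-2", "-3"):
        derived[base + suffix] = "SSID is the MAC-derived default"
    return derived

def audit_romfile(xml_text, lan_mac):
    """Return (element path, attribute, reason) for every default still set."""
    known = {**DEFAULT_SECRETS, **DEFAULT_USERS, **mac_derived_defaults(lan_mac)}
    findings = []

    def walk(elem, path):
        here = path + "/" + elem.tag
        for name, value in elem.attrib.items():
            # WEP keys are hex digits, so also try the upper-case form.
            reason = known.get(value) or known.get(value.upper())
            if reason:
                findings.append((here, name, reason))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

if __name__ == "__main__":
    for path, attr, reason in audit_romfile(SAMPLE_ROMFILE, "F8:8E:85:9C:5E:F4"):
        print("%s @%s: %s" % (path, attr, reason))
```

An empty result means none of the defaults named on this page remain in the backup.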