Eltel ET-5300

Overview
This router is distributed by Claro in large numbers. It is manufactured by Comtrend, according to the IEEE Standards MA-L database.

Links of Interest
 * Product page
 * Datasheet
 * User Manual of similar Upvel UR-314AN (TrendChip firmware)

Components
 * EM6AA160TSB-5G datasheet
 * MX25L6406E datasheet

Pictures
User Zerohero Images 

Board, headers, etc
The board layout is somewhat similar to Upvel UR-314AN, Upvel UR-354AN4G (with USB), Huawei HG532s, ZTE ZXHN H108L, and Edimax AR-7186. Silk screen says E241819 50XX13-350.
 * J521 is likely the serial interface.
 * The circuit board is prepared for a USB connector (J500). This needs an additional 5V regulator (U601).

Wireless access
In the following description, XXXXXX stands for the last 3 octets (in upper case) of the LAN MAC (e.g. LAN MAC=F8:8E:85:9C:5E:F4 --> XXXXXX=9C5EF4). The WLAN MAC is +1 (e.g. F8:8E:85:9C:5E:F5). The WAN MAC is +2 (e.g. F8:8E:85:9C:5E:F6).


 * Default SSID: TURBONETT_XXXXXX (e.g. TURBONETT_9C5EF4)
 * Default WEP key: Made of last 5 octets (in uppercase) of LAN MAC. Can be easily constructed as OUI is always F8:8E:85 (e.g. WEP key=8E859C5EF4).

The router supports 4 WLANs in total. By default SSID2-4 are hidden but active (see screenshots), and can be identified by a specific OUI. SSID2-4 credentials are rarely changed by users, and wireless access is gained easily as the defaults are straightforward!

WLAN2
 * Default SSID: TURBONETT_XXXXXX-1 (e.g. TURBONETT_9C5EF4-1)
 * Default WPA/WPA2 passphrase: 1234567890
 * OUI: FA:8E:85

WLAN3
 * Default SSID: TURBONETT_XXXXXX-2 (e.g. TURBONETT_9C5EF4-2)
 * Default WPA/WPA2 passphrase: 1234567890
 * OUI: FE:8E:85

WLAN4
 * Default SSID: TURBONETT_XXXXXX-3 (e.g. TURBONETT_9C5EF4-3)
 * Default WPA/WPA2 passphrase: 1234567890
 * OUI: 02:8E:85
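
An added example (not part of the original page or of any vendor tool): a Python check that derives the factory wireless defaults described above from the LAN MAC and reports which enabled WLANs on your own router still use them. The function names and the layout of the settings dictionary are assumptions made for illustration, and the sample settings are constructed.

```python
import re

# Factory defaults as listed on this page.
HIDDEN_OUIS = {2: "FA:8E:85", 3: "FE:8E:85", 4: "02:8E:85"}  # WLAN2-4
DEFAULT_PSK = "1234567890"

def mac_digits(mac):
    """Return the 12 upper-case hex digits of a MAC written with ':' or '-'."""
    digits = re.sub(r"[:-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mac_plus(digits, offset):
    """Add offset to a MAC (carrying across octets) and format it."""
    value = f"{(int(digits, 16) + offset) % (1 << 48):012X}"
    return ":".join(value[i:i + 2] for i in range(0, 12, 2))

def factory_defaults(lan_mac):
    digits = mac_digits(lan_mac)
    tail = digits[6:]  # last 3 octets of the LAN MAC, used in every SSID
    nets = {1: {"ssid": f"TURBONETT_{tail}", "key": digits[2:]}}  # WEP key
    for idx, oui in HIDDEN_OUIS.items():
        nets[idx] = {"ssid": f"TURBONETT_{tail}-{idx - 1}",
                     "key": DEFAULT_PSK, "oui": oui}
    macs = {"wlan_mac": mac_plus(digits, 1), "wan_mac": mac_plus(digits, 2)}
    return {**macs, "nets": nets}

def audit(lan_mac, configured):
    """Return (wlan index, finding) pairs for enabled WLANs left at defaults."""
    defaults = factory_defaults(lan_mac)["nets"]
    findings = []
    for idx, net in sorted(configured.items()):
        if not net.get("enabled", True):
            continue  # a disabled WLAN is not reachable over the air
        if net["ssid"] == defaults[idx]["ssid"]:
            findings.append((idx, "default SSID"))
        if net["key"].upper() == defaults[idx]["key"]:
            findings.append((idx, "default key"))
    return findings

# Constructed sample: WLAN1 reconfigured, WLAN2 untouched, WLAN3 disabled.
SAMPLE = {
    1: {"ssid": "HomeNet", "key": "correct horse battery"},
    2: {"ssid": "TURBONETT_9C5EF4-1", "key": "1234567890"},
    3: {"ssid": "TURBONETT_9C5EF4-2", "key": "1234567890", "enabled": False},
}
if __name__ == "__main__":
    print(audit("F8:8E:85:9C:5E:F4", SAMPLE))
```

Any WLAN reported here should be given a new key or disabled; the hidden WLAN2-4 are the ones most often overlooked.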

Router login
Login to the ET-5300 is possible using the following protocols.


 * Web interface: http and https (invalid certificate)
 * Console login: telnet and ssh
 * File transfer: tftp and ftp (root directory is /var/tmp)

Many routers distributed by the Claro company use a standard default login, and the ET-5300 is no exception.


 * Default username: admin
 * Default password: c1@r0

The ET-5300 supports 3 login names in total, but only the password for login1 (admin) can be changed in the web interface.
 * The following credentials for login2 and login3 are taken from the romfile.cfg.
 * login3 works for the web interface (on a subset of functionality) and console ssh login!

Login2
 * Username: qwertyuiop
 * Password: 1234567890

Login3
 * Username: user3
 * Password: 1234567890

(P.S. The Sitecom WLM-3500 is affected by the same backdoor accounts. Another candidate might be the Aztech DSL5001EN.)

Romfile
The router's configuration can be saved to the XML formatted romfile.cfg (web interface: Maintenance >> Firmware >> Configuration Backup or simply http://192.168.1.1/romfile.cfg). Editing and then restoring the romfile.cfg offers extended configuration possibilities. Here are some ideas...

Login Credentials
As described above, login2 and login3 have some impractical usernames and passwords. This can be corrected by modifying the parameters of Entry1 and Entry2 (think of better passwords than in this example). The new credentials do work for the web interface and console ssh logins!

 file
 $ tftp 192.168.1.1
 tftp> put file
 Sent 6 bytes in 13.9 seconds

 $ ftp 192.168.1.1
 220 bftpd 2.2 at 192.168.1.1 ready.
 Name (192.168.1.1:xxx): admin
 331 Password please.
 Password: *****
 230 User logged in.
 ftp> put file
 local: file remote: file
 200 PORT 192.168.1.100:44443 OK
 150 BINARY data connection established.
 The firmware is illegal!!
 6 bytes sent in 0.00 secs (1813.6 kB/s)

Uploading a modified romfile.cfg via tftp allows arbitrary login. The "Sent NNNNN bytes in NN seconds" message should appear; otherwise the romfile was not accepted (although the router reboots).

 put romfile.cfg
 Sent 29121 bytes in 13.5 seconds