Home Networking Ditch ONU, use GPON SFP on Business Grade Router, 2.5G ONU for Unifi & Maxis, NO NEED VLAN
|
|
 Sep 24 2020, 08:59 PM
|
 
Senior Member
1,418 posts Joined: Jul 2015 
|
QUOTE(Anime4000 @ Sep 24 2020, 08:55 PM) I tried run nmap scan, none https://github.com/JackDoan/TP-Link-ArcherC5-RCE router backup config is encrypted, cannot see inside, unless I extract router flash and binwalk it, find shadow file and run password crack?  looks useful! worth a shot |
|
|
|
|
|
Sep 24 2020, 10:14 PM
Show posts by this member only | IPv6 | Post
#122
|
Senior Member
2,399 posts Joined: Jul 2009 From: /dev/null 
|
QUOTE(miloaisdino @ Sep 24 2020, 08:59 PM) it works half way, some can be read
|
|
|
Sep 24 2020, 11:25 PM
Show posts by this member only | IPv6 | Post
#123
|
Newbie
16 posts Joined: Aug 2006 From: bendang, paya, selut, parit, etc.
|
QUOTE(Anime4000 @ Sep 24 2020, 08:55 PM) I tried run nmap scan, none USB dongle connected to PC or router?» Click to show Spoiler - click again to hide... « QUOTE(Anime4000 @ Sep 24 2020, 10:14 PM) it works half way, some can be read Try with this https://github.com/sta-c0000/tpconf_bin_xml
|
|
|
Sep 24 2020, 11:30 PM
|
|
Senior Member
1,418 posts Joined: Jul 2015
|
QUOTE(Anime4000 @ Sep 24 2020, 10:14 PM) it works half way, some can be read now thats some weird encoding :/
anyways the config looks like the "TR069 xml IGD style" of config, probably because customised for maxis This post has been edited by miloaisdino: Sep 24 2020, 11:30 PM |
|
|
Sep 25 2020, 12:53 AM
Show posts by this member only | IPv6 | Post
#125
|
|
Senior Member
2,399 posts Joined: Jul 2009 From: /dev/null
|
QUOTE(pacat @ Sep 24 2020, 11:25 PM) USB dongle connected to PC or router? plug directly, so I it can print randomized device MAC AddressQUOTE(miloaisdino @ Sep 24 2020, 11:30 PM) now thats some weird encoding :/ it appear XML type.anyways the config looks like the "TR069 xml IGD style" of config, probably because customised for maxis QUOTE(pacat @ Sep 24 2020, 11:25 PM) I trying in my Linux Box:
It works!!! I love you pcat miloaisdin!!! XD I found something inside XML: CODE <User instance=2 > <Level val=2 /> <Username val=MaxSysAdm /> <Password val=Ng88Mxs@2019! /> <Allowed_LA_Protocols val=HTTP,HTTPS /> </User> Login with "administrator" & "SN" as password: 
admin Login with "MaxSysAdm" & "Ng88Mxs@2019!" as password: 
root With root, now can set "Full Cone NAT" for Xbox and PlayStation! no need UPNP or Port Forward, since automatic incoming 1:1 NAT 
I made a quick guide here: https://hitoha.ga/hack-stock-maxis-router-t...ink-archer-c5v/ Since I have extra Archer C5v, I going to sacrifice this for Research! I going to share conf.xml file while 4G Dongle attached! |
|
|
Sep 25 2020, 01:18 AM
|
|
Senior Member
1,418 posts Joined: Jul 2015
|
QUOTE(Anime4000 @ Sep 25 2020, 12:53 AM) plug directly, so I it can print randomized device MAC Address wow nice that fullcone works. but ive seen routers that dont support hw nat when fullcone is enabled, might have performance penalty for faster connections,wonder if tplink is liddatit appear XML type. I trying in my Linux Box:
It works!!! I love you pcat miloaisdin!!! XD I found something inside XML: CODE <User instance=2 > <Level val=2 /> <Username val=MaxSysAdm /> <Password val=Ng88Mxs@2019! /> <Allowed_LA_Protocols val=HTTP,HTTPS /> </User> Login with "administrator" & "SN" as password:
admin Login with "MaxSysAdm" & "Ng88Mxs@2019!" as password:
root With root, now can set "Full Cone NAT" for Xbox and PlayStation! no need UPNP or Port Forward, since automatic incoming 1:1 NAT
I made a quick guide here: https://hitoha.ga/hack-stock-maxis-router-t...ink-archer-c5v/ Since I have extra Archer C5v, I going to sacrifice this for Research! I going to share conf.xml file while 4G Dongle attached! and the packet capture filename that u blurred, was that yr mac address? quite disturbing if the router is made to silently packet capture traffic for no reason... This post has been edited by miloaisdino: Sep 25 2020, 01:23 AM |
|
|
|
|
|
Sep 25 2020, 01:23 AM
Show posts by this member only | IPv6 | Post
#127
|
|
Senior Member
2,399 posts Joined: Jul 2009 From: /dev/null
|
QUOTE(miloaisdino @ Sep 25 2020, 01:18 AM) wow nice that fullcone works. but ive seen routers that dont support hw nat when fullcone is enabled, might have performance penalty for faster connections,wonder if tplink is liddat during UART Serial sessions, I notice this router have 4 core @ 900MHz CPU |
|
|
Sep 25 2020, 01:28 AM
|
|
Senior Member
1,418 posts Joined: Jul 2015
|
QUOTE(Anime4000 @ Sep 25 2020, 01:23 AM) during UART Serial sessions, I notice this router have 4 core @ 900MHz CPU i suspect its actually dual core (2 physical core) but presented as 4 logical core in linux (not 100% sure), anyway most regular ac routers max out at about 700+ mbps without hw nat, should not be an issue unless >800mbps package!edit: good to disable tr069 and vlan 821 in case maxis releases a fw update to change the password and hash the password entry in the config file!! This post has been edited by miloaisdino: Sep 25 2020, 01:31 AM |
|
|
Sep 25 2020, 02:19 AM
Show posts by this member only | IPv6 | Post
#129
|
|
Senior Member
2,399 posts Joined: Jul 2009 From: /dev/null
|
QUOTE(miloaisdino @ Sep 25 2020, 01:28 AM) i suspect its actually dual core (2 physical core) but presented as 4 logical core in linux (not 100% sure), anyway most regular ac routers max out at about 700+ mbps without hw nat, should not be an issue unless >800mbps package! I simply disable vlan821 bridge on Mikrotik~edit: good to disable tr069 and vlan 821 in case maxis releases a fw update to change the password and hash the password entry in the config file!! here conf.xml, log.txt and putty.log dump https://gist.github.com/Anime4000/38db42c2e...a7792005420262d I notice something this section: » Click to show Spoiler - click again to hide... « Especially: » Click to show Spoiler - click again to hide... « it is possible 4G Dongle reject traffic that not come from a hostname? possible to replicate this in Mikrotik without change Mikrotik hostname, just unique hostname to USB 4G |
|
|
Sep 25 2020, 04:07 AM
Show posts by this member only | IPv6 | Post
#130
|
|
Newbie
16 posts Joined: Aug 2006 From: bendang, paya, selut, parit, etc.
|
QUOTE(Anime4000 @ Sep 25 2020, 02:19 AM) it is possible 4G Dongle reject traffic that not come from a hostname? Try these commandspossible to replicate this in Mikrotik without change Mikrotik hostname, just unique hostname to USB 4G CODE /ip dhcp-client option add name=lte_hostname code=12 value="'Maxis_Archer_C5v'" /ip dhcp-client set dhcp-options=lte_hostname,clientid [find interface=lte1] /ip dhcp-client release [find interface=lte1] /ip dhcp-client renew [find interface=lte1] |
|
|
Sep 25 2020, 04:32 AM
Show posts by this member only | IPv6 | Post
#131
|
|
Newbie
16 posts Joined: Aug 2006 From: bendang, paya, selut, parit, etc.
|
https://gist.github.com/Anime4000/38db42c2e...-conf-xml-L2291
Take note remote syslog to their server was enabled. |
|
|
Sep 25 2020, 10:09 AM
|
|
Senior Member
1,418 posts Joined: Jul 2015
|
QUOTE(Anime4000 @ Sep 25 2020, 02:19 AM) I simply disable vlan821 bridge on Mikrotik~ <ExternalIPAddress val=192.168.0.144 /> i was looking at this.. could this be static ip on mikrotik side required for lte to work?!here conf.xml, log.txt and putty.log dump https://gist.github.com/Anime4000/38db42c2e...a7792005420262d I notice something this section: » Click to show Spoiler - click again to hide... « Especially: » Click to show Spoiler - click again to hide... « it is possible 4G Dongle reject traffic that not come from a hostname? possible to replicate this in Mikrotik without change Mikrotik hostname, just unique hostname to USB 4G <APN val=internet /> must apn manually be set to "internet"? DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0 (from D8:0D:17:BB:00:00 to FF:FF:FF:FF:FF:FF) zte should assign ip 144 if this mac address is set on mikrotik somehow This post has been edited by miloaisdino: Sep 25 2020, 10:26 AM |
|
|
Sep 25 2020, 10:51 AM
Show posts by this member only | IPv6 | Post
#133
|
|
Senior Member
2,399 posts Joined: Jul 2009 From: /dev/null
|
QUOTE(pacat @ Sep 25 2020, 04:32 AM) https://gist.github.com/Anime4000/38db42c2e...-conf-xml-L2291 My TP-Link now served as VoIP Gateway, and VLAN 822 get bridgedTake note remote syslog to their server was enabled. QUOTE(miloaisdino @ Sep 25 2020, 10:09 AM) <ExternalIPAddress val=192.168.0.144 /> i was looking at this.. could this be static ip on mikrotik side required for lte to work?! To be safe:<APN val=internet /> must apn manually be set to "internet"? DHCPC: Send DISCOVER with request ip 0.0.0.0 and unicast flag 0 (from D8:0D:17:BB:00:00 to FF:FF:FF:FF:FF:FF) zte should assign ip 144 if this mac address is set on mikrotik somehow » Click to show Spoiler - click again to hide... « I run some test on some laptop: » Click to show Spoiler - click again to hide... « Now I know why  Proceed to Mikrotik LTE USB QUOTE(pacat @ Sep 25 2020, 04:07 AM) Try these commands Finally! Maxis 4G Backup Dongle works on Mikrotik!CODE /ip dhcp-client option add name=lte_hostname code=12 value="'Maxis_Archer_C5v'" /ip dhcp-client set dhcp-options=lte_hostname,clientid [find interface=lte1] /ip dhcp-client release [find interface=lte1] /ip dhcp-client renew [find interface=lte1] 
Now can configure Mikrotik dual WAN fail-over~ |
|
|
|
|
|
Sep 25 2020, 11:04 AM
|
|
Senior Member
1,418 posts Joined: Jul 2015
|
QUOTE(Anime4000 @ Sep 25 2020, 10:51 AM) My TP-Link now served as VoIP Gateway, and VLAN 822 get bridged congrats! dhcp option 12 is really sneaky by maxis To be safe: » Click to show Spoiler - click again to hide... « I run some test on some laptop: » Click to show Spoiler - click again to hide... « Now I know why Proceed to Mikrotik LTE USB Finally! Maxis 4G Backup Dongle works on Mikrotik!
Now can configure Mikrotik dual WAN fail-over~  the speedtest dl 6.53mbps is abit disappointing, maybe external antenna might help  This post has been edited by miloaisdino: Sep 25 2020, 11:08 AM Anime4000 liked this post
|
|
|
Sep 25 2020, 12:32 PM
|
|
Newbie
16 posts Joined: Aug 2006 From: bendang, paya, selut, parit, etc.
|
The dongle nat iptables might be created specifically for that hostname, or created upon successful assignment of an ip with that hostname. Still better than mac address since it can change. Anime4000 liked this post
|
|
|
Sep 25 2020, 01:28 PM
|
|
Senior Member
1,418 posts Joined: Jul 2015
|
btw does voip work over the lte dongle too?
|
|
|
Sep 25 2020, 02:05 PM
Show posts by this member only | IPv6 | Post
#137
|
|
Senior Member
2,399 posts Joined: Jul 2009 From: /dev/null
|
QUOTE(miloaisdino @ Sep 25 2020, 11:04 AM) congrats! dhcp option 12 is really sneaky by maxis this dongle don't have external antenna port, I guess buy long USB cable and put at roof for maximum signal?the speedtest dl 6.53mbps is abit disappointing, maybe external antenna might help QUOTE(pacat @ Sep 25 2020, 12:32 PM) The dongle nat iptables might be created specifically for that hostname, or created upon successful assignment of an ip with that hostname. Still better than mac address since it can change. Yea, many user know 4G dongle locked by MAC Address, CS also said same thing.After we discovered, it limit by hostname, this dongle can be plugged to any router brand with maxis stuff. QUOTE(miloaisdino @ Sep 25 2020, 01:28 PM) btw does voip work over the lte dongle too? By default, VoIP router will choose 4G if fiber down.I tested, VoIP router also work with fiber, as long VoIP have internet access. Can be override for VoIP use VLAN 822 by login as MaxSysAdm |
|
|
Sep 25 2020, 05:13 PM
|
|
Senior Member
1,418 posts Joined: Jul 2015
|
QUOTE(Anime4000 @ Sep 25 2020, 02:05 PM) this dongle don't have external antenna port, I guess buy long USB cable and put at roof for maximum signal? just realised no external port haha, i always assumed these dongles had that hidden side port.. roof sounds like a gd idea!Yea, many user know 4G dongle locked by MAC Address, CS also said same thing. After we discovered, it limit by hostname, this dongle can be plugged to any router brand with maxis stuff. By default, VoIP router will choose 4G if fiber down. I tested, VoIP router also work with fiber, as long VoIP have internet access. Can be override for VoIP use VLAN 822 by login as MaxSysAdm |
|
|
Sep 25 2020, 09:10 PM
Show posts by this member only | IPv6 | Post
#139
|
|
Senior Member
2,399 posts Joined: Jul 2009 From: /dev/null
|
pacat miloaisdino
I make a mistake, "gatal tangan" press reset button on ONT 
now I got this speed 😂 this mean, ONT control subscriber speed? This post has been edited by Anime4000: Oct 3 2020, 04:15 PM |
|
|
Sep 25 2020, 10:26 PM
|
|
Senior Member
1,418 posts Joined: Jul 2015
|
QUOTE(Anime4000 @ Sep 25 2020, 09:10 PM) pacat miloaisdino oops. for unifi users i heard (think @soonwai) if the config is cleared (but correct gpon password) the olt will auto reprovision the ont in about 5 mins. not sure abt maxis. this probably needs maxis technician and/or tm to fix onsite :/I make a mistake, "gatal tangan" press reset button on ONT
now I got this speed 😂 [attachmentid=10598074] this mean, ONT control subscriber speed? |
| Change to: |  0.0218sec
 0.47
 6 queries
 GZIP Disabled
Time is now: 9th December 2025 - 12:35 AM |
Quote
