iirc tm doesnt do auth based on gpon sn anymore. as long as the password is correct it should work

This post has been edited by miloaisdino: Jun 25 2020, 03:45 PM

https://blog.csdn.net/zhidc/article/details...Pai2-4.nonecase
Some gpon sticks are actually full fledged onts, even come with web interface. omci might work then

it might.. but some gpon sticks come without user interface with "locked loid and password" so you cant really use it unless someone has access to the olt side for whitelisting.. bummer

It's like some gpon sticks have their passwords locked to 123456780 so the only way is loid/sn auth but we know thats not what tm does.

nice. looking at the ui screenshots from the reviews, it is an unlocked rebranded zte onu stick!
edit: it seems to be quite beefy, with 600mhz cpu and 256mb of ram. heck i wonder if it can hardware nat too!

also i used RED qos algorithm to improve bufferbloat on my mikrotik. needs quite a bit of tuning tho

This post has been edited by miloaisdino: Jun 27 2020, 01:27 AM

sounds good that omci can be bypassed just by using a 3rd party onu. hopefully the huawei olt wont know how to provision the hard cap on the zte onu stick (actually the maxis issued btu should be tm property, maybe the hard cap is tm's way of unfairly limiting maxis bw?)

any idea what brand of onu that maxis user used?

This post has been edited by miloaisdino: Jun 27 2020, 01:23 PM

ah that makes sense. at first when you connect without pppoe login your line will be capped to 4mbps (probably for hypptv stb), then upon pppoe login the olt will retroactively increase the speed cap of the ont by omci.

i wonder having 2 pppoe dialers behind the ont to different accounts can confuse the olt

edit: maybe thats the key, omci configures a speed limit for port 2 on the huawei onu for maxis, but if the onu can be hacked for maxis to be on eg port 3 instead maybe omci will fail to speed cap?

This post has been edited by miloaisdino: Jun 28 2020, 07:32 PM

i meant there will be a time lag between pppoe login and increase of speed cap.. all the onts in the same area share the same pw so i guess the speed cap is by detecting your account on pppoe?

taken from tm alcatel ont provisioning guide online:
Service Provisioning – Sample Service Configuration
7.1 Create ONT Infrastructure
Create ONTs using SLID Password.
configure equipment ont interface 1/1/5/1/10 sw-ver-pland AUTO
sernum ALCL:00000000 subslocid 0000000001 voip-allowed enable enable-aes enable

so any match for alcl sn or huawei sn ont will be allowed as long the pw (replaced by 0000000001) is correct for any speed

is the dongle even receiving an ip address from maxis? if no maybe it could be an apn issue, or might need to clone the imei of the maxis router onto the dongle. if ip address received but still cant access internet, might need to mangle the TTL setting for requests through the dongle on the mikrotik

i suspect this is a TTL issue! its similar to how people used TTL changers to bypass tethering caps. try incrementing/decrementing the ttl of traffic destined to the dongle under "mangle" in mikrotik until it works

hmm so currently:
dongle +sim works when connected to pc --> maxis tplink
dongle doesnt work on mikrotik, sim doesnt work on phone

maxis detects ttl via Outgoing packets to their gateway, so Out Interface should be used instead of In Interface for mangle
https://forum.mikrotik.com/viewtopic.php?t=144140 (example of working for mikrotik dongle).

https://answers.microsoft.com/en-us/windows...3e-92fa5ca0bd16 the ttl from the ping is actually the "final" decremented ttl at the destination and is not what maxis receives! what i suspected was that the "original source" ttl value when dongle is connected to tplink is different from when dongle/sim is plugged anywhere else, so we need to "offset" the ttl somehow...

maybe can try connecting dongle by usb directly into pc instead then ping? that might rule out dongle detect mac address or other problems?

This post has been edited by miloaisdino: Sep 21 2020, 11:43 PM

haha. maybe try static ttl first, easier than cracking tplink (there are only 255 combinations to try! (much fewer since ttl 1-35 will pretty much kill lots of websites)try near 64, 128, 255 +- or other common ttl maybe?)


This post has been edited by miloaisdino: Sep 22 2020, 12:32 AM

for traffic destined to the dongle only, yes! anyway 4g isnt that fast shouldn't have any bottlenecks
hmm could be mac address? maybe clone the tplink mac onto mikrotik too?!
https://wiki.mikrotik.com/wiki/Manual:Interface/LTE

confirm mac address!! not TTL!! mac address for maxis usb should be maxis router mac +- a few digits on the last octet!

This post has been edited by miloaisdino: Sep 22 2020, 12:46 AM

maybe the dongle sees the mac address of the tplink/mikrotik and decides whether to block the connection. so maybe try using /interface on mikrotik to set the mac address of the maxis router facing the dongle to "fool" the dongle? arp -a shows the mac address of the dongle itself after every reboot (not the pc)

or maybe theres a hidden mac address filtering page on the dongle webui itself that can be found by inspect element. then we can just disable it!

This post has been edited by miloaisdino: Sep 22 2020, 11:23 AM

https://forum.mikrotik.com/viewtopic.php?t=113569#p614298
this might be helpful!

can't switch usb device
sd 0:0:0:1: [sda] we have tried 10 times, but the USB device is still not ready, just return here!
sd 0:0:0:1: [sda] media is not present, wait for 0.5 seconds
getConfigFromMergeFile 150 decrypt mode_switch.conf successfully

and

usbcore: registered new interface driver cdc_ether
usbcore: registered new interface driver rndis_host
Failed to to open /proc/tty/driver/usbserial

clue from here onwards

and maybe the uart password can be found from router backup config file (downloaded from webui)?

This post has been edited by miloaisdino: Sep 24 2020, 10:09 AM

https://github.com/JackDoan/TP-Link-ArcherC5-RCE
looks useful! worth a shot

now thats some weird encoding :/
anyways the config looks like the "TR069 xml IGD style" of config, probably because customised for maxis

This post has been edited by miloaisdino: Sep 24 2020, 11:30 PM

wow nice that fullcone works. but ive seen routers that dont support hw nat when fullcone is enabled, might have performance penalty for faster connections,wonder if tplink is liddat

and the packet capture filename that u blurred, was that yr mac address? quite disturbing if the router is made to silently packet capture traffic for no reason...

This post has been edited by miloaisdino: Sep 25 2020, 01:23 AM

i suspect its actually dual core (2 physical core) but presented as 4 logical core in linux (not 100% sure), anyway most regular ac routers max out at about 700+ mbps without hw nat, should not be an issue unless >800mbps package!

edit: good to disable tr069 and vlan 821 in case maxis releases a fw update to change the password and hash the password entry in the config file!!

This post has been edited by miloaisdino: Sep 25 2020, 01:31 AM