Router Password Dumping Guide (TM DIR-615 G1/G2)
Since the Unifi service was launched, TM has enforced a policy of security through obscurity to 'lock down' the DIR-615 router which is bundled with Unifi. Users are forced to call the customer support hotline just to gain access to their own routers and to other information such as the wireless AP, PPPoE username and password and the 'operator' account password for the router. As of October 2010, TM began rolling out a newer DIR-615 router revision with the 7.05b firmware. Once again, they've attempted to 'secure' the bundled router with a new set of passwords and keep the user as far out of the loop as possible. Remote management was preserved and the secondary 'operator' account was not removed from this firmware build. According to some users, their hotline staff have even claimed that this is 'confidential' information; they obviously have no bloody idea how their own hardware works (in my humble opinion). This guide lists a few methods which you can use to grab every single password off the router even if you have been completely locked out. Unfortunately, releasing this information also puts some users at risk, as it allows the passwords to be grabbed remotely through the internet via the 'oh so secure' remote management interface and the 'uber secret' operator account password. Forgive me if I sound like an asshole at this point, I'm just really sick of this bullshit.
The Software Approach

This method uses only software to grab the required credentials off the router. It relies on a simple flaw: the TM DIR-615 willingly hands out the router's configuration file, as there is no authorization or authentication mechanism involved. This guide also highlights the importance of turning off remote management, because with it enabled any user on the internet can download your configuration file and extract all your Unifi account details from it (regardless of whether you have changed the passwords on the unit or not).
Prerequisites :

1. A DIR-615 G1/G2 router with firmware 7.05x.
2. A network connection to the router (as in, you're able to see the router login page at http://192.168.1.1).
3. RouterPassView - This is the main tool here, which performs the decryption/decompression of the router configuration file. Download it here : http://www.nirsoft.net/utils/router_password_recovery.html
Steps :

1. Visit your router's web configuration address. By default it's either http://192.168.1.1 or http://192.168.0.1 .
2. Once you can see the login page (you do not have to be logged in), append '/config.bin' to the back of the URL and visit that page (example : http://192.168.1.1/config.bin).
3. A file download for 'config.bin' should begin. Save the file to your computer.
4. Run RouterPassView.
5. Open the downloaded 'config.bin' in RouterPassView. You should be able to see a table with some valid values. These are only a handful of the credentials that RouterPassView can identify. To view all the passwords that are stored on your router, you will need to switch to either ASCII or HEX view.
6. Select Options -> Text Mode ASCII or simply hit F3.
7. Scroll down and you should start seeing your PPPoE username/password as well as your operator/admin account passwords and other details such as WiFi keys. It's also easier if you Select All and Copy the contents of this window into Notepad so that it's easier to navigate using the CTRL+F feature. This is how the operator password is stored in the router. You may locate other strings by searching for values such as '@unifi' and '@hsbb', but generally once you search for 'operator' and retrieve the operator account password, you should be able to log into the web user interface and view/edit all these values anyway.
Other Methods

There are other methods to extract the passwords from the DIR-615 via techniques such as router memory dumping, but the software method (above) should be usable till they patch it.
D-Link Config.bin File Format (DIR-615 G1/G2)

Unlike other routers, many new D-Link models (such as the DIR-615) store the config.bin as a GZIP compressed file. In the case of the DIR-615 G1/G2, it's an XML database which has been packed with GZIP compression.

References : http://www.gzip.org/zlib/rfc-gzip.html#header-trailer (RFC 1952 GZIP File Format Specification version 4.3)

Basically, the first 20 bytes are just metadata to identify which router the config.bin is intended for. Right after that, the GZIP header begins with the signature bytes "\x1F\x8B" (ID1 & ID2). The next byte contains the compression method which is used, "\x08" (deflate). This is followed by a flags byte, a 4 byte modification time and the XFL and OS bytes (the "Unix" marker; refer to the RFC spec). In order to duplicate the unpacking method which is used by the firmware of the router and by applications such as RouterPassView itself, you only need to remove the first 20 bytes from the config.bin file (anything before the "\x1F\x8B" marker, really) and run a GZIP decompress function on the remaining data. Personally, I used the ZLIB library and pushed the decompressed string through an XML parser. Enjoy :)!
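The unpacking described above, as an added example (not code from the original post or from RouterPassView): it skips the vendor metadata up to the GZIP magic, checks the compression-method byte, inflates with zlib and parses the XML so you can audit your own backup for remote management being left on. The XML element names and the 20-byte header content are constructed assumptions; the real DIR-615 schema is not given on the page.

```python
import gzip
import zlib
import xml.etree.ElementTree as ET

GZIP_MAGIC = b"\x1f\x8b"   # ID1, ID2 per RFC 1952
DEFLATE = 0x08             # the only compression method RFC 1952 defines

def unpack_config_bin(blob: bytes) -> bytes:
    """Return the decompressed XML payload of a config.bin, or raise ValueError."""
    start = blob.find(GZIP_MAGIC)          # skips the vendor metadata (20 bytes on the DIR-615)
    if start < 0:
        raise ValueError("no GZIP header found in config.bin")
    if len(blob) < start + 3 or blob[start + 2] != DEFLATE:
        raise ValueError("unexpected compression method byte")
    # wbits=16+MAX_WBITS tells zlib to expect a GZIP wrapper around the deflate stream.
    return zlib.decompress(blob[start:], wbits=16 + zlib.MAX_WBITS)

def audit_config(xml_bytes: bytes) -> dict:
    """Defender's view of a backup: is remote management on, and which secret fields are plaintext?
    Element names are an assumption for the constructed sample, not the real schema."""
    root = ET.fromstring(xml_bytes)
    remote = root.findtext("./remote_management/enable", default="0").strip()
    secrets = [el.tag for el in root.iter()
               if "password" in el.tag.lower() and (el.text or "").strip()]
    return {"remote_management_enabled": remote == "1",
            "plaintext_secret_fields": secrets}

def build_sample_config_bin(xml_text: str) -> bytes:
    """Constructed sample: a made-up 20-byte vendor header followed by the GZIP'd XML."""
    header = b"DIR-615-G2-CONFIG-TM".ljust(20, b"\x00")[:20]
    return header + gzip.compress(xml_text.encode())

# Constructed sample XML, not a real dump; values are placeholders.
SAMPLE_XML = """<config>
  <remote_management><enable>1</enable><port>8080</port></remote_management>
  <wan><pppoe_username>EXAMPLE@unifi</pppoe_username><pppoe_password>EXAMPLE-PASS</pppoe_password></wan>
  <accounts><operator_password>EXAMPLE-OPERATOR</operator_password></accounts>
</config>"""

if __name__ == "__main__":
    blob = build_sample_config_bin(SAMPLE_XML)
    print(audit_config(unpack_config_bin(blob)))
```

On a real config.bin, a report showing remote management enabled alongside plaintext PPPoE and operator passwords is exactly the exposure the guide warns about.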