Inside a Westel 9100EM Router

Verizon’s FIOS router, based on the Jungo’s OpenRG OS and Westell’s hardware has its telnet interface disabled by default. You can enable it by doing the following easy steps:

  • On the web interface, go to advanced->configuration file->export configuration. Save on a disk.
  • Change “(telnets (disabled(1)))” to (telnets (disabled(0)))”
  • Import the configuration back via the web interface
  • Restart the router and try to telnet to it. After putting your user name and a password you’ll be greeted with the OpenRG prompt. Type ‘help all’ to see all commands. ‘system shell’ is my personal favorite.

You could also use the same technique to close the 4567 port (TR-069 management). It is enabled by default and is a part of the UPnP discovery. The string to look to find this protocol is ‘tr96’. You could also cloak it by creating appropriate ACL’s and firewall rules.

CWMP is another big brother protocol, initiated by your router to talk to Verizon on a periodic basis. Look for cwmp and check if enabled is (0).

Decrypting passwords on the Westell Verizon 9100EM router

If you are of a curious type you’ll see obfuscated password in the file produced by advanced->configuration file->export configuration. The obfuscation is done by a per-byte addition of [56 F4 EF 50 34 AA EF 6B 55 4B 03 3C 9B 01 78 b4] to the original value with no overflow. Looks like all passwords in OpenRG are obfuscated in this way. BTW, the default access password, when de-obfuscated this way is “activeVOLUser1”

Tags: IoT Firmware