AP9210

From FnordWiki

Revision as of 16:38, 31 October 2013

I just won two of these in eBay auctions 151145957599 (http://www.ebay.com/itm/151145957599) and 151145957933 (http://www.ebay.com/itm/151145957933). (Ridiculously cheap, too.)

They've arrived, but I wasn't sent the credentials to log in and configure them. Not a problem. Daren Matthews has a blog entry (http://mccltd.net/blog/?p=36) detailing a backdoor password that allows one access to some menus that can be used to dump the devices' configuration EEPROM data. This conveniently includes a user name and plaintext password. (Though they are in a funny byte-swapped format.)

So, attach a null modem cable to the AP9210's serial port, or telnet to it if you can determine its IP address (arpwatch makes that simple). Give any username you like and use TENmanUFactOryPOWER as the password. A menu will be printed with a "Dump EEPROM" (or similarly named) option; use it to dump the EEPROM contents.

Did I mention the strings in the EEPROMs are byteswapped? Here's an example of what was in mine:

...
000C   89 9C 30 A4 2F 33 33 32  ..0./332
0010   31 2F 39 39 00 39 50 41  1/99.9PA
0014   32 39 30 31 00 00 27 DC  2901..'.
0018   57 37 39 41 31 39 30 33  W79A1903
001C   31 30 37 32 00 34 C0 00  1072.4..
...

These two devices are running firmware versions 1.1.1 and 1.1.2. Based on the Daren Matthews blog, I'm guessing other versions of the firmware don't do that.

It almost looks like there could be an "AP9210" in there if you're dyslexic, right? Here's my fix for reading it:

# swap each pair of characters in the trailing 8-character ASCII column; the hex column is left alone
sed -e 's@\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)\(.\)$@\2\1\4\3\6\5\8\7@' AP9210-eeprom-contents

Which turned the 5 lines above into:

000C   89 9C 30 A4 2F 33 33 32  ...03/23
0010   31 2F 39 39 00 39 50 41  /1999.AP
0014   32 39 30 31 00 00 27 DC  9210...'
0018   57 37 39 41 31 39 30 33  7WA99130
001C   31 30 37 32 00 34 C0 00  01274...

Yes, I was lazy and didn't bother to swap the hex values.
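Here is a small script that does the job properly, added to this page as an example; it is not code from the original write-up, from Daren Matthews, or from APC. It assumes the dump layout quoted above (a four-digit offset, eight hex bytes, then the ASCII column; the offsets step by 4 per 8 bytes, so they count 16-bit words) and that the scrambling is exactly what the sed output demonstrates: the two bytes of every 16-bit word are exchanged. Unlike the sed one-liner it swaps the bytes themselves, so the hex column comes out in the right order too, and it then pulls printable strings out of the corrected buffer, which is how you would find the credentials further down in a real dump. The five dump lines above are embedded as a constructed sample.

```python
"""Byte-swap an AP9210 EEPROM dump and recover its strings.

Added example, not code from the wiki page or from APC. It works on dumps
in the layout quoted above: a four-digit offset, eight hex bytes, then the
ASCII column. The sed one-liner on the page swaps only the ASCII column;
this swaps the bytes themselves, so the hex column comes out right too,
and then pulls printable strings out of the corrected buffer.
"""
import re

# Constructed sample: the five dump lines quoted on the page. The offsets
# step by 4 for every 8 bytes, so they count 16-bit words, not bytes.
SAMPLE_DUMP = """\
000C   89 9C 30 A4 2F 33 33 32  ..0./332
0010   31 2F 39 39 00 39 50 41  1/99.9PA
0014   32 39 30 31 00 00 27 DC  2901..'.
0018   57 37 39 41 31 39 30 33  W79A1903
001C   31 30 37 32 00 34 C0 00  1072.4..
"""

# Offset, then one or more hex bytes each followed by whitespace or EOL.
# The ASCII column is separated by two spaces, so the byte group stops there.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2}(?:\s|$))+)")


def parse_dump(text):
    """Return (first_offset, data): the word offset of the first dump line
    and the raw bytes in the order the device printed them."""
    first_offset = None
    data = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip "...", headers and menu noise
        if first_offset is None:
            first_offset = int(m.group(1), 16)
        data.extend(bytes.fromhex(m.group(2)))  # fromhex ignores whitespace
    return first_offset, bytes(data)


def swap_words(data):
    """Exchange the two bytes of every 16-bit word. The dump starts on a
    word boundary and prints whole words, so pairing from index 0 is safe;
    an odd trailing byte, if any, is left alone."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def format_dump(data, first_offset, width=8):
    """Re-render a buffer in the device's own layout, hex and ASCII both in
    corrected order. Offsets advance by width // 2 words per line (assumed
    from the 4-per-8-bytes stepping seen in the real dump)."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        asciipart = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{first_offset + i // 2:04X}   {hexpart}  {asciipart}")
    return "\n".join(lines)


def printable_strings(data, min_len=4):
    """Runs of at least min_len printable ASCII bytes, as (index, text),
    where index is the byte position in the swapped buffer."""
    found = []
    start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel terminates a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, data[start:i].decode("ascii")))
            start = None
    return found


def recover(text):
    """Parse, byte-swap and extract strings from one dump."""
    first_offset, raw = parse_dump(text)
    fixed = swap_words(raw)
    return format_dump(fixed, first_offset), printable_strings(fixed)


if __name__ == "__main__":
    dump, strings = recover(SAMPLE_DUMP)
    print(dump)
    for index, s in strings:
        print(f"{index:4d}  {s!r}")
```

Run it against the whole dump file instead of the sample and the username and password show up as printable runs with the rest of the strings, no squinting required. On the sample it recovers "03/23/1999" and "AP9210" from the first three lines, which is what the sed output was hinting at.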

Anyway, with this, the username and password set on the device were fairly easy to pick out, further down in the EEPROM contents...

Oh, do heed the warning about the security issues on these things. The backdoor password works over telnet as well as over the serial port, so anyone who can reach the management interface on the network can not only change the power state of the equipment plugged into it, but can also dump the EEPROM, read the admin credentials in plaintext, and change them. Keep these on a management network that untrusted hosts can't reach.