Unable to telnet enable RBR40 V2.7.3.22

[jlafaye]

Hello

I am unable to enable telnet with the tool on RBR40 v2.7.3.22 (synced at latest commit)

All attempts with mode 1, 2, 3 and upper/lower cased digest failed with a timeout (no answer to the magic packet).

I am using the command below:

./telnet-enable.py 10.0.0.1 B0:39:56:76:B3:75 admin "fDZGmoc8Wk5E3eaW"

I am running macOS but same issue on three different computers.

[jlafaye]

Got it working by using the hashed version of the password rather than the password itself.

The hashed password was obtained by:

• downgrading to firmware revision v2.6.2.104
• activating telnet through http://10.0.0.1/debug.htm
• telnet-ting to the router
• retrieving hashed password with command config get http_passwd_hashed

It seems that using the udp 'magic packet' does not work if telnet has been activated at least once through debug.htm. Would be great if someone could confirm this.

I'll try to investigate the code to understand why the script does not work with unwashed password.

[jlafaye]

Actually commit 8a72d89 broke the script on (at least) RBR40. At 8a72d89~1, the script works with output

Done sending new3 (RAX10/RAX50) pw data to 10.0.0.1:23

This payload computation method is called method 4 and seems to have disappeared in latest version of the script.

[wbervoets]

I can confirm @jlafaye findings, the previous version works on RBR20

[johnhainline]

Can confirm latest does not work for RBR50 firmware V2.7.4.24, and moving to commit 8z72d89~1 fixes it.

[Pawel-B7]

Could you please write exactly how to modify the script so that telnet can be enabled for RBR40 with V2.7.3.22?
Alternatively, could you upload the entire revised script for RBR40 with V2.7.3.22?
For LBR20 with V2.7.5.6 this script does not work either :(

[Pawel-B7]

New version of the script (25 May 2024) works properly with above RBR40 and LBR20 but telnet doesn't work after reboot :(
nvram commit doesn't help