Friday, June 21, 2013

Western Digital My Net N600 - telnet

For the people Google brought here who don't want the long story, here are the steps to get in:
1) Go to your router's address in your browser
2) Sign in
3) Navigate to http://192.168.1.xxx/telnet.php
   There is no link to this page in the settings, so you do have to navigate there manually
4) Turn telnet on, save
5) Open a CLI window and run telnet 192.168.1.xxx
6) Username: Alphanetworks
7) Password: wrgnd16_wd_db600
8) (if the password is not wrgnd16_wd_db600, open the firmware in a hex editor and use the "signature" value)
------------------------------------------
I have a Western Digital "My Net N600" router that I got for free thanks to Intel. One day I got bored and wanted to play around with it. A couple of hours later I finally managed to get in.
Lots of routers support telnet, so I tried the command:
~$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Connection refused
I assumed I had to enable it. Nowhere in the router settings did it mention telnet. I almost gave up, but I found that Western Digital put the source up for everyone to see (they had to, it was GPL). I downloaded the source and found that there is a telnet.php in the base directory. It looks half broken and no file links to it, but it still works.
~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
login: root 
Login incorrect
login: admin
Login incorrect
login: telnet
Login incorrect for 3 times
Connection closed by foreign host.
~$ 
What could the username be? I continued to try wd, westerndigital, mynet600, and more. When those didn't work, I did a grep search for telnetd with errors suppressed:
~/Downloads/MyNetN600_GPL_v1.04.16$ grep -R -i -n 'telnetd' * 2>/dev/null
...
templates/aries/wd/pro/rc/init0.S80telnetd.sh:9: telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
...
~/Downloads/MyNetN600_GPL_v1.04.16$ 
Out of the 161 lines returned, I found this command, which starts the telnetd server. I found my username! But it wasn't going to be easy for me. I noticed that the second half (the password) was $image_sign, a variable, so I opened that file and found that $image_sign was the contents of a file:
image_sign=`cat /etc/config/image_sign`
And that file didn't exist! When the firmware is made, the image_sign gets generated, and I have no idea what the generated string would be. I consulted some people on some imageboards, and one person suggested that "$image_sign should be in plaintext inside the firmware image." I grepped the file for image_sign, but it wasn't there. I couldn't give up because I was so close, so I opened up the firmware in a hex editor and this is what I first saw:
53A3A417 0000001C 00000000 7369676E ^...........sign
61747572 653D7772 676E6431 365F7764 ature=wrgnd16_wd
5F646236 30300000 5EA3A417 00000024 _db600..^......$
Ah ha! So it was saved as "signature", rather than image_sign! I got the username and password combo of Alphanetworks:wrgnd16_wd_db600, and we are good to go!
~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
login: Alphanetworks
Password: wrgnd16_wd_db600

BusyBox v1.14.1 (2012-12-14 15:43:34 CST) built-in shell (msh)
Enter 'help' for a list of built-in commands.

# help

Built-in commands:
------------------
        . : break cd continue eval exec exit export help login newgrp
        read readonly set shift times trap umask wait

# uname -a
Linux MyNetN600 2.6.31--LSDK-9.2.0_U8.834-svn4367 #1 Fri Dec 14 15:43:09 CST 2012 mips GNU/Linux
# cat /proc/version
Linux version 2.6.31--LSDK-9.2.0_U8.834-svn4367 (bouble_hung@Zeus) (gcc version 4.3.3 (GCC) ) #1 Fri Dec 14 15:43:09 CST 2012
# exit
Connection closed by foreign host.
tachis@Tachis-LT:~$ 
Apparently a Google search for wrgnd16_wd_db600 yields no results, so I would have never found it if I didn't use the hex editor.
I had fun, and hopefully someone else might be able to log into their router too.
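
The check described in the post, written as a small firmware audit script (an added example, not part of the original post or of Western Digital's code): it reads the `-u user:secret` option from the telnetd init line, then looks for the NUL-terminated `signature=` string in the image header. The function names are hypothetical; the sample bytes and the init line are copied from the post, and the link between `$image_sign` and `signature` is taken from the post.

```python
import re

# Sample input: the 48 header bytes shown in the post's hex dump.
FIRMWARE_HEAD = bytes.fromhex(
    "53A3A417 0000001C 00000000 7369676E"
    "61747572 653D7772 676E6431 365F7764"
    "5F646236 30300000 5EA3A417 00000024"
)
# Sample input: the init script line the grep in the post turned up.
INIT_LINE = "telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &"

# Assumption taken from the post: the build stores $image_sign under this key.
SIGN_KEY = "signature"

# NUL-terminated printable key=value strings, as a hex editor would show them.
KV = re.compile(rb"([A-Za-z_][A-Za-z0-9_]{2,})=([\x21-\x7e]{4,})\x00")

def embedded_settings(blob):
    """Return [(offset, key, value)] for key=value strings found in blob."""
    return [(m.start(), m.group(1).decode(), m.group(2).decode())
            for m in KV.finditer(blob)]

def telnetd_credential(line):
    """Return (user, secret, is_variable) from a telnetd '-u user:secret' option."""
    m = re.search(r"\btelnetd\b.*?\s-u\s+([^:\s]+):(\S+)", line)
    if not m:
        return None
    user, secret = m.groups()
    return user, secret, secret.startswith("$")

def audit(line, blob):
    """List findings for a telnetd line checked against a firmware image."""
    cred = telnetd_credential(line)
    if cred is None:
        return []
    user, secret, is_var = cred
    if not is_var:
        return [f"hardcoded telnet login {user}:{secret}"]
    found = [f"telnet login {user}:{value} readable at image offset {off:#x}"
             for off, key, value in embedded_settings(blob) if key == SIGN_KEY]
    return found or [f"telnet login {user} uses {secret}; value not found in image"]

if __name__ == "__main__":
    for finding in audit(INIT_LINE, FIRMWARE_HEAD):
        print(finding)
```

The variable name never appears in the image, only the `signature` key does, which is why grepping the firmware for image_sign returned nothing.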

Tuesday, March 12, 2013

Evil Experts-Exchange

Without doubt, when I search for a computer-related problem, Experts-Exchange pops up, taunting me with the answer but asking me to pay to view it.

But that's not evil, right? They are providing a service for money. What is particularly evil about whatever website designer made this site is that they have the answers display to the search engine bots, so that their pages are more relevant and come up higher in the results. Also, the sample text Google provides will usually have almost the answer, trying to pull you in to pay.

There used to be a flaw in their plan. Whenever someone found their site, they would view the cached version by Google, and were able to see the "hidden" answers. However, they have pulled the cached version, so that option is not available anymore. So what do we do?

Enter User Agent Switcher. When you visit a site, your browser tells the server which browser you are using to better help the server display its contents. Well, Experts-Exchange decided that they are going to display their results to the Google Bot, and by using User Agent Switcher, you can pretend to be the Google Bot. After installing User Agent Switcher, go to tools -> default user agent -> Spiders -> Google Bot 2.1, and visit the site. Scroll down to the bottom to read the results for free. Just remember to switch it back to default when you are finished.

Sunday, July 22, 2012

Background Image Location

I was looking for the current background image's location.  It took me a while to find it.

Here it is:
%AppData%\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

Friday, June 22, 2012

Tixati's Secret Command Line

For a long time I've been wishing for some command line options for Tixati.

One day I enabled Tixati to start with Windows, hidden in the system tray, with a 1 minute delay.  Windows doesn't support these options, so they had to be program specific...

Curious, I investigated how it's done and I found the startup entry listed as this:

"C:\Program Files\tixati\tixati.exe" -starthiddenintray -d1

So I found some secret command line parameters not mentioned in any guide:
-closenow: exits any running program
-starthiddenintray: start hidden in tray (self explanatory)
-startminimized: start minimized (self explanatory)
-d#: delay of how long Tixati should wait before working (it still has its icon in the tray waiting; you can click it beforehand to launch immediately)

I wonder if there were any other command line switches?

Edit: using procexp, I searched the strings and found "closenow" near the other two strings.  Tested to work, so adding it to the list.

Monday, May 14, 2012

Finally, a company that does something right

Some time ago my laptop charger died.  I had the choice between a new Targus charger and a generic brand charger at Best Buy.  I went for the Targus one even though it cost a little more.  Later down the road my charger had intermittent problems, and finally ceased working.  My brother has a netbook charger for the same brand (Toshiba) but was about 1/4th the amperage of mine, so it would barely keep my laptop alive.  I pulled out the voltmeter and tested each part to find that the interchangeable tip had a problem.  I didn't have a receipt so I braced for the usual company warranty bullcrap that everyone seems to give.  I was so surprised about contacting Targus, I think they deserve a pat on the back.  They didn't even ask for proof of purchase.
Here is my chat log with them:
Tachis Alopex: Hello
Tachis Alopex: The tip connector for my targus charger for my toshiba laptop is broken.
Kenneth: I am sorry that you have a broken Power Tip for your adapter. I would be happy to assist you.
Kenneth: Which model of charger do you have?
Tachis Alopex: APA31US
Kenneth: Thank you, and what is the model of your Toshiba computer?
Tachis Alopex: L505-S6946
Kenneth: "P" is the compatible tip. I would be happy to set up a part order to replace the broken tip for you.
Tachis Alopex: So that is covered under the warranty?
Kenneth: Yes, it is, and the tip would be complimentary to you since the one you currently have is broken. When and from where was the charger purchased?
Tachis Alopex: Great! Best Buy, around the beginning of the year
Kenneth: January?
Tachis Alopex: Either January or February
Tachis Alopex: I'm not sure
Kenneth: Alright. What would be the address and phone for where the tip would be sent?
Tachis Alopex: [My home address]
Tachis Alopex: [My phone number]
Kenneth: Thank you for that information. The part order will be processed upon the conclusion of the chat session. Would there be something more with which I could assist you?
Tachis Alopex: That's it. Thank you so much! you are a life saver.
Kenneth: Thank you for contacting Targus Live Chat. Have a wonderful day.
Tachis Alopex: you too
'Tachis Alopex' disconnected ('Concluded by End-user').
Okay, that surprised me... I mean not asking for a receipt pleased me, but that wasn't the end of my pleasant surprises.  I got an email confirming the delivery the same day, and it said "so you should allow up to ten (10) business days for the tip to arrive."  USPS ground.  Standard throughout companies, a little long but I ain't paying for anything so I'm not complaining.  This chat happened Thursday, 05/10.  Guess what happened to arrive in the mail today.  My connector! Monday, 5/14.  It was ordered, processed and shipped in technically 1 business day.  Brand loyalty went up a ton.

Why can't most companies do this?  I can bet I'll remember this and buy Targus between other brands just remembering this incident.  Did it wear out? Yes (but that was probably my fault), but a TWO year warranty on the charger made it right... and made it right fast.

Lastly I want to add what would happen if my warranty ran out.  While the Targus representative was setting things up, I looked for the price of a replacement. The Targus website sells the tips for $10 with about $5 shipping.  Pretty steep price for a little tip.  So I Googled Targus coupon... and the first page I got to showed "Free charger connector tips" And sure enough I plugged it into the site and it was just the price of shipping.

Hats off to you, Targus, for not screwing over your customers when something goes wrong.  I'm glad that I could post this from my completely charged laptop.

Getting notepad to obey

I always wanted notepad to be run as admin.  I can't think of a case where I didn't want it to be.  So I browsed to notepad.exe and was going to turn on "always run as admin" but the option was blanked out.  I figured out how to bypass that though.  Do these three easy steps if you want always-admin notepad:
  1. open regedit.
  2. go to:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
  3. add a value (a string):
    Name: C:\Windows\system32\notepad.exe
    Value: RUNASADMIN
That's it!  I never see any privilege error messages again using notepad.  You can do this for any application, but be aware that it will always be run with elevated privileges.

Saturday, May 12, 2012

Fix the windows OS Letter assignment

Hello!

I recently moved a few partitions on my hard drive, and when I booted up Windows... boot error.

That's somewhat expected, so I tried to use startup repair. It worked... until I got stuck right after the loading screen.

I found that "C:" was missing, and "D:" was assigned to what "C:" should be. Here's how I fixed it:
  1. Before you shut down, make a note of what letter is currently incorrectly assigned. In my case, it was "D"
  2. First of all, you need your Windows disk. Plop it in, and boot from it. When it finishes loading, do not click install. Instead, click repair.
  3. Launch command prompt
  4. We can't just use regedit to fix the problem because we are in a Windows pre-install environment, with its own registry.  So we need to run a command:
    reg load HKLM\TempOS C:\windows\system32\config\system

    Now, "C" might be the wrong letter! The Windows pre-install environment automatically assigns letters to the drives and partitions of your computer.  You may need to use these commands:
    cd /d [Letter]:
    dir

    The first command changes directory.  /d means change to a different drive; then you would type C: D: E:, etc.
    The second command lists the folders and files of the drive.  If you see "windows" and "program files" then congrats, you found the drive/partition that you want to fix
  5. type regedit to open the registry editor
  6. browse to HKLM/TempOS/CurrentControlSet/MountedDevices
  7. find the value that has \DosDevices\C:
    rename that to any other untaken letter
  8. find the value that has \DosDevices\[the incorrect letter]:
    this should be the letter that you took note of in step 1.  Rename that one to \DosDevices\C:
  9. Exit regedit, and run this command:
    reg unload HKLM\TempOS
  10. Reboot and all should be well!
Hope that worked.  As always, comment if you have any questions or need help!