Friday, June 21, 2013

Western Digital My Net N600 - telnet

For the people Google brought here who don't want the long story, here are the steps to get in:
1) Go in your router's address in your browser
2) Sign in
3) Navigate to http://192.168.1.xxx/telnet.php
   There is no link to this page in the settings so you do have to navigate there manually
4) Turn telnet on, save
5) Open a CLI window and run telnet 192.168.1.xxx
6) Username: Alphanetworks
7) Password: wrgnd16_wd_db600
8) (if the password is not wrgnd16_wd_db600, open the firmware image in a hex editor and search for the "signature=" string)
------------------------------------------
I have a Western Digital "My Net N600" router that I got for free thanks to Intel. One day I got bored and wanted to play around with it. A couple of hours later I finally managed to get in.
Lots of routers support telnet so I tried the command:
~$ telnet 192.168.1.1
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Connection refused
I assumed I had to enable it first. Nowhere in the router settings is telnet mentioned. I almost gave up, but then I found that Western Digital had put the source up for everyone to see (they had to, it is GPL). I downloaded the source and found that there is a telnet.php in the base directory; it looks half broken and no file links to it, but it still works.
~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
login: root 
Login incorrect
login: admin
Login incorrect
login: telnet
Login incorrect for 3 times
Connection closed by foreign host.
~$ 
What could the username be? I continued to try wd, westerndigital, mynet600, and more. When those didn't work, I did a grep search for telnetd with errors suppressed:
~/Downloads/MyNetN600_GPL_v1.04.16$ grep -R -i -n 'telnetd' * 2>/dev/null
...
templates/aries/wd/pro/rc/init0.S80telnetd.sh:9: telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &
...
~/Downloads/MyNetN600_GPL_v1.04.16$ 
Out of the 161 lines returned, I found this command, which starts the telnetd server. I had found my username! But it wasn't going to be that easy. I noticed that the second half of the argument (the password) was $image_sign, a shell variable, so I opened that script and found that $image_sign is set to the contents of a file:
image_sign=`cat /etc/config/image_sign`
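The grep above is a one-off; the same audit can be scripted so that every init script in an unpacked firmware tree is checked for a telnetd started with a `-u user:password` argument, and so that a password given as a shell variable is traced back to the file it is read from. This is an added example written for this post, not Western Digital's code. It assumes the BusyBox telnetd `-u user:password` syntax seen in the line above, and the sample tree it builds is constructed from the quoted lines plus one made-up script with a literal password (admin:changeme) so both cases show up.

```python
"""Audit an unpacked firmware source tree for telnetd started with a
`-u user:password` argument.  Added example for this post, not Western
Digital's code; the sample tree it builds is constructed."""
import os
import re
import tempfile

# `telnetd ... -u USER:PASSWORD ...` on one shell line (BusyBox telnetd syntax).
TELNETD_RE = re.compile(r"\btelnetd\b.*?-u\s+([^\s:]+):(\S+)")
# `name=`cat /path`` or `name=$(cat /path)`: the secret is read from a file at boot.
CAT_ASSIGN_RE = re.compile(r"^\s*(\w+)=(?:`cat\s+(\S+)`|\$\(cat\s+(\S+)\))", re.M)


def audit_script(text):
    """Return one finding per telnetd line in `text` that embeds credentials."""
    sources = {var: (p1 or p2) for var, p1, p2 in CAT_ASSIGN_RE.findall(text)}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TELNETD_RE.search(line)
        if not m:
            continue
        user, password = m.group(1), m.group(2)
        var = password[1:].strip("{}") if password.startswith("$") else None
        findings.append({
            "line": lineno,
            "user": user,
            "password": password,
            "literal": var is None,        # True: the secret sits in the script itself
            "source": sources.get(var),    # file the variable is read from, if known
        })
    return findings


def scan_tree(root):
    """Walk `root` (an unpacked firmware source or rootfs) and audit every file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            for finding in audit_script(text):
                finding["file"] = os.path.relpath(path, root)
                results.append(finding)
    return results


# Constructed sample tree: the init script quoted in the post, one script with a
# made-up literal password, and one unrelated script (should produce no finding).
SAMPLE_FILES = {
    "rc/init0.S80telnetd.sh": (
        "#!/bin/sh\n"
        "image_sign=`cat /etc/config/image_sign`\n"
        "telnetd -l /usr/sbin/login -u Alphanetworks:$image_sign -i br0 &\n"
    ),
    "rc/S99debug.sh": (
        "#!/bin/sh\n"
        "telnetd -l /bin/login -u admin:changeme &   # constructed example\n"
    ),
    "rc/S10network.sh": "#!/bin/sh\nifconfig br0 up\n",
}


def build_sample_tree():
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="fw_audit_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        where = "literal in script" if f["literal"] else f"read from {f['source']}"
        print(f"{f['file']}:{f['line']}: telnetd user={f['user']} "
              f"password={f['password']} ({where})")
```

Run against a real unpacked GPL tarball by passing its path to scan_tree. A finding marked literal means the password is in the script; one with a source path means the next place to look is that file in the rootfs, or, as it turned out here, in the firmware image itself.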
And that file didn't exist in the source tree! When the firmware is built, image_sign gets generated, and I had no idea what the generated string would be. I consulted some people on some imageboards; one person suggested that "$image_sign should be in plaintext inside the firmware image." I grepped the firmware image for image_sign, but it wasn't there. I couldn't give up because I was so close, so I opened the firmware image in a hex editor, and this is the first thing I saw:
53A3A417 0000001C 00000000 7369676E ^...........sign
61747572 653D7772 676E6431 365F7764 ature=wrgnd16_wd
5F646236 30300000 5EA3A417 00000024 _db600..^......$
Aha! So it was stored as "signature" rather than image_sign! That gave the username/password combo Alphanetworks:wrgnd16_wd_db600, and we are good to go!
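The hex dump above is worth a closer look: the 4 bytes after the 53A3A417 marker read 0000001C, and 0x1C is 28, which is exactly the length of "signature=wrgnd16_wd_db600" plus its two trailing NUL bytes. That suggests a simple record layout, and a scan for credential-like key=value strings can be automated instead of eyeballing a hex editor. The following is an added example written for this post, not Western Digital's tooling. Its sample input is exactly the 48 bytes shown in the dump, and the record-header interpretation (4-byte marker, 4-byte big-endian length, 4-byte zero field, then payload) is an assumption drawn only from that length match; the key names it looks for are its own choice.

```python
"""Locate plaintext key=value records in a firmware image.  Added example
for this post, not Western Digital's tooling.  The sample bytes are the
48 bytes from the post's hex dump; the record-header layout is assumed."""
import re
import struct

# The three hex-dump lines from the post (ASCII column dropped).
HEX_DUMP = """
53A3A417 0000001C 00000000 7369676E
61747572 653D7772 676E6431 365F7764
5F646236 30300000 5EA3A417 00000024
"""

# Printable key=value runs whose key looks credential-like (chosen for this example).
KEY_VALUE_RE = re.compile(
    rb"(signature|image_sign|passw(?:or)?d|secret|key)=([\x21-\x7e]{1,64})", re.I)

# Assumed header: marker, big-endian length, reserved/zero field.
HEADER = struct.Struct(">III")


def hexdump_to_bytes(dump):
    """Turn the whitespace-separated hex words back into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def find_secret_strings(blob):
    """Return (offset, key, value) for each credential-like key=value run."""
    return [(m.start(), m.group(1).decode(), m.group(2).decode())
            for m in KEY_VALUE_RE.finditer(blob)]


def parse_record(blob, offset):
    """Parse one assumed record at `offset`; None if no full header fits."""
    if offset + HEADER.size > len(blob):
        return None
    magic, length, reserved = HEADER.unpack_from(blob, offset)
    start = offset + HEADER.size
    return {
        "offset": offset,
        "magic": magic,
        "length": length,
        "reserved": reserved,
        "payload": blob[start:start + length],
        "next": start + length,
    }


def walk_records(blob, offset=0):
    """Follow the length fields from `offset` until the data runs out."""
    records = []
    while True:
        rec = parse_record(blob, offset)
        if rec is None or rec["next"] > len(blob):
            break
        records.append(rec)
        offset = rec["next"]
    return records


if __name__ == "__main__":
    image = hexdump_to_bytes(HEX_DUMP)
    for off, key, value in find_secret_strings(image):
        print(f"0x{off:08x}: {key}={value}")
    for rec in walk_records(image):
        print(f"record @0x{rec['offset']:x} magic=0x{rec['magic']:08x} "
              f"len={rec['length']} payload={rec['payload']!r}")
```

On the sample bytes the string scan reports signature=wrgnd16_wd_db600 at offset 12, and the record walk yields one complete record of length 28 whose payload is that string; the second marker (5EA3A417, length 0x24) is cut off by the dump, so the walk stops there. For a whole image, read it with open(path, "rb") and hand the bytes to find_secret_strings; a hit with a key like "signature" that never appears in the source tree is the same clue the hex editor gave here, and any password that is baked into the image is shared by every unit running that firmware.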
~$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
login: Alphanetworks
Password: wrgnd16_wd_db600

BusyBox v1.14.1 (2012-12-14 15:43:34 CST) built-in shell (msh)
Enter 'help' for a list of built-in commands.

# help

Built-in commands:
------------------
        . : break cd continue eval exec exit export help login newgrp
        read readonly set shift times trap umask wait

# uname -a
Linux MyNetN600 2.6.31--LSDK-9.2.0_U8.834-svn4367 #1 Fri Dec 14 15:43:09 CST 2012 mips GNU/Linux
# cat /proc/version
Linux version 2.6.31--LSDK-9.2.0_U8.834-svn4367 (bouble_hung@Zeus) (gcc version 4.3.3 (GCC) ) #1 Fri Dec 14 15:43:09 CST 2012
# exit
Connection closed by foreign host.
tachis@Tachis-LT:~$ 
Apparently a Google search for wrgnd16_wd_db600 yields no results, so I would never have found it if I hadn't used the hex editor.
I had fun, and hopefully someone else might be able to log into their router too.