Introduction#
Background#
On January 22, 2021, I opened a mobile broadband account. At that time the universal password was still usable, and I successfully changed it to bridge mode; everything was normal. Later, due to an incident, I had a technician come over, and I also noted down the registration password. Later still, when I moved, I was taking an exam, and the technician did not know the router password, so he reset it for me. I then found that the router had switched to automatically obtaining an IP address, so I tried to use the universal password to change it back to bridge mode, only to find that the universal password was no longer usable and that the various methods online had also failed due to patches. After nearly two days of effort, I finally found a loophole, so I am sharing it for those who need it!
This article only provides a general idea. In theory, it can be used for all optical modems. I am not responsible for any damage caused by a damaged optical modem, cosmic explosions, alien invasions, World War III, etc. If you disagree, please close this document.
Why?#
Generally, to ensure quality, operators give broadband some headroom, usually around 20% above the subscribed bandwidth. Taking my 200 Mbps broadband as an example, it can theoretically run at up to around 240 Mbps. The quality of the router, the quality of the network cable (for short distances, a Cat 6a cable is sufficient; be careful not to be deceived by branded products; Akihabara and Datang Telecom are good choices), and the speed of the computer's network port or hard drive will also affect network speed.
The optical signal carried over the fiber is converted into an electrical signal by a modem (hereinafter referred to as the "optical modem"). The optical modems provided by operators often have poor performance and heat dissipation, which can cause disconnections, high latency, and other issues. The signal they emit can interfere with the router's signal, and when the router obtains data from the optical modem, the traffic passes through an extra NAT forwarding step, which affects network speed (and greatly impacts online gaming). QoS services can also affect network speed (though minimally). Switching the optical modem to bridge mode lets a more powerful router do the dial-up, which reduces the workload of the optical modem and improves network quality.
Date: July 4, 2022 (still usable as of July 11, 2022)
Optical Modem: Gigabit GM220-S
Location: Xuchang, Henan, Mobile
Authentication Method: Password
The optical modem can be authenticated in many ways, such as LOID + password, SN serial number + MAC address, MAC address, Password, etc. This article uses Password as an example for demonstration. Different regions and operators may vary. If you do not know your optical modem's authentication method, please ask your ISP.
Purpose#
- Obtain the optical modem user password
- Change to bridge mode
- Disable QoS service
- Disable wireless service
- Disable firewall
- Enable IPV6
Requirements#
- USB drive
- Optical modem
- Router
- A pair of hands (If you are disabled, please forgive my insensitivity; I mean no harm, life will get better)
Practice#
1. Connect to the optical modem and obtain the Password#
Connect to the optical modem via an Ethernet cable or WiFi, open the optical modem management page, and press F12. In the Elements page that opens, press Ctrl + F and enter LOID; you can find an 11-digit number, as in the image. This is the optical modem registration code, which we will save for later use. Of course, you can also directly ask the technician to check it for you XDDD
2. Telnet Section#
2.1 Reset the Optical Modem#
Since the Telnet vulnerability for newly registered devices has been patched, we need to reset the optical modem. Carefully unplug the fiber, find the small hole on the side of the optical modem, and press it with a pen tip until the indicator light of the optical modem goes out and then lights up completely. Wait a moment for the optical modem system to load completely. Refresh the webpage and click on `Register Installation` at the bottom. If you do not see text like `Registered successfully, no need to register again`, then the reset was successful. (If the reset was not successful, wait for the optical modem indicator light to go out and then light up completely again without releasing the button!!! Wait for it to go out and light up a second time.) Other models follow the same principle; there may be a `Reset` label next to the small hole.
2.2 Open Telnet#
Open http://192.168.1.1/usr=CMCCAdmin&psw=aDm8H%25MdA&cmd=1&telnet.gch. If you see the text `TelnetSet Success!`, then it was opened successfully.
http://192.168.1.1/getpage.gch?pid=1002&nextpage=tele_sec_tserver_t.gch
2.3 Obtain the Telnet Password#
Insert the USB drive into the optical modem and log in to the optical modem management interface using the universal password. The account is `CMCCAdmin`, and the password is `aDm8H%MdA`. Click Management > Device Management > USB Backup Configuration > Start Backup. When you see the text `File saved successfully`, unplug the USB drive, insert it into the computer, and find the configuration just backed up on the USB drive. The path is `USB drive letter:\config_buckup\cmcc_128g.cfg`. If your USB drive is a PE boot disk or a multi-partition USB drive like Ventoy, this file will be in the boot partition, and that partition is hidden. Please use Windows Disk Management or software like Diskgenius to view it; I will not elaborate further here.
On the RouterPassView page, click Download RouterPassView at the bottom to download, then extract and open `RouterPassView.exe`. Users of scoop can use the following commands to install:

```
scoop bucket add nirsoft      # Add Nirsoft Bucket, ignore if you have already added this Bucket or apps Bucket
scoop install routerpassview  # Install routerpassview
```
After opening the software, click File > Open Router Config File (since I am using an English environment, the Chinese translation may not be accurate; please forgive me!) or File > Open Router Configuration File, and open the `cmcc_128g.cfg` we just backed up. Press Ctrl + F, enter telnet, and search. Find text similar to what is shown in the image; the text inside the double quotes after val is the Telnet account password (excluding the double quotes).
2.4 Register the Optical Modem#
Open the optical modem registration page and plug in the fiber (if the page does not open, please enter the optical modem management page and manually click the blue text `Register Installation`). Enter the Password obtained in step `1. Connect to the optical modem and obtain the Password` and register. This process may hang; if it does, do not move the fiber, and follow the previous step `2.1 Reset the Optical Modem` to execute it again.
3. Use Telnet to Enter the Optical Modem and Backup Configuration#
As shown in the image, open Telnet. Specific steps: Control Panel > Programs and Features > Turn Windows features on or off > Telnet > Finish.
Plug the USB drive into the optical modem, open cmd or another terminal, and enter the following commands:

```
telnet 192.168.1.1
# Enter the username and password obtained earlier; it is recommended to copy and paste. The password is not displayed by default. After completing, press Enter.
sidbg 1 DB p DevAuthInfo
```
The area covered by the mosaic is the account password. If the password is displayed as *, please continue using the following command. If the password has been found, you can proceed to the next step.
```
cp /userconfig/cfg/db_user_cfg.xml /mnt/usb1_1/db_user_cfg.xml
# If there is no output, the backup is successful.
```
Unplug the USB drive and insert it into the computer. Use the previous steps to open the configuration file with RouterPassView. Press Ctrl + F, enter CMCCAdmin, and search. The text inside the double quotes after val is the optical modem account password. If the last character of the password is a symbol, it is also counted as part of the password (excluding the double quotes). The password in the image has been replaced with xxxxxxxx.
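The backups taken above (`cmcc_128g.cfg` and `db_user_cfg.xml`) expose the account passwords once decoded, which is why the screenshots in this article are masked. The following is an added example, not part of the original tutorial or of any vendor tool: it masks secret-looking values in a decoded dump before the file is stored or shared. The `<Tbl>`/`<DM name val>` layout, the field-name pattern and the sample text are assumptions constructed for illustration.

```python
import re

# Assumed layout of the decoded dump (not confirmed by the page): one setting
# per line as <DM name="FIELD" val="VALUE"/> inside a <Tbl name="TABLE"> block.
TBL = re.compile(r'<Tbl\s+name="([^"]*)"')
DM = re.compile(r'(<DM\s+name="([^"]*)"\s+val=")([^"]*)(")')
# Hypothetical pattern for secret field names; extend it for your own dump.
SECRET = re.compile(r"pass|pwd|psw|key|loid", re.IGNORECASE)

def redact_config(text, mask="xxxxxxxx"):
    """Mask secret-looking val="..." values; return (text, [(table, field)])."""
    findings, out, table = [], [], None
    def repl(m):
        prefix, name, value, quote = m.groups()
        if value and SECRET.search(name):
            findings.append((table, name))
            return prefix + mask + quote  # whole value, trailing symbol included
        return m.group(0)  # non-secret or empty: leave untouched

    for line in text.splitlines(keepends=True):
        t = TBL.search(line)
        if t:
            table = t.group(1)  # remember which table the following rows belong to
        out.append(DM.sub(repl, line))
    return "".join(out), findings

# Constructed sample: field names and values are illustrative, not from a device.
SAMPLE = """<DB>
<Tbl name="TelnetCfg" RowCount="1">
<Row No="0">
<DM name="TS_Enable" val="1"/>
<DM name="TS_UName" val="example-user"/>
<DM name="TS_UPwd" val="example-telnet-pw"/>
</Row>
</Tbl>
<Tbl name="DevAuthInfo" RowCount="1">
<Row No="0">
<DM name="User" val="CMCCAdmin"/>
<DM name="Pass" val="example-admin-pw!"/>
</Row>
</Tbl>
</DB>
"""

if __name__ == "__main__":
    clean, found = redact_config(SAMPLE)
    print(clean)
    print("redacted:", ", ".join(f"{t}.{f}" for t, f in found))
```

The list of `(table, field)` pairs it returns is worth reading before sharing the file: a secret stored under a field name the pattern does not cover will not be masked.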
4. Configure the Optical Modem#
Open http://192.168.1.1/ and enter the obtained username and password to log in.
Delete TR069 Connection#
Click Network > Broadband Settings > Connection Name, select 1_TR069_R_VID_4034. TR069 is the operator's configuration push channel. To prevent the optical modem firmware from upgrading or restarting, which could change the password or reset the configuration, we delete this connection. Change `disabled` in ③ to `enabled` and click delete.
Configure Bridge#
Click Network > Broadband Settings > Connection Name, select 2_INTERNET_R_VID_4031, take a screenshot of the current page to prevent future issues, and note down the `VLAN Mode`, `VLAN ID`, `Username`, and `Password` (the username and password here are your broadband account and password; if you forget the password, you can send `CZKDMM` to `10086` to reset it). Then delete this connection (if there is IPTV, delete the 1_IPTV_B_VID_4031 connection; deleting it will disconnect the internet ~~be prepared to be hit~~).
Then click Network > Broadband Settings > Connection Name, select New WAN Connection, configure and save according to the image below:
- Enable: Check
- IP Protocol Version: IPv4/v6
- Mode: Bridge Mode or Bridge
- Service Mode: INTERNET
- Port Binding: Select the optical modem interface name connected to the router, generally, LAN1 has the fastest speed.
- DHCP Enable: Can be checked (I recommend not checking it, using the router for DHCP service; if you choose not to check it, you will need to manually assign IPs when entering the optical modem backend in the future. If you are a beginner or not tech-savvy, please be sure to check it).
- VLAN Mode: Configure according to the previous screenshot.
- VLAN ID: Configure according to the previous screenshot.
Disable QoS#
Click Network > QoS > Upstream QoS Configuration, uncheck the QoS enable switch, and confirm.
Disable Firewall#
Click Security > Firewall > Security Level, uncheck Firewall Protection, and confirm.
Disable DHCP Service (according to the above steps)#
If you unchecked DHCP Enable in the Bridge Configuration, please click Network > DHCP Configuration to uncheck Enable DHCP Service; click Network > DHCP Configuration (IPV6) to uncheck Enable DHCP Service.
Disable Wireless Service#
Click Network > WLAN Parameter Configuration > WLAN Network Configuration, uncheck the wireless switch, and confirm. If you need to disable WPS service, please do so here as well.
Disable Forced Push#
Click Management > Forced Push > Forced Push, uncheck Enable Forced Push to prevent the optical modem firmware from upgrading or restarting, which could change the password or reset the configuration.
5. Configure the Router#
Open the router configuration page and change the connection method to `Broadband Dial-Up` or `PPPOE`, with the account and password being your broadband account and password. Domestic operators may hijack DNS, so it is recommended to change the DNS to another DNS server.
| Provider | IPV4 | IPV4 Backup | IPV4 DoH | IPV6 | IPV6 Backup |
|---|---|---|---|---|---|
| Alibaba | 223.5.5.5 | 223.6.6.6 | https://dns.alidns.com/dns-query | 2400:3200::1 | 2400:3200:baba::1 |
| Tencent | 119.29.29.29 | | https://doh.pub/dns-query | 2402:4e00:: | |
| Cloudflare | 1.1.1.1 | 1.0.0.1 | | 2606:4700:4700::1111 | 2606:4700:4700::1001 |
Enable IPV6#
In the router configuration page, check Reuse IPV4 Link and Connect (if this setting is not available, you need to manually enter the broadband account password).
OpenWrt users need `ipv6-helper` and other aids; please search online for assistance.
After completing, restart the optical modem and router and enjoy!
Some Random Thoughts#
This is my first time writing a long tutorial. So far, this blog is only viewed by me (and can only be viewed by me). It took nearly 3 hours, yes, you heard that right! Taking screenshots, practicing, and writing took a lot of time, and there are bound to be some errors in the text. Please correct me, esteemed experts!
Reference Documents#
- Mobile Optical Modem GM219S Super Password Cracking Tutorial on Enshan Wireless Forum (Original content archived on 2020-08-14)
- GM220-S Obtain Super Password on Enshan Wireless Forum (Original content archived on 2020-08-14)