WebUI Tricks
- Engineering Menu: move your mouse over the device image, then hold ctrl+shift+e and click
- Software Menu: move your mouse over the device image, then hold ctrl+alt+h
- LFI: http://192.168.15.1/cgi-bin/sysconf.cgi?page=../../[afile]&action=request&sid=[valid_sid]&timestamp=[valid_timestamp]
Remote Command Execution
- load up TamperData, Charles, or some other tampering proxy
- log into the device and change the Basic->Device Name to FOO
- in your tampering proxy, change FOO to <!--#exec cmd="<your command>" -->
- using the LFI above, get /etc/hosts
- your command will be run, and you should see your results
Software Unlock (enable telnet)
- Using the above Remote Command Execution trick, run the command: fw_setenv factory 1
- reboot, and you can telnet right in.
- this disables most of the startup scripts, so you need to set your own IP; try 192.168.15.2
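Added here as a defender's check, not part of the original notes or the device's firmware: the script below flags sysconf.cgi requests whose page parameter escapes the template directory (the LFI above) and applies an allowlist to the Device Name field so an SSI directive never reaches the page renderer. The sample log lines, the 32-character limit and the allowlist are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not captured from a real device).
SAMPLE_LOG = [
    'GET /cgi-bin/sysconf.cgi?page=status&action=request&sid=abc123 HTTP/1.1',
    'GET /cgi-bin/sysconf.cgi?page=../../etc/hosts&action=request&sid=abc123 HTTP/1.1',
    'GET /cgi-bin/sysconf.cgi?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd&action=request HTTP/1.1',
    'GET /cgi-bin/sysconf.cgi?page=basic HTTP/1.1',
]

SSI_RE = re.compile(r"<!--\s*#", re.IGNORECASE)      # any SSI directive opener
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")  # assumed device-name policy


def page_param_is_traversal(request_line: str) -> bool:
    """True if the 'page' query parameter tries to leave the template directory."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    qs = parse_qs(urlsplit(parts[1]).query)
    for raw in qs.get("page", []):
        # Decode again: a proxy or the CGI may decode once before any check runs.
        decoded = unquote(unquote(raw))
        if ".." in decoded or decoded.startswith("/") or "\\" in decoded:
            return True
    return False


def flag_traversal(lines):
    """Return the log lines whose page parameter looks like an LFI attempt."""
    return [line for line in lines if page_param_is_traversal(line)]


def device_name_is_safe(name: str) -> bool:
    """Allowlist check for a value that gets rendered into an SSI-enabled page."""
    return bool(SAFE_NAME_RE.match(name)) and not SSI_RE.search(name)


def sanitize_device_name(name: str) -> str:
    """Drop everything outside the allowlist; an empty result falls back to 'device'."""
    cleaned = re.sub(r"[^A-Za-z0-9_-]", "", name)[:32]
    return cleaned or "device"


if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal attempt:", hit)
    print(sanitize_device_name('FOO<!--#exec cmd="<your command>" -->'))
```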
Filesystem
Missing busybox functions
just download http://www.busybox.net/downloads/binaries/1.16.0/busybox-armv4l to the modem, then use it. It is a pre-built busybox binary that contains all the normal functions.
Teardown Instructions
thanks to Panic
To disassemble:
- Remove two T6 screws located under the round black feet on the bottom.
- Remove the colored piece from the right side of the case. On the clear modem this piece is black and has neither the logo nor the lights on it. To remove it, use a credit card to pop it off. Begin along the vented portion at the top, then move slowly along the edges starting from there, releasing the clips as you go. There are three clips located in the center of this panel, so some pulling will be required once the edges release. Note that you do not need to remove the left side panel to disassemble the modem -- in fact it appears that a few of the posts have been fused to help hold it in place.
- Remove the three T8 screws from under the panel removed in the previous step.
- Split the two halves of the modem using a credit card. This seemed to work best by beginning near the ports at the back and working outward from there. The clips are pretty heavy and require some force to release. There are two built into the bottom plastic. There are two minor clips near ports and two major clips on this side at the top. There are 3 major clips at the top. Two major clips on the front top curve. Three major clips on the front. Most of these should be identifiable in the FCC photos.
Note that you need to be careful of the antenna and its cables when working on the top edge of the modem. The antenna uses an extremely thin PCB and I could see ham-handed disassembly breaking it. The main PCB is attached to the case using a single T8 screw located at the bottom rear of the case (near the power jack). This screw is not externally accessible and requires splitting the case to get to. The board is roughly 5.5" square.
Pictures?
Please, where do I get the engineering software or image? Is there in the G model g4 and g3, or are the two antennas for RX/TX, no duplexer? I must make an outside antenna; I'm in a bad spot, too low. Need a 24dB dish, 2.5-2.7GHz. Peter AI4UE
Peter - there is currently no firmware image for the device. The device is WiMAX only, no 3G. It does have connectors for its antenna, so you can get a pigtail for it.
I'll post pics soon - right now this is a scratchpad for me
lokkju, can you post the contents of /bin/ipkg_verify.sh?
Also, could someone pull down this version of the firmware, so we can downgrade after Clear patches the hole?
I'll dump some of the files soon. Right now working on getting a dd binary working on the device.
all ipkg_verify does is check a sig against a public key
mtd dump at http://wimax-hacking.googlecode.com/svn/trunk/homeRouter/WIXB-175/mtd_dump/
You quoted: "# in your tampering proxy, change FOO to <!--#exec cmd="<your command>" -->"
I'm not able to see Device Name FOO in the tamper... I can only change it in the config.
Please help..
How do I do this part? just download http://www.busybox.net/downloads/binaries/1.16.0/busybox-armv4l to the modem, then use it. It is a pre-built busybox binary that contains all the normal functions.
Actually what I am trying to do is put it in bridge mode. Will all this work to make it go into bridge mode?
Thanks -Dimitry
Dude this is awesome, can't wait to see what is next!!
Maybe some useful information can be gleaned from here:
https://fjallfoss.fcc.gov/oetcf/els/reports/STA_Print.cfm?mode=current&application_seq=44344&RequestTimeout=1000
I am unable to telnet to the BCS5200 WIXB-175. Can anyone post pics, step by step? I used all the above steps using Charles but I'm unable to change this (tampering proxy, change FOO to <!--#exec cmd="<your command>" -->). Can anyone help me? Can someone post a noob's manual for all these steps? @lok can you please help us?
I know I need what you're talking about here, but I don't know shit. You might as well be speaking Russian because I can't understand a thing. Telnet?! LOL!
How do I connect to the internet after entering a telnet session? The telnet method given above resets to factory defaults. I want to be able to keep telnet while the internet is also working. How do I achieve such a combination? Can you post a YouTube video on how to access the hidden menus, i.e. the engineering menu and the software menu? The instructions on this page won't work for me. Please reply asap. :)
Clear firmware upgrade had taken away engineering mode. Anyone know a way around this?