Login details for Alcatel-Lucent I-240G-D

roligov

Well-Known Member
Joined
Dec 11, 2007
Messages
438
While Telkom were installing my Fibre, I managed to get to the ONT login page before the install was complete. The URL was http://192.168.1.254/login.cgi and the title of the login box was "GPON Login".
After the install was complete, I'm assuming a firmware upgrade took place as the title of the page has now changed to "SFU Login".
I've tried googling without much luck. Also tried the usual (admin:admin admin:password admin:conf etc..). Just interested to see what stats I can get from it once I'm in, plus I own the device so I want full control :D

Anyone know the login details for it?
 

roligov

Well-Known Member
Joined
Dec 11, 2007
Messages
438
Phoned the Telkom technician who installed my line, he doesn't know the login details. He said they log in to the VNX modem and work on that. Phoned 10210 Fibre support and they don't know either.

I still don't understand why Telkom have chosen to gimp this Alcatel ONT. It's a full-blown router, with Wifi, multiple ethernet points and 2 phone jacks. There is no point to have a 2nd modem/router at all if they left the device stock :confused: :confused: :confused: Do they not wish to train their technicians on a new device?
 

StoneCold

Expert Member
Joined
Jul 18, 2006
Messages
3,799
> Phoned the Telkom technician who installed my line, he doesn't know the login details. He said they log in to the VNX modem and work on that. Phoned 10210 Fibre support and they don't know either.
>
> I still don't understand why Telkom have chosen to gimp this Alcatel ONT. It's a full-blown router, with Wifi, multiple ethernet points and 2 phone jacks. There is no point to have a 2nd modem/router at all if they left the device stock :confused: :confused: :confused: Do they not wish to train their technicians on a new device?

See this: http://setuprouter.com/router/alcatel-lucent/i-240g-d/login.htm

There you'll notice the interface for the router. It sure as hell doesn't have Wi-Fi, so I don't know where you came up with that. Anyhow, I tried multiple usernames/passwords myself but to no avail on mine. Just accept it and move on, they obviously don't want consumers messing about in there.
 

roligov

Well-Known Member
Joined
Dec 11, 2007
Messages
438
Yes it does, Wifi setup would be under the network section. Also the password tip is a giveaway: "Password Tip: Default web password is WiFi WPA password". I can't accept not having access to a device I own. I ran an NMAP on it and got 3 results:

Nmap scan report for 192.168.1.254
Host is up (0.000010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http

I'm currently brute-forcing SSH with Hydra. Will feedback with results if any.

Worst case I'm going to factory reset this device, willing to risk the possible downtime.
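
For readers auditing their own ONT, the scan report in the post above can be checked against an exposure policy. This is an added example, not part of the original post; the `POLICY` ratings and the `audit_report` function are assumptions made for illustration.

```python
import re

# Constructed sample: the scan report quoted in the post above.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.1.254
Host is up (0.000010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
"""

# Assumed review policy (not from the thread): how each management
# service on a CPE/ONT is rated when it is reachable.
POLICY = {
    "telnet": ("high", "cleartext login; disable or filter"),
    "ftp": ("high", "cleartext file access; disable"),
    "http": ("medium", "cleartext web admin; restrict to a management VLAN"),
    "ssh": ("low", "encrypted, but confirm non-default credentials"),
}
ORDER = {"high": 0, "medium": 1, "review": 2, "low": 3}

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def audit_report(text):
    """Return findings for open ports in nmap normal output, worst first."""
    findings, host = [], None
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if not m or m.group(3) != "open":
            continue  # skip headers and closed/filtered ports
        port, proto, _, service = m.groups()
        # Services outside the policy are flagged for manual review.
        severity, advice = POLICY.get(service, ("review", "unexpected open service"))
        findings.append({"host": host, "port": int(port), "proto": proto,
                         "service": service, "severity": severity, "advice": advice})
    return sorted(findings, key=lambda f: (ORDER[f["severity"]], f["port"]))

if __name__ == "__main__":
    for f in audit_report(SAMPLE_REPORT):
        print(f"{f['host']} {f['port']}/{f['proto']} {f['service']}: "
              f"{f['severity']} - {f['advice']}")
```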
 

hjlinde

Active Member
Joined
Oct 30, 2015
Messages
46
> I'm currently brute-forcing SSH with Hydra. Will feedback with results if any.
>
> Worst case I'm going to factory reset this device, willing to risk the possible downtime.

Well, by now I would hope your brute force revealed something, we're in 2018 now xD. Any luck?
 

nDdKING

Active Member
Joined
Jul 6, 2008
Messages
35
Have you ever managed to find a way into this ONT?

Have found two accounts that work for my Nokia/Alcatel-Lucent ONT (G-240G-C):

username: ONTUSER
password: SUGAR2A041

Only works for telnet/SSH and provides a zebrabox shell for configuration (commands can be listed by entering a '?').

username: adminadmin
password: ALC#FGU

Works for the web interface (192.168.1.254) and gives a root busybox shell via telnet/SSH. Found in the manual submitted to the US FCC here.

There is also a 'superadmin' folder in /configs/home but this user does not exist in the shadow file.

Appears to be a pretty standard Linux MIPS Broadcom box with remote software updating supported. Remote config is achieved through TR-069. Kernel is 3.4.11-rt19 with Busybox version v1.15.3. It seems all G-240G-* ONTs are grouped into the g440ga family.

Some rather interesting scripts in /bcm/script/. Looks like a lot of the important setup is done from here.

Device config is stored in /configs/config.cfg and the file appears to be encrypted. Configuration can be achieved through the cfgcli utility.

To view config do:
# cfgcli -a
This is where the credentials for the web interface are stored. The 'userAdmin' account mentioned in the manual doesn't appear anywhere here, I assume it has been removed. Password of the database user is 'AK47&M16'. Guess there is an Alcatel engineer who likes his FA's.

Appears that the Bosa optics are controlled through the /sbin/bob utility.
eg: To authorize yourself and disable the laser:
# bob pwd 31853211
# bob txctrl 0

GPON status can be viewed with:
# bs /b/e gpon format:line
Some very interesting stuff here (PON encryption key).

An FTP server can be started with:
# tcpsvd -vE 0.0.0.0 21 ftpd /
This allows FTP access to the root directory (FTP credentials are the same as SSH) and a full dump of the filesystem can be made (just make sure not to copy /proc/). This makes it a lot easier to explore than ls-ing and vi-ing all over the place.

Still more digging to do.
 