2004/05/24 07:06: Breaking Into the CE-150

So I bought a CopperEdge-150 DSLAM on eBay for a very good price.

It didn’t come with the password.

CopperMountain is widely regarded as tight-lipped unless you have a service contract costing five figures with them.

So I broke in.

The CE-150 has two serial ports: the CRAFT port, for management, and the Diagnostic port, which is the equivalent to the console on a PC.

It has a pretty spiffy BIOS, based on VxWorks, so there’s something to work with.

First, I plugged my serial cable plus null modem adaptor plus gender changer into the Diagnostic port.

Then, found the IP address: ifShow, and looked through the output and found 63.171.192.23, with a netmask of 0xffffffe0.

On my workstation, I set up an FTP server, added a temporary IP address to my machine: ip addr add dev eth0 63.171.192.24/27, and got to work.

On the CE-150, hostAdd "betelgeuse","63.171.192.24" sets up a host entry, then netDevCreate "betelgeuse:","betelgeuse",1 sets up an FTP session device.

Then, cd "/CE200/SYSTEM", and iam "username","password" for logging into the FTP server.

Then, the magic copy "CONFIG.TGZ","betelgeuse:cf.tgz".

Voila, I have the config file, a gzipped text file (not a TAR file!). In it is an encrypted (hashed, I suspect) copy of the admin password.
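As an added example (not part of the original post), here is one way to check on the workstation whether a file named .TGZ is really a gzipped tar archive or, as here, plain gzipped text. The function name, the size cap and the sample data are assumptions made for illustration; nothing in it reflects the real CE-150 config syntax.

```python
import gzip
import io
import tarfile
import zlib

MAX_PAYLOAD = 16 * 1024 * 1024  # assumed cap: never inflate more than this


def classify_backup(data: bytes) -> str:
    """Classify a *.TGZ blob by content, ignoring what its name claims."""
    if data[:2] != b"\x1f\x8b":  # gzip magic bytes
        return "not-gzip"
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            payload = gz.read(MAX_PAYLOAD + 1)  # bounded read, guards against bombs
    except (OSError, EOFError, zlib.error):
        return "not-gzip"
    if len(payload) > MAX_PAYLOAD:
        return "too-large"
    if not payload:
        return "gzip+empty"
    try:
        # mode "r:" accepts only an uncompressed tar whose header checksum validates
        with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
            tar.getnames()
        return "gzip+tar"
    except tarfile.TarError:
        pass  # not a tar archive; fall through to the text check
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return "gzip+binary"
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "gzip+text"
    return "gzip+binary"


if __name__ == "__main__":
    # Constructed samples, not data from a real device.
    sample_text = gzip.compress(b"# constructed sample\nkey = value\n")
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        body = b"key = value\n"
        info = tarfile.TarInfo("config.txt")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    print(classify_backup(sample_text))                      # gzip+text
    print(classify_backup(gzip.compress(tar_buf.getvalue())))  # gzip+tar
```
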

So in the morning, I’ll have to edit the config file, re-gzip, and copy it back. With luck, it’ll take a blank. We’ll see.

(The next morning) No, no go. I was trying too hard. Just rm "CONFIG.TGZ".
