DMT: DMT is a fabulous utility for Windows that allows diagnostics on numerous routers, including a large range of Alcatel/Thomson routers & gateways. It is so useful that at least one British ISP complained to Thomson that the number of support requests from folks using it was a drain on their Help-Desk resources. In response, Thomson at first (r6.1.4.6) reduced functionality of certain CLI-commands critical to DMT, then removed user-access altogether (r6.1.4.7). The relevant part of the Release Note (p14, same for all models, and all versions r6.1.4.7 & later) states:
Quote:
Debug commands
Description
On all platforms, usage of the debug commands will lead to loss of DSL or IP connectivity. Use these
commands only when specifically approved by Thomson.
Workaround
None.
That specific command is essential for DMT to produce some of its most useful info and graphs. You will notice, however, that it does not say that the command has been removed, and that gives me hope. We simply need to find a way to become "specifically approved by Thomson".
For those that remember, these debug commands are uncannily similar to the 'Trace & Debug' prompt that is used via Telnet in the ST-Home to convert it to a ST-Pro (see these Israeli or Netherlands sites).
MLAP:
Starting with r5.3.0 firmware, Thomson introduced 9 standard privileges that can be assigned to users. Curiously, nothing was reported in the r5.3.0 Release Note about this, although it is mentioned briefly within the r5.3.0 User Guide (p13). That was March 2005.
r5.3.0 was an important release for Thomson, and was even back-ported into various r4 firmware. The MLAP setup has been continued into all subsequent firmware. These are the 9 privileges, as reported in the XS4ALL Wiki [added: you will also find them within the r5.3 or later CLI-manual (p459), "mlp role list"]:
Quote:
MLAP User Privileges
root : Root (master) account. This user has all privileges without any exceptions or limitations.
SuperUser: Can perform any service via any access channel from any access origin.
TechnicalSupport : Can perform any service via any access channel from WAN origin only.
Administrator: Can perform any service via any access channel from LAN (local) origin only.
LAN_Admin: Can perform only LAN related configurations via any access channel from any origin.
Poweruser: Has access to the GUI (Service/overview page) via HTTP or HTTPS access channel from LAN origin only.
WAN_Admin: Can perform only WAN related configurations via any access channel from any origin.
User: Has access to the GUI (Overview pages, remote assistance) via HTTP or HTTPS access channel from LAN origin only.
Guest: This user does not have any privileges.
One obvious thought is that this is how to become "specifically approved by Thomson". Looking at screen-shots on the DSL-Modem Hilfe forum, Administrator has insufficient privileges. TechnicalSupport (usually established as username 'tech' with a default password of 'tech') may have, but can only access from the WAN side. SuperUser should have, and root definitely will have, sufficient privilege. This needs more research... _________________ Alex Kemp
Last edited by Alex Kemp on Sat Dec 08, 2007 9:09 pm; edited 1 time in total
Joined: 30 Jun 2004 Posts: 2858 Location: Nottingham, England
Posted: Fri Dec 07, 2007 10:38 pm Post subject: Part 2
The first post introduced the problem of Thomson shafting anybody that wants to make use of DMT and also has an Alcatel router with Firmware of r6.1.4.6 or higher. That post also introduced the MLAP, introduced at r5.3.0 firmware and present in all subsequent firmware, as a possible route to side-stepping the restrictions. This post covers some more detail on the MLAP, with some discoveries that may take us a little way down the road to hacking it.
What follows are drawn from investigations on a SpeedTouch 585v6 with r6.1.4.3 firmware.
In what follows, it will help everyone's understanding to point out that the ST-585 (like all ADSL Routers/Gateways) is a fully-fledged computer, designed to carry out specific functions. It has a RISC cpu (MIPS32), a single-partition file-system (early Alcatel routers were dual-partition, later ones are not), sub-directories, and a Unix-like OS. This latter is important, as all names--including directories, filenames, usernames & passwords--are case-sensitive.
The router has a CLI ('Command-Line Interface') that is accessible via Telnet (port 23). It also contains a FTP server, which means that it is accessible via ftp (port 25). The directories and files that can be seen via FTP are limited according to the privileges assigned via the MLAP. With Administrator privileges, you can see the "dl" directory + a few files that reside inside it (the software image is in this dir, but an Administrator cannot see it), and that is it. Pretty pathetic. The router also contains a web-server (port 80 and 443). This latter allows the browser-interface that most people will use to configure it.
Inside the "dl" directory is a very important file: "user.ini". Entries within that file indicate that it is used massively in setting up the router at startup. A very interesting question is whether it is the sole arbiter in setting up users within the router (in other words, are the router-users stored between sessions, or are they setup each time on startup?). I do not have the final answer to that question yet, but I do have some insights into the format of that section.
"user.ini" is so important to the router that you are well advised to copy it and store it somewhere safe in case of file-corruption (remember, the router only has a single partition, with no backup partition). That can be done from the web-interface:
Quote:
(requires a minimum of Administrator privileges):
Home > SpeedTouch > Configuration > Backup & Restore
The same page is used to restore the file from backup.
If you have a look at the file within a text-editor, you will find the following section (I have placed a newline between the original entries, and some extra users that I added later; you will see why later on):
So, on delivery the router was setup with 3 users, then I setup 6 more; note that any user can add (and delete) new users with the same MLAP user-privilege or less (not more):
Quote:
name: Administrator; password: (blank); MLAP privilege: Administrator; this is the default local user.
name: tech; password: (unknown, NOT `tech`); MLAP privilege: TechnicalSupport ; this is the default remote user.
name: admin; password: (unknown, NOT `admin`); MLAP privilege: Administrator.
...and here are 6 more that I setup to test the password formats:
Posted: Sat Dec 08, 2007 10:42 pm Post subject: Found it!
Well, blimey, that was easier than I expected (although it still needs to be tested, since I do not have the anti-DMT restriction on my router's firmware).
Check out this new [ mlpuser.ini ] section in my new ST-585v6 user.ini:
I've found a simple way to provide oneself with any MLAP privilege desired, right up to "root". It requires only (AFAIK) that a user with a privilege of "Administrator" already exists.
The process is reasonably simple, and involves use of CLI-commands; these commands exist in all firmware from r5.3.0 up until at least r6.2.H:
Quote:
Open a SpeedTouch webpage at 'User Management'.
Home > Toolbox > User Management. The default IP is '192.168.1.254', and the default user is "Administrator" with a blank password, although this can change from supplier-to-supplier. The process below will remove ALL usernames from the user.ini, so you may wish to back it up first from Home > SpeedTouch > Configuration > Backup & Restore.
Log into the SpeedTouch using Telnet (port 23)
I used PuTTY to do this, but any telnet client is fine (Windows has one called, er, 'telnet'). CLI commands can also be issued via FTP, using the "quote site" ftp-command, but telnet is easier.
Login with username + password.
I've seen on other sites that an MLAP of at least "Administrator" is required to access telnet & ftp, but have never read that myself within any Thomson documentation.
Issue the (CLI) command "user flush" (no quotes).
If you then do "user list" before and after you will get the contrast; afterwards it will be empty.
Type "exit" (no quotes) to log out of telnet.
Now login again to telnet.
Simply press the return key twice if asked for username and password. You are now logged in as user "root" with full, unrestricted MLAP privileges.
Type "user add" (no quotes) and add a new user... with root privilege!
You *have* to add a password (as you can see below I first attempted with a blank password).
Type "exit" (no quotes) to log out of telnet.
At this stage, the user.ini has not changed. There is probably a CLI-command to do that, but the next steps are an easy way to update it.
Return to the ST webpage, and enter your (new) name and password.
(Remember that both are case-sensitive) That happened automatically for me. You may need to click on a new webpage to get the login-box.
Now add a new user on the webpage.
Home > Toolbox > User Management > New User. As you are now the root user, you can allocate any level of MLAP privilege to that user that you wish! The password for the new user will be the same as the username. After you press Apply, the user.ini is updated with both names. Remember that all the previous names will disappear.
Here is what my second telnet session looked like; I tried at first to enter a blank password for the new user, but it would not let me do that:
------------------------------------------------------------------------
_=>user list
=>user add
name = Alex
password =
Required parameter (use ctrl-c or ctrl-g to abort)
password = ****
Please retype password for verification.
password = ****
role = root
[hash2] =
[descr] =
[defuser] =
[defremadmin] =
[deflocadmin] =
:user add name=Alex password=_CYP_a08372b70196c21a9229cf04db6b7ceb role=root
=>user list
User Flags Role
---- ----- ----
Alex root
What now remains is to confirm that a root or SuperUser role will allow the DMT commands to be used (my router has r6.1.4.3 firmware, which is unaffected by the r6.1.4.6+ restrictions). I certainly hope so, as it will leave the way clear for me to upgrade. _________________ Alex Kemp
Posted: Mon Dec 10, 2007 7:02 pm Post subject: And here is why a fix is required.
A long-time poster in the Australian Whirlpool forums told me that he was using DMT on a ST-585v6 (same as mine) with r6.1.9 firmware without problems. I took him at his word, and this was the result on DMT first startup after upgrading to r6.1.9.6:
Oh dear!
Well, OK:
Code:
Choose menu:
Special => Misc. Options => Firmware Specific => Command04
(option "adsl debug bitloadinginfo" in drop-down box)
Restart DMT and select the 'Get Data for Graph' (which is now available) and restart again and now:
Hmm.
German:
Quote:
Fehler in BLV-Tabelle entdeckt
Werte für Diagrammdarstellung sind ungültig oder nicht vorhanden
SNR-Tabelle nicht vorhanden oder fehlerhaft
Werte für Diagrammdarstellung sind ungültig oder nicht vorhanden
Error discovered in BLV table
Values for diagram representation are invalid or missing
SNR table missing or faulty
Values for diagram representation are invalid or missing
(`adsl debug bitloadinginfo' is within r6.2.F 585v6 firmware, but not r6.1.9.) (It looks like Thomson threw DMT a small lifeline.) _________________ Alex Kemp
Posted: Mon Dec 10, 2007 7:50 pm Post subject: SuperUser? Pants!
Here was my chance to test out the MLAP privilege system live.
I went through the steps detailed in post#3:
Code:
(using telnet)
Flush user
exit
(telnet again;
we are supposed to be in root mode at this stage;
login--which means press return twice)
debug exec cmd='tdsl getData all'
=====================DISCLAIMER======================
Access to expert commands is intended for qualified
personnel only.
==================END=OF=DISCLAIMER==================
Command not allowed
add user
(everything else as before)
Then use the web-interface to add a SuperUser (exactly as before), and also another SuperUser called `su'. And here is a great surprise.
Now, not only are those first two entries identical to the original ones, but so is the third. If you look at this Whirlpool post from 'Biggles', you will see the identical "password" value. Yet Biggles has a different model of SpeedTouch, with a different firmware. So, whatever the variance, it is independent of model and firmware. How very curious. (Added later: The value stored in user.ini for password is a plain md5 of the password, with `_CYP_' added at the front; my tests were adding a newline to every string that I tested for md5, and I was getting wrong values (sigh), and making wrong assumptions because of it.)
No change to DMT whatsoever. Completely shafted by the r6.1.9.6 firmware, with a small lifeline added by Thomson with r6.2+ firmware that allows at least the top graph back. _________________ Alex Kemp
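Since the thread establishes that user.ini stores each password as `_CYP_` plus an unsalted MD5, a backup of that file can be audited for the guessable passwords and high-privilege roles discussed above. The sketch below is an added example, not part of the original posts or any Thomson tool; the entry line shape is an assumption modelled on the `user add name=... password=... role=...` echo in the telnet session, and the sample file is constructed.

```python
import hashlib
import re

PREFIX = "_CYP_"
# Roles the page describes as unrestricted or WAN-reachable.
HIGH_PRIV = {"root", "SuperUser", "TechnicalSupport"}
# Assumed line shape, modelled on the CLI echo "user add name=... password=... role=...".
ENTRY = re.compile(r"\badd\s+name=(\S+)\s+password=(\S*)\s+role=(\S+)")

def cyp_hash(password):
    """'_CYP_' + hex MD5 of the exact password bytes (no trailing newline)."""
    return PREFIX + hashlib.md5(password.encode("utf-8")).hexdigest()

def audit(ini_text, defaults=("tech", "admin")):
    """Return {name: [issues]} for guessable passwords and high-privilege roles."""
    findings = {}
    for line in ini_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        name, stored, role = m.groups()
        # Candidate passwords named on the page; first matching label wins.
        guesses = {cyp_hash(""): "blank password",
                   cyp_hash(name): "password equals username"}
        for word in defaults:
            # Strip line endings: hashing "tech\n" gives a different digest.
            word = word.rstrip("\r\n")
            guesses.setdefault(cyp_hash(word), "default password '%s'" % word)
        issues = []
        if stored == "":
            issues.append("blank password")
        elif not stored.startswith(PREFIX):
            issues.append("password not stored in _CYP_ form")
        elif stored in guesses:
            issues.append(guesses[stored])
        if role in HIGH_PRIV:
            issues.append("high-privilege role " + role)
        if issues:
            findings[name] = issues
    return findings

# Constructed sample, not taken from a real router backup.
SAMPLE_INI = "\n".join([
    "[ mlpuser.ini ]",
    "add name=Administrator password=%s role=Administrator" % cyp_hash(""),
    "add name=tech password=%s role=TechnicalSupport" % cyp_hash("tech"),
    "add name=su password=%s role=SuperUser" % cyp_hash("su"),
    "add name=opsuser password=%s role=User" % cyp_hash("constructed-Long-Passphrase-71"),
])

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_INI).items():
        print(user, "->", "; ".join(issues))
```

Any account the audit flags should be given a long unique password or removed, and a `_CYP_` value should be treated as equivalent to the password itself when sharing a user.ini.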