Folge dem weißen Kaninchen :: Useful
2017-09-01T12:57:31+00:00

Easy as ABC: How to jailbreak your modem/router from China Telecom, using an E-140W-P as an example

First of all: According to Chinese law (including the CSL, the Cybersecurity Law) and China Telecom’s Terms and Conditions, the following instructions are certainly not intended to be carried out in China, are very probably illegal, and prosecution by the authorities cannot be ruled out. I decline any responsibility for the consequences.

In China, China Telecom’s internet connection usually comes as non-transparent access via a combined modem and router (with 3 or 4 LAN ports). The modem uses a DHCP client to obtain a public IP via ADSL or fiber. If required, the integrated router runs a DHCP server to set up a network in the 192.168.1.x segment. The modem/router reserves the IP 192.168.1.1 for itself and serves as gateway and DNS server on the intranet.

A total of 253 clients can connect via the LAN ports and WiFi (addresses .2 to .254). If you want to set up additional networks within your apartment, you can connect further routers to each LAN port.

The problem

In case of doubt, you may find your devices behind two NAT layers, but you only control one of them. Port forwarding and port triggering end at China Telecom’s modem/router combination. However, it is possible to switch the modem to bridge mode and operate it standalone. A technician comes out and reconfigures the modem. Now, however, the internal router can no longer be used, and you have to connect your own router to the modem. After that, only one router can be operated behind the modem, and the internal LAN ports are useless. But at least the technician gives you your access data for China Telecom’s network. For most people this should be the easier and legal way to gain control over the routing tables.

I had the bridge mode switched on temporarily, but couldn’t make it clear to the technician that I wanted to operate a router a few meters away and not behind the wall panel. Perhaps he lacked the imagination, but my wife’s attempts at mediation and translation rather indicate that he assumed a private customer did not have the technical knowledge to operate a router independently (let alone several in one apartment). Anyway, I let the modem run unbridged again. In the short time available, I could not try out whether it would be possible in bridge mode to reach a certain computer on a certain port behind the NAT via the public IP. My only goal was to get control over the port forwarding and the internal firewall of the modem/router.

On the modem itself, there is a sticker with the credentials for the customer to log on to the router — usually the user useradmin and a 5-character combination of numbers and letters. The settings available to useradmin are very limited, and port forwarding between the public IP and the DHCP-assigned IP on the intranet is completely disabled. As a result, DynDNS services do not work in China either.

Access to the modem as user ‘telecomadmin’ promises further options. The password seems to be an 8- to 10-character combination of numbers and letters, but after several unsuccessful logins, the router blocks further login attempts for several minutes. Brute-force attacks may be possible, but seem time-consuming. Anyway, I prefer a set of lockpicks to a crowbar.

In the past, the user useradmin could create a dump of the modem settings in which telecomadmin’s password was stored in plain text. After waiting for you to stop facepalming, I’ll tell you that this is definitely not possible anymore, but it shows the lax handling of China Telecom’s hardware security settings. However, access via a serial interface appeared even more promising, although the connectors were not made externally accessible. To get access to the pins the case has to be opened, which results in a loss of warranty. It helps if you already have experience with logging the serial service interfaces of a WRT54G and some ASUS routers.

Physical — let’s get physical …

Armed with an adapter kit for reading serial data I started to work. In the absence of a computer with an RS232 interface, I additionally used an RS232-to-USB converter. You only have to loosen two screws, one of which is covered by a sticker. The sticker can be loosened easily and stuck back on properly afterwards. The case can be opened damage-free with a spatula and some skill.

A jailbreak for a China Telecom modem simply means finding out the password for the user telecomadmin, who can finally change all settings on the modem. While the term “jailbreak” suggests the idea of breaking out of a prison, it means nothing more than hacking the device. China Telecom seems to rely entirely on the ignorance and technical inability of its customers. Since I have put on the white hat here and only planned the private (test) operation of several Lightning Network nodes behind a NAT firewall, I don’t think my action attracted the attention of the gatekeepers.

I don’t know what other routers/modems China Telecom ships, but I assume that they are all configured very similarly. The software which allows access to the backend is from 2012.

PAWNED!

After opening the case you find a few lonely but properly labeled pins for maintenance purposes. Connect the router to the adapter as follows (the data lines are crossed, as usual for a serial link):

  • GND/GND,
  • TXD/RXD, and finally
  • RXD/TXD,

then connect the adapter to your computer.

Whatever adapter device and operating system you use, the driver will provide access to a (virtual) COM port. I used Windows; plugging in the adapter and installing the driver resulted in a notification that the device was accessible as COM port com4.

Open a terminal (I used PuTTY) with settings like this:

After powering on the router, the console is flooded with the modem’s (or rather the router’s) log output.

You can stop that by pressing the Enter key. A prompt appears asking for a username and password. It was hard to believe, but the very first try with the combination admin/admin worked fine. Your prompt shows ‘S304’, which is a common ‘user’ for a router like this.

With the command

show mdm config

you can force the machine to dump the entire system config. Right-click the upper left corner of the PuTTY window, select “Copy All to Clipboard”, and finally paste it into the editor of your choice. Mine was Notepad++.

Then search for the term

COM_TeleComAccount

You will get the super admin password

XXXXXXXXXX

Login with

telecomadmin/XXXXXXXXXX

Now you get the super admin control panel; lean back and enjoy the satisfaction of having been a little bit smarter than China Telecom.

The bottom line is that …

Again, this procedure is certainly not legal in China! As far as I know, the entire internet traffic in China is subjected to Deep Packet Inspection (DPI), but China Telecom apparently does not attach much importance to the security of the devices it provides. Standard username/password combinations, a cleartext password in plain text files that every owner of a screwdriver can access, and the complete lack of any state-of-the-art encryption make it easy as ABC to jailbreak their hardware.

I published this article first on MEDIUM.


I operate my own little Lightning Node

Feel free to open a channel, e.g. with

clightning:
lightning-cli connect 03f810ac5ca2edf9e7908b4edf98411a26b555d8aee6b1c9a0a5ad62b9359aa546 81.7.17.202 9735
lnd:
lncli connect 03f810ac5ca2edf9e7908b4edf98411a26b555d8aee6b1c9a0a5ad62b9359aa546@81.7.17.202:9735
eclair:
eclair-cli connect 03f810ac5ca2edf9e7908b4edf98411a26b555d8aee6b1c9a0a5ad62b9359aa546@81.7.17.202:9735

Or try my already working online tipping tool. Check it out! Send me some Satoshi through the Lightning Network, please! (Beta)

7 October 2018 | 0 comments

DIY: #RaspiBlitz – build your own #Bitcoin and Lightning Network ⚡ full node for home use

On GitHub I came across the repository of a project named raspiblitz by the user rootzoll and forked it right away. The project describes building a Bitcoin full node with a Lightning Network client (lnd) on top of it on a Raspberry Pi. It contains Amazon shopping lists for France, the United Kingdom and the USA. My fork also offers a shopping list for China from Taobao/T-Mall. Hardware costs (including shipping within China) amount to roughly 111 euros.

What is special about the project is that the whole installation is already precompiled for the Raspi and the setup runs entirely script-driven. I hope that later on one will not only have a full node for developing and testing further external applications, but will be able to use the RaspiBlitz directly as a POS or payment terminal on that basis. The display I installed is a touchscreen, so one could both process user input and provide pleasant output for the user.

The little box could simply be built into a vending machine; one could display payment information (QR code) and then pay with Bitcoin via Lightning from the phone. Also ideal for Bitcoin ATMs, but the RaspiBlitz could also serve as a Bitcoin payment terminal in a shop or restaurant, or be connected to a checkout system in a supermarket.

The possibilities are almost limitless!

Impressions

12 September 2018 | 0 comments

@rogerkver and @JihanWu: Offends, bad meme and even relaxed dialog could not convince you that sticking to Bitcoin Cash is an obsession. Can scientific research?

Downside in BCH ($268), and cryptoassets which attempt to inherit brand recognition and provide minimal technological advantage to incumbents

Seems legit.


It is human nature to want to repeat events in which one was very successful or felt very comfortable. There is a tiny reward center in our brains that teaches us that way. That’s why no ice cream ever tastes like the first ice cream you ever licked, no heartbeat while kissing will ever be stronger than the one during your first kiss, and all parachutists chase the kick of their first jump every time they jump out of a plane afterwards. Your dad’s respect, a good meal, sex, drugs … The list of examples is endless.

But seldom is the sequel to a movie granted the same success as the first one.

Consider the following facts:

  • According to Bitmex’s report, Bitmain, the world’s monopolist in the supply of Bitcoin mining hardware and one of Bitcoin Cash’s biggest supporters, has already lost about $328 M in attempts to turn the altcoin Bitcoin Cash (BCH) into a success.
  • The Lightning Network, a peer-to-peer network supporting Bitcoin and other participating cryptocurrencies, has not yet reached a reasonable version number but already has more active nodes on mainnet than BCH.
  • In the recently published analysis of the cryptocurrency market by the research firm SATIS GROUP (published on bloomberg.com), Bitcoin Cash is, in the authors’ opinion, sentenced to sink into insignificance within the next 10 years. Hence Bitcoin Crash would have been the better name.

Who will call a halt before it is too late?

1 September 2018 | 0 comments

How the monopolist Bitmain exploits its supremacy to milk the world

My findings are based on first-hand experience. I have lived in China since late 2011. I operated home mining from 2013–2016 with equipment from Bitmain (S3, S3+, S5, S7), bought hash power from Hashnest (Bitmain) and had cloud mining contracts with Genesis mining and Hashflare.

During this time Bitmain pushed itself to the very top of the mining industry and displaced all other competition. Fraudulent companies that announced hardware but never built it contributed to Bitmain’s success.

The process of collecting transactions, putting them into blocks and validating them is called mining. As an incentive to complete this task properly, the successful miner may award themselves a reward. This reward is also how new Bitcoin is brought into circulation. Roughly every four years, the reward is halved. Similar to gold digging, this is meant to simulate that mining value becomes more and more difficult. This is not to be confused with the difficulty, which is adjusted approximately every 14 days (every 2016 blocks) to smooth out significant increases or decreases in the global hash rate and keep the average block time at 10 minutes.

In the early days of Bitcoin, mining took place on CPUs. With a rising Bitcoin exchange rate, the use of GPUs became efficient. But the invention of ASICs, highly specialized chips, changed the circumstances dramatically. Satoshi Nakamoto does not seem to have foreseen this development; his whitepaper practically only talks about CPU power. Bitmain focused very early on the development and use of ASICs. The company is headquartered in China and has close business relationships with a large number of mining pools located there. Bitmain mines in large facilities itself, develops new hardware at relatively short intervals and sells it worldwide. With China-based mining pools depending on Bitmain’s hardware, one could already start a 51% attack. Don’t worry — more about that below.

In the long and exhausting scaling debate that ended in the activation of SegWit in 2017 and resulted in several hard forks, Bitmain spoke out against SegWit activation but later joined SegWit2x. It seems obvious that they promote Bitcoin Cash and other altcoins — probably for reasons that become clear below.

How could a Chinese Hardware supplier monopolize a whole industry?

Bitmain’s strategy is very simple but requires continued growth. It is based on technology and knowledge advantages and on a unique position to manipulate the market, and the “raw material” market at its source, almost arbitrarily. The strategy below does not claim to be complete, and a $4 billion company has certainly hired a few experts to optimize its processes and cover its traces as best it can.

  1. It all starts with the development of a new hardware generation of mining machines.
  2. Bitmain starts mining with its own hardware but takes care that the difficulty rises only slowly. With a rising exchange rate, Bitmain already earns a lot of wealth.
  3. At a time when ROI is relatively low (low difficulty, high exchange rate), Bitmain starts selling this hardware generation in mass. They again earn lots of money, but the investment risk shifts to the buyer.
  4. The latest generation of hardware is sold for months until the market is saturated or the ROI reaches the limit of the buyers’ willingness to take risks.
  5. Over the entire period it makes sense for Bitmain to push the price of Bitcoin up through sales on all markets.
  6. The hardware buyers make only small profits; their hardware just reaches ROI.
  7. Now follows the death blow: by deploying additional hardware the difficulty is significantly increased, and at the same time the Bitcoin exchange rate is pushed down hard for 4–6 weeks.
  8. a) Mining is no longer efficient for a large part of the worldwide mining pools at unchanged energy costs. They have to switch off their devices because the electricity costs exceed the yields.
    b) Cloud miners follow a similar strategy, and after a trial period the contracts with the clients end. However, it can be assumed that the devices are not really switched off but continue to operate in the hope of a strongly rising exchange rate in the near future.
  9. Since Bitmain, due to its high volume on the international trading platforms, can keep the price down for as long as it likes (probably with a silent agreement or even in cooperation with the large trading platforms), it can also cash in by betting on falling prices, with high leverage!
  10. If the global hash rate should drop, it is compensated by additional Bitmain hardware and kept stable.

Now Bitmain can let the exchange rate rise again in a controlled manner, the majority of the hardware now works for Bitmain, they have the proceeds from the hardware sale and from the speculative business, and mining revenues flow directly to Bitmain as the exchange rate rises.

Sometime in the meantime, Bitmain has developed a new hardware generation, which may even already be in use. A new cycle of exactly the same game begins. Big non-Chinese mining pools have no choice but to play along and try to make maximum profit from the situation. The risk is permanently shifted to the customer through cloud mining contracts.

Bitmain is a monopolist who skilfully and mercilessly exploits its unique supremacy to maximize its profits. I don’t want to take that further at this point, but any commitment to decentralization hides Bitmain’s real ambitions only. It’s a multibillion-dollar company and they’re just looking at the profit.

They have already applied the same strategy to Dash, Zcash and Bitcoin Gold. The fact that this business model works brilliantly makes Bitmain’s negative attitude towards developments such as the Lightning Network easy to understand.

The Lightning Network removes the foundation of their business model by shifting trust in the individual transaction to the network and degrading validation to a simple recording device — a distributed database. In this sense, Bitmain’s strategy is a game against time and is already shifting to other cryptocurrencies that use a PoW consensus mechanism and refuse SegWit and the Lightning Network. So the problem should go away on its own, shouldn’t it?

What to do?

If you want to break Bitmain’s preeminence, you can only develop ASIC-based hardware yourself. Corresponding efforts have failed in the past. The high initial investments and the high risk made all efforts fizzle out.

The PR China is forcing large mining facilities to move gradually by slowly increasing energy costs, but as long as energy costs are below the global average and Bitmain can move its mining farms to appropriate areas, the game will continue.

However, for Bitcoin the limit of minting output will soon be reached; operating large facilities will become unprofitable because there is not much more Bitcoin to get. Even if the Bitcoin price rises exorbitantly, increasing the global hash rate is no longer worthwhile. One can only hope that at this point in time the hash rate is distributed as evenly as possible across the globe.

Bitcoin mined so far (share of the 21 M cap):

  • Today: ~80%
  • ~Year 2030: 95%
  • ~Year 2140: all Bitcoin in circulation (21 M)
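As an added worked example (not the article’s own code), the halving and difficulty-retarget rules described earlier and the percentages in the list above can be checked with a few lines of Python. Assumptions: block height 535,000 is taken as “today” (late July 2018), years are converted to blocks at exactly 10 minutes per block, and the retarget uses the nominal 2016 × 600 s window (Bitcoin Core measures the span between the first and last block of the window).

```python
"""Bitcoin issuance and difficulty retarget with the article's numbers:
the block subsidy halves every 210,000 blocks (~4 years) and the
difficulty retargets every 2016 blocks (~14 days) toward one block per
10 minutes. Added example, not the article's code."""

SATOSHI = 100_000_000                  # satoshi per BTC
HALVING_INTERVAL = 210_000             # blocks per subsidy era
RETARGET_INTERVAL = 2016               # blocks per difficulty window
TARGET_SPACING = 600                   # seconds per block
MAX_SUPPLY_SAT = 21_000_000 * SATOSHI  # nominal cap
TODAY_HEIGHT = 535_000                 # assumption: height in late July 2018


def block_subsidy_sat(height: int) -> int:
    """Coinbase subsidy for a block at `height`, in satoshi.
    Same rule as Bitcoin Core: 50 BTC shifted right once per halving,
    zero once the shift would exceed 63 bits."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    return (50 * SATOSHI) >> halvings


def supply_at_height_sat(height: int) -> int:
    """Coins issued by blocks 0 .. height-1, summed era by era."""
    total = 0
    era_start = 0
    while era_start < height:
        era_end = min(height, era_start + HALVING_INTERVAL)
        total += (era_end - era_start) * block_subsidy_sat(era_start)
        era_start += HALVING_INTERVAL
    return total


def supply_fraction(height: int) -> float:
    """Share of the 21 M cap issued before `height`."""
    return supply_at_height_sat(height) / MAX_SUPPLY_SAT


def height_after_years(start_height: int, years: float) -> int:
    """Height reached `years` after `start_height` at exactly 10-min blocks."""
    blocks_per_year = 365.25 * 24 * 3600 / TARGET_SPACING
    return start_height + int(years * blocks_per_year)


def retarget(old_target: int, actual_seconds: int) -> int:
    """Target for the next window, derived from how long the last one took.
    A shorter window (more hash rate) lowers the target, i.e. raises the
    difficulty. The ratio is clamped to [1/4, 4] per window, so even a
    sudden large hardware deployment moves difficulty in bounded steps.
    Simplification: nominal 2016 x 600 s window instead of Core's
    first-to-last-block span."""
    expected = RETARGET_INTERVAL * TARGET_SPACING
    clamped = max(expected // 4, min(expected * 4, actual_seconds))
    return old_target * clamped // expected


if __name__ == "__main__":
    for label, years in (("today", 0), ("~2030", 12), ("~2140", 122)):
        h = height_after_years(TODAY_HEIGHT, years)
        print(f"{label:>6}: height {h:>9,} -> {supply_fraction(h):.1%} issued")
    half_window = RETARGET_INTERVAL * TARGET_SPACING // 2
    print("target after a half-time window:", retarget(1_000_000, half_window))
```

Running it shows about 82% issued at height 535,000, well over 95% by the early 2030s, and essentially the full 20,999,999.9769 BTC long before 2140, since eras after the 33rd contribute nothing.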

As you see, Bitmain has a long way to go, if they want to continue their game. In the meantime, an article like this may shed some light on their machinations.

By the way: no worries about a 51% attack, a sudden failure of large hash capacities, or even an attempt by China to expropriate Bitmain and/or all miners in China. Bitcoin is not determined by the miners or developers and certainly not by a hardware manufacturer — even if they like to think so. Bitcoin is operated by the nodes, in case of doubt by the wallet operators. In case of a hostile takeover, the hash algorithm would simply be changed and/or a fork to another consensus algorithm would take place. All mining hardware worldwide would be worthless at a stroke, and all of Bitmain’s investments would be gone.

But the best way to beat Bitmain is the Lightning Network! As described above and in my other articles, the Lightning Network will adjust the balance of power and move it back to the user. I am convinced that this is the reason why Bitmain is increasingly focusing its activities on “classic PoW” coins. There Bitmain can expect to keep abusing its position of power and to continue this devil’s game.

The future will show who has the staying power.


This article first appeared on Medium.


25 July 2018 | 0 comments