Here’s a guide I found online with which you can ‘root’ your Speedtouch. I’ve got two Speedtouch routers on which I’ve tested this and both ‘work’, although you can’t get the much wanted ‘debug exec’ command to work with this hack with firmware version >= 6.2.x.
The debug exec command is very usefull for, well, executing debug commands :o) and gathering more information about certain settings.
1. Open a SpeedTouch webpage at ‘User Management’.
Home > Toolbox > User Management. The default IP is ’192.168.1.254′, and the default user is “Administrator” with a blank password, although this can change from supplier-to-supplier. The process below will remove ALL usernames from the user.ini, so you may wish to back it up first from Home > SpeedTouch > Configuration > Backup & Restore.
2. Log into the SpeedTouch using Telnet (port 23)
I used PuTTY to do this, but any telnet client is fine (Windows has one called, er, ‘telnet’). CLI commands can also be issued via FTP, using the “quote site” ftp-command, but telnet is easier.
3. Login with username + password.
I’ve seen on other sites that an MLAP of at least “Administrator” is required to access telnet & ftp, but have never read that myself within any Thomson documentation.
4. Issue the (CLI) command “user flush” (no quotes).
If you then do “user list” before and after you will get the contrast; afterwards it will be empty.
5. Type “exit” (no quotes) to log out of telnet.
6. Now login again to telnet.
Simply press the return key twice if asked for username and password. You are now logged in as user “root” with full, unrestricted MLAP privileges.
7. Type “user add” (no quotes) and add a new user… with root privilege!
You *have* to add a password (as you can see below I first attempted with a blank password).
8. Type “exit” (no quotes) to log out of telnet.
At this stage, the user.ini has not changed. There is probably a CLI-command to do that, but the next steps are an easy way to update it.
9. Return to the ST webpage, and enter your (new) name and password.
(Remember that both are case-sensitive) That happened automatically for me. You may need to click on a new webpage to get the login-box.
10. Now add a new user on the webpage.
Home > Toolbox > User Management > New User. As you are now the root user, you can allocate any level of MLAP privilege to that user that you wish! The password for the new user will be the same as the username. After you press Apply, the user.ini is updated with both names. Remember that all the previous names will disappear.
This is what it should look like when you telnet to the router at step 6:
~$ telnet router Username : Password : ------------------------------------------------------------------------ ______ SpeedTouch 585 / /\ 6.1.4.3 _/ /\_____/___ \ Copyright (c) 1999-2006, THOMSON *funky ascii art removed* ------------------------------------------------------------------------ =>user list =>user add name = root password = Required parameter (use ctrl-c or ctrl-g to abort) password = **** Please retype password for verification. password = **** role = root [hash2] = [descr] = [defuser] = [defremadmin] = [deflocadmin] = :user add name=Alex password=_CYP_*hidden* role=root =>user list User Flags Role ---- ----- ---- root root
You can try the following command to see if it doesn’t give a warning (Firmware 6.1.x or lower):
debug exec cmd='tdsl getData all'
The best instructions I have found in the last months regarding this router :-) Thanks a lot!!
Hi, iv’e followed your guide, but now what good does it make to be a roor user?
Can I modify the Broadband Conection settings? Like changing the DNS server??
If so, pls tel me how!
Hi, never mind, i found the dns command on telnet haha, thanks anyway!
{Administrator}=>user list
User Flags Role
—- —– —-
Administrator U Administrator
tech R TechnicalSupport
{Administrator}=>user add
name = root
password = ****
Please retype password for verification.
password = ****
role = root
[hash2] =
[descr] =
[defuser] =
[defremadmin] =
[deflocadmin] =
:user add name=root password=_*Hiden* role=root
[mlp] Current user isn’t allowed to add another user with specified role.
{Administrator}=>user list
User Flags Role
—- —– —-
Administrator U Administrator
tech R TechnicalSupport
It seems that in newer versions of the firmware disable this feature
Another version of this router uses the following User / Pass combination: Username: speedtouch Password: administrator
Worked a treat on software version 6.2.29.2. Now am root!
Thanks.
the cli command is : saveall
Hi there,
an other easy method to do the “root hack” is to download the user.ini with FTP and modify the part @ mlpuser.ini so that it looks like this:
add name=moe25 password=_CYP_df17a2735b#######442f2f4b453b role=root hash2=39bba916791#######491014b1d1d defremadmin=enabled
just add a role=root to the username. The advantage of this method is that you can keep your other user names….
so long
m0e
Many thanks for this useful information. I was wondering about the “flush” command, but was wary of trying it without knowing the result.
I was particularly keen to gain control as I have found on a number of occasions that “other” users had logged in, not my ISP I might add.
Whilst it might be the manufacturer simply gathering stats, this is something I do not approve of at all!
Cheers,
Les.
Hi.
I wander if this works on a Thomson TG712.
I am a bit warry of using the “flush” command so I would like to try the FTP method. How can I access the router through ftp?
BR
dinis
I do have a TG712 from ISP “Online” (The Netherlands), I can’t get it working because the username and password are not accepted. Are there some “master” username and password for the thomson equipment?
Does any body knows how to chage level in new versions like :
SpeedTouch 780
Software Release: 7.4.5.1
Supamoe25 hack
“add name=moe25 password=_CYP_df17a2735b#######442f2f4b453b role=root hash2=39bba916791#######491014b1d1d defremadmin=enabled”
Does anyone know if a new line is required or is it just a replacement
i.e. replace role=EndUser_1 by role=root in the following line:
“add name=_DEV_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx password=_CYP_xxxxxxxxxxxxxxxxxxxxx role=EndUser_1 hash2=xxxxxxxxxxxxxxxxxxxxxxxxxxx defuser=enabled”
The hack worked with Speedtouch 510 (v5.4.0.14) used in Brazil!
Thanks for sharing!
Hi ,I use Speedtouch 510 firmware (v5.4.0.17) used in Brazil . Whe I try access the device via telnet or ftp it ask me for a user and a password, even if a reset the modem the password its still asked.
In my mpluser.ini
add name=Administrator password=_CYP_d41d8cd98f00b204e9800998ecf8427e role=Administrator hash2=a2e279ed6671666bed7738338c8c849f defuser=enabled
add name=Guest password=_CYP_d41d8cd98f00b204e9800998ecf8427e role=User hash2=4151d4258ae0457efac593de8eb05316
add name=tech password=_CYP_3688413e7376b264776760ff69bdfbff role=SuperUser hash2=021d27c7681d2f907af0e6aea955843d defremadmin=enabled
How to gain access with the tech password ?
Thanks in advance.
Im at the same ISP (online, netherlands) but when i connect to the speedtouch 712 on telnet, using putty it asks me to enter username
i entered username: online (thats the only user in user management) theres no password but when i press enter it kicks me out?
Any help appericiated
To backup user.ini go to your web interface to “Speedtouch” > “Configuration” and at the bottom “Save or Restore Configuration” then click [Backup Configuration Now...]
Open the user.ini file you downloaded from the backup and search for “role=” without quotes. Replace the “role=some default role” with “role=root” and then restore the user.ini on the same page you backed it up at.
Also, it is handy to note that when you telnet to your device you can type menu to get a handy little menu. Use tab and arrow keys and ctrl+g or ctrl+c to cancel. Modifying connections is really nice with the menu because it fills everything in for you automatically. Very cool!
You can also type help as a command to get all the commands you can type.
I have an mlap of Poweruser so Telnet Is disabled. How do i hack it?
[...] Help would be much appreiciated. Check out our user posted comments/solutions, or post your own! Darren T asks, I have a speedtouch 585 v6 router and i can not connect to the internet,my ipod is ab…se it can't find the server. Help would be much appreiciated. Check out our user posted [...]
im very tnx fo hack tril