Speedtouch fun – the root hack
Comments(14)Here’s a guide I found online with which you can ‘root’ your Speedtouch. I’ve got two Speedtouch routers on which I’ve tested this and both ‘work’, although you can’t get the much wanted ‘debug exec’ command to work with this hack with firmware version >= 6.2.x.
The debug exec command is very usefull for, well, executing debug commands :o) and gathering more information about certain settings.
1. Open a SpeedTouch webpage at ‘User Management’.
Home > Toolbox > User Management. The default IP is ‘192.168.1.254′, and the default user is “Administrator” with a blank password, although this can change from supplier-to-supplier. The process below will remove ALL usernames from the user.ini, so you may wish to back it up first from Home > SpeedTouch > Configuration > Backup & Restore.
2. Log into the SpeedTouch using Telnet (port 23)
I used PuTTY to do this, but any telnet client is fine (Windows has one called, er, ‘telnet’). CLI commands can also be issued via FTP, using the “quote site” ftp-command, but telnet is easier.
3. Login with username + password.
I’ve seen on other sites that an MLAP of at least “Administrator” is required to access telnet & ftp, but have never read that myself within any Thomson documentation.
4. Issue the (CLI) command “user flush” (no quotes).
If you then do “user list” before and after you will get the contrast; afterwards it will be empty.
5. Type “exit” (no quotes) to log out of telnet.
6. Now login again to telnet.
Simply press the return key twice if asked for username and password. You are now logged in as user “root” with full, unrestricted MLAP privileges.
7. Type “user add” (no quotes) and add a new user… with root privilege!
You *have* to add a password (as you can see below I first attempted with a blank password).
8. Type “exit” (no quotes) to log out of telnet.
At this stage, the user.ini has not changed. There is probably a CLI-command to do that, but the next steps are an easy way to update it.
9. Return to the ST webpage, and enter your (new) name and password.
(Remember that both are case-sensitive) That happened automatically for me. You may need to click on a new webpage to get the login-box.
10. Now add a new user on the webpage.
Home > Toolbox > User Management > New User. As you are now the root user, you can allocate any level of MLAP privilege to that user that you wish! The password for the new user will be the same as the username. After you press Apply, the user.ini is updated with both names. Remember that all the previous names will disappear.
This is what it should look like when you telnet to the router at step 6:
~$ telnet router Username : Password : ------------------------------------------------------------------------ ______ SpeedTouch 585 / /\ 6.1.4.3 _/ /\_____/___ \ Copyright (c) 1999-2006, THOMSON *funky ascii art removed* ------------------------------------------------------------------------ =>user list =>user add name = root password = Required parameter (use ctrl-c or ctrl-g to abort) password = **** Please retype password for verification. password = **** role = root [hash2] = [descr] = [defuser] = [defremadmin] = [deflocadmin] = :user add name=Alex password=_CYP_*hidden* role=root =>user list User Flags Role ---- ----- ---- root root
You can try the following command to see if it doesn’t give a warning (Firmware 6.1.x or lower):
debug exec cmd='tdsl getData all'
The best instructions I have found in the last months regarding this router :-) Thanks a lot!!
Hi, iv’e followed your guide, but now what good does it make to be a roor user?
Can I modify the Broadband Conection settings? Like changing the DNS server??
If so, pls tel me how!
Hi, never mind, i found the dns command on telnet haha, thanks anyway!
{Administrator}=>user list
User Flags Role
—- —– —-
Administrator U Administrator
tech R TechnicalSupport
{Administrator}=>user add
name = root
password = ****
Please retype password for verification.
password = ****
role = root
[hash2] =
[descr] =
[defuser] =
[defremadmin] =
[deflocadmin] =
:user add name=root password=_*Hiden* role=root
[mlp] Current user isn’t allowed to add another user with specified role.
{Administrator}=>user list
User Flags Role
—- —– —-
Administrator U Administrator
tech R TechnicalSupport
It seems that in newer versions of the firmware disable this feature
Another version of this router uses the following User / Pass combination: Username: speedtouch Password: administrator
Worked a treat on software version 6.2.29.2. Now am root!
Thanks.
the cli command is : saveall
Hi there,
an other easy method to do the “root hack” is to download the user.ini with FTP and modify the part @ mlpuser.ini so that it looks like this:
add name=moe25 password=_CYP_df17a2735b#######442f2f4b453b role=root hash2=39bba916791#######491014b1d1d defremadmin=enabled
just add a role=root to the username. The advantage of this method is that you can keep your other user names….
so long
m0e
Many thanks for this useful information. I was wondering about the “flush” command, but was wary of trying it without knowing the result.
I was particularly keen to gain control as I have found on a number of occasions that “other” users had logged in, not my ISP I might add.
Whilst it might be the manufacturer simply gathering stats, this is something I do not approve of at all!
Cheers,
Les.
Hi.
I wander if this works on a Thomson TG712.
I am a bit warry of using the “flush” command so I would like to try the FTP method. How can I access the router through ftp?
BR
dinis
I do have a TG712 from ISP “Online” (The Netherlands), I can’t get it working because the username and password are not accepted. Are there some “master” username and password for the thomson equipment?
Does any body knows how to chage level in new versions like :
SpeedTouch 780
Software Release: 7.4.5.1
Supamoe25 hack
“add name=moe25 password=_CYP_df17a2735b#######442f2f4b453b role=root hash2=39bba916791#######491014b1d1d defremadmin=enabled”
Does anyone know if a new line is required or is it just a replacement
i.e. replace role=EndUser_1 by role=root in the following line:
“add name=_DEV_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx password=_CYP_xxxxxxxxxxxxxxxxxxxxx role=EndUser_1 hash2=xxxxxxxxxxxxxxxxxxxxxxxxxxx defuser=enabled”