
SIEMENS S1621-Z220-A 🇩🇪

Dieser WLAN-Router wird von Alice unter der Bezeichnung Alice Modem WLAN 1121 ausgeliefert. Die Standard-IP im Auslieferungszustand ist 192.168.1.1. Weitere Informationen gibt's im alice-wiki.de.

Telnet-Zugang

Die Web-Oberfläche ist aufs Nötigste kastriert, da Alice die Router via Fernwartung steuert.

  • Benutzername: admin
  • Kennwort: Alice??????123

Die Fragezeichen müssen durch die letzten 3 Bytes der MAC-Adresse des Routers in Großbuchstaben ersetzt werden. Diese ist leider nicht aufgedruckt, sondern muss über den Befehl arp -a ermittelt werden, nachdem der Router mindestens einmal angepingt wurde. Bei einer MAC-Adresse von 00:25:5e:18:d3:c9 ist das Kennwort also Alice18D3C9123. Da die MAC-Adresse für jedes Gerät im lokalen Netz sichtbar ist, ist dieses Kennwort dort faktisch kein Geheimnis.

dumpcfg2

Dieser Befehl wirft die komplette Konfiguration als XML aus. Im Auslieferungszustand (nach Einstellen der Zugangsdaten) sieht die etwa so aus:

<psitree>
<SystemInfo>
<!-- SystemInfo: global protocol switches, syslog, SNMP, the login accounts and DNS settings. -->
<!-- NOTE(review): encodePassword="enable" appears alongside password values that are plain Base64
     (see the "==" padding below). Base64 is a reversible encoding, not a hash or encryption, so
     anyone who obtains this dump can recover the stored passwords. Treat dumpcfg2 output as secret
     material and redact these attributes before sharing it. Presumably encodePassword is what
     selects this encoding; confirm on the device. -->
<protocol autoScan="enable" upnp="disable" igmpSnp ="disable" igmpMode ="disable" macFilterPolicy="forward" encodePassword="enable" siproxd="enable"/>
<!-- Syslog is switched off (state="disable"); in this state nothing is forwarded to a log server
     (serverIP is 0.0.0.0), so login attempts leave no remote trace. -->
<sysLog state="disable" displayLevel="ERR" logLevel="DEBUG" option="local" serverIP="0.0.0.0" serverPort="514"/>
<!-- SNMP is disabled here, but the stored community strings are the well-known defaults
     "public"/"private". Change both before ever setting state to enabled. -->
<snmp state="disable" readCommunity="public" writeCommunity="private" sysName="Broadcom" sysLocation="unknown" sysContact="unknown" trapIP="0.0.0.0"/>
<sysUserName value="admin"/>
<!-- sysPassword is empty in this dump; where the effective admin password comes from cannot be
     told from the XML alone. -->
<sysPassword value=""/>
<!-- sptPassword and usrPassword: presumably the support and user accounts. Both values are short
     Base64 strings, i.e. readable by anyone holding the dump; they should be replaced with strong,
     unique passwords if the accounts cannot be disabled. -->
<sptPassword value="c3VwcG9ydA=="/>
<usrPassword value="MA=="/>
<dns dynamic="enable" primary="192.168.1.1" secondary="192.168.1.1" domain="box" host="alice"/>
</SystemInfo>
<WirelessCfg>
<!-- WirelessCfg: radio parameters (vars) followed by one wlMssidEntry per SSID. -->
<vars state="enabled" ssIdIndex="0" country="DE" apMode="ap"  bridgeRestrict="enabled"  wdsMAC_0=""  wdsMAC_1=""  wdsMAC_2=""  wdsMAC_3=""  band="b" channel="9" rate="auto" multicastRate="auto" basicRate="default" fragThreshold="2346" RTSThreshold="2347" DTIM="1" beacon="100" XPress="off" gMode="auto" gProtection="auto" preamble="long" AfterBurner="off" TxPowerPercent="100" WME="off" WMENoAck="off" WMEApsd="on"  RegulatoryMode="off" PreNetRadarDectTime="60" InNetRadarDectTime="60" TpcMitigation="0" AutoChannelTimer="0" globalMaxAssoc="16" />
<wlMssidVars tableSize="2">
<!-- Primary SSID (enblSsId="1"). Review points for hardening:
     * authMode="psk" with wpa="tkip": TKIP is deprecated; prefer WPA2 with AES/CCMP if the
       firmware offers it (the tr69cIEEE11i attributes mention AESEncryption; confirm support).
     * wsc_mode="enabled": Wi-Fi Simple Config (WPS) is on; disable it unless it is needed.
     * wpakey is stored as Base64 only, so the pre-shared key is recoverable from this dump.
       Redact it when publishing a configuration and replace a factory-set key with a long random one.
     * wpaRekey="0": presumably group key rotation is off; confirm the unit and meaning.
     * fltMacMode="disabled", apIsolation="off": no MAC filter and no client isolation. -->
<wlMssidEntry enblSsId="1" ssId="ALICE-WLAND8" hide="0" apIsolation="off" fltMacMode="disabled" disableWme="off" MaxAssoc = "16"  wsc_mode="enabled"  wsc_config_state="1"  authMode="psk" radiusServerIP="0.0.0.0" radiusServerPort="1812" radiusServerKey="" wep="disabled" auth="0" keyBit="128-bit" key64_1="" key64_2="" key64_3="" key64_4="" key64Index="1" key128_1=""  key128_2=""  key128_3=""  key128_4=""  key128Index="1" wpaRekey="0" wpakey="Y2QzY2U0YjhlMzJj"  Preauthentication="off" ReauthTimeout="36000" wpa="tkip" tr69cBeaconType="Basic" tr69cBasicEncryptionModes="None" tr69cBasicAuthenticationMode="None" tr69cWPAEncryptionModes="TKIPEncryption" tr69cWPAAuthenticationMode="PSKAuthentication" tr69cIEEE11iEncryptionModes="AESEncryption" tr69cIEEE11iAuthenticationMode="EAPAuthentication"/>
<!-- Second SSID "Guest": enblSsId="0" (presumably disabled) and wpakey is empty. If this entry is
     ever enabled, set a key first; authMode="psk" with an empty key should not go live. -->
<wlMssidEntry enblSsId="0" ssId="Guest" hide="0" apIsolation="off" fltMacMode="disabled" disableWme="off" MaxAssoc = "16"  wsc_mode="enabled"  wsc_config_state="1"  authMode="psk" radiusServerIP="0.0.0.0" radiusServerPort="1812" radiusServerKey="" wep="disabled" auth="0" keyBit="128-bit" key64_1="" key64_2="" key64_3="" key64_4="" key64Index="1" key128_1=""  key128_2=""  key128_3=""  key128_4=""  key128Index="1" wpaRekey="0" wpakey=""  Preauthentication="off" ReauthTimeout="36000" wpa="tkip" tr69cBeaconType="Basic" tr69cBasicEncryptionModes="None" tr69cBasicAuthenticationMode="None" tr69cWPAEncryptionModes="TKIPEncryption" tr69cWPAAuthenticationMode="PSKAuthentication" tr69cIEEE11iEncryptionModes="AESEncryption" tr69cIEEE11iAuthenticationMode="EAPAuthentication"/>
</wlMssidVars>
</WirelessCfg>
<!-- ATM layer: driver queue sizes (AtmCfg), one traffic descriptor (AtmCfgTd) and the list of
     virtual circuits (AtmCfgVcc). Each vccId entry names a VPI/VCI pair; the wan_V_P_C and
     pppsrv_V_P_C sections further down appear to refer to these pairs by name. -->
<AtmCfg>
<initCfg structureId="2" threadPriority="25" freeCellQSize="10" freePktQSize="200" freePktQBufSize="1600" freePktQBufOffset="32" rxCellQSize="10" rxPktQSize="200" txFifoPriority="64" aal5MaxSduLen="64" aal2MaxSduLen="0"/>
</AtmCfg>
<AtmCfgTd>
<td1 cat="UBR" PCR="0" SCR="0" MBS="0"/>
</AtmCfgTd>
<AtmCfgVcc>
<!-- vccId9999 is administratively down (adminStatus="down"); presumably a placeholder entry. -->
<vccId9999 portId="0" vpi="0" vci="65534" tdId="0" aalType="AAL2" adminStatus="down" encap="unknown" qos="disable" instanceId="1509949445"/>
<!-- Five active AAL5/LLC circuits: 1/32, 2/32, 2/33, 1/34 and 8/35. -->
<vccId1 portId="0" vpi="1" vci="32" tdId="1" aalType="AAL5" adminStatus="up" encap="llc" qos="disable" instanceId="1509949441"/>
<vccId2 portId="0" vpi="2" vci="32" tdId="1" aalType="AAL5" adminStatus="up" encap="llc" qos="disable" instanceId="1509949442"/>
<vccId3 portId="0" vpi="2" vci="33" tdId="1" aalType="AAL5" adminStatus="up" encap="llc" qos="disable" instanceId="1509949443"/>
<vccId4 portId="0" vpi="1" vci="34" tdId="1" aalType="AAL5" adminStatus="up" encap="llc" qos="disable" instanceId="1509949444"/>
<vccId5 portId="0" vpi="8" vci="35" tdId="1" aalType="AAL5" adminStatus="up" encap="llc" qos="disable" instanceId="1509949445"/>
</AtmCfgVcc>
<SecCfg>
<!-- SecCfg: QoS defaults and the per-service access control list for the router's own services. -->
<qosMgmtCfg enableQos="disable" defaultDSCPMark="-1" defaultQueue="-1"/>
<!-- srvCtrlList: ftp, http, icmp and telnet are set to "lan"; snmp, ssh and tftp are disabled.
     Presumably "lan" restricts a service to the LAN side; confirm that nothing is reachable from
     the WAN interface. Review: the only remote shell offered is Telnet, which (like FTP and plain
     HTTP) sends credentials unencrypted, so every LAN and WLAN client can observe or attempt
     logins. Where the firmware allows it, enable ssh and set telnet and ftp to "disable". -->
<srvCtrlList ftp="lan" http="lan" icmp="lan" snmp="disable" ssh="disable" telnet="lan" tftp="disable"/>
</SecCfg>
<!-- LAN addressing and routing. entry1 is the active LAN interface (192.168.1.1/24) with the DHCP
     server enabled and a pool of 192.168.1.50 to 192.168.1.100; the unit of leasedTime="168" is
     not shown in the dump. entry9999 has DHCP disabled and all-zero pool addresses; presumably a
     placeholder. -->
<Lan>
<entry9999 address="1.1.1.1" mask="255.255.255.0" dhcpServer="disable" confDhcpSrv="disable" leasedTime="0" startAddr="0.0.0.0" endAddr="0.0.0.0" subnetMask="0.0.0.0" instanceId="1509949447"/>
<entry1 address="192.168.1.1" mask="255.255.255.0" dhcpServer="enable" confDhcpSrv="enable" leasedTime="168" startAddr="192.168.1.50" endAddr="192.168.1.100" subnetMask="255.255.255.0" instanceId="1509949441"/>
</Lan>
<!-- RIP is disabled both globally and on the single configured interface br0. -->
<RouteCfg>
<ripGlobal state="disable" ripIfcTableSize="1"/>
<ripIfc tableSize="1">
<ripIfcEntry id="1" name="br0" state="disable" version="2" operation="active"/>
</ripIfc>
</RouteCfg>
<!-- Port mapping: two interface groups. "Default" (groupKey 1) contains wl0, eth0.2 to eth0.4 and
     nas_0_8_35; "STB" (groupKey 2) contains eth0.5 and the nas_0_1_34, nas_0_2_32 and nas_0_2_33
     interfaces. The pmapFlt entries assign each interface to a group via bridgeRef.
     NOTE(review): the STB group bridges a LAN port directly to WAN circuits whose wan entries have
     firewall and NAT disabled; presumably intended for a set-top box. Verify which physical port
     eth0.5 is before connecting other devices to it. -->
<PMapCfg>
<pmap tableSize="2">
<pmapEntry id="1" groupName="Default" groupKey="1" groupStatus="1" ifList="wl0:2|eth0.2:3|eth0.3:4|eth0.4:5|nas_0_8_35:10" vendorid0="" vendorid1="" vendorid2="" vendorid3="" vendorid4=""/>
<pmapEntry id="2" groupName="STB" groupKey="2" groupStatus="1" ifList="eth0.5:6|nas_0_1_34:9|nas_0_2_32:7|nas_0_2_33:8" vendorid0="" vendorid1="" vendorid2="" vendorid3="" vendorid4=""/>
</pmap>
<pmapFlt tableSize="10">
<pmapFltEntry id="1" instance="1" status="enable" bridgeRef="-1" interfaceRef="eth0"/>
<pmapFltEntry id="2" instance="2" status="enable" bridgeRef="1" interfaceRef="wl0"/>
<pmapFltEntry id="3" instance="3" status="enable" bridgeRef="1" interfaceRef="eth0.2"/>
<pmapFltEntry id="4" instance="4" status="enable" bridgeRef="1" interfaceRef="eth0.3"/>
<pmapFltEntry id="5" instance="5" status="enable" bridgeRef="1" interfaceRef="eth0.4"/>
<pmapFltEntry id="6" instance="6" status="enable" bridgeRef="2" interfaceRef="eth0.5"/>
<pmapFltEntry id="7" instance="7" status="enable" bridgeRef="2" interfaceRef="nas_0_2_32"/>
<pmapFltEntry id="8" instance="8" status="enable" bridgeRef="2" interfaceRef="nas_0_2_33"/>
<pmapFltEntry id="9" instance="9" status="enable" bridgeRef="2" interfaceRef="nas_0_1_34"/>
<pmapFltEntry id="10" instance="10" status="enable" bridgeRef="1" interfaceRef="nas_0_8_35"/>
</pmapFlt>
<pmapIfcCfg pmapIfName="eth0" pmapIfcStatus="enable"/>
</PMapCfg>
<!-- Global flags; their meaning is not documented in the dump. -->
<Global>
<cfg quickbypass="1" enablefilt="0" isfirstdefault="0" rmflag="0" enableportwd="0"/>
</Global>
<!-- DSL line modes: G.Dmt, ADSL2 and ADSL2plus enabled; G.lite, T1.413, AnnexL and AnnexM disabled. -->
<ADSL>
<settings G.Dmt="enable" G.lite="disable" T1.413="disable" ADSL2="enable" AnnexL="disable" ADSL2plus="enable" AnnexM="disable" pair="inner" bitswap="enable" SRA="disable"/>
</ADSL>
<!-- PPP account for the circuit 1/32. userName and password were replaced with X characters by
     the author of this listing; an unredacted dump contains the ISP access credentials, so keep
     them masked whenever a configuration is shared. How the password is stored on the device is
     not visible here. -->
<pppsrv_0_1_32>
<ppp_conId1 userName="XXXXXXXXXX" password="XXXXXXXXXX" serviceName="" idleTimeout="5" ipExt="disable" auth="auto" useStaticIpAddr="0" localIpAddr="0.0.0.0" manual="automatic" callid="" comfort="" tarif="" Debug="disable" pppAuthErrorRetry="disable" pppToBridge="enable" />
</pppsrv_0_1_32>
<!-- WAN connections, one section per VPI/VCI circuit. Only the PPPoE connection on 1/32 has
     firewall="enable" and nat="enable". -->
<wan_0_1_32>
<entry1 vccId="1" vlanMuxId="-1" conId="1" name="pppoe_0_1_32_1" protocol="PPPOE" encap="LLC" firewall="enable" nat="enable" fullcone="disable" igmp="enable" vlanId="-1" service="enable" instanceId="1509949442"/>
</wan_0_1_32>
<!-- The remaining four connections are bridges with firewall="disable" and nat="disable":
     traffic on them is passed through unfiltered to whichever LAN group they are mapped to. -->
<wan_0_2_32>
<entry1 vccId="2" vlanMuxId="-1" conId="1" name="br_0_2_32" protocol="BRIDGE" encap="LLC" firewall="disable" nat="disable" fullcone="disable" igmp="disable" vlanId="-1" service="enable" instanceId="1509949444"/>
</wan_0_2_32>
<wan_0_2_33>
<entry1 vccId="3" vlanMuxId="-1" conId="1" name="br_0_2_33" protocol="BRIDGE" encap="LLC" firewall="disable" nat="disable" fullcone="enable" igmp="disable" vlanId="-1" service="enable" instanceId="1509949445"/>
</wan_0_2_33>
<wan_0_1_34>
<entry1 vccId="4" vlanMuxId="-1" conId="1" name="br_0_1_34" protocol="BRIDGE" encap="LLC" firewall="disable" nat="disable" fullcone="enable" igmp="disable" vlanId="-1" service="enable" instanceId="1509949446"/>
</wan_0_1_34>
<!-- br_0_8_35 (circuit 8/35) is the bridge that the port mapping places in the "Default" group
     together with wl0 and the LAN ports, again without firewall or NAT. NOTE(review): confirm
     what is reachable over this circuit. -->
<wan_0_8_35>
<entry1 vccId="5" vlanMuxId="-1" conId="1" name="br_0_8_35" protocol="BRIDGE" encap="LLC" firewall="disable" nat="disable" fullcone="disable" igmp="disable" vlanId="-1" service="enable" instanceId="1509949447"/>
</wan_0_8_35>
<!-- Empty sections: nothing is configured for static IPs, IPsec, certificates, dynamic DNS, SNTP,
     time-of-day rules, URL filtering or engineering debug, and the bridged circuits have no PPP
     account. -->
<StaticIpCfg/>
<IPSec/>
<CertCfg/>
<DDNSCfg/>
<SNTPCfg/>
<ToDCfg/>
<ToDUrlFilter/>
<EngDbgCfg/>
<pppsrv_0_2_32/>
<pppsrv_0_2_33/>
<pppsrv_0_1_34/>
<pppsrv_0_8_35/>
</psitree>

cat

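Auf dem Router läuft anscheinend ein Linux-System. Der Telnet-Befehl cat /etc/passwd bringt folgende Ausgabe; auffällig ist, dass alle vier Konten UID und GID 0 haben, also root-Rechte besitzen, und dass die Kennwort-Hashes (dem Format nach klassisches DES-crypt) direkt in der Datei stehen: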

admin:0EppFIXru3Cq.:0:0:Administrator:/:/bin/sh
support:Tvs5UXTUv2zSM:0:0:Technical Support:/:/bin/sh
user:eSlI8uHnuXOGI:0:0:Normal User:/:/bin/sh
nobody:8IHfJi1cB7PZE:0:0:nobody for ftp:/:/bin/sh

swversion

Der Befehl swversion show zeigt die Versionsnummer: 3.12L.01.B2pB023k.d20k_rc2 - im Gegensatz zu der im Backend gezeigten 4.212. Schaut man hier oder hier, sieht man, dass diese Firmware anscheinend auch auf einem Beetel 110BX1 zu finden ist, den es z.B. für Airtel-Kunden gibt. Eine Firmware für das Modell mit genau dieser Versionsnummer gibt's auf wiki.broadbandforum.in.

Firmware

Bisher ist keine Hersteller-Firmware speziell für das Gerät bekannt. Allerdings munkelt man im modemboard.net, dass das Gerät eigentlich ein SIEMENS SL2-141-I (mit leicht geänderter Hardware-Anordnung) in neuer Verpackung ist - und somit auch die Firmware des SL2 funktioniert.

Versteckte Konfigurationsseiten

Schaut man in der Firmware des 110BX1 nach, welche übrigens von Broadcom ist, findet man in Textform haufenweise Namen von html-Dateien. Mit diesen Namen ist es möglich, Einstellungen vorzunehmen, an die man sonst gar nicht herankommen würde. Einige sind z.B. http://alice.box/logconfig.html, http://alice.box/scprttrg.html und http://alice.box/statsatmreset.html. Letztere leitet weiter zu http://alice.box/a1d2v3a4n5c6e7d8.html und dahinter verbirgt sich die vermisste Konfigurationsoberfläche. Nach Eingabe des Administrator-Passworts hat man plötzlich sämtliche Einstellmöglichkeiten, die man von dem alten Modell gewohnt war.

UPDATE: Wie ich gerade gesehen habe, wurde das auch schon unter blog.entheogene.de herausgefunden.

Kernel

Laut den Zeichenketten im Firmware-Image des 110BX1 könnte es sich um einen Linux-Kernel 2.6.8.1 handeln. Unter den Modulen findet sich ein br2684.ko - Broadcom. Jetzt fragt sich, ob es möglich ist, dort OpenWrt, DD-WRT oder ähnliches zu installieren.

Hardware

Oberseite

Foto Oberseite

Unterseite

Foto Unterseite

Comments


Chris on :

Hat das Teil nicht eine serielle Konsole? Sieht auf dem oberen Bild so aus.

KuleRucket on :

Sorry about the English but I'm sure the meaning will be clear. The UART output is the J5 connector and the pins from the one labelled VCC are:

1: VCC
2: RX
3: TX
4: GND

The boot loader output is:

CFE version 1.0.37-12.1 for BCM96338 (32bit,SP,BE)
Build Date: Fri Nov 14 16:18:28 CST 2008 (root@localhost.localdomain)
Copyright (C) 2000-2006 Broadcom Corporation.

Boot Address 0xbfc00000

Initializing Arena.
Initializing Devices.
Parallel flash device: name MX29LV320AB, id 0x22a8, size 4096KB
CPU type 0x29010: 240MHz
Total memory: 16777216 bytes (16MB)

Total memory used by CFE: 0x80401000 - 0x805281D0 (1208784)
Initialized Data: 0x8041D700 - 0x8041F9F0 (8944)
BSS Area: 0x8041F9F0 - 0x804261D0 (26592)
Local Heap: 0x804261D0 - 0x805261D0 (1048576)
Stack Area: 0x805261D0 - 0x805281D0 (8192)
Text (code) segment: 0x80401000 - 0x8041D6F8 (116472)
Boot area (physical): 0x00529000 - 0x00569000
Relocation Factor: I:00000000 - D:00000000

Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.159
Gateway IP address :
Run from flash/host (f/h) : h
Default host run file name : 308nfs6358
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Board Id (0-9) : 96338W2
Number of MAC Addresses (1-32) : 11
Base MAC Address : 00:1e:40:da:92:5a
PSI Size (1-64) KBytes : 24

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 110
Booting from only image (0xbfc10000) ...
Code Address: 0x80010000, Entry Address: 0x801ad018
Decompression OK!
Entry at 0x801ad018
Closing network.
Starting program at 0x801ad018
Linux version 2.6.8.1 (root@localhost.localdomain) (gcc version 3.4.2) #1 Fri Nov 21 15:48:30 CST 2008
Parallel flash device: name MX29LV320AB, id 0x22a8, size 4096KB
96338W2 prom init
CPU revision is: 00029010
Determined physical RAM map:
memory: 00fa0000 @ 00000000 (usable)
On node 0 totalpages: 4000
DMA zone: 4000 pages, LIFO batch:1
Normal zone: 0 pages, LIFO batch:1
HighMem zone: 0 pages, LIFO batch:1
Built 1 zonelists
Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200
brcm mips: enabling icache and dcache...
Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.
Primary data cache 8kB 2-way, linesize 16 bytes.
PID hash table entries: 64 (order 6: 512 bytes)
Using 120.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 13924k/16000k available (1439k kernel code, 2056k reserved, 208k data, 68k init, 0k highmem)
KLOB Pool 1 Initialized: 1048576 bytes
Calibrating delay loop... 239.20 BogoMIPS
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Checking for 'wait' instruction... unavailable.
NET: Registered protocol family 16
Total Flash size: 4096K with 71 sectors
File system address: 0xbfc10100
Blk# BlkOff Blks MemLen Partition Name
0 1408 1 1024 NVRAM
69 40960 1 24576 Config 2
70 32768 1 8192 Scratch PAD
70 40960 1 24576 Config 1
Can't analyze prologue code at 80176654
Initializing Cryptographic API
PPP generic driver version 2.4.2
NET: Registered protocol family 24
Using noop io scheduler
bcm963xx_mtd driver v1.0
brcmboard: brcm_board_init entry
SES: Button Interrupt 0x0 is enabled
SES: LED GPIO 0x8004 is enabled
initLed: led[0]: mask=0x0000, state=0
initLed: led[1]: mask=0x0002, state=0
initLed: led[2]: mask=0x0010, state=0
initLed: led[3]: mask=0x0001, state=0
initLed: led[4]: mask=0x0020, state=1
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xfffe0300 (irq = 10) is a BCM63XX
NET: Registered protocol family 2
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
Initializing IPsec netlink socket
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
NET: Registered protocol family 8
NET: Registered protocol family 20
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 68k freed
init started: BusyBox v1.00 (2008.11.21-07:57+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5

BusyBox v1.00 (2008.11.21-07:57+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

Loading drivers and kernel modules...

atmapi: module license 'Proprietary' taints kernel.
adsl: adsl_init entry
blaadd: blaa_detect entry
Broadcom BCMPROCFS v1.0 initialized
Broadcom BCM6338A2 Ethernet Network Device v0.3 Nov 21 2008 15:45:54
Config Ethernet Switch Through MDIO Pseudo PHY Interface
ethsw: found bcm5325e!
dgasp: kerSysRegisterDyingGaspHandler: eth0 registered
eth0: MAC Address: 00:1E:40:DA:92:5A
SDIOH mode switch from 1 to 2
available commands: sdio sdioh

---SDIO init SUCCEEDED--- blockmode capable

chipid 0x4014312
chip is bcm4312, use 512 bytes blksize
bcmsdh_attach, sdioh_attach successful, bcmsdh->sdioh 0x80e9a760
wl: srom not detected, using main memory mapped srom info (wombo board)
wl0: wlc_attach: use mac addr from the system pool by id: 0x776c0000
wl0: MAC Address: 00:1E:40:DA:92:5B
wl0: Broadcom BCM4318 802.11 Wireless Controller 4.170.16.0.cpe2.1sd1
dgasp: kerSysRegisterDyingGaspHandler: wl0 registered
Trying to free free IRQ25
BcmAdsl_Initialize=0xC00663E8, g_pFnNotifyCallback=0xC0080FE4
AnnexCParam=0x7FFF7EB8 AnnexAParam=0x00003981 adsl2=0x00000000
pSdramPHY=0xA0FFFFF8, 0xFFBFFFDF 0x7FFFFFFF
AdslCoreHwReset: AdslOemDataAddr = 0xA0FF9504
AnnexCParam=0x7FFF7EB8 AnnexAParam=0x00003981 adsl2=0x00000000
dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered
ATM proc init !!!
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (125 buckets, 0 max) - 384 bytes per conntrack
ip_conntrack_pptp version 2.1 loaded
ip_nat_pptp version 2.0 loaded
ip_ct_h323: init success
ip_nat_h323: init success
BRCM NAT Caching v1.0 Nov 20 2007 10:22:27
BRCM NAT Cache: Hooking hit function @ c00a1088
ip_conntrack_rtsp v0.01 loading
ip_nat_rtsp v0.01 loading

==> Bcm963xx Software Version: 3.12L.01.B2pB023k.d20k_rc2

KuleRucket on :

P.S. port settings:
115200 8N1.
