tenda-reverse
tenda-reverse copied to clipboard
latonita
Firmware Intelbras Twibi Giga+, same Tenda MW6
Hello
I'm using a Twibi Giga+ (Intelbras, Brazil), which is the Tenda MW6 (OEM).
On the Intelbras page, the latest firmware (1.0.12) for this Twibi Giga+ is available for download, which is practically the same as the firmware you used to do the reverse.
I'm sending the link below if you want to take a look.
https://backend.intelbras.com/sites/default/files/2021-11/Twibi_Giga%2B_v1.0.12_0.zip
Is your Twibi device managed using an app or does it have a web interface?
Mirror download on GitHub: Twibi_Giga+_v1.0.12_0.zip
Both. The APP is practically identical to the original Tenda - but it seems a little more stable. via HTTP it has a simple administration page, it is efficient - in the firmware the code of this page is in the /webroot_ro
APP INTELBRAS: https://play.google.com/store/apps/details?id=com.intelbras.intelbrasRouter&hl=pt_BR&gl=US
About the root password: from what I could understand, the prod_change_root_passwd doesn't use Encode64, but the MAC ADDR of the LAN (please, can you confirm this?)
Here is code obtained via libcommonprod.so and decompiled via GHidra.
===============
/* WARNING: Could not reconcile some variable overlaps */
undefined4 prod_change_root_passwd(void)
{
undefined auStack308 [64];
undefined4 local_f4;
undefined4 local_f0;
char acStack236 [128];
undefined4 local_6c;
undefined4 local_68;
undefined4 local_64;
undefined4 local_60;
undefined4 local_5c;
undefined4 local_58;
undefined4 local_54;
undefined4 local_50;
char acStack76 [68];
memset(auStack308,0,0x40);
local_f4 = 0;
local_f0 = 0;
memset(acStack236,0,0x80);
local_6c = 0;
local_68 = 0;
local_64 = 0;
local_60 = 0;
local_5c = 0;
local_58 = 0;
local_54 = 0;
local_50 = 0;
memset(acStack76,0,0x40);
ApmibGetValue("HW_NIC0_ADDR",&local_6c);
sprintf(acStack76,"%c%c%c%c%c%c",(int)local_68._2_1_,(int)local_68._3_1_,(int)(char)local_64,
(int)local_64._1_1_,(int)local_64._2_1_,(int)local_64._3_1_);
strcpy(acStack236,acStack76);
doSystemCmd("(echo %s;sleep 1;echo %s) | passwd root -a s> /dev/null",acStack236,acStack236);
return 0;
}
===============
Does this firmware have DHCP reservation settings via an app or a web interface?
I dont know about the twibi giga but about twibi fast the password is the last 6 digits of mac address. The twibi fast cant upgrade from version 1.1.2 to 1.1.3 and subsequently to 1.1.10. The user have to open a teamviewer connection for intelbras technician. This way he can use a telnet client to prepare the twibi fast for receive the firmware upgrades.
So I thought: what if I install a keylogger on my computer? And I did! With that I captured the password that the technician typed. and it was the last 6 digits of the mac address.
Twibi Fast telnet Port: 23 User: root Password: last 6 digits of mac address (printed on the bottom label)
Ps: You have to press the reset button for about 4s to enable the telnet service and became able to connect.
Do you think it's possible to upload Tenda MW6 into Twibi Giga + web interface? If so, would work and behave like Tenda's one and get new firmware updates from Tenda OTA? Thanks in advance
