Note:
What this article describes depends on the hardware and software involved and may differ from what you see. Treat it as a reference only and go by your actual situation.
The optical modem at home is a very new model and has no USB port, so the many methods found online for obtaining the configuration file through a USB flash drive do not apply.
While capturing packets from the Xiaoyi Guanjia app, I happened to find that the telecomadmin administrator password of the Telecom optical modem can be viewed through some device interfaces. If your optical modem supports binding to Xiaoyi Guanjia, you can in theory view the telecomadmin administrator password.
Points to note
Logging in as the super administrator is mainly useful for switching to bridge mode and enabling IPv6. When switching to bridge mode, it is recommended to add a dial-up connection; otherwise Xiaoyi Guanjia goes offline and the interface can no longer be called. Alternatively, delete the management item and record the password.
1. Install and bind Xiaoyi Guanjia
It is available in all major app stores. Search for it and install it directly, or download and install it by scanning the QR code below:
After installation, log in and bind your own optical modem, following the binding procedure in the app (for example, connecting to the optical modem's Wi-Fi and scanning the code):
2. Start packet capture
Use a packet capture tool to capture the Xiaoyi Guanjia traffic. Any capture method will do, so choose your own. Some packet capture software may require installing a trusted certificate first.
With capturing enabled, use Gateway settings -> Indicator light in Xiaoyi Guanjia, or operate any other optical modem function:
3. Extract the data to analyze
Find the corresponding request in the capture results (each packet capture tool displays results differently; go by what you actually see rather than by the screenshot):
We can see the request to 189cube.com. This is the domain name that operates the device directly, followed by the authentication data, which is needed in the next step (if MITM is not enabled in the packet capture software, it may not be visible). Click into it to see the request packet:
4. Construct the request
Some packet capture tools can edit the request above and resend it directly. In short, build the request by whatever means you like.
Use the headers and URL obtained from the capture above, set the request body to the following parameters (copy them as-is), and then send the request:
{ "Params": [], "MethodName": "GetTAPasswd", "RPCMethod": "CallMethod", "ObjectPath": "/com/ctc/igd1/Telecom/System", "InterfaceName": "com.ctc.igd1.SysCmd", "ServiceName": "com.ctc.igd1" }
5. Returned data
The data returned after the request is sent looks roughly like this:
{ "Ack": "CallMethod", "ID": "***", "Status": "0", "Params": ["telecomadmin***", 0, "get GetTAPasswd success"] }
The telecomadmin*** value in Params is the super administrator password of the optical modem.
This interface can also call other functions, such as restarting the optical modem. See Technical Requirements for China Telecom Smart Home Gateway for details.
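A saved capture of these exchanges contains the administrator password in clear text, so it is worth locating and redacting it before the capture is stored or shared. The following is an added example, not code from the original article: it audits request/response pairs in the JSON shapes shown above, flags successful GetTAPasswd calls, and masks the returned value. The sample capture, the "ExampleQuery" method name, the non-zero Status value, and the reading of Status "0" as success are assumptions.

```python
import json

SENSITIVE_METHODS = {"GetTAPasswd"}  # credential-returning method named in this article
REQ = ('{"Params": [], "MethodName": "%s", "RPCMethod": "CallMethod", '
       '"ObjectPath": "/com/ctc/igd1/Telecom/System", '
       '"InterfaceName": "com.ctc.igd1.SysCmd", "ServiceName": "com.ctc.igd1"}')
# Constructed capture: (request body, response body) pairs. The password, the
# "ExampleQuery" method and the non-zero Status are invented placeholders.
SAMPLE_CAPTURE = [
    (REQ % "GetTAPasswd", '{"Ack": "CallMethod", "ID": "1", "Status": "0", '
     '"Params": ["telecomadminEXAMPLE", 0, "get GetTAPasswd success"]}'),
    (REQ % "ExampleQuery", '{"Ack": "CallMethod", "ID": "2", "Status": "0", "Params": ["ok"]}'),
    (REQ % "GetTAPasswd", '{"Ack": "CallMethod", "ID": "3", "Status": "1", "Params": []}'),
    ("keepalive", "not json"),
]

def mask(secret):
    """Keep a short prefix for correlation and hide the rest."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)

def audit_exchange(request_body, response_body):
    """Classify one captured exchange; redact the secret if one was returned."""
    try:
        req, resp = json.loads(request_body), json.loads(response_body)
    except (TypeError, ValueError):
        return None  # not a JSON exchange, nothing to classify
    if not (isinstance(req, dict) and isinstance(resp, dict)):
        return None
    if req.get("RPCMethod") != "CallMethod":
        return None
    method = req.get("MethodName")
    params = resp.get("Params")
    # Assumption taken from the sample response: Status "0" means success.
    exposed = (method in SENSITIVE_METHODS and str(resp.get("Status")) == "0"
               and isinstance(params, list) and bool(params)
               and isinstance(params[0], str))
    redacted = dict(resp)
    if exposed:
        redacted["Params"] = [mask(params[0])] + params[1:]
    return {"method": method, "object_path": req.get("ObjectPath"),
            "credential_exposed": exposed, "redacted_response": redacted}

def audit_capture(pairs):
    """Audit every pair and drop the ones that are not RPC exchanges."""
    return [f for f in (audit_exchange(q, r) for q, r in pairs) if f is not None]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding["method"], finding["credential_exposed"], finding["redacted_response"])
```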
Reference article:
1. "Obtain the telecomadmin super administrator password of the Telecom optical modem through Xiaoyi Guanjia, which in theory supports all versions of the Telecom optical modem"