Let’s summarize all the information we have so far. The router makes http requests http://acs.superonline.net:8015/cwmpWeb/WGCPEMgt to get configuration server URL In the response returned, we found https://acs.superonline.net/cwmpWeb/CPEMgt (port 443) as configuration server URL which force router to use TLS connection acs.superonline.net domain has another open port to use to access configuration server which is 8010 We have PPPoE Server named ppp0, PPPoE Client named ppp1, and we forwarded all the packets through ppp1 interface using iptables With all these pieces of information collected, I was ready to start getting the data I needed in the first place.
In the previous post, I explained how I’ve got the proof that leads me to get the root password and the firmware of the ZTE H267A router. In this part of the series, I will explain the techniques I used and how I configured the environment. But before explaining the successful approach, I want to mention about failed ones briefly. The Failures At first, I tried the golang code here. Unfortunately, it didn’t work well.
The Story A couple of months ago, I wanted to replace my ISP provided ZTE H267A router with Ubiquiti USG. I already knew from my past experiences that it would be easy to configure internet connection but, what I did not know was configuring IPTV alongside with internet connection is a hell of a thing. The problem here was the missing knowledge on my side. I did know my ISP username and password, but I had no clue about what are the configurations used for the IPTV part.