I tried this on Orbi 960 series firmware version 6.3.7.10 and it opens up telnet access. Meaning I can telnet to my Orbi. It however does not open up a check box on debug.htm to allow/revoke telnet access and once you reboot telnet access goes away (which I think is how it should work).

I am good with this way of working as I can access when needed and know a reboot means telnet access is gone. So the only telnet access is when I specifically want it.

Great Job!

This error occurs when running under windows

First of all, thank you for this, it worked nicely on my RBRE960.

I was looking for a way to reboot it on a schedule and since I was at it I decided to do it in docker because it makes it easier to port around.

So I have a branch with docker on my fork in case you're interested to integrate it with this: https://github.com/bkerler/netgear_telnet/compare/main...elisiano:netgear_telnet:docker?expand=1

As you'll see my entry point does not just call your script, it also takes into consideration a REBOOT variable (false by default) and if true it's gonna telnet and issue a reboot command.

?

Running qiling_emulate.py yields:

$ python qiling_emulate.py 
Traceback (most recent call last):
  File "qiling_emulate.py", line 12, in <module>
    from Library.utils import *
ModuleNotFoundError: No module named 'Library'

is there a directory missing?

Have not been successful in enabling telnet on Orbi RBS40V (Voice).
It is pretty obvious that this speaker-enabled hybrid is "different" in many ways, such as the image file extension being "chk" rather than "img". Is there a way to enable diagnostics on the Python script that might indicate how it is failing? The output seems to indicate success:

C:\Users\Dick>netgear_telnet-main\telnet-enable2.py 192.168.1.70 3C:37:86:43:14:1C admin mypassword
Netgear LBR20 Telnet enabler V2 LBR20(c) B.Kerler 2021
Done sending pw data to 192.168.1.70:23
Done sending hashed_pw data to 192.168.1.70:23

The function referenced at this line does not exist:

This only comes up when a mac address is not provided and the user is not running windows

Hi
I tested it on RBR750 and it works great, so you can add it to your list.
Do you know how to enable it on RBS750 not only RBR?

Was able to use this to get in, install entware / opkg, and then install dropbear and lots of other packages. Created a new user, can use the new user to SSH into the router! Setup a crontab so that the dropbear restarts on reboot. Great work!

(Hilariously, i posted this on the netgear forums and my posts were removed very quickly ... lol)

Hello

I am unable to enable telnet with the tool on RBR40 v2.7.3.22 (synced at latest commit)

All attempts with mode 1, 2, 3 and upper/lower cased digest failed with a timeout (no answer to the magic packet).

I am using the command below:

./telnet-enable.py 10.0.0.1 B0:39:56:76:B3:75 admin "fDZGmoc8Wk5E3eaW"

I am running macOS but same issue on three different computers.

Running the command on RBK40 router produces:
print(f"Can't connect to {ip}:{port}") ^
with the caret beneath the double quote. I have a couple questions on the command format. I'm using the MAC address with all CAPS and ":" as a separator. Is there a spec on the format? Also, How do I know which is the br0 interface? I'm using the LAN MAC from the admin interface.
I'd be glad to up date docs and issue a PR once we define it better.
Thanks

Hello,

I'm trying to gain access to the RBR20 using the script on a PC but it doesn't seems to be working for me.

I started to reply on the closed topic about the RBR20 but i believe that's probably not the best way to get an answer... And the message I posted originally was through OSX : #4

Hello sorry to re-open the thread. :) I tried it too on my RBR20 but doesn't seems to works.

I ran :

sudo python3 ./telnet-enable.py 192.168.0.2 xx:xx:xx:xx:xx:xx admin 'password'

But doesn't seems to work as I'm still not able to telnet to it. also the only output I got is :

Netgear Telnet enabler V3.1 (c) B.Kerler 2021-2023

I tried to nmap the port and have only the follwwings :

adi@adi netgear_telnet-main % nmap 192.168.0.2
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-31 07:22 CET
Nmap scan report for 192.168.0.2
Host is up (0.0034s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
For what it worth I'm running all of that on OSX and installed telnet via Brew so should be fine on that side but maybe I'm missing some libraries ? could that be possible ?

if by any chance someone landing here see that bottle sent to the sea. I would higly appreciate some direction :) <3

Trying to use the script to restore telnet to my RBR750 but I am not sure which MAC address to use for the br0 input. Is it the MAC of the LAN port connected to my router (I am running the Orbi in AP mode)? Or is it the MAC of the wifi radio that I am connected to when using a wireless client? Any and all guidance would be appreciated.

@bkerler Hi Sir, i have used this for my RBR750, the FW is what i can find the up to date on Netgear, which is 7.2.x.x.x

I run the code, it can successfully sending PW data. But i am not able to telnet the router. Is not working with the latest firmware?

Hello sir! Hope all is well with you these days. I see Netgear has changed the 'magic packet' for telnetenabled on my new router NBR750 and so sadly this 'telnet-enable2.py' is no longer working for it. Was hoping you might have a chance to take a peek at the updated binary/libraries for it so that maybe we could fork an updated version of the python script for NBR750 and newer routers.
As always happy to send some pizza your way for your valuable time. I have zipped up binary along with library dependencies in the download link that follows along with a .txt inside that gives strings, strace, and ldd output which hopefully helps. Cheers!
http://paste.c-net.org/RaquelBuffalo
(SHA-256 .zip checksum: 517f4422d3b6ac36d20bfaedb5e80d094b834927e4901d9e15f4bf96c3482430)

Hi there!

I am trying to enable telnet on an RAX50 with FW version V1.0.12.120_2.0.83 (the same as mentioned in the supported devices list). However, when I run the command, I only get this output and the script closes and telnet still is not enabled.

C:\Users\Chris\Downloads>python3.11 ./telnet-enable.py 192.168.1.1 CX:XE:X3:B4:05:XE admin 'P@ssw0rd!!'
Netgear Telnet enabler V3.1 (c) B.Kerler 2021-2023

C:\Users\Chris\Downloads>

Am I missing something? The MAC address I used is the LAN MAC address as printed on the router sticker and shown on the UI. Just fyi, I also tried the older versions of telnet-enable.py with the same result.

Would appreciate any help, thanks!

Hi, the process was nice i've made tests and the port 5000 not response to send AT commands and after rebooting the device the device it lose the telnet enabled access.

is there any way to send AT! commands from the 23 port? using busybox

Thanks

Thank you for your amazing work.

Hello,

I am sure the issue is on on my end, any suggestions on following SyntaxError?

Thanks.

Example - ./telnet-enable2.py 192.168.1.1 A0:40:A0:69:B6:30 admin “yourpass”

If “yourpass” contains an “&” then python cannot correctly parse the attributes and throws an error, I.e., for instance, if the password was 12345&67890 then bash would output the following

-bash: 67890: command not found

Any ideas why I would get a syntax error on the second zero in the MAC address?
./telnet-enable2.py 10.0.0.1 10:0C:6B:D4:72:E5 admin 'mypassword'

Does anyone know how to solve this problem?

Not sure if its because the new firmware version doesn't allow this. But the script runs without issue but still can't telnet in :'(
Hardware Version: RBR850
Firmware Version: V4.6.3.16_2.0.51
GUI Language Version: V3.0.1.2_2.1.30.3

If there's any information I can provide to make this work with this router I'd love to help. Can code python but I'm very unfamilar with the way the requests interface with the router. Didn't dig into that rabbit hole. But willing to dive in if no one else will.

Just want to separate my SSID for 2,4 and 5 so that I can connect my "Landroid WR155" to the wifi -_- my galaxy s8 will ONLY connect to 5ghz even if i "disable" 5ghz in the web interface.. So dumb and frustrating. Anywho, let me know if i can help

Just wanted to let you know that this script works with my Nighthawk AX12 / RAX120v2, run from Linux Mint 21.
I was successful (only) with the precompiled script in the pyinstaller_native_bins.

Thanks a lot for your work!

Hi @bkerler,

Thank you for your amazing work. I managed to enable telnet on RAX75 (Firmware Version | V1.0.1.58_1.0.24)

Some minor code changes required in sendtelnet though. The behaviour I observed is retval = conn.recvfrom(1024) can never finish, it hangs there forever.

According to Python doc https://docs.python.org/3/library/socket.html#notes-on-socket-timeouts It's always best to call settimeout before connect, this fixed the issue for me and made your codes continue to run.

# Before connect, set timeout
conn.settimeout(5)
conn.connect(cres)

# Skip codes in between..... 

# Now recvfrom will throw timeout exception, wrap in try catch block
# Consider timeout as failure, let program continue to try hash2 or hash3
try:
    retval = conn.recvfrom(1024)
except:
    conn.close()
    return False

Running Python 3.9.2 on Windows 10.

1st question: root@RBR20:/# brctl showmacs br0 #results in 9 unique mac addresses - ports 1-9

port no mac addr is local? ageing timer
1 78:d2:94:52:4c:8f yes 0
2 7e:d2:94:52:4c:8f yes 0
3 82:d2:94:52:4c:8f yes 0
4 86:d2:94:52:4c:8f yes 0
5 78:d2:94:52:4c:91 yes 0
6 7e:d2:94:52:4c:91 yes 0
7 82:d2:94:52:4c:91 yes 0
8 78:d2:94:52:4c:92 yes 0
9 7e:d2:94:52:4c:92 yes 0

I have tried the following command using each of the above nine mac addresses. Each time I get the same response. Am testing this on V2.5.1.16 so that I view the debug.htm to see if telnet has been enabled.

C:\Users\Owner\Desktop>py telnet-enable2.py 10.0.0.1 7E:D2:94:52:4C:8F admin
Netgear LBR20 Telnet enabler V2 LBR20(c) B.Kerler 2021
Done sending pw data to 10.0.0.1:23
Done sending hashed_pw data to 10.0.0.1:23

2nd question: Is this the expected response from the script?

Thanks for your efforts on behalf of the community. Also pretty much a NOOB here as well.

After emulation where is the results is saved in order to fuzz it?

Hello!
My router is RBR350(fw V4.4.0.10_2.10.63)，satellites are RBS350(fw V4.4.0.10).

I have installed python 3.9 and run command, it shows "Netgear LBR20 Telnet enabler V2 LBR20(c) B.Kerler 2021" .But there is no "enable telnet commands" in debug.htm.

Could you please adapt this fw? Or the latest version:
RBR350 (Orbi Router) Firmware Version 4.4.1.29
https://www.downloads.netgear.com/files/GDC/RBK352/RBR350_signed-4.4.1.29.zip
RBS350 (Orbi Satellite) Firmware Version 4.4.1.29
https://www.downloads.netgear.com/files/GDC/RBK352/RBS350_signed-V4.4.1.29.zip

Thank you very much!!

Syntax error as shown below under Python version 3.12.1:

C:\Users\rdhw>python \local\bin\telnet-enable.py 192.168.XXX.1 C8:9E:43:XX:XX:XX admin XXXXXXXXXX
C:\local\bin\telnet-enable.py:50: SyntaxWarning: invalid escape sequence '\s'
  for v in (re.split('\s+', i) for i in arp_data_raw))
C:\local\bin\telnet-enable.py:660: SyntaxWarning: invalid escape sequence '\s'
  for line in re.findall('([-.0-9]+)\s+([-0-9a-f]{17})\s+(\w+)', data):
Netgear Telnet enabler V3.1 (c) B.Kerler 2021-2023
Done sending pw data XXXXXXXXXX to 192.168.XXX.1:23

New version of the script (25 May 2024) works properly but telnet doesn't work after reboot :(
nvram commit doesn't help

FYI, after updating the firmware to version 7.2, the netgear_telnet does not work :(
To my surprise ssh service is enabled but an attempt to log in gives the following error message Permission denied (publickey) which cannot be fixed without access to the shell and correction sshd config files.

Latest version confirmed working on rax 80 w/ fw V1.0.10.140_1.0.79.

Now that there's access to console, anyone know how to permanently run utelnetd automatically on reboot and/or enable ssh to be accessible?

Is this compatible with the orbi rbk753? I've tried several telnetenables but nothing works.

Thank you very much for your amazing work!
I managed to enable telnet on my RAX70 in order to change Region (it was locked to China and I live in Europe and I really needed that 4804MHz option).

I was trying on the oldest Firmware Version 1.0.1.68 with no luck, but trying with 1.0.10.110 it worked.
I got the following Syntax Errors with latest version of Python on Win11:
\telnet-enable.py:50: SyntaxWarning: invalid escape sequence '\s'
for v in (re.split('\s+', i) for i in arp_data_raw))
\telnet-enable.py:660: SyntaxWarning: invalid escape sequence '\s'
for line in re.findall('([-.0-9]+)\s+([-0-9a-f]{17})\s+(\w+)', data):

and then the message Done sending pw data XXXXXXXXXX to 192.168.1.1:23

But finally everything worked as a charm and I connected to Telnet!

I have to notice here that I was trying using single quotes on 'password' and no quotes on password on my unsuccessful tries.
I was getting the same Syntax Errors and then the message:
Done sending pw data XXXXXXXXXX to 192.168.1.1:23 but after rebooting I could not connect to telnet.

With fw 1.0.10.110 it was the first time I tried with double quotes on "password". I cannot tell if it was the quotes or the firmware version that allowed to enable telnet.

PS: running telnet-enable.py from Ubuntu 22.04 returned no Syntax Errors at all.

This is a new orbi from netgear, recently available from costco.

https://www.costco.com/netgear---orbi-ax5400-wifi-6-mesh-system%2C-one-year-advanced-cyber-security-included.product.100942085.html

Here's a link to netgear's firmware for this

router
https://www.downloads.netgear.com/files/GDC/RBK763/RBR760-V6.3.1.0.zip

sateliite
https://www.downloads.netgear.com/files/GDC/RBK763/RBS760-V6.3.1.0.zip

Telnet or ssh access would be greatly appreciated in this device. Thank you

Hi,

I'm currently running an RBK762s set on firmware 6.3.6.4.
The script runs to completion, but does not enable Telnet (the conn.recvfrom(1024) call times out all 3 times).

RBR760: https://www.downloads.netgear.com/files/GDC/RBK763/RBR760-V6.3.2.4.zip

RBS760: https://www.downloads.netgear.com/files/GDC/RBK763/RBS760-V6.3.2.4.zip

Am I doing something wrong, or is this firmware not supported?