latonita / tenda-reverse
Reverse engineering, getting root access to Tenda MW6 wifi mesh router
Hi, have you encountered where after X time of uptime the WiFi connection goes unstable and starts disconnecting devices at random?
The devices get disconnected and reconnected constantly. Do you know what may be happening or how I could debug it?
Thanks for taking the time to document your findings!
One thing I'd like to do that the app doesn't allow is forwarding ranges of ports, rather than single ports.
Any ideas?
Hi,
I have the MW3 and dug a little into it.
Has anybody found out yet what these settings are for?
china_net.enable=1
login.domain_name=www.tendawifi.com
ad.enable=0
I've changed them, and until now I could not see any differences on the routers or my network.
And I could not figure out what ucloud on the MW3 does. It started ucloud as a service listening on port 9000.
Would be nice if we can figure that out :-)
Greetings
Markus
Would it be possible to keep the telnet server active after reboot without having to press the physical reset?
How can I find out sync rate when connected over telnet?
Do you think it's possible to change WiFi channels (6 for 2.4 GHz and 40 for 5 GHz)? Thanks!
Hello
I'm using a Twibi Giga+ (Intelbras, Brazil), which is the Tenda MW6 (OEM).
On the Intelbras page, the latest firmware (1.0.12) for this Twibi Giga+ is available for download, which is practically the same as the firmware you used to do the reverse.
I'm sending the link below if you want to take a look.
https://backend.intelbras.com/sites/default/files/2021-11/Twibi_Giga%2B_v1.0.12_0.zip
Hello guys, nice talking here.
I'm a little unfamiliar with these Tenda devices, so I don't need any equipment, just telnet via LAN?
Since updating from the application doesn't change the DNS settings, I want to permanently change to 1.1.1.1 and 1.0.0.1.
Any ideas?
Hi, I've got MW6's. They only do WPA2 TKIP instead of AES and I've read somewhere along the way they simply disabled AES.
First, can I telnet into it without doing anything special hardware wise? I get the password is just base64 encode of the default password. You say you hold reset for 3 seconds, but you were connected via UART first? Can it be done without opening it up and mucking around?
Next, did you see anything about TKIP vs AES looking around? Happy to look around myself once in.
Wow, great work, really! I understand just 1/3 of the things you wrote, my English is not very good and I'm very far from your skills, but what I understood should be enough for what I need :) that is, get rid of that stupid DHCP in bridge mode, since my main OpenWrt router is far more complete and safe to manage than this mesh system. Oh, btw, I got 3 Tenda MW3, which is the older and cheaper version, I think, of yours. Hopefully they share the same password and login systems.
So if I understood correctly, to check if your discoveries also work with my Tenda: in order to have access, I just need to hold reset for 3 sec and telnet in using the base64 password for user root. Right?
Then when I'm in I just set 0 value to dhcps.listnum using cfm. And that's it?
Congratulations on this exploration.
It would be interesting to have a separate SID for the two WiFi channels so that a client (Amazon Echo) would not automatically switch between the two WiFi channels as signal strength varies. The Amazon Echo experiences pauses in audio streaming and this seems to be caused by this switching with Tenda mesh routers.
Have you seen any way to have separate SIDs or to switch off one of the WiFi channels?
First of all, thank you very, very much, my friend! Like you, I hate being locked out of my own devices.
I have an MW3 I just bought. And if any other users are facing difficulties like me, here it goes:
Happy rooting to you all fellas.
Brilliant walkthrough!!
I am almost sure Nova is filtering DHCPv6 packets when in bridging mode, but without root access I can’t prove my theory...
Any chance you could add some additional info on ebtables/ip6tables?
Can you explain how you have wired your Tendas?
I'm currently using this method:
But I don't like it because everything has to go through the Tenda device regardless of whether it is acting as a NAT or bridged with DHCP off, as you put in your study.
I would like to set all Tendas, including the "primary node", all coming from one switch. Maybe all connected directly to the LAN port and not using the WAN port at all is an option?
You might want to update your firmware.
On a slightly different device (MW5c, reports as Mesh5 in the app), firmware 1.0.0.34 (8681) doesn't enable DHCP in bridge mode.
Has anyone explored the feasibility of this or accomplished this?
cfw ^.* doesn't seem to expose a way to do this easily.
```
lan.dns.auto=1
lan.dns.hand1=
lan.dns.hand2=
lan.gst.1.ip=192.168.10.1
lan.gst.1.mask=255.255.255.0
lan.ip=192.168.5.1
lan.mask=255.255.255.0
lan.portmirror=0;1;0,0,0,0
lan.snat.en=0
lan.snat.list=
lan.webip=0.0.0.0
lan.webipen=0
lan.webiplansslen=0
lan.webport=80
lan1_ifname=br0:1
lan1_ifnames=wl0-va0 wl1-va0
lan_ifname=br0
lan_ifnames=vlan1 wlan0 wlan1
wan.detecttype=5
wan.ipv6.en=0
wan1.accessen=1
wan1.connecttype=0
wan1.dhcp.dns.auto=1
wan1.dhcp.dns.hand1=
wan1.dhcp.dns.hand2=
wan1.dmzen=0
wan1.dmzip=192.168.5.100
wan1.dns1=
wan1.dns2=
wan1.downrate=128000
wan1.dynamicMTU=1500
wan1.gateway=
wan1.ip=
wan1.isp=0
wan1.l2tp.dns.auto=1
wan1.l2tp.dns.hand1=
wan1.l2tp.dns.hand2=
wan1.l2tp.double.access=0
wan1.l2tp.mode=1
wan1.l2tp.mtu=1460
wan1.l2tp.pw=
wan1.l2tp.serverip=
wan1.l2tp.user=
wan1.mac.clone.en=0
wan1.mac.clone.type=0
wan1.macaddr=CC:2D:21:3D:F2:07
wan1.manual.dns.en=0
wan1.manual.dns1=
wan1.manual.dns2=
wan1.mask=
wan1.mtutype=1
wan1.net.type=0
wan1.param=0
wan1.port=3
wan1.ppoe.ac=
wan1.ppoe.auth_code=
wan1.ppoe.conmode=
wan1.ppoe.double.access=0
wan1.ppoe.h.e=
wan1.ppoe.h.s=
wan1.ppoe.idletime=
wan1.ppoe.m.e=
wan1.ppoe.m.s=
wan1.ppoe.mode=1
wan1.ppoe.mtu=1480
wan1.ppoe.pwd=
wan1.ppoe.sev=
wan1.ppoe.userid=
wan1.pppoe.dns.auto=1
wan1.pppoe.dns.hand1=
wan1.pppoe.dns.hand2=
wan1.pptp.dns.auto=1
wan1.pptp.dns.hand1=
wan1.pptp.dns.hand2=
wan1.pptp.double.access=0
wan1.pptp.mode=1
wan1.pptp.mppe=
wan1.pptp.mtu=1452
wan1.pptp.pw=
wan1.pptp.serverip=
wan1.pptp.user=
wan1.scale=
wan1.staticMTU=1500
wan1.uprate=128000
wan2.accessen=0
wan2.connecttype=0
wan2.dmzen=0
wan2.dmzip=
wan2.dns1=
wan2.dns2=
wan2.downrate=1536
wan2.dynamicMTU=1500
wan2.gateway=
wan2.ip=
wan2.isp=0
wan2.l2tp.double.access=0
wan2.l2tp.mode=1
wan2.l2tp.mtu=1492
wan2.l2tp.pw=
wan2.l2tp.serverip=
wan2.l2tp.user=
wan2.macaddr=CC:2D:21:3D:F3:08
wan2.mask=
wan2.mtutype=1
wan2.net.type=0
wan2.param=0
wan2.ppoe.ac=
wan2.ppoe.auth_code=
wan2.ppoe.conmode=
wan2.ppoe.double.access=0
wan2.ppoe.mode=1
wan2.ppoe.mtu=1492
wan2.ppoe.pwd=
wan2.ppoe.sev=
wan2.ppoe.userid=
wan2.pptp.double.access=0
wan2.pptp.mode=1
wan2.pptp.mppe=
wan2.pptp.mtu=1492
wan2.pptp.pw=
wan2.pptp.serverip=
wan2.pptp.user=
wan2.scale=
wan2.staticMTU=1500
wan2.uprate=102
wan3.macaddr=CC:2D:21:3D:F4:09
wan4.macaddr=CC:2D:21:3D:F5:0A
wan_check=0
wan_isonln=0
wans.auto.scale=1:1
wans.flag=1
wans.ispmode=0
wans.loadbalancetype=0
wans.location=-1 0 -1 1 -1
wans.manual.enable=0
wans.manual.scale=1:1
wans.policy.list1=
wans.policy.listnum=0
wans.policymode=0
wans.wanweben=0
wans.wanwebip=0.0.0.0
wans.wanwebport=8080
wans.wanwebsslen=0
```
The linked datasheet [1] for the BOHONG BH25Q64 SPI flash is down. Has anybody a local copy and can provide it here?
[1] http://www.hhzealcore.com/upload/201807/02/201807021644551022.pdf
I was wondering if anyone has been able to remove the WiFi backhaul fallback these devices have.
Sometimes, I'm not sure what happens exactly, but I found many of these APs in Wireless mode instead of Ethernet mode. I have to switch them off and switch them back on. Generally this happens with the regular maintenance they do automatically at 3 AM according to the app. They go back but in Wireless mode.
Has anyone found how to disable this behavior?
Not sure you know, but perhaps there's something useful here: https://down.tendacn.com/uploadfile/Tenda-GPL/MW6.tar.gz
Is it possible to port forward for a device connected to LAN port?
These devices do not show up in port forwarding screen on the app
Hi there! I have 3 mv3 from Tenda and I want to ask if during your research any of you found a way to disable the mesh calling, like every second, domains like qq.com, baidu.com or taobao.com. I also have an RPi with Pi-hole and there are literally hundreds of calls to those domains.
Thanks
I want to make Tenda custom firmware. How do I compress it again? And do I need to sign the custom firmware?
If the custom firmware needs to be signed, how?