latonita / tenda-reverse

Reverse engineering, getting root access to Tenda MW6 wifi mesh router

Shell 100.00%
reverse-engineering root root-finding router hacking disassembly busybox tenda realtek rtl8197f bootloader

tenda-reverse's Issues

Devices disconnecting intermittently

Hi, have you encountered where after X time of uptime the WiFi connection goes unstable and starts disconnecting devices at random?

The devices get disconnected and reconnected constantly. Do you know what may be happening or how I could debug it?

Forwarding ranges of ports

Thanks for taking the time to document your findings!

One thing I'd like to do that the app doesn't allow is forwarding ranges of ports, rather than single ports.

Any ideas?

Anybody figured out some of these settings?

Hi,
I have the MW3 and dug a little into it.

Anybody found out yet, what these settings are for?

china_net.enable=1
login.domain_name=www.tendawifi.com
ad.enable=0

I've changed them and until now I could not see any differences on the routers or my network.

And I could not figure out what ucloud on the MW3 does. It started ucloud as a service listening on port 9000.

Would be nice if we can figure that out :-)

Greetings
Markus

Sync rate?

How can I find out sync rate when connected over telnet?

MW6 - dns issues

Hello guys, nice talking here.

I'm not very familiar with these Tenda devices, so I don't need any equipment, just telnet via LAN?

Since updating from the application doesn't change the DNS settings, I want to permanently change to 1.1.1.1 and 1.0.0.1.

Any ideas?

Logging In, TKIP -> AES

Hi, I've got MW6's. They only do WPA2 TKIP instead of AES and I've read somewhere along the way they simply disabled AES.

First, can I telnet into it without doing anything special hardware wise? I get the password is just base64 encode of the default password. You say you hold reset for 3 seconds, but you were connected via UART first? Can it be done without opening it up and mucking around?

Next, did you see anything about TKIP vs AES looking around? Happy to look around myself once in.

Access Tenda MW3

Wow, great work, really! I understand just 1/3 of the things you wrote, my English is not very good and I'm very far from your skills, but what I understood should be enough for what I need :) that is, to get rid of that stupid DHCP in bridge mode, since my main OpenWrt router is far more complete and safe to manage than this mesh system. Oh btw I got 3 Tenda MW3, which is the older and cheaper version, I think, of yours. Hopefully they share the same password and login systems.

So if I understood correctly, to check if your discoveries also work with my Tenda: in order to have access, I just need to hold reset for 3 sec and telnet in using the base64 password for user root. Right?

Then when I'm in I just set 0 value to dhcps.listnum using cfm. And that's it?

Separate SID for 2.4 and 5 Mhz channels?

Congratulations on this exploration.
It would be interesting to have a separate SID for the two WiFi channels so that a client (Amazon Echo) would not automatically switch between the two WiFi channels as signal strength varies. The Amazon Echo experiences pauses in audio streaming and this seems to be caused by this switching with Tenda mesh routers.
Have you seen any way to have separate SIDs or to switch off one of the WiFi channels?

For any noobs like me!

First of all, thank you very, very much my friend! Like you, I hate being locked out of my own devices.

I have an MW3 I just bought. And if any other users are facing difficulties like me, here it goes:

  • Check if your cable is plugged on the LAN port not the WAN, otherwise it won't work.
  • The user is: root
  • The password is your CURRENT wifi password encoded in base64 (in case your default password on the stick isn't working). Use this site to encode: https://www.base64encode.org/
  • Make sure the port is correct, i.e. port 23
  • Careful with the password since the letter L and the letter i, are the same shape when lowercase and uppercase respectively.

Happy rooting to you all fellas.

Filtering DHCPv6 packets

Brilliant walkthrough!!

I am almost sure Nova is filtering DHCPv6 packets when in bridging mode, but without root access I can’t prove my theory...
Any chance you could add some additional info on ebtables/ip6tables?

Wired setup

Can you explain how you have wired your Tendas?

I'm currently using this method:

[Image: wiring]

But I don't like it because everything has to go through the Tenda device regardless of whether it is acting as a NAT or bridged with DHCP off as you put in your study.

I would like to set up all Tendas, including the "primary node", all coming from one switch. Maybe all connected directly to the LAN port and not using the WAN port at all is an option?

New firmware?

You might want to update your firmware.
On a slightly different device (MW5c, reports as Mesh5 in the app), firmware 1.0.0.34 (8681) doesn't enable DHCP in bridge mode.

Utilizing the WAN port as a 2nd LAN port

Has anyone explored the feasibility of this or accomplished this?
cfw ^.* doesn't seem to expose a way to do this easily.

```
lan.dns.auto=1
lan.dns.hand1=
lan.dns.hand2=
lan.gst.1.ip=192.168.10.1
lan.gst.1.mask=255.255.255.0
lan.ip=192.168.5.1
lan.mask=255.255.255.0
lan.portmirror=0;1;0,0,0,0
lan.snat.en=0
lan.snat.list=
lan.webip=0.0.0.0
lan.webipen=0
lan.webiplansslen=0
lan.webport=80
lan1_ifname=br0:1
lan1_ifnames=wl0-va0 wl1-va0
lan_ifname=br0
lan_ifnames=vlan1 wlan0 wlan1

wan.detecttype=5
wan.ipv6.en=0
wan1.accessen=1
wan1.connecttype=0
wan1.dhcp.dns.auto=1
wan1.dhcp.dns.hand1=
wan1.dhcp.dns.hand2=
wan1.dmzen=0
wan1.dmzip=192.168.5.100
wan1.dns1=
wan1.dns2=
wan1.downrate=128000
wan1.dynamicMTU=1500
wan1.gateway=
wan1.ip=
wan1.isp=0
wan1.l2tp.dns.auto=1
wan1.l2tp.dns.hand1=
wan1.l2tp.dns.hand2=
wan1.l2tp.double.access=0
wan1.l2tp.mode=1
wan1.l2tp.mtu=1460
wan1.l2tp.pw=
wan1.l2tp.serverip=
wan1.l2tp.user=
wan1.mac.clone.en=0
wan1.mac.clone.type=0
wan1.macaddr=CC:2D:21:3D:F2:07
wan1.manual.dns.en=0
wan1.manual.dns1=
wan1.manual.dns2=
wan1.mask=
wan1.mtutype=1
wan1.net.type=0
wan1.param=0
wan1.port=3
wan1.ppoe.ac=
wan1.ppoe.auth_code=
wan1.ppoe.conmode=
wan1.ppoe.double.access=0
wan1.ppoe.h.e=
wan1.ppoe.h.s=
wan1.ppoe.idletime=
wan1.ppoe.m.e=
wan1.ppoe.m.s=
wan1.ppoe.mode=1
wan1.ppoe.mtu=1480
wan1.ppoe.pwd=
wan1.ppoe.sev=
wan1.ppoe.userid=
wan1.pppoe.dns.auto=1
wan1.pppoe.dns.hand1=
wan1.pppoe.dns.hand2=
wan1.pptp.dns.auto=1
wan1.pptp.dns.hand1=
wan1.pptp.dns.hand2=
wan1.pptp.double.access=0
wan1.pptp.mode=1
wan1.pptp.mppe=
wan1.pptp.mtu=1452
wan1.pptp.pw=
wan1.pptp.serverip=
wan1.pptp.user=
wan1.scale=
wan1.staticMTU=1500
wan1.uprate=128000
wan2.accessen=0
wan2.connecttype=0
wan2.dmzen=0
wan2.dmzip=
wan2.dns1=
wan2.dns2=
wan2.downrate=1536
wan2.dynamicMTU=1500
wan2.gateway=
wan2.ip=
wan2.isp=0
wan2.l2tp.double.access=0
wan2.l2tp.mode=1
wan2.l2tp.mtu=1492
wan2.l2tp.pw=
wan2.l2tp.serverip=
wan2.l2tp.user=
wan2.macaddr=CC:2D:21:3D:F3:08
wan2.mask=
wan2.mtutype=1
wan2.net.type=0
wan2.param=0
wan2.ppoe.ac=
wan2.ppoe.auth_code=
wan2.ppoe.conmode=
wan2.ppoe.double.access=0
wan2.ppoe.mode=1
wan2.ppoe.mtu=1492
wan2.ppoe.pwd=
wan2.ppoe.sev=
wan2.ppoe.userid=
wan2.pptp.double.access=0
wan2.pptp.mode=1
wan2.pptp.mppe=
wan2.pptp.mtu=1492
wan2.pptp.pw=
wan2.pptp.serverip=
wan2.pptp.user=
wan2.scale=
wan2.staticMTU=1500
wan2.uprate=102
wan3.macaddr=CC:2D:21:3D:F4:09
wan4.macaddr=CC:2D:21:3D:F5:0A
wan_check=0
wan_isonln=0
wans.auto.scale=1:1
wans.flag=1
wans.ispmode=0
wans.loadbalancetype=0
wans.location=-1 0 -1 1 -1
wans.manual.enable=0
wans.manual.scale=1:1
wans.policy.list1=
wans.policy.listnum=0
wans.policymode=0
wans.wanweben=0
wans.wanwebip=0.0.0.0
wans.wanwebport=8080
wans.wanwebsslen=0
```

Remove WIFI backhaul fallback

I was wondering if anyone has been able to remove the WIFI backhaul fallback these devices have.

Sometimes, I'm not sure what happens exactly, but I found many of these APs in Wireless mode instead of Ethernet mode. I have to switch them off and switch them back on. Generally this happens with the regular maintenances they do automatically at 3AM according to the app. They go back but in Wireless mode.

Has anyone found how to disable this behavior?

Hundreds of domain calls

Hi there! I have 3 mv3 from Tenda and I want to ask if during your research any of you found a way to stop the mesh from calling, like every second, domains like qq.com, baidu.com or taobao.com. I also have an RPI with Pihole and there are literally hundreds of calls to those domains.
Thanks
