Huawei Wimax CPE BM652


Spectroplasm

Mar 26, 2011, 3:41:30 PM
to wimax hacking
Hello everyone,
I am situated in Madagascar off the coast of Africa, I was wondering I
have a Huawei Wimax CPE BM652, with an unlimited data plan, it is
severely capped at 512kb/s, the current info I do know about this box
is that the WEB UI's master login and password is:
login: admin / pass: gadcpe

it is also possible to telnet into the box via its IP address and
along with the following login and pass,
login: wimax / pass: wimax820

I've been looking for ways to remove that cap, and I have even had my
hands on a 4mb/s version. the login and such are all the same. I even
replicated the 4meg's MAC address and its security info into mine but
it isn't able to connect to the server, (I have changed the PKM /
Authentication / and NAI, but to no avail). I have seen a tab on the
web ui about root certificates or .PEM files. no option to download
them though only upload available.

my main question is, how do I remove the limit to bandwidth? is it
listed inside the root certificates?

PS: I have gutted one and have taken pictures of the boards for anyone
interested, it's got sammy nand flash and Infineon chip inside.

thanks

Romel Emperado

Mar 27, 2011, 1:14:47 PM
to wimax-...@googlegroups.com
your mac address is registered to your provider and they have control to cap your connection.. so to remove the capping method you need to use mac address that is not registered to your provider... this is also what i did to my echolife bm622 :)

enjoy..


--
You received this message because you are subscribed to the Google Groups "wimax hacking" group.
To post to this group, send email to wimax-...@googlegroups.com.
To unsubscribe from this group, send email to wimax-hackin...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/wimax-hacking?hl=en.




--
Thanks,
Romel :)


Little Giant

Mar 27, 2011, 8:05:12 PM
to wimax hacking
How to get access on the ISP if you are using UNREGISTERED MAC ..

ISP also have Listing of Legit MAC ... :-)

Regards,

On Mar 28, 1:14 am, Romel Emperado <romelemper...@gmail.com> wrote:
> your mac address is registered to your provider and they have control to cap
> your connection.. so to remove the capping method you need to use mac
> address that is not registered to your provider... this is also what i did
> to my echolife bm622 :)
>
> enjoy..
>

WiMaX_user

Mar 27, 2011, 8:05:26 PM
to wimax hacking
check the mediafire link on "wimax in philippines" thread...

On Mar 28, 1:14 am, Romel Emperado <romelemper...@gmail.com> wrote:
> your mac address is registered to your provider and they have control to cap
> your connection.. so to remove the capping method you need to use mac
> address that is not registered to your provider... this is also what i did
> to my echolife bm622 :)
>
> enjoy..
>

Romel Emperado

Mar 27, 2011, 8:15:09 PM
to wimax-...@googlegroups.com
you don't need to have access in your ISP.. just change the mac in your device .. :P :P :P

this group has posted tut before.. you search it .. that was posted 2 to 3 days ago.. not sure...

Little Giant

Mar 27, 2011, 8:26:37 PM
to wimax hacking
I know ... but I mean how to get an Internet Access if your mac are
not registered to your ISP

ISP = Before you get Internet access you need a VALID REGISTERED
MAC ... if you have not REGISTERED you get "CONNECTING"

its like on your HUAWEI BM622 .. :P :P:P:P

Don't Forget .. VALID and NOT VALID Mac are the Controls of the Local
ISP

Regards,

Romel Emperado

Mar 27, 2011, 8:34:20 PM
to wimax-...@googlegroups.com
i see.. let's make it clear. :) :)

you find mac address that is not registered to any subscriber of wimax.. that's what i am trying to explain.. sorry for making you puzzled. :) hehe

because here in my place after you subscribe wimax they will register your mac address and if you have 1mbps plan you will have 35GB bandwidth limitation (capping of bandwidth which is against the law).

I tell you Open mac is everywhere. I did the same thing in smartbro 4 years ago

Spectroplasm

Mar 28, 2011, 5:25:37 AM
to wimax hacking
Alright! I just got the working tactics on how to do it,

first of all there is a tool inside the BM652 (this is actually a BM622
they just rebranded it to a different model) called setmacaddr this is
only valid for LAN MAC address. to have all three MAC addresses change
you need the other tool called setallmacaddr and then all you need to
set is one base address (the WAN)

so in example you want to set your MAC to an uncapped one, you need to
do the following.

1) head over the webUI of your box 192.168.1.X (the X dictates a
variable, default value is 1 and on some as I've seen is 254) in order
to find out which is the address you can DHCP your IP and DNS on the
PC and run a "ipconfig /all" under windows command prompt and look
into the gateway that is given to you.

2) once inside the login interface of the box you can log in using
"login: user" / "pass: user".

3) Once logged in type in your browser
"192.168.1.X/html/management/account.asp" (again the X is variable
according to your BM622/32/52 box)

4) once the page has opened up hit "ctrl+u" if you are on firefox, or
view page source. head over to line 22 and check the admin password
it's there.

5) use that login and password to login

6) go to WIMAX-->Security tab and take note (use the printscreen
button it's faster, open up paintbrush and paste it there and save) of
your current configurations.

7) go to ADVANCED-->QoS--> set both "-1" values to 63 (this will make
your connection more stable)

8) go to STATUS-->Device and jot down your MAC address (its also on
the bottom of your box in case you forgot it)

9) with all this information down and safe you are ready to proceed.

10) open up command prompt in windows: by win+r. type "cmd"

11) type up "telnet 192.168.1.X" (X is your box's IP address digit)

12) login with: login: "wimax" pass: "wimax820"

13) at the ATP> prompt type "setallmacaddr 00:00:00:00:00:00" (THE
00:00:00:00:00:00 ARE MAC ADDRESSES YOU TYPE IN, DO NOT USE 00'S ONLY
OR YOU WILL FAIL YOUR CPE BOX)

14) you should see a "SET LAN MAC address success" three times in a
row, when this is done type "exit" twice

15) head back into your webUI with the admin password and head over to
"maintenance-->device" and hit restore default configuration.

16) it will ask you that you might not get internet connection if you
continue, hit ok twice and wait approx 1minute.

17) after the 60second wait re-log into the box via WEBUI and head
over to the WIMAX-->security section. make sure the authentication
matches your old one. IE if you had TLS then use TLS, if you had TTLS
then use TTLS.

18) if you hit a good MAC address you should be in "connected" state,
to check your bandwidth head over to "www.speedtest.net" and do a test
there, you will see how much bandwidth that certain MAC address gave
you, and if it's capped or not.

*****NOTE*********
PLEASE DO NOT POST MAC ADDRESSES YOU'VE FOUND HERE OPENLY AS THE "ISP"
WILL SEE IT AND WILL BLOCK IT RENDERING IT USELESS FOR OTHER USERS, WE
CAN SHARE MAC'S VIA E-MAIL OR PRIVATE MESSAGE, BUT NOT OPENLY AS IT
WILL SPOIL THE FUN FOR EVERYONE.

Thanks to Romel for the info and the explanation to users who did not
quite understand how it works. I did it the hard way (I tabbed in the
00's as a mac address and the box froze and won't see any connection,
even if I tried with my old MAC address).

Happy hunting to all!!!

Lokkju Brennr

Mar 28, 2011, 5:35:20 AM
to wimax-...@googlegroups.com, Spectroplasm
Hmm... so in your case, you can change MAC addresses successfully,
without modifying the certificates on the device, and still get a
connection?

lokkju

Romel Emperado

Mar 28, 2011, 6:27:44 AM
to wimax-...@googlegroups.com

your wimax is bm652 right?

congratulations buddy :) haha happy hunting :)


--
Thanks,
Romel :)


Spectroplasm

Mar 28, 2011, 6:57:19 AM
to wimax hacking
Ya I've got a BM652 box.
@Lokkju the certificate you have installed inside the box (the
root .pem file) is the certificate needed to connect to the ISP, it
contains the REALM configuration along with the favorable frequency
delimiter, the MAC address on the other hand is a long list of
connections on the ISP server. Each MAC is linked to a specific
bandwidth, and this is the reason why we need to "hunt" the fastest of
the pack. Unlike an IP address a MAC address has no collision, you can
have two identical MAC enabled devices connect on the same network and
not suffer from erratic performance, this is why routers can clone a
MAC address without lagging. I'm keeping the box I got from my ISP and
will be resigning contract in a few days :), all the while still
keeping the ability to be connected, since when they deactivate the
original MAC address from my box I'll still be online as I'm on an
activated MAC.

Spec

On Mar 28, 1:27 pm, Romel Emperado <romelemper...@gmail.com> wrote:
> your wimax is bm652 right?
>
> congratulations buddy :) haha happy hunting :)
>

Lokkju Brennr

Mar 28, 2011, 11:15:00 AM
to wimax-...@googlegroups.com, Spectroplasm
I'm aware of the root cert, but at least here (I believe) the modems
also have private keypairs that seem to be tied to the MAC address --
it's possible that your provider has that disabled. Someone else may
have a better understanding of this, as most of my work has been
gaining root/shell access to different devices.

lokkju
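
Added example, not part of the thread: the posts above describe a network that grants service on the claimed MAC alone, while the reply just above notes that elsewhere the device keypair is tied to the MAC. The Python sketch below shows the two operator-side checks this implies, run over constructed AAA session records (the record layout, the function names and the MACs, taken from the RFC 7042 documentation range, are assumptions).

```python
from collections import defaultdict

# Constructed AAA session records (assumed layout, not from the thread):
# (claimed MAC, MAC bound to the device certificate, base station, start, stop)
SESSIONS = [
    ("00:00:5E:00:53:01", "00:00:5e:00:53:01", "BS-1", 100, 400),
    ("00-00-5e-00-53-01", "00:00:5e:00:53:01", "BS-7", 250, 600),  # overlaps BS-1
    ("00:00:5e:00:53:02", "00:00:5e:00:53:09", "BS-2", 120, 300),  # cert mismatch
    ("00:00:5e:00:53:03", "00:00:5e:00:53:03", "BS-3", 100, 200),
    ("00:00:5e:00:53:03", "00:00:5e:00:53:03", "BS-3", 200, 500),  # reconnect, no overlap
]


def norm(mac):
    """Canonicalise a MAC so '00-00-5E..' and '00:00:5e..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def cert_mismatches(sessions):
    """Sessions whose claimed MAC is not the one bound to the certificate."""
    return [s for s in sessions if norm(s[0]) != norm(s[1])]


def concurrent_macs(sessions):
    """Map each MAC seen in overlapping sessions to the base-station pairs."""
    by_mac = defaultdict(list)
    for mac, _cert, station, start, stop in sessions:
        by_mac[norm(mac)].append((start, stop, station))
    flagged = {}
    for mac, spans in by_mac.items():
        spans.sort()
        latest_stop, latest_station = spans[0][1], spans[0][2]
        for start, stop, station in spans[1:]:
            if start < latest_stop:  # began before an earlier session ended
                flagged.setdefault(mac, []).append((latest_station, station))
            if stop > latest_stop:
                latest_stop, latest_station = stop, station
    return flagged


if __name__ == "__main__":
    print("certificate mismatch:", cert_mismatches(SESSIONS))
    print("concurrent use:", concurrent_macs(SESSIONS))
```
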

Spectroplasm

Mar 28, 2011, 12:52:32 PM
to wimax hacking
would it help you if I took screenshots of each of the device's webUI
menu? one thing that I've been pondering is how to download the
certificate out of the box? I'm talking about the root
certificate .pem file or any other. So far I'm still running on the
hacked MAC and it's still working fine.

Spec

Spectroplasm

Mar 28, 2011, 1:00:49 PM
to wimax hacking
I think you are talking of the "WiMAX CPE Certificate" and the "WiMAX
CPE Private Key"? I see two tabs about uploading them but no option on
how to download them. On the other hand the .pem root certificate I
have an option to delete and upload a new one, sadly no download
button.
Spec

philippe aka

Sep 12, 2012, 7:12:51 AM
to wimax-...@googlegroups.com
Could I have the procedure for cracking the wimax 328 key with the certificate. Could someone help me, thank you.

2012/9/9 zfusion <yfbot...@gmail.com>
hi there! could you help me! I have a bm652 and there is no rootca2cert.pem in the tab certificate! I don't know what to do! please! if you don't mind
To view this discussion on the web visit https://groups.google.com/d/msg/wimax-hacking/-/fOfvanbQoNoJ.