Enabling telnet in Gemtek WIXB-ODU 250B

vedantlath

Gemtek WIXB-ODU 250B has an engineering menu which is hidden in the main page. It has a lot of options; syslog was the most useful option for me. Enabling telnet is another very useful option. You can also set a preference for a particular BSID. You can also use the software "Kannon" to directly interact with the radio. [1][2][3]

To access the engineering menu:
In Firefox (adapt these steps for other browsers like Chrome):
1. Go to the modem configuration page (usually http://192.168.254.251)
2. Right click on Status and click on "Inspect Element (Q)"
3. In the inspection pane at the bottom, click on the line that has the word "Engineering" near the end of the line.
4. In the pane on the right, hover over "display: none" and uncheck the box to the right of "display: none".
5. Engineering should appear below Status in the modem page.
6. Click on Engineering.

To enable telnet:
1. Go to Engineering -> Dev Config
2. Turn on the telnet option.
3. Reboot.

Dev Config also has options for syslog and Kannon. Kannon has a tendency to crash in Windows 7 64-bit; it worked better for me in Windows XP.

Gemtek WIXB-ODU 250B is based on the Beceem BCS 5200 reference design and uses a modified OpenWRT as its base. It is similar to WIXB-175.

There is an RCE attack vector in the modem configuration page at Advanced -> Security -> Ping. In case telnet is not available or if you want to run a command without rebooting, you can use this method. File inclusion (viewing most of the contents of files, similar to directory traversal) is also possible using the same method as for the WIXB-175 modem. The sysconf.cgi executable executes code in any file if it's in the following format:
Code:
<!--#exec cmd="<your command>" -->

You can enable telnet using the RCE method by entering the following in the ping input box:
Code:
`/bin/cmscfg -s -n sys_telnetd -v enable`

The telnet welcome banner is
Code:
=== IMPORTANT ============================
  Use 'passwd' to set your login password
  this will disable telnet and enable SSH
------------------------------------------


BusyBox v1.4.2 (2011-06-04 18:44:11 CST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M

BECEEM COMMUNICATIONS - Build v2.4.4
---------------------------------------------------

The version of OpenWRT isn't specified, although it's likely to be very old. It reports itself to be running the armv6l architecture; however, the armv6l busybox binaries don't work. busybox for armv4l works fine.

Note 1: WiMAX GCT Installer & Kannon Beceem Monitoring
Note 2: hxxp :// www. 4 shared .com/file/md50orio/Kannon.html
Note 3: Original Default Passwords Collection. - Page 9
 
Last edited:
Code:
root@BCS5200:/# uname -a
Linux BCS5200 2.6.21.1 #1 Sat Jun 4 18:42:17 CST 2011 armv6l unknown
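
The Ping field described in the post accepts a backtick command substitution, which means the input reaches a shell unfiltered. The following is an added example, not part of the original post and not the firmware's code: a sketch of how a CGI ping handler can allow-list the target and hand it to execv()/execvp() as a single argument. The function names and the `ping -c 4` arguments are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_TARGET_LEN 253  /* longest valid DNS name */
#define MAX_LABEL_LEN  63   /* longest valid DNS label */

/* Return 1 if s is acceptable as a ping target: a hostname or dotted IPv4
 * address built only from letters, digits, '.' and '-'. Backticks, '$', ';',
 * '|', '&', spaces, quotes and newlines are rejected because they are not
 * on the allow-list. (Hypothetical helper, not from the firmware.) */
int is_safe_ping_target(const char *s)
{
    size_t len, i, label = 0;

    if (s == NULL) return 0;
    len = strlen(s);
    if (len == 0 || len > MAX_TARGET_LEN) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;  /* leading '-' would parse as an option */
    for (i = 0; i < len; i++) {
        char c = s[i];
        if (c == '.') {
            if (label == 0) return 0;          /* empty label, e.g. "a..b" */
            label = 0;
        } else if ((c >= '0' && c <= '9') || (c >= 'a' && c <= 'z') ||
                   (c >= 'A' && c <= 'Z') || c == '-') {
            if (++label > MAX_LABEL_LEN) return 0;
        } else {
            return 0;                          /* any shell metacharacter ends here */
        }
    }
    return 1;
}

/* Fill argv for execv()/execvp() so the target travels as one argument and
 * no shell ever parses it. Returns 0 on success, -1 if the target is rejected. */
int build_ping_argv(const char *target, const char *argv[5])
{
    if (!is_safe_ping_target(target))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "4";
    argv[3] = target;
    argv[4] = NULL;
    return 0;
}
```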