SECURITY: TPG modem admin bypass to enable DSL

February 12, 2018

Problem:

you have Huawei HG659 that came from TPG pre-configured, but it doesn’t work on ADSL. You set up bridge mode to 3rd party ADSL modem and still no success. Reason being – it’s preconfigured for VDSL and you cannot change it without root admin access. On top, TPG won’t give you the password for root.

Solution:

Forget about root admin and bypass root account by using your current user account, but with the admin interface. Then set up DSL connection instead of VDSL and you’re good to go.

The bypass process is not complicated and takes about 10 minutes to complete, a general cmd line skills are required. If you run into troubles, hit me up (e-mail).

Requirements:

  1. browser with an element inspector (safari, chrome, etc..)
  2. details about your DSL connection
  3. python compiler (https://python.org)
  4. python cryptographic toolkit (https://pypi.python.org/pypi/pycrypto
  5. python decryption script https://pastebin.com/JbZjygY3
  6. terminal / cmd line

Process:

  1. download and install all required stuff (point 3 and 4)
  2. login to router administration via internet browser (192.168.1.1) with admin/admin,
    1. bring up element inspector,
    2. find a file called cat_exember.js.jgz under resource tab,
    3. create a breakpoint on line 1,
    4. refresh a page and anytime it stops enter g_userLevel=2 into a console, hit enter and then press “continue debugger
    5. navigate yourself to Management>Device Management>”Backup and restore settings” and download config file. Place the file into the same directory like a script from step 5.
  3. run terminal/cmd line and navigate to a folder where you have a decryption script (hg635_configtool.py) as well as downloadconfigfile.conf (downloaded in the previous step).
  4. Run: hg635_configtool.py decrypt downloadconfigfile.conf output.xml
  5. Edit file output.xml, find a line starting with <UserInfoInstance InstanceID=”2″ Username=”admin” … and edit parametr Userlevel=”1″ to Userlevel=”2″. Save and exit.
  6. Run: hg635_configtool.py encrypt output.xml output.conf
  7. Upload output.conf to a router via internet browser -> router administration -> “Maintain > Device Management > Backup or Restore Settings > Restore Settings > output.conf“. Use the hack from step 2 to see the menu. Once done, re-login to your router as normal.
  8. To setup DSL, go to:
    1. Internet->Internet Settings->new WAN connection and fill your details. Once done, hit apply. 
    2. Connect your DSL cable and hit restart PPPoE, wait 2 minutes and see if you’re connected.

Below is a screenshot of settings for Telstra / Bigpond broadband if that helps. Don’t forget to replace “USERNAME” with your username;). Happy surfing.

Additional resources:

http://forums.whirlpool.net.au/archive/2572047#r52554724

http://forums.whirlpool.net.au/forum-replies.cfm?t=2572047&p=5&#r100

Tags

CRYPTO: Bitcoin is not always Bitcoin!

February 9, 2018

Bitcoin is not always Bitcoin!

Warning! Before you invest in Bitcoin, please do a proper research and/or ask people you trust for advice in this field. There is a very nasty marketing approach circling Bitcoin and has been for a while, as everyone wants to cut their piece and profit. Don’t let them profit on you.

You might come across websites, social network profiles or forum campaigns, which claim that they sell or offer services of Bitcoin, but they are actually selling a forked version of Bitcoin. Now, what is forked version? Well, it is an alternation of the original coin, which operates independently (such as it has a different aim, rules, price tag, development team, etc), sort of like a different currency. So in other words, if you buy a forked version of Bitcoin instead of the original one, you might be then surprised that you cannot spend it everywhere you wanted and that’s not cool.

To prevent this issue or confusion, alternations of Bitcoin (forked versions) supposed to be named differently and they are. Here are some of them:

The problem occurs when this rule is ignored or the original name (“Bitcoin”) is misused for the marketing purposes. So for example, Bitcoin Cash (BCH) is heavily misusing the word “Bitcoin” in order to overtake the market and fool people that BCH is Bitcoin.

BCH is Bitcoin Cash (forked Bitcoin) and BTC is Bitcoin / Bitcoin Core (the original Bitcoin).

There is even more nasty stuff going, which you can read more about in this article: https://medium.com/@MishaGuttentag/coinbase-should-stop-selling-bitcoin-cash-bch-seriously-ba601d395023

As a summary, I personally do not like the way BCH operates and their aggressive marketing is not something I want to support. Now in saying that, it doesn’t mean the coin is useless or you cannot make a money on it. It just means, it is not aligned with my values and therefore it is not for me.

WEB: webserver sizing and testing

February 7, 2018

Here are few links I recommend to start with for a web server design, load testing and performance.

  1. Web server sizing – network, processor, memory, HDD
    http://www.dell.com/content/topics/global.aspx/power/en/ps3q01_graham?c=us&l=en&cs=04
  2. Load testing – load impact – nice tool to put a web under (test)load 🙂
    https://loadimpact.com
    http://support.loadimpact.com/knowledgebase/articles/174121-how-do-i-interpret-test-results

CRYPTO: handy BTC tools for TXs and fees

Below is a list of tools you might need for checking a transaction fee or its details. Handy for cutting some TXs cost and troubleshooting crypto transactions (mostly BTC).

  1. Unconfirmed transaction and fees estimator; shows price per byte and eta for confirmation
    https://bitcoinfees.earn.com
  2. Unconfirmed transactions in mem-pool, variation of #1
    https://dedi.jochen-hoenicke.de/queue/
  3. Bitcoin Fee calculator, calculate size and fee estimation
    https://coinb.in/#fees
  4. Accelerators – for stuck transactions
    ConfirmTX – free below 300bytes, larger $5
    ViaBTC’s accelerator – free, 100 txs, starts every hour, FIFO
    Coolwave accelerator – forum, register first (bitcoinTalk forum)
  5. Block explorer – review transaction details and info about network
    Blockchain.info – info + wallet (BTC)
    Blockr.io – BTC/LTC info
    Blockexplorer.com – grandpa explorer
    Insight.is  – API tool for data
    Chain.so – multi-currency block explorer
    Blocktrail – explorer and wallet
    BitcoinChain – explorer and other info

CRYPTO: GDAX – CoinBase security flaw

January 23, 2018

Let’s assume you enabled 2FA on your GDAX/Coinbase account. Currently, you cannot withdraw funds from GDAX to outside address or bank account without two-factor authentication (2FA).

However, you can move the funds from GDAX to Coinbase account and from there you can then send them to outside address without 2FA! I consider this a security flaw and will demonstrate the issue in the example below.

If for example, you have a device (PC/MAC/Mobile, etc.) where you have activated “remember me for 30 days” feature to avoid providing 2FA everytime you log in, this device becomes a target for potential theft. Once someone will get an access to this device and steal your login credentials, they can then move the funds from GDAX to Coinbase and from there move it to an outside address to which you no longer have access. GDAX and Coinbase share the security settings (including login details), so attacker needs just your login details to access both platforms to action it.

Vulnerability above assumes that attacker will gain access to login credentials and to the device with active “remember me for 30 days”, so please make sure you have both secured very well if you happen to have this kind of set up.

@COINBASE: kindly fix it pls!

Tags

How to make public facebook posts private (the quicker way)

January 2, 2018

I randomly came across a problem related to Facebook privacy and public posts. If you have ever posted something on Facebook, you might also know that there are some privacy options available for each post. While you might have your default visibility set up to “friends” only, there still might be some older posts on your timeline with privacy set to “public“.

That essentially means that anyone who googles your profile can see your public posts, such as links, photos, videos, notes etc. Remember those pictures with your awesome hairstyle from the 80’s? Your dance creations on New Year’s Eve? Or maybe those links about political affairs? Whatever is the case, you might feel like you want to hide them all.

Unfortunately, these magic buttons do not exist in the Facebook world. Or at least I have not found one. Facebook gives you only a page with “view as…“, where you can see how general public (such as Google search) will see your profile. To change the privacy of those public posts, you have to do it one by one and you cannot do it directly from this “view as…” page either. What a pain! This could take up to several hours, depending on how many public posts you have.

So, to save you time and headaches, I have found a way to automate it, sort of. Now, before we dig into it, I do not claim it will work for you and I do not provide any support. Reason being is, that there are too many scenarios to cover and my time is limited too. So hopefully, you’re the lucky one:). So let us assume you have:

Solution:
We will use iMacros plugin, the couple of clicks and built-in loop feature. Easy peasy. Job for 3-5 minutes.

  1. Open chrome, login to your FB, click on your name and note your username from your URL
  2. Open new tab and search for: “iMacros for Chrome”, install Chrome and run it
  3. In iMacro window click on “record macro“, then click on “stop“. A new window will occur, where you replace all text with the following:
    VERSION BUILD=1001 RECORDER=CR
    URL GOTO=https://www.facebook.com/YOURUSERNAME?viewas=100000686899395&privacy_source=timeline_gear_menu#_
    WAIT SECONDS=2

    TAG POS=1 TYPE=SPAN ATTR=CLASS:timestampContent
    TAG POS=2 TYPE=I ATTR=CLASS:img<SP>sp_3OxEQobvphM<SP>sx_73cfea&&TXT:
    TAG POS=2 TYPE=SPAN ATTR=TXT:Friends*
  4.  PLEASE:
    1. Replace the bold text “YOURUSERNAME” with your “username” from step 1.
    2. If you have slow internet or too many posts, adjust “wait” parameter to a higher value such as 4, 6 or 8 depending on your needs. This will wait for your posts to load, so the script can then continue properly.
  1. Click on “Save as & close“, name it properly as a bookmark, then go back to your FB page and iMacro window.
  2. Select your macro in the upper part and then in the lower menu click on “play” -> “play macro“. It should open your facebook “view as…” page. Then it does few clicks and finishes on the post page with changed privacy. It is recommended to check your latest public post, to confirm it worked properly.
  3. Now you can try it again, but this time click “play” -> “play loop“. It should do 3 cycles and make your 3 latest posts marked as visible for “friends” only.
    Note: this script is changing the privacy from “public” to “friends“. You could tweak it to change it to another privacy group if you wish. There are infinitive improvements.
  4. If all works, simply change the value of “max” field to 10 or higher and see it working for you ten times. Run it several times under supervision or let it run for 100 repetitions and then come back. That’s it.
  5. HAPPY DAYS 🙂

IMPORTANT NOTE:
The script might not run on all types of posts. Some picture posts do not open in new window (as all other posts) and their privacy must be changed manually (click on the date next to your post -> then the “globe icon” -> select your privacy group). If you find, more scenarios that could be covered, send me an e-mail;).

I hope this saved you some time or you have tried at least something new. If you are into automation, check out iMacros website, they offer much more sophisticated tools for automation nerds. See more at iMacros Store.

Have a good one!

 

Short forecast of computing era in relation to AI

September 15, 2016

AI = artificial intelligence, has been on rapid growth during the millennium age and we are shifting into cognitive era of computing, where computer software can listen, learn and analyse unstructured data. Cognitive thinking is natural to humans but it’s been a great challenge for digital world. These limitations however, are falling apart and the future we envision and sometimes dream about, might be closer than we think. Scary and exciting at the same time.

I was interested in IBM Watson project for few years now and recently came across a question related to AI and new computer era.

Q: what will be the next computing era about? What’s next?

So here’s a thought:

I foresee the Fourth Era of Computing as the time of CREATION. Creation of knowledge, solutions, thinking. Technology itself will serve automated discovering, analysing, creating and delivering new solution to our problems. It will serve helping to reveal the unknown as well as overtake some decision making processes. Quantum physics will play major role in computing and will set us on a new path. Human intelligence, physical enhancements and integration of AI with human body and thinking might become the new field of focus.

In meantime, I believe that future steps of this third (cognitive) era for AI will be:
– expanding learning ability to human’s emotional intelligence (if it’s not there yet)
– creating decision making processes under supervision scheme (hopefully)
– integrating and changing daily lifestyle of our society & well being (AI as personal assistant – already happening).

I hope however, that I will still have some real friends even then :).

Regardless of what will actually become real from the list above, one thing remain the same – “only the strong will survive”.

What are your thoughts of future?

 

iPhone wifi issue solved by hair dryer

May 5, 2015

Ok. So this has happened to me already 4 times and technique below is not guaranteed at any circumstances. However, it worked for me all the time. So what is the issue? iPhone 4s simply stop providing me wifi feature since I updated the iOS to newer version. It has happened with any major iOS update 7.x, 8.x. Wifi was working perfectly fine, then I updated iOS and boom – wifi button grayed out. Soft reset, hard reset, factory restore, nothing helps. Apple support claiming it as a hardware fault.

Ok, let’s take a hair dryer, turn it on and smash earphone of the iphone with the heat until it “melts” or at least shows you it is overheated and it’s turning itself off. Great, we’ve?just melted the wiring and it’s time to put it in freezer for quick cool down. After 5-10 minutes I am taking it out, letting it dry off with cloth. 5 minutes later I turn it back on and VOILA – here comes the wifi feature again until next iOS update.

Hardware fix applied to software issue? Science fiction becomes reality :).

WiFi grayed out (not working, image on left) vs WiFi ON (working, image on right)

wifi grayed out wifi working

Password security

February 4, 2015

I am currently working on revision of my password management. Recently, I’ve been a victim of a scam e-mail from pretending to be from Gumtree and my password was exposed. Rookie mistake in a rush. I immediately took actions, however I realised, I don’t have a clear idea, where else have I used that password and hence those services is under potential threat.

I came up with few ideas, where one of them is to have a spreadsheet containing all services that I am using and require password for. Instead of having passwords listed there, I’ll store only security level of password, telling me which password?should I use. Actual form of password is stored only in my mind. I would have level 1 for banks, level 2?for bills, shopping and other services, and level 3 for non-important sites like forums etcetera.

Credit card maintenance section required – list of services holding credit card details and which.

I will update this post with preview, if anyone would like to do the same…

UPDATE pending…