Sunday, August 19, 2007

Cracking C3 RTL 8186 Firmware

Some proprietary firmwares are available that provide a lot of useful features and options for RTL8186-based access points. Mine is a Senao/Engenius NCB/ECB-3220. From examining the log produced by the firmware (Management->Log), one can see several lines mentioning the chipset, e.g.:

8186NIC Ethernet driver v0.0.5 (Mar 3, 2006)
rtl8186_crypto_init()...

One of the most popular proprietary firmwares is AP Router; however, cracking that firmware requires a serial connection to the access point, a luxury I didn't have. So I searched for other firmwares, and C3 popped up. C3 is a Brazilian-only RTL8186 firmware that supports most of the features provided by AP Router (actually there is great similarity between the two; even the filenames of the web server's HTML files seem to be identical in a number of cases).

In addition, cracking the C3 firmware is a lot easier than AP Router and doesn't require the serial cable.
It seems that while unlicensed, the firmware blocks any change to the access point's flash. The license file carries a MAC address: upon uploading a license file issued for some other access point, the firmware displays "Update successful" and changes your access point's MAC address to the one in the license file, which lifts the write protection on the AP's flash. All you have to do then is change that MAC address back to your original one, and voila, you have cracked the C3 firmware.

The major disadvantage of the C3 firmware is that it has no English support, and you have to get accustomed to seeing the Portuguese equivalent of some words.

1. Obtain the MAC address of your AP, either from the default firmware's web interface or over SSH (e.g. using PuTTY; username and password are both root) by running:

flash get HW_NIC1_ADDR
flash get ELAN_MAC_ADDR (<- this line is not required for my AP type)

Write down your MAC address or save it somewhere safe.
* To install the C3 firmware, either select "update firmware" in the original firmware or check this for the TFTP mode.
** Mind that there are two versions of the C3 firmware, so select the one that suits your AP; for me this one did the trick (this one, however, is the build for the D-Link G700AP).
2. Select "Upload de Licença" (license upload) and upload this file.
3. Connect to the AP via PuTTY and run the following, giving your MAC address as 12 hex digits, without brackets or colons:

flash set HW_NIC1_ADDR [your MAC address]
flash set ELAN_MAC_ADDR [your MAC address]

4. Reboot your AP, either from the web interface or by typing reboot at the SSH prompt.
5. Congrats, you're done; grab a Portuguese dictionary!
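The step most likely to go wrong above is step 3: the MAC address pasted into `flash set` has to be exactly 12 hex digits, and whatever you copied from the old web interface or from `flash get` usually carries colons, dashes, or the `KEY=` prefix. Below is an added example, not code from the original post or from AreaWireless.Net, of a small POSIX shell helper to run on your own PC before the SSH session. It normalizes the saved address, refuses anything that does not come out as 12 hex digits, and prints the two `flash set` lines to paste. The `KEY=value` output form of `flash get` and the `ssh` usage in the note are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original post. Prepares and checks the
# `flash set` lines from step 3 so a typo in the MAC never reaches flash.

# Reduce whatever was saved in step 1 to bare lower-case hex digits:
# drop an optional "KEY=" prefix (assumed form of a pasted `flash get`
# line), then every separator (colons, dashes, brackets, spaces).
normalize_mac() {
    printf '%s' "$1" \
        | sed -e 's/^[A-Za-z0-9_]*=//' -e 's/[^0-9A-Fa-f]//g' \
        | tr 'A-F' 'a-f'
}

# Succeed only for exactly 12 hex digits, the form `flash set` expects.
valid_mac() {
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 12 ]
}

# Print the two restore commands from step 3, or fail without printing.
mac_flash_cmds() {
    mac=$(normalize_mac "$1")
    if ! valid_mac "$mac"; then
        echo "refusing: '$1' does not normalize to 12 hex digits" >&2
        return 1
    fi
    printf 'flash set HW_NIC1_ADDR %s\n' "$mac"
    printf 'flash set ELAN_MAC_ADDR %s\n' "$mac"
}

# Stand-alone use: ./restore_mac.sh '00:11:22:AA:BB:CC'
[ $# -eq 0 ] || mac_flash_cmds "$1"
```

Save the output of step 1 to a file first (for instance `ssh root@<ap-ip> 'flash get HW_NIC1_ADDR' > mac.txt`, assuming the AP's SSH accepts the command directly), then feed that line to the script; if it prints "refusing", fix the saved value rather than retyping the address by hand at the AP prompt. The second `flash set` line can be dropped on models that do not have `ELAN_MAC_ADDR`.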

This work is based on the efforts of AreaWireless.Net.



8 Comments:

Anonymous Anonymous said...

Good effort, Keep up the good work!

10:47 AM  
Anonymous Anonymous said...

On version 7, your method does not work... :(

8:20 PM  
Anonymous Anonymous said...

Hey Guy,

Can you post a link to download an older version that works with your method? The version at www.cetres.com.br does not work anymore.
THX.

5:36 AM  
Anonymous Anonymous said...

On version 7 use the menu gerenciamento > comandos do sistema (management > system commands) instead of SSH (PuTTY).
Worked for me.

8:35 AM  
Anonymous Anonymous said...

Works for me using comandos do sistema (system commands). Thanks a lot.

12:00 PM  
Anonymous Anonymous said...

License file is not online anymore.

10:40 AM  
Blogger EffE said...

This comment has been removed by the author.

1:22 PM  
Blogger EffE said...

Is there any possibility of getting the firmware for the D-Link DWL-G700AP?
The site cetres.com.br isn't up anymore...

1:26 PM  

