Thursday, November 19, 2015

ARRIS Cable Modem has a Backdoor in the Backdoor

A couple of months ago, some friends invited me to give a talk at NullByte Security Conference. I started studying hot topics in embedded device junk hacking and decided to talk about cable modem security. Braden Thomas keynoted at Infiltrate 2015 on Practical Attacks on DOCSIS so, yeah, cable modem hacking is still mainstream.

On November 21st I'll be in Salvador speaking on "Hacking cable modems: The Later Years". It's not a talk about theft of service and getting free Internet access. I'll focus on the security of the cable modems, the technology used to manage them, how the data is protected and how the ISPs upgrade the firmware. Spoiler alert: everything's really, really bad.


Securing cable modems is more difficult than securing other embedded devices because, in most cases, you can't choose your own device/firmware and software updates are almost entirely controlled by your ISP.

While researching the subject, I found a previously undisclosed backdoor in ARRIS cable modems, affecting many of their devices including TG862A, TG862G, DG860A. As of this writing, Shodan searches indicate that the backdoor affects over 600.000 externally accessible hosts and the vendor has not yet stated whether it's going to fix it.


ARRIS Backdoors

ARRIS SOHO-grade cable modems contain an undocumented library (libarris_password.so) that acts as a backdoor, allowing privileged logins using a custom password.

The following files load the backdoor library on ARRIS TG862A Firmware TS0705125D_031115_MODEL_862_GW (released in 2015):

/usr/sbin/arris_init
/usr/sbin/dimclient
/usr/sbin/docsis_mac_manager
/usr/sbin/ggncs
/usr/sbin/gw_api
/usr/sbin/mini_cli
/usr/sbin/pacm_snmp_agent
/usr/sbin/snmp_agent_cm
/usr/www/cgi-bin/adv_pwd_cgi
/usr/www/cgi-bin/tech_support_cgi
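
An added example (not from the original post or from ARRIS): one way to produce a list like the one above from an extracted root filesystem is to read each ELF32 binary's DT_NEEDED entries and flag the ones naming libarris_password.so, reporting a bare string match separately. It handles both byte orders; the sample files are constructed, and `httpd` and `loader` are made-up names.

```python
import os
import struct
import tempfile

BACKDOOR_LIB = b"libarris_password.so"  # library name as given in the post
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def needed_libraries(blob):
    """Return the DT_NEEDED names of an ELF32 image, or None if not ELF32."""
    if len(blob) < 52 or blob[:4] != b"\x7fELF" or blob[4] != 1:
        return None
    end = ">" if blob[5] == 2 else "<"  # EI_DATA: 2 = big-endian (ARMEB)
    try:
        (phoff,) = struct.unpack_from(end + "I", blob, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", blob, 0x2A)
        # Program headers as (p_type, p_offset, p_vaddr, p_paddr, p_filesz).
        phdrs = [struct.unpack_from(end + "5I", blob, phoff + i * phentsize)
                 for i in range(phnum)]
        dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
        if dyn is None:
            return []  # statically linked or no dynamic section
        entries = []
        for pos in range(dyn[1], dyn[1] + dyn[4], 8):
            entries.append(struct.unpack_from(end + "iI", blob, pos))
            if entries[-1][0] == DT_NULL:
                break
        strtab_va = next(v for t, v in entries if t == DT_STRTAB)
        # DT_STRTAB is a virtual address; map it to a file offset via PT_LOAD.
        strtab = next(p[1] + strtab_va - p[2] for p in phdrs
                      if p[0] == PT_LOAD and p[2] <= strtab_va < p[2] + p[4])
        return [blob[strtab + v:blob.index(b"\0", strtab + v)]
                for t, v in entries if t == DT_NEEDED]
    except (struct.error, ValueError, StopIteration):
        return []  # truncated or malformed image


def scan_rootfs(root):
    """Map each ELF32 file under root that references the library to its evidence."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                blob = fh.read()
            libs = needed_libraries(blob)
            if libs is None:
                continue  # scripts, configs and other non-ELF32 files
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if any(lib.startswith(BACKDOOR_LIB) for lib in libs):
                findings[rel] = "DT_NEEDED"
            elif BACKDOOR_LIB in blob:
                findings[rel] = "string only"  # e.g. dlopen() or the library itself
    return findings


def build_sample_elf(needed, end=">"):
    """Constructed input: a minimal ELF32 image whose DT_NEEDED list is `needed`."""
    base, str_off, strtab, offs = 0x8000, 52 + 2 * 32, b"\0", []
    for name in needed:
        offs.append(len(strtab))
        strtab += name + b"\0"
    strtab += b"\0" * (-len(strtab) % 4)
    dyn_off = str_off + len(strtab)
    tags = [(DT_NEEDED, o) for o in offs] + [(DT_STRTAB, base + str_off), (DT_NULL, 0)]
    dyn = b"".join(struct.pack(end + "iI", t, v) for t, v in tags)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([1, 2 if end == ">" else 1, 1]) + b"\0" * 9
    ehdr += struct.pack(end + "HHIIIIIHHHHHH", 2, 40, 1, base, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    phdr = struct.pack(end + "8I", PT_LOAD, 0, base, base, total, total, 5, 0x1000)
    phdr += struct.pack(end + "8I", PT_DYNAMIC, dyn_off, base + dyn_off,
                        base + dyn_off, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + strtab + dyn


def demo():
    """Scan a constructed miniature rootfs; httpd and loader are made-up names."""
    samples = {
        "usr/sbin/mini_cli": build_sample_elf([b"libc.so.0", BACKDOOR_LIB]),
        "usr/sbin/httpd": build_sample_elf([b"libc.so.0"]),
        "usr/sbin/loader": build_sample_elf([b"libdl.so.0"]) + BACKDOOR_LIB + b"\0",
        "etc/banner": b"plain text that mentions libarris_password.so",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_rootfs(root)


if __name__ == "__main__":
    for path, evidence in sorted(demo().items()):
        print(f"{evidence:12} {path}")
```

On real firmware, point `scan_rootfs()` at the unpacked filesystem root; a "string only" hit needs manual review because the name may appear for reasons other than loading the library.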

ARRIS password of the day is a remote backdoor known since 2009. It uses a DES encoded seed (set by the ISP using the arrisCmDoc30AccessClientSeed MIB) to generate a daily backdoor password. The default seed is MPSJKMDHAI and guess what - many ISPs won't bother changing it at all.

The backdoor account can be used to enable Telnet and SSH remotely via the hidden HTTP Administrative interface "http://192.168.100.1/cgi-bin/tech_support_cgi" or via custom SNMP MIBs.



The default password for the SSH user 'root' is 'arris'. When you access the telnet session or authenticate over SSH, the system spawns the 'mini_cli' shell asking for the backdoor password.


When you log in using the password of the day, you are redirected to a restricted technician shell ('/usr/sbin/cli').

Restricted shells are ;restricted

In order to understand how the backdoor works, I built a Puma5 toolchain (ARMEB) and cross-compiled some useful tools like strace, tcpdump and gdbserver. I hosted them on my GitHub; get them here:

https://github.com/bmaia/cross-utils/tree/master/armeb

While analyzing the backdoor library and the restricted shells, I found some interesting code in the authentication check:



Yes, they put a backdoor in the backdoor (Joel from Dlink is sure to be envious). The undocumented backdoor password is based on the last five digits of the modem's serial number. You get a full busybox shell when you log on to the Telnet/SSH session using these passwords.

The vendor asked not to disclose details about the password generation algorithm. I'm really relieved knowing that those awful guys from Metasploit won't be able to reverse this in a timely manner.


Vulnerability, Disclosure and Marketing

Of course, we need a logo so the media can report about this with fancy graphs and vendors can distribute customized t-shirts at Blackhat.

What I like most about lcamtuf is how visionary he is. While people were still writing dumb fuzzers, he wrote AFL and performed a detailed technical analysis of Qualys' GHOST. Based on his analysis, I hired a couple of marketing specialists to find out the best way to disclose the ARRIS backdoor.

What do we have here?

- Multiple backdoors allowing full remote access to ARRIS Cable modems
- An access key that is generated based on the Cable modem's serial number

After a thoughtful analysis, the marketing committee advised w00tsec members to write a Keygen. In order to write a Keygen, we need a leet ascii art and a cool chiptune. The chosen font was ROYAFNT1.TDF, from the legendary artist Roy/SAC and the chiptune is Toilet Story 5, by Ghidorah.



Here's the POC (make sure you turn the sound on):




Conclusion

I reported these flaws to CERT/CC on 2015-09-13 but we didn't receive much feedback from the vendor. CERT/CC was very helpful and responsive (10/10 would disclose again!). I was asked not to release the POCs immediately so I'm going to wait for the vendor to "fix" the issue.


CERT/CC set a disclosure policy of 45 days long ago. They waited more than 65 days for the vendor to "fix" it, but ARRIS didn't remove the backdoors in a timely manner. Someone needs to update the Responsible Disclosure RFC and include a note describing that vendors shall lose disclosure points whenever they plant a backdoor on the device (ARRIS modems have a third backdoor too, check the ConsoleCowboys Blog).

I'm pretty sure bad guys have been exploiting flaws in these devices for some time (just search for ARRIS DNS on Twitter, for example). We need more people bypassing EULAs and reversing end-user software and firmware. If you haven't heard about Firmware.RE, check them out right now. A broader view of firmware is not only beneficial but necessary to discover new vulnerabilities and backdoors, correlating different device families and showing how vulnerabilities reappear across different products.

To all the vendors out there, I would like to finish this post by quoting @daveitel:



199 comments:

  1. Hats off to you, sir. Love the research and writing.

  2. Reading this while connected to an ISP who provided me with an Arris 862TG proved much more disconcerting than I expected it to be.

  3. much easier to gain shell access than is listed here
    Me and a friend reversed a bunch of arris stuff, it takes literally 2 lines entered into a terminal to get access to the busybox shell.

    Replies
    1. This guy's exploit requires knowing some stuff that mine doesn't, but I've avoided releasing it because of the amount of hacker drama going on now anyway. Nonetheless, this has been an issue for several years.
      You can use this to gain connectivity without having internet service, and to manipulate your bandwidth rate caps.

    2. On another note, you don't even need the backdoor password (this isn't actually a backdoor either, it's a maintenance password documented in the minicli)

  4. Completely clueless when it comes to what this gives access to, so asking what is likely to be seen as a dumb question. Will the encrypted connection I have to VPN protect me from this backdoor in terms of data flowing in and out? What level of access does this give someone aware of it on my network?

    Replies
    1. VPN won't help you because your ISP needs to access your modem to perform management functions, for example. As long as a machine from your network (or the cable network) can access the modem, there is potential to be exploited. You can fully access the device, sniff the network traffic, render it unusable etc...

      For more info, check the HackerNews thread here: https://news.ycombinator.com/item?id=10596667

  5. Love the work, especially the ASCII art ;)

  6. Mmmm... So, what happens if the ISP changes the seed of the Password of the day? This vulnerability disappears? Because as far as I understand, first you use that to log in to the restricted cli, and then you enable telnet/SSH to gain full control.
    Please someone correct me if I'm wrong.

    Replies
    1. You can enable telnet/SSH using both the Password of the day and the Serial Backdoor password. Changing the seed from the password of the day won't help because your ISP will set it using a configuration file that is sent to your modem.

      If you manage to get a copy of this config, you can extract the seed and hack all the modems from your ISP, for example. As far as I know, the seed is not dynamically generated (Check this -> http://docsis.org/node/1575).

    2. Of note, most ISPs, including my own, have all of the modems on their own "LAN WAN" of sorts -- you can easily access all of them. Unfortunately, either exploit requires WAN access enabled; the plus side is that more than often the things needed to do the exploit are usually open anyway, which is hilarious in and of itself. The configs are transferred via TFTP, so it's really easy to get the config if you save the TFTP filepath beforehand. The same config is where the bandwidth limits are stored, unfortunately it is signed but I have done some work with getting the cert signer. Yay for horrible security.

    3. Thanks for your answers. I'm working at an ISP, and we are concerned about this. We have blocked HTTP LAN and WAN access, so nobody can access the cablemodem. When this access is required, we enter the user's cablemodem and configure it.
      If we enable HTTP LAN access, the user can enter to the advanced configuration using the passwd of the day, and enable telnet or ssh access. But using telnet/ssh with that password is not a problem because, as you said before, it goes to a restricted cli.
      Is there a way to get the serial based password to gain full control? I couldn't find where to get the keygen you are using.
      Once again, thanks in advance.

  7. Nice IDA pictures, but did you really need a utility to enter the Arris console and then escape some poorly filtered commands in the shell?

    I don't even know why you need to bother with this so called back door, when you can do it faster other ways. Maybe you'll get a job at Arris some day though with all this nice work, 'cause it's obvious they only hire the brightest!

    Replies
    1. When I disclosed the findings to arris, they explicitly asked "how did you find the backdoors?" That's why I sent them the IDA output =)

      The post describes two backdoors, the Password of the day and the one based on the serial number. You don't need to escape the restricted shell on the SN backdoor, but the script was necessary to 1 - retrieve the SN, 2 - generate the SN backdoor password and 3 - bypass the EULA (see the screenshots).

      The grep -v was used because arris modem will keep ranging and displaying lots of debug msgs on the terminal (when disconnected), that would make it impossible to see anything on the video.

      And yes, there are easier ways to hack it like this one -> https://www.youtube.com/watch?v=KHVge3SkIoo. The motivation behind the post is that Brazilian criminals are exploiting it to change the user's DNS, for example.

    2. Bernardo, if arris is not so worried you shouldn't as well, I'm trying to learn and study to protect my own equipment, my isp has most modems with this and they don't even bother to change the seed, to make some changes most people don't even need to have root access, so making the keygen public, not even so public as I see some people have it, will not really make the world a better place, it's pointless, maybe they will take this seriously if you make it public, so far they don't care about customers, ISP neither.

      just my thoughts

  8. Nice article, thank you.
    But is it possible to block ISP access from this shell? Via iptables or something like that?
    I just installed my own Arris modem, but TWC assh*les forced a firmware update and took over the entire modem, disabled wi-fi and keep resetting the password. This is extremely annoying, especially when I own the hardware.

  9. Hi Bernardo! Could you share these backdoors with me (arris password generator and python script arris_backdoor.py)?

    thanks

  10. Yeah, come on, publish the generator. What's the point of creating it if you don't release it? Customers should have full control of their devices (especially if the device is owned).

  11. Can you publish a secret password for serial E48BRM68K139941 ?
    I'm not a customer, but an engineer of an ISP.
    User's security is important to me.

    Replies
    1. This comment has been removed by the author.

    2. LOL. Really? Your security is complete control. Sniffing traffic and charging extra for built-in features like Wi-fi and USB. So f*ck off.
      Don't publish to him anything. If you are ISP, you should have generators or whatever you use.
      I will try to discover how to block ISP access to modems OFF and prevent firmware updates, I know it's possible via SSH. So be sure, I will publish that.

    3. Your pass is 88D3ECC50F
      Bernardo, please don't publish keygen. Those who are asking for it are blackhat scriptkiddies. It's easy to reverse it, those who really need it will be able to do so. I have very little reversing experience and have never seen arm assembly before, but was able to find password generation algorithm after several hours in IDA.

    4. Oh, you're such an as*hole. So your point is to let providers control and sniff traffic right out of customer's hardware (how convenient for ISP)?
      But thank you, right now, from all CC/TWC 's firmwares is easy to extract the pass seed from router.dat (simple settings dump) and generate stupid password on http://www.borfast.com/projects/arris-password-of-the-day-generator/generator
      or use SNMP (if applicable). This "one-click" generator isn't needed anymore. I got a pass for myself, and it gives almost no useful features at all, at least in TWC firmware. So don't think you are so smart here.

  12. I just wrote up an analysis on Xfinity provided Arris TG862G devices, includes a fun root exploit n all. Details @ https://b.unni.es/xfinity.html :-)

    Replies
    1. Lucky you, I don't have tech_support_cgi URL anywhere, 404 Not found = No Telnet.

    2. Some inconsistency in your story. At first saying

      "Neither of those files (or /cgi-bin/) exist on http://192.168.100.1/",

      and then

      "I can enable SSH/telnet via http://192.168.100.1/cgi-bin/tech_support_cgi. So I enable telnet and SSH, then SSH into 10.0.0.1 using the default user rootb and the password arris".

      What the heck???

    3. Xfinity TG862G modems have a much sillier exploit than that that lets you run arbitrary code from the web interface.

    4. This comment has been removed by the author.

    5. whoops, that was a mistake. I meant https://172.16.12.1/cgi-bin/tech_support_cgi. Fixed on the page too.

    6. The reason I can't try your method is because I have a bug in firmware (or it's because I use Comcast's modem with TWC). Anyway my wi-fi doesn't stay on, right after coaxial cable is connected, the wi-fi shuts down, but TWC says they enabled wi-fi feature from their side. So I'm thinking if I can try to dig modem without coaxial cable, as in this case wi-fi stays on, but at the same time I can't open http://192.168.100.1 page when coaxial is disconnected. A bit stuck here.

    7. It's strange I can't see my request, so I write again!
      @Freedom, where did you get router.dat and how did you find the password of day seed in it?

    8. Router.dat is just a backup of settings from modem (there is such a menu).
      Then you execute the commands "openssl enc -d -aes-256-cbc -in router.data -out backup.tar -pass pass:Sercomm" and "sudo ./sc_mix.rb -u -s backup/sc_nvram.usr.sc -d sc_nvram_dump". You probably need linux OS or OSX for this. But if you don't have tech_support_cgi page, that password is useless, there is nothing much to change with it.

  13. Can someone help me with the secret password for Serial E1KBUCE46189173 ?

    Replies
    1. A49E41E511, enjoy and take care!

    2. This comment has been removed by the author.

    3. This comment has been removed by the author.

  14. This comment has been removed by the author.

    Replies
    1. This comment has been removed by the author.

  15. Hi, how did you manage to obtain the firmware? I wanted to take a look at this but couldn't get a sample. Did you get it from device directly via JTAG?

  16. Can anyone help me with the password for Serial E2BBPM79J630341 ?

  17. Loved this write-up, learned a lot.

  18. Please! Can anyone help me with the password for Serial EBTBP277U388369?

  20. You can help me... i need enter to router by http Access WAN, i have Public IP but i cant access... Pleaseeee!!

  21. Can I get the serial password for E3JBPP69K562074? Thanks

  22. Also password for E3UBPM79J619635 please. For TG1672G with TWC firmware TS0800124_110614_16XX.GW_PC20_TW, SNMP requests can be sent via HTTP requests. I managed to turn on telnet, ssh and got into minicli. In this version the cgi pages have been removed, seed changed and config backup aes key changed as well.

    This gateway uses Intel Puma6, 256MB RAM, 128MB Flash, and still, arris totally made it suck...

  23. For DG860A TS070563C_032913_MODEL_860_GW_TW, CGIs were returning 404, twc backdoor password works for advanced and 8080. But the OIDs for arrisCmDoc30Access aren't available and only open ports I see are 80, 8080 and 443. So how to elevate access on it?

  24. If anyone has the source, I would appreciate it if you can check what is listening on 9081/tcp. I found this port open on TG1672G erouter0's public IP even in bridge mode. Is it for ACS or some other backdoor?

  25. This comment has been removed by the author.

  26. This comment has been removed by the author.

  27. Password for C8PBRL47B148353 Please?

  28. I have managed to enable SSH and TELNET on this device, but not by the means you describe, as they no longer work. (http://10.0.0.1/remote_management.php the settings are there if you look hard enough ;-) Found quite a few other interesting things as well; possible secret user).

    I am extremely interested in getting my hands on the firmware for this device, or at least minimally libarris_password.so, but there is much in this firmware I still want to find out about, such as why it has a hardcoded WPS pin of 42000648.

  29. I have a graveyard of electronic devices infected with this...I thought my POS system got hacked...I can send you samples but you will have to be very specific on how to do it...

    Replies
    1. I would be more than happy to help you if you are able to get me a dump of one of these devices. Email me at username @ gmail.com

  30. for the longest while i have been trying to access the certs for the arris modem.
    can it be done ?

  32. Or at least the firmware, that's all i need...
    Or maybe where i can download it from...

  33. Could you give me password for F8UBU7LAH114777 ?

  34. Nice information, and I am very interested to get the secret code for SN: ABEBPC47B357977 PLEASE? HAVE A GREAT DAY.!

  35. This comment has been removed by the author.

  36. Hi, I tried everything and none work. Can you send the password for me: E5HBSWE76158751

    I would like to read the source code of my router. With the telnet I can see the files?

    Replies
    1. Lol, my name was Unknown. Anyway, I was able to find A LOT OF internet problems in this router. You have a lot of XSS Persistent, and CSRF. If someone discovers your password, you can easily emulate all calls because the cookie isn't random.

    2. With telnet, no you cannot read the source code of the router.

      The telnet/SSH login accepts two passwords from what I can see now, both the POTD which dumps you into /bin/mini_cli (totally useless, and also the seed has been changed) and the one based off the serial (which is far more useful as it is a busybox ash shell). I am also seeing signs of a third backdoor password or setting that enables the on-board serial port to be interactive.

      A lot of interesting files in this firmware...

  37. can someone post a copy of tech_support_cgi ? I don't have it, but i am able to run commands on my box :) so i think if i can get the file maybe i can download it and run it on my box

  38. Hello, any chance to get the algorithm? Or at least the password for my modem's serial G2ZBU5LAJ173417. Thank you.

  39. PLEASE I BEG PASSWORD FOR SERIAL NUMBER : FADBPM7EW600788

  40. Hello, is there a chance for password via serial number? Someone still here?

  41. Can someone help me with the secret password for Serial G3CBU5LAJ163717

  42. How can I see my arris modem status when the modem is online?

  44. i think the provider in austria changed the seed and modified the firmware a little bit

    can you please generate a password for my sn?
    D34BU7E52181078

    funny is... when you sniff the network for the oids you will get something like this when you login:

    http://192.168.100.1:8080/walk?oids=1.3.6.1.4.1.4115.1.20.1.1.2.4.2;&_n=16258&_=1475602720117

    (you have to take your own address after login!)

    then delete it to this:

    http://192.168.100.1:8080/walk?oids=1.3;&_n=16258&_=1475602720117

    let it load a little bit, you will get a lot of information...

  45. I'm a bit shocked that the same passwords are still used, that were in effect more than 10 years ago that were in use for the TM402/CM450

    a tool exists: Arris CM Password Generator, see also http://i67.tinypic.com/2mgkrjd.png

    perhaps there is no use anymore for it, but I eventually have some firmware files and SNMP MIBs for the old TM402 modems

    Replies
    1. This comment has been removed by the author.

    2. antiloop hoping you're still around and able to help a few more of us out. staring at ida and trying to work my way through this, hitting a wall at the hmac step

    3. Hey Lost, could you share the ida output? So perhaps I can help you to get the algorithm for this generation, I'm looking to generate the password for my modem.

  46. PLZ give me password for this serial no A7NBPA47B330881 . i want to use this modem as linux machine.

  47. Maybe this is out of scope, but is there a way to sideload a custom open firmware to patch the vulnerability and beef up security? My concern is a systematic exploit of this backdoor on a national level.

  48. Can I please get a password for SN: G3BBPP8FE504152

  49. Can I get a password for sn: F89BS5579305383

  50. you guys are still going on with this? asking for passwords? There are far easier ways imho... Let me give you some hints. Go on github, search the repository called "junkyard". Also check this out.
    http://www.bowe.id.au/michael/isp/docsis/mibs/arris-docsis3/

    If you just wanna enable telnet, try this;

    SnmpMib = arrisCmDoc30AccessTelnetEnable.0 enable

    The OID is 1.3.6.1.4.1.4115.1.3.4.1.2.2 if you need it.

    Anyways, I was wondering, what if I used a MoCa access point and set up a server to push my own firmware updates, e.a. I pretend to be the ISP for the modem's sake, I guess it'd be a man in middle attack of sorts, I was looking for information on this, and can't figure out if anyone's done it, or maybe no one talks about it. I'm curious though.

    Replies
    1. This comment has been removed by the author.

  51. Hello
    Does this work for TM502G?
    Can I get a password for sn:75WBMV484271441?

  52. This comment has been removed by the author.

  53. This comment has been removed by the author.

  54. Please can you check on this serial number ? G3XBRE9DR200072

    Thank you a lot !!!

  55. PLEASE I BEG PASSWORD FOR SERIAL NUMBER : D7ABSMEC8538106

  56. Could somebody potentially help me with a password for my SN/F5YBPP8DV505707
    Haven't quite got the concept of this thread, but I'm certainly going to study a bit more! I have an ARRIS DG1670A, quite frankly I'm just trying to access an internet connection without my having an ISP...Thanks!

  57. pass for CCTBRZ46E195880 please??

  58. having the pass for MODEL: TM822G Serial Number: G3UBRE9DR202094 would be very helpful

  61. This comment has been removed by the author.

  62. This comment has been removed by the author.

  63. This comment has been removed by the author.

  64. Please, can anyone give me the password for my TG862 S/N: 34994, I really need it. Thanks.

  65. Where can I find passwords of the day for arris tg1672?

  66. Would you mind handing me the password for E5FBRR34T103605 ?

  67. Would you mind handing me the password for EAPBS5345304952 ?
    THANK YOU

  68. Please password for S/N: D3DBUCE42136190

  69. This comment has been removed by the author.

  70. can somebody provide me the password for SN FBBBU3LHJ517518 also if possible some explanation on how to reverse it

  71. For all serial to access to root shell after telnet login with PoTD:

    Console> system
    System> ping ;sh
    #

    Credit Victor N. Ramos Mello https://goo.gl/wX9pWE

    For last firmware without tech_support_cgi to enable telnet and ssh, change 00 to 01 on 0x002A and 0x0203 addresses of file /nvram/6/1

    Replies
    1. Genius, thanks for sharing!!! This is all I needed.

    2. This comment has been removed by the author.

  72. My internet is about to be turned off, so can I activate it again?

  73. need to password for 33373A93C79E477D thank you!

  75. Hi, please the password for this Serial Number: FBGBSTLAJ101798 . Thank you

  76. I also need the password for the Serial: 05938
    Maybe someone can help me out with this.

  77. how bout a pw for ... E4UBRR34T105113
    id really appreciate it, and recommend this site to my friends =D

  78. Can I get the password for FACBSR34J102817 thank you

  79. This comment has been removed by the author.

  80. C8ybps68m561281 password please?

  83. Please can you tell me for this D4LBRZ46E190384?
    Thank you

  85. This comment has been removed by the author.

  86. 03135 May i get the backdoor serial password please?

  87. Is there a possibility to get the password for EAYBPM7BV609168?

  88. Can someone help me with the secret password for Serial E93BUCE76191530?

    Thanks.

  89. how can i add new ARP static values ?

  90. Anyone know the pass for f4fbu3khf568959 thanks in advance.

  91. I'm begging anyone willing if I can plz have the password generator based on serial number pls? Thanks in advance and we can work something out... in the meantime plz help, need password for serial number D83BU4EC5527710

  92. someone has arris serial keygen for sale

  94. On firmware TS0901103S5M_112816_862_GW they changed the SN Password Algorithm, maybe only the seed or there is another lock :(

  95. I know some systems are still using the old firmware image. I think the key is to get a copy and decompile it. Try to figure out the algorithm.

  96. Password for SN: E2FBPP68H567715

  97. Password for SN: G4MBU5LAJ133453
    please

  98. E3HBPM79J613775. I love you. Please and thank you.
    trissypissy@gmail.com

  99. Password
    S/N:517187939612
    P/N: TG02DA7169242MB

  100. Can someone help me with the secret password for Serial 516354099292 Model:TG1692A?

  101. help me with the secret, serial 517150177791 model:TG1692A

  102. f3vbpm7dv01522 password please

  103. help me with the secret, serial G6NBRM79X100634 model:CM820B

  104. please password for the serial number 1RBSTE56145577 of the cablemodem arris tg862a

  105. I think the key is to get a copy and decompile it. Try to figure out the algorithm.

  106. great work, could you provide a password for TG862G CB1BU3CB2575115, THANK YOU

  107. Has anyone managed to decrypt an arris DG2460a router.data file?

  108. Hi, thanks for your post. My ISP provided me an Arris TG2482. I need to implement port forwarding but the ISP doesn't help me. I'm trying to log in to the router but I can't; maybe you have some information regarding that.

    Thanks,

    Alejandro

  109. Where can I download the sweet password generator?

    Replies
    1. This comment has been removed by the author.

    2. hey riper, can you send me the link for the keygen? cheers

  110. Can I get the password for serial 6BH3W2337102576

  111. Can someone help me with the secret password : Serial 516354099292 Model:TG1692A?

  112. Is there a newer version of this? like for an xb3, running

    eMTA & DOCSIS Software Version: 10.1.27B.SIP.PC20.CT

    Software Image Name: TG1682_3.5p5s1_PROD_sey

    Advanced Services: TG1682G
    Packet Cable: 2.0

  113. Could someone share or make a public generator??

  114. OK so, I think I know why Arris did nothing about the open backdoor; these modems were purchased by IZZI, (a Mexican internet provider based in Mexico City DF) and I believe they wanted to make sure the door stayed open. The a**holes are exceptionally controlling: there are very few settings a user can alter. Most of them are locked.
    When a technician came out I asked him why I couldn't change the DNS, or the channel (fer chris' sakes) and he wouldn't answer. I pressed the questions in more technical language and he got slippery. The only way I can make even the most basic changes is to call IZZI and talk to a group that deals with businesses and ask if I can have changes.
    Damned controlling assholes.

  115. is there a way to reboot the modem (tm822) from the gui, ssh or telnet?

  116. This modem may be trash. Have tried getting in, but no luck: 87K2C8132146613

    Replies
    1. This comment has been removed by the author.

  117. PLEASE PASSWORD SN: 88A2RL7CM204630

    THANKS :)

  118. Please a password for S/N: 8AS2N9659201303
    THX

  119. hello could you help me with this serial numbers password many thanks
    76G2STLBJ101238
    F9HBSTLAH101809
    Both modems are TG862
    many thanks

  120. hello could you help me please my serial number is
    8932NB112100923

  121. me too pls
    MODEL: TM822S
    Serial Number: EBBBSR34J100440

  122. Hello!
    Please confirm the pass :)

    Serial: C79BRL465132198
    Model: 820A

    THANK YOU!!

  123. I doubt this will work but can I get the password for S/N: G92BSY89D600488 or the keygen itself?

  124. To this date he still keeps deleting comments and I really doubt he'll ever share the tool or help any of us with a password.

  125. hi guys need a password for S/N:G59BSZ567400422
    thanks a lot for help

  126. anyone help pw for s/n:EARBRL6BM103987
    thanks

  127. where can obtain the software? bro!

  128. hello could you help me please my serial number is

    System: ARRIS DOCSIS 3.0 / PC 1.5 Touchstone Residential Gateway
    HW_REV: 5
    VENDOR: ARRIS Group, Inc.
    BOOTR: 2.2.0.45
    SW_REV: 9.1.103ES
    MODEL: TG2482AP2-85
    Serial Number: 15C4D9698502289

  129. please help with pass for S/N F57BPM7FV601217 thx

  130. SN E3UBRR34T103948 password please

