====== Alcatel Speed Touch Home (Pro) ADSL Modem (Router) ======

===== Web configuration: a PPPoA connection =====

Basic configuration can be done via a web interface, at this default address: ''**%%http://10.0.0.138/%%**''. The factory password is blank.

^ Phonebook ^^^^
^ Name ^ VPI ^ VCI ^ Type ^
| tiscali_pppoa | 8 | 35 | ppp |

\\

^ PPP (add a new entry) ^^
^ Name | tiscali_pppoa |
^ Encap | vc-mux |
^ Status | on |

\\

^ PPP Configuration ^^
^ User | user@tiscali.it |
^ Password | %%*******%% |
^ Connection Sharing | Everybody |
^ Destination networks | All networks |
^ Address translation (NAT-PAT) | Yes |
^ Primary DNS | 195.130.224.18 |
^ Secondary DNS | 195.130.225.129 |
^ Local IP | none |
^ Remote IP | none |
^ Mode | always-on |
^ LCP echo | enabled |
^ PAP | disabled |
^ ACCOMP | enabled |

===== Command line =====

Here is a {{.alcatel:stprowf_cli_guide.pdf|manual for the Command Line Interface}}. It is intended for the //Speed Touch Pro with Firewall//, a more advanced model than the Speed Touch Pro, but most commands apply the same way. Here are some examples to set a password, to set some specific NAT rules (port forward) and to set a default NAT server:

  =>system setpassword password = MySecret
  =>nat list
  =>nat create protocol = tcp inside_addr = 192.168.1.2 inside_port = 25 outside_addr = 0 outside_port = 25
  =>nat delete protocol = tcp inside_addr = 192.168.1.2 inside_port = 25 outside_addr = 0 outside_port = 25
  =>nat defserver
  =>nat defserver addr=192.168.1.2
  =>nat defserver addr=0

The default NAT server will receive all the packets received by the router on the WAN interface (TCP, UDP, ICMP, etc.).

To be safe, save the new config:

  =>config save

===== The EXPERT mode challenge password =====

If a password was set, this is the prompt for a telnet session:

  $ telnet 10.0.0.138
  Trying 10.0.0.138...
  Connected to 10.0.0.138.
  Escape character is '^]'.
  User : SpeedTouch (00-90-D0-18-5F-7E)
  Password :

You can type the password, if you know it; otherwise you can type the **EXPERT backdoor** password if you have an earlier version of the firmware. With a new firmware the EXPERT password is no longer valid for the telnet session, but it is still valid for the EXPERT command line mode (maybe it is still vulnerable on the ATM interface? [[#web_links|Read more]]).

If you want to calculate your challenge/response password go to **[[http://www.rigacci.org/alcatel/|this page]]**.

===== Firmware upgrade =====

**Note**: I own an Alcatel Speed Touch Home, model number 3EC18604BCAA04. I upgraded from **{{.alcatel:khdsaa_134.tgz|KHDSAA.134}}** to **{{.alcatel:khdsaa3_290.tgz|KHDSAA3.290}}** firmware.

In my experience, uploading a new firmware from the web interface failed with an **Invalid file uploaded** error message. This happened with several images, even with the original one. So I definitely prefer to do upload and download via FTP.

I also tried to upload the firmware ''**GXKLAB3.426**'' which is reported to be the //SpeedTouch Pro Firewall Software//. Unfortunately the FTP session aborted, maybe because of the size of the file, which is 235 kb larger than the original ''KHDSAA.134'' file.

First of all you have to delete the //passive// (not used) firmware image to make room for the new image. If no passive software image is present at boot time, the active image is copied as the passive one. The active image is stored in the **active** subdirectory; the passive image is stored in **dl** instead.

  $ telnet 10.0.0.138
  =>software deletepassive

Upload the new firmware via FTP. You can log in as a normal user or as the EXPERT user with the challenge password:

  $ ftp 10.0.0.138
  Connected to 10.0.0.138.
  220 Inactivity timer = 120 seconds. Use 'site idle ' to change.
  Name (10.0.0.138): admin
  230 User 'admin' OK. No password required.
  ftp> cd dl
  250 Changed to
  ftp> bin
  200 TYPE is now 8-bit binary
  ftp> put KHDSAA3.290
  150 Opening data connection for KHDSAA3.290
  226 File written successfully
  1007232 bytes sent in 36.62 secs (26.4 kB/s)
  ftp> bye

Then we have to set the just-uploaded image as //passive// and finally we switch images:

  $ telnet 10.0.0.138
  =>software
  [software]=>setpassive file = KHDSAA3.290
  [software]=>version
  Active : KHDSAA.134
  Passive : KHDSAA3.290
  [software]=>switch

After the ''**switch**'' command, the Alcatel automatically reboots.

{{hardware:alcatel:khdsaa3_290.tgz}}

===== Convert an Home to a Pro =====

I did this upgrade to use the modem as a router. After this change I was able to set a PPPoA connection, doing NAT and port forward.

The upgrade consists of changing a word (two bytes) in the EEPROM at address 2. The value for my Speed Touch Home was **0x8604**; I changed it into **0x8606**.

==== With firmware 253 or lower ====

  =>EXPERT
  ========================DISCLAIMER=========================
  Access to expert mode is intended for qualified personnel only.
  Press ENTER to return to user mode.
  =====================END=OF=DISCLAIMER=====================
  'SpeedTouch (00-90-D0-18-5F-7E)'
  Password :
  >rip
  rip>drv_read 2 1 b
  the data in hex is : 8604
  rip>drv_write 2 1 b 8606

==== With newer firmware ====

  =>td prompt
  ========================DISCLAIMER=========================
  Access to expert mode is intended for qualified personnel only.
  Press ENTER to return to user mode.
  =====================END=OF=DISCLAIMER=====================
  'SpeedTouch (00-90-D0-18-5F-7E)'
  Password : *********
  Switched to 'Trace & Debug' prompt.
  Return to Normal mode by typing
  >rip
  rip>drv_read 2 1 b
  the data in hex is : 8604
  rip>drv_write 2 1 b 8606

===== Web links =====

=== Deep analysis and Recipes ===

  * [[http://www.s0ftpj.org/bfi/online/bfi10/BFi10-14.html]] ({{.alcatel:bfi10-14.html|local copy}})
  * [[http://www.petri.co.il/upgrade_from_alcatel_speedtouch_home_to_pro.htm]]

=== Some sources for Alcatel firmwares ===

  * [[http://www.thomsontelecom.com.au/speedtouch/resources/Home_Pro_Upgrde.zip]]
  * [[http://www.nzdsl.co.nz/software/alcatel/Default.htm]]
  * [[http://www.bruring.com/nuke/modules.php?op=modload&name=Downloads&file=index&req=viewsdownload&sid=8]]

=== Alcatel "EXPERT" Mode Challenge/Response ===

  * [[http://www.rigacci.org/alcatel/]]
  * [[http://security.sdsc.edu/self-help/alcatel/challenge.cgi]]
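
Relating to the NAT commands in the //Command line// section: an added example (not part of the original page or of the modem's software) that replays a saved sequence of ''nat create'', ''nat delete'' and ''nat defserver'' commands offline and reports which inside hosts end up reachable from the WAN. The function names are hypothetical, the sample script is constructed from the page's commands, and treating ''addr=0'' as clearing the default server is an assumption.

```python
import re

# Constructed sample script: the page's CLI commands plus one extra forward.
SAMPLE = """\
=>nat create protocol = tcp inside_addr = 192.168.1.2 inside_port = 25 outside_addr = 0 outside_port = 25
=>nat create protocol = tcp inside_addr = 192.168.1.3 inside_port = 80 outside_addr = 0 outside_port = 8080
=>nat delete protocol = tcp inside_addr = 192.168.1.2 inside_port = 25 outside_addr = 0 outside_port = 25
=>nat defserver
=>nat defserver addr=192.168.1.2
"""

PAIR = re.compile(r"(\w+)\s*=\s*(\S+)")  # matches "key = value" and "key=value"
RULE_KEYS = ("protocol", "outside_addr", "outside_port", "inside_addr", "inside_port")


def replay(script):
    """Apply nat create/delete/defserver in order; return (forwards, defserver)."""
    forwards, defserver = set(), None
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith("=>"):
            line = line[2:].strip()
        words = line.split(None, 2)
        if len(words) < 2 or words[0] != "nat":
            continue  # not a NAT command (e.g. "config save")
        args = dict(PAIR.findall(words[2])) if len(words) == 3 else {}
        if words[1] in ("create", "delete"):
            if not all(k in args for k in RULE_KEYS):
                raise ValueError(f"incomplete rule: {raw!r}")
            rule = tuple(args[k] for k in RULE_KEYS)
            if words[1] == "create":
                forwards.add(rule)
            else:
                forwards.discard(rule)
        elif words[1] == "defserver" and "addr" in args:
            # Assumption: addr=0 clears the default server.
            defserver = None if args["addr"] == "0" else args["addr"]
    return forwards, defserver


def findings(script):
    """List what is reachable from the WAN once the script has run."""
    forwards, defserver = replay(script)
    out = [f"{p} {oa}:{op} -> {ia}:{ip}" for p, oa, op, ia, ip in sorted(forwards)]
    if defserver:
        out.append(f"default NAT server -> {defserver}")
    return out


if __name__ == "__main__":
    print("\n".join(findings(SAMPLE)))
```

A ''default NAT server'' line in the result deserves the most scrutiny, since that host receives the packets arriving on the WAN interface as described above.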
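
Relating to the //Firmware upgrade// procedure: an added example (not part of the original page) that checks the FTP transcript and the ''version'' output before ''switch'' is issued, so that an aborted or short upload is caught while the old image is still active. The function name is hypothetical; the transcripts are the ones shown on this page, and the local file size would normally come from ''os.path.getsize()''.

```python
import re

# Transcripts copied from the session shown on this page.
FTP_LOG = """\
ftp> put KHDSAA3.290
150 Opening data connection for KHDSAA3.290
226 File written successfully
1007232 bytes sent in 36.62 secs (26.4 kB/s)
"""
VERSION_OUT = """\
Active : KHDSAA.134
Passive : KHDSAA3.290
"""


def preswitch_problems(ftp_log, version_out, image, local_size):
    """Return reasons not to run 'switch'; an empty list means all checks passed."""
    problems = []
    # 226 is the FTP reply for a completed transfer.
    if not re.search(r"^226 ", ftp_log, re.M):
        problems.append("no 226 reply: the FTP transfer did not complete")
    # The ftp client prints the number of bytes it actually sent.
    sent = re.search(r"^(\d+) bytes sent", ftp_log, re.M)
    if sent is None:
        problems.append("no byte count in the FTP log")
    elif int(sent.group(1)) != local_size:
        problems.append(f"sent {sent.group(1)} bytes, local file is {local_size}")
    # The passive slot must hold the image that was just uploaded.
    slots = dict(re.findall(r"^(Active|Passive)\s*:\s*(\S+)", version_out, re.M))
    if slots.get("Passive") != image:
        problems.append(f"passive image is {slots.get('Passive')}, expected {image}")
    return problems


if __name__ == "__main__":
    print(preswitch_problems(FTP_LOG, VERSION_OUT, "KHDSAA3.290", 1007232) or "ok to switch")
```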