Playing with Qwest DSL

by phobik

I was at a friend's house and he introduced me to an IP range that got my attention.

Every address within 63.224.0.x that we Telnet'd to gave us the same cbos> prompt.  My sense of curiosity immediately kicked in.  So what did I find?  Read on.

As it turns out, the routers were manufactured by Cisco and are a part of Qwest's DSL network.  Each router is placed in a customer's home and quite carelessly configured to their type of service.  These routers have three basic access levels: Exec, Enable, and debug.

When you initially log on to the router, it asks for a password.  On 80 percent of these things, there isn't one.  So just hit Enter and you're into Exec mode.  (cbos# prompt.)

cbos> enable
Password: <Enter>
cbos# 

So what can we amuse ourselves with from here?

Besides traceroute and ping utilities, there is a reboot command, and a couple of commands for getting info on the router's configuration.  Typing either of these (stats or show) gives you a list of arguments to append, with definitions.  Pretty simple, eh?

Once we get tired of checking out the configuration info, we can move up an access level by typing enable.

Again, Qwest is lazy and has neglected to set up passwords on the vast majority of these routers.  Besides all the Exec level commands, we now have access to set and write.

Briefly, set allows you to change the router's configuration file, and write writes the file to the router's NVRAM.

After the file is written to the NVRAM, you must reboot the router to activate any changes.  One thing you may want to check on before you make any modifications here is if the syslog is active (show syslog).  If it is, everything you do is being logged to a remote system.  Just disable it using set syslog disabled.  I've never run across a router with this feature enabled, but it's worth checking on.

One interesting ability that you now have is that you can change the router's upstream or downstream rates.  This is done through the following command:

cbos# set interface wan0 rate [up/down] [new rate]

In place of the first set of brackets, you choose to change either the upstream or downstream to whatever value you entered in place of the second set of brackets.  The baud rates will automatically adjust to match your settings.  You may also want to play with the router's transmitting power with:

cbos# set interface wan0 txpower

or 

cbos# set interface wan0 remote txpower

While I won't go into much detail about many of the specific commands (the routers' software makes it easy to figure out), there is one more thing I would like to point out.

The software image and backup config file can be downloaded, changed, and uploaded again using the TFTP protocol.

All you need to do is make sure TFTP is enabled (set tftp enabled) and then you can connect using a TFTP client.

For those of you unfamiliar with TFTP, there are no directory services, so you must know the exact filename of the file.  Lucky for you, I've already done the research.  The software image is either named c676.x.x.x.ima or c676.x.x.x where x.x.x is the version number.  As of this writing, 2.2.20 was the most current version.

The config file is stored as: nscfg.cfg

Just remember that any modifications you make will not become active until you use the write command and reboot.

Lastly, I'll point out the debug mode.

It has all kinds of nifty commands for testing the Qwest network.  I'm not going to go into detail about any of it because if you are knowledgeable enough to have a clue what you're doing in there, you don't need any of my help.  I'm sure there are some entertaining things hidden in there, though.

That's basically it.  Have fun and don't do anything blatantly destructive.  I notified the company about this problem way back when the routers were still US West property and nothing was done about it.

So maybe this will get them to wake up.  A good resource for learning more about these things is the Cisco website.

Just search for either "CBOS" or "Cisco 676 router".  Good luck!




http://cholla.mmto.org/computers/home_net/cisco678/

The Cisco 678 is a little DSL (ADSL/ATM) to Ethernet router that is often used in home applications (they call it a CPE, which stands for "Customer Premises Equipment" -- Cisco loves these acronyms). There are a whole flock of 600 series routers (we resist the temptation to call them modems) with different features and even external connections. The 675 is almost the same as the 678, but mine is a 678 and the detailed differences are spelled out in the following Cisco 600 series manual. The 678 supports DMT encoding and the 675 does not, that seems to be the main difference. DMT stands for "discrete multi tone". The 678 runs at 8032 receive/864 transmit (kbps). The 675 runs at 7168 receive/1088 transmit (kbps).

To do anything "interesting" with a Cisco router, you need to type enable. CBOS (the Cisco operating system that runs in the router) has two modes known as exec and enable. Exec mode is useful for examining things, but is safe in that you cannot change any settings. Enable does require a password.

To use telnet, telnet must be enabled in CBOS. TFTP is used to back up configuration files and to update CBOS firmware. New CBOS images for CBOS version 2.3 or higher are named c627..bin. Config files may be put under the name nscfg.cfg.

To use tftp to upgrade the CBOS image:

su
tftp
mode binary
put 12.0.8.5:nsrouter.c678dmt.2.3.5.012.bin

On the CBOS side, use show errors to verify that TFTP is working. A reboot will activate the image (use show version to check).

CBOS version 2.4.2 and earlier had vulnerabilities; in particular, the Code Red worm would exploit the web interface on CBOS through 2.4.2ap, and would even cause a denial of service issue if the web service was disabled. This was fixed in CBOS 2.4.3. (My 678 shipped with version 2.4.1.) A good, but not fully effective, workaround is to set the web port number to some value greater than 1024 via:

set web port 1025

You may want to upgrade to 2.4.6 (which was available on the Qwest DSL site August 2, 2007), here is the stuff. Be SURE you have a 675 or a 678 to use this (I was nervous about using this with a 678, until I called Qwest (August 3, 2007) and was directed to the second link, which provides an identical image). The short ReleaseNotes (dated 05/20/2002) simply says this is for 6xx series access routers (yep, they call them routers). As with any firmware upgrade, be ready for trouble if you do this. If it is good it will be simple and easy; if it is bad, you will have a dead modem. You probably want to save the image of your config and current OS before you do it.

To put the modem into bridge mode (it comes, or mine did, in PPP mode), do this:

cbos> enable
Password:
cbos# set nvram erase
cbos# write
cbos# reboot
Password:  (unless you've set an exec password)
cbos> enable
Password:  (will bring up cbos# unless you've set an enable password)
cbos# set bridging rfc1483 enable
cbos# set bridging management enable (this is not required but it allows web management)
cbos# set int wan0-0 disable
cbos# set int wan0-0 vpi 0 vci 32
		(vpi - 1 for cap and 0 for DMT)
		(vci - 1 for cap and 32 for DMT or 35 for AOL)
cbos# set int wan0-0 enable
cbos# write
cbos# reboot
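
An added example, not from either write-up: a small Python check that replays a CBOS provisioning script, such as the bridge-mode session above, and reports the weak settings both pages describe (blank passwords, TFTP left on, syslog off, web port at or below 1024, unsaved changes). The `set password exec|enable <pw>` syntax and the post-erase defaults for TFTP, syslog and web port are assumptions; `audit` and the sample strings are constructed.

```python
import re

# Assumed state after "set nvram erase": blank passwords (as the session's own
# notes imply); TFTP off, syslog off and web port 80 are assumptions.
DEFAULTS = {"exec_pw": False, "enable_pw": False, "tftp": False,
            "syslog": False, "web_port": 80}

def audit(script):
    """Replay CBOS commands in order; return findings for the final state."""
    state, dirty = dict(DEFAULTS), False
    for raw in script.splitlines():
        cmd = re.sub(r"^cbos[#>]\s*", "", raw.strip())   # drop the prompt
        cmd = re.sub(r"\s*\(.*$", "", cmd).split()        # drop "(...)" notes
        if cmd and cmd[0] == "write":
            dirty = False                                 # saved to NVRAM
        if len(cmd) < 3 or cmd[0] != "set":
            continue
        dirty = True
        if cmd[1:3] == ["nvram", "erase"]:
            state = dict(DEFAULTS)
        elif cmd[1] == "password" and cmd[2] in ("exec", "enable"):
            # "set password exec|enable <pw>" is assumed syntax, not from the page
            state[cmd[2] + "_pw"] = len(cmd) > 3
        elif cmd[1] in ("tftp", "syslog") and cmd[2] in ("enabled", "disabled"):
            state[cmd[1]] = cmd[2] == "enabled"
        elif cmd[1:3] == ["web", "port"] and len(cmd) > 3 and cmd[3].isdigit():
            state["web_port"] = int(cmd[3])
    checks = [(not state["exec_pw"], "blank exec password"),
              (not state["enable_pw"], "blank enable password"),
              (state["tftp"], "tftp enabled"),
              (not state["syslog"], "syslog disabled"),
              (state["web_port"] <= 1024, "web port not above 1024"),
              (dirty, "changes not written to NVRAM")]
    return [msg for bad, msg in checks if bad]

# Constructed sample: a shortened form of the bridge-mode session above.
BRIDGE = """cbos# set nvram erase
cbos# write
cbos# set bridging management enable (this is not required)
cbos# write
"""
# Constructed hardening lines; the passwords are placeholders.
HARDEN = """cbos# set password exec EXAMPLE-1
cbos# set password enable EXAMPLE-2
cbos# set syslog enabled
cbos# set web port 1025
"""
if __name__ == "__main__":
    print(audit(BRIDGE), audit(BRIDGE + HARDEN), sep="\n")
```

The bridge-mode script alone leaves both passwords blank because `set nvram erase` comes first; the hardened version still reports unsaved changes until a final `write`.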