C1111-8PLTEEA
- A Cisco router configured by TeliaSonera NOA devs, they really suck at protecting and keep things safe for their customers :)
Notice:
I have neither attempted to attack nor intrude on Telia's property by for example, brute-forcing their login for get access to any logs or setups used by Telia devs. . I have had full respect for their banner message. I have just put all my energy into getting the device wiped and get the device to a default state for my friend, I do not own this device so I am NOT the owner of any devices in this wiki. My friend is and will remain anonymous no matter what.
With this said, let's go further! :)
- Ups! I was met by this message immediately when I was about to log in via cli :)
NOC = Network Operations Center - Telia Sverige AB - Solna
PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
Reset button push detected
This functionality is disabled due to password protection
Resetting ..Rom image verified correctly
Current image running: Boot ROM0
Last reset cause: LocalSoft
C1111-8PLTEEA platform with 4194304 Kbytes of main memory
**PASSWORD RECOVERY IS DISABLED.**
Do you want to reset the router to the factory default
configuration and proceed y/n [n]: y
**Router continuing with existing configuration...**
no valid BOOT image found
Press RETURN to get started!
=================================================
This device is the property of TeliaSonera.
=================================================
Access is ONLY allowed for NOC personnel at
TeliaSonera Sverige AB.
=================================================
Warning: All unauthorized access is prohibited.
=================================================
User Access Verification
Username:
Device
All TCP AO KDF Tests Pass
cisco C1111-8PLTEEA (1RU) processor with 1415002K/6147K bytes of memory.
Processor board ID FCZ3435913B
Router operating mode: Autonomous
1 Virtual Ethernet interface
10 Gigabit Ethernet interfaces
2 Cellular interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
2863103K bytes of flash memory at bootflash:.
- Front
Antennes are really huge. We need those for the dual sim 4G LTE
Ports - Layer 2
Those ports are: 0/1/0 -> 0/1/7
show interfaces summary
*: interface is up
IHQ: pkts in input hold queue IQD: pkts dropped from input queue
OHQ: pkts in output hold queue OQD: pkts dropped from output queue
RXBS: rx rate (bits/sec) RXPS: rx rate (pkts/sec)
TXBS: tx rate (bits/sec) TXPS: tx rate (pkts/sec)
TRTL: throttle count
Interface IHQ IQD OHQ OQD RXBS RXPS TXBS TXPS TRTL
-----------------------------------------------------------------------------------------------------------------
* GigabitEthernet0/0/0 0 0 0 0 5000 6 146000 5 0
GigabitEthernet0/0/1 0 0 0 0 0 0 0 0 0
GigabitEthernet0/1/0 0 0 0 0 0 0 0 0 0
GigabitEthernet0/1/1 0 0 0 0 0 0 0 0 0
GigabitEthernet0/1/2 0 0 0 0 0 0 0 0 0
GigabitEthernet0/1/3 0 0 0 0 0 0 0 0 0
GigabitEthernet0/1/4 0 0 0 0 0 0 0 0 0
GigabitEthernet0/1/5 0 0 0 0 0 0 0 0 0
GigabitEthernet0/1/6 0 0 0 0 0 0 0 0 0
* GigabitEthernet0/1/7 0 0 0 0 0 0 0 0 0
Cellular0/2/0 0 0 0 0 0 0 0 0 0
Cellular0/2/1 0 0 0 0 0 0 0 0 0
Misc
Some default values I use in cli for easier managment and other useful stuff
terminal length 0
show running-config
hostname <hostname>
ip domain name <domain_name>
ip default-gateway <ip>
service password-encryption
Setup Wizard - WebUI
Setup Wizard - Commandline
You will enter setup wizard by type
enable
setup
Follow and Answer the questions, see begin of the cli wizard below
Accounts / Passwords
enable password <password>
username <username> privilege 15 secret 0 <password>
Reset Router to Factory Settings
write erase
delete nvram:*
format bootflash:
format flash:
Change the configure register value to ignore the startup configuration by issuing the confreg command, as shown in this example:
confreg 0x2142
reload
After the router boots, issue the enable command at the Router > prompt. The prompt changes to Router#, indicating that the router is now in privileged mode.
config t
config-register 0x2142
reload
Controller
Router#controller ?
disable controller-mode disable
enable controller-mode enable
reset controller-mode reset
controller enable
Enabling controller mode will erase the nvram filesystem, remove all configuration files, and reload the box!
Interface
Reset an Interface really simple without alot of useless commands
default interface GigabitEthernet0/0/0
Configuring Gigabit Ethernet Interfaces - WAN - DHCP
enable
config t
interface GigabitEthernet0/0/0
ip address dhcp
no shutdown
exit
Configuring Gigabit Ethernet Interfaces - LAN - STATIC
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
negotiation auto
no shutdown
exit
Format / Erase / File Systems
Format File Systems:
format flash:
format bootflash:
Erase configuration files
write erase
erase nvram:
TFTP Managment
TFTP Server (gnu/gentoo linux - tftp-hsa)
cat << EOF > /etc/conf.d/in.tftpd
#/etc/init.d/in.tftpd
# Created by: wuseman
TFTPD_PATH="/mnt/tftp"
TFTPD_OPTS="-p -u nobody -s ${INTFTPD_PATH} -vvv"
EOF
Start tftp-hsa
/etc/init.d/in.tftpd start
- Tftp is now running :)
TFTP Client (Cisco Device)
IP_ADDRESS=192.168.1.164
IP_SUBNET_MASK=255.255.255.0
DEFAULT_GATEWAY=192.168.1.1
TFTP_SERVER=192.168.1.146
TFTP_FILE=cisco/firmware/c1100-universalk9_ias.17.03.03.SPA.bin
Now execute:
boot tftp: OR boot tftp://<tftp_server>/tftp_file.bin
Copy tftp binary to system
copy tftp system
copy tftp://<tftp_server>/tftp_file.bin bootflash:
Configure Boot
bootvar
show bootvar
enable
WebUI
Enable WebUI
ip http server
ip http authentication local
ip http port <http_port>
ip http secure-port <https_port>
ip http accounting commands 15 default
ip http max-connections 2
ip http client cache memory file 5
ip http client connection timeout 10
ip http client password <password>
ip http client username <username>
ip http path webui:
Access List
ip access-list standard 20
permit <ip> 0.0.0.255
permit <ip> 0.0.255.255
permit <ip> 0.255.255.255
! (Note: all other access implicitly denied)
end
Remote Managment
Setup SSH
enable
config t
crypto key generate rsa
# crypto key generate rsa general-keys modulus 2048
line vty 0 4
login local
transport input ssh
end
Verify that SSH is installed and configured correct
ctrl+c
sh ip ssh
Configure Telnet
config t
line vty 0 4
login local
transport input telnet
exit
Cellular - LTE - GPS
Unlock SIM
cellular 0/2/1 lte sim unlock <pin_code>
Activate Firmware
cellular 0/2/1 lte firmware-activate
Fota
cellular 0/2/1 lte fota
Profile
cellular 0/2/1 lte profile
cellular 0/2/0 lte profile create 1
cellular 0/2/0 lte profile delete 1
PLMNM
cellular 0/2/1 lte profile
cellular 0/2/0 lte profile create 1
cellular 0/2/0 lte profile delete 1
Copy
cellular 0/2/0 copy file
cellular 0/2/0 copy modem-crashdump
SMS
cellular 0/2/1 lte sms
cellular 0/2/0 lte sms view all
cellular 0/2/0 lte sms view summary
cellular 0/2/1 lte sim activate slot 1
cellular 0/2/0 lte sim change pin <xxxx> <xxxx>
cellular 0/2/0 lte sim lock <xxxx>
cellular 0/2/0 lte sim unblock
cellular 0/2/0 lte sim unlock <xxxx>
Technology
cellular 0/2/1 lte technology
Disable SIM
controller cellular 0/2/0
no lte firmware auto-sim
- %LINK-3-UPDOWN: Interface Cellular0/2/0, changed state to down
- %LINK-3-UPDOWN: Interface Cellular0/2/1, changed state to down
Dump Firmware and Profile
show cellular 0/2/0 profile firmware
Hardware
Router>show cellular 0/2/0 hardware
Modem Firmware Version = SWI9X30C_02.30.01.01
Device Model ID = EM7455
International Mobile Subscriber Identity (IMSI) =
International Mobile Equipment Identity (IMEI) = XXX12XXXX5XX9XX
Integrated Circuit Card ID (ICCID) =
Mobile Subscriber Integrated Services
Digital Network-Number (MSISDN) =
Factory Serial Number (FSN) = LFXXXXXXXXXXXX
Modem Status = Modem Online
Current Modem Temperature = 33 deg C
PRI SKU ID = 1102526, PRI version = 002.045_001, Carrier = GENERIC
OEM PRI version = 000.012
Interface
interface Cellular0/2/0
LTE Adv CAT6 - Multimode LTE/DC-HSPA+/HSPA+/HSPA/UMTS/EDGE/GPRS unit 2
Cellular Modem Configuration
==============================
Modem is recognized as valid
Power save mode is OFF
manufacture id = 0x00001199 product id = 0x00009071
Sierra Wireless Direct IP EM7455 modem
GPS Feature = enabled
GPS Status = NMEA Disabled
GPS Mode = not configured
Cellular Dual SIM details:
---------------------------
No SIM present
Module Reload Statistics
-------------------------
Soft OIR reloads = 0
Hard OIR reloads = 0
Logs / Syslog
Configure Syslog
no logging console
logging source-interface Loopback0
logging <syslog-server1>
logging <syslog-server2>
logging buffered 64000 debugging
logging facility <facility>
logging trap informational
logging rate-limit <#msgs/sec> except 2
Read Logs
show log last 10
show log | i Ethernet110/1/11 | i down | count
Banner / Message Of The Day
SSH Login
banner login #
+*************************************************************************+
* L E G A L N O T I C E -- Y O U M U S T R E A D *
***************************************************************************
* *
* You must have explicit permission to access or configure this *
* device. All activities performed on this device are logged and *
* violations of this policy may result in criminal prosecution. *
* *
***************************************************************************
* *
* This system is for the use of authorized users only. Individuals using *
*this computer system without authority, or in excess of their authority, *
* are subject to having all of their activities on this system monitored *
* and recorded by system personnel. *
* *
* *
* Anyone using this system expressly consents to such monitoring and is *
* advised that if such monitoring reveals possible evidence of criminal *
* activity, system personnel may provide the evidence of such monitoring *
* to law enforcement officials. *
* *
***************************************************************************
* UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED *
***************************************************************************
#
Subslots
%SPA_OIR-6-ONLINECARD: SPA (C1111-2x1GE) online in subslot 0/0
%SPA_OIR-6-ONLINECARD: SPA (C1111-ES-8) online in subslot 0/1
%SPA_OIR-6-ONLINECARD: SPA (C1111-LTE) online in subslot 0/2
Guest Shell
Bash
app-hosting appid guestshell
vnic management guest-interface 0
end
guestshell enable
guestshell run bash
Disabling Unnecessary Services
no ip bootp server
no ip source-route
no service pad
Rmmon
boot system flash:/c1100-universalk9_ias.17.03.02.SPA.bin
Rmmon - Ignore startup config
confreg 0x2142
rset
Troubleshoot
Errors / Fails / Problems / Issues
*May 25 23:32:31.037: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) failed
*May 25 23:32:31.038: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/router-confg) failed
Below will solve the above error
enable
config t
no service config
A wierd bug with menu and https enable, but don't worry - I got you covered ;-)
Resources
- https://protocoholic.com/2018/05/29/configuring-cisco-c1111-4pltea-router-for-4g-3g-cellular-communication/
- https://ciscotips.wordpress.com/
- https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/Baseline_Security/securebasebook/appendxA.html
- https://www.ccna6rs.com/10-4-4-lab-build-a-switch-and-router-network-answers/
- https://ciscorouterreview.weebly.com/how-to-setup-cisco-router-auxiliary-console-and-telnet-passwords.html
- https://blog.router-switch.com/2012/01/how-to-recover-password-on-cisco-routerswitch/