本教程大部分内容来自 github 上 drcom-generic 开源项目,以及网络上各大牛的帖子与文章,大牛众多且出名,就不一一感谢与强调其版权。只进行了测试与整理以及部分错误的修正针对小白更友好一点,由阅读者实操所产生的一切后果,一概不负责。仅供学习与交流,请勿用于商业用途!
- 在根据本教程进行实际操作时,如因您操作失误导致出现的一切意外,包括但不限于路由器变砖、故障、数据丢失等情况,概不负责;
- 该技术仅供学习交流,请勿将此技术应用于任何商业行为,所产生的法律责任由您自行承担;
- 部分学校明令禁止使用路由器上网。本教程仅用于交流使用,安装路由器的行为完全是您个人意志所决定的,如您已成功安装,请在 24 小时内重置路由器至原出产状态;
- 请按照学校推荐的方式连接到互联网,如因个人问题受到相关校规追责,由您自行承担。
先刷入不死鸟控制台,再通过不死鸟控制台刷入固件,避免因操作失误造成路由器变砖
以极路由1S HC5661A
为例,在您购买满14天后,请先登录极路由器后台,然后依次开通、安装开发者插件
其他路由器可查看其他教程获取root权限。
Breed是一个路由器的Bootloader(Bootloader 意为引导加载器,即为用于加载操作系统的程序。它是一大类此类功能程序的统称。现在的 BIOS、UEFI、GRUB、RedBoot、U-Boot、CFE等都是 Bootloader),装它的目的是为了下一步刷入固件(ROM)。以极路由1S HC5661A
为例,不同型号下载不同的Breed,请务必对号入座,下载breed-mt7628-hiwifi-hc5661a.bin
使用WinSCP登入你的路由器后台,其中:
主机名:你的后台管理地址(比如192.168.1或者192.168.1.199)
账号:root
密码 :你的后台管理密码
端口:1022或者22(自行测试)
模式:SCP
登陆成功后进入/tmp目录
,将刚才下载的breed-mt7628-hiwifi-hc5661a.bin上传到这个目录
使用putty64登入你的路由器后台,主机名、账号、密码、端口均与上述相同,登入成功后键入以下命令
mtd -r write /tmp/breed-mt7628-hiwifi-hc5661a.bin u-boot
显示rebooting后等待路由重启完成,不死uboot就完成了刷入了。(注意,为了确定百分百刷入成功,建议此时什么都不要动,等待5分钟后再进行其他操作)
为了保险起见,首先进行固件备份,以备不时之需。严重强烈建议极路由用户刷Breed后,第一次进入后台就备份一次,这样以后想要重新刷回官方系统时原有功能不会受到影响,仍然能够访问云平台。
现在正是开始刷入OpenWrt固件,依次点击固件更新→勾选固件→点击选择文件,选择我们刚刚下载的openwrt-18.06.2-ramips-mt76x8-hc5661a-squashfs-sysupgrade.bin,然后耐心等待固件刷入完成。
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-4a9SJQNp-1638352440059)(https://raw.githubusercontent.com/Editblog/PicGo/main/img/20211201175342.png)]
[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-kWceV26l-1638352440060)(https://raw.githubusercontent.com/Editblog/PicGo/main/img/20211201175350.png)]
安装完成后会自动重启,这时可以不断刷新浏览器,直到管理界面显示出来,如果没有显示,建议稍后使用192.168.1.1访问管理页面。
账号:root
密码:默认为admin
打开学校的客户端,右上角可以看见ver5.2.0(D)
1、 先断开网络,注销并关闭drcom客户端。
2、 打开wireshark,选中你联网用的那个连接。双击开始抓包!如图所示:
软件会进入如下界面
现在打开drcom客户端,拨号连接并在线保持1分钟左右,然后注销,完全关闭drcom后,选择wireshark的停止抓包
选择File-save 选择保存路径,并重命名该文件为dr.pcapng (拓展名为.pcang)
完成抓包
1.此处提供 drcom_p_config.py 与 latest-wired.py的代码
# -*- coding: utf-8 -*-
from binascii import hexlify
import re
def hexed(s):
ret = ''
for i in s:
ret += '\\x' + hex(ord(i))[2:].rjust(2, '0')
return ret
filename = 'dr.pcapng'
f = open(filename, 'rb')
text = f.read()
offset = re.search('\xF0\x00\xF0\x00[\x00-\xFF]{4}[\x03\x07]\x01', text).start() + 8
#print hexlify(text[offset:offset+330])
#print hexlify(text[offset:offset+338])
# print text[offset+334:offset+338].encode('hex')
if re.match('\x00\x00[\x00-\xFF]{2}', text[offset+334:offset+338]):
ror_version = True
else :
ror_version = False
# print ror_version
username_len = ord(text[offset+3]) - 20
username = text[offset+20:offset+20+username_len]
print 'server = \'%s\'' % '.'.join([str(ord(i)) for i in text[offset-12:offset-8]])
print 'username=\'%s\'' % username
print 'password=\'\''
print 'CONTROLCHECKSTATUS = \'%s\'' % hexed(text[offset+56])
print 'ADAPTERNUM = \'%s\'' % hexed(text[offset+57])
print 'host_ip = \'%s\'' % '.'.join(map(lambda x: str(ord(x)), text[offset+81:offset+85]))
print 'IPDOG = \'%s\'' % hexed(text[offset+105])
print 'host_name = \'%s\'' % 'GILIGILIEYE'
print 'PRIMARY_DNS = \'%s\'' % '.'.join(map(lambda x: str(ord(x)), text[offset+142:offset+146]))
print 'dhcp_server = \'%s\'' % '.'.join(map(lambda x: str(ord(x)), text[offset+146:offset+150]))
print 'AUTH_VERSION = \'%s\'' % hexed(text[offset+310:offset+312])
if ror_version:
print 'mac = 0x%s' % hexlify(text[offset+328:offset+334])
else:
print 'mac = 0x%s' % hexlify(text[offset+320:offset+326])
print 'host_os = \'%s\'' % 'NOTE7'
KEEP_ALIVE_VERSION = [i for i in re.findall('\xf0\x00\xf0\x00....\x07.\x5c\x28\x00\x0b\x01(..)', text) if i != '\x0f\x27'][0]
print 'KEEP_ALIVE_VERSION = \'%s\'' % hexed(KEEP_ALIVE_VERSION)
print 'ror_version = %s ' % ror_version
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import socket
import struct
import time
import hashlib
import sys
import os
import random
import traceback
# CONFIG
'''
server = "192.168.100.150"
username = ""
password = ""
host_name = "LIYUANYUAN"
host_os = "8089D"
host_ip = "10.30.22.17"
PRIMARY_DNS = "114.114.114.114"
dhcp_server = "0.0.0.0"
mac = 0xb888e3051680
CONTROLCHECKSTATUS = '\x20'
ADAPTERNUM = '\x01'
KEEP_ALIVE_VERSION = '\xdc\x02'
'''
server = '10.1.1.254'
username='账号'
password='密码'
CONTROLCHECKSTATUS = '\x20'
ADAPTERNUM = '\x07'
host_ip = '172.17.19.107'
IPDOG = '\x01'
host_name = 'GILIGILIEYE'
PRIMARY_DNS = '218.196.40.9'
dhcp_server = '172.17.19.252'
AUTH_VERSION = '\x27\x00'
mac = 0x2cf05db2b380
host_os = 'NOTE7'
KEEP_ALIVE_VERSION = '\xdc\x02'
ror_version = True
'''
AUTH_VERSION:
unsigned char ClientVerInfoAndInternetMode;
unsigned char DogVersion;
'''
AUTH_VERSION = '\x0a\x00'
IPDOG = '\x01'
ror_version = False
# CONFIG_END
keep_alive1_mod = False #If you have trouble at KEEPALIVE1, turn this value to True
nic_name = '' #Indicate your nic, e.g. 'eth0.2'.nic_name
bind_ip = '0.0.0.0'
class ChallengeException (Exception):
def __init__(self):
pass
class LoginException (Exception):
def __init__(self):
pass
def bind_nic():
try:
import fcntl
def get_ip_address(ifname):
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
return socket.inet_ntoa(fcntl.ioctl(
s.fileno(),
0x8915, # SIOCGIFADDR
struct.pack('256s', ifname[:15])
)[20:24])
return get_ip_address(nic_name)
except ImportError as e:
print('Indicate nic feature need to be run under Unix based system.')
return '0.0.0.0'
except IOError as e:
print(nic_name + 'is unacceptable !')
return '0.0.0.0'
finally:
return '0.0.0.0'
if nic_name != '':
bind_ip = bind_nic()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((bind_ip, 61440))
s.settimeout(3)
SALT = ''
IS_TEST = True
# specified fields based on version
CONF = "/etc/drcom.conf"
UNLIMITED_RETRY = True
EXCEPTION = False
DEBUG = False #log saves to file
LOG_PATH = '/var/log/drcom_client.log'
if IS_TEST:
DEBUG = True
LOG_PATH = 'drcom_client.log'
def log(*args, **kwargs):
s = ' '.join(args)
print s
if DEBUG:
with open(LOG_PATH,'a') as f:
f.write(s + '\n')
def challenge(svr,ran):
while True:
t = struct.pack(", int(ran)%(0xFFFF))
s.sendto("\x01\x02"+t+"\x09"+"\x00"*15, (svr, 61440))
try:
data, address = s.recvfrom(1024)
log('[challenge] recv',data.encode('hex'))
except:
log('[challenge] timeout, retrying...')
continue
if address == (svr, 61440):
break
else:
continue
log('[DEBUG] challenge:\n' + data.encode('hex'))
if data[0] != '\x02':
raise ChallengeException
log('[challenge] challenge packet sent.')
return data[4:8]
def md5sum(s):
m = hashlib.md5()
m.update(s)
return m.digest()
def dump(n):
s = '%x' % n
if len(s) & 1:
s = '0' + s
return s.decode('hex')
def ror(md5, pwd):
ret = ''
for i in range(len(pwd)):
x = ord(md5[i]) ^ ord(pwd[i])
ret += chr(((x<<3)&0xFF) + (x>>5))
return ret
def gen_crc(data, encrypt_type):
DRCOM_DIAL_EXT_PROTO_CRC_INIT = 20000711
ret = ''
if encrypt_type == 0:
# 加密方式无
return struct.pack(',DRCOM_DIAL_EXT_PROTO_CRC_INIT) + struct.pack(',126)
elif encrypt_type == 1:
# 加密方式为 md5
foo = hashlib.md5(data).digest()
ret += foo[2]
ret += foo[3]
ret += foo[8]
ret += foo[9]
ret += foo[5]
ret += foo[6]
ret += foo[13]
ret += foo[14]
return ret
elif encrypt_type == 2:
# md4
foo = hashlib.new('md4', data).digest()
ret += foo[1]
ret += foo[2]
ret += foo[8]
ret += foo[9]
ret += foo[4]
ret += foo[5]
ret += foo[11]
ret += foo[12]
return ret
elif encrypt_type == 3:
# sha1
foo = hashlib.sha1(data).digest()
ret += foo[2]
ret += foo[3]
ret += foo[9]
ret += foo[10]
ret += foo[5]
ret += foo[6]
ret += foo[15]
ret += foo[16]
return ret
def keep_alive_package_builder(number,random,tail,type=1,first=False):
data = '\x07'+ chr(number) + '\x28\x00\x0b' + chr(type)
if first :
data += '\x0f\x27'
else:
data += KEEP_ALIVE_VERSION
data += '\x2f\x12' + '\x00' * 6
data += tail
data += '\x00' * 4
#data += struct.pack("!H",0xdc02)
if type == 3:
foo = ''.join([chr(int(i)) for i in host_ip.split('.')]) # host_ip
#CRC
# edited on 2014/5/12, filled zeros to checksum
# crc = packet_CRC(data+foo)
crc = '\x00' * 4
#data += struct.pack("!I",crc) + foo + '\x00' * 8
data += crc + foo + '\x00' * 8
else: #packet type = 1
data += '\x00' * 16
return data
# def packet_CRC(s):
# ret = 0
# for i in re.findall('..', s):
# ret ^= struct.unpack('>h', i)[0]
# ret &= 0xFFFF
# ret = ret * 0x2c7
# return ret
def keep_alive2(*args):
#first keep_alive:
#number = number (mod 7)
#status = 1: first packet user sended
# 2: first packet user recieved
# 3: 2nd packet user sended
# 4: 2nd packet user recieved
# Codes for test
tail = ''
packet = ''
svr = server
ran = random.randint(0,0xFFFF)
ran += random.randint(1,10)
# 2014/10/15 add by latyas, maybe svr sends back a file packet
svr_num = 0
packet = keep_alive_package_builder(svr_num,dump(ran),'\x00'*4,1,True)
while True:
log('[keep-alive2] send1',packet.encode('hex'))
s.sendto(packet, (svr, 61440))
data, address = s.recvfrom(1024)
log('[keep-alive2] recv1',data.encode('hex'))
if data.startswith('\x07\x00\x28\x00') or data.startswith('\x07' + chr(svr_num) + '\x28\x00'):
break
elif data[0] == '\x07' and data[2] == '\x10':
log('[keep-alive2] recv file, resending..')
svr_num = svr_num + 1
# packet = keep_alive_package_builder(svr_num,dump(ran),'\x00'*4,1, False)
break
else:
log('[keep-alive2] recv1/unexpected',data.encode('hex'))
#log('[keep-alive2] recv1',data.encode('hex'))
ran += random.randint(1,10)
packet = keep_alive_package_builder(svr_num, dump(ran),'\x00'*4,1,False)
log('[keep-alive2] send2',packet.encode('hex'))
s.sendto(packet, (svr, 61440))
while True:
data, address = s.recvfrom(1024)
if data[0] == '\x07':
svr_num = svr_num + 1
break
else:
log('[keep-alive2] recv2/unexpected',data.encode('hex'))
log('[keep-alive2] recv2',data.encode('hex'))
tail = data[16:20]
ran += random.randint(1,10)
packet = keep_alive_package_builder(svr_num,dump(ran),tail,3,False)
log('[keep-alive2] send3',packet.encode('hex'))
s.sendto(packet, (svr, 61440))
while True:
data, address = s.recvfrom(1024)
if data[0] == '\x07':
svr_num = svr_num + 1
break
else:
log('[keep-alive2] recv3/unexpected',data.encode('hex'))
log('[keep-alive2] recv3',data.encode('hex'))
tail = data[16:20]
log("[keep-alive2] keep-alive2 loop was in daemon.")
i = svr_num
while True:
try:
time.sleep(20)
keep_alive1(*args)
ran += random.randint(1,10)
packet = keep_alive_package_builder(i,dump(ran),tail,1,False)
#log('DEBUG: keep_alive2,packet 4\n',packet.encode('hex'))
log('[keep_alive2] send',str(i),packet.encode('hex'))
s.sendto(packet, (svr, 61440))
data, address = s.recvfrom(1024)
log('[keep_alive2] recv',data.encode('hex'))
tail = data[16:20]
#log('DEBUG: keep_alive2,packet 4 return\n',data.encode('hex'))
ran += random.randint(1,10)
packet = keep_alive_package_builder(i+1,dump(ran),tail,3,False)
#log('DEBUG: keep_alive2,packet 5\n',packet.encode('hex'))
s.sendto(packet, (svr, 61440))
log('[keep_alive2] send',str(i+1),packet.encode('hex'))
data, address = s.recvfrom(1024)
log('[keep_alive2] recv',data.encode('hex'))
tail = data[16:20]
#log('DEBUG: keep_alive2,packet 5 return\n',data.encode('hex'))
i = (i+2) % 0xFF
except:
break
def checksum(s):
ret = 1234
x = 0
for i in [x*4 for x in range(0, -(-len(s)//4))]:
ret ^= int(s[i:i+4].ljust(4, '\x00')[::-1].encode('hex'), 16)
ret = (1968 * ret) & 0xffffffff
return struct.pack(', ret)
def mkpkt(salt, usr, pwd, mac):
'''
struct _tagLoginPacket
{
struct _tagDrCOMHeader Header;
unsigned char PasswordMd5[MD5_LEN];
char Account[ACCOUNT_MAX_LEN];
unsigned char ControlCheckStatus;
unsigned char AdapterNum;
unsigned char MacAddrXORPasswordMD5[MAC_LEN];
unsigned char PasswordMd5_2[MD5_LEN];
unsigned char HostIpNum;
unsigned int HostIPList[HOST_MAX_IP_NUM];
unsigned char HalfMD5[8];
unsigned char DogFlag;
unsigned int unkown2;
struct _tagHostInfo HostInfo;
unsigned char ClientVerInfoAndInternetMode;
unsigned char DogVersion;
};
'''
data = '\x03\x01\x00' + chr(len(usr) + 20)
data += md5sum('\x03\x01' + salt + pwd)
data += usr.ljust(36, '\x00')
data += CONTROLCHECKSTATUS
data += ADAPTERNUM
data += dump(int(data[4:10].encode('hex'),16)^mac).rjust(6, '\x00') #mac xor md51
data += md5sum("\x01" + pwd + salt + '\x00' * 4) #md52
data += '\x01' # number of ip
data += ''.join([chr(int(i)) for i in host_ip.split('.')]) #x.x.x.x ->
data += '\00' * 4 #your ipaddress 2
data += '\00' * 4 #your ipaddress 3
data += '\00' * 4 #your ipaddress 4
data += md5sum(data + '\x14\x00\x07\x0B')[:8] #md53
data += IPDOG
data += '\x00'*4 # unknown2
'''
struct _tagOSVERSIONINFO
{
unsigned int OSVersionInfoSize;
unsigned int MajorVersion;
unsigned int MinorVersion;
unsigned int BuildNumber;
unsigned int PlatformID;
char ServicePack[128];
};
struct _tagHostInfo
{
char HostName[HOST_NAME_MAX_LEN];
unsigned int DNSIP1;
unsigned int DHCPServerIP;
unsigned int DNSIP2;
unsigned int WINSIP1;
unsigned int WINSIP2;
struct _tagDrCOM_OSVERSIONINFO OSVersion;
};
'''
data += host_name.ljust(32, '\x00') # _tagHostInfo.HostName
data += ''.join([chr(int(i)) for i in PRIMARY_DNS.split('.')]) # _tagHostInfo.DNSIP1
data += ''.join([chr(int(i)) for i in dhcp_server.split('.')]) # _tagHostInfo.DHCPServerIP
data += '\x00\x00\x00\x00' # _tagHostInfo.DNSIP2
data += '\x00' * 4 # _tagHostInfo.WINSIP1
data += '\x00' * 4 # _tagHostInfo.WINSIP2
data += '\x94\x00\x00\x00' # _tagHostInfo.OSVersion.OSVersionInfoSize
data += '\x05\x00\x00\x00' # _tagHostInfo.OSVersion.MajorVersion
data += '\x01\x00\x00\x00' # _tagHostInfo.OSVersion.MinorVersion
data += '\x28\x0A\x00\x00' # _tagHostInfo.OSVersion.BuildNumber
data += '\x02\x00\x00\x00' # _tagHostInfo.OSVersion.PlatformID
# _tagHostInfo.OSVersion.ServicePack
data += host_os.ljust(32, '\x00')
data += '\x00' * 96
# END OF _tagHostInfo
data += AUTH_VERSION
if ror_version:
'''
struct _tagLDAPAuth
{
unsigned char Code;
unsigned char PasswordLen;
unsigned char Password[MD5_LEN];
};
'''
data += '\x00' # _tagLDAPAuth.Code
data += chr(len(pwd)) # _tagLDAPAuth.PasswordLen
data += ror(md5sum('\x03\x01' + salt + pwd), pwd) # _tagLDAPAuth.Password
'''
struct _tagDrcomAuthExtData
{
unsigned char Code;
unsigned char Len;
unsigned long CRC;
unsigned short Option;
unsigned char AdapterAddress[MAC_LEN];
};
'''
data += '\x02' # _tagDrcomAuthExtData.Code
data += '\x0C' # _tagDrcomAuthExtData.Len
data += checksum(data + '\x01\x26\x07\x11\x00\x00' + dump(mac)) # _tagDrcomAuthExtData.CRC
data += '\x00\x00' # _tagDrcomAuthExtData.Option
data += dump(mac) # _tagDrcomAuthExtData.AdapterAddress
# END OF _tagDrcomAuthExtData
if ror_version:
data += '\x00' * (8 - len(pwd))
if len(pwd)%2:
data += '\x00'
else:
data += '\x00' # auto logout / default: False
data += '\x00' # broadcast mode / default : False
data += '\xE9\x13' #unknown, filled numbers randomly =w=
log('[mkpkt]',data.encode('hex'))
return data
def login(usr, pwd, svr):
global SALT
global AUTH_INFO
i = 0
timeoutcount = 0
while True:
salt = challenge(svr,time.time()+random.randint(0xF,0xFF))
SALT = salt
packet = mkpkt(salt, usr, pwd, mac)
log('[login] send',packet.encode('hex'))
s.sendto(packet, (svr, 61440))
log('[login] packet sent.')
try:
data, address = s.recvfrom(1024)
log('[login] recv',data.encode('hex'))
if address == (svr, 61440) :
if data[0] == '\x04':
log('[login] loged in')
AUTH_INFO = data[23:39]
break
else:
log('[login] login failed.')
if IS_TEST:
time.sleep(3)
else:
time.sleep(30)
continue
else:
if i >= 5 and UNLIMITED_RETRY == False :
log('[login] exception occured.')
sys.exit(1)
else:
i += 1
continue
except socket.timeout as e:
print(e)
log('[login] recv timeout.')
timeoutcount += 1
if timeoutcount >= 5:
log('[login] recv timeout exception occured 5 times.')
sys.exit(1)
else:
continue
log('[login] login sent')
#0.8 changed:
return data[23:39]
#return data[-22:-6]
def logout(usr, pwd, svr, mac, auth_info):
salt = challenge(svr, time.time()+random.randint(0xF, 0xFF))
if salt:
data = '\x06\x01\x00' + chr(len(usr) + 20)
data += md5sum('\x03\x01' + salt + pwd)
data += usr.ljust(36, '\x00')
data += CONTROLCHECKSTATUS
data += ADAPTERNUM
data += dump(int(data[4:10].encode('hex'),16)^mac).rjust(6, '\x00')
# data += '\x44\x72\x63\x6F' # Drco
data += auth_info
s.send(data)
data, address = s.recvfrom(1024)
if data[:1] == '\x04':
log('[logout_auth] logouted.')
def keep_alive1(salt,tail,pwd,svr):
if keep_alive1_mod:
res=''
while True:
s.sendto('\x07' + struct.pack('!B',int(time.time())%0xFF) + '\x08\x00\x01\x00\x00\x00', (svr, 61440))
log('[keep_alive1_challenge] keep_alive1_challenge packet sent.')
try:
res, address = s.recvfrom(1024)
log('[keep_alive1_challenge] recv', res.encode('hex'))
except:
log('[keep_alive1_challenge] timeout, retrying...')
continue
if address == (svr, 61440):
if res[0] == '\x07':
break
else:
raise ChallengeException
else:
continue
seed = res[8:12]
# encrypt_type = int(res[5].encode('hex'))
encrypt_type = struct.unpack(', seed)[0] & 3
crc = gen_crc(seed, encrypt_type)
data = '\xFF' + '\x00'*7 + seed + crc + tail + struct.pack('!H', int(time.time())%0xFFFF)
log('[keep_alive1] send', data.encode('hex'))
s.sendto(data, (svr, 61440))
while True:
res, address = s.recvfrom(1024)
if res[0] == '\x07':
break
else:
log('[keep-alive1]recv/not expected', res.encode('hex'))
log('[keep-alive1]recv', res.encode('hex'))
else:
foo = struct.pack('!H',int(time.time())%0xFFFF)
data = '\xff' + md5sum('\x03\x01'+salt+pwd) + '\x00\x00\x00'
data += tail
data += foo + '\x00\x00\x00\x00'
log('[keep_alive1] send',data.encode('hex'))
s.sendto(data, (svr, 61440))
while True:
data, address = s.recvfrom(1024)
if data[0] == '\x07':
break
else:
log('[keep-alive1]recv/not expected',data.encode('hex'))
log('[keep-alive1] recv', data.encode('hex'))
def empty_socket_buffer():
#empty buffer for some fucking schools
log('starting to empty socket buffer')
try:
while True:
data, address = s.recvfrom(1024)
log('recived sth unexpected',data.encode('hex'))
if s == '':
break
except:
# get exception means it has done.
log('exception in empty_socket_buffer')
pass
log('emptyed')
def daemon():
with open('/var/run/jludrcom.pid','w') as f:
f.write(str(os.getpid()))
def main():
if not IS_TEST:
daemon()
execfile(CONF, globals())
log("auth svr: " + server + "\nusername: " + username + "\npassword: " + password + "\nmac: " + str(hex(mac))[:-1])
log("bind ip: " + bind_ip)
while True:
try:
package_tail = login(username, password, server)
except LoginException:
continue
log('package_tail',package_tail.encode('hex'))
#keep_alive1 is fucking bullshit!
empty_socket_buffer()
keep_alive1(SALT,package_tail,password,server)
keep_alive2(SALT,package_tail,password,server)
if __name__ == "__main__":
main()
2.drcom_d_config.py
和 latest-wired.py
和 dr.pcapng
放入同一个文件夹中
3.在文件夹下运行命令python drcom_d_config.py > config.txt
生成config.txt
文件
4.用Notepad++打开config.txt
(为避免不必要的麻烦,以下操作所有的文件全部用它)得到的内容是类似这样的:
server = "192.168.100.150"
username = ""
password = ""
host_name = "LIYUANYUAN"
host_os = "8089D"
host_ip = "10.30.22.17"
PRIMARY_DNS = "114.114.114.114"
dhcp_server = "0.0.0.0"
mac = 0xb888e3051680
CONTROLCHECKSTATUS = '\x20'
ADAPTERNUM = '\x01'
KEEP_ALIVE_VERSION = '\xdc\x02'
5.全选复制config.txt
的所有内容,关闭,并把config.txt
重命名为drcom.conf
(不要忘记填写账号和密码)
6.测试是否可以使用,运行命令行python latest-wired.py
,看看能不能上网。可以的话,就说明抓包没错。
1.进入路由器管理后台,搜索dogcom,将两个插件安装
2.在网络里面会出现dogcom选项,将步骤四中解析到的drcom.conf
的内容拷贝到配置文件里面,点击 保存应用,此时手机与电脑连接WiFi就不需要进行登陆认证