User Tools

Site Tools


doc:appunti:hardware:alcatel_st_dsl

Alcatel Speed Touch Home (Pro) ADSL Modem (Router)

Web configuration: a PPPoA connection

Basic configuration can be done via a web interface, at this default address: http://10.0.0.138/. The factory password is blank.

Phonebook
Name VPI VCI Type
tiscali_pppoa 8 35 ppp


PPP (add a new entry)
Name tiscali_pppoa
Encap vc-mux
Status on


PPP Configuration
User user@tiscali.it
Password *******
Connection Sharing Everybody
Destination networks All networks
Address translation (NAT-PAT) Yes
Primary DNS 195.130.224.18
Secondary DNS 195.130.225.129
Local IP none
Remote IP none
Mode always-on
LCP echo enabled
PAP disabled
ACCOMP enabled

Command line

Here there is a manual for the Command Line Interface, it is intended for the Speed Touch Pro with Firewall, a more advanced model than the Speed Touch Pro, but most command apply the same.

Here are some examples to set a password, to set some specific NAT rules (port forward) and to set a default NAT server:

=>system setpassword password = MySecret
=>nat list
=>nat create protocol = tcp inside_addr = 192.168.1.2 inside_port = 25 outside_addr = 0 outside_port = 25
=>nat delete protocol = tcp inside_addr = 192.168.1.2 inside_port = 25 outside_addr = 0 outside_port = 25
=>nat defserver
=>nat defserver addr=192.168.1.2
=>nat defserver addr=0

The default NAT server will receive all the packets received by the router on the WAN interface (TCP, UDP, ICMP, etc.).

To be safe, save the new config:

=>config save

The EXPERT mode challenge password

If a password was set, this is the prompt for a telnet session:

$ telnet 10.0.0.138
Trying 10.0.0.138...
Connected to 10.0.0.138.
Escape character is '^]'.
User :
SpeedTouch (00-90-D0-18-5F-7E)
Password :

You can type the password, if you know it, otherwise you can type the EXPERT backdoor password if you have an earlier version of the firmware. With a new firmware the EXPERT password is no longer valid for the telnet session, but it is still valid for the EXPERT command line mode (may be it is still vulnerable on the ATM interface? Read more).

If you want to calculate your challenge/response password goto this page.

Firmware upgrade

Note: I own an Alcatel Speed Touch Home, model number 3EC18604BCAA04. I upgraded from KHDSAA.134 to KHDSAA3.290 firmare. In my experience, uploading a new firmware from the web interface failed with an Invalid file uploaded error message. This with several images, even with the original one. So I definitely prefeer to do upload and download via FTP.

I also tried to upload the firmware GXKLAB3.426 which is reported to be the SpeedTouch Pro Firewall Software. Unfortunatelly the FTP session aborted, may be for the size of the file which is 235 kb larger than the original KHDSAA.134 file.

First of all you have to delete the passive (not used) firmware image to make room for the new image. If no passive software image is present at boot time, the active image is copied as the passive one. Active image is stored into the active subdirectory, passive image is stored into dl instead.

$ telnet 10.0.0.138
=>software deletepassive

Upload the new firmware via FTP, you can log-in as normal user or EXPERT user with challenge password:

$ ftp 10.0.0.138
Connected to 10.0.0.138.
220 Inactivity timer = 120 seconds. Use 'site idle <secs>' to change.
Name (10.0.0.138): admin
230 User 'admin' OK.  No password required.
ftp> cd dl
250 Changed to
ftp> bin
200  TYPE is now 8-bit binary
ftp> put KHDSAA3.290
150 Opening data connection for KHDSAA3.290
226 File written successfully
1007232 bytes sent in 36.62 secs (26.4 kB/s)
ftp> bye

Then we have to set the just uploaded image as passive and finally we switch images:

$ telnet 10.0.0.138
=>software
software]=>setpassive file = KHDSAA3.290
[software]=>version
Active : KHDSAA.134             Passive : KHDSAA3.290
software]=>switch

After the switch command, the Alcatel automatically reboots. khdsaa3_290.tgz

Convert an Home to a Pro

I did this upgrade to use the modem as a router, after this change I was able to set a PPPoA connection, doing NAT and port forward.

The upgrade consists of changing a word (two bytes) into the the EEPROM at address 2. The value for my Speed Touch Home was 0x8604, I changed it into 0x8606.

With firmware 253 or lower

=>EXPERT
========================DISCLAIMER=========================
 Access to expert mode is intended for qualified personnel
 only. Press ENTER to return to user mode.
=====================END=OF=DISCLAIMER=====================

'SpeedTouch (00-90-D0-18-5F-7E)'
Password :

>rip
rip>drv_read 2 1 b
the data in hex is :
8604
rip>drv_write 2 1 b 8606

With newer firmware

=>td prompt

========================DISCLAIMER=========================
 Access to expert mode is intended for qualified personnel
 only. Press ENTER to return to user mode.
=====================END=OF=DISCLAIMER=====================

'SpeedTouch (00-90-D0-18-5F-7E)'
Password : *********


Switched to 'Trace & Debug' prompt.

Return to Normal mode by typing <NORMAL>

>rip
rip>drv_read 2 1 b
the data in hex is :
8604
rip>drv_write 2 1 b 8606

Deep analysis and Recipes

Some sources for Alcatel firmwares

Alcatel "EXPERT" Mode Challenge/Response

doc/appunti/hardware/alcatel_st_dsl.txt · Last modified: 2008/10/23 08:03 by 127.0.0.1