免责声明

本教程大部分内容来自 github 上 drcom-generic 开源项目,以及网络上各大牛的帖子与文章,大牛众多且出名,就不一一感谢与强调其版权。只进行了测试与整理以及部分错误的修正针对小白更友好一点,由阅读者实操所产生的一切后果,一概不负责。仅供学习与交流,请勿用于商业用途!

  1. 在根据本教程进行实际操作时,如因您操作失误导致出现的一切意外,包括但不限于路由器变砖、故障、数据丢失等情况,概不负责;
  2. 该技术仅供学习交流,请勿将此技术应用于任何商业行为,所产生的法律责任由您自行承担;
  3. 部分学校明令禁止使用路由器上网。本教程仅用于交流使用,安装路由器的行为完全是您个人意志所决定的,如您已成功安装,请在 24 小时内重置路由器至原出产状态;
  4. 请按照学校推荐的方式连接到互联网,如因个人问题受到相关校规追责,由您自行承担。

环境准备

  • python2.7(调试用到)
  • wireshark(抓包工具)
  • notepad++(修改代码用到)
  • 一款支持刷入第三方系统(openwrt)的路由器
  • 该路由器已联网并获得开发者(root)权限
  • 一根网线
  • 下载软件WinSCP
  • 下载软件putty,32位操作系统请下载putty32,64位系统请下载putty64

一、刷入固件

先刷入不死鸟控制台,再通过不死鸟控制台刷入固件,避免因操作失误造成路由器变砖

获取路由器root权限

极路由1S HC5661A为例,在您购买满14天后,请先登录极路由器后台,然后依次开通、安装开发者插件

  • 开通开发者模式:“云插件”>“路由器信息”>“高级设置”>“开通”
  • 安装开发者插件:“云插件”>“全部插件”>“开发者模式”>”确定”

其他路由器可查看其他教程获取root权限。

刷入不死Breed

下载Breed

Breed是一个路由器的Bootloader(Bootloader 意为引导加载器,即为用于加载操作系统的程序。它是一大类此类功能程序的统称。现在的 BIOS、UEFI、GRUB、RedBoot、U-Boot、CFE等都是 Bootloader),装它的目的是为了下一步刷入固件(ROM)。以极路由1S HC5661A为例,不同型号下载不同的Breed,请务必对号入座,下载breed-mt7628-hiwifi-hc5661a.bin

上传到指定目录

使用WinSCP登入你的路由器后台,其中:

主机名:你的后台管理地址(比如192.168.1或者192.168.1.199)

账号:root

密码 :你的后台管理密码

端口:1022或者22(自行测试)

模式:SCP

登陆成功后进入/tmp目录,将刚才下载的breed-mt7628-hiwifi-hc5661a.bin上传到这个目录

刷入Breed

使用putty64登入你的路由器后台,主机名、账号、密码、端口均与上述相同,登入成功后键入以下命令

mtd -r write /tmp/breed-mt7628-hiwifi-hc5661a.bin u-boot

显示rebooting后等待路由重启完成,不死uboot就完成了刷入了。(注意,为了确定百分百刷入成功,建议此时什么都不要动,等待5分钟后再进行其他操作)

请严格按照先后顺序操作

  1. 用网线让路由器的LAN口与电脑的网口相连接;
  2. PC设置为自动获取IP(一般默认自动获取IP);
  3. 路由器断电(就是拔插头);
  4. 首先按住reset不放!,确保没有松开reset键后,然后,插入路由器电源;
  5. 保持按住reset 3-4秒左右,路由器灯开始一闪一闪的时候,松开reset;
  6. PC网卡获取到192.168.1.x的地址 (如未获取到手工设置),一般是192.168.1.1 ;
  7. 浏览器访问 192.168.1.1,接着你就会看到一个uboot控制台的界面。

为了保险起见,首先进行固件备份,以备不时之需。严重强烈建议极路由用户刷Breed后,第一次进入后台就备份一次,这样以后想要重新刷回官方系统时原有功能不会受到影响,仍然能够访问云平台。

现在正是开始刷入OpenWrt固件,依次点击固件更新→勾选固件→点击选择文件,选择我们刚刚下载的openwrt-18.06.2-ramips-mt76x8-hc5661a-squashfs-sysupgrade.bin,然后耐心等待固件刷入完成。

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-4a9SJQNp-1638352440059)(https://raw.githubusercontent.com/Editblog/PicGo/main/img/20211201175342.png)]

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-kWceV26l-1638352440060)(https://raw.githubusercontent.com/Editblog/PicGo/main/img/20211201175350.png)]

安装完成后会自动重启,这时可以不断刷新浏览器,直到管理界面显示出来,如果没有显示,建议稍后使用192.168.1.1访问管理页面。

账号:root

密码:默认为admin

二、确定所使用客户端版本

打开学校的客户端,右上角可以看见ver5.2.0(D)

三、网络抓包

1、 先断开网络,注销并关闭drcom客户端。

2、 打开wireshark,选中你联网用的那个连接。双击开始抓包!如图所示:

软件会进入如下界面

现在打开drcom客户端,拨号连接并在线保持1分钟左右,然后注销,完全关闭drcom后,选择wireshark的停止抓包

选择File-save 选择保存路径,并重命名该文件为dr.pcapng (拓展名为.pcang)

完成抓包

四、解析数据

1.此处提供 drcom_p_config.py 与 latest-wired.py的代码

drcom_p_config.py

# -*- coding: utf-8 -*-
from binascii import hexlify
import redef hexed(s):ret = ''for i in s:ret += '\\x' + hex(ord(i))[2:].rjust(2, '0')return retfilename = 'dr.pcapng'
f = open(filename, 'rb')
text = f.read()
offset = re.search('\xF0\x00\xF0\x00[\x00-\xFF]{4}[\x03\x07]\x01', text).start() + 8
#print hexlify(text[offset:offset+330])
#print hexlify(text[offset:offset+338])
# print text[offset+334:offset+338].encode('hex')
if re.match('\x00\x00[\x00-\xFF]{2}', text[offset+334:offset+338]):ror_version = True
else :ror_version = False
# print ror_version
username_len = ord(text[offset+3]) - 20
username = text[offset+20:offset+20+username_len]
print 'server = \'%s\'' % '.'.join([str(ord(i)) for i in text[offset-12:offset-8]])
print 'username=\'%s\'' % username
print 'password=\'\''
print 'CONTROLCHECKSTATUS = \'%s\'' % hexed(text[offset+56])
print 'ADAPTERNUM = \'%s\'' % hexed(text[offset+57])
print 'host_ip = \'%s\'' % '.'.join(map(lambda x: str(ord(x)), text[offset+81:offset+85]))
print 'IPDOG = \'%s\'' % hexed(text[offset+105])
print 'host_name = \'%s\'' % 'GILIGILIEYE'
print 'PRIMARY_DNS = \'%s\'' % '.'.join(map(lambda x: str(ord(x)), text[offset+142:offset+146]))
print 'dhcp_server = \'%s\'' % '.'.join(map(lambda x: str(ord(x)), text[offset+146:offset+150]))
print 'AUTH_VERSION = \'%s\'' % hexed(text[offset+310:offset+312])
if ror_version:print 'mac = 0x%s' % hexlify(text[offset+328:offset+334])
else:print 'mac = 0x%s' % hexlify(text[offset+320:offset+326])
print 'host_os = \'%s\'' % 'NOTE7'KEEP_ALIVE_VERSION = [i for i in re.findall('\xf0\x00\xf0\x00....\x07.\x5c\x28\x00\x0b\x01(..)', text) if i != '\x0f\x27'][0]
print 'KEEP_ALIVE_VERSION = \'%s\'' % hexed(KEEP_ALIVE_VERSION)
print 'ror_version = %s ' % ror_version

latest-wired.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-import socket
import struct
import time
import hashlib
import sys
import os
import random
import traceback# CONFIG
'''
server = "192.168.100.150"
username = ""
password = ""
host_name = "LIYUANYUAN"
host_os = "8089D"
host_ip = "10.30.22.17"
PRIMARY_DNS = "114.114.114.114"
dhcp_server = "0.0.0.0"
mac = 0xb888e3051680
CONTROLCHECKSTATUS = '\x20'
ADAPTERNUM = '\x01'
KEEP_ALIVE_VERSION = '\xdc\x02'
'''
server = '10.1.1.254'
username='账号'
password='密码'
CONTROLCHECKSTATUS = '\x20'
ADAPTERNUM = '\x07'
host_ip = '172.17.19.107'
IPDOG = '\x01'
host_name = 'GILIGILIEYE'
PRIMARY_DNS = '218.196.40.9'
dhcp_server = '172.17.19.252'
AUTH_VERSION = '\x27\x00'
mac = 0x2cf05db2b380
host_os = 'NOTE7'
KEEP_ALIVE_VERSION = '\xdc\x02'
ror_version = True '''
AUTH_VERSION:unsigned char ClientVerInfoAndInternetMode;unsigned char DogVersion;
'''
AUTH_VERSION = '\x0a\x00'
IPDOG = '\x01'
ror_version = False
# CONFIG_ENDkeep_alive1_mod = False #If you have trouble at KEEPALIVE1, turn this value to True
nic_name = '' #Indicate your nic, e.g. 'eth0.2'.nic_name
bind_ip = '0.0.0.0'class ChallengeException (Exception):def __init__(self):passclass LoginException (Exception):def __init__(self):passdef bind_nic():try:import fcntldef get_ip_address(ifname):s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)return socket.inet_ntoa(fcntl.ioctl(s.fileno(),0x8915,  # SIOCGIFADDRstruct.pack('256s', ifname[:15]))[20:24])return get_ip_address(nic_name)except ImportError as e:print('Indicate nic feature need to be run under Unix based system.')return '0.0.0.0'except IOError as e:print(nic_name + 'is unacceptable !')return '0.0.0.0'finally:return '0.0.0.0'if nic_name != '':bind_ip = bind_nic()s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((bind_ip, 61440))s.settimeout(3)
SALT = ''
IS_TEST = True
# specified fields based on version
CONF = "/etc/drcom.conf"
UNLIMITED_RETRY = True
EXCEPTION = False
DEBUG = False #log saves to file
LOG_PATH = '/var/log/drcom_client.log'
if IS_TEST:DEBUG = TrueLOG_PATH = 'drcom_client.log'def log(*args, **kwargs):s = ' '.join(args)print sif DEBUG:with open(LOG_PATH,'a') as f:f.write(s + '\n')def challenge(svr,ran):while True:t = struct.pack("<H", int(ran)%(0xFFFF))s.sendto("\x01\x02"+t+"\x09"+"\x00"*15, (svr, 61440))try:data, address = s.recvfrom(1024)log('[challenge] recv',data.encode('hex'))except:log('[challenge] timeout, retrying...')continueif address == (svr, 61440):breakelse:continuelog('[DEBUG] challenge:\n' + data.encode('hex'))if data[0] != '\x02':raise ChallengeExceptionlog('[challenge] challenge packet sent.')return data[4:8]def md5sum(s):m = hashlib.md5()m.update(s)return m.digest()def dump(n):s = '%x' % nif len(s) & 1:s = '0' + sreturn s.decode('hex')def ror(md5, pwd):ret = ''for i in range(len(pwd)):x = ord(md5[i]) ^ ord(pwd[i])ret += chr(((x<<3)&0xFF) + (x>>5))return retdef gen_crc(data, encrypt_type):DRCOM_DIAL_EXT_PROTO_CRC_INIT = 20000711ret = ''if encrypt_type == 0:# 加密方式无return struct.pack('<I',DRCOM_DIAL_EXT_PROTO_CRC_INIT) + struct.pack('<I',126)elif encrypt_type == 1:# 加密方式为 md5foo = hashlib.md5(data).digest()ret += foo[2]ret += foo[3]ret += foo[8]ret += foo[9]ret += foo[5]ret += foo[6]ret += foo[13]ret += foo[14]return retelif encrypt_type == 2:# md4foo = hashlib.new('md4', data).digest()ret += foo[1]ret += foo[2]ret += foo[8]ret += foo[9]ret += foo[4]ret += foo[5]ret += foo[11]ret += foo[12]return retelif encrypt_type == 3:# sha1foo = hashlib.sha1(data).digest()ret += foo[2]ret += foo[3]ret += foo[9]ret += foo[10]ret += foo[5]ret += foo[6]ret += foo[15]ret += foo[16]return retdef keep_alive_package_builder(number,random,tail,type=1,first=False):data = '\x07'+ chr(number) + '\x28\x00\x0b' + chr(type)if first :data += '\x0f\x27'else:data += KEEP_ALIVE_VERSIONdata += '\x2f\x12' + '\x00' * 6data += taildata += '\x00' * 4#data += struct.pack("!H",0xdc02)if type == 3:foo = ''.join([chr(int(i)) for i in host_ip.split('.')]) # host_ip#CRC# edited on 2014/5/12, filled zeros to checksum# crc = packet_CRC(data+foo)crc = '\x00' * 4#data += struct.pack("!I",crc) + foo + '\x00' * 8data += crc + foo + '\x00' * 8else: #packet type = 1data += '\x00' * 16return data# def packet_CRC(s):
#     ret = 0
#     for i in re.findall('..', s):
#         ret ^= struct.unpack('>h', i)[0]
#         ret &= 0xFFFF
#     ret = ret * 0x2c7
#     return retdef keep_alive2(*args):#first keep_alive:#number = number (mod 7)#status = 1: first packet user sended#         2: first packet user recieved#         3: 2nd packet user sended#         4: 2nd packet user recieved#   Codes for testtail = ''packet = ''svr = serverran = random.randint(0,0xFFFF)ran += random.randint(1,10)   # 2014/10/15 add by latyas, maybe svr sends back a file packetsvr_num = 0packet = keep_alive_package_builder(svr_num,dump(ran),'\x00'*4,1,True)while True:log('[keep-alive2] send1',packet.encode('hex'))s.sendto(packet, (svr, 61440))data, address = s.recvfrom(1024)log('[keep-alive2] recv1',data.encode('hex'))if data.startswith('\x07\x00\x28\x00') or data.startswith('\x07' + chr(svr_num)  + '\x28\x00'):breakelif data[0] == '\x07' and data[2] == '\x10':log('[keep-alive2] recv file, resending..')svr_num = svr_num + 1# packet = keep_alive_package_builder(svr_num,dump(ran),'\x00'*4,1, False)breakelse:log('[keep-alive2] recv1/unexpected',data.encode('hex'))#log('[keep-alive2] recv1',data.encode('hex'))ran += random.randint(1,10)   packet = keep_alive_package_builder(svr_num, dump(ran),'\x00'*4,1,False)log('[keep-alive2] send2',packet.encode('hex'))s.sendto(packet, (svr, 61440))while True:data, address = s.recvfrom(1024)if data[0] == '\x07':svr_num = svr_num + 1breakelse:log('[keep-alive2] recv2/unexpected',data.encode('hex'))log('[keep-alive2] recv2',data.encode('hex'))tail = data[16:20]ran += random.randint(1,10)   packet = keep_alive_package_builder(svr_num,dump(ran),tail,3,False)log('[keep-alive2] send3',packet.encode('hex'))s.sendto(packet, (svr, 61440))while True:data, address = s.recvfrom(1024)if data[0] == '\x07':svr_num = svr_num + 1breakelse:log('[keep-alive2] recv3/unexpected',data.encode('hex'))log('[keep-alive2] recv3',data.encode('hex'))tail = data[16:20]log("[keep-alive2] keep-alive2 loop was in daemon.")i = svr_numwhile True:try:time.sleep(20)keep_alive1(*args)ran += random.randint(1,10)   packet = keep_alive_package_builder(i,dump(ran),tail,1,False)#log('DEBUG: keep_alive2,packet 4\n',packet.encode('hex'))log('[keep_alive2] send',str(i),packet.encode('hex'))s.sendto(packet, (svr, 61440))data, address = s.recvfrom(1024)log('[keep_alive2] recv',data.encode('hex'))tail = data[16:20]#log('DEBUG: keep_alive2,packet 4 return\n',data.encode('hex'))ran += random.randint(1,10)   packet = keep_alive_package_builder(i+1,dump(ran),tail,3,False)#log('DEBUG: keep_alive2,packet 5\n',packet.encode('hex'))s.sendto(packet, (svr, 61440))log('[keep_alive2] send',str(i+1),packet.encode('hex'))data, address = s.recvfrom(1024)log('[keep_alive2] recv',data.encode('hex'))tail = data[16:20]#log('DEBUG: keep_alive2,packet 5 return\n',data.encode('hex'))i = (i+2) % 0xFFexcept:breakdef checksum(s):ret = 1234x = 0for i in [x*4 for x in range(0, -(-len(s)//4))]:ret ^= int(s[i:i+4].ljust(4, '\x00')[::-1].encode('hex'), 16)ret = (1968 * ret) & 0xffffffffreturn struct.pack('<I', ret)def mkpkt(salt, usr, pwd, mac):'''struct  _tagLoginPacket{struct _tagDrCOMHeader Header;unsigned char PasswordMd5[MD5_LEN];char Account[ACCOUNT_MAX_LEN];unsigned char ControlCheckStatus;unsigned char AdapterNum;unsigned char MacAddrXORPasswordMD5[MAC_LEN];unsigned char PasswordMd5_2[MD5_LEN];unsigned char HostIpNum;unsigned int HostIPList[HOST_MAX_IP_NUM];unsigned char HalfMD5[8];unsigned char DogFlag;unsigned int unkown2;struct _tagHostInfo HostInfo;unsigned char ClientVerInfoAndInternetMode;unsigned char DogVersion;};'''data = '\x03\x01\x00' + chr(len(usr) + 20)data += md5sum('\x03\x01' + salt + pwd)data += usr.ljust(36, '\x00')data += CONTROLCHECKSTATUSdata += ADAPTERNUMdata += dump(int(data[4:10].encode('hex'),16)^mac).rjust(6, '\x00') #mac xor md51data += md5sum("\x01" + pwd + salt + '\x00' * 4) #md52data += '\x01' # number of ipdata += ''.join([chr(int(i)) for i in host_ip.split('.')]) #x.x.x.x -> data += '\00' * 4 #your ipaddress 2data += '\00' * 4 #your ipaddress 3data += '\00' * 4 #your ipaddress 4data += md5sum(data + '\x14\x00\x07\x0B')[:8] #md53data += IPDOGdata += '\x00'*4 # unknown2'''struct  _tagOSVERSIONINFO{unsigned int OSVersionInfoSize;unsigned int MajorVersion;unsigned int MinorVersion;unsigned int BuildNumber;unsigned int PlatformID;char ServicePack[128];};struct  _tagHostInfo{char HostName[HOST_NAME_MAX_LEN];unsigned int DNSIP1;unsigned int DHCPServerIP;unsigned int DNSIP2;unsigned int WINSIP1;unsigned int WINSIP2;struct _tagDrCOM_OSVERSIONINFO OSVersion;};'''data += host_name.ljust(32, '\x00') # _tagHostInfo.HostNamedata += ''.join([chr(int(i)) for i in PRIMARY_DNS.split('.')]) # _tagHostInfo.DNSIP1data += ''.join([chr(int(i)) for i in dhcp_server.split('.')]) # _tagHostInfo.DHCPServerIPdata += '\x00\x00\x00\x00' # _tagHostInfo.DNSIP2data += '\x00' * 4 # _tagHostInfo.WINSIP1data += '\x00' * 4 # _tagHostInfo.WINSIP2data += '\x94\x00\x00\x00' # _tagHostInfo.OSVersion.OSVersionInfoSizedata += '\x05\x00\x00\x00' # _tagHostInfo.OSVersion.MajorVersiondata += '\x01\x00\x00\x00' # _tagHostInfo.OSVersion.MinorVersiondata += '\x28\x0A\x00\x00' # _tagHostInfo.OSVersion.BuildNumberdata += '\x02\x00\x00\x00' # _tagHostInfo.OSVersion.PlatformID# _tagHostInfo.OSVersion.ServicePackdata += host_os.ljust(32, '\x00')data += '\x00' * 96# END OF _tagHostInfodata += AUTH_VERSIONif ror_version:'''struct  _tagLDAPAuth{unsigned char Code;unsigned char PasswordLen;unsigned char Password[MD5_LEN];};'''data += '\x00' # _tagLDAPAuth.Codedata += chr(len(pwd)) # _tagLDAPAuth.PasswordLendata += ror(md5sum('\x03\x01' + salt + pwd), pwd) # _tagLDAPAuth.Password'''struct  _tagDrcomAuthExtData{unsigned char Code;unsigned char Len;unsigned long CRC;unsigned short Option;unsigned char AdapterAddress[MAC_LEN];};'''data += '\x02' # _tagDrcomAuthExtData.Codedata += '\x0C' # _tagDrcomAuthExtData.Lendata += checksum(data + '\x01\x26\x07\x11\x00\x00' + dump(mac)) # _tagDrcomAuthExtData.CRCdata += '\x00\x00' # _tagDrcomAuthExtData.Optiondata += dump(mac) # _tagDrcomAuthExtData.AdapterAddress# END OF _tagDrcomAuthExtDataif ror_version:data += '\x00' * (8 - len(pwd))if len(pwd)%2:data += '\x00'else:data += '\x00' # auto logout / default: Falsedata += '\x00' # broadcast mode / default : Falsedata += '\xE9\x13' #unknown, filled numbers randomly =w=log('[mkpkt]',data.encode('hex'))return datadef login(usr, pwd, svr):global SALTglobal AUTH_INFOi = 0timeoutcount = 0while True:salt = challenge(svr,time.time()+random.randint(0xF,0xFF))SALT = saltpacket = mkpkt(salt, usr, pwd, mac)log('[login] send',packet.encode('hex'))s.sendto(packet, (svr, 61440))log('[login] packet sent.')try:data, address = s.recvfrom(1024)log('[login] recv',data.encode('hex'))if address == (svr, 61440) :if data[0] == '\x04':log('[login] loged in')AUTH_INFO = data[23:39]breakelse:log('[login] login failed.')if IS_TEST:time.sleep(3)else:time.sleep(30)continueelse:if i >= 5 and UNLIMITED_RETRY == False :log('[login] exception occured.')sys.exit(1)else:i += 1continueexcept socket.timeout as e:print(e)log('[login] recv timeout.')timeoutcount += 1if timeoutcount >= 5:log('[login] recv timeout exception occured 5 times.')sys.exit(1)else:continuelog('[login] login sent')#0.8 changed:return data[23:39]#return data[-22:-6]def logout(usr, pwd, svr, mac, auth_info):salt = challenge(svr, time.time()+random.randint(0xF, 0xFF))if salt:data = '\x06\x01\x00' + chr(len(usr) + 20)data += md5sum('\x03\x01' + salt + pwd)data += usr.ljust(36, '\x00')data += CONTROLCHECKSTATUSdata += ADAPTERNUMdata += dump(int(data[4:10].encode('hex'),16)^mac).rjust(6, '\x00')# data += '\x44\x72\x63\x6F' # Drcodata += auth_infos.send(data)data, address = s.recvfrom(1024)if data[:1] == '\x04':log('[logout_auth] logouted.')def keep_alive1(salt,tail,pwd,svr):if keep_alive1_mod:res=''while True:s.sendto('\x07' + struct.pack('!B',int(time.time())%0xFF) + '\x08\x00\x01\x00\x00\x00', (svr, 61440))log('[keep_alive1_challenge] keep_alive1_challenge packet sent.')try:res, address = s.recvfrom(1024)log('[keep_alive1_challenge] recv', res.encode('hex'))except:log('[keep_alive1_challenge] timeout, retrying...')continueif address == (svr, 61440):if res[0] == '\x07':breakelse:raise ChallengeExceptionelse:continueseed = res[8:12]# encrypt_type = int(res[5].encode('hex'))encrypt_type = struct.unpack('<I', seed)[0] & 3crc = gen_crc(seed, encrypt_type)data = '\xFF' + '\x00'*7 + seed + crc + tail + struct.pack('!H', int(time.time())%0xFFFF)log('[keep_alive1] send', data.encode('hex'))s.sendto(data, (svr, 61440))while True:res, address = s.recvfrom(1024)if res[0] == '\x07':breakelse:log('[keep-alive1]recv/not expected', res.encode('hex'))log('[keep-alive1]recv', res.encode('hex'))else:foo = struct.pack('!H',int(time.time())%0xFFFF)data = '\xff' + md5sum('\x03\x01'+salt+pwd) + '\x00\x00\x00'data += taildata += foo + '\x00\x00\x00\x00'log('[keep_alive1] send',data.encode('hex'))s.sendto(data, (svr, 61440))while True:data, address = s.recvfrom(1024)if data[0] == '\x07':breakelse:log('[keep-alive1]recv/not expected',data.encode('hex'))log('[keep-alive1] recv', data.encode('hex'))def empty_socket_buffer():
#empty buffer for some fucking schoolslog('starting to empty socket buffer')try:while True:data, address = s.recvfrom(1024)log('recived sth unexpected',data.encode('hex'))if s == '':breakexcept:# get exception means it has done.log('exception in empty_socket_buffer')passlog('emptyed')
def daemon():with open('/var/run/jludrcom.pid','w') as f:f.write(str(os.getpid()))def main():if not IS_TEST:daemon()execfile(CONF, globals())log("auth svr: " + server + "\nusername: " + username + "\npassword: " + password + "\nmac: " + str(hex(mac))[:-1])log("bind ip: " + bind_ip)while True:try:package_tail = login(username, password, server)except LoginException:continuelog('package_tail',package_tail.encode('hex'))#keep_alive1 is fucking bullshit!empty_socket_buffer()keep_alive1(SALT,package_tail,password,server)keep_alive2(SALT,package_tail,password,server)if __name__ == "__main__":main()

2.drcom_d_config.pylatest-wired.pydr.pcapng 放入同一个文件夹中

3.在文件夹下运行命令python drcom_d_config.py > config.txt生成config.txt文件

4.用Notepad++打开config.txt(为避免不必要的麻烦,以下操作所有的文件全部用它)得到的内容是类似这样的:

server = "192.168.100.150"
username = ""
password = ""
host_name = "LIYUANYUAN"
host_os = "8089D"
host_ip = "10.30.22.17"
PRIMARY_DNS = "114.114.114.114"
dhcp_server = "0.0.0.0"
mac = 0xb888e3051680
CONTROLCHECKSTATUS = '\x20'
ADAPTERNUM = '\x01'
KEEP_ALIVE_VERSION = '\xdc\x02'

5.全选复制config.txt的所有内容,关闭,并把config.txt重命名为drcom.conf(不要忘记填写账号和密码)

6.测试是否可以使用,运行命令行python latest-wired.py ,看看能不能上网。可以的话,就说明抓包没错。

五、路由器配置

1.进入路由器管理后台,搜索dogcom,将两个插件安装

2.在网络里面会出现dogcom选项,将步骤四中解析到的drcom.conf的内容拷贝到配置文件里面,点击 保存应用,此时手机与电脑连接WiFi就不需要进行登陆认证

路由器刷机突破校园网限制相关推荐

  1. 路由器刷机常见第三方固件及管理前端种类(OpenWrt、Tomato、DD-Wrt)

    路由器刷机常见第三方固件及管理前端种类(OpenWrt.Tomato.DD-Wrt) 目前路由器折腾刷机,除了采用各品牌的原厂固件外,第三方路由器固件,基本就是:Tomato.DD-WRT.OpenW ...

  2. linux dd 备份uboot,刷机前如何备份uboot、分区、编程器固件?路由器刷机备份命令使用方法...

    为安全着想,刷机前应该备份一下原机uboot 或者最好能备份出完整的编程器固件,以防万一. 可我手上没有ttl,听说可以通过后台来备份各个分区,于是我就试了试,但是遇到不少问题,理解不了,请各位指教. ...

  3. ac2100 反弹shell无法粘贴_手把手带你玩转NAS 篇二十一:小米Redmi AC2100路由器刷机padavan保姆级教程...

    手把手带你玩转NAS 篇二十一:小米Redmi AC2100路由器刷机padavan保姆级教程 2020-05-14 18:49:24 224点赞 1790收藏 241评论 你是AMD Yes党?还是 ...

  4. newifi y1刷PandoraBox+突破校园网上网限制

    路由器刷PandoraBox 一.准备工作 1.设备介绍: 可以刷机的路由器一台:本次刷机是用的newifi y1,它是最近几年出的产品,入手价58元,选择它的原因是价格便宜,当然也可以选择其他品牌和 ...

  5. 路由器刷机后无线模块丢失-竞斗云2.0刷机

    路由器产品: 竞斗云2.0 问题描述: 强制刷写路由器的Flash芯片后,新刷入的路由器固件无线模块异常(管理界面中关于无线的选项消失) 问题分析: 目前不清楚具体原因 猜测是无线的天线问题,经测试法 ...

  6. 斐讯K2路由器刷机问题176版

    京东0元购一直备受大家的青睐,作为穷的叮当的学生党,外加喜欢折腾的精神,很多时候,为了节省成本,我们都会选择京东0元购的斐讯路由器来作为宿舍或者实验室的上网设备,那么,现在的问题是,我们总是不服气原有 ...

  7. ac1900 linksys 恢复_Linksys-AC1900路由器 - 刷机指南

    今天先不写WLAN学习心得了, 写一篇自己试水DD-WRT的帖子. 这个也可以作为串口刷DD-WRT和openwrt镜像的方法. 前两天心血来潮想试试dd-wrt的版本,没成想一不小心把好好的Link ...

  8. 路由器刷机解决学校无线上网问题(小米4A千兆版)

    一.准备工作 1.路由器正常联网状态,(正常联网状态指的是电脑能够通过路由器上网) 2.电脑网线插入路由lan口,IP地址设置为自动获取 3.启动window10的Telent功能 控制面板 -> ...

  9. 斐讯PSG1208 K1 路由器刷机

    硬件方面,处理器和小米Mini的处理器都是MT7620,实测只要是小米Mini路由8M以下的大部分固件都能在k1上通刷.首先输入Bootloader,具体参照:http://www.right.com ...

  10. h3c 路由器 刷第三方固件_图文版*许迎果 第201期 双11路由器型号推荐之刷机路由篇...

    哈喽大家好,我是许迎果. 一年一度的双11大型剁手节马上就要到了,相信有不少小伙伴已经在摩拳擦掌,跃跃欲试,逐渐充实自己的购物车.不过话说回来,从南京到北京,买的没有卖的精,双11的套路也是越来越多, ...

最新文章

  1. linux mysql 更改MySQL数据库目录位置
  2. 常考数据结构与算法:最长回文子串
  3. jcmd,大约JDK 11
  4. Apache配置多个监听端口和访问网站的方法
  5. SpringDataRedis的简单案例使用
  6. tomcat7 1000并发量配置 tomcat7配置优化
  7. elastaticresearch 学习过程
  8. 详解Unity中的刚体和碰撞体组件
  9. 简述冯诺依曼体系结构计算机的工作原理。
  10. 库存管理系统 mysql_access数据库库存管理系统
  11. JAVA 数组降序排列思路
  12. 手把手写深度学习(18):finetune微调CLIP模型的原理、代码、调参技巧
  13. 膨胀卷积的缺点_卷积、反卷积与膨胀卷积
  14. 关于解决win10重装后右键单击一直转圈的问题
  15. DDS信号发生器原理与vivado仿真
  16. text转换成int-1.1
  17. Bootstrap 中的 aria-label 和 aria-labelledby
  18. mysql 时区设定_mysql的时区设置
  19. 卸载 MySql (基于Centos 7)
  20. 有什么软件可以把文字变成语音?声音多点更好了

热门文章

  1. 面试官揭秘世界500强面试题
  2. 邮件营销:邮件标题如何变得更有吸引力
  3. 海王星 :谈中国共享软件的发展
  4. DDcGAN:用于多分辨率图像融合的双判别器生成对抗网络
  5. 160个CrackMe破解思路合集
  6. 史上最著名的电脑病毒
  7. AI(人工智能) TensorFlow 源码下载及编译安装
  8. DirectShow之视频渲染
  9. Android Media Framework(3): Stagefright框架流程解读
  10. 【原版教材•中英对照】密度泛函理论的化学家指南(第二版)— 传统量子力学的化学家们将从这篇得到特别的启发