海运的博客

重置系统用默认账号telecomadmin nE7jA%5m 登录，开启telnet http://192.168.1.1:8080/enableTelnet.html
使用设置的telnet账号密码登录，输入;提权到root：

;
sh: syntax error: unexpected ";"
echo $USER
root
qoecmd telnetadmin #获取su密码
qoecmd Register set status 0 result 1 #修改ITMS状态为注册成功

关闭插件启动：

rm -rf /opt/upt/apps/apps && touch /opt/upt/apps/apps && reboot

修改这个文件可以开机启动，要恢复插件启动：

/opt/upt/apps/apps/opt/apps/opmaintain/diagapps/ommonitord

https://www.right.com.cn/forum/thread-8416482-1-1.html
https://www.right.com.cn/forum/thread-8416453-1-1.html
https://www.right.com.cn/forum/thread-8416583-1-1.html

获取管理员密码，如果可以重置系统可使用默认账号CMCCAdmin aDm8H%MdA 登录，使用普通用户登录web，然后打开http://192.168.1.1/cgi-bin/telnetenable.cgi?telnetenable=1&key=xxxxx ，xxxxx替换为去分隔符的大写mac地址，然后登录telnet：

admin
Fh@xxxxxx  #密码 Fh@加上mac后6位

然后获取超管:

cfg_cmd get InternetGatewayDevice.DeviceInfo.X_CMCC_TeleComAccount.Username
cfg_cmd get InternetGatewayDevice.DeviceInfo.X_CMCC_TeleComAccount.Password

开启root用户登录，以管理账户登录后打开http://192.168.1.1/cgi-bin/FactoryInfoCheck.cgi 抽检模式，root账号默认密码hg2x0

一些设置：

cfg_cmd set InternetGatewayDevice.X_CMCC_UserInfo.RegMode 1 #loid认证
cfg_cmd set InternetGatewayDevice.ManagementServer.PeriodicInformEnable 0 #关闭RMS的上报
cfg_cmd set InternetGatewayDevice.ManagementServer.URL http://127.0.0.1/ #修改RMS认证地址
#查看所有参数
cfg_cmd showvalue InternetGatewayDevice. 1
#更改地区
load_cli factory
set factorymode enable
load preconfig Temp #可手工删除tr069，关闭RMS
set factorymode disable

以工厂模式启动，开机会启动telnet(root可登录)，禁用java等插件：

touch /var/factoryenable
/fhrom/bin/get_led_config
rm -rf /var/factoryenable
mount -o remount,sync,rw /fhdata
touch /fhdata/factorymodeflag
sync
mount -o remount,ro /fhdata
/fhrom/bin/get_led_config

可以关闭的软件：

pkill -9 sysmgr
pkill -9 eventmgr
pkill -9 sysproxy
pkill -9 vpnmain
pkill -9 softprober
pkill -9 cpumem_monitor
pkill -9 servicemgr
pkill -9 process_check.
pkill -9 rastatus
pkill -9 smartagent
pkill -9 lancc
pkill -9 dnsmasq
pkill -9 wancc
pkill -9 loop
pkill -9 dhcpl2
pkill -9 tr069 
pkill -9 dhcp_uni_info
pkill -9 detectHwEvent
pkill -9 local_cmd_server
pkill -9 java

pkill -9 cfgmgr
pkill -9 udhcpd
pkill -9 fh_bsp_led_act
pkill -9 sleep

iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z   
iptables -t mangle -F   
iptables -t mangle -X
iptables -t mangle -Z

ebtables -F
ebtables -X
ebtables -Z
ebtables -t nat -F
ebtables -t nat -X
ebtables -t nat -Z
ebtables -t broute -F
ebtables -t broute -X
ebtables -t broute -Z

#工厂模式：
pkill -9 sysmgr
pkill -9 eventmgr
pkill -9 wancc
pkill -9 lancc
pkill -9 servicemgr
pkill -9 fh_bsp_led_act
pkill -9 cfgmgr
pkill -9 detectHwEvent

ebtables -F
ebtables -X
ebtables -Z
ebtables -t nat -F
ebtables -t nat -X
ebtables -t nat -Z
ebtables -t broute -F
ebtables -t broute -X
ebtables -t broute -Z

https://www.right.com.cn/forum/thread-8405332-1-1.html
https://www.right.com.cn/forum/thread-8407535-1-1.html

1.先重置系统，开机后按住reset键20秒
2.使用web管理员 CMCCAdmin aDm8H%MdA 登录系统，开启文件共享ftp
3.开启telnet: http://192.168.1.1/system.cgi?telnet
4.使用光猫背后的普通用户登录telent，然后执行：

#提升管理员权限,密码为刚才登录输入的密码
su user_ftp
#修改web超管账号和密码
cfgcli -s InternetGatewayDevice.DeviceInfo.X_CT-COM_TeleComAccount.UserName admin
cfgcli -s InternetGatewayDevice.DeviceInfo.X_CT-COM_TeleComAccount.Password password
#root用户密码,后续可用root账号登录telnet
cfgcli -s InternetGatewayDevice.DeviceInfo.X_CT-COM_ServiceManage.SuPassword rootpass
#修改ITMS状态为注册成功
cfgcli -s InternetGatewayDevice.X_CT-COM_UserInfo.Status 0
cfgcli -s InternetGatewayDevice.X_CT-COM_UserInfo.Result 1

修改光猫型号为G-140W-UG：

ritool dump
ritool set Mnemonic G-140W-UG

登录web使用loid注册，手工配置网络信息，正常使用。
TR069默认不能点击删除，F12删除disable字段就可以了。
https://www.right.com.cn/forum/thread-8417275-1-6.html

smokeping slave同步时master出现大量错误：

RRDs::update ERROR: /data/smokeping/data/Ping/alidns-v4~test.rrd: illegal attempt to update using time 1741511679 when last update time is 1741524039 (minimum one second step)

清空/data/smokeping/data/后只运行master没问题，再次启动slave就重复出现大量上面错误。
原因是fcgiwrap的运行用户和smokeping的运行用户不一样，导致读写/data/smokeping/data/__cgi/Ping/目录下文件有权限问题。
修改fcgiwrap.service运行用户和smokeping.service一样为smokeping:

User=smokeping
Group=smokeping

并调整下面文件的权限：

chown smokeping:smokeping /etc/smokeping/smokeping_secrets
chown -R smokeping:smokeping /data/smokeping/data/__cgi/
chown -R smokeping:smokeping /usr/local/smokeping/htdocs/images/

https://github.com/oetiker/SmokePing/issues/209

在编译smartdns时开启debug模式：

make DEBUG=1

通过valgrind启动smartdns：

valgrind --log-file=valgrind.log --tool=memcheck --leak-check=full --show-leak-kinds=all ./src/smartdns -f -c ./smartdns.conf 

日志显示明显有内存泄露

==791593== 7,014 (224 direct, 6,790 indirect) bytes in 7 blocks are definitely lost in loss record 5 of 5
==791593==    at 0x48407B4: malloc (vg_replace_malloc.c:381)
==791593==    by 0x4B35018: CRYPTO_zalloc (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==791593==    by 0x4BB1087: OPENSSL_sk_new_reserve (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==791593==    by 0x49FDBEC: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==791593==    by 0x49FCFC5: ??? (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==791593==    by 0x49FE12D: ASN1_item_d2i_ex (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==791593==    by 0x4BD12A1: X509V3_EXT_d2i (in /usr/lib/x86_64-linux-gnu/libcrypto.so.3)
==791593==    by 0x129857: _dns_client_verify_common_name (dns_client.c:3165)
==791593==    by 0x129CF5: _dns_client_tls_verify (dns_client.c:3251)
==791593==    by 0x12A3A1: _dns_client_process_tls (dns_client.c:3372)
==791593==    by 0x12A8D4: _dns_client_process (dns_client.c:3488)
==791593==    by 0x12DF56: _dns_client_work (dns_client.c:4672)
==791593== 
==791593== LEAK SUMMARY:
==791593==    definitely lost: 224 bytes in 7 blocks
==791593==    indirectly lost: 6,790 bytes in 385 blocks
==791593==      possibly lost: 0 bytes in 0 blocks
==791593==    still reachable: 0 bytes in 0 blocks
==791593==         suppressed: 0 bytes in 0 blocks

位于src/dns_client.c文件3165行，alt_names未释放。

alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);

解决：

--- src/dns_client.c    2025-02-27 18:49:04.252529938 +0800
+++ ../dns_client.c     2025-02-27 15:44:26.674269770 +0800
@@ -3183,6 +3183,7 @@
                        tlog(TLOG_DEBUG, "peer SAN: %s", dns->data);
                        if (_dns_client_tls_matchName(tls_host_verify, (char *)dns->data, dns->length) == 0) {
                                tlog(TLOG_DEBUG, "peer SAN match: %s", dns->data);
+                                GENERAL_NAMES_free(alt_names);
                                return 0;
                        }
                } break;
@@ -3196,6 +3197,7 @@
 errout:
        tlog(TLOG_WARN, "server %s CN is invalid, peer CN: %s, expect CN: %s", server_info->ip, peer_CN, tls_host_verify);
        server_info->prohibit = 1;
+        GENERAL_NAMES_free(alt_names);
        return -1;
 }