User comments on ISPs
  >> EE (Everything Everywhere) and Orange


Register (or login) on our website and you will not see this ad.


Pages in this thread: 1 | 2 | 3 | >> (show all)   Print Thread
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 01-Feb-14 01:00:00
Print Post

Does BrightBox Remember your Credentials after Factory Reset


[link to this post]
 
It has been suggested here: http://forums.thinkbroadband.com/freeserve/t/4297744... that the BrightBox remembers the original user's ISP Username and Password even after a Factory Reset, so that it would be unwise to sell it on when no longer needed, e.g. on eBay. Indeed the contention is that the user's ISP Username and Password are 'baked' into the device.

Well, I have carried what I believe are exhaustive tests using 2 BrightBox 1's, one an older Orange-badged BrightBox 1 that I have been using for years and the other a brand-new EE-badged BrightBox 1 that had never connected to the Net from here. Both: Runtime Code Version: v0.09.94.0006-OT (Fri Sep 21 03:00:26 2012).

I carried out numerous Factory Resets, both hard and soft, after setting my credentials in the BrightBox. As long as the BrightBox remains unconnected to the user's BB line, as it would be in someone else's home, then the only credentials you can see are the factory settings of ISP Username = [email protected] and ISP Password = mistyview. Once it is connected to the BB line, within a few seconds the Remote Configuration (TR-069) by EE, recognising the line, will reinstate the user's credentials. This, I believe, is what's happening to the posters in the other thread finding their credentials returning.

Once the BrightBox has been Factory Reset, the only ways to get the user's credential back is either Restore settings from a saved backup or setting them manually or connecting for a few seconds to an EE BB line and allow Remote Configuration to do its thing. Otherwise the factory settings of [email protected] / mistyview remain. Should a future buyer of a Factory Reset BrightBox ever connect it to his BB line then either:
  • If he is not on EE BB, it will sync but nothing will change and it won't connect cuz the ISP Username can only end in '@fs', or
  • If he is on EE BB, it will connect to EE who will Remote Configure the new owner's credentials based on the new owner's phone no.
Logically, the original suggestion of the user's credentials being 'baked' into the BrightBox can only be true if EE were to hard-code them before the BrightBox is dispatched. Then nobody but the original user would be able to use it. But this is refuted by the constant return of [email protected] / mistyview when Factory Reset.

There were some interesting differences of behaviour between the 2 BrightBoxes when subjected to the http://192.168.1.1/cgi/cgi_wan_eth.js script (ISP user credentials) discovered by ScottHelme :
  • On the new router the ISP user credentials were always the [email protected] / mistyview pair regardless of whether it was factory or user settings.
  • On the old router the ISP user credentials were only the [email protected] / mistyview pair when it was factory reset but,
  • On the old router the ISP user credentials were both empty when it was user set, surprisingly.
Also the script also always showed the MTU = 1492 even when I had set it to 1500 as usual.

Mind you this script behaviour may only hold for ADSL not Fibre. Its name implies it is for Ethernet WAN whereas for ADSL you'd want DSL WAN. A Fibre EE user has confirmed that the script does return his true credentials.

Note: The above script does not run under IE; I used FireFox.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User vimto_girl
(member) Sat 01-Feb-14 06:08:44
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
The 'readytoconnect' login authenticates an internal session, it's the ACS credentials which are 'baked' and paired to the broadband account settings.

Edited by vimto_girl (Sat 01-Feb-14 06:09:14)

Standard User XRaySpeX
(eat-sleep-adslguide) Sat 01-Feb-14 10:43:48
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: vimto_girl] [link to this post]
 
ACS?
In reply to a post by vimto_girl:
the ACS credentials which are 'baked' and paired to the broadband account settings.
So, if they are paired then the next owner of the router, if an EE user, will connect to EE as the original owner? Isn't the phone # checked at all?

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC


Register (or login) on our website and you will not see this ad.

Standard User ScottHelme
(newbie) Sat 01-Feb-14 14:05:03
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
Hi Ray,

After some further investigation it would seem that you are correct.

If you disconnect the BrightBox from the modem and *then* perform the factory reset, it will indeed revert to the generic credentials. The config update performed via TR-069 happens so quickly that by the time the web UI is responsive, or I can access the device via the serial port, the credentials have already been retrieved. This is what was giving the impression that they were pre-existing upon device boot.

The only way to safely prepare the BrightBox for sale would be to disconnect all network cables from the device, factory reset and then not connect it to the network again prior to sale so it doesn't update with your credentials.

I'm curious at this point about what EE use to update the devices via TR-069. When supplying me with the firmware patch to update my router for testing, the only information they asked me for was the serial number of the device. Given that I can flash a new serial to the device over the serial port, I hope there's more to it than that.

Scott.

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 01-Feb-14 14:09:49
Print Post

Re: Does BrightBox Remember your Creds after Factory Reset?


[re: ScottHelme] [link to this post]
 
Thanks smile. And for all your help.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User Oliver341
(eat-sleep-adslguide) Sat 01-Feb-14 14:10:52
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: ScottHelme] [link to this post]
 
In reply to a post by ScottHelme:
The config update performed via TR-069 happens so quickly that by the time the web UI is responsive, or I can access the device via the serial port, the credentials have already been retrieved. This is what was giving the impression that they were pre-existing upon device boot.

Previously you said:

In reply to a post by ScottHelme:
If I put in a wrong password, then factory reset with the long button hold, the password comes back along with resetting all other settings like WiFi SSIDs etc... My router isn't connected to the web, just my test machine so there is no communication externally.

So the router must in fact have been connected to the web?

Oliver.
Standard User ScottHelme
(newbie) Sat 01-Feb-14 14:23:21
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: Oliver341] [link to this post]
 
Hi Oli,

Yes you are indeed correct. Sometimes it's best not to do these kind of things late at night with a beer and a snakes nest of wires down the back of your desk wink It seems I was mistaken.

The router must have been getting network connectivity from somewhere or been connected to the modem still. By the time I could access the device, it had already updated and appeared to have retained the credentials, hence my concern. I would edit the post, but I think everyone is now aware that there isn't a problem so it can stay as it is.

Scott.

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 01-Feb-14 14:32:28
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: ScottHelme] [link to this post]
 
Still harping on that quote of yours. Why do you say:
In reply to a post by ScottHelme:
factory reset with the long button hold
Shouldn't it just be for 8-10 secs? Doesn't a long hold trigger a firmware flash? Or was that in conjunction with a Power ON?

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User ScottHelme
(newbie) Sat 01-Feb-14 14:38:35
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
I was under the impression you just hold for 30 seconds and then the LED lights for the network ports do the 'Knight Rider' thing once you release. When the device boots, it's a clean config (or update via TR-069 if you have connectivity).

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk
Standard User ScottHelme
(newbie) Sat 01-Feb-14 14:39:14
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
Isn't 8-10 seconds just to force a reboot?

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 01-Feb-14 14:51:36
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: ScottHelme] [link to this post]
 
No, a Power OFF/ON within a sec will do that. 8 sec for a Factory Reset:
3. Insert the paper clip into the reset hole as far as it will go and hold for eight seconds
It's easy to forget when you hardly do it. In my tests I had to look it up grin.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User ScottHelme
(learned) Sat 01-Feb-14 14:55:24
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
So it is! I have so many routers it's hard to keep track smile The 30 seconds thing certainly does 'something'.

It says on the link that the WPS and LAN light will turn on briefly, when I do it for 30 seconds they seem to light up from one end to the other and back several times. Is that what you see?

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 01-Feb-14 15:33:21
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: ScottHelme] [link to this post]
 
Yes, after holding for 8 secs, they do light from 1 end to t'other a few times.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User vimto_girl
(member) Sat 01-Feb-14 17:22:47
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
Auto Configuration Server. A router using TR69 can normally be plugged into another line then download the login details and even log on simultaneously such that activity and usage will be registered to that user account. I assume the same for EE until proven otherwise.
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 01-Feb-14 17:29:55
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: vimto_girl] [link to this post]
 
I still don't understand!
In reply to a post by vimto_girl:
A router using TR69 can normally be plugged into another line then download the login details
Whose login details? The original owner's? Really?

So a router using TR69 can never be sold/passed on to anybody else w/out it impacting the original owner's a/c? I just can't believe that frown. I'm sure I've used other peeps' routers.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User ukhardy07
(fountain of knowledge) Sat 01-Feb-14 19:08:34
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
Just a suggestion although not entirely sure how it works on EE.

With Sky the usernames and passwords are 'baked' into the router and cannot be changed. If you sell this on via eBay then the new user will connect with your credentials.

I can't remember the exact technicalities (it was discussed on SkyUser a while back) but ultimately even though they have your login details the ISP still knows it's not you as it's going through their internet port at the exchange or something along these lines and it ends up assigned to the other users account. So it's safe to sell on a sky router apparently.

Would EE be similar I wonder?

Edited by ukhardy07 (Sat 01-Feb-14 19:11:04)

Standard User huggons
(learned) Sat 01-Feb-14 19:24:49
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
I bought a BB2 off another EE customer and when it arrived it had his user name and password in the admin pages of the BB2 router. I set it up with my details and it workd just fine.

I have just tested this out for you guys.

I performed a pin hole reset and once reset completed it reverted back to the guys details that I bought it from. i.e his user name and password. The routers internet light was flashing orange and I was not able to connect to the internet, until I connected back with my own user name and password.

Hope this helps.

It would be great to remove the the guys details and replace them with my details

Steve

Edited by huggons (Sat 01-Feb-14 19:25:43)

Standard User XRaySpeX
(eat-sleep-adslguide) Sat 01-Feb-14 19:55:53
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: huggons] [link to this post]
 
In reply to a post by huggons:
I performed a pin hole reset and once reset completed it reverted back to the guys details that I bought it from
Was it connected to the phone/ADSL socket while you did this, even just for the last few secs?

If so, it must be the ACS credentials that vimto_girl mentioned, reporting back to base. Would you mind repeating this with BrightBox disconnected from the ADSL socket?

Else if not, it must mean the guy's creds are burnt in; contrary to my theory frown.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User huggons
(learned) Sat 01-Feb-14 20:09:42
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
Yes it was connected to the phone/ADSL socket when I did it the first time.

I have just repeated the pin hole reset with it disconnected and it reverted to [email protected]

Is there any way to stop the guys details pulling through to the router?

Cheers

Steve
Standard User XRaySpeX
(eat-sleep-adslguide) Sat 01-Feb-14 21:01:57
Print Post

Re: Does BrightBox Remember your Creds after Factory Reset


[re: huggons] [link to this post]
 
Thanks! You've vindicated my theory smile

At least only EE new owners will see original owner's ISP username, but who but EE users would buy a router effectively locked to EE? Anyway his username would be floating round the Net as his email addy.

As for his ISP password they can't see that unless they employ Scott's discovered script.

So the moral is to not sell/pass on any reset Brightbox until EE pushes their Security Update to it and then only after testing against that script.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User vimto_girl
(member) Sat 01-Feb-14 22:54:00
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: XRaySpeX] [link to this post]
 
In reply to a post by XRaySpeX:
I still don't understand!
In reply to a post by vimto_girl:
A router using TR69 can normally be plugged into another line then download the login details
Whose login details? The original owner's? Really?
Yes, really.

I don't advise anyone to sell the router on ebay for the reasons I explain earlier. EE do identify an account from the login, it is not the same as Sky where the login is purely a secret share authentication.
Standard User huggons
(learned) Sun 02-Feb-14 08:50:18
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: vimto_girl] [link to this post]
 
In reply to a post by vimto_girl:
Auto Configuration Server. A router using TR69 can normally be plugged into another line then download the login details and even log on simultaneously such that activity and usage will be registered to that user account. I assume the same for EE until proven otherwise.


Is there any way to stop this happening. Can people not contact EE and have them update the details they hold on the router, if the details are downloaded to the router upon connecting, rather than hard baked into the router itself.

Steve

Edited by huggons (Sun 02-Feb-14 08:51:07)

Standard User vimto_girl
(member) Sun 02-Feb-14 09:02:24
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: huggons] [link to this post]
 
Yes, of course EE have the capability of modifying or deleting the server entry. Getting them to do it might not be so easy though.
Standard User huggons
(learned) Sun 02-Feb-14 10:12:45
Print Post

Re: Does BrightBox Remember your Credentials after Factory R


[re: vimto_girl] [link to this post]
 
Just spoke to a "manager" at EE who understood what I required. She said that there was no way for EE to update their server records! I did press the point and suggested that perhaps their 2nd / 3rd line support could make the changes, however they stuck to their guns, that there was no way to do this. It ended in them saying that they will send me a new replacement router. Lets wait and see if a new BB2 (not BB1) arrives this week in the post.

: )

Seems like a waist and a bad business model to me.
Standard User XRaySpeX
(eat-sleep-adslguide) Sun 02-Feb-14 15:01:03
Print Post

Re: Does BrightBox Remember your Creds after Factory Reset


[re: vimto_girl] [link to this post]
 
Indeed! Having the burnt-in ACS creds phoning home to look-up in an EE table the original owner's creds is almost as bad as having the original owner's creds burnt-in in the 1st place frown.

1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
Standard User ScottHelme
(learned) Sun 02-Feb-14 17:09:38
Print Post

Re: Does BrightBox Remember your Creds after Factory Reset


[re: XRaySpeX] [link to this post]
 
This is a very worrying prospect indeed.

------------------------------------------------------
Catch me on my blog https://scotthelme.co.uk
Pages in this thread: 1 | 2 | 3 | >> (show all)   Print Thread

Jump to