
Using the Telecom Optical Modem HGU421N_V3

Published: 2021-09-02
telecom modem telecommunications light cat

Note:

Ethernet port 4: 1000Mb/s, others 10/100Mb/s
The TTY login might NOT be "username: admin, password: v2mprt"
Is there any powerful router compatible with ChinaTelecom EPON that has at least two 1000Mb/s ports?

e8-C Terminal User Manual:

Product technical specifications:

Huaqin HGU421N v3.0 broadband modem crack:

pplc, #1, 2015-01-02, 17:39:43: New version of Huaqin HGU421N V3 optical modem crack

Recently, I found some cracking information for the old version of HGU421N V3 on the Internet and, based on that reference, I cracked the new version of HGU421N V3, which also has IPTV on it. The cracked optical modem version is as follows:

Bootbase Version : V1.04
Firmware FakeVersion : 301WFA0AE0SH
Firmware RealVersion : 3.01(WFA.0)b3_20140513
Hardware Version : V3.0
Vendor : huaqin
Model Name : HGU421N v3(V3.0)

Step one: Obtain telecomadmin account password

Here, a USB to TTL board is used to connect to the circuit board through serial communication. The USB to TTL board costs 3-8 yuan on Taobao; please note that it requires 3 DuPont cables. Open the case of the optical modem, and you can see a 5-pin socket. One of the pins is missing, so use the missing pin as number 2 to position the pins.

  1. GND Connect to the GND of the USB to TTL board
  2. Missing pins (no wiring)
  3. RXD connects to TXD of USB to TTL board
  4. TXD connects to RXD of USB to TTL board
  5. With pins (no wiring)

Note that it does not matter whether the optical modem is powered off or the optical fiber is disconnected during wiring. It is best to use Putty as the serial communication software. I used HyperTerminal first, but there was no response. Later, Putty solved the problem and I did not try using HyperTerminal again. The serial port rate is set to 115200. Which serial port to use for USB to TTL conversion is up to you.

Log in with username: admin, password: v2mprt. Open another Telnet backdoor to prevent Telecom from changing the telecomadmin password and having to re-open the TTL communication shell. Finally, remember to type the save command to save. Don't worry about the new version here. The service WAN is enabled and you can access it. Enter localservice and you will know why. In the old version, you need to pay attention to the problem of WAN access. Next, you can cut off the power, unplug the TTL cable, and put the optical modem back in its case. Then you can access it through the web telecomadmin account, and then you will find that the TR069 protocol cannot be deleted. This is a restriction made by the new version of the optical modem's web service. If you do not need to delete TR069, you can skip it directly.

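dumpnvram shows the telecomadmin password (this command only works on the new version).
dumpcfg also shows the telecomadmin password (this one works on the old version too), but this command prints too much data. It is recommended to set Putty to log all output before connecting, run this command as soon as you are in, then exit and check the log.
wanlimit set mode 0 turns off the limit on the number of computers directly. The information on the Internet uses wanlimit set totalnum 10 to increase the number of computers, but that way the optical modem still spends CPU resources on detecting the number of computers, and this detection consumes quite a lot of CPU and affects network speed, so turning it off is best.
localservice telnet enable turns on the telnet service.
localservice ftp enable turns on the ftp service; the FTP root directory is /mnt.
telnet username: e8telnet, password: e8telnet
ftp username: e8ftp, password: e8ftp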

Step 2: Delete TR069

Log in to the optical modem's IP using IE, log in with the telecomadmin account, click "Network" -> "Broadband Settings", and select TR069 for "Connection Name". At this time, the delete button below will turn gray. Right-click the white blank space on the web page above the delete button, and click "View Source File" in the pop-up menu. A text file called BroadBund[1] will pop up, which is full of HTML source code.

Find the line var allowTR069WANEdit = '0'; and change the 0 to 1. Then find the line loc = "eponwan.cmd?action=remove&rmLst=" + rmLst;. You can use eponwan.cmd?action=remove as the keyword to search, and add http://192.168.1.1/ in front of eponwan; the modified line is given below for reference, and the IP address here is the optical modem's IP address. Save this file as Broadbund.html. Be careful not to close IE at this time, because there is session information on it. If you close IE, the session will be invalid. Open the saved html file with IE. IE will prompt security information such as ActiveX operation. Select "Allow to run" and select the line TR069 in the "Connection name". Be sure to make the wrong selection, and then click the "Delete" button below to delete TR069.

What you need to pay attention to in the operation here is the speed. Because there is a session parameter, the operation will fail if it takes longer than the session timeout, which is usually 5-10 minutes. This is not a problem as long as you are familiar with the above operation steps. Of course, you can also copy the session value, which will not be described here. After deleting TR069, Telecom has no way to remotely manage this optical modem.

Internet connection can use Route mode, which means the optical modem is used without a router, or Bridge mode can be set, so that you need to install your own router. IPTV uses Bridge mode and uses VLAN TAG mode for communication, while the Internet uses VLAN Untag mode for communication. Therefore, on the port using IPTV, such as Internet using routing mode, it is actually possible to combine Internet and IPTV without interfering with each other.

loc = "http://192.168.1.1/eponwan.cmd?action=remove&rmLst=" + rmLst;
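
Step 2 of the post works because the TR069 restriction exists only in the page's JavaScript (allowTR069WANEdit), while the device executes eponwan.cmd?action=remove for any request that carries the session. The following is an added example, not part of the original post and not the firmware's code, showing that rule enforced on the device instead; the handler names, role names, WAN ids and csrfToken field are assumptions.

```javascript
// Constructed model of a gateway web handler. Not the HGU421N firmware:
// handler names, role names, WAN ids and the csrfToken field are assumptions.

// Services whose WAN entry only the operator role may remove (assumption).
const PROTECTED_SERVICES = new Set(["TR069"]);
const MAY_REMOVE_PROTECTED = { operator: true, telecomadmin: false };

// Constructed WAN table; rmLst is modelled as a comma-separated id list.
const WAN_TABLE = new Map([
  ["wan0", { service: "TR069" }],
  ["wan1", { service: "INTERNET" }],
  ["wan2", { service: "IPTV" }],
]);

// Before: the only gate is the page script (allowTR069WANEdit = '0').
// Any request that carries a live session is executed as sent.
function removeWanClientGated(session, query) {
  if (!session) return { status: 401 };
  const ids = String(query.rmLst || "").split(",").filter(Boolean);
  return { status: 200, removed: ids };
}

// After: the rule is evaluated on the device for every request.
function removeWanServerChecked(session, req) {
  if (!session) return { status: 401 };
  // A state change must be a POST carrying the per-session token, so another
  // origin cannot ride the session. This alone does not stop an edited copy
  // of the page; the role check below does.
  if (req.method !== "POST") return { status: 405 };
  if (!req.body || req.body.csrfToken !== session.csrfToken) return { status: 403 };
  const ids = String(req.body.rmLst || "").split(",").filter(Boolean);
  if (ids.length === 0 || ids.some((id) => !WAN_TABLE.has(id))) return { status: 400 };
  // Same policy the page expressed client-side, now decided from the session role.
  const denied = ids.filter((id) =>
    PROTECTED_SERVICES.has(WAN_TABLE.get(id).service) &&
    MAY_REMOVE_PROTECTED[session.role] !== true);
  if (denied.length > 0) return { status: 403, denied };
  return { status: 200, removed: ids };
}
```

With the check on the device, changing a variable in a saved copy of the page has no effect on what the session is allowed to remove.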