Author Archives: hph

O Factor, Where Art Thou?

The DHL Packstation is a great thing. Think of it as a vending machine. But instead of sweets and soda, this one dispenses precious DHL parcels. And instead of quarters and dimes it takes a swipe card and a one-time-password … Continue reading

Posted in default | Leave a comment

#Phreaking2016: Authentication Flaw in O2 (Telefónica) ACS

Today, the details on a major authentication flaw in the Auto Configuration Server (ACS) of the German ISP O2 (Telefónica) were released. A tl;dr could be “Tell me your IPv4 address and I may place and accept phone calls on your behalf!”. … Continue reading

Posted in default | Tagged , , | 2 Comments

New domain, new certificate, new server

Recently, I have purchased the domain heinrichs.io as the IO top-level domain was one of the very few which still had “heinrichs” (my surname) available as a second-level domain. It is meant as the successor of hph.name. Simultaneously, I purchased a … Continue reading

Posted in default | Leave a comment

Rooting the Sphairon Speedlink 5501

Last week I was asked if I knew how to enable SSH access on a Sphairon (ZyXEL) Speedlink 5501. My previous technique for the HomeBox 3232 (also manufactured by Sphairon) did not work as the expected magic bytes in the … Continue reading

Posted in default | Tagged , , | Leave a comment

Rooting and Looting of the o2 HomeBox 3232

In November 2012 I published a tool which decrypts configuration backup files of Sphairon-based routers. This tool was mainly used by o2 customers who wanted to extract their VoIP login data so they could use any router they prefer – … Continue reading

Posted in default | Tagged , , | Leave a comment

AVM FRITZ!Box remote command injection vuln

Today I am featured in an article on heise.de. Have fun reading and do not forget to update your FRITZ!Box 😉

Posted in default | Tagged , | 1 Comment

Arcadyan IAD Decrypter v0.05 released

Today I would like to announce a major update to the Arcadyan IAD Decrypter which you might know from the IP-Phone-Forum or from my previous blog post. It is now capable of decrypting the new “OBC6” configuration backup file format … Continue reading

Posted in default | Tagged , , , | Leave a comment

Extract VoIP login data from o2 Box 4421 and o2 Box 6431

Please note, that the information presented in this post may be outdated. An updated technique has been posted here. The German ISP o2 (which has acquired the brand “Alice” from HanseNet in 2010) tries to prevent its customers from installing … Continue reading

Posted in default | Tagged , , , | 1 Comment

Extract VoIP login data from an Alice IAD 3232 backup file

Please note, that the information presented in this post may be outdated. An updated technique has been posted here. The German ISP o2 Alice Hansenet enforces their customers to use the router that is distributed to them along with the … Continue reading

Posted in default | Tagged , , , | 2 Comments

How FTPRush encrypts site passwords

FTPRush (formerly known as “UltraFXP”) is a  popular closed-source freeware FTP Client for Windows and comes with some handy features. If the user chooses to store site passwords FTPRush applies some cryptography to the plaintext password before writing it to … Continue reading

Posted in default | Tagged , | Leave a comment