Note: The encrypted probe packet buffer is sized as char output_Buf[0x640], but only 0x80 bytes of encoded data appear to be used by the code.
It is unknown what other capabilities may be similarly enabled via the 'reserved' field, or by other passwords.
Curiously, Netgear's Windows program also includes the necessary support to decode packets incoming from the router, but there does not appear to be any two-way handshake implemented.
On Aug 20, 2012, Telnet Enable in C was also forked to GitHub by Dave Jagoda under the new project name Netgear Telnet Enable (still also referred to as telnetenable.c).
This fork was an incomplete duplicate of the work that retro98 at My Open Router had completed three years earlier.
The fork added major bug fixes, documentation, and compiled executables ready for immediate use.
It is the only known version of Telnet Enable in C that correctly fixes an MD5 payload buffer overrun and an MD5 result truncation bug.
The probe packet format in unencrypted form is as follows:
For older Netgear routers that use the original Telnet Enable utility, the payload is sent over TCP.
The above payload formats are transformed by algorithms as follows: the MD5 checksum, or signature, is calculated over the contents of the probe payload's MAC, username, and password fields, using the normal three steps (MD5Init, MD5Update, MD5Final) with the default RSA seed.
The resulting 16 byte MD5 checksum/hash is then stored into the md5sum array of the probe payload.
Even though the 'reserved' field is overwritten, the abnormal packet sent to the router will still unlock telnet.
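The signature step described above, as an added example that is not code from the page or from any telnetenable fork: it lays out the unencrypted 0x80-byte payload, computes the 16-byte MD5 signature over the MAC, username and password fields exactly as the text describes, and verifies it. The field widths (0x10/0x10/0x10/0x21/0x2f) are an assumption taken from the public telnetenable.c layout, since the page omits them; the length checks show how the buffer overrun the forks fixed is avoided, and the verifier shows why an overwritten 'reserved' field leaves the signature valid.

```python
import hashlib

# Field widths of the unencrypted probe payload (0x80 bytes in total). These are
# assumed from the public telnetenable.c source; the page itself omits the layout.
SIG_LEN, MAC_LEN, USER_LEN, PASS_LEN, RESERVED_LEN = 0x10, 0x10, 0x10, 0x21, 0x2f
PAYLOAD_LEN = SIG_LEN + MAC_LEN + USER_LEN + PASS_LEN + RESERVED_LEN  # 0x80
SIGNED_LEN = MAC_LEN + USER_LEN + PASS_LEN  # MD5 covers MAC, username, password only


def _field(value: str, width: int, name: str) -> bytes:
    """NUL-pad a string to a fixed width, refusing input that would overrun it."""
    raw = value.encode("ascii")
    if len(raw) >= width:  # leave room for the terminating NUL
        raise ValueError(f"{name} too long: {len(raw)} bytes, max {width - 1}")
    return raw.ljust(width, b"\0")


def build_payload(mac: str, username: str, password: str) -> bytes:
    """Return the unencrypted probe payload with its 16-byte MD5 signature filled in."""
    body = (_field(mac, MAC_LEN, "mac")
            + _field(username, USER_LEN, "username")
            + _field(password, PASS_LEN, "password")
            + bytes(RESERVED_LEN))
    # MD5Init/MD5Update/MD5Final with the standard constants is hashlib.md5();
    # the raw 16-byte digest fits the signature array exactly (no hex string).
    signature = hashlib.md5(body[:SIGNED_LEN]).digest()
    return signature + body


def verify_payload(payload: bytes) -> bool:
    """Check a received (already decrypted) payload against its signature."""
    if len(payload) != PAYLOAD_LEN:
        return False
    expected = hashlib.md5(payload[SIG_LEN:SIG_LEN + SIGNED_LEN]).digest()
    return expected == payload[:SIG_LEN]


if __name__ == "__main__":
    # Constructed sample values; the MAC/user/pass match the page's usage example.
    probe = build_payload("001E3A04E2EB", "Gearguy", "Geardog")
    print("valid:", verify_payload(probe))                                 # True
    clobbered = probe[:-RESERVED_LEN] + b"\xff" * RESERVED_LEN             # reserved overwritten
    print("reserved clobbered, still valid:", verify_payload(clobbered))   # True
    tampered = probe[:SIG_LEN + MAC_LEN] + _field("other", USER_LEN, "u") + probe[SIG_LEN + MAC_LEN + USER_LEN:]
    print("username changed, still valid:", verify_payload(tampered))     # False
```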
An in-depth analysis of the probe packet was recently conducted by Roberto Frenna.
For those newer devices you will need a patched version of telnetenable that supports UDP.
You can find it here. Keep in mind that newer routers no longer use Gearguy/Geardog as the username and password.
[password]
$ ./telnetenable 192.168.1.1 001E3A04E2EB Gearguy Geardog
$ telnet 192.168.1.1
Trying 192.168.1.1...
# version
Release version : Netgear Wireless Router WGR614v8 U12H07200/V1.1.11/6.0.36NA
Time : May 15 2008
# exit
Connection to 192.168.1.1 closed by foreign host.