Romantis UHP-1000 Satellite Router

Via a saved Shodan search the Romantis UHP-1000 Satellite Router does not require a password for telnet access by default! An admin can optionally set a password for basic access and a separate password for the admin access. As you can see, just the basic access gives you a lot of info!

df ~$ telnet 1.2.3.4
Trying 1.2.3.4…
Connected to 1.2.3.4.
Escape character is ‘^]’.
UHP VSAT Terminal Software 2.5.0-31 (13.11.2012)

Router# help
———- Interface control
interface ethernet|serial|demod|modulator disable|enable – IF Control
clear interface ethernet|serial|demod|mod – Reinitialize interface
———- Ethernet interface parameters
ethernet mode ehalf|efull|fhalf|ffull|auto – Speed and duplex selection
arp timeout 30-3600 – ARP table purge interval
———- Demodulator common parameters
demodulator lnb power off|on – LNB power control
demodulator search 0-20000 – Carrier search bandwidth (+/-KHz)
demodulator reference off|on – TDMA RX connector 10 MHz output
———- Demodulator profile parameters
demodulator profile a|b disable|enable – Enable/disable profile
demodulator polarization a|b vertical|horizontal – Polarization
demodulator frequency a|b 950000-2150000 – Central frequency (KHz)
demodulator symbolrate a|b 50-34000 – Symbol rate (KSps)
demodulator mode a|b s1|s2 – DVB-S1 or DVB-S2 mode select
demodulator viterbi a|b 1/2|2/3|3/4|5/6|6/7|7/8|auto – FEC: Viterbi
demodulator spectrum a|b off|on|auto – Spectrum Inversion
———- Demodulator control & diagnostics
demodulator activate a|b – Start carrier profile search
demodulator compensate – Compensate LNB frequency offset
demodulator phase-graph 0-255 – Display phase constellation
demodulator bert qpsk|re|data – Bit error rate meter
demodulator voltage 0-10 – Pointing signal output to USB, dB/V (0-off)
demodulator antenna [0-800] [0-800] – Antenna pointing mode [RF min] [RF max]
demodulator inetvu off|on [0-1] [0-1] – iNetVu mode, GetTX, GetCoords
———- Modulator parameters
modulator mode s1|s2 – Modulator mode
modulator frequency 950000-1750000 – Central frequency (KHz)
modulator symrate 1-33000 – Symbol rate (KSps)
modulator level [0-360] – TX power level (x -0.1 dBm)
modulator tx off|on|pure-carrier|balance – Tx carrier control
modulator inversion off|on – Spectrum inversion
modulator reference off|on – Modulator 10 MHz output
modulator power off|on – Modulator 24V BUC power
modulator tlc range 0-360 0-360 – Max/min allowed auto TX level
modulator tlc mode off|on – Automatic transmit level control
———- DVB-S modulator parameters
modulator fec uncoded|1/2|2/3|3/4|5/6|7/8 – FEC mode
———- DVB-S2 modulator parameters
s2modulator mode ccm|along|ashort – CCM / ACM mode, ACM frame size
s2modulator pilots off|on – Pilots insertion
s2modulator roloff 35|25 – Roloff factor (0.XX)
s2modulator qpsk 13|25|12|35|23|34|45|56|89|910 – QPSK FEC mode
s2modulator 8psk 35|23|34|56|89|910 – 8PSK FEC mode
s2modulator 16apsk 23|34|45|56|89|910 – 16APSK FEC mode
———- IP & SVLAN parameters
ip address IP_ADDR IP_MASK [1-1020] – Add IP address to interface [VLAN]
ip route IP_ADDR IP_MASK IP_ADDR [1-1020] – Add static route [VLAN]
ip map IP_ADDR IP_MASK ml|mm|mh|md 0-1020 [0-500] [1-1020] – Route network to TX SVLAN [TrSh] [VLAN]
ip delete IP_ADDR IP_MASK [1-1020] – Delete IP address, route or map [VLAN]
ip dscp low|med|high STRING – DSCP values priority assignment
ip proxyarp off|on – Answer ARP requests for TX mapped networks
svlan receive serial|demod|tdma 0-1020 [1-1020] – Add RX SVLAN [VLAN]
svlan delete serial|demod|tdma 0-1020 [1-1020] – Delete SVLAN [VLAN]
udp ports 1-65535 1-65535 – UDP ports mapping for RTP compression FROM TO
udp delete 0-65535 – Delete UDP port mapping
ip screening auto|off|on – IP screening control
ip update off|on – Routing table update prevention
———- Multicast parameters
multicast mode off|static|igmp – Multicast routing mode
multicast igmp timeout 1-30 :IGMP mappings lifetime (minutes)
———- TCP acceleration parameters
tcp acceleration off|on – Acceleration state
tcp mtu 400-1460 – Advertized MTU
tcp window 4096-65535 – Advertized TCP window
———- DHCP parameters
dhcp mode off|on – Protocol state
dhcp range IP_ADDR IP_ADDR – IP address range for DHCP
dhcp dns IP_ADDR IP_ADDR – DNS servers list
———- RIP protocol parameters
rip advertise none|static|maps|all – RIP route types to advertise
rip next-hop IP_ADDR – RIP next hop to advertise
———- SNMP protocol parameters
snmp community read|write STRING – Set community strings
snmp access IP_ADDR IP_ADDR – Allow access from
———- L2 bridge parameters
bridge map ml|mm|mh|md 1-1020 [0-500] [1-1020] – Bridge VLAN to TX SVLAN [TrSh] [VLAN]
bridge delete [1-1020] – Delete bridged VLAN [VLAN]
———- Traffic Shaper parameters
shaper stream 0-500 0-64000 [0-64000] [0-500] – TS stream CIR(Kbps) [MAXSPEED(Kbps)] [UpStr]
shaper delete 0-500 – Delete TS stream
shaper total bandwidth 0-128000 – Composite channel bandwidth (Kbps)
shaper slope 1-64 – Shaper algorithm slope factor
———- Time related parameters
time shift -24-24 – Local time zone
time set 0-24 0-60 1-31 1-12 0-99 – Set date/time HH MM DD MM YY
time sntp mode off|client|server|both – SNTP operation mode
time sntp access IP_ADDR [0-1023] – SNTP server access IP VLAN
———- Overall control
admin – Switch to Administrator mode
password user|administrator – Set passwords
idle timeout 10-30000 – Console or Telnet session timeout
prompt STRING – Set system prompt
unit mode scpc|hub|outroute|inroute|remote|hmesh|fhub|frem|span – Terminal mode
unit key 0-15 [0-65535] [0-65535] [0-65535] – Set features key
speed-interval 1-250 – Time for averaging interface traffic
queues 20-800 20-400 20-200 – TX queues length in packets
watchdog reset|interrupt – Watchdog timer overflow action
reboot stop – Stop delayed reboot
reboot auto 0-120 – Reboot if TDMA down [delay/minutes, <5 – disable]
reboot [0-1000] – Reboot device [delay in minutes]
exit – Log out from console
———- TDMA common parameters
tdma network 1-7 – Network number
tdma tx inroute 1-31 – Remote TX inroute channel
tdma rx inroute 1-31 – Hub/Mesh RX inroute channel
———- TDMA hub acquisition parameters
tdma satellite 0-179 0-59 E|W – Satellite position (DEG MIN)
tdma location 0-89 0-59 N|S 0-179 0-59 E|W – Location LAT LON (DEG MIN)
tdma tts source measure|value|location|snmp|gps – Hub TTS source
tdma tts 0-150000 – Manual hub TTS value (us)
tdma command 00000000-00000000 STRING – Command to terminal by SN
$gprmc – Location setting via NMEA-183 GPRMC string
———- TDMA configuration manager connection
tdma server mode off|routing|tdma|all – Server controlled mode
tdma server access IP_ADDR 0-1000 STRING – Server IP address, VLAN, password
———- TDMA remote station parameters
station number 1-252 – Remote station number
station dtts source value|location|snmp|gps – Station DTTS source
station location 0-89 0-59 N|S 0-179 0-59 E|W – Location LAT LON (DEG MIN)
station dtts -64000-64000 – Manual station DTTS value (us)
station transmit correction -30000-30000 – TX freq. correction (KHz)
station receive correction -30000-30000 – RX freq. correction (KHz)
station codec 1-2048 – Realtime codec speed KBps
station threshold 1-255 – Realtime speed threshold KBps
station timeout 1-100 – Realtime timeout (s)
station report auto|scpc|tdma – Which C/N level report to hub
———- TDMA hub/mesh RF parameters
tdma receive 950000-2150000 – Receive central frequency (KHz)
tdma bandwidth x1|x2|x4|x8 – RX acquisition bw. (x +/-6kHz)
tdma transmit 950000-1750000 – Transmit central frequency (KHz)
tdma mesh receive 950000-2150000 – Mesh receive central frequency (KHz)
tdma symbol-rate 50-4000 – Symbol rate (KSps)
tdma fec 2/3|5/6 – FEC rate
tdma spectrum normal|inverted – Receive spectrum inversion
———- TDMA hub protocol parameters
tdma stations number 1-252 – Stations number
tdma frame 16-252 – Frame length in bursts
tdma length 1-10 – Burst length (x192 symbols)
tdma station state on|off 1-252 [1-252] – Turn on or off station [range]
———- TDMA bandwidth allocation parameters
tdma active-rate 1-255 – Active stations request rate
tdma idle-rate 1-255 – Idle stations request rate
tdma down-rate 1-255 – Down stations request rate
tdma timeout 2-60 – Stations idling timeout (frames)
tdma guaranteed 1-252 0-252 – Guaranteed bandwidth for station (STN BW)
———- TDMA transmit level control parameters
tlc hub 20-200 – Desired hub-side receive level (x 0.1dB)
tlc remotes 20-200 – Desired remotes receive level (x 0.1dB)
tlc strategies 0-9 0-9 – Hub TX averageminimum networkown
———- AMIP protocol parameters
amip mode off|on – AMIP control
amip peer IP_ADDR 1-64000 0-1023 – Controller IP address TCP Port and VLAN
amip message STRING – Send AMIP message
———- SCPC TLC mode
tlc mode off|on – Mode control
tlc peer IP_ADDR 0-1020 STRING – Peer IP address, VLAN, password
tlc nominal 20-200 – Desired local receive level (x 0.1dB)
tlc acm off|on – ACM mode control
———- Controlled SCPC mode parameters
cscpc mode off|demod|master|slave – Modulator TX on/off auto-control
cscpc frequency 950000-1700000 – Transmit central frequency (KHz)
cscpc symbol-rate 250-32000 – Symbol rate (KSps)
cscpc standard s1|ccm|along|ashort – Transmission standard S1/S2
cscpc s1 uncoded|1/2|2/3|3/4|5/6|7/8 – FEC mode
cscpc s2 qpsk 12|35|23|34|45|56|89|910 – QPSK FEC mode
cscpc s2 8psk 35|23|34|56|89|910 – 8PSK FEC mode
cscpc qpsk 13|25|12|35|23|34|45|56|89|910 – QPSK FEC mode
cscpc 8psk 35|23|34|56|89|910 – 8PSK FEC mode
cscpc 16apsk 23|34|45|56|89|910 – 16APSK FEC mode
cscpc level 0-360 – TX power level (x -0.1 dBm) 0-default
cscpc activate 00000000-40000000 – Active slave serial number
———- Redundancy backup parameters
backup mode off|on – Backup mode control
backup timeout 5-250 – Mode switching timeout (s)
backup fault timeout 5-250 – Fault timeout (s)
backup local address IP_ADDR – Local address for independent access
backup remote address IP_ADDR – Peer IP address
———- Configuration management
config description STRING – Describe current configuration
config load tftp IP_ADDR 0-1000 STRING – Load config from TFTP [VLAN]
config load default – Load default configuration
config load 0-1 – Load configuration from specified profile
config save tftp IP_ADDR 0-1000 STRING – Save config to TFTP [VLAN]
config save 0-1 – Save current configuration to specified profile
———- Statistics
show interface ethernet|serial|demod|modulator – Interface stats
show errors – Show device errors
show ip [0-1020] – Routing table and forwarding stats [VLAN]
show rtp – RTP header compression stats
show dhcp – DHCP parameters
show snmp – SNMP parameters
show multicast – Multicast stats
show acceleration – TCP acceleration stats
show arp – ARP table
show system – System parameters
show boot – Software boot options
show config – Current configuration
show memory ram|flash|eeprom – Memory state
show shaper – Print Traffic Shaper stats
show tdma – TDMA parameters
show remotes traffic [1-252] – Remotes traffic stats
show remotes [1-252] – Remotes statistics
show cscpc – Display CSCPC parameters
show tlc – SCPC TLC statistics
show backup – Redundancy backup stats
show amip – AMIP stats
clear arp-table – Purge contents of ARP table
clear counters all|ethernet|serial|demod|modulator|ip|tdma – Reset stats
clear log – Purge logs
———- Logging & debug management
show log – Display logs
logging interface|demod|config|system|tdma off|on – Logging events
debug packets|arp|rtp|ping|igmp|dhcp|backup|otg|rip off|on – Debugging
———- Diagnostics
ping IP_ADDR [1-1000000] [40-1500] [1-10000] [0-1020] – IP Number Size Interval(ms) VLAN
traffic-generator off – Disable traffic generator
traffic-generator IP_ADDR 1-50000 36-1500 [0-1020] – IP packets/second packet_length [VLAN]
———- Image management
image load tftp IP_ADDR 0-1000 STRING – Load image by TFTP to RAM [VLAN]
image load xmodem – Load image with X-modem to RAM buffer
image load flash – Copy image from flash to RAM
image write – Write image from RAM to Flash
erase flash – Erase flash bank
———- Boot control
boot main 0-3 0-1 – Main boot profile FLASH_BANK(0-auto) CONF_BANK
boot temp 0-3 0-1 – Temp boot profile FLASH_BANK(0-none) CONF_BANK
boot fallback timeout 1-10000 – Temp image auto fallback period (min)
boot fallback reason uptime|link-up – Auto fallback reason
boot fallback stop – Abandon auto fallback
———- Help
help – Print this help
Router# admin
Administrator password:

Router#
telnet> close
Connection closed.
df ~$

Advertisements

Tags: ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: