
Originally Posted by Dr_GrEeN
Just reading this and I know it's a bit old, but the serial number for those BT routers is in the SSL cert. Just log in, go to
https://192.168.1.254 and examine the security cert. I think you have to add cp before the serial to login.
Hi Dr_GrEeN!
Thank you for your advice, I was just looking on the forums for such an answer and you gave me the answer I was looking for. Great trick with the SSL cert. I examined my SSL cert and ran into a problem.
When you stated "I think you have to add cp before the serial to login", what did you mean by "cp"? Did you mean the letters "cp", or did you mean "CN" (Common Name)? Because I cannot find anything called "CP" within the SSL Cert.
I tried using:
cpXXXXXXXX
&
cpXX:XX:XX:XX
X = digit of serial
But neither works; instead I am prompted with a popup error:
Code:
Error establishing an encrypted connection to 192.168.1.254. Error Code: -12217
So I went to Google to do some research on this "cp" that I do not understand. I came to this page:
http://www.gnucitizen.org/blog/dumpi...e-bt-home-hub/
And found the following:
REPLY-ANT-SEARCH MDAP/1.1
ANT-ID:0633EHPSL
ANT-NAME:SpeedTouch BTHH
ANT-MAC:00-14-7F-AA-BB-CC
ANT-HOSTSETUP:auto
TO-HOST:192.168.1.70:2317
TP-VERSION:2.0.0
MDAP-VERSION:1.2
43
The only difference between the ANT-ID parameter and the serial number of the Home Hub is that the serial number is prefixed with
‘CP’. So in this example, the corresponding serial number - which is the default admin password - would be CP0633EHPSL (see the screenshot for more information)
So, now I know (by looking at the full page on the link above) that the only difference between the serial and the ANT-ID is that the serial just has "cp" (without quotes) as a prefix... just like you said. Sorry Dr_GrEeN, I just wanted to understand this and thought I would type out my thoughts in case anyone else didn't know where "cp" came from.
So back to the problem I had earlier, where I was entering the wrong details. I checked the SSL Certificate and obviously when I viewed it, I saw the word "Serial" and automatically thought that is what it was - the serial. In fact it was not the serial at all, well not the serial of what I was pentesting.
So after doing some reading I figured out that it is actually the Organizational Unit that is used in conjunction with the CP.
Here is the information I was looking at on the SSL Certificate:
Code:
Common Name (CN) BT Home Hub
Organization (O) THOMSON
Organizational Unit 06XXXXXXX
Serial Number 7E:XX:XX:XX
Thanks to you Dr_GrEeN for telling us about the SSL Cert hint. Now I have successfully pwned my BTHomeHub.
So for quick reference, the serial of a BTHomeHub is the prefix "CP" + "Organizational Unit":
Example:
CP06XXXXXXX
Do not be misled by the SSL Certificate stating the "serial", as it is not the serial you will be using; it's the Organizational Unit.
This pentest was tested on the BT Home Hub using software version: 6.2.6.E