My first DSL modem in 1999 required Telnetting in via serial port to USB. I had to call a network technician at Qwest, and followed by typing in what seemed like arcane commands.  I had no idea what I was doing.  Things have changed for the better, but most DSL modems still have the ability to log into them directly through command line interfaces. The C1000Z runs BusyBox Linux which comes loaded with your usual base Linux utilities, so if you can wield Bash, you can hack your modem.

Grabbing your PPP username

I was looking to enabled the Transparent Bridge mode for my new Netgear R6050 after a friend managed to break the internal antenna on my Zyxel C1000Z, I wasn’t home so I don’t know the physics involved. Rather than pay $99 to CenturyLink for a new modem/router I decided to buy a new WAP/Router. 

Having a little network administration under my belt, I figured I could grab the PPP Password.

The following guide was indispensable and got me 95% of the way there so I suggest checking it out first and/or following it along with my more “For Dummies” guide: 

How to Find Your CenturyLink PPP Password on a Zyxel C1000Z Modem 

You’ll want a basic understanding of SSH and/or Telnet. OS X regardless of version come with SSH and Telnet as does (almost) every flavor of Linux. Windows users will need Putty. 

Step 1:

First you’ll need to enable telnet in your Router, and you’ll need PPPoe enabled (Under WAN settings), these can easily be done through the Modem’s GUI

image

 Step 2: 

Fire up your terminal (Windows users will have to use Putty, and translate the instruction) and type:

telnet YOUR-IP-ADRRESS

In this example, my router’s IP address is 192.168.0.1, this is the default address so I would type:

telnet 192.168.0.1

It make take a moment for the router to respond, once it does, respond something like “BCM963268 Broadband Router” and  it should ask for your username, type in the username you entered hit return and it should then ask for your password, enter the password you typed in, hit return.

Step 3:

Using the terminal we can call all the active tasks running on the modem, to do so type:

ps

Geek stuff: Users can use sh to access the BusyBox linux Bash shell and run task monitoring software like top. If you’re feeling adventurous, type sh and poke around using commands like ls and top. You can grab the process ID using top just like we do in step 4.

Step 4:

You should see a long list of responses, that read:


 PID USER       VSZ STAT COMMAND    

1 admin     1556 S    init    

2 admin        0 SW<  [kthreadd]    3

 admin        0 SW<  [migration/0]    

4 admin        0 SW   [sirq-high/0]   

and so on... We’re only interested in one entry, the one that’s running the pppd (or ppp*) command. it’ll probably be at the bottom. It should read something like:

3494 admin     1808 S    pppd -c ppp0.1 -i ptm0.1 -u myusername@qwest.net -p **

The myusername@qwest.net is your username.

Step 5:

Next you’ll need to analyze the process ID further, take special note of the preceding number, in this example its 3494. Type in the console:

cat proc/3494/cmdline  

It should return something like 

pppd-cppp0.1-iptm0.1-umyusername@qwest.net-pjlFrVNtRMtU=-f0-D0-n1-L0-X120 >

The password portion of this is encoded, the tricky part here is identifying it. We know the that this is a concatenated line by gauging from the previous line. The password portion should be between -p  and -.  In this example, the encoded password is:

jlFrVNtRMtU=

Step 6:

This password is encoded in base64, thanks to the leg work Make a new tab or new terminal window, and type:

echo "jlFrVNtRMtU=" | base64 --decode

It should spit back something like:

ac7gkDnUmac-pro:~ user$

the ac7gkDnU  will be your PPP password. Congrats! You’re now ready to enable transparent bridge mode on your router.