路由器刷机突破校园网限制

免责声明

本教程大部分内容来自 github 上 drcom-generic 开源项目，以及网络上各大牛的帖子与文章，大牛众多且出名，就不一一感谢与强调其版权。只进行了测试与整理以及部分错误的修正针对小白更友好一点，由阅读者实操所产生的一切后果，一概不负责。仅供学习与交流，请勿用于商业用途！

在根据本教程进行实际操作时，如因您操作失误导致出现的一切意外，包括但不限于路由器变砖、故障、数据丢失等情况，概不负责；该技术仅供学习交流，请勿将此技术应用于任何商业行为，所产生的法律责任由您自行承担；部分学校明令禁止使用路由器上网。本教程仅用于交流使用，安装路由器的行为完全是您个人意志所决定的，如您已成功安装，请在 24 小时内重置路由器至原出产状态；请按照学校推荐的方式连接到互联网，如因个人问题受到相关校规追责，由您自行承担。

环境准备

python2.7（调试用到）wireshark（抓包工具）notepad++（修改代码用到）一款支持刷入第三方系统(openwrt)的路由器该路由器已联网并获得开发者(root)权限一根网线下载软件WinSCP下载软件putty，32位操作系统请下载putty32，64位系统请下载putty64

一、刷入固件

先刷入不死鸟控制台，再通过不死鸟控制台刷入固件，避免因操作失误造成路由器变砖

获取路由器root权限

以极路由1S HC5661A为例，在您购买满14天后，请先登录极路由器后台，然后依次开通、安装开发者插件

开通开发者模式：“云插件”>“路由器信息”>“高级设置”>“开通” 安装开发者插件：“云插件”>“全部插件”>“开发者模式”>”确定”

其他路由器可查看其他教程获取root权限。

刷入不死Breed

下载Breed

Breed是一个路由器的Bootloader（Bootloader 意为引导加载器，即为用于加载操作系统的程序。它是一大类此类功能程序的统称。现在的 BIOS、UEFI、GRUB、RedBoot、U-Boot、CFE等都是 Bootloader），装它的目的是为了下一步刷入固件（ROM）。以极路由1S HC5661A为例，不同型号下载不同的Breed，请务必对号入座，下载breed-mt7628-hiwifi-hc5661a.bin

上传到指定目录

使用WinSCP登入你的路由器后台，其中：

主机名：你的后台管理地址(比如192.168.1或者192.168.1.199)

账号：root

密码 ：你的后台管理密码

端口：1022或者22(自行测试)

模式：SCP

登陆成功后进入/tmp目录，将刚才下载的breed-mt7628-hiwifi-hc5661a.bin上传到这个目录

刷入Breed

使用putty64登入你的路由器后台，主机名、账号、密码、端口均与上述相同，登入成功后键入以下命令

mtd -r write /tmp/breed-mt7628-hiwifi-hc5661a.bin u-boot

显示rebooting后等待路由重启完成，不死uboot就完成了刷入了。（注意，为了确定百分百刷入成功，建议此时什么都不要动，等待5分钟后再进行其他操作）

请严格按照先后顺序操作

用网线让路由器的LAN口与电脑的网口相连接；PC设置为自动获取IP(一般默认自动获取IP)；路由器断电(就是拔插头)；首先按住reset不放！，确保没有松开reset键后，然后，插入路由器电源；保持按住reset 3-4秒左右，路由器灯开始一闪一闪的时候，松开reset；PC网卡获取到192.168.1.x的地址 （如未获取到手工设置），一般是192.168.1.1 ；浏览器访问 192.168.1.1，接着你就会看到一个uboot控制台的界面。

为了保险起见，首先进行固件备份，以备不时之需。严重强烈建议极路由用户刷Breed后，第一次进入后台就备份一次，这样以后想要重新刷回官方系统时原有功能不会受到影响，仍然能够访问云平台。

现在正是开始刷入OpenWrt固件，依次点击固件更新→勾选固件→点击选择文件，选择我们刚刚下载的openwrt-18.06.2-ramips-mt76x8-hc5661a-squashfs-sysupgrade.bin，然后耐心等待固件刷入完成。

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-4a9SJQNp-1638352440059)(https://raw.githubusercontent.com/Editblog/PicGo/main/img/20211201175342.png)]

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-kWceV26l-1638352440060)(https://raw.githubusercontent.com/Editblog/PicGo/main/img/20211201175350.png)]

安装完成后会自动重启，这时可以不断刷新浏览器，直到管理界面显示出来，如果没有显示，建议稍后使用192.168.1.1访问管理页面。

账号:root

密码:默认为admin

二、确定所使用客户端版本

打开学校的客户端，右上角可以看见ver5.2.0（D）

三、网络抓包

1、 先断开网络，注销并关闭drcom客户端。

2、 打开wireshark，选中你联网用的那个连接。双击开始抓包！如图所示：

软件会进入如下界面

现在打开drcom客户端，拨号连接并在线保持1分钟左右，然后注销，完全关闭drcom后，选择wireshark的停止抓包

选择File-save 选择保存路径，并重命名该文件为dr.pcapng (拓展名为.pcang)

完成抓包

四、解析数据

1.此处提供 drcom_p_config.py 与 latest-wired.py的代码

drcom_p_config.py

# -*- coding: utf-8 -*-

from binascii import hexlify

import re

def hexed(s):

ret = ''

for i in s:

ret += '\\x' + hex(ord(i))[2:].rjust(2, '0')

return ret

filename = 'dr.pcapng'

f = open(filename, 'rb')

text = f.read()

offset = re.search('\xF0\x00\xF0\x00[\x00-\xFF]{4}[\x03\x07]\x01', text).start() + 8

#print hexlify(text[offset:offset+330])

#print hexlify(text[offset:offset+338])

# print text[offset+334:offset+338].encode('hex')

if re.match('\x00\x00[\x00-\xFF]{2}', text[offset+334:offset+338]):

ror_version = True

else :

ror_version = False

# print ror_version

username_len = ord(text[offset+3]) - 20

username = text[offset+20:offset+20+username_len]

print 'server = \'%s\'' % '.'.join([str(ord(i)) for i in text[offset-12:offset-8]])

print 'username=\'%s\'' % username

print 'password=\'\''

print 'CONTROLCHECKSTATUS = \'%s\'' % hexed(text[offset+56])

print 'ADAPTERNUM = \'%s\'' % hexed(text[offset+57])

print 'host_ip = \'%s\'' % '.'.join(map(lambda x: str(ord(x)), text[offset+81:offset+85]))

print 'IPDOG = \'%s\'' % hexed(text[offset+105])

print 'host_name = \'%s\'' % 'GILIGILIEYE'

print 'PRIMARY_DNS = \'%s\'' % '.'.join(map(lambda x: str(ord(x)), text[offset+142:offset+146]))

print 'dhcp_server = \'%s\'' % '.'.join(map(lambda x: str(ord(x)), text[offset+146:offset+150]))

print 'AUTH_VERSION = \'%s\'' % hexed(text[offset+310:offset+312])

if ror_version:

print 'mac = 0x%s' % hexlify(text[offset+328:offset+334])

else:

print 'mac = 0x%s' % hexlify(text[offset+320:offset+326])

print 'host_os = \'%s\'' % 'NOTE7'

KEEP_ALIVE_VERSION = [i for i in re.findall('\xf0\x00\xf0\x00....\x07.\x5c\x28\x00\x0b\x01(..)', text) if i != '\x0f\x27'][0]

print 'KEEP_ALIVE_VERSION = \'%s\'' % hexed(KEEP_ALIVE_VERSION)

print 'ror_version = %s ' % ror_version

latest-wired.py

#!/usr/bin/env python

# -*- coding: utf-8 -*-

import socket

import struct

import time

import hashlib

import sys

import os

import random

import traceback

# CONFIG

'''

server = "192.168.100.150"

username = ""

password = ""

host_name = "LIYUANYUAN"

host_os = "8089D"

host_ip = "10.30.22.17"

PRIMARY_DNS = "114.114.114.114"

dhcp_server = "0.0.0.0"

mac = 0xb888e3051680

CONTROLCHECKSTATUS = '\x20'

ADAPTERNUM = '\x01'

KEEP_ALIVE_VERSION = '\xdc\x02'

'''

server = '10.1.1.254'

username='账号'

password='密码'

CONTROLCHECKSTATUS = '\x20'

ADAPTERNUM = '\x07'

host_ip = '172.17.19.107'

IPDOG = '\x01'

host_name = 'GILIGILIEYE'

PRIMARY_DNS = '218.196.40.9'

dhcp_server = '172.17.19.252'

AUTH_VERSION = '\x27\x00'

mac = 0x2cf05db2b380

host_os = 'NOTE7'

KEEP_ALIVE_VERSION = '\xdc\x02'

ror_version = True

'''

AUTH_VERSION:

unsigned char ClientVerInfoAndInternetMode;

unsigned char DogVersion;

'''

AUTH_VERSION = '\x0a\x00'

IPDOG = '\x01'

ror_version = False

# CONFIG_END

keep_alive1_mod = False #If you have trouble at KEEPALIVE1, turn this value to True

nic_name = '' #Indicate your nic, e.g. 'eth0.2'.nic_name

bind_ip = '0.0.0.0'

class ChallengeException (Exception):

def __init__(self):

pass

class LoginException (Exception):

def __init__(self):

pass

def bind_nic():

try:

import fcntl

def get_ip_address(ifname):

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

return socket.inet_ntoa(fcntl.ioctl(

s.fileno(),

0x8915, # SIOCGIFADDR

struct.pack('256s', ifname[:15])

)[20:24])

return get_ip_address(nic_name)

except ImportError as e:

print('Indicate nic feature need to be run under Unix based system.')

return '0.0.0.0'

except IOError as e:

print(nic_name + 'is unacceptable !')

return '0.0.0.0'

finally:

return '0.0.0.0'

if nic_name != '':

bind_ip = bind_nic()

s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

# s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

s.bind((bind_ip, 61440))

s.settimeout(3)

SALT = ''

IS_TEST = True

# specified fields based on version

CONF = "/etc/drcom.conf"

UNLIMITED_RETRY = True

EXCEPTION = False

DEBUG = False #log saves to file

LOG_PATH = '/var/log/drcom_client.log'

if IS_TEST:

DEBUG = True

LOG_PATH = 'drcom_client.log'

def log(*args, **kwargs):

s = ' '.join(args)

print s

if DEBUG:

with open(LOG_PATH,'a') as f:

f.write(s + '\n')

def challenge(svr,ran):

while True:

t = struct.pack("

s.sendto("\x01\x02"+t+"\x09"+"\x00"*15, (svr, 61440))

try:

data, address = s.recvfrom(1024)

log('[challenge] recv',data.encode('hex'))

except:

log('[challenge] timeout, retrying...')

continue

if address == (svr, 61440):

break

else:

continue

log('[DEBUG] challenge:\n' + data.encode('hex'))

if data[0] != '\x02':

raise ChallengeException

log('[challenge] challenge packet sent.')

return data[4:8]

def md5sum(s):

m = hashlib.md5()

m.update(s)

return m.digest()

def dump(n):

s = '%x' % n

if len(s) & 1:

s = '0' + s

return s.decode('hex')

def ror(md5, pwd):

ret = ''

for i in range(len(pwd)):

x = ord(md5[i]) ^ ord(pwd[i])

ret += chr(((x<<3)&0xFF) + (x>>5))

return ret

def gen_crc(data, encrypt_type):

DRCOM_DIAL_EXT_PROTO_CRC_INIT = 20000711

ret = ''

if encrypt_type == 0:

# 加密方式无

return struct.pack('

elif encrypt_type == 1:

# 加密方式为 md5

foo = hashlib.md5(data).digest()

ret += foo[2]

ret += foo[3]

ret += foo[8]

ret += foo[9]

ret += foo[5]

ret += foo[6]

ret += foo[13]

ret += foo[14]

return ret

elif encrypt_type == 2:

# md4

foo = hashlib.new('md4', data).digest()

ret += foo[1]

ret += foo[2]

ret += foo[8]

ret += foo[9]

ret += foo[4]

ret += foo[5]

ret += foo[11]

ret += foo[12]

return ret

elif encrypt_type == 3:

# sha1

foo = hashlib.sha1(data).digest()

ret += foo[2]

ret += foo[3]

ret += foo[9]

ret += foo[10]

ret += foo[5]

ret += foo[6]

ret += foo[15]

ret += foo[16]

return ret

def keep_alive_package_builder(number,random,tail,type=1,first=False):

data = '\x07'+ chr(number) + '\x28\x00\x0b' + chr(type)

if first :

data += '\x0f\x27'

else:

data += KEEP_ALIVE_VERSION

data += '\x2f\x12' + '\x00' * 6

data += tail

data += '\x00' * 4

#data += struct.pack("!H",0xdc02)

if type == 3:

foo = ''.join([chr(int(i)) for i in host_ip.split('.')]) # host_ip

#CRC

# edited on 2014/5/12, filled zeros to checksum

# crc = packet_CRC(data+foo)

crc = '\x00' * 4

#data += struct.pack("!I",crc) + foo + '\x00' * 8

data += crc + foo + '\x00' * 8

else: #packet type = 1

data += '\x00' * 16

return data

# def packet_CRC(s):

# ret = 0

# for i in re.findall('..', s):

# ret ^= struct.unpack('>h', i)[0]

# ret &= 0xFFFF

# ret = ret * 0x2c7

# return ret

def keep_alive2(*args):

#first keep_alive:

#number = number (mod 7)

#status = 1: first packet user sended

# 2: first packet user recieved

# 3: 2nd packet user sended

# 4: 2nd packet user recieved

# Codes for test

tail = ''

packet = ''

svr = server

ran = random.randint(0,0xFFFF)

ran += random.randint(1,10)

# 2014/10/15 add by latyas, maybe svr sends back a file packet

svr_num = 0

packet = keep_alive_package_builder(svr_num,dump(ran),'\x00'*4,1,True)

while True:

log('[keep-alive2] send1',packet.encode('hex'))

s.sendto(packet, (svr, 61440))

data, address = s.recvfrom(1024)

log('[keep-alive2] recv1',data.encode('hex'))

if data.startswith('\x07\x00\x28\x00') or data.startswith('\x07' + chr(svr_num) + '\x28\x00'):

break

elif data[0] == '\x07' and data[2] == '\x10':

log('[keep-alive2] recv file, resending..')

svr_num = svr_num + 1

# packet = keep_alive_package_builder(svr_num,dump(ran),'\x00'*4,1, False)

break

else:

log('[keep-alive2] recv1/unexpected',data.encode('hex'))

#log('[keep-alive2] recv1',data.encode('hex'))

ran += random.randint(1,10)

packet = keep_alive_package_builder(svr_num, dump(ran),'\x00'*4,1,False)

log('[keep-alive2] send2',packet.encode('hex'))

s.sendto(packet, (svr, 61440))

while True:

data, address = s.recvfrom(1024)

if data[0] == '\x07':

svr_num = svr_num + 1

break

else:

log('[keep-alive2] recv2/unexpected',data.encode('hex'))

log('[keep-alive2] recv2',data.encode('hex'))

tail = data[16:20]

ran += random.randint(1,10)

packet = keep_alive_package_builder(svr_num,dump(ran),tail,3,False)

log('[keep-alive2] send3',packet.encode('hex'))

s.sendto(packet, (svr, 61440))

while True:

data, address = s.recvfrom(1024)

if data[0] == '\x07':

svr_num = svr_num + 1

break

else:

log('[keep-alive2] recv3/unexpected',data.encode('hex'))

log('[keep-alive2] recv3',data.encode('hex'))

tail = data[16:20]

log("[keep-alive2] keep-alive2 loop was in daemon.")

i = svr_num

while True:

try:

time.sleep(20)

keep_alive1(*args)

ran += random.randint(1,10)

packet = keep_alive_package_builder(i,dump(ran),tail,1,False)

#log('DEBUG: keep_alive2,packet 4\n',packet.encode('hex'))

log('[keep_alive2] send',str(i),packet.encode('hex'))

s.sendto(packet, (svr, 61440))

data, address = s.recvfrom(1024)

log('[keep_alive2] recv',data.encode('hex'))

tail = data[16:20]

#log('DEBUG: keep_alive2,packet 4 return\n',data.encode('hex'))

ran += random.randint(1,10)

packet = keep_alive_package_builder(i+1,dump(ran),tail,3,False)

#log('DEBUG: keep_alive2,packet 5\n',packet.encode('hex'))

s.sendto(packet, (svr, 61440))

log('[keep_alive2] send',str(i+1),packet.encode('hex'))

data, address = s.recvfrom(1024)

log('[keep_alive2] recv',data.encode('hex'))

tail = data[16:20]

#log('DEBUG: keep_alive2,packet 5 return\n',data.encode('hex'))

i = (i+2) % 0xFF

except:

break

def checksum(s):

ret = 1234

x = 0

for i in [x*4 for x in range(0, -(-len(s)//4))]:

ret ^= int(s[i:i+4].ljust(4, '\x00')[::-1].encode('hex'), 16)

ret = (1968 * ret) & 0xffffffff

return struct.pack('

def mkpkt(salt, usr, pwd, mac):

'''

struct _tagLoginPacket

{

struct _tagDrCOMHeader Header;

unsigned char PasswordMd5[MD5_LEN];

char Account[ACCOUNT_MAX_LEN];

unsigned char ControlCheckStatus;

unsigned char AdapterNum;

unsigned char MacAddrXORPasswordMD5[MAC_LEN];

unsigned char PasswordMd5_2[MD5_LEN];

unsigned char HostIpNum;

unsigned int HostIPList[HOST_MAX_IP_NUM];

unsigned char HalfMD5[8];

unsigned char DogFlag;

unsigned int unkown2;

struct _tagHostInfo HostInfo;

unsigned char ClientVerInfoAndInternetMode;

unsigned char DogVersion;

};

'''

data = '\x03\x01\x00' + chr(len(usr) + 20)

data += md5sum('\x03\x01' + salt + pwd)

data += usr.ljust(36, '\x00')

data += CONTROLCHECKSTATUS

data += ADAPTERNUM

data += dump(int(data[4:10].encode('hex'),16)^mac).rjust(6, '\x00') #mac xor md51

data += md5sum("\x01" + pwd + salt + '\x00' * 4) #md52

data += '\x01' # number of ip

data += ''.join([chr(int(i)) for i in host_ip.split('.')]) #x.x.x.x ->

data += '\00' * 4 #your ipaddress 2

data += '\00' * 4 #your ipaddress 3

data += '\00' * 4 #your ipaddress 4

data += md5sum(data + '\x14\x00\x07\x0B')[:8] #md53

data += IPDOG

data += '\x00'*4 # unknown2

'''

struct _tagOSVERSIONINFO

{

unsigned int OSVersionInfoSize;

unsigned int MajorVersion;

unsigned int MinorVersion;

unsigned int BuildNumber;

unsigned int PlatformID;

char ServicePack[128];

};

struct _tagHostInfo

{

char HostName[HOST_NAME_MAX_LEN];

unsigned int DNSIP1;

unsigned int DHCPServerIP;

unsigned int DNSIP2;

unsigned int WINSIP1;

unsigned int WINSIP2;

struct _tagDrCOM_OSVERSIONINFO OSVersion;

};

'''

data += host_name.ljust(32, '\x00') # _tagHostInfo.HostName

data += ''.join([chr(int(i)) for i in PRIMARY_DNS.split('.')]) # _tagHostInfo.DNSIP1

data += ''.join([chr(int(i)) for i in dhcp_server.split('.')]) # _tagHostInfo.DHCPServerIP

data += '\x00\x00\x00\x00' # _tagHostInfo.DNSIP2

data += '\x00' * 4 # _tagHostInfo.WINSIP1

data += '\x00' * 4 # _tagHostInfo.WINSIP2

data += '\x94\x00\x00\x00' # _tagHostInfo.OSVersion.OSVersionInfoSize

data += '\x05\x00\x00\x00' # _tagHostInfo.OSVersion.MajorVersion

data += '\x01\x00\x00\x00' # _tagHostInfo.OSVersion.MinorVersion

data += '\x28\x0A\x00\x00' # _tagHostInfo.OSVersion.BuildNumber

data += '\x02\x00\x00\x00' # _tagHostInfo.OSVersion.PlatformID

# _tagHostInfo.OSVersion.ServicePack

data += host_os.ljust(32, '\x00')

data += '\x00' * 96

# END OF _tagHostInfo

data += AUTH_VERSION

if ror_version:

'''

struct _tagLDAPAuth

{

unsigned char Code;

unsigned char PasswordLen;

unsigned char Password[MD5_LEN];

};

'''

data += '\x00' # _tagLDAPAuth.Code

data += chr(len(pwd)) # _tagLDAPAuth.PasswordLen

data += ror(md5sum('\x03\x01' + salt + pwd), pwd) # _tagLDAPAuth.Password

'''

struct _tagDrcomAuthExtData

{

unsigned char Code;

unsigned char Len;

unsigned long CRC;

unsigned short Option;

unsigned char AdapterAddress[MAC_LEN];

};

'''

data += '\x02' # _tagDrcomAuthExtData.Code

data += '\x0C' # _tagDrcomAuthExtData.Len

data += checksum(data + '\x01\x26\x07\x11\x00\x00' + dump(mac)) # _tagDrcomAuthExtData.CRC

data += '\x00\x00' # _tagDrcomAuthExtData.Option

data += dump(mac) # _tagDrcomAuthExtData.AdapterAddress

# END OF _tagDrcomAuthExtData

if ror_version:

data += '\x00' * (8 - len(pwd))

if len(pwd)%2:

data += '\x00'

else:

data += '\x00' # auto logout / default: False

data += '\x00' # broadcast mode / default : False

data += '\xE9\x13' #unknown, filled numbers randomly =w=

log('[mkpkt]',data.encode('hex'))

return data

def login(usr, pwd, svr):

global SALT

global AUTH_INFO

i = 0

timeoutcount = 0

while True:

salt = challenge(svr,time.time()+random.randint(0xF,0xFF))

SALT = salt

packet = mkpkt(salt, usr, pwd, mac)

log('[login] send',packet.encode('hex'))

s.sendto(packet, (svr, 61440))

log('[login] packet sent.')

try:

data, address = s.recvfrom(1024)

log('[login] recv',data.encode('hex'))

if address == (svr, 61440) :

if data[0] == '\x04':

log('[login] loged in')

AUTH_INFO = data[23:39]

break

else:

log('[login] login failed.')

if IS_TEST:

time.sleep(3)

else:

time.sleep(30)

continue

else:

if i >= 5 and UNLIMITED_RETRY == False :

log('[login] exception occured.')

sys.exit(1)

else:

i += 1

continue

except socket.timeout as e:

print(e)

log('[login] recv timeout.')

timeoutcount += 1

if timeoutcount >= 5:

log('[login] recv timeout exception occured 5 times.')

sys.exit(1)

else:

continue

log('[login] login sent')

#0.8 changed:

return data[23:39]

#return data[-22:-6]

def logout(usr, pwd, svr, mac, auth_info):

salt = challenge(svr, time.time()+random.randint(0xF, 0xFF))

if salt:

data = '\x06\x01\x00' + chr(len(usr) + 20)

data += md5sum('\x03\x01' + salt + pwd)

data += usr.ljust(36, '\x00')

data += CONTROLCHECKSTATUS

data += ADAPTERNUM

data += dump(int(data[4:10].encode('hex'),16)^mac).rjust(6, '\x00')

# data += '\x44\x72\x63\x6F' # Drco

data += auth_info

s.send(data)

data, address = s.recvfrom(1024)

if data[:1] == '\x04':

log('[logout_auth] logouted.')

def keep_alive1(salt,tail,pwd,svr):

if keep_alive1_mod:

res=''

while True:

s.sendto('\x07' + struct.pack('!B',int(time.time())%0xFF) + '\x08\x00\x01\x00\x00\x00', (svr, 61440))

log('[keep_alive1_challenge] keep_alive1_challenge packet sent.')

try:

res, address = s.recvfrom(1024)

log('[keep_alive1_challenge] recv', res.encode('hex'))

except:

log('[keep_alive1_challenge] timeout, retrying...')

continue

if address == (svr, 61440):

if res[0] == '\x07':

break

else:

raise ChallengeException

else:

continue

seed = res[8:12]

# encrypt_type = int(res[5].encode('hex'))

encrypt_type = struct.unpack('

crc = gen_crc(seed, encrypt_type)

data = '\xFF' + '\x00'*7 + seed + crc + tail + struct.pack('!H', int(time.time())%0xFFFF)

log('[keep_alive1] send', data.encode('hex'))

s.sendto(data, (svr, 61440))

while True:

res, address = s.recvfrom(1024)

if res[0] == '\x07':

break

else:

log('[keep-alive1]recv/not expected', res.encode('hex'))

log('[keep-alive1]recv', res.encode('hex'))

else:

foo = struct.pack('!H',int(time.time())%0xFFFF)

data = '\xff' + md5sum('\x03\x01'+salt+pwd) + '\x00\x00\x00'

data += tail

data += foo + '\x00\x00\x00\x00'

log('[keep_alive1] send',data.encode('hex'))

s.sendto(data, (svr, 61440))

while True:

data, address = s.recvfrom(1024)

if data[0] == '\x07':

break

else:

log('[keep-alive1]recv/not expected',data.encode('hex'))

log('[keep-alive1] recv', data.encode('hex'))

def empty_socket_buffer():

#empty buffer for some fucking schools

log('starting to empty socket buffer')

try:

while True:

data, address = s.recvfrom(1024)

log('recived sth unexpected',data.encode('hex'))

if s == '':

break

except:

# get exception means it has done.

log('exception in empty_socket_buffer')

pass

log('emptyed')

def daemon():

with open('/var/run/jludrcom.pid','w') as f:

f.write(str(os.getpid()))

def main():

if not IS_TEST:

daemon()

execfile(CONF, globals())

log("auth svr: " + server + "\nusername: " + username + "\npassword: " + password + "\nmac: " + str(hex(mac))[:-1])

log("bind ip: " + bind_ip)

while True:

try:

package_tail = login(username, password, server)

except LoginException:

continue

log('package_tail',package_tail.encode('hex'))

#keep_alive1 is fucking bullshit!

empty_socket_buffer()

keep_alive1(SALT,package_tail,password,server)

keep_alive2(SALT,package_tail,password,server)

if __name__ == "__main__":

main()

2.drcom_d_config.py 和 latest-wired.py 和 dr.pcapng 放入同一个文件夹中

3.在文件夹下运行命令python drcom_d_config.py > config.txt生成config.txt文件

4.用Notepad++打开config.txt（为避免不必要的麻烦，以下操作所有的文件全部用它）得到的内容是类似这样的：

server = "192.168.100.150"

username = ""

password = ""

host_name = "LIYUANYUAN"

host_os = "8089D"

host_ip = "10.30.22.17"

PRIMARY_DNS = "114.114.114.114"

dhcp_server = "0.0.0.0"

mac = 0xb888e3051680

CONTROLCHECKSTATUS = '\x20'

ADAPTERNUM = '\x01'

KEEP_ALIVE_VERSION = '\xdc\x02'

5.全选复制config.txt的所有内容，关闭，并把config.txt重命名为drcom.conf（不要忘记填写账号和密码）

6.测试是否可以使用，运行命令行python latest-wired.py ，看看能不能上网。可以的话，就说明抓包没错。

五、路由器配置

1.进入路由器管理后台，搜索dogcom，将两个插件安装

2.在网络里面会出现dogcom选项，将步骤四中解析到的drcom.conf的内容拷贝到配置文件里面，点击 保存应用，此时手机与电脑连接WiFi就不需要进行登陆认证