iSpot Unrestricted 2.0

This post has been in the making for over 4 months, and it’s finally able to see the light of day. The vulnerability I found has finally been disclosed and posted over at http://seclists.org/fulldisclosure/2010/Dec/213 it details the vulnerability and some of it’s uses. I was hoping to have the custom firmware finished by then with this patched, but at this time it’s still a ways away.

Before the iSpot required you to upload a firmware or config file to the device in order to remove the restrictions. However, now all you need to do is point your browser to a specific URL and it does all the work for you. The only 2 things you need to do is one, make sure you are currently connected to your iSpot with a valid service plan. And second, ensure that it has the default IP as 192.168.1.1. The best part about this new way to remove the restriction is that it works on ALL current iSpot firmwares.

If you don’t know how to check that the IP is 192.168.1.1, then you most likely already have it at 192.168.1.1. But if not, it’s just easier to do a Factory Reset (hold the power button for over 30 seconds, and let go).  Once you meet those 2 requirements, head on over to http://ispotunrestricted.com/2.0/. Once there, you just need to wait until the device restarts and it should be all ready to go.

If you have problems and you meet the 2 above requirements, the other page will have a few more steps you can do if you’re having issues. Happy unrestricting!

http://ispotunrestricted.com/2.0/

106 Comments

  • Anonymous Dude wrote:

    Will this work on the newest firmware, or do you still need to be on the August 2010 version?

  • Yes, as mentioned in the post it works with ALL current firmwares.

  • So just to be clear, I will now be able to use any device I want with this hack. Such as windows phone, macbook, etc etc….without having to mess with the mac addreses of the devices?

    Thanks for your hard work!

  • Yep, that is correct.

  • Doesn’t work for me at all. I did the two steps and when it rebooted, nothing changed. Same the same restrictions as before.

  • Looking into this now. Will email you if I make changes.

  • This vulnerability seems to makes the iSpot completely insecure. Every page I visit can take full control over my iSpot. The only way I see to mitigate this issue is to change the iSpot IP address to some random 10.x.x.x address.

  • Not even that is really enough, the device can be accessed by going to “http://ispot” when on it, so the attacker would just need to know that. I’m working as fast as I can to get the fix out to prevent this from working on newer firmwares, however much testing is needed.

  • Awesome newz. So I guess I’m gonna buy my ispot tomorrow n will let u know if it works! I hope Clearwire dot roll OTA overnight :( to patch this.

  • Once I do this I cant use the iSpot at all. I start getting self-assigned IP’s. The iSpot is green, shows its getting 4g and has wifi…but nothing can connect to it properly. I have tried this 3 times now.

  • Do a full reset “hold the power for 30+ seconds”. And try again. The script had an issue earlier.

  • Will this hack prevent Clear’s OTA and ruins the ability to connect to any devices?

  • Not sure what you mean by “ruins the ability” but it does disable the OTA updates like the previous jailbreaks and it allows all devices to connect.

  • When will you make the new firmware?

  • Honestly, I could release something tomorrow but would I want to? No. I need to test everything and make sure I don’t miss anything cause if I release a firmware that messes with the device, it’s going to be a lot harder for normal people to fix.

    Right now the safest thing is to just use the 2.0 hack and if you have issues, do a full reset. I’m not editing any files that the system replaces when you do that for a reason. I could make it so that it’s always “unrestricted” but it can cause more issues if I don’t account for something. I’ll try to get it out soon, but testing takes time.

  • Jaku,

    Is the 2.0 hack essentially an automated method of making the same changes as the 1.0 method on the old firmware? Does it do anything different?

    Finally are there any real advantages or disadvantages to do this method over the old firmware downgrade and config restore (other than this being much easier?)

    Thanks again.

  • David,

    Yes, it is essentially the same thing. It’s just a bit easier to do. No real disadvantages or advantages to doing one over the other.

  • Hey Jaku. My iSpot is not restricted at all and it came out of the box like that.

  • Bash,

    Are you using a Windows laptop or Apple? Many apple laptops will work without this. But if you are using a windows PC, I would like to take a look at your iSpot if possible.

  • Hi
    I would like to know by using this jailbreak, will my ispot be open to hackers to hack my device? Whats the potential risk? Also If I want to reverse the process, do I just do the factory rest and it will go back to normal restricted device? thanks

  • Luc,

    The iSpot is already “open” to hackers. All I am merely doing is using this attack vector to enable some extra features of the iSpot. A factory reset will take you back to the normal restrictions, but will still be vulnerable to the attack.

  • deadbears wrote:

    i don’t have any mac based devices, can i spoof my mac address in windows and then connect to the ispot so that i can preform the unrestriction, otherwise i see no way around it.

  • Deadbears,

    Yes you could spoof your MAC to do it. However you should be able to connect to the admin page from any device, so you could load up the 2.0 page first, then connect to the iSpot and click the links.

  • How do you downgrade the firmware if you need to send the device back to Clear?

  • LEI,

    You can hold the power button for over 30 seconds to do a factory restore, that will wipe any settings that cause it to unrestricted. Because I haven’t released any custom firmwares yet, this is the best and easiest way.

  • I’m thinking of getting the iSpot for my PC laptop. With this hack will WPA or WPA2 still work? Also, will these measures be effective in preventing the iSpot being easily hacked if I don’t visit poisoned sites? Thanks.

  • I’m not sure what you’re asking about for the first question. I am working on measures to prevent the iSpot from being hacked by visiting poisoned sites but don’t have anything for release yet.

  • I just want to say that I applaud your quick response times. Thank you sir for your work. I purchased one today.

  • So do you need to use a device that’s allowed on the iSpot (iPad, etc.) in order to jailbreak it?

  • Hi Jaku, When I bought it, I was under the assumption that it was MAC locked. However I have connected a 2008 MBP, Gateway NV series, new 17inch MBP, new iMac, Asus 1101ha and a Droid. So, I searched and thats when I found your site. It is using the current firmware image from Clear’s site (which I have a copy of). Please drop an email and we will touch base.

  • I’ve answered this on the site a few times, please read some of the other comments for your answer.

  • It looks like the link is broken? i get an error when connected to my ispot and trying to unlock? ” Connecting to ispotunrestricted.com (67.213.218.3:80) wget: server returned error: HTTP/1.1 307 Temporary Redirect ”

    Any ideas/suggestions?

  • Smoke,

    That is odd, you shouldn’t get the error unless the iSpot doesn’t have internet access.

  • Hi. I just got the iSpot with Aug 15 firmware and I’ve been trying to jailbreak it. I see the Clear logo and I click on it from my iPhone 3gs and get the second screen, but nothing after that.

    Am I doing something wrong or do I just need to wait? If so, how long should it take cause I’ve been on the same screen for over 30 mins.

  • Hpak,

    Please re-read the page. It mentions what you should see if it was successful. You just need to go back a page and read the next steps.

  • i cant get this hack to work. clicking on the link brings me to clears error page. the IP is also 192.168.1.1
    I don’t need to do this from a mac, do i?

  • Got the iSpot today 12/17
    Looked at my iSpot settings via IPhone:
    IP address: 192.168.1.10
    Router address: 192.168.1.1

    Instructions say IP should be 192.168.1.1 – not the router ?

    Will this go or have they changed some settings?

  • Dr. Phil,

    Those settings are correct. Just move on over to http://ispotunrestricted.com/2.0/ and follow the steps there.

  • Hi Jaku,
    Great job here. But I’m having some problem. After clicking the logo I’m getting: Connecting to ispotunrestricted.com (67.213.218.3:80) wget: server returned error: HTTP/1.1 307 Temporary Redirect. Is this normal?

  • Allen,

    That’s not normal but it sounds like the iSpot might of lost it’s internet connection when you clicked the link.

  • how do i now logon as admin? admin and the O#81…. password?

  • Manny,

    That password is for the super page not admin, the admin page is username and password is admin/admin.

  • This is Leon again. Sorry that my first question wasn’t clear enough. I just wanted to know with the hack will the WiFi security (WPA etc.) still work, or it will be wide open with no security at all. Thanks again.

  • Leon,

    Yes, all the wifi security settings will stay intact.

  • god that was simple. thank you thank you thank you.

    can this all be undone?

  • samkim,

    Yes, just hold the power button for 30 seconds to do a full reset and it will go back to normal settings.

  • Well… This is strange.
    I was reluctant to jump to the site because of my IP address numbers so I did not and waited for your reply.

    My Ispot is on it’s second day of connecting to everything out of the box!
    Windows 7 laptop and my ROKU.
    I have seen other post that stated out of the box connections to non apple devices.
    Should I still go to the site?
    Would it keep future -clear- updates away?

  • Without disabling the OTA updates by “unrestricting” the iSpot Clear could potentially push an update to fix this. They might be shipping them unrestricted while they work on the new firmware to keep new customers from complaining. But that’s just speculation.

  • Quick question on tethering – I have tethering enabled on the iSpot but on Windows 7 when I plug in the unit to the USB I get an unrecognized device. I’ve installed the RNDISInst.exe file, but still no recognition. It says it’s installing the drivers but when I plug in the unit I still get an unrecognized device. Is there a drive someone can please steer me to?

    HELP!!! Thanks!

  • It’s me,

    No idea on why Windows 7 wouldn’t work. I don’t really use windows so I can’t help to much, but I’d look for the “ClearSpot Tether Drivers” as it’s the same device with tethering part of the plan.

  • I’ve got a couple of questions – I just got an iSpot thanks to the $20 deal last week. Running 1.9.9.4.

    1) When I try to go to the /super page, I use the password built for me (O#81xxxx). I’ve tried leaving the username blank, using the username “admin”, username “super”, and none of them seem to work. Any suggestions? My last 4 of my MAC has a letter in it, and I’ve tried upper and lower case to no success.

    2) When I telnet in, the user/pw combo listed on the page doesn’t seem to work right. I’m entering the proper case.

    It does look like the MAC unlock took, as my Nook is able to get online now.

    jaku, feel free to e-mail me off thread if you don’t want to clutter the comments.

    Thanks!

  • Ben,

    1) It’s either super/super or super/0#81**** with **** the lowercase of your last 4 MAC digits.
    2) Make sure you clicked the first link to “unrestrict it”. It’s the only script that adds the user as well.

  • I’m not sure I understand the instructions. How can I go to the http://ispotunrestricted.com/2.0/ page from my laptop that is connected to the iSpot when the iSpot is restricting use to connect to the Internet at all? Do I need an Apple device first?

  • Marvin,

    If you don’t have an iDevice you have do one of the following.

    1) Find a friend with an iDevice.
    2) Spoof your MAC once on your machine and connect, and unrestrict.
    3) Goto the site first, then connect to the iSpot and click the links.

  • Where can I find the USB tethering driver. I cant access 192.168.1.1/html/rndis.html from the windows computer as I only have an iPhone

  • I am considering getting one of these- I have mostly apple stuff anyway, but was wondering- when jailbroken, will this let a Wii connect to it? My family loves watching Netflix on the wii. Thanks for all of your hard work on this!

  • Yes, all devices will be able to connect after this. I don’t know how well it will be on Netflix but it shouldn’t be to bad.

  • must50302 wrote:

    hi, great job thank you!!! what is the super user username. i have tried super and my password and it did not work,any help would be great!!

  • Must,

    Try username super, and password super. Otherwise re-read the page and make sure you type the last 4 MAC digits in lowercase.

  • Hello Jaku, I’m very amazed with your work.

    My iSpot is behaving like some others: It’s able to connect to 2 windows 7 laptops, a homebuilt windows 7 desktop, and a Wii. I would like to unrestrict it to prevent OTA Updates, but I am worried about voiding my warranty. I know it’s simple to just restore to remove your hack.

    I just want to be safe about my investment

  • Adam,

    Just to be on the safe side, your iSpot is white right?

    Either way, a full reset (hold power for 30+ seconds) will wipe out any changes made by my script.

  • like bash and dr phil, mine seems to be connecting to everything, out of the box. connected thru a macbook but could not get your 2.0 to work – no Clear logo, error if I clicked it anyways. discovered it was already unlocked when my android phone noted a new wi-fi network available… any thoughts on why 2.0 wont work?

  • Unless I get remote access or hands on with one of the iSpots that isn’t restricting access I’d have no idea.

  • I want to unlock the device using your page:

    http://ispotunrestricted.com/2.0/

    Do I have to start with an iphone (which I don’t own), or can I unlock it by connecting my laptop to the ispot’s wifi, then pointing my laptop to your web page?

  • Neil,

    You don’t need an iPhone or iDevice but it does make it easier, if you have a friend that has one have them help. Otherwise load the page on your laptop first, then connect to the iSpot and try, (this works some of the time).

  • Connecting to ispotunrestricted.com (67.213.218.3:80) wget: server returned error: HTTP/1.1 307 Temporary Redirect

  • Jay,

    Make sure your iSpot is online and you have a valid account with Clearwire.

  • Jaku,

    Thanks for the followup – I was able to resolve my issues:

    1) The telnet password you have on the page is wrong – it’s iSp0t, not iSpot. I downloaded the conf file and saw the comment there.
    2) I was still never able to get the password right for the super page, but I knew the admin password, so I just copied the hash into the super.htaccess

  • Ben,

    You are sorta right. The website actually apparently has an issue with showing zeros, if you copy and paste the password on the site the O will magically turn to a zero. Never seen that before. I will look into it.

  • After jailbreaking my iSpot, this is what happened:

    Dec. 20th:
    Got my iSpot 4G. I got speed in NYC around 3 Mbps down and 1.5 up. Signal is 3-4 bar from the admin page. Tested this for about 4 hours. Signal light is GREEN.

    Dec. 21st:
    Same location, same spot (on my desk). Now I got speed around 0.25 Mbps. Signal is suddenly 2-3 bars. I tried this throughout the day, same result. Signal light is YELLOW.

    Furthermore, in the same area, I sometimes LOST THE SIGNAL completely, with the signal light blinking red.

    Is this a defective device OR caused by the jailbreaking OR one of Clear’s tower in my area fell down?

  • Chuck,

    The changes that the jailbreak does basically turns the iSpot into a Clearspot. So it wouldn’t be the software. I wouldn’t even say a tower fell, but instead I would consider this:

    Thousands of people bought an iSpots, Clearspots and other Clearwire devices this past week due to the sale, it is certainly possible that more people received and activated their accounts on the 21st and thus less bandwidth was available for everyone.

  • Do you have step by step instructions on how to change the DNS address to Open DNS? if this is possible?

  • Was able to do it finally…
    just download this file:

    http://ispotunrestricted.com/aug5-downgrade.bin

    then connect to your ispot with any device and point your browser to http://ispot

    this will take you to the admin panel for the device where you can update your firmware. from here, upgrade your firmware with the file that you just downloaded. this effectively “downgrades” your firmware to the old version which has the ability to upload “configuration files” which brings me to the last step.

    download this file now: http://ispotunrestricted.com/cfg20100706175832.bin

    finally, go back to the control panel for your ispot (http://ispot) and upload the config file that you just downloaded!

    keep in mind that the easiest way to do this is to first download the two files (the old firmware and the new config file) first while you are connected to your old internet connection. then, connect to the ispot which will only allow you to go to http://ispot (because all other internet access is prohibited with non apple devices) and upload the files accordingly.

    Rebooting everything twice in process.
    Final trick was I had to keep signing in over and over at Clear then go thru account set up process until it believed me.

    THANK YOU SO MUCH !!!!

  • Jay,

    Any reason you did this the old way and not with 2.0?

  • jaku, just wanted to say thank you. i was here back in aug when u first started jailbreaking the ispot. i didn’t have a chance to firmware jailbreak it, but your recent post of website jailbreak is absolutely fantastic. thank you again and keep up the good work.

  • It absolutely refused to take 2.0 kept getting the same server returned error.
    But again clear made me sign in 3 times.
    Even after I had an account set up. It would say password was wrong, I would start over then it would accept it. Finally made it to the final clear page and it worked. So it is a mystery to me why 2.0 kept getting server returned error.

  • Jaku, I just wanted to say thank you as well. You should really put a paypal donate link on this site.

  • Worked like a charm!!! You are truly the best. 2.0 went perfectly. Just followed the three steps outlined and rebooted. Woohoo!!! :)

  • Has anyone found the issue in using USB tether mode on windows 7? I keep getting driver failed or unrecognized device.

  • jaku, now that i have USB tethering activated, is there a way to turn off ispot’s wireless capabilities? since i only use it for one pc at a time, I don’t want it wasting battery/resources transmitting wireless signals that i don’t use. i just need usb tethering (also a lot safer since no one can see the wireless signals). thanks 4 any info

  • John,

    You can disable the wifi. If you have telnet enabled you can edit the file in /etc/rndis.conf change the no at the bottom to yes. Otherwise you can click this link to download the updated file to disable wifi. Please note that a reboot will be needed for it to start working.

    http://ispot/cgi-bin/webmain.cgi?act=act_cmd_result&cmd=wget%20http://ispotunrestricted.com/rndis.conf%20-O%20/system/etc/rndis.conf

  • Anyone tethering with Windows 7? iSpot works fine via wireless, but doesn’t even show up in Device Mgr when tethered. I have a “normal” Clear hotspot that works tethered, so, unless the drivers are different, I don’t think the USB-tethered config is working…

  • Max,

    I know on the OS X side that detecting more than 1 iSpot with tethered USB can be a bit strange but am not sure about Windows. It should certainly be working, and you can confirm by checking your /etc/board.conf file on the iSpot. It should have ENABLE_RNDIS=1 if it is enabled. The iSpot does need to be restarted but that’s about it.

  • Clear is no longer selling the iSpot on their website. I tried to order one on 12/27 online, had a problem processing the order and called customer service. They confirmed that the iSpot would no longer be sold.

    Thankfully I was able to buy the last remaining one from a physical store that night. When I logged on to clear.com on 12/28, all mentions of the iSpot, and the $25 plan were completely gone!

  • What are the implications of this? If someone figures out the same loophole that you did, they can embed the hack into their website and hack into anyone with an ispot who visits their site right? Clear needs to patch this vulnerability soon.

  • Just received my ispot today – when trying to use your utility by clicking on the clear icon, I get an Error: Invalid Argument back (using the ipad).
    When I try to upload the old firmware and do it the manual way, I get an error that says “You cannot upgrade to an older version.” – Any ideas?
    Software Version 2.0.0.0 [R2209 (Dec 7 2010 16:08:55)]
    Firmware Version 1.9.9.4
    Device MAC Address 00:1E:31:*:*:*
    Current Time/Date 12-30-2010 / 19:49:15

  • Rob,

    I just replied to your email. But it appears you have a newer firmware that hasn’t been released to the public yet. This is very interesting, but it is still hackable. The firmware I have that downgrades isn’t the “newest” version compared to the one you have. I should be able to fix this with a quick update however I’d much rather keep your firmware the same as it’s a new “version”.

    As for the 2nd part, it sounds like they removed wget from the firmware. Which is really not the right way to do things. If you can try the reboot link and that works, then that is exactly what happened. So it’s still 100% hackable, just in a different way and so I will need some more information from you.

  • Hey Jaku,

    I tossed up a fix (or atleast a mitigation) for the seclists open issue on the iSpot. You may want to update your site to include it (Or even update your lan.conf to do this.) You seem like the best place for this info.

    You can check my post here on it:
    http://slickdeals.net/forums/showpost.php?p=35895917&postcount=436

    Let me know if you have any questions or concerns about this approach. Thanks!

  • Jon,

    Nice work, just tested it and it seems to do the trick. One thing though, with the new firmware that I tested today, Dec 7th from Clearwire they removed the ability to run most commands this way. However, they left a few things that would still make people vulnerable, so this will help a lot. I will re-host the thttpd.conf file on my site just because not all users will trust an external link. Do you have a website that I can link to and give you credit?

  • I just bought one of the ispot and it will not connect my iphone or ipad. Actually I am able to connect to device but cannot get on internet keeps saying unsupported device. Clear’s tech support says my devices mac addresses are not supported. Is there a way to unrestricted it via USB?

  • Nope, can’t unrestrict though USB.

    You will need to change your MAC address on your computer to a supported one and then unrestrict it.

  • Sounds good Jaku – feel free to host it here I know most iSpot users end up here eventually so figured it was a better place for it ;)

    No need for a link or anything. If you opened the seclists issue you can update there as well for a workaround.

    Do you have the new firmware? I haven’t seen it yet – but the old one is pretty sloppy – I’m running basically a custom firmware now and added a bunch of development and debug tools. If you have any other things you are trying to do or ideas lemme know!

    Happy new years,
    -Jon

  • Great. I’ll be updating the site in the next 24 hours or so with the update.

    What kind of development tools did you put on there? Have you gotten cross compiling working?

  • Hmm…I fired up my iSpot after a week or so of non-use, and it had somehow reset itself back to default settings (SSID had the last 3 of the MAC in it again).

    Now, you can’t access your /2.0/ page while connected to the iSpot, although the rest of your site is available. I was able to re-unrestrict mine via the old downgrade method, though, so I seem to be back in business for now.

  • So, I didn’t use my iSpot much over the holidays, and turned it on this morning to find it had somehow reset to defaults, including MAC restrictions. Clear appears to now be blocking access to your /2.0/ page, although the remainder of the site remains accessible.

    I was able to unrestrict using the old downgrade method, however, so my Nook Color is back in business.

  • i’ve activated the usb tethering option but it doesn’t recognize the device in windows 7 and requires a driver to be installed, where can one download the driver for the device so it can be used in tether mode, otherwise tether mode is useless with out the driver.

  • Instead of connecting everything I have wirelessly to the iSpot I’d prefer to retain my router, for Gigabit file transfers between clients.

    Does anyone know if there’s a way to use iSpot with a home router in bridge mode? And if so, what would the router’s requirements be? Thanks.

  • George Plympton wrote:

    Buddie’s ispot got new firmware pushed to it last night, now Macbook can’t surf – he didn’t hack it (Didn’t read the thread, I didn’t specifically say he had to – oops for him!). Trying to talk someone into Spoofing a MAC over the phone… painful (didn’t work yet, dunno why)

  • the store by my house has a bunch of these iSpots still in stock. I assume they come with the latest & greatest firmware.

    Does this hack still work or not? I have read all the comments, and am not clear on what the current situation is. Please advise.

    Thanks

  • They shouldn’t come with the latest, I only know of 1 that came with the Dec 7th firmware and that seems more like a fluke. It was in New Jersey, so if you’re anywhere else you should be ok, and can still unrestrict it.

  • hi, i have a windows xp laptop, i connected to my ispot, and i get the following when i go to your 2.0 web link:
    “Connecting to ispotunrestricted.com (67.213.218.3:80) wget: server returned error: HTTP/1.1 307 Temporary Redirect”

    any ideas? i see a couple of people had a similar issue but what is the solution?

  • jaku,

    I ran the ispotunrestricted.com/2.0 from your website (with no errors) and restarted the ispot per the directions. Unfortunately, I am not able to connect from a non-iOS device. Should I be using wpa and the password on the bottom of the ispot?

  • i have an unrestricted ispot that i purchased that way. everything is fine except it is unsecured. im trying to get the network connection secured through wpa2 but it won’t take it. anyone can help? thanks

  • Martib wrote:

    How cab i grt my imac to usw my ispot?
    Thanks,
    Martin

  • Agent86 wrote:

    Hello, what is the latest concerning ispotunrestricted , does it work with the lastest ispot firmware or not? Thank-you

  • Please check the forum for any questions about the latest firmware.

Post a Comment

Your email is never shared. Required fields are marked *