OpenWrt Forum Archive

Topic: Technicolor TG799vac Dumping Nand Flash ?

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

All of these hacks should be undone with a factory reset. None are permanent...

CRC wrote:

All of these hacks should be undone with a factory reset. None are permanent...

I accidentally installed an incompatible version of libc.
Which meant that if there were no backup ROM with the original firmware, the device would be essentially bricked. However, the firmware I have utilizes overlays of the FS to mask important parts of the OS.

So when I held down the reset for about 1 minute on a fresh boot, it rebooted three times, then went into "failsafe mode", where it ignored the broken overlay and booted a barebones version so I could put the original libc back.

Hey guys,
I've got an unbranded TG789vac v2 from Amazon UK (amazon.co.uk/Technicolor-TG789VAC-v2-Wireless-Router/dp/B072ZTXB9S) that seems to have pretty much all features (that I know of) unlocked, and I am using it in Switzerland with VDSL2 profile 17a; it's an Annex A device.
The only customization one can find on the packaging box is "UK version".

It has:
Software 16.2.7064-2201001-20160905124029
Bootloader Version 2.0.85
Hardware Version VANT-6

SSH is open to LAN but obviously doesn't accept the admin user's login with pw.

I guess quite a bunch of people would love to have my firmware for their devices, and I would love to have a regular OpenWrt on the device, or at least more control over it.
For example, I'd love to get rid of TR-069 permanently. Oh, and it would be nice to make the Wi-Fi behave a little less passively in terms of DFS / TPC.
I mean, heck, the neighbor's FritzBox 7390 is plastering through the wall on 5GHz at over 10dBm more than my Thompson that has line of sight to my client.

I'm confident I should manage to gain a root shell using the previously described exploit, though I did not try yet, but I have no idea how to dump the firmware in a manner that is reusable for others.
So maybe someone more experienced can assist? And I think at the very least we could compile some instructions for gaining more features that are locked by default.

It's not the only CPE I can use for Internet access, and since I'm doing smartphone board repair I've got no issues with unsoldering the flash if that is necessary and someone can explain how to dump it.

I wasn't aware there were any unbranded versions!

Any chance to get some screenshots of the UI?

Can you configure SIP accounts via the web interface etc?

EDIT: Oh wait, 789? or 799?

(Last edited by CRC on 29 Sep 2017, 03:47)

Hey Steve, yep, it's the 789, but apparently the only difference is that the 789 lacks DECT compared to the 799.
Thompson's support was also very bummed to learn they are out in the wild and can be bought by regular retail customers through Amazon. I had an interesting call with Thompson's UK support hotline. The guy promised to get back to me by mail if he finds something out, but I haven't heard back yet. He confirmed Thompson is very strict on this and deals only with ISPs, and the support guy said not even his department has access to firmware. The guy made a good impression though and, to my surprise, seemed to understand what he was talking about.

I'm in talks with my local ISP, who are 7 really nice guys, and they are considering offering the device to their customers, so that way I could get access to firmware. We'll see.

Anyway, here are screenshots; I tried to capture anything that might be interesting:
For fuck's sake, the forum won't let me post any URLs at all, no img, nothing.
Right, here you go: pste.eu/p/bsic.html

It's apparently the same firmware as the 799vac, as my version contains the DECT stuff as well. Besides that, I learned quite a bunch about Technicolor's custom OpenWrt implementation and now tend to like it.
I suggest comparing the binary blobs it has for the hardware to tell if there are real differences.

So for unlocking features in the GUI, see /etc/config/web; it's all in the roles. Just add your admin role to the config rule where it is missing and you'll see the feature. There are a couple of tiles/features I did not have in my version by default that were reserved for a user called "engineer", which I did not know existed.
This will also allow you to configure cwmp settings in the GUI.
Further, check the /www/docroot/ directory. Everything is self-explanatory. The .lp files in the root can be called directly from the browser with routerIP/file.lp. For example, see isp.lp. Customization features that are intended for ISPs are also fun. Everything seems self-explanatory and easy to modify / extend.

Pretty much all the settings one wants to change can be found in the /etc/config files or using the OpenWrt UCI interfaces.
The only real limitation I ran into is that these guys used a custom architecture for opkg and a custom repo source that does not exist on the Internet in that form. Therefore one cannot easily install additional software as-is.
My Technicolor firmware version 16.2, which their support referred to as "homeware", is built from downloads.openwrt.org/attitude_adjustment/12.09.1 according to the opkg repo URL.

So this is how the main Page looks for me now:
ibb.co/jtbOwG
ibb.co/ezcVbG

Just check the files in /www/docroot and you'll see how easy it is, for example, to replace the logo like I did with Nyan Cat.

But what really irritated me is that cwmp is enabled, including firmware upgrades, and is pointing towards a working ACS; I can't tell who it controls. As can be seen on the screenshots, the URL is http://nld-acs.com/, a domain registered by 1and1.co.uk with an IP owned by some provider called Entanet International Ltd. I can only assume that the ACS server is operated by Technicolor themselves, which I find unsettling to say the least. They also have this local user called engineer who has enough rights to log in through SSH, which is running by default but not accessible through WAN. Something that can easily be changed by means of cwmp (TR-069) remotely.

With my limited knowledge of OpenWrt, I still have the impression that the web interface and the framework Technicolor used / built here is prettier, easier to use and more straightforward from a frontend dev's perspective. I like it a lot!

Interesting work so far.

I have been trying to unlock some other tiles but no luck yet.
The extra tiles are:
/SIPConfig.lp
/contacts.lp
/CallLog.lp
/capability.lp
These are reserved for user "tvoice". I changed the list of roles for these to admin, but no extra tiles show up, and if you try to access them through the address bar, e.g. 10.0.0.138/SIPConfig.lp, it just shows a blank page.

Well, I'll post my web config. My impression is that tiles also only appear if the associated services are not completely disabled or the associated hardware absent; not sure about that. You might want to check the config files of the associated services. I don't see any other mechanism preventing tiles from showing up.
BTW, you can gain easy access to that hidden user by just creating it as a new user and setting the password for the user; it doesn't check if the user is already present and just sets a new password for it. I did this with the engineer user on my box and it worked. The user will still be hidden, but after setting the password you'll be able to log in with that particular user, given you have the original version of the web config with the role settings you had, of course. It seems to me passwords of GUI users are also just stored in the web config.

So that's my web config:
pastebin.com/aq4ptYdG

Sorry, I had to put it externally; the forum believes there are URLs in it, and it's not the Technicolor link.

In terms of bricking or screwing up the software by installing unsuitable stuff and so on: worry not!
They use overlayfs (just check mount) and overlay the whole root directory. Whatever gets changed is changed inside /overlay/bank_1/, and if you delete it from there, for example the whole /usr dir, and reboot the device, everything is back to original.
So when you reset the device, the contents of /dev/mtdblock2 obviously get wiped, which usually is mounted to /overlay and then overlaid as follows:
overlayfs:/overlay/bank_1 on / type overlayfs (rw,noatime,lowerdir=/,upperdir=/overlay/bank_1)

At least this applies to my version, and this again is very convenient; I don't know if regular OpenWrt uses such an approach.

I modified the opkg conf so I can install software in the following way:

root@dsldevice:~# cat /etc/opkg.conf
src/gz attitude_adjustment http://downloads.openwrt.org/attitude_adjustment/12.09.1/brcm63xx-tch/VANTF/packages
src/gz generic http://downloads.openwrt.org/attitude_adjustment/12.09/brcm63xx/generic/packages/
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
arch all 1
arch noarch 1
arch brcm63xx-tch 10
arch brcm63xx 300

I managed to install joe as an alternative to vi or vim and have it working, but for some reason neither nano nor wget will work after installing them with opkg. I suppose something is wrong with dependencies that are already present. nano and wget just silently quit and show no output at all.
wget is present through the busybox binary but has no SSL support; that's why I tried installing it with opkg.


So, is anyone willing to assist with dumping my unbranded firmware? I've got no idea how to do that, especially in such a way that it would be easily reusable/flashable for others.


Why the fuck is the string h ttp (without whitespace) forbidden and considered a forbidden link in this forum? Is this a joke?

If you run

strings /etc/cwmpd.db

there are URLs for firmware that can be downloaded.
Well, in my firmware there are.
I get http://fwstore.bdms.telstra.net/Technic … 510-RF.rbi

Also, when posting a URL, are you putting [ url ] [ /url ] (without white spaces) around your link?

I did this already in the beginning; unfortunately the cwmpd.db does not contain anything interesting in my case.
Before first provisioning it only has:
%3runtimevarBootStrappedhttp://nld-acs.com/-
+/VersionsSoftwareVersion16.2.7064-2201001

Afterwards, I enabled cwmpd again to see if I would get a firmware URL; it got some new fields, but they are empty.
I did change the firmware version in that sqlite file to see if it would then initiate something like an update, but to no avail. The approach led to a device freeze and reboot; afterwards the FW version was back to normal.
The ACS in total does very little and instructs the router to close the session after it has checked that there is no newer firmware for the device; that is my interpretation of the log entries.
Further, the ACS is operated by http://madesimpletechnology.com/, a SaaS provider for ACS services. I suppose the dealer providing the devices to the retail market keeps hold of them and FW upgrades them in this way, which I find very odd at best, if not legally questionable, since you as a customer buy a device from Amazon that is fully backdoored to an unknown third party and you as a customer can't even know about this. This is troubling!

I might try to tinker further with cwmpd and the ACS provided to me and somehow convince it to give me an FW upgrade URL, but I'm not very keen to do that right now. I believe dumping from flash seems more attractive.

Regarding the tiles in the UI, you seem to have a slightly different layout of files. When mentioning that they can be called directly in the browser, I was referring to the stuff in the docroot under /www/docroot and in the modals folder; did you check that location and look into the files that are located there? Given your filesystem layout and your uci web config, we could try to figure stuff out.

Anyway, I learned a bunch of further interesting stuff!
According to other forums, with some firmware versions it helps to add a debug flag to the URL like so:
http://router.ip/?debug=1 - this supposedly enables more features in the GUI. Maybe that does something for you.

Further, it turns out they use either the device's serial number or, as in my case, a so-called access key that is printed on the label on the router as the password to provide more sophisticated access with a special user.
In my case the built-in "engineer" user, which is originally the only one having SSH access, uses this "access key" as password and has limited shell access because, instead of /bin/ash, its shell is mapped to /usr/bin/restricted-clash. But this user has access to all features in the GUI.

Further, this user, in his limited special shell, has some interesting commands. Reading the output of dmesg that this user can call, I see the following:

[    0.765000] Technicolor nand flash translation layer initialized.
[    0.771000] flash mapping initialized, size=125 Mb
[    0.777000] parse_btab: num_banks (5)
[    0.781000] Creating 1 MTD partitions on "technicolor-nand-tl":
[    0.786000] 0x000002200000-0x000004e60000 : "rootfs"
[    0.794000] Creating 5 MTD partitions on "technicolor-nand-tl":
[    0.799000] 0x000000080000-0x000002000000 : "rootfs_data"
[    0.807000] 0x000002000000-0x000004e60000 : "bank_1"
[    0.814000] 0x000004e60000-0x000007cc0000 : "bank_2"
[    0.820000] 0x000000020000-0x000000040000 : "eripv2"
[    0.827000] 0x000000040000-0x000000080000 : "rawstorage"
[    0.834000] Creating 1 MTD partitions on "technicolor-nand-tl":
[    0.840000] 0x00000001fffd-0x000000020000 : "blversion"
[    0.851000] PPP generic driver version 2.4.2
[    0.855000] PPP BSD Compression module registered
[    0.860000] PPP Deflate Compression module registered
[    0.865000] NET: Registered protocol family 24
[    0.869000] brcmboard: brcm_board_init entry
[    0.874000] DYING GASP IRQ initialized 
[    0.878000] Serial: BCM63XX driver $Revision: 3.00 $
[    0.883000] Magic SysRq with Auxilliary trigger char enabled (type ^ h for list of supported commands)
[    0.893000] ttyS0 at MMIO 0xb0000180 (irq = 13) is a BCM63XX
[    0.900000] ttyS1 at MMIO 0xb00001a0 (irq = 42) is a BCM63XX
[    0.905000] Total # RxBds=1448
[    0.908000] bcmPktDmaBds_init: Broadcom Packet DMA BDs initialized

and a lot of other interesting stuff that should help to modify or customize firmware images for different board versions. I believe, given your driver blobs, they can be combined with another homeware version into a working system.
Further, this user can use a command called upgrade with option -s to switch flash banks to passive/active or -d to download an image and flash it directly.

Further, I found the shell scripts that do firmware upgrading / factory resetting, basically assembling the production filesystem. Besides, in my system, located in /etc/boards/, I got custom uci defaults and uci config files in these folders:
drwxr-xr-x    4 root     root          41 Aug  5  2016 VANT-4
drwxr-xr-x    1 root     root           0 Jan  1  1970 VANT-6
drwxr-xr-x    4 root     root          41 Aug  5  2016 VANT-7
drwxr-xr-x    4 root     root          41 Aug  5  2016 VANT-8
drwxr-xr-x    4 root     root          41 Aug  5  2016 VANT-D
drwxr-xr-x    4 root     root          41 Aug  5  2016 VANT-E
drwxr-xr-x    4 root     root          41 Aug  5  2016 VANT-F
drwxr-xr-x    4 root     root          41 Aug  5  2016 VANT-R
drwxr-xr-x    4 root     root          41 Aug  5  2016 VBNT-A

The scripts that do the flashing and such, and that I believe are the same ones called when engineer calls upgrade, are located in /lib/upgrade

So, is anyone with experience in flashing and NAND layout, or a basic understanding of how this whole process works, willing to help extract my FW?
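Before anyone trusts the offsets from that dmesg output for a bank dump or restore, it helps to parse them and sanity-check the layout. The following Python is an added example, not code from the thread or from Technicolor; it takes the thread's own MTD registration lines as a constructed sample, computes partition sizes, and checks that every range fits inside the 125 MB mapping (assumed to mean MiB), that bank_1 and bank_2 are the same size so a bank swap is symmetric, that rootfs lies inside bank_1, and that boundaries fall on an erase block (assumed 128 KiB; the page does not state the NAND geometry). The tiny, unaligned blversion partition is the edge case it is meant to flag.

```python
import re

# Constructed sample input: the MTD lines quoted from dmesg in the thread, plus the line giving the flash size.
SAMPLE_DMESG = """\
[    0.771000] flash mapping initialized, size=125 Mb
[    0.781000] Creating 1 MTD partitions on "technicolor-nand-tl":
[    0.786000] 0x000002200000-0x000004e60000 : "rootfs"
[    0.794000] Creating 5 MTD partitions on "technicolor-nand-tl":
[    0.799000] 0x000000080000-0x000002000000 : "rootfs_data"
[    0.807000] 0x000002000000-0x000004e60000 : "bank_1"
[    0.814000] 0x000004e60000-0x000007cc0000 : "bank_2"
[    0.820000] 0x000000020000-0x000000040000 : "eripv2"
[    0.827000] 0x000000040000-0x000000080000 : "rawstorage"
[    0.834000] Creating 1 MTD partitions on "technicolor-nand-tl":
[    0.840000] 0x00000001fffd-0x000000020000 : "blversion"
"""

PART_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')
SIZE_RE = re.compile(r'flash mapping initialized, size=(\d+) Mb')
ERASE_BLOCK = 0x20000  # assumption: 128 KiB erase blocks; the thread does not give the NAND geometry

def parse_mtd(text):
    """Return (flash_size_bytes, [(name, start, end), ...]) in registration order."""
    size, parts = None, []
    for line in text.splitlines():
        m = SIZE_RE.search(line)
        if m:  # "125 Mb" is read as MiB (assumption)
            size = int(m.group(1)) * 1024 * 1024
            continue
        m = PART_RE.search(line)
        if m:
            parts.append((m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return size, parts

def partition_sizes(parts):
    """Map each partition name to its length in bytes (what a dump of it should yield)."""
    return {name: end - start for name, start, end in parts}

def check_layout(size, parts):
    """Sanity checks to run before trusting these offsets for a dump or restore."""
    findings = []
    by_name = {name: (start, end) for name, start, end in parts}
    for name, start, end in parts:
        if end <= start or end > size:
            findings.append(f"{name}: 0x{start:x}-0x{end:x} is empty or beyond the flash size")
        if start % ERASE_BLOCK or end % ERASE_BLOCK:
            findings.append(f"{name}: boundaries not aligned to the 0x{ERASE_BLOCK:x} erase block")
    b1, b2 = by_name["bank_1"], by_name["bank_2"]
    if b1[1] - b1[0] != b2[1] - b2[0]:
        findings.append("bank_1 and bank_2 differ in size; a bank swap may not be safe")
    r = by_name["rootfs"]
    if not (b1[0] <= r[0] and r[1] <= b1[1]):
        findings.append("rootfs is not contained in bank_1")
    return findings
```

On this layout the only finding is blversion, whose 3-byte range starts at 0x1fffd and so cannot be handled as a whole erase block.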

I have managed to get some extra tiles now by adding to /etc/config/web, but out of the 10 or so extra modals I added only 6 have shown up; all the modals I have added exist in /www/docroot/modals/
https://drive.google.com/open?id=0B7ln9 … VlfbkVoY0k These are the tiles I have so far
https://drive.google.com/open?id=0B7ln9 … 2xwRnF1bDg This is the system extras tile that allows putting the modem into LAN bootp mode.
https://drive.google.com/open?id=0B7ln9 … 0l4c3JKeUE I now also have direct access to disable the cwmp client.

I just got the same router here in Sweden from Telia running version 15.3. It seems that most of my tiles are unlocked and I was able to set it up as a dumb AP using some instructions I found around. If anyone needs my /etc/network file I can share it. My question is about opkg: it seems that mine is using a normal version but the source location for packages doesn't seem to exist anymore. My opkg.conf has this

downloads.openwrt.org/attitude_adjustment/12.09/brcm63xx/generic/packages

But whenever I try to do anything in opkg I get the error

[packageName] has no valid architecture, ignoring

My thought is that I might be able to make the router a bit more generic if I can install normal packages. That, and I want nano because I find vim impossible to use.

(Last edited by robbz23 on 9 Dec 2017, 10:46)

I have got a TG799vacXTREAM from Telenor/Bredbandsbolaget in Sweden. The software version is 15.4 (Crimson) and the hardware version is VANT-W, which is a dual core ARMv7 Processor rev 1 (Cortex A9).

I have installed LEDE 17.01.4 on a USB stick and am using chroot to run opkg and try out some packages. I built the root file system using the bcm53xx imagebuilder since it's the same architecture (ARM Cortex A9). (When using imagebuilder the root file system is located in build_dir/target-arm_cortex-a9_musl-1.1.16_eabi/root-bcm53xx/ after the image build completes.)

Unfortunately the TG799vacXTREAM kernel doesn't support tun/tap, which means VPN is not possible unless somebody is able to compile modules for the kernel. I have tried, but inserting the module caused the kernel to crash and the unit to reboot. The router also reboots if there is a segmentation fault in a user space program.

EDIT: Reboots after coredumps can be disabled:

uci set system.@coredump[0].reboot='0'
uci commit system

(Last edited by mikma on 12 Dec 2017, 05:30)

mikma wrote:

I have installed LEDE 17.01.4 on a USB stick and am using chroot to run opkg and try out some packages. I built the root file system using the bcm53xx imagebuilder since it's the same architecture (ARM Cortex A9). (When using imagebuilder the root file system is located in build_dir/target-arm_cortex-a9_musl-1.1.16_eabi/root-bcm53xx/ after the image build completes.)

Thanks for the info!

The discussion might have continued from here.