Hacking the Technicolor TG799vac (and unlocking features!)

NOTE: This guide is probably not going to be updated and it will remain here as an archive. Current / new updates are published on the Whirlpool Wiki.

Check the Basics or more advanced topics.


Archived content follows:

The basics

The TG799vac, known more commonly in Australia as the “Telstra Gateway Max”, is a very capable piece of equipment. It has 802.11ac, a VDSL / ADSL2 modem (meaning NBN FTTN compatibility), a DECT base station, 2 x FXS ports for analogue phones, and an FXO port. It is known for getting high sync speeds on VDSL2, has a high quality internal PCB and power supply, and its power consumption is quite good at 12 watts with WiFi on (typical router config) and 9 watts with WiFi off (typical bridge mode config). The newer versions of this device are the TG800 “Telstra Gateway Max 2” and DJN2103 “Telstra Gateway Frontier”; most of the following also applies to them, provided the device has a firmware version low enough, or can still be downgraded to one.

They are provided directly to Telstra – and as such, have Telstra branded firmware. There is no ‘generic’ firmware available that will just give you access to the modem as with any other device you would purchase. Personally, I think this kind of sucks – if you decide to use this device with anyone other than Telstra, you lose access to the VoIP functionality, DECT base station and FXO port. That was the motivation to get into this device and re-enable as many features as possible.

By default, the IP address of the modem will be 10.0.0.138.

This guide is the “new version” which uses the flashing tool developed by Mark Smith as well as the input from the Whirlpool community to enable as many features as possible.

To use this guide you must be on firmware 17.2.0188-820-RA or lower (there are reports that the 17.2.0188-820-RB variant has the web flashing functionality disabled) or be able to downgrade to it.

What you will need to proceed:

  1. The AutoFlashGUI tool. This is compiled for Windows, but if you have Python 3 installed see the instructions at the top of source\autoflashgui.py for installing missing modules so you can run this on any OS (the latest version will ask to install missing modules, but if it fails you may have to install them manually). Make sure you can run this tool and load the GUI up before you go offline!
  2. The v16.3 firmware rbi for your modem.
  3. The v17.2.0188-820-RA rbi file for your modem (If you flash to anything newer you may lock yourself out of the modem permanently).
  4. A SSH client. The famous Putty SSH client is recommended on Windows.
  5. A copy of this web page for reference while you’re offline.
  6. Physical access to the modem so you can power cycle it and unplug the WAN/DSL while you’re going through this process.
  7. A ‘happy’ modem! If it’s in bridge mode or half the tiles are missing on the screen (which seems to be caused by corrupted config), factory reset it first.

The basic steps to getting root access to firmware v17.2 on your modem

These instructions refer to the TG799, so if you are doing this for a different modem be sure to use the correct file names for the firmware.

Run up the AutoFlashGUI tool and flash vant-f_CRF683-17.2.188-820-RA.rbi to your modem.

This will take about 3-4 minutes. The flasher will try to root your modem but it will fail (silently) – this is expected. If the flash fails to push the firmware in, try again (are the username and password correct?), and if it still fails with some permission error in the console, you may have been locked out of flashing via the web interface: bad luck. Maybe a PXE firmware load can help, but you need good luck at this point. Ask for help in the Whirlpool thread! (Note that firmware before v15.x may require some manual work; see ‘My firmware is so old that AutoFlashGUI can’t authenticate to the modem!’)

Now use AutoFlashGUI to flash in vant-f_CRF687-16.3.7567-660-RG.rbi and allow it to run through including getting root.

At this point we are ready to do the procedure to activate root on 17.2 and switch over to it. This procedure works by allowing us to mod the inactive (but newer) image’s file system and config, then switch back to it without doing a factory reset or official upgrade. Note that if you factory reset while on 17.2 you will need to run the entire procedure from where you flashed v16.3 to get root back, and it could upgrade and lock you out permanently in that reset state if it has internet access!

Fire up your SSH client and connect to the modem on port 22.

Have a look at your current modem state. It should look something like this:

# find /proc/banktable -type f -print -exec cat {} ';'
/proc/banktable/notbootedoid
59b21e26bc549719f7f1bedd
/proc/banktable/bootedoid
5940db6a20338215a4c97c89
/proc/banktable/passiveversion
17.2.0188-7021004-20170908063550-00f42f11f9c253e3f1001b1558043e970a3d9b5d
/proc/banktable/activeversion
16.3.7567-2521030-20170614084458-887a8c777ed8527277d7137ed9149816c889cf1d
/proc/banktable/inactive
bank_2
/proc/banktable/active
bank_1
/proc/banktable/notbooted
bank_2
/proc/banktable/booted
bank_1

These modems use two flash partitions (bank_1 and bank_2) which can be upgraded/used almost independently. They are digital-signature verified before boot so you can’t edit the rom image in the flash. The config is stored in the matching folder in /overlay i.e. /overlay/bank_2 (hint: you can see your modified config files in here if you want to back stuff up or see what changes you made). When a proper factory reset is done, the overlay partition is formatted (but not securely wiped – see section later).

Run the following to set 17.2 up for temporary root and switch back to it:

# rm -rf /overlay/`cat /proc/banktable/inactive`
# mkdir /overlay/`cat /proc/banktable/inactive`
# chmod 755 /overlay/`cat /proc/banktable/inactive`
# mkdir /overlay/`cat /proc/banktable/inactive`/etc
# chmod 775 /overlay/`cat /proc/banktable/inactive`/etc
# echo "echo root:root | chpasswd" > /overlay/`cat /proc/banktable/inactive`/etc/rc.local
# echo "dropbear -p 6666 &" >> /overlay/`cat /proc/banktable/inactive`/etc/rc.local
# chmod +x /overlay/`cat /proc/banktable/inactive`/etc/rc.local
# echo `cat /proc/banktable/inactive` > /proc/banktable/active
# sync
# cat /overlay/`cat /proc/banktable/active`/etc/rc.local

Now check it all looks right – you should get this output from the last command:

echo root:root | chpasswd
dropbear -p 6666 &
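
The other thing worth confirming before you reboot is the banktable itself. As an added example (not part of the original guide), the POSIX shell helpers below parse the listing produced by the find command shown earlier and report whether the active bank now differs from the booted one, which is exactly the state the switch command leaves you in. The sample table is the one printed earlier in this guide; the “after” table is constructed from it by changing only the value under /proc/banktable/active.

```shell
#!/bin/sh
# Added example, not part of the original guide: parse the output of
#   find /proc/banktable -type f -print -exec cat {} ';'
# (each path line is followed by its value line) and report whether a bank
# switch is pending, i.e. /proc/banktable/active no longer matches booted.

# Constructed sample: the pre-switch state shown earlier in the guide
# (booted and active are both bank_1, 16.3 is running, 17.2 sits in bank_2).
BANKTABLE_BEFORE='/proc/banktable/notbootedoid
59b21e26bc549719f7f1bedd
/proc/banktable/bootedoid
5940db6a20338215a4c97c89
/proc/banktable/passiveversion
17.2.0188-7021004-20170908063550-00f42f11f9c253e3f1001b1558043e970a3d9b5d
/proc/banktable/activeversion
16.3.7567-2521030-20170614084458-887a8c777ed8527277d7137ed9149816c889cf1d
/proc/banktable/inactive
bank_2
/proc/banktable/active
bank_1
/proc/banktable/notbooted
bank_2
/proc/banktable/booted
bank_1'

# Constructed post-switch state: what `echo bank_2 > /proc/banktable/active`
# changes in the table above (only the value under /proc/banktable/active).
BANKTABLE_AFTER=$(printf '%s\n' "$BANKTABLE_BEFORE" | awk '
    prev == "/proc/banktable/active" { $0 = "bank_2" }
    { prev = $0; print }')

# banktable_get <name> <table-text>: print the value that follows the
# /proc/banktable/<name> path line (prints nothing if the entry is absent).
banktable_get() {
    printf '%s\n' "$2" | awk -v key="/proc/banktable/$1" '
        found     { print; exit }   # the line after the matching path is its value
        $0 == key { found = 1 }
    '
}

# overlay_dir <name> <table-text>: the /overlay folder holding the config of
# the bank named by <name> (active, inactive, booted or notbooted).
overlay_dir() {
    printf '/overlay/%s\n' "$(banktable_get "$1" "$2")"
}

# banktable_status <table-text>: "pending" when the active bank differs from
# the booted one (the next reboot switches banks), otherwise "steady".
banktable_status() {
    active=$(banktable_get active "$1")
    booted=$(banktable_get booted "$1")
    if [ -n "$active" ] && [ "$active" != "$booted" ]; then
        echo pending
    else
        echo steady
    fi
}

# banktable_summary <table-text>: the one-screen check to read before typing reboot.
banktable_summary() {
    echo "booted:         $(banktable_get booted "$1")"
    echo "active:         $(banktable_get active "$1")  (config: $(overlay_dir active "$1"))"
    echo "activeversion:  $(banktable_get activeversion "$1")"
    echo "passiveversion: $(banktable_get passiveversion "$1")"
    echo "status:         $(banktable_status "$1")"
}
```

On the modem, run banktable_summary "$(find /proc/banktable -type f -print -exec cat {} ';')"; after the switch commands above it should report status pending with active bank_2 and booted bank_1.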

Reboot and wait 3 to 4 minutes for the modem to boot into 17.2.

Setting up firmware v17.2

Log in to the modem with SSH on port 6666 using root/root.  At this point you have temporary root on 17.2, but it’s not how we should leave things.

Run the following in SSH to turn on more functionality and clean up. Note that you can only paste so much into the terminal in one go, so if you get weird errors just cut the block back a bit and try again:

# Block 1
uci set dropbear.lan.enable='1'
uci set dropbear.lan.PasswordAuth=on
uci set dropbear.lan.RootPasswordAuth=on
uci add_list web.tvoicesipconfig.roles=admin
uci add_list web.tvoicecontacts.roles=admin
uci add_list web.tvoicecalllog.roles=admin
uci add_list web.tvoicecapability.roles=admin
uci add_list web.parentalblock.roles=admin
uci add_list web.ruleset_main.rules=mmpbxinoutgoingmapmodal
uci set web.mmpbxinoutgoingmapmodal=rule
uci set web.mmpbxinoutgoingmapmodal.target='/modals/mmpbx-inoutgoingmap-modal.lp'
uci add_list web.mmpbxinoutgoingmapmodal.roles='admin'
uci add_list web.ruleset_main.rules=mmpbxstatisticsmodal
uci set web.mmpbxstatisticsmodal=rule
uci set web.mmpbxstatisticsmodal.target='/modals/mmpbx-statistics-modal.lp'
uci add_list web.mmpbxstatisticsmodal.roles='admin'
uci set cwmpd.cwmpd_config.state=0
uci set cwmpd.cwmpd_config.upgradesmanaged=0
uci set cwmpd.cwmpd_config.periodicinform_enable=0
uci set cwmpd.cwmpd_config.acs_pass='0'
uci set cwmpd.cwmpd_config.acs_user='0'
uci set cwmpd.cwmpd_config.acs_url='invalid'
uci set wifi_doctor_agent.config.enabled=0
uci add_list web.ruleset_main.rules=cwmpconfmodal
uci set web.cwmpconfmodal=rule
uci set web.cwmpconfmodal.target='/modals/cwmpconf-modal.lp'
uci add_list web.cwmpconfmodal.roles='admin'
uci set hotspotd.main.ipv4=0
uci set hotspotd.main.enable=false
uci set hotspotd.main.deploy=false
uci set hotspotd.TLS2G.enable=0
uci set hotspotd.FON2G.enable=0
uci add_list web.ruleset_main.rules=iproutesmodal
uci set web.iproutesmodal=rule
uci set web.iproutesmodal.target='/modals/iproutes-modal.lp'
uci add_list web.iproutesmodal.roles='admin'
uci add_list web.ruleset_main.rules=systemmodal
uci set web.systemmodal=rule
uci set web.systemmodal.target='/modals/system-modal.lp'
uci add_list web.systemmodal.roles='admin'
uci add_list web.ruleset_main.rules=relaymodal
uci set web.relaymodal=rule
uci set web.relaymodal.target='/modals/relay-modal.lp'
uci add_list web.relaymodal.roles='admin'
uci add_list web.ruleset_main.rules=natalghelpermodal
uci set web.natalghelpermodal=rule
uci set web.natalghelpermodal.target='/modals/nat-alg-helper-modal.lp'
uci add_list web.natalghelpermodal.roles='admin'
uci set tls-vsparc.Config.Enabled='0'
uci set tls-vsparc.Passive.PassiveEnabled='0'

# Block 2
uci add_list web.ruleset_main.rules=diagnosticstcpdumpmodal
uci set web.diagnosticstcpdumpmodal=rule
uci set web.diagnosticstcpdumpmodal.target='/modals/diagnostics-tcpdump-modal.lp'
uci add_list web.diagnosticstcpdumpmodal.roles='admin'
uci set system.config.export_plaintext='1'
uci set system.config.export_unsigned='1'
uci set system.config.import_plaintext='1'
uci set system.config.import_unsigned='1'
uci commit
sed -e 's/session:hasAccess("\/modals\/diagnostics-network-modal.lp")/session:hasAccess("\/modals\/diagnostics-network-modal.lp") and \n session:hasAccess("\/modals\/diagnostics-tcpdump-modal.lp")/' -i /www/cards/009_diagnostics.lp
sed -e 's^alt="network"></div></td></tr>\\^alt="network"></div></td>\\\n <td><div data-toggle="modal" data-remote="modals/diagnostics-tcpdump-modal.lp" data-id="diagnostics-tcpdump-modal"><img href="#" rel="tooltip" data-original-title="TCPDUMP" src="/img/network_sans-32.png" alt="network"></div></td></tr>\\^' -i /www/cards/009_diagnostics.lp
sed -e 's/{"logviewer-modal.lp", T"Log viewer"},/{"logviewer-modal.lp", T"Log viewer"},\n {"diagnostics-tcpdump-modal.lp", T"tcpdump"},\n/' -i /www/snippets/tabs-diagnostics.lp
sed -e 's/getrole()=="guest"/getrole()=="admin"/' -i /www/snippets/tabs-voice.lp
sed -e 's/{"mmpbx-sipdevice-modal.lp", T"Sip Device"},/{"mmpbx-sipdevice-modal.lp", T"Sip Device"},\n{"mmpbx-inoutgoingmap-modal.lp", T"In-Out Mapping"},\n{"mmpbx-statistics-modal.lp", T"Statistics"},/' -i /www/snippets/tabs-voice.lp
sed -e 's/if currentuserrole == "guest" /if currentuserrole == "admin" /' -i /www/docroot/modals/gateway-modal.lp
echo > /etc/rc.local
/etc/init.d/nginx restart;
/etc/init.d/cwmpd disable;
/etc/init.d/cwmpdboot disable;
/etc/init.d/wifi-doctor-agent disable;
/etc/init.d/hotspotd disable;
/etc/init.d/tls-vsparc disable;
killall -9 hotspotd cwmpd cwmpdboot watchdog-tch wifi-doctor-agent tls-vsparc;
/etc/init.d/dropbear start
echo > /etc/dropbear/authorized_keys

Now change the root password:

passwd

Reboot now if you’re not doing any futher configuration.

At this point you should now be able to SSH in on 17.2 with root and your password (which should no longer be root at this point!)

VOIP Setup

If you want to use VOIP, the following is the quickest way to set it up. It also removes some broken config that causes calls to be sent out via the FXO port, which will be unplugged for everyone in Australia once you are on the NBN (unless you are in a fixed wireless area, where voice services are still delivered over the copper lines). We also reset the LAN SIP inbound passwords here for security (see ‘LAN SIP client use of the mini-PABX in the modem’ if you wish to use them; nothing else has to be done). Please don’t post the default passwords in public forums as they could be a security risk for those still using them!

#Block 1
uci set mmpbxrvsipnet.sip_net.primary_proxy='sipserver'
uci set mmpbxrvsipnet.sip_net.primary_registrar='sipserver'
uci set mmpbxrvsipnet.sip_profile_0.uri='SIPuserName'
uci set mmpbxrvsipnet.sip_profile_0.user_name='SIPuserName'
uci set mmpbxrvsipnet.sip_profile_0.password='SIPpassword'
uci set mmpbxrvsipnet.sip_net.primary_proxy_port='5060'
uci set mmpbxrvsipnet.sip_net.primary_registrar_port='5060'
uci set mmpbxrvsipnet.sip_profile_0.enabled='1'
uci set mmpbxbrcmfxsdev.fxs_dev_0.relay_state='1'
uci set mmpbxbrcmfxsdev.fxs_dev_1.relay_state='1'
uci del_list mmpbx.@outgoing_map[0].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[0].priority='2'
uci del_list mmpbx.@outgoing_map[1].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[1].priority='2'
uci del_list mmpbx.@outgoing_map[2].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[2].priority='2'
uci del_list mmpbx.@outgoing_map[3].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[3].priority='2'
uci del_list mmpbx.@outgoing_map[4].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[4].priority='2'
uci del_list mmpbx.@outgoing_map[5].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[5].priority='2'
uci del_list mmpbx.@outgoing_map[6].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[6].priority='2'
uci del_list mmpbx.@outgoing_map[7].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[7].priority='2'
uci del_list mmpbx.@outgoing_map[8].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[8].priority='2'
uci del_list mmpbx.@outgoing_map[9].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[9].priority='2'
uci del_list mmpbx.@outgoing_map[10].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[10].priority='2'
uci del_list mmpbx.@outgoing_map[11].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[11].priority='2'
uci del_list mmpbx.@outgoing_map[12].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[12].priority='2'
uci del_list mmpbx.@outgoing_map[13].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[13].priority='2'
uci del_list mmpbx.@outgoing_map[14].profile='fxo_profile'
uci del_list mmpbx.@outgoing_map[14].priority='2'

#Block 2
uci set mmpbxrvsipdev.sip_dev_0.password=`dd if=/dev/urandom bs=1 | tr -dc A-Za-z0-9 | head -c${1:-10}`
uci set mmpbxrvsipdev.sip_dev_1.password=`dd if=/dev/urandom bs=1 | tr -dc A-Za-z0-9 | head -c${1:-10}`
uci set mmpbxrvsipdev.sip_dev_2.password=`dd if=/dev/urandom bs=1 | tr -dc A-Za-z0-9 | head -c${1:-10}`
uci set mmpbxrvsipdev.sip_dev_3.password=`dd if=/dev/urandom bs=1 | tr -dc A-Za-z0-9 | head -c${1:-10}`
uci set mmpbxrvsipdev.sip_dev_4.password=`dd if=/dev/urandom bs=1 | tr -dc A-Za-z0-9 | head -c${1:-10}`
uci set mmpbxrvsipdev.sip_dev_5.password=`dd if=/dev/urandom bs=1 | tr -dc A-Za-z0-9 | head -c${1:-10}`
uci set mmpbxrvsipdev.sip_dev_6.password=`dd if=/dev/urandom bs=1 | tr -dc A-Za-z0-9 | head -c${1:-10}`
uci set mmpbxrvsipdev.sip_dev_0.push_type='none'
uci set mmpbxrvsipdev.sip_dev_1.push_type='none'
uci set mmpbxrvsipdev.sip_dev_2.push_type='none'
uci set mmpbxrvsipdev.sip_dev_3.push_type='none'
uci set mmpbxrvsipdev.sip_dev_4.push_type='none'
uci set mmpbxrvsipdev.sip_dev_5.push_type='none'
uci set mmpbxrvsipdev.sip_dev_6.push_type='none'
uci delete mmpbxrvsipdev.sip_server.apn_cert_key
uci delete mmpbxrvsipdev.sip_server.apn_interface
uci commit
/etc/init.d/mmpbxd restart

Speeding up VDSL sync times

If you’re on VDSL you may be able to speed up your sync times by removing redundant DSL profiles so the modem does not even try to use them. Don’t do this if you’re still on ADSL!

uci del_list xdsl.dsl0.profile='8a'
uci del_list xdsl.dsl0.profile='8b'
uci del_list xdsl.dsl0.profile='8c'
uci del_list xdsl.dsl0.profile='8d'
uci del_list xdsl.dsl0.profile='12a'
uci del_list xdsl.dsl0.profile='12b'
uci del_list xdsl.dsl0.multimode='gdmt'
uci del_list xdsl.dsl0.multimode='adsl2annexm'
uci del_list xdsl.dsl0.multimode='adsl2plus'
uci commit
reboot

If you wish to add the selections to the web interface to play with later, you can run the following:

uci add_list web.ruleset_main.rules=xdsllowmodal
uci set web.xdsllowmodal=rule
uci set web.xdsllowmodal.target='/modals/xdsl-low-modal.lp'
uci add_list web.xdsllowmodal.roles='admin'
uci commit

Running the TG799 as the router with a second router behind it (double nat)

Double NAT used to break many things, but testing with this configuration shows that most current applications are very tolerant of it. Most applications already assume they are on a private network and that the address on their own interface is not the one they are visible on from the internet, so being nested one more level down via NAT, with a DMZ redirecting traffic to the second router’s WAN interface, makes very little difference (if this guide is followed)!

There are many reasons you would want to do this:

  1. You have a complex network setup with a more advanced router running services such as a VPN server and you still want to use the VOIP in the TG799 so that it can manage the packet priority tagging properly.
  2. You don’t quite trust the TG799
  3. You want a simpler solution than the “Using bridge mode with a dedicated PPPoE ethernet port” section below outlines which can be a nightmare to set up and debug if something goes wrong.
  4. You want easy access to the TG799 GUI so you can get sync speeds etc at the modem’s IP. This is still possible in bridged mode but it’s less straightforward.

Here is how you go setting this up properly:

  1. Set up the TG799 as above fully including VOIP etc and make sure it works to your satisfaction.
  2. The TG799’s default LAN IP on Telstra firmware is 10.0.0.138 and subnet mask 255.255.255.0. If your inner router also has a default LAN subnet of 10.0.0.0 then it’s advised to change one of them (probably the TG799 so your network will not be disrupted) to a subnet of your choosing such as 10.0.100.0 subnet mask 255.255.255.0. The rest of this section assumes you moved the TG799’s LAN IP to 10.0.100.1 subnet mask 255.255.255.0.
  3. Add a “static lease” on the TG799 under Advanced -> Local Network -> Static Leases with your internal router’s WAN MAC address and a suitable ip such as 10.0.100.2.
  4. Connect your inner router’s WAN port to one of the TG799’s LAN ports.
  5. Confirm on the inner router that it got 10.0.100.2 as the WAN IP. If it did not, reboot both of them at the same time to get rid of any lingering DHCP leases. If that fails re-check the MAC address of the lease handed out from the TG799.
  6. On the TG799 under Advanced -> WAN Services -> DMZ enable it and set the IP to 10.0.100.2 . Set up DynDNS if you want to. Save.
  7. Turn off WiFi on the TG799.

At this point the TG799 should be transparent to incoming requests which will hit the WAN interface of your internal router and be handled normally.

Really advanced topics !

Changing max sync speeds

You can change the max values for sync speeds. The value maxusdatarate controls the upstream maximum sync speed, maxdsdatarate controls the downstream maximum sync speed, and maxaggrdatarate is the maximum combined speed. The defaults are listed below. This doesn’t change any limitations imposed by line length – or at the DSLAM. If you won the node lotto and are feeling lucky you can modify these like so:

uci set xdsl.dsl0.maxaggrdatarate='160000'
uci set xdsl.dsl0.maxdsdatarate='110000'
uci set xdsl.dsl0.maxusdatarate='40000'
uci commit xdsl
reboot

Using bridge mode with a dedicated PPPoE ethernet port

I use the AP on the device on my LAN, but I also use the modem purely in bridge mode, which means I want to dedicate a port to my router to allow it to do PPPoE to my ISP. It should also work with IPoE. Thankfully, standard OpenWRT config applies. I added a new bridge called ‘adsl_wan’ and added eth4, eth3, atm_8_35 and ptm0 to it:

config interface 'adsl_wan'
 option type 'bridge'
 option ip6hint '0'
 option force_link '0'
 list ifname 'eth4'
 list ifname 'eth3'
 list ifname 'atm_8_35'
 list ifname 'ptm0'

You’ll need to remove eth3 from the LAN vlan. This gives you the port right next to the WAN ethernet (which is eth3 – eth4 is the WAN port) on the same bridge as the VDSL/ADSL modem. I have yet to figure out how to get the WAN port to do this – as it seems to be configured differently – maybe at the switch level.

In this configuration you can use the WiFi as an access point for your LAN as it’s attached to the LAN bridge.

If you want to use the VOIP in the TG799 while in bridge mode, you will need to configure a default gateway, a nameserver, and configure the pabx to use the LAN bridge as the outgoing interface. The following example uses Google for DNS and assumes your router is at 10.0.0.254:

uci set network.lan.dns='8.8.8.8'
uci set network.lan.gateway='10.0.0.254'
uci set mmpbxrvsipnet.sip_net.interface='lan'
uci set mmpbxrvsipnet.sip_net.interface6='lan6'
uci commit

You can check the current running dns with cat /etc/resolv.conf

Enable web interface features in Bridge Mode

If you have the modem in bridge mode, the web interface is gutted compared to in routed mode.

Edit /www/lua/cards_limiter.lua and change the following function to:

function M.card_limited(info, cardname)
 -- Display all cards, even in bridge mode. The original bridge check is left
 -- below, commented out: Lua only allows 'return' as the last statement of a
 -- block, so it cannot simply be placed in front of the old code.
 return false
 -- if info.bridged then
 --  return not bridge_limit_list[cardname]
 -- end
 -- return false
end

Restart the web interface via: /etc/init.d/nginx restart

Note that to get out of bridged mode you will still have to factory reset (and possibly do the whole rooting procedure again) or find and reverse the config changes that were made to flick it into bridge mode.

Configuring multiple third party SIP providers

If you have multiple SIP accounts to log into – and with different providers, you can duplicate the entire sip_net section under a different name (very important, it will break VOIP completely otherwise) and configure as per above, or using the web interface. The web interface will see the section in the config once you add it in. It would be possible to add the section using UCI but it’s quicker with an editor and you will get the most recent defaults from your existing profile rather than a stale web page!

SIP call routing

Each DECT device or FXS port can be registered against one or multiple SIP accounts. Look for the incoming_map section against sip_profile_0 and edit as needed. This should also be possible via the web interface after running the above default config which adds in a web page to allow editing this config. This is my setup to route sip_profile_1 to the first registered DECT device – and FXS port 1:

config incoming_map
 option profile 'sip_profile_0'
 list device 'fxs_dev_0'
 list device 'dect_dev_1'
 list device 'dect_dev_2'
 list device 'dect_dev_3'
 list device 'dect_dev_4'
 list device 'dect_dev_5'
 list device 'sip_dev_0'
 list device 'sip_dev_1'
 list device 'sip_dev_2'
 list device 'sip_dev_3'
 list device 'sip_dev_4'
 list device 'sip_dev_5'
 list device 'sip_dev_6'
config incoming_map
 option profile 'sip_profile_1'
 list device 'dect_dev_0'
 list device 'fxs_dev_1'

Registering DECT handsets

There is a button on the modem you can hold for five seconds, or, after enabling all the ‘cards’ via the web interface, the easy way is to start DECT pairing via the web interface. Click on the Telephony card, then ‘Start’ the pairing and follow the instructions for your handset. This was straightforward for me.

LAN SIP client use of the mini-PABX in the modem

It is possible to make calls out through the modem by registering as a SIP client. Clients 1 to 7 are configured and can be used like so for 1:

Username: 1
Password: <see below for finding the passwords>
Authentication User: phone1@telstra.gateway

To get a list of all the passwords set run this in SSH (noting that sip_dev_0 maps to phone1 etc):
uci show |grep mmpbxrvsipdev.sip_dev_..password

Please don’t post the default passwords in public forums as they could be a security risk for those still using them!

Serial Console

A serial console can be added using a 3.3v to RS232 adapter. These can be found on ebay quite cheaply. The serial console is J5 on the board, and note from the picture below, R327 and R328 need to be solder bridged to pass the serial signals to the adaptor. In the pictures shown, Black = Ground, Yellow = RX, and Green = TX.

Note that by default you can’t log in on the serial console. If you want to enable this, edit /etc/inittab and change

#ttyS0::askfirst:/bin/login

to

ttyS0::askfirst:/bin/login


NAT ALG helpers

With the above changes you should now have a tile in the advanced GUI that allows you to change the settings for NAT ALGs.
<insert screenshot when I have one>

tcpdump is now in the diagnostics?

I was very happy to find this hidden gem. Sadly there is no icon for it so I had to reuse one. Read the memory usage warnings before using it! I tested it once and the file it provided opened up OK in Wireshark.

Handy info for checking what’s running in your modem

Checking what firmware is flashed and what is active:

find /proc/banktable -type f -print -exec cat {} ';'

What processes are running? (you should not see cwmpd etc on this list!)

ps

What programs are listening as network services?

netstat -tuplen

How much free space is there left for config files?

df -h

Can I see the full config? (be prepared for ~7700 lines of text hitting your console)

uci show

Can I filter that output for say just things with the word password in them?

uci show | grep password
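
The checks above answer these questions interactively. As an added example (not part of the original guide), the POSIX shell functions below run the same checks non-interactively against a `uci show` dump and a `ps` listing, flagging any of the remote-management settings this guide turned off that have come back on, and any of the disabled daemons that are running anyway. The sample dump and process listing are constructed for the example and deliberately contain one regression each.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a `uci show` dump and a
# `ps` listing for the remote-management services the guide disables (TR-069
# cwmpd, hotspotd, wifi-doctor-agent, tls-vsparc), so you can confirm after a
# reboot or an accidental factory reset that they stayed off.

# Constructed sample of `uci show` output: hotspotd has been left enabled.
UCI_SAMPLE='cwmpd.cwmpd_config.state=0
cwmpd.cwmpd_config.upgradesmanaged=0
cwmpd.cwmpd_config.periodicinform_enable=0
wifi_doctor_agent.config.enabled=0
hotspotd.main.enable=true
tls-vsparc.Config.Enabled=0
dropbear.lan.enable=1'

# Constructed sample of busybox `ps` output: cwmpd is unexpectedly running.
PS_SAMPLE='  PID USER       VSZ STAT COMMAND
    1 root      1444 S    /sbin/procd
  912 root      3876 S    /usr/bin/cwmpd
 1301 root      1100 S    dropbear -p 22'

# uci_value <key> <uci-show-text>: print the value of <key> with any
# surrounding single quotes removed (newer uci versions quote values);
# prints nothing if the key is absent.
uci_value() {
    v=$(printf '%s\n' "$2" | awk -F= -v key="$1" \
        '$1 == key { print substr($0, length(key) + 2); exit }')
    v=${v#\'}; v=${v%\'}
    printf '%s\n' "$v"
}

# audit_config <uci-show-text>: print one MISMATCH line per expected setting
# that differs; the return value is the number of mismatches (0 = all good).
audit_config() {
    failures=0
    # key=expected pairs, taken from the settings applied earlier in the guide
    for pair in cwmpd.cwmpd_config.state=0 \
                cwmpd.cwmpd_config.upgradesmanaged=0 \
                cwmpd.cwmpd_config.periodicinform_enable=0 \
                wifi_doctor_agent.config.enabled=0 \
                hotspotd.main.enable=false \
                tls-vsparc.Config.Enabled=0 \
                dropbear.lan.enable=1; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(uci_value "$key" "$1")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want '$want', got '${got:-<unset>}'"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# audit_processes <ps-text>: print one RUNNING line per disabled daemon that
# still appears in the COMMAND column; the return value is the count.
# (watchdog-tch is deliberately not listed: the guide kills it but does not disable it.)
audit_processes() {
    running=0
    for daemon in cwmpd cwmpdboot hotspotd wifi-doctor-agent tls-vsparc; do
        if printf '%s\n' "$1" | awk -v d="$daemon" '
                NR > 1 { n = split($5, p, "/"); if (p[n] == d) found = 1 }
                END { exit !found }'; then
            echo "RUNNING $daemon"
            running=$((running + 1))
        fi
    done
    return $running
}
```

On the modem itself, call audit_config "$(uci show)" and audit_processes "$(ps)"; a non-zero return means something needs re-disabling, which is exactly what the factory-reset and secure-wipe sections below warn about.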

What’s that System Extras tab and what can I do in there?

  1. You can turn on logging to an external syslog server. On Windows run TFTPD64 (from http://tftpd32.jounin.net/tftpd32_download.html) and configure syslog in the settings. You can enable more logging in the VOIP subsystem by editing the logging config in /etc/config/mmpbx
  2. You can trigger a PXE firmware upgrade to bank_1. This is only for advanced users! If you click this by accident you will have to wait for it to time out and reboot, or power cycle it while the orange light is flashing.
  3. You can turn SSH access on/off from the LAN/WAN.

My firmware is so old that AutoFlashGUI can’t authenticate to the modem!

This is because they changed the web authentication method to SRPv6 with firmware v15, and this is the only method that the AutoFlashGUI tool knows how to authenticate with.  You are going to have to flash the v16.3 .rbi file via sysupgrade after using the original manual procedure to get a shell.

Visit the ‘Diagnostics’ page on the modem, and click on the Ping & Traceroute tab. (If your modem doesn’t display the Diagnostics tile, factory reset the modem. The observation is that this only happens when the config is corrupted somehow.) In the IP address section, enter and run:

:::::::;echo root:root | chpasswd; dropbear -p 6666;

Give it 30 seconds to generate SSH host keys and then try to connect to your modem with SSH on port 6666 with root/root.

Copy the .rbi to a USB stick (FAT32 formatted is most likely to work on old firmware) and insert it into the modem.

If you type “cd /mnt/” and keep hitting tab it should eventually get to the end of the USB stick path, then hit enter. (You can also run ‘mount’ and try to work out the path the USB stick is mounted on, or ‘dmesg’ to check the system log to see if there was an error automatically mounting it.)

To be on the safe side we will copy the rbi to RAM, then flash it. Do the following with the correct .rbi name (keeping in mind that this is case sensitive):

cp filename.rbi /tmp
cd /tmp
sysupgrade filename.rbi

All things going well you should see it progress along and reboot, then you can commence the current procedure.

I want to factory reset 17.2 but I don’t want to have to re-flash (aka Ghetto Reset!)

These modems use two roms (bank_1 and bank_2) which can be upgraded/used almost independently.  They are digital-signature verified before boot so you can’t edit the rom image in the flash.  The config is stored in the matching folder in /overlay i.e. /overlay/bank_2 (hint: you can see your modified config files in here if you want to back stuff up or see what changes you made).  When a proper factory reset is done, the overlay partition is formatted (but not securely wiped).

To reset without doing an official reset, disconnect your WAN connection (cwmpd will become active again temporarily), go into SSH and do the following:

rm -rf /overlay/`cat /proc/banktable/active`
mkdir /overlay/`cat /proc/banktable/active`
chmod 755 /overlay/`cat /proc/banktable/active`
mkdir /overlay/`cat /proc/banktable/active`/etc
chmod 775 /overlay/`cat /proc/banktable/active`/etc
echo "echo root:root | chpasswd" > /overlay/`cat /proc/banktable/active`/etc/rc.local
echo "dropbear -p 6666 &" >> /overlay/`cat /proc/banktable/active`/etc/rc.local
chmod +x /overlay/`cat /proc/banktable/active`/etc/rc.local
sync

Wait 5 seconds and turn the modem’s power off.  Ensure the WAN is disconnected!

Turn it back on and then resume the original procedure at “Setting up firmware v17.2”.

I’m selling this modem, how do I securely wipe all the config?

Disconnect the WAN. Log in via SSH and run:

rm -rf /overlay/*;dd if=/dev/urandom of=/overlay/garbage bs=512;sync;rm /overlay/garbage;sync;

Wait until it has completed and turn the modem’s power off.

Note that after this cwmpd will be active again, so you could get upgraded against your will once it is connected to the internet again!

110 comments


    • TeddyRaspin on September 4, 2017 at 5:22 pm

    Do you know how to disable this hack and turn the modem back to its default status please?

    1. A standard factory reset should restore everything.

      While the changes survive a reboot, they should not survive the factory reset.

    • TeddyRaspin on September 5, 2017 at 1:54 am

    Anyway on DGA4130 (Technicolor AGTEF) SSH is enabled but using WinSCP or Putty I always get “access denied”. It seems that even if it says “password for root changed by root” and enabled the dropbear (ssh server) via the echo 'dropbear &' > /etc/rc.local command, after the reboot process SSH is enabled but it seems not to accept the root password I’ve inserted before and I don’t know why.

    Maybe my Technicolor modem requires more hacking tweaks. Could you help me please ?

    1. You might need to edit the file /etc/config/dropbear and allow it to use password auth.

      Mine looks like:

      config dropbear
              option enable '1'
              option PasswordAuth 'on'
              option RootPasswordAuth 'on'
              option Port         '22'
              option IdleTimeout '600'
      #       option BannerFile   '/etc/banner'
      
        • Dale on October 5, 2017 at 3:53 pm

        Also works on TG797n v3 (16.1), but instead of:
        echo 'dropbear &' > /etc/rc.local

        To enable dropbear I had to edit the file /etc/config/dropbear, thank you.
        To do that I used the sed command to edit line 2, and then lines 3 & 4:
        sed -i '2 s/0/1/' /etc/config/dropbear
        sed -i '3,4 s/off/on/g' /etc/config/dropbear
        cat /etc/config/dropbear

    • Brian on September 7, 2017 at 10:37 pm

    Thanks for this. Pity they fixed the exploit in the web pages in 17.1, but it seems I got to mine before any push happened.

    Stopped and disabled the update service, but it reappeared after reboot, so I mashed out the update URL with hashes like suggested:
    #option acs_url 'https://################################'

    1. I’m not sure there are any Telstra type modems with 17.1 firmware as yet. Of course, other countries may have a different story…

      • Greg on October 7, 2017 at 10:57 am

      The exploit comes from weaponizedautism.wordpress.com. He said he’d release more unlocking techniques if Technicolor fixes this one. Maybe leave a comment there somehow. I can’t find anywhere to comment.

  1. Can I also add, just for the sake of the search engines, that most of this also applies to the iiNet / Internode issued TG-789 VDSL modems?

    Can I also note that on the TG-789, at least, you can enable dropbear SSH by editing the /etc/config/dropbear file instead of adding to the /etc/rc.local file.

    *** dropbear.orig 2017-09-08 09:40:16.532696000 +1000
    — dropbear 2017-09-08 09:41:10.828503662 +1000
    ***************
    *** 1,7 ****
    config dropbear
    ! option enable ‘0’
    ! option PasswordAuth ‘off’
    ! option RootPasswordAuth ‘off’
    option Port ’22’
    # option BannerFile ‘/etc/banner’
    option IdleTimeout ‘600’
    — 1,7 —-
    config dropbear
    ! option enable ‘1’
    ! option PasswordAuth ‘on’
    ! option RootPasswordAuth ‘on’
    option Port ’22’
    # option BannerFile ‘/etc/banner’
    option IdleTimeout ‘600’
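    Review bot: this hunk will not paste back into /etc/config/dropbear as shown, because the values render with typographic quotes (‘0’, ‘on’, ’22’) and the new-file header renders as an em dash where the diff tool writes "---"; UCI expects straight single quotes around each value. Separately, the hunk flips enable, PasswordAuth and RootPasswordAuth together; a one-line note that the last two mean password logins for every user and for root respectively would let readers decide whether they need both rather than switching all three on.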

      • LucIta on December 3, 2017 at 8:11 am
      • Reply

      In addition to llllloooooo's instructions for the TG-789, for the Italian provider Tiscali to have SSH root login working you also need to modify the line referring to the root user in /etc/passwd
      from:
      root:x:0:0:root:/root:/bin/false
      to:
      root:x:0:0:root:/root:/bin/ash
      or
      root:x:0:0:root:/root:/bin/sh
      Otherwise you can't authenticate after enabling SSH and changing the root password.

    • TeddyRaspin on September 10, 2017 at 7:58 pm
    • Reply

    It would be nice if someone finds out a new exploit on 17.1 to enable root access. I’ve now my modem fixed. 🙁

    • TeddyRaspin on September 15, 2017 at 9:03 pm
    • Reply

    Is there anyone who knows how to switch from bank_2 to bank_1?

    My modem does not have telnet or ssh access. 🙁

      • MrMatthewM on October 9, 2017 at 12:11 am
      • Reply

      If you do a factory reset it may switch back to bank_1, a failsafe for a failed firmware update.

      I have not exactly confirmed this as 100%, but I was watching the console after the update from 15.1 to 16.3: it had upgraded, but I had lost access to the web interface (I got an Internal Server Error). This may have been a failed firmware update, but watching the console it was booting, so I held down the reset button for 10 seconds, and after the reboot it booted from bank_1 again and redid the firmware update to 16.3.

    • John Doe on September 25, 2017 at 9:25 pm
    • Reply

    It works also on TG789VAC V2 (16.3).

    Do the /etc/shadow and /etc/config/dropbear changes survive a firmware upgrade through CWMP, or are the files overwritten?

    1. I believe they would get over-written.

    • Brian on September 29, 2017 at 10:38 am
    • Reply

    Anyone know if this works on the TG800VAC?

    I can get the executed code to open a shell (it's saying connected), but it's immediately dropping back to the host prompt, not staying connected (I think). Any chance the TG800 is immediately dropping the session?

      • Darren on September 29, 2017 at 11:13 pm
      • Reply

      I was able to perform the exploit on my TG800 no different from my TG799.

    • notmyname on September 29, 2017 at 4:04 pm
    • Reply

    The netcat connection didn't work for me.
    These steps did work for me:
    1. Use this: :::::::;echo 'dropbear &' > /etc/rc.local to enable SSH through traceroute
    2. ssh root@10.0.0.138
    3. (The hard part) had to brute force the password (jks, the password is root)

      • Frank on September 30, 2017 at 1:31 pm
      • Reply

      Excuse my ignorance, but not that savvy with these things. Downloaded netcat and couldn’t get to work. Any chance of expanding on the steps and simplifying in plain simple terms of what you actually did?

      • MrMatthewM on October 2, 2017 at 4:49 pm
      • Reply

      What firmware are you running? Still 16.3, or 17.1?

      I have been wondering if it would be possible, for routers that have been upgraded to 17.1, to do a hard reset so the modem switches back to bank 1, then log in via SSH, manually switch to bank 2, enable SSH on the 17.1 file system, then switch back.

    • Chipsteroo on October 7, 2017 at 12:30 pm
    • Reply

    I had no luck with nc, because on 14.1 the nc command doesn't support the -e option.

    I ended up getting shell access using

    :::::::;dropbear &
    :::::::;echo 'root:x' | chpasswd

    Then ssh into router as root with password = x

    • matt on October 7, 2017 at 7:20 pm
    • Reply

    A couple of notes from my recent attempts to do this:

    On a Mac running OS X 10.10 (Yosemite), the command to get netcat to listen is:

    /usr/bin/nc -l 10001

    Also might be worth noting that editing once logged into the modem requires the vi command (and knowing how to use vi) which isn’t explicitly stated in the tutorial above – eg:

    vi /www/lua/cards_limiter.lua

    My modem is still running v15.3 firmware, which greets you at the remote login with warnings about being prerelease and not for deployment. The change to enable all the cards in bridged mode locks you out of the web admin: the password is no longer accepted. SSHing back in and commenting out or removing that first added "return false" line returns the ability to log in.

    I’m not sure how much info Bridged Mode removed in later firmware, but on 15.3 it appears to be a fairly complete Advanced Settings version (with no simple mode option) – obviously a number of services are disabled, but going back to Routed Mode requires a factory reset, which I assume will wipe all the changes made?

      • Antonio Felleca on January 22, 2018 at 7:32 pm
      • Reply

      Hi Matt,

      Can you provide me details about how you solved the vi command problem over nc?

      Many thanks

    • Bogemon on October 26, 2017 at 11:12 am
    • Reply

    hello guys

    Just want to check if anyone found anything on doing this on 17.1. Looks like the ping box won't allow me to send it; it gives a validation error now. Any other way to do this?

    • Thisavros on October 29, 2017 at 1:04 pm
    • Reply

    Tks. ssh access worked for me.
    Got the FXS port up with continuous dial tone
    Entered the sip_profile details and maps, but when attempting a call it fails after the second digit.
    I note in the logs
    Sun Oct 29 11:48:10 2017 user.debug mmpbxd[7155]: [MMUCI] :E: mmUciCommonAllocateContext:248 – Error loading the UCI config from file for mmpbxbrcmsi3217x: UCI_ERR_NOTFOUND
    Sun Oct 29 11:48:10 2017 user.debug mmpbxd[7155]: [MMBRCM] :E: mmBrcmSi3217xConfigLoad:1872 – No Slic configuration is found. Endpoint Driver default config will be used.
    Sun Oct 29 11:48:10 2017 user.debug mmpbxd[7155]: [MMBRCM] :E: mmBrcmInit:590 – mmBrcmSi3217xConfigLoad has failed: MMPBX_ERROR_NOCONFIG

    Have I missed a config file?

      • Thisavros on November 2, 2017 at 11:41 pm
      • Reply

      Hey guys, figured it out with some help from the AussieBB help desk.
      After successfully rooting the router (TG800vac Build 16.3.7567-660-RD)
      I followed the above guide. The exception being that silly me used the IP address for the proxy & registrar.

      After using the “case” sensitive fqdn: eg:
      Proxy Server: AussieBB.nms1.voice.wide.net.au
      Registrar Server: AussieBB.nms1.voice.wide.net.au
      Outbound Proxy: AussieBB.nms1.voice.wide.net.au
      Port: 5060
      VoIP is up and running.

      There are still many errors in the logs but I can make & receive calls.

      Thank you to CRCinAU

    • Sacha Weatherstone on October 30, 2017 at 6:27 pm
    • Reply

    I have the Technicolor TG789vac v2 HP running firmware v16.3 (MyRepublic). I have confirmed that the ping RCE exploit still works (:::::::`halt` halts the system). The router also has SSH enabled by default but the password is unknown. The main issue I am having is that I cannot get netcat working: I have confirmed the modem can ping my host, but no netcat connection can ever be established. Any ideas?

      • Sacha Weatherstone on November 8, 2017 at 7:57 am
      • Reply

      anyone got any ideas?

        • Geoff on December 5, 2017 at 9:28 pm
        • Reply

        I used MobaXterm on Win10 as it has the nc command built in.
        Start a local terminal.
        nc -l 10001
        then in your modem do the ping and traceroute.
        You won't see anything in MobaXterm but you can continue with the passwd change.
        I couldn't get anything else to work, but once I got MobaXterm and realised I wouldn't see any response it was easy.

    • Johnny on November 3, 2017 at 4:00 pm
    • Reply

    Does anyone know how to disable Telstra air. Can’t seem to find any mention of it throughout the router directories.

      • Johnny on November 3, 2017 at 4:22 pm
      • Reply

      /etc/init.d/hotspotd stop

  2. Hi, I'm not that strong in router configuration, but I got my SSH running and all is well.

    I want my TG799vac just to be a modem, nothing else; I have a Unifi USG gateway that will take care of all routing, firewall etc. But how do you get it into bridge mode? I made the adsl_wan as described but it doesn't seem to take effect. Am I missing something here? 🙂

    • Will on November 5, 2017 at 10:36 pm
    • Reply

    I have managed to apply the hack.

    I am running the modem in bridged mode. How can I allow the traffic on the modem to connect to the internet for the SIP/LAN/etc.?

    • Jatz on November 7, 2017 at 1:56 pm
    • Reply

    If you apply this hack and setup a custom voip provider, can you use the Telstra t-voice 502 handset with the non-telstra voip?

    1. From what I understand, this is just a normal DECT phone – so it should work.

    • Jens TC on November 13, 2017 at 12:21 am
    • Reply

    Is it possible to install and use OpenVPN on the Technicolor, release Jade (16.2)?

    • SwiftCookie on November 21, 2017 at 11:48 pm
    • Reply

    Yo, firstly does this still work? 🙂

    Secondly if it does, will this allow me to get any improvements out of my line with the sync speed fixes?
    So sick of the Telstra controlled modem but I need it to use Voip :/

    Been using a NetDuma R1 for gaming purposes, but it’s just running off the Technicolor via Ethernet.

    Cheers!

    • theDarkPotato on November 22, 2017 at 7:19 pm
    • Reply

    My router is updated to 17.2. It is fixed.

    • Oldtimer on November 26, 2017 at 9:01 am
    • Reply

    I have 15.4 and would like to get 16.3, but obviously I don't want to get 17+. Is there any way to accept the update and just store the firmware without actually updating, so that I can update manually if I choose to do so?

      • geoff on November 28, 2017 at 7:26 pm
      • Reply

      You can download 16.3 from 16.3.7567-660-RG (TG799) size 20.81 MB
      http://fwstore.bdms.telstra.net/Technicolor_vant-f_CRF687-16.3.7567-660-RG/vant-f_CRF687-16.3.7567-660-RG.rbi
      or
      https://cloud.crc.id.au/index.php/s/iTWJE3A1TQBhgDq?path=%2FTG799vac%20FIrmware%20Files

      Jailbreak Telstra TG799
      ssh into Telstra TG799
      scp the download 16.3 rbi file to /tmp/
      Run the command "sysupgrade -v /tmp/filename-of-downloaded-sysupgrade.rbi"
      Telstra TG799 will update and then reboot itself
      Jailbreak Telstra TG799 (required again after firmware update)
      lock Telstra TG799 down to prevent cwmpd updating to 17.x

        • Oldtimer on November 29, 2017 at 10:33 pm
        • Reply

        Thanks Geoff, but I don't have Vant-F, I have Vant-W. Is it still safe to do the firmware upgrade?

    • execcr on November 28, 2017 at 6:46 pm
    • Reply

    Could we have another exploit for the 17.2 firmware?

    • Vlad on November 29, 2017 at 2:57 pm
    • Reply

    Hi There,

    Now that I have SSH access and all the above mods are done:

    Does anyone know how I can install net-snmp on the Technicolor TG800?

    • ciciusx on December 1, 2017 at 9:30 am
    • Reply

    Hi, how can I make the WAN port into a LAN port? I have a 789vac unlocked.
    Thanks

    1. I haven’t found a way to do this as yet.

    • ciciusx on December 1, 2017 at 5:36 pm
    • Reply

    And how to set a personal password to log in remotely on the modem?
    And how to set US instead of EU for 2.4 GHz WiFi?
    Thanks!!

    • niko on December 5, 2017 at 6:05 am
    • Reply

    Could anyone post the contents of the keys in /proc/keys for this router?
    To do so just run the following command from the root shell:

    find /proc/keys -type f -exec sh -c 'echo $0: $(cat $0)' {} \;

    • Geoff on December 5, 2017 at 9:33 pm
    • Reply

    Excellent post, thanks. I was able to SSH into my TG789vac v2, firmware 16.3.
    When I SSHed in my splash screen had a big red warning on it saying
    “Demo build, unofficial Technicolor SW, not suitable for deployment!”
    Not sure whether to laugh or be worried. 8-(

    I also closed port 3005 which was open with this command:
    iptables -D zone_wan_input -p tcp -m tcp --dport 30005 -m comment --comment Allow_CWMP_Conn_Reqs -j ACCEPT

    Thanks again
    Geoff

    • Dennis on December 6, 2017 at 7:30 pm
    • Reply

    For TG797n V3 (V15.1), got it to work using a variant of a previous post:
    :::::::;dropbear & echo 'root:x' | chpasswd

    Then, ssh root@10.0.0.138 using password x.
    Then, I changed the root password using 'passwd'.

    Great…

      • Frank on February 1, 2018 at 5:18 pm
      • Reply

      I gave up on my tg799 after it upgraded itself to 17.2….. 😡 However, I have now been able to extract my Telstra NBN/FTTN SIP credentials using a tg797! 🤗

      Thank you, Dennis😇

        • John on March 14, 2018 at 11:31 pm
        • Reply

        Hi Frank,
        How do you retrieve the passwords for VoIP
        I've managed to register Siptalk & it's working great, but would like to retrieve the Telstra VoIP password
        I’ve followed the above but can get the credentials

    • Dennis on December 11, 2017 at 5:14 pm
    • Reply

    TG799vac:-
    From previous tests before, i remember that PPPoE is only allowed on the ADSL port…
    Anyone try or have it working to get PPPoE on the WAN port?

    Thanks

      • Dennis on December 15, 2017 at 10:15 am
      • Reply

      Answering my own question….
      File: /etc/config/network
      Change: interface 'wan' from option proto 'dhcp' to 'pppoe'

      From:-
      config interface 'wan'
      ….
      option proto 'dhcp'
      To:-
      config interface 'wan'
      ….
      option proto 'pppoe'

        • Dennis on December 15, 2017 at 1:18 pm
        • Reply

        One other thing to do:-
        Need to disable wansensing…. wansensing changes the “wan” interface back to DHCP after link down/up…

        config wansensing 'global'
        option enable '0'            <--- '1' to '0'
        option autofailover 'readonly'
        option initmode 'L2Sense'
        option l2type 'ETH'
        option l3type 'L3Sense'

    • Wayne on December 15, 2017 at 8:22 am
    • Reply

    Anyone successfully done a MyRepublic TG789 ?

    I can do the iinet/Internode TG789 with my eyes closed and hands tied behind my back but the MyRepublic branded one is giving me the s…s!

      • Nicholas on December 22, 2017 at 6:01 pm
      • Reply

      No idea, but I would also really appreciate knowing. It seems the exploit still works on the installed firmware version (managed to send a message through), however I couldn't get the root shell over netcat to work no matter what I tried...

        • Wayne on December 24, 2017 at 5:56 am
        • Reply

        The root shell never opens on the MyRepublic one; it does on the iinet/Internode one, so I know my software is not the issue. The only difference I can see is that the iinet ones run VANT-6 firmware and the MyRepublic ones run VBNT-L, although pulling both apart, the boards are identical with all the same chips. I have even tried TFTPD to flash the VANT-6 firmware onto the MyRepublic one and it will not take. Keep on trying different things; eventually it will tumble.

          • Scobber on February 14, 2018 at 9:11 pm
          • Reply

          Product Name
          MediaAccess TG789MYRvac v2 HP
          Software Version
          16.3
          Firmware Version
          16.3.7190-2761005-20161004084353

          This works.
          :::::::;sed -i '2 s/0/1/' /etc/config/dropbear
          :::::::;sed -i '3,4 s/off/on/g' /etc/config/dropbear
          :::::::;reboot;
          :::::::;echo root:root | chpasswd; dropbear -p 6666;

          ssh to 6666 with root:root

      • Suraj Barkale on September 28, 2018 at 8:29 am
      • Reply

      Change the command to the following string to get root on the "TG789vac v2" provided by MyRepublic.

      sed -i '1 s/false/ash/' /etc/passwd; sed -i '1 c\root:hPXIBGD6HsMXc:17078:0:99999:7:::' /etc/shadow; sed -i -e "s/'0'/'1'/" -e "s/'off'/'on'/" /etc/config/dropbear;/etc/init.d/cwmpd stop;/etc/init.d/cwmpd disable;/etc/init.d/cwmpdboot disable;killall dropbear;dropbear

      After running it using the Python program, you should be able to SSH as root with password root.

    • Paul Smedley on December 26, 2017 at 8:37 am
    • Reply

    Hi all, anyone been successful adding a 2nd SIP provider? Every time I try it here, mmpbxd fails to restart. Would love a copy of someone's mmpbxrvsipnet (with passwords hashed out) to try and use here.

    • Daniel on December 26, 2017 at 1:56 pm
    • Reply

    This is an amazing tutorial. I’m running the older Technicolor TG797n v3 which is just a standard old ADSL modem. Do you, or anyone else know of any guides to unlock this modem? The current feature set is trash.

    Thanks!

    • gja on January 5, 2018 at 8:41 pm
    • Reply

    Extra trivia for anyone doing this to an Internode-supplied TG789vac v2 modem running v16.3 and following the steps above for disabling cwmpd.

    There's a watchdog daemon keeping an eye on cwmpd, which reboots the modem some tens of seconds after the cwmpd process is initially killed with "/etc/init.d/cwmpd stop". (See /etc/config/watchdog.)

    So be prompt with the additional "/etc/init.d/cwmpd disable" and "/etc/init.d/cwmpdboot disable" steps and cwmpd will not come back up after the reboot. (The watchdog won't subsequently complain about cwmpd never coming up; it only cares if cwmpd starts and then goes away.) But it can be a little unnerving having the SSH connection die for no apparent reason after stopping cwmpd 😉

    Probably better to do the two disable steps first, then stop the running cwmpd. Wait a minute for the reboot to happen, then log back in and continue your merry hacking...

  3. Hello,
    on firmware 17.1 there is a possible exploit with the domain field of the dydns tile.

    • Mark on January 10, 2018 at 10:28 pm
    • Reply

    Has anyone had any luck with the myrepublic version TG789vac v2. I feel as though this is excellent hardware that can do so much more if it could only be unlocked.

    • Mark on January 10, 2018 at 10:34 pm
    • Reply

    Could someone please post the path of USB mounted drive. I’d like to try to run a few scripts from a USB stick using the exploit to try and add a user to ssh.

    Thanks.

    • Wayne on January 13, 2018 at 12:53 pm
    • Reply

    The guys on Whirlpool worked out how to do the MyRepublic TG789vac
    So this is none of my work, so don't thank me; go to Whirlpool and thank them. But I have confirmed it works: it does not survive a factory reset, but it does survive an on/off reset.

    Ping this first, after you change it to whatever password you want (all on one line):
    :::::::;sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo "root:yourpasswordhere"|chpasswd;dropbear -p 6666 &

    Log in to port 6666 via SSH and edit the following file (WinSCP under Windows with the SCP protocol works great to do this):
    /etc/config/dropbear
    Change
    option RootLogin '0'
    to
    option RootLogin '1'

    save & exit and restart the router then login to port 22 like normal

    • Joe on January 14, 2018 at 6:55 pm
    • Reply

    I have a MyRepublic TG789vac

    When I enter into the IP address for the ping = :::::::;sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo "root:yourpasswordhere"|chpasswd;dropbear -p 6666 &

    and change my password in the above text for this example to "test",
    after I SSH to 192.168.1.1 port 6666 I get a reply "login as", to which I input "root",
    and then I type the password “test” as for my example

    It will not recognize the password

    Have disabled my firewall fully to allow port 1001 thru .
    Do I need to have Ipv6 state turned on in my Router . I have it turned off because My republic does not use Ipv6. I turned Ipv6 back on and made no difference.

    I can SSH to the router but it won't recognize the password for root.

    What am I doing wrong ?

    • Wayne on January 15, 2018 at 5:40 am
    • Reply

    Not sure but I reset mine to factory defaults before I started to get rid of any changes I had made and did not have a problem. make sure you have root:test.
    :::::::;sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo "root:test"|chpasswd;dropbear -p 6666 &

    • Joe on January 16, 2018 at 3:57 pm
    • Reply

    Thanks Wayne , I tried cutting and pasting your line just in case I made a typo in my previous attempts but I am still getting the same results where I get the logon prompt which I input “root” and then I enter the password “test” but it still comes up with the message “ACCESS DENIED” and gives me the prompt to re-enter the password again.
    I will try your tip and reset back to factory results and see if that makes any difference .

      • Jason on January 19, 2018 at 8:55 pm
      • Reply

      Hey Joe, I was having the same issue. I got it working on my MyRepublic modem by copying the following command into Sublime Text 3 (unregistered version, doesn't matter) *FIRST* and replacing all quotes and double quotes with the correct symbol. The browser was rendering them (and I was copying them) as the incorrect curly quote and curly double quote. I believe BusyBox was not interpreting the curly quotes, and the SSH dropbear server was starting but it didn't get all the commands before it in order to set the root password!

      :::::::;sed -i 's#root:/bin/false#root:/bin/ash#' /etc/passwd;echo "root:test"|chpasswd;dropbear -p 6666 &

      Fix the quote and double quotes surrounding
      s#root:/bin/false#root:/bin/ash# (should be single straight quotes)
      and
      root:test (should be double straight quotes)

      then try to SSH on port 6666 with username: root, password: test (I used PuTTY to SSH and my modem is set to 192.168.1.1)

      Good luck!
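Jason's diagnosis (typographic quotes copied from a browser are not quoting characters to the shell) can be checked before anything is pasted into a device. The Python below is an added example, not code from the original post or its author: it locates the non-ASCII quote characters in a copied command, converts them to the ASCII forms, and uses Python's shlex module (an approximation of POSIX shell word splitting) to show how differently the two versions tokenize. The sample command is constructed for the illustration.

```python
import shlex
from typing import List, Tuple

# Typographic quotes that browsers and word processors substitute for the ASCII
# ones. To /bin/sh these are ordinary characters, not quoting characters.
TYPOGRAPHIC_QUOTES = {
    "\u2018": "'",  # left single quotation mark
    "\u2019": "'",  # right single quotation mark
    "\u201c": '"',  # left double quotation mark
    "\u201d": '"',  # right double quotation mark
}

# Constructed sample: a harmless command as a browser might render it.
PASTED_COMMAND = "echo \u201chello world\u201d | grep \u2018hello\u2019"


def find_typographic_quotes(command: str) -> List[Tuple[int, str]]:
    """Return (offset, character) for every non-ASCII quote in the command."""
    return [(i, ch) for i, ch in enumerate(command) if ch in TYPOGRAPHIC_QUOTES]


def normalize_quotes(command: str) -> str:
    """Replace typographic quotes with their ASCII equivalents; leave everything else as-is."""
    return "".join(TYPOGRAPHIC_QUOTES.get(ch, ch) for ch in command)


def shell_words(command: str) -> List[str]:
    """Split a command roughly as a POSIX shell would: ASCII quotes group words
    and ';', '|', '&' become separate tokens. Curly quotes stay inside the words,
    so a quoted string containing a space is split in two."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    for offset, ch in find_typographic_quotes(PASTED_COMMAND):
        print(f"offset {offset}: U+{ord(ch):04X} {ch!r}")
    print("as pasted :", shell_words(PASTED_COMMAND))
    print("normalized:", shell_words(normalize_quotes(PASTED_COMMAND)))
```

Running it shows the pasted form breaking "hello world" into two words with the curly quotes attached, while the normalized form yields the single word the author intended; a shell given the first form passes the literal quote characters through to the command.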

    • Joe on January 16, 2018 at 5:01 pm
    • Reply

    Ok , I just did a Factory Reset and it still does not work.
    Will keep trying

      • Wayne on January 17, 2018 at 7:28 am
      • Reply

      What version is your BIOS? If it has been updated, it won't work.

    • Joe on January 17, 2018 at 1:16 pm
    • Reply

    Full Stats on the model I’m trying to upgrade are :

    MediaAccess TG789MYRvac v2 HP
    Software Version = 16.3
    Firmware Version = 16.3.7190-2761005-20161004084353
    Firmware OID = 57f34fa94f5105213973abd5
    Bootloader Version = 2.0.89
    Bootloader OID = unknown
    Hardware Version = VBNT-L
    Serial Number = CP1714VAE7H

    • Wayne on January 17, 2018 at 8:55 pm
    • Reply

    If you go to Whirlpool, in the following thread there is a link to a utility to download, autoflashgui, that does this as well:

    https://forums.whirlpool.net.au/forum-replies.cfm?t=2650998&p=22

    Just be aware I could not get it to work on the default 192.168.1.1 IP address; I had to change it to 10.0.0.138, run the utility, and then change it back.

    If that doesn't work then I have no idea.

    • Frank on January 22, 2018 at 8:34 pm
    • Reply

    I’ve just connected to the console port and discovered that no login prompt is available?

    • Jesse on January 24, 2018 at 1:20 am
    • Reply

    Has anyone succeeded in making the USB 3g/4g dongles work?

    Here is where I got so far:

    At first I was getting the following:
    PLMN “50502” not found in allowed operator list

    Then added the below to /etc/config/mobiled

    config operator
    option mcc '505'
    option mnc '02'
    option name 'YES OPTUS'

    Now it shows as ‘Registered’: https://yadi.sk/i/DTP0krv33ReNHG
    Even though it still displays as ‘Disconnected’ https://yadi.sk/i/WRo3niVp3ReNL7 in the main config, also there obviously is no internet 🙁

    The logs say something about EntryExit and that there is no antenna selected for this device %)
    https://yadi.sk/i/gbFSGyyo3ReP7T

    I've tried the exact same USB dongle with the same APN details on my PC's USB port and it works.

    I did some digging, and it looks like the logic behind this lies somewhere in /etc/mobiled/DataSessionSetup-Main.lua
    I tried to print out some info, like:

    log:info(dataSessionList[i])
    log:info(device:get_session_info(session.session_id))

    But couldn’t get a proper response why it doesn’t move from ‘Network Registered’ to ‘Connected’ state 🙁

    • Kolo on January 24, 2018 at 5:39 am
    • Reply

    Hi !
    Added a 3G/4G modem to the USB port and I can surf the internet through this TG799vac V2 (Sweden).
    How can I get FXS1 and FXS2 working with a normal home landline phone?
    I want to connect my home alarm, which only has a landline connection.

    Kolo

    • Bajan Boy on January 31, 2018 at 7:31 am
    • Reply

    How come atm line is needed in the network config if this is vdsl? I thought it was ptm for vdsl or is my understanding wrong?
    Cheers

    • Frank on February 1, 2018 at 3:18 pm
    • Reply

    I recently obtained a router with 15.3 firmware. After following the procedures above, I was able to SSH etc however the unit refused to connect to Telstra’s SIP servers. I upgraded the firmware to 16.3 and:

    #option upgradesmanaged '1'
    option interface 'wan'
    option interface6 'wan6'
    option periodicinform_enable '1'
    option periodicinform_time '0'
    option connectionrequest_port '51007'
    option ssl_castore '/etc/ssl/certs/'
    option ssl_certificate '/etc/ssl/tch_cwmp_ssl.cert'
    option ssl_privatekey '/etc/ssl/tch_cwmp_ssl.key'
    #option acs_url 'https://tg799.technicolor.cwmp.bdms.telstra.net/'
    option periodicinform_interval '86400'
    option connectionrequest_auth '0'
    option ssl_verifypeer '0'
    option upgrade_rollback_timeout '900'
    option datamodel 'InternetGatewayDevice'
    option backoff_minwait '5'
    option backoff_multiplier '2000'
    list forcedinforms 'InternetGatewayDevice.Services.X_000E50_Internet.WAN
    option ip_preference 'v4_only'
    option connectionrequest_throttle_time '5'
    option connectionrequest_throttle_number '1'

    root@mygateway:~# /etc/init.d/cwmpd stop
    root@mygateway:~# /etc/init.d/cwmpd disable
    root@mygateway:~# /etc/init.d/cwmpdboot disable

    However, when I rebooted the router, it upgraded itself to 17.2 😡

    How can this be?
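Two configs in this thread are worth checking mechanically rather than by eye: Dale's /etc/config/dropbear earlier in the thread (PasswordAuth and RootPasswordAuth both 'on') and Frank's cwmpd section just above (acs_url commented out, ssl_verifypeer '0', connectionrequest_auth '0'). The Python below is an added example, not code from the original post, from Technicolor or from OpenWrt: a small parser for the UCI "config / option / list" syntax plus two audit functions that report those settings. The sample texts are constructed to match the shapes posted in the thread; the cwmpd section header, the placeholder ACS URL and the forcedinforms value are assumptions, missing enable/PasswordAuth/RootPasswordAuth values are treated as '1'/'on' (the OpenWrt dropbear defaults, assumed to apply to this firmware), and reading ssl_verifypeer '0' as "do not verify the ACS certificate" follows the option name rather than vendor documentation.

```python
import shlex
from typing import Dict, List, Optional

# Constructed sample shaped like the /etc/config/dropbear posted in the thread.
DROPBEAR_SAMPLE = """\
config dropbear
        option enable '1'
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port         '22'
        option IdleTimeout '600'
#       option BannerFile   '/etc/banner'
"""

# The same section with password logins switched off (constructed).
DROPBEAR_HARDENED = """\
config dropbear
        option enable '1'
        option PasswordAuth 'off'
        option RootPasswordAuth 'off'
        option Port '22'
        option IdleTimeout '600'
"""

# Constructed cwmpd section. Option names follow the thread's paste; the section
# header, the ACS URL placeholder and the forcedinforms value are assumptions.
CWMPD_SAMPLE = """\
config cwmpd
        option interface 'wan'
        option connectionrequest_port '51007'
        option ssl_castore '/etc/ssl/certs/'
#option acs_url 'https://acs.example.invalid/'
        option connectionrequest_auth '0'
        option ssl_verifypeer '0'
        option periodicinform_interval '86400'
        list forcedinforms 'InternetGatewayDevice.DeviceInfo'
"""


def parse_uci(text: str) -> List[Dict]:
    """Parse UCI text into [{'type', 'name', 'options', 'lists'}, ...].

    shlex handles single and double quoting; '#' comments are dropped, so a
    commented-out option is simply absent from the parsed section.
    """
    sections: List[Dict] = []
    current: Optional[Dict] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            words = shlex.split(raw, comments=True)
        except ValueError as exc:  # e.g. an unterminated quote
            raise ValueError(f"line {lineno}: {exc}") from exc
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config" and args:
            current = {"type": args[0], "name": args[1] if len(args) > 1 else None,
                       "options": {}, "lists": {}}
            sections.append(current)
        elif current is None:
            continue  # option/list before any config line: ignore
        elif kw == "option" and args:
            current["options"][args[0]] = args[1] if len(args) > 1 else ""
        elif kw == "list" and args:
            current["lists"].setdefault(args[0], []).append(args[1] if len(args) > 1 else "")
    return sections


def audit_dropbear(sections: List[Dict]) -> List[str]:
    """Report password-based SSH logins. Absent enable/PasswordAuth/RootPasswordAuth
    count as '1'/'on', the OpenWrt defaults (assumed to apply here too)."""
    findings = []
    for sec in (s for s in sections if s["type"] == "dropbear"):
        opt = sec["options"]
        if opt.get("enable", "1") != "1":
            continue  # server disabled: nothing listening to audit
        port = opt.get("Port", "22")
        if opt.get("RootPasswordAuth", "on").lower() == "on":
            findings.append(f"dropbear: root password login allowed on port {port}; prefer key auth")
        elif opt.get("PasswordAuth", "on").lower() == "on":
            findings.append(f"dropbear: password login allowed for non-root users on port {port}")
    return findings


def audit_cwmpd(sections: List[Dict]) -> List[str]:
    """Report TR-069 remote-management settings that weaken or disable the ACS link."""
    findings = []
    for sec in (s for s in sections if s["type"] == "cwmpd"):
        opt = sec["options"]
        if not opt.get("acs_url"):
            findings.append("cwmpd: acs_url unset (commented out); client has no server to contact")
        if opt.get("ssl_verifypeer", "1") == "0":
            findings.append("cwmpd: ssl_verifypeer 0; ACS certificate is not checked against ssl_castore")
        if opt.get("connectionrequest_auth", "1") == "0":
            port = opt.get("connectionrequest_port", "?")
            findings.append(f"cwmpd: connectionrequest_auth 0; connection requests on port {port} are unauthenticated")
    return findings


if __name__ == "__main__":
    for text in (DROPBEAR_SAMPLE, DROPBEAR_HARDENED, CWMPD_SAMPLE):
        secs = parse_uci(text)
        for line in audit_dropbear(secs) + audit_cwmpd(secs):
            print(line)
```

On a real device the same functions would be fed the contents of /etc/config/dropbear and the cwmpd config file; a line with an unterminated quote (such as the truncated forcedinforms line in Frank's paste) is reported with its line number rather than silently skipped.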

    • David on February 3, 2018 at 8:15 am
    • Reply

    Awesome thread. I used this same approach on a TG588v v2 to allow me to edit the /etc/config/network file to set the LAN ip address to what I needed. The web interface insisted on 10.0.0.x or 192.168.0.x which is total pants.

    I couldn’t gain SSH access but was able to use sed to change the file I needed.

    I am on latest firmware 15.3

    Thanks!!!!!
