Support for Technicolor DWA0122 from Belong in Australia

[jmytch]

General info

My gateway is currently running firmware version 19.4.0381-RA from Belong in Australia

• Product: Technicolor DWA0122BLN
• ISP: Belong
• Countries: Australia
• Commercial name from the ISP: Belong DWA0122
• Board: VCNT-2

Did anybody ever manage to get root on that device already?

Select all applicable

• Yes, by using a root strategy listed in the wiki
• Yes, following another different strategy
• No, as far as I know it has never been rooted

@brick01 did it with strategy #C

Firmware versions

Please fill as many available info about each firmware versions you have ever heard about for this board. Leave unknown parts empty.

• Version: 19.4.0381-RA
• Full version: 19.4.0381-4961004-20200907123835-1fb704a06063557866bccdb0325b6b4a2110d4bb
• Custom firmware version strings used by ISP in addition to the above: 19.4.0381-RA
• RBI file name:
• RBI official download URL:
  • The link is restricted to ISP users or requires download password
• Other RBI download links for us to look into it:
• Raw bank dump download link:
• Serial console bootlog:
• Other potentially relevant info about this firmware version:

Product: vcnt-2_belong
Release: Damson (19.4)
Version: 19.4.0381-4961004-20200907123835-1fb704a06063557866bccdb0325b6b4a2110d4bb
Bootloader: 20.12.1317-0000000-20200320072530-eb1ed67cb9b5397ba514372850d23e0d1b4b4ff4

[LuKePicci]

You should try available strategies, expecially #C if belong uses DHCP, and #D

[brick01]

I managed to root my Technicolor DWA0122BLN version 19.4.0381-RA using strategy #C

[brick01]

Product: vcnt-2_belong
Release: Damson (19.4)
Version: 19.4.0381-4961004-20200907123835-1fb704a06063557866bccdb0325b6b4a2110d4bb
Bootloader: 20.12.1317-0000000-20200320072530-eb1ed67cb9b5397ba514372850d23e0d1b4b4ff4

There is a typo in the title of this issue, the model should be DWA0122

[LuKePicci]

Thanks, I couldn't know that was a typo until now. It's fixed.

Please consider sharing any firmware url / dump you can get from your unit as well as OSCK key.

Rrasd about extracting keys from secr repo, try r2secr ko module first, if it doesn't work you will need to dump the full ram with lime.

Use command "strings /etc/cwmpd.db" to see any RBI firmware download URLs this device received (do the same on both "/overlay/bank_1/etc/cwmpd.db" and bank_2 if any)

Lastly, get a dump of both bank_2 and bank_1 firmwares. These dumps are not needed if you manage to get both OSCK key and an RBI firmware file for the same firmware version already.

[brick01]

Sorry I am new to this, all I did for the root was followed the wiki guide including the post-root procedures. I probably don't have a lot of understanding how things work.

I followed the readme from secr repo, but got the "failed to insert" error.

root@mygateway:/tmp/run/mountd/sda1# uname -a
Linux mygateway 4.1.52 #0 SMP PREEMPT Fri Aug 14 13:15:48 2020 armv7l GNU/Linux
root@mygateway:/tmp/run/mountd/sda1# insmod r2secr.arm.4.1.ko && dmesg | tail -n 20 && rmmod r2secr
failed to insert r2secr.arm.4.1.ko

Unfortunately I don't see any download URLs for the RBI firmware in the cwmpd.db files.

root@mygateway:~# strings /etc/cwmpd.db
SQLite format 3
tabletidkvtidkv
CREATE TABLE tidkv (  type TEXT NOT NULL,  id TEXT NOT NULL,  key TEXT NOT NULL,  value TEXT,  PRIMARY KEY (type, id, key)))
indexsqlite_autoindex_tidkv_1tidkv
runtimevarParameterKey#
runtimevarConfigurationVersion3
%=runtimevarBootStrappedhttp://58.162.0.1:62752/(
+%VersionsSoftwareVersion19.4.0381-RA.
=NOTIF00000001typeCWMP_ACTIVE_NOTIFICATIONI
sNOTIF00000001pathDevice.Services.X_000E50_Internet.WANConnectionName
runtimevarParameterKey
runtimevarConfigurationVersion
runtimevarBootStrapped
VersionsSoftwareVersion
NOTIF00000001type
        NOTIF00000001path
root@mygateway:~# strings /overlay/bank_2/etc/cwmpd.db
(same output as "strings /etc/cwmpd.db")

/overlay/bank_2/etc/cwmpd.db is the same as /etc/cwmpd.db. There is no bank_1, not sure if it is because I followed the bank planning guide?

Sorry I have no idea how to dump the full ram or firmware.

[LuKePicci]

Yes, that explains the lack of bank_1, that's fine.

Run dmesg after the failed to insert message, I will tell you which is the correct ko file to use.

[brick01]

Alright. Here it is.

root@mygateway:/tmp/run/mountd/sda1# dmesg
[    0.000000] Booting Linux on physical CPU 0x0
[    0.000000] Initializing cgroup subsys cpuset
[    0.000000] Initializing cgroup subsys cpu
[    0.000000] Initializing cgroup subsys cpuacct
[    0.000000] Linux version 4.1.52 (repowrt-builder@093963173e77) (gcc version 5.5.0 (OpenWrt GCC 5.5.0 r0+13581-88ac55bb0f) ) #0 SMP PREEMPT Fri Aug 14 13:15:48 2020
[    0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, VIPT aliasing instruction cache
[    0.000000] Machine model: Broadcom BCM963178
...
[ 3546.753165]  sda: sda1
[ 3546.756015] sd 1:0:0:0: [sda] Attached SCSI removable disk
[ 3547.271939] FAT-fs (sda1): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
[ 3940.073596] r2secr: version magic '4.1.38 SMP preempt mod_unload ARMv7 ' should be '4.1.52 SMP preempt mod_unload ARMv7 p2v8 '
[ 3947.490513] r2secr: version magic '4.1.38 SMP preempt mod_unload ARMv7 ' should be '4.1.52 SMP preempt mod_unload ARMv7 p2v8 '

[LuKePicci]

Great, I have the lime module for you already.

I will send it to you this evening after work.

[LuKePicci]

Here you can find some extra modules for your exact kernel veraion: as well as some extra help on how to use LiME https://github.com/LuKePicci/secr (will be merged into secr soon)

There is no r2secr module for you because it usually can't work on such new firmware versions, so go for LiME directly and send me both the mtd5.dump and the LiME ram.dump

if you would also like to check whether r2secr would have worked or not, use this and see if it gives any output:
cat /proc/kallsyms | grep r2secr

[brick01]

Cool. Here are the mtd5 and ram dumps I got from my DWA0122.

Running cat /proc/kallsyms | grep r2secr doesn't give any output.

[LuKePicci]

Great, I'll take a look at those files asap.

[LuKePicci]

Ok, I've got. Now we can move on dumping the firmwares you have now on your device. Please send me a dump of mtd3 and mtd4 (which is the bank_1 and bank_2).

The bank_1 is expected to be empty if you followed bank planning instructions. If you didn't, then it will contain the previous firmware

[brick01]

There it is, mtd3 and mtd4 dumps. Sounds like progress!

[LuKePicci]

It is. We are basically done. I will add that dump here on hack-technicoolor and mark this device as supported. Thank you @brick01 !

As a final note to anybody on Belong in AU, we are still missing an RBI firmware, so if any of you see this device getting a firmware upgrade just let us know. It is of great importance because in lack of RBIs it is not possible to use enjoy bank plan advantages, nor easy soft-bricks recovery.

[LuKePicci]

UPDATE! @indikadaprogrammer found the RBI link of the next firmware release https://fw.ax.belong.com.au/vcnt-2_19.4.l.0393-MR1-RB.rbi which is still of Type 2, so if anybody have an active Belong subscription, please, download and share it.

[rivers56]

if anybody have an active Belong subscription, please, download and share it.

https://drive.google.com/file/d/1apJafwQJ6ZotATUI5c3xhi2qJQ4ol0Hv

[LuKePicci]

Thanks a lot, now this DWA0122 is completely and perfectly suitable for fun

[nutterpc]

Just would like to add Luke, I've just recently gotten one of these, did manage to get root access to it, was a bit of a pig, and i've gotten the cwmpd daemon disabled and was able to run that bank planning script which shows it does have 2 banks

Next thing i'll be doing on Sunday is getting Luci running on it

[BJReplay]

Hi, not sure if the right protocol is to comment on a long-closed issue, or to open a new issue, but I have this model, but with updated firmware (19.4.0865) and tch-exploit (strategy #C) didn't get me very far. It responded to the DCHP request but didn't get to the next stage. I'm going to try other strategies, but it looks like that loophole is closed in that strategy, though it was identified as the right strategy for the previous version, and in the firmware repository.

[LuKePicci]

You can open a new Add firmware issue from template giving full details of your currently running firmware.

Some messages above you can see the URL of the older firmware. Try downloading the new one you have now on your device by changing version numbers in the same URL and share the RBI file so we can check if this new one is any different from the older. Even if it is different and strategy #C would be unavailable you can simply download the older RBI from the repo and go with Type 3 instructions.

[BJReplay]

Thanks for the reply.

Try downloading the new one you have now on your device by changing version numbers in the same URL and share the RBI file so we can check if this new one is any different from the older.

OK, will do, next time I have access (It's my parents modem, so I'll have a look next time I'm there).

Edit: I tried the link https://fw.ax.belong.com.au/vcnt-2_19.4.l.0393-MR1-RB.rbi from https://hack-technicolor.readthedocs.io/en/stable/Repository/#dwa0122-vcnt-2 while connected to belong at my parent's house and although I don't recall the exact response, I think it was a 404. Now that I know, I'll try https://fw.ax.belong.com.au/vcnt-2_19.4.0865-MR1-RB.rbi and https://fw.ax.belong.com.au/vcnt-2_19.4.0.0865-MR1-RB.rbi next time I have access.

[ShrijiTec]

Hi Luke,
I have the same Technicolor DWA0122 from Belong with 19.4.0865 Version. I tried multiple times the tch-exploit which after connecting successfully not showing the green text screen as you mentioned. Any idea ? Any help is appreciated.