Skip to content

F@st 5566 SSH

up-n-atom edited this page Oct 9, 2023 · 55 revisions

F@st 5566 SSH

Prior to performing any of the following instructions, back-up your config.


Config Mods

Already applied to bellyflop3k.xml and bellyflop3k.cfg

The F@st 5566 start config requires a single mod to the root and/or admin user accounts for SSH access.

Enable SSH

Enable SSH access on the LAN interface.

<RemoteAccesses element-count="1" new-id="2">
	<RemoteAccess uid="1" Service="SSH">
-		<LANRestriction>ACCESS_DISABLE</LANRestriction>
+		<LANRestriction>ACCESS_ENABLE_ALL</LANRestriction>

Restore Config

Use web UI

Restore using bellyflop3k.cfg; When asked for a password, enter: admin.


SSH will use the root password stored in /etc/passwd for 1st access ie. root

upnatom@belfast:~$ sshpass -p 'root' ssh root@

Semi-Permanent SSH

bellyflop3k.cfg exploits the start config or /opt/squashfs/etc/start-cfg.xml to gain SSH access via restore, and in doing so, overwrites the generated settings retrieved from the permanent parameters.

To keep SSH enabled and also the generated settings, one needs to exploit the restore script.


Copy all the required files from the read-only fs over to the overlay fs.

root@mynetwork:~# cp /opt/squashfs/etc/start-cfg.xml /opt/filesystem1/rootfs/etc/
root@mynetwork:~# cp /opt/squashfs/etc/init.d/check_restore_default /opt/filesystem1/rootfs/etc/init.d/


Use vi

Re-enable SSH for both root and admin user accounts in /opt/filesystem1/rootfs/etc/start-cfg.xml

upnatom@belfast:~$ vi /opt/filesystem1/rootfs/etc/start-cfg.xml
--- /opt/squashfs/etc/start-cfg.xml
+++ /opt/filesystem1/rootfs/etc/start-cfg.xml
@@ -7620,7 +7620,7 @@
-              <LANRestriction>ACCESS_DISABLE</LANRestriction>
+              <LANRestriction>ACCESS_ENABLE_ALL</LANRestriction>
             <RemoteAccess uid="2" Service="HTTP">
@@ -7670,7 +7670,7 @@
-                             <LANRestriction>ACCESS_DISABLE</LANRestriction>
+                             <LANRestriction>ACCESS_ENABLE_ALL</LANRestriction>

Prevent /opt/filesystem1/rootfs/etc/init.d/check_restore_default from removing /opt/filesystem1/rootfs/etc/start-cfg.xml

upnatom@belfast:~$ vi /opt/filesystem1/rootfs/etc/init.d/check_restore_default
--- /opt/squashfs/etc/init.d/check_restore_default
+++ /opt/filesystem1/rootfs/etc/init.d/check_restore_default
@@ -19,7 +19,7 @@
        if [ -f $SYSCONF_DIR/conf_erased ]; then
         cp $SYSCONF_DIR/scratchpad /opt/data/scratchpad
        rm -fr $SYSCONF_DIR/* 2> /dev/null
-        find /opt/filesystem2/rootfs -type f | xargs rm -f
+        find /opt/filesystem2/rootfs -type f | grep -vF -e "/etc/start-cfg.xml" -e "/etc/init.d/check_restore_default" | xargs rm -f
         find /opt/filesystem2/rootfs -type l | xargs rm -f
 # to be used by mgmt-smu and removed
                  touch /opt/filesystem1/rstdone

Dump PP

It's imperative to retrieve the root password prior to a factory reset from the permanent parameters; It's stored as clear-text under VENDOR_INFO1.

root@mynetwork:~# get_pp all

Optionally, modify the root password, eg. root

Not Recommended

root@mynetwork:~# get_pp all | sed "/VENDOR_INFO1=/c\VENDOR_INFO1=root" > /tmp/pp
root@mynetwork:~# /tmp/pp
root@mynetwork:~# rm -f /tmp/pp

Factory Reset

Use the web UI whenever possible, or...

root@mynetwork:~# xmo-client -x restore-partial

Verify SSH

upnatom@belfast:~$ sshpass -p 'pp_root_password' ssh root@

Backup Gen Config

upnatom@belfast:~$ scp root@ ~/

Create restore config

upnatom@belfast:~$ gsdfcrypt -c -k 128 -p admin ~/backup-cfg.xml.stable ~/backup-cfg.cfg

Trigger TR-069

Navigate your ISP walled garden.