FIOS-G1100
General Discussion
Use this thread for brainstorming and talking
Can you write more about config encryption? I also have a backup encrypted with AES but I can't find a key. Here is a link to my post
That's likely implementation specific. The encryption on this router actually has multiple encryption layers (although the algo and key are the same for both layers). Unfortunately I'm not particularly great with assembly and had to get someone else to help out with static disassembly of the encryption scheme for the decryption script.
Well ok, tnx for sharing your stuff with the rest of us, cheers
Well, some good news: I got a GenieACS server set up. Now I just have to enable SSH, then maybe get a NAND dump if I have the right equipment. My UART cable broke a few months back though.
If anyone knows how to do it via dd, let me know.
@Brandonv101 Armorview PL2303HX USB To TTL To UART RS232 COM Cable Module Converter https://www.amazon.com/dp/B008AGDTA4/ref=cm_sw_r_cp_apa_BMDlzbFP0FZ6G
also, dd if=/dev/kmem of=<usb flash drive mountpoint>/dump
should dump to a flash drive
@The5heepDev Thanks I will be giving that a try either tonight or tomorrow if I have enough time.
@jameshilliard Thanks to your script I finally got the config file decrypted! Well I am completely lost at this point. Would you be able to tell me where I can find the tr-069 server address and disable the SSL check? Also GenieACS is giving me some problems so I am going to have to find another way.
@Brandonv101 The tr-069 address is in the config file, you just edit the url from https to http I think and change it to point at your ACS server.
@jameshilliard Thanks again just asking I hope I found the right thing here: { "type": "string", "value": { "value": "https://cpe-ems3251.XXXX.com/cwmpWeb/CPEMgt" }, "name": "net.tr69_client.management_server.url"
I blocked out the Verizon part of the URL just so they don't notice and patch this right away.
@Brandonv101 replace the Verizon part with your tr-069 server
@jameshilliard So I now have everything set up except the configuration file. Would you be able to provide where python3 dumps the file and if it dumps as a bin? I ran gwdecrypt and it gave me a text file named -v. I tried to encrypt the file and it's not showing up.
You would do something like this to decrypt:
python3 gwdecrypt.py configfile.bin configfile.json
Then edit the json file and re-encrypt:
python3 gwencrypt.py configfile.json configfile.bin
Then upload to the router.
@jameshilliard Ok thanks let me give that a try.
@jameshilliard Something doesn't seem right. So I got the firmware file uploaded to the router but it isn't showing up in GenieACS.
Do I need to edit anything else listed below? Like a username or password?
Edit: Correctly formatted here https://pastebin.com/R1nXZY4G
"name": "net.tr69_client.management_server.url", "value": { "value": "http://192.168.1.226:7547" }, "type": "string" },
{ "name": "net.tr69_client.management_server.forced_default_url", "value": { "value": "" }, "type": "string" },
{ "name": "net.tr69_client.management_server.username", "value": { "value": "" }, "type": "string" },
{ "name": "net.tr69_client.management_server.password", "value": { "value": "" }, "type": "string" },
{ "name": "net.tr69_client.management_server.connection_request.port", "value": { "value": "7547" }, "type": "unsigned integer" },
{ "name": "net.tr69_client.management_server.connection_request.path", "value": { "value": "cc91db8-efba-4daf-82e8-8a1c13e56fc9" }, "type": "string" },
{ "name": "net.tr69_client.management_server.connection_request.url", "value": { "value": "http://:7757" }, "type": "string" },
{ "name": "net.tr69_client.management_server.connection_request.username", "value": { "value": "X3B3X6YadbjlBwCwqXho8YdMQuLPaQXA5g4bxvMGDuzyGBXm" }, "type": "string" },
{ "name": "net.tr69_client.management_server.connection_request.password", "value": { "value": "X3B3X1Xio1Zbk5Z4d4mzTF7n" }, "type": "string" },
{
@Brandonv101 Yes, you need to make sure the username and password matches the GenieACS settings.
@jameshilliard Sorry to bother you again, I am completely lost here: http://imgur.com/a/rGnn6
How do I send the getParameterValues with GenieACS to achieve an SSH shell?
@Brandonv101 I think you can just use curl with the GenieACS server. You should first make sure the router shows up in the ACS web interface.
@jameshilliard Thanks again I am working on getting it to show up in the web UI first then I will try curl.
@The5heepDev @jameshilliard My firmware version: v01.04.00.10. I backed up the configfile, then modified it. I uploaded the new configfile and the Fios rebooted, but I found other values are modified except "net.tr69_client.management_server.url", so getting a root shell failed. Is there another way to dump the flash?
@NimdaKey What do you mean by "other values are modified"? Are you pointing it at your own ACS server? Only other way I know of would be to read the flash memory directly.
"net.tr69_client.management_server.url" => "value": "http://192.168.1.12:7547"
"net.tr69_client.device_info.software_version" => "value": "01.04.00.10" //original value: 01.03.01.00
But I downloaded the changed configfile and decrypted it. "net.tr69_client.device_info.software_version" still keeps the changed value, but "net.tr69_client.management_server.url" changed back to "https://secure.acs.frontier.com".
Hi,
Thanks a lot for posting your decrypt/encrypt scripts. I figured I'd use them to turn off tr-69 on my G1100 by:
- Decrypting configfile.bin to json
- In the json file, changing the following value from 1 to 0:
{
"name": "net.tr69_client.enable",
"type": "boolean",
"value": {
"value": "1"
}
},
- Re-encrypting and uploading the new configfile.
However, as a test I first tried decrypting and re-encrypting with no changes, and got very different file sizes:
$ ./gwdecrypt.py configfile.bin configfile.json
$ ./gwencrypt.py configfile.json configfile_new.bin
$ ls -l
total 592
-rw-r--r-- 1 spaine spaine 262316 Aug 5 15:51 configfile.bin
-rw-r--r-- 1 spaine spaine 161192 Aug 5 15:52 configfile.json
-rw-r--r-- 1 spaine spaine 165100 Aug 5 15:53 configfile_new.bin
-rwxr-xr-x 1 spaine spaine 1700 Aug 5 15:51 gwdecrypt.py
-rwxr-xr-x 1 spaine spaine 1688 Aug 5 15:51 gwencrypt.py
$
So I'm thinking some information got lost, and worry I could brick the router by uploading the modified file. Any ideas? My router firmware version is 01.04.00.12.
Thanks
@snpaine Different size is expected and shouldn't be an issue (mine had different file sizes as well), that's just due to different whitespace encoding for the json.
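An added example, not part of the thread or of the gwdecrypt/gwencrypt scripts: comparing two decrypted configs by setting name instead of by file size. It covers both the whitespace-only size difference discussed here and the earlier report of the router reverting the management server URL after an upload. The sample entries and the top-level list layout are constructed, and setting names are assumed to be unique.

```python
import json

def named_settings(node, out=None):
    """Collect {"name", "type", "value": {"value"}} entries at any nesting depth."""
    if out is None:
        out = {}
    if isinstance(node, dict):
        name, value = node.get("name"), node.get("value")
        if isinstance(name, str) and isinstance(value, dict) and "value" in value:
            out[name] = (node.get("type"), value["value"])
        for child in node.values():
            named_settings(child, out)
    elif isinstance(node, list):
        for child in node:
            named_settings(child, out)
    return out

def diff_configs(before_text, after_text):
    """Return {name: (before, after)} for settings that differ; whitespace is ignored."""
    before = named_settings(json.loads(before_text))
    after = named_settings(json.loads(after_text))
    return {name: (before.get(name), after.get(name))
            for name in sorted(before.keys() | after.keys())
            if before.get(name) != after.get(name)}

def sample(url, indent):
    """Constructed sample config; the top-level list is an assumed layout."""
    return json.dumps([
        {"name": "net.tr69_client.management_server.url", "type": "string",
         "value": {"value": url}},
        {"name": "net.tr69_client.device_info.software_version", "type": "string",
         "value": {"value": "01.04.00.10"}},
    ], indent=indent)

if __name__ == "__main__":
    edited = sample("http://192.168.1.12:7547", "\t")      # tab-indented
    round_trip = sample("http://192.168.1.12:7547", 4)     # space-indented
    read_back = sample("https://secure.acs.frontier.com", 4)
    # Sizes differ, settings do not.
    print(len(edited), len(round_trip), diff_configs(edited, round_trip))
    # Only the setting the device changed is reported.
    for name, (old, new) in diff_configs(edited, read_back).items():
        print(name, old, "->", new)
```

To use it on real files, pass the text of the original decrypted JSON and the text of the JSON decrypted from the re-encrypted or re-downloaded configfile.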
@jameshilliard Thanks-- the differences were indeed just tabs vs. spaces as you said, and I've managed to go through a few cycles of changing / confirming settings without problems.
Unfortunately, changing net.tr69_client.enable from 1 to 0 doesn't seem to make a difference-- I can still access the router when logged into my account at Verizon. Either the firmware ignores this setting, or this setting doesn't affect remote admin access in the way I expected.
@snpaine Yeah I don't think I changed that setting, I changed the settings to point it at my own tr69 server.
If the router firmware is open source, why not add and/or remove features? We should be able to attach devices (storage, printers, etc.) via USB 3.0 and access them from computers on the network. We should be able to use OpenVPN configurations and block advertisements before they download on the entire network. We should be able to change the channels of the wireless network to a DFS channel, they aren't listed, but the router can choose a DFS channel if it wanted to. We should be able to change the channel width and enable or disable the DFS channels. The Fios Network Extender has some of these features, but the Gigabit router does not.
@Stellarspace The network extender could be different hardware. Although we need someone to get a NAND dump so we can start working on the firmware.
Anyone tried making port forward rules via config mod? I'm trying to make one where the source ip for the port forward is included since the current GUI does not let you restrict port forwards by ip. (Was IP Filtering in older model).
Any tips for extracting the firmware once decrypted?