FIOS-G1100 icon indicating copy to clipboard operation
FIOS-G1100 copied to clipboard

Published 20 hours ago verified publisher icon ozwaldorf

ACS hack for CR1000A model

Open rchen14b opened this issue 2 years ago • 7 comments

Hi,

I'm trying the ACS way to enable SSH on another FIOS router model CR1000A. Since that model config is using another encryption method and there is not a way to decrypt that yet. Is that possible to spoofing the Verizon CWMP address with a local host ACS server?

rchen14b avatar Feb 06 '23 00:02 rchen14b

Is that possible to spoofing the Verizon CWMP address with a local host ACS server?

Well for the G1100 I had to edit the config to use a local ACS address without SSL, otherwise the router would reject the ACS server as SSL certificate validation would fail when I tried to MITM the ACS connection. If the CR1000A is similar probably have to also disable SSl for it to work.

jameshilliard avatar Feb 06 '23 01:02 jameshilliard

Thanks for the clarification. Looks like the only way is to decrypt the config. Are there any method the check what kind of encryption the config is using? CR1000A using a .cfg config.

rchen14b avatar Feb 10 '23 14:02 rchen14b

Not sure if this may help but according to an Reddit thread there's a hidden firmware update page and debug page https://[Router_IP]/#/firmware_upgrade and debug page here https://[Router_IP]/cgi/cgi_basic.js

Thread: https://www.reddit.com/r/Fios/comments/10szdnd/hidden_menu_on_router

If we can get a firmware image then binwalk should be able to decrypt it or tell us what encryption method it's using

Brandonv101 avatar Feb 10 '23 15:02 Brandonv101

@jameshilliard Hi, the CR1000A config is now decrypted and I have successfully added it to my genieacs server. However, I have faced two issues:

  1. When I change parameter value or refresh it from ACS web gui and I'm getting "Connection request error: socket hang up" error.
  2. I setup the TR069 username and password as test/test on CR1000A config, how can I setup it on genie ACS side? I'm running 1.1.27 version.

rchen14b avatar Mar 19 '23 14:03 rchen14b

NVM, looks like password is not required and I can just use API to push the command.

rchen14b avatar Mar 20 '23 00:03 rchen14b

@jameshilliard Hi, the CR1000A config is now decrypted and I have successfully added it to my genieacs server. However, I have faced two issues:

  1. When I change parameter value or refresh it from ACS web gui and I'm getting "Connection request error: socket hang up" error.

  2. I setup the TR069 username and password as test/test on CR1000A config, how can I setup it on genie ACS side? I'm running 1.1.27 version.

Hello, how are you able to decrypt the config? The g3100 has a similar .cfg file i'm willing to bet the same method can be used for this

superswan avatar Nov 08 '23 23:11 superswan