TG799VAC-XTREME-17.2-MINT
Request for add VPN card in ansuel/tch-nginx-gui
I notice the VPN card... Can we include this in the main GUI? Or also the Telstra theme?
Sure, that's fine @Ansuel.
I see you do not have the CWMP tab either; is it something you chose not to include, or do you want info for adding this tab too?
CWMP is present in one of the latest cards.
We will need to port openvpn to most of the modems as they don't have it on them.
On 5 Oct 2018, at 7:54 pm, Francesco M [email protected] wrote:
CWMP is present in one of the latest cards.
Oh, you are right @FrancYescO. This is my current setup.
Tried to install openvpn without any luck; openvpn requires the kmod-tun package, and when I try to install this package I get this error msg:
satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-tun: * kernel (= 3.3.8-1-3e727c51e42e8034f8ada81e0e9fe681) *
Edit: Wait, I will be back later about openvpn; it seems I got it working. I will try to fix a tab for openvpn.
Have you guys fixed the VPN card yet? Maybe I misunderstood last time and thought you just wanted the card for VPN, sorry.
I have played with the router for a few days and I remember you asked about this, so I compressed all files that are probably needed for the VPN card.
My router also has CLASH and other features you guys are missing. I checked the decompressed dir from @ansuel and I got some cards you seem not to have (or maybe you just didn't include them); let me know if you want them too for your GUI file, I can create a list when you have fixed VPN. We don't download the firmware (rbi) file the same way on VBNT-H it seems; we must use clash to download this file and then create a backup with sysupgrade -b. I figured this out after 100000 hours.
VBNT-H USERS THAT MIGHT BE READING THIS:
BE VERY CAREFUL WITH THIS IDIOT METHOD. IF YOU DON'T HAVE AN RBI FILE AS A BACKUP THEN YOUR DEVICE MIGHT BE BRICKED, FOREVER
To find a lot of passwords, firmware and temp files I did this:
- Factory reset your router
- Get a root shell as usual via nc or autogui
- ASAP !!!! ASAP !!! As soon as you are connected, rename /bin/rm > /bin/rm2 and /bin/reboot > /bin/reboot2 for ~1 minute and 30 seconds, then you must rename them back before your router reboots, otherwise you will get into real problems! Key files and everything in /proc do not need to be cracked; they are stored there since they can't be removed, also A LOT of settings in /tmp that only exist for ~2 minutes after a reset. I also tried to rename /dev/null > /dev/null2 temporarily after a reset; this only gave me a lot of .jar files for all kinds of logs I had never seen before (I usually do not play with devices like this by renaming binaries, but this was my last hope :P), also the bootlog and such weird things I found when I removed null. BUT DON'T DO THIS IF YOU DON'T WANT TO RISK YOUR DEVICE, MANY BINARIES USE /dev/null TO WORK PROPERLY. I had real problems getting into the shell again, but after a few hours I finally could get access again, so my device survived this time ^^
The result of doing this will be:
You will find your ISP password in plaintext in /tmp/tmp
You can get all configuration files in /tmp named: dl-config-1u309ruq3oifr2q980ufrqjfh3fjh90q8fjqujfqujfq. Around 10 such files will be created until it reboots after a reset (all these files won't be deleted since the rm command is gone).
And there is a lot more stuff that won't be deleted; there are some unreadable files in the / dir as well when you remove the rm command, also you will find all keys in the /proc folder without any cracking needed. You will also find plain passwords for DLSCONFIG and some more settings I have never seen before (I don't know what this is for yet) and some other passwords in plaintext and probably much more; at least on VBNT-H this works very well.
If you don't wanna use my idiot method of deleting binaries, use a loop. I did this first, but I needed to reset the router so many times and my patience is so bad, so the above method went much faster than when I did a factory reset like 100 times to figure out which files are being created and deleted; some only exist for a second or even less, like all cwmpd files, around 10 such files will be created and deleted: '/tmp/cwmpd.ahaufa'. There are really many files that are created and removed after a factory reset until the first auto reboot after 2 minutes; at least VBNT-H reboots after 2 min when you have done a factory reset, that's why I tried this. First I used the commands below to log everything without risk of harming the device:
while :; do cat /tmp/dl-* >> dl-configs.txt; sleep 1; done
while :; do cat /tmp/tmp/* >> random2-configs.txt; sleep 1; done
while :; do cat /tmp/-* >> random-tmp-configs.txt; sleep 1; done
while :; do cat /tmp/cwmpd-* >> cwmpd-configs.txt; sleep 1; done
... and so on
I also used a while loop on the ps command to figure out how to launch all commands, and this is how I finally figured out I was forced to use /usr/bin/clash-upgrade-wrapper to get the RBI file, which has a random name, not a name like telia-tg799vac.rbi; it was named 96f4fbf294a13f05bd5bc3f1469d13de.
And then I am able to flash the router FINALLY !!!!! in the clash shell. There are a lot of clash scripts in /usr/lib/lua; this is clash if you guys don't have it on your firmware. I just type clash and then I join another shell with the options in the picture:
/usr/bin/clash-iptables-wrapper
/usr/bin/clash-coredump-wrapper
/usr/bin/clash-logread-wrapper
/usr/bin/clash-mptcpkpi-wrapper
/usr/bin/clash-showinfo-wrapper
/usr/bin/clash-tcpdump-wrapper
/usr/bin/clash-upgrade-wrapper
Also I have many more folders in the lib directories that I never tried to use, so it would be cool to get help enabling all this since they are not enabled in my default setup anyway.
# ls /usr/share/transformer/mappings/
bbf clash device2 igd rpc uci
In the bbf folder I have MANY .map files as well, like: X_000E50_SmartControl.map, X_000E50_ngwfdd.map, Cellular.Interface.X_000E50_Upgrade.map.
There are very many binaries on my router that are not being used; maybe they are for a new version or something. They are not in use when I run lsof, at least.
I was also able to restore deleted files that were deleted before nginx had been started or before I could log in on the router and rename the binaries (maybe some boot files or something, I didn't check all files yet ;P), by typing:
lsof +L1
Output:
lua 6572 root 10u REG 0,14 42148 0 52767 /tmp/tmp/etilqs_JNW0EFhWVeQtCq8 (deleted)
lua 5104 root 17u REG 0,14 42148 0 52767 /tmp/tmp/wtilqs_p3wrEFhW2432q8 (deleted)
Restored the files by:
cp /proc/6572/fd/10 /root/etilqs_JNW0EFhWVeQtCq8
cp /proc/5104/fd/17 /root/etilqs_wtilqs_p3wrEFhW2432q8
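Generalising the manual lsof +L1 / cp /proc/PID/fd/N recovery above into a small collector, as an added example that is not part of the thread: it scans /proc for descriptors whose target is marked "(deleted)" and copies the still-open content out, the standard forensic trick for any artifact a process unlinks while it keeps running. The function name and the output naming scheme are mine; it assumes a Linux /proc and a BusyBox-compatible sh, and needs no lsof.

```shell
#!/bin/sh
# Added example (not from the thread). An unlinked file stays readable through
# the /proc/<pid>/fd/<n> magic link for as long as some process holds it open,
# which is exactly what "lsof +L1" lists; this walks /proc directly instead.
# Assumes Linux /proc; BusyBox sh is enough.
# Usage: recover_deleted_open_files OUTDIR [PID]   (omit PID to scan all pids)
recover_deleted_open_files() {
    outdir=$1
    pids=${2:-$(ls /proc | grep -E '^[0-9]+$')}
    mkdir -p "$outdir" || return 2
    count=0
    for pid in $pids; do
        for fd in /proc/"$pid"/fd/*; do
            # Unreadable fd dirs (other users' processes) leave the glob
            # unexpanded; -L checks the link itself without following it.
            [ -L "$fd" ] || continue
            target=$(readlink "$fd" 2>/dev/null) || continue
            case $target in
                *' (deleted)') ;;          # unlinked path that is still open
                *) continue ;;
            esac
            # Regular files only: deleted sockets/pipes are reported the same way
            [ -f "$fd" ] || continue
            orig=$(printf '%s\n' "$target" | sed 's/ (deleted)$//')
            dest="$outdir/${pid}_fd${fd##*/}_$(basename "$orig")"
            if cp "$fd" "$dest" 2>/dev/null; then
                count=$((count + 1))
                printf '%s -> %s\n' "$target" "$dest"
            fi
        done
    done
    # Exit status tells the caller whether anything was recovered
    [ "$count" -gt 0 ]
}
```

Run it as early as possible after boot: once the holding process exits or closes the descriptor, the inode is gone for good.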
Ahh anyway, just wanted to explain in case someone has a VBNT-H and wants to download the firmware file :P
Let's start with the VPN card now since I probably misunderstood last time:
You can download all default l2tp files here: https://nr1.nu/f/tg799-v3/archive/tg799-vpncard-2019-04-16.tar.gz
I'm not 100% sure ALL required files have been added since I am not as involved as you guys with this router, but I searched for all files that contain vpn + l2tp in the filename and added them all. Hopefully the tarball is complete, otherwise just let me know which files you need and I will upload them too.
Link dead. Btw, if you just confirm that these firmwares https://github.com/wuseman/TG799VAC-XTREME-17.2-MINT/blob/master/firmware/telia-tg799vac-rbi-16.2-17.2.zip are the latest (or at least where the VPN was working) we can use these as a starting point.
I see, let me find that file; it's moved to another dir I believe, back in a few.
I must have misspelled that filename since it's 17.2 that has the VPN card. I can give you the entire setup; I also have all keys and sources for the bootloader. I made a copy the first minute I started the router and I also did a realtime backup the first time I plugged in the eth0 cable, and I got everything this way. I don't remember exactly all files that were included in that dead link; maybe it's better to just upload everything in a zip file. I don't care at all since they blocked me at Telia after my wikis (blocked from getting a new router, not as a customer).
I have everything: uboot.img, all keys from proc and such things, also the main password that is being used for all routers. I'm not very involved anymore because I can't get into my current router after the upgrade :( (yet; I'm working almost every day to find a way :P)
But if you know which files they are I can just sort them out and zip them as well, if not all files are needed.
Anyway, is it possible to download the rbi file without being connected to the router via shell? I tried spoofing my IP and that doesn't work either; nothing works on this firmware I have now, 17.2.0405-1441010-20181017112915 VANT-W. I found a way to list root files if you plug a USB into the router, but never found a way to execute the commands. And btw, the old exploit with the nc command in the ping field might work, I am still working on it; if you cut every character it works..
Like: 1.1.1.1[space]-e is not allowed, but if you do .1.1.1.1.-e.1337. it works, but it does not accept the slash which is required for /bin/bash at the end of the command.
We are not allowed to enter the logviewer on our firmware, but if you change <a href="/gateway.lp" to <a href="/modals/logviewer-modal.lp" you will be able to see all the syslogs they are sending to a server that belongs to the ISP. I can see all keys in this log but I can't download the files it seems; this will give you a lot of info about what's going on. But you must be quick, otherwise they are gone fast, so exactly when the router is started the first time, just enter 192.168.1.1/modals/logviewer-modal.lp and everything is in plain text, keyfiles and such things..
Maybe you knew this already; however, maybe it helps someone that is curious.
Aug 29 06:42:00 user.notice assist.remote -t filter -D input_rule -p tcp --src 131.116.67.192/26 --dst --dport -j ACCEPT
Aug 29 06:41:59 user.notice warmboot reason:0 0:PWR
Aug 29 06:41:59 kern.warn kernel [ 99.916000] netlink: 20 bytes leftover after parsing attributes.
Aug 29 06:41:58 daemon.info transformer[5874] async run: /etc/fwdassist.sh
Aug 29 06:41:58 daemon.info cwmpd[6848] PROT_TRACE: > Download Response
Aug 29 06:41:58 daemon.info cwmpd[6848] APP_TRACE: TRANSFER
A lot of such lines with all kinds of files they are downloading after a reset, and to find the private key they are using you must be really quick: as soon as your router has been reset it is stored in a temp file in /tmp/.dl-....... and it's there for half a second or something in plain text..
However, if I find that file I'll let you know. Anyhow, I just wanna know how I can downgrade to 17.2 again.
If you have RBI files of your old firmware you can downgrade via TFTP https://hack-technicolor.readthedocs.io/en/stable/Recovery/#flashing-the-firmware
If you flash (downgrade to) a rootable firmware you can use the bank planning procedure to upgrade to the latest, pre-rooting it https://hack-technicolor.readthedocs.io/en/stable/Hack%20Type%201&2/#bank-planning-with-firmware-upgrade
Or, it will probably be faster if you install tch-nginx-gui and then do an upgrade with the reset config and root-only flags.
Getting RBI files without stealing them from the modem is all up to your ISP and how it has configured ACL and access to the firmware repository, but a common ACL is to just limit all IPs outside their network, so only a Telia customer could guess and download a Telia firmware https://github.com/kevdagoat/hack-technicolor/issues/42#issuecomment-529215720
PS. In your comment you are talking about VANT-W. Here https://github.com/wuseman/TG799VAC-XTREME-17.2-MINT/issues/3#issuecomment-483492530 you are warning about VBNT-H.
I'm a little confused about the right naming and board name of the device(s?) we are talking about.
Link dead. Btw, if you just confirm that these firmwares https://github.com/wuseman/TG799VAC-XTREME-17.2-MINT/blob/master/firmware/telia-tg799vac-rbi-16.2-17.2.zip are the latest
These RBI are for VANT-R.
If I remember correctly, @wuseman started playing on VANT-R (Telia's 799vac) a long time ago, then he moved to the VBNT-H (Telia's 799vac Xtream, not "xtreme") which he bricked; now he's mentioning a VANT-W, but I suggest you check further, maybe it's just the family ancestor name for its VBNT-H.
We have RBIs for both VANT-R and VBNT-H. I don't have any for VANT-W.
Every VANT-R firmware I have seen so far has open SSH root access from WAN, with varying restrictions on IPs, ports and VIDs. I guess VBNT-H is the same, just check.
Yes, exactly like that @LuKePicci. I have the password for the ACS; this secret password can be found if you hack your router and are quick enough to get into the router the first time you start it from factory. It is stored in /tmp/dl-config-3662336465363464316232613330323838336662356433383466313536663437 for a few seconds, then it gets removed (there are many such files with all rules), but I don't know how I can download firmware without being connected to the router.
And btw, I can see everything the router is doing by:
- Right click on any card when you are in /gateway.lp
- Change modal/anything.lp to logserver-modal.lp
Now I can see all keys and such, but when I am trying to download the files like TSBOOT.jar and all these it just gets disconnected after a while:
reboot off
add mwan rule
set mwan.@rule[-1].src=lan
set mwan.@rule[-1].dest_ip=194.22.195.0/24
set mwan.@rule[-1].policy=iptv_only
/etc/init.d/mwan reload
reboot off
add_list osgi_apps.apps.install=telia-zone
reboot off
add mwan rule
set mwan.@rule[-1].src=lan
set mwan.@rule[-1].dest_ip=81.236.63.98
set mwan.@rule[-1].policy=iptv_only
/etc/init.d/mwan reload
reboot off
set osgi.@bundle_url[0].url=http://131.116.22.230/repo/osgi5_17_2/TSBoot.jar
set osgi.config.enabled=1
set osgi.config.log_enable=1
set osgi.config.boot_interval_min_timestamp=01:00
set osgi.config.boot_interval_max_timestamp=05:00
/etc/init.d/osgi stop
/etc/init.d/osgi start
reboot off
I have the command keys too, but the question is how I can get the firmware; I don't even know the name of the rbi file :(
I'm working almost daily to find a way to get into the new firmware :P
password_dslfconfig=973cc8a0b4c80a1a7efa0ac8842737774 password_dslfreset=cf1ac5d83c5c1bdeb52a23ae2142eb82
What is this password_dslfreset for?
And what are these URLs: cwmpd.cwmpd_config.connectionrequest_url='http://10.144.236.176:51005/fwIKCQazWIkpziPW'?
I have ALL files; I removed the rm command on my old router, so when it autorebooted I was busted, but I found all passwords in plain text :P
Also: /usr/bin/wget http://127.0.0.1:55555/ra?remote=on_permanent__<hidden_password> -O /dev/null, what is this for? Can I do something with all these without being connected to the router?
I have all the files above since my old router; I am just curious how I can download them today with my new router, since in the logviewer, if you edit the source code and change it to logviewer-modal, I see them. And how do you guys figure out the firmware name? Btw, when I change it to system-modal.lp instead, then I get redirected to the login page again.
I have gone through ALL files including all .jar and .dex files without finding anything that could give me a hint what the rbi file name is; I even extracted uboot.img without finding anything.
Many questions now =)
First, you need a WAN connection to the management VLAN. The VID is the usual one, 254; the MAC address has to be set properly; the IP is retrieved by DHCP.
Second, you need a static route for any management host that explicitly says you want to go out on the management WAN. Of course, if you temporarily set up a gateway with such a connection ONLY, it will be the default one.
Third, firmware URLs from Telia are usually in the form http://131.116.22.230/XYZBMT.rbi; let me show you an example: 17.2.0339-1441018 for VBNT-H
| symbol | meaning | value |
|---|---|---|
| X | major version number | 17 |
| Y | minor version number | 2 |
| Z | build version number (w/out leading zeroes) | 339 |
| B | last char in board name | h |
| M | build version mask | 1441018 |
| T | telnet/shell availability | closed |
These naming conventions are from Telia only; they are free to change them whenever they want.
Fourth, do not get confused by the different remote management frameworks Telia implemented. I see OSGi is implemented, CWMP of course, etc... The Java stuff is OSGi related; it is something the gateway sends to the OSGi management server. The jar package contains the necessary applet to give the management server enough knowledge about how to properly manage your gateway. The connection request part is related to CWMP, and this, in particular, is of no use. Even if I knew your secret random CR token I could do nothing to your gateway. Usually CR ports are firewalled by the ISP, but the worst thing I could do knowing your secret CR endpoint credentials is to force your gateway to initiate an on-demand remote management session with Telia's ACS. Every CWMP management session is initiated by the gateway on some event (bootstrap, boot, value change, async task completed, periodic, connection request, etc.).
Finally, I usually see SSH access is already open from the WAN side on the Telia firmwares I have looked in so far. Just set up your network environment properly and try to get in.
Oh okay, I will try that. Btw, I made a video before I saw your reply: https://nr1.nu/teg799.gif < this must be possible to bypass?
I will try to set up the network and we'll see how it goes.
It's on the management WAN side, actually. In case the VLAN is no longer on VID 254, just let the gateway connect to your DHCP server via the eth WAN port, then sniff for packets belonging to a different VLAN and check the correct VID.
Ok, I will try and let you know how it goes.