I have two vant-9 Technicolor 500-T Vodafone-DGA0130VDF-NZ boxes here I'm trying to unlock.
They run a custom firmware which I've been able to reverse engineer but not get code execution on.
It runs an SSH server behind iptables. I've attached some of the firmware. Any help getting code execution here would be awesome, so I can root these boxes and get something open source running on them.
Here's some more info I've gathered on the device. I'd be keen to try anything to get this unlocked.
I'd be really keen to try any ideas that anyone may have. We have a heap of these in our country going to waste and it would be awesome to be able to save them from going in the trash
Does anyone know if there is a way to get code execution on this device so I can build custom firmware on it?
other firmware versions? CRF716 CRF725
http://downloads.vodafone.co.nz/ultrahub_crf731.rbi
Firmware-Version: 17.1.7875-2461002-CRF731
Productname: Vodafone Ultra Hub
Dual Core Broadcom 400MHz CPU with 256MB DDR3 RAM
DSL/WAN router
1x ADSL/VDSL (RJ-11)
3 x Gigabit Ethernet LAN (RJ45)
1 x Gigabit Ethernet WAN (RJ45)
2 x FXS for analogue phones, fax, pos (RJ11)
1 x USB 2.0
4G/3G HSPA via MBB USB stick
VodafoneTV support
Wi-Fi 11b/g/n/ac dual band concurrent: 5GHz Quantenna 4x4 MIMO and beam forming. 2,4GHz Broadcom 2x2
DSL chipset - Bcm6303
Usage: busybox [function [arguments]...]
or: busybox --list
or: function [arguments]...
BusyBox is a multi-call binary that combines many common Unix
utilities into a single executable. Most people will create a
link to busybox for each function they wish to use and BusyBox
will act like whatever it was invoked as.
Currently defined functions:
[, [[, addgroup, arping, ash, awk, base64, basename, bunzip2, bzcat, cat, chgrp, chmod, chown, chpasswd,
chroot, chrt, clear, cmp, cp, crond, crontab, cut, date, dd, df, dhcprelay, dirname, dmesg, du, echo, egrep,
env, expr, false, fdisk, fgrep, find, free, fsync, grep, gunzip, gzip, halt, head, hexdump, hostid, hwclock,
id, ifconfig, insmod, kill, killall, less, ln, lock, logger, login, ls, lsmod, lsusb, md5sum, mkdir, mkfifo,
mknod, mktemp, mount, mpstat, mv, nc, netmsg, netstat, nice, nslookup, ntpd, passwd, pgrep, pidof, ping, ping6,
pivot_root, poweroff, printf, ps, pwd, readlink, reboot, reset, rm, rmdir, rmmod, route, sed, seq, sh,
sha256sum, sleep, sort, start-stop-daemon, strings, switch_root, sync, sysctl, tail, tar, taskset, tee, telnet,
test, time, timeout, top, touch, tr, traceroute, traceroute6, true, udhcpd, umount, uname, uniq, uptime,
vconfig, vi, wc, wget, which, xargs, yes, zcat
OSCK Key: 89BCC09EABE21FA738E62E6D911FA80CAF091233ECCFF88442FAA5D7AF651A30
Encrypted data starts at 0x170
Detected board name: VANT-9
Known as: DGA0130
BoardName: VANT-9
Prodname: MediaAccess TG789Bvac
varname: TG789Bvac
/etc/shadow
root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
mosquitto:x:0:0:99999:7:::
/etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
mosquitto:x:200:200:mosquitto:/var/run/mosquitto:/bin/false
# usr_admin (`Admin`) takes password based on gateway model
# The password Vodafone specifies is their commercial product name `VFH500-t`, prefixed with `VF-NZ`.
# At time of creation, Technicolor's VANT-9 is the only Vodafone board,
# hence this file is installed from that board-specific folder.
# If more Vodafone products are to be created, more customization may be needed.
# _set_salt_verifier "usr_admin" "VF-NZVFH500-t"
It said something about a management IP VLAN (802.1Q?) on eth4 (SFP), which allows access to SSH etc.
192.168.10.2 255.255.255.0
192.168.2.2 255.255.255.0
#/*******************************************************************/
#/* Vodafone specific rules ACCEPT */
#/*******************************************************************/
# NOTE(review): this is a pasted excerpt with its indentation lost. Lines
# marked NOTE(review) are reviewer annotations, not part of the firmware file.
# Several comments and rule names below disagree with the rule's 'target';
# when auditing, read the 'target' option, not the name.
#
# References an ipset named 'trusted_network', stored as a hash and matched on
# source IP. In OpenWrt's firewall, 'external' points at a set defined
# elsewhere rather than creating one here.
config ipset 'trusted_network'
option external 'trusted_network'
option storage 'hash'
option match 'src_ip'
# Allow SSH
# NOTE(review): the comment and rule name say "Allow", but the target is
# 'DROP'. As pasted, IPv4 tcp/22 arriving on 'wan' from sources in
# 'trusted_network' is dropped. Confirm against the file on the device.
config rule 'Allow_SSH_Vodafone_wan'
option name 'Allow-SSH-Vodafone-wan'
option src 'wan'
option proto 'tcp'
option family 'ipv4'
option dest_port '22'
option ipset 'trusted_network'
option target 'DROP'
# Allow IPv4 ping from trusted networks
# Accepts ICMP echo-request on 'wan' only when the source is in 'trusted_network'.
config rule 'Allow_Ping_Vodafone_wan_Trusted'
option name 'Allow-Ping-Vodafone-wan-Trusted'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option ipset 'trusted_network'
option target 'ACCEPT'
# Allow IPv4 ping from all networks
# Same match without the ipset restriction; switched off by enabled '0'.
config rule 'Allow_Ping_Vodafone_wan'
option name 'Allow-Ping-Vodafone-wan'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
# IPv6 counterpart of the rule above; also switched off by enabled '0'.
# NOTE(review): proto is 'icmp' while family is 'ipv6'; whether this matches
# ICMPv6 echo-request depends on the firewall implementation (confirm).
config rule 'Allow_Ping6_Vodafone_wan'
option name 'Allow-Ping6'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
# Block HTTPS from LAN
# NOTE(review): the comment and rule name say "Block", but the target is
# 'ACCEPT'. As pasted, tcp/443 from 'lan' is accepted. Confirm which of the
# two (name or target) reflects the operator's intent.
config rule 'Block_HTTPS_Vodafone_lan'
option name 'Block-HTTPS-Vodafone-lan'
option src 'lan'
option proto 'tcp'
option dest_port '443'
option target 'ACCEPT'
# Allow SSH from LAN
# NOTE(review): no 'proto' or 'family' option is set, so the match is broader
# than "SSH over IPv4/TCP". OpenWrt's firewall presumably applies its default
# protocol set here (TODO confirm).
config rule 'Allow_SSH_Vodafone_lan'
option src 'lan'
option name 'Allow-SSH-Vodafone-lan'
option dest_port '22'
option target 'ACCEPT'
# Allow HTTP from LAN
# NOTE(review): as with the LAN SSH rule, no 'proto' or 'family' is given.
config rule 'Allow_HTTP_Vodafone_lan'
option src 'lan'
option name 'Allow-HTTP-Vodafone-lan'
option dest_port '80'
option target 'ACCEPT'
# Allow IPv4 ping from LAN
# NOTE(review): no 'icmp_type' and no 'family' option, so the rule as pasted
# accepts every ICMP type from 'lan', not only echo-request over IPv4.
config rule 'Allow_Ping_Vodafone_lan'
option src 'lan'
option name 'Allow-Ping-Vodafone-lan'
option proto 'icmp'
option target 'ACCEPT'
# The three includes below pull in shell scripts that add firewall rules not
# visible in this excerpt. The effective rule set cannot be judged from this
# file alone.
config include 'tod'
option type 'script'
option path '/lib/functions/tod.sh'
option reload '1'
config include 'intercept'
option type 'script'
option path '/usr/lib/intercept/firewall.sh'
config include 'remote'
option type 'script'
option path '/lib/functions/firewall-remoteaccess.sh'
option reload '1'
# Defines an enabled IPv4 ipset named 'trusted_network' (hash storage, matched
# on source IP) and gives it four single-address entries.
# NOTE(review): the firewall excerpt earlier in this post declares an ipset of
# the same name with 'external', so this stanza presumably comes from a
# separate config file that supplies the set contents (confirm).
# 'ipset_entry' is not a stock OpenWrt firewall section type; it is presumably
# vendor-specific.
config ipset 'trusted_network'
option storage 'hash'
list match 'src_ip'
option enabled '1'
option family 'ipv4'
# Static allowlist entries: each stanza adds one IPv4 address to 'trusted_network'.
config ipset_entry 'trusted_networkentry1'
option ip '202.73.206.161'
option ipset 'trusted_network'
config ipset_entry 'trusted_networkentry2'
option ip '202.73.198.161'
option ipset 'trusted_network'
config ipset_entry 'trusted_networkentry3'
option ip '116.89.224.160'
option ipset 'trusted_network'
config ipset_entry 'trusted_networkentry4'
option ip '203.144.40.160'
option ipset 'trusted_network'
# NOTE(review): these two anonymous rules use 'destports' and 'priority' and
# name 'management_udp' / 'cwmpd' as targets. They do not look like firewall
# verdict rules; presumably they come from a different config file, such as
# traffic classification (confirm the source file before drawing conclusions).
# Maps UDP destination ports 53, 67, 68, 500 and 4500 to 'management_udp'.
config rule
option target 'management_udp'
option proto 'udp'
option destports '53,67,68,500,4500'
option priority '1'
# Maps destination ports 7547 and 51007 to 'cwmpd'; no protocol is given.
config rule
option target 'cwmpd'
option destports '7547,51007'
_______ __ __ __
|_ _|.-----.----.| |--.-----.|__|.----.-----.| |.-----.----.
| | | -__| __|| | || || __| _ || || _ | _|
|___| |_____|____||__|__|__|__||__||____|_____||__||_____|__|
N E X T G E N E R A T I O N G A T E W A Y
--------------------------------------------------------------------
NG GATEWAY SIGNATURE DRINK
--------------------------------------------------------------------
* 1 oz Vodka Pour all ingredients into mixing
* 1 oz Triple Sec tin with ice, strain into glass.
* 1 oz Orange juice
--------------------------------------------------------------------
Product: vant-9_vodafone
Release: Gold (17.1)
Version: 17.1.7988-2461029-20181022011356-cc42b789f8a7d5942c548fddfea7d5a7c0aabb4d
Hash config: cc42b789f8a7d5942c548fddfea7d5a7c0aabb4d
Hash openwrt: 0b18280c71b895607da3be171d9364fac8cffda2
Hash kernel: cccbe44b4b3c45eea532b78301202ed0e12c7ae4
Hash packages: cb0b3da905a60ee9820e422ccb4b077bc11c03f3
Hash technicolor: 0fa80d604e8c6c4964c42b8734b0a0b6d74f0bfc
Hash routing: 2dc9f5ceb468d8f9bcbcb7ac0ab7719ba4e7a876
Hash lte: 63fad0a763f5b26af14fe6df7fbfe725d92574ce
Hash mindspeed: cd5df6841bf54c8c1d7e716ce22d0afa2fef66e5
Hash custo: 47fa351dff41330b200cabf2d5d4063b24a5b1ac
RBI Firmware info
option company_name 'Technicolor'
option prod_friendly_name 'Vodafone-DGA0130VDF-NZ'
option prod_name 'MediaAccess'
option prod_number 'Vodafone-DGA0130VDF-NZ'
option ssid_prefix 'vodafone'
option CPE_MODEL 'DGA0130VDF-NZ'
option provisioning_code 'VFNZ'
option CONF_VERSION 'CRF897'
option vodafone_variant 'NZ'
config settings 'tr69clientconfiguration'
option inform '1'
option inform_interval '3600'
option acs_url http://xvfnzhdmw.xdev.motive.com/cwmpWeb/CPEMgt
option acs_username 'vfnz_hdm'
option acs_password 'VF-dkpeh43f-t'
option connection_req_username 'vfnz_hdm'
option connection_req_password 'VF-dkpeh43f-t'
/etc/cwmpd
option acs_url https://pvfnzhdmw.vfnz.motive.com/cwmpWeb/WGCPEMgt
option periodicinform_interval 3600
option acs_user "vfnz_hdm"
option acs_pass "dkpeh43f"
option state 1
option upgradesmanaged '1'
option interface 'wan'
option connectionrequest_auth '1'
option connectionrequest_allowedips '199.117.180.0/24,207.71.32.0/24,216.61.48.0/24,64.186.176.0/24,64.186.180.0/24,64.186.183.0/24,64.186.187.0/24,64.186.188.0/24,64.186.189.0/24,64.186.191.0/24'
option upgrade_rollback_timeout 300
option connectionrequest_port 51005
option ssl_castore '/etc/ssl/certs/'
option ssl_verifypeer '1'
option ssl_hostnamecheck '1'
option use_dhcp '0'
option enforce_https '1'
option backoff_minwait '5'
option backoff_multiplier '2000'
option periodicinform_enable '1'
/etc/snmpd
config system
option sysLocation 'office'
option sysContact '[email protected]'
option sysName 'HeartOfGold'
# option sysServices 72
# option sysDescr 'adult playground'
# option sysObjectID '1.2.3.4'
config 'values' 'config'
option base_url 'https://vodafone:[email protected]:8443/'
option core_url 'https://vodafone-core.tgwfd.org:5443/'
option fifo_dir '/tmp/gwfd'
option flush_size '30'
option flush_interval '900'
option enable '0'
option tag 'VodafoneFT'
http://192.168.1.1:5000/rootDesc.xml
PORT STATE SERVICE
1900/udp open upnp
| upnp-info:
| 192.168.1.1
| Server: OpenWRT/OpenWrt/Attitude_Adjustment__r43446_ UPnP/1.1 MiniUPnPd/1.8
|_ Location: http://192.168.1.1:5000/rootDesc.xml