Technicolor Modem Keygen

Technicolor Modem Keygen Rating: 5,9/10 9811 reviews

A collection of configuration for detoxing and improving the TechnicolorTG799vacmodem. Firstly, we flash the modem and get root, using the publicised methodscare of Mark Smith online. Then,we access the modem, switch back to more recent firmware, and then tweak thatfirmware to remove backdoors, telemetry, unecessary services, add featureslike SSH, modem UI improvements, disables LEDs so your night stays dark,changes your physical Status button, also known as the 'easy reset' button,to toggle LEDs on/off, and more.

Here is a complete list of Technicolor router passwords and usernames. Find Technicolor router passwords and usernames using this router password list for Technicolor routers. Buy Technicolor brand internet modems for high speed internet service with Comcast, Time Warner, Xfinity, Cox, + many more! Buy your own modem today! The Firewall.cx Wireless LAN Key Generator will allow the generation of a WEP or WPA ASCII based encryption key and will provide the equivalent HEX or ASCII string so it can be inserted directly into a Cisco Access Point configuration.

The configuration present may work on other devices, but it is specificallygeared for the TG799vac. There are no guarantees made that any or all of the codewill work for you or suit your needs. Test carefully and be prepared thatsome or all may not work on your device or your firmware.

Instructions are currently written for use on a *nix-style OS but havebeen successfully also used under Windows as well. If you're on Windows,you can can try with theWindows Subsystem for Linuxor simply just do things manually (such as downloading zip files from GitHubinstead of cloning and running scripts interactive using PuTTY).

Technicolor Modem Gateway

How to

Setup

Keygen

  1. Disconnect any form of WAN connection from your modem, such as the xDSLline or Ethernet connection on the WAN port. This is super important inensuring that the modem's firmware doesn't go auto-updating.

  2. Have a computer or device on hand where you can set up the following tools.If you don't have Python (with tkinter support) or Git installed, you'llneed to install them both or figure out a plan to proceed manually.

    Your device will need to have a GUI (eg not be a headless server)as well for at least when tkinter gets used for the autoflashgui tool.Everything else should work headless, if you're so inclined.

  3. Get the latest version of these scripts; you'll need them for later:

    Make sure you do this on your computer/device rather than on your modem.

  4. Get the latest version of autoflashgui, the firmware flashing and roottool. My fork has one fix awaiting a PR into the main repository whichis why I'm using that for now:

    Again, make sure this is on your computer/device and not your modem.

  5. Get thefirmwarefor your TG799vac device. You'll need the two firmwaresas indicated below. For completeness, here are the SHA-256 hashes:

  6. Setup the autoflashgui tool:

Flash and get root

If your modem happens to be running a newer firmware version (such as anOver-The-Air [OTA] upgrade that happened) or you happen to get locked out forany reason, try a factory reset with the modem physically disconnected fromthe Internet.

To factory reset, get a paperclip and hold down the reset button for 15seconds. Release the button and wait a few moments -- the modem will restore,all the LEDs will flash and the modem will reset.

  1. Start the tool:

  2. Flash vant-f_CRF683-17.2.188-820-RA.rbi with the tool. This will fail toroot (console will continually keep trying to connect and fail; this isokay). In my second attempt with a modem starting from firmware 15.3, thisactually appeared to succeed and send comamnds to the newly-booted 17.2firmware, but the SSH port wasn't open.

  3. Kill the tool in the console with Control-C.

  4. Flash vant-f_CRF687-16.3.7567-660-RG.rbi with the tool. This will take alittle while as it authenticates, then flashes, waits for a reboot of themodem and then eventually proceeds to perform command injection on themodem.

    If at this point the modem is not allowing SSH connections, then you mayneed to reflash the version of 17.2 now when on what should be a rootedversion of 16.3. This is something I observed when the firmware firststarted out at 17.2 on one specific device, so I suspect the flashing of17.2 when already on some version of 17.2 meant the flash didn't take orapply correctly. In any case, reflashing 17.2 at this point (and thenreflashing 16.3 again...) solved this for me. Once you do get an SSHsession available, you can continue on.

  5. When done, SSH to the modem as root and change the passwordimmediately:

  6. Remove the pre-existing /etc/dropbear/authorized_keys file and ideallyreplace it with your own. This is a fun little backdoor the devs leftthere, judging by the comment TCH Debug on one of the keys.

  7. Reboot the modem to complete disabling the services that were killed duringthe rooting process with autoflashgui.py

Root and switch to new firmware

By this point, your modem is now running 16.3 firmware and has the 17.2firmware on board in its inactive, secondary flash partition. We'll nowswitch over to the latter firmware after injecting the ability to giveourselves root.

  1. Re-connect to the modem's wifi network and SSH back in to run the contentsof 01-root-and-switch-fw.sh:

    There are more secure ways to run the file, like actually inspecting thecontents. It's up to you how safe you'd like to play it and mostly howmuch you trust me / GitHub.

  2. Wait several minutes for the modem to reboot.

Reconfigure new firmware

At this point, the modem is back running 17.2 and SSH is available on port6666. We can now go wild and clean up the modem.

  1. Re-connect to the modem's wifi network and SSH back in. The password iscurrently root, which you'll change immediately:

  2. Run the contents of 02-detox.sh on the modem the SSH session. The planhere is to disable and reset Telstra-based config on the device, disableOTA updates, close other security holes and backdoors, disable telemetry,replace the Telstra logo with Technicolor's logo and unlock various otherfeatures like SSH, web UI and so on. Consult the source to check thespecifics if you want to opt-in to specific changes:

    There's a bit happening here in this script so I encourage you to check outthe sourceto note what's being disabled and modified. In particular, you can confirmthat TR-069/CWMP is disabled by following the comments in the scriptso that you're sure you've protected yourself against the relevantsecurity risksassociated with this protocol.

  3. At this point, you can now SSH back into the modem whenever you'd like on thestandard port 22:

  4. Once you've confirmed you can do this, run the following in the SSH sessionon the modem to clear the original configuration we used to root the modem:

    We do this last to be entirely sure you're not going to accidentally lockyourself out.

  5. Add your own SSH public key into the file /etc/dropbear/authorized_keyson the modem. Edit on the modem via an editor like vi or SCP a file fromyour computer across.

  6. Back on your host machine, copy the technicolor-logo.svg image to yourmodem's img directory such that it becomes available for use in the web interface:

    If on Windows, you can use WinSCP to achieve this.

  7. Reboot the modem again to finalise the configuration. This implicitlyresults in the SSH server on port 6666 no longer being started.

Futher customisation

The following are specific configuration items to using the modem as a basicmodem only, with a few improvements like the ability to turn off the LEDs andspeed boosts.

  1. Run 03-configure.sh to set various additional settings:

    It does the following:

    • Disables WWAN support
    • Disables Printer sharing
    • Disables Samba / DLNA
    • Disables Telephony (MMPBX)
    • Disables Traffice Monitoring
    • Disables Time of Day ACL rules
    • Explicitly disables Wake on LAN (not enabled by default)
    • Adds ability to turn LEDs on or using the physical Status button (viathe newly added toggleleds.sh script)
    • Disables all LEDs by default (and on boot)
    • Enables OpenWrt repository feeds for opkg (only affects modems withInternet access [not bridged modems] and that there's limited storagespace unless you configureextroot)

    You can opt-in or out of any of these changes by just running the bits youwant or commenting out the bits you don't.

  2. If on VDSL2 (eg FTTN/FTTC/FTTB), run 04-vdsl2.sh as well:

    Otherwise, you can go to the xDSL Config card in the UI and select your mode(s).If you do this, click Save and close the modal; the modal will look likeit didn't work, but it will have saved.

  3. Head to the web-based UI at http://10.0.0.138 and go to the Advanced tab.Go to the Gateway card and set the timezone. Disable Network Timezoneand then choose the appropriate Current Timezone.

Getting Internet access

The last step in actually getting connected up the Internet comes down toon how you're planning on using the modem.

As a modem/router

Head to the web-based UI at http://10.0.0.138 and go to the Advanced tab.

Go to the Internet Access card and set the PPPoE username and passwordand the modem should connect automatically. You're done.

As a bridged modem

  1. Connect an Ethernet cable between port 1 (far left) of the modem and yourrouter's WAN port.

  2. Head to the web-based UI at http://10.0.0.138 and go to the Advanced tab.

  3. Go to the Local Network card and click the link in the card heading.

  4. Scroll down to Network mode and click Bridged Mode.

  5. Confirm this action and the modem will reboot automatically.

  6. Whilst it reboots, go to your router's settings and configure your WAN touse PPoE with the relevant username and password. How you do this dependson your router.

  7. Once the modem has restarted, your router should be automatically connectedto the Internet.

Modem

From here, we need to reconfigure the modem a futher time to shut a few finalservices down like dnsmasq, WiFi and so on. In truth, most things are alreadyconfigured to have been disabled (via uci configuration), but certainservices like dnsmasq and odhcpd are still running, though they're notdoing anything.

Technicolor Tc4400 Cable Modems

You can configure the setup however you'd like, but To make life simple, I putthe modem on my main network so I can still SSH to it. If you don't wantthis, you could manually plug an Ethernet cable into the modem if you everneed to access it again.

  1. Change the modem's IP address to be a static IP your router's subnet (such as192.168.1.x) so it'll work as a device on the router's network:

  2. Connect an Ethernet cable between any port on the modem to a LAN port onyour router.

  3. Access your router's network and check you now access the modem at192.168.1.x. The dashboard should load fine.

  4. Once you've confirmed this, then run the final 05-bridge-mode.sh scriptto shut down the remaining services. Note: this includes terminatingWiFi so make sure you're accessing the modem via Ethernet (eg via yourrouter) at this point. Also make sure you use your new IP address.

  5. Check out your extremely slimmed down set of open connections withnetstat -lenp: just Nginx for the web UI and Dropbear for SSH with networkconnections and underlying dependencies listening on UNIX domain sockets.

Even more

  1. Install any other OpenWRT packages you want. At this point, your bridgedmodem probably doesn't have access to the web so download packages to yourlocal computer, SCP them to the modem and run the following command onthe modem to install them:

  2. Set the admin user's password in your modem's UI under the Maintenancetab. Once this is set, the UI will prompt for login instead of just showingthe advanced dashboard automatically.

  3. Improve the security on the web interface for the modem by installing thenginx.conf file present in this repo over the top of the existing config.This requires a little tweaking because of server name-specificconfiguration to workaround redirection in nginx:

    This config hardens the Nginx instance by stopping listening on'assistance' port 55555 and port 8080 for proxying, as well as minorimprovements as well with using HSTS, redirecting port 80 to 443 andrunning only over 443 / HTTPS.

    Note that the modem generated its own self-signed certificate so you mightwant to consider setting up your own Let's Encrypt certificate on the modemvia acme.sh.

Notes

Introspection

To further investigate what's actually going on in this modem, the followingare helpful:

  • ps command - shows everything that's running
  • netstat -lenp command - shows everything that's listening on sockets (TCP,UPD, Unix etc)
  • uci show command - dumps the entire OpenWRT configuration for you to lookat
  • logread -f command - access logs for most services (which use syslog.Pass an argument of -e nginx to match log entries just related to Nginx,which is perfect for debugging errors in the web UI.
  • /etc/init.d/* files - look at the services present; some of which may beenabled or not
  • for F in /etc/init.d/* ; do $F enabled && echo $F on echo $F **disabled**; done -display the status of all init scripts
  • /etc/config/* files - generally the source files for uci show butdisplayed in a perhaps more human-readable fashion
  • /www/* files - the source files for the Lua web interface
  • /sbin/*.sh, /usr/bin/*.sh, /usr/sbin/*.sh files - the locationscontaining various executable files, many of which are custom-written forthis hardware

Services

  • transformer: critical service as it underpins the Gateway web UI.Stopping and disabling this service will crash/reboot the modem.

Compatible OpenWrt packages (opkg)

To confirm which version of OpenWrt you're running, look at the release fileby running the following command on the modem:

In my case, this looks like so:

So I can see I'm using version 15.05.1, the release called Chaos Calmer. I canalso see the chipset/architecture my OpenWrt and its packages were built for-- brcm63xx-tch. The -tch at the end implies something special forTechnicolor (assuming TCH isn't some grand coincidence since they use TCH astheir stock ticker, SSH key comments and so on) but in my experience, packagesfor the brcm63xx architecture all work fine.

The following packages fromhttps://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/packages/have been confirmed to work on this device:

  • openssh-client
  • openssh-client-utils
  • openssh-keygen
  • openssh-sftp-client
  • unzip

For other release versions or differing hardware, browse up the directorystructure on that URL and find your own compatible packages.

Various backup copies of packages can be found in the pkg/ directory in thisrepository. I manually copy the packages onto my modem since my modem isconfigured as a bridge and is explicitly configured not to have Internetaccess.

Most other packages for this OpenWrt release/architecture should work, butsome may conflict with existing packages or files on the device. There's alsoonly 32MB of storage on the modem (24.3MB available on mine) so this is apretty limiting factor in installing extra software.

VDSL2 Introspection

Note that running xdslctl configure makes the DSL line resync and possiblyother things as well; reboot the modem after this to ensure any side effectsdon't persist.

From http://whrl.pl/Re6mCZ.

Bridging

Shows the current status of the bridge on the modem.

Telnet fallback

OpenWRT has a telnet fallback if your system is configured accordingly andDropbear/SSH aren't running: it'll run telnet instead. If this isn't what youwant, then you can disable it thusly:

Note that this might result in you being locked out later if say SSH were tocrash on boot. Unlikely, but you never know.

VLAN for VDSL2

It's possible to add the VLAN configuration into the UI. For now, I don'tneed this but I'll consider formalising it later. Edit the file at/www/docroot/modals/broadband-modal.lp like so:

and resart Nginx.

IPoE

There are various settings for IPoE within uci's settings (eg uci show).Evidence online says that IPoE is possible with this modem and may

Tc8305c

Power configuration

In initial testing, teaking settings appeared to drop power consumptionslightly but it's too soon to tell. The --avs (Adaptive Voltage Scaling)option doesn't appear to have any effect on the TG799vac; it always staysdisabled.

Jumbo frames

(currently untested)

Credit and thanks

The root method is care of Mark Smithhttps://forums.whirlpool.net.au/user/686 and is greatly appreciated.

The basis for the tweak instructions come from Mark Smith, fromSteve's blog athttps://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/and various comments on this Whirlpoolthread.

Contributing

Pull requests are welcome for adding features or fixing bugs. Open an issueto discuss improving the default choices. Note this is not a support forum soany questions or requests for help will be closed.

Licence

MIT, see LICENCE.txt

TODO

  • Disable LED lights on Ethernet ports. This looks to be possible viaethswctl -c regaccess ... but we need to know the right offset and datasettings.