A collection of configuration for detoxing and improving the Technicolor TG799vac modem. Firstly, we flash the modem and get root, using the publicised methods care of Mark Smith online. Then, we access the modem, switch back to more recent firmware, and then tweak that firmware to remove backdoors, telemetry and unnecessary services; add features like SSH and modem UI improvements; disable LEDs so your night stays dark; change the physical Status button, also known as the 'easy reset' button, to toggle LEDs on/off; and more.
The configuration present may work on other devices, but it is specifically geared for the TG799vac. There are no guarantees made that any or all of the code will work for you or suit your needs. Test carefully and be prepared that some or all may not work on your device or your firmware.
Instructions are currently written for use on a *nix-style OS but have also been used successfully under Windows. If you're on Windows, you can try with the Windows Subsystem for Linux or simply do things manually (such as downloading zip files from GitHub instead of cloning, and running scripts interactively using PuTTY).
Disconnect any form of WAN connection from your modem, such as the xDSL line or Ethernet connection on the WAN port. This is super important in ensuring that the modem's firmware doesn't go auto-updating.
Have a computer or device on hand where you can set up the following tools. If you don't have Python (with tkinter support) or Git installed, you'll need to install them both or figure out a plan to proceed manually.
Your device will also need to have a GUI (eg not be a headless server), at least for when tkinter gets used by the autoflashgui tool. Everything else should work headless, if you're so inclined.
Get the latest version of these scripts; you'll need them for later:
Make sure you do this on your computer/device rather than on your modem.
Get the latest version of autoflashgui, the firmware flashing and root tool. My fork has one fix awaiting a PR into the main repository which is why I'm using that for now:
Again, make sure this is on your computer/device and not your modem.
Get the firmware for your TG799vac device. You'll need the two firmwares as indicated below. For completeness, here are the SHA-256 hashes:
Flash and get root
If your modem happens to be running a newer firmware version (such as an Over-The-Air [OTA] upgrade that happened) or you happen to get locked out for any reason, try a factory reset with the modem physically disconnected from the Internet.
To factory reset, get a paperclip and hold down the reset button for 15 seconds. Release the button and wait a few moments -- the modem will restore, all the LEDs will flash and the modem will reset.
Start the tool:
vant-f_CRF683-17.2.188-820-RA.rbi with the tool. This will fail to root (console will continually keep trying to connect and fail; this is okay). In my second attempt with a modem starting from firmware 15.3, this actually appeared to succeed and send commands to the newly-booted 17.2 firmware, but the SSH port wasn't open.
Kill the tool in the console with
vant-f_CRF687-16.3.7567-660-RG.rbi with the tool. This will take a little while as it authenticates, then flashes, waits for a reboot of the modem and then eventually proceeds to perform command injection on the modem.
If at this point the modem is not allowing SSH connections, then you may need to reflash the version of 17.2 now when on what should be a rooted version of 16.3. This is something I observed when the firmware first started out at 17.2 on one specific device, so I suspect the flashing of 17.2 when already on some version of 17.2 meant the flash didn't take or apply correctly. In any case, reflashing 17.2 at this point (and then reflashing 16.3 again...) solved this for me. Once you do get an SSH session available, you can continue on.
When done, SSH to the modem as root and change the password immediately:
Remove the pre-existing /etc/dropbear/authorized_keys file and ideally replace it with your own. This is a fun little backdoor the devs left there, judging by the comment TCH Debug on one of the keys.
Reboot the modem to complete disabling the services that were killed during the rooting process with
Root and switch to new firmware
By this point, your modem is now running 16.3 firmware and has the 17.2 firmware on board in its inactive, secondary flash partition. We'll now switch over to the latter firmware after injecting the ability to give ourselves root.
Re-connect to the modem's wifi network and SSH back in to run the contents of
There are more secure ways to run the file, like actually inspecting the contents. It's up to you how safe you'd like to play it and mostly how much you trust me / GitHub.
Wait several minutes for the modem to reboot.
Reconfigure new firmware
At this point, the modem is back running 17.2 and SSH is available on port 6666. We can now go wild and clean up the modem.
Re-connect to the modem's wifi network and SSH back in. The password is currently root, which you'll change immediately:
Run the contents of 02-detox.sh on the modem in the SSH session. The plan here is to disable and reset Telstra-based config on the device, disable OTA updates, close other security holes and backdoors, disable telemetry, replace the Telstra logo with Technicolor's logo and unlock various other features like SSH, web UI and so on. Consult the source to check the specifics if you want to opt-in to specific changes:
There's a bit happening here in this script so I encourage you to check out the source to note what's being disabled and modified. In particular, you can confirm that TR-069/CWMP is disabled by following the comments in the script so that you're sure you've protected yourself against the relevant security risks associated with this protocol.
At this point, you can now SSH back into the modem whenever you'd like on the standard port
Once you've confirmed you can do this, run the following in the SSH session on the modem to clear the original configuration we used to root the modem:
We do this last to be entirely sure you're not going to accidentally lock yourself out.
Add your own SSH public key into the file /etc/dropbear/authorized_keys on the modem. Edit on the modem via an editor like vi or SCP a file from your computer across.
Back on your host machine, copy the technicolor-logo.svg image to your modem's img directory such that it becomes available for use in the web interface:
If on Windows, you can use WinSCP to achieve this.
Reboot the modem again to finalise the configuration. This implicitly results in the SSH server on port 6666 no longer being started.
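A check for the two /etc/dropbear/authorized_keys steps above (removing the pre-existing file, then adding your own key). This is an added example, not part of this repository's scripts: it lists every key in an authorized_keys file whose key blob is not one of your own public keys, so a leftover vendor key stands out. The function names and the key blobs in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example: list authorized_keys entries whose key blob is not one of yours.
# $1 = file holding your own public key(s), $2 = authorized_keys file to audit.
audit_authorized_keys() {
    awk '
        # Index of the key-type field; options may precede it on the line.
        function keyfield(   i) {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) return i
            return 0
        }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { k = keyfield(); if (!k) next }        # skip lines that hold no key
        FILENAME == ARGV[1] { mine[$(k + 1)] = 1; next }   # remember own blobs
        !($(k + 1) in mine) {                   # unknown blob: report type + comment
            c = ""
            for (i = k + 2; i <= NF; i++) c = (c == "" ? $i : c " " $i)
            print $k, (c == "" ? "(no comment)" : c)
        }
    ' "$1" "$2"
}

# Demo on constructed files; the blobs are placeholders, not real keys.
demo_authorized_keys_audit() {
    d=$(mktemp -d)
    printf '%s\n' 'ssh-ed25519 AAAAC3ConstructedOwnKeyBlob me@laptop' > "$d/mine.pub"
    cat > "$d/authorized_keys" <<'EOF'
# constructed sample of a file that still carries vendor keys
ssh-rsa AAAAB3ConstructedVendorBlob1 TCH Debug
no-port-forwarding ssh-ed25519 AAAAC3ConstructedOwnKeyBlob me@laptop
ssh-rsa AAAAB3ConstructedVendorBlob2
EOF
    audit_authorized_keys "$d/mine.pub" "$d/authorized_keys"
    rm -rf "$d"
}

demo_authorized_keys_audit
```

Empty output means every key in the file is one of yours. On the modem, pass a copy of your own .pub file as the first argument and /etc/dropbear/authorized_keys as the second.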
The following are specific configuration items to using the modem as a basic modem only, with a few improvements like the ability to turn off the LEDs and speed boosts.
03-configure.sh to set various additional settings:
It does the following:
- Disables WWAN support
- Disables Printer sharing
- Disables Samba / DLNA
- Disables Telephony (MMPBX)
- Disables Traffic Monitoring
- Disables Time of Day ACL rules
- Explicitly disables Wake on LAN (not enabled by default)
- Adds ability to turn LEDs on or off using the physical Status button (via the newly added
- Disables all LEDs by default (and on boot)
- Enables OpenWrt repository feeds for opkg (only affects modems with Internet access [not bridged modems]; note that there's limited storage space unless you configure extroot)
You can opt-in or out of any of these changes by just running the bits you want or commenting out the bits you don't.
If on VDSL2 (eg FTTN/FTTC/FTTB), run
Otherwise, you can go to the xDSL Config card in the UI and select your mode(s). If you do this, click Save and close the modal; the modal will look like it didn't work, but it will have saved.
Head to the web-based UI at http://10.0.0.138 and go to the Advanced tab. Go to the Gateway card and set the timezone. Disable Network Timezone and then choose the appropriate
Getting Internet access
The last step in actually getting connected up to the Internet comes down to how you're planning on using the modem.
As a modem/router
Head to the web-based UI at http://10.0.0.138 and go to the Advanced tab.
Go to the Internet Access card and set the PPPoE username and password and the modem should connect automatically. You're done.
As a bridged modem
Connect an Ethernet cable between port 1 (far left) of the modem and your router's WAN port.
Head to the web-based UI at http://10.0.0.138 and go to the Advanced tab.
Go to the Local Network card and click the link in the card heading.
Scroll down to Network mode and click
Confirm this action and the modem will reboot automatically.
Whilst it reboots, go to your router's settings and configure your WAN to use PPPoE with the relevant username and password. How you do this depends on your router.
Once the modem has restarted, your router should be automatically connected to the Internet.
From here, we need to reconfigure the modem a further time to shut a few final services down like dnsmasq, WiFi and so on. In truth, most things are already configured to have been disabled (via uci configuration), but certain services like odhcpd are still running, though they're not doing anything.
You can configure the setup however you'd like, but to make life simple, I put the modem on my main network so I can still SSH to it. If you don't want this, you could manually plug an Ethernet cable into the modem if you ever need to access it again.
Change the modem's IP address to be a static IP on your router's subnet (such as 192.168.1.x) so it'll work as a device on the router's network:
Connect an Ethernet cable between any port on the modem to a LAN port on your router.
Access your router's network and check you can now access the modem at 192.168.1.x. The dashboard should load fine.
Once you've confirmed this, then run the final 05-bridge-mode.sh script to shut down the remaining services. Note: this includes terminating WiFi so make sure you're accessing the modem via Ethernet (eg via your router) at this point. Also make sure you use your new IP address.
Check out your extremely slimmed down set of open connections with netstat -lenp: just Nginx for the web UI and Dropbear for SSH with network connections and underlying dependencies listening on UNIX domain sockets.
Install any other OpenWRT packages you want. At this point, your bridged modem probably doesn't have access to the web so download packages to your local computer, SCP them to the modem and run the following command on the modem to install them:
admin user's password in your modem's UI under the Maintenance tab. Once this is set, the UI will prompt for login instead of just showing the advanced dashboard automatically.
Improve the security on the web interface for the modem by installing the nginx.conf file present in this repo over the top of the existing config. This requires a little tweaking because of server name-specific configuration to workaround redirection in nginx:
This config hardens the Nginx instance by stopping listening on 'assistance' port 55555 and port 8080 for proxying, as well as minor improvements with using HSTS, redirecting port 80 to 443 and running only over 443 / HTTPS.
Note that the modem generated its own self-signed certificate so you might want to consider setting up your own Let's Encrypt certificate on the modem via acme.sh.
To further investigate what's actually going on in this modem, the following are helpful:
- ps command - shows everything that's running
- netstat -lenp command - shows everything that's listening on sockets (TCP, UDP, Unix etc)
- uci show command - dumps the entire OpenWRT configuration for you to look at
- logread -f command - access logs for most services (which use syslog). Pass an argument of -e nginx to match log entries just related to Nginx, which is perfect for debugging errors in the web UI.
- /etc/init.d/* files - look at the services present; some of which may be enabled or not
- for F in /etc/init.d/* ; do $F enabled && echo $F on || echo $F **disabled**; done - display the status of all init scripts
- /etc/config/* files - generally the source files for uci show but displayed in a perhaps more human-readable fashion
- /www/* files - the source files for the Lua web interface
- /usr/sbin/*.sh files - the locations containing various executable files, many of which are custom-written for this hardware
transformer: critical service as it underpins the Gateway web UI. Stopping and disabling this service will crash/reboot the modem.
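The netstat -lenp check, both here and after running 05-bridge-mode.sh, can be turned into a repeatable audit. The following is an added example, not one of this repository's scripts: it reads netstat -lenp output and prints every TCP/UDP listener that is not an expected program:port pair. The allowlist (Nginx on 80/443, Dropbear on 22) is an assumption taken from the end state this page describes, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag TCP/UDP listeners that are not on a program:port allowlist.
# stdin = `netstat -lenp` output, $1 = space-separated allowlist, eg "nginx:443".
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # UNIX domain sockets are local IPC only, so just tcp/udp rows are checked.
        $1 ~ /^(tcp|udp)/ {
            np = split($4, part, ":"); port = part[np]   # also handles :::22
            prog = "-"                                   # "-" = owner not shown
            for (i = 5; i <= NF; i++)
                if ($i ~ /^[0-9]+\//) {                  # the PID/Program field
                    prog = $i
                    sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
                    break
                }
            key = prog ":" port
            if (!(key in ok)) print $1, $4, prog
        }
    '
}

# Constructed sample in net-tools layout (not captured from a real modem).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  User Inode PID/Program name
tcp        0      0 0.0.0.0:443     0.0.0.0:*       LISTEN 0    1201  812/nginx: master
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN 0    1200  812/nginx: master
tcp        0      0 0.0.0.0:55555   0.0.0.0:*       LISTEN 0    1202  812/nginx: master
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN 0    1187  790/dropbear
tcp        0      0 :::22           :::*            LISTEN 0    1188  790/dropbear
udp        0      0 0.0.0.0:53      0.0.0.0:*              0    1310  901/dnsmasq
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     1102     640/ubusd   /var/run/ubus.sock
EOF
}

EXPECTED="nginx:80 nginx:443 dropbear:22"
sample_netstat | audit_listeners "$EXPECTED"
```

On the modem, run netstat -lenp | audit_listeners "$EXPECTED"; empty output means only the expected listeners remain.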
Compatible OpenWrt packages (opkg)
To confirm which version of OpenWrt you're running, look at the release file by running the following command on the modem:
In my case, this looks like so:
So I can see I'm using version 15.05.1, the release called Chaos Calmer. I can also see the chipset/architecture my OpenWrt and its packages were built for --
-tch at the end implies something special for Technicolor (assuming TCH isn't some grand coincidence since they use TCH as their stock ticker, SSH key comments and so on) but in my experience, packages for the brcm63xx architecture all work fine.
The following packages from https://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/generic/packages/packages/ have been confirmed to work on this device:
For other release versions or differing hardware, browse up the directory structure on that URL and find your own compatible packages.
Various backup copies of packages can be found in the pkg/ directory in this repository. I manually copy the packages onto my modem since my modem is configured as a bridge and is explicitly configured not to have Internet access.
Most other packages for this OpenWrt release/architecture should work, but some may conflict with existing packages or files on the device. There's also only 32MB of storage on the modem (24.3MB available on mine) so this is a pretty limiting factor in installing extra software.
Note that running xdslctl configure makes the DSL line resync and possibly other things as well; reboot the modem after this to ensure any side effects don't persist.
Shows the current status of the bridge on the modem.
OpenWRT has a telnet fallback if your system is configured accordingly and Dropbear/SSH aren't running: it'll run telnet instead. If this isn't what you want, then you can disable it thusly:
Note that this might result in you being locked out later if say SSH were to crash on boot. Unlikely, but you never know.
VLAN for VDSL2
It's possible to add the VLAN configuration into the UI. For now, I don't need this but I'll consider formalising it later. Edit the file at /www/docroot/modals/broadband-modal.lp like so:
and restart Nginx.
There are various settings for IPoE within uci's settings (eg uci show). Evidence online says that IPoE is possible with this modem and may
In initial testing, tweaking settings appeared to drop power consumption slightly but it's too soon to tell. The --avs (Adaptive Voltage Scaling) option doesn't appear to have any effect on the TG799vac; it always stays disabled.
Credit and thanks
The root method is care of Mark Smith https://forums.whirlpool.net.au/user/686 and is greatly appreciated.
The basis for the tweak instructions comes from Mark Smith, from Steve's blog at https://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/ and various comments on this Whirlpool thread.
Pull requests are welcome for adding features or fixing bugs. Open an issue to discuss improving the default choices. Note this is not a support forum so any questions or requests for help will be closed.
- Disable LED lights on Ethernet ports. This looks to be possible via ethswctl -c regaccess ... but we need to know the right offset and data settings.