diff --git a/Guide/EN/TIM_HUB_guide_EN.html b/Guide/EN/TIM_HUB_guide_EN.html new file mode 100644 index 0000000..7d2cab1 --- /dev/null +++ b/Guide/EN/TIM_HUB_guide_EN.html @@ -0,0 +1,656 @@ + + + +TIM_HUB_guide_EN.md + + + + + + + + + + + + +

ROOT TIM HUB DGA4132 AND ANSUEL GUI - VERSION AGTHP 2.3.3

+

This guide has been written to have a simple and immediate reference point in case you want to proceed with the enabling of the root user of the TIM HUB DGA4132 modem router (hereinafter "router") and the subsequent installation of the Ansuel GUI. All the steps have been taken and adapted from the websites listed in the paragraph below, then grouped on this page and set up in the correct order.

+

This guide is available in the following formats:

+ +

WEBSITES

+ +

USEFUL FILES

+

The autoflashgui-master_timhub.zip file contains the 16.02.2018 version of the AutoFlashGUI tool developed by Mark Smith (mswhirl). Once extracted, inside the autoflashgui-master/firmware folder you can find the following files needed for this guide:

+ +
+

GUIDE - PART 1

+ +
+

WARNING: To enable the Extended Configuration it's necessary to click on a tab that appears ONLY at the first login immediately after a reset. If you log out of the web GUI or close the browser window, you will need to perform another router reset to trigger the Extended configuration prompt again. Furthermore, the router must NOT be connected to the Internet in any way: disconnect the RJ11 cable, the Ethernet cable in the WAN port or the FTTH connection.

+
+ +

AUTOFLASHGUI.EXE

+

Set the following parameters with their respective values

+ +
+

GUIDE - PART 2

+ +

SCRIPT

+ +
# Ensure two banks match in sizes +[ $(grep -c bank_ /proc/mtd) = 2 ] && \ +[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \ +"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && { +# Clone and verify firmware into bank_2 if applicable +[ "$(cat /proc/banktable/booted)" = "bank_1" ] && { +mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \ +mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \ +{ echo Clone verification failed, retry; exit; } } +# Make a temp copy of overlay for booted firmware +cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup +# Clean up jffs2 space by removing existing old overlays +rm -rf /overlay/* +# Use the previously made temp copy as overlay for bank_2 +cp -rf /tmp/bank_overlay_backup /overlay/bank_2 +# Activate bank_1 +echo bank_1 > /proc/banktable/active +# Make sure above changes get written to flash +sync +# Erase firmware in bank_1 +mtd erase bank_1; +# Emulate system crash to hard reboot +echo c > /proc/sysrq-trigger; } +# end +
+ +
+

GUIDE - PART 3

+ +

PRESERVING ROOT ACCESS

+ +
+

COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

+
+
mkdir -p /overlay/$(cat /proc/banktable/booted)/etc +chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc +echo -e "echo root:root | chpasswd +sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd +sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab +uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \ +egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \ +sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \ +sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT' +uci add dropbear dropbear +uci rename dropbear.@dropbear[-1]=afg +uci set dropbear.afg.enable='1' +uci set dropbear.afg.Interface='lan' +uci set dropbear.afg.Port='22' +uci set dropbear.afg.IdleTimeout='600' +uci set dropbear.afg.PasswordAuth='on' +uci set dropbear.afg.RootPasswordAuth='on' +uci set dropbear.afg.RootLogin='1' +uci set dropbear.lan.enable='0' +uci commit dropbear +/etc/init.d/dropbear enable +/etc/init.d/dropbear restart +rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local +source /rom/etc/rc.local +" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local +chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local +sync +
+ +

FLASHING FIRMWARE

+ +

HARDENING GAINED ACCESS

+ +
+

COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

+
+
# Disable CWMP +uci delete cwmpd.cwmpd_config +uci delete firewall.cwmpd +uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpd.pid' +uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpevents.pid' +uci commit +/etc/init.d/watchdog-tch reload +/etc/init.d/cwmpd disable +/etc/init.d/cwmpd stop +/etc/init.d/cwmpdboot disable +/etc/init.d/cwmpdboot stop +/etc/init.d/zkernelpanic disable +/etc/init.d/zkernelpanic stop + +# Disable CWMP - extra, in case you think it may resurrect +uci set cwmpd.cwmpd_config.state=0 +uci set cwmpd.cwmpd_config.acs_url='https://127.0.1.1:7547/' +uci set cwmpd.cwmpd_config.use_dhcp=0 +uci set cwmpd.cwmpd_config.interface=loopback +uci set cwmpd.cwmpd_config.enforce_https=1 +uci commit cwmpd + +# Disable Telstra monitoring +uci delete tls-vsparc.Config +uci delete tls-vsparc.Passive +uci delete autoreset.vsparc_enabled +uci delete autoreset.thor_enabled +uci delete wifi_doctor_agent.acs +uci delete wifi_doctor_agent.config +uci delete wifi_doctor_agent.as_config +uci commit + +# Disable Telstra Air/Fon WiFi +/etc/init.d/hotspotd stop +/etc/init.d/hotspotd disable +uci delete dhcp.hotspot +uci delete dhcp.fonopen +uci commit + +# Remove any default SSH pubkey +echo > /etc/dropbear/authorized_keys +# Disable SSH access over wan +uci set dropbear.wan.enable='0' +uci commit dropbear + +# Free space for gateways with small flash +find /rom/usr/lib/ipk -type f |xargs -n1 basename | cut -f 1 -d '_' |xargs opkg --force-removal-of-dependent-packages remove +
+ +

GUI ANSUEL

+ +

CHANGE ROOT AND GUI PASSWORD

+ +

RESULT

+

Now you have a TIM HUB DGA4132 modem router updated to AGTHP version 2.3.3 with root permissions enabled and the Ansuel GUI.

+ + + diff --git a/Guide/EN/TIM_HUB_guide_EN.md b/Guide/EN/TIM_HUB_guide_EN.md new file mode 100644 index 0000000..c1cfa02 --- /dev/null +++ b/Guide/EN/TIM_HUB_guide_EN.md 
@@ -0,0 +1,259 @@ +# ROOT TIM HUB DGA4132 AND ANSUEL GUI - VERSION AGTHP 2.3.3 +This guide has been written to have a simple and immediate reference point in case you want to proceed with the enabling of the root user of the TIM HUB DGA4132 modem router (hereinafter "router") and the subsequent installation of the Ansuel GUI. All the steps have been taken and adapted from the websites listed in the paragraph below, then grouped on this page and set up in the correct order. + +This guide is available in the following formats: +- Markdown (`TIM_HUB_guide_IT.md`) +- PDF (`TIM_HUB_guide_IT.pdf`) +- HTML (`TIM_HUB_guide_IT.html`) + + +## WEBSITES +- [Hacking Technicolor Gateways: Material for MkDocs](https://hack-technicolor.readthedocs.io/en/stable/) +- [IlPuntoTecnico GUI Ansuel](https://www.ilpuntotecnico.com/forum/index.php?topic=81461.0) +- [GitHub GUI Ansuel](https://github.com/Ansuel/gui-dev-build-auto) +- [GitHub AutoFlashGUI](https://github.com/mswhirl/autoflashgui) +- [WinSCP](https://winscp.net/eng/download.php) + + +## USEFUL FILES +The `autoflashgui-master_timhub.zip` file contains the `16.02.2018` version of the AutoFlashGUI tool developed by Mark Smith (mswhirl). Once extracted, inside the *autoflashgui-master/firmware* folder you can find the following files needed for this guide: +- `AGTHP_1.0.3_CLOSED.rbi.torrent`: torrent file to start the download of the firmware version AGTHP 1.0.3 downloaded from the website "Hacking Technicolor Gateways: Material for MkDocs". Move the downloaded file into the *autoflashgui-master/firmware* folder +- `AGTHP_2.3.3_CLOSED.rbi.torrent`: torrent file to start the download of the firmware version AGTHP 2.3.3 downloaded from the website "Hacking Technicolor Gateways: Material for MkDocs". Move the downloaded file into the *autoflashgui-master/firmware* folder +- `GUI.tar.bz2`: stable version 9.6.65 of the Ansuel GUI downloaded from Ansuel's `gui-dev-build-auto` GitHub repository. 
Please check for new versions before proceeding + + +--- + + +## GUIDE - PART 1 +- Update the router to version 2.3.3 (you can do this using the "TIM Modem" smartphone app available for Android and iOS) +- From the first *Gateway* tab in the web GUI, if necessary, backup configuration in `.bin` via the *Export* button. A file named "config.bin" will be downloaded +- Reset the router via the *Reset* button +- After reboot, login to the web page (`admin/admin`), don't change the password and activate the *Extended configuration* mode +> WARNING: To enable the Extended Configuration it's necessary to click on a tab that appears ONLY at the first login immediately after a reset. If you log out of the web GUI or close the browser window, you will need to perform another router reset to trigger the Extended configuration prompt again. Furthermore, the router must NOT be connected to the Internet in any way: disconnect the RJ11 cable, the Ethernet cable in the WAN port or the FTTH connection. +- To log in again in the GUI, the password is the **ACCESS KEY** on the label located at the base of the router (under the last barcode in the left column) +- Enter the first *Gateway* tab and perform the downgrade to version 1.0.3 from the third tab. To do this, load the `AGTHP_1.0.3_CLOSED.rbi` file by clicking on *Choose file* and then on *Update* in the *Firmware update* section +- After reboot, you won't be able to login. 
Reset router from the button on the back (hold for **10-12 sec.**) +- After the second reboot, login to the web page (`admin/admin`) without changing the password +- Run the `autoflashgui.exe` program inside *autoflashgui-master* folder + + +### AUTOFLASHGUI.EXE +Set the following parameters with their respective values +- Load default: *Generic (Advanced DDNS)* +- Target IP: ip router +- Username: user GUI web +- Password: password GUI web +- **DO NOT** select *Firmware File Name* and *Flash firmware?* +- Check *Split the given command on semicolons [...]* if not already selected +- Leave the other settings unchanged +- Click on *Run* +- Wait for result on the shell +- Close the program (it will no longer be necessary) +- Connect with SSH to the router and try to authenticate with `root/root` + + +--- + + +## GUIDE - PART 2 +- Enable the Serial Console Port from the router's root shell + - `sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab` +- Check the banks status + - `find /proc/banktable -type f -print -exec cat {} ';' -exec echo ';'` +- Take note of the following parameters + + ... + /proc/banktable/booted + + proc/banktable/active + + ... 
+ +- To achieve our goal, the result of the previous command must become as follows + + /proc/banktable/active + bank_1 + /proc/banktable/activeversion + Unknown + /proc/banktable/booted + bank_2 + +- Then proceed to the next step to set `bank_1` as active and then delete it to always boot the `bank_2` + + +### SCRIPT +- Create a script using `vim` with the following commands + +```bash +# Ensure two banks match in sizes +[ $(grep -c bank_ /proc/mtd) = 2 ] && \ +[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \ +"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && { +# Clone and verify firmware into bank_2 if applicable +[ "$(cat /proc/banktable/booted)" = "bank_1" ] && { +mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \ +mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \ +{ echo Clone verification failed, retry; exit; } } +# Make a temp copy of overlay for booted firmware +cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup +# Clean up jffs2 space by removing existing old overlays +rm -rf /overlay/* +# Use the previously made temp copy as overlay for bank_2 +cp -rf /tmp/bank_overlay_backup /overlay/bank_2 +# Activate bank_1 +echo bank_1 > /proc/banktable/active +# Make sure above changes get written to flash +sync +# Erase firmware in bank_1 +mtd erase bank_1; +# Emulate system crash to hard reboot +echo c > /proc/sysrq-trigger; } +# end +``` + +- Run the following command to make it executable + - `chmod +x script.sh` +- Run the new script + - `./script.sh` + + +--- + + +## GUIDE - PART 3 +- Now we can proceed with the firmware upgrade to return to version 2.3.3 +- Open WinSCP (or similar software) and connect with SCP protocol to the router with `root/root` credentials +- Upload the `AGTHP_2.3.3_CLOSED.rbi` file inside the `/tmp` router directory and rename it in `new.rbi` +- Run the following command from the shell + - `cat "/tmp/new.rbi" | (bli_parser && echo "Please wait..." 
&& (bli_unseal | dd bs=4 skip=1 seek=1 of="/tmp/new.bin"))` +- It's necessary to proceed with a clean-up of files and configurations +- Create a backup with the following command and save it on your PC via WinSCP + - `tar -C /overlay -cz -f /tmp/backup-$(date -I).tar.gz $(cat /proc/banktable/booted)` +- Run the following command to completely clear the currently booted bank overlay + - `rm -rf /overlay/$(cat /proc/banktable/booted)` +- If you change the firmware version, the root may be lost. DO NOT restart and then proceed to the next step + + +### PRESERVING ROOT ACCESS +- Run the following block of commands via SSH to prepare a script that will only need to be run once on next boot to grant root access + +> COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND. + +```bash +mkdir -p /overlay/$(cat /proc/banktable/booted)/etc +chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc +echo -e "echo root:root | chpasswd +sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd +sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab +uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \ +egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \ +sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \ +sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT' +uci add dropbear dropbear +uci rename dropbear.@dropbear[-1]=afg +uci set dropbear.afg.enable='1' +uci set dropbear.afg.Interface='lan' +uci set dropbear.afg.Port='22' +uci set dropbear.afg.IdleTimeout='600' +uci set dropbear.afg.PasswordAuth='on' +uci set dropbear.afg.RootPasswordAuth='on' +uci set dropbear.afg.RootLogin='1' +uci set dropbear.lan.enable='0' +uci commit dropbear +/etc/init.d/dropbear enable +/etc/init.d/dropbear restart +rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local +source /rom/etc/rc.local +" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local +chmod 
+x /overlay/$(cat /proc/banktable/booted)/etc/rc.local +sync +``` + +- If the root password has been changed, it will be reset to `root/root` +- The gateway is now clean. Root access via SSH will be enabled again permanently on the next boot + + +### FLASHING FIRMWARE +- Run the following commands one at a time to write the `/tmp/new.bin` file to the booted bank and to cause a hard reboot + - `mtd -e $(cat /proc/banktable/booted) write "/tmp/new.bin" $(cat /proc/banktable/booted)` + - `echo c > /proc/sysrq-trigger` + + +### HARDENING GAINED ACCESS +- Run the following in the SSH terminal to prevent your Gateway loosing root access unexpectedly + +> COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND. + +```bash +# Disable CWMP +uci delete cwmpd.cwmpd_config +uci delete firewall.cwmpd +uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpd.pid' +uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpevents.pid' +uci commit +/etc/init.d/watchdog-tch reload +/etc/init.d/cwmpd disable +/etc/init.d/cwmpd stop +/etc/init.d/cwmpdboot disable +/etc/init.d/cwmpdboot stop +/etc/init.d/zkernelpanic disable +/etc/init.d/zkernelpanic stop + +# Disable CWMP - extra, in case you think it may resurrect +uci set cwmpd.cwmpd_config.state=0 +uci set cwmpd.cwmpd_config.acs_url='https://127.0.1.1:7547/' +uci set cwmpd.cwmpd_config.use_dhcp=0 +uci set cwmpd.cwmpd_config.interface=loopback +uci set cwmpd.cwmpd_config.enforce_https=1 +uci commit cwmpd + +# Disable Telstra monitoring +uci delete tls-vsparc.Config +uci delete tls-vsparc.Passive +uci delete autoreset.vsparc_enabled +uci delete autoreset.thor_enabled +uci delete wifi_doctor_agent.acs +uci delete wifi_doctor_agent.config +uci delete wifi_doctor_agent.as_config +uci commit + +# Disable Telstra Air/Fon WiFi +/etc/init.d/hotspotd stop +/etc/init.d/hotspotd disable +uci delete dhcp.hotspot +uci delete dhcp.fonopen +uci commit + +# Remove any default SSH pubkey +echo > /etc/dropbear/authorized_keys +# 
Disable SSH access over wan +uci set dropbear.wan.enable='0' +uci commit dropbear + +# Free space for gateways with small flash +find /rom/usr/lib/ipk -type f |xargs -n1 basename | cut -f 1 -d '_' |xargs opkg --force-removal-of-dependent-packages remove +``` + +- If you get one or more error messages from running these commands, you can ignore them: it means the command was not needed for your firmware version + + +### GUI ANSUEL +- Connect with WinSCP to the router as described above +- Copy the `GUI.tar.bz2` file to the `/tmp` directory +- Connect in SSH to the router with root user +- Run the following command to extract the GUI + - `bzcat /tmp/GUI.tar.bz2 | tar -C / -xvf - && /etc/init.d/rootdevice force` +- Wait until the procedure is finished. If necessary, the router may reboot itself. Ignore the latest error messages +- In case of *Error 9* restart the router and the problem will be solved + + +### CHANGE ROOT AND GUI PASSWORD +- Run the `passwd` command in the terminal to change the login password for the root user. This procedure is strongly recommended +- Once the Ansuel GUI is installed, the username and password will be `admin/admin` again. It is also reccomended to change this password in order to prevent unauthorized access to the administration web page. To do this, after after you log into the web GUI, click on the *Advanced* button at the top right next to the username *admin* and then on *Profile settings* + + +### RESULT +Now you have a TIM HUB DGA4132 modem router updated to AGTHP version 2.3.3 with root permissions enabled and the Ansuel GUI. + + diff --git a/Guide/EN/TIM_HUB_guide_EN.pdf b/Guide/EN/TIM_HUB_guide_EN.pdf new file mode 100644 index 0000000..01489a4 Binary files /dev/null and b/Guide/EN/TIM_HUB_guide_EN.pdf differ diff --git a/Guide/IT/TIM_HUB_guide_IT.html b/Guide/IT/TIM_HUB_guide_IT.html new file mode 100644 index 0000000..d3a967f --- /dev/null +++ b/Guide/IT/TIM_HUB_guide_IT.html 
@@ -0,0 +1,656 @@ + + + +TIM_HUB_guide_IT.md + + + + + + + + + + + + +

ROOT TIM HUB DGA4132 E GUI ANSUEL - VERSIONE AGTHP 2.3.3

+

La presente guida è stata concepita per avere un punto di riferimento semplice e immediato in caso si voglia procedere con l'abilitazione dell'utenza root del modem router TIM HUB DGA4132 (di seguito "router") e della successiva installazione della GUI Ansuel. Tutti i passaggi sono stati presi e adattati dai siti web riportati nel paragrafo sottostante, successivamente raggruppati in questa pagina e impostati nell'ordine corretto.

+

Questa guida è disponibile nei seguenti formati:

+ +

SITI WEB

+ +

FILE UTILI

+

Il file autoflashgui-master_timhub.zip contiene la versione 16.02.2018 del tool AutoFlashGUI sviluppato da Mark Smith (mswhirl). Una volta estratto, all'interno della cartella autoflashgui-master/firmware è possibile trovare i seguenti file necessari a questa guida:

+ +
+

GUIDA - PARTE 1

+ +
+

ATTENZIONE: Per abilitare la Configurazione estesa è necessario cliccare su una scheda che compare SOLO al primo login subito dopo un reset. Se si esegue il logout dalla GUI web o si chiude la finestra del browser, sarà necessario procedere con un ulteriore reset del router per ottenere nuovamente il prompt Configurazione estesa. Inoltre, il router NON deve essere in alcun modo collegato a Internet: scollegare quindi il cavo RJ11, il cavo Ethernet nella porta WAN oppure la connessione in FTTH.

+
+ +

AUTOFLASHGUI.EXE

+

Impostare i seguenti parametri con i rispettivi valori

+ +
+

GUIDA - PARTE 2

+ +

SCRIPT

+ +
# Ensure two banks match in sizes +[ $(grep -c bank_ /proc/mtd) = 2 ] && \ +[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \ +"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && { +# Clone and verify firmware into bank_2 if applicable +[ "$(cat /proc/banktable/booted)" = "bank_1" ] && { +mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \ +mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \ +{ echo Clone verification failed, retry; exit; } } +# Make a temp copy of overlay for booted firmware +cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup +# Clean up jffs2 space by removing existing old overlays +rm -rf /overlay/* +# Use the previously made temp copy as overlay for bank_2 +cp -rf /tmp/bank_overlay_backup /overlay/bank_2 +# Activate bank_1 +echo bank_1 > /proc/banktable/active +# Make sure above changes get written to flash +sync +# Erase firmware in bank_1 +mtd erase bank_1; +# Emulate system crash to hard reboot +echo c > /proc/sysrq-trigger; } +# end +
+ +
+

GUIDA - PARTE 3

+ +

PRESERVARE ACCESSO ROOT

+ +
+

COPIA E INCOLLA NEL TERMINALE. PREMERE INVIO PER ESEGUIRE L'ULTIMO COMANDO.

+
+
mkdir -p /overlay/$(cat /proc/banktable/booted)/etc +chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc +echo -e "echo root:root | chpasswd +sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd +sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab +uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \ +egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \ +sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \ +sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT' +uci add dropbear dropbear +uci rename dropbear.@dropbear[-1]=afg +uci set dropbear.afg.enable='1' +uci set dropbear.afg.Interface='lan' +uci set dropbear.afg.Port='22' +uci set dropbear.afg.IdleTimeout='600' +uci set dropbear.afg.PasswordAuth='on' +uci set dropbear.afg.RootPasswordAuth='on' +uci set dropbear.afg.RootLogin='1' +uci set dropbear.lan.enable='0' +uci commit dropbear +/etc/init.d/dropbear enable +/etc/init.d/dropbear restart +rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local +source /rom/etc/rc.local +" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local +chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local +sync +
+ +

FLASHING DEL FIRMWARE

+ +

CONSOLIDARE L'ACCESSO OTTENUTO

+ +
+

COPIA E INCOLLA NEL TERMINALE. PREMERE INVIO PER ESEGUIRE L'ULTIMO COMANDO.

+
+
# Disable CWMP +uci delete cwmpd.cwmpd_config +uci delete firewall.cwmpd +uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpd.pid' +uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpevents.pid' +uci commit +/etc/init.d/watchdog-tch reload +/etc/init.d/cwmpd disable +/etc/init.d/cwmpd stop +/etc/init.d/cwmpdboot disable +/etc/init.d/cwmpdboot stop +/etc/init.d/zkernelpanic disable +/etc/init.d/zkernelpanic stop + +# Disable CWMP - extra, in case you think it may resurrect +uci set cwmpd.cwmpd_config.state=0 +uci set cwmpd.cwmpd_config.acs_url='https://127.0.1.1:7547/' +uci set cwmpd.cwmpd_config.use_dhcp=0 +uci set cwmpd.cwmpd_config.interface=loopback +uci set cwmpd.cwmpd_config.enforce_https=1 +uci commit cwmpd + +# Disable Telstra monitoring +uci delete tls-vsparc.Config +uci delete tls-vsparc.Passive +uci delete autoreset.vsparc_enabled +uci delete autoreset.thor_enabled +uci delete wifi_doctor_agent.acs +uci delete wifi_doctor_agent.config +uci delete wifi_doctor_agent.as_config +uci commit + +# Disable Telstra Air/Fon WiFi +/etc/init.d/hotspotd stop +/etc/init.d/hotspotd disable +uci delete dhcp.hotspot +uci delete dhcp.fonopen +uci commit + +# Remove any default SSH pubkey +echo > /etc/dropbear/authorized_keys +# Disable SSH access over wan +uci set dropbear.wan.enable='0' +uci commit dropbear + +# Free space for gateways with small flash +find /rom/usr/lib/ipk -type f |xargs -n1 basename | cut -f 1 -d '_' |xargs opkg --force-removal-of-dependent-packages remove +
+ +

INSTALLAZIONE GUI ANSUEL

+ +

CAMBIARE PASSWORD ROOT E GUI

+ +

FINE

+

Ora si dispone di un modem router TIM HUB DGA4132 aggiornato alla versione AGTHP 2.3.3 con i permessi di root abilitati e la GUI Ansuel.

+ + + diff --git a/Guide/IT/TIM_HUB_guide_IT.md b/Guide/IT/TIM_HUB_guide_IT.md new file mode 100644 index 0000000..6f01320 --- /dev/null +++ b/Guide/IT/TIM_HUB_guide_IT.md 
@@ -0,0 +1,259 @@ +# ROOT TIM HUB DGA4132 E GUI ANSUEL - VERSIONE AGTHP 2.3.3 +La presente guida è stata concepita per avere un punto di riferimento semplice e immediato in caso si voglia procedere con l'abilitazione dell'utenza root del modem router TIM HUB DGA4132 (di seguito "router") e della successiva installazione della GUI Ansuel. Tutti i passaggi sono stati presi e adattati dai siti web riportati nel paragrafo sottostante, successivamente raggruppati in questa pagina e impostati nell'ordine corretto. + +Questa guida è disponibile nei seguenti formati: +- Markdown (`TIM_HUB_guide_IT.md`) +- PDF (`TIM_HUB_guide_IT.pdf`) +- HTML (`TIM_HUB_guide_IT.html`) + + +## SITI WEB +- [Hacking Technicolor Gateways: Material for MkDocs](https://hack-technicolor.readthedocs.io/en/stable/) +- [IlPuntoTecnico GUI Ansuel](https://www.ilpuntotecnico.com/forum/index.php?topic=81461.0) +- [GitHub GUI Ansuel](https://github.com/Ansuel/gui-dev-build-auto) +- [GitHub AutoFlashGUI](https://github.com/mswhirl/autoflashgui) +- [WinSCP](https://winscp.net/eng/download.php) + + +## FILE UTILI +Il file `autoflashgui-master_timhub.zip` contiene la versione `16.02.2018` del tool AutoFlashGUI sviluppato da Mark Smith (mswhirl). Una volta estratto, all'interno della cartella *autoflashgui-master/firmware* è possibile trovare i seguenti file necessari a questa guida: +- `AGTHP_1.0.3_CLOSED.rbi.torrent`: file torrent per avviare il download della versione AGTHP 1.0.3 del firmware scaricato dal sito web "Hacking Technicolor Gateways: Material for MkDocs". Una volta completato il download, spostare il file nella cartella *autoflashgui-master/firmware* +- `AGTHP_2.3.3_CLOSED.rbi.torrent`: file torrent per avviare il download della versione AGTHP 2.3.3 del firmware scaricato dal sito web "Hacking Technicolor Gateways: Material for MkDocs". 
Una volta completato il download, spostare il file nella cartella *autoflashgui-master/firmware* +- `GUI.tar.bz2`: versione stabile 9.6.65 della GUI Ansuel scaricata dalla repository GitHub `gui-dev-build-auto` di Ansuel. Per favore, controllare la presenza di nuove versioni prima di procedere + + +--- + + +## GUIDA - PARTE 1 +- Aggiornare il router alla versione 2.3.3 (è possibile effettuare questa operazione tramite l'applicazione per smartphone "TIM Modem" disponibile per Android e iOS) +- Dalla prima scheda *Gateway* nella GUI web, se necessario, eseguire backup configurazione in `.bin` tramite il pulsante *Esporta*. Verrà scaricato un file denominato "config.bin" +- Eseguire reset router tramite il pulsante *Ripristina* +- Al riavvio, login nella pagina web (`admin/admin`), non cambiare la password e attivare la modalità *Configurazione estesa* +> ATTENZIONE: Per abilitare la Configurazione estesa è necessario cliccare su una scheda che compare SOLO al primo login subito dopo un reset. Se si esegue il logout dalla GUI web o si chiude la finestra del browser, sarà necessario procedere con un ulteriore reset del router per ottenere nuovamente il prompt Configurazione estesa. Inoltre, il router NON deve essere in alcun modo collegato a Internet: scollegare quindi il cavo RJ11, il cavo Ethernet nella porta WAN oppure la connessione in FTTH. +- Per rifare il login nella GUI, la password è la **ACCESS KEY** sull'etichetta posta alla base del router (sotto l'ultimo codice a barre nella colonna a sinistra) +- Entrare nella prima scheda *Gateway* ed eseguire dalla terza tab il downgrade alla versione 1.0.3. Per fare ciò, caricare il file `AGTHP_1.0.3_CLOSED.rbi` cliccando su *Scegli il file* e poi su *Aggiorna* nella sezione *Aggiornamento firmware* +- Al riavvio, non sarà possibile fare il login. 
Eseguire reset router dal tasto sul retro (tenere premuto per **10-12 sec.**) +- Al secondo riavvio, login nella pagina web (`admin/admin`) senza cambiare la password +- Eseguire il programma `autoflashgui.exe` contenuto nella cartella *autoflashgui-master* + + +### AUTOFLASHGUI.EXE +Impostare i seguenti parametri con i rispettivi valori +- Load default: *Generic (Advanced DDNS)* +- Target IP: ip router +- Username: user GUI web +- Password: password GUI web +- **NON** selezionare *Firmware File Name* e la spunta *Flash firmware?* +- Attivare *Split the given command on semicolons [...]* se non selezionato +- Lasciare invariato il resto delle impostazioni +- Cliccare su *Run* +- Attendere risultato sulla shell +- Chiudere il programma (non sarà più necessario) +- Collegarsi in SSH al router e provare ad autenticarsi con `root/root` + + +--- + + +## GUIDA - PARTE 2 +- Dalla shell root del router abilitare la Serial Console Port + - `sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab` +- Verificare lo stato delle bank + - `find /proc/banktable -type f -print -exec cat {} ';' -exec echo ';'` +- Prendere nota dei seguenti parametri + + ... + /proc/banktable/booted + + proc/banktable/active + + ... 
+ +- Per raggiungere il nostro scopo, è necessario che il risultato del comando precedente diventi come segue + + /proc/banktable/active + bank_1 + /proc/banktable/activeversion + Unknown + /proc/banktable/booted + bank_2 + +- Proseguire quindi al passaggio successivo per impostare come active il `bank_1` per poi cancellarlo e fare in modo che vada in boot il `bank_2` + + +### SCRIPT +- Creare con il comando `vim` uno script con i seguenti comandi + +```bash +# Ensure two banks match in sizes +[ $(grep -c bank_ /proc/mtd) = 2 ] && \ +[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \ +"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && { +# Clone and verify firmware into bank_2 if applicable +[ "$(cat /proc/banktable/booted)" = "bank_1" ] && { +mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \ +mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \ +{ echo Clone verification failed, retry; exit; } } +# Make a temp copy of overlay for booted firmware +cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup +# Clean up jffs2 space by removing existing old overlays +rm -rf /overlay/* +# Use the previously made temp copy as overlay for bank_2 +cp -rf /tmp/bank_overlay_backup /overlay/bank_2 +# Activate bank_1 +echo bank_1 > /proc/banktable/active +# Make sure above changes get written to flash +sync +# Erase firmware in bank_1 +mtd erase bank_1; +# Emulate system crash to hard reboot +echo c > /proc/sysrq-trigger; } +# end +``` + +- Lanciare il seguente comando per renderlo eseguibile + - `chmod +x script.sh` +- Eseguire lo script appena creato + - `./script.sh` + + +--- + + +## GUIDA - PARTE 3 +- Adesso è possibile proseguire con l'upgrade del firmware per tornare alla versione 2.3.3 +- Aprire WinSCP (o software simile) e collegarsi con protocollo SCP al router con credenziali `root/root` +- Caricare nella directory `/tmp` del router il file `AGTHP_2.3.3_CLOSED.rbi` rinominandolo in `new.rbi` +- Eseguire da shell il 
seguente comando + - `cat "/tmp/new.rbi" | (bli_parser && echo "Please wait..." && (bli_unseal | dd bs=4 skip=1 seek=1 of="/tmp/new.bin"))` +- E' necessario procedere con un clean-up di file e configurazioni +- Creare un backup con il seguente comando e salvarlo sul proprio PC tramite WinSCP + - `tar -C /overlay -cz -f /tmp/backup-$(date -I).tar.gz $(cat /proc/banktable/booted)` +- Eseguire il comando seguente per cancellare completamente l'overlay della bank attualmente bootata + - `rm -rf /overlay/$(cat /proc/banktable/booted)` +- Cambiando versione del firmware il root potrebbe andare perso. NON riavviare e procedere quindi con il passaggio successivo + + +### PRESERVARE ACCESSO ROOT +- Eseguire tramite SSH il blocco di comandi seguente per preparare uno script che andrà eseguito una volta sola al boot successivo per garantire l'accesso con root + +> COPIA E INCOLLA NEL TERMINALE. PREMERE INVIO PER ESEGUIRE L'ULTIMO COMANDO. + +```bash +mkdir -p /overlay/$(cat /proc/banktable/booted)/etc +chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc +echo -e "echo root:root | chpasswd +sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd +sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab +uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \ +egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \ +sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \ +sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT' +uci add dropbear dropbear +uci rename dropbear.@dropbear[-1]=afg +uci set dropbear.afg.enable='1' +uci set dropbear.afg.Interface='lan' +uci set dropbear.afg.Port='22' +uci set dropbear.afg.IdleTimeout='600' +uci set dropbear.afg.PasswordAuth='on' +uci set dropbear.afg.RootPasswordAuth='on' +uci set dropbear.afg.RootLogin='1' +uci set dropbear.lan.enable='0' +uci commit dropbear +/etc/init.d/dropbear enable +/etc/init.d/dropbear restart 
+rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local +source /rom/etc/rc.local +" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local +chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local +sync +``` + +- Se la password di root è stata cambiata, questa verrà resettata a `root/root` +- Il gateway adesso è pulito. L'accesso con root tramite SSH verrà abilitato di nuovo permanentemente al boot successivo + + +### FLASHING DEL FIRMWARE +- Eseguire uno alla volta i seguenti comandi per scrivere il file `/tmp/new.bin` nella bank booted e per provocare un hard reboot + - `mtd -e $(cat /proc/banktable/booted) write "/tmp/new.bin" $(cat /proc/banktable/booted)` + - `echo c > /proc/sysrq-trigger` + + +### CONSOLIDARE L'ACCESSO OTTENUTO +- Eseguire i seguenti comandi nel terminale SSH per prevenire che il router perda inaspettatamente la possibilità di accesso con root + +> COPIA E INCOLLA NEL TERMINALE. PREMERE INVIO PER ESEGUIRE L'ULTIMO COMANDO. + +```bash +# Disable CWMP +uci delete cwmpd.cwmpd_config +uci delete firewall.cwmpd +uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpd.pid' +uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpevents.pid' +uci commit +/etc/init.d/watchdog-tch reload +/etc/init.d/cwmpd disable +/etc/init.d/cwmpd stop +/etc/init.d/cwmpdboot disable +/etc/init.d/cwmpdboot stop +/etc/init.d/zkernelpanic disable +/etc/init.d/zkernelpanic stop + +# Disable CWMP - extra, in case you think it may resurrect +uci set cwmpd.cwmpd_config.state=0 +uci set cwmpd.cwmpd_config.acs_url='https://127.0.1.1:7547/' +uci set cwmpd.cwmpd_config.use_dhcp=0 +uci set cwmpd.cwmpd_config.interface=loopback +uci set cwmpd.cwmpd_config.enforce_https=1 +uci commit cwmpd + +# Disable Telstra monitoring +uci delete tls-vsparc.Config +uci delete tls-vsparc.Passive +uci delete autoreset.vsparc_enabled +uci delete autoreset.thor_enabled +uci delete wifi_doctor_agent.acs +uci delete wifi_doctor_agent.config +uci delete wifi_doctor_agent.as_config +uci 
commit + +# Disable Telstra Air/Fon WiFi +/etc/init.d/hotspotd stop +/etc/init.d/hotspotd disable +uci delete dhcp.hotspot +uci delete dhcp.fonopen +uci commit + +# Remove any default SSH pubkey +echo > /etc/dropbear/authorized_keys +# Disable SSH access over wan +uci set dropbear.wan.enable='0' +uci commit dropbear + +# Free space for gateways with small flash +find /rom/usr/lib/ipk -type f |xargs -n1 basename | cut -f 1 -d '_' |xargs opkg --force-removal-of-dependent-packages remove +``` + +- Se ricevi uno o più messaggi di errore dall'esecuzione di questi comandi, è possibile ignorarli: significa che il comando non era necessario per la tua versione del firmware + + +### INSTALLAZIONE GUI ANSUEL +- Collegarsi con WinSCP al router come descritto in precedenza +- Copiare il file `GUI.tar.bz2` nella directory `/tmp` +- Collegarsi in SSH al router con root +- Eseguire il seguente comando per estrarre la GUI + - `bzcat /tmp/GUI.tar.bz2 | tar -C / -xvf - && /etc/init.d/rootdevice force` +- Attendere fino al termine della procedura. Se necessario il router potrebbe riavviarsi da solo. Ignorare gli ultimi messaggi di errore +- In caso di *Errore 9* riavviare il router e il problema sarà risolto + + +### CAMBIARE PASSWORD ROOT E GUI +- Eseguire il comando `passwd` nel terminale per cambiare la password di accesso dell'utente root. Questa procedure è fortemente consigliata +- Una volta installata la GUI Ansuel, username e password saranno nuovamente `admin/admin`. E' consigliato cambiare anche questa password in modo tale da prevenire accessi non autorizzati alla pagina web di amminsitrazione. Per fare ciò, dopo essere entrati nella GUI web, cliccare sul pulsante *Avanzate* in alto a destra accanto al nome utente *admin* e poi su *Impostazioni profilo* + + +### FINE +Ora si dispone di un modem router TIM HUB DGA4132 aggiornato alla versione AGTHP 2.3.3 con i permessi di root abilitati e la GUI Ansuel. + + 
diff --git a/Guide/IT/TIM_HUB_guide_IT.pdf b/Guide/IT/TIM_HUB_guide_IT.pdf new file mode 100644 index 0000000..3896f2a Binary files /dev/null and b/Guide/IT/TIM_HUB_guide_IT.pdf differ diff --git a/autoflashgui-master_timhub.zip b/autoflashgui-master_timhub.zip new file mode 100644 index 0000000..62b0c6e Binary files /dev/null and b/autoflashgui-master_timhub.zip differ
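Review bot: the FLASHING DEL FIRMWARE step writes `/tmp/new.bin` into the booted bank with `mtd -e ... write` and then immediately forces a crash reboot with `echo c > /proc/sysrq-trigger`, with no verification in between, so a short or corrupted write leaves the booted bank unbootable. Suggest inserting `mtd verify "/tmp/new.bin" $(cat /proc/banktable/booted)` between the two commands and telling the reader to reboot only if it reports success. Two smaller points in the same hunk: the `# Disable CWMP - extra` block runs `uci set cwmpd.cwmpd_config.state=0` (and four more `uci set` calls on the same section) right after `uci delete cwmpd.cwmpd_config` plus `uci commit` have removed that section, so those calls can only error out; if the intent is to leave a neutered config in place the section must be recreated with its original type first, otherwise the block should be dropped rather than covered by the "ignore any errors" note at the end. And the rc.local prepared in PRESERVARE ACCESSO ROOT resets the root password to `root` and enables `PasswordAuth`/`RootPasswordAuth`/`RootLogin` on the `afg` dropbear instance, while the `passwd` step only appears at the very end in CAMBIARE PASSWORD ROOT E GUI; consider moving the password change to immediately after the first post-flash SSH login (the instance is bound to `lan`, so exposure is limited to the local network, but the window still spans the whole GUI install).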