Adding Support for Verizon CR1000A

There is also an mcafee option.

config mcafee 'config'
	option enable '0'
	option environment_code 'PROD'

I think these hidden sqlite databases might be useful; there's much less care about input sanitization inside custom binaries than in shell scripts.

A few weeks back I was able to bypass the GUI check for ping. It still does validation on the backend.

There is a screen where it creates Network Objects. Those could be saved to one of the dbs listed above.

Stoked to see you guys tearing this thing apart and having fun! I can't add much here, but just know someone is cheering from a distance :slight_smile:

Here are the tables from .db:

UI_FsamIconUpdate UI_parentalRule
UI_Port UI_parentalText
UI_PortRule UI_pinholeRule
UI_accessControl UI_qsw
UI_accessControl_networkObj UI_routes6
UI_accessControl_portRule UI_scheduleDate
UI_analysis UI_scheduleRule
UI_blockDevice UI_scheduleTime
UI_forwardRule UI_staticNAT
UI_item UI_staticNAT_forwardRule
UI_networkObj UI_triggerRule
UI_parentalMAC UI_triggerRule_port

@meisterlone I'm experimenting with a jailbreak and would really like your help.
Can you try running util_backup_cli restore_from_file fa6ef1063557d8da3613680e7e0f6627e94b3df2.cfg against this file? https://file.io/OUbONfOu5bNi
It fails on my router but I don't know why - hoping it'll print something useful to the console. It should enable SSH if it succeeded, but I'm targeting the latest fw version so some UCI configs might not play well with the older fw on your router.

Better to run a full backup in case something goes wrong, and remove /data/restore_uci immediately after running the command.

Can't download, says file deleted

Ugh how do they take them down so quickly, here's an alternative link: https://pastebin.com/10dv4jfu
It's a base64 text file, just save the contents as .cfg.

EDIT: aaaand it's gone.

Use Google Drive, seems to be most reliable

I'd need to use my Google account for that, don't really wanna do it. Can you try this one?
Seems to be up for now: https://transfer.sh/dymQau/fa6ef1063557d8da3613680e7e0f6627e94b3df2.cfg

This is b64 encoded, should I decode before running?

No decoding necessary - this is a legacy config format I found inside libmapi_backup, it uses base64-encoded text

Hmm, I'm trying to think how I can get this file on the router without enabling sshd first =|

wget doesn't work

Normally I'd enable sshd to transfer the file over, but that would jeopardize the test.

I guess I could transfer the file to mmc then reboot and pull it from mmc to run util_backup_cli or a clean boot

There's curl inside the firmware, you can use that.

And to clarify - it doesn't enable SSH immediately, it should put a new pending UCI config to /data/restore_uci, which should be applied on the next reboot. This is why I asked you to delete /data/restore_uci so that no changes are made to your router that's running an older version of the firmware.

Just use USB drive?

The network settings on this do not allow curl or wget to pull directly from the internet. It's being routed to some local socket somehow. Probably vswitch or a VPN or something. Anyhows, here's the output

@spol-eff

root@CR1000A:~# util_backup_cli restore_from_file fa6ef1063557d8da3613680e7e0f6627e94b3df2.cfg
EVP_DecryptFinal_ex() Error
aes-256-cbc.c-aes_256_cbc_decrypt() 103: AES Decryption Failed!
EVP_DecryptFinal_ex() Error
aes-256-cbc.c-aes_256_cbc_decrypt() 103: AES Decryption Failed!
sh: base64: not found
Input file size is invalid!
root@CR1000A:~# md5sum fa6ef1063557d8da3613680e7e0f6627e94b3df2.cfg
08ef96ec88f64ce5613812f5320345a3  fa6ef1063557d8da3613680e7e0f6627e94b3df2.cfg

root@CR1000A:/# find . -iname base64
root@CR1000A:/#