Thank you! It seems like they were saved by a bug - they forgot to put base64 into the firmware.
I was hoping to use this function because it doesn't use /etc/allowlist and has bugs in their cp -rf calls - but alas.
That sucks.
I tried to see if ubus is being exposed to http or tcp somewhere but didn't find anything. Considering they put a password on it, I thought maybe it would be exposed somewhere.
This stock firmware is REALLY shitty. This thing generates so much log data all the time. It is basically constantly spamming the log with useless trash. It also takes AGES to boot up all of the different verizon ARC crap. First it takes ages to decrypt the kernel, then takes ages to decrypt and check the entire rootfs (in u-boot), then takes up 90% of the rest of the boot to load different monitoring arc services and kernel modules.
I can silence some of the spam with /etc/init.d/arc_cloud stop
@spol-eff where would you estimate are the chances of creating an acceptable firmware FIT image to upload to sysupgrade?
I'm guessing that uses public key encryption and we don't have the private keys. But I haven't looked into that. Might be possible that they are only using the encryption you already broke.
That's probably not possible, that verification seems solid - they're not using pre-baked keys for that.
Alright, I've cracked the UCI config! After I failed with this attempt I've realized the new config restoration process has the EXACT SAME cp -rf bug.
What it's trying to do is copy the default system config into /tmp/config/default_uci and then apply the user's config over it.
The problem (for the OEM) is that they create /tmp/config from the config archive - so if the archive already has a default_uci folder it'll just copy the default system config inside it - and OpenWrt will simply ignore it! Basically we can do whatever we want in default_uci!
So what I've done is I've taken /etc/config from the clean image, and copied it into the config archive as default_uci. Then I've tried naively enabling SSH but that didn't work.
But what does work is changing the TR69 endpoint to a custom one, or scheduling arbitrary commands with default_uci/cron.
To summarize, take your backups, decrypt them, copy stock /etc/config as default_uci into the config directory, and start modifying it! This is how the directory structure should look:
Also to save you some time, here's a clean default_uci from the 3.2.0.7 firmware: https://transfer.sh/xbzb2z/default_uci.zip
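The directory-nesting behaviour described in the post above (cp -rf of a directory onto a target that already exists), reproduced here as an added example that is not code from the thread. It builds everything under a mktemp scratch directory with constructed file names (system, dropbear), so it runs offline and touches nothing on a real device; the second function shows the restore step the way it would have to be written to not trust a default_uci shipped inside the archive.

```shell
#!/bin/sh
# Added example, not code from the thread or the OEM firmware. It reproduces why
# "cp -rf SRC DST" nests SRC inside DST when DST already exists, which is what the
# config-restore described above runs into, and contrasts it with a restore that
# does not depend on the archive. All paths are constructed under mktemp.

# Fixture: a stock /etc/config with one file, plus a config archive that already
# carries its own default_uci directory (the situation the post describes).
setup_fixture() {
    work=$(mktemp -d)
    mkdir -p "$work/etc/config" "$work/archive/default_uci"
    printf 'config system\n' > "$work/etc/config/system"
    printf 'config dropbear\n' > "$work/archive/default_uci/dropbear"
    printf '%s\n' "$work"
}

# Restore the way the post says the OEM does it: unpack the archive to a config
# dir, then cp -rf the stock defaults to <dir>/default_uci. Returns 0 when the bug
# reproduces: the stock "system" file ends up one level too deep, in
# default_uci/config/, and the archive-supplied file in default_uci survives.
naive_restore_nests_defaults() {
    work=$(setup_fixture)
    cp -rf "$work/archive" "$work/tmp_config"
    cp -rf "$work/etc/config" "$work/tmp_config/default_uci"
    if [ ! -f "$work/tmp_config/default_uci/system" ] \
       && [ -f "$work/tmp_config/default_uci/config/system" ] \
       && [ -f "$work/tmp_config/default_uci/dropbear" ]; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

# Restore that does not trust the archive for default_uci: discard whatever the
# archive put there, recreate the directory, and copy the *contents* of /etc/config
# (trailing "/.") so the result is the same whether or not the target existed.
# Returns 0 only if the stock file is in place and the archive-supplied one is gone.
safe_restore() {
    work=$(setup_fixture)
    cp -rf "$work/archive" "$work/tmp_config"
    rm -rf "$work/tmp_config/default_uci"
    mkdir -p "$work/tmp_config/default_uci"
    cp -rf "$work/etc/config/." "$work/tmp_config/default_uci/"
    if [ -f "$work/tmp_config/default_uci/system" ] \
       && [ ! -f "$work/tmp_config/default_uci/dropbear" ]; then
        rm -rf "$work"; return 0
    fi
    rm -rf "$work"; return 1
}

if naive_restore_nests_defaults; then
    echo "naive restore: stock defaults nested under default_uci/config, archive copy kept"
fi
if safe_restore; then
    echo "safe restore: archive-supplied default_uci discarded, stock defaults in place"
fi
```

The two functions differ only in the three lines around the copy; the point is that a restore which pre-creates the destination from untrusted input must either remove it first or copy directory contents rather than the directory itself.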
Thank you for finding this! Does modifying default_uci work? Or do we have to copy part of the config to the uci folder? I tried modifying SSH and CWMP in the default_uci and uploaded the config. Haven't seen it connect to my ACS server yet.
Looks like it's working on mine. So I only used this router as an AP but it required WAN port up to talk to ACS server. That's why it was not up on LAN.
Attached configurable Items from TR069:
Parameter Object Object timestamp Writable Writable timestamp
Device TRUE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo TRUE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.HardwareVersion FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.Manufacturer FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.ManufacturerOUI FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.MemoryStatus TRUE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.MemoryStatus.Free FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.MemoryStatus.Total FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.ModelName FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.ProcessStatus TRUE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.ProcessStatus.CPUUsage FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.ProductClass FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.ProvisioningCode FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.SerialNumber FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.SoftwareVersion FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus TRUE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus.TemperatureSensor TRUE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.1 TRUE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.1.Value FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.2 TRUE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.2.Value FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.3 TRUE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.3.Value FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.4 TRUE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.4.Value FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.UpTime FALSE 2023-03-19T02:11:09.675Z
Device.DeviceInfo.X_VZ-COM_IsCRSP FALSE 2023-03-19T02:11:09.675Z
Device.IP TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1.IPv4Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1.IPv4Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1.IPv4Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1.IPv6Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1.IPv6Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1.IPv6Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1.Stats TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1.Stats.BytesReceived FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.1.Stats.BytesSent FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2.IPv4Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2.IPv4Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2.IPv4Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2.IPv6Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2.IPv6Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2.IPv6Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2.Stats TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2.Stats.BytesReceived FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.2.Stats.BytesSent FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3.IPv4Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3.IPv4Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3.IPv4Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3.IPv6Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3.IPv6Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3.IPv6Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3.Stats TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3.Stats.BytesReceived FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.3.Stats.BytesSent FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4.IPv4Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4.IPv4Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4.IPv4Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4.IPv6Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4.IPv6Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4.IPv6Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4.Stats TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4.Stats.BytesReceived FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.4.Stats.BytesSent FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5.IPv4Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5.IPv4Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5.IPv4Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5.IPv6Address TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5.IPv6Address.1 TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5.IPv6Address.1.IPAddress FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5.Stats TRUE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5.Stats.BytesReceived FALSE 2023-03-19T02:11:09.675Z
Device.IP.Interface.5.Stats.BytesSent FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.AliasBasedAddressing FALSE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnReqAllowedJabberIDs FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnReqJabberID FALSE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnReqXMPPConnection FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnectionRequestPassword FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnectionRequestURL FALSE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnectionRequestUsername FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.EnableCWMP FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.HeartbeatPolicy TRUE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.InformParameterNumberOfEntries FALSE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.ManageableDevice TRUE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.ManageableDeviceNumberOfEntries FALSE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.ParameterKey FALSE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.Password FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.PeriodicInformEnable FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.PeriodicInformInterval FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.PeriodicInformTime FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.URL FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.Username FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_BootInformInterval FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_LastTR69InformFailureCount FALSE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_PersistentURL1 FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_PersistentURL2 FALSE 2023-03-19T02:11:09.675Z TRUE 2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_TR69InformFailureCount FALSE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_TotalTR69InformFailureCount FALSE 2023-03-19T02:11:09.675Z FALSE 2023-03-19T02:11:09.675Z
Device.RootDataModelVersion FALSE 2023-03-19T02:11:09.675Z
Device.Services TRUE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig TRUE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.BDCS TRUE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.BDCS.Enable FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.DNSRebindProtection TRUE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.DNSRebindProtection.Enable FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.SHP TRUE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.SHP.Enabled FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.SON TRUE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.SON.BHR TRUE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.SON.BHR.UserEnable FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.WanMAC FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.WanType FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.X509Cert TRUE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.CertExpiration FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.ClientSCEPStatus FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.PreviousSCEPError FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.RetryCounter FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.RetryEnabled FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.SCEPEnabled FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.SCEPError FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.SCEPReportStatus FALSE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.ZRWiFi TRUE 2023-03-19T02:11:09.675Z
Device.Services.X_VZ-COM_DeviceConfig.ZRWiFi.Enable FALSE 2023-03-19T02:11:09.675Z
Device.WiFi TRUE 2023-03-19T02:11:09.675Z
Device.WiFi.Radio TRUE 2023-03-19T02:11:09.675Z
Device.WiFi.Radio.1 TRUE 2023-03-19T02:11:09.675Z
Device.WiFi.Radio.1.X_VZ-COM_ChannelOccupancy FALSE 2023-03-19T02:11:09.675Z
Device.WiFi.Radio.2 TRUE 2023-03-19T02:11:09.675Z
Device.WiFi.Radio.2.X_VZ-COM_ChannelOccupancy FALSE 2023-03-19T02:11:09.675Z
Device.WiFi.Radio.3 TRUE 2023-03-19T02:11:09.675Z
Device.WiFi.Radio.3.X_VZ-COM_ChannelOccupancy FALSE 2023-03-19T02:11:09.675Z
DeviceID.ID FALSE 2023-03-19T02:15:10.246Z FALSE 2023-03-19T02:15:10.246Z
DeviceID.Manufacturer FALSE 2023-03-19T02:15:10.246Z FALSE 2023-03-19T02:15:10.246Z
DeviceID.OUI FALSE 2023-03-19T02:15:10.246Z FALSE 2023-03-19T02:15:10.246Z
DeviceID.ProductClass FALSE 2023-03-19T02:15:10.246Z FALSE 2023-03-19T02:15:10.246Z
DeviceID.SerialNumber FALSE 2023-03-19T02:15:10.246Z FALSE 2023-03-19T02:15:10.246Z
Events.0_BOOTSTRAP FALSE 2023-03-19T02:15:10.246Z FALSE 2023-03-19T02:15:10.246Z
Events.Inform FALSE 2023-03-19T02:15:10.246Z FALSE 2023-03-19T02:15:10.246Z
Events.Registered FALSE 2023-03-19T02:15:10.246Z FALSE 2023-03-19T02:15:10.246Z
Very weird, I can pull info from the TR069 but when I push it, also getting this error. Any thought?
FYI, here are the steps I need to take to get sshd up from the shell. arc_sshd is bound to port 22 by default (running on startup), but that is networked through the cloud so it's not accessible from directly connected networks; I have to kill it and use sshd. Maybe we can fix the networking somehow and arc_sshd will become accessible? I have no idea how they are binding the port to their backdoor vpn.
wget and curl are also unable to pull anything from directly connected networks, but ping works fine. As in I can ping 192.168.0.1 on the wan port, but can't wget or curl anything from 192.168.0.1.
I tried lan port too, same deal.
# Create /etc/ssh/sshd_config from scratch (the device ships without one);
# this replaces the truncate-then-vi step with the same file contents.
cat > /etc/ssh/sshd_config <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
StrictModes no
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes
Subsystem sftp /opt/lib/sftp-server
EOF
# Generate any missing host keys; sshd refuses to start without them
/usr/bin/ssh-keygen -A
# Privilege-separation directory sshd expects to exist
mkdir -p /var/empty
# Free port 22, which arc_sshd holds by default
/etc/init.d/arc_sshd stop
# Run sshd in the foreground with debug output
/usr/sbin/sshd -d
If I do the above, I can access sshd on port 22 through a host on the lan.
How did you get SSH up on the cloud side? Did you create an arc_sshd file under the default_uci folder?
You could use a different router and have this router hooked to your LAN on the WAN port to get cloud access.
I have serial shell access and they have the regular sshd binary in the firmware, so I just used that.
@spol-eff you couldn't enable ssh because either arc_sshd is taking up the port OR because they don't have keys built for the device. (/usr/bin/ssh-keygen -A)
Either will stop sshd. The case is probably both.
Looks like we need the cron job added via .cfg which would kill arc_sshd and run a normal one, like every minute?
No by cloud, I mean they have a tunnel vpn to verizon and arc_sshd port 22 is only accessible through that tunnel. If the device is not able to open the tunnel, 22 is not accessible. (as far as I can tell)
Setting the ssh config uci probably sets up regular sshd to run but the service will fail due to port being in use + ssh keys not configured.
It doesn't have the regular SSH config, you can only do the arc_ssh stuff, which is supposed to set up users and manage sshd w/ keys, but the tunneling part explains a lot.
Can this actually be done via uci config? Probably not