Adding Support for Verizon CR1000A

Thank you! It seems like they were saved by a bug - they forgot to put base64 into the firmware.
I was hoping to use this function because it doesn't use /etc/allowlist and has bugs in their cp -rf calls - but alas.

That sucks.

I tried to see if ubus is being exposed to http or tcp somewhere but didn't find anything. Considering they put a password on it, I thought maybe it would be exposed somewhere.

This stock firmware is REALLY shitty. This thing generates so much log data all the time... it is basically constantly spamming the log with useless trash. It also takes AGES to boot up all of the different Verizon ARC crap. First it takes ages to decrypt the kernel, then takes ages to decrypt and check the entire rootfs (in u-boot), then takes up 90% of the rest of the boot to load different monitoring arc services and kernel modules.

I can silence some of the spam by
/etc/init.d/arc_cloud stop

@spol-eff where would you estimate are the chances of creating an acceptable firmware FIT image to upload to sysupgrade?

I'm guessing that uses public key encryption and we don't have the private keys. But haven't looked into that. Might be possible that they are only using the encryption you already broke.

ie
http://192.168.0.1/#/firmware_upgrade

That's probably not possible, that verification seems solid - they're not using pre-baked keys for that.

Alright, I've cracked the UCI config! After I failed with this attempt I've realized the new config restoration process has the EXACT SAME cp -rf bug.

What it's trying to do is copy the default system config into /tmp/config/default_uci and then apply the user's config over it.

The problem (for the OEM), is that they create /tmp/config from the config archive - so if the archive already has a default_uci folder it'll just copy the default system config inside it - and OpenWrt will simply ignore it! Basically we can do whatever we want in default_uci!

So what I've done is I've taken /etc/config from the clean image, and copied it into the config archive as default_uci. Then I've tried naively enabling SSH but that didn't work.

But what does work is changing the TR69 endpoint to a custom one, or scheduling arbitrary commands with default_uci/cron.

To summarize, take your backups, decrypt them, copy stock /etc/config as default_uci into the config directory, and start modifying it! This is how the directory structure should look:

image

Also to save you some time here's a clean default_uci from the 3.2.0.7 firmware: https://transfer.sh/xbzb2z/default_uci.zip

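The cp -rf behaviour described in the post above, reproduced in a scratch directory beside a restore routine that refuses the reserved name. This is an added example, not part of the original post and not the firmware's own script; every path, file content and function name in it is constructed.

```shell
#!/bin/sh
# Constructed stand-ins: $1/etc/config plays the stock config, $1/archive an
# extracted user backup. Nothing here is taken from the real firmware.

make_fixture() {   # $1 = scratch dir
    mkdir -p "$1/etc/config" "$1/archive/default_uci"
    echo "stock" > "$1/etc/config/system"
    echo "from-backup" > "$1/archive/default_uci/system"
}

# Pattern from the post: the work dir is created from the archive, then the stock
# defaults are copied "to" default_uci. That directory already exists, so cp -rf
# nests the stock tree as default_uci/config and the archive's files stay in place.
restore_vulnerable() {
    work="$1/tmp_config"
    rm -rf "$work"
    cp -rf "$1/archive" "$work"
    cp -rf "$1/etc/config" "$work/default_uci"
    cat "$work/default_uci/system"
}

# Hardened: reject archives that carry the reserved name, create the defaults
# directory fresh, and copy the *contents* of the stock config into it.
restore_hardened() {
    work="$1/tmp_config"
    rm -rf "$work"
    if [ -e "$1/archive/default_uci" ] || [ -L "$1/archive/default_uci" ]; then
        echo "rejected: archive contains reserved path default_uci" >&2
        return 1
    fi
    cp -rf "$1/archive" "$work"
    mkdir "$work/default_uci" || return 1      # fails if it somehow pre-exists
    cp -rf "$1/etc/config/." "$work/default_uci/"
    cat "$work/default_uci/system"
}

# Demo run on the constructed fixture
d=$(mktemp -d) && make_fixture "$d"
echo "vulnerable restore ends up with: $(restore_vulnerable "$d")"
restore_hardened "$d" || echo "hardened restore refused the archive"
rm -rf "$d"
```
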

Thank you for finding this! Does modifying default_uci work? Or do we have to copy part of the config to the uci folder? I tried modifying SSH and CWMP in default_uci and uploaded the config. Haven't seen it connect to my ACS server yet.

Looks like it's working on mine. So I only used this router as an AP but it required WAN port up to talk to ACS server. That's why it was not up on LAN.

Attached configurable Items from TR069:

Parameter	Object	Object timestamp	Writable	Writable timestamp
Device	TRUE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.DeviceInfo	TRUE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.HardwareVersion	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.Manufacturer	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.ManufacturerOUI	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.MemoryStatus	TRUE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.MemoryStatus.Free	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.MemoryStatus.Total	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.ModelName	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.ProcessStatus	TRUE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.ProcessStatus.CPUUsage	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.ProductClass	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.ProvisioningCode	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.SerialNumber	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.SoftwareVersion	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus	TRUE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus.TemperatureSensor	TRUE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.1	TRUE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.1.Value	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.2	TRUE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.2.Value	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.3	TRUE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.3.Value	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.4	TRUE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.TemperatureStatus.TemperatureSensor.4.Value	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.UpTime	FALSE	2023-03-19T02:11:09.675Z		
Device.DeviceInfo.X_VZ-COM_IsCRSP	FALSE	2023-03-19T02:11:09.675Z		
Device.IP	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1.IPv4Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1.IPv4Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1.IPv4Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1.IPv6Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1.IPv6Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1.IPv6Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1.Stats	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1.Stats.BytesReceived	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.1.Stats.BytesSent	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2.IPv4Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2.IPv4Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2.IPv4Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2.IPv6Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2.IPv6Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2.IPv6Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2.Stats	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2.Stats.BytesReceived	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.2.Stats.BytesSent	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3.IPv4Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3.IPv4Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3.IPv4Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3.IPv6Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3.IPv6Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3.IPv6Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3.Stats	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3.Stats.BytesReceived	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.3.Stats.BytesSent	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4.IPv4Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4.IPv4Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4.IPv4Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4.IPv6Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4.IPv6Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4.IPv6Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4.Stats	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4.Stats.BytesReceived	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.4.Stats.BytesSent	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5.IPv4Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5.IPv4Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5.IPv4Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5.IPv6Address	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5.IPv6Address.1	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5.IPv6Address.1.IPAddress	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5.Stats	TRUE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5.Stats.BytesReceived	FALSE	2023-03-19T02:11:09.675Z		
Device.IP.Interface.5.Stats.BytesSent	FALSE	2023-03-19T02:11:09.675Z		
Device.ManagementServer	TRUE	2023-03-19T02:11:09.675Z		
Device.ManagementServer.AliasBasedAddressing	FALSE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnReqAllowedJabberIDs	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnReqJabberID	FALSE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnReqXMPPConnection	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnectionRequestPassword	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnectionRequestURL	FALSE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.ConnectionRequestUsername	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.EnableCWMP	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.HeartbeatPolicy	TRUE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.InformParameterNumberOfEntries	FALSE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.ManageableDevice	TRUE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.ManageableDeviceNumberOfEntries	FALSE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.ParameterKey	FALSE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.Password	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.PeriodicInformEnable	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.PeriodicInformInterval	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.PeriodicInformTime	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.URL	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.Username	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_BootInformInterval	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_LastTR69InformFailureCount	FALSE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_PersistentURL1	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_PersistentURL2	FALSE	2023-03-19T02:11:09.675Z	TRUE	2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_TR69InformFailureCount	FALSE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.ManagementServer.X_VZ-COM_TotalTR69InformFailureCount	FALSE	2023-03-19T02:11:09.675Z	FALSE	2023-03-19T02:11:09.675Z
Device.RootDataModelVersion	FALSE	2023-03-19T02:11:09.675Z		
Device.Services	TRUE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig	TRUE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.BDCS	TRUE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.BDCS.Enable	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.DNSRebindProtection	TRUE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.DNSRebindProtection.Enable	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.SHP	TRUE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.SHP.Enabled	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.SON	TRUE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.SON.BHR	TRUE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.SON.BHR.UserEnable	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.WanMAC	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.WanType	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.X509Cert	TRUE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.CertExpiration	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.ClientSCEPStatus	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.PreviousSCEPError	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.RetryCounter	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.RetryEnabled	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.SCEPEnabled	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.SCEPError	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.X509Cert.SCEPReportStatus	FALSE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.ZRWiFi	TRUE	2023-03-19T02:11:09.675Z		
Device.Services.X_VZ-COM_DeviceConfig.ZRWiFi.Enable	FALSE	2023-03-19T02:11:09.675Z		
Device.WiFi	TRUE	2023-03-19T02:11:09.675Z		
Device.WiFi.Radio	TRUE	2023-03-19T02:11:09.675Z		
Device.WiFi.Radio.1	TRUE	2023-03-19T02:11:09.675Z		
Device.WiFi.Radio.1.X_VZ-COM_ChannelOccupancy	FALSE	2023-03-19T02:11:09.675Z		
Device.WiFi.Radio.2	TRUE	2023-03-19T02:11:09.675Z		
Device.WiFi.Radio.2.X_VZ-COM_ChannelOccupancy	FALSE	2023-03-19T02:11:09.675Z		
Device.WiFi.Radio.3	TRUE	2023-03-19T02:11:09.675Z		
Device.WiFi.Radio.3.X_VZ-COM_ChannelOccupancy	FALSE	2023-03-19T02:11:09.675Z		
DeviceID.ID	FALSE	2023-03-19T02:15:10.246Z	FALSE	2023-03-19T02:15:10.246Z
DeviceID.Manufacturer	FALSE	2023-03-19T02:15:10.246Z	FALSE	2023-03-19T02:15:10.246Z
DeviceID.OUI	FALSE	2023-03-19T02:15:10.246Z	FALSE	2023-03-19T02:15:10.246Z
DeviceID.ProductClass	FALSE	2023-03-19T02:15:10.246Z	FALSE	2023-03-19T02:15:10.246Z
DeviceID.SerialNumber	FALSE	2023-03-19T02:15:10.246Z	FALSE	2023-03-19T02:15:10.246Z
Events.0_BOOTSTRAP	FALSE	2023-03-19T02:15:10.246Z	FALSE	2023-03-19T02:15:10.246Z
Events.Inform	FALSE	2023-03-19T02:15:10.246Z	FALSE	2023-03-19T02:15:10.246Z
Events.Registered	FALSE	2023-03-19T02:15:10.246Z	FALSE	2023-03-19T02:15:10.246Z

I think it's getting enabled somewhere around here

Very weird, I can pull info from the TR069 but when I push it, also getting this error. Any thoughts?

I'm trying to push a value 1 to this parameter. It might be something like enable as well.

FYI, here are the steps I need to take to get sshd up from the shell. arc_sshd is bound to port 22 by default (running on startup), but that is networked through the cloud so it's not accessible from directly connected networks; I have to kill it and use sshd. Maybe we can fix the networking somehow and arc_sshd will become accessible? I have no idea how they are binding the port to their backdoor vpn.

wget and curl are also unable to pull anything from directly connected networks, but ping works fine. As in I can ping 192.168.0.1 on the wan port, but can't wget or curl anything from 192.168.0.1.
I tried lan port too, same deal.


>/etc/ssh/sshd_config
vi sshd_config

Port 22
Protocol 2
PermitRootLogin yes
StrictModes no
AuthorizedKeysFile      .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes
Subsystem       sftp    /opt/lib/sftp-server

/usr/bin/ssh-keygen -A
mkdir /var/empty
/etc/init.d/arc_sshd stop
/usr/sbin/sshd -d

If I do the above, I can access sshd on port 22 through a host on the lan.

How did you get SSH up on the cloud side? Did you create an arc_sshd file under the default_uci folder?

You could use a different router and have this router hooked to your LAN on the WAN port to get cloud access.

I have serial shell access and they have the regular sshd binary in the firmware, so I just used that.

@spol-eff you couldn't enable ssh because either arc_sshd is taking up the port OR because they don't have keys built for the device. (/usr/bin/ssh-keygen -A)
Either will stop sshd. The case is probably both.


Looks like we need the cron job added via .cfg which would kill arc_sshd and run a normal one, like every minute?


No, by cloud I mean they have a tunnel vpn to Verizon and arc_sshd port 22 is only accessible through that tunnel. If the device is not able to open the tunnel, 22 is not accessible. (as far as I can tell)

Setting the ssh config uci probably sets up regular sshd to run but the service will fail due to port being in use + ssh keys not configured.

Ok, seems like I can pull those three UserInterface parameters now from TR069.

It doesn't have the regular SSH config, you can only do the arc_ssh stuff, which is supposed to set up users and manage sshd w/ keys, but the tunneling part explains a lot.

Can this actually be done via uci config? Probably not.