Adding Support for Verizon CR1000A

I already tried that (see comment above), the device goes into a boot loop instead of recovery.

Thanks for looking into it, folks!

My 2c contribution:

Here is another hidden page; I do not see any ports open after enabling it.
https://192.168.1.1/#/zenreach_ap

I think our best chance is getting the router to somebody who can dump the eMMC so we can pull the config key out. Another possibility is figuring out that USB port - the lanes are definitely connected to something, and are not floating. LibUSB and other USB code is included in the GPL release so there's a decent chance it might be doing something.

There's also another, very remote possibility - when you're doing something in the Verizon FIOS mobile app - it connects to the router and the router connects back to the ACS to pull the requested operation (eg perform a speed test, etc). Might be useful for some attack.

Another option is to go the route of this guy (Commits · ozwaldorf/FIOS-G1100 · GitHub) and try to use TR-069 to enable SSH.

Also found that the CR1000A has several hardware revisions: CR1000A Router with White Verizon Logo in middle VS. CR1000A Router with Red Verizon Logo in corner : Fios (reddit.com)

Ordered one from eBay today, ready to torture it as needed :slight_smile:

What if someone who has FIOS service with this router does a reset to force a firmware upgrade and captures the address or file with Wireshark? I tried it with mine, but since I don't have Fios service the CWMP address is not reachable from my network.

I could do it once the router arrives. Need instructions though.


This requires having cracked the config key, for which we need access to firmware files.

This is likely not possible, as all communication between the router and Verizon is TLS-encrypted.

Agreed on both counts. Seems like we need something similar to https://www.tenable.com/security/research/tra-2019-17

Looks like there is a new version, 3.2.0.7, out, and I saw someone posted this link; you should be able to download it from the Verizon network. https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.7.bin

Please let us know if this works.


Very interesting, it runs sys_openwrt_upgrade when updating the system.

2023 Feb 7 03:45:57 info arc_tr69: [TR69.6][ADV] Tr69_ExecuteDownload URL=[https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.7.bin], FileSize=[0]
2023 Feb 7 03:46:06 info arc_tr69: [TR69.6][ADV] ExecuteDownload:ht_client_send return [61186832], content-len=[61186832]
2023 Feb 7 03:46:06 info arc_tr69: [TR69.6][ADV] S=[2023-02-07T03:45:57], E=[2023-02-07T03:46:06]
2023 Feb 7 03:46:06 info arc_tr69: [TR69.6][ADV] System upgrade /data/chr2fa_fw_3.2.0.7.bin
2023 Feb 7 03:46:06 info arc_tr69: [TR69.6][ADV] sys_openwrt_upgrade
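The arc_tr69 lines above record the whole TR-069 Download RPC as the CPE sees it: the URL the ACS handed down, the announced FileSize, how many bytes ht_client_send actually returned against the Content-Length, the start/end window, the staged image path and the upgrade hook. A small parser that pulls those fields out and sanity-checks them (HTTPS scheme, byte count matching Content-Length, announced size) is useful when comparing captures from different units or firmware versions. This is an added example and not code from the thread or from the router; the sample log is constructed from the lines quoted in the post, and the field names and check list are my own.

```python
import re
from datetime import datetime

# Constructed sample, built from the arc_tr69 lines quoted in the post above.
SAMPLE_LOG = """\
2023 Feb 7 03:45:57 info arc_tr69: [TR69.6][ADV] Tr69_ExecuteDownload URL=[https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.7.bin], FileSize=[0]
2023 Feb 7 03:46:06 info arc_tr69: [TR69.6][ADV] ExecuteDownload:ht_client_send return [61186832], content-len=[61186832]
2023 Feb 7 03:46:06 info arc_tr69: [TR69.6][ADV] S=[2023-02-07T03:45:57], E=[2023-02-07T03:46:06]
2023 Feb 7 03:46:06 info arc_tr69: [TR69.6][ADV] System upgrade /data/chr2fa_fw_3.2.0.7.bin
2023 Feb 7 03:46:06 info arc_tr69: [TR69.6][ADV] sys_openwrt_upgrade
"""

# Syslog-style prefix: "<YYYY Mon D HH:MM:SS> <severity> <process>: [<module>][<level>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<sev>\w+) (?P<proc>\w+): \[(?P<mod>[^\]]+)\]\[(?P<lvl>\w+)\] (?P<msg>.*)$"
)
URL_RE = re.compile(r"Tr69_ExecuteDownload URL=\[(?P<url>[^\]]+)\], FileSize=\[(?P<size>\d+)\]")
SEND_RE = re.compile(r"ht_client_send return \[(?P<ret>-?\d+)\], content-len=\[(?P<clen>\d+)\]")
WINDOW_RE = re.compile(r"S=\[(?P<s>[^\]]+)\], E=\[(?P<e>[^\]]+)\]")
UPGRADE_RE = re.compile(r"System upgrade (?P<path>\S+)")


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y %b %d %H:%M:%S")
    return rec


def summarize_upgrade(log_text):
    """Reduce the arc_tr69 lines of one Download RPC to a dict plus a list of warnings."""
    s = {"url": None, "announced_size": None, "content_len": None, "received": None,
         "image_path": None, "upgrade_cmd": None, "start": None, "end": None,
         "duration_s": None, "flags": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proc"] != "arc_tr69":
            continue                      # ignore other daemons' lines
        msg = rec["msg"]
        if (m := URL_RE.search(msg)):
            s["url"] = m["url"]
            s["announced_size"] = int(m["size"])
        elif (m := SEND_RE.search(msg)):
            s["received"] = int(m["ret"])
            s["content_len"] = int(m["clen"])
        elif (m := WINDOW_RE.search(msg)):
            s["start"] = datetime.fromisoformat(m["s"])
            s["end"] = datetime.fromisoformat(m["e"])
            s["duration_s"] = (s["end"] - s["start"]).total_seconds()
        elif (m := UPGRADE_RE.search(msg)):
            s["image_path"] = m["path"]
        elif msg.strip() == "sys_openwrt_upgrade":
            s["upgrade_cmd"] = msg.strip()

    # Checks a reviewer would want when comparing captures (my own list, not the device's).
    if s["url"] and not s["url"].lower().startswith("https://"):
        s["flags"].append("download URL is not HTTPS")
    if s["received"] is not None and s["received"] != s["content_len"]:
        s["flags"].append("received byte count differs from Content-Length")
    if s["announced_size"] == 0:
        s["flags"].append("ACS announced FileSize=0; size only known from Content-Length")
    return s


if __name__ == "__main__":
    for k, v in summarize_upgrade(SAMPLE_LOG).items():
        print(f"{k:15} {v}")
```

On the quoted lines the only flag raised is the FileSize=0 one: the ACS did not announce a size, so the 61186832-byte figure comes solely from the HTTP Content-Length. If a capture from another unit shows a different URL host, an http:// scheme, or a received count short of Content-Length, the flags list is where that surfaces.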

  1. downloaded and uploaded to https://file.io/mSdF7DiDPxdS
  2. got my device, it's a version without BLE, unfortunately

Mine has TTL populated and no BLE as well (red logo one). I don't think you will need that for anything.

It was supposed to be for home automation, ZigBee and Co. Hoped to play with it :relaxed:

Seems it's been deleted.

One more time: https://file.io/2W2LpjIgui6C

Firmware appears to be LUKS encrypted. Not much we can do with it without a key and knowing how to decrypt it.
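A LUKS container is recognisable from its header alone, and the header says a good deal even without the key: the LUKS version, cipher and mode, hash, the payload offset, and for LUKS1 how many of the eight key slots are populated (so whether there is passphrase-unlockable material in the image at all, or only a detached-header/raw-key setup). The scanner below walks a firmware blob for the `LUKS\xba\xbe` magic and decodes the LUKS1 phdr and key-slot table, or the LUKS2 binary header plus the JSON metadata that follows it. This is an added example, not code from the thread; the sample blob is constructed in the script and is not the CR1000A image, so the field values it reports say nothing about the real firmware.

```python
import json
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS1 on-disk phdr (big-endian): magic, version, cipher_name[32], cipher_mode[32], hash_spec[32],
# payload_offset, key_bytes, mk_digest[20], mk_digest_salt[32], mk_digest_iter, uuid[40]  -> 208 bytes
LUKS1_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
# 8 key slots follow: active, iterations, salt[32], key_material_offset, stripes  -> 48 bytes each
LUKS1_KEYSLOT = struct.Struct(">II32sII")
LUKS1_KEY_ENABLED = 0x00AC71F3
# First 264 bytes of the 4096-byte LUKS2 binary header: magic, version, hdr_size, seqid, label[48],
# checksum_alg[32], salt[64], uuid[40], subsystem[48], hdr_offset; JSON metadata starts at +4096
LUKS2_BIN_HDR = struct.Struct(">6sHQQ48s32s64s40s48sQ")
LUKS2_JSON_OFFSET = 4096


def _cstr(raw):
    """Decode a NUL-padded fixed-width string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1(blob, off):
    f = LUKS1_PHDR.unpack_from(blob, off)
    info = {"offset": off, "version": 1, "cipher": _cstr(f[2]), "mode": _cstr(f[3]),
            "hash": _cstr(f[4]), "payload_offset_sectors": f[5], "key_bytes": f[6],
            "mk_iterations": f[9], "uuid": _cstr(f[10]), "active_keyslots": None}
    slots = off + LUKS1_PHDR.size
    if slots + 8 * LUKS1_KEYSLOT.size <= len(blob):
        info["active_keyslots"] = sum(
            1 for i in range(8)
            if LUKS1_KEYSLOT.unpack_from(blob, slots + i * LUKS1_KEYSLOT.size)[0] == LUKS1_KEY_ENABLED)
    return info


def parse_luks2(blob, off):
    f = LUKS2_BIN_HDR.unpack_from(blob, off)
    info = {"offset": off, "version": 2, "hdr_size": f[2], "label": _cstr(f[4]),
            "checksum_alg": _cstr(f[5]), "uuid": _cstr(f[7]), "encryption": None, "keyslots": None}
    if LUKS2_JSON_OFFSET < f[2] and off + f[2] <= len(blob):
        try:
            meta = json.loads(_cstr(blob[off + LUKS2_JSON_OFFSET: off + f[2]]))
            info["encryption"] = meta.get("segments", {}).get("0", {}).get("encryption")
            info["keyslots"] = len(meta.get("keyslots", {}))
        except (ValueError, AttributeError):
            pass                          # corrupt or truncated JSON area: report the binary header only
    return info


def find_luks_headers(blob):
    """Return parsed header info for every LUKS1/LUKS2 header found anywhere in the blob."""
    found, pos = [], blob.find(LUKS_MAGIC)
    while pos != -1:
        if pos + 8 <= len(blob):
            ver = struct.unpack_from(">H", blob, pos + 6)[0]
            if ver == 1 and pos + LUKS1_PHDR.size <= len(blob):
                found.append(parse_luks1(blob, pos))
            elif ver == 2 and pos + LUKS2_BIN_HDR.size <= len(blob):
                found.append(parse_luks2(blob, pos))
        pos = blob.find(LUKS_MAGIC, pos + 1)
    return found


# ---- constructed sample blob (not the real firmware): one LUKS1 and one LUKS2 header ----
def _sample_luks1():
    hdr = LUKS1_PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                          b"\x11" * 20, b"\x22" * 32, 1000, b"11111111-2222-3333-4444-555555555555")
    slots = LUKS1_KEYSLOT.pack(LUKS1_KEY_ENABLED, 2000, b"\x44" * 32, 8, 4000)       # slot 0 in use
    slots += LUKS1_KEYSLOT.pack(0x0000DEAD, 0, b"\0" * 32, 0, 0) * 7                  # slots 1-7 empty
    return hdr + slots


def _sample_luks2():
    meta = {"segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64", "sector_size": 512}},
            "keyslots": {"0": {"type": "luks2"}}, "tokens": {}, "digests": {}, "config": {}}
    hdr_size = 16384
    binhdr = LUKS2_BIN_HDR.pack(LUKS_MAGIC, 2, hdr_size, 1, b"fw", b"sha256", b"\x33" * 64,
                                b"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", b"", 0)
    return binhdr.ljust(LUKS2_JSON_OFFSET, b"\0") + json.dumps(meta).encode().ljust(hdr_size - LUKS2_JSON_OFFSET, b"\0")


SAMPLE_BLOB = b"\xff" * 1000 + _sample_luks1() + b"\0" * 500 + _sample_luks2() + b"\xff" * 100

if __name__ == "__main__":
    for h in find_luks_headers(SAMPLE_BLOB):
        print(h)
```

Run it against the downloaded .bin instead of SAMPLE_BLOB (read the file in binary mode and pass the bytes to find_luks_headers) to confirm which LUKS version is in use and whether any key slot is populated; a populated slot means a passphrase somewhere on the device unlocks it, an empty table means the master key is supplied out of band (a TPM, RPMB or similar), which is the distinction the later posts in this thread are guessing at.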

And the key is inside the current firmware? Meaning we still need to find the vulnerability in their API?

If I had to guess, it's either on a TPM chip or somewhere in RPMB on the eMMC... so yes, most likely we will need to find a different bug.