OpenWrt Forum Archive

Topic: Draytek Vigor 2760 VDSL2 modem/router reverse engineering

The content of this topic has been archived on 16 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Morning guys!

I've spent my spare time the last couple of days attempting to reverse engineer and modify the firmware of the new Vigor 2760 VDSL2 modem. It quite quickly became clear the whole system is built around OpenWRT 10.03, yet it appears they have not made their sources publicly available. I've sent an email to their support days ago now but it seems they preferred to ignore me. smile

The system is built around a Lantiq SoC: 500MHz MIPS CPU, 128MB RAM and 128MB flash. From what I gather, getting custom OpenWrt up and running on this device should be pretty easy once I've gathered enough information. Modem code and such are of course binary blobs, that being both a good and a bad thing: not being able to run it out of spec and at illegal power levels, but a pity to lose tweaking abilities. I've got the rootfs, amongst other things, extracted and have access to all files, but the most interesting stuff is encrypted; even the basic configuration file is lzma compressed and then salted/hashed, so it's hard to extract any good information, but I'm working on it.

As someone quite new in this scene, I'm making this post in the hopes of getting some help on how to approach DrayTek to obtain their sources of all the GPL'd software they use. I bet it's not gonna be easy... but if someone else has gone through a similar process I'd love to hear how it went and what steps they took (especially if it was DrayTek).

For the hardware parts it's all quite well documented by fcc: https://apps.fcc.gov/oetcf/eas/reports/ … VGYV2760VN

(Last edited by spock on 13 Jun 2013, 04:06)

After plenty more hours poking away at it I must say this little box is pretty tightly locked down. I think I've come as far as I can go without JTAG.

Root access and file modifications can be done through UART as it dumps you to a root shell, but all important stuff gets reset on reboot, such as the passwd file. Although it's possible to edit init files, many/most changes will not stick past reboot. Init files write a passwd file to a ramdisk on boot. Default passwords are unsalted; the hash was easy to crack as the password was just admin. lol

There is also a backup copy of the whole filesystem, I believe if any changes are detected the device will start working from there.

Most mtds can be read, but the uboot loader (mtd0) just gives FFFFFFFFFFFFFF... so it's not hooked up. Not sure how to get around that. Almost certain firmware images are signed, so uboot would have to be modified (so no easy flash from the web interface).

The device by default lets you ssh/telnet into it, dropping you into their own "draysh", but there isn't much to do except what can be done in the webif. I tried replacing it with /bin/sh and busybox, but then it wasn't possible to login through telnet/ssh any more; the connection would just close. This change actually stuck around past a reboot.

In their "draysh" there is a command named "enable", which asks for a password. I believe with this password you'll just get dumped to a normal shell with root access (same as can be achieved with UART).

I think I found a master password in there though, salted and hashed md5crypt. Spent some hours trying to decrypt it, but it's probably quite random, and quite possibly unique for each device. I believe cracking this one would only allow you to use this "enable" function to gain root access without opening the box. Or perhaps some backdoor/recovery if someone lost their password and doesn't want to reset the device. Furthermore, there are some tools to modify DSL behaviour and view stats that are not exposed to the webif.

I'm sitting on quite a bit of default configuration files/terminal logs/mtd-dumps, filesystem dumps and such if anyone else wants to have a go at it. But I believe the only way we could have a proper openwrt support (just flashing the image from webif) is to get into and dissect their uboot (or DrayBoot, as they call it).

I'm gonna take a break before I brick it though. Would be nice with a VDSL2 modem/router running plain OpenWRT though, wouldn't it? smile

(Last edited by spock on 15 Jun 2013, 04:20)
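The posts above describe triaging raw mtd dumps by hand: a partition that reads back as all 0xFF (the unmapped mtd0), an lzma-compressed configuration blob, and plaintext init scripts and passwd files. The script below is an added example, not code from this thread or from DrayTek; it classifies a flash dump block by block using container magic bytes, fill patterns and Shannon entropy, so the blank, compressed, plaintext and encrypted-looking regions can be mapped before any deeper analysis. All sample regions are constructed inline; the block size, entropy threshold and the passwd-style text are assumptions for the demo, not values taken from the device.

```python
import hashlib
import lzma
import math

XZ_MAGIC = b"\xfd7zXZ\x00"   # .xz container magic
BLOCK = 4096                  # assumed triage granularity; real mtd dumps are page/erase-block aligned
HIGH_ENTROPY = 7.5            # bits/byte; random, encrypted and well-compressed data sit near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, ~8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_lzma_alone(data: bytes) -> bool:
    """Heuristic for the legacy .lzma ('LZMA alone') header: a properties byte
    (lc/lp/pb packed, valid range 0..224) followed by a 4-byte little-endian
    dictionary size. Only power-of-two dictionaries are accepted here, which is
    what common encoders emit and keeps random data from matching by accident."""
    if len(data) < 13:  # props + dict size + 8-byte uncompressed size
        return False
    props = data[0]
    dict_size = int.from_bytes(data[1:5], "little")
    return props <= 224 and dict_size != 0 and dict_size & (dict_size - 1) == 0


def classify_block(block: bytes) -> str:
    """Label one block: container magic first, then fill patterns, then entropy."""
    if not block:
        return "empty"
    if block.startswith(XZ_MAGIC):
        return "xz"
    if looks_like_lzma_alone(block):
        return "lzma-alone"
    if block == b"\xff" * len(block):
        return "erased"        # unprogrammed/unmapped flash reads back as 0xFF
    if block == b"\x00" * len(block):
        return "zero-filled"
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "high-entropy"  # encrypted or compressed without a recognised header
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in block)
    if printable / len(block) > 0.95:
        return "text"
    return "binary"


def scan_dump(data: bytes, block: int = BLOCK):
    """Return merged (offset, length, label) runs over the whole dump."""
    runs = []
    for off in range(0, len(data), block):
        chunk = data[off:off + block]
        label = classify_block(chunk)
        if runs and runs[-1][2] == label:
            runs[-1][1] += len(chunk)
        else:
            runs.append([off, len(chunk), label])
    return [tuple(r) for r in runs]


# Constructed sample regions (not real device data).
SAMPLE_ERASED = b"\xff" * BLOCK
SAMPLE_ZERO = b"\x00" * BLOCK
# Deterministic pseudo-random bytes standing in for encrypted data.
SAMPLE_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(BLOCK // 32))
SAMPLE_TEXT = (b"# constructed passwd-style text, not from the device\n"
               b"root:x:0:0:root:/root:/bin/sh\n").ljust(BLOCK, b"\n")
SAMPLE_XZ = lzma.compress(SAMPLE_TEXT).ljust(BLOCK, b"\xff")
SAMPLE_LZMA = lzma.compress(SAMPLE_TEXT, format=lzma.FORMAT_ALONE).ljust(BLOCK, b"\xff")
SAMPLE_DUMP = SAMPLE_ERASED * 2 + SAMPLE_TEXT + SAMPLE_XZ + SAMPLE_RANDOM


if __name__ == "__main__":
    for off, length, label in scan_dump(SAMPLE_DUMP):
        print(f"0x{off:08x} +0x{length:06x} {label}")
```

Run against a real dump with `scan_dump(open("mtd0.bin", "rb").read())`; a partition that comes back as a single "erased" run is the "not hooked up" case from the post, while an "lzma-alone" or "xz" run marks where to start with `lzma.decompress`, and a "high-entropy" run with no recognised header is the candidate for the salted/hashed config.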

Hi, today DrayTek has published the GPL code for the 2760 series models ... do you think we can get ... any tweaked snr settings value for my adsl line??? Thanks

ftp://ftp.draytek.com/Vigor2760/Firmware/GPL/

(Last edited by babis3g on 30 Oct 2013, 08:35)

The enable password is "drayteker", but it adds few new capabilities, and doesn't give a true shell.

I'm interested that you can gain access over telnet and ssh. I am unable to with my current admin password. Nor does admin/admin work. Strange.

Maybe I am going a little off topic, but the current firmware 1.xxx series has many issues for me, such as menus that will not appear, plus bugs.
It seems DrayTek has brought out a newer 2760 series, this time based on DrayOS and not Linux like the normal units we had till now.
They have a new DrayOS firmware (seems for the newer models) 3.7.5.1, but when I am trying to load it, it tells me "image check fail".
As I am not an expert in programming, is there any idea or hack for how I can load this new firmware? I have tried their utility tool; this does not help either.
Thanks
http://www.draytek.com/index.php?option … mp;lang=en

I was going to send this to the mailing list, but as I just discovered this thread, I'll add it here instead.

Hello,

I'll try to keep this message brief -- I'm writing about possible OpenWRT
support for the Draytek Vigor 2760 (Delight) series of
ADSL(2+)/VDSL(2)/Vectoring modems. So if you're not interested, you may stop
here.

I recently got my hands on a DrayTek Vigor 2760, which happens to run a
system based on OpenWRT Backfire. The original model was later rebranded
'Delight', which runs DrayOS on the same hardware (same board layout and
FCC ID, at least).

With a boot loader mod DrayOS could be loaded on the original 2760 model as
well. This uboot mod and a few other files were spread earlier this year
on different forums, detailing how this process was done. This conversion
was done to my device and has been working flawlessly.

The serial console revealed that it's a VR9/VRX288, similar to other modems
that recently became a popular target for VDSL2 development.

Knowing about licensing issues, headaches and what-not, I'm writing this
mail hoping for some input on whether there is any chance/plan to support this
device in particular, or if there eventually will be more general support
for VDSL2 modems based on this SoC.
Despite several of DrayTek's products running open source systems,
I've seen no mention of DrayTek products anywhere related to
OpenWRT, which leads me to believe they're very unfriendly towards OSS
projects, which is something that inevitably just leads to headaches.

I will obviously continue to hack away on this in my spare time, but any
information provided would be greatly appreciated.

Thanks!

I'm attaching a few files for the curious:
http://sprunge.us/HIRX - Linux dmesg
http://sprunge.us/PCjO - Boot on DrayOS, syncing to ADSL
http://sprunge.us/eZIE - Boot on DrayOS, trying to sync to VDSL (no service here)
http://sprunge.us/ePeS - Boot on Linux, which fails to sync, I believe due to faulty dsl firmware/nvram.
http://sprunge.us/WjIF - General information taken out of the Linux firmware on a running system.

(Last edited by solitär on 1 Nov 2014, 15:15)

The discussion might have continued from here.