Old thread message removed, archived here: http://pastebin.com/AUuDbjfs

So, point of this thread is to share information how we could unbrand the Zyxel P8702N.
Main wiki page: https://wiki.openwrt.org/toh/zyxel/zyxel_p8702n

Some small info:
Busybox
Kernel: bcm963xx_fs_kernel
Zyxel CFE

(Last edited by coldice on 26 Apr 2016, 19:46)

Can you give more info on that?

Default is:

 <X_5067F0_AutoexecCmd instance="1">
      <Command>echo 3600\\> /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established;echo 3600\\> /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established</Command>
    </X_5067F0_AutoexecCmd>
    <X_5067F0_AutoexecCmd instance="2">
      <Command>echo 180\\>  /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream;echo 180\\> /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout_stream</Command>
    </X_5067F0_AutoexecCmd>

So you can actually run commands.

I tried some commands myself:

busybox telnetd -l /bin/sh

Bootloop

busybox telnetd -l /bin/sh -p 24

Command didn't execute

busybox telnetd -p 24

Command executed without a shell

mkdir /mnt/usb1_1/test

Created a dir on my USB-thing

cp *some_file* /mnt/usb1_1/

Didn't work...

Sleep 30 && *command*

Bootloop

I've ordered a USB to TTL. Gonna try to get shell and maybe find an exploit. So far I've found nothing on the GUI (but I'm a noob )

Currently stuck on a bootloop, to lazy to fix it.
To fix bootloop do a 30-30-30 reset. Something like: Hold reset-button in while powered on, hold it in then power it of, then power it on while you holding in reset button on for like 10 seconds.

If anyone wants to help me, I can provide Skype.

I've asked support to provide med source-code.

(Last edited by coldice on 21 Jun 2014, 21:32)

/bin/telnetd doesn't seem to be a symlink to busybox, while /sbin/telnetd is. there must be something special with the telnetd binary.
You also have a /sbin/chpasswd.

echo root:secret | /sbin/chpasswd

can change the root password.

Anyway, a few files which could be copied to usb to study the bootprocess for vulnerabilities:/etc/init.d/rcS (shows the bootprocess itself), /proc/mounts (shows all mounts), /sbin/hotplug-usb.sh (might be executed as soon as you insert/remove an usb device). /etc/passwd, (to see which users are available, and what their shell is.)

Other attack vectors: It should be possible to do something with /bin/nc. Futher you could try to bindmount your own script on, for instance /sbin/hotplug-usb.sh:

mount --bind /mnt/usb1_1/myscript /sbin/hotplug-usb.sh

Plugin some extra device (using a hub, if the box has only one port), and presto, your script is executed.

Your bootloops might be caused by rebooting on an error in one of the commands. In that case you can just add a second command

command_which_fails || command_which_succeeds
# eg 
busybox telnetd -l /bin/sh || echo hello

The second command is evaluated.

Thank you
rcS - from the decompressed firmware:
http://pastebin.com/zvkWNDZK

/sbin/hotplug-usb.sh - from the decompressed firmware:
http://pastebin.com/m5niKsrD

Strange, doesn't seem USB is ready at when config loads.. So I can't actually use it to cat things out...
There is syslog tho, I tried to use it earlier to use "logger" to output things to my syslog server (using TCPDump). Didn't work as expected.

No success using chpasswd.

Tried:

/sbin/telnetd -l /bin/sh -p 10024 || mkdir /mnt/usb1_1/telnetd_failed

Didn't work... But atleast it booted without a bootloop

profile - from the decompressed firmware:
http://pastebin.com/2rZvhrZL

Not sure, but from the rcS:

if [ -e /data/Config/user_startup_parameters.sh ]; then
sh /data/Config/user_startup_parameters.sh
fi

I could MAYBE try to create the file with the config-hack?
What should I then write? Something like:

echo #!/bin/sh \\>> /data/Config/user_startup_parameters.sh;

?

What worries me tho is that I may brick the device using this .sh script as it says through resets...

(Last edited by coldice on 21 Jun 2014, 22:44)

Strange boot process. rcS is *much* shorter than I expected, and the contents I expected there is in profile. I think some shell is started (maybe on the serial port?), and this shell executing the profile script brings up the firmware.

OK, I guess this proves that the return value of one of the AutoexecCmd commands is evaluated, and the box reboots on an error.

/sbin/hotplug-usb.sh looks promising. When I read it well, the script runs to the end when an usb device is inserted. If the rootfs is writable (any idea?), you could add a line:

[ -e /mnt/usb1_1/myscript.sh ] && sh /mnt/usb1_1/myscript.sh

I *think* that should be done this way:

echo "[ -e /mnt/usb1_1/myscript.sh ] && sh /mnt/usb1_1/myscript.sh" \\>\\> /sbin/hotplug-usb.sh

The > has to be escaped by a \ because it else would close the XML key, and the \ has to be escaped because the data is preprocessed.

The return value of that script is not evaluated, and the script runs in it's own command processor, so you can't crash rcS. What can go wrong is:

• You somehow reboot the box in user_startup_parameters.sh. (Calling 'reboot' is the easiest way to do so)

• You start a process which consumes all cpu cycles or memory, rendering the box useless.

• Your script never exits, which means rcS never exits either. That means ln -s /customer /mnt/customer is never executed, but maybe also that shell invoking profile is never started.

On my P2812HNU I used this script to add a hotplug script which executes a script on an usb stick, if exists. So if I somehow bork it up, I can simply pull the stick.

That's not strange at all. Why would the usb device be mounted before the init script is executed?
But it is strange that you can create a directory on the stick, but not a file. Maybe the stick is mounted, but you have to add some escapes in your command, to get it through the XML parser?

Thank you again!
Waiting for my USB to TTL cable

Also, bootloop with:

echo "[ -e /mnt/usb1_1/myscript.sh ] && sh /mnt/usb1_1/myscript.sh" \\>\\> /sbin/hotplug-usb.sh

So then it's up to debug-shell I guess....

So I got my USB cable, and I got Bootloader-console.
Sadly it requries password for the real console too

(Last edited by coldice on 15 Nov 2014, 01:15)

Should be user/user

I'm getting a P8702N in a few days and i'll start tearing it apart :-)

Started work on TOH for Zyxel P8702N
https://wiki.openwrt.org/toh/zyxel/zyxel_p8702n

How comes that this device isn't known by the manufacturer?
Zero results when searching in zyxel.com.

Please add pictures of the case to the wiki, especially pictures of the label showing the model-number etc.

(Last edited by tmo26 on 21 Jan 2016, 07:55)

Added some more pictures.

Filesystem of the P8702N:
https://mega.nz/#!UYomhCjQ!JBFllHuzLEwL … G2InfPaaXA

Thanks!

Keyword for searching is "Telenor".

GPL Source:

https://mega.nz/#!1MA0xLrT!Jf3_aUjrTZiZ … AGVsPKe45c
PROFILE=DSL-2492GNAU-B3BC

Anyone who can manage to build this for me? Since it seems to fail building for me...

Look 2nd post below for correct GPL code.

(Last edited by ZyNTaX on 5 Feb 2016, 00:27)

So, can this modem-router thing be unbranded? Somehow it is not clear for me after reading posts in this thread... I have one from Telenor with some hardcoded settings for VoIP and I'm curious if this can be unbranded or have Openwrt installed?

https://drive.google.com/folderview?id= … sp=sharing
Correct GPL code for this box.

Needs some adjusting though to get rid of the customization in build parameters.
If anyone can help me out building a clean build (without customization) that would be great!

(Last edited by ZyNTaX on 5 Feb 2016, 00:28)

It seems to me like the web ui has been stripped down, so to remove that customization will be hard.
Building an image with an opened dropbear would be much easier, and at least we'll have root access on the thing.
Openwrt will need a lot of work to get wifi and DSL working, but it might be doable (haven't looked too much into it yet)

does anybody know what is the password for SSH access? original firmware has settings for SSH/telnet access but router password (used to login via www) doesn't work... neither classic admin/admin nor admin/1234. any chances to get ssh access to this box?

I noticed that ZyXEL VMG1312-B30A has the same SoC and Wi-Fi chip, and no supported version.

Also I noticed that Inteno DG301B has the same Wi-Fi chip. And comes with OpenWRT, maybe that can help?

PS! Apparently I am not allowed to post with URLs...

I used to change it with the config file to be able to log in as telenorsupport user, basicly gets u full root priv on the device.

But on newer firmwares i think they have disabled this option, you would have to revert to an old old firmware from them.

Has anyone installed openwrt yet on this device? Is the adsl/adsl2/vdsl/vdsl2 working? would love to change the firmware, i only use the device as a bridge before pfsense as a gateway.

Im sitting here with the device watching it blink connected to my computer via usb serial and have unlocked the bootloader.

Could anyone post; ATBL                Print boot line and board parameter info for me? i managed to fuck things up in there.

(Last edited by antonkristensen on 5 Feb 2018, 01:20)