├── Guide
│   ├── EN
│   │   ├── TIM_HUB_guide_EN.html
│   │   ├── TIM_HUB_guide_EN.md
│   │   └── TIM_HUB_guide_EN.pdf
│   └── IT
│       ├── TIM_HUB_guide_IT.html
│       ├── TIM_HUB_guide_IT.md
│       └── TIM_HUB_guide_IT.pdf
├── README.md
└── autoflashgui-master_timhub.zip

/Guide/EN/TIM_HUB_guide_EN.html:
--------------------------------------------------------------------------------

ROOT TIM HUB DGA4132 AND ANSUEL GUI - VERSION AGTHP 2.3.3

This guide has been written to have a simple and immediate reference point in case you want to proceed with the enabling of the root user of the TIM HUB DGA4132 modem router (hereinafter "router") and the subsequent installation of the Ansuel GUI. All the steps have been taken and adapted from the websites listed in the paragraph below, then grouped on this page and set up in the correct order.

This guide is available in the following formats:

WEBSITES

USEFUL FILES

The autoflashgui-master_timhub.zip file contains the 16.02.2018 version of the AutoFlashGUI tool developed by Mark Smith (mswhirl). Once extracted, inside the autoflashgui-master/firmware folder you can find the following files needed for this guide:

GUIDE - PART 1

WARNING: To enable the Extended Configuration it's necessary to click on a tab that appears ONLY at the first login immediately after a reset. If you log out of the web GUI or close the browser window, you will need to perform another router reset to trigger the Extended configuration prompt again. Furthermore, the router must NOT be connected to the Internet in any way: disconnect the RJ11 cable, the Ethernet cable in the WAN port or the FTTH connection.

AUTOFLASHGUI.EXE

Set the following parameters with their respective values

GUIDE - PART 2

SCRIPT

```bash
# Ensure two banks match in sizes
[ $(grep -c bank_ /proc/mtd) = 2 ] && \
[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \
"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && {
# Clone and verify firmware into bank_2 if applicable
[ "$(cat /proc/banktable/booted)" = "bank_1" ] && {
mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \
mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \
{ echo Clone verification failed, retry; exit; } }
# Make a temp copy of overlay for booted firmware
cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup
# Clean up jffs2 space by removing existing old overlays
rm -rf /overlay/*
# Use the previously made temp copy as overlay for bank_2
cp -rf /tmp/bank_overlay_backup /overlay/bank_2
# Activate bank_1
echo bank_1 > /proc/banktable/active
# Make sure above changes get written to flash
sync
# Erase firmware in bank_1
mtd erase bank_1;
# Emulate system crash to hard reboot
echo c > /proc/sysrq-trigger; }
# end
```

GUIDE - PART 3

PRESERVING ROOT ACCESS

COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

```bash
mkdir -p /overlay/$(cat /proc/banktable/booted)/etc
chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc
echo -e "echo root:root | chpasswd
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab
uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \
egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \
sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \
sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT'
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci set dropbear.lan.enable='0'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local
source /rom/etc/rc.local
" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local
chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local
sync
```

FLASHING FIRMWARE

HARDENING GAINED ACCESS

COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

```bash
# Disable CWMP
uci delete cwmpd.cwmpd_config
uci delete firewall.cwmpd
uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpd.pid'
uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpevents.pid'
uci commit
/etc/init.d/watchdog-tch reload
/etc/init.d/cwmpd disable
/etc/init.d/cwmpd stop
/etc/init.d/cwmpdboot disable
/etc/init.d/cwmpdboot stop
/etc/init.d/zkernelpanic disable
/etc/init.d/zkernelpanic stop

# Disable CWMP - extra, in case you think it may resurrect
uci set cwmpd.cwmpd_config.state=0
uci set cwmpd.cwmpd_config.acs_url='https://127.0.1.1:7547/'
uci set cwmpd.cwmpd_config.use_dhcp=0
uci set cwmpd.cwmpd_config.interface=loopback
uci set cwmpd.cwmpd_config.enforce_https=1
uci commit cwmpd

# Disable Telstra monitoring
uci delete tls-vsparc.Config
uci delete tls-vsparc.Passive
uci delete autoreset.vsparc_enabled
uci delete autoreset.thor_enabled
uci delete wifi_doctor_agent.acs
uci delete wifi_doctor_agent.config
uci delete wifi_doctor_agent.as_config
uci commit

# Disable Telstra Air/Fon WiFi
/etc/init.d/hotspotd stop
/etc/init.d/hotspotd disable
uci delete dhcp.hotspot
uci delete dhcp.fonopen
uci commit

# Remove any default SSH pubkey
echo > /etc/dropbear/authorized_keys
# Disable SSH access over wan
uci set dropbear.wan.enable='0'
uci commit dropbear

# Free space for gateways with small flash
find /rom/usr/lib/ipk -type f |xargs -n1 basename | cut -f 1 -d '_' |xargs opkg --force-removal-of-dependent-packages remove
```

GUI ANSUEL

CHANGE ROOT AND GUI PASSWORD

RESULT

Now you have a TIM HUB DGA4132 modem router updated to AGTHP version 2.3.3 with root permissions enabled and the Ansuel GUI.

--------------------------------------------------------------------------------
/Guide/EN/TIM_HUB_guide_EN.md:
--------------------------------------------------------------------------------
# ROOT TIM HUB DGA4132 AND ANSUEL GUI - VERSION AGTHP 2.3.3
This guide has been written to have a simple and immediate reference point in case you want to proceed with the enabling of the root user of the TIM HUB DGA4132 modem router (hereinafter "router") and the subsequent installation of the Ansuel GUI. All the steps have been taken and adapted from the websites listed in the paragraph below, then grouped on this page and set up in the correct order.

This guide is available in the following formats:
- Markdown (`TIM_HUB_guide_IT.md`)
- PDF (`TIM_HUB_guide_IT.pdf`)
- HTML (`TIM_HUB_guide_IT.html`)

## WEBSITES
- [Hacking Technicolor Gateways: Material for MkDocs](https://hack-technicolor.readthedocs.io/en/stable/)
- [IlPuntoTecnico GUI Ansuel](https://www.ilpuntotecnico.com/forum/index.php?topic=81461.0)
- [GitHub GUI Ansuel](https://github.com/Ansuel/gui-dev-build-auto)
- [GitHub AutoFlashGUI](https://github.com/mswhirl/autoflashgui)
- [WinSCP](https://winscp.net/eng/download.php)

## USEFUL FILES
The `autoflashgui-master_timhub.zip` file contains the `16.02.2018` version of the AutoFlashGUI tool developed by Mark Smith (mswhirl). Once extracted, inside the *autoflashgui-master/firmware* folder you can find the following files needed for this guide:
- `AGTHP_1.0.3_CLOSED.rbi.torrent`: torrent file to start the download of the firmware version AGTHP 1.0.3 downloaded from the website "Hacking Technicolor Gateways: Material for MkDocs". Move the downloaded file into the *autoflashgui-master/firmware* folder
- `AGTHP_2.3.3_CLOSED.rbi.torrent`: torrent file to start the download of the firmware version AGTHP 2.3.3 downloaded from the website "Hacking Technicolor Gateways: Material for MkDocs". Move the downloaded file into the *autoflashgui-master/firmware* folder
- `GUI.tar.bz2`: stable version 9.6.65 of the Ansuel GUI downloaded from Ansuel's `gui-dev-build-auto` GitHub repository. Please check for new versions before proceeding

---

## GUIDE - PART 1
- Update the router to version 2.3.3 (you can do this using the "TIM Modem" smartphone app available for Android and iOS)
- From the first *Gateway* tab in the web GUI, if necessary, back up the configuration to `.bin` via the *Export* button. A file named "config.bin" will be downloaded
- Reset the router via the *Reset* button
- After reboot, log in to the web page (`admin/admin`), don't change the password and activate the *Extended configuration* mode
  > WARNING: To enable the Extended Configuration it's necessary to click on a tab that appears ONLY at the first login immediately after a reset. If you log out of the web GUI or close the browser window, you will need to perform another router reset to trigger the Extended configuration prompt again. Furthermore, the router must NOT be connected to the Internet in any way: disconnect the RJ11 cable, the Ethernet cable in the WAN port or the FTTH connection.
- To log in to the GUI again, the password is the **ACCESS KEY** on the label located at the base of the router (under the last barcode in the left column)
- Enter the first *Gateway* tab and perform the downgrade to version 1.0.3 from the third tab. To do this, load the `AGTHP_1.0.3_CLOSED.rbi` file by clicking on *Choose file* and then on *Update* in the *Firmware update* section
- After reboot, you won't be able to log in. Reset the router with the button on the back (hold for **10-12 sec.**)
- After the second reboot, log in to the web page (`admin/admin`) without changing the password
- Run the `autoflashgui.exe` program inside the *autoflashgui-master* folder

### AUTOFLASHGUI.EXE
Set the following parameters with their respective values
- Load default: *Generic (Advanced DDNS)*
- Target IP: the router's IP address
- Username: the web GUI username
- Password: the web GUI password
- **DO NOT** select *Firmware File Name* and *Flash firmware?*
- Check *Split the given command on semicolons [...]* if not already selected
- Leave the other settings unchanged
- Click on *Run*
- Wait for the result in the shell
- Close the program (it will no longer be necessary)
- Connect with SSH to the router and try to authenticate with `root/root`

---

## GUIDE - PART 2
- Enable the Serial Console Port from the router's root shell
  - `sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab`
- Check the banks status
  - `find /proc/banktable -type f -print -exec cat {} ';' -exec echo ';'`
  - Take note of the following parameters

        ...
        /proc/banktable/booted

        /proc/banktable/active

        ...

- To achieve our goal, the result of the previous command must become as follows

        /proc/banktable/active
        bank_1
        /proc/banktable/activeversion
        Unknown
        /proc/banktable/booted
        bank_2

- Then proceed to the next step to set `bank_1` as active and then erase it, so that the router always boots `bank_2`

### SCRIPT
- Create a script using `vim` with the following commands

```bash
# Ensure two banks match in sizes
[ $(grep -c bank_ /proc/mtd) = 2 ] && \
[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \
"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && {
# Clone and verify firmware into bank_2 if applicable
[ "$(cat /proc/banktable/booted)" = "bank_1" ] && {
mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \
mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \
{ echo Clone verification failed, retry; exit; } }
# Make a temp copy of overlay for booted firmware
cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup
# Clean up jffs2 space by removing existing old overlays
rm -rf /overlay/*
# Use the previously made temp copy as overlay for bank_2
cp -rf /tmp/bank_overlay_backup /overlay/bank_2
# Activate bank_1
echo bank_1 > /proc/banktable/active
# Make sure above changes get written to flash
sync
# Erase firmware in bank_1
mtd erase bank_1;
# Emulate system crash to hard reboot
echo c > /proc/sysrq-trigger; }
# end
```

- Run the following command to make it executable
  - `chmod +x script.sh`
- Run the new script
  - `./script.sh`

---

## GUIDE - PART 3
- Now we can proceed with the firmware upgrade to return to version 2.3.3
- Open WinSCP (or similar software) and connect with SCP protocol to the router with `root/root` credentials
- Upload the `AGTHP_2.3.3_CLOSED.rbi` file to the router's `/tmp` directory and rename it to `new.rbi`
- Run the following command from the shell
  - `cat "/tmp/new.rbi" | (bli_parser && echo "Please wait..." && (bli_unseal | dd bs=4 skip=1 seek=1 of="/tmp/new.bin"))`
- It's necessary to proceed with a clean-up of files and configurations
  - Create a backup with the following command and save it on your PC via WinSCP
    - `tar -C /overlay -cz -f /tmp/backup-$(date -I).tar.gz $(cat /proc/banktable/booted)`
  - Run the following command to completely clear the currently booted bank overlay
    - `rm -rf /overlay/$(cat /proc/banktable/booted)`
- If you change the firmware version, root access may be lost. DO NOT restart; proceed to the next step

### PRESERVING ROOT ACCESS
- Run the following block of commands via SSH to prepare a script that will only need to be run once on next boot to grant root access

> COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

```bash
mkdir -p /overlay/$(cat /proc/banktable/booted)/etc
chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc
echo -e "echo root:root | chpasswd
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab
uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \
egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \
sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \
sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT'
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci set dropbear.lan.enable='0'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local
source /rom/etc/rc.local
" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local
chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local
sync
```

- If the root password has been changed, it will be reset to `root/root`
- The gateway is now clean. Root access via SSH will be enabled again permanently on the next boot

### FLASHING FIRMWARE
- Run the following commands one at a time to write the `/tmp/new.bin` file to the booted bank and to cause a hard reboot
  - `mtd -e $(cat /proc/banktable/booted) write "/tmp/new.bin" $(cat /proc/banktable/booted)`
  - `echo c > /proc/sysrq-trigger`

### HARDENING GAINED ACCESS
- Run the following in the SSH terminal to prevent your Gateway losing root access unexpectedly

> COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

```bash
# Disable CWMP
uci delete cwmpd.cwmpd_config
uci delete firewall.cwmpd
uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpd.pid'
uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpevents.pid'
uci commit
/etc/init.d/watchdog-tch reload
/etc/init.d/cwmpd disable
/etc/init.d/cwmpd stop
/etc/init.d/cwmpdboot disable
/etc/init.d/cwmpdboot stop
/etc/init.d/zkernelpanic disable
/etc/init.d/zkernelpanic stop

# Disable CWMP - extra, in case you think it may resurrect
uci set cwmpd.cwmpd_config.state=0
uci set cwmpd.cwmpd_config.acs_url='https://127.0.1.1:7547/'
uci set cwmpd.cwmpd_config.use_dhcp=0
uci set cwmpd.cwmpd_config.interface=loopback
uci set cwmpd.cwmpd_config.enforce_https=1
uci commit cwmpd

# Disable Telstra monitoring
uci delete tls-vsparc.Config
uci delete tls-vsparc.Passive
uci delete autoreset.vsparc_enabled
uci delete autoreset.thor_enabled
uci delete wifi_doctor_agent.acs
uci delete wifi_doctor_agent.config
uci delete wifi_doctor_agent.as_config
uci commit

# Disable Telstra Air/Fon WiFi
/etc/init.d/hotspotd stop
/etc/init.d/hotspotd disable
uci delete dhcp.hotspot
uci delete dhcp.fonopen
uci commit

# Remove any default SSH pubkey
echo > /etc/dropbear/authorized_keys
# Disable SSH access over wan
uci set dropbear.wan.enable='0'
uci commit dropbear

# Free space for gateways with small flash
find /rom/usr/lib/ipk -type f |xargs -n1 basename | cut -f 1 -d '_' |xargs opkg --force-removal-of-dependent-packages remove
```

- If you get one or more error messages from running these commands, you can ignore them: it means the command was not needed for your firmware version

### GUI ANSUEL
- Connect with WinSCP to the router as described above
- Copy the `GUI.tar.bz2` file to the `/tmp` directory
- Connect via SSH to the router as the root user
- Run the following command to extract the GUI
  - `bzcat /tmp/GUI.tar.bz2 | tar -C / -xvf - && /etc/init.d/rootdevice force`
- Wait until the procedure is finished. If necessary, the router may reboot itself. Ignore the latest error messages
- In case of *Error 9* restart the router and the problem will be solved

### CHANGE ROOT AND GUI PASSWORD
- Run the `passwd` command in the terminal to change the login password for the root user. This procedure is strongly recommended
- Once the Ansuel GUI is installed, the username and password will be `admin/admin` again. It is also recommended to change this password in order to prevent unauthorized access to the administration web page. To do this, after you log into the web GUI, click on the *Advanced* button at the top right next to the username *admin* and then on *Profile settings*

### RESULT
Now you have a TIM HUB DGA4132 modem router updated to AGTHP version 2.3.3 with root permissions enabled and the Ansuel GUI.
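
Added example (not part of the original guide or of the projects it cites): a small audit of the `uci show` settings that the HARDENING GAINED ACCESS and CHANGE ROOT AND GUI PASSWORD steps depend on. The two sample outputs are constructed, the finding names are hypothetical, and treating a missing `enable` or `RootPasswordAuth` option as "on" is an assumption taken from stock OpenWrt dropbear defaults.

```shell
#!/bin/sh
# Added example, not from the guide: flag SSH and CWMP settings left in a
# risky state, given text in `uci show` format (config.section.option='value').

# Constructed sample: after PRESERVING ROOT ACCESS, before HARDENING GAINED ACCESS.
# The wan Interface value and the ACS URL are placeholders.
SAMPLE_BEFORE="dropbear.wan=dropbear
dropbear.wan.enable='1'
dropbear.wan.Interface='wan'
dropbear.wan.RootPasswordAuth='on'
dropbear.lan=dropbear
dropbear.lan.enable='0'
dropbear.afg=dropbear
dropbear.afg.enable='1'
dropbear.afg.Interface='lan'
dropbear.afg.PasswordAuth='on'
dropbear.afg.RootPasswordAuth='on'
cwmpd.cwmpd_config=cwmpd
cwmpd.cwmpd_config.state='1'
cwmpd.cwmpd_config.acs_url='https://acs.example.invalid/'"

# Constructed sample: the same gateway after the hardening block has run.
SAMPLE_AFTER="dropbear.wan=dropbear
dropbear.wan.enable='0'
dropbear.wan.Interface='wan'
dropbear.lan=dropbear
dropbear.lan.enable='0'
dropbear.afg=dropbear
dropbear.afg.enable='1'
dropbear.afg.Interface='lan'
dropbear.afg.RootPasswordAuth='on'
cwmpd.cwmpd_config=cwmpd
cwmpd.cwmpd_config.state='0'"

# Prints one finding per line (hypothetical names):
#   SSH_NOT_LAN_ONLY:<section>    enabled dropbear instance not bound to lan
#   ROOT_PASSWORD_LOGIN:<section> enabled instance accepting root passwords
#   CWMP_ENABLED                  cwmpd_config exists and state is not off
audit_hardening() {
    printf '%s\n' "$1" | awk -v q="'" '
    # An option counts as on unless it is present and set to an off value
    # (assumption: absent means enabled, as in stock OpenWrt dropbear).
    function is_on(sec, o) {
        return !(((sec, o) in opt) && opt[sec, o] ~ /^(0|off|no|false|disabled)$/)
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        gsub("^" q "|" q "$", "", val)      # strip the quotes uci adds
        n = split(key, p, /\./)
        if (p[1] == "dropbear" && n == 2 && val == "dropbear")
            order[++cnt] = p[2]             # remember section order
        else if (p[1] == "dropbear" && n == 3)
            opt[p[2], p[3]] = val
        else if (key == "cwmpd.cwmpd_config.state") {
            opt["cwmpd_config", "state"] = val
            cwmp_seen = 1
        }
    }
    END {
        for (i = 1; i <= cnt; i++) {
            s = order[i]
            if (!is_on(s, "enable")) continue
            if (opt[s, "Interface"] != "lan") print "SSH_NOT_LAN_ONLY:" s
            if (is_on(s, "RootPasswordAuth")) print "ROOT_PASSWORD_LOGIN:" s
        }
        if (cwmp_seen && is_on("cwmpd_config", "state")) print "CWMP_ENABLED"
    }'
}

echo "Before hardening:"; audit_hardening "$SAMPLE_BEFORE"
echo "After hardening:";  audit_hardening "$SAMPLE_AFTER"
```

On the router itself the input would be `"$(uci show dropbear; uci show cwmpd)"`. The `ROOT_PASSWORD_LOGIN:afg` finding remains after hardening because that block never touches `dropbear.afg`, which is why changing the `root/root` password with `passwd` matters.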

--------------------------------------------------------------------------------
/Guide/EN/TIM_HUB_guide_EN.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/duskwalk/Hub_RootGuide/29a88e8dce57ce76a3e06fc5c172dba24c5d87a5/Guide/EN/TIM_HUB_guide_EN.pdf

--------------------------------------------------------------------------------
/Guide/IT/TIM_HUB_guide_IT.html:
--------------------------------------------------------------------------------

ROOT TIM HUB DGA4132 AND ANSUEL GUI - VERSION AGTHP 2.3.3

This guide was written to provide a simple and immediate reference point in case you want to enable the root user of the TIM HUB DGA4132 modem router (hereinafter "router") and then install the Ansuel GUI. All the steps have been taken and adapted from the websites listed in the paragraph below, then grouped on this page and set in the correct order.

This guide is available in the following formats:

WEBSITES

USEFUL FILES

The autoflashgui-master_timhub.zip file contains the 16.02.2018 version of the AutoFlashGUI tool developed by Mark Smith (mswhirl). Once extracted, inside the autoflashgui-master/firmware folder you can find the following files needed for this guide:

GUIDE - PART 1

WARNING: To enable the Extended configuration it is necessary to click on a tab that appears ONLY at the first login immediately after a reset. If you log out of the web GUI or close the browser window, you will need to perform another router reset to get the Extended configuration prompt again. Furthermore, the router must NOT be connected to the Internet in any way: disconnect the RJ11 cable, the Ethernet cable in the WAN port or the FTTH connection.

AUTOFLASHGUI.EXE

Set the following parameters with their respective values

GUIDE - PART 2

SCRIPT

```bash
# Ensure two banks match in sizes
[ $(grep -c bank_ /proc/mtd) = 2 ] && \
[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \
"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && {
# Clone and verify firmware into bank_2 if applicable
[ "$(cat /proc/banktable/booted)" = "bank_1" ] && {
mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \
mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \
{ echo Clone verification failed, retry; exit; } }
# Make a temp copy of overlay for booted firmware
cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup
# Clean up jffs2 space by removing existing old overlays
rm -rf /overlay/*
# Use the previously made temp copy as overlay for bank_2
cp -rf /tmp/bank_overlay_backup /overlay/bank_2
# Activate bank_1
echo bank_1 > /proc/banktable/active
# Make sure above changes get written to flash
sync
# Erase firmware in bank_1
mtd erase bank_1;
# Emulate system crash to hard reboot
echo c > /proc/sysrq-trigger; }
# end
```

GUIDE - PART 3

PRESERVING ROOT ACCESS

COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

```bash
mkdir -p /overlay/$(cat /proc/banktable/booted)/etc
chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc
echo -e "echo root:root | chpasswd
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab
uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \
egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \
sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \
sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT'
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci set dropbear.lan.enable='0'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local
source /rom/etc/rc.local
" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local
chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local
sync
```

FLASHING THE FIRMWARE

HARDENING THE GAINED ACCESS

COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

```bash
# Disable CWMP
uci delete cwmpd.cwmpd_config
uci delete firewall.cwmpd
uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpd.pid'
uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpevents.pid'
uci commit
/etc/init.d/watchdog-tch reload
/etc/init.d/cwmpd disable
/etc/init.d/cwmpd stop
/etc/init.d/cwmpdboot disable
/etc/init.d/cwmpdboot stop
/etc/init.d/zkernelpanic disable
/etc/init.d/zkernelpanic stop

# Disable CWMP - extra, in case you think it may resurrect
uci set cwmpd.cwmpd_config.state=0
uci set cwmpd.cwmpd_config.acs_url='https://127.0.1.1:7547/'
uci set cwmpd.cwmpd_config.use_dhcp=0
uci set cwmpd.cwmpd_config.interface=loopback
uci set cwmpd.cwmpd_config.enforce_https=1
uci commit cwmpd

# Disable Telstra monitoring
uci delete tls-vsparc.Config
uci delete tls-vsparc.Passive
uci delete autoreset.vsparc_enabled
uci delete autoreset.thor_enabled
uci delete wifi_doctor_agent.acs
uci delete wifi_doctor_agent.config
uci delete wifi_doctor_agent.as_config
uci commit

# Disable Telstra Air/Fon WiFi
/etc/init.d/hotspotd stop
/etc/init.d/hotspotd disable
uci delete dhcp.hotspot
uci delete dhcp.fonopen
uci commit

# Remove any default SSH pubkey
echo > /etc/dropbear/authorized_keys
# Disable SSH access over wan
uci set dropbear.wan.enable='0'
uci commit dropbear

# Free space for gateways with small flash
find /rom/usr/lib/ipk -type f |xargs -n1 basename | cut -f 1 -d '_' |xargs opkg --force-removal-of-dependent-packages remove
```

ANSUEL GUI INSTALLATION

CHANGE ROOT AND GUI PASSWORD

END

You now have a TIM HUB DGA4132 modem router updated to version AGTHP 2.3.3 with root permissions enabled and the Ansuel GUI.

--------------------------------------------------------------------------------
/Guide/IT/TIM_HUB_guide_IT.md:
--------------------------------------------------------------------------------
# ROOT TIM HUB DGA4132 AND ANSUEL GUI - VERSION AGTHP 2.3.3
This guide was written to provide a simple and immediate reference point in case you want to enable the root user of the TIM HUB DGA4132 modem router (hereinafter "router") and then install the Ansuel GUI. All the steps have been taken and adapted from the websites listed in the paragraph below, then grouped on this page and set in the correct order.

This guide is available in the following formats:
- Markdown (`TIM_HUB_guide_IT.md`)
- PDF (`TIM_HUB_guide_IT.pdf`)
- HTML (`TIM_HUB_guide_IT.html`)

## WEBSITES
- [Hacking Technicolor Gateways: Material for MkDocs](https://hack-technicolor.readthedocs.io/en/stable/)
- [IlPuntoTecnico GUI Ansuel](https://www.ilpuntotecnico.com/forum/index.php?topic=81461.0)
- [GitHub GUI Ansuel](https://github.com/Ansuel/gui-dev-build-auto)
- [GitHub AutoFlashGUI](https://github.com/mswhirl/autoflashgui)
- [WinSCP](https://winscp.net/eng/download.php)

## USEFUL FILES
The `autoflashgui-master_timhub.zip` file contains the `16.02.2018` version of the AutoFlashGUI tool developed by Mark Smith (mswhirl). Once extracted, inside the *autoflashgui-master/firmware* folder you can find the following files needed for this guide:
- `AGTHP_1.0.3_CLOSED.rbi.torrent`: torrent file to start the download of firmware version AGTHP 1.0.3, downloaded from the website "Hacking Technicolor Gateways: Material for MkDocs". Once the download is complete, move the file into the *autoflashgui-master/firmware* folder
- `AGTHP_2.3.3_CLOSED.rbi.torrent`: torrent file to start the download of firmware version AGTHP 2.3.3, downloaded from the website "Hacking Technicolor Gateways: Material for MkDocs". Once the download is complete, move the file into the *autoflashgui-master/firmware* folder
- `GUI.tar.bz2`: stable version 9.6.65 of the Ansuel GUI downloaded from Ansuel's `gui-dev-build-auto` GitHub repository. Please check for new versions before proceeding

---

## GUIDE - PART 1
- Update the router to version 2.3.3 (this can be done with the "TIM Modem" smartphone app available for Android and iOS)
- From the first *Gateway* tab in the web GUI, if necessary, back up the configuration to `.bin` via the *Esporta* (Export) button. A file named "config.bin" will be downloaded
- Reset the router via the *Ripristina* (Reset) button
- After reboot, log in to the web page (`admin/admin`), do not change the password and activate the *Configurazione estesa* (Extended configuration) mode
  > WARNING: To enable the Extended configuration it is necessary to click on a tab that appears ONLY at the first login immediately after a reset. If you log out of the web GUI or close the browser window, you will need to perform another router reset to get the Extended configuration prompt again. Furthermore, the router must NOT be connected to the Internet in any way: disconnect the RJ11 cable, the Ethernet cable in the WAN port or the FTTH connection.
- To log in to the GUI again, the password is the **ACCESS KEY** on the label at the base of the router (under the last barcode in the left column)
- Enter the first *Gateway* tab and, from the third tab, perform the downgrade to version 1.0.3. To do this, load the `AGTHP_1.0.3_CLOSED.rbi` file by clicking on *Scegli il file* (Choose file) and then on *Aggiorna* (Update) in the *Aggiornamento firmware* (Firmware update) section
- After reboot, it will not be possible to log in. Reset the router with the button on the back (hold for **10-12 sec.**)
- After the second reboot, log in to the web page (`admin/admin`) without changing the password
- Run the `autoflashgui.exe` program contained in the *autoflashgui-master* folder

### AUTOFLASHGUI.EXE
Set the following parameters with their respective values
- Load default: *Generic (Advanced DDNS)*
- Target IP: the router's IP address
- Username: the web GUI username
- Password: the web GUI password
- **DO NOT** select *Firmware File Name* or the *Flash firmware?* checkbox
- Enable *Split the given command on semicolons [...]* if not already selected
- Leave the rest of the settings unchanged
- Click on *Run*
- Wait for the result in the shell
- Close the program (it will no longer be necessary)
- Connect to the router via SSH and try to authenticate with `root/root`

---

## GUIDE - PART 2
- From the router's root shell, enable the Serial Console Port
  - `sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab`
- Check the status of the banks
  - `find /proc/banktable -type f -print -exec cat {} ';' -exec echo ';'`
  - Take note of the following parameters

        ...
        /proc/banktable/booted

        /proc/banktable/active

        ...
72 | 73 | - Per raggiungere il nostro scopo, è necessario che il risultato del comando precedente diventi come segue 74 | 75 | /proc/banktable/active 76 | bank_1 77 | /proc/banktable/activeversion 78 | Unknown 79 | /proc/banktable/booted 80 | bank_2 81 | 82 | - Proseguire quindi al passaggio successivo per impostare come active il `bank_1` per poi cancellarlo e fare in modo che vada in boot il `bank_2` 83 | 84 | 85 | ### SCRIPT 86 | - Creare con il comando `vim` uno script con i seguenti comandi 87 | 88 | ```bash 89 | # Ensure two banks match in sizes 90 | [ $(grep -c bank_ /proc/mtd) = 2 ] && \ 91 | [ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \ 92 | "$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && { 93 | # Clone and verify firmware into bank_2 if applicable 94 | [ "$(cat /proc/banktable/booted)" = "bank_1" ] && { 95 | mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \ 96 | mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \ 97 | { echo Clone verification failed, retry; exit; } } 98 | # Make a temp copy of overlay for booted firmware 99 | cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup 100 | # Clean up jffs2 space by removing existing old overlays 101 | rm -rf /overlay/* 102 | # Use the previously made temp copy as overlay for bank_2 103 | cp -rf /tmp/bank_overlay_backup /overlay/bank_2 104 | # Activate bank_1 105 | echo bank_1 > /proc/banktable/active 106 | # Make sure above changes get written to flash 107 | sync 108 | # Erase firmware in bank_1 109 | mtd erase bank_1; 110 | # Emulate system crash to hard reboot 111 | echo c > /proc/sysrq-trigger; } 112 | # end 113 | ``` 114 | 115 | - Lanciare il seguente comando per renderlo eseguibile 116 | - `chmod +x script.sh` 117 | - Eseguire lo script appena creato 118 | - `./script.sh` 119 | 120 | 121 | --- 122 | 123 | 124 | ## GUIDA - PARTE 3 125 | - Adesso è possibile proseguire con l'upgrade del firmware per tornare alla versione 2.3.3 126 | - Aprire 
WinSCP (o software simile) e collegarsi con protocollo SCP al router con credenziali `root/root` 127 | - Caricare nella directory `/tmp` del router il file `AGTHP_2.3.3_CLOSED.rbi` rinominandolo in `new.rbi` 128 | - Eseguire da shell il seguente comando 129 | - `cat "/tmp/new.rbi" | (bli_parser && echo "Please wait..." && (bli_unseal | dd bs=4 skip=1 seek=1 of="/tmp/new.bin"))` 130 | - E' necessario procedere con un clean-up di file e configurazioni 131 | - Creare un backup con il seguente comando e salvarlo sul proprio PC tramite WinSCP 132 | - `tar -C /overlay -cz -f /tmp/backup-$(date -I).tar.gz $(cat /proc/banktable/booted)` 133 | - Eseguire il comando seguente per cancellare completamente l'overlay della bank attualmente bootata 134 | - `rm -rf /overlay/$(cat /proc/banktable/booted)` 135 | - Cambiando versione del firmware il root potrebbe andare perso. NON riavviare e procedere quindi con il passaggio successivo 136 | 137 | 138 | ### PRESERVARE ACCESSO ROOT 139 | - Eseguire tramite SSH il blocco di comandi seguente per preparare uno script che andrà eseguito una volta sola al boot successivo per garantire l'accesso con root 140 | 141 | > COPIA E INCOLLA NEL TERMINALE. PREMERE INVIO PER ESEGUIRE L'ULTIMO COMANDO. 
142 | 143 | ```bash 144 | mkdir -p /overlay/$(cat /proc/banktable/booted)/etc 145 | chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc 146 | echo -e "echo root:root | chpasswd 147 | sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd 148 | sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab 149 | uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \ 150 | egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \ 151 | sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \ 152 | sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT' 153 | uci add dropbear dropbear 154 | uci rename dropbear.@dropbear[-1]=afg 155 | uci set dropbear.afg.enable='1' 156 | uci set dropbear.afg.Interface='lan' 157 | uci set dropbear.afg.Port='22' 158 | uci set dropbear.afg.IdleTimeout='600' 159 | uci set dropbear.afg.PasswordAuth='on' 160 | uci set dropbear.afg.RootPasswordAuth='on' 161 | uci set dropbear.afg.RootLogin='1' 162 | uci set dropbear.lan.enable='0' 163 | uci commit dropbear 164 | /etc/init.d/dropbear enable 165 | /etc/init.d/dropbear restart 166 | rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local 167 | source /rom/etc/rc.local 168 | " > /overlay/$(cat /proc/banktable/booted)/etc/rc.local 169 | chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local 170 | sync 171 | ``` 172 | 173 | - Se la password di root è stata cambiata, questa verrà resettata a `root/root` 174 | - Il gateway adesso è pulito. 
L'accesso con root tramite SSH verrà abilitato di nuovo permanentemente al boot successivo 175 | 176 | 177 | ### FLASHING DEL FIRMWARE 178 | - Eseguire uno alla volta i seguenti comandi per scrivere il file `/tmp/new.bin` nella bank booted e per provocare un hard reboot 179 | - `mtd -e $(cat /proc/banktable/booted) write "/tmp/new.bin" $(cat /proc/banktable/booted)` 180 | - `echo c > /proc/sysrq-trigger` 181 | 182 | 183 | ### CONSOLIDARE L'ACCESSO OTTENUTO 184 | - Eseguire i seguenti comandi nel terminale SSH per prevenire che il router perda inaspettatamente la possibilità di accesso con root 185 | 186 | > COPIA E INCOLLA NEL TERMINALE. PREMERE INVIO PER ESEGUIRE L'ULTIMO COMANDO. 187 | 188 | ```bash 189 | # Disable CWMP 190 | uci delete cwmpd.cwmpd_config 191 | uci delete firewall.cwmpd 192 | uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpd.pid' 193 | uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpevents.pid' 194 | uci commit 195 | /etc/init.d/watchdog-tch reload 196 | /etc/init.d/cwmpd disable 197 | /etc/init.d/cwmpd stop 198 | /etc/init.d/cwmpdboot disable 199 | /etc/init.d/cwmpdboot stop 200 | /etc/init.d/zkernelpanic disable 201 | /etc/init.d/zkernelpanic stop 202 | 203 | # Disable CWMP - extra, in case you think it may resurrect 204 | uci set cwmpd.cwmpd_config.state=0 205 | uci set cwmpd.cwmpd_config.acs_url='https://127.0.1.1:7547/' 206 | uci set cwmpd.cwmpd_config.use_dhcp=0 207 | uci set cwmpd.cwmpd_config.interface=loopback 208 | uci set cwmpd.cwmpd_config.enforce_https=1 209 | uci commit cwmpd 210 | 211 | # Disable Telstra monitoring 212 | uci delete tls-vsparc.Config 213 | uci delete tls-vsparc.Passive 214 | uci delete autoreset.vsparc_enabled 215 | uci delete autoreset.thor_enabled 216 | uci delete wifi_doctor_agent.acs 217 | uci delete wifi_doctor_agent.config 218 | uci delete wifi_doctor_agent.as_config 219 | uci commit 220 | 221 | # Disable Telstra Air/Fon WiFi 222 | /etc/init.d/hotspotd stop 223 | /etc/init.d/hotspotd disable 
224 | uci delete dhcp.hotspot 225 | uci delete dhcp.fonopen 226 | uci commit 227 | 228 | # Remove any default SSH pubkey 229 | echo > /etc/dropbear/authorized_keys 230 | # Disable SSH access over wan 231 | uci set dropbear.wan.enable='0' 232 | uci commit dropbear 233 | 234 | # Free space for gateways with small flash 235 | find /rom/usr/lib/ipk -type f |xargs -n1 basename | cut -f 1 -d '_' |xargs opkg --force-removal-of-dependent-packages remove 236 | ``` 237 | 238 | - Se ricevi uno o più messaggi di errore dall'esecuzione di questi comandi, è possibile ignorarli: significa che il comando non era necessario per la tua versione del firmware 239 | 240 | 241 | ### INSTALLAZIONE GUI ANSUEL 242 | - Collegarsi con WinSCP al router come descritto in precedenza 243 | - Copiare il file `GUI.tar.bz2` nella directory `/tmp` 244 | - Collegarsi in SSH al router con root 245 | - Eseguire il seguente comando per estrarre la GUI 246 | - `bzcat /tmp/GUI.tar.bz2 | tar -C / -xvf - && /etc/init.d/rootdevice force` 247 | - Attendere fino al termine della procedura. Se necessario il router potrebbe riavviarsi da solo. Ignorare gli ultimi messaggi di errore 248 | - In caso di *Errore 9* riavviare il router e il problema sarà risolto 249 | 250 | 251 | ### CAMBIARE PASSWORD ROOT E GUI 252 | - Eseguire il comando `passwd` nel terminale per cambiare la password di accesso dell'utente root. Questa procedure è fortemente consigliata 253 | - Una volta installata la GUI Ansuel, username e password saranno nuovamente `admin/admin`. E' consigliato cambiare anche questa password in modo tale da prevenire accessi non autorizzati alla pagina web di amminsitrazione. Per fare ciò, dopo essere entrati nella GUI web, cliccare sul pulsante *Avanzate* in alto a destra accanto al nome utente *admin* e poi su *Impostazioni profilo* 254 | 255 | 256 | ### FINE 257 | Ora si dispone di un modem router TIM HUB DGA4132 aggiornato alla versione AGTHP 2.3.3 con i permessi di root abilitati e la GUI Ansuel. 
--------------------------------------------------------------------------------
/Guide/IT/TIM_HUB_guide_IT.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/duskwalk/Hub_RootGuide/29a88e8dce57ce76a3e06fc5c172dba24c5d87a5/Guide/IT/TIM_HUB_guide_IT.pdf


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# ROOT TIM HUB DGA4132 AND ANSUEL GUI - VERSION AGTHP 2.3.3
This guide is meant as a simple, immediate reference for enabling the root user on the TIM HUB DGA4132 modem router (hereinafter "router") and then installing the Ansuel GUI. All the steps have been taken and adapted from the websites listed in the section below, then collected on this page and arranged in the correct order.

This guide is available in the following formats:
- Markdown (`TIM_HUB_guide_IT.md`)
- PDF (`TIM_HUB_guide_IT.pdf`)
- HTML (`TIM_HUB_guide_IT.html`)


## WEBSITES
- [Hacking Technicolor Gateways: Material for MkDocs](https://hack-technicolor.readthedocs.io/en/stable/)
- [IlPuntoTecnico GUI Ansuel](https://www.ilpuntotecnico.com/forum/index.php?topic=81461.0)
- [GitHub GUI Ansuel](https://github.com/Ansuel/gui-dev-build-auto)
- [GitHub AutoFlashGUI](https://github.com/mswhirl/autoflashgui)
- [WinSCP](https://winscp.net/eng/download.php)


## USEFUL FILES
The `autoflashgui-master_timhub.zip` file contains the `16.02.2018` version of the AutoFlashGUI tool developed by Mark Smith (mswhirl). Once extracted, inside the *autoflashgui-master/firmware* folder you can find the following files needed for this guide:
- `AGTHP_1.0.3_CLOSED.rbi.torrent`: torrent file to start the download of firmware version AGTHP 1.0.3, taken from the website "Hacking Technicolor Gateways: Material for MkDocs". Move the downloaded file into the *autoflashgui-master/firmware* folder
- `AGTHP_2.3.3_CLOSED.rbi.torrent`: torrent file to start the download of firmware version AGTHP 2.3.3, taken from the website "Hacking Technicolor Gateways: Material for MkDocs". Move the downloaded file into the *autoflashgui-master/firmware* folder
- `GUI.tar.bz2`: stable version 9.6.65 of the Ansuel GUI, downloaded from Ansuel's `gui-dev-build-auto` GitHub repository. Please check for new versions before proceeding


---


## GUIDE - PART 1
- Update the router to version 2.3.3 (you can do this using the "TIM Modem" smartphone app available for Android and iOS)
- From the first *Gateway* tab in the web GUI, if necessary, back up the configuration as a `.bin` file via the *Export* button. A file named "config.bin" will be downloaded
- Reset the router via the *Reset* button
- After the reboot, log in to the web page (`admin/admin`), don't change the password and activate the *Extended configuration* mode

> WARNING: To enable the Extended configuration it's necessary to click on a tab that appears ONLY at the first login immediately after a reset. If you log out of the web GUI or close the browser window, you will need to perform another router reset to trigger the Extended configuration prompt again. Furthermore, the router must NOT be connected to the Internet in any way: disconnect the RJ11 cable, the Ethernet cable in the WAN port or the FTTH connection.

- To log in to the GUI again, the password is the **ACCESS KEY** on the label located at the base of the router (under the last barcode in the left column)
- Enter the first *Gateway* tab and perform the downgrade to version 1.0.3 from the third tab. To do this, load the `AGTHP_1.0.3_CLOSED.rbi` file by clicking on *Choose file* and then on *Update* in the *Firmware update* section
- After the reboot, you won't be able to log in. Reset the router with the button on the back (hold for **10-12 sec.**)
- After the second reboot, log in to the web page (`admin/admin`) without changing the password
- Run the `autoflashgui.exe` program inside the *autoflashgui-master* folder


### AUTOFLASHGUI.EXE
Set the following parameters with their respective values
- Load default: *Generic (Advanced DDNS)*
- Target IP: router IP
- Username: web GUI user
- Password: web GUI password
- **DO NOT** select *Firmware File Name* and *Flash firmware?*
- Check *Split the given command on semicolons [...]* if not already selected
- Leave the other settings unchanged
- Click on *Run*
- Wait for the result in the shell
- Close the program (it will no longer be necessary)
- Connect to the router via SSH and try to authenticate with `root/root`


---


## GUIDE - PART 2
- Enable the Serial Console Port from the router's root shell
    - `sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab`
- Check the status of the banks
    - `find /proc/banktable -type f -print -exec cat {} ';' -exec echo ';'`
- Take note of the following parameters

```
...
/proc/banktable/booted

/proc/banktable/active

...
```

- To achieve our goal, the output of the previous command must become as follows

```
/proc/banktable/active
bank_1
/proc/banktable/activeversion
Unknown
/proc/banktable/booted
bank_2
```

- Then proceed to the next step to set `bank_1` as active and then erase it, so that the router always boots `bank_2`


### SCRIPT
- Create a script using `vim` with the following commands

```bash
# Ensure two banks match in sizes
[ $(grep -c bank_ /proc/mtd) = 2 ] && \
[ "$(grep bank_1 /proc/mtd | cut -d' ' -f2)" = \
"$(grep bank_2 /proc/mtd | cut -d' ' -f2)" ] && {
# Clone and verify firmware into bank_2 if applicable
[ "$(cat /proc/banktable/booted)" = "bank_1" ] && {
mtd -e bank_2 write /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 && \
mtd verify /dev/$(grep bank_1 /proc/mtd | cut -d: -f1) bank_2 || \
{ echo Clone verification failed, retry; exit; } }
# Make a temp copy of overlay for booted firmware
cp -rf /overlay/$(cat /proc/banktable/booted) /tmp/bank_overlay_backup
# Clean up jffs2 space by removing existing old overlays
rm -rf /overlay/*
# Use the previously made temp copy as overlay for bank_2
cp -rf /tmp/bank_overlay_backup /overlay/bank_2
# Activate bank_1
echo bank_1 > /proc/banktable/active
# Make sure above changes get written to flash
sync
# Erase firmware in bank_1
mtd erase bank_1;
# Emulate system crash to hard reboot
echo c > /proc/sysrq-trigger; }
# end
```

- Run the following command to make it executable
    - `chmod +x script.sh`
- Run the new script
    - `./script.sh`


---


## GUIDE - PART 3
- Now we can proceed with the firmware upgrade to return to version 2.3.3
- Open WinSCP (or similar software) and connect to the router over the SCP protocol with the `root/root` credentials
- Upload the `AGTHP_2.3.3_CLOSED.rbi` file to the router's `/tmp` directory and rename it to `new.rbi`
- Run the following command from the shell
    - `cat "/tmp/new.rbi" | (bli_parser && echo "Please wait..." && (bli_unseal | dd bs=4 skip=1 seek=1 of="/tmp/new.bin"))`
- It's necessary to proceed with a clean-up of files and configurations
- Create a backup with the following command and save it on your PC via WinSCP
    - `tar -C /overlay -cz -f /tmp/backup-$(date -I).tar.gz $(cat /proc/banktable/booted)`
- Run the following command to completely clear the overlay of the currently booted bank
    - `rm -rf /overlay/$(cat /proc/banktable/booted)`
- Changing the firmware version may cause root access to be lost. DO NOT restart; proceed to the next step


### PRESERVING ROOT ACCESS
- Run the following block of commands via SSH to prepare a script that will run only once, on the next boot, to grant root access

> COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

```bash
mkdir -p /overlay/$(cat /proc/banktable/booted)/etc
chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc
echo -e "echo root:root | chpasswd
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab
uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \
egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \
sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \
sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT'
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci set dropbear.lan.enable='0'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local
source /rom/etc/rc.local
" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local
chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local
sync
```

- If the root password has been changed, it will be reset to `root/root`
- The gateway is now clean. Root access via SSH will be enabled again permanently on the next boot


### FLASHING FIRMWARE
- Run the following commands one at a time to write the `/tmp/new.bin` file to the booted bank and to cause a hard reboot
    - `mtd -e $(cat /proc/banktable/booted) write "/tmp/new.bin" $(cat /proc/banktable/booted)`
    - `echo c > /proc/sysrq-trigger`


### HARDENING GAINED ACCESS
- Run the following in the SSH terminal to prevent your Gateway from losing root access unexpectedly

> COPY AND PASTE INTO THE TERMINAL. PRESS ENTER TO EXECUTE THE LAST COMMAND.

```bash
# Disable CWMP
uci delete cwmpd.cwmpd_config
uci delete firewall.cwmpd
uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpd.pid'
uci del_list watchdog.@watchdog[0].pidfile='/var/run/cwmpevents.pid'
uci commit
/etc/init.d/watchdog-tch reload
/etc/init.d/cwmpd disable
/etc/init.d/cwmpd stop
/etc/init.d/cwmpdboot disable
/etc/init.d/cwmpdboot stop
/etc/init.d/zkernelpanic disable
/etc/init.d/zkernelpanic stop

# Disable CWMP - extra, in case you think it may resurrect
uci set cwmpd.cwmpd_config.state=0
uci set cwmpd.cwmpd_config.acs_url='https://127.0.1.1:7547/'
uci set cwmpd.cwmpd_config.use_dhcp=0
uci set cwmpd.cwmpd_config.interface=loopback
uci set cwmpd.cwmpd_config.enforce_https=1
uci commit cwmpd

# Disable Telstra monitoring
uci delete tls-vsparc.Config
uci delete tls-vsparc.Passive
uci delete autoreset.vsparc_enabled
uci delete autoreset.thor_enabled
uci delete wifi_doctor_agent.acs
uci delete wifi_doctor_agent.config
uci delete wifi_doctor_agent.as_config
uci commit

# Disable Telstra Air/Fon WiFi
/etc/init.d/hotspotd stop
/etc/init.d/hotspotd disable
uci delete dhcp.hotspot
uci delete dhcp.fonopen
uci commit

# Remove any default SSH pubkey
echo > /etc/dropbear/authorized_keys
# Disable SSH access over wan
uci set dropbear.wan.enable='0'
uci commit dropbear

# Free space for gateways with small flash
find /rom/usr/lib/ipk -type f |xargs -n1 basename | cut -f 1 -d '_' |xargs opkg --force-removal-of-dependent-packages remove
```

- If you get one or more error messages from running these commands, you can ignore them: it means the command was not needed for your firmware version


### GUI ANSUEL
- Connect with WinSCP to the router as described above
- Copy the `GUI.tar.bz2` file to the `/tmp` directory
- Connect to the router via SSH as the root user
- Run the following command to extract the GUI
    - `bzcat /tmp/GUI.tar.bz2 | tar -C / -xvf - && /etc/init.d/rootdevice force`
- Wait until the procedure is finished. If necessary, the router may reboot itself. Ignore the last error messages
- In case of *Error 9*, restart the router and the problem will be solved


### CHANGE ROOT AND GUI PASSWORD
- Run the `passwd` command in the terminal to change the login password for the root user. This procedure is strongly recommended
- Once the Ansuel GUI is installed, the username and password will be `admin/admin` again. It is also recommended to change this password in order to prevent unauthorized access to the administration web page. To do this, after you log in to the web GUI, click on the *Advanced* button at the top right next to the username *admin* and then on *Profile settings*


### RESULT
Now you have a TIM HUB DGA4132 modem router updated to AGTHP version 2.3.3 with root permissions enabled and the Ansuel GUI.
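A read-only pre-flight check for the bank layout described in GUIDE - PART 2 and the size guard at the top of SCRIPT, as an added example that is not part of the original guide or of the upstream projects. The function names (`bank_state`, `banks_equal`, `preflight`, `make_sample`) and the optional path arguments are assumptions introduced here so the logic can be exercised against constructed files off-device.

```shell
#!/bin/sh
# Added example: decide whether the SCRIPT step applies, without writing anything.

# bank_state [DIR] -> prints optimal | needs_planning | unexpected | unreadable
# DIR defaults to /proc/banktable; pass another directory to test off-device.
bank_state() {
    dir="${1:-/proc/banktable}"
    [ -r "$dir/active" ] && [ -r "$dir/booted" ] || { echo unreadable; return 2; }
    active="$(tr -d ' \t\r\n' < "$dir/active")"
    booted="$(tr -d ' \t\r\n' < "$dir/booted")"
    # Accept only the two bank names the guide uses.
    for v in "$active" "$booted"; do
        case "$v" in
            bank_1|bank_2) ;;
            *) echo unexpected; return 2 ;;
        esac
    done
    if [ "$active" = bank_1 ] && [ "$booted" = bank_2 ]; then
        echo optimal            # target layout from PART 2
        return 0
    fi
    echo needs_planning         # any other valid combination
    return 1
}

# banks_equal [MTDFILE] -> succeeds only if exactly two bank_ partitions
# exist and their size fields are identical (same test SCRIPT starts with).
banks_equal() {
    mtd="${1:-/proc/mtd}"
    [ -r "$mtd" ] || return 2
    [ "$(grep -c 'bank_' "$mtd")" = 2 ] || return 1
    s1="$(grep '"bank_1"' "$mtd" | cut -d' ' -f2)"
    s2="$(grep '"bank_2"' "$mtd" | cut -d' ' -f2)"
    [ -n "$s1" ] && [ "$s1" = "$s2" ]
}

# preflight [BANKDIR] [MTDFILE] -> prints the action the guide calls for.
preflight() {
    state="$(bank_state "${1:-/proc/banktable}" || true)"
    case "$state" in
        optimal) echo "skip: layout already matches the target" ;;
        needs_planning)
            if banks_equal "${2:-/proc/mtd}"; then
                echo "run: bank sizes match, SCRIPT step applies"
            else
                echo "stop: bank partitions missing or of different size"
            fi ;;
        *) echo "stop: bank table $state" ;;
    esac
}

# make_sample -> creates constructed inputs (not captured from a real device)
# in a temporary directory and prints its path.
make_sample() {
    d="$(mktemp -d)"
    printf 'bank_1\n' > "$d/active"
    printf 'bank_1\n' > "$d/booted"
    cat > "$d/mtd" <<'EOF'
dev:    size   erasesize  name
mtd2: 02000000 00020000 "bank_1"
mtd3: 02000000 00020000 "bank_2"
EOF
    echo "$d"
}
```

On the router, calling `preflight` with no arguments reads `/proc/banktable` and `/proc/mtd` directly.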


--------------------------------------------------------------------------------
/autoflashgui-master_timhub.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/duskwalk/Hub_RootGuide/29a88e8dce57ce76a3e06fc5c172dba24c5d87a5/autoflashgui-master_timhub.zip
--------------------------------------------------------------------------------