Livebox Firmware
Have you considered turning your Livebox into a Home Automation Hub?
- Downgrade to v5.04-uk
- See Flashing the HAH firmware just below.
Flashing the HAH firmware
Grab the latest DWB from http://homeautomationhub.com/content/livebox-hah-firmware and set it up exactly as you would for flashing the v5.04-uk firmware (see Flashing new firmware aka Livebox Recovery below). You are one step away.
Once the HAH firmware image is on the box it needs a DHCP server on your network to obtain an IP address. Plug your HAH Livebox back into your LAN and reboot it. To find the address your HAH was assigned, see Locating DHCP assigned IP.
Once the firmware is installed the following points will be useful:
- Default root password is admin (change it with passwd on first login; the box is now reachable over your LAN)
- SSH enabled on port 22, no telnet access.
- Webserver listens on port 80.
- Serial console login disabled.
Oh, and don't forget step 5: upgrade to the latest release.
Flashing new firmware aka Livebox Recovery
There are two ways to flash new firmware onto your Livebox
- Using the shipped Inventel utilities and Windows (simple)
- Setting up your own TFTP server (advanced) - recommended for development
Using the Windows utility
The upgrade is done by running 'RGWRepair.exe' from a PC, together with a PC-based 'flash image' file for the Livebox. This program (included inside the .zip files above) is designed to recover the Livebox from a complete failure of the flash system. It needs a standard (not crossover) RJ45 patch cable between the PC and the YELLOW (upper) RJ45 connector on the Livebox.
Next, download the zip file v5.04-uk.zip from the link above, to your PC. Unzip this to get the firmware and the RGWRepair.exe program.
Hook everything up with the Livebox powered off, and make sure there is no ADSL feed to the Livebox. Then run RGWRepair.exe (note: if you are so unlucky as to be running this under Vista, be sure to launch it as 'admin'; on Win7 there are reports that it might not work at all). On the screen that asks you to choose your network adaptor and firmware, select the adaptor you plugged the patch cable into and then select the firmware file 'firmware_5_04_3-uk.dwb'.
Next, hold in button 1 on the Livebox (circled in red in the picture), then apply power to the unit and keep button 1 held until you see 3 LEDs light up on the top of the Livebox; you can then release it.
Full instructions are given by the RGWRepair program. Flashing took about 5 minutes.
Now that you have the version of the firmware that allows the 'web backdoor' exploit, you might want to install a telnet server and then use the exploit.
TFTP Server for image downloads
Using the console_access_hardware we can see what is going on when BUTTON 1 is held down at power-on:
96432SDRAM16bit_5GX101201234Hardware version 0x90 BLUE5G.9 56+678ESA: 00:16:ae:8e:ec:d0
WEP KEY : 83BBACB123776B99AB49E0B3D3
Auto-negotiation timed-out
10 MB Half-Duplex (assumed)
Ethernet eth0: MAC address 00:16:ae:8e:ec:d0
IP: 10.7.58.112, Default server: 0.0.0.0
Hardware version 0x10 BLUE5G.9 WITHOUT_OPTION
Factory Settings Recovery Switch ON
Ethernet default MAC address 00:07:3a:ff:ff:ff
Ethernet eth0: MAC address 00:16:ae:8e:ec:d0
commande fis_delete_jffs_system : fis delete -n jffs_system, strlen : 25
... Erase from 0xbeb50000-0xbebf0000: ..........
script : load -r -v -h 10.7.58.114 -m tftp -b 0x80545FB0 inventel/blue_5g/factory_script_crypt
commande : load -r -v -h 10.7.58.114 -m tftp -b 0x80545FB0 inventel/blue_5g/factory_script_crypt, strlen : 85
Can't load 'inventel/blue_5g/factory_script_crypt': file not found
Eth download failed, try USB
From the trace above you can see that the RedBoot loader gives the box the address 10.7.58.112, erases the jffs_system region, and then attempts to fetch an image file by TFTP from 10.7.58.114 (when nothing answers it reports 'Eth download failed, try USB'). Nothing in the trace suggests that the server or the file is authenticated: whichever host answers on 10.7.58.114 supplies the image that gets flashed. So we can put an image on our own TFTP server and have the box load it. Note also that the loader prints the box's MAC address and default WEP key on the serial console.
Install a TFTPD server.
TFTPD for Ubuntu
apt-get install atftpd
Remove the configuration that the package placed in /etc/inetd.conf; we are going to use daemon mode. The tftp line should end up commented out, like this:
#<off># smtp		stream	tcp	nowait	root	/usr/sbin/sendmail sendmail -Am -bs
#<off># submission	stream	tcp	nowait	root	/usr/sbin/sendmail sendmail -Am -bs
#<off># smtps		stream	tcp	nowait	root	/usr/sbin/sendmail sendmail -Am -bs
#tftp		dgram	udp	wait	nobody	/usr/sbin/in.tftpd /tftpboot
Make sure that the inetd-spawned copy is no longer running; this does the trick (lsof should print nothing):
# /etc/init.d/xinetd restart
# lsof -i:69
Make sure USE_INETD is set to false in /etc/default/atftpd:
USE_INETD=false
OPTIONS="--daemon --port 69 --tftpd-timeout 300 --retry-timeout 5 --verbose=5 --logfile=/var/log/tftp.log /tftpboot"
Set up the logfile (atftpd runs as nobody, so it must own the file):
touch /var/log/tftp.log
chown nobody:nogroup /var/log/tftp.log
Before starting the TFTP server your local machine needs the IP address 10.7.58.114, the address the loader is hard-wired to ask.
You can add it as an alias in the /etc/network/interfaces file (Ubuntu):
auto eth0:0
iface eth0:0 inet static
    address 10.7.58.114
    netmask 255.255.255.0
    broadcast 10.7.58.255
    network 10.7.58.0
Then bring it up immediately on the command line to save a reboot:
ifconfig eth0:0 10.7.58.114 netmask 255.255.255.0
/etc/init.d/atftpd start
TFTPD for CentOS/Fedora/Red Hat
Download and start the tftp server:
# yum install tftp-server tftp
# chkconfig tftp on
# service xinetd restart
Set up the network alias file
/etc/sysconfig/network-scripts/ifcfg-eth0:0
DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.7.58.114
NETMASK=255.255.255.0
and bring it up
# ifup eth0:0
Set up the firmware
Now create the directory the loader asks for and link the name it requests, factory_script_crypt, to the firmware you want flashed into your box. Here firmware.dwb is a copy of firmware_5_04_3-uk.dwb (same 5247032-byte size); to flash a different image, replace the copy or re-point the symlink. Available firmware:
# mkdir -p /tftpboot/inventel/blue_5g
# cd /tftpboot/inventel/blue_5g
# ln -s firmware.dwb factory_script_crypt
# ls -l
lrwxrwxrwx 1 root root      23 2008-09-17 17:58 factory_script_crypt -> firmware.dwb
-rw-r--r-- 1 root root 5247032 2008-09-17 17:58 firmware.dwb
-rw-r--r-- 1 root root 5247032 2008-09-17 17:55 firmware_5_04_3-uk.dwb
-rw-r--r-- 1 root root 3588145 2008-09-17 18:09 firmware_v5-00-RC5.1-uk.dwb
-rw-r--r-- 1 root root 5357628 2008-09-17 17:55 firmware_v5.06.2-uk.dwb
#
Power-cycle the box while holding button 1. In the TFTP log you'll now see the request for factory_script_crypt coming from 10.7.58.112.
From /var/log/tftp.log:
Sep 17 15:38:53 gumby atftpd[5060.-1210337088]: Advanced Trivial FTP server started (0.7)
Sep 17 15:49:24 gumby atftpd[5061.-1210496112]: Serving inventel/blue_5g/factory_script_crypt to 10.7.58.112:7700
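The staging steps above (directory, symlink, permissions, then watching the log for the fetch) are easy to get subtly wrong, so here is an added example that automates them with the checks worth making before power-cycling the box. This is not code from the original page or the HAH project. It assumes the paths and addresses visible in the serial trace (the loader on 10.7.58.112 asks the TFTP server at 10.7.58.114 for inventel/blue_5g/factory_script_crypt); the TFTP root is a parameter (the page uses /tftpboot), and the demo uses a temporary directory with a zero-filled dummy file of the 5.04 image's size instead of a real firmware.

```python
"""Stage a Livebox .dwb for RedBoot recovery and confirm the box fetched it.

Added example; not code from the original page or the HAH project.
"""
import os
import re
import shutil
import tempfile

REQUEST_PATH = "inventel/blue_5g/factory_script_crypt"  # path in the loader's tftp 'load' command
SERVER_IP = "10.7.58.114"                               # hard-wired in the loader
LIVEBOX_IP = "10.7.58.112"                              # address the loader gives the box
V504_SIZE = 5247032                                     # firmware_5_04_3-uk.dwb, from the ls -l above

SERVED_RE = re.compile(r"atftpd\[[^\]]*\]: Serving (\S+) to (\d+(?:\.\d+){3}):\d+")


def stage_image(root, image, copy_name="firmware.dwb"):
    """Copy `image` under root/inventel/blue_5g/ and point factory_script_crypt at it.

    Returns the path the daemon will serve. The symlink target is relative so it
    still resolves when atftpd serves from a chroot."""
    dest_dir = os.path.join(root, os.path.dirname(REQUEST_PATH))
    os.makedirs(dest_dir, exist_ok=True)
    copy = os.path.join(dest_dir, copy_name)
    shutil.copyfile(image, copy)
    os.chmod(copy, 0o644)                     # atftpd runs as nobody and must be able to read it
    link = os.path.join(dest_dir, os.path.basename(REQUEST_PATH))
    if os.path.lexists(link):
        os.remove(link)                       # replace whatever the previous flash pointed at
    os.symlink(copy_name, link)
    return link


def verify_staging(root, expected_size):
    """Pre-flight checks before power-cycling the box. Returns a list of problems."""
    problems = []
    served = os.path.join(root, REQUEST_PATH)
    if not os.path.islink(served):
        return ["%s is not a symlink" % REQUEST_PATH]
    if os.path.isabs(os.readlink(served)):
        problems.append("symlink target is absolute; it will not resolve inside a chroot")
    if not os.path.isfile(served):
        problems.append("symlink does not resolve to a file")
        return problems
    size = os.path.getsize(served)
    if size != expected_size:
        problems.append("staged image is %d bytes, expected %d" % (size, expected_size))
    if os.stat(served).st_mode & 0o004 == 0:
        problems.append("staged image is not world-readable (atftpd runs as nobody)")
    return problems


def loader_fetched(log_text):
    """True once /var/log/tftp.log shows the Livebox fetching the recovery path."""
    return any(path == REQUEST_PATH and client == LIVEBOX_IP
               for path, client in SERVED_RE.findall(log_text))


# Constructed sample: the two atftpd lines shown on this page.
SAMPLE_LOG = """\
Sep 17 15:38:53 gumby atftpd[5060.-1210337088]: Advanced Trivial FTP server started (0.7)
Sep 17 15:49:24 gumby atftpd[5061.-1210496112]: Serving inventel/blue_5g/factory_script_crypt to 10.7.58.112:7700
"""


def demo():
    """Stage a dummy image of the 5.04 size in a temp dir; return (problems, fetched)."""
    root = tempfile.mkdtemp()
    try:
        dummy = os.path.join(root, "firmware_5_04_3-uk.dwb")
        with open(dummy, "wb") as f:
            f.write(b"\0" * V504_SIZE)        # constructed stand-in, not a real image
        stage_image(root, dummy)
        return verify_staging(root, V504_SIZE), loader_fetched(SAMPLE_LOG)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

For a real run call stage_image("/tftpboot", "firmware_5_04_3-uk.dwb") as root, then verify_staging("/tftpboot", 5247032) before power-cycling, and feed the contents of /var/log/tftp.log to loader_fetched afterwards. The size check is what catches a truncated download or a symlink left pointing at last week's image.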
From the serial console of the Livebox, this is a transcript of the flashing session:
96432SDRAM16bit_5GX101201234Hardware version 0x90 BLUE5G.9 56+678ESA: 00:16:ae:8e:ec:d0
WEP KEY : 83BBACB123776B99AB49E0B3D3
Auto-negotiation timed-out
10 MB Half-Duplex (assumed)
Ethernet eth0: MAC address 00:16:ae:8e:ec:d0
IP: 10.7.58.112, Default server: 0.0.0.0
Hardware version 0x10 BLUE5G.9 WITHOUT_OPTION
Factory Settings Recovery Switch ON
Ethernet default MAC address 00:07:3a:ff:ff:ff
Ethernet eth0: MAC address 00:16:ae:8e:ec:d0
commande fis_delete_jffs_system : fis delete -n jffs_system, strlen : 25
... Erase from 0xbeb50000-0xbebf0000: ..........
script : load -r -v -h 10.7.58.114 -m tftp -b 0x80545FB0 inventel/blue_5g/factory_script_crypt
commande : load -r -v -h 10.7.58.114 -m tftp -b 0x80545FB0 inventel/blue_5g/factory_script_crypt, strlen : 85
/
Raw file loaded 0x80545fb0-0x80a46fe7, assumed entry at 0x80545fb0
OKclose ptr : 0x80545fb0
Script has been loaded in ptr !
script : fis init -f
fconfig boot_script true
fconfig boot_script_data
fis load -b 0x80010000 -m cramfs -f Image user_fs
exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000

fconfig boot_script_timeout 20
fis create -l 0x000A0000 -f 0xBEB50000 -n jffs_system
fis create -o 0x1000 -s 0x00500000 -l 0x00720000 -f 0xBE430000 user_fs
reset

RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version release-wanadoo-fr - built 16:25:10, Jun 20 2006

Platform: Blue_5g (MIPS32 4Kc)
Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x80000000-0x81000000, [0x80445fb0-0x80fe2000] available
FLASH: 0xbe400000 - 0xbec00000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 0.020 seconds - enter ^C twice to abort
RedBoot> fis init -f
*** Initialize FLASH Image System
... Erase from 0xbe430000-0xbebf0000: ..............................................
... Erase from 0xbec00000-0xbec00000:
... Erase from 0xbebf0000-0xbec00000: .
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
RedBoot>
RedBoot> fconfig boot_script true
boot_script: Setting to true
RedBoot>
RedBoot> fconfig boot_script_data
boot_script_data:
.. fis load -b 0x80010000 -m cramfs -f Image user_fs
.. exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000
Enter script, terminate with empty line
>> fis load -b 0x80010000 -m cramfs -f Image user_fs
>> exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000
>>
... Erase from 0xbebf0000-0xbec00000: .
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
RedBoot>
RedBoot> fconfig boot_script_timeout 20
boot_script_timeout: Setting to 20
RedBoot>
RedBoot> fis create -l 0x000A0000 -f 0xBEB50000 -n jffs_system
script : 0x805460b4
Adresse de base utilisee : 8040b464
... Erase from 0xbebf0000-0xbec00000: .
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
RedBoot>
RedBoot> fis create -o 0x1000 -s 0x00500000 -l 0x00720000 -f 0xBE430000 user_fs
offset : 0x00001000
script : 0x805460fc
Adresse de base utilisee : 80546fb0
... Erase from 0xbe430000-0xbeb50000: ......................................................................
... Program from 0x80546fb0-0x80a46fb0 at 0xbe430000: .....................................................
... Erase from 0xbebf0000-0xbec00000: .
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
RedBoot>
RedBoot> reset
... Resetting.
A few things are worth reading off this transcript. The raw file loaded at 0x80545fb0-0x80a46fe7 is 0x501038 = 5247032 bytes, i.e. exactly firmware_5_04_3-uk.dwb, and RedBoot treats it as a script: the fis commands printed after 'Script has been loaded in ptr !' come from the start of the .dwb and are then executed one by one. The user_fs image is programmed from 0x80546fb0, which is 0x1000 past the load address, so the cramfs payload sits at offset 0x1000 in the file and is 0x500000 bytes long. 'fis init -f' erases everything from 0xbe430000 to 0xbebf0000 (the three blocks below hold RedBoot itself, the last block its config), user_fs gets 0x720000 bytes at 0xBE430000 and jffs_system 0xA0000 bytes at 0xBEB50000. The French lines ('commande', 'Adresse de base utilisee') are Inventel's additions to stock RedBoot. At this point the box reboots into the freshly flashed firmware, and nothing from here on differs from a normal boot.
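To make the partition layout in the transcript checkable rather than something to eyeball, here is an added example that parses the recovery script's fis create lines into a FLASH map, verifies it against the FLASH geometry RedBoot reports (block alignment, bounds, no overlap), and cross-checks the console output: that the whole staged file arrived over TFTP and that every Program write landed inside a known region. This is not code from the original page or the HAH project. The script text, console lines and sizes are copied from this page; how the options are read, and the reading of Inventel's '-o' as the payload offset inside the loaded file (the 0x500000-byte user_fs write starts 0x1000 past the load address), are assumptions, not a description of the .dwb format.

```python
"""Check a Livebox RedBoot recovery script against the FLASH layout RedBoot reports.

Added example; not code from the original page or the HAH project.
"""
import re

FLASH_BASE, FLASH_END, BLOCK = 0xBE400000, 0xBEC00000, 0x10000  # "FLASH: 0xbe400000 - 0xbec00000, 128 blocks of 0x00010000"
FCONFIG_BLOCK = (FLASH_END - BLOCK, FLASH_END)                   # last block: rewritten after every fconfig / fis create
IMAGE_SIZE = 5247032                                             # firmware_5_04_3-uk.dwb, from the ls -l above

# The script RedBoot printed after "Script has been loaded in ptr !" (copied from the transcript).
RECOVERY_SCRIPT = """\
fis init -f
fconfig boot_script true
fconfig boot_script_data
fis load -b 0x80010000 -m cramfs -f Image user_fs
exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000

fconfig boot_script_timeout 20
fis create -l 0x000A0000 -f 0xBEB50000 -n jffs_system
fis create -o 0x1000 -s 0x00500000 -l 0x00720000 -f 0xBE430000 user_fs
reset
"""

# Subset of the console transcript that the checks below rely on (copied from the page).
CONSOLE = """\
Raw file loaded 0x80545fb0-0x80a46fe7, assumed entry at 0x80545fb0
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
... Program from 0x80546fb0-0x80a46fb0 at 0xbe430000: ....
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
"""

RAW_RE = re.compile(r"Raw file loaded 0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)")
PROGRAM_RE = re.compile(r"Program from 0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) at 0x([0-9a-fA-F]+)")


def parse_fis_create(script):
    """Return {name: {flash, length, offset, size, has_data}} for each 'fis create' line.
    Assumption: -o (Inventel extension) is the payload offset inside the loaded file."""
    entries = {}
    for line in script.splitlines():
        parts = line.split()
        if parts[:2] != ["fis", "create"]:
            continue
        opts, name, i = {}, None, 2
        while i < len(parts):
            tok = parts[i]
            if tok == "-n":                       # no-copy: directory entry only, nothing programmed
                opts["n"], i = True, i + 1
            elif tok.startswith("-") and i + 1 < len(parts):
                opts[tok[1:]], i = int(parts[i + 1], 16), i + 2
            else:
                name, i = tok, i + 1
        entries[name] = {"flash": opts["f"], "length": opts["l"],
                         "offset": opts.get("o", 0), "size": opts.get("s", 0),
                         "has_data": "n" not in opts}
    return entries


def flash_map(entries):
    """Sorted (start, end, name) regions, including RedBoot's own config block."""
    regions = [(e["flash"], e["flash"] + e["length"], n) for n, e in entries.items()]
    regions.append(FCONFIG_BLOCK + ("fconfig",))
    return sorted(regions)


def check_map(regions):
    """Erase-block alignment, FLASH bounds and overlap; returns a list of problems."""
    problems = []
    for start, end, name in regions:
        if start % BLOCK or end % BLOCK:
            problems.append("%s: not aligned to 0x%x erase blocks" % (name, BLOCK))
        if start < FLASH_BASE or end > FLASH_END:
            problems.append("%s: outside FLASH" % name)
    for (_, e1, n1), (s2, _, n2) in zip(regions, regions[1:]):
        if s2 < e1:
            problems.append("%s overlaps %s" % (n1, n2))
    return problems


def check_transcript(console, entries, image_size):
    """Did the whole image arrive, and did every write land inside a known region?"""
    m = RAW_RE.search(console)
    if not m:
        return ["no 'Raw file loaded' line: the TFTP fetch failed"]
    loaded = int(m.group(2), 16) - int(m.group(1), 16) + 1   # RedBoot prints an inclusive end address
    problems = []
    if loaded != image_size:
        problems.append("loaded %d bytes but the staged image is %d" % (loaded, image_size))
    ufs = entries["user_fs"]
    if ufs["offset"] + ufs["size"] > loaded:
        problems.append("user_fs payload runs past the end of the loaded file")
    regions = flash_map(entries)
    for lo, hi, dst in PROGRAM_RE.findall(console):
        n, dst = int(hi, 16) - int(lo, 16), int(dst, 16)
        if not any(s <= dst and dst + n <= e for s, e, _ in regions):
            problems.append("write of 0x%x bytes at 0x%x hits no known region" % (n, dst))
    return problems


if __name__ == "__main__":
    ents = parse_fis_create(RECOVERY_SCRIPT)
    for start, end, name in flash_map(ents):
        print("%-12s 0x%08x-0x%08x  %3d blocks" % (name, start, end, (end - start) // BLOCK))
    print("map:", check_map(flash_map(ents)) or "ok")
    print("transcript:", check_transcript(CONSOLE, ents, IMAGE_SIZE) or "ok")
```

Run against the page's numbers the map is user_fs 114 blocks, jffs_system 10 blocks and fconfig 1 block, which with the 3 blocks of RedBoot below 0xBE430000 accounts for all 128. When flashing a different .dwb, paste its script and the console lines from your own session into RECOVERY_SCRIPT and CONSOLE, and pass the size of the file you staged: a short TFTP transfer or an entry that strays into RedBoot's blocks shows up as a problem string instead of as a bricked box.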