Livebox Firmware

Have you considered turning your Livebox into a Home Automation Hub ?

  1. Downgrade to v5.04-uk
  2. See Flashing the HAH firmware just below.

Flashing the HAH firmware

Grab the latest DWB from http://homeautomationhub.com/content/livebox-hah-firmware and set it up just like you do for flashing the uk5.04 firmware. You are one step away.

Once you have the HAH firmware image on-board you need to have a DHCP server on your network for it to obtain an IP address. Plug your HAH livebox back into your LAN and reboot it. To help you locate your HAH's DHCP assigned IP address see Locating DHCP assigned IP.

Once the firmware is installed the following points will be useful:

  • Default root password is admin
  • SSH enabled port 22, No telnet access.
  • Webserver listens on port 80.
  • Serial console login disabled.

Oh and don't forget step 5 - upgrade to the latest.

Flashing new firmware aka Livebox Recovery

There are two ways to flash new firmware onto your Livebox

  • Using the shipped Inventel utilities and Windows (simple)
  • Setting up your own TFTP server (advanced) - recommended for development

The process for upgrading is to use 'RGWRepair.exe' (run from a PC), together with a PC based 'flash image' file for the Livebox. This program (which is included inside the .zip files, above) is designed to recover the Livebox from a complete failure of the flash system. It needs a standard (not crossover) RJ45 patch cable between the PC and the YELLOW (upper) RJ45 connector on the Livebox.

livebox ethernet ports

Next, download the zip file v5.04-uk.zip from the link above, to your PC. Unzip this to get the firmware and the RGWRepair.exe program.

Hookup everything with the Livebox powered off. Make sure that there is no ADSL feed to the Livebox. Then run the RGWRepair.exe (Note: if you are so unlucky as to be running this under Vista, be sure to launch this as 'admin' - if you are on Win7, there are reports that it might not work at all!). On the screen where you are asked to choose your network adaptor and firmware, select the network adaptor that you have plugged the patch cable into and then select the firmware file 'firmware_5_04_3-uk.dwb'.

Next, hold in button 1 on the Livebox, then apply power to the unit (button 1 is circled red in the picture) until you see 3 LEDs light up on the top of the Livebox; you can then release button 1.

usb and reset buttons

Full instructions are given by the RGWRepair program. Flashing took about 5mins.

Now that you have the version of the firmware that allows the 'web backdoor' exploit, you might want to install a telnet server and then use the exploit.

Using the serial console (see console_access_hardware) we can see what is going on when button 1 is held down.

96432SDRAM16bit_5GX101201234Hardware version 0x90 BLUE5G.9
56+678ESA: 00:16:ae:8e:ec:d0
WEP KEY : 83BBACB123776B99AB49E0B3D3
Auto-negotiation timed-out
10 MB Half-Duplex (assumed)
Ethernet eth0: MAC address 00:16:ae:8e:ec:d0
IP: 10.7.58.112, Default server: 0.0.0.0
Hardware version 0x10 BLUE5G.9 WITHOUT_OPTION
Factory Settings Recovery Switch ON
Ethernet default MAC address 00:07:3a:ff:ff:ff
Ethernet eth0: MAC address 00:16:ae:8e:ec:d0
commande fis_delete_jffs_system : fis delete -n jffs_system, strlen : 25
... Erase from 0xbeb50000-0xbebf0000: ..........
script : load -r -v -h 10.7.58.114 -m tftp -b 0x80545FB0 inventel/blue_5g/factory_script_crypt
commande : load -r -v -h 10.7.58.114 -m tftp -b 0x80545FB0 inventel/blue_5g/factory_script_crypt, strlen : 85
Can't load 'inventel/blue_5g/factory_script_crypt': file not found
Eth download failed, try USB

From the trace above you can see that the RedBoot loader attempts to fetch an image file by TFTP from the IP address 10.7.58.114. Perhaps we can put an image on our own TFTP server at that address and have the box load it!

Install a TFTPD server.

TFTPD for Ubuntu

apt-get install atftpd

Comment out the tftp entry that the package places in /etc/inetd.conf; we are going to use daemon mode instead.

#<off># smtp    stream  tcp     nowait  root    /usr/sbin/sendmail sendmail -Am -bs
#<off># submission      stream  tcp     nowait  root    /usr/sbin/sendmail sendmail -Am -bs
#<off># smtps   stream  tcp     nowait  root    /usr/sbin/sendmail sendmail -Am -bs
#tftp           dgram   udp     wait    nobody  /usr/sbin/in.tftpd /tftpboot

Make sure that it is no longer being run from inetd; this does the trick (lsof should show nothing on port 69):

# /etc/init.d/xinetd restart
# lsof -i:69

Make sure USE_INETD is set to false in /etc/default/atftpd:

USE_INETD=false
OPTIONS="--daemon --port 69 --tftpd-timeout 300 --retry-timeout 5 --verbose=5 --logfile=/var/log/tftp.log /tftpboot"

Setup the logfile

touch /var/log/tftp.log
chown nobody:nogroup /var/log/tftp.log

Before starting the TFTP server you need your local machine to have the IP address 10.7.58.114
You can do this as an alias in the /etc/network/interfaces file (Ubuntu)

auto eth0:0
iface eth0:0 inet static
        address 10.7.58.114
        netmask 255.255.255.0
        broadcast 10.7.58.255
        network 10.7.58.0

Then bring the alias up immediately from the command line, to save a reboot:

ifconfig eth0:0 10.7.58.114 netmask 255.255.255.0

Start the TFTPD:

/etc/init.d/atftpd start

TFTPD for Centos/Fedora/Redhat

Download and start the tftp server

# yum install tftp-server tftp
# chkconfig tftp on
# service xinetd restart

Setup the network alias file

/etc/sysconfig/network-scripts/ifcfg-eth0:0

DEVICE=eth0:0
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.7.58.114
NETMASK=255.255.255.0

and bring it up

# ifup eth0:0

Setup firmware

Now create the directory for our image and setup the linkage to the firmware that you want flashed into your box. Available Firmware:

# mkdir -p /tftpboot/inventel/blue_5g
# cd /tftpboot/inventel/blue_5g
# ln -s firmware.dwb factory_script_crypt
# ls -l
lrwxrwxrwx 1 root root      23 2008-09-17 17:58 factory_script_crypt -> firmware.dwb
-rw-r--r-- 1 root root 5247032 2008-09-17 17:58 firmware.dwb
-rw-r--r-- 1 root root 5247032 2008-09-17 17:55 firmware_5_04_3-uk.dwb
-rw-r--r-- 1 root root 3588145 2008-09-17 18:09 firmware_v5-00-RC5.1-uk.dwb
-rw-r--r-- 1 root root 5357628 2008-09-17 17:55 firmware_v5.06.2-uk.dwb
#

Power cycle the box while holding button 1. Now in the TFTP logs you'll see a request for factory_script_crypt.

From the /var/log/tftp.log

Sep 17 15:38:53 gumby atftpd[5060.-1210337088]: Advanced Trivial FTP server started (0.7)
Sep 17 15:49:24 gumby atftpd[5061.-1210496112]: Serving inventel/blue_5/factory_script_crypt to 10.7.58.112:7700
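The exchange behind that log line, as an added example that is not part of this page or the HAH project: a decoder for the TFTP read request RedBoot sends for inventel/blue_5g/factory_script_crypt and the DATA/ACK packets the server answers with, plus the check that the requested name stays under /tftpboot. The RRQ bytes are constructed here, and octet mode is an assumption.

```python
import os
import struct

TFTP_ROOT = "/tftpboot"                # the directory given to atftpd in OPTIONS above
BLOCK = 512                            # RFC 1350 data block size
OP_RRQ, OP_DATA, OP_ACK = 1, 2, 3

# Constructed read request, as RedBoot's 'load -m tftp' would send it (octet mode assumed).
SAMPLE_RRQ = b"\x00\x01inventel/blue_5g/factory_script_crypt\x00octet\x00"

def parse_rrq(packet):
    """Decode a TFTP RRQ: 2-byte opcode, filename, NUL, mode, NUL. Returns (filename, mode)."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not a read request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("malformed read request")
    return fields[0].decode("ascii"), fields[1].decode("ascii").lower()

def resolve_path(root, filename):
    """Map the requested name under the TFTP root; refuse anything that climbs out of it."""
    full = os.path.normpath(os.path.join(root, filename.lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        raise PermissionError(f"{filename!r} escapes {root}")
    return full

def data_packets(image):
    """Split an image into DATA packets. The last one is shorter than BLOCK (possibly
    empty), which is how the client learns the transfer is complete."""
    count = len(image) // BLOCK + 1
    return [struct.pack("!HH", OP_DATA, (n + 1) & 0xFFFF) + image[n * BLOCK:(n + 1) * BLOCK]
            for n in range(count)]

def ack_for(packet):
    """Build the ACK a client returns for a DATA packet (block number echoed back)."""
    op, block_no = struct.unpack("!HH", packet[:4])
    if op != OP_DATA:
        raise ValueError("not a data packet")
    return struct.pack("!HH", OP_ACK, block_no)

def serve(packet, files, root=TFTP_ROOT):
    """Handle one RRQ against an in-memory {path: bytes} table standing in for /tftpboot."""
    name, mode = parse_rrq(packet)
    if mode != "octet":
        raise ValueError("firmware must be transferred in octet mode")
    path = resolve_path(root, name)
    if path not in files:
        raise FileNotFoundError(path)
    return data_packets(files[path])
```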

From the serial console of the Livebox, this is a transcript of the flashing session:

96432SDRAM16bit_5GX101201234Hardware version 0x90 BLUE5G.9
56+678ESA: 00:16:ae:8e:ec:d0
WEP KEY : 83BBACB123776B99AB49E0B3D3
Auto-negotiation timed-out
10 MB Half-Duplex (assumed)
Ethernet eth0: MAC address 00:16:ae:8e:ec:d0
IP: 10.7.58.112, Default server: 0.0.0.0
Hardware version 0x10 BLUE5G.9 WITHOUT_OPTION
Factory Settings Recovery Switch ON
Ethernet default MAC address 00:07:3a:ff:ff:ff
Ethernet eth0: MAC address 00:16:ae:8e:ec:d0
commande fis_delete_jffs_system : fis delete -n jffs_system, strlen : 25
... Erase from 0xbeb50000-0xbebf0000: ..........
script : load -r -v -h 10.7.58.114 -m tftp -b 0x80545FB0 inventel/blue_5g/factory_script_crypt
commande : load -r -v -h 10.7.58.114 -m tftp -b 0x80545FB0 inventel/blue_5g/factory_script_crypt, strlen : 85
/
Raw file loaded 0x80545fb0-0x80a46fe7, assumed entry at 0x80545fb0
OKclose
ptr : 0x80545fb0
Script has been loaded in ptr !
script :
fis init -f

fconfig boot_script true
fconfig boot_script_data
fis load -b 0x80010000 -m cramfs -f Image user_fs
exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000


fconfig boot_script_timeout 20

fis create -l 0x000A0000 -f 0xBEB50000 -n jffs_system

fis create -o 0x1000 -s 0x00500000 -l 0x00720000 -f 0xBE430000 user_fs

reset


RedBoot(tm) bootstrap and debug environment [ROM]
Non-certified release, version release-wanadoo-fr - built 16:25:10, Jun 20 2006

Platform: Blue_5g (MIPS32 4Kc)

Copyright (C) 2000, 2001, 2002, Red Hat, Inc.

RAM: 0x80000000-0x81000000, [0x80445fb0-0x80fe2000] available
FLASH: 0xbe400000 - 0xbec00000, 128 blocks of 0x00010000 bytes each.
== Executing boot script in 0.020 seconds - enter ^C twice to abort
RedBoot> fis init -f
*** Initialize FLASH Image System
... Erase from 0xbe430000-0xbebf0000: ..........................................
....
... Erase from 0xbec00000-0xbec00000:
... Erase from 0xbebf0000-0xbec00000: .
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
RedBoot>
RedBoot> fconfig boot_script true
boot_script: Setting to true
RedBoot> fconfig boot_script_data
boot_script_data:
.. fis load -b 0x80010000 -m cramfs -f Image user_fs
.. exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000
Enter script, terminate with empty line
>> fis load -b 0x80010000 -m cramfs -f Image user_fs
>> exec -c "boot_loader=RedBoot root=1F01 mem=16M" 0x80010000
>>
... Erase from 0xbebf0000-0xbec00000: .
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
RedBoot>
RedBoot> fconfig boot_script_timeout 20
boot_script_timeout: Setting to 20
RedBoot>
RedBoot> fis create -l 0x000A0000 -f 0xBEB50000 -n jffs_system
script : 0x805460b4
Adresse de base utilisee : 8040b464
... Erase from 0xbebf0000-0xbec00000: .
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
RedBoot>
RedBoot> fis create -o 0x1000 -s 0x00500000 -l 0x00720000 -f 0xBE430000 user_fs
offset : 0x00001000
script : 0x805460fc
Adresse de base utilisee : 80546fb0
... Erase from 0xbe430000-0xbeb50000: ......................................................................
... Program from 0x80546fb0-0x80a46fb0 at 0xbe430000: .....................................................
... Erase from 0xbebf0000-0xbec00000: .
... Program from 0x80ff0000-0x81000000 at 0xbebf0000: .
RedBoot>
RedBoot> reset
... Resetting.

At this point the box reboots; what follows is the normal boot sequence already seen above, so nothing new.
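An added check, not from this page or the HAH project: parse the two fis create lines of the factory script above against the flash geometry in the RedBoot banner, confirming each region is erase-block aligned, inside flash, and non-overlapping with the others and with the fconfig block, and compute the erase/program ranges the console should print for comparison. The fconfig block location is inferred from the repeated 'Erase from 0xbebf0000-0xbec00000' lines; everything else is taken from the transcript.

```python
# Geometry from the RedBoot banner above; the last flash block holds fconfig (it is
# rewritten after every fconfig / fis create, see the 'Erase from 0xbebf0000' lines).
FLASH_START, FLASH_END, BLOCK = 0xBE400000, 0xBEC00000, 0x00010000
FCONFIG = ("fconfig", 0xBEBF0000, 0xBEC00000)
RAM_LOAD = 0x80545FB0            # -b address the 'load ... -m tftp' command put the image at

# The two partition commands from the factory script above.
SCRIPT = """fis create -l 0x000A0000 -f 0xBEB50000 -n jffs_system
fis create -o 0x1000 -s 0x00500000 -l 0x00720000 -f 0xBE430000 user_fs"""

def parse_fis_create(line):
    """Return (name, flash_base, length, image_size, ram_offset) for one 'fis create' line.
    Name comes from -n or a trailing positional; image_size is 0 when no -s is given."""
    toks = line.split()
    if toks[:2] != ["fis", "create"]:
        raise ValueError(f"not a fis create line: {line!r}")
    opts, name, i = {}, None, 2
    while i < len(toks):
        if toks[i].startswith("-"):
            opts[toks[i]] = toks[i + 1]
            i += 2
        else:
            name, i = toks[i], i + 1
    size = int(opts["-s"], 16) if "-s" in opts else 0
    return (opts.get("-n", name), int(opts["-f"], 16), int(opts["-l"], 16),
            size, int(opts.get("-o", "0"), 16))

def check_layout(script):
    """Validate all regions against the flash geometry; return [(name, start, end)] in flash order."""
    regions = [FCONFIG]
    for line in script.splitlines():
        name, base, length, size, _ = parse_fis_create(line)
        if base % BLOCK or length % BLOCK:
            raise ValueError(f"{name}: not aligned to 0x{BLOCK:X} erase blocks")
        if base < FLASH_START or base + length > FLASH_END:
            raise ValueError(f"{name}: outside flash")
        if size > length:
            raise ValueError(f"{name}: image 0x{size:X} larger than partition 0x{length:X}")
        regions.append((name, base, base + length))
    regions.sort(key=lambda r: r[1])
    for (a, _, a_end), (b, b_start, _) in zip(regions, regions[1:]):
        if a_end > b_start:
            raise ValueError(f"{a} overlaps {b}")
    return regions

def expected_ops(line):
    """Erase and program ranges RedBoot should print for one 'fis create'; program is None
    when no image is written (no -s), as for jffs_system in the transcript."""
    name, base, length, size, off = parse_fis_create(line)
    src = RAM_LOAD + off
    return {"erase": (base, base + length),
            "program": (src, src + size, base) if size else None}
```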