FIOS-G1100

All the current information on reverse engineering the FIOS-G1100 Quantum Gateway router

The final goal of this project is to be able to port and install OpenWrt/LEDE to the FIOS-G1100, a router whose stock firmware is awful.

Most of the original info here is from the binwalk issue thread.

Verizon open source code, released for adherence to the GPL licence:

https://www.verizon.com/support/consumer/internet/open-source-software-portal?CMP=DMC-CVZ_ZZ_ZZ_Z_DO_N_X00366

https://www.verizon.com/supportresources/docs/fqg-gpl-open-source-insert.pdf

Hardware information

The CPU is an ARMv7 Cortina G4.

(Link found when searching for the model number WPCS7542E A1.)

The chip is a CS7542.

Documentation: 450337 CS7542/CS7522 Product Brief

Current method of getting a root console (creds)

You have to enable SSH using TR-069 on the WAN side (there's a built-in, remotely activatable root SSH backdoor); I set up a local GenieACS server to do that. Redirecting the router to a local ACS server is a bit tricky though: I originally tried to MITM it, but that's not possible since the router verifies the ACS server's SSL certificate.

You can, however, change the config file to disable SSL and point it at your own ACS server. The config file is AES encrypted, but I have some Python scripts that can decrypt and re-encrypt the config file so that it can be edited (I had to get some help with reversing the encryption scheme from the assembly for that).

These are the config file encryption/decryption scripts I'm using:

An open-source ACS server: https://genieacs.com/

To enable the TR-069 backdoor, you need to send this SetParameterValues request using the ACS server:

["InternetGatewayDevice.X_D4A928_SSH_State", "SSH_REMOTE", "xsd:string"]

It will then generate a temporary root SSH password, available by querying GetParameterValues for

InternetGatewayDevice.X_D4A928_SSH_Session_Password

The router's SSH server should listen on the WAN side on port 22222.

Note that disconnecting the SSH session will require you to repeat the process.
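The two CWMP RPCs described above are exactly what a defender would want to see in ACS logs or on a CWMP proxy, because together they turn on the WAN-side root SSH service. The following is an added example, not a script from this repository: a small Python parser that reads CWMP SOAP messages and flags a SetParameterValues that sets X_D4A928_SSH_State to SSH_REMOTE, or a GetParameterValues that reads X_D4A928_SSH_Session_Password. The parameter names and values are the ones in this README; the SOAP bodies below are constructed test input, not captured traffic, and the TR-098 parameter in the benign sample is only there as a contrast.

```python
import xml.etree.ElementTree as ET

# Vendor-specific TR-069 parameters named in this README, and the value
# that switches the remote root SSH service on.
SSH_STATE_PARAM = "InternetGatewayDevice.X_D4A928_SSH_State"
SSH_PASSWORD_PARAM = "InternetGatewayDevice.X_D4A928_SSH_Session_Password"
SSH_ENABLE_VALUE = "SSH_REMOTE"


def _local(tag):
    """Drop the XML namespace so cwmp-1-0, cwmp-1-2 etc. are handled alike."""
    return tag.rsplit("}", 1)[-1]


def rpc_method(cwmp_xml):
    """Return the CWMP RPC name inside the SOAP Body (e.g. 'SetParameterValues')."""
    for elem in ET.fromstring(cwmp_xml).iter():
        if _local(elem.tag) == "Body":
            for child in elem:
                return _local(child.tag)
    return None


def parameter_values(cwmp_xml):
    """Return [(name, value), ...] for every ParameterValueStruct in the message."""
    pairs = []
    for elem in ET.fromstring(cwmp_xml).iter():
        if _local(elem.tag) != "ParameterValueStruct":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "Name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "Value":
                value = (child.text or "").strip()
        if name is not None:
            pairs.append((name, value))
    return pairs


def ssh_backdoor_findings(cwmp_xml):
    """Flag messages that enable the remote SSH service or read its temporary password."""
    findings = []
    method = rpc_method(cwmp_xml)
    if method == "SetParameterValues":
        for name, value in parameter_values(cwmp_xml):
            if name == SSH_STATE_PARAM and value == SSH_ENABLE_VALUE:
                findings.append(f"SetParameterValues enables remote root SSH: {name}={value}")
    elif method == "GetParameterValues":
        # GetParameterValues carries a ParameterNames list of <string> elements.
        for elem in ET.fromstring(cwmp_xml).iter():
            if _local(elem.tag) == "string" and (elem.text or "").strip() == SSH_PASSWORD_PARAM:
                findings.append(f"GetParameterValues reads SSH session password: {SSH_PASSWORD_PARAM}")
    return findings


# Constructed sample messages (not captured from a real ACS or router).
_ENV = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:cwmp="urn:dslforum-org:cwmp-1-0" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body>{}</soap:Body></soap:Envelope>')

SAMPLE_SET = _ENV.format(
    '<cwmp:SetParameterValues><ParameterList><ParameterValueStruct>'
    '<Name>InternetGatewayDevice.X_D4A928_SSH_State</Name>'
    '<Value xsi:type="xsd:string">SSH_REMOTE</Value>'
    '</ParameterValueStruct></ParameterList><ParameterKey/></cwmp:SetParameterValues>')

SAMPLE_GET = _ENV.format(
    '<cwmp:GetParameterValues><ParameterNames>'
    '<string>InternetGatewayDevice.X_D4A928_SSH_Session_Password</string>'
    '</ParameterNames></cwmp:GetParameterValues>')

SAMPLE_BENIGN = _ENV.format(
    '<cwmp:SetParameterValues><ParameterList><ParameterValueStruct>'
    '<Name>InternetGatewayDevice.ManagementServer.PeriodicInformInterval</Name>'
    '<Value xsi:type="xsd:unsignedInt">300</Value>'
    '</ParameterValueStruct></ParameterList><ParameterKey/></cwmp:SetParameterValues>')

if __name__ == "__main__":
    for label, msg in (("set", SAMPLE_SET), ("get", SAMPLE_GET), ("benign", SAMPLE_BENIGN)):
        print(label, ssh_backdoor_findings(msg))
```

Because the router pins the ACS server's certificate, the realistic places to run this are the ACS's own request log or a proxy you control in front of a lab ACS; on the router side, the observable signal is simply whether anything is listening on WAN port 22222.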

Information on serial console

The debug console is disabled for the UART pins on the router board.

In the U-Boot logs, the router seems to be opening a read/write console on UART0. There are apparently multiple serial ports, named UART0, UART1, UART2 and UART3.

The four CPU UART ports are ZigBee.

Rolling back your firmware (creds)

I also found a few hidden firmware rollback and update links, assuming that the router is using the 192.168.1.1 IP:

http://192.168.1.1/#/advanced/fwupgrade

http://192.168.1.1/#/advanced/fwrestore

Firmware images/dumps

Currently nobody has a NAND dump of the older firmware that could hold the decryption/encryption keys/methods. Please make a pull request with the dump if you do!

Firmware from Verizon

Some dumps?

The firmware images are both signed and encrypted with PGP; the signing key is different from the encryption key.

I managed to find, extract and decrypt the PGP decryption key on the router for one of the firmware images (bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed). You can grab the key from https://github.com/The5heepDev/FIOS-G1100/blob/master/decryptionkey-release_01.03.02.02.pgp