FIOS-G1100
All the current information on reverse engineering the FIOS-G1100 Quantum Gateway router.
The final goal of this project is to port and install OpenWrt/LEDE to the FIOS-G1100, a router whose stock firmware is awful.
Most of the original information here comes from the binwalk issue thread.
Verizon's open source code release (published for GPL licence compliance):
https://www.verizon.com/support/consumer/internet/open-source-software-portal?CMP=DMC-CVZ_ZZ_ZZ_Z_DO_N_X00366
https://www.verizon.com/supportresources/docs/fqg-gpl-open-source-insert.pdf
Hardware information
The CPU is an ARMv7 Cortina G4 (link found by searching the model number WPCS7542E A1).
The chip is a CS7542
Documentation: 450337 CS7542/CS7522 Product Brief
Current method of getting a root console (creds)
You have to enable SSH using TR-069 from the WAN side (there is a built-in, remotely activatable root SSH backdoor); I set up a local GenieACS server to do that. Redirecting the router to a local ACS server is a bit tricky, though: I originally tried to MITM it, but that's not possible since the router verifies the ACS server's SSL certificate.
You can, however, change the config file to disable SSL and point it at your own ACS server. The config file is AES encrypted, but I have some Python scripts that can decrypt and re-encrypt it so that it can be edited (I had to get some help reversing the encryption scheme from the assembly for that).
These are the config file encryption/decryption scripts I'm using:
An open-source ACS server: https://genieacs.com/
To enable the TR-069 backdoor, send this setParameterValues request from the ACS server:
["InternetGatewayDevice.X_D4A928_SSH_State", "SSH_REMOTE", "xsd:string"]
The router will then generate a temporary root SSH password, which you can read by querying getParameterValues for
InternetGatewayDevice.X_D4A928_SSH_Session_Password
The router's SSH server should then listen on the WAN side on port 22222.
Note that disconnecting the SSH session will require you to repeat the process.
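The setParameterValues/getParameterValues exchange above, driven through the GenieACS NBI (its REST API) as an added example; this is not code from the FIOS-G1100 project or from GenieACS. It assumes a GenieACS 1.2-style NBI on the default port 7557, the documented task bodies, and that device documents nest each parameter under a `_value` key; `NBI_URL`, `DEVICE_ID` and the sample device document are placeholders constructed for the example, and `dry_run_opener` replaces the network so it runs offline.

```python
import json
import urllib.parse
import urllib.request

# Assumptions (not from the project): GenieACS NBI on its default port 7557,
# GenieACS 1.2 task bodies, and device documents that nest each parameter
# under {"_value": ...}.  DEVICE_ID is a placeholder, not a real serial.
NBI_URL = "http://127.0.0.1:7557"
DEVICE_ID = "D4A928-G1100-EXAMPLESERIAL"
SSH_STATE_PARAM = "InternetGatewayDevice.X_D4A928_SSH_State"
SSH_PASSWORD_PARAM = "InternetGatewayDevice.X_D4A928_SSH_Session_Password"

# Constructed sample of a device document as returned by GET /devices?query=...
SAMPLE_DEVICE_DOC = {
    "_id": DEVICE_ID,
    "InternetGatewayDevice": {
        "X_D4A928_SSH_State": {"_value": "SSH_REMOTE", "_type": "xsd:string"},
        "X_D4A928_SSH_Session_Password": {"_value": "s3ss10n-pw", "_type": "xsd:string"},
    },
}


def set_param_task(name, value, xsd_type="xsd:string"):
    """GenieACS setParameterValues task: parameterValues is a list of [name, value, type]."""
    return {"name": "setParameterValues", "parameterValues": [[name, value, xsd_type]]}


def get_param_task(*names):
    """GenieACS getParameterValues task: refreshes the named parameters from the CPE."""
    return {"name": "getParameterValues", "parameterNames": list(names)}


def task_url(device_id):
    """Per-device task endpoint; ?connection_request makes the ACS kick the CPE
    into a session right away instead of waiting for the next periodic Inform."""
    return "%s/devices/%s/tasks?connection_request" % (NBI_URL, urllib.parse.quote(device_id, safe=""))


def device_url(device_id, *projection):
    """Device lookup by _id, projected to the given parameter paths."""
    qs = {"query": json.dumps({"_id": device_id})}
    if projection:
        qs["projection"] = ",".join(projection)
    return "%s/devices?%s" % (NBI_URL, urllib.parse.urlencode(qs))


def lookup(device_doc, dotted_path):
    """Walk a device document along a TR-069 path and return its _value, or None."""
    node = device_doc
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node.get("_value") if isinstance(node, dict) else None


def post_task(device_id, task, opener=urllib.request.urlopen):
    """POST one task.  GenieACS answers 200 if the task completed inside the
    connection request and 202 if it was only queued for the next session."""
    req = urllib.request.Request(task_url(device_id), data=json.dumps(task).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with opener(req) as resp:
        return resp.status


def enable_remote_ssh(device_id, opener=urllib.request.urlopen):
    """1) set SSH_State=SSH_REMOTE, 2) refresh the session password parameter,
    3) read it out of the device document.  Returns (password, [status codes])."""
    codes = [post_task(device_id, set_param_task(SSH_STATE_PARAM, "SSH_REMOTE"), opener),
             post_task(device_id, get_param_task(SSH_PASSWORD_PARAM), opener)]
    with opener(urllib.request.Request(device_url(device_id, SSH_PASSWORD_PARAM))) as resp:
        docs = json.loads(resp.read().decode())
    return (lookup(docs[0], SSH_PASSWORD_PARAM) if docs else None), codes


class _DryRunResponse:
    """Minimal stand-in for the response object urlopen returns."""
    def __init__(self, status, body):
        self.status, self._body = status, json.dumps(body).encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def dry_run_opener(req):
    """Offline replacement for urlopen: prints the exchange and answers with
    the constructed sample document instead of contacting a real ACS."""
    body = req.data.decode() if req.data else ""
    print(req.get_method(), req.full_url, body)
    if req.get_method() == "POST":
        return _DryRunResponse(200, json.loads(body))
    return _DryRunResponse(200, [SAMPLE_DEVICE_DOC])


if __name__ == "__main__":
    password, codes = enable_remote_ssh(DEVICE_ID, dry_run_opener)
    print("task status codes:", codes)
    print("ssh root@<wan-ip> -p 22222  # password:", password)
```

Against a real ACS, call `enable_remote_ssh(device_id)` without the dry-run opener; the device ID is the `_id` GenieACS assigned when the router first sent its Inform. Because the router only honours the ACS it was redirected to, the NBI must be reachable from the host that edited the config, not from the router.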
Information on serial console
The debug console on the router board's UART pins is disabled.
In the U-Boot logs, the router appears to open a read/write console on UART0. There are apparently multiple serial ports, named UART0, UART1, UART2 and UART3.
The 4 CPU UART ports are ZigBee.
Rolling back your firmware (creds)
I also found a few hidden firmware rollback and update links (assuming the router is using the 192.168.1.1 IP): http://192.168.1.1/#/advanced/fwupgrade and http://192.168.1.1/#/advanced/fwrestore
Firmware images/dumps
Currently nobody has a NAND dump of the older firmware that could hold the decryption/encryption keys/methods. Please make a pull request with the dump if you do!
Firmware from Verizon
Some dumps?
- https://github.com/paulhkhsu/bhr4
- https://github.com/jameshilliard/bhr4_release_0-17-51
- https://github.com/jameshilliard/bhr4_release_1.3.0.47.64
- https://github.com/jameshilliard/bhr4_release_01_04_00_10
The firmware images are both signed and encrypted with PGP; the signing key is different from the encryption key.
I managed to find, extract and decrypt the PGP decryption key on the router for one of the firmware images (bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed). You can grab the key from https://github.com/The5heepDev/FIOS-G1100/blob/master/decryptionkey-release_01.03.02.02.pgp
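Before feeding a `.bin.signed` image to gpg it is worth checking which key ID the image is actually encrypted to, so a key recovered from one firmware version is not mistaken for the key of another. The script below is an added example, not part of the FIOS-G1100 project or of any Verizon tooling: it parses the OpenPGP packet headers (RFC 4880 old and new format) and reports the key ID and algorithm from every public-key-encrypted session key (PKESK) packet in front of the encrypted data. The `SAMPLE_IMAGE` bytes are constructed for the example and are not a real firmware file; compare the reported key ID with what `gpg --list-packets decryptionkey-release_01.03.02.02.pgp` shows for the key.

```python
import struct

# OpenPGP packet tags (RFC 4880 section 4.3) used here.
PKESK, SIGNATURE, SEIPD = 1, 2, 18
PUBKEY_ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 16: "ElGamal", 18: "ECDH"}

# Constructed sample (not a real Verizon image): one old-format PKESK packet
# (tag 1, version 3, key ID 0123456789ABCDEF, RSA, a 16-bit dummy MPI)
# followed by a new-format SEIPD packet (tag 18) with 5 bytes of dummy body.
SAMPLE_IMAGE = (bytes.fromhex("840e03") + bytes.fromhex("0123456789ABCDEF")
                + b"\x01\x00\x10\xab\xcd" + bytes.fromhex("d205") + b"\x01\xde\xad\xbe\xef")


def read_packet_header(buf, off):
    """Return (tag, body_offset, body_len) for the packet starting at buf[off].
    Partial-length and indeterminate-length bodies are rejected instead of
    being mis-parsed, since a wrong length would desynchronise every later packet."""
    first = buf[off]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % off)
    if first & 0x40:  # new-format header: 6-bit tag, variable-length length
        tag = first & 0x3F
        b0 = buf[off + 1]
        if b0 < 192:
            return tag, off + 2, b0
        if b0 < 224:
            return tag, off + 3, ((b0 - 192) << 8) + buf[off + 2] + 192
        if b0 == 255:
            return tag, off + 6, struct.unpack(">I", buf[off + 2:off + 6])[0]
        raise ValueError("partial body length at offset %d not supported" % off)
    tag = (first >> 2) & 0x0F  # old-format header: 4-bit tag, 2-bit length type
    ltype = first & 0x03
    if ltype == 0:
        return tag, off + 2, buf[off + 1]
    if ltype == 1:
        return tag, off + 3, struct.unpack(">H", buf[off + 1:off + 3])[0]
    if ltype == 2:
        return tag, off + 5, struct.unpack(">I", buf[off + 1:off + 5])[0]
    raise ValueError("indeterminate length at offset %d not supported" % off)


def iter_packets(buf):
    """Yield (tag, body) for each top-level packet in the buffer."""
    off = 0
    while off < len(buf):
        tag, body_off, body_len = read_packet_header(buf, off)
        yield tag, buf[body_off:body_off + body_len]
        off = body_off + body_len


def parse_pkesk(body):
    """PKESK body: version (always 3), 8-byte recipient key ID, public-key
    algorithm, then the algorithm-specific MPIs holding the session key."""
    if len(body) < 10 or body[0] != 3:
        raise ValueError("unsupported PKESK version")
    algo = body[9]
    return {"keyid": body[1:9].hex().upper(), "algo": PUBKEY_ALGOS.get(algo, "unknown(%d)" % algo)}


def encrypted_to(buf):
    """Key IDs/algorithms of every PKESK packet before the encrypted data.
    A gpg --sign --encrypt file carries the signature inside the SEIPD
    packet, so only the encryption key is visible from the outside; the
    (different) signing key can only be checked by gpg after decryption."""
    recipients = []
    for tag, body in iter_packets(buf):
        if tag == PKESK:
            recipients.append(parse_pkesk(body))
        elif tag == SEIPD:
            break
    return recipients


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for entry in encrypted_to(data):
        print("encrypted to key ID %(keyid)s (%(algo)s)" % entry)
```

Run it as `python3 pgp_recipients.py bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed`; if the key ID printed does not match the recovered key, gpg will fail with "no secret key" and the image needs a key from its own firmware version.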