chipmunkmc/FIOS-G1100
1
0
Fork 0
mirror of https://github.com/ozwaldorf/FIOS-G1100.git synced 2024-11-14 19:04:59 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
All the current information on reverse engineering the FIOS-G1100 Quantum Gateway router
6 commits 1 branch 0 tags 262 MiB
Find a file
ossian 25ad33f0e9 added some dumps I found from @jameshilliard
2017-05-23 23:26:13 -04:00
decryptionkey-release_01.03.02.02.pgp add pgp decryption key 2017-05-23 22:57:33 -04:00
README.md added some dumps I found from @jameshilliard 2017-05-23 23:26:13 -04:00

README.md

FIOS-G1100

All the current information on reverse engineering the FIOS-G1100 Quantum Gateway router

Most of the original info here is from the binwalk issue thread

Hardware information

The cpu is an ARMv7 Cortina G4

Current method of getting a root console (@jameshilliard)

You have to enable ssh using tr-069 on the WAN side(there's a built in remote activate-able root ssh backdoor), I set up a local genieacs server to do that. Redirecting the router to a local acs server is a bit tricky though, I originally tried to mitm it but that's not possible since the router verifies the acs server ssl certificate.

You can however change the config file to disable ssl and point it at your own acs server, the config file is aes encrypted but I have some python scripts that can decrypt and re-encrypt the config file so that it can be edited(I had to get some help with reversing the encryption scheme from the assembly for that).

These are the config file encryption/decryption scripts I'm using:

Information on serial console

The debug console is disabled for the UART pins on the router board.

In the uBoot logs, the router seems to be opening a rw console on UART0. There are apparently multiple serial ports named; UART0, UART1, UART2, and UART3

Rolling back your firmware (@Brandonv101)

I also found a few hidden firmware rollback and update links assuming that the router is using the 192.168.1.1 IP: http://192.168.1.1/#/advanced/fwupgrade & http://192.168.1.1/#/advanced/fwrestore

Firmware images/dumps

Currently nobody has a NAND dump of the older firmware that could hold the decryption/encryption keys/methods. Please make a pull request with the dump if you do!

Some dumps?

(@jameshilliard) The firmware images are both signed and encrypted with PGP, the signing key is also different from the encryption key.

I managed to find, extract and decrypt the pgp decryption key on the router for one of the firmware images(bhr4_release_01.03.02.02-FTR_firmwareupgrade.bin.signed). You can grab the key from https://github.com/The5heepDev/FIOS-G1100/blob/master/decryptionkey-release_01.03.02.02.pgp

Other potentially useful links etc