Sorry Telstra but This is My F@ST 5355 Router

Accepted submission by upstart at 2020-07-18 13:25:06
News


Sorry Telstra but this is my F@ST 5355 router [medium.com]:

By ThaFresh, Sep 17, 2018

Roughly a week ago I decided to give https://pi-hole.net/ a go having endured yet another ad-laden website. All went well, installation was smooth and was up and running 15 minutes later.

All that remained was to set my router's DNS server to the pi’s and my home devices would be safe. I remember seeing the option in there for it.

WTF, it was now disabled. A quick google around revealed that about a year ago (June 2017) Telstra simply decided to remove that functionality.

Surely it had nothing to do with the Australian government implementing DNS based censorship in June 2017?

So fuck you Telstra, that’s my router you made me purchase. Time to find out how to take it back.

I found some incredible hacking work done previously at https://noconroy.net/blog/ however that used the device's Backup/Restore functionality, which was recently removed by our Telstra overlords via another firmware update. Issued not long after his work was posted. Just more coincidences it seems.

Another site that had lots of great info was https://www.tripleoxygen.net/post/sagemcom-fst-5350-gv-desbloqueio/

They had found the webui’s framework allowed directly logging in as the ‘internal’ admin (not you the owner) appearing to skip some of the checks and essentially gaining root access. And once again those tricks had been disabled via a firmware update. While the functions could still be called to make config changes, most of the built-in accounts lacked remote access settings, and trying to update config for almost anything but your own user resulted in the router logging you out to start again.

$.xmo.getValuesTree("Device"); still returned a 1mb json config object full of interesting stuff including 8 other accounts and their poorly hashed passwords, plenty of username/password/URLs for Telstra services and lots of other config settings to try and change.

However what was allowed and what wasn't seemed a little hit or miss, for example I could re-enable the daily backup functionality but the path for the backups seemed to be locked, could re-enable ftp but not sftp, it all seemed a little half arsed.

Finally I found the account ‘assist’ had remote access settings that were disabled, trying to alter the remote access settings for the other accounts resulted in the logout thing but this one didn't, and it had an SSH entry! To get to the point:

Enable the remote access

    $.xmo.setValuesTree(true, "Device/UserAccounts/Users/User[@uid='6']/RemoteAccesses/RemoteAccess[@uid='2']/Enabled");

Give it a port

    $.xmo.setValuesTree(22, "Device/UserAccounts/Users/User[@uid='6']/RemoteAccesses/RemoteAccess[@uid='2']/Port");

Let lowlife router owners log in via Lan

    $.xmo.setValuesTree("ACCESS_ENABLE_ALL", "Device/UserAccounts/Users/User[@uid='6']/RemoteAccesses/RemoteAccess[@uid='2']/LANRestriction");

Give the ‘assist’ account a webui password. Just an md5 hash of ‘assist’

    $.xmo.setValuesTree("8213d162ea32a3fcfec2aae5538c48e5", "Device/UserAccounts/Users/User[@uid='6']/Password");

Set the SSH password

    $.xmo.setValuesTree("assist", "Device/UserAccounts/Users/User[@uid='6']/ClearTextPassword");

And reboot, when it comes back up you’ll have an SSH server waiting on port 22. Log in with assist:assist. Once in, ‘su’ and the password is root. And bingo you have control of your router again.

I’m still making sense of what's here as there’s a lot to go through, your SIP settings so you can plug them into another device for your home phone are there and lots more Telstra API user/passes that I’m yet to look into.

However to get started, almost the same xmo interface is available via cli and as root you won't have any troubles making changes. I did a few things like:

Change the port Telstra’s update app listens on to prevent undesirable updates

    xmo-client -s 50806 -p "Device/ManagementServer/TR69InternalData/Settings/Port"

Turn off the CWMP check in with Telstra’s servers that your router does every night, another update/intrusion prevention

    xmo-client -s false -p "Device/ManagementServer/EnableCWMP"

Turn off the stupid Telstra AIR wifi that allows any other Telstra user to connect the net via your connection

    xmo-client -s false -p "Device/WiFi/SSIDs/SSID[@uid='5']/Enable"
    xmo-client -s false -p "Device/WiFi/SSIDs/SSID[@uid='7']/Enable"

And finally!!

    xmo-client -s "10.0.0.40" -p 'Device/DHCPv4/Server/Pools/Pool[@uid="1"]/DNSServers'

Change my DNS server option to the pi-hole’s and enjoy sweet sweet (mostly) ad free internet. Safe in the knowledge my router is mine again.
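A defensive check built on the config tree described in the post, as an added example that is not part of the original article: it walks a dump like the one `$.xmo.getValuesTree("Device")` returns and lists stored credentials, enabled remote-access entries and the CWMP setting. The JSON shape, the `Login` field and all sample values are assumptions constructed for illustration.

```javascript
// Added example. The object shape is ASSUMED from the paths quoted in the post
// (Device/UserAccounts/Users/User/...); "Login" is a hypothetical field and
// every value below is constructed sample data, not taken from a real device.
const sampleConfig = {
  Device: {
    ManagementServer: { EnableCWMP: true },
    UserAccounts: { Users: [
      { uid: 1, Login: "owner", Password: "0123456789abcdef0123456789abcdef",
        ClearTextPassword: "", RemoteAccesses: [] },
      { uid: 6, Login: "assist", Password: "", ClearTextPassword: "example-secret",
        RemoteAccesses: [
          { uid: 1, Enabled: false, Port: 80, LANRestriction: "ACCESS_ENABLE_ALL" },
          { uid: 2, Enabled: true, Port: 22, LANRestriction: "ACCESS_ENABLE_ALL" },
        ] },
    ] },
  },
};

// 32 hex characters with no salt or algorithm prefix: the length of an MD5 digest.
const BARE_HEX_DIGEST = /^[0-9a-f]{32}$/i;

// Returns one human-readable finding per risky setting found in the dump.
function auditConfig(config) {
  const findings = [];
  for (const user of config?.Device?.UserAccounts?.Users ?? []) {
    const who = `User[@uid='${user.uid}']`;
    if (BARE_HEX_DIGEST.test(user.Password ?? "")) {
      findings.push(`${who}: Password is a bare 32-hex digest (unsalted MD5 length)`);
    }
    if (user.ClearTextPassword) {
      findings.push(`${who}: ClearTextPassword is present in the config`);
    }
    for (const ra of user.RemoteAccesses ?? []) {
      if (ra.Enabled !== true) continue; // skip entries that are switched off
      findings.push(`${who}: RemoteAccess[@uid='${ra.uid}'] enabled on port ` +
        `${ra.Port}, LANRestriction=${ra.LANRestriction}`);
    }
  }
  if (config?.Device?.ManagementServer?.EnableCWMP === true) {
    findings.push("ManagementServer: EnableCWMP is true (nightly check-in active)");
  }
  return findings;
}

console.log(auditConfig(sampleConfig).join("\n"));
```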
