How I almost bricked the fastgate

I have Fastweb as my ISP and the router they gave me is the fastgate:


It is a great router except for the fact that it is totally closed, with no ssh or telnet access.

I’m trying to summarize here what I discovered, thanks to the help of some tools and of what other people have reported here:

https://github.com/Nimayer/fastgate-toolkit (various guides assuming that you already have shell access)

https://github.com/Depau/fastgate-python (python script to enable ssh on old firmware)

https://julians.design/2018/02/26/fastgate/ (serial access to the router)

https://slides.poul.org/2018/workshop-interni/fastgate-hacking (interesting slide about the fastgate)

I started by opening ssh with the python script mentioned above, and from there I was able to set up a simple sh script that kills cwmp and drops all packets coming from the Fastweb subnets:

1.253.131.0/24
10.0.120.0/23
10.1.120.0/24
10.3.120.0/24
10.5.120.0/24
10.0.248.0/24
10.1.248.0/24
10.3.248.0/24
30.253.131.0/24
10.252.120.0/24
26.0.123.0/24
26.0.125.0/24

Then, just to be sure, I also blocked ports 4567, 51050 and 7547 (the TR-069 protocol used by cwmp).
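To make the two steps above concrete, here is an added example script (written for this page, not the author's own script) that generates the firewall rules the post describes: drop everything coming from the Fastweb management subnets listed above and close the three TR-069 ports. The subnets and ports are the ones on the page; the script assumes iptables is available on the router (the post does not say which tool it used) and the cwmp process name is an assumption to verify with ps on the device. Run without arguments it only prints the rules; pass --apply to install them.

```shell
#!/bin/sh
# Added example, not the author's script: builds and (optionally) applies the
# rules described in the post. Subnets and ports come from the post; the
# iptables path and the cwmp process name are assumptions.
set -e

FASTWEB_NETS="1.253.131.0/24 10.0.120.0/23 10.1.120.0/24 10.3.120.0/24
10.5.120.0/24 10.0.248.0/24 10.1.248.0/24 10.3.248.0/24 30.253.131.0/24
10.252.120.0/24 26.0.123.0/24 26.0.125.0/24"
TR069_PORTS="4567 51050 7547"
IPT="${IPT:-iptables}"          # iptables binary on the device (assumed)
CWMP_PROC="${CWMP_PROC:-cwmp}"  # assumed process name; check with ps first

# Print one iptables command per rule. Rules are inserted (-I) at the head
# of INPUT so they take precedence over any pre-existing ACCEPT rule.
# The post does not say whether the TR-069 ports are TCP or UDP, so both
# are closed.
fastgate_rules() {
    for net in $FASTWEB_NETS; do
        echo "$IPT -I INPUT -s $net -j DROP"
    done
    for port in $TR069_PORTS; do
        for proto in tcp udp; do
            echo "$IPT -I INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Install the generated rules, then stop the TR-069 client so it cannot
# re-open a session before the rules are in place on the next boot.
apply_fastgate_rules() {
    fastgate_rules | sh
    killall "$CWMP_PROC" 2>/dev/null || true
}

case "${1:-}" in
    --apply) apply_fastgate_rules ;;
    *)       fastgate_rules ;;   # default: dry run, just show the rules
esac
```

Keep in mind the trade-off the rest of the post illustrates: TR-069 is also the channel the ISP uses to push firmware to the router, so once the ACS is blocked the device no longer receives updates that way and you are responsible for keeping it patched yourself.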

After this I had a little more control over the router, but I still could not flash anything on it. The next step was to try to flash a new ubi filesystem onto the router, and here is where I fucked up everything 🙂

Before doing this I bought another Fastgate just to use it as a playground router.

I dumped all the MTD partitions with the dd command and was able to mount the ubifs partition on an Ubuntu server with these commands:

modprobe mtdblock
modprobe ubi
# emulate a NAND chip with 2 KiB pages and 128 KiB erase blocks (same erase size as the MTD map below)
modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa third_id_byte=0x00 fourth_id_byte=0x15
# copy the dump into the emulated chip one page at a time
dd if=rootfs_update of=/dev/mtdblock0 bs=2048
# attach UBI to mtd0; -O 2048 is the VID header offset, i.e. the page size
ubiattach /dev/ubi_ctrl -m 0 -O 2048
mount -t ubifs ubi0_0 /mnt/system/

rootfs_update is the dump of MTD partition number 1 or number 0 (it depends on which image your fastgate booted from). Here is the full MTD partition map:

mtd0: 0f2c0000 00020000 "rootfs"
mtd1: 0f2c0000 00020000 "rootfs_update"
mtd2: 00400000 00020000 "data"
mtd3: 00020000 00020000 "nvram"
mtd4: 0f6e0000 00020000 "image"
mtd5: 0f6e0000 00020000 "image_update"
mtd6: 00420000 00020000 "bootfs"
mtd7: 00420000 00020000 "bootfs_update"
mtd8: 00400000 00020000 "misc3"
mtd9: 00100000 00020000 "misc2"
mtd10: 00800000 00020000 "misc1"
mtd11: 0e842000 0001f000 "rootfs_ubifs"
mtd12: 00100000 00020000 "STNVRAM"
mtd13: 00040000 00020000 "STENVRAM"
mtd14: 00100000 00020000 "STNVRAMBKP"
mtd15: 00040000 00020000 "STENVRAMBKP"
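Before writing a dump into nandsim (or, worse, back into the router), it is worth checking that the file really is a complete image of the partition it claims to be. The following is an added example (not the author's script) that embeds the MTD map above, converts the hex sizes, and refuses to run the nandsim mount sequence unless the dump is exactly the size of rootfs_update. The size arithmetic runs anywhere; the mount function needs root and the nandsim module, and the /mnt/system mount point is taken from the post.

```shell
#!/bin/sh
# Added example, not the author's script: size checks around the dump/mount
# procedure from the post. MTD_MAP is the post's own /proc/mtd listing,
# embedded here so the checks work without the router attached.
set -e

MTD_MAP='mtd0: 0f2c0000 00020000 "rootfs"
mtd1: 0f2c0000 00020000 "rootfs_update"
mtd2: 00400000 00020000 "data"
mtd3: 00020000 00020000 "nvram"
mtd4: 0f6e0000 00020000 "image"
mtd5: 0f6e0000 00020000 "image_update"
mtd6: 00420000 00020000 "bootfs"
mtd7: 00420000 00020000 "bootfs_update"
mtd8: 00400000 00020000 "misc3"
mtd9: 00100000 00020000 "misc2"
mtd10: 00800000 00020000 "misc1"
mtd11: 0e842000 0001f000 "rootfs_ubifs"
mtd12: 00100000 00020000 "STNVRAM"
mtd13: 00040000 00020000 "STENVRAM"
mtd14: 00100000 00020000 "STNVRAMBKP"
mtd15: 00040000 00020000 "STENVRAMBKP"'

# mtd_field NAME COLUMN: print one hex column (2 = size, 3 = erase size) of
# the /proc/mtd line for partition NAME; fails if NAME is not in the map.
mtd_field() {
    printf '%s\n' "$MTD_MAP" | awk -v name="\"$1\"" -v col="$2" \
        '$4 == name { print $col; found = 1 } END { exit !found }'
}

# Partition size and erase block size in bytes (hex converted by the shell).
mtd_size_bytes()      { echo $((0x$(mtd_field "$1" 2))); }
mtd_erasesize_bytes() { echo $((0x$(mtd_field "$1" 3))); }

# Number of erase blocks in the partition; a full dump covers exactly these.
mtd_erase_blocks() {
    echo $(( $(mtd_size_bytes "$1") / $(mtd_erasesize_bytes "$1") ))
}

# dump_matches_partition FILE NAME: succeed only if FILE has exactly the size
# of partition NAME. A short or oversized image is one way to end up with a
# root filesystem that the kernel cannot mount.
dump_matches_partition() {
    actual=$(wc -c < "$1" | tr -d ' ')
    expected=$(mtd_size_bytes "$2")
    [ "$actual" -eq "$expected" ]
}

# The post's nandsim sequence, guarded by the size check. These ID bytes make
# nandsim emulate a chip with 2 KiB pages and 128 KiB erase blocks, which is
# why dd uses bs=2048 and ubiattach gets -O 2048 (VID header offset).
mount_dump() {
    dump=$1
    dump_matches_partition "$dump" rootfs_update || {
        echo "refusing: $dump is not a full rootfs_update image" >&2
        return 1
    }
    modprobe mtdblock
    modprobe ubi
    modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa \
        third_id_byte=0x00 fourth_id_byte=0x15
    dd if="$dump" of=/dev/mtdblock0 bs=2048
    ubiattach /dev/ubi_ctrl -m 0 -O 2048
    mount -t ubifs ubi0_0 /mnt/system/
}
```

Usage on a box with the dump: `. ./mtdcheck.sh; mount_dump rootfs_update` (name of the file is whatever you passed to dd when dumping). The same `dump_matches_partition` check is the one to run again on the modified image before it goes anywhere near the real flash.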

Now that the root filesystem was mounted, just for test purposes I added a file called dummy in / and then tried to flash the image back onto the router, and this is where I totally screwed up the flash of my router.

At the moment my router does not work because it hits a kernel panic during startup: it is unable to mount the root filesystem.

Anyway, the purpose of the playground router was to test different possibilities without breaking my main router.

Following Julian’s blog I discovered that this router has a CFE bootloader that is accessible via serial; from there it is possible to flash firmware via tftp or http and also to change which image to boot.

Yeah, wonderful, but I don’t have any firmware at all! How can we get it?

As I said before, the router is managed by Fastweb via the TR-069 protocol, which is a pretty standard protocol, and there is one command in this protocol that can be used to update the firmware on the router. The idea was to contact the Fastweb TR-069 server pretending to be a fastgate with an old firmware and wait to receive the URL of the new firmware.

Guess what? It didn’t work: the server never answered the TR-069 Inform request with anything interesting, but there was another move to make:

BRUTEFORCE!

I discovered that for other Fastweb router models all the firmwares were stored at this path:

http://59.0.121.191:8080/ACS-server/file/

but of course the server has directory listing disabled. The solution here was simple: the firmware file name is exactly the firmware version:

http://59.0.121.191:8080/ACS-server/file/0.00.67_FW_200_Askey

The link works only from the Fastweb network, and these are the other firmwares available:

0.00.167_FW_200_Askey
0.00.267_FW_200_Askey
0.00.47_FW_200_Askey
0.00.62_FW_200_Askey
0.00.67_FW_200_Askey
0.00.81_FW_200_Askey

Now we have the original firmware, and we can flash it directly via CFE!

Well, not exactly: if you try to do so you get a wonderful “illegal image”, and the only way to flash these images is with the router already booted, using the command “/usr/sbin/fw_upgrade”.

Since I cannot boot the router, I have to find another way to flash one of the previous images, and this is where I’m stuck right now.

I’ll update this article if I discover anything else.