Posts Locked Technicolor Router
Post
Cancel

Locked Technicolor Router

Recently, I made the courageous jump from MyRepublic to 2degrees, and it was certainly worth every second and dollar spent. I had a 100 Mbps (down) / 20 Mbps plan with MyRepublic at the reasonable price of $65/mo, but I found that my needs had changed from when I signed up for the connection. Fortunately, I hadn’t locked myself into a yearly plan.

Moving to 2degrees brought with it a sweet 900 Mbps (down) / 400 Mbps (up) at the cost of a one year contract (which is worth it at that speed). There’s just one catch: 2degrees implements CGNAT on their new connections, which means my network wouldn’t be accessible from the outside world (not that it was before, but this was my new goal). Using dynamic DNS isn’t an option here, since CGNAT removes the one-to-one mapping of IP to internet connection.

The Contingency

Fortunately, I had another router with on the way (a super-fancy Synology RT2600ac), but it hadn’t yet arrived by the time my connection had switched over. The Apple AirPort Extreme I was running had done a wonderful job of doing all of my heavy lifting to date, but didn’t have the one feature made mandatory by 2degrees and some other ISPs: VLAN tagging.

Being fortunate enough to have a job that comes with the privilege of working remotely, it becomes a fairly urgent issue when your connection drops out in the middle of the day, so my only choice was to get my MyRepublic-provided router working with the new connection. It was a Technicolor TG789vac v2 (which suspiciously had a favicon of the Huawei logo in the web UI…), which I know has VLAN tagging support from reading through a thread or two. The only question was “Will it support the VLAN configuration of 2degrees?” The sad answer to that is “No.”

So, what to do? I was stuck with a job I needed to do work for, and no internet to do it with. I decided to get creative and see if anyone else had found workarounds for the Technicolor router to change the VLAN ID to 10 (as specified in this 2degrees article). The web UI offered no such option (unsurprisingly), so it would have to be something more technical. Custom community-driven firmware such as DD-WRT was out of the question, as was OpenWRT as seen here, and Tomato didn’t shine any light of support through the Google.

So if router firmware isn’t an option, what is? It seems like the world instead flocked to good old root access (since *nix is fun), and I found a good set of articles describing procedures and tricks for the TG789vac v2 and other related articles. This includes hacking a TG799vac, an entire website on hacking Technicolor gateways, and this Whirlpool article which set me onto the chase in the first place.

Armed with this slightly spurious and gap-filled set of articles, I set out on my perilous journey to spend my day hacking a consumer-grade router, not quite knowing what I was doing to begin with. I learned after cross-referencing multiple articles that I was to rely on a tool called autoflashgui, a Python-based tool specifically wired together to gain root access to routers.

Loading this GUI onto macOS Catalina made some text disappear that required me to look at a screenshot for the application to understand what I was clicking. Furthermore, I eventually figured out that the goal was not to download some firmware-like file for the router and then upload it using autoflashgui, but instead to select the router as a preset within the application and then allow it to use a predefined routine to gain access without external help. Pretty cool, really.

After all of that, it even told me what IP address I could SSH into, and that I should change my root password immediately. Now, the challenge was to set the VLAN ID of the WAN connection. I had an entire *nix system at my disposal, with no idea of which file to modify or how.

Just as perilous ends were nigh, this beautiful article was placed on my desk. The trick was to add the VLAN identifier to the ifname of the WAN interface, rather than using any of the VLAN flags I’ve found scattered throughout the internet. I can’t remember if I rebooted after that or not (though I imagine I did), and given that my PPPoE settings were configured as documented, it worked! I had actually managed to hack a locked router during my lunch break and connect it to a competitor’s network. Not bad.

As fate would have it, my new router arrived about an hour or two after that, and I had to reset my changes to the MyRepublic router to return it to them. As I wasn’t sure if a factory reset would do it, I did a little research, and it turns out that the method I had used to gain root access would be undone by a hard (button) reset. I’m sure it doesn’t matter all that much, but I thought it better to be safe than sorry.

Hopefully this helps you, or was at least interesting to read!

This post is licensed under CC BY-SA 4.0 by the author.