I HACKED my Internet Service Provider's router. So I could get rid of it.

Captions
In January of 2020 I received my optic fiber gigabit internet, and the ISP provided me with this hideous device, which I instantly wanted to get rid of. Unfortunately, or should I say fortunately, as you'll shortly discover, my ISP told me there is no way I could not use it. Challenge [Music] accepted.

This is FRITZ!Box 5491, and according to my ISP, is a high-end device. I mean, in all seriousness, it's actually not a bad one for someone who just needs the basics, such as your gigabit links, Wi-Fi, IPTV and even classic telephony. It even has a back door, um, sorry, a management protocol called TR-069, which the ISP can access the device through without me knowing. The problem I have with this, though, is the fact that my ISP can have full access to a device in my home and I only get a basic and proprietary web interface. Plus, take a good look at it. I mean, it's hideous, and I will not have a piece of ugly networking gear in my home, period.

How do I know the ISP considers it a high-end device? Well, because after the technician that set it up left, I immediately called support asking if I can get something better, and they explained that since I'm a business customer, this is something better. Okay then.

As I had absolutely no experience with fiber networking prior to receiving this ugly thing, I of course had to examine it more thoroughly and immediately discovered it comes with an SFP module. Great, I thought to myself, I'll take this SFP module and plug it into my UniFi switch, which also had two SFP jacks, although the support told me I shouldn't. Yeah, I guess I do have issues with authority, which is why I tried it anyway, and as you can probably guess by now, it didn't work, otherwise I wouldn't be making this video. And the fact that it didn't work bothered me to no end, solely because I didn't know why it didn't work, or to put it differently, why it does work, or it did work, when I put the SFP module into the router.

So the first course of action was to try and get root access somehow. I already knew my ISP
will not let me do it, so I started Googling the name of the device along with your typical phrases such as root access and SSH. Fun fact: FRITZ!Box, which is the brand of routers manufactured by a German company called AVM, is quite popular in Germany, so there's this IP phone forum where German fellow nerds discuss all sorts of things, fiber optic routers included. There is a downside, though, for me at least: it's all in German, which I do not speak, so I had to browse those forums through Google Translate. This took a lot of time, but at that point there were lockdowns all over the place, so time was something I did have. The only downside was that while I was experimenting with the router the internet wouldn't work, so I was only allowed to do it after the rest of the family was in bed, which meant after midnight.

After a couple of weeks of searching the forum and getting nowhere, I decided I'll turn the thing around and ask directly, again using Google Translate. To my surprise, people replied that it is indeed possible to get root access to the device and pointed me to a particular GitHub repository with full instructions. I'll leave the link in the description down below.

Here's how it works: you download the code from the repo and generate a USB drive, which you then stick into the router that is disconnected from power. Because the device needs to be somehow recoverable or accessible if it gets completely bricked, it has the following behavior built in: while it's booting up, if it detects a certain directory structure on the USB drive, it will execute the code inside that drive before it starts its own operating system, much like you can boot from a USB drive on your PC. And in my case, the code on the drive basically turned on SSH daemon and created a root user with full SSH access.

I know what you might be thinking at this point: is that safe? For me, yes. I was both a developer and a systems administrator in my past careers, so I know my way around both code and shell environments. So
after I've set up the USB drive, I turned on the router, gave it a minute, then tried accessing the shell and succeeded. At nothing. Why? Well, because I took a good look around the file structure and the processes that were running on the device and even found a watchdog program that talks to the SFP module, but unfortunately that program was a compiled binary, so I couldn't do anything with it. It was a dead end, or so I thought, because after a couple of days of brainstorming my next steps it finally occurred to me: the watchdog script talks to the SFP module, but how? Well, your good old TCP/IP. Turns out that the SFP port in FRITZ!Box is just a WAN port, and when logged into its web interface I quickly discovered it even has its own IP, which in my case was 192.168.47.1. And that's not even the best part: this web interface, uh, fritz.box I think it's called, even has a packet capture utility, and I hope you see now where this is going.

I unplugged everything from the router, including the SFP module, except for my PC, obviously. Next, I started the capture utility on the WAN port, inserted the SFP module and gave it about 20 seconds or so. Then I stopped the capture utility and downloaded the generated file to my PC. These files are called pcap files, and one of the most popular utilities to open and analyze them is called Wireshark. And one line caught my eye immediately, because it had my router serial number in the payload and it went from 192.168.47.1 to 192.168.47.2 on port 8888. The 47.2 was the IP on the SFP module, which I think was my biggest point of learning at the time: the SFP module has its own IP, meaning it has its own interface on its own operating system. This tiny device has a Linux software on it. And the second realization: my ISP uses the serial number, which can be found on the bottom of the device by the way, for authorization of the router into its network, and the SFP module that it comes with doesn't have that serial baked in but instead receives it from the watchdog script we
mentioned earlier. I probably don't even need to mention I spent countless hours trying to talk to the SFP module without much success at first, until a couple of weeks later, when I got the idea that maybe I could just replicate the payload that the router is sending over, bit by bit. So using Wireshark I exported the line in question from the initial packet capture, cleaned it up, and when I say cleaned it up, I removed the unnecessary headers, then moved the SFP module to my switch and ran the command with the extracted payload from my PC and got online.

Now, I wouldn't hold this very same SFP module in my hands while talking to you if this was the end of the story, would I? You see, even with it being in my switch I still had to worry that it properly received the serial number on each reboot, so I started looking at other SFP GPON modules, knowing nothing about them at the time, but enough about physics. All I cared about was their wavelength and power. The latter is obviously very important, as I didn't want to damage any of the service provider's equipment on the other side of the optic cable. I ordered as many standalone SFP modules I could find, probably around seven in total, but none of them worked properly. This one, for example, from an indie GPON developer got online, but the IPTV didn't work. The ones from Ubiquiti, called UF-Instant, actually come with solder points on the PCB inside, so I was actually able to solder a UART interface on it, but they run a proprietary firmware that unfortunately only works with their switches, on the optic side that is, so these were a no-go as well.

But eventually I did find the one. This is the Fiberstore.com GPON ONU Stick with MAC SFP optical transceiver, and has been a part of my network stack for about 2 years now. And I guess it's the only SFP GPON module on the market that satisfies all the requirements, or put it differently, is a perfect replacement for the one that came with the FRITZ!Box: it has the same wavelengths, it has the same transmit and
receive power, and more importantly, I can SSH into it and permanently save the serial number into its flash storage. And this means the power outages don't have any effect on it, and it just continues to work when the power is back on. You can find it on fs.com and I'll leave the link in the description below. The only drawback: it's somewhat expensive for what it is, coming at around €70, but given I have likely spent hundreds of hours trying to get to this point, I wasn't going to let that stop me.

All right, let's wrap this one for now. If you have any questions, don't hesitate to ask below, and if you enjoy the video, consider subscribing for more content like this. Tomaž from Slovenia, signing [Music] out.
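
The capture-review step described in the captions above (spotting the packet sent from 192.168.47.1 to 192.168.47.2 on port 8888), as an added example that is not from the video: a small classic-pcap reader that lists the payloads a device sends to one address and port, useful for auditing which identifiers customer equipment transmits in cleartext. The video does not give the transport protocol or payload format, so the sample capture is constructed, uses UDP, and carries a placeholder serial.

```python
import socket
import struct

def find_payloads(pcap: bytes, dst_ip: str, dst_port: int):
    """List (src_ip, proto, payload) for Ethernet/IPv4 TCP or UDP packets
    in a classic pcap file that are addressed to dst_ip:dst_port."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    hits, off = [], 24                       # global header is 24 bytes
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(order + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                         # truncated, or not IPv4
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        l4 = frame[14 + ihl:14 + total]      # drops any Ethernet padding
        if socket.inet_ntoa(frame[30:34]) != dst_ip or len(l4) < 8:
            continue
        if struct.unpack("!H", l4[2:4])[0] != dst_port:
            continue
        if frame[23] == 6 and len(l4) >= 20:     # TCP: skip header + options
            proto, data = "tcp", l4[(l4[12] >> 4) * 4:]
        elif frame[23] == 17:                    # UDP: fixed 8-byte header
            proto, data = "udp", l4[8:]
        else:
            continue
        if data:                             # ignore empty segments (SYN, ACK)
            hits.append((socket.inet_ntoa(frame[26:30]), proto, data))
    return hits

def _frame(src, dst, dport, payload):
    # Constructed UDP/IPv4/Ethernet frame; checksums left at zero.
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp

def sample_pcap():
    # Constructed capture: one packet to port 8888, one unrelated packet.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame("192.168.47.1", "192.168.47.2", 8888, b"SN=CONSTRUCTED0001"),
              _frame("192.168.47.1", "192.168.47.2", 53, b"unrelated")):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Calling `find_payloads(sample_pcap(), "192.168.47.2", 8888)` returns the single matching packet; on a real capture, pass the file's bytes instead of `sample_pcap()`.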
Info
Channel: Tomaž Zaman
Views: 1,030,509
Keywords: isp, router
Id: Hi7JMTojT-4
Length: 9min 43sec (583 seconds)
Published: Tue Dec 19 2023