SSH/Telnet to Fritzbox 5491

tzaman (new user, member since 4 May 2020, 4 posts)
Hi - I, unfortunately, don't speak German, but a lot of my Google searches resulted in links to this forum, so I figured I'd register and ask anyway!

But before I ask, some context:
About a month ago, I received a fiber optic (GPON) connection to the home and along with it, a Fritzbox 5491. As I already own some more advanced networking equipment from Ubiquiti and Mikrotik, I'd like to replace the Fritzbox with my own gear, but the ISP doesn't provide any support in doing so. But because I'm a persistent bastard, I figured I'll try on my own anyway.

During my investigation into how GPON works with my ISP, I found that they do serial authentication of the GPON device before the OLT allows it to come online.
Luckily, the 5491 comes with a proper SFP GPON module, which can be removed from the Fritzbox and inserted into any other device; I can confirm it works and is recognized by both a Unifi switch and a Mikrotik routerboard. But it isn't allowed online just like that, because I can see from various tools that the SFP module itself doesn't have the serial stored on it; inspecting the device from the Mikrotik router shows the field is empty. This was odd to me, so I decided to investigate what happens when the Fritzbox detects the module. For this, I used fritz.box/html/capture.html which allows you to download raw packets from any interface (WAN, in my case) and import the dump into Wireshark.

What I discovered is that once the SFP module is inserted into the Fritzbox it apparently has a built-in IP address (192.168.47.1 - and the MAC address corresponds to the sticker on the SFP module), and then it's sent some TCP packets from the IP 192.168.47.2, which has Fritz's MAC address, and upon investigating the payload I saw that Fritz is actually "injecting" the SFP module with several relevant pieces of data:
- "F!Box5491" (I imagine this gets set as sfp-vendor-name)
- "07.12_1.3.26" (probably the sfp-vendor-part-number or sfp-vendor-revision )
- "AVMGXXXXXXXX" (the serial number needed for the ONT to be authenticated with the OLT)

However, this is where my investigation skills ran out, I have no idea how to proceed from here and am wondering whether there's a way that I can enable SSH or Telnet on Fritzbox with minimal downtime (wife and kids threatened me with death if anything happens to the Fritzbox :)

I am by no means a Linux expert, but I do know my way around and if I somehow got into Fritzbox's OS, I'd most likely be able to investigate how Fritzbox pushes the settings onto the SFP module the way it does - and then replicate this behaviour on my own gear.

Thank you!
 
Only little is known about the "inner values" of a 5491 device.

If it's really the same as a 5490 device, only with a GPON module instead of an AON, you may try to "inject" a Shell-in-a-box daemon into the system.

There's a small shell script, which may be used to create a "firmware image", that copies the needed files to the device and adds the required calls to system initialization. It can be found here: https://github.com/PeterPawn/YourFritz/blob/master/toolbox/build_shellinabox_implant_image

The explanation of what this image will do with your router may be read here: https://www.ip-phone-forum.de/threads/modfs-squashfs-image-avm-firmware-ändern-für-nand-basierte-fritz-boxen.273304/post-2299737 (use a smart online translation tool)

But this image can't be loaded using the vendor's GUI - you have to use the EVA loader with FTP commands to start it from memory. Some scripts as one possible solution for this task may be found here: https://github.com/PeterPawn/YourFritz/tree/master/eva_tools and I'm sure there's an English description somewhere on this board, too.

I know I wrote down some explanations in English, answering questions from foreign-language users - but I don't know where and when that was. So you would have to find those posts yourself or - as an alternative - read one of the various descriptions in German with an online translation tool (e.g. this post with a - not too old - example incl. GIT checkout: https://www.ip-phone-forum.de/threa...-la-avm-oder-besser-nicht.294386/post-2268717). But be aware of the method needed to clone the whole YourFritz GitHub repo incl. its submodules: https://github.com/PeterPawn/yf_bin/blob/master/README.md

EDIT: And please ... use a "serious Linux system" to run my scripts - that means usually one, which uses a "bash" shell instead of "dash" as "/bin/sh". Some scripts rely on this.
 
Thanks mate for the exhaustive set of instructions on the matter, this was quite frustrating for me as I was without any "next steps", and now you've cleared the roadblock so I can continue :)

I ran the eva_discover on Arch Linux (not a virtual machine, so "serious enough" haha) and I did get a successful boot sequence interrupt, so now I'm preparing the firmware image.

Note to anyone failing at the EVA discovery: Make sure you set a static IP on your interface (I used 192.168.178.50) and more importantly, that the broadcast is correct (needs to be 192.168.178.255), otherwise it will not work. I spent a couple of hours on this :)

Thanks Peter, I'll report on my progress here :)
 
@PeterPawn I succeeded! But not with getting into the SFP - that proved to be a bit more difficult for my level of knowledge :)

So I got another idea: What if I just replayed the TCP packets that Fritzbox sends to the SFP module?

  1. I opened the Fritzbox WAN tcpdump (which I got at fritz.box/html/capture.html) in Wireshark
  2. Located the SYN packet that originated in 192.168.47.2 and went to 192.168.47.1:8888
  3. Followed the TCP stream (A function in Wireshark that extracts/focuses just on one TCP "conversation")
  4. Exported that TCP stream as a pcap file and converted it into raw data with tcptrace
  5. Plugged in the SFP module into my switch, sorted out vlans so I could ping the module
  6. Ran the raw data through netcat: cat a2b_contents.dat | nc -v 192.168.47.1 8888
  7. Boom! SFP module online, internet works perfectly, IPTV does as well.

Happy. Thanks for your help!

Here's a self-ego-boosting speedtest after the experiment :)

 
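Steps 2 to 4 of the post above (select the conversation, follow the TCP stream, export its raw bytes), as an added example that is not code from the thread: a minimal classic-pcap reader that keeps one direction of one TCP conversation and reassembles it by sequence number, which is what Wireshark's "Follow TCP Stream" plus the tcptrace export did for the author. The sample capture is constructed inline with dummy payloads; only the addresses and port (192.168.47.2 to 192.168.47.1:8888) are the ones named in the post.

```python
import struct

# Constructed example (not code from the thread): the "follow the TCP stream and
# export it as raw bytes" step, done without Wireshark or tcptrace.

def _frames(pcap: bytes):
    """Yield the packet records of a classic pcap file (either byte order)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def follow_tcp_stream(pcap: bytes, src_ip: str, dst_ip: str, dst_port: int) -> bytes:
    """Return the src->dst payload of one TCP conversation in sequence order.
    Segments are keyed by sequence number, so retransmitted or out-of-order
    segments do not duplicate bytes (no sequence-number wrap handling)."""
    segments = {}
    for frame in _frames(pcap):
        if len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
        if ip[9] != 6:
            continue  # not TCP
        s_ip = ".".join(map(str, ip[12:16]))
        d_ip = ".".join(map(str, ip[16:20]))
        tcp = ip[(ip[0] & 0x0F) * 4:]
        s_port, d_port, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if (s_ip, d_ip, d_port) == (src_ip, dst_ip, dst_port) and payload:
            segments.setdefault(seq, payload)
    return b"".join(segments[s] for s in sorted(segments))

def build_sample_pcap() -> bytes:
    """Constructed capture with dummy payloads: the client's two segments are
    recorded out of order and the second one is retransmitted; one server
    reply is mixed in. Addresses and port are the ones named in the thread."""
    def frame(src, dst, sport, dport, seq, payload):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        return b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
    c, s = ("192.168.47.2", "192.168.47.1", 40000, 8888), ("192.168.47.1", "192.168.47.2", 8888, 40000)
    pkts = [frame(*c, 1011, b"AVMGXXXXXXXX"), frame(*s, 1, b"OK"),
            frame(*c, 1001, b"F!Box5491\x00"), frame(*c, 1011, b"AVMGXXXXXXXX")]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in pkts)
```

That a plain byte-for-byte replay was enough to bring the module online is the security-relevant observation: the provisioning exchange carries no authentication or freshness, so anyone who can capture it once can reproduce it.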
Congratulations - now we know that a 5491 is obviously a VR9 device, too. And it may get pwned like any other VR9 device.
 
Thanks! I still have Shell-In-A-Box installed on the 5491, so if you need anything to check out, I can do it.
 