[NEW] Orange "Bright Box" router hacking :-)

http://www.youtube.com/watch?v=9NIdtlEsIe8

Originally Posted by unlokia

Lmao, I feel like I've been RickRolled,

Think im going to take a step back from this BB thing now, Maybe spend some more time looking for work!, I'm sure one of you clever guys will build an openWRT image that works.

Lmao, I feel like I've been RickRolled,

Think im going to take a step back from this BB thing now, Maybe spend some more time looking for work!, I'm sure one of you clever guys will build an openWRT image that works.

Originally Posted by whitenight639

You can't gooo

You can't gooo

Originally Posted by unlokia

I'll still be around but I've been abit obsessive with this, like an autistic kid with a gameboy lol, I need to focus on other things, if I get that other brightbox I will have a quick play and send it on to darth_destroyer,

I've overlooked your contributions unlokia and for that i appologise, your first few posts pretty much had this thing hacked wide open, if only i had read more carefully.

I'll still be around but I've been abit obsessive with this, like an autistic kid with a gameboy lol, I need to focus on other things, if I get that other brightbox I will have a quick play and send it on to darth_destroyer,

I've overlooked your contributions unlokia and for that i appologise, your first few posts pretty much had this thing hacked wide open, if only i had read more carefully.

Originally Posted by whitenight639

You've no need to say sorry it's okay with me. You weren't obliged to help, and all the help you've provided is very valuable! God bless you!

oh and when upgrading the images via tftp your IP address should be 192.168.1.99, I've seen it mentioned that it should end in .2 but when I captured packets with wireshark and had serial console i (to check if tftp was working, i never had it serving anything with aftp hence the -21 error, so i used the normal tftpd ubuntu package).

So if I still had a working box i would be using openWRT image builder to build an image for this, then padding out the image to the right size and trying it via tftp and the webUI, if you cant get it accepted then try taking a CRC hash of it with jacksum and then changing the last few bytes to match that checksum, doing this will change the checksum but it worked for me somehow, also the checksum quoted by the BB is different to the checksum that jacksum will give you as it can be calculated in different ways, I have scoured the internet looking for reference to Arc Magic signature but still cannot find the software they are using, i know Arc is an old compression algorythm and some compression programs can sign / encrypt files but i couldnt find an arc related one that would do that, Arc was originally an MS-DOS program and i think it may be some old windows software? i'm not sure.

so when u get an image accepted you will see this in serial:
(im not sure if this is from preboot tftp of from webUI, as the following has been sat in notepad for days unsaved lol).

Code:

ip=192.168.1.99
userinfo[servidx][i].urn=31411
matched!!!
CGI_do_SYS_MFRESET_ps[201] 
CGI_do_SYS_MFRESET_as[215] 

 Reinit Successfully !

tar: removing leading '/' from member names
ramdisk/etc/config/
ramdisk/etc/config/glbcfg.save
Saving -1 data as erase_begin 0x00000000 is not on sector boundary 0x00000000
Saving 1 data as erase_end 0x0000ffff is not on sector boundary 0x00010000
Programming was started: (Image Size: 00001021) vs (MTD Size: 00010000) >>>
preImageSize >> Writing back -1 data as erase_begin 0x00000000 is not on sector boundary 0x00000000
Wrote back at 0x00000000 size -1
postImageSize >> Writing back 1 data as erase_end 0x0000ffff is not on sector boundary 0x00010000
Wrote back at 0x0000ffff size 1
/www
tar: removing leading '/' from member names
ramdisk/etc/config/
ramdisk/etc/config/glbcfg.save
Saving -1 data as erase_begin 0x00000000 is not on sector boundary 0x00000000
Saving 1 data as erase_end 0x0000ffff is not on sector boundary 0x00010000
Programming was started: (Image Size: 00001028) vs (MTD Size: 00010000) >>>
preImageSize >> Writing back -1 data as erase_begin 0x00000000 is not on sector boundary 0x00000000
Wrote back at 0x00000000 size -1
postImageSize >> Writing back 1 data as erase_end 0x0000ffff is not on sector boundary 0x00010000
Wrote back at 0x0000ffff size 1

As i said before the image didn't boot it gave a uboot error, invalid uboot image (via serial), but remember there are 2 images you can boot from supposidly, so maybe if you get one to boot you can change the other one to mount as a read / write and then upload it so people can flash there BB's with stock firmware but be able to make changes to the filesystem, that would be sweet.

Hey guys, I've been really busy with work these last few days, hoping to get a bit of free time soon.

Very nice work so far, whitenight639, I'm sad to see that you have to give it up! Hopefully what you've got here will help us crack it open.

Hey guys, I've been really busy with work these last few days, hoping to get a bit of free time soon.

Very nice work so far, whitenight639, I'm sad to see that you have to give it up! Hopefully what you've got here will help us crack it open.

Originally Posted by darth_stroyer

Thanks mate, This "brightbox" I was ment to be getting turned out to be an old livebox, still it was free so can't complain, will use it as a repeater / bridge.

Also there is a program for the Arduino that will probe connections to a PCB for JTAG points, I will give it a go on the bright box, although I have not found enough points that look like JTAG points, I think unlokia is better with hardware stuff looking at his youtube vids, i think if there were any JTAG points he would have found them, but I got nothing to loose on this dead BB I will solder some random likely connections and see what the program finds.

Thanks mate, This "brightbox" I was ment to be getting turned out to be an old livebox, still it was free so can't complain, will use it as a repeater / bridge.

Also there is a program for the Arduino that will probe connections to a PCB for JTAG points, I will give it a go on the bright box, although I have not found enough points that look like JTAG points, I think unlokia is better with hardware stuff looking at his youtube vids, i think if there were any JTAG points he would have found them, but I got nothing to loose on this dead BB I will solder some random likely connections and see what the program finds.

Originally Posted by whitenight639

I'm flattered you think so highly of my skills, but I've never done any JTAG on anything, so I'm sure you'll have more knowledge of this than me :-).

I'm flattered you think so highly of my skills, but I've never done any JTAG on anything, so I'm sure you'll have more knowledge of this than me :-).

Originally Posted by unlokia

I saw a thread earlier asking for brightboxes - do you still want them?

I saw a thread earlier asking for brightboxes - do you still want them?

Originally Posted by plidrock

Yes please, that's very kind - I have no dough though. What is your offer?

Thank you.

Not sure if they are any good, although new and unused. Could never get the Internet to connect. Such a waste to just bin them. Have offered them locally but no takers.

Not sure if they are any good, although new and unused. Could never get the Internet to connect. Such a waste to just bin them. Have offered them locally but no takers.

Originally Posted by plidrock

Well if you are sure? I can offer you some postage, but I won't be paid for about another week - what would you want for them? I'd love to offer you "a price", but I am skint right now - genuinely, not a pretense

Thank you.

Not sure if they are any good, although new and unused. Could never get the Internet to connect. Such a waste to just bin them. Have offered them locally but no takers.

Originally Posted by plidrock

how many have you got? How much? I'll maybe take one if you got enough but get one to unlokia and darth_destroyer first.

I did think I would try and unlock one and use it on plusnet maybe but quite honestly it's beyond me. Happy to post.

I'd love to offer you "a price", but I am skint right now - genuinely, not a pretense

Thank you.

Originally Posted by unlokia

^^ Same here literally 31p in the bank right now, sad times but i could muster a few quid for postage.

The Bright Box - a vendor-specific, LOCKED router, is for sale here:



... for ***£95***


Bless them, they must be high!

Wonder if they actually sell any at that price!

I would be interested to know if they actually connect to the Internet.
We were sent 3 and couldn't connect any, although the old belkin
Router is fine. Amazing that orange just kept sending replacements and not wanting the others back.

Stella

Wonder if they actually sell any at that price!

I would be interested to know if they actually connect to the Internet.
We were sent 3 and couldn't connect any, although the old belkin
Router is fine. Amazing that orange just kept sending replacements and not wanting the others back.

Stella

Originally Posted by plidrock

Unlikely that they sell many, I'd say. Why would anyone *pay* for something that is given away when you join Orange, and why would one buy an Orange-specific router for £95, when *not* on Orange?

Marketing failure is the key phrase here ^_^

Forgive me for posting this info if it has already been posted before, but I have just upgraded, cross-graded and downgraded my Bright Box, using the Bright Box MTD rips, using the "Upgrade Software" page:

1/ Turn box OFF, and in a browser, type:

2/ **Immediately** turn on the router, simultaneously HOLDING DOWN the reset button UNTIL you see:



3/ Once you get to ^ that page, browse for the "priimg" file for the version you want - Orange/EE

4/ Press "Update Software" button. Wait 3 mins, then repeat from step #1, except at step #3 you go to the BOTTOM part of the "Upgrade Software" page, and choose the matching Orange/EE "bootloader" file, then click the "Update Bootloader" button... and wait...


The "bootloader" flashing seems MUCH faster than the "priimg" - just keep refreshing the browser, and you'll know when it has up/downgraded, as the branding will change accordingly.



Here are my notes: Notice the different versions of "Runtime Code Version" and "Boot Code Version"





UP-grading from Orange firmware to EE firmware
================================================


"Software" (priimg) ONLY (EE priimg, Orange bootloader):
#########################


SYSTEM

Runtime Code Version: v0.09.94.0006-OT (Fri Sep 21 03:00:26 2012)
Boot Code Version: v1.00.09.0002-OT (Wed Nov 9 10:21:21 2011)
ADSL Modem Code Version: A2pD035b.d23i
Hardware Version: 01
Serial Num: J148042020
LAN MAC Address: 74-31-70-AB-27-99
Wireless MAC Address: 74-31-70-AB-27-9A



"Software" (EE priimg) *AND* "Bootloader" (EE bootloader):
################################################## ##


SYSTEM

Runtime Code Version: v0.09.94.0006-OT (Fri Sep 21 03:00:26 2012)
Boot Code Version: v1.00.10.0006-OT (Fri Sep 21 03:00:26 2012)
ADSL Modem Code Version: A2pD035b.d23i
Hardware Version: 01
Serial Num: J148042020
LAN MAC Address: 74-31-70-AB-27-99
Wireless MAC Address: 74-31-70-AB-27-9A









DOWN-grading from EE firmware to Orange Firmware
==============================================



"Software" (Orange priimg) ONLY (EE bootloader):
#########################

system

Runtime Code Version: v0.09.82.0001-OT (Mon Nov 28 17:30:50 2011)
Boot Code Version: v1.00.10.0006-OT (Fri Sep 21 03:00:26 2012)
ADSL Modem Code Version: A2pD035b.d23i
Hardware Version: 01
Serial Num: J148042020
LAN MAC Address: 74-31-70-AB-27-99
Wireless MAC Address: 74-31-70-AB-27-9A





"Software" (Orange priimg) *AND* "Bootloader" (Orange bootloader):
################################################## ##

system

Runtime Code Version: v0.09.82.0001-OT (Mon Nov 28 17:30:50 2011)
Boot Code Version: v1.00.09.0002-OT (Wed Nov 9 10:21:21 2011)
ADSL Modem Code Version: A2pD035b.d23i
Hardware Version: 01
Serial Num: J148042020
LAN MAC Address: 74-31-70-AB-27-99
Wireless MAC Address: 74-31-70-AB-27-9A













Firmware rips (needed to do this) from my old Orange box AND new EE box:

https://www.dropbox.com/s/muprip3131...rmware_Rip.zip

https://www.dropbox.com/s/r7e4zvfyyo...rmware_Rip.zip


IF anyone would like to donate, and it is by no means my motivation for this, PM me - I always need coins for new gadgets/hacking tools

Thanks

How to use the Bright Box on another ISP, using the built-in debugger in Chrome browser:




!!!! #### IMPORTANT - THIS ONLY WORKS ON THE NEWER, "EE" BRANDED BRIGHT BOX FIRMWARE, SO FAR, **NOT** ON THE "ORANGE" (ORIGINAL) FIRMWARE #### !!!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


!!!! #### TO UPGRADE YOUR BRIGHT BOX TO THE LATEST "EE" FIRMWARE WHICH ALLOWS THIS HACK TO PROCEED, VISIT: https://the-scream.co.uk/forums/s...&postcount=229 !!!! ####
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


How to set Bright Box to other ISP:

1/ Open in Chrome

2/ Login with: "admin" as username, and your unique Bright Box login password (underneath box)

3/ Go to "Basic Set-Up" tab

4/ At the very bottom of the page, you'll see a box - "MTU" - type in the correct value (1500 for O2 and BT, 1492 for Orange/EE)

### DO NOT PRESS SAVE SETTINGS YET! ###




5/ Press "F12" key, and Chrome's de-bugger panel will appear; click "Sources" tab

6/ On the de-bugger panel, click the little square at the top left of the panel, which looks like this: [|>]

7/ You will see a list of files - DOUBLE-click the one entitled: "atmpvc.htm?t=" - this file will now open in the de-bugger panel

8/ Scroll down to line "606" (line numbers are shown in the far LEFT, in grey) and SINGLE-click it - the line number will now be highlighted in dark blue,

and have an arrow pointing to the right

### NOTE - Line 606 should have this code in it ----> "return subForm(f, cPage, subFormWANADSLETHConf, 3)" ###




9/ In the router page (which should still be open), scroll to the bottom, and click "Save Settings" button

10/ The web page will go dark transparent grey, and at the top, it should say "Paused in debugger"

11/ In the de-bugger panel, click the "Console" tab - a white background should appear, with a tiny blue ">" at the top left

12/ Click DIRECTLY next to the little blue ">", and type as below:



#### !!!! THESE ARE EXAMPLES - DO NOT USE THESE !!!! ####


In Step #4, at the start of this document, type your MTU value for your ISP into "MTU" box (remember - DO NOT press "Save Settings" button at that point!)

setCfg("ISP_Username1","your_isp_adsl_username@you r.isp") (Now press RETURN key)

setCfg("ISP_Password1","your_isp_adsl_password") (Now press RETURN key)





For BT Broadband, use these values (#### ACTUAL VALUES - YOU *CAN* USE THESE ####):


In Step #4, at the start of this document, type "1500" into "MTU" box (remember - DO NOT press "Save Settings" button at that point!)

setCfg("ISP_Username1","" ) (Now press RETURN key)

setCfg("ISP_Password1","") <---- this is what you enter if your ISP has a BLANK ADSL PASSWORD (Now press RETURN key)






13/ Go back to the "Sources" tab on the de-bugger panel, and on the FAR right of the panel, at the top, there is a little button that looks like the play button on a DVD player or VCR - like this: "|>" (if you hover over it with your mouse cursor, it will say "Resume script execution (f8)" )

14/ Click that button, and it will save all your ADSL settings into the Bright Box. You may now press "F12" again to close the de-bugger panel.

Done

:-)

How to do the above, shown as a video screencast :-)

http://www.youtube.com/watch?v=nUvgALx2Ou8

I have examined the javascript of the hidden web pages for the new EE firmware and I saw that the variable "hidepage" was read from the config. Also the protection.htm page called was referring to the variable "hidekey"

Code:

var hidepage=getCfg("hidepage");
if(hidepage==0)
{
    window_location_replace("parent.mainFrame", "protection.htm?pg=z983erv3210ba.htm");
}
else
{
    // Do original stuff here
}

My first thought was to use fiddler2 to respond with a modified page with the config checking removed. This worked a dream, but a bit complicated for a novice to setup.

I then noticed that "hidepage" and "hidekey" were among the list of TR069 parameters in the system section, so I though about setting this to something other than zero with the commands listed previously.

Code:

root@BrightBox:/ # /bin/util_ccfg_cli showcfg

Section: system
lang_code=0
time_zone=PST8PDT
gui_style=1
remote_mgmt_en=0
remote_mgnt_ip=0.0.0.0
remote_mgnt_mask=255.255.255.255
host_name=
wan_type=0
active_wan_type=1
ppp_pass_thru=0
default_ip=192.168.1.1
ccfg_bk_fname=backup.bin
hidepage=0
hidekey=5;m6ek

I though what the heck, lets try the string 5;m6ek as the password and it worked.

Hi thanks for the tut on how to use brightbox with another ISP.
But I can't get it to change for fibre username don't change can u help pls.

Hi thanks for the tut on how to use brightbox with another ISP.
But I can't get it to change for fibre username don't change can u help pls.

Originally Posted by tooter

Since I don't use fibre, I have no idea, sorry!

Ok thanks for the reply shame the hack only works for adsl but i do apreciate the efort put in to this thanks.
i have a router that i would be wiiling to donate if i could get it back hacked when u do find a way to put openwrt on them. Hope thats not being to cheeky thanks.

I have updated the software ok and tryed to follow the you tube vid,i get as far as saving the setting on the web page,i get a pop up box saying [ Connection Retry Timer Must Between 3 to 10000 sec].

Anybody no what ive done wrong,could do with some help

Thanks Pete

Hi thanks for the tut on how to use brightbox with another ISP.
But I can't get it to change for fibre username don't change can u help pls.

Originally Posted by tooter

This is possible but I don't how you will do it with the easy method (unlockias web method above)

You can fiure it out tho with firebug, or can follow my method previously posted but change
Step 11 to..

/bin/util_ccfg_cli set username@wanETH=

instead of username@wan#001

to do it the easy way you will need to find the variable that is assigned to that config value in the script, so for username@wan#001 the variable was something like ISP_Username1 so it will be different for the wanETH (might even be ISP_Username2 if your lucky).

How to use the Bright Box on another ISP, using the built-in debugger in Chrome browser:




!!!! #### IMPORTANT - THIS ONLY WORKS ON THE NEWER, "EE" BRANDED BRIGHT BOX FIRMWARE, SO FAR, **NOT** ON THE "ORANGE" (ORIGINAL) FIRMWARE #### !!!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


!!!! #### TO UPGRADE YOUR BRIGHT BOX TO THE LATEST "EE" FIRMWARE WHICH ALLOWS THIS HACK TO PROCEED, VISIT: https://the-scream.co.uk/forums/s...&postcount=229 !!!! ####
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


How to set Bright Box to other ISP:

1/ Open in Chrome

2/ Login with: "admin" as username, and your unique Bright Box login password (underneath box)

3/ Go to "Basic Set-Up" tab

4/ At the very bottom of the page, you'll see a box - "MTU" - type in the correct value (1500 for O2 and BT, 1492 for Orange/EE)

### DO NOT PRESS SAVE SETTINGS YET! ###




5/ Press "F12" key, and Chrome's de-bugger panel will appear; click "Sources" tab

6/ On the de-bugger panel, click the little square at the top left of the panel, which looks like this: [|>]

7/ You will see a list of files - DOUBLE-click the one entitled: "atmpvc.htm?t=" - this file will now open in the de-bugger panel

8/ Scroll down to line "606" (line numbers are shown in the far LEFT, in grey) and SINGLE-click it - the line number will now be highlighted in dark blue,

and have an arrow pointing to the right

### NOTE - Line 606 should have this code in it ----> "return subForm(f, cPage, subFormWANADSLETHConf, 3)" ###




9/ In the router page (which should still be open), scroll to the bottom, and click "Save Settings" button

10/ The web page will go dark transparent grey, and at the top, it should say "Paused in debugger"

11/ In the de-bugger panel, click the "Console" tab - a white background should appear, with a tiny blue ">" at the top left

12/ Click DIRECTLY next to the little blue ">", and type as below:



#### !!!! THESE ARE EXAMPLES - DO NOT USE THESE !!!! ####


In Step #4, at the start of this document, type your MTU value for your ISP into "MTU" box (remember - DO NOT press "Save Settings" button at that point!)

setCfg("ISP_Username1","your_isp_adsl_username@you r.isp") (Now press RETURN key)

setCfg("ISP_Password1","your_isp_adsl_password") (Now press RETURN key)





For BT Broadband, use these values (#### ACTUAL VALUES - YOU *CAN* USE THESE ####):


In Step #4, at the start of this document, type "1500" into "MTU" box (remember - DO NOT press "Save Settings" button at that point!)

setCfg("ISP_Username1","" ) (Now press RETURN key)

setCfg("ISP_Password1","") <---- this is what you enter if your ISP has a BLANK ADSL PASSWORD (Now press RETURN key)






13/ Go back to the "Sources" tab on the de-bugger panel, and on the FAR right of the panel, at the top, there is a little button that looks like the play button on a DVD player or VCR - like this: "|>" (if you hover over it with your mouse cursor, it will say "Resume script execution (f8)" )

14/ Click that button, and it will save all your ADSL settings into the Bright Box. You may now press "F12" again to close the de-bugger panel.

Done

:-)

Originally Posted by unlokia

Got as far as number 9 then i get msg [ Connection Retry Timer Must Between 3 to 10000 sec] when i press the save settings button.
Is there any way round this or have i done something wrong.

Thanks Pete

hi unlokia
I am using windows 7 I bought usb adapter I solder the padin the router, I use puttytel or windows telnet the both wont give my brightbox word but
brightnox@ root ## something like that, I want ask u if this solution work on windows or only in ubuntu
if ur solution work in both system can u guide me step by step sorry I never use linux command before just write me the step from the begging if this dont disturb you I will realy appreciate your help brother

many thanx in advance

hi unlokia
I am using windows 7 cant get brightbox line under telnet
what I get is
root@BrightBox:/root #

what I did exactly
telnet 192.168.1.1
admin
password
root@BrightBox:/root #

whats wrong
can u tell me all steps under windows seven please brother big thanx in advance