JavaScript can compromise the user’s network devices!
particularly evil are devices/routers with security problems that can be exploited from JavaScript.
so basically, opening a web page in a browser that has JavaScript enabled (which most browsers have) might scan the user’s network for vulnerable devices and then try to conquer/own those devices,
resulting in all kinds of trouble for the user or for other users, in the form of DDoS attacks that the router might then participate in.
what is pretty terrible: planned obsolescence of routers and other IoT devices
AVM and other router vendors are dishing out new versions of their products en masse
after a few years (less than 5) the vendors drop support for the device, forcing users to “throw away and buy new” (which is good for the vendor (more turnover), but bad for the environment (a complete waste of resources) and for the user (costs a lot of money))
this kind of planned obsolescence needs to be avoided.
ideally, those routers would be replaced by “normal” embedded PCs that run Debian GNU/Linux and get updated just like any other PC, with a DSL or LTE modem connected to them.
about the hardware:
This device is NOT RECOMMENDED for future use with OpenWrt due to low flash/ram.
DO NOT BUY DEVICES WITH 4MB FLASH / 32MB RAM if you intend to flash an up-to-date and secure OpenWrt version (18.06 or later) onto it! See 4/32 warning for details. (src)
Hardware versions
Version/Model | Launch Date | S/N | OpenWrt Version Supported | Model Specific Notes | Annex |
---|---|---|---|---|---|
v1 | 2006-01 | 2000 2329 | untested | 3x Phone via one RJ-12 socket | ? |
v2 | ? | 2000 2361 | untested | 2x Phone via RJ-12 sockets, 1x via marshaling panel | ? |
? | ? | 2000 2397 | untested | 2x Phone via RJ-12 sockets, 1x via marshaling panel | A |
Hardware summary
SoC | AR7 Ohio @ 212MHz | Texas Instruments TNETD7300ZDW or Infineon/Lantiq PSB7200ZDW |
---|---|---|
CPU | 32-bit MIPSEL RISC CPU with MIPS 4KEc (?) | |
RAM | 32 MiB Sync DRAM | Zentel A3V56S40FTP-G6 |
Flash | 8 MiB | Spansion S29GL064N90TF103 |
Flash layout | Hidden root | |
Bootloader | ADAM2/EVA | |
Ethernet | 4 x 100 Mbit/s | Infineon ADM6996FC |
Phone | 2x or 3x RJ12 | Litelink CPC5621A |
DSL | ADSL2/2+ | |
USB | 1x USB 1.1 | |
Serial console | onboard | |
JTAG |
See also:
- 32 MB can work for minimal router/AP functions, but may repeatedly “crash”, depending on your hardware and use case
- 64 MB may still have issues with stability, depending on your hardware and use cases
- 128 MB or more is recommended if software past basic router/AP functionality is to be used

(src)
let’s get started
what the user will need:
- VirtualBox installed
- freetz.ova https://sourceforge.net/projects/freetz-linux/
- ftp://ftp.avm.de/archive/fritz.box/fritzbox.fon_wlan_7170/firmware/ (link was changed, without forwarding to the new location)
- user has to search under the new location for the proper firmware: https://download.avm.de/fritzbox/
- actually optional: only needed to flash the stock firmware if things go wrong
let’s get started:
it is probably wise to factory reset before flashing
```
# login to the vm
ssh -v freetz@ip.of.the.vm
# become root
su - root
# update system to latest software
apt update; apt upgrade;
# probably wise to restart system then
shutdown -r now
# login to the vm again
ssh -v freetz@ip.of.the.vm
# download freetz sources
git clone https://github.com/Freetz/freetz
# config the build
# (select target model in this example 7170, then go exit (saves .config))
cd freetz
make menuconfig
# start compilation process
make
...
stripping leftover unstripped binaries
build/modified/filesystem/usr/share/ctlmgr/libctlusb.so
build/modified/filesystem/lib/libm-0.9.29.so
build/modified/filesystem/lib/libdl-0.9.29.so
build/modified/filesystem/lib/libacgenusb.so.1.0.0
build/modified/filesystem/lib/libpop3lib.so.1.0.0
build/modified/filesystem/lib/libled2.so.2.2.0
build/modified/filesystem/lib/libusbcfg.so.1.0.0
build/modified/filesystem/lib/libluaxml.so.1.0.0
build/modified/filesystem/lib/libavmacl.so.0.0.0
build/modified/filesystem/lib/libluatextdb.so.1.0.0
build/modified/filesystem/lib/libpthread-0.9.29.so
build/modified/filesystem/lib/librt-0.9.29.so
build/modified/filesystem/lib/ld-uClibc-0.9.29.so
build/modified/filesystem/lib/libmaillib.so.2.0.0
build/modified/filesystem/lib/libtiinterpreter.so.0.0.0
build/modified/filesystem/lib/libupnpdevusb.so.1.0.0
build/modified/filesystem/lib/libuClibc-0.9.29.so
build/modified/filesystem/lib/libcrypt-0.9.29.so
done.
STEP 3: PACK
checking for left over version-control-system files
integrate freetz info file into image
packing var.tar
creating filesystem image (SquashFS2-lzma)
SquashFS block size: 64 kB (65536 bytes)
merging kernel image
kernel image size: 7.4 MB, max 7.4 MB, free 0.0 MB (32512 bytes)
WARNING: Not enough free flash space for answering machine!
adding checksum to kernel.image
packing images/7170_04.88-freetz-master--f4147ce.de_20200817-221340.image
unsigned image file size: 8.2 MB (8591360 bytes)
using unsigned image as the final one
done.
FINISHED
# this will save the newly created binaries in the folder
ll ./images
7170_04.88-freetz-master--f4147ce.de_20200817-221340.image
# did another build with "replace kernel"
7170_04.88-freetz-master--f4147ce.de_20200817-223933.custom.kernel.image
# logout of freetz vm
Ctrl+D
# copy freetz image files to host
scp -v freetz@192.168.ip.of.vm:/home/freetz/freetz/images/* /projects/freetz.org/7170/
```
flash the image:
now the user browses to the fritzbox 7170 at http://192.168.178.1
go to “inhalt” / contents and go to “update”
where the user is asked to save the settings of the fritzbox prior to updating the firmware
then select the firmware file (both files worked for me, with and without “replace kernel”)
wait… wait…
confirm again that the user really wants to flash this firmware
wait… wait… wait a bit longer… watch the green LEDs flash… watch the fritzbox reboot
now the fritzbox should be back with its original web interface PLUS
under http://192.168.178.1:81 the user can access the newly added add-on interface 🙂
usr: admin
pwd: freetz
and do all sorts of stuff.
nice.
next recommended steps are: prepare a USB stick to be used as swap partition (GNU/Linux / Unix systems do not work particularly well without RAM and swap)
strange stuff is going on in dmesg:
```
# there is no package mcelog anymore in Debian 10 Buster
# for whatever reason
# view the journal, scroll to very end
journalctl -b
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: Machine check events logged
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e34411fa2
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: Machine check events logged
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e3830c490
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e383ed355
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e3950f504
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e3a2fdfdc
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:31 giada kernel: mce: [Hardware Error]: CPU 1: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:31 giada kernel: mce: [Hardware Error]: TSC 5d0f0ffdf588
Aug 17 22:39:31 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696771 SOCKET 0 APIC 2 microcode 17
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: TSC 5d1040fbd14a
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696773 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: TSC 5d1041043b2b
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696773 SOCKET 0 APIC 0 microcode 17
```
OpenWRT?
yes! there seems to be some OpenWRT support and image files for the 7170 (untested so far)
https://openwrt.org/toh/hwdata/avm/avm_fritzboxfonwlan7170
https://openwrt.org/toh/avm/fritz.box.wlan.7170
src: https://web.archive.org/web/20120325183643/http://deve.loping.net/files/FRITZ-WRT-HOWTO.html.en
See also:
Firmware
Only the squashfs version works. The jffs2 image won’t boot.
Stock firmware source: AVM’s sourcecode
HOWTO for OpenWRT on the FRITZ!Box 7170
- Prerequisites
To compile OpenWRT you will need the following software:
- gcc
- binutils
- patch
- bzip2
- flex
- bison
- make
- gettext
- pkg-config
- unzip
- libz-dev
- libc6-dev
- libncurses5-dev
- libstring-crc32-perl
On a Debian “etch” system you can install these packages with the following command:
```
aptitude install build-essential binutils patch bzip2 flex bison \
    gettext pkg-config unzip zlib1g-dev libncurses5-dev libstring-crc32-perl
```
Additionally you will need the Subversion client, which you can install with this command:
aptitude install subversion
- Obtaining the source code
You get the source code to OpenWRT from the OpenWRT SVN trunk with this command:
svn co -r 9340 https://svn.openwrt.org/openwrt/trunk openwrt
After this you should have a folder with the name “openwrt” in the current directory. Change into this directory and patch the source code with the FRITZ!WRT patches:
```
cd openwrt
wget -q -O - http://code.bastart.eu.org.nyud.net/files/ar7-atm-module-params.patch | patch -p0
wget -q -O - http://code.bastart.eu.org.nyud.net/files/ar7-fritz-eva-loader.patch | patch -p0
wget -q -O - http://code.bastart.eu.org.nyud.net/files/ar7-fritz-gpio-leds.patch | patch -p0
wget -q -O - http://code.bastart.eu.org.nyud.net/files/ar7-fritz-reduce-flash-size.patch | patch -p0
```
You now have a fully patched copy of the OpenWRT source code.
- Configuration of the working copy
Because you now have a working copy of the OpenWRT source code, you can configure it with this command:
make menuconfig
Here you should select “TI AR7 [2.6]” as the “Target System” and select “No WiFi” as the “Target Profile”.
Under “Target Images” you only need “squashfs” and the rest can be removed.
Additionally you should select kmod-sangam-atm-annex-b under “Kernel modules” | “Network Devices” for the DSL support.
The rest of the configuration is up to you.
Now exit the menu with Exit and choose “Yes” at the question asking you if the configuration should be saved.
You now have a file with the name .config in your working copy directory. You can make a backup of this file so you can restore it later. If you restore the configuration, don’t forget this command:
make oldconfig
- Compiling the configured working copy
After you configured the working copy, you can start the compilation with this command:
make
or for users that are like me and like to see many messages because they wouldn’t believe something is going on otherwise:
make V=99
Now go get a coffee or something similar because the compilation will take some time depending on your computer’s speed because the complete toolchain (gcc, binutils, libc, etc…) is being compiled.
- Installation of the firmware
Finally, after long waiting, you can install the firmware. The required version is in the directory “bin”. The relevant files for the FRITZ!Box are the following:
openwrt-ar7-2.6-squashfs.bin - ADAM2
openwrt-EVA-2.6-squashfs.bin - EVA
The former is for FRITZ!Boxes with the ADAM2 bootloader (I didn’t test this) while the latter is for FRITZ!Boxes with the EVA bootloader. The difference is that the ADAM2 version has its own LZMA loader, while the EVA version only has the EVA header because the loader can decompress LZMA and start the kernel by itself.
You can now use FRITZ!Flash to flash the firmware onto your box:
~/fritz-flash -f bin/openwrt-EVA-2.6-squashfs.bin
In case you have the variable “kernel_args” set in your bootloader, you will have to modify it with this command:
setenv kernel_args init=/etc/preinit
The bootlog of the firmware over the serial port should now approximately look like this:
```
(AVM) EVA Revision: 1.136 Version: 1136
(C) Copyright 2005 AVM Date: Feb 2 2006 Time: 12:38:21 (1) 2 0-1111
[FLASH:] MACRONIX Top-MirrorBit-Flash 8MB 32 Bytes WriteBuffer
[FLASH:](Eraseregion [0] 127 sectors a 64kB)
[FLASH:](Eraseregion [1] 8 sectors a 8kB)
[SYSTEM:] OHIO on 211MHz/125MHz
Eva_AVM >
AVM decompress Kernel: .................done
start kernel
Linux version 2.6.22.4 (ago@agovm) (gcc version 4.1.2) #21 Wed Aug 29 08:10:46 EDT 2007
CPU revision is: 00018448
Clocks: Async mode
Clocks: Setting DSP clock
Clocks: base = 25000000, frequency = 125000000, prediv = 1, postdiv = 2, postdiv2 = 1, mul = 10
Clocks: Setting CPU clock
Adjusted requested frequency 211000000 to 211968000
Clocks: base = 35328000, frequency = 211968000, prediv = 1, postdiv = 1, postdiv2 = -1, mul = 6
Clocks: Setting USB clock
Adjusted requested frequency 48000000 to 48076920
Clocks: base = 125000000, frequency = 48000000, prediv = 13, postdiv = 1, postdiv2 = -1, mul = 5
TI AR7 (TNETD7200), ID: 0x002b, Revision: 0x11
Determined physical RAM map:
 memory: 02000000 @ 14000000 (usable)
Built 1 zonelists. Total pages: 8128
Kernel command line: init=/etc/preinit console=ttyS0,38400n8r
Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 8kB, 4-way, linesize 16 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 128 (order: 7, 512 bytes)
Using 105.984 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28804k/32768k available (2026k kernel code, 3964k reserved, 406k data, 104k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
vlynq0: regs 0x08611800, irq 29, mem 0x04000000
Generic PHY: Registered new driver
Time: MIPS clocksource has been installed.
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
squashfs: version 3.0 (2006/03/15) Phillip Lougher
Registering mini_fo version $Id$
JFFS2 version 2.2. (NAND) (c) 2001-2006 Red Hat, Inc.
io scheduler noop registered
io scheduler deadline registered (default)
ar7_wdt: timer margin 59 seconds (prescale 65535, change 57180, freq 62500000)
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x8610e00 (irq = 15) is a TI-AR7
console handover: boot [early0] -> real [ttyS0]
Fixed PHY: Registered new driver
cpmac-mii: probed
cpmac: device eth0 (regs: 08610000, irq: 27, phy: fixed@100:1, mac: 00:15:0c:fc:06:25)
physmap platform flash device: 00400000 at 10000000
physmap-flash.0: Found 1 x16 devices at 0x0 in 16-bit bank
NOR chip too large to fit in mapping. Attempting to cope...
 Amd/Fujitsu Extended Query Table at 0x0040
physmap-flash.0: Swapping erase regions for broken CFI table.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Reducing visibility of 8192KiB chip to 4096KiB
cmdlinepart partition parsing not available
RedBoot partition parsing not available
Parsing AR7 partition map...
4 ar7part partitions found on MTD device physmap-flash.0
Creating 4 MTD partitions on "physmap-flash.0":
0x00000000-0x00010000 : "loader"
0x003f0000-0x00400000 : "config"
0x00010000-0x003f0000 : "linux"
0x000e0000-0x003f0000 : "rootfs"
mtd: partition "rootfs" set to be root filesystem
mtd: partition "rootfs_data" created automatically, ofs=1B0000, len=240000
0x001b0000-0x003f0000 : "rootfs_data"
Registered led device: ar7:status
Registered led device: avm:led0
Registered led device: avm:led1
Registered led device: avm:led2
Registered led device: avm:led3
Registered led device: avm:led4
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP vegas registered
NET: Registered protocol family 1
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb ÄÄÄÄT candelatech DOTTTT com>
All bugs added by David S. Miller <davem ÄTTTT redhat DDOOOOOOTT com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 104k freed
Warning: unable to open an initial console.
Algorithmics/MIPS FPU Emulator v1.5
mini_fo: using base directory: /
mini_fo: using storage directory: /jffs
init started: BusyBox v1.4.2 (2007-08-28 10:02:21 EDT) multi-call binary

Please press Enter to activate this console.
device eth0 entered promiscuous mode
br-lan: port 1(eth0) entering learning state
br-lan: topology change detected, propagating
br-lan: port 1(eth0) entering forwarding state
NET: Registered protocol family 8
NET: Registered protocol family 20
PHY: fixed@100:1 - Link is Up - 10/Half
registered device TI Avalanche SAR
Ohio250(7200/7100A2) detected
requesting firmware image "ar0700xx.bin"
Creating new root folder avalanche in the proc for the driver stats
Texas Instruments ATM driver: version:[7.02.01.00]
device nas0 entered promiscuous mode
br-lan: port 2(nas0) entering learning state
br-lan: topology change detected, propagating
br-lan: port 2(nas0) entering forwarding state

BusyBox v1.4.2 (2007-08-28 10:02:21 EDT) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| F r i t z ! B o x   F R E E D O M
 ---------------------------------------------------
root@fritz:/#
```
I wish you much joy with your newly installed FRITZ!WRT system!
Axel Gembe
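The HOWTO above pipes each patch from `wget` over plain HTTP straight into `patch`, and the Freetz section copies an unsigned image with `scp` before flashing it; in neither case does anything check that the bytes are the expected ones. The following is an added example (not code from the HOWTO or from Freetz) that only applies a set of files once every one matches a digest pinned in a manifest. The function names, the manifest name `pinned.sha256` and the file `freetz.image` are assumptions, and the demo files are constructed stand-ins.

```sh
#!/bin/sh
# Added example: refuse to apply patches or flash an image unless every file
# matches a digest pinned in a manifest ("<sha256 hex>  <file name>" per line,
# the format sha256sum writes). Function and file names are assumptions.

sha256_of() {                       # print the SHA-256 hex digest of file $1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_all MANIFEST DIR: 0 only if every listed file is in DIR and matches.
verify_all() {
    rc=0; checked=0
    while read -r want name; do
        case $want in ''|'#'*) continue ;; esac
        name=${name#\*}             # drop sha256sum's binary-mode marker
        case $name in               # a manifest must not point outside DIR
            ''|*/*) echo "REJECT bad name: $name" >&2; rc=1; continue ;;
        esac
        got=$(sha256_of "$2/$name" 2>/dev/null)
        if [ -n "$got" ] && [ "$got" = "$want" ]; then
            checked=$((checked + 1))
        else
            echo "REJECT $name: missing or digest mismatch" >&2; rc=1
        fi
    done < "$1"
    [ "$checked" -gt 0 ] || rc=1    # an empty manifest verifies nothing
    return "$rc"
}

# apply_verified MANIFEST DIR TREE: all-or-nothing, so the source tree is
# never patched from a set that contains an unverified file.
apply_verified() {
    verify_all "$1" "$2" || return 1
    while read -r want name; do
        case $want in ''|'#'*) continue ;; esac
        patch -p0 -d "$3" < "$2/${name#\*}" || return 1
    done < "$1"
}

# Constructed demo: pin two stand-in files, verify, tamper with one, verify.
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed stand-in for a patch\n' > "$d/ar7-fritz-gpio-leds.patch"
    printf 'constructed stand-in for an image\n' > "$d/freetz.image"
    for f in ar7-fritz-gpio-leds.patch freetz.image; do
        printf '%s  %s\n' "$(sha256_of "$d/$f")" "$f"
    done > "$d/pinned.sha256"
    if verify_all "$d/pinned.sha256" "$d"; then clean=ok; else clean=bad; fi
    printf 'one appended byte run' >> "$d/freetz.image"
    if verify_all "$d/pinned.sha256" "$d" 2>/dev/null; then t=ok; else t=bad; fi
    rm -rf "$d"
    echo "clean=$clean tampered=$t"
}

demo
```

The pinned digests have to come from a channel other than the download itself (for example, recorded once from a copy that was reviewed), otherwise the check only detects corruption in transit.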
other use cases:
- it would be possible to use the 7170 as an analog-to-VoIP converter
- connect analog or isdn (?) phone or fax to 7170
- enter VoIP account (for example sipgate)
- then LAN-connect to internet router/gateway
- use old analog phone as VoIP client 🙂
https://app.sipgatebasic.de/konfiguration/127/avm-fritz-box-alle-modelle#FritzBox%207170
Links:
https://www.ip-phone-forum.de/forums/freetz.525/
https://freetz.github.io/wiki/help/howtos/common/newbie.html
https://openwrt.org/toh/avm/fritz.box.wlan.7170
https://schwart6.home.xs4all.nl/fritzbox_7170/
https://ftp.avm.de/archive/fritz.box/tools/fax4box/