JavaScript can compromise the user’s network devices!

pretty evil are devices/routers with security problems that can be exploited from javascript.

so basically opening a webpage with a browser that has javascript enabled (which most browsers have)

might scan the user’s network for vulnerable devices

and then try to conquer/own those devices,

resulting in all kinds of trouble for the user or other users, e.g. in the form of DDoS attacks that this router might then participate in

what is pretty terrible: planned router and other IoT obsolescence

AVM and other router vendors are dishing out versions of their products by the masses

after a few years (less than 5) the vendors drop support for the device, forcing users to “throw away and buy new” (which is good for the vendor, more turnover, but bad for the environment (complete waste of resources) and for the user (costs a lot of money))

this kind of planned obsolescence needs to be avoided.

ideal would probably be that those routers are actually replaced by “normal” embedded PCs that run GNU/Linux Debian and get updated just like any other PC, with a DSL or LTE modem connected to them.

about the hardware:

This device is NOT RECOMMENDED for future use with OpenWrt due to low flash/ram.
DO NOT BUY DEVICES WITH 4MB FLASH / 32MB RAM if you intend to flash an up-to-date and secure OpenWrt version (18.06 or later) onto it! See 4/32 warning for details. (src)

Hardware versions

Version/Model | Launch Date | S/N       | OpenWrt Version Supported | Model Specific Notes                                | Annex
v1            | 2006-01     | 2000 2329 | untested                  | 3x Phone via one RJ-12 socket                       | ?
v2            | ?           | 2000 2361 | untested                  | 2x Phone via RJ-12 sockets, 1x via marshaling panel | ?
?             | ?           | 2000 2397 | untested                  | 2x Phone via RJ-12 sockets, 1x via marshaling panel | A

Hardware summary

SoC: AR7 Ohio @ 212MHz, Texas Instruments TNETD7300ZDW or Infineon/Lantiq PSB7200ZDW
CPU: 32-bit MIPSEL RISC CPU with MIPS 4KEc (?)
RAM: 32 MiB Sync DRAM, Zentel A3V56S40FTP-G6
Flash: 8 MiB, Spansion S29GL064N90TF103
Flash layout: Hidden root
Bootloader: ADAM2/EVA
Ethernet: 4 x 100 Mbit/s, Infineon ADM6996FC
Phone: 2x or 3x RJ12, Litelink CPC5621A
DSL: ADSL2/2+
USB: 1x USB 1.1
Serial console: onboard
JTAG

See also:


  • 32 MB can work for minimal router/AP functions, but may repeatedly “crash”, depending on your hardware and use case
  • 64 MB may still have issues with stability, depending on your hardware and use cases
  • 128 MB or more is recommended if software past basic router/AP functionality is to be used
  • (src)

let’s get started

what the user will need:

  1. VirtualBox installed
  2. freetz.ova https://sourceforge.net/projects/freetz-linux/
    • import the appliance:
  3. ftp://ftp.avm.de/archive/fritz.box/fritzbox.fon_wlan_7170/firmware/
    • optional: only needed to flash the stock firmware back if things go wrong

let’s get started:

it is probably wise to factory reset the fritzbox before flashing

# login to the vm
ssh -v freetz@ip.of.the.vm

# become root
su - root

# update system to latest software
apt update;
apt upgrade;

# probably wise to restart system then
shutdown -r now

# login to the vm again
ssh -v freetz@ip.of.the.vm 

# download freetz sources
git clone https://github.com/Freetz/freetz

# config the build
# (select target model in this example 7170, then go exit (saves .config))
cd freetz
make menuconfig

# start compilation process
make

...
stripping leftover unstripped binaries
    build/modified/filesystem/usr/share/ctlmgr/libctlusb.so
    build/modified/filesystem/lib/libm-0.9.29.so
    build/modified/filesystem/lib/libdl-0.9.29.so
    build/modified/filesystem/lib/libacgenusb.so.1.0.0
    build/modified/filesystem/lib/libpop3lib.so.1.0.0
    build/modified/filesystem/lib/libled2.so.2.2.0
    build/modified/filesystem/lib/libusbcfg.so.1.0.0
    build/modified/filesystem/lib/libluaxml.so.1.0.0
    build/modified/filesystem/lib/libavmacl.so.0.0.0
    build/modified/filesystem/lib/libluatextdb.so.1.0.0
    build/modified/filesystem/lib/libpthread-0.9.29.so
    build/modified/filesystem/lib/librt-0.9.29.so
    build/modified/filesystem/lib/ld-uClibc-0.9.29.so
    build/modified/filesystem/lib/libmaillib.so.2.0.0
    build/modified/filesystem/lib/libtiinterpreter.so.0.0.0
    build/modified/filesystem/lib/libupnpdevusb.so.1.0.0
    build/modified/filesystem/lib/libuClibc-0.9.29.so
    build/modified/filesystem/lib/libcrypt-0.9.29.so
done.

STEP 3: PACK
  checking for left over version-control-system files
  integrate freetz info file into image
packing var.tar
creating filesystem image (SquashFS2-lzma)
  SquashFS block size: 64 kB (65536 bytes)
merging kernel image
  kernel image size: 7.4 MB, max 7.4 MB, free 0.0 MB (32512 bytes)
  WARNING: Not enough free flash space for answering machine!
adding checksum to kernel.image
packing images/7170_04.88-freetz-master--f4147ce.de_20200817-221340.image
  unsigned image file size: 8.2 MB (8591360 bytes)
using unsigned image as the final one
done.

FINISHED

# the newly created image files are saved in the images folder
ll ./images
7170_04.88-freetz-master--f4147ce.de_20200817-221340.image
# did another build with "replace kernel"
7170_04.88-freetz-master--f4147ce.de_20200817-223933.custom.kernel.image
# logout of freetz vm
Ctrl+D

# copy freetz image files to host
scp -v freetz@192.168.ip.of.vm:/home/freetz/freetz/images/* /projects/freetz.org/7170/

flash the image:

now the user browses to the web interface of the fritzbox 7170 at http://192.168.178.1

go to “inhalt” / contents and go to “update”

there the user is asked to save the settings of the fritzbox prior to updating the firmware

then select the firmware file (both files worked for me, with and without “replace kernel”)

wait… wait…

confirm again that the user really wants to flash this firmware, wait… wait… wait a bit longer… watch the green LEDs flash… watch the fritzbox reboot

now the fritzbox should be back with its original web interface PLUS

under http://192.168.178.1:81 the user can access

usr: admin

pwd: freetz

the newly added freetz interface 🙂

and do all sorts of stuff.

nice.

next recommended steps are: prepare a usb stick to be used as swap partition (gnu linux / unix systems do not work particularly well without enough ram and swap)

strange stuff is going on in dmesg:

# there is no package mcelog anymore in Debian 10 Buster
# for whatever reason
# view the journal of the current boot, scroll to the very end
journalctl -b
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: Machine check events logged
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e34411fa2 
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: Machine check events logged
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e3830c490 
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e383ed355 
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e3950f504 
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e3a2fdfdc 
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:31 giada kernel: mce: [Hardware Error]: CPU 1: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:31 giada kernel: mce: [Hardware Error]: TSC 5d0f0ffdf588 
Aug 17 22:39:31 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696771 SOCKET 0 APIC 2 microcode 17
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: TSC 5d1040fbd14a 
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696773 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: TSC 5d1041043b2b 
Aug 17 22:39:33 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696773 SOCKET 0 APIC 0 microcode 17
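As an added example (not part of the original post), here is a small decoder for the mce lines above, doing what mcelog would have done: it picks out the "CPU n: Machine Check" records, decodes the architectural bits of the Bank 0 status word (IA32_MCi_STATUS layout from the Intel SDM, which applies here since PROCESSOR 0:40651 is an Intel family 6 part) and tells corrected from uncorrected errors. The sample input is a subset of the journal output above; Python is assumed as the demo language.

```python
import re
from collections import defaultdict

# Subset of the journalctl output shown above (one CPU 0 and one CPU 1 record).
SAMPLE_LOG = """\
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: Machine check events logged
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: CPU 0: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: TSC 5d0e34411fa2
Aug 17 22:39:29 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696769 SOCKET 0 APIC 0 microcode 17
Aug 17 22:39:31 giada kernel: mce: [Hardware Error]: CPU 1: Machine Check: 0 Bank 0: 90000040000f0005
Aug 17 22:39:31 giada kernel: mce: [Hardware Error]: TSC 5d0f0ffdf588
Aug 17 22:39:31 giada kernel: mce: [Hardware Error]: PROCESSOR 0:40651 TIME 1597696771 SOCKET 0 APIC 2 microcode 17
"""

# "CPU 0: Machine Check: 0 Bank 0: 90000040000f0005" -> cpu, mcgstatus, bank, status (hex)
MCE_RE = re.compile(r"CPU (\d+): Machine Check: (\d+) Bank (\d+): ([0-9a-fA-F]+)")


def decode_status(status: int) -> dict:
    """Decode the architectural fields of an IA32_MCi_STATUS value."""
    def bit(n: int) -> bool:
        return bool((status >> n) & 1)

    return {
        "valid": bit(63),            # VAL: the bank holds a valid error record
        "overflow": bit(62),         # OVER: another error hit before this one was read
        "uncorrected": bit(61),      # UC: hardware could not correct the error
        "enabled": bit(60),          # EN: reporting was enabled for this bank
        "misc_valid": bit(59),       # MISCV: IA32_MCi_MISC holds extra info
        "addr_valid": bit(58),       # ADDRV: IA32_MCi_ADDR holds a valid address
        "context_corrupt": bit(57),  # PCC: processor context may be corrupt
        "corrected_count": (status >> 38) & 0x7FFF,  # bits 52:38
        "mscod": (status >> 16) & 0xFFFF,            # model-specific error code
        "mcacod": status & 0xFFFF,                   # architectural MCA error code
    }


def parse_mce_log(text: str) -> list:
    """Return one dict per 'CPU n: Machine Check' line with its decoded status."""
    events = []
    for line in text.splitlines():
        m = MCE_RE.search(line)
        if not m:
            continue  # TSC / PROCESSOR / "events logged" lines carry no status word
        cpu, mcgstatus, bank, status_hex = m.groups()
        status = int(status_hex, 16)
        events.append({"cpu": int(cpu), "bank": int(bank),
                       "mcgstatus": int(mcgstatus), "status": status,
                       **decode_status(status)})
    return events


def summarize(events: list) -> dict:
    """Count records per CPU and report the worst severity seen."""
    per_cpu = defaultdict(int)
    severity = "corrected"
    for e in events:
        per_cpu[e["cpu"]] += 1
        if e["context_corrupt"]:
            severity = "fatal"
        elif e["uncorrected"] and severity != "fatal":
            severity = "uncorrected"
    return {"per_cpu": dict(per_cpu), "severity": severity}
```

For the status word on this page the decoder reports a valid, enabled, corrected error (count 1) in bank 0, i.e. nothing the kernel had to halt for, but worth tracking if it keeps recurring on the same CPU.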

OpenWRT?

there seems to be some OpenWRT support and image files for the 7170 (untested yet)

https://openwrt.org/toh/avm/fritz.box.wlan.7170

src: https://web.archive.org/web/20120325183643/http://deve.loping.net/files/FRITZ-WRT-HOWTO.html.en

Firmware

Only the squashfs version works. The jffs2 image won’t boot.

Stock firmware source: AVM’s sourcecode

HOWTO for OpenWRT on the FRITZ!Box 7170

  1. Prerequisites

    To compile OpenWRT you will need the following Software:

    • gcc
    • binutils
    • patch
    • bzip2
    • flex
    • bison
    • make
    • gettext
    • pkg-config
    • unzip
    • libz-dev
    • libc6-dev
    • libncurses5-dev
    • libstring-crc32-perl

    On a Debian “etch” system you can install these packages with the following command:

    aptitude install build-essential binutils patch bzip2 flex bison \
        gettext pkg-config unzip zlib1g-dev libncurses5-dev libstring-crc32-perl
    

    Additionally you will need the Subversion client, which you can install with this command:

    aptitude install subversion
    
  2. Obtaining the source code

    You get the source code to OpenWRT from the OpenWRT SVN trunk with this command:

    svn co -r 9340 https://svn.openwrt.org/openwrt/trunk openwrt
    

    After this you should have a folder with the name “openwrt” in the current directory. Change into this directory and patch the source code with the FRITZ!WRT patches:

    cd openwrt
    wget -q -O - http://code.bastart.eu.org.nyud.net/files/ar7-atm-module-params.patch | patch -p0
    wget -q -O - http://code.bastart.eu.org.nyud.net/files/ar7-fritz-eva-loader.patch | patch -p0
    wget -q -O - http://code.bastart.eu.org.nyud.net/files/ar7-fritz-gpio-leds.patch | patch -p0
    wget -q -O - http://code.bastart.eu.org.nyud.net/files/ar7-fritz-reduce-flash-size.patch | patch -p0
    

    You now have a fully patched copy of the OpenWRT source code.

  3. Configuration of the working copy

    Because you now have a working copy of the OpenWRT source code, you can configure it with this command:

    make menuconfig
    

    Here you should select “TI AR7 [2.6]” as the “Target System” and select “No WiFi” as the “Target Profile”.
    Under “Target Images” you only need “squashfs” and the rest can be removed.
    Additionally you should select kmod-sangam-atm-annex-b under “Kernel modules” | “Network Devices” for the DSL support.
    The rest of the configuration is up to you.
    Now exit the menu with Exit and choose “Yes” at the question asking you if the configuration should be saved.

    You now have a file with the name .config in your working copy directory. You can make a backup of this file so you can restore it later. If you restore the configuration, don’t forget this command:

    make oldconfig
    
  4. Compiling the configured working copy

    After you configured the working copy, you can start the compilation with this command:

    make
    

    or for users that are like me and like to see many messages because they wouldn’t believe something is going on otherwise:

    make V=99
    

    Now go get a coffee or something similar because the compilation will take some time depending on your computer’s speed, because the complete toolchain (gcc, binutils, libc, etc…) is being compiled.

  5. Installation of the firmware

    Finally, after long waiting, you can install the firmware. The required version is in the directory “bin”. The relevant files for the FRITZ!Box are the following:

    openwrt-ar7-2.6-squashfs.bin - ADAM2
    openwrt-EVA-2.6-squashfs.bin - EVA

    The former is for FRITZ!Boxes with the ADAM2 bootloader (I didn’t test this) while the latter is for FRITZ!Boxes with the EVA bootloader. The difference is that the ADAM2 version has its own LZMA loader, while the EVA version only has the EVA header because the loader can decompress LZMA and start the kernel by itself.

    You can now use FRITZ!Flash to flash the firmware onto your box:

    ~/fritz-flash -f bin/openwrt-EVA-2.6-squashfs.bin
    

    In case you have the variable “kernel_args” set in your bootloader, you will have to modify it with this command:

    setenv kernel_args init=/etc/preinit
    

    The bootlog of the firmware over the serial port should now approximately look like this:

    (AVM) EVA Revision: 1.136 Version: 1136
    (C) Copyright 2005 AVM Date: Feb  2 2006 Time: 12:38:21 (1) 2 0-1111
    
    [FLASH:] MACRONIX Top-MirrorBit-Flash 8MB 32 Bytes WriteBuffer
    [FLASH:](Eraseregion [0] 127 sectors a 64kB)
    [FLASH:](Eraseregion [1] 8 sectors a 8kB)
    [SYSTEM:] OHIO on 211MHz/125MHz
    
    Eva_AVM >
    AVM decompress Kernel:
    .................done
    start kernel
    Linux version 2.6.22.4 (ago@agovm) (gcc version 4.1.2) #21 Wed Aug 29 08:10:46 EDT 2007
    CPU revision is: 00018448
    Clocks: Async mode
    Clocks: Setting DSP clock
    Clocks: base = 25000000, frequency = 125000000, prediv = 1, postdiv = 2, postdiv2 = 1, mul = 10
    Clocks: Setting CPU clock
    Adjusted requested frequency 211000000 to 211968000
    Clocks: base = 35328000, frequency = 211968000, prediv = 1, postdiv = 1, postdiv2 = -1, mul = 6
    Clocks: Setting USB clock
    Adjusted requested frequency 48000000 to 48076920
    Clocks: base = 125000000, frequency = 48000000, prediv = 13, postdiv = 1, postdiv2 = -1, mul = 5
    TI AR7 (TNETD7200), ID: 0x002b, Revision: 0x11
    Determined physical RAM map:
     memory: 02000000 @ 14000000 (usable)
    Built 1 zonelists.  Total pages: 8128
    Kernel command line: init=/etc/preinit console=ttyS0,38400n8r
    Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
    Primary data cache 8kB, 4-way, linesize 16 bytes.
    Synthesized TLB refill handler (20 instructions).
    Synthesized TLB load handler fastpath (32 instructions).
    Synthesized TLB store handler fastpath (32 instructions).
    Synthesized TLB modify handler fastpath (31 instructions).
    PID hash table entries: 128 (order: 7, 512 bytes)
    Using 105.984 MHz high precision timer.
    Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
    Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
    Memory: 28804k/32768k available (2026k kernel code, 3964k reserved, 406k data, 104k init, 0k highmem)
    Mount-cache hash table entries: 512
    NET: Registered protocol family 16
    vlynq0: regs 0x08611800, irq 29, mem 0x04000000
    Generic PHY: Registered new driver
    Time: MIPS clocksource has been installed.
    NET: Registered protocol family 2
    IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
    TCP established hash table entries: 1024 (order: 1, 8192 bytes)
    TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
    TCP: Hash tables configured (established 1024 bind 1024)
    TCP reno registered
    squashfs: version 3.0 (2006/03/15) Phillip Lougher
    Registering mini_fo version $Id$
    JFFS2 version 2.2. (NAND) (c) 2001-2006 Red Hat, Inc.
    io scheduler noop registered
    io scheduler deadline registered (default)
    ar7_wdt: timer margin 59 seconds (prescale 65535, change 57180, freq 62500000)
    Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
    serial8250: ttyS0 at MMIO 0x8610e00 (irq = 15) is a TI-AR7
    console handover: boot [early0] -> real [ttyS0]
    Fixed PHY: Registered new driver
    cpmac-mii: probed
    cpmac: device eth0 (regs: 08610000, irq: 27, phy: fixed@100:1, mac: 00:15:0c:fc:06:25)
    physmap platform flash device: 00400000 at 10000000
    physmap-flash.0: Found 1 x16 devices at 0x0 in 16-bit bank
    NOR chip too large to fit in mapping. Attempting to cope...
     Amd/Fujitsu Extended Query Table at 0x0040
    physmap-flash.0: Swapping erase regions for broken CFI table.
    number of CFI chips: 1
    cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
    Reducing visibility of 8192KiB chip to 4096KiB
    cmdlinepart partition parsing not available
    RedBoot partition parsing not available
    Parsing AR7 partition map...
    4 ar7part partitions found on MTD device physmap-flash.0
    Creating 4 MTD partitions on "physmap-flash.0":
    0x00000000-0x00010000 : "loader"
    0x003f0000-0x00400000 : "config"
    0x00010000-0x003f0000 : "linux"
    0x000e0000-0x003f0000 : "rootfs"
    mtd: partition "rootfs" set to be root filesystem
    mtd: partition "rootfs_data" created automatically, ofs=1B0000, len=240000
    0x001b0000-0x003f0000 : "rootfs_data"
    Registered led device: ar7:status
    Registered led device: avm:led0
    Registered led device: avm:led1
    Registered led device: avm:led2
    Registered led device: avm:led3
    Registered led device: avm:led4
    nf_conntrack version 0.5.0 (256 buckets, 2048 max)
    ip_tables: (C) 2000-2006 Netfilter Core Team
    TCP vegas registered
    NET: Registered protocol family 1
    NET: Registered protocol family 17
    802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
    All bugs added by David S. Miller <davem@redhat.com>
    VFS: Mounted root (squashfs filesystem) readonly.
    Freeing unused kernel memory: 104k freed
    Warning: unable to open an initial console.
    Algorithmics/MIPS FPU Emulator v1.5
    mini_fo: using base directory: /
    mini_fo: using storage directory: /jffs
    init started:  BusyBox v1.4.2 (2007-08-28 10:02:21 EDT) multi-call binary
    Please press Enter to activate this console. device eth0 entered promiscuous mode
    br-lan: port 1(eth0) entering learning state
    br-lan: topology change detected, propagating
    br-lan: port 1(eth0) entering forwarding state
    NET: Registered protocol family 8
    NET: Registered protocol family 20
    PHY: fixed@100:1 - Link is Up - 10/Half
    registered device TI Avalanche SAR
    Ohio250(7200/7100A2) detected
    requesting firmware image "ar0700xx.bin"
    Creating new root folder avalanche in the proc for the driver stats
    Texas Instruments ATM driver: version:[7.02.01.00]
    device nas0 entered promiscuous mode
    br-lan: port 2(nas0) entering learning state
    br-lan: topology change detected, propagating
    br-lan: port 2(nas0) entering forwarding state
    
    
    
    BusyBox v1.4.2 (2007-08-28 10:02:21 EDT) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    
      _______                     ________        __
     |       |.-----.-----.-----.|  |  |  |.----.|  |_
     |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
     |_______||   __|_____|__|__||________||__|  |____|
              |__| F r i t z ! B o x   F R E E D O M
     ---------------------------------------------------
    root@fritz:/#
    

    I wish you much joy with your newly installed FRITZ!WRT system!

    Axel Gembe

other usecases:

  • it would be possible to use the 7170 as an analog-to-VoIP converter
  • connect an analog or isdn (?) phone or fax to the 7170
  • enter VoIP account (for example sipgate)
  • then LAN-connect to internet router/gateway
  • use old analog phone as VoIP client 🙂

https://app.sipgatebasic.de/konfiguration/127/avm-fritz-box-alle-modelle#FritzBox%207170

Links:

https://www.ip-phone-forum.de/forums/freetz.525/

https://freetz.github.io/wiki/help/howtos/common/newbie.html

more on mce errors

https://openwrt.org/toh/avm/fritz.box.wlan.7170

https://schwart6.home.xs4all.nl/fritzbox_7170/

https://ftp.avm.de/archive/fritz.box/tools/fax4box/


admin