Tilgin TG275X Router Hacking Guide¶

Screenshot_20221111_205015

This guide provides step-by-step instructions on hacking the Tilgin TG275X Router from Bredband2. By following these procedures, you will gain access to advanced features and settings of the router. Please note that hacking or unauthorized access to routers without proper authorization is illegal and unethical. This guide is for educational purposes only.

Please note that attempting to hack or gain unauthorized access to any device or network is against the law and can result in severe legal consequences. Always ensure that you have proper authorization and follow ethical guidelines when conducting any security-related activities.

tilgin/header.jpg

This is how you activate SSH once you've logged in.

tilgin_root

Do not connect the WAN cable. The device must be offline from the internet during this process until you edit the TR-069 source via the web GUI

Reset the device via the reset button.
Turn on the router.
Log in as admin:admin.
Navigate to Tools > Administrator Account. Change the admin password.
Download a backup configuration from Tools > Backup/Restore > Download configuration.
Visit Status > System Log.
Connect the WAN connection cable.
Reverse shell.

Board	Device
TX	> TX
RX	> RX
GND	> GND
3.3V	> NOT NEEDED

Serial Console¶

Enter Serial Console¶

screen /dev/ttyACM0 115200,cs8

Serial Console¶

Login: N/A
Password: N/A
Baudrate: 115200

User Accounts¶

root

Username: root
Password: ahy9mee2
Password_def: v6+i1-Q5-E5_e1$F0
Password_rev: 04_01_00_36

admin

Alltele/Bredband2 default password for admin

Before you connect your device to the internet, the default login is: admin:admin, and depending on what you have set to /etc/trol.conf, you will get the ISP password for the config you have set. As default: `

trol.conf.bb2` on this device from Bredband2.

```bash Username: admin Password: a3_Banankontakt! Password_def:

b7,T7-I7/i3/E3+i0 Password_rev: 04_01_00_36 ```

user (default)

Username: user
Password: user
Password_def: T8,b1=l9,G0
Password_rev: 04_01_00_36

SSH Access¶

Browse to: http://192.168.1.1/tools/ssh.
Login with: root: ah9mee2.
Now SSH to your router: ssh -oHostKeyAlgorithms=+ssh-dss root@192.168.1.1.

Securing the Device¶

Copy and paste the following commands:

userName="changeme"
userPassword="changeme"

for users in 1 2 3; do 
  cset ${userName} /webui/user/${users}/name 
  cset ${userPassword} /webui/user/${users}/password
done

Change Root Password¶

echo username:password | chpasswd

Identity File¶

cat /usr/var/identity.txt

cat /usr/var/dmesg.init

Factory Files

# ls /usr/var/etc/ -1
calls.crm
certstore
config
config.crm
crm_factory
factory.box.log
factory.crm
factory.sw.log
factory_config_patch.sh
recon.crm
tr069_route_idx.dat
tr104_call.log
trol
voip.crm
wlan_factory_config

Kernel command line

Linux version 4.9.218 (helen@builserver01) (gcc version 6.3.0 (GCC)) #3 SMP Sat Oct 16 15:53:20 BST 2021

MTD Partitions

dev:    size   erasesize  name
mtd0: 00100000 00020000 "U-Boot"
mtd1: 07f00000 00020000 "ubi"
mtd2: 01e08000 0001f000 "package"
mtd3: 00008000 0001f000 "Log"
mtd4: 00001f00 0001f000 "Environment"
mtd6: 00002000 0001f000 "Misc-A"
mtd7: 00002000 0001f000 "Config-C"
mtd8: 00307000 0001f000 "kernel"
mtd9: 0273c000 0001f000 "rootfs"
mtd10: 0001f000 0001f000 "appfs"
mtd11: 0001f000 0001f000 "caldata"
mtd12: 000000aa 0001f000 "test_data"
mtd13: 0000d000 0001f000 "Config-A"

Firewall¶

iptables and dropbear commands and other superuser commands won't work by default since they are not added to PATH. Fix this by copying and pasting the following:

echo 'export PATH=${PATH}:/usr/sbin' >> /etc/profile
. /etc/profile

/etc/fstab

 <file system> <mount point>   <type>          <options>               <dump>  <pass>
proc            /proc           proc           

 defaults                0       0
procbususb      /proc/bus/usb   usbfs           defaults                0       0
/dev/mtdblock/4 /               auto            defaults,remount,ro     1       1
none            /ramdisk        tmpfs           nr_inodes=2k,mode=755   0       0

??? /etc/inittab

# cat inittab 
::sysinit:/etc/init.d/rcS
::shutdown:/etc/rc.d/init.d/shutdown
#::askfirst:/bin/busybox cttyhack /bin/sh --login

cget¶

Dump Current Theme¶

cget /enum/webui_layout/bb2/value
cget /enum/webui_layout/bb2/name

Dump All Theme Layouts¶

set ("tilgin", "telekom_srbija", "hyperoptic", "o2_final", "bezeq", "bezeqint", "vtech", "golan", "hkbn", "hadara", "paltel", "sure", "ttnet", "bb2")

Dump Layouts 2

# cget -r /enum/webui_layout 
tilgin telekom_srbija hyperoptic o2_final bezeq bezeqint vtech golan hkbn hadara paltel sure ttnet bb2

Dump Valid Shells¶

cget /enum/user_shell/

cset¶

Reset Setup Wizard¶

cset /webui/wizard/set/reset true

Give Telnet Admin Access¶

cset /telnetd/admin true
cset /telnetd/port 23
cset /telnetd/enabled true

Dump Instance Running¶

cget /service/instance/table

Dump resolv.conf File¶

cget /service/class/table/management/resolv.conf

Dump ftpd¶

cget /ftpd/enabled

Dump Tunnel Info¶

cdump /security/tunnel/server/1/

Set WebUI Layout

cget -r /enum/webui_layout | tr ' ' '\n' | sort | sed 's/^/cset \/webui\/layout\//g'
cset /webui/layout/
cset /webui/layout/bb2
cset /webui/layout/bezeq
cset /webui/layout/bezeqint
cset /webui/layout/golan
cset /webui/layout/hadara
cset /webui/layout/hkbn
cset /webui/layout/hyperoptic
cset /webui/layout/o2_final
cset /webui/layout/paltel
cset /webui/layout/sure
cset /webui/layout/telekom_srbija
cset /webui/layout/tilgin
cset /webui/layout/ttnet
cset /webui/layout/vtech

Print All Sections

cget -r / | tr ' ' '\n' | sort

ac
alg
atm_vc
btc
button
cli
config
connection
console
debug


dect
dhcp
dlna
dns
dyndns
enum
ethernet
execution
extfs
firewall
ftpd
generic
hotplug
httpd
if
igmp
initial_state
ip
km
l2tp
lan
led
log


logevt
module
mproxy
mptcp
nat_pmp
net
net_diag
ntp
package
ping
pm
pmem
port
ports_shutdown
ppe
printing
process
qos
radvd
recon
rip
route
rtspproxy
samba
security
service
sniffer
snmp
sshd
storage
stun
subscription
system
telnetd
temp_sensor
term_equip
tftpd
tg
tonido
tr064
tr069
traceroute
trendmicro
type
update
upnp
usb
virtualization
voip
wdt
webui
wlan

Dump All Settings on the Device¶

cdump /

TR069 Settings¶

cdump /tr069

Dump Data: User 1

# cdump /webui/user/1
/webui/user/1/
enabled = True
name = wuseman
realname = Provider's operator
password = root
password_def = t2/H3-Y4/Z0=A8/z4
password_rev = 04_01_00_36
password_template = 
session_duration = 0
inactive_timeout = 1800
alive_check_time = 0
start_realtime = 99081
locked = False
captcha_passed = False
remote_check = False
first_login = False
start_monotonic = 99081
alive_monotonic = 99083
passwd_update = 0
logged_in = False
session_lock_time = 0
exclude = 
httpd_serv = 
access_level = /enum/webui_access_level/maintainer
shell = /enum/user_shell/BASH
auth_next_try_time = 0
auth_try_time_left = 0
auth_total_failures = 0
local_proto_str = HTTP,HTTPS,SSH
remote_proto_str = HTTP,HTTPS,SSH
local_access = True
remote_access = True
auth_fail_intervals_str = 0,1,5,10,30,60,180,300,600,900,1200,1800
local_proto/
  HTTP = True
  HTTPS = True
  SSH = True
remote_proto/
  HTTP = True
  HTTPS = True
  SSH = True
password_reset/
  execute = False
  reset = False
account_login_attempt/
  success = Invalid
  execute = False
  reset = False

Dump Initial State

/initial_state/
  unlock/
    execute = False
    reset = False
  lock/
    execute = False
    reset = False
  control/
    execute = False
    reset = False
  status = False