Peel Apart Your ISP’s Router

Whether your home Internet connection comes by ADSL, fibre, cable, or even satellite, at some point in the chain between your ISP and your computer will be a router in your home. For some of us it’s a model we’ve bought ourselves and loaded up with a custom distro, but for the majority it’s a box supplied by our ISP and subject to their settings and restrictions. [Paddlesteamer] has just such a router, a Huawei model supplied by the Turkcell ISP, and decided to do a little snooping into its setup.

In a tale of three parts, we see the device unravel, from uncovering a shell to reverse engineering its update process, to delving in its firmware and finally removing all its restrictions entirely. It’s a fascinating process in which we learn a lot, such as the way a man-in-the-middle attack is performed on the router’s connection tot he ISP, or that it contains an authorised SSH key seemingly giving Huawei a back door into it. You may never do this with your ISP’s router, but it pays to be aware of what can be put in your home by them without your realising it.

The Golden Age of router hacking may be behind us as the likes of the Raspberry Pi have replaced surplus routers as a source of cheap Linux boards, but  as this shows us there’s still a need to dive inside a router from time to time. After all, locked-down routers are hardly a new phenomenon.

Via Hacker News.

35 thoughts on “Peel Apart Your ISP’s Router

        1. LOL While there’s whining, like worn out tranny, about colloquial terms. Can I ad amperage to the list before the world runs out of bits creating such a list? Thank you.

    1. Same here, using it at work with a netgate appliance. Using it with VM also. It just works. And deploying new remote people with OpenVpn with pfsense is just easy ! Wish I could hack my ISP huawei router with pfsense :-)

    2. I decided to try OPNSense based on a sysadmin friend’s recommendation. I’m running it on a tiny PC with a pair of NICs in it. My brother has been playing with pfsense and we,ve been comparing notes.
      In my case, I wanted something I could keep up to date in terms of security issues. The consumer grade routers out there are all based on silicon that makes it hard for 3rd party firmware to provide full support and full performance for. I was also getting frustrated with the messed up landscape of the various DD-WRT builds, forks, and other related projects.
      So I figured I’d build something x86 based since writing software for such a system is straightforward and does not have the same documentation and support hurdles of a router SOC.

      We don’t believe either OS is ready for the consumer market. It’s too difficult to track down issues (like with IPS rules) when things go wrong. The port forwarding systems are more complicated than consumer products as another example.
      They are a great starting point, but better UIs and built in trouble shooting tools, a mobile friendly UI, streamlined processes for home users, and some other ‘comfort’ features would really make either of these router OSes amazing.

      I’d love to see someone do for pfsense and OPNsense what Ubuntu originally did for Linus in the eyes of consumers.

    3. From the moment i first install pfsense i know it was the right tool for my needs. The difficult part was deciding the hardware, power-wise for 24/7 operation, and low noise. I finally get a pc engines apu2c4 and never looked back. In the begining i boot from sd card but it get corrupt in a while. After installing a msata drive, never had any issues.

  1. I used pfSense for a few years before swithcing to a MikroTik Routerboard (RB760iGS). Honestly it felt like a step backwards at first – but since then, I’ve been thoroughly impressed. Especially if you’re proficient with ipfilter/iptables, it’ll be very familiar to you. Hardware-wise they are really convenient with some nice features even on the lower-end boxes.

    1. Mikrotik FTW! You can get pretty mighty hardware for decent price, options are vast and big advantage compared to old computers is they use few watts instead of few dozens or even hundreds.

  2. If anyone else is looking to replicate the Person in the Middle approach, I documented one approach in some detail in this blog post: https://sensepost.com/blog/2018/mallet-in-the-middle/
    Uses a cheap GL.Inet router with 2 Ethernet ports as the PitM, and includes docs and pointers to a software tool (that I wrote) that facilitates interception and tampering with traffic of arbitrary protocols. Redsocks is also a key part of the toolset, as one end of a Linux Transparent Proxy system.

  3. I hate most of ISP’s routers, in special the routers from ONO (a sub-brand of vodafone), since one day they tought that would be a great idea to split the poor wifi connection of the users into two different wifis, one is the user wifi and the other is the “auto_ono_wifi” wich is used to give internet access to ONO clients who pay for that service. Yes, ONO turned all his clients routers into access points for a paid service without asking the clients first, and the best part is they said they increased the bandwith of their clients in order to reserve a part of It for the “auto_ono_wifi” without using the bandwith for the user wifi, but you know what? It never worked as intended, and having a parasite (i.e. a client for auto_ono_wifi) connected to your router usually would made your connection unstable and slow.

    1. I have seen this in a few countries in Europe, I think in general it is on by default, but you can turn it off. You as a client can use any other client’s connection and vice versa. I never checked what is happening with the bandwidth, but I would imagine for the majority of time the connection is not saturated by either party so it would be smooth sailing for both.

      1. British Telecom did that a few years ago, I assume they still do. Again, if you opt in to making your router one of their nationwide access points, to then you also get access to everyone else’s. I dunno if they sneakily sell part of that as an extra to other customers who aren’t contributing, it rings half a bell but I’ve got worse memory than a ZX81 RAM pack.

        As a purely optional, mutual system I think it can only be a good thing. I would imagine there’s a scheme in place where you can’t just switch it on every time you want to use it, but off again when you’re at home.

        That all said though, using Wifi for public, widespread access is pretty stupid and pointless cos it just wasn’t designed for that use. The short range and spectrum allocation are all designed with replacing office Ethernet, not a mobile phone network. It was a thing a few years ago for cities to rather optimistically stick routers up to every lamp post, I bet chaotic feedback problems ended up being the biggest net consumer of spectrum.

      2. Yes, UPC does this here in Switzerland. My router broadcasts both my secure wifi connection and the ‘free’ version that is accessible to anyone who is also a UPC customer.

        I can turn it off, but I have to log in to my online account first.

        I just discovered a few weeks ago, after upgrading to a wifi router with better signal, that I cannot disable the radio in the modem. I can ‘disable’ the wifi, but all that does is refuse to authenticate a connection, while still broadcasting.

        Didn’t Comcast and Verizon try this in the US a few years back?

          1. If it’s unsecured then it’s a WiFi hotspot provided by a business, if it’s secured then you must be an Xfinity customer and it will use your main Comcast login information to get connected. The two networks are isolated and the Xfinity connection has very limited bandwidth along with not counting towards any data caps. A word of warning – using your own hotspot (or your neighbors Xfinity hotspot) to circumvent data caps can get the hotspot turned off on the back end, you’re tracked by username and MAC address so connecting your laptop to your own hotspot is really easy to spot…

            You might not like Comcast but they opened all the (business) hotspots to anyone, turned off the data caps for everyone, and are handing out FREE internet essentials @ 25/5 for all new customers for two months! You can get cable TV and free internet while the pandemic rages on because the Comcast front line techs are still out working hard connecting everyone and maintaining the system.

        1. Comcast / Xfinity here in the US still does that. I didn’t see a quick way to opt out, so I took the combo modem/router/access point back to their store and asked for a modem-only unit since I already had a better router with wifi (Mikrotik routerboard).

          1. You can opt out in your customer account online, there is no option to do it on the web gui or through comcast’s automated setup. Hmmm I wonder why they did that? You can also use your own modem with comcast, but boy is the authorization process a treat.

          2. Comcast doesn’t offer a modem only option, you can purchase one yourself (which is highly recommended because it pays for itself in 8-12 months) and I recommend the Arris SB8200 paired up with whatever WiFi router you desire. Mine has been up and running 24/7/365 for almost 3 years on gigabit without a single problem. You’re safe, this modem doesn’t suffer from the issues of the lower class Arris SB with the Broadcom chip fiasco.

    2. Some of the cable companies in Ontario, Canada do it, but the hotspots are never really in useful places. I guess everybody near a useful place finds their connection slammed and turns it off.

  4. With lots of people with time on their hands then it would be nice to unlock all the locked down routers so they can be reused instead of them being used as landfill.

  5. I enjoyed the deep dive into the Huawei CPE and learned a few things too. Thank you!

    Most everyday people do not require anything advanced of their router. Most everyday people are not of the persuasion to be reading Hack-a-day. They just want the modem to work. Those of us that do visit Hackaday… my experience with my Telco ISP over both DSL and now Fiber is that their modem/router always supports BRIDGE mode, so I can insert any router of my choice (over the years… DDWRT, OpenWRT, Gargoyle, Sophos, now pfSense) after their modem and go. What is really nice is that my ISP supports multiple simultaneous pppoe connections through the same modem, so I can set up separate physical routers, each obtains a different dynamic public IP, so are segregated. In the case of pfSense, anything is possible after a bit of learning. Furthermore, with fiber it is the GPON SFP module serial number that is registered and authenticated, so putting the SFP into your own box will allow direct access to your broadband service usually as VLAN 35 (in my case), which eliminates the TR-069 managed CPE.

    Normal process for your ISP troubleshooting your service starts with that end-to-end managed connection and a modem box they can interrogate. If you have trouble over your delivery method, you may have to put their device back into service.

    1. Getting multiple public IPs from a single ISP account would have been really useful for Perk mining back when the IP address limits have been put in place. Back then, it was so profitable that some large mining operations signed up for second and even third ISPs. (As for why not just use a VPN/VPS, known VPN/VPS ranges are blacklisted.)

    1. That’s an interesting idea. Maybe networks over copper backhauls that are far too long for Ethernet, using hardware that’s basically surplus. Bandwidth won’t be great but many applications like remote monitoring of sensors or even IP cameras don’t need it

    2. For ASDL, the Tx and Rx occupies *different* part of the spectrum. Unless the side that act as the DSLAM can transmit on the Rx band, it won;t talk. There might be analog limitations on the driver circuits. Not sure if the DSP and the firmware support it either.

      Don’t know enough about other xDSL.

    3. Just buy xDSL master/slave modem sets for ~100-200$/€ like e.g. the AllNET ALLMC115.

      As tekkieneet stated it’s not that easy just with normal DSL modems.
      Maybe it’d be easier with SDSL modems (with a device in between that switches the TX and RX frequencies?).

  6. I was lucky enough to find the “guru script hack” in whirlpool.net.au:
    https://forums.whirlpool.net.au/forum-replies.cfm?t=1216321&p=10#r192

    There was a vulnerability in one firmware release for Telstra-supplied Thomson/Technicolour ADSL modems. You didn’t have root access, but you had sufficient privilege to run a script to create a root user at next reboot.

    I was then able to turn off remote access via TR-069, which stopped Telstra applying the firmware update which closed that loophole.

    And I was able to create a heavily-customised configuration with options that weren’t available to non-root level accounts.

    I’m going to miss that modem when we finally get the NBN here. It can live out its days as another wi-fi AP.

  7. Any chance of installing miniDLNA on a router with a USB port? Cheap media server for clients (like some Smart TVs) that just need access to a DLNA server’s shared folder to play media files with their own software.

    I did that with an old HP thin client. Works great, I can push videos to the server to play with the TV instead of having to sneakernet them to the TV on USB sticks or leaving a power sucking PC going all the time to make videos available on my LAN.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.