Author: Xuéyú@Duncan SecTeam
0x00: Preface
China Telecom is the largest fixed-line broadband access service provider among the three major operators, and it was also the earliest to build out fiber broadband. As shown in the figure below, from the early e8-C to the later Tianyi Smart Gateway 1.0, 2.0 and 3.0, and the latest 4.0, its fixed-line terminal access equipment (hereinafter: optical modem) has always been at the forefront of the three major operators. Earlier, I published some analysis articles on China Telecom's optical modems on another platform and on our official WeChat account, but they were very superficial. As the analysis work progressed and our team's experience accumulated, our understanding of China Telecom's optical modems has deepened and our research on their security has become more comprehensive. Starting with this article, we will continue to publish analysis documents on China Telecom's optical modems, which will touch on some security-related issues.
0x01: Article Content
Starting from the Huawei Gateway 3.0, the telecom has boldly introduced lxc container technology into its optical modem, which has greatly expanded the modem's functionality. It is therefore impossible to fully explain this 'cat' (optical modem) in one article; it is expected to take 2 to 3 articles. The analysis plan for the PT926 optical modem is roughly as shown in the figure below:
0x02: Source Code Acquisition
There are two channels for obtaining file information from the optical modem: directly reading the firmware, or obtaining a root shell on the optical modem via telnet or SSH. The first method yields the packed file system image; after unpacking it you get the source files, configuration files and so on, but the information and parameters the optical modem uses at runtime still need further analysis. The second method yields the data of the fully expanded file system loaded into the operating system's memory, including the relevant source files, kernel status data and the optical modem's MIB database. Whether the goal is the firmware or dynamic system data, obtaining a root shell on the optical modem is a must.
2.1 Obtain the password of the optical modem super administrator account (telecomadmin)
Due to the special nature of the optical modem, starting from the e8-C (even the e8 series), all optical modems have a built-in telecomadmin account, which optical modem enthusiasts call the superuser of the optical modem, and the default password of this account is: nE7jA%5m. However, after the optical modem has run for a period of time, the telecom backend regularly updates the password to telecomadminXXXXXXXX, where XXXXXXXX is an 8-digit random number. Optical modems from different manufacturers need different methods to obtain the telecomadmin password, and as a last resort you can also ask the telecom customer service or the installation technician for it, although they will not necessarily give it to you.
For the PT926G, there are at least two methods to obtain the superuser's password. One is to copy the /var/config/lastgood.xml file to a USB drive through an arbitrary file access vulnerability in the web interface. The other is to read /var/config/lastgood.xml directly by exploiting the FTP server access vulnerability of the optical modem. This file stores the current superuser password. Of course, as a last resort, you can also repeatedly reset the optical modem and log in with the factory default password.
By using either of the two aforementioned methods, you can obtain
2.2 Enable (allow access to) SSH or telnet in the optical modem system
For the China Telecom Tianyi Gateway 3.0, there are two ways to enable telnet: temporary enabling and permanent enabling; the specific methods are on the chinadsl.net forum.
Using the lastgood.xml file obtained in the previous step, you can find the password corresponding to the telecomadmin account and log in to the optical modem web portal with it. After confirming that you are logged in to the optical modem with telecomadmin privileges, visit http://192.168.1.1:8080/bd/saveconf.asp to download the config.xml configuration file.
The config.xml file contains the two passwords required to log in to the optical modem over telnet. The telnet login account is admin, and its password is TeleCom_1234. After logging in, su requires the password TeleCom_xxxxxx, where xxxxxx is a 6-digit random number assigned by the telecom operator.
In addition, after logging in to the optical modem with telecomadmin privileges, visiting the page http://192.168.1.1/bd/versioninfo.asp also reveals the telnet login password and the enable password, as shown below:
2.3 Obtain source files: firmware and runtime files
The default shell of the Tianyi Gateway 3.0 is based on busybox, and with the dd command that busybox provides you can simply dump the optical modem firmware. The specific operation process is shown in the figure below. The exported firmware can be saved directly to a mounted USB disk, or saved piece by piece to the /var directory and sent to a configured external TFTP server with the busybox tftp command.
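The export path described above, written out as a script, is given here as an added example; it is not code from the original post or from the PT926G firmware. It parses the partition table in /proc/mtd, runs dd on each MTD partition into /var, pushes the image with busybox tftp and then frees the space, so the small /var directory only ever holds one image. With DRY_RUN=1 (the default) it only prints the commands it would run. The sample /proc/mtd contents, the TFTP host 192.168.1.100 and the image naming are constructed for the demo; on a real device the partition list comes from its own /proc/mtd.

```shell
#!/bin/sh
# Added example; not code from the original post or from the PT926G firmware.
# Scripts the busybox-only firmware export: dd each MTD partition into /var,
# push it to a TFTP server with busybox tftp, then free the space.
# DRY_RUN=1 (the default) only prints the commands.
# The sample /proc/mtd content and the TFTP host 192.168.1.100 are constructed.

# Print "index name" for each partition in a /proc/mtd-format file.
# Lines look like:  mtd0: 00100000 00020000 "boot"
# (a name containing spaces is truncated to its first word, which is fine
# for building a file name)
mtd_list() {
    awk -F'[: "]+' '/^mtd[0-9]+:/ { sub(/^mtd/, "", $1); print $1, $4 }' "$1"
}

# Print a command in dry-run mode, otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Export every partition listed in $1 (a /proc/mtd path) to TFTP host $2.
# busybox tftp: -p = put, -l = local file, -r = remote file name.
dump_mtd() {
    mtd_list "$1" | while read -r idx name; do
        img="/var/mtd${idx}_${name}.bin"
        run dd "if=/dev/mtd${idx}" "of=$img"
        run tftp -p -l "$img" -r "mtd${idx}_${name}.bin" "$2"
        [ "${DRY_RUN:-1}" = 1 ] || rm -f "$img"   # /var is small: keep one image at a time
    done
}

# Write a constructed /proc/mtd sample to a temp file and echo its path.
make_sample_mtd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
dev:    size   erasesize  name
mtd0: 00100000 00020000 "boot"
mtd1: 00400000 00020000 "kernel"
mtd2: 03000000 00020000 "rootfs"
EOF
    echo "$f"
}

# Demo: dry-run over the constructed sample.
f=$(make_sample_mtd)
dump_mtd "$f" 192.168.1.100
rm -f "$f"
```

On the device itself you would point dump_mtd at /proc/mtd and set DRY_RUN=0 once the printed commands look right; the TFTP server has to accept uploads, which busybox's tftp -p requires.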
0x03: Script analysis
3.1 Some necessary chatter
The Tianyi Gateway series products have always used Linux as the underlying operating system, of course a heavily modified Linux, and the telecom has also stuck a pile of shiny labels on it, such as:
“Tianyi Gateway 2.0 carries the important mission of the family network center, family service center and family data center, and this first appearance at MWCS17 even more prominently demonstrates the determination and achievements of China Telecom and operators in the smart home market. Faced with the era of everything connected, the competitive and cooperative relationship between operators and internet companies will become closer and more intense. How to actively grasp the next window period of the smart home market and form a competitive ecological relationship will become a core issue that every participating enterprise must think about.” [1]
“Zhang Mingjie pointed out that the entire China Telecom OS can be remotely upgraded at any time and continuously optimized and iterated. Business is implemented in plug-in mode through the platform, including user self-service, and can be loaded and unloaded at any time, truly realizing from the network terminal to a high level. At the same time, it can also protect the investment in hardware for a relatively long time, rather than having to repurchase after the hardware is issued and some changes are made. This is the basic capability and connection capability of the Huawei Gateway, including the connection for storage and intelligent security.” [2]
As shown above, these high-flying descriptions easily create illusions. On the one hand, operators and product suppliers tend to become immersed in a kind of dizziness; on the other hand, many hackers may fall into an inexplicable self-denial or fear: 'Can I hack such a cool device?' However, if we change the wording, much of that illusion disappears, for example:
Huawei Smart Gateway = SOC + Linux + lxc + middleware
3.1.1 SOC
The evolution of the Huawei Gateway is a process in which hardware and software evolved together, from the earliest Huawei Gateway to the highly integrated Huawei Gateway 4.0. The figure below shows the circuit board of the Youhua Huawei Gateway 4.0 PT928E; the heat sink at the bottom covers a MediaTek SOC chip.
Figure 3-2: Huawei Gateway 4.0 circuit board
Figure 3-3: Huawei Gateway 4.0 /proc/cpuinfo (chip: RTL9607C)
Compared with the circuit board of the telecom's first-generation optical modem, the difference is very obvious: the integration of the earlier board is clearly not as good as that of the Huawei Gateway 4.0.
3.1.2 Linux
From the e8-C to the Huawei Gateway 4.0, the underlying operating system of the telecom optical modem has always been Linux (as distinct from the operating system inside the container). Taking the PT926G as an example, the kernel information can be viewed with the uname command.
3.1.3 lxc
Starting from the Huawei Gateway 3.0, in addition to the Linux system, the optical modem also runs an lxc container with OpenWrt inside. The functionality of the optical modem has therefore been greatly expanded, which is what the telecom bigwigs call the great expansion of the optical modem's compatibility, supporting hundreds of third-party plugins. In fact, OpenWrt can run far more plugins than that; the telecom bigwigs are being very modest.
3.1.4 Middleware
The Huawei Gateway middleware runs on top of the underlying operating system and is mainly responsible for the telecom operator's business logic, including but not limited to tr069-based optical modem management. This part leans towards telecom business logic and is not included in the analysis of this article. If you are interested, you can search for 'telecom itms' [3].
3.2 Analysis of the optical modem startup scripts
The execution process after a Linux system is powered on is shown in the figure below.
According to the logic shown in the figure above, after the telecom optical modem completes the boot stage it creates the init process, which executes the /etc/inittab script to complete the system initialization.
From the configuration line “console::sysinit:/etc/init.d/rcS” in the figure above, it can be seen that system startup reads /etc/init.d/rcS to complete the remaining startup process.
A) rcS script
The content of the /etc/init.d/rcS script file is as follows. When executed, the script checks for and runs the existing rc scripts in the current directory in sequence, starting from rc0.
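To make the hand-off concrete, here is an added example that models it; it is not the rcS script from the post or from the PT926G firmware. The first function pulls the sysinit entries out of a busybox-format inittab (id:runlevels:action:process), the second lists the rcN scripts in numeric order of N, and the third runs them in that order, reporting a failing script without stopping the sequence. The numeric sort matters: a plain shell glob orders rc10 before rc2, which is not the order the post lists. The inittab contents, the script names and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example; not code from the original post or from the PT926G firmware.
# Models how /etc/inittab's sysinit entry hands off to rcS, which then runs
# the numbered rcN scripts in order. All contents below are constructed.

# Print the process field of every sysinit entry in an inittab file.
# busybox inittab lines have the form  id:runlevels:action:process
inittab_sysinit() {
    grep -v '^[[:space:]]*#' "$1" | awk -F: '$3 == "sysinit" { print $4 }'
}

# List the rcN scripts in a directory in numeric order of N, one per line.
# A plain glob sorts lexically (rc10 before rc2); sorting on the number
# gives the order the post lists: rc2, rc3, rc4, ... rc10, ... rc35.
rc_order() {
    for f in "$1"/rc[0-9]*; do
        [ -f "$f" ] || continue
        n=${f##*/rc}
        case "$n" in *[!0-9]*) continue ;; esac
        printf '%s %s\n' "$n" "${f##*/}"
    done | sort -n | cut -d' ' -f2
}

# Run the scripts in that order, each in a fresh sh, the way rcS does.
# A failing script is reported but does not stop the remaining scripts.
run_rc_scripts() {
    dir=$1
    for s in $(rc_order "$dir"); do
        sh "$dir/$s" && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then echo "ok   $s"; else echo "FAIL $s (exit $rc)"; fi
    done
}

# Build a throwaway init directory (constructed sample) and echo its path.
make_demo_initd() {
    d=$(mktemp -d)
    printf '::sysinit:/etc/init.d/rcS\n::respawn:/sbin/getty 115200 ttyS0\n' > "$d/inittab"
    echo 'echo "rc2: mount proc/sysfs/tmpfs"'       > "$d/rc2"
    echo 'echo "rc3: start configd"; exit 1'        > "$d/rc3"   # deliberately failing
    echo 'echo "rc10: set ipv4 sysctls"'            > "$d/rc10"
    echo "$d"
}

# Demo run over the constructed directory.
d=$(make_demo_initd)
echo "sysinit process: $(inittab_sysinit "$d/inittab")"
run_rc_scripts "$d"
rm -rf "$d"
```

When auditing a real device, running rc_order against its /etc/init.d and inittab_sysinit against its /etc/inittab gives the exact list and order of what executes at boot, which is the list to diff against a known-good firmware.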
B) rc2 script
The rc2 script performs the following operations:
—— Mount file systems, including proc, sysfs, tmpfs, etc.
—— Create the directories required for system operation, mainly under /var
—— Execute some scripts under /etc/scripts, such as /etc/scripts/mnt_tmpfs.sh, /etc/scripts/mnt_cfgfs.sh, etc.
—— Modify kernel variables, such as: /proc/sys/kernel/hotplug, /proc/sys/net/unix/max_dgram_qlen
—— Set the loopback address of the local machine
C) rc3 script
The rc3 script mainly completes the following initialization tasks:
—— Determine whether the optical network unit needs to be reset
—— Start the configuration program /bin/configd in the background
—— Complete configuration-file-related operations during startup, including the various xml configuration files under /var/config
—— Device initialization, including the power supply, DSP chip, etc.
—— Software version detection
—— Determine the business mode of the optical network unit (ONU), EPON or GPON, and perform the corresponding initialization, such as loading device drivers
—— Set the Linux kernel nice value
D) rc4 script
The rc4 script is mainly responsible for initializing the ubi file system, including:
—— Call the /etc/scripts/mount_ubifs.sh script to mount the ubi file system (Unsorted Block Image File System, UBIFS) [4]
—— Create the directories /opt/upt/apps/etc/dbus-1/system.d and /opt/upt/apps/youhua; their purpose is unknown
E) rc6 script
The rc6 script only creates the /var/samba directory; files and directories are written there during the subsequent startup of the optical network unit.
The content of the /var/samba directory while the optical network unit (ONU) is running is shown in the figure below.
F) rc10 script
The rc10 script sets kernel parameters for the running optical modem, including IPv4 protocol and kernel exception-related parameters.
G) rc12 script
The rc12 script loads the kernel driver related to the file system, adding kernel support for the NTFS file system to improve NTFS access efficiency, as shown in the figure below.
H) rc14 script
The rc14 script sets up kernel IPv6 support, as shown in the figure below. I am very curious why the IPv4 and IPv6 kernel settings are not put in the same script.
I) rc17 script
The rc17 script mainly performs the following operations, as shown in the figure below:
—— Set the kernel dump path and dump method
—— Run the diagnostic program /bin/yhdiag in the background
J) rc21 script
The rc21 script creates the /var/run/dbus directory to support running dbus, as shown in the figure below:
K) rc32 script
The rc32 script performs the following operations, as shown in the figure below:
—— Run the /bin/startup program in the background, which is responsible for network configuration, firewall configuration, and running servers such as ftp and samba, among other important operations. According to the team's analysis, lxc container operations are also completed in the startup process. A comprehensive analysis of lxc container loading and running will follow later; if you are interested, follow the WeChat official account “Duncan Security Group”, the same name as on freebuf.
—— Prepare the dbus running environment, for example: create directories, call dbus-uuidgen
—— Create the cups-related directories, and copy all configuration files under /etc/cups/conf to /var/cups/conf
L) rc34 script
The rc34 script performs the following operations, as shown in the figure below:
—— Set firewall performance parameters, namely the maximum size of the iptables expectation table, nf_conntrack_expect_max
—— Set the maximum socket receive buffer, namely rmem_max
—— Execute voip-related programs
—— Enable and configure the watchdog
M) rc35 script
The rc35 script mainly completes lxc container-related operations, as shown in the figure below. This part is extremely important for analyzing the telecom's latest optical modems, that is, the optical modems that use an lxc container to implement dual web applications.
—— Execute the /etc/scripts/lxc_start.sh script to complete lxc container initialization, such as creating directories and mounting file systems
—— Run /bin/ctmanagedaemon in the background
—— Execute the /etc/scripts/fw_loaded.sh script, which appears to perform checks after the firmware is loaded
—— Modify kernel running parameters related to lxc
—— Execute the /etc/scripts/vm_tuning.sh script, which checks memory status and modifies lxc-related kernel running parameters
3.3 Summary of the startup script analysis
—— The team compared the startup scripts /etc/init.d/* of Tianyi Gateway 3.0 with those of the e8-C, Tianyi Gateway 1.0 and Tianyi Gateway 2.0, and found that only Tianyi Gateway 3.0 has /etc/init.d/rcS execute the other scripts in /etc/init.d/ one by one; on the other Tianyi Gateways, a single /etc/init.d/rcS script performs all startup operations. This change may be due to the introduction of the lxc container in Tianyi Gateway 3.0, as well as a wish to make the scripts clearer through modularization.
—— What the team is most concerned about is the lxc container, as this is the biggest feature of Tianyi Gateway 3.0. With the support of OpenWrt, the functionality and playability of the optical modem itself have been greatly enhanced. After reading many posts on chinadsl.net and with the team's in-depth analysis of the optical modem, the container management program was determined to be /usr/sbin/saf. After the optical modem completes most of the boot process, the /etc/init.d/rc32 script runs the startup program in the background ('startup&'). The /bin/startup program in turn calls the /bin/proxyDaemon program, which executes 'saf service 8 9 10' to start the container. This is the conclusion of the current analysis work; the detailed execution process and the implementation logic of the saf program need further analysis and confirmation.
0x04: Summary
Due to the length of the article, this article briefly introduces the basic hardware and software characteristics of the Tianyi Gateway 3.0 and then focuses on the analysis of the boot process of the optical modem system. If you are interested in the content of this article, feel free to leave a message urging us to write the next part!
0x05: References
[1] MWC concluded! China Telecom's 'Tianyi Gateway' 2.0 was perfectly presented! https://www.sohu.com/a/153967240_515599
[2] Building a new ecological connection for smart homes: China Telecom will launch version 3.0 of the Tianyi Gateway next year. https://www.sohu.com/a/208951906_234937
[3] The position and role of ITMS in the network. https://wenku.baidu.com/view/c546b44edeccda38376baf1ffc4ffe473368fdc5.html?fr=income3-doc-search&_wkts_=1681573923872&wkQuery=telecommunications+itms
[4] UBI file system: concept, overhead and usage of the UBI file system. https://zhuanlan.zhihu.com/p/383367301
