Introduction
This paper is our attempt to deobfuscate the Actiontec GT701 wireless gateway. There are a couple of other websites out there with the same goal in mind, however, our intent was to provide accurate information based off of various sources including both official and un-official documentation, kernel source, configuration files, and just plain hacking.
Hardware
The hardware making up this unit revolves around the AR7, Texas Instruments’ “system on a chip” solution for DSL routers. The hardware of the GT701 (or any other AR7-based device, for that matter) consists of a power supply, the 160MHz MIPS 4KEc V4.8 processor, 16MB of SDRAM, and 4MB of FLASH. For input/output, there is an RJ-11 jack for the DSL line, an Ethernet jack (TI Avalanche CPMAC), a USB port, and an ACX-11x based wireless chipset (chip # TNETW130), as well as 6 status LEDs. On the board there are also two separate sets of 5 pins each. These are mostly believed to be serial (JTAG is also possible) because Texas Instruments shows a serial/UART interface on the AR7 diagrams, because several pins are attached to the board, and because of the following ADAM2 variables:
ADAM2
To be perfectly honest, we’re still not entirely sure what ADAM2 really is. We know that it’s stored on block 2 of the MTD device. We also know that it appears to be some sort of system for storing environment variables in flash, used during both boot time and run time, as well as a boot loader of some sort. We also know that it’s responsible for storing the MAC addresses, as found in our mtd dump:
The following is a dump of /proc/ticfg/env, which is the /proc interface to ADAM2.
When you hold down the Reset button during boot, an FTP server is spawned on the default port (TCP/21) typically allowing you to flash new firmware, as well as set and unset different ADAM2 environment variables.
The following is a list of commands that the ADAM2 FTP server supports.
When Actiontec’s recovery app is run, it also sends a UDP packet to port 5035 and then initiates a connection to the FTP port. The following is the output of a sniffed connection during a typical firmware upgrade.
The Actiontec GT701’s MTD blocks are set up as follows:
We’re not too sure what else it is capable of, but there are some hints of it being able to boot off the network (DHCP) and/or boot specified images. Here are some ADAM2 commands, though we haven’t actually been able to test these yet:
There are others, but some of the command names didn’t show up (only the descriptions did), and we don’t have a console hooked up to see them for ourselves yet.
Software
The Actiontec GT701 runs off of Linux kernel 2.4.17 patched for MIPS, ATM, SquashFS, and pre-empt (not enabled). The kernel is provided by MontaVista and is believed to be the MontaVista Carrier Grade Linux kernel version 2.1.
Along with the kernel, the GT701 also runs on top of Busybox 0.61.pre with uClibc libraries (version 0.9.19). The root filesystem uses SquashFS 1.x, which is a compressed, read-only filesystem stored on the MTD block. One should note that SquashFS 2.x is not backwards-compatible with 1.x. A ramdisk is mounted at /var, and any files that require write access are either stored there or symlinked into that tree.
In order to retrieve and edit the file system, one would first have to download SquashFS and compile it into their kernel, as well as build the user-land tools. Once this is complete, your first step would be to either extract nsp.ar7wrd.squashfs.img from the recovery tool, or do something similar to the following (while running a tftp server):
This will give you a mountable SquashFS image wherever you placed your tftp root. In order to write to it, though, you will need to copy a mounted SquashFS directory to a non-SquashFS directory as follows:
And you now have a write-able directory to edit/delete or whatever else may please you. Re-creating the image is just as easy:
There are two things to keep in mind while building filesystem images. The first is that the GT701 can only STORE 3,136KB (compressed) on the FLASH chip. The second is that the filesystem is decompressed and stored in RAM when mounted, and you only have 16MB of RAM to begin with, so either way, it’s a tight fit.
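The dump, unpack, rebuild and size-check steps above, as an added example (not the article’s own commands). It assumes a BusyBox tftp client with the -p/-l/-r syntax on the router, a tftp server reachable as the host argument, and host-side SquashFS 1.x support (loop mount plus mksquashfs); mtd0 is the root filesystem and mtd3 the config block, as the article uses them.

```shell
#!/bin/sh
# Added example, not from the original article. See the lead-in for assumptions.
set -e

FLASH_LIMIT_KB=3136   # compressed image capacity stated in the article

# Run on the router: copy an MTD block (mtd0 = root fs, mtd3 = config XML) to
# the /var ramdisk and push it to the tftp server (assumed BusyBox tftp syntax).
dump_mtd() {
    mtd=$1; host=$2
    cat "/dev/$mtd" > "/var/$mtd.img"
    tftp -p -l "/var/$mtd.img" -r "$mtd.img" "$host"
}

# Run on the host: loop-mount the read-only image and copy it to a writable tree.
unpack_image() {
    img=$1; dest=$2
    mnt=$(mktemp -d)
    mount -o loop -t squashfs "$img" "$mnt"
    mkdir -p "$dest"
    cp -a "$mnt"/. "$dest"/
    umount "$mnt"
    rmdir "$mnt"
}

# Rebuild the image from the edited tree; -noappend overwrites an existing output
# instead of appending a second filesystem to it.
repack_image() {
    mksquashfs "$1" "$2" -noappend
}

# Round the image size up to whole KB and compare with the flash capacity.
# Returns 0 if the image fits, 1 if it would not fit on the chip.
fits_in_flash() {
    bytes=$(wc -c < "$1")
    kb=$(( (bytes + 1023) / 1024 ))
    echo "$1: ${kb}KB of ${FLASH_LIMIT_KB}KB available" >&2
    [ "$kb" -le "$FLASH_LIMIT_KB" ]
}
```

A typical host-side run is unpack_image mtd0.img rootfs, edit under rootfs/, then repack_image rootfs new.img and fits_in_flash new.img before flashing anything.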
Actiontec uses a set of utilities to manage your configuration files. They manage the XML file stored on mtd3 as well as handle your web-based configuration changes. There is also supposed to be a CLI client for it, however, I haven’t quite figured out how that works yet. These utilities can usually be identified by having cm_ as a prefix, although the CGI program for the web-based configuration is called webcm, and of course, we can’t forget libcm.so. The XML file contains all of your configuration, including IP addresses, authentication, networking settings, and probably just about everything else. You can extract a current version of the file the same way we demonstrated dumping the filesystem above, but by replacing mtd0 with mtd3. You will also need to strip all of the excess garbage at the end of the file. I should also note that mtd3 is monitored regularly for corruption, and if mtd3 happens to become corrupted, it will repopulate the block with /etc/config.xml.
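Cleaning the trailing garbage off a raw mtd3 dump, as an added example (not from the article). It assumes the dump was fetched the same way as mtd0 and that the garbage is erased-flash padding (0xFF) and/or NUL fill; the article only says “excess garbage”, so adjust if your dump shows something else.

```shell
#!/bin/sh
# Added example, not from the original article. See the lead-in for assumptions.
set -e

# Delete every 0x00 and 0xFF byte from the dump. Neither can occur in
# well-formed XML text (XML forbids NUL and 0xFF is never valid UTF-8), so the
# document itself is untouched while pad bytes are removed wherever they sit.
# Usage: trim_config mtd3.img config.xml
trim_config() {
    LC_ALL=C tr -d '\000\377' < "$1" > "$2"
}

# Sanity check before trusting the result: the last non-whitespace byte must be
# the '>' of a closing tag and, when xmllint is installed, the file must parse.
# Returns 0 when the checks pass, non-zero otherwise.
check_config() {
    last=$(LC_ALL=C tr -d '[:space:]' < "$1" | tail -c 1)
    [ "$last" = ">" ] || return 1
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$1"
    fi
}
```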
The list of configuration programs is as follows:
Webcm is used in conjunction with thttpd to provide a small, yet working, web-based interface that allows you to make changes to your gateway’s configuration.
As far as networking is concerned, the GT701 uses pppd with a PPPoA plugin for your connection to your ISP. For telnet and DHCP, the gateway uses utelnetd and udhcpd, respectively. The Actiontec GT701 also supports UPnP through the use of upnpd on interfaces ppp0 and br0. br0 consists of the USB device, the Ethernet device, and the wireless device.
The wireless drivers are not compiled into the kernel or as a kernel module; rather, they are handled by a userland driver called user_drv. On the original firmware, the user_drv_cli utility provided a very capable command line interface that allowed you to change many settings pertaining to the wireless network device. Some of these settings included which regulatory domain you were in; for instance, one could take their access point out of the FCC domain and place it under the French domain, or better yet, a custom domain, and change power levels as well as usable channels. In the newer firmware, it seems this software has been crippled and will not allow you to access the CLI.
Conclusion
The Actiontec GT701-wg is a powerful embedded Linux device running on a MIPS platform based off of Texas Instruments’ AR7 “one-chip” solution. It is relatively easy to hack the GT701. The firmware images are SquashFS 1.x images, and the base Linux system is run on BusyBox with the uClibc libraries. If one were to set up a cross-compile environment and use the SquashFS tools, they could generate new firmware images with great ease.