DG934 - Hacked - running official netgear firmware

[digitaldazz]

Hi all,

Just put a normal netgear firmware onto a dg934 and I am testing it as we speak.

Everything works wifi,lan and adsl.

seems this is just a 834 v3 as in the original sky firmware it calls for update to a dg834v3-sky-special server.

So I uploaded a V3 firmware and it works fine.

Will have to test a bit more and see if the password/username gets wiped in the process. So I will downgrade and do some tests.

Putting the firmware onto the router was easy - just a little trickery and on it went. lol

update soon.

[James67]

Quote:

Originally Posted by digitaldazz

Will have to test a bit more and see if the password/username gets wiped in the process. So I will downgrade and do some tests.

It won't be like the Sky DG834GT routers, where if you reflash with the standard Netgear firmware, it still connects to Sky. The ADSL password is calculated "on the fly" by the close-source program /usr/sbin/rc when it calls out to the pppd program, rather than being stored in a NVRAM variable.

But of course, once you've got the standard Netgear firmware on the router, you'll simply be able to type in the username and password obtained from the password page, so it's not a problem using the standard Netgear firmware to connect to Sky. Well, other than the fact that it won't attempt to contact the upgrade server, of course, which as discussed before, is a potential method that Sky might use if (or when) they decide to clamp down on people breaching the router policy.

But well done on getting the generic Netgear firmware working on the Sky hardware. That was the one missing piece in the jigsaw. We had managed to extract passwords from all three routers, but had only managed to get generic firmware installed on two of them - the new Netgear router being the odd one out. Now even that has been beaten into submission.

So how did you manage to force the DG834v3 firmware on the router? I'd guess something along the lines of copying the tools/makeImage program from the DG934G software kit, as well as the DG934G image and then doing

Code:

./build.sh DG934G-1SKUKS_V2.02.34.img target new.img

in the DG834v3 directory.

That would give a flash image that contains the kernel and rootfs from the DG834v3 build, but has a DG934G signature in the image file - i.e., "SKY2V3", rather than "DG834V3".

[digitaldazz]

Hi james,

i tried to change the id of the firmware but eventually found a much easier way to flash the router.

It's a bug in the netgear flash utility that lets it flash any 834 with any firmware you choose, might be usefull to you.

What you need to do is run the utility with a genuine 934 firmware, select the network interface and when it finds the router and shows it on the next page simply put the 834 firmware in its place and rename it to what ever the 934 firmware was called. As it has already verified the firmware it will not do so again and will flash the router as if it were a 934 firmware.

Can the update server address be used to spoof an update call ?

Anybody wishing to try this method do so at your own risk and be aware of the breach of SKY's T&C.

P.S. the new router interface logon is "admin / password" - same ip though

if you flash before getting your password and user you can get it using the mognuts utility after flashing as i have tested and it works but not for snr changes etc.

Cheers

[James67]

Ah yes, that's a cunning exploit you've found there when it comes to forcing firmware onto the router. With the way I described, the router would continue to think of itself as a Sky box, so if Netgear were to release new firmware for the DG834, you'd have to go through the rigmarole of converting the flash image to make it look like a DG934G flash image. By contrast, the way you've done it, there would be no need to do that - you'd simply be able to update the firmware using the web interface.

As for spoofing the update call, I don't know - I haven't delved into it very deeply. Looking at the update program that runs on the router, /usr/sbin/provisioning_ap, there's quite a few discrete steps and I've only ever looked at the first step where it does an HTTP GET to the appropriate update server (e.g., dg934g.skyfirmware.com), requesting a file called /001122AABBCC, where 001122AABBCC is the MAC address of the router's LAN interface. It would certainly be worth finding out what exactly it does when requesting an update..

[digitaldazz]

Hi James,

As for spoofing the update i was thinking of the repository it seems to have set up.

eg.

# cat svn.info
Path: .
URL:svn://172.31.2.251:36901/svn/Platform/DG834V3_SKY/PHASE3_NEW/Source
Repository Root: svn://172.31.2.251:36901/svn/Platform/DG834V3_SKY
Repository UUID: (********************************) removed just in case
Revision: 307
Node Kind: directory
Schedule: normal
Last Changed Author: ethan
Last Changed Rev: 307
Last Changed Date: 2007-09-07 12:02:18 +0800 (Fri, 10 Sep 2007)

I am a relative noob as far as Linux is concearned but maybe you can shed some light on this.

This is the file that led me to believe the 934 was indeed a rebadged 834v3.

Cheers

[James67]

That's just a Subversion file - nothing to do with what the update program (provisioning_ap) does.

[smudger04]

Hello, I am new to these forums but wonder if somebody can please help. I tried to flash my DG934G router, using the process mentioned above - all was going very well, until my pc decided to blue screen half way through doing the flash. Now my router appears to be in reset mode (power and tick flashing alternatly) If i run the flash utility again, it does not find the router anymore, and i cannot log in using the 192.168.0.1

Please can somebody help???

[James67]

OK, what firmware (model and version number) did you try to install on the router? It would be helpful for me to know the exact filename of the image file.

What OS are you using on your PC?

What state would you like your router to end up in? Suitable for use with Sky Broadband or suitable for use with a different ISP?