These instructions have been tested on various Telstra branded devices. They should also work for other branded Technicolor devices.
To acquire root access on a Technicolor device, you need the following:
- A computer with either an Ethernet port OR a USB Ethernet adapter
- A USB Stick
- An ethernet cable
- An SSH client:
- Windows: Download PuTTY
- Mac/Linux: You can use the
ssh
command provided by your distribution
- A basic understanding of running commands in your operating system"s terminal program
- Remove the cable that connects the device to the internet. This will either be the cable into the red WAN port or the DSL/phone port.
- If the Technicolor device is 4G backup capable, remove the SIM card.
- Determine the current firmware version installed on the device:
- Log into your modem through your web browser, usually at http://192.168.0.1/ or http://10.0.0.138/
- Click on
Advanced
in the top right corner of the page (skip this step on the Smart Modem Gen 3, as it will automatically take you into the Advanced view). - Click the first box on the top left, usually called “Gateway” or “Modem”.
- Record the “Firmware Version” shown on the screen.
- Click on the “Reset” button to restore the device to factory defaults.
- Determine your firmware version Type from https://hack-technicolor.readthedocs.io/en/latest/Repository/
- Click on your device name in the right side panel menu.
- Find your version number in the table and make note of the Type (1, 2,or 3) from the first column.
- If your device has a Type 3 firmware, download any Type 2 firmware for your device.
- Download the latest release of
tch-exploit
for your operating system.- Extract the contents of the zip file into a directory on your computer.
- If you have a Telstra branded device running firmware 17.2 or later, download the latest release of
tch-gui-unhide
for your firmware version (e.g. for a firmware beginning with 20.3.c, download the20.3.c.tar.gz
file).- Copy that file to the USB stick.
- For other branded devices or Telstra devices with firmware older than 17.2, download the following scripts and copy them to the USB stick:
- Disable or turn off all network connections, including Wi-Fi, VPN, 4G USB devices, other ethernet connections, etc.
- Disable or turn off all virus and malware scanners (including Windows Defender).
- Find the name of your ethernet connection:
- Windows: Open a command prompt and use the
ipconfig | find "Ethernet adapter"
command to list your ethernet interfaces. - Mac: Open a terminal window and use either the
networksetup -listallhardwareports
orifconfig
command. - Linux: Open a terminal window and use either the
ip link
orifconfig
command, depending on your distribution.
- Windows: Open a command prompt and use the
You cannot acquire root access to a Type 3 firmware.
The only known method for acquiring root access on a device with Type 3 firmware is to downgrade the device to a Type 2 firmware first.
The first thing to try is loading the Type 2 firmware via TFTP.
There are 2 steps to loading firmware via TFTP:
- Setup a TFTP server that will download the firmware to the device; and
- Start your device in BOOTP mode so that it will automatically request the firmware from the TFTP server and install it on the device.
You should already have acquired tch-exploit
for your operating system. If you have Telstra Smart Modem Gen 3, you must use the seud0nym
version - the original BoLaMN
version will fail. The seud0nym
version also has better prompts and some bug fixes. However, one user has reported "Transfer cancelled" messages from a DJA0230 on MacOS. If affected, use the original BoLaMN
version.
- Connect an Ethernet cable into the Ethernet port on your computer, and the other end into any yellow LAN port on your device.
- On the Smart Modem Gen 3 only, you can use either a yellow LAN port or the red WAN port
- Copy the firmware file (ending with .rbi for all devices prior to the Smart Modem Gen 3, or ending with .pkgtb for the Gen 3) to the
tch-exploit
directory. - Configure networking and start the TFTP server:
- Windows: Run the following commands in an elevated (Administrator) command prompt:
- Replace
C:\Users\user\Downloads\release
with the name of the directory containing tch-exploit-win - Replace
Ethernet
with the name of your ethernet connection - Replace
<firmware_file>
with the name of the Type 2 firmware you downloaded for your device - Each line is one command. Run them separately.
cd C:\Users\user\Downloads\release netsh interface ipv4 set address name="Ethernet" static 192.168.0.254 255.255.255.0 192.168.0.1 tch-exploit-win --ip=192.168.0.254 --tftp=<firmware_file>
- Replace
- Mac: Run the following commands:
- Replace
release
with the name of the directory containing tch-exploit-macos - Replace
en0
with the name of your ethernet connection - Replace
<firmware_file>
with the name of the Type 2 firmware you downloaded for your device - Each line is one command. Run them separately.
cd release sudo ifconfig set en0 INFORM 192.168.0.254 sudo ./tch-exploit-macos --ip=192.168.0.254 --tftp=<firmware_file>
- IMPORTANT: Disable the MacOS firewall, or ensure that it will allow DHCP/TFTP requests!
- Replace
- Linux: Run the following commands:
- Replace
release
with the name of the directory containing tch-exploit-linux - Replace
eth0
with the name of your ethernet connection - Replace
<firmware_file>
with the name of the Type 2 firmware you downloaded for your device - Each line is one command. Run them separately.
cd release sudo ip addr add 192.168.0.254/24 dev eth0 sudo ./tch-exploit-linux --ip=192.168.0.254 --tftp=<firmware_file>
- Replace
- Windows: Run the following commands in an elevated (Administrator) command prompt:
- Unplug the power from the modem.
- Hold in the Reset button using a paper-clip, bamboo skewer, etc.
- Power on the modem. DO NOT RELEASE THE RESET BUTTON YET!
- The power/status LED on the front of the modem will start slowly flashing white on and off.
- Release the Reset button.
Your computer screen will show the progress of the firmware being downloaded.
One the firmware download is complete, the power/status LED on the front of the modem will start to flash more quickly. This means that it is applying the downloaded firmware. When it has completed, the modem will reboot.
If you are using the seud0nym
version of tch-exploit
, it will automatically exit when it has finished downloading the firmware. If you are using the BoLaMN
version, you will need to press Ctrl-C
to exit.
- Windows: Run the following command in an elevated (Administrator) command prompt:
- Replace
Ethernet
with the name of your ethernet connection
netsh interface ipv4 set address name="Ethernet" dhcp
- Replace
- Mac: Run the following commands:
- Replace
en0
with the name of your ethernet connection - Each line is one command. Run them separately.
sudo ipconfig set en0 DHCP sudo ifconfig en0 down sudo ifconfig en0 up
- IMPORTANT: Re-enable the MacOS firewall!
- Replace
- Linux: Run the following commands:
- Replace
eth0
with the name of your ethernet connection - Each line is one command. Run them separately.
sudo ip addr del 192.168.0.254/24 dev eth0 sudo ip link set eth0 down sudo ip link set eth0 up
- Replace
- Log into your modem, usually at http://192.168.0.1/ or http://10.0.0.138/
- Click on
Advanced
in the top right corner of the page (skip this step on the Smart Modem Gen 3, as it will automatically take you into the Advanced view). - Click the first box on the top left, usually called “Gateway” or “Modem”.
- Check the “Firmware Version”:
- If the firmware version matches the Type 2 firmware you just loaded via BOOTP/TFTP, you can proceed to acquire root access.
- If the firmware version is still the original Type 3 firmware, life has just become difficult.
If the TFTP appeared to complete successfully, then the problem is more than likely that the device is booting from the wrong firmware bank. This is explained in more detail below.
In this case, you need to force the device to switch banks to the firmware you just loaded. This is a very hit-and-miss procedure that involved forcing the device to fail to boot three times, in which case it will automatically switch to the alternate bank, containing the firmware you just loaded.
The various boot-fail bank switching techniques are explained here.
There is another bank switching technique that is not discussed, and is only applicable to current devices that still receive firmware updates over-the-air from Telstra. If the device receives a new firmware over the internet, it will always load that new firmware in the passive bank, never the active bank. Once it reboots, it will be running from the other bank, and you can redo the BOOTP/TFTP procedure to load the Type 2 firmware.
The Technicolor modems are dual-bank devices. They work in a very similar fashion to a dual-boot computer system. For example, the computer might have a data partition with personal data and two Operating System partitions that share that data. The Technicolor devices have a data partition and two firmware banks.
When you power on your device it starts loading the firmware from the so-called active bank. With no surprise, the other one gets called passive bank. Of course, only one bank at time can be used.
BOOTP flashing via TFTP writes into bank 1 only, and will do so even if the active bank is currently bank 2. The problem occurs because BOOTP/TFTP will not set bank 1 as active. (This is not true if you have a Telstra Smart Modem Gen3 - that device will switch banks to bank 1 after loading a new firmware via TFTP.)
If you are booting a Type 2 firmware (either by default or by loading one via BOOTP/TFTP), then you can acquire root access.
- Connect an Ethernet cable into the Ethernet port on your computer, and the other end into the RED WAN port on your device.
- Extract the contents of the
tch-exploit
zip file into a directory on your computer. - Configure networking and start
tch-exploit
:- Windows: Run the following commands in an elevated (Administrator) command prompt:
- Replace
C:\Users\user\Downloads\release
with the name of the directory containing tch-exploit-win - Replace
Ethernet
with the name of your ethernet connection - Each line is one command. Run them separately.
cd C:\Users\user\Downloads\release netsh interface ipv4 set address name="Ethernet" static 58.162.0.1 255.255.255.0 58.162.0.1 tch-exploit-win
- Replace
- Linux: Run the following commands:
- Replace
release
with the name of the directory containing tch-exploit-linux - Replace
eth0
with the name of your ethernet connection - Each line is one command. Run them separately.
cd release sudo ip addr add 58.162.0.1/24 dev eth0 sudo ./tch-exploit-linux
- Replace
- Mac: Run the following commands:
- Replace
release
with the name of the directory containing tch-exploit-macos - Replace
eth0
with the name of your ethernet connection - Each line is one command. Run them separately.
cd release sudo ip addr add 58.162.0.1/24 dev eth0 sudo ./tch-exploit-macos
- Replace
- Windows: Run the following commands in an elevated (Administrator) command prompt:
- At this point you have to wait a bit. It can be quick, but can also take several minutes. Eventually, the screen will start to fill up like so:
- Wait another 40-50 seconds, and the screen then fills up more with green text:
- IMPORTANT! If you fail to see the green text after 10 minutes, you probably have a Type 3 firmware.
- IMPORTANT! If you fail to see the green text after 10 minutes, you probably have a Type 3 firmware.
- After another 5-6 sec or so it will prompt you to press the WPS button:
- Press and hold the WPS button for around 3 sec before releasing. On the modem it is the PAIR button with two arrows (). The button should start to flash and within a couple of seconds the screen says everything is done:
- Restore the computer network interface:
- Windows: Run the following command in an elevated (Administrator) command prompt:
- Replace
Ethernet
with the name of your ethernet connection
netsh interface ipv4 set address name="Ethernet" dhcp
- Replace
- Linux/Mac: Run the following commands:
- Replace
eth0
with the name of your ethernet connection - Each line is one command. Run them separately.
sudo ip addr del 58.162.0.1/24 dev eth0 sudo ip link set eth0 down sudo ip link set eth0 up
- Replace
- Windows: Run the following command in an elevated (Administrator) command prompt:
You can now log in to your device using your SSH client, using a username of root
and password root
.
Do these steps, in order, before reconnecting your device to the internet after step 4.
- Insert the USB stick into your device and ensure it is the current directory by executing:
cd /mnt/usb/USB-A1/
(your mount directory may differ). - Extract the scripts by executing (replace
firmware_version
with your firmware version - e.g. 20.3.c):tar -zxvf firmware_version.tar.gz
Optimal bank planning configures the device bank layout to give you the greatest chance of recovery in case you lose root access. This involves leaving bank 1 empty, but marked as active. The passive bank (bank 2) contains the bootable firmware. When the device boots, it fails to find a valid firmware in the active bank, and fails over to the passive bank. If you encounter a situation where you lose root access, but the device has the optimal bank plan, then you can always TFTP in a valid Type 2 firmware and the device will always boot into that firmware (because TFTP firmware downloads are always written to bank 1, and bank 1 is marked as active.)
NOTE: The Telstra Smart Modem Gen 3 uses a different bank layout to previous devices, and the above technique is not compatible. The optimal configuration is to keep a rootable firmware in bank 1, and the firmware you use in bank 2. You should always switch back to bank 1 before updating bank 2 with new firmware. This will have a similar effect to the true optimal bank plan that can be implemented on previous generation devices.
See Firmware Banks Explained for more information.
- Make sure you are in the USB directory:
cd /mnt/usb/USB-A1/
(your mount directory may differ). - Check whether your bank planning is optimal by executing:
sh show-bank-plan
- If script reports that your bank plan is not optimal, run:
sh set-optimal-bank-plan
(WARNING: This will reboot your device)
- Make sure you are in the USB directory:
cd /mnt/usb/USB-A1/
(your mount directory may differ). - Check whether your bank planning is optimal by executing:
sh show-bank-plan
- If script reports that your bank plan is not optimal, then:
- If you want to run on the firmware already in bank 2, AND you have previously loaded a new firmware into bank 2, run:
sh reset-to-factory-defaults-with-root -s
(WARNING: This will switch banks and reboot your device) - If you want to run on a different firmware, OR you have never loaded a new firmware into bank 2, follow the Upgrade Firmware instructions below. On a Gen 3 device, this will automatically switch banks and make your bank plan optimal.
- If you want to run on the firmware already in bank 2, AND you have previously loaded a new firmware into bank 2, run:
NOTE: Some users have reported bricking the Gen 3 when doing a bank switch without loading firmware into the target bank at least once. The current suggestion is to use safe-firmware-upgrade
and load a new firmware, even if it is the same version as is currently reported for the target bank. Loading new firmware onto a Gen 3 will always switch banks.
You can optionally upgrade the firmware at this point. You can even install a Type 3 firmware, because the safe firmware upgrade process retains root access through a different mechanism than that used by tch-exploit
to initially gain root access.
NOTE: To keep an optimal bank plan on a Telstra Smart Modem Gen 3, you should always switch back to bank 1 before updating bank 2 with new firmware. You can switch banks with the command:sh reset-to-factory-defaults-with-root -s
However, see the note above about switching to a bank that into which you have not previously loaded a new firmware
- Download the required firmware version for your device from https://hack-technicolor.readthedocs.io/en/latest/Repository/ and save it to your USB stick.
- Make sure you are in the USB directory:
cd /mnt/usb/USB-A1/
(your mount directory may differ). - Run
sh safe-firmware-upgrade -?
to see available options.
Hardening root access involves removing the ability for the device to automatically download and apply new firmware when it becomes available, because when firmware is automatically updated in that way, you will always lose root access.
After you have hardened root access, you can reconnect WAN and 4G SIM access.
The de-telstra
script will harden your root access, and can also disable unwanted services, and apply other configuration options.
- Change the root password by executing:
passwd
- Make sure you are in the USB directory:
cd /mnt/usb/USB-A1/
(your mount directory may differ). - Run
sh de-telstra -?
to see available options. - For some sensible settings, just execute:
sh de-telstra -A
- Change the root password by executing:
passwd
- Follow the instructions at https://hack-technicolor.readthedocs.io/en/latest/Hardening/.
- If you have a Telstra branded device, you do not need to follow those instructions. The
de-telstra
script implements all those recommendations, plus other Telstra-specific hardening.
- If you have a Telstra branded device, you do not need to follow those instructions. The
- Make sure you are in the USB directory:
cd /mnt/usb/USB-A1/
(your mount directory may differ). - Optionally, download any extra feature scripts you want to install into the same directory as the scripts.
(IMPORTANT: Make sure you have installed all pre-requisites as well) - Optionally create your ipv4-DNS-Servers and/or ipv6-DNS-Servers files in the same directory as the scripts. (See Optionally Configure Additional DNS Servers)
- Apply the GUI changes.
Runsh tch-gui-unhide -?
to see available options, or just execute:sh tch-gui-unhide
- Optionally run
sh tch-gui-unhide-cards
to change card sequence and visibility (card visibility can also be changed from theManagement
card)
- https://hack-technicolor.readthedocs.io/en/latest/Unlock/ contains tips to unlock functionality on your device.
- If you have a Telstra branded device, you do not need to follow those instructions. The
tch-gui-unhide
GUI modification allows you to access most of the functionality listed, plus other features not listed there.
- If you have a Telstra branded device, you do not need to follow those instructions. The