
Livebox 2 - attempting to hack

Orange has produced apps - for Android and for iOS - that permit you to "manage" your Livebox. After a bit of poking around between those and the web UI, I uncovered the principle of how the Livebox communicates with the management software. You send this:
POST /sysbus/NMC:getWANStatus HTTP/1.1
Accept:text/javascript
Accept-Encoding:gzip, deflate
Accept-Language:en-gb,en;q=0.5
Cache-Control:no-cache
Connection:keep-alive
Content-Length:17
Content-Type:application/x-sah-ws-1-call+json; charset=UTF-8
DNT:1
Host:192.168.1.1
Pragma:no-cache
Referer:http://192.168.1.1/supportSystemInformationAdsl.html
User-Agent:Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
X-Context:R3VYXSjjkznf6Z5DzVKCKsZssHzHYOHEEqss9Czh2NmUAhnX1YozedRuJf1vRxZm
X-Prototype-Version:1.7
X-Requested-With:XMLHttpRequest

{"parameters":{}}
And the server is supposed to reply with something like this:
{"result":
  {"status":true,"data":
    {"LinkType":"dsl",
      "LinkState":"up",
      "MACAddress":"xx:xx:xx:xx:xx:xx",
      "Protocol":"ppp",
      "ConnectionState":"Connected",
      "LastConnectionError":"ERROR_NONE",
      "IPAddress":"xx.xx.xx.xx",
      "RemoteGateway":"193.253.160.3",
      "DNSServers":"80.10.246.130,81.253.149.1",
      "IPv6Address":""}
    }
  }
This was taken from a snoop on the behaviour of the Firefox JavaScript interpreter.

So I send a simpler request - this:

POST /sysbus/NMC:getWANStatus HTTP/1.1
Accept:text/javascript
Content-Length:17
Content-Type:application/x-sah-ws-1-call+json; charset=UTF-8
Host:192.168.1.1

{"parameters":{}}
(A French bloke has retrieved data with less.) My response? This, and immediately:
<html><head><title>Gateway Timeout</title></head>
<body><h1>504 - Gateway Timeout</h1></body></html>
You'll have to excuse me being a little bit confused as to this response.
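To make the exchange above concrete, here is an added example (mine, not code from the original post or from Orange) that builds a sysbus call the way the Firefox capture does, with the Content-Length worked out from the encoded body rather than by hand, and parses the reply envelope. It also copes with the case I hit: a reply that is an HTML error page rather than JSON. The two sample replies are constructed from the captures above; the 504 status line and the idea that X-Context is only needed once you have a session token are my assumptions, not something the post establishes.

```python
"""Added example: build a Livebox "sysbus" request and parse the reply, offline.

Assumed (not stated by the post): the path is /sysbus/<Object>:<method>, the
body is {"parameters": {...}}, and a good reply is
{"result": {"status": ..., "data": ...}}.  Whether X-Context is required for a
given call is not established by the post, so it is only sent when supplied.
"""
import json
from typing import Optional


def build_sysbus_request(path: str, parameters: Optional[dict] = None,
                         host: str = "192.168.1.1",
                         context_id: Optional[str] = None) -> bytes:
    """Return the raw HTTP/1.1 request bytes for one sysbus call."""
    # Compact separators reproduce the capture's body exactly: {"parameters":{}}
    body = json.dumps({"parameters": parameters or {}},
                      separators=(",", ":")).encode("utf-8")
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host:{host}",
        "Accept:text/javascript",
        "Content-Type:application/x-sah-ws-1-call+json; charset=UTF-8",
        f"Content-Length:{len(body)}",   # computed, so it is never off by one
        "X-Requested-With:XMLHttpRequest",
    ]
    if context_id is not None:
        # Session token (the ContextID returned by /authenticate); assumption.
        headers.append(f"X-Context:{context_id}")
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + body


class SysbusError(Exception):
    """The reply is not a well-formed sysbus envelope."""


def parse_sysbus_response(raw: bytes) -> dict:
    """Split an HTTP reply into head and body and decode the sysbus envelope.

    Returns {"status": ..., "data": ...}.  A non-200 status or a non-JSON body
    (such as the Gateway Timeout page) raises SysbusError.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    fields = status_line.split(" ", 2)
    if len(fields) < 2 or not fields[1].isdigit() or int(fields[1]) != 200:
        raise SysbusError(f"unexpected status: {status_line}")
    try:
        envelope = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise SysbusError(f"reply is not JSON: {body[:60]!r}") from exc
    result = envelope.get("result") if isinstance(envelope, dict) else None
    if not isinstance(result, dict) or "status" not in result:
        raise SysbusError("missing result/status in envelope")
    return {"status": result["status"], "data": result.get("data")}


def reply_error(raw: bytes) -> Optional[str]:
    """None if the reply parses, else the error text (handy in a polling loop)."""
    try:
        parse_sysbus_response(raw)
        return None
    except SysbusError as exc:
        return str(exc)


# Constructed sample replies modelled on the captures in the post (not real traffic).
WAN_OK = (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
          b'{"result":{"status":true,"data":{"LinkType":"dsl","LinkState":"up",'
          b'"ConnectionState":"Connected","IPv6Address":""}}}')
GATEWAY_TIMEOUT = (b"HTTP/1.1 504 Gateway Timeout\r\nContent-Type: text/html\r\n\r\n"
                   b"<html><head><title>Gateway Timeout</title></head>"
                   b"<body><h1>504 - Gateway Timeout</h1></body></html>")
HTML_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>login page</body></html>")

if __name__ == "__main__":
    print(build_sysbus_request("/sysbus/NMC:getWANStatus").decode())
    print(parse_sysbus_response(WAN_OK))
    print(reply_error(GATEWAY_TIMEOUT))
```

The point of the two failure samples is that a script talking to the box should treat "not JSON" and "not 200" as distinct conditions rather than crashing on the first HTML page it gets back.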


Other useful things:

  • POST request to /sysbus/UserManagement:getUsers with payload "{"parameters":{}}":
    {"result":
      {"status":[
        {"name":"admin",
         "enable":true,
         "groups":["http","admin"]}
      ]}
    }
    (guess what - your login username is "admin" and you can't change it, so...)

  • This one is good. POST request to /sysbus/NeMo/Intf/data:getMIBs with payload "{"parameters":{"mibs":"dsl","flag":"","traverse":"down"}}":
    {"result":
      {"status":
        {"dsl":
          {"dsl0":
            {"LastChangeTime":173007,
             "LastChange":4595,
             "LinkStatus":"Up",
             "UpstreamCurrRate":1011,
             "DownstreamCurrRate":2424,
             "UpstreamMaxRate":1012,
             "DownstreamMaxRate":3676,
             "UpstreamNoiseMargin":60,
             "DownstreamNoiseMargin":130,
             "UpstreamAttenuation":223,
             "DownstreamAttenuation":512,
             "UpstreamPower":125,
             "DownstreamPower":0,
             "DataPath":"Interleaved",
             "InterleaveDepth":0,
             "ModulationType":"ADSL_re-adsl",
             "ModulationHint":"Auto",
             "FirmwareVersion":"0c1f0b09",
             "StandardsSupported":"G.992.1_Annex_A,G [...many others snipped...]
             "StandardUsed":"G.992.3_Annex_A",
             "CurrentProfile":"",
             "UPBOKLE":0}
          }
        }
      }
    }
Haha, like I'd ever squeeze 3.5mbit out of this wire. The box is locked to 2424 max, except for the (very frequent with the new firmware) times when it connects more slowly until I pull the phone plug out of the wall and put it back again. It's almost as if the box is trying it on with me...

  • POST to /sysbus/NeMo/Intf/dsl0:getDSLStats with the null payload ("{"parameters":{}}") tells you link status information:
    {"result":
      {"status":
        {"ReceiveBlocks":0,
         "TransmitBlocks":0,
         "CellDelin":0,
         "LinkRetrain":0,
         "InitErrors":0,
         "InitTimeouts":0,
         "LossOfFraming":0,
         "ErroredSecs":0,
         "SeverelyErroredSecs":0,
         "FECErrors":0,
         "ATUCFECErrors":0,
         "HECErrors":0,
         "ATUCHECErrors":0,
         "CRCErrors":0,
         "ATUCCRCErrors":0}
      }
    }

  • GET to /sysbus/DeviceInfo?_restDepth=-1 returns an empty response?

  • POST to /sysbus/VoiceService/VoiceApplication:listTrunks with the null payload tells you about your VoIP phone:
    {"result":
      {"status":
        [{"name":"SIP-Trunk",
         "signalingProtocol":"SIP",
         "enable":"Enabled",
         "trunk_lines":
          [{"name":"LINE1",
           "groupId":"Group1",
           "enable":"Enabled",
           "status":"Up",
           "statusInfo":"",
           "directoryNumber":"+33xxxxxxxxx",
           "uri":"+33xxxxxxxxx@orange-multimedia.fr",
           "authUserName":"xxxxxxxxxx@orange-multimedia.fr",
           "authPassword":"",
           "event_subscribe_lines":
           [{"eventSubscribeEvent":"message-summary",
             "eventSubscribeAuthUserName":"",
             "eventSubscribeAuthPassword":""
           }]
          }],
         "sip":
         {"proxyServer":"",
          "proxyServerPort":5060,
          "registrarServer":"",
          "registrarServerPort":5060,
          "outboundProxyServer":"10.5.6.51",
          "outboundProxyServerPort":5060,
          "userAgentDomain":"orange-multimedia.fr",
          "userAgentPort":5060,
          "subscriptionInfo":
          [{"event":"message-summary",
            "notifyServer":"voicemail.orange-multimedia.fr",
            "notifyServerPort":5060
          }]
         },
         "h323":{}
       },
       {"name":"H323-Trunk",
        "signalingProtocol":"H.323",
        "enable":"Disabled",
        "trunk_lines":
        [{"name":"LINE3",
          "groupId":"Group1",
          "enable":"Disabled",
          "status":"Disabled",
          "statusInfo":"",
          "directoryNumber":"",
          "uri":"",
          "authUserName":"",
          "authPassword":"",
          "event_subscribe_lines":[]
        }],
        "sip":{},
        "h323":
        {"gatekeeper":"",
         "gatekeeperPort":1719}
        }
      ]}
    }
The Livebox 2 has two VoIP telephone ports. Evidently these can be different phone lines, but it doesn't appear to be supported at this time. I didn't know my phone had an email address.
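The dsl0 numbers from getMIBs and the counters from getDSLStats above are more useful once turned into something readable, so here is an added example of mine (not code from the post or from Orange) that does that. It assumes rates are in kbit/s and that noise margin, attenuation and power are in tenths of a dB, which is the TR-098 WANDSLInterfaceConfig convention; the post never states units, it only reads 2424 as about 2.4 Mbit. The sample data is constructed from the captures above; the second, later getDSLStats sample in the test is invented to show the counter-delta idea.

```python
"""Added example: summarise Livebox dsl0 MIB values and watch the error counters.

Assumption (TR-098 convention, not stated by the post): *CurrRate/*MaxRate are
kbit/s; *NoiseMargin, *Attenuation and *Power are tenths of a dB / dBm.
"""
import json

# Constructed sample replies carrying the same values as the post's captures.
MIBS_REPLY = json.loads('''{"result":{"status":{"dsl":{"dsl0":{
  "LinkStatus":"Up","UpstreamCurrRate":1011,"DownstreamCurrRate":2424,
  "UpstreamMaxRate":1012,"DownstreamMaxRate":3676,
  "UpstreamNoiseMargin":60,"DownstreamNoiseMargin":130,
  "UpstreamAttenuation":223,"DownstreamAttenuation":512,
  "UpstreamPower":125,"DownstreamPower":0,
  "DataPath":"Interleaved","InterleaveDepth":0,
  "ModulationType":"ADSL_re-adsl","StandardUsed":"G.992.3_Annex_A"}}}}}''')

STATS_REPLY = json.loads('''{"result":{"status":{"ReceiveBlocks":0,"TransmitBlocks":0,
  "CellDelin":0,"LinkRetrain":0,"InitErrors":0,"InitTimeouts":0,"LossOfFraming":0,
  "ErroredSecs":0,"SeverelyErroredSecs":0,"FECErrors":0,"ATUCFECErrors":0,
  "HECErrors":0,"ATUCHECErrors":0,"CRCErrors":0,"ATUCCRCErrors":0}}}''')

# Counters whose growth between two samples points at an unstable line
# (retrains and errored seconds rather than raw block counts).
LINE_HEALTH_COUNTERS = ("LinkRetrain", "LossOfFraming", "ErroredSecs",
                        "SeverelyErroredSecs", "CRCErrors", "HECErrors")


def dsl_summary(mibs_reply: dict, iface: str = "dsl0") -> dict:
    """Convert the raw dsl0 MIB into Mbit/s and dB figures."""
    m = mibs_reply["result"]["status"]["dsl"][iface]

    def tenths(key: str) -> float:
        return m[key] / 10.0

    return {
        "link": m["LinkStatus"],
        "down_mbit": m["DownstreamCurrRate"] / 1000.0,
        "up_mbit": m["UpstreamCurrRate"] / 1000.0,
        # Rate the line could in theory negotiate beyond what it is doing now.
        "down_headroom_kbit": m["DownstreamMaxRate"] - m["DownstreamCurrRate"],
        "down_snr_db": tenths("DownstreamNoiseMargin"),
        "up_snr_db": tenths("UpstreamNoiseMargin"),
        "down_atten_db": tenths("DownstreamAttenuation"),
        "up_atten_db": tenths("UpstreamAttenuation"),
        "standard": m["StandardUsed"],
    }


def format_summary(s: dict) -> str:
    """One line, downstream/upstream, suitable for a log file."""
    return (f"{s['link']}: {s['down_mbit']:.3f}/{s['up_mbit']:.3f} Mbit "
            f"(headroom {s['down_headroom_kbit']} kbit), "
            f"SNR {s['down_snr_db']:.1f}/{s['up_snr_db']:.1f} dB, "
            f"attenuation {s['down_atten_db']:.1f}/{s['up_atten_db']:.1f} dB, "
            f"{s['standard']}")


def counter_deltas(before: dict, after: dict) -> dict:
    """Which line-health counters grew between two getDSLStats replies."""
    b = before["result"]["status"]
    a = after["result"]["status"]
    return {k: a[k] - b[k] for k in LINE_HEALTH_COUNTERS if a[k] != b[k]}


if __name__ == "__main__":
    print(format_summary(dsl_summary(MIBS_REPLY)))
    print(counter_deltas(STATS_REPLY, STATS_REPLY) or "no new line errors")
```

Polling getDSLStats every few minutes and diffing with counter_deltas is the cheap way to find out whether the frequent slow re-syncs complained about below are the line retraining on its own or something else.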

And, finally, the others I have uncovered but haven't played with.

  • POST /authenticate?username=xxxxxxxxx&password=xxxxxxxxx (in the clear? seriously?)
  • POST /ws
  • POST /sysbus/NMC/OrangeTV:getIPTVStatus
  • POST /sysbus/sah/hgw/models/DeviceManager:enableNotifications
  • GET /logout
...and undoubtedly more.

If you're an expert at JSON, you might get somewhere. I'm not, so I'm throwing in the towel for now. A fun way to waste an evening, but that's all...


Livebox 2 - Horrible new firmware

I'll come right out and say it. It's merdique. That means shitty. Yes, it is that bad.

Here are the version numbers:

Or, in text form: SoftAtHome SG20_sip-fr-4.33.5.1, step4-sip-fr.
Mine is "sip" because I don't have a real phone line, it is only there to pass ADSL data, the phone is a (SIP) VoIP phone. If you have a real phone line, I think it says "h323" instead.
Likewise, the "SG" is because it is a Sagem Livebox. The ZTE ones will say "ZT" instead.
"20" is for a Livebox 2. It'll say "30" for a Livebox 3 (Livebox Play).
Maybe the other firmware is better? Maybe it's worse?

On the face of it, the new UI is clearer and less clunky than the older style. Here is the welcome/login screen:

I include a full screenshot so you can clearly see that this is an iPad. And that the Livebox is saying nothing is connected. Other than, you know... the iPad, the Raspberry Pi, my netbook (all WiFi), a USB memory stick, a Livephone DECT transponder (USB)... Once in a while, if I flagellate myself and make blood offerings, I can see one or other of the connected devices. Generally speaking, I cannot. Makes it "interesting" to manage the recognised devices, and equally "interesting" to correctly dismount USB memory devices. If I had kids and I needed to set up times of access, I'd need to use the app (and hope it works) because the Livebox's own UI sure-as-hell doesn't.

Oh look:

It does know that there is something connected to the USB ports.

There are maybe ten other devices known to my Livebox, but unconnected. Here is a list of them:

Sometimes you need to punch a hole in the NAT to allow a machine to run a server from within the intranet. For this, services like NoIP are useful (forget DynDNS, they sold out). My server, in the very few times it is running, is available at heyrick.ddns.net - but don't bother trying, it isn't on unless something says otherwise. Anyway, does the "new" option work? Uh, no, not really.

Here's the same thing grabbed from Firefox just now (the iPad photos are about two weeks old):
It appears that the Livebox will only switch the IP addresses for a 'name' and provide an entry for the device in the drop-down list if the device has recently been seen by the Livebox. <sarcasm>Useful.</sarcasm>

In the few, rare, times when the management works and stuff appears, you can configure your devices:

which leads on to:

There's more. Ooooh so much more.

  • The Livebox has a DLNA server, so I can pop in a USB storage and watch videos on my iPad with VLC (I'll do a tutorial on this soon). The first hurdle is that the USB device is rarely recognised when the box powers up, or is rebooted. I need to remove and quickly reinsert the USB device in order for it to be 'scanned' for available content. The Livebox knows it is there (see above) but just doesn't seem to look at it.
  • The second problem with the DLNA server is best demonstrated.
    I have a Sagem Livebox 2 that I bought from a boot sale. It is identical to the main one, except that it does not get connected to the phone line (it was intended as a spare), so the firmware was never updated. Here is a status report of transferring a file. I'm about 3-4 metres away with no obstructions.
    And here is the new Livebox transferring the exact same file, with me standing right beside the Livebox.
    While the older Livebox could climb up and over 800K/sec and keep it there, the new firmware bounces around from 300K/sec to about 550K/sec. I'm not sure it's actually capable of 800K/sec. Is it still using a custom build of Twonky?
  • Due to the lethargy of the DLNA server, it pretty much struggles with 720p content. That said, there are instances where the server just "gives up" right in the middle of me watching something.
  • Let's put it like this - the DLNA server is so crappy now, the SSID of the backup Livebox is now "MediaServer". That ought to give you a clue as to what I use it for now, since punting videos and such around using iTunes is a huge huge pain in the ass. Easier to drop it on a USB stick and stream it over WiFi.

  • Phantom devices appearing to be detected and registered by the Livebox, as viewed with the iOS app (certainly not the broken web UI!). Here I have "new-host" and "new-host-2" and "PC2". Well? A paranoid person could think of the NSA snooping on the network, or the Israelis, or the Chinese. A person used to Orange would think that it's more likely something screwed up, although it does make me wonder how secure the Livebox is, given that the login is an HTTP POST of http://192.168.1.1/authenticate?username=admin&password=xxxxxxxxxx - yes, for all that the stats and configuration are locked up, the useless bloody thing sends the password in the clear (response is a ContextID).
    How. Unbelievably. Incompetent. I actually want to punch myself in the face, that's so offensive to common sense it hurts.
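Since the login above puts the password in the URL, here is an added example of mine (not from the post, and nothing to do with Orange's code) showing the part of that problem that outlives the request itself. On plain HTTP the whole request is readable on the wire whichever way the password is sent, but a password in the query string additionally lands in browser history, proxy and web-server access logs and Referer headers. The function below scans access-log lines for credential-bearing query strings and produces a redacted copy you can safely keep. The log lines are constructed samples in Apache combined-log style, with a made-up password; they are not real logs.

```python
"""Added example: find and redact credentials passed in a URL query string.

The Livebox login /authenticate?username=...&password=... is the motivating
case; the sample log lines and the password in them are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as secrets (my list; extend as needed).
SENSITIVE_PARAMS = frozenset({"password", "passwd", "pwd", "pass", "token", "secret"})

# The quoted request line inside an access-log entry: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    '192.168.1.10 - - [05/Aug/2014:16:06:00 +0200] '
    '"POST /authenticate?username=admin&password=hunter2 HTTP/1.1" 200 64',
    '192.168.1.10 - - [05/Aug/2014:16:06:01 +0200] '
    '"POST /sysbus/NMC:getWANStatus HTTP/1.1" 200 312',
    '192.168.1.10 - - [05/Aug/2014:16:06:02 +0200] "GET /logout HTTP/1.1" 200 0',
]


def sensitive_params_in(target: str) -> list:
    """Names of sensitive query parameters present in a request target."""
    query = urlsplit(target).query
    # keep_blank_values so that an empty password is still reported
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_target(target: str) -> str:
    """Replace the value of every sensitive query parameter with REDACTED."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k.lower() in SENSITIVE_PARAMS for k, _ in pairs):
        return target                      # nothing to do, return unchanged
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scan_log(lines) -> list:
    """Return (original, redacted, flagged_params) for lines that leak secrets."""
    findings = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        flagged = sensitive_params_in(m.group("target"))
        if flagged:
            redacted = (line[:m.start("target")] + redact_target(m.group("target"))
                        + line[m.end("target"):])
            findings.append((line, redacted, flagged))
    return findings


if __name__ == "__main__":
    for original, redacted, flagged in scan_log(SAMPLE_LOG):
        print(f"leaks {flagged}: {redacted}")
```

The username is deliberately left in place (it is the same fixed "admin" on every box anyway, as noted above); only the values of the secret-like parameters are replaced, so the redacted line still tells you who logged in and when.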

As this upgrade is forced, I can't help but feel that Orange is using us as an army of beta testers that they'll pretty much ignore. Numerous complaints in the forums about the problems with the new firmware, no further upgrade in the last fortnight. Well, the stagiaire that put together the most recent firmware has maybe moved on? :-) At any rate, it is interesting to note that the box sort of has some passing mention of IPv6 (which I think Orange wants to roll out around 2017ish), but frankly, for now, I'd really rather downgrade to the firmware that worked.

I posted a rant (one of many) on the forum and received the standard advice - to factory-reset it. Thanks, but since the UI is broken and I use some rather specific settings here (which the UI seems incapable of dealing with now), it may be that a factory reset fixes everything. Or it may be that a factory reset breaks things even worse. I've asked on the forum if the Orange staff adviser is willing to guarantee that a factory reset will resolve these problems. I don't expect to hear a reply...

Oh, and the English translations are extremely peculiar. That said, anybody who needs this "hint" does not deserve to have a Livebox. They probably need to be placed in a small padded room instead. Or America, where you can sue because your coffee was hot (regardless of the actual temperature it was served at, who puts a hot beverage between their legs? isn't that asking for trouble?)...

There's really nothing I can say to follow that, so I'll end here.



Your comments:

Thomas, 5th August 2014, 16:06
I could not agree with you more. We use the Livebox in a "residence secondaire", and after some absence I find the new firmware installed and ready to, hm, go? No. Let's leave it at installed. Now I am trying to downgrade. Would you know how to do that? 
 
Thomas
Sarah, 5th August 2014, 20:40
Hi. Is that message at the end really saying if you switch your internet box off you won't have internet?
Rick, 6th August 2014, 14:32
Thomas - no point. While you could possibly downgrade with JTAG to read the old firmware off an unupgraded box to your box....as soon as you hook it into the phone line, it'll go and upgrade itself. :-/ 
 
Sarah - yup. Patronising, isn't it?

© 2014 Rick Murray