Flashing the Livebox under a Unix OS
Wanadoo distributes a rescue CD for reflashing a Livebox that has suffered a failed auto-upgrade (and I think that's what happened to me: my Livebox stopped working after some time on the internet). The CD contains a Windows tool which is nothing more than a TFTP server from which the Livebox downloads the firmware, so flashing it under FreeBSD is trivial:
- create a directory that contains the file "inventel/blue_5g/factory_script" (this is the exact path the Livebox requests over TFTP):
# mkdir -p /liveflash/inventel/blue_5g
# cp factory_script /liveflash/inventel/blue_5g
- connect the Livebox to your network through its yellow ethernet port, and set the IP of your ethernet card to 10.7.58.114:
# ifconfig sis0 10.7.58.114
- configure TFTP in inetd.conf as follows (the -s option chroots tftpd into /liveflash, so the requested path is resolved relative to that directory; -l logs each request, which is handy to see whether the box is asking for the file at all):
tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /liveflash
- make inetd reread its configuration:
# killall -HUP inetd
- power cycle the Livebox while holding the "1" button. When the three middle LEDs are lit (after about 10 s), release the button. The "warning" LED blinks rapidly while the Livebox downloads the firmware from your TFTP server...
The lame protections of the Livebox
The Livebox runs Linux 2.4 on a Broadcom chip, but Wanadoo doesn't want you to have full access to it (the Livebox is even locked so that you can't use it with another ISP). See http://www.agp.dsl.pipex.com/inventel.html for information about how to get a shell (it requires some hardware). The first configuration save files were in fact tarballs encrypted with a weak substitution cipher (see the website above). The firmware upgrades (the factory_script file) are slightly more complicated: they use XOR encryption. But since the cleartext contains long runs of zero bytes, and XORing a zero byte with the key leaves the key byte itself in the ciphertext, the repeating key can simply be read off the ciphertext in those ranges:
94 00 03 02 00 14 E8 15 3F A6 D8 A2 D8 14 71 46
FF 80 09 38 76 08 E0 C0 5C 3C 00 14 63 4A CD F8
96 C6 C2 0D BD E7 E7 BB 12 CF 3C 21 F7 05 CF 77
> Download firmware ciphering tool
Syntax: livecrypt input_file output_file
The firmware upgrade file consists of RedBoot commands (hence the name factory_script), zero-padded up to offset 0x1000, followed by a standard cramfs filesystem image.
Unfortunately, I found out later that the keys sometimes vary from one firmware to another. Therefore, I have modified livecrypt so that it probes the key (by reading data right before 0x1000, assuming the cleartext is all zeros there).
> Download updated livecrypt
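As an added illustration (this is not the page's livecrypt, whose source is only available through the download links above), the following Python puts the three ideas of this section into working code: XOR with the 48-byte key listed above, recovering an unknown key from the zero padding just below 0x1000 the way the updated livecrypt does, and checking that a cramfs superblock sits at 0x1000 after decryption, which catches a wrong key immediately. It assumes that the key repeats with a period of 48 bytes and that the byte at file offset i is XORed with key[i mod 48]; the page states neither explicitly. The sample firmware is constructed inline and is not a real image.

```python
"""Added example, not the page's livecrypt: XOR (de)ciphering of a Livebox
factory_script with the 48-byte key from the page, key probing from the
zero padding below 0x1000, and a cramfs-header check on the result.

Assumptions not stated by the page: the key repeats every 48 bytes, the byte
at file offset i is XORed with KEY[i % 48], and the region immediately before
0x1000 holds at least one full key period of zero bytes.
"""
import struct
from typing import Optional, Tuple

# Key exactly as listed on the page (three rows of 16 bytes).
KEY = bytes.fromhex(
    "94 00 03 02 00 14 E8 15 3F A6 D8 A2 D8 14 71 46"
    " FF 80 09 38 76 08 E0 C0 5C 3C 00 14 63 4A CD F8"
    " 96 C6 C2 0D BD E7 E7 BB 12 CF 3C 21 F7 05 CF 77"
)

SCRIPT_END = 0x1000                   # RedBoot script is zero-padded up to here
CRAMFS_MAGIC = 0x28CD3D45             # little-endian u32 at offset 0 of a cramfs image
CRAMFS_SIGNATURE = b"Compressed ROMFS"  # bytes 16..32 of the cramfs superblock


def xor_crypt(data: bytes, key: bytes, start: int = 0) -> bytes:
    """XOR data with the key repeated from file offset `start`.
    Encryption and decryption are the same operation."""
    n = len(key)
    return bytes(b ^ key[(start + i) % n] for i, b in enumerate(data))


def probe_key(data: bytes, period: int = len(KEY), boundary: int = SCRIPT_END) -> bytes:
    """Recover the repeating key from the zero padding right before `boundary`.
    Where the cleartext byte is 0x00 the ciphertext byte equals the key byte,
    so one period of ciphertext ending at `boundary` is the key, rotated by
    (boundary - period) % period. Undo that rotation."""
    if len(data) < boundary:
        raise ValueError("file shorter than the script/cramfs boundary")
    window = data[boundary - period:boundary]
    shift = (boundary - period) % period
    key = bytearray(period)
    for j, b in enumerate(window):          # window[j] == key[(shift + j) % period]
        key[(shift + j) % period] = b
    return bytes(key)


def looks_like_cramfs(blob: bytes) -> bool:
    """True if blob starts with a cramfs superblock (magic and signature)."""
    if len(blob) < 32:
        return False
    magic, = struct.unpack_from("<I", blob, 0)
    return magic == CRAMFS_MAGIC and blob[16:32] == CRAMFS_SIGNATURE


def decrypt_firmware(cipher: bytes, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Decrypt a factory_script, probing the key when none is given.
    Returns (key_used, plaintext); refuses output with no cramfs image at
    SCRIPT_END, which is how a wrong key or a wrong layout shows up."""
    key = key or probe_key(cipher)
    plain = xor_crypt(cipher, key)
    if not looks_like_cramfs(plain[SCRIPT_END:]):
        raise ValueError("no cramfs superblock at 0x1000: wrong key or layout assumption")
    return key, plain


def build_test_firmware(key: bytes,
                        script: bytes = b"fis load -b 0x80020000 linux\nexec\n") -> Tuple[bytes, bytes]:
    """Constructed sample, not a real image: RedBoot-style commands zero-padded
    to 0x1000, then a minimal cramfs superblock plus filler, XORed with `key`.
    Returns (plaintext, ciphertext)."""
    cramfs = struct.pack("<IIII", CRAMFS_MAGIC, 0x200, 0, 0) + CRAMFS_SIGNATURE
    cramfs += b"\x00" * 16 + b"test".ljust(16, b"\x00") + b"\xAA" * 0x100
    plain = script.ljust(SCRIPT_END, b"\x00") + cramfs
    return plain, xor_crypt(plain, key)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("Syntax: livecrypt.py input_file output_file")
    with open(sys.argv[1], "rb") as f:
        cipher = f.read()
    key_used, plain = decrypt_firmware(cipher)
    with open(sys.argv[2], "wb") as f:
        f.write(plain)
    print("key:", key_used.hex())
```

Run as `python3 livecrypt.py input_file output_file` to decrypt with a probed key. The cramfs check relies on the magic 0x28cd3d45 and the "Compressed ROMFS" signature that every cramfs superblock carries; a key that comes out of the probe but fails that check means the all-zeros assumption did not hold for that file, and the key must be found some other way.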
Better still: there is information about the encryption at the end of the firmware.
> Download latest decryption program
(Contributed by Pierre Michon)