DISCLAIMER: I am not responsible for any of your broken devices. Please don’t blame me if you end up bricking your router.

Note: The following actions were carried out on firmware version SRCMTF1_JCO4032_R2.9 running on a Jio Fiber JCO4032 router.

The Problem

Ever since I’ve had fiber installed at my place, I’ve been wanting to learn more about how GPON works. Unfortunately, the current line of work I am in has nothing to do with GPON. So, until a couple of days ago, I was unable to tinker with a device that uses it. Well… that has changed.

Take a look at this link here:

Github tutorial on how to gain root access to your Jio Fiber router

This link hosts a tutorial on how to enable telnet and change the root password to ‘password’.

It works! But these are the MAJOR problems with it:

  1. The Telnet daemon will eventually shut down after some time (even if the device isn’t powered off) because of cron jobs running in the background. The link above presents a way to enable telnet permanently but this DOES NOT work. At this point, the only option is to re-apply the configuration that was applied earlier.

  2. The Telnet daemon DOES NOT survive a reboot.

  3. The root password that is modified using the hack above DOES NOT survive a reboot.

For the past two days, I have been messing around with the device and trying to get through some of its code - it’s all written in Lua and shell.

And, I’m happy to say that I’ve found out ways to circumvent the above limitations.

The Observations

When you think of the term “embedded device”, what is the first thing that comes to your mind? For me, it’s storage. Most embedded devices have a ROM that holds the firmware. The Jio Fiber router is no exception. But, along with that, it also has persistent storage - two of them!

Let’s look at the partitions of the router:

Filesystem                Size      Used Available Use% Mounted on
/dev/root                26.1M     26.1M         0 100% /
ubi0:config_data         17.1M      1.5M     14.7M  10% /flash
ubi1:config_data2        74.4M     24.0K     70.5M   0% /flash2
/dev/mtdblock11           2.0M    428.0K      1.6M  21% /usr/config/WLan/MAP

Hmm… ubi! Let’s see if we have a command that will give us some info about this:

RIL> ubinfo
UBI version:                    1
Count of UBI devices:           2
UBI control device major/minor: 10:59
Present UBI devices:            ubi0, ubi1

Ah, of course: it means that we have some flash storage attached. Should’ve guessed it from the output of ‘df -h’… duh!

Writing something to /flash and /flash2, and then rebooting the router confirmed the theory that we do have persistent flash storage present.

Now, how do we use this flash storage to our advantage?

Enabling the Telnet daemon PERMANENTLY

Let’s observe an excerpt from a shell script that this router contains:

if [ -e /pfrm2.0/TELNET_ENABLE  ]; then
    #this is telnet enabled image run telnetd
    /usr/sbin/telnetd
else
    if ! [ -e /flash/telnetDisable  ]; then
        #this is telnet enabled image run telnetd
        /usr/sbin/telnetd
        /pfrm2.0/bin/iptables -I INPUT -p tcp --dport 23 -m ifgroup --ifgroup-in 0x1/0x1 -j ACCEPT
    fi
fi

See the problem here? Unless the image is marked telnet-enabled via /pfrm2.0/TELNET_ENABLE (in which case telnetd starts unconditionally), this piece of code looks for a file called telnetDisable in /flash. If the file is not found, it proceeds to start the telnet daemon and open up the telnet port in the iptables INPUT chain! And this piece of code is guaranteed to run on every boot!

SOLUTION: The /flash being persistent in nature means that if we simply delete /flash/telnetDisable, we will have the telnet daemon running on every boot!

But, just enabling telnet is no fun… let’s find a way to set a custom root password on every boot!

Modifying the root password PERMANENTLY

WARNING: The below steps will make permanent modifications to your router’s flash partitions which may put it into a boot loop! Please proceed with caution!

Let’s look at another piece of code this router has:

if [ -e /flash2/pfrm2.0/etc/voipInit ]; then
    /flash2/pfrm2.0/etc/voipInit &
else
    [ -e ./voipInit ] && . ./voipInit &
fi
sleep 5;

(The above code is from the initialization script - the script that runs when the system finishes booting up.)

I hope the problem is obvious. This code will proceed to run /flash2/pfrm2.0/etc/voipInit if it exists! And, the cherry on top is that /flash2 is also persistent!

Now, we just create a simple shell script that sets a password of our choice, and rest assured it will be set on every boot.

SOLUTION: Create /flash2/pfrm2.0/etc/voipInit with the following contents. Make sure to mark the file as executable (chmod +x /flash2/pfrm2.0/etc/voipInit).

#!/bin/sh
# set the root password to "topgun" on every boot; passwd reads the new password twice from stdin
echo -e "topgun\ntopgun" | passwd root
# marker file showing that this hook actually ran
touch /tmp/nanibot_is_peeping
# hand over to the stock voipInit so the VoIP setup still happens as before
. /pfrm2.0/etc/voipInit &

Note: the stock /pfrm2.0/etc/voipInit is still called at the end, just to be safe.
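Both tricks above leave traces on the persistent partitions, so the owner of a device can check for them. The following audit script is an added example, not part of the original post: it takes an optional path prefix so it can be run against a copied directory tree rather than the live router, and it assumes the path layout shown in the two excerpts above (/flash/telnetDisable, /pfrm2.0/TELNET_ENABLE and /flash2/pfrm2.0/etc/voipInit).

```shell
#!/bin/sh
# Added example (not from the original post): audit the two persistence points
# the post describes, the telnetd-at-boot gate and the /flash2 voipInit hook.
# Arg 1 is a path prefix (empty = live router); layout assumed as in the post.
# Prints one line per finding; the return code is the number of findings.
audit_persistence() {
    root="${1:-}"
    findings=0
    # Boot script: telnetd runs unless /flash/telnetDisable exists
    # (or unconditionally when /pfrm2.0/TELNET_ENABLE is present).
    if [ -e "$root/pfrm2.0/TELNET_ENABLE" ]; then
        echo "WARN: pfrm2.0/TELNET_ENABLE present: telnetd starts on every boot"
        findings=$((findings + 1))
    elif [ ! -e "$root/flash/telnetDisable" ]; then
        echo "WARN: flash/telnetDisable missing: telnetd starts on every boot"
        findings=$((findings + 1))
    fi
    # Init script: /flash2/pfrm2.0/etc/voipInit is run as root on every boot.
    hook="$root/flash2/pfrm2.0/etc/voipInit"
    if [ -e "$hook" ]; then
        if [ -x "$hook" ]; then
            echo "WARN: executable boot hook flash2/pfrm2.0/etc/voipInit present"
        else
            echo "INFO: non-executable flash2/pfrm2.0/etc/voipInit present"
        fi
        findings=$((findings + 1))
        if grep -q 'passwd' "$hook" 2>/dev/null; then
            echo "WARN: voipInit hook invokes passwd (root password reset at boot)"
            findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# Constructed sample tree (not a real router image) reproducing the state the
# post leaves behind: telnetDisable removed and a voipInit hook on /flash2.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/flash" "$d/flash2/pfrm2.0/etc" "$d/pfrm2.0"
    printf '#!/bin/sh\nprintf "x\\nx\\n" | passwd root\n' > "$d/flash2/pfrm2.0/etc/voipInit"
    chmod +x "$d/flash2/pfrm2.0/etc/voipInit"
    echo "$d"
}

demo=$(make_demo_tree)
audit_persistence "$demo" || echo "$? persistence finding(s) under $demo"
rm -rf "$demo"
```

On the real device, run it with no argument from a telnet shell; a clean unit (telnetDisable present, no hook on /flash2) reports nothing and returns 0.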

Closing Thoughts

Well, this does bring me a little closer to my goal - learning how an ONU/ONT communicates with an OLT. But I still don’t have a proper understanding of GPON and that makes me a bit sad 🙁. I’ve only managed to get my feet wet in what appears to be a bottomless ocean.