/ hacking

Unleash Fastgate RTV1907 VW D228

I've got the new router from fastweb: Fastgate RTV1907VW, which is a pretty fast and stable VDSL router. But the default web admin interface it's really poor.
I cannot change default DNS server, schedule reboot, log in with ssh/telnet, install other useful software, like a VPN server.

If you'd like to unleash the power of the router ...
Carefully open the case, two screws on the bottom and plastic clips. Once case is opened you can see the version of the board: RTV1907VW-D228 REV:4.


Find the UART port, to discover right pin use a multimeter, first find GND than spot for RX and TX, (it's better to weld pins on board) now connect uart pins to a USB to a serial adapter (es. CP2102). Set voltage jumper on serial adapter to 3.3V.
Pins of the serial are:
VCC (+3.3V!!)

Open putty set connection type to serial and speed to 115200. Reboot router.


A few info from boot log.
Chip ID: BCM63136B0, ARM Cortex A9 Dual Core: 1000MHz
Total Memory: 536870912 bytes (512MB)
NAND flash device: , id 0xc2dc block 128KB size 524288KB
Bootloader version: CFEROM : 2.5.2Nr1820 CFERAM : 2.5.2Nr1820
Linux version 3.4.11-rt19
CPU: ARMv7 Processor [414fc091] revision 1 (ARMv7), cr=10c53c7d
At the end of the boot log you will be prompted for username and password

Login: admin
Password: admin

than you need to launch the bash


First of all, enable SSH and telnet local connection (thanks Agenore)

iptables -A INPUT -p tcp --dport 22 -s -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 23 -s -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -s -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j DROP

Now you can connect with telnet/ssh (lanadmin lanpasswd)


To change default DNS find dnrd service (DNS proxy server) and kill it

ps aux | grep dnrd
kill pid_number_of_process

Now restart dnrd service with google's DNS

/usr/sbin/dnrd -u 2 -a -b -r 0 -m hosts -c off -s -s -R /tmp/dnrd.lan --stats 1

Change also /etc/resolv.conf.

Password of admin it's stored in this file /var/tmp/hashpwd

Default firewall rules are applied every time router it's rebooted, and every time it losts VDSL connection. It's possible to dump the flash modify it and flash the new version back, but I don't know how to do it, and I don't have much spare time ...

Maybe there's a lazy solution ... if in the meantime they don't change all default passwords.

To be continued ...