# Guide: Unlocking and Modding Telstra Routers (Technicolor hardware)



## Mussels (Jul 5, 2022)

This guide will be most useful to the Aussie members of the forums here, but Technicolor modems are used in a lot of different countries under various brand names so it'll help them as well, as long as you can alter any relevant instructions yourself (Factory IP address may be different, choosing different firmware from the list, etc)

I also call these routers a Modem, Router or Gateway at various times - they all mean the same thing, in the context of this guide. Sorry.

Yes this is safe - it's all open source coding for an OS based on OpenWRT in the first place, the ultra geeks writing this stuff in the first place on the whirlpool forums would absolutely notice and kick up a fuss if there were any security concerns. In fact, one of the biggest deals is that you can now lock TELSTRA out of the router increasing security.


Why would i do this?
Because some of them are super high spec routers with AC2200, 1GB of RAM and the best VDSL modems money can buy.
Unlocked they can work with any ISP, enable a heap of useful features including being used to create high speed wifi mesh networks and are often for sale for $10 on the facebook marketplace or gumtree.

I personally have modded the Telstra Frontier (DJN2130), Telstra Smart Modem (DJA0230), and Telstra Smart Modem Gen 2 (DJA0231) with these instructions.

The super short summary:
1. Telstra lock these down tight, so tight you cant even change DNS servers
2. Telstra automatically do Firmware updates when they're online
3. You *may* get working 'free' Internet on the backup 4G SIM card so instructions are included, but they usually get disabled after a few months. This does not cost the original owner anything, but some consider it immoral.

All the information has come from a mix of the whirlpool forums, the hack-technicolor website (Generic to all technicolor routers) and finally TCH-GUI-UNHIDE, which is more exclusively useful to Telstra customers.
If any of my instructions get outdated, you can use those links to find newer information.



Prep work:
Save the instructions and relevant files first, and run two connections to your PC if you can so you can still access instructions and files as needed, while you work.

What you'll need:
1. A Technicolor router
2. PC with ethernet port and cable
3. Internet connection
4. Some software:
Putty (For entering commands into the router)
WinSCP
TCH-Exploit (to actually gain root)




Spoiler: Preparation:



Check the firmware installed onto your device in your web browser, usually http://192.168.0.1 or http://10.0.0.138
Find your Modem/Router in the list here https://hack-technicolor.readthedocs.io/en/stable/Repository/
Once you find your Router model, you'll see a list of firmwares: compare the one you have installed, and see if it's A B or C.
You can also download these firmwares to manually update the router or for recovery in case of mistakes, but this is optional.
The latest firmwares can't always be rooted, so be sure to check if root methods are available before letting it auto update.






The page here will then list links to what those letters mean - which is what method you can use to gain root access
Rooting Type 2 - Hacking Technicolor Gateways




All the ones i've used, have been type C# and thats what these instructions will follow.





Spoiler: Optional firmware update step:



You can connect the device to the internet and let it auto update to the latest version, but sometimes they cant be rooted.

Once rooted, you can use the method here to manually update:
Safe Firmware Upgrade - Hacking Technicolor Gateways
Theres some nice step by step instructions for this using winSCP to transfer the firmware and how to unpack and install it, that i see no way i can improve on - so use their guide!
The only not beginner friendly part is they forget to mention to use WinSCP to connect and transfer the file, and then use Putty to connect and run the commands

Essentially it is:

Rename and copy your firmware file to /tmp/new.rbi

preserve your root access with

```
mkdir -p /overlay/$(cat /proc/banktable/booted)/etc
chmod 755 /overlay/$(cat /proc/banktable/booted) /overlay/$(cat /proc/banktable/booted)/etc
echo -e "echo root:root | chpasswd
sed -i 's#/root:.*\$#/root:/bin/ash#' /etc/passwd
sed -i -e 's/#//' -e 's#askconsole:.*\$#askconsole:/bin/ash#' /etc/inittab
uci -q set \$(uci show firewall | grep -m 1 \$(fw3 -q print | \
egrep 'iptables -t filter -A zone_lan_input -p tcp -m tcp --dport 22 -m comment --comment \"!fw3: .+\" -j DROP' | \
sed -n -e 's/^iptables.\+fw3: \(.\+\)\".\+/\1/p') | \
sed -n -e \"s/\(.\+\).name='.\+'$/\1/p\").target='ACCEPT'
uci add dropbear dropbear
uci rename dropbear.@dropbear[-1]=afg
uci set dropbear.afg.enable='1'
uci set dropbear.afg.Interface='lan'
uci set dropbear.afg.Port='22'
uci set dropbear.afg.IdleTimeout='600'
uci set dropbear.afg.PasswordAuth='on'
uci set dropbear.afg.RootPasswordAuth='on'
uci set dropbear.afg.RootLogin='1'
uci set dropbear.lan.enable='0'
uci commit dropbear
/etc/init.d/dropbear enable
/etc/init.d/dropbear restart
rm /overlay/\$(cat /proc/banktable/booted)/etc/rc.local
source /rom/etc/rc.local
" > /overlay/$(cat /proc/banktable/booted)/etc/rc.local
chmod +x /overlay/$(cat /proc/banktable/booted)/etc/rc.local
sync
```

This unpacks your new.rbi and converts it to new.bin - this takes several minutes and may crash a router that's low on ram or free space
You can use './de-telstra -M' and './de-telstra -G' (disables guest wifi and removes its firewall rules) to reduce RAM usage for this process



```
cat "/tmp/new.rbi" | (bli_parser && echo "Please wait..." && (bli_unseal | dd bs=4 skip=1 seek=1 of="/tmp/new.bin"))
```

If you run out of free space and crash, you can also use a USB flash drive - but the location changes (Must be FAT32 formatted)
The USB version of the code is:


```
cat "/mnt/usb/USB-A1/new.rbi" | (bli_parser && echo "Please wait..." && (bli_unseal | dd bs=4 skip=1 seek=1 of="/mnt/usb/USB-A1/new.bin"))
```

Flash the firmware (make sure you edit this line if you didn't rename the file to new.rbi or copied it anywhere else!)

```
# Erase and write new firmware into booted bank
mtd -e $(cat /proc/banktable/booted) write "/tmp/new.bin" $(cat /proc/banktable/booted)
# Emulate system crash to hard reboot
echo c > /proc/sysrq-trigger
```

USB location:

```
# Erase and write new firmware into booted bank
mtd -e $(cat /proc/banktable/booted) write "/mnt/usb/USB-A1/new.bin" $(cat /proc/banktable/booted)
# Emulate system crash to hard reboot
echo c > /proc/sysrq-trigger
```






Spoiler: Getting Root access (Make sure you have the software from earlier downloaded!)



1.Power up the router, with no WAN connections. No SIM Card (you may have to remove a white sticker on the older models), no WAN cable and no phone cables.

2.Connect your PC's ethernet cord to the RED WAN port (Not the yellow LAN port!) for this first step only.

3. You need to change your network cards IP address and default gateway to 58.162.0.1 with DNS to 255.255.255.0
Exactly how to do this varies between versions of windows, but if you google "Change DNS in windows X" you'll find dozens of easy guides.



4. Once that's done, you'll need to run tch-exploit-win.exe (right click and run as admin) - further instructions are here but it's fully automatic with the exception of pressing the WPS button at a specific time
4a. At first you'll get a pretty generic looking window, but once the router connects to your custom-set IP address it thinks you're telstras update server - and gives the program full access.



4b.You'll get a wall of cool hacker text in a DOS looking window, that takes 1-5 minutes for the router to do it's thing and communicate with the program



4c. Eventually it progresses and asks you to press and hold the wifi WPS button, labelled as "pair" on some models - you may need to scroll down or expand the window to see this text



Once you've held that in for 3-5 seconds the text updates and says you're done. Revert your ethernet connection back to automatic IP and DNS, and move the LAN cable from the red WAN port to the yellow LAN port.
*Congrats! You have root access!*



Next up: tch-gui-unhide



Spoiler: Unlocking the router



If you need to do this offline, theres a guide here but it involves more putty and winSCP to transfer files into the router, as well as adapting some of the commands based on filenames and locations (root folder, USB flash drive, etc)
Theres several methods you can use to install this, but this is the simplest and doesnt require winSCP to transfer files.
It does require internet access, so this is when you connect the Technicolor routers WAN port to your existing networks LAN port, and give it internet access

Open Putty and enter the IP address of your router, SSH and port 22



You'll get a security alert on your first connection, just hit 'accept'


The next screens require you to type a login and password the default now is
	
	



```
root
```
 for both
At this point you can run ./passwd and change the root password at any time, but for this guide i'm leaving it default to make it simpler.

You can then copy-paste the following command to have the router download and unpack the installer in one easy step:

```
curl -k -L https://github.com/seud0nym/tch-gui-unhide/releases/latest/download/$(uci get version.@version[0].marketing_version).tar.gz | tar -xzvf -
```

You'll get something like this as they download, they're only scripts so it's quite fast




From here on is when you can run any of those scripts by running ./scriptname in your putty terminal. The TCH-GUI-UNHIDE page has a lot of examples and explanations of what commands can be used, but the main ones to use and in what order would be:
(Many of these will prompt you to hit Y and enter to confirm, i'm not hand-holding that much)


```
./set-optimal-bank-plan
```
   This resets your device, but makes sure the device wont lose the wrong settings from a reset and protects against corruption. After it reboots, connect with putty again by right clicking the top of the window and clicking 'restart session' and typing in the root username and password again.


```
./de-telstra -A
```
 This prevents Root being lost, and removes Telstra exclusive services and stops telstras remote access. The -A command is just recommended defaults, run without any commands to see the whole  list


```
./tch-gui-unhide
```
 this opens up all the hidden menus telstra disabled. You can use -A for recommended settings, or manually enable and disable each setting


```
./tch-gui-unhide-cards
```
 is an interactive script to help you enable or disable those cards manually, but you need to run the above command at least once before this works




This is my before image:




And after (zoomed out to fit with some pages still disabled)




Bonus page of in-progress content: Setting up spare routers as EasyMesh wifi clients! (without paying $300 to telstra)

If you're on a DJA0230 or DJA0231 You can use the following commands to set one router to be an easymesh AP instead of the controller, for that sweet sweet AC2166Mb wifi link (with ethernet out at the other end)

What should happen is router 1 has the controller active, and router 2 (with the controller disabled) should automatically pair with the network and copy wifi settings. What's happening is... not that.


```
./de-telstra -m
```
 *has commands to alter the easymesh AP settings, i'm working on the exact ones to force a device to the a 'client' now. The unlocked UI also has options for this.*

Final version: The routers need to be on the same firmware, once my second DJA0231 was updated to 20.3c easymesh functioned easily.
All i needed to do was enable "agent" on the primary and  disable "controller" on the secondary via the GUI, and connect them LAN to LAN



Wireless boosters dont seem supported via modding despite years of efforts by modders - they require a wired backhaul 

Bonus code for VDSL users:
(hashtags make the code not do anything, they're for users to understand the code)
These unlock the VDSL download, upload, and total of both rates - some firmwares had lower limits (110 down and 30 up)


```
# Increase the max sync speed
uci set xdsl.dsl0.maxaggrdatarate='200000'
uci set xdsl.dsl0.maxdsdatarate='140000'
uci set xdsl.dsl0.maxusdatarate='60000'
```


```
#Remove old ADSL profiles and modes to sync VDSL faster
uci del_list xdsl.dsl0.profile='8a'
uci del_list xdsl.dsl0.profile='8b'
uci del_list xdsl.dsl0.profile='8c'
uci del_list xdsl.dsl0.profile='8d'
uci del_list xdsl.dsl0.profile='12a'
uci del_list xdsl.dsl0.profile='12b'
uci del_list xdsl.dsl0.multimode='gdmt'
uci del_list xdsl.dsl0.multimode='adsl2annexm'
uci del_list xdsl.dsl0.multimode='adsl2plus'
```


----------



## Mussels (Jul 7, 2022)

I got doublestacked ipv6 working as well - short version, working ipv6 on a second attached router network

This was glitched as a firmware bug and the author of the mod issued a fix. The bug was that the prefix setting would vanish.

The simple fix LAN settings card, and lower the IPv6 prefix from /64 to /61
Why? I assume the google nest wifi mesh needs /3 worth of subnets, for it's 2.4GHz, 5GHz and backhaul?

All i care about, is that i beat google who said it wasnt possible


----------



## lexluthermiester (Jul 8, 2022)

Mussels said:


> The key here is that ./de-telstra -G removes guest networks and their firewall rules, and those firewall rules are what fix the ipv6 issue


Nevermind my other suggestion. This is interesting.


----------



## steen (Jul 8, 2022)

OpenWRT/Smart ROOter is very useful. Enabling 2nd SIP & USB tethering USB=>WAN is damn handy.


----------



## Mussels (Jul 8, 2022)

lexluthermiester said:


> Nevermind my other suggestion. This is interesting.


After consulting the author of the mods and doing way too much research onto IPv6, what it boils down to is each seperate subnet requires "/1" prefix allocated

/64 gives one IP to the router
/63 gives one range to share into X addresses
/62 gives an extra for the guest wifi (since its seperated to provide user isolation) - and the routers internal firewall rules must allow that traffic to flow to and from the WAN/WWAN

In this case, i have one for the telstras network, and then need two for the google setup - one for itself, and one for it's own guest network. The key here is that the google will not activate IPv6 if it doesnt get at least '/3' worth of prefix allocation (subnets? i dont know the correct terminology)

I got unlucky with removing the firewall rules breaking the subnet prefix setting (since the firewall blocked the traffic anyway), and lucky that the unlocked router allowed me to force it to a lower number - allowing more to pass through for the google/nest wifi to claim for itself.


The next time i reply to the failure of tech support google is giving me will be fun, proving they were entirely wrong about ipv6 being ever possible to work with dual stack routers. They said to just bridge my cable modem despite the fact that australia ripped up our HFC cable networks years ago since they're just objectively terrible - too prone to peak hour congestion, and upload speeds that make DSL look good (we had 100Mb down and 2Mb up, it was insanely worthless - the100/40 that replaced it is far superior... except to google)


steen said:


> OpenWRT/Smart ROOter is very useful. Enabling 2nd SIP & USB tethering USB=>WAN is damn handy.



These are apparently OpenWRT based in the first place. There are scripts to send the LTE, WAN and VDSL to a hard wired LAN port each, for example keeping them simultaneously active


----------



## mechtech (Jul 23, 2022)

Ahhh our poor Aussie brothers suffering Telstra.  Have they gotten any better over the past decade, or is the butt-hurt still in full effect??


----------



## Mussels (Jul 24, 2022)

mechtech said:


> Ahhh our poor Aussie brothers suffering Telstra.  Have they gotten any better over the past decade, or is the butt-hurt still in full effect??


The hardware on these is great, it's been ironic helping american friends on DSL (usually stuck under 8Mb/1Mb) with the best modems they can get having 256MB of RAM and low clocked dual core CPU's

Telstra are still the usual big boy company, only around because they've raised generations of people to think the only way to get a phone is on a 3 year contract...
Oh but get 5% off if you bundle that with your home internet (but pay 50% more than seperate services on other telcos)

____________________________________________________________________________________________________




Alright, next dumbass mod: installing Transmission so my Telstra gateway can download torrents to an attached USB 3.0 hard drive!
This is really heavy on the RAM usage, so i expect this would be unusable on Gen 2 devices with their low <512MB of RAM.
As i'm making this up as i go from mixing and matching various guides, i'll put down what i did,  and try it again on a second router to be sure what steps were actually neccesary.

I have my test router on 192.168.3.1 but tried to edit all the commands for the default 192.168.1.1 - if you find a 3.1 anywhere, change to 1.1 for your own uses.

A lot of info came from here, but some of it's incorrect for this router
[OpenWrt Wiki] Transmission configuration

If it's marked with an * it's likely optional and can be skipped - i'm re-doing this on a second router later, and will confirm what is needed and what is not.



Open a web browser and load the packages card
* Tick custom feeds and update now
Load available packages tab (it'll be slow)
Search for and install all packages for Transmission


Open a putty terminal and log in to the root account on the router

In putty run:
uci set transmission.@transmission[0].enabled="1"
uci commit transmission
/etc/init.d/transmission restart

Then  in web browser, go to http://192.168.1.1:9091/    (Your IP may be not be 192.168.1.1 - that's upto you to adjust the settings as you go)
You should get redirected to
http://192.168.1.1:9091/transmission/web/

Default firewall example to port forward to the transmission server:
This adds a firewall rule, but i've not confirmed it's working yet


uci add firewall rule
uci set firewall.@rule[-1].name='Allow-Transmission'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest_port='51413'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
service firewall restart

(These are the final settings i ended up with, i need to check how to add them via the script above)
config rule
    option name 'Allow-Transmission'
    option src 'wan'
    option proto 'tcp udp'
    option dest_port '51413'
    option dest_ip '192.168.3.1'
    option target 'ACCEPT'
    option enabled '1'




(I accidentally ran this twice, and had to use WinSCP and edit /etc/config/firewall to remove the bottom entry. oops.)


Once it's logged in and all behaving well, you change settings in the webUI itself - the wrench in the bottom left
The correct download location for a mounted USB drive on these routers is
/mnt/usb/USB-A1/

So you can use this as an example:
/mnt/usb/USB-A1/Downloads/





You can edit the settings file manually with WinSCP here: (remember, these files have no extension - so not .txt)
/etc/config/transmission

There are some 'whitelist' files here you'll need to add your IP range into, to be able to login with remote transmission clients (default is 192.168.1.* - you could set 192.168.*.* for example if you changed your IP range the router uses)

It seems they support FAT32 and NTFS but not EXFAT
You can find the web address for your drive (created based on its internal harwdare, sigh) on the "content sharing" card of the router




For whatever reason you can see this drive is now listed as sda2 - which means the location above i need to change the location to:
(I verified this was correct in winSCP by loading into the /mnt/ directory and seeing what paths showed up)
/mnt/usb/USB-A2/Downloads/


At this point the WEB UI worked and i can try to download to the hard drive, and i can remotely access it over the LAN.
The download errors due to lack of permissions for transmission to access the folder
I'm sure there are more secure ways to alter this but as a beginner to the unix? linux? file systems i just went with the root user:


(In Putty)

service transmission stop

edit the following in /etc/config/transmission

     option config_dir '/mnt/usb/USB-A2/Downloads/'
    option config_overwrite '1'
    option user 'root'
    option group 'root'

service transmission start

And now with 'transmission remote' windows software:





She's all working, webUI and transmission!





You can add this to the 'paths' setting in transmission remote so that you can 'open' a torrents folder location within the program
In my case, this was the code needed: (location the router uses = windows share location)
/mnt/usb/USB-A2/Downloads/=\\192.168.3.1\TOSHIBA_MQ01ABF050_2_23fd




random notes below:
*This might be needed (need to retest on new router/formatted drive)
chmod 777 /mnt/usb/USB-A2/Downloads/
(remember that you'll need to edit that command to A1 depending on the USB drive, or if the directory changes)


To do list:

I may need some sort of script to make this daemon start with the router, that's a future task

I'll probably want to change the config_dir, download_dir, and incomplete_dir variables to point to locations on external storage so settings are saved on the USB drive and not on the router (firmware updates can delete the temp directories)
*Once you change the config_dir you need to go to the new location (on your USB drive most likely) and edit the settings there, as the new file uses transmission defaults*


----------



## Mussels (Nov 5, 2022)

An option script to run in Putty:

This converts "Eth3" which is LAN port 4 to us mortals into part of the guest network on the 192.168.3.x range
This let me connect my next wifis WAN port to LAN4, and then LAN to LAN them allowing regular old LAN traffic to cross networks

Disabling the DHCP on the nest wifi allowed the Telstra Gateway to controll all LAN traffic, while anything google hardcoded to go through their WAN port (mostly google home controls for smart devices) still works



> uci set network.lan.ifname='eth0 eth1 eth2'
> uci set qos.eth0.classgroup='TO_LAN'
> uci set network.nest=interface
> uci set network.nest.proto='static'
> ...


----------

