This page documents efforts to "de-obfuscate" the Linux-based Actiontec GT701 Wireless Gateway / DSL router. It was originally based on the work of mazama@absent.org (now perdurabo at gmail dot com) which used to be hosted at absent.org as Hacking the Actiontec GT701. Since then, a lot of people have added their goodness.


http://www.qwest.com/dsl/customerservice/actiontecGT701-WG.jpg

Contents

Software

Hardware

Customization

Related pages

1. Software

Source Code FOUND!!!:

This may be partial or incomplete source code, but it does appear to be available at Actiontec GPL Code Download, although the Qwest code still seems to be elusive.

Qwest distributes the Actiontec with their DSL service, and says you need to run their version of the software. Source, from Qwest: ...not found, but required by the GPL... But the Montavista Linux source used by Actiontec on the GT701 can be found here. See also GPLViolation page.

Actiontec GT701 comes with ADAM2 firmware.

1.1. Users

User: admin

Password: admin

# cat /etc/passwd
admin:x:0:0:Root,,,:/:/bin/sh

Network security is not enabled by default.

1.2. Operating System

# cat /proc/version
Linux version 2.4.17_mvl21-malta-mips_fp_le (release@localhost.localdomain)
(gcc version 2.95.3 20010315 (release/MontaVista)) #1 Thu Jan 8 19:16:45 PST 2004

1.3. Running Processes

# ps aux
  PID  Uid     VmSize Stat Command
    1 admin      1272 S    init
    2 admin           S    [keventd]
    3 admin           R    [ksoftirqd_CPU0]
    4 admin           S    [kswapd]
    5 admin           S    [bdflush]
    6 admin           S    [kupdated]
    7 admin           S    [mtdblockd]
   33 admin           D    [adsl]
   38 admin      1664 S    /usr/bin/cm_pc
   40 admin      1176 S    /usr/sbin/thttpd -d /usr/www -u root -p 80 -c /cgi-b
   41 admin      2904 S    /usr/bin/cm_logic -m /dev/ticfg -c /etc/config.xml
   42 admin       672 S    ipq_act
   45 admin      1272 S    init
   46 admin      1276 S    /usr/bin/cm_monitor
   78 admin       632 S    /sbin/dproxy -c /etc/resolv.conf -d
   95 admin      1276 S    /bin/sh -c /usr/sbin/user_drv
   96 admin      4572 S    /usr/sbin/user_drv
   97 admin      4572 S    /usr/sbin/user_drv
   98 admin      4572 S    /usr/sbin/user_drv
   99 admin      4572 S    /usr/sbin/user_drv
  100 admin      4572 S    /usr/sbin/user_drv
  105 admin      4572 S    /usr/sbin/user_drv
  124 admin      2344 S    /usr/sbin/pppd plugin pppoa 0.32 user user@qwest
  154 admin      1284 S    /usr/sbin/upnpd ppp0 br0
  157 admin      1284 S    /usr/sbin/upnpd ppp0 br0
  160 admin      1284 S    /usr/sbin/upnpd ppp0 br0
  163 admin      1284 S    /usr/sbin/upnpd ppp0 br0
  168 admin      1284 S    /usr/sbin/upnpd ppp0 br0
  169 admin      1284 S    /usr/sbin/upnpd ppp0 br0
  196 admin       616 S    /sbin/utelnetd
  197 admin      1284 S    -sh

The command lines for the THTTPD and PPPD processes are longer than the Busybox PS output will display. Near as I can tell the full command lines are:

/usr/sbin/thttpd -d /usr/www -u root -p 80 -c /cgi-bin/*
/usr/sbin/pppd plugin pppoa 0.32 user $user password $pass nodetach defaultroute \
 usepeerdns mru 1492 maxfail 10 vc-encaps qos UBR lcp-echo-failure 10 \
 lcp-echo-interval 60

Where $user and $pass are your username and password respectively.

1.4. Modules

# lsmod
Module                  Size  Used by
tiwlan                 66544   2
ip_nat_talk             3128   0 (unused)
ip_conntrack_talk       2924   2
ip_nat_tftp             2344   0 (unused)
ip_conntrack_tftp       2236   1
ip_nat_irc              3288   0 (unused)
ip_conntrack_irc        3900   1
ip_nat_h323             3408   0 (unused)
ip_conntrack_h323       3116   1
ip_nat_ftp              4088   0 (unused)
ip_conntrack_ftp        5052   1
ipt_multiport           1020   0 (unused)
ipt_REDIRECT            1092   1
ipt_iprange             1196   0 (unused)
ipt_limit               1404   0 (unused)
ipt_TCPMSS              3020   0 (unused)
ipt_sLog                2884   1
ipt_state                968   3
ipt_MASQUERADE          1732   1
iptable_nat            23192   6 [ip_nat_talk ip_nat_tftp ip_nat_irc ip_nat_h323
iptable_filter          2124   0 (unused)
ip_conntrack           29920   8 [ip_nat_talk ip_conntrack_talk ip_nat_tftp
ip_tables              14688  12 [ipt_multiport ipt_REDIRECT ipt_iprange ipt_limit
ip_queue                7760   0 (unused)
tiatm                 113704   1
avalanche_usb          48720   1

2. Hardware

2.1. Processor

# cat /proc/cpuinfo
processor               : 0
cpu model               : MIPS 4KEc V4.8
BogoMIPS                : 149.91
wait instruction        : no
microsecond timers      : yes
extra interrupt vector  : yes
hardware watchpoint     : yes
VCED exceptions         : not available
VCEI exceptions         : not available

2.2. Memory

# cat /proc/meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  14983168 14032896   950272        0  1564672  5165056
Swap:        0        0        0
MemTotal:        14632 kB
MemFree:           928 kB
MemShared:           0 kB
Buffers:          1528 kB
Cached:           5044 kB
SwapCached:          0 kB
Active:           3100 kB
Inactive:         5288 kB
HighTotal:           0 kB
HighFree:            0 kB
LowTotal:        14632 kB
LowFree:           928 kB
SwapTotal:           0 kB
SwapFree:            0 kB

2.3. External Ports

3. Customization

3.1. Secondary IP address

A reader sent this bit of info in:

'Just saw your page on the gt701 at absent.org-
I have some info for you in case you're interested:

I managed to add a secondary LAN IP to the gt701.
I had to do this by hand, as the web interface would cause the modem to reset to factory defaults when I tried to do a save and restart after adding the static routes.  Besides, there's nothing in the web interface that lets you assign extra ip addresses to the device.

When logged in through Telnet, I simply issued these two commands:
ifconfig br0:1 <some.secondary.ip.address>
/sbin/route add -host <some.secondary.ip.address> dev br0:1

Then, if I attach a switch to the Ethernet port, I can have a mixed sub network: one with addresses in the 192.168.0.x range, and others in the secondary IP address range, and they're able to talk to one another.

I imagine that you could add several, simply by incrementing the supplementary device identifier (ex. br0:2)

What I'm wondering is, do you know of a way to write to the files on the GT701 so that the changes remain after a power cycle?

The file that needs to be modified is /etc/init.d/rcS but there's no editor on the GT701.

I saw that Actiontec's modified Busybox source code for the GT701 has (I believe) a copy of vi, but I'm not sure how to put this on the GT701, and I don't know if it would survive a power cycle.

Anyway, I hope this is useful, and I'd love to hear your thoughts on preserving modifications through a power cycle.

3.2. Saving the configuration (Windows)

A reader, Maurice, sent this bit of info in:

I can be reached at: MauriceS at MyRealbox dot com

One of my many concerns is that one cannot save its configuration:
Not anymore.

It's actually pretty simple:

1) On the Support CD, change the directory to \SupportFiles
2) Execute "Recover 3.60.1.0.4.1.exe" so it extracts its files...
3) Find those files - they are in your %TEMP% directory, most likely under
    C:\Temp\WZSE0.TMP\ Another way is to use WINZIP to open the file...
You'll find the following files:

 Directory of C:\Temp\WZSE0.TMP

06/16/2004  10:36p      <DIR>          .
06/16/2004  10:36p      <DIR>          ..
02/10/2004  11:30a             278,528 GTRecovery_1_0_0_6.exe
06/16/2004  10:36p      <DIR>          image
               1 File(s)        278,528 bytes

 Directory of C:\Temp\WZSE0.TMP\image

06/16/2004  10:36p      <DIR>          .
06/16/2004  10:36p      <DIR>          ..
01/08/2004  07:37p              32,141 config.xml
01/08/2004  07:27p           1,875,968 nsp.ar7wrd.squashfs.img
01/08/2004  07:18p             655,360 ram_zimage_pad.ar7wrd.nsp.squashfs.bin
               3 File(s)      2,563,469 bytes
Save these files off in a permanent directory, for example c:\actiontec
[Closing the 2nd pop-up window deletes the original WZSE0.TMP folder.]

4) Telnet to the router
5) cat /dev/ticfg > /var/tmp/config.xxx    (/var is [the Actiontec] ramdisk)
6) cd /var/tmp
7) install a tftp server on your workstation
8) in Telnet: tftp -l config.xxx -p <your.tftp.server.address>
9) Copy the config.xxx file to your fixed c:\actiontec\image directory as config.xxx
10) Rename the original config.xml to config.def (ault)
11) Edit the config.xxx file to remove the garbage on the beginning and end. The
valid file is between <config> and </config>, the rest is useless.
12) Rename config.xxx to config.xml
13) You can now use the recovery tool to restore your configuration.

There are some more possibilities now, you can change the DNS name to be something
useful, and much more information.

I am working on some other stuff, recompiling the Busybox and more so more functionality is usable. However, it is not as easy to get a correct mips compiler working.
It would be nice to make a web page download of this config.xml file, as well as
updated firewall rules.

Note: DENX at www.denx.de has a packaged embedded Linux development kit that has x86-hosted cross compilers for MIPS processors. I have not tried the binaries it creates on the GT701. The ELDK is free and GNU/GCC based. (2005-09-19)

(Harry ~at~ glinos dot com 2005-10-4) I downloaded and used the ELDK tools and it doesn't work for the processor on the GT701. ELDK only supports the 4KC MIPS chips where the GT701 uses the 4KEc. I'm trying to use some build tools from www.mips.com that might work for this chip. It has an SDE Lite version that is freely available for download (with registration). I'll report back later if this works or not.

(Harry ~at~ glinos dot com 2005-10-5) I downloaded the newest version SDE Lite. It appears that there is a minor file name problem that keeps you from compiling the simple hello example. The file ./(sde install directory)/sde/include/machine/int_type.h appears to be incorrectly named. I copied the file and called it int_types.h and it solved the first problem that came up. I'll post back later with results of running binaries on the router.

(gt701 ~at~ Gareth Vaughan dot codotuk 2007-05-14) I have successfully compiled and run binaries using the toolchain at ftp://ftp.realitydiluted.com/linux/MIPS/toolchains/uclibc/RPMS/uclibc-crosstools100-1.0.0-3.i386.rpm Everything is being downloaded to /var/tmp (the only writable directory I found) and run from there, so a bit of tweaking is required to make sure that applications expect to find their configuration files there. The application, just dropbear so far, is downloaded using wget along with its configuration files. The download is triggered by a script running on my desktop Linux machine that telnets into the router and runs the commands necessary to start the application and reconfigure the firewall.

3.3. Saving the configuration (Linux)

Contributed by KeziahW @at@ gmail .dot. com (I will test the methods outlined in step 13 and post my results later)

The Linux adaptation, with a few simplifications that apply to the Windows version too.

1) Go to http://www.qwest.com/dslhelp/modems/gt701/
 Find the section titled "Firmware Update and Recovery". Click "Download recovery file" (yes, it says it's for Windows).
2) $ unzip gt701*recovery.zip
 We will call the directory that it unzipped to (recovery)
3) Change to the "image" subdirectory of the newly created directory. You now have:
  config.xml (the default config)
  nsp.ar7wrd.squashfs.img
  ram_zimage_pad.ar7wrd.nsp.squashfs.bin
4) Telnet to the router
5) cat /dev/ticfg > /var/tmp/config.xxx
6) cd /var/tmp
7) install a tftp server on your workstation
8) in Telnet: tftp -l config.xxx -p <your.tftp.server.address>
9) Rename the default config.xml to config.xml.default
10) Copy config.xxx to config.xml in (recovery)/image
11) Edit the config.xxx file to remove the garbage on the beginning and end. The valid file is between <config> and </config>, the rest is useless.
12) Rename config.xxx to config.xml
13) Update the firmware.

Step 13 can be done without a windoze box by using tftp (possibly also ftp).
(recovery)/gtrecovery.exe appears to be wine compatible.
More info on linux-native firmware updating can be found at the "Hacking the Actiontec" article.
It also may be possible to emulate mac for the .dmg, available at the website in step 1.
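Step 11 of both procedures (cutting the dump down to the text between <config> and </config>) can be done by script instead of by hand. The following is an added example, not part of the original page or of the contributors' instructions: it carves the document out of the raw /dev/ticfg dump, refuses a carve that is not well-formed XML, and lists fields whose names look like credentials so you know what the backup holds before storing it. The sample dump, its element names and the name-based credential heuristic are assumptions; the real config.xml schema is not shown on this page.

```python
import sys
import xml.etree.ElementTree as ET

OPEN, CLOSE = b"<config>", b"</config>"   # delimiters named in step 11

def carve_config(raw: bytes) -> bytes:
    """Return the <config>...</config> document embedded in a /dev/ticfg dump."""
    start = raw.find(OPEN)
    if start < 0:
        raise ValueError("no <config> tag found in dump")
    end = raw.find(CLOSE, start)
    if end < 0:
        raise ValueError("dump is truncated: no </config> after <config>")
    xml = raw[start:end + len(CLOSE)]
    try:
        ET.fromstring(xml)   # reject a carve that is not well-formed XML
    except ET.ParseError as exc:
        raise ValueError(f"carved region is not well-formed XML: {exc}") from exc
    return xml

def secret_paths(xml: bytes, needles=("pass", "key", "secret")) -> list:
    """Heuristic: paths of elements/attributes whose name hints at a credential."""
    hits = []
    def walk(node, path):
        here = f"{path}/{node.tag}"
        if any(n in node.tag.lower() for n in needles) and (node.text or "").strip():
            hits.append(here)
        hits.extend(f"{here}@{a}" for a in node.attrib
                    if any(n in a.lower() for n in needles))
        for child in node:
            walk(child, here)
    walk(ET.fromstring(xml), "")
    return hits

# Constructed sample dump: binary padding around a made-up config (not the real schema).
SAMPLE_DUMP = (
    b"\x00\x01\xff\xfeHDR"
    b'<config><wan><ppp user="user@example.invalid" password="placeholder"/></wan>'
    b"<lan><ip>192.168.0.1</ip></lan></config>"
    + b"\xff" * 16
)

if __name__ == "__main__":
    # usage: carve.py config.xxx config.xml   (no arguments: run on the sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    xml = carve_config(raw)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(xml)
    print(f"carved {len(xml)} of {len(raw)} bytes")
    for path in secret_paths(xml):
        print("holds a credential-like field:", path)
```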

3.4. Recover utility

"Recover 3.60.1.0.4.1.exe" or corresponding utility from the CD, qwest.com, or actiontec.com

Execute from the CD, not from the extracted Recover.exe

When the "WinZip Self-Extractor - recovery qw04-3.60.2.0.6.3.exe" window appears, the program may be cancelled, leaving the temp files folder (WZSE0.TMP). Do *not* execute the reset event, else your settings will be overwritten! Do not close the "Recover 3.60.1.0.4.1.exe" window until the temp files have been saved. Once saved, cancel or close the "Recover 3.60.1.0.4.1.exe" window. The WZSE0.TMP will be deleted.

3.4.1. Install a used device in a new location.

Executing the "Reset Event" erases all user settings and restores the device to original ready for automatic setup status. It may not be necessary to change any network interface settings (IP 192.168.0.99, SUBNET 255.255.255.0, GATEWAY 192.168.0.1) unless these have been changed for some non-default reason, such as advanced security settings.

Caution: Full manual reset erases the broadband username and password (from Qwest) that allow GUI access to the gateway. Once reset, if the GUI is not accessible then it will be necessary to run the automatic CD New Setup in order to enter the broadband username and password (PPP User Name and PPP password). This automatic setup requires an Internet connection before proceeding further. Once the New Setup has completed, a working DSL line is not essential to access the gateway itself.

Full reset Restart of the gateway twice restored access to the gateway GUI without a DSL Internet connection. [Empirical test, H2G2 at cwasy dot co dot uk, 05Dec05]

3.4.2. Reset Switch

Depressing the Reset Switch for one or two seconds will power cycle the Modem (similar to unplugging and then plugging in the Modem's power cord).

Reset modem memory, restore factory default settings

To restore the Modem's factory default settings [reset modem memory],

  1. {unplug all but power,}
  2. {with a paperclip pointer, gently} depress and hold the Reset Switch for approximately 10 seconds.
    • {Hold until Power light goes GN -> OR -> R before releasing.}

The reset process will start about 10 seconds after releasing the Reset Switch, or until the Power light glows amber. [Manual, p.9 of 115]

  1. Unplug power (wait ~20 sec.), reconnect all cables, wait for all lights, and solid green DSL.
  2. Go to browser IP address 192.168.0.1
  3. Go to Actiontec page--Setup Configuration--Basic Setup--Next button
    • bottom of page: username, pw per Qwest DSL account info.
  4. Next button--Save and Restart

[Detail in curly braces: addenda to manual instructions, Qwest DSL tech support Mon21Nov05]

Without a DSL Internet connection plugged in, uninstall, full reset Restart of the gateway (and the computer) twice restored access to a gateway GUI. [Empirical test, H2G2 at cwazy dot co dot uk, 05Dec05]

3.5. Transferring files back and forth

The Actiontec is actually one of the easier APs to transfer files to and from. Besides tftp, the vendor firmware (Qwest QW04-3.60.2.0.6.3) also provides ftpget, ftpput, wget, and thttpd. The use of ftpget and ftpput should be obvious: you can use them to transfer files to and from the device using FTP. Linux users should be familiar with wget. You use it to fetch files by URL. Assuming the file you want to retrieve is accessible by URL (i.e. through a webserver somewhere), you can do something like this:

# wget http://www.seattlewireless.net/swn-proj.jpg

And speaking of webservers, thttpd isn't just for web-based administration. Observe:

# thttpd -d / -p 81 -D

Note: Remove the final -D to have the thttpd process fork off into the background. That frees up your command line, but makes you go hunt down and kill the PID associated with the process when you want to shut off this alternate webserver process.

Now you can access files on the box with your web browser, like this:  http://192.168.0.1:81/etc/config.xml 

Note the :81 after the IP address. That corresponds to the -p 81 in the command line above. You have to use some port other than 80, because that is taken by the other webserver on the box.
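A second web server started with -d / serves the whole filesystem, /etc/config.xml included, for as long as it runs, so it is worth confirming that none is left behind. The following is an added example, not from the original page: it parses Busybox ps output in the layout shown in section 1.3 and reports every thttpd instance other than the stock admin server, with the PID to kill. The line for PID 210 in the sample is constructed.

```python
import re

# PID, Uid, optional VmSize, Stat, Command: the Busybox ps layout shown in section 1.3
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(?:\d+\s+)?[A-Z]\S*\s+(.*)$")
STOCK = ("/usr/www", "80")   # docroot and port of the admin web server on the page

def extra_thttpd(ps_output: str) -> list:
    """Return (pid, docroot, port) for every thttpd that is not the stock admin server."""
    found = []
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue                    # header or unparseable line
        argv = m.group(3).split()
        if not argv or argv[0].rsplit("/", 1)[-1] != "thttpd":
            continue
        docroot, port = None, "80"      # thttpd listens on 80 unless -p is given
        # Busybox ps truncates long command lines, so a flag may be cut off;
        # anything that cannot be matched to the stock values is reported.
        for flag, value in zip(argv[1:], argv[2:]):
            if flag == "-d":
                docroot = value
            elif flag == "-p":
                port = value
        if (docroot, port) != STOCK:
            found.append((int(m.group(1)), docroot, port))
    return found

# Sample: lines copied from section 1.3 plus one constructed line (PID 210).
SAMPLE_PS = """\
  PID  Uid     VmSize Stat Command
    1 admin      1272 S    init
    2 admin           S    [keventd]
   40 admin      1176 S    /usr/sbin/thttpd -d /usr/www -u root -p 80 -c /cgi-b
  196 admin       616 S    /sbin/utelnetd
  210 admin      1176 S    thttpd -d / -p 81
"""

if __name__ == "__main__":
    for pid, docroot, port in extra_thttpd(SAMPLE_PS):
        print(f"kill {pid}   # thttpd serving {docroot} on port {port}")
```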

3.6. Adding a Serial Port

Here is a picture of the GT701 circuit board, with the appropriate pins labeled.

http://img398.imageshack.us/img398/1781/serialpins3zw.jpg

Helpful information regarding adding a serial port to another similar modem/router by nslu2-linux.org is at AddASerialPort.

Here's a narrative from somebody who successfully attached a serial console to this particular modem. He gives a fairly complete description of all the steps involved and provides updated driver links (the links on the previously mentioned page are stale).

4. Related pages

4.1. Sub's page on the Actiontec

Sub reports:

After getting my Actiontec GT701 from Qwest, I set upon a journey of finding out how to flash my own firmware. In the process, I wrote a paper detailing everything I know about the Actiontec GT701 including hardware, software, and Texas Instrument's ADAM2 boot system. This paper can be found here:

Hacking the Actiontec GT701 or mirror copy

and another one by my friend and I on how we hacked it to run custom firmware with 3rd party apps (BitchX IRC client in our example).

My only request is if you choose to duplicate this material to please link to the original copy, so as to provide the most up-to-date information possible, and of course, any changes or corrections are welcome. Thank you.

4.2. Links to utilities for "Saving the configuration"

Open Source, Freeware, Beggarware

Telnet using Teraterm Pro Download (ttermp23.zip 943,376 bytes) at

Cf. Tera Term Pro Web 3.13 by Ayera, teraterm

TFTPD32 A free tftp server and a free DHCP server for Windows recommended by Cisco, HP and other companies Drag and drop facility in client window 18 Jan 2005 v2.80 tftpd32.280.zip (176kB) tftpd32.280.zip at perso.wanadoo.fr philippe.jounin tftpd32.html

ONLamp.com: Configuring a TFTP Server by Dru Lavigne | 06/05/2003 explains how to configure TFTP to serve hardware images for devices such as routers [using FreeBSD; intro applies generally]. onlamp FreeBSD_Basics.html

Free TFTP Server with Security 6253 KB, 16:25 26Se05 support.solarwinds.net download at solarwinds.net TFTP_Server

This program also appears on numerous software download sites. It's big for the purpose above, but likely good for general Sys Admin of a network.

4.3. Actiontec

4.4. Qwest

4.4.1. Qwest help

If you must call, calling during traditional office hours will more likely connect with your regional call center (and more knowledgeable help). Call after hours or weekends and you'll likely get an outsourced call center offshore.

4.5. Other



ActiontecGT701 (last edited 2013-09-28 18:44:59 by JasonMcArthur)