Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: TTT on April 05, 2016, 09:37:07 PM

Title: Unlocking Vodafone Connect 802.11ac router
Post by: TTT on April 05, 2016, 09:37:07 PM

Hi all,

has anybody had any experience with unlocking / hacking the new Vodafone Connect router?
I can be picked up for < £10 at eBay / Amazon at the moment, and I was hoping it might make a nice access point.
Sadly, no luck. It's completely locked down it seems, no telnet, no ssh. FTP is open, but anonymous login just shows an empty directory.
Won't connect on LAN port to the rest of the network, nor fetch an IP via the WAN port.
I tried connecting to the J501 port (on the right), no luck, and also wired up the J1801 port (at the top), no luck there either (using the same serial adapter I successfully used for the OpenReach Huawei modem).

It is a 'Advanced Digital Broadcast' (ADB), model ADBA-GU14001A.
The print on the inside reads 'VOX2-5/VODAFONE/ADB REV:1.06'
I can see a Broadcom BCM53124SKMMLG TE1509 P30 459517 3B W.
The CPU is a Broadcom BCM63168VKFEBG TN1503 P40 448471 N3A.
I also see a Winbond W631GG6KB-15 6431AT700012 518HUA TWN (presumably the BIOS).
On the back, I see a Spansion S34ML02G200TF100 503BB568 A
There's also some additional lettering printed: YA-4A! 94V-0 E114139 1510
It features 3 5GHz and 2 2.4GHz aerials. Unfortunately, the RF shield is soldered on, haven't been able to get underneath yet.

The saved down config file is of little use, firstly it only has the options you see in the GUI (it's plain xml), and secondly it has a hash, which seems invalidated by any change.
Seems to be made by Huawei.

Help appreciated.
Thanks,
TTT

Title: Re: Unlocking Vodafone Connect 802.11ac router
Post by: TTT on April 05, 2016, 09:42:04 PM

PS: There are some pictures in this post http://forum.kitz.co.uk/index.php/topic,15972.msg297087.html#msg297087
I hit the file size limit, will try to make mine smaller.
Really only have the back to add, and not much is going on there.

Title: Re: Unlocking Vodafone Connect 802.11ac router
Post by: ejs on April 06, 2016, 04:48:16 PM

The Winbond chip is apparently the RAM (DDR3 1Gbit = 128MiB).

J1801 looks the most likely part, that I could see in the linked photos, to be for a serial connection, but it could be very tricky such as needing to add a resistor somewhere to enable it.

Title: Re: Unlocking Vodafone Connect 802.11ac router
Post by: TTT on April 06, 2016, 06:43:18 PM

I'll keep chipping away on that J1801 port - perhaps I'm approaching it with the wrong voltage.

Title: Re: Unlocking Vodafone Connect 802.11ac router
Post by: ejs on April 06, 2016, 07:08:33 PM

I think you don't usually need to connect anything to the 3.3V pin, only work out which ones are RX, TX and GND.

Title: Re: Unlocking Vodafone Connect 802.11ac router
Post by: burakkucat on April 06, 2016, 07:18:50 PM

Quote from: ejs on April 06, 2016, 07:08:33 PM

I think you don't usually need to connect anything to the 3.3V pin, only work out which ones are RX, TX and GND.

Agreed.

The logic that I used in identifying the Tx, Rx and Gnd for a Huawei HG8240 ONT is documented in replies 9 & 10 (http://forum.kitz.co.uk/index.php/topic,15674.msg292643.html#msg292643) of my "Examining a Huawei HG8240 GPON Terminal" thread.

Title: Re: Unlocking Vodafone Connect 802.11ac router
Post by: Alex Atkin UK on December 04, 2016, 06:56:15 AM

Did nothing ever come of this?

Its such a shame to see all these devices going to waste when all they need is DHCP disabling and the 2.4Ghz/5Ghz having their own SSIDs to turn them into capable WiFi Access Points.

Has anyone tried finding out how its signing the config files?  I assume its using actual encryption with a key in the firmware, rather than a simple hash?