Skip to content

RevEngine3r/fiberhome-an5506-tr069-removal

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 

Repository files navigation

FiberHome AN5506-04-F (RP2609) — TR-069 Removal & Recovery

Device SoC/FS Status License

Why this repo?
My ISP pushed a bad config via TR-069 (ACS). Internet died, VoIP still worked.
I backed up partitions, unpacked app_extend JFFS2, neutralized /tr069/bin, repacked, flashed, restored creds, and fixed the modem.


TL;DR

  • Get root shell over telnet.
  • Backup all MTD partitions to USB.
  • On Linux host: unpack JFFS2 (app_extend + app_extend_update), zero out /tr069/bin/*.
  • Repack with mkfs.jffs2 + sumtool, flash back, reboot.
  • Restore WAN/VoIP creds. Internet returns; TR-069 is gone.

Device

Field Value
Model AN5506-04-F
Hardware Version WKF2.134.285F4G
Software Version RP2609
Description GPON

Risks & legality
You can brick the device. ISP support may break. Check local laws/ToS. Do this only on hardware you own.


Requirements

On the device (ONT):

  • Telnet access (ports 23 and 26 as used below)
  • USB port + FAT-partitioned flash drive

On the host (Ubuntu):

sudo apt update
sudo apt install -y python3-venv python3-full build-essential      liblzma5 xz-utils liblzo2-dev mtd-utils
python3 -m venv ~/jffs2-env
source ~/jffs2-env/bin/activate
python -m pip install --upgrade pip setuptools wheel
pip install jefferson

Refs: jefferson (JFFS2 extractor), Linux MTD/JFFS2 docs


Step 1 — Root shells (exact sequence)

telnet 192.168.1.1 23
gepon
gepon
ddd
shell
tshell
telnet 192.168.1.1 26
root
GEPON

Step 2 — Mount USB & back up all MTD partitions

On the device:

mkdir -p /mnt/usb
mount -t vfat /dev/sda /mnt/usb

# Optional: inspect partition map first
cat /proc/mtd

for p in /dev/mtd[0-7]; do
    name=$(grep "^${p#/dev/}:" /proc/mtd | awk -F '"' '{print $2}')
    echo "Dumping $name..."
    dd if=$p of=/mnt/usb/${name}.bin bs=1M
done
sync

Safety check
Verify partition names via /proc/mtd before flashing anything later. MTD indices vary across builds.


Step 3 — Unpack JFFS2 on host

# still in your venv
jefferson app_extend.bin ./app_extend
jefferson app_extend_update.bin ./app_extend_update  # if present
deactivate

Step 4 — Neutralize TR-069 binaries

In both extracted trees (e.g. app_extend and app_extend_update), go to:

/tr069/bin/

Make the files zero-byte (preserving names), then fix perms/ownership:

# Example for app_extend (run on host inside the extracted root):
find app_extend/tr69 -maxdepth 1 -type d -iname 'tr069' -print -quit
# zero every file under .../tr069/bin
find app_extend -type d -iname tr069 -exec bash -lc 'find "$0/bin" -type f -exec sh -c '> "$1"' _ {} \;' {} \;

# or if you know the exact path:
# find app_extend/tr069/bin -type f -exec sh -c '> "$1"' _ {} \;

sudo chown -R 0:0 app_extend
sudo chmod -R 755 app_extend

Keeping filenames but zeroing the payload prevents TR-069 daemons from running without breaking path expectations.


Step 5 — Repack with JFFS2

mkfs.jffs2 -r ./app_extend            -o app_extend.jffs2            -e 0x20000            -b -n

sumtool -e 0x20000         -i app_extend.jffs2         -o app_extend.sum.jffs2 -b

# Repeat the same for app_extend_update if applicable
mkfs.jffs2 -r ./app_extend_update            -o app_extend_update.jffs2            -e 0x20000            -b -n

sumtool -e 0x20000         -i app_extend_update.jffs2         -o app_extend_update.sum.jffs2 -b

Step 6 — Flash back on the device

# ensure original extend partitions are not mounted
umount -l /fh/extend || true
umount -l /fh/extend_update || true

mkdir -p /mnt/usb
mount -t vfat /dev/sda /mnt/usb

# WARNING: confirm mtd indices via /proc/mtd FIRST
flash_erase /dev/mtd4 0 0
flash_erase /dev/mtd5 0 0

nandwrite -p /dev/mtd4 /mnt/usb/new/app_extend.sum.jffs2
nandwrite -p /dev/mtd5 /mnt/usb/new/app_extend_update.sum.jffs2

reboot

After boot, restore WAN/VoIP credentials if needed.


Verify TR-069 is gone

On the device:

# no tr069 processes
ps | grep -i tr069

# mgmt port closed
netstat -tulpn | grep -E '7547|tr069' || echo "No TR-069 listeners"

Recovery

  • You have full MTD backups on USB. To revert, flash_erase the same partitions and nandwrite the original dumps.
  • If device fails to boot: try vendor recovery or UART—outside the scope of this doc.

Credits

  • Steps and testing: Saeed
  • Tools: jefferson, mtd-utils, mkfs.jffs2, sumtool

License

MIT

About

Fix for FiberHome AN5506-04-F (RP2609): disable TR-069 auto-provisioning by repacking JFFS2 (app_extend*), flashing back, and restoring WAN/VoIP creds.

Topics

Resources

Stars

Watchers

Forks

Packages

 
 
 

Contributors