Why this repo?
My ISP pushed a bad config via TR-069 (ACS). Internet died, VoIP still worked.
I backed up partitions, unpackedapp_extendJFFS2, neutralized/tr069/bin, repacked, flashed, restored creds, and fixed the modem.
- Get root shell over telnet.
- Backup all MTD partitions to USB.
- On Linux host: unpack JFFS2 (
app_extend+app_extend_update), zero out/tr069/bin/*. - Repack with
mkfs.jffs2+sumtool, flash back, reboot. - Restore WAN/VoIP creds. Internet returns; TR-069 is gone.
| Field | Value |
|---|---|
| Model | AN5506-04-F |
| Hardware Version | WKF2.134.285F4G |
| Software Version | RP2609 |
| Description | GPON |
Risks & legality
You can brick the device. ISP support may break. Check local laws/ToS. Do this only on hardware you own.
On the device (ONT):
- Telnet access (ports 23 and 26 as used below)
- USB port + FAT-partitioned flash drive
On the host (Ubuntu):
sudo apt update
sudo apt install -y python3-venv python3-full build-essential liblzma5 xz-utils liblzo2-dev mtd-utils
python3 -m venv ~/jffs2-env
source ~/jffs2-env/bin/activate
python -m pip install --upgrade pip setuptools wheel
pip install jeffersonRefs: jefferson (JFFS2 extractor), Linux MTD/JFFS2 docs
telnet 192.168.1.1 23
gepon
gepon
ddd
shell
tshell
telnet 192.168.1.1 26
root
GEPON
On the device:
mkdir -p /mnt/usb
mount -t vfat /dev/sda /mnt/usb
# Optional: inspect partition map first
cat /proc/mtd
for p in /dev/mtd[0-7]; do
name=$(grep "^${p#/dev/}:" /proc/mtd | awk -F '"' '{print $2}')
echo "Dumping $name..."
dd if=$p of=/mnt/usb/${name}.bin bs=1M
done
syncSafety check
Verify partition names via/proc/mtdbefore flashing anything later. MTD indices vary across builds.
# still in your venv
jefferson app_extend.bin ./app_extend
jefferson app_extend_update.bin ./app_extend_update # if present
deactivateIn both extracted trees (e.g. app_extend and app_extend_update), go to:
/tr069/bin/
Make the files zero-byte (preserving names), then fix perms/ownership:
# Example for app_extend (run on host inside the extracted root):
find app_extend/tr69 -maxdepth 1 -type d -iname 'tr069' -print -quit
# zero every file under .../tr069/bin
find app_extend -type d -iname tr069 -exec bash -lc 'find "$0/bin" -type f -exec sh -c '> "$1"' _ {} \;' {} \;
# or if you know the exact path:
# find app_extend/tr069/bin -type f -exec sh -c '> "$1"' _ {} \;
sudo chown -R 0:0 app_extend
sudo chmod -R 755 app_extendKeeping filenames but zeroing the payload prevents TR-069 daemons from running without breaking path expectations.
mkfs.jffs2 -r ./app_extend -o app_extend.jffs2 -e 0x20000 -b -n
sumtool -e 0x20000 -i app_extend.jffs2 -o app_extend.sum.jffs2 -b
# Repeat the same for app_extend_update if applicable
mkfs.jffs2 -r ./app_extend_update -o app_extend_update.jffs2 -e 0x20000 -b -n
sumtool -e 0x20000 -i app_extend_update.jffs2 -o app_extend_update.sum.jffs2 -b# ensure original extend partitions are not mounted
umount -l /fh/extend || true
umount -l /fh/extend_update || true
mkdir -p /mnt/usb
mount -t vfat /dev/sda /mnt/usb
# WARNING: confirm mtd indices via /proc/mtd FIRST
flash_erase /dev/mtd4 0 0
flash_erase /dev/mtd5 0 0
nandwrite -p /dev/mtd4 /mnt/usb/new/app_extend.sum.jffs2
nandwrite -p /dev/mtd5 /mnt/usb/new/app_extend_update.sum.jffs2
rebootAfter boot, restore WAN/VoIP credentials if needed.
On the device:
# no tr069 processes
ps | grep -i tr069
# mgmt port closed
netstat -tulpn | grep -E '7547|tr069' || echo "No TR-069 listeners"- You have full MTD backups on USB. To revert,
flash_erasethe same partitions andnandwritethe original dumps. - If device fails to boot: try vendor recovery or UART—outside the scope of this doc.
- Steps and testing: Saeed
- Tools:
jefferson,mtd-utils,mkfs.jffs2,sumtool
MIT