Vodafone Station Firmware Hack

Posted on  by 

  1. Instantly share code, notes, and snippets. Druzn3k / vodafone.md Forked from teknoraver/vodafone.md. Created Oct 29, 2018.
  2. Vodafone Station 2 Hacking Hacking Vodafone Station 2 Vodafone Station 2 is the modem/router/wifiAP provided to ADSL users who subscribe a contract with Vodafone in Italy. The firmware that runs on.

Hi all, I'm just a new on the forum. I've just changed provider (for italian Vodafone to italian TIM) and I was trying to use my 'old' Vodafone Station as VPN router at home (LAN-WAN connection to the new provider's router) and I realised that the WAN port is not working. Ubiquiti may, from time to time and at its sole option, provide patches, bug fixes, corrections, updates, upgrades, support and maintenance releases or other modifications to the Software, including certain External Software, which items shall be deemed part of the Software and External Software hereunder.

How to replace the Vodafone Station with your very own router

Vodafone forces its customers to use their modem/router, the 'Vodafone Station': using any other router is impossible because authentication is being done via a custom PPPoE setup.
In the PPPoE packet there is a field named Host-Uniq which is used to separate packets from different PPPoE sessions: Vodafone requires the Station serial number to be put in this field as authentication.

Hardware setup

A Linux router with root access is needed to replace the Station with. With an xDSL connection a modem with a custom firmware like OpenWrt has to be used, most likely one based on a Lantiq SoC.
For a FTTH internet connection then every machine with at least two gigabit ethernet interface and a decent CPU will do it.

Software setup

PPPD by default puts its PID in the Host-Uniq field, while, as previously mentioned, Vodafone requires the Station serial number in it.
PPPD needs to be patched to set an arbitrary Host-Uniq field, but in decent distributions like Debian or OpenWrt the patch is already included.

Configuration

Hack

Line setup

Two separate WAN interfaces must be configured, for data and voice. The required setup depends on the connection type, ADSL, VDSL2 or FTTH.
With an ADSL connection you should use 10/36 as VPI/VCI for data, and 10/35 for voice, both of them configured with LLC encapsulation.
With a VDSL2 or FTTH connection you have to create two tagged VLANs with VID 1036 for data and 1035 for voice.

PPPoE

Firmware

Once the ATM circuits or VLANs are configured, bring two PPPoE interfaces up for data and voice.
PPPoE configuration is a bit tricky because the Station serial number needs to be put in the Host-Uniq tag.
The serial number is in the form X12345678901234 where X is the Station manufacturer:

  • D ADB
  • C/S Sercomm
  • W Huawei

Vodafone Station Firmware Hack Password

Convert it to hex:

and pass the argument host-uniq 583132333435363738393031323334 to PPPD to bringup the PPPoE connections.
In Debian it can be put globally in /etc/ppp/options or in the providers file in /etc/ppp/peers.
In OpenWrt then edit /etc/config/network and in the wan section add host_uniq=583132333435363738393031323334.

Data

The data PPPoE connection must use the Station serial number prepended with D- as username,
and something in the form of VJ|5.4.8.1.160.12.56.1.28|RA|CGN=1|pw=Vodafone as password, which means:

VJ stands for Vodafone Jungo (now OpenRG, the closed, crappy, monolithic, obsolete software inside the Station)
5.4.8.1.160.12.56.1.28 is the Station software version
RA don't really know
CGN=1 Carrier Grade Nat enabled
pw=Vodafone lol?

For example, in Debian a provider file this in /etc/ppp/peers/data will work:

and add this line in /etc/ppp/pap-secrets:

Voice

The voice PPPoE connection must use the Station serial number prepended with V- as username, and vodafone as password.
In your beloved Debian system it can be done by creating /etc/ppp/peers/voice with this content:

Vodafone Station Firmware Hack Online

and this entry in /etc/ppp/pap-secrets:

The SIP and RTP server are accessible only via the voice WAN and belong to the 10.0.0.0/8 subnet.
To access them create a script which configures that route every time that the voice WAN brings up,
I used to put this script in /etc/ppp/ip-up.d/0002route:

Getting the SIP credentials is difficult but not impossible, you have to query the ACS server to get them.

Connect

To connect both PPPoE sessions simultaneously, the two VLAN must have different MAC addresses, so one of the two interface address mus be spoofed.
Now it should be possible to connect with pon pppoe-data and pon pppoe-voice or with ifup, if the network is configured in /etc/network/interfaces.

Here there is a working Debian configuration:

Don't ever try to use crappy software like systemd-networkd or NetworkManager to do such network configuration:
system-networkd doesn't supports PPPoE and never will because 'It's importance is questionable in modern OSs',
NetworkManager does a little better, it supports PPPoE but not over a VLAN, so no way either.

Multiple sessions

Multiple PPPoE sessions can be raised, but they must have different MAC addresses and Host-Uniq.
An option cuold be using a macvlan over the VLAN, like:

and then starting another PPPoE session over the veth1 device, with another Host-Uniq.
The session will get a public IP and extra bandwidth ;)

Vodafone station 2 firmware hack

Dyndns

A fancy hostname like vox1234567.mynet.vodafone.it is assigned to every Vodafone line, where 1234567 is the line identifier, which is written in the phone bill.
The hostname can be used as free and reliable dyndns, and it's also the ONT authentication token.

Conclusion

Vodafone Station Firmware Hack Apk

I've made this tutorial because I find the Station extremely buggy and feature limited, and I really hate that Vodafone forces me to use this crappy, OpenRG based device.
It's not my intention to harm or damage any of the parties involved in developing, selling or using this device.
I just want to use my fiber line with a customizable, reliable and powerful device, like my x86 based Debian box, nothing more, nothing less.

cheers and happy hacking,
teknoraver

Coments are closed