Alcatel Speed Touch Patch Notes
Copyright 2001 Regents of the University of California Permission to use, copy, modify and distribute any part of this software for educational, research and non-profit purposes, without fee, and without a written agreement is hereby granted, provided that the above copyright notice, this paragraph and the following paragraphs appear in all copies. Those desiring to incorporate this into commercial products or use for commercial purposes should contact the Technology Transfer Office, University of California, San Diego, 9500 Gilman Drive, La Jolla, CA 92093-0910, Ph: (619) 534-5815, FAX: (619) 534-7345.

IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THE SOFTWARE PROVIDED HEREIN IS ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. THE UNIVERSITY OF CALIFORNIA MAKES NO REPRESENTATIONS AND EXTENDS NO WARRANTIES OF ANY KIND, EITHER IMPLIED OR EXPRESS, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY PATENT, TRADEMARK OR OTHER RIGHTS.


Alcatel Speed Touch Home binary patches

This document describes several binary patches to particular releases of software, listed below, for the Alcatel Speed Touch Home ADSL "modem". These patches are intended to address various previously reported bugs, also listed below.

These are presented here as there are currently no publicly known official software releases (from Alcatel) which address these issues.

Patches for the Alcatel Speed Touch Home:

  • to disable the cryptographic back doors in FTP, HTTP, and TELNET
  • to disable the UDP TFTP server
  • to disable the AAL5 TFTP server
  • to disable the AAL5 SNMP agent
  • to correct some minor bugs

These patches work ONLY for the following software releases:

    KHDSBA.133    Mar 16 17:52:08 GMT 2000
    KHDSAA.134    Apr 24 12:48:43 GMT 2000

They should NOT be applied to other versions unless they are KNOWN to have the same binary layout!

If the "Orig" bytes below do NOT match the corresponding bytes in your COFF binary, DO NOT APPLY THESE PATCHES!

These have NOT been extensively tested. Their use is NOT recommended by the author nor by anybody else, especially NOT by Alcatel or your ADSL service provider.

If you choose to use them it is at YOUR own risk, and your service provider will almost certainly refuse to give you any support, regardless of whether they work properly or disrupt your service and destroy your equipment.

Different versions of zlib may give different compressed output from adnt-repack. The tools were developed and tested with zlib-1.1.3. Before patching anything, confirm that running adnt-unpack and then adnt-repack on the unmodified software file gives you back exactly what you started with (compare the two files byte for byte, e.g. with cmp).

Failure to follow these instructions carefully may result in the device being damaged or becoming permanently useless.

Any errors during the patch process may result in a non-working software load for the device.

It is not known if the device cares about the name of the software file downloaded to it. To be safe, use similar file names, such as KHDSBB.133 or KHDSAA.135.

Disabling the AAL5-based services below WILL result in your service provider's inability to update your device's software, and MAY affect the ability of their network management system to manage your ADSL connection and monitor its status, resulting in your loss of service.

Remember that the processor is running in big-endian mode! The 16-bit and 32-bit values shown below are in the processor's byte order; a little-endian (e.g., x86) host will display them byte-swapped. Patch the bytes in the order shown, not in the host's native order.

  1. Back up all software and configuration data. Verify that your software version can be patched. Compile and build the tools. Verify their proper operation to your satisfaction.
  2. Use adnt-unpack sw to split and decompress the software file. This will result in three files: sw.head, sw.coff, and sw.tar.
  3. Prepare a patchfile, containing any desired patches from the list given below.
  4. Use adnt-patch sw.coff < patchfile to apply the patches. adnt-patch accepts byte patches from STDIN in the format given below.
  5. Use adnt-repack sw.head sw.coff sw.tar > new_sw to build a new software file.
  6. When "upgrading" the software, make sure to keep a copy of the original software locally, as you may not be able to retrieve it from elsewhere if your device becomes corrupted and your net connection is no longer working.

Theory of operation:
  1. Disabling the TCP server back doors: During device initialization, the "EXPERT" entry is installed into its "user" database. In addition to a password, each entry has a 32-bit field which specifies permissions for the entry:
    005E39C0 : 8CB83000 FFFFFFFF    lda     0xFFFFFFFF, g7
    
       Flag		File offset/bit	Description
    ----------	---------------	-----------
    0x80000000	0xcca7c / 0x80	Require password for EXPERT CLI mode
    0x00000004	0xcca7f / 0x04	Permit EXPERT TELNET login
    0x00000002	0xcca7f / 0x02	Permit EXPERT HTTP login
    0x00000001	0xcca7f / 0x01	Permit EXPERT FTP login
    
    For example, to disable all three back doors and no longer require a password to enter EXPERT CLI mode, replace it with:
    005E39C0 : 8CB83000 7FFFFFF8    lda     0x7FFFFFF8, g7
    	
  2. Disabling the UDP TFTP server: During device initialization, a SOCK_DGRAM socket is created and bound to the TFTP server's UDP port:
    005C18F4 : 0904F15C             call    0x610A50
    
    This call is replaced with an instruction that loads 0 into g0, the return-value register, so the caller sees a "success" return value without the server socket ever being set up:
    005C18F4 : 5C801E00             mov     0, g0
    
  3. Disabling the AAL5 TFTP server: During device initialization, a flag is set to start the AAL5 TFTP server on VPI/VCI 15/64:
    005EB194 : C2483000 0070056B    stib    r9, 0x70056B
    
    Instead, store r6, which holds 0 at this point, so the flag is cleared:
    005EB194 : C2303000 0070056B    stib    r6, 0x70056B
    
  4. Disabling the AAL5 SNMP agent: During device initialization, a flag is set to start the AAL5 SNMP agent on VPI/VCI 15/16:
    005EB19C : C2403000 0070056C    stib    r8, 0x70056C
    
    Instead, store r6, which holds 0 at this point, so the flag is cleared:
    005EB19C : C2303000 0070056C    stib    r6, 0x70056C
    
  5. Two completely cosmetic patches:
    • Add a CR-LF before the "Invalid Password\r\nClosing Connection" message
    • Add a CR-LF before the main "ALCATEL ADSL MODEM" banner
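The patch step of the procedure above, and the four functional patches from the theory of operation, worked through as a small Python script. This is an added example written for these notes; it is not adnt-patch, and its "offset : orig new" patch text is the example's own format, not adnt-patch's. It refuses to write anything unless the original bytes are present (the "Orig" check the notes insist on), and it converts the virtual addresses quoted above to file offsets using the single pair the notes give (the EXPERT immediate at VA 0x005E39C4 is at file offset 0xcca7c); that constant-delta mapping is an assumption of the example, and if it is wrong for a given image the original-bytes check fails and nothing is written. The test image, the function names, and the patch format are all constructed for this example.

```python
"""Verifying byte patcher for the Speed Touch COFF image (added example;
not adnt-patch, and its 'offset : orig new' patch text is its own format).
It writes nothing unless the original bytes are present, the check the
notes require before patching."""
import struct

# EXPERT permission word: file offset and bit layout as tabulated above.
EXPERT_FLAGS_OFFSET = 0xCCA7C
REQUIRE_PASSWORD = 0x80000000   # require password for EXPERT CLI mode
PERMIT_TELNET = 0x00000004      # permit EXPERT TELNET login
PERMIT_HTTP = 0x00000002        # permit EXPERT HTTP login
PERMIT_FTP = 0x00000001         # permit EXPERT FTP login

# The notes give one VA/file-offset pair: the lda immediate at VA 0x005E39C4
# is at file offset 0xcca7c.  ASSUMPTION of this example: the code section
# maps with that constant delta, so the other VAs in the notes translate the
# same way.  If it is wrong for an image, the original-bytes check fails.
CODE_VA_DELTA = 0x005E39C4 - EXPERT_FLAGS_OFFSET   # 0x516F48

# (VA, original words, replacement words) transcribed from the notes; the
# processor is big-endian, so the hex is stored in the file in this order.
VA_PATCHES = [
    (0x005E39C0, "8CB83000FFFFFFFF", "8CB830007FFFFFF8"),  # lda 0x7FFFFFF8, g7
    (0x005C18F4, "0904F15C", "5C801E00"),                  # UDP TFTP: mov 0, g0
    (0x005EB194, "C24830000070056B", "C23030000070056B"),  # AAL5 TFTP: stib r6
    (0x005EB19C, "C24030000070056C", "C23030000070056C"),  # AAL5 SNMP: stib r6
]

class PatchError(ValueError):
    """A patch that must not be applied to this image."""

def va_to_file_offset(va):
    return va - CODE_VA_DELTA

def expert_flags(require_password=True, telnet=True, http=True, ftp=True):
    """Permission word for the chosen EXPERT settings, clearing bits from
    the factory value 0xFFFFFFFF."""
    word = 0xFFFFFFFF
    for enabled, bit in ((require_password, REQUIRE_PASSWORD), (telnet, PERMIT_TELNET),
                         (http, PERMIT_HTTP), (ftp, PERMIT_FTP)):
        if not enabled:
            word &= ~bit
    return word & 0xFFFFFFFF

def patch_lines(va_patches=VA_PATCHES):
    """Render patches as 'fileoffset : orig new' text lines."""
    return "\n".join(f"{va_to_file_offset(va):08x} : {o} {n}" for va, o, n in va_patches)

def parse_patchfile(text):
    patches = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # allow trailing comments
        if not line:
            continue
        addr, _, rest = line.partition(":")
        orig_hex, new_hex = rest.split()
        patches.append((int(addr, 16), bytes.fromhex(orig_hex), bytes.fromhex(new_hex)))
    return patches

def check_patch(image, offset, orig, new):
    """Raise unless `orig` is exactly what the image holds at `offset`."""
    if len(orig) != len(new) or offset < 0 or offset + len(orig) > len(image):
        raise PatchError(f"malformed patch at 0x{offset:x}")
    actual = bytes(image[offset:offset + len(orig)])
    if actual != orig:
        raise PatchError(f"0x{offset:x}: found {actual.hex()}, expected {orig.hex()}; "
                         "wrong software release, not patching")

def patch_image(image, patch_text):
    """Verify every patch first, then write, so one mismatch leaves the
    image untouched instead of half-patched."""
    patches = parse_patchfile(patch_text)
    for offset, orig, new in patches:
        check_patch(image, offset, orig, new)
    for offset, orig, new in patches:
        image[offset:offset + len(new)] = new
    return image

def read_word(image, offset):
    """Big-endian 32-bit read, the byte order the notes warn about."""
    return struct.unpack_from(">I", image, offset)[0]

def make_test_image():
    """Constructed stand-in for sw.coff (not real firmware): zero-filled,
    with the original words from VA_PATCHES at their file offsets."""
    img = bytearray(0xE0000)
    for va, orig, _ in VA_PATCHES:
        off = va_to_file_offset(va)
        img[off:off + len(orig) // 2] = bytes.fromhex(orig)
    return img

def patch_rejects_wrong_release(bad_word=0x0000000F):
    """An image whose EXPERT word differs must be refused and left as is."""
    img = make_test_image()
    struct.pack_into(">I", img, EXPERT_FLAGS_OFFSET, bad_word)
    try:
        patch_image(img, patch_lines())
    except PatchError:
        return read_word(img, EXPERT_FLAGS_OFFSET) == bad_word
    return False
```

To use it on a real unpacked image, read sw.coff into a bytearray, call `patch_image(image, patch_lines())`, and write the result out under a new name; `expert_flags(require_password=False, telnet=False, http=False, ftp=False)` reproduces the 0x7FFFFFF8 word from item 1, and other combinations (for example keeping the password requirement while closing the three logins) can be rendered the same way. Because every patch is checked before anything is written, a mismatch in any one of them leaves the file untouched rather than half-patched, which matters given the warnings above about non-working software loads.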