This repository documents my experience and the method used to successfully achieve root on a Fastweb FASTGate DGA4131FWB router running the firmware version 18.3.n.0482_FW_264_DGA4131.
I recently wanted to root my DGA4131FWB gateway. Upon checking the hack-technicolor documentation, I noticed that my specific firmware version was listed with an unknown root strategy:
| Type | Version | Timestamp |
|---|---|---|
| 2 π | 18.3.n.0462_FW_261 |
2020-07-17 |
| ??? π€ | 18.3.n.0482_FW_264 |
2021-11-12 |
Since it wasn't listed as a directly rootable Type 2 firmware, I had to find a workaround.
My initial thought was to go the hardware route. I opened the router, soldered a serial connection, and attempted to access a bootloader shell or run some initial commands.
Unfortunately, I was only able to drop the device into BOOTP mode (recovery mode). While it is technically possible to flash a vulnerable Type 2 firmware via BOOTP, I wanted to avoid taking the "easy way" of just blindly overwriting it via recovery. I wanted to see if I could exploit the current system architecture.
Through further research, I learned that Technicolor routers utilize a dual-bank layout for firmware (Bank 1 and Bank 2). When a firmware update occurs, it flashes the inactive bank and switches to it. This means that the other bank usually contains an older firmware version.
My goal was to intentionally fail the boot sequence on Bank 2 (which contained the unrootable 18.3.n.0482 firmware) to force the router to fall back to Bank 1.
I applied the logic demonstrated in this YouTube video by Aron Bezzina regarding bank switching on Telstra modems to my Fastweb FASTGate.
Here is the general process to force the fallback:
- Power on the router.
- Carefully monitor the boot sequence from the serial connection output until it starts the Linux kernel.
- Use the physical power button on the back of the router at specific intervals to interrupt the boot process (toggle it off and on very quickly).
- After repeating this boot interruption cycle 3 consecutive times, the router's failsafe triggers.
After failing the boot 3 times, the router successfully fell back to the older bank. My serial output showed:
Booting : Bank 1 (bank 2 failed 3 times)
SW Version : 18.3.n.0462-2301003-20200717112810-67ce3c757e3f702547781d807d67394ff999e50e
The router booted into 18.3.n.0462_FW_261! Looking back at the firmware table, version 18.3.n.0462_FW_261 is a Type 2 firmware, which is a known vulnerable version.
Because I was now successfully running a Type 2 firmware, the rest of the process was incredibly straightforward.
I followed the official hack-technicolor guide for Type 2 Firmwares:
π Rooting Type 2 Firmwares
If you have a Fastweb FASTGate DGA4131FWB on 18.3.n.0482_FW_264_DGA4131 (or any "Type ???" firmware) and you do not want to flash via BOOTP, check the passive bank first. There is a very high probability that the inactive bank contains an older, exploitable Type 2 firmware from before the router was updated.
Huge thanks to the maintainers of the hack-technicolor project and to Aron Bezzina for the bank switching tutorial.