seud0nym / tch-gui-unhide

Modify Telstra-branded Technicolor devices to access hidden features
GNU General Public License v3.0

Additional "de-telstra" options #1

Closed juzman closed 4 years ago

juzman commented 4 years ago

I currently have a DJA0231 and was running the latest 0543 test firmware, but have rolled back to 18.1.c.0514-950-RB and re-rooted it.

I have run the de-telstra script and tch-gui-unhide-DJA0231-18.1.c.0514, but thought of a couple of little additional things that could maybe be added to the "de-telstra" script.

# Disable lotagent
/etc/init.d/lotagent stop
/etc/init.d/lotagent disable

# Remove Telstra NTP
uci del_list system.ntp.server=chronos.ntp.telstra.net
uci del_list system.ntp.server=chronos1.ntp.telstra.net
uci commit
/etc/init.d/sysntpd restart

# Disable LTE Doctor
SRV_ltedoctor=0

if [ "$(uci -q get ltedoctor.config.enabled)" = '1' ]   # string compare: -eq fails with "bad number" when the option is unset
then
  echo [$SCRIPT]: Disabling LTE Doctor
  uci set ltedoctor.config.enabled='0'
  uci commit ltedoctor
  /etc/init.d/lte-doctor-logger stop
  /etc/init.d/lte-doctor-logger disable
  SRV_ltedoctor=$(( $SRV_ltedoctor + 1 ))
else
  echo [$SCRIPT]: LTE Doctor already disabled
fi

# Disable UPnP (https://www.forbes.com/sites/andygreenberg/2013/01/29/disable-a-protocol-called-upnp-on-your-router-now-to-avoid-a-serious-set-of-security-bugs/#12054ae876b4)
SRV_upnpd=0

if [ "$(uci get upnpd.config.enable_natpmp)" = '1' -a "$(uci get upnpd.config.enable_upnp)" = '1' ]
then
  echo [$SCRIPT]: Disabling UPnP
  uci set upnpd.config.enable_natpmp='0'
  uci set upnpd.config.enable_upnp='0'
  uci commit upnpd
  SRV_upnpd=$(( $SRV_upnpd + 1 ))
else
  echo [$SCRIPT]: UPnP already disabled
fi

Not sure if this helps, but disabling the power saving too?

pwrctl config --cpuspeed 0
pwrctl config --wait off
pwrctl config --ethapd off
pwrctl config --eee off
pwrctl config --autogreeen off
juzman commented 4 years ago

Here's a list of services that are currently running too. I'm guessing that since we disable printer sharing and file sharing, we can disable cupsd and samba too? There are probably others also.

I've also disabled wol, mmpbxbrcmdect, mmpbxd, mmpbxfwctl, dumaos, dumaos_qos_tweaks, ddns, wansensing since I don't use those.

root@DJA0231:~# for F in /etc/init.d/* ; do $F enabled && echo $F on || echo $F **disabled**; done
/etc/init.d/airiq-controller on
/etc/init.d/arpwatch on
/etc/init.d/bcm-device-nodes on
/etc/init.d/bcm-usb-support on
/etc/init.d/bcm_modules on
/etc/init.d/bcm_spdsvc on
/etc/init.d/bcmubusbridge on
/etc/init.d/boot on
/etc/init.d/brcm_kthrd_prios on
/etc/init.d/bulkdata on
/etc/init.d/cgconfig on
/etc/init.d/cgevent on
/etc/init.d/cgred on
/etc/init.d/cgroup_rt_processes on
/etc/init.d/conntrackd on
/etc/init.d/connwatch on
/etc/init.d/cron on
/etc/init.d/ctwatch on
/etc/init.d/cupsd **disabled**
/etc/init.d/ddns **disabled**
/etc/init.d/dhcpopassthrud on
/etc/init.d/dhcpsnooper on
/etc/init.d/dlnad on
/etc/init.d/dnsmasq on
/etc/init.d/done on
/etc/init.d/dosprotect on
/etc/init.d/dropbear on
/etc/init.d/dumaos **disabled**
/etc/init.d/dumaos_qos_tweaks **disabled**
/etc/init.d/ethernet on
/etc/init.d/ethoam on
/etc/init.d/firewall on
/etc/init.d/firmware-upgrade-ext on
/etc/init.d/fseventd on
/etc/init.d/hostapd on
/etc/init.d/hostmanager on
/etc/init.d/igmpproxy on
/etc/init.d/install-ipks on
/etc/init.d/intercept on
/etc/init.d/iperf on
/etc/init.d/ipset on
/etc/init.d/iqos on
/etc/init.d/lcmd on
/etc/init.d/led on
/etc/init.d/ledfw on
/etc/init.d/log on
/etc/init.d/lotagent **disabled**
/etc/init.d/lsyslogd on
/etc/init.d/lte-doctor-logger **disabled**
/etc/init.d/mcsnooper on
/etc/init.d/miniupnpd-tch **disabled**
/etc/init.d/mldproxy on
/etc/init.d/mmpbxbrcmdect **disabled**
/etc/init.d/mmpbxd **disabled**
/etc/init.d/mmpbxfwctl **disabled**
/etc/init.d/mobiled on
/etc/init.d/mosquitto on
/etc/init.d/mountd on
/etc/init.d/mud on
/etc/init.d/multiap_agent on
/etc/init.d/multiap_controller on
/etc/init.d/multiap_vendorextensions **disabled**
/etc/init.d/mvfs on
/etc/init.d/mwan on
/etc/init.d/neighm on
/etc/init.d/network on
/etc/init.d/nginx on
/etc/init.d/ngwfdd on
/etc/init.d/odhcpd on
/etc/init.d/phypower on
/etc/init.d/pinholehelper on
/etc/init.d/platform-gpl on
/etc/init.d/portmirror on
/etc/init.d/power on
/etc/init.d/pppoe-relay on
/etc/init.d/pppoe-relay-tch on
/etc/init.d/pre-mwan on
/etc/init.d/prozone on
/etc/init.d/qos on
/etc/init.d/ra on
/etc/init.d/random_seed **disabled**
/etc/init.d/redirecthelper on
/etc/init.d/restore on
/etc/init.d/rtfd on
/etc/init.d/samba **disabled**
/etc/init.d/samba-nmbd **disabled**
/etc/init.d/sensors on
/etc/init.d/softswitch on
/etc/init.d/spu on
/etc/init.d/sscert on
/etc/init.d/sudo on
/etc/init.d/supervision on
/etc/init.d/swmdk on
/etc/init.d/sysctl on
/etc/init.d/sysctl-tch on
/etc/init.d/sysfixtime on
/etc/init.d/syslog_fwd on
/etc/init.d/sysntpd on
/etc/init.d/system on
/etc/init.d/thermalProtection on
/etc/init.d/tod **disabled**
/etc/init.d/trafficmon **disabled**
/etc/init.d/transformer on
/etc/init.d/uhttpd on
/etc/init.d/umount **disabled**
/etc/init.d/usbmode on
/etc/init.d/wansensing **disabled**
/etc/init.d/warmboot on
/etc/init.d/watchdog-tch on
/etc/init.d/weburl on
/etc/init.d/wfa-testsuite-daemon on
/etc/init.d/wifi-conductor on
/etc/init.d/wol **disabled**
/etc/init.d/xdsl on
/etc/init.d/xinetd on
/etc/init.d/xl2tpd on
/etc/init.d/xtm on
seud0nym commented 4 years ago

Some good suggestions here.

I don't want to disable too many things, because everyone's usage is different. For example, I have 2 DJA0231, and I am setting up the 2nd one as a WiFi Booster, since those devices support EasyMesh. And I use samba to quickly get changes across to the multiple devices I am testing on.

I am also trying to port across GUI features from the Ansuel GUI, which will deal with some of these (e.g. I hope to bring across the Eco card, which then allows each user to choose their power saving features).

Thanks.

juzman commented 4 years ago

I was running the Ansuel GUI, but when I was testing 0543 it broke, so I rolled back and then found yours.

I'm guessing it would be safe to add in disabling cupsd in the section where print sharing is disabled. Then it can be disabled/enabled.

Well, possibly disabling SIP and the related services could be put into a separate script, "disable-sip", so that if people don't use a landline they have that option there too. 😊

Of course not everyone will have the same setups. Maybe a script down the track that has options?

  1. Disable/Enable Samba
  2. Disable/Enable Xyz
seud0nym commented 4 years ago

I don't suppose you kept a backup of 0543, did you?

juzman commented 4 years ago

It's currently only a test firmware and still a little buggy with Geo filters and extras in DumaOS.

I can get you a copy, or wait until we've ironed out the bugs and get the next build.

seud0nym commented 4 years ago

If it is not going to be released, then no. I just wanted to get ahead of developing a new unhide script to deal with a new version.

I am about to start looking at changes to de-telstra, and I have a couple of questions for you:

The problem with disabling samba is that it then breaks the GUI - you can't enable file sharing at all.

I agree with your suggestion of disabling/enabling services. I am thinking of an option for each service, which has probably 3 options: on/off/unchanged with the default being unchanged, so it just leaves it as is.
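
The three-state on/off/unchanged option described above, combined with the "check before changing" pattern of the snippets earlier in the thread, as an added example in POSIX sh (this is not code from tch-gui-unhide or de-telstra). The option letters, the message format, the `svc_ctl` helper and the `uci` shim are assumptions for illustration; on a real Technicolor device the shim is skipped and the real `uci` binary is used. For brevity it tracks only `upnpd.config.enable_upnp`, whereas the snippet above also clears `enable_natpmp`.

```shell
#!/bin/sh
# Added example, not part of tch-gui-unhide: a three-state (u|y|n) service
# toggle that applies a setting idempotently. Option letters, messages,
# svc_ctl and the uci shim are assumptions for illustration only.

SCRIPT=de-telstra-example
CHANGED=0

# Off-device shim: if no real 'uci' exists, keep key=value pairs in a flat
# file so the script can be exercised anywhere. On a Technicolor device the
# real uci binary is found in PATH and this block is skipped.
UCI_STATE="${UCI_STATE:-/tmp/de-telstra-example.uci}"
if ! command -v uci >/dev/null 2>&1; then
  uci() {
    if [ "$1" = "-q" ]; then shift; fi
    case "$1" in
      get)    grep "^$2=" "$UCI_STATE" 2>/dev/null | cut -d= -f2- ;;
      set)    uci_key=${2%%=*}; uci_val=${2#*=}
              grep -v "^$uci_key=" "$UCI_STATE" 2>/dev/null > "$UCI_STATE.tmp" || true
              echo "$uci_key=$uci_val" >> "$UCI_STATE.tmp"
              mv "$UCI_STATE.tmp" "$UCI_STATE" ;;
      commit) : ;;   # nothing to flush in the shim
    esac
  }
fi

# Run an init.d action when the script exists (on-device); otherwise say so.
svc_ctl() {  # svc_ctl <init.d name> <stop|start|enable|disable>
  if [ -x "/etc/init.d/$1" ]; then
    "/etc/init.d/$1" "$2"
  else
    echo "  (would run /etc/init.d/$1 $2)"
  fi
}

state_name() {  # 1 -> Enabled, anything else -> Disabled
  if [ "$1" = "1" ]; then echo Enabled; else echo Disabled; fi
}

# set_service <label> <uci key> <init.d name> <u|y|n>
# u leaves the setting alone, y/n enable/disable it. Nothing is written when
# the device is already in the requested state, so re-running is safe;
# CHANGED counts the services actually modified.
set_service() {
  svc_label=$1; svc_key=$2; svc_init=$3; svc_want=$4
  svc_cur=$(uci -q get "$svc_key")
  case "$svc_want" in
    u) echo "[$SCRIPT]: $svc_label unchanged [$(state_name "$svc_cur")]"; return 0 ;;
    y) svc_target=1 ;;
    n) svc_target=0 ;;
    *) echo "[$SCRIPT]: $svc_label: invalid option '$svc_want' (use u, y or n)" >&2; return 2 ;;
  esac
  if [ "$svc_cur" = "$svc_target" ]; then
    echo "[$SCRIPT]: $svc_label already $(state_name "$svc_cur")"
    return 0
  fi
  uci set "$svc_key=$svc_target"
  uci commit "${svc_key%%.*}"          # commit only the affected package
  if [ "$svc_target" = "1" ]; then
    svc_ctl "$svc_init" enable; svc_ctl "$svc_init" start
  else
    svc_ctl "$svc_init" stop; svc_ctl "$svc_init" disable
  fi
  echo "[$SCRIPT]: $svc_label $(state_name "$svc_target")"
  CHANGED=$((CHANGED + 1))
}

# Parse de-telstra-style flags: -u u|y|n for UPnP, -l u|y|n for LTE Doctor.
# Both default to 'u', so running with no flags changes nothing.
apply_options() {
  OPTIND=1; CHANGED=0
  opt_upnp=u; opt_lte=u
  while getopts "u:l:" opt; do
    case "$opt" in
      u) opt_upnp=$OPTARG ;;
      l) opt_lte=$OPTARG ;;
      *) echo "usage: $0 [-u u|y|n] [-l u|y|n]" >&2; return 2 ;;
    esac
  done
  set_service "UPnP"       upnpd.config.enable_upnp  miniupnpd-tch     "$opt_upnp"
  set_service "LTE Doctor" ltedoctor.config.enabled  lte-doctor-logger "$opt_lte"
  echo "[$SCRIPT]: $CHANGED service(s) changed"
}

# Stand-alone use, e.g.:  sh example.sh -u n -l u
if [ "$#" -gt 0 ]; then apply_options "$@"; fi
```

Committing only the package named in the key (`${svc_key%%.*}`) mirrors the `uci commit ltedoctor` / `uci commit upnpd` calls in the thread and avoids flushing unrelated pending changes; the "already ..." branch is what makes the script safe to run over the top of itself.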

juzman commented 4 years ago

> If it is not going to be released, then no. I just wanted to get ahead of developing a new unhide script to deal with a new version.

No worries, when I get a new final build I will let you know. :)

> I am about to start looking at changes to de-telstra, and I have a couple of questions for you:
>
>   • Do you know what lotagent is/does? I had assumed it was something to do with QoS, and therefore should it really be disabled?
>   • Isn't ltedoctor used by the 4G backup? I think it is what provides the Diagnostics tab on the Mobile card.

I believe lotagent has something to do with logging and sending it off.

I have ltedoctor disabled and the only thing I don't have on the diagnostic tab is "No signal quality history available for the selected period". However I still have live Status/Signal Quality/Operator Info and Cell Info.

> The problem with disabling samba is that it then breaks the GUI - you can't enable file sharing at all.

> I agree with your suggestion of disabling/enabling services. I am thinking of an option for each service, which has probably 3 options: on/off/unchanged with the default being unchanged, so it just leaves it as is.

Ah, I didn't know about it breaking the GUI disabling Samba (for me personally I don't need file sharing as I have a NAS anyway).

The services with on/off/default sounds good. :)

juzman commented 4 years ago

I now have 18.1.c.0543-950-RA final build if you would like a copy of the .rbi file?

Almost tempted to try the "firmware upgrade" via the GUI then re-run the debloat. Haha.

However, I believe last time I had 0543 the Ansuel GUI broke.

seud0nym commented 4 years ago

Yes, please.

What is the difference between the -RA and the usual -RB?

juzman commented 4 years ago

http://fwstore.bdms.telstra.net/Technicolor_vcnt-a_18.1.c.0543-950-RA/vcnt-a_18.1.c.0543-950-RA.rbi

Honestly, I wouldn't have a clue. Looking at it, I am guessing it's just a naming thing.

18.1.c.0215-950-RA (BASE)
18.1.c.0241-950-RA (MR1)
18.1.c.0283-950-RA (MR2.1)
18.1.c.0347-950-RC (MR3.6)
18.1.c.0384-950-RB (MR4.1)
18.1.c.0443-950-RA (MR 5.1)
18.1.c.0443-950-RB (MR 5.2)
18.1.c.0462-950-RA (MR 5.3)
18.1.c.0462-950-RB (MR 5.4)
18.1.c.0514-950-RB (MR 5.3)

etc etc

seud0nym commented 4 years ago

Help text from new version (run on my test TG800vac):

Syntax: ./de-telstra <options>
Optional parameters:
 -h u|d|s|<hostname>
    where u            Leave hostname unchanged (Default)
          d            Set the hostname to TG800vac
          s            Set the hostname to TG800vac-CPxxxxxxxx
          <hostname>   Use the specified hostname
 -d u|g|<domainname>
    where u            Leave domain name unchanged (Default)
          g            Set the domain name to gateway
          <domainname> Set the domain name to <domainname>
 -n u|a|c|g|f|o|<n.n.n.n>
    where u            Leave DNS servers unchanged (Default)
          a            Automatically use the DNS servers from the ISP (device default)
          c            Set the DNS servers to Cloudflare
          g            Set the DNS servers to Google
          f            Set the DNS servers to OpenDNS Family Shield
          o            Set the DNS servers to OpenDNS
          <n.n.n.n>    Set the DNS servers to 1 or 2 comma-separated IPv4 addresses (e.g. 8.8.8.8,1.1.1.1)
 -a u|y|n
    where u            Leave ALGs unchanged (Default)
          y            Enable ALGs (device default)
          n            Disable ALGs (except SIP if telephony enabled)
 -c u|y|n
    where u            Leave Content Sharing unchanged (Default)
          y            Enable Content Sharing (device default)
          n            Disable Content Sharing
 -f u|y|n
    where u            Leave File Sharing unchanged (Default)
          y            Enable File Sharing (device default)
          n            Disable File Sharing
 -p u|y|n
    where u            Leave power saving unchanged (Default)
          y            Enable power saving (device default)
          n            Disable power saving
 -r u|y|n
    where u            Leave Printer Sharing unchanged (Default)
          y            Enable Printer Sharing (device default)
          n            Disable Printer Sharing
 -t u|y|n
    where u            Leave Telephony (mmpbx) unchanged (Default)
          y            Enable the telephony service (device default)
          n            Disable the telephony service
 -u u|y|n
    where u            Leave UPnP unchanged (Default)
          y            Enable the UPnP service (device default)
          n            Disable the UPnP service
 -A                    Equivalent to: -h d -d g -n c -a n -f n -p n
 -S                    Equivalent to: -h s -d g -n c -a n -f n -p n

Sample output:

[de-telstra]: Applying default hardening rules...
[de-telstra]: - Checking SSH access
[de-telstra]: - authorized_keys already replaced /etc/dropbear/authorized_keys
[de-telstra]: - dropbear re-configuration already completed
[de-telstra]: - CWMP already disabled
[de-telstra]: - Telstra monitoring already disabled
[de-telstra]: - Telstra AIR already removed
[de-telstra]: - Telstra NTP servers already removed
[de-telstra]: - lotagent already disabled
[de-telstra]: - Web GUI default user access already removed
[de-telstra]: Host name is already test
[de-telstra]: Domain name unchanged [gateway]
[de-telstra]: ISP peer DNS unchanged [Disabled]
[de-telstra]: DNS Servers unchanged [ 1.1.1.1 1.0.0.1 ]
[de-telstra]: Content sharing unchanged [Disabled]
[de-telstra]: Printer sharing unchanged [Disabled]
[de-telstra]: File sharing unchanged [Disabled]
[de-telstra]: Telephony unchanged [Enabled]
[de-telstra]: FTP ALG unchanged [Disabled]
[de-telstra]: TFTP ALG unchanged [Disabled]
[de-telstra]: SNMP ALG unchanged [Disabled]
[de-telstra]: PPTP ALG unchanged [Disabled]
[de-telstra]: SIP ALG left enabled because Telephony enabled
[de-telstra]: IRC ALG unchanged [Disabled]
[de-telstra]: AMANDA ALG unchanged [Disabled]
[de-telstra]: RTSP ALG unchanged [Disabled]
[de-telstra]: UPnP unchanged [UPnP Disabled NAT-PMP Disabled]
[de-telstra]: Power saving settings unchanged [Enabled]
[de-telstra]: Applying required service changes...
[de-telstra]: Removing packages that are no longer required
No packages removed.
[de-telstra]: Done!
[de-telstra]: NOTE: If you haven't changed the root password, you should do it now...
juzman commented 4 years ago

Oh wow, that looks awesome! Easy to disable everything you don't need, and set up DNS too (I use AdGuard), so having the option to do -n x.x.x.x,x.x.x.x is great.

Will we be able to run this script over the top of the current one?

seud0nym commented 4 years ago

Yes, the script is re-runnable as many times as you wish.

I have just done the release.