China Telecom EPON device, IPTV and TR069

After reading Wesley’s post about their problematic, data stealing router, I want to rant about mine.

In the neighbourhood I am living in, the only ISP is China Telecom.

For those who want a broadband connection, Telecom’s standard issue CPE is a combined EPON/Router device.  The device establishes EPON and PPPoE connection for you, have built-in DHCP server and Wi-Fi access point, and seems to be a good all-in-one CPE.

However the device in question has its problems. China Telecom locked the device down so that you, the user of the device, are not authorized to tinker with it too much. All settings are locked down except part of Wi-Fi, which includes only half of the SSID and the encryption key. Your SSID have to start with “ChinaNet” and only weak encryption is available.

It have extremely poor performance when switching packets across internal network. From my probing the device have 4 10/100Mbps downlink ports, one EPON uplink and the 54Mbps IEEE 802.11b/g wireless downlink (not talking about their staying on such an old wireless interface here), all sharing one USB 2.0 bus with 480Mbps total bandwidth, half duplex.

Software wise, it is even worse. It blocks DNS queries to any server but Telecom’s (which is infamous of being poisoned) and, this will be extreme, only allow 4 devices to be connected at a given time. I personally owns more than 4 devices, and I have a server running numerous virtual machines.

After some bribery to the worker who installed the system he gave me the pseudo-root credentials to the device, which allowed some mild tinkering. From there I found out the big bad, a Telnet server that can be accessed from both side of the device, with root access. Disabled by default with access to TCP port 23 firewalled but telnetd running, this port can be enabled with some command over TR069. This practically means that Telecom can run arbitrary code on the device without my consent.

Having no way of switching ISP or device, I had to hack it by disabling everything and anything that I found not appropriate or useful: Telnet, TR069 and even PPPoE. With my own router, the device can be dimmer to the Internet.

With throughput still being a bottleneck, I asked Telecom to take away this combined device and give me a set of new CPEs – a seperate EPON termination device and a router. I don’t want to ever touch that router.

However the Telecom IPTV kicks in. I still live with my family (don’t ask, in my city even middle-agers cannot afford their own place to live) and my mother absolutely loves IPTV. She demanded me not to break that. I tried all I can to ask Telecom about the details of their IPTV services but they refused to tell. Now I have a hard reverse engineering thing to do, trying to figure out what proprietary stack of protocols had Telecom used to support their IPTV services, and make my routing VM switch that traffic.

Before that, I still have to use that problematic router, hacked, trying to get my network speed up, and my traffic under the radar of Big Brother.

PS. If you are newcomer to Telecom IPTV, congratulations you are completely locked to their new Android-based IPTV which locks you into their system even tighter.

4 Replies to “China Telecom EPON device, IPTV and TR069”

  1. Wow, interesting to hear that the problem is international and not quite so uncommon as I had thought. Also nice to see that someone else came to the same conclusion about TR069. I’m surprised more malware hasn’t been written to take advantage of it. Or maybe it has, but the perpetrators are smart enough to play it low key and not get found out yet.

    (P.S. First name is Wesley. =) )

    1. The TR069 thing seems like poison to end users. When I hacked the device the first thing I do is trash the TR069 settings so that it no longer works.

        1. Actually the problem here is not TR069, but the Telnet port it can open. If someone caught the device when Telnet port open, he can plant malware.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.