Note

This maybe brick your ONT device, use at your own risk!

Usage

Find an exploit to load userdefined ko module

an exploit in /etc/rc.d/rc.start/1.sdk_init.sh, use kernel module .ko to run a shell script /mnt/jffs2/hw/getshell.sh when system reboot.

Logical exploit in line 200-206

# load hisi modules
if [ -f /mnt/jffs2/TranStar/hi_sysctl.ko ]; then
	  cd /mnt/jffs2/TranStar/
	  echo "Loading the Temp HISI SD511X modules: "
else
	  cd /lib/modules/hisi_sdk
	  echo "Loading the HISI SD511X modules: "
fi

if /mnt/jffs2/TranStar/hi_sysctl.ko exsit, then execute cd /mnt/jffs2/TranStar/. That means work directory is /mnt/jffs2/TranStar/ now, and /mnt/jffs2/TranStar/ is writable. so

mkdir -p /mnt/jffs2/TranStar/
cp -rf /lib/modules/hisi_sdk/* /mnt/jffs2/TranStar/

In order to excute line 261-262, change in /mnt/jffs2/hw_boardinfo

obj.id = "0x00000001" ; obj.value = "4";

Upload getshell.ko module, compiled by 0neday, only support r019

# just for gpon
cp getshell.ko /mnt/jffs2/TranStar/hi_epon.ko

# or for epon
cp getshell.ko /mnt/jffs2/TranStar/hi_gpon.ko

License

GPLv3.0