Modifying cfgsave.dwb files from a Wanadoo Livebox (Inventel DV4210) Wireless ADSL Modem Router


The following does not work on versions v5.02.7-fr or v5.03.3-uk and greater. These newer files have an md5sum checksum added to the cfgsave file and it is checked when it is restored. If the md5sum is not correct it does not restore. I have not managed to work out what is used as the 'salt' and so I cannot easily create the checksum to allow this method to be used on those versions of firmware.

To modify the cfgsave.dwb file you first need to decode this file. This file is just a tar file that has been 'encrypted' by adding 0x1b to every byte in the file. A small program to do this, cfg_unhide was created by Benjamin and posted to brcm6345-linux-devel mailing list as cfgsave_unhide.c. I have made the source available here, cfg_unhide.c. Once you have modified the parts you want, you then need to encrypt it again. I modified the cfg_unhide.c to do this. The modified program is available here, cfg_hide. The source is available here, cfg_hide.c.

The method I use to modify the file is as follows,

  • Configure the Livebox with all the correct options you require.
  • Create a cfgsave.dwb file from the Livebox web pages Advanced section and save to a Linux box. If you only have Windows machines, you will need to compile the cfg_unhide.c and cfg_hide.c to run under either DOS or Windows. The files will need to be modified to work under DOS/Windows because in their current form they convert every 0x0D to a CRLF pair in DOS which corrupts the decoded cfgsave.tar file. Remember that all files under Linux are case sensitive.
  • Run "cfg_unhide < cfgsave.dwb > cfgsave.tar" to decode the dwb file into a regular tar file.
  • Copy this tar file into an empty directory and extract ALL the files by running "tar -xvf cfgsave.tar".
  • Edit the configuration file you want to modify. I used "wifi.conf" as it 'should' be the last one run.
  • My changes were to add the following lines to the end of the file
  • rm /etc/passwd this removes the link to the original password file.
  • echo root::0:0:root:/root:/bin/sh >/etc/passwd this creates a new password file with no password for the root account.
  • Save the modified wifi.conf file.
  • Delete any existing tar and dwb files, leaving only the extracted and modified configuration files in the current directory.
  • Build a new tar file with the command "tar -cvf cfgsave.tar *".
  • Run "cfg_hide < cfgsave.tar >cfgsavehack.dwb" to encode the tar file into a dwb file.
  • Using the Livebox web pages Advanced section, restore the modified configuration. The Livebox should reboot after restoring the configuration and once the boot has completed, with the above modification, you should be able to connect to a command prompt through either the serial port or through a telnet session by just entering root as the username name with no password.
  • Using the Livebox web pages Advanced section, restore the original saved configuration. The Livebox should reboot after restoring the configuration and once the boot has completed you should still be able to connect to a command prompt through either the serial port or through a telnet session by just entering root as the username name with no password. Doing this step removes the hacked wifi.conf file from the Livebox, otherwise every time you reboot you will delete/change the passwd file.

    • You can use this method to get the Livebox to run any command(s) that you want.

    Remember that these changes are only temporary and will be removed if the Livebox does a 'hard' reset and restores itself to the factory defaults. If this happens, just use the restore configuration option on the web page again. Please note that the Livebox checks the version of the running firmware against the file 'issue.bluedsl' contained in the cfgsave.tar(dwb) file and appears to reject a saved configuration from a previous version. If a firmware upgrade is carried you will probably need to do all the above again in order to get back to a console.

    Andy Potter.