Hacking Online’s new modem

Online (previously Wanadoo/Orange) is currently testing a new modem to replace the ‘Livebox’. The new modem is a Speedtouch 706 (WL) and to prevent people from accidently breaking it or use the modem on different DSL networks nearly all administrative options are disabled.

Unlike the old Livebox, you only get limited access to forward ports and change the wifi SSID and password. Even DynDNS support, which was perfectly usable in the Livebox, is disabled.

Looking for a way to disable the built-in DHCP server and change the default IP address of the Speedtouch 706 I tried flashing the device with the original firmware instead of the locked one. However, the firmware updater refuses to flash because of incompatibility.

This didn’t stop me and using TFTP I tried forcing the flash, but again, this didn’t work.

After some googling I came across a vulnerability in the Speedtouch 780, that allows you to access any page of the webinterface, even the ones you shouldn’t have access to. Using this vulnerability it’s possible to download the modem’s configuration, change it in a text editor and upload it again.

Thanks to this vulnerability I was able to disable the DHCP server and change the symmetric NAT implementation to cone NAT. The default configuration makes it nearly impossible to play online games based on a player-to-player architecture. C&C3 and Supreme Commander are two games that use this technique to allow players to play against eachother. With the original configuration I was unable to connect to about 80% of players in Supreme Commander, now with the cone NAT configuration I no longer have any issues.

You can find instructions to download/upload the Speedtouch configuration here and you can find/replace these bits in the user.ini to get cone NAT instead of symmetric NAT:

connection bind application=CONE(UDP) port=0

connection appconfig application=CONE(UDP) timeout=0

ids config state disabled

6 thoughts on “Hacking Online’s new modem

  1. Hi,

    I successfully dumped the config file with the explanation provided on the gnucitizen site but I don’t know the procedure to reupload it.

    Can you send me the command ??

    Many Thanks,


  2. You need to go to the page where you can upload the configuration and save it to disk.
    Open the file in a text editor and replace the line that looks like this:
    form enctype=”multipart/form-data” method=”post” action=”/cgi/b/restore/” name=”Restore”

    Replace the action= part with:

    So you add the extra slash behind the action and you enter the full URL to that page.
    After saving the file, open that file in your browser, enter your modified configuration file and upload it 🙂

  3. Why all this trouble??? Just flash the original firmware… I did it on the 706 of Online, 780 of KPN. Works great

  4. I’m having a hard time flashing the Thomson TG787v of KPN. Are formilar with this modem

  5. The new KPN Experiabox modems only accept their own firmware, bootloader refuses other firmwares. Same for Online’s 706WL ones.

  6. Sometimes it becomes important to learn a few hacking tricks in order to stay safe. You need to learn from where your computer is opened for hacking, your router, your online data. Everything can be compromised. Learn hacking for making yourself safe.

    At: Pakhaxors.com