zacron (Premium Member, join: 2008-11-26, Frozen Hoth), 2012-Feb-21 8:48 pm
Firmware + Sagemcom Modem + Help
Hello All,
Bequeathed to me by a bell tech whom I will not name for his generosity to my curiosity, I have three brand new, un-opened sagemcom wireless n modems.
Now, I've managed to talk sagemcom into giving me firmware, I shall pass this on to whomever asks for it via pm only.
I REFUSE to post it online for various reasons.
Now, there aren't any menus in this modem which can help me to figure out how to load firmware onto this bugger.
Is there anyone who knows how to go about this?
Is there anyone willing to "hack" this modem? I will provide you with a device. (Relevant experience required)
Thank you,
Zacron
**THIS IS PURELY FOR EDUCATIONAL PURPOSES, I WANT TO SEE JUST HOW MUCH THIS DEVICE OFFERS**
Ott_Cable (Anon), 2012-Feb-21 9:01 pm
Not sure if this is remotely similar to your modem: » www.skyuser.co.uk/forum/ ··· ter.html (Sky V3 Sagem F@ST 2504 router)
HiVolt (Premium Member, join: 2000-12-28, Toronto, ON)
to zacron
Wonder if it has TFTP open. I doubt it, and it's all done with TR-69.
zacron (Premium Member, join: 2008-11-26, Frozen Hoth)
to Ott_Cable
No, because there is no option for firmware upgrade, I have no idea what the links are.
I've tried changing the URL to things such as:
?page=update ?page=upgrade ?page=routerupgrade
zacron
to HiVolt
It does, but there's no way to play with it... it seems bhell has it locked to TFTP located on VLAN 23 (vpi 23/vci 1)
Zacron
zacron (Premium Member), 2012-Feb-21 9:13 pm
Pic of main page: Firmware
zacron (Premium Member), 2012-Feb-21 9:16 pm
» 192.168.2.1/upgrade.cgi leads me to a "cannot display webpage", whereas everything else just leads to a 404 error... This is promising. I wonder what the URL is? lol
zacron (Premium Member), 2012-Feb-21 9:39 pm
Tried ports:
88 8080 8098 8099 22 23 21 15 28
HiVolt (Premium Member, join: 2000-12-28, Toronto, ON), 2012-Feb-21 10:00 pm
I wonder if we can put up some bounty for some hackers to have at it, and hack it so firmware can be replaced.
zacron (Premium Member, join: 2008-11-26, Frozen Hoth), 2012-Feb-21 10:16 pm
$100 via PayPal to the hacker who can successfully do this, more for receipted expenses... no tissue paper receipts will be accepted :P
Inssomniak (The Glitch, Premium Member, join: 2005-04-06, Cayuga, ON)
to zacron
If the firmware is a flash chip binary image it would not be difficult for someone to actually flash it with a programmer and resolder the chip.
If it's an upgrade image then ya gotta find the upgrade page, if it exists.
to zacron
I spent a bunch of time looking into the options when trying to find a solution to the stupid cellpipe reboot issue.
It should be upgradeable via TR-069. You would need to set up a TR-069 server and get the device to access it. The trick there would be that the device will most likely only access the server over the DSL link, so you would need a DSL "server" (not sure what the correct term is and too lazy to look it up right now). Some DSL modems can be used point to point (i.e. one modem connected to another modem). I'm not sure about the sagemcoms.
I believe that there is a free TR-069 server implementation available (it is basically just a web server). I also believe that you should be able to find the address that Bell is using for this so that you can fake it. I think it was actually mentioned recently in the cellpipe reboot thread. Otherwise check the logs on the modem to see if you can spot it there.
Does the sagemcom have a console port like the cellpipe does? It may have one but with no external connector (check the board for a header).
There was also a guy in the telus forum who updated the firmware on the telus version of the cellpipe (not quite the same as the bell one) who seemed to have some experience with this sort of thing.
If you can get any type of console access, i.e. telnet, ssh or serial, then you might be able to get enough access to upload from a TFTP server. I work with enterprise VoIP equipment where this is common but I'm not sure about DSL modems.
BACONATOR26
to zacron
OK, just read further, so TFTP on the DSL side... Sounds like you need someone with a DSLAM to get at it.
BACONATOR26
to Phibian
said by Phibian: "It should be upgradeable via TR-069"
Considering how locked down the Bell firmware is, they may have closed the option to any type of TR-069 on the LAN side.
They seem to use this method to update their modems. marknotmarc on the forums here reported his cellpipe being remotely updated, so I would expect that the same applies to the sagemcoms. It seems to be the standard way of managing them nowadays. The catch of course is that you need to be on the DSL side to do it, which is difficult for the average consumer...
zacron (Premium Member, join: 2008-11-26, Frozen Hoth), 2012-Feb-22 4:55 pm
Hmm, I have pulled it apart and there seems to be a correct pin header for a JTAG device. I'm currently uploading some photos of the board and whatnot. I am determined to "educate" myself on this device.
Zacron
to zacron
I've managed to enable Telnet access on the device. You start out with some basic commands but you can drop into a normal shell. I'll post instructions in a little bit.

$ telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
Username: admin
Password: *****
HomeGateway> help all
Command Category pvc - PVC scan related commands
scan Scan predefined vpi.vci to determine PPP protocol
scan_restart Restart PVC scan
scan_status Display PVC scan status
exit Exit sub menu
help Show help for commands within this menu
Command Category conf - Read and write HomeGateway configuration data
factory Factory related commands
print Print HomeGateway configuration
set Set HomeGateway configuration path to value
set_obscure Set HomeGateway configuration path to an obscured value
del Delete subtree from HomeGateway configuration
ram_set Set HomeGateway dynamic configuration
ram_print Print HomeGateway dynamic configuration
reconf Reconfigure the system according to the current HomeGateway
configuration
exit Exit sub menu
help Show help for commands within this menu
Command Category FT commands - FT commands
save Save configurating to flash
flash_chksum Display all flash sections checksums
atm atm
sndcp sndcp
vdsl VDSL commands
upnp UPnP commands
qos Control and display QoS data
bridge API for managing ethernet bridge
firewall Control and display Firewall and NAT data
connection API for managing connections
inet_connection API for managing internet connections
wireless Wireless commands
misc API for HomeGateway miscellaneous tasks
firmware_update Firmware update commands
log Controls HomeGateway logging behavior
dev Device related commands
kernel Kernel related commands
system Commands to control HomeGateway execution
flash Flash and loader related commands
net Network related commands
leds Leds control commands
exit Exit from the current CLI session
help Show help for commands within this menu
Command Category FT atm commands - FT atm commands
atm atm
sndcp sndcp
vdsl VDSL commands
upnp UPnP commands
qos Control and display QoS data
bridge API for managing ethernet bridge
firewall Control and display Firewall and NAT data
connection API for managing connections
inet_connection API for managing internet connections
wireless Wireless commands
misc API for HomeGateway miscellaneous tasks
firmware_update Firmware update commands
log Controls HomeGateway logging behavior
dev Device related commands
kernel Kernel related commands
system Commands to control HomeGateway execution
flash Flash and loader related commands
net Network related commands
leds Leds control commands
exit Exit from the current CLI session
help Show help for commands within this menu
Command Category FT sndcp commands - FT sndcp commands
sndcp sndcp
vdsl VDSL commands
upnp UPnP commands
qos Control and display QoS data
bridge API for managing ethernet bridge
firewall Control and display Firewall and NAT data
connection API for managing connections
inet_connection API for managing internet connections
wireless Wireless commands
misc API for HomeGateway miscellaneous tasks
firmware_update Firmware update commands
log Controls HomeGateway logging behavior
dev Device related commands
kernel Kernel related commands
system Commands to control HomeGateway execution
flash Flash and loader related commands
net Network related commands
leds Leds control commands
exit Exit from the current CLI session
help Show help for commands within this menu
Command Category vdsl - VDSL commands
status Get VDSL line status
BmeFirmVer Get BME Firmware versions
NeSnrAttn Get Near End SNR Margin and Attenuation
displayAllPmCounters Display All Performance Counters
displayUsInfos Display Far-end informations
exit Exit sub menu
help Show help for commands within this menu
Command Category upnp - UPnP commands
igd IGD commands
status Display UPnP status
exit Exit sub menu
help Show help for commands within this menu
Command Category qos - Control and display QoS data
utilization Connection utilization information
exit Exit sub menu
help Show help for commands within this menu
Command Category bridge - API for managing ethernet bridge
connection connect separate network interfaces to form one seamless LAN
config Configure bridge
info Print bridge information
exit Exit sub menu
help Show help for commands within this menu
Command Category firewall - Control and display Firewall and NAT data
restart Stop and start Firewall & NAT
start Start Firewall & NAT
stop Stop Firewall & NAT
filter Turn Firewall packet inspection on/off
mac_cache_dump Dump MAC cache data
dump Display Firewall data
variable Display variables of the firewall rules
trace Trace packet traversal via the Firewall ruleset
fastpath Turns firewall fastpath feature on/off (default is on)
set_tr69_rule Creates policy rules for TR69
exit Exit sub menu
help Show help for commands within this menu
Command Category connection - API for managing connections
pppoe Configure pppoe interface
l2tp_vpn Configure l2tpc interface
pptp_vpn Configure pptpc interface
pppoa Configure pppoa interface
vlan Configure vlan interface
exit Exit sub menu
help Show help for commands within this menu
Command Category inet_connection - API for managing internet connections
pppoe Configure pppoe internet connection
l2tp Configure l2tpc internet connection
pptp Configure pptpc internet connection
pppoa Configure pppoa internet connection
ether Configure ethernet internet connection
exit Exit sub menu
help Show help for commands within this menu
Command Category wireless - Wireless commands
captive Wireless captive commands
exit Exit sub menu
help Show help for commands within this menu
Command Category misc - API for HomeGateway miscellaneous tasks
pppos_start Start PPPoS connection
pppos_close Close PPPoS connection
print_ram print ram consumption for each process
vlan_add Add VLAN interface
top Profiling over event loop and estream
knet_hooks_dump Dump to console which knet_hooks run on each device
exit Exit sub menu
help Show help for commands within this menu
Command Category firmware_update - Firmware update commands
start Remotely upgrade HomeGateway
cancel Kill running remote upgrade
exit Exit sub menu
help Show help for commands within this menu
Command Category log - Controls HomeGateway logging behavior
filter Controls the CLI session logging behavior
exit Exit sub menu
help Show help for commands within this menu
Command Category dev - Device related commands
mii_reg_get Get Ethernet MII register value
mii_reg_set Set Ethernet MII register value
mii_phy_reg_get Get Ethernet MII register value
mii_phy_reg_set Set Ethernet MII register value
exit Exit sub menu
help Show help for commands within this menu
Command Category kernel - Kernel related commands
sys_ioctl issue openrg ioctl
meminfo Print memory information
top Print HomeGateway's processes memory usage
cpu_load_on Periodically shows cpu usage.
cpu_load_off Stop showing cpu usage (triggered by cpu_load_on).
cpu_load_avg Shows average cpu usage of last 1, 5 and 15 minutes.
exit Exit sub menu
help Show help for commands within this menu
Command Category system - Commands to control HomeGateway execution
die Exit from HomeGateway and return ret
ps Print HomeGateway's tasks
entity_close Close an entity
etask_list_dump Dump back trace of all etasks
restore_factory_settings Restore factory configuration
reboot Reboot the system
ver Display version information
print_config Print compilation configuration. Search for option
if specified
exec Execute program
cat Print file contents to console
shell Spawn busybox shell in foreground
date Print the current UTC and local time
echo Echo arguments to console
autoip_lan_mode Configure the lan interface using Auto-IP
igd_lan_mode Configure the lan interface for normal IGD use
exit Exit sub menu
help Show help for commands within this menu
Command Category flash - Flash and loader related commands
commit Save HomeGateway configuration to flash
erase Erase a given section in the flash
load Load and burn image
boot Boot the system
bset Configure bootloader
layout Print the flash layout and content
dump Dump the flash content
lock Lock mtd region
unlock Unlock mtd region
exit Exit sub menu
help Show help for commands within this menu
Command Category net - Network related commands
dns_route Dyncamic Routing according to DNS replies
igmp IGMP Proxy related commands
host Resolve host by name
ifconfig Configure network interface
ping Test network connectivity
rg_ifconfig List HomeGateway Network Devices
route Print route table
main_wan Print the name of the current main wan device
intercept_state Print interception state
exit Exit sub menu
help Show help for commands within this menu
Command Category leds - Leds control commands
led_power_set Set POWER led
led_wifi_set Set WIRELESS led
control_all_leds Set ALL led
led_secwifi_set Set WIRELESS SECURITY led
led_intnet_set Set INTENRET led
led_ftth_set Set FTTH led
led_dsl_set Set DSL led
led_tel1_set Set PHONE1 led
led_tel2_set Set PHONE2 led
led_rep1_set Set REPONDEUR1 led
led_rep2_set Set REPONDEUR2 led
led_usb1_set Set USB1 led
led_usb2_set Set USB2 led
relay_set Set RELAY
led_hpna_set Set HPNA led
exit Exit sub menu
help Show help for commands within this menu
Command Category cmd - Commands related to the Command module
exit Exit from the current CLI session
help Show help for commands within this menu
JC_ (Premium Member, join: 2010-10-19, Nepean, ON), 2012-Feb-22 10:11 pm
How'd you manage to get telnet enabled?
zacron (Premium Member, join: 2008-11-26, Frozen Hoth), 2012-Feb-22 10:12 pm
Yes, different port? Or via another protocol?
I am very interested.
Zacron
I found a way to download & replace the working config file. Basically, to get the current config you just go to » 192.168.2.1/save_rg_conf.cgi
To send a new config you have to send a POST to » 192.168.2.1/replace_rg_conf.cgi with the config in an input named "new_rg_conf". In the default config, Telnet does not have a port assigned. You'll see the following line:
(telnets(ports))
You'll want to replace that with something else to add a port; this is what I'm using:
(telnets
  (ports
    (0
      (port(23))
      (ssl_mode(none))
      (remote_access(0))
    )
  )
)
If you just make that change and replace the config, telnet will be enabled immediately. I wrote a quick app that will connect to the modem and download the config, re-write the telnet line if it's still set to default, and re-upload it. It won't touch anything else, so you can also use it to change other config options if you want, without having to send POSTs manually. It looks like the device won't take a malformed config file, so playing with it should be relatively harmless. I haven't done any extensive testing so your mileage may vary with this. Requires .NET 3.5: » dl.dropbox.com/u/6483447 ··· lnet.zip
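As an added example that is not part of the thread (it is not lawrenson's app, and not Sagemcom or Bell code), here is a small Python audit of the config format quoted in the post above. It parses the nested-parenthesis syntax inferred from the two fragments shown there, `(telnets(ports))` and the expanded block with `(port(23))`, `(ssl_mode(none))` and `(remote_access(0))`, and then reports whether a telnet listener is configured, on which port, whether `ssl_mode` leaves it in plaintext, and whether `remote_access` would expose it beyond the LAN. The function names, the `rg_conf` root node and the sample configs are assumptions constructed for this example; a real file is what `save_rg_conf.cgi` returns.

```python
# Added example: offline audit of the parenthesised config format quoted in
# the post above.  NOT lawrenson's .NET tool and not Sagemcom or Bell code.
# The syntax is inferred from the two fragments on the page; the "rg_conf"
# root node and the "wireless" subtree in the samples are constructed.
import re
from typing import Dict, List, Optional, Tuple

Node = Tuple[str, list]  # (key, [child Node, ...]); a bare value is a leaf key


def parse(text: str) -> List[Node]:
    """Parse `(key child child ...)` trees into a list of top-level nodes.

    Raises ValueError on unbalanced or misplaced parentheses, matching the
    poster's observation that the device rejects a malformed file.
    """
    tokens = re.findall(r"\(|\)|[^()\s]+", text)
    pos = 0

    def node() -> Node:
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != "(":
            raise ValueError(f"expected '(' at token {pos}")
        pos += 1
        if pos >= len(tokens) or tokens[pos] in ("(", ")"):
            raise ValueError(f"missing key at token {pos}")
        key = tokens[pos]
        pos += 1
        children: List[Node] = []
        while pos < len(tokens) and tokens[pos] != ")":
            children.append(node())
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses: missing ')'")
        pos += 1  # consume ')'
        return key, children

    nodes: List[Node] = []
    while pos < len(tokens):
        nodes.append(node())
    return nodes


def find_first(nodes: List[Node], key: str) -> Optional[List[Node]]:
    """Depth-first search for the first node named `key`; returns its children."""
    for k, children in nodes:
        if k == key:
            return children
        hit = find_first(children, key)
        if hit is not None:
            return hit
    return None


def leaf(children: Optional[List[Node]]) -> Optional[str]:
    """(port(23)) parses as ('port', [('23', [])]); return the '23'."""
    return children[0][0] if children else None


def telnet_exposure(config_text: str) -> Dict:
    """Report whether telnet listeners are configured and how they are exposed."""
    telnets = find_first(parse(config_text), "telnets")
    ports = find_first(telnets, "ports") if telnets else None
    listeners = []
    for _index, entry in ports or []:
        port = leaf(find_first(entry, "port"))
        ssl_mode = leaf(find_first(entry, "ssl_mode"))
        listeners.append({
            "port": int(port) if port else None,
            "ssl_mode": ssl_mode,
            # remote_access(1) would expose the listener on the WAN side
            "remote_access": leaf(find_first(entry, "remote_access")) == "1",
            # ssl_mode(none) means the admin password crosses the LAN in clear
            "plaintext": ssl_mode in (None, "none"),
        })
    return {"enabled": bool(listeners), "listeners": listeners}


def findings(config_text: str) -> List[str]:
    """Human-readable audit lines for a downloaded config."""
    report = telnet_exposure(config_text)
    if not report["enabled"]:
        return ["telnet: no port assigned (device default)"]
    lines = []
    for lst in report["listeners"]:
        scope = "LAN and WAN" if lst["remote_access"] else "LAN only"
        crypto = "plaintext" if lst["plaintext"] else f"ssl_mode={lst['ssl_mode']}"
        lines.append(f"telnet: port {lst['port']}, {scope}, {crypto}")
    return lines


# Constructed samples; a real file is what 192.168.2.1/save_rg_conf.cgi returns
DEFAULT_CONF = """
(rg_conf
  (telnets(ports))
  (wireless(enabled(1)))
)
"""

ENABLED_CONF = """
(rg_conf
  (telnets
    (ports
      (0
        (port(23))
        (ssl_mode(none))
        (remote_access(0))
      )
    )
  )
  (wireless(enabled(1)))
)
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("telnet enabled", ENABLED_CONF)):
        print(name, "->", findings(conf))
```

Run it over the file you download before and after any change: a listener with `ssl_mode(none)` carries the admin password in clear text on the LAN, and `remote_access(1)` is the setting to watch for on a device that faces the DSL side. The parser deliberately refuses unbalanced input rather than guessing, so a file it rejects is one to look at by hand before sending it to `replace_rg_conf.cgi`.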
HiVolt (Premium Member, join: 2000-12-28, Toronto, ON), 2012-Feb-23 8:54 am
Very nice. When there's a will, there's a way!
to zacron
Wow, easy as pie. Guess you owe this guy $100, zacron.
HiVolt (Premium Member, join: 2000-12-28, Toronto, ON), 2012-Feb-23 9:01 am
Wonder if firmware upload access can be re-enabled this way, or the firmware uploaded thru telnet.
Whoops, didn't see the line there:
"firmware_update Firmware update commands"
to lawrenson
Any chance of something similar for the cellpipe? Lots of us with non-functional cellpipes would love to be able to do something about it.
Eug (Member), 2012-Feb-23 9:36 am
There are still a couple of Bell Cellpipe 7130 units on Kijiji / Craigslist, and they are supposed to have the "TR-069 management interface for management and zero-touch configuration".
to Phibian
In » 192.168.2.1/menu.js:
/*if(menuItem=='CfgStore') {
    printMenuItem('util_cfgstore.html', 'Configuration Store', red, darkBlue);
}else{
    printMenuItem('util_cfgstore.html', 'Configuration Store', black, blue);
}
if(menuItem=='CfgRestore') {
    printMenuItem('util_cfgrestore.html', 'Configuration Restore', red, darkBlue);
}else{
    printMenuItem('util_cfgrestore.html', 'Configuration Restore', black, blue);
}
if(menuItem=='Webfirmware') {
    printMenuItem('util_webfirmware.html', 'Web Firmware Upload', red, darkBlue);
}else{
    printMenuItem('util_webfirmware.html', 'Web Firmware Upload', black, blue);
}
*/
Looks promising, although » 192.168.2.1/util_cfgstore.html 404s
JenSuisUn (Premium Member, join: 2006-02-23, Chatham, ON)
to zacron
We should start a similar thread for the Cellpipes
to zacron
I was able to pull up line stats, but it really looks like they tried to hide them. The vdsl commands in the normal CLI weren't returning anything for me. It looks like the GUI was supposed to have a page called index.cgi?page=dslStats but it was removed for whatever reason. Telnet in and drop into the shell ("system shell"). Run "vdsl". It will prompt for a console password; enter "superikanos". Enter 11 for extended port status:
cpe>11
cpe>
Extended Port Status
=================
Bme: 1 Port: 1
Downstream line rate: 29664 kbps
Upstream line rate: 9484 kbps
Bearer0 Downstream payload rate: 0 kbps
Bearer1 Downstream payload rate: 26936 kbps
Bearer0 Upstream payload rate: 0 kbps
Bearer1 Upstream payload rate: 8128 kbps
Downstream attainable payload rate: 67108 kbps
Downstream attainable line rate: 79064 kbps
Downstream Training Margin: 25.5 dB
Downstream Line Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream Line Protection (Bearer1 Path): 0.0 DMT Symbols
Near-end ITU Vendor Id: 0xb500494b4e530200
Far-end ITU Vendor Id: 0xb5004244434da194
Downstream delay: 0.0 ms
Upstream delay: 0.0 ms
Tx total power -9.0 dbm
FE Tx total power 14.0 dbm
VDSL Estimated Loop Length : 923 ft
G.Hs Estimated Near End Loop Length : 77 ft
G.Hs Estimated Far End Loop Length :0 ft
Current framing mode: 0x10 EFM
Bandplan Type...........: 2
No. of Upstream Bands...: 3
No. of Downstream Bands.: 2
Line Type: 0x04000000 VDSL2 Profile 17A
Downstream FFT Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream FFT Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream Line Attenuation: NA (Only for ADSL1 & T1.413)
Upstream SNR Margin: NA (Only for ADSL1 & T1413)
Upstream Retransmission status: Disabled
Downstream Retransmission status: Disabled
JC_ (Premium Member, join: 2010-10-19, Nepean, ON), 2012-Feb-23 1:46 pm
@lawrenson: very nice work for figuring out all of this.
--
Bme: 1 Port: 1
Downstream line rate: 29664 kbps
Upstream line rate: 9484 kbps
Bearer0 Downstream payload rate: 0 kbps
Bearer1 Downstream payload rate: 26936 kbps
Bearer0 Upstream payload rate: 0 kbps
Bearer1 Upstream payload rate: 8128 kbps
Downstream attainable payload rate: 80476 kbps
Downstream attainable line rate: 94648 kbps
Downstream Training Margin: 32.2 dB
Downstream Line Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream Line Protection (Bearer1 Path): 0.0 DMT Symbols
Near-end ITU Vendor Id: 0xb500494b4e530200
Far-end ITU Vendor Id: 0xb5004244434da194
Downstream delay: 0.0 ms
Upstream delay: 0.0 ms
Tx total power -9.5 dbm
FE Tx total power 14.2 dbm
VDSL Estimated Loop Length : 823 ft
G.Hs Estimated Near End Loop Length : 70 ft
G.Hs Estimated Far End Loop Length :0 ft
Current framing mode: 0x10 EFM
Bandplan Type...........: 2
No. of Upstream Bands...: 3
No. of Downstream Bands.: 2
Line Type: 0x04000000 VDSL2 Profile 17A
Downstream FFT Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream FFT Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream Line Attenuation: NA (Only for ADSL1 & T1.413)
Upstream SNR Margin: NA (Only for ADSL1 & T1413)
Upstream Retransmission status: Disabled
Downstream Retransmission status: Disabled
This is very interesting; Line Type: 0x04000000 VDSL2 Profile 17A