

zacron
Premium
join:2008-11-26
canada

Firmware + Sagemcom Modem + Help

Hello All,

Bequested to me by a bell tech whom I will not name for his generosity to my curiosity, I have three brand new, un-opened sagemcom wireless n modems.

Now, I've managed to talk sagemcom into giving me firmware, I shall pass this on to whomever asks for it via pm only.

I REFUSE to post it online for various reasons.

Now, there aren't any menus in this modem which can help me to figure out how to load firmware onto this buggar.

Is there anyone who knows how to go about this?

Is there anyone willing to "hack" this modem? I will provide you with a device. (Relevant experience required)

Thank you,

Zacron

**THIS IS PURELY FOR EDUCATIONAL PURPOSES, I WANT TO SEE JUST HOW MUCH THIS DEVICE OFFERS**
--
If you don't want to lag, don't "bragg"


Ott_Cable

@teksavvy.com
Not sure if this is remotely similar to your modem: »www.skyuser.co.uk/forum/ ··· ter.html

Sky V3 Sagem F@ST 2504 router


HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:23
reply to zacron
wonder if it has tftp open. I doubt it, and it's all done with TR-69.
--
GO LEAFS GO!


zacron
Premium
join:2008-11-26
canada
reply to Ott_Cable
no, because there is no option for firmware upgrade, I have no idea what the links are.

I've tried changing the url to things such as:

?page=update
?page=upgrade
?page=routerupgrade
--
If you don't want to lag, don't "bragg"


zacron
Premium
join:2008-11-26
canada
reply to HiVolt
It does but there's no way to play with it... it seems bhell has it locked to tftp located on vlan 23 (vpi 23/vci 1)

Zacron
--
If you don't want to lag, don't "bragg"


zacron
Premium
join:2008-11-26
canada
reply to zacron

Pic of main page

Firmware


zacron
Premium
join:2008-11-26
canada
reply to zacron

Re: Firmware + Sagemcom Modem + Help

»192.168.2.1/upgrade.cgi

leads me to a "cannot display webpage" whereas everything else just leads to a 404 error... This is promising. I wonder what the url is?

lol
--
If you don't want to lag, don't "bragg"


zacron
Premium
join:2008-11-26
canada
tried ports;

88
8080
8098
8099
22
23
21
15
28
--
If you don't want to lag, don't "bragg"


HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:23
I wonder if we can put up some bounty, for some hackers to have at it, and hack it so firmware can be replaced.
--
GO LEAFS GO!


zacron
Premium
join:2008-11-26
canada
100$ via paypal to the hacker who can successfully do this, more for receipted expenses... no tissue paper receipts will be accepted :P
--
If you don't want to lag, don't "bragg"


Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2
reply to zacron
If the firmware is a flash chip binary image it would be not difficult for someone to actually flash it with a programmer, and resolder the chip.

If it's an upgrade image then ya gotta find the upgrade page, if it exists.
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca


Phibian

join:2009-06-01
Ottawa, ON
Reviews:
·TekSavvy DSL
reply to zacron
I spent a bunch of time looking into the options when trying to find a solution to the stupid cellpipe reboot issue.

It should be upgradeable via TR-069. You would need to set up a TR-069 server and get the device to access it. The trick there would be that the device will most likely only access the server over the dsl link so you would need a dsl "server" (not sure what the correct term is and too lazy to look it up right now). Some DSL modems can be used point to point (ie one modem connected to another modem). I'm not sure about the sagemcoms.

I believe that there is a free TR-069 server implementation available (it is basically just a web server). I also believe that you should be able to find the address that Bell is using for this so that you can fake it. I think it was actually mentioned recently in the cellpipe reboot thread. Otherwise check the logs on the modem to see if you can spot it there.

Does the sagemcom have a console port like the cellpipe does? It may have one but with no external connector (check the board for a header).

There was also a guy in the telus forum who updated the firmware on the telus version of the cellpipe (not quite the same as the bell one) who seemed to have some experience with this sort of thing.


mlerner
Premium
join:2000-11-25
Nepean, ON
kudos:5
If you can get any type of console access i.e. telnet, ssh or serial then you might be able to get enough access to upload from a TFTP server. I work with enterprise VoIP equipment where this is common but I'm not sure about DSL modems.


mlerner
Premium
join:2000-11-25
Nepean, ON
kudos:5
reply to zacron
Ok just read further, so TFTP on the DSL side.. Sounds like you need someone with a DSLAM to get at it.


mlerner
Premium
join:2000-11-25
Nepean, ON
kudos:5
reply to Phibian
said by Phibian:

It should be upgradeable via TR-069

Considering how locked down the Bell firmware is, they may have closed the option to any type of TR-069 on the LAN side.


Phibian

join:2009-06-01
Ottawa, ON
Reviews:
·TekSavvy DSL
They seem to use this method to update their modems. marknotmarc on the forums here reported his cellpipe being remotely updated so I would expect that the same applies to the sagemcoms. It seems to be the standard way of managing them nowadays. The catch of course is that you need to be on the DSL side to do it which is difficult for the average consumer...


zacron
Premium
join:2008-11-26
canada
reply to zacron
hmm, I have pulled it apart and there seems to be a correct pin header for a jtag device, I'm currently uploading some photos of the board and what not.

I am determined to "educate" myself on this device

Zacron
--
If you don't want to lag, don't "bragg"

lawrenson

join:2012-02-22
reply to zacron
I've managed to enable Telnet access on the device. You start out with some basic commands but you can drop into a normal shell. I'll post instructions in a little bit



JCohen
Premium
join:2010-10-19
Nepean, ON
kudos:13
How'd you manage to get telnet enabled?


zacron
Premium
join:2008-11-26
canada
yes, different port? or via another protocol?

I am very interested.

Zacron
--
If you don't want to lag, don't "bragg"

lawrenson

join:2012-02-22


I found a way to download & replace the working config file.

Basically to get the current config you just go to »192.168.2.1/save_rg_conf.cgi
To send a new config you have to send a POST to »192.168.2.1/replace_rg_conf.cgi with the config in an input named "new_rg_conf"

In the default config, Telnet does not have a port assigned. You'll see the following line:

You'll want to replace that with something else to add a port, this is what I'm using:

If you just make that change and replace the config, telnet will be enabled immediately.

I wrote a quick app that will connect to the modem and download the config, re-write the telnet line if it's still set to default, and re-upload it. It won't touch anything else so you can also use it to change other config options if you want, without having to send POSTs manually.
It looks like the device won't take a malformed config file so playing with it should be relatively harmless.

I haven't done any extensive testing so your mileage may vary with this, requires .NET 3.5:
http://dl.dropbox.com/u/6483447/Bell/Telnet.zip


HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:23
Very nice.

When there's a will, there's a way!
--
GO LEAFS GO!


mlerner
Premium
join:2000-11-25
Nepean, ON
kudos:5
reply to zacron
Wow easy as pie. Guess you owe this guy $100, zacron.


HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:23
Wonder if firmware upload access can be re-enabled this way, or the firmware uploaded thru telnet.

whoops, didn't see the line there

"firmware_update Firmware update commands"
--
GO LEAFS GO!


Phibian

join:2009-06-01
Ottawa, ON
reply to lawrenson
Any chance of something similar for the cellpipe? Lots of us with non-functional cellpipes would love to be able to do something about it.

Eug

join:2007-04-14
Canada
There are still a couple of Bell Cellpipe 7130 units on Kijiji / Craigslist, and they are supposed to have the "TR-069 management interface for management and zero-touch configuration".
--
Everything Apple


derekm

join:2008-02-26
kudos:1
reply to Phibian
In »192.168.2.1/menu.js:


/*if(menuItem=='CfgStore')
{
printMenuItem('util_cfgstore.html', 'Configuration Store', red, darkBlue);
}else{
printMenuItem('util_cfgstore.html', 'Configuration Store', black, blue);
}
if(menuItem=='CfgRestore')
{
printMenuItem('util_cfgrestore.html', 'Configuration Restore', red, darkBlue);
}else{
printMenuItem('util_cfgrestore.html', 'Configuration Restore', black, blue);
}
if(menuItem=='Webfirmware')
{
printMenuItem('util_webfirmware.html', 'Web Firmware Upload', red, darkBlue);
}else{
printMenuItem('util_webfirmware.html', 'Web Firmware Upload', black, blue);
}
*/


Looks promising - although »192.168.2.1/util_cfgstore.html 404s
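
Added example (not part of derekm's post and not code from the modem): a check a firmware reviewer could run over a web UI script such as menu.js to list pages referenced only from commented-out printMenuItem() calls, so each one can be confirmed as removed on the device as well as hidden in the menu. The sample script is constructed, and 'status.html' in it is a made-up live entry.

```javascript
// Added example: report menu pages that appear only inside commented-out code.
// SAMPLE_MENU_JS is constructed for illustration; 'status.html' is a made-up
// live entry, the other two entries mirror the calls quoted in the thread.
const SAMPLE_MENU_JS = `
if(menuItem=='Status')
{
printMenuItem('status.html', 'Status', red, darkBlue);
}
/*if(menuItem=='Webfirmware')
{
printMenuItem('util_webfirmware.html', 'Web Firmware Upload', red, darkBlue);
}else{
printMenuItem('util_webfirmware.html', 'Web Firmware Upload', black, blue);
}
*/
// printMenuItem('util_cfgstore.html', 'Configuration Store', black, blue);
`;

// First two string arguments of printMenuItem(): target page and menu label.
const CALL_RE = /printMenuItem\(\s*'([^']+)'\s*,\s*'([^']+)'/g;
// Block and line comments. Naive: a "//" inside a string literal (a URL, say)
// would be misread as a comment, so treat the output as review leads.
const COMMENT_RE = /\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;

function menuTargets(text) {
  const targets = new Map();
  for (const m of text.matchAll(CALL_RE)) targets.set(m[1], m[2]);
  return targets;
}

function disabledMenuPages(source) {
  const commented = (source.match(COMMENT_RE) || []).join('\n');
  const live = menuTargets(source.replace(COMMENT_RE, ''));
  const report = [];
  for (const [page, label] of menuTargets(commented)) {
    // Pages still linked from live code are not "disabled"; skip them.
    if (!live.has(page)) report.push({ page, label });
  }
  return report;
}

console.log(disabledMenuPages(SAMPLE_MENU_JS));
```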


Old Martin
Premium
join:2006-02-23
kudos:33
reply to zacron
We should start a similar thread for the Cellpipes

lawrenson

join:2012-02-22
reply to zacron
I was able to pull up line stats, but it really looks like they tried to hide them. The vdsl commands in the normal CLI weren't returning anything for me. It looks like the GUI was supposed to have a page called index.cgi?page=dslStats but it was removed for whatever reason.

Telnet in and drop into the shell ("system shell"):

Run "vdsl"
It will prompt for a console password, enter "superikanos"
Enter 11 for extended port status:



JCohen
Premium
join:2010-10-19
Nepean, ON
kudos:13
Reviews:
·Start Communicat..
·TekSavvy Cable
·Rogers Hi-Speed
@lawrenson; very nice work for figuring out all of this.

--


This is very interesting; Line Type: 0x04000000 VDSL2 Profile 17A