O Canada! > Canadian > TekSavvy > Firmware + Sagemcom Modem + Help

Firmware + Sagemcom Modem + Help

Not sure if this is remotely similar to your modem: »www.skyuser.co.uk/forum/technica···ter.html

Sky V3 Sagem F@ST 2504 router

reply to zacron
wonder if it has tftp open. I doubt it, and its all done with TR-69.
--
GO LEAFS GO!

reply to Ott_Cable
no, because there is no option for firmware upgrade, I have no idea what the links are.

I'[ve tried changing the url to things such as:

?page=update
?page=upgrade
?page=routerupgrade
--
If you don't want to lag, don't "bragg"

reply to HiVolt
It does but theres no way to play with it... it seems bhell has it locked to tftp located on vlan 23 (vpi 23/vci 1)

Zacron
--
If you don't want to lag, don't "bragg"

reply to zacron

Pic of main page

Firmware

reply to zacron

Re: Firmware + Sagemcom Modem + Help

tried ports;

88
8080
8098
8099
22
23
21
15
28
--
If you don't want to lag, don't "bragg"

I wonder if we can put up some bounty, for some hackers to have at it, and hack it so firmware can be replaced.
--
GO LEAFS GO!

100$ via paypal to the hacker who can sucessfully do this, more for receipted expenses... no tissue paper receipts will be accepted :P
--
If you don't want to lag, don't "bragg"

reply to zacron
If the firmware is a flash chip binary image it would be not difficult for someone to actually flash it with a programmer, and resolder the chip.

If its an upgrade image then ya gotta find the upgrade page, if it exists.
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca

reply to zacron
I spent a bunch of time looking into the options when trying to find a solution to the stupid cellpipe reboot issue.

It should be upgradeable via TR-069. You would need to setup a TR-069 server and get the device to access it. The trick there would be that the device will most likely only access the server over the dsl link so you would need a dsl "server" (not sure what the correct term is and too lazy to look it up right now). Some DSL modems can be used point to point (ie one modem connected to another modem). I'm not sure about the sagemcoms.

I believe that there is a free TR-069 server implementation available (it is basically just a web server). I also believe that you should be able to find the address that Bell is using for this so that you can fake it. I think it was actually mentioned recently in the cellpipe reboot thread. Otherwise check the logs on the modem to see if you can spot it there.

Does the sagemcom have a console port like the cellpipe does? It may have one but with no external connector (check the board for a header).

There was also a guy in the telus forum who updated the firmware on the telus version of the cellpipe (not quite the same as the bell one) who seemed to have some experience with this sort of thing.

If you can get any type of console access i.e. telnet, ssh or serial then you might be able to get enough access to upload from a TFTP server. I work with enterprise VoIP equipment where this is common but I'm not sure about DSL modems.

reply to zacron
Ok just read further, so TFTP on the DSL side.. Sounds like you need someone with a DSLAM to get at it.

reply to Phibian

They seem to use this method to update their modems. marknotmarc on the forums here reported his cellpipe being remotely updated so I would expect that the same applies to the sagemcoms. It seems to be the standard way of managing them nowadays. The catch of course is that you need to be on the DSL side to do it which is difficult for the average consumer...

reply to zacron
hmm, I have pulled it apart and there seems to be a correct pin header for a jtag device, I'm currently uploading some photos of the board and what not.

I am determined to "educate" myself on this device

Zacron
--
If you don't want to lag, don't "bragg"

reply to zacron
I've managed to enable Telnet access on the device. You start out with some basic commands but you can drop into a normal shell. I'll post instructions in a little bit

$ telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
Username: admin
Password: *****
 
HomeGateway> help all
 
Command Category pvc - PVC scan related commands
scan           Scan predefined vpi.vci to determine PPP protocol
scan_restart   Restart PVC scan
scan_status    Display PVC scan status
exit           Exit sub menu
help           Show help for commands within this menu
 
Command Category conf - Read and write HomeGateway configuration data
factory       Factory related commands
print         Print HomeGateway configuration
set           Set HomeGateway configuration path to value
set_obscure   Set HomeGateway configuration path to an obscured value
del           Delete subtree from HomeGateway configuration
ram_set       Set HomeGateway dynamic configuration
ram_print     Print HomeGateway dynamic configuration
reconf        Reconfigure the system according to the current HomeGateway
              configuration
exit          Exit sub menu
help          Show help for commands within this menu
 
Command Category FT commands - FT commands
save              Save configurating to flash
flash_chksum      Display all flash sections checksums
atm               atm
sndcp             sndcp
vdsl              VDSL commands
upnp              UPnP commands
qos               Control and display QoS data
bridge            API for managing ethernet bridge
firewall          Control and display Firewall and NAT data
connection        API for managing connections
inet_connection   API for managing internet connections
wireless          Wireless commands
misc              API for HomeGateway miscellaneous tasks
firmware_update   Firmware update commands
log               Controls HomeGateway logging behavior
dev               Device related commands
kernel            Kernel related commands
system            Commands to control HomeGateway execution
flash             Flash and loader related commands
net               Network related commands
leds              Leds control commands
exit              Exit from the current CLI session
help              Show help for commands within this menu
 
Command Category FT atm commands - FT atm commands
atm               atm
sndcp             sndcp
vdsl              VDSL commands
upnp              UPnP commands
qos               Control and display QoS data
bridge            API for managing ethernet bridge
firewall          Control and display Firewall and NAT data
connection        API for managing connections
inet_connection   API for managing internet connections
wireless          Wireless commands
misc              API for HomeGateway miscellaneous tasks
firmware_update   Firmware update commands
log               Controls HomeGateway logging behavior
dev               Device related commands
kernel            Kernel related commands
system            Commands to control HomeGateway execution
flash             Flash and loader related commands
net               Network related commands
leds              Leds control commands
exit              Exit from the current CLI session
help              Show help for commands within this menu
 
Command Category FT sndcp commands - FT sndcp commands
sndcp             sndcp
vdsl              VDSL commands
upnp              UPnP commands
qos               Control and display QoS data
bridge            API for managing ethernet bridge
firewall          Control and display Firewall and NAT data
connection        API for managing connections
inet_connection   API for managing internet connections
wireless          Wireless commands
misc              API for HomeGateway miscellaneous tasks
firmware_update   Firmware update commands
log               Controls HomeGateway logging behavior
dev               Device related commands
kernel            Kernel related commands
system            Commands to control HomeGateway execution
flash             Flash and loader related commands
net               Network related commands
leds              Leds control commands
exit              Exit from the current CLI session
help              Show help for commands within this menu
 
Command Category vdsl - VDSL commands
status                 Get VDSL line status
BmeFirmVer             Get BME Firmware versions
NeSnrAttn              Get Near End SNR Margin and Attenuation
displayAllPmCounters   Display All Performance Counters
displayUsInfos         Display Far-end informations
exit                   Exit sub menu
help                   Show help for commands within this menu
 
Command Category upnp - UPnP commands
igd      IGD commands
status   Display UPnP status
exit     Exit sub menu
help     Show help for commands within this menu
 
Command Category qos - Control and display QoS data
utilization   Connection utilization information
exit          Exit sub menu
help          Show help for commands within this menu
 
Command Category bridge - API for managing ethernet bridge
connection   connect separate network interfaces to form one seamless LAN
config       Configure bridge
info         Print bridge information
exit         Exit sub menu
help         Show help for commands within this menu
 
Command Category firewall - Control and display Firewall and NAT data
restart          Stop and start Firewall & NAT
start            Start Firewall & NAT
stop             Stop Firewall & NAT
filter           Turn Firewall packet inspection on/off
mac_cache_dump   Dump MAC cache data
dump             Display Firewall data
variable         Display variables of the firewall rules
trace            Trace packet traversal via the Firewall ruleset
fastpath         Turns firewall fastpath feature on/off (default is on)
set_tr69_rule    Creates policy rules for TR69
exit             Exit sub menu
help             Show help for commands within this menu
 
Command Category connection - API for managing connections
pppoe      Configure pppoe interface
l2tp_vpn   Configure l2tpc interface
pptp_vpn   Configure pptpc interface
pppoa      Configure pppoa interface
vlan       Configure vlan interface
exit       Exit sub menu
help       Show help for commands within this menu
 
Command Category inet_connection - API for managing internet connections
pppoe   Configure pppoe internet connection
l2tp    Configure l2tpc internet connection
pptp    Configure pptpc internet connection
pppoa   Configure pppoa internet connection
ether   Configure ethernet internet connection
exit    Exit sub menu
help    Show help for commands within this menu
 
Command Category wireless - Wireless commands
captive   Wireless captive commands
exit      Exit sub menu
help      Show help for commands within this menu
 
Command Category misc - API for HomeGateway miscellaneous tasks
pppos_start       Start PPPoS connection
pppos_close       Close PPPoS connection
print_ram         print ram consumption for each process
vlan_add          Add VLAN interface
top               Profiling over event loop and estream
knet_hooks_dump   Dump to console which knet_hooks run on each device
exit              Exit sub menu
help              Show help for commands within this menu
 
Command Category firmware_update - Firmware update commands
start    Remotely upgrade HomeGateway
cancel   Kill running remote upgrade
exit     Exit sub menu
help     Show help for commands within this menu
 
Command Category log - Controls HomeGateway logging behavior
filter   Controls the CLI session logging behavior
exit     Exit sub menu
help     Show help for commands within this menu
 
Command Category dev - Device related commands
mii_reg_get       Get Ethernet MII register value
mii_reg_set       Set Ethernet MII register value
mii_phy_reg_get   Get Ethernet MII register value
mii_phy_reg_set   Set Ethernet MII register value
exit              Exit sub menu
help              Show help for commands within this menu
 
Command Category kernel - Kernel related commands
sys_ioctl      issue openrg ioctl
meminfo        Print memory information
top            Print HomeGateway's processes memory usage
cpu_load_on    Periodically shows cpu usage.
cpu_load_off   Stop showing cpu usage (triggered by cpu_load_on).
cpu_load_avg   Shows average cpu usage of last 1, 5 and 15 minutes.
exit           Exit sub menu
help           Show help for commands within this menu
 
Command Category system - Commands to control HomeGateway execution
die                        Exit from HomeGateway and return ret
ps                         Print HomeGateway's tasks
entity_close               Close an entity
etask_list_dump            Dump back trace of all etasks
restore_factory_settings   Restore factory configuration
reboot                     Reboot the system
ver                        Display version information
print_config               Print compilation configuration. Search for option
                           if specified
exec                       Execute program
cat                        Print file contents to console
shell                      Spawn busybox shell in foreground
date                       Print the current UTC and local time
echo                       Echo arguments to console
autoip_lan_mode            Configure the lan interface using Auto-IP
igd_lan_mode               Configure the lan interface for normal IGD use
exit                       Exit sub menu
help                       Show help for commands within this menu
 
Command Category flash - Flash and loader related commands
commit   Save HomeGateway configuration to flash
erase    Erase a given section in the flash
load     Load and burn image
boot     Boot the system
bset     Configure bootloader
layout   Print the flash layout and content
dump     Dump the flash content
lock     Lock mtd region
unlock   Unlock mtd region
exit     Exit sub menu
help     Show help for commands within this menu
 
Command Category net - Network related commands
dns_route         Dyncamic Routing according to DNS replies
igmp              IGMP Proxy related commands
host              Resolve host by name
ifconfig          Configure network interface
ping              Test network connectivity
rg_ifconfig       List HomeGateway Network Devices
route             Print route table
main_wan          Print the name of the current main wan device
intercept_state   Print interception state
exit              Exit sub menu
help              Show help for commands within this menu
 
Command Category leds - Leds control commands
led_power_set      Set POWER led
led_wifi_set       Set WIRELESS led
control_all_leds   Set ALL led
led_secwifi_set    Set WIRELESS SECURITY led
led_intnet_set     Set INTENRET led
led_ftth_set       Set FTTH led
led_dsl_set        Set DSL led
led_tel1_set       Set PHONE1 led
led_tel2_set       Set PHONE2 led
led_rep1_set       Set REPONDEUR1 led
led_rep2_set       Set REPONDEUR2 led
led_usb1_set       Set USB1 led
led_usb2_set       Set USB2 led
relay_set          Set RELAY
led_hpna_set       Set HPNA led
exit               Exit sub menu
help               Show help for commands within this menu
 
Command Category cmd - Commands related to the Command module
exit   Exit from the current CLI session
help   Show help for commands within this menu
 

How'd you manage to get telnet enabled?

yes, different port? or via another protcol?

I am very interested.

Zacron
--
If you don't want to lag, don't "bragg"