
zacron
Premium
join:2008-11-26
canada

Firmware + Sagemcom Modem + Help

Hello All,

Bequeathed to me by a Bell tech whom I will not name for his generosity to my curiosity, I have three brand new, unopened Sagemcom wireless N modems.

Now, I've managed to talk sagemcom into giving me firmware, I shall pass this on to whomever asks for it via pm only.

I REFUSE to post it online for various reasons.

Now, there aren't any menus in this modem which can help me to figure out how to load firmware onto this bugger.

Is there anyone who knows how to go about this?

Is there anyone willing to "hack" this modem? I will provide you with a device. (Relevant experience required)

Thank you,

Zacron

**THIS IS PURELY FOR EDUCATIONAL PURPOSES, I WANT TO SEE JUST HOW MUCH THIS DEVICE OFFERS**
--
If you don't want to lag, don't "bragg"



Ott_Cable

@teksavvy.com

Not sure if this is remotely similar to your modem: »www.skyuser.co.uk/forum/technica···ter.html

Sky V3 Sagem F@ST 2504 router



HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:21
reply to zacron

wonder if it has tftp open. I doubt it, and it's all done with TR-69.
--
GO LEAFS GO!



zacron
Premium
join:2008-11-26
canada
reply to Ott_Cable

no, because there is no option for firmware upgrade, I have no idea what the links are.

I've tried changing the url to things such as:

?page=update
?page=upgrade
?page=routerupgrade
--
If you don't want to lag, don't "bragg"



zacron
Premium
join:2008-11-26
canada
reply to HiVolt

It does but there's no way to play with it... it seems bhell has it locked to tftp located on vlan 23 (vpi 23/vci 1)

Zacron
--
If you don't want to lag, don't "bragg"



zacron
Premium
join:2008-11-26
canada
reply to zacron

Pic of main page

Firmware


zacron
Premium
join:2008-11-26
canada
reply to zacron


»192.168.2.1/upgrade.cgi

leads me to a "cannot display webpage" whereas everything else just leads to a 404 error... This is promising. I wonder what the url is?

lol
--
If you don't want to lag, don't "bragg"



zacron
Premium
join:2008-11-26
canada

tried ports;

88
8080
8098
8099
22
23
21
15
28
--
If you don't want to lag, don't "bragg"



HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:21

I wonder if we can put up some bounty, for some hackers to have at it, and hack it so firmware can be replaced.
--
GO LEAFS GO!



zacron
Premium
join:2008-11-26
canada

100$ via paypal to the hacker who can successfully do this, more for receipted expenses... no tissue paper receipts will be accepted :P
--
If you don't want to lag, don't "bragg"



Inssomniak
The Glitch
Premium
join:2005-04-06
Cayuga, ON
kudos:2
reply to zacron

If the firmware is a flash chip binary image it would be not difficult for someone to actually flash it with a programmer, and resolder the chip.

If it's an upgrade image then ya gotta find the upgrade page, if it exists.
--
OptionsDSL Wireless Internet
»www.optionsdsl.ca



Phibian

join:2009-06-01
Ottawa, ON
Reviews:
·TekSavvy DSL
reply to zacron

I spent a bunch of time looking into the options when trying to find a solution to the stupid cellpipe reboot issue.

It should be upgradeable via TR-069. You would need to set up a TR-069 server and get the device to access it. The trick there would be that the device will most likely only access the server over the dsl link so you would need a dsl "server" (not sure what the correct term is and too lazy to look it up right now). Some DSL modems can be used point to point (ie one modem connected to another modem). I'm not sure about the sagemcoms.

I believe that there is a free TR-069 server implementation available (it is basically just a web server). I also believe that you should be able to find the address that Bell is using for this so that you can fake it. I think it was actually mentioned recently in the cellpipe reboot thread. Otherwise check the logs on the modem to see if you can spot it there.

Does the sagemcom have a console port like the cellpipe does? It may have one but with no external connector (check the board for a header).

There was also a guy in the telus forum who updated the firmware on the telus version of the cellpipe (not quite the same as the bell one) who seemed to have some experience with this sort of thing.



mlerner
Premium
join:2000-11-25
Nepean, ON
kudos:5

If you can get any type of console access i.e. telnet, ssh or serial then you might be able to get enough access to upload from a TFTP server. I work with enterprise VoIP equipment where this is common but I'm not sure about DSL modems.



mlerner
Premium
join:2000-11-25
Nepean, ON
kudos:5
reply to zacron

Ok just read further, so TFTP on the DSL side.. Sounds like you need someone with a DSLAM to get at it.



mlerner
Premium
join:2000-11-25
Nepean, ON
kudos:5
reply to Phibian

said by Phibian:

It should be upgradeable via TR-069

Considering how locked down the Bell firmware is, they may have closed the option to any type of TR-069 on the LAN side.


Phibian

join:2009-06-01
Ottawa, ON
Reviews:
·TekSavvy DSL

They seem to use this method to update their modems. marknotmarc on the forums here reported his cellpipe being remotely updated so I would expect that the same applies to the sagemcoms. It seems to be the standard way of managing them nowadays. The catch of course is that you need to be on the DSL side to do it which is difficult for the average consumer...



zacron
Premium
join:2008-11-26
canada
reply to zacron

hmm, I have pulled it apart and there seems to be a correct pin header for a jtag device, I'm currently uploading some photos of the board and what not.

I am determined to "educate" myself on this device

Zacron
--
If you don't want to lag, don't "bragg"


lawrenson

join:2012-02-22
reply to zacron

I've managed to enable Telnet access on the device. You start out with some basic commands but you can drop into a normal shell. I'll post instructions in a little bit

$ telnet 192.168.2.1
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
Username: admin
Password: *****
 
HomeGateway> help all
 
Command Category pvc - PVC scan related commands
scan           Scan predefined vpi.vci to determine PPP protocol
scan_restart   Restart PVC scan
scan_status    Display PVC scan status
exit           Exit sub menu
help           Show help for commands within this menu
 
Command Category conf - Read and write HomeGateway configuration data
factory       Factory related commands
print         Print HomeGateway configuration
set           Set HomeGateway configuration path to value
set_obscure   Set HomeGateway configuration path to an obscured value
del           Delete subtree from HomeGateway configuration
ram_set       Set HomeGateway dynamic configuration
ram_print     Print HomeGateway dynamic configuration
reconf        Reconfigure the system according to the current HomeGateway
              configuration
exit          Exit sub menu
help          Show help for commands within this menu
 
Command Category FT commands - FT commands
save              Save configurating to flash
flash_chksum      Display all flash sections checksums
atm               atm
sndcp             sndcp
vdsl              VDSL commands
upnp              UPnP commands
qos               Control and display QoS data
bridge            API for managing ethernet bridge
firewall          Control and display Firewall and NAT data
connection        API for managing connections
inet_connection   API for managing internet connections
wireless          Wireless commands
misc              API for HomeGateway miscellaneous tasks
firmware_update   Firmware update commands
log               Controls HomeGateway logging behavior
dev               Device related commands
kernel            Kernel related commands
system            Commands to control HomeGateway execution
flash             Flash and loader related commands
net               Network related commands
leds              Leds control commands
exit              Exit from the current CLI session
help              Show help for commands within this menu
 
Command Category FT atm commands - FT atm commands
atm               atm
sndcp             sndcp
vdsl              VDSL commands
upnp              UPnP commands
qos               Control and display QoS data
bridge            API for managing ethernet bridge
firewall          Control and display Firewall and NAT data
connection        API for managing connections
inet_connection   API for managing internet connections
wireless          Wireless commands
misc              API for HomeGateway miscellaneous tasks
firmware_update   Firmware update commands
log               Controls HomeGateway logging behavior
dev               Device related commands
kernel            Kernel related commands
system            Commands to control HomeGateway execution
flash             Flash and loader related commands
net               Network related commands
leds              Leds control commands
exit              Exit from the current CLI session
help              Show help for commands within this menu
 
Command Category FT sndcp commands - FT sndcp commands
sndcp             sndcp
vdsl              VDSL commands
upnp              UPnP commands
qos               Control and display QoS data
bridge            API for managing ethernet bridge
firewall          Control and display Firewall and NAT data
connection        API for managing connections
inet_connection   API for managing internet connections
wireless          Wireless commands
misc              API for HomeGateway miscellaneous tasks
firmware_update   Firmware update commands
log               Controls HomeGateway logging behavior
dev               Device related commands
kernel            Kernel related commands
system            Commands to control HomeGateway execution
flash             Flash and loader related commands
net               Network related commands
leds              Leds control commands
exit              Exit from the current CLI session
help              Show help for commands within this menu
 
Command Category vdsl - VDSL commands
status                 Get VDSL line status
BmeFirmVer             Get BME Firmware versions
NeSnrAttn              Get Near End SNR Margin and Attenuation
displayAllPmCounters   Display All Performance Counters
displayUsInfos         Display Far-end informations
exit                   Exit sub menu
help                   Show help for commands within this menu
 
Command Category upnp - UPnP commands
igd      IGD commands
status   Display UPnP status
exit     Exit sub menu
help     Show help for commands within this menu
 
Command Category qos - Control and display QoS data
utilization   Connection utilization information
exit          Exit sub menu
help          Show help for commands within this menu
 
Command Category bridge - API for managing ethernet bridge
connection   connect separate network interfaces to form one seamless LAN
config       Configure bridge
info         Print bridge information
exit         Exit sub menu
help         Show help for commands within this menu
 
Command Category firewall - Control and display Firewall and NAT data
restart          Stop and start Firewall & NAT
start            Start Firewall & NAT
stop             Stop Firewall & NAT
filter           Turn Firewall packet inspection on/off
mac_cache_dump   Dump MAC cache data
dump             Display Firewall data
variable         Display variables of the firewall rules
trace            Trace packet traversal via the Firewall ruleset
fastpath         Turns firewall fastpath feature on/off (default is on)
set_tr69_rule    Creates policy rules for TR69
exit             Exit sub menu
help             Show help for commands within this menu
 
Command Category connection - API for managing connections
pppoe      Configure pppoe interface
l2tp_vpn   Configure l2tpc interface
pptp_vpn   Configure pptpc interface
pppoa      Configure pppoa interface
vlan       Configure vlan interface
exit       Exit sub menu
help       Show help for commands within this menu
 
Command Category inet_connection - API for managing internet connections
pppoe   Configure pppoe internet connection
l2tp    Configure l2tpc internet connection
pptp    Configure pptpc internet connection
pppoa   Configure pppoa internet connection
ether   Configure ethernet internet connection
exit    Exit sub menu
help    Show help for commands within this menu
 
Command Category wireless - Wireless commands
captive   Wireless captive commands
exit      Exit sub menu
help      Show help for commands within this menu
 
Command Category misc - API for HomeGateway miscellaneous tasks
pppos_start       Start PPPoS connection
pppos_close       Close PPPoS connection
print_ram         print ram consumption for each process
vlan_add          Add VLAN interface
top               Profiling over event loop and estream
knet_hooks_dump   Dump to console which knet_hooks run on each device
exit              Exit sub menu
help              Show help for commands within this menu
 
Command Category firmware_update - Firmware update commands
start    Remotely upgrade HomeGateway
cancel   Kill running remote upgrade
exit     Exit sub menu
help     Show help for commands within this menu
 
Command Category log - Controls HomeGateway logging behavior
filter   Controls the CLI session logging behavior
exit     Exit sub menu
help     Show help for commands within this menu
 
Command Category dev - Device related commands
mii_reg_get       Get Ethernet MII register value
mii_reg_set       Set Ethernet MII register value
mii_phy_reg_get   Get Ethernet MII register value
mii_phy_reg_set   Set Ethernet MII register value
exit              Exit sub menu
help              Show help for commands within this menu
 
Command Category kernel - Kernel related commands
sys_ioctl      issue openrg ioctl
meminfo        Print memory information
top            Print HomeGateway's processes memory usage
cpu_load_on    Periodically shows cpu usage.
cpu_load_off   Stop showing cpu usage (triggered by cpu_load_on).
cpu_load_avg   Shows average cpu usage of last 1, 5 and 15 minutes.
exit           Exit sub menu
help           Show help for commands within this menu
 
Command Category system - Commands to control HomeGateway execution
die                        Exit from HomeGateway and return ret
ps                         Print HomeGateway's tasks
entity_close               Close an entity
etask_list_dump            Dump back trace of all etasks
restore_factory_settings   Restore factory configuration
reboot                     Reboot the system
ver                        Display version information
print_config               Print compilation configuration. Search for option
                           if specified
exec                       Execute program
cat                        Print file contents to console
shell                      Spawn busybox shell in foreground
date                       Print the current UTC and local time
echo                       Echo arguments to console
autoip_lan_mode            Configure the lan interface using Auto-IP
igd_lan_mode               Configure the lan interface for normal IGD use
exit                       Exit sub menu
help                       Show help for commands within this menu
 
Command Category flash - Flash and loader related commands
commit   Save HomeGateway configuration to flash
erase    Erase a given section in the flash
load     Load and burn image
boot     Boot the system
bset     Configure bootloader
layout   Print the flash layout and content
dump     Dump the flash content
lock     Lock mtd region
unlock   Unlock mtd region
exit     Exit sub menu
help     Show help for commands within this menu
 
Command Category net - Network related commands
dns_route         Dyncamic Routing according to DNS replies
igmp              IGMP Proxy related commands
host              Resolve host by name
ifconfig          Configure network interface
ping              Test network connectivity
rg_ifconfig       List HomeGateway Network Devices
route             Print route table
main_wan          Print the name of the current main wan device
intercept_state   Print interception state
exit              Exit sub menu
help              Show help for commands within this menu
 
Command Category leds - Leds control commands
led_power_set      Set POWER led
led_wifi_set       Set WIRELESS led
control_all_leds   Set ALL led
led_secwifi_set    Set WIRELESS SECURITY led
led_intnet_set     Set INTENRET led
led_ftth_set       Set FTTH led
led_dsl_set        Set DSL led
led_tel1_set       Set PHONE1 led
led_tel2_set       Set PHONE2 led
led_rep1_set       Set REPONDEUR1 led
led_rep2_set       Set REPONDEUR2 led
led_usb1_set       Set USB1 led
led_usb2_set       Set USB2 led
relay_set          Set RELAY
led_hpna_set       Set HPNA led
exit               Exit sub menu
help               Show help for commands within this menu
 
Command Category cmd - Commands related to the Command module
exit   Exit from the current CLI session
help   Show help for commands within this menu
 


JCohen
Premium
join:2010-10-19
Nepean, ON
kudos:9

How'd you manage to get telnet enabled?



zacron
Premium
join:2008-11-26
canada

yes, different port? or via another protocol?

I am very interested.

Zacron
--
If you don't want to lag, don't "bragg"


lawrenson

join:2012-02-22

2 recommendations

I found a way to download & replace the working config file.

Basically to get the current config you just go to »192.168.2.1/save_rg_conf.cgi
To send a new config you have to send a POST to »192.168.2.1/replace_rg_conf.cgi with the config in an input named "new_rg_conf"

In the default config, Telnet does not have a port assigned. You'll see the following line:

(telnets(ports))
 

You'll want to replace that with something else to add a port, this is what I'm using:

    (telnets
      (ports
        (0
          (port(23))
          (ssl_mode(none))
          (remote_access(0))
        )
      )
    )
 

If you just make that change and replace the config, telnet will be enabled immediately.

I wrote a quick app that will connect to the modem and download the config, re-write the telnet line if it's still set to default, and re-upload it. It won't touch anything else so you can also use it to change other config options if you want, without having to send POSTs manually.
It looks like the device won't take a malformed config file so playing with it should be relatively harmless.

I haven't done any extensive testing so your mileage may vary with this, requires .NET 3.5:
»dl.dropbox.com/u/6483447/Bell/Telnet.zip
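
An added example, not part of the post above and not the poster's app: a small Python parser for the parenthesised config syntax quoted in the post, used to audit a saved config for telnet listeners. It assumes only the syntax visible in the post (nested parentheses, bare words with no whitespace or escaped parentheses); the wrapper name `example_parent`, the sample configs and the `cleartext` interpretation of `ssl_mode(none)` are constructed for illustration.

```python
# Added example: audit a saved gateway config for telnet listeners.
# Assumption: only the syntax visible in the post is handled, i.e. nested
# parentheses and bare words without whitespace or escaped parentheses.

def tokenize(text):
    """Yield '(', ')' and bare-word tokens."""
    word = []
    for ch in text:
        if ch in "()" or ch.isspace():
            if word:
                yield "".join(word)
                word = []
            if ch in "()":
                yield ch
        else:
            word.append(ch)
    if word:
        yield "".join(word)

def parse(text):
    """Return the top-level nodes; raise ValueError on malformed nesting."""
    root = {"name": None, "children": []}
    stack = [root]
    for tok in tokenize(text):
        if tok == "(":
            node = {"name": None, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack.pop()
        else:
            top = stack[-1]
            # A bare word is only valid as the first item of a group.
            if top is root or top["name"] is not None or top["children"]:
                raise ValueError(f"unexpected token {tok!r}")
            top["name"] = tok
    if len(stack) != 1:
        raise ValueError("unclosed '('")
    return root["children"]

def find(nodes, name):
    """Depth-first search for every node called `name`."""
    for node in nodes:
        if node["name"] == name:
            yield node
        yield from find(node["children"], name)

def leaf(entry, key):
    """(port(23)) under `entry` -> '23'; None when key or value is absent."""
    for c in entry["children"]:
        if c["name"] == key and c["children"]:
            return c["children"][0]["name"]
    return None

def audit_telnet(config_text):
    """Return one finding per telnet listener entry defined in the config."""
    findings = []
    for telnets in find(parse(config_text), "telnets"):
        for ports in (c for c in telnets["children"] if c["name"] == "ports"):
            for entry in ports["children"]:
                ssl_mode = leaf(entry, "ssl_mode")
                findings.append({"index": entry["name"],
                                 "port": leaf(entry, "port"),
                                 "ssl_mode": ssl_mode,
                                 "remote_access": leaf(entry, "remote_access"),
                                 # Interpretation: no TLS mode means cleartext.
                                 "cleartext": ssl_mode in (None, "none")})
    return findings

# Constructed samples: the default line and the modified block from the post.
DEFAULT_CONF = "(example_parent (telnets(ports)))"
ENABLED_CONF = """(example_parent (telnets (ports (0
    (port(23)) (ssl_mode(none)) (remote_access(0))))))"""

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("enabled", ENABLED_CONF)):
        print(label, audit_telnet(conf) or "no telnet listener configured")
```
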


HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:21

Very nice.

When there's a will, there's a way!
--
GO LEAFS GO!



mlerner
Premium
join:2000-11-25
Nepean, ON
kudos:5
reply to zacron

Wow easy as pie. Guess you owe this guy $100, zacron.



HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:21

Wonder if firmware upload access can be re-enabled this way, or the firmware uploaded thru telnet.

whoops, didn't see the line there

"firmware_update Firmware update commands"
--
GO LEAFS GO!



Phibian

join:2009-06-01
Ottawa, ON
reply to lawrenson

Any chance of something similar for the cellpipe? Lots of us with non-functional cellpipes would love to be able to do something about it.


Eug

join:2007-04-14
Canada

There are still a couple of Bell Cellpipe 7130 units on Kijiji / Craigslist, and they are supposed to have the "TR-069 management interface for management and zero-touch configuration".
--
Everything Apple



derekm

join:2008-02-26
kudos:1
reply to Phibian

In »192.168.2.1/menu.js:


/*if(menuItem=='CfgStore')
{
printMenuItem('util_cfgstore.html', 'Configuration Store', red, darkBlue);
}else{
printMenuItem('util_cfgstore.html', 'Configuration Store', black, blue);
}
if(menuItem=='CfgRestore')
{
printMenuItem('util_cfgrestore.html', 'Configuration Restore', red, darkBlue);
}else{
printMenuItem('util_cfgrestore.html', 'Configuration Restore', black, blue);
}
if(menuItem=='Webfirmware')
{
printMenuItem('util_webfirmware.html', 'Web Firmware Upload', red, darkBlue);
}else{
printMenuItem('util_webfirmware.html', 'Web Firmware Upload', black, blue);
}
*/


Looks promising - although »192.168.2.1/util_cfgstore.html 404s



TSI Martin
Premium
join:2006-02-23
Chatham, ON
kudos:33
reply to zacron

We should start a similar thread for the Cellpipes


lawrenson

join:2012-02-22
reply to zacron

I was able to pull up line stats, but it really looks like they tried to hide them. The vdsl commands in the normal CLI weren't returning anything for me. It looks like the GUI was supposed to have a page called index.cgi?page=dslStats but it was removed for whatever reason.

Telnet in and drop into the shell ("system shell"):

Run "vdsl"
It will prompt for a console password, enter "superikanos"
Enter 11 for extended port status:

cpe>11
 
cpe>
Extended Port Status
=================
Bme: 1 Port: 1
Downstream line rate: 29664 kbps
Upstream line rate: 9484 kbps
Bearer0 Downstream payload rate: 0 kbps
Bearer1 Downstream payload rate: 26936 kbps
Bearer0 Upstream payload rate: 0 kbps
Bearer1 Upstream payload rate: 8128 kbps
Downstream attainable payload rate: 67108 kbps
Downstream attainable line rate: 79064 kbps
Downstream Training Margin: 25.5 dB
Downstream Line Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream Line Protection (Bearer1 Path): 0.0 DMT Symbols
Near-end ITU Vendor Id: 0xb500494b4e530200
Far-end ITU Vendor Id: 0xb5004244434da194
Downstream delay: 0.0 ms
Upstream delay: 0.0 ms
Tx total power -9.0 dbm
FE Tx total power 14.0 dbm
VDSL Estimated Loop Length : 923 ft
G.Hs Estimated Near End Loop Length : 77 ft
G.Hs Estimated Far End Loop Length :0 ft
Current framing mode: 0x10 EFM
Bandplan Type...........: 2
No. of Upstream Bands...: 3
No. of Downstream Bands.: 2
Line Type: 0x04000000 VDSL2 Profile 17A
Downstream FFT Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream FFT Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream Line Attenuation: NA (Only for ADSL1 & T1.413)
Upstream SNR Margin: NA (Only for ADSL1 & T1413)
Upstream Retransmission status: Disabled
Downstream Retransmission status: Disabled
 


JCohen
Premium
join:2010-10-19
Nepean, ON
kudos:9
Reviews:
·Start Communicat..
·TekSavvy Cable
·Rogers Hi-Speed

@lawrenson; very nice work for figuring out all of this.

--

Bme: 1 Port: 1
Downstream line rate: 29664 kbps
Upstream line rate: 9484 kbps
Bearer0 Downstream payload rate: 0 kbps
Bearer1 Downstream payload rate: 26936 kbps
Bearer0 Upstream payload rate: 0 kbps
Bearer1 Upstream payload rate: 8128 kbps
Downstream attainable payload rate: 80476 kbps
Downstream attainable line rate: 94648 kbps
Downstream Training Margin: 32.2 dB
Downstream Line Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream Line Protection (Bearer1 Path): 0.0 DMT Symbols
Near-end ITU Vendor Id: 0xb500494b4e530200
Far-end ITU Vendor Id: 0xb5004244434da194
Downstream delay: 0.0 ms
Upstream delay: 0.0 ms
Tx total power -9.5 dbm
FE Tx total power 14.2 dbm
VDSL Estimated Loop Length : 823 ft
G.Hs Estimated Near End Loop Length : 70 ft
G.Hs Estimated Far End Loop Length :0 ft
Current framing mode: 0x10 EFM
Bandplan Type...........: 2
No. of Upstream Bands...: 3
No. of Downstream Bands.: 2
Line Type: 0x04000000 VDSL2 Profile 17A
Downstream FFT Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream FFT Protection (Bearer1 Path): 0.0 DMT Symbols
Upstream Line Attenuation: NA (Only for ADSL1 & T1.413)
Upstream SNR Margin: NA (Only for ADSL1 & T1413)
Upstream Retransmission status: Disabled
Downstream Retransmission status: Disabled
 

This is very interesting; Line Type: 0x04000000 VDSL2 Profile 17A