HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:22
Reviews:
·TekSavvy DSL
reply to s0dhi

Re: Sagemcom F@st 2864 unlock on *nix

said by s0dhi:

I was able to telnet in to my new Sagemcom this morning. There appear to be commands to flash firmware and do a variety of other tasks.

what firmware is it running?
--
F**K THE NHL. Go Blue Jays 2013!!!

s0dhi

join:2011-08-02
Brampton, ON
Reviews:
·TekSavvy DSL
said by HiVolt:

said by s0dhi:

I was able to telnet in to my new Sagemcom this morning. There appear to be commands to flash firmware and do a variety of other tasks.

what firmware is it running?

Firmware Version: FAST2864_v6637F
Hardware Version: 2864-000000-002


HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:22
Hrm, I just don't remember if that's the latest... Did you let your modem update firmware several times when you first plugged it in?
--
F**K THE NHL. Go Blue Jays 2013!!!

s0dhi

join:2011-08-02
Brampton, ON
Reviews:
·TekSavvy DSL
said by HiVolt:

Hrm, I just don't remember if that's the latest... Did you let your modem update firmware several times when you first plugged it in?

Nope, I just got it as part of the 50/10 upgrade. It's never been plugged into the line yet.

I can try to pull stuff off of it if someone can let me know how/what needs to be done.

BTW, I have a Cellpipe collecting dust, and I'm running my own Zyxel.


HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:22
Ah, so that's why you were able to get in... When/if you plug it in, it will fetch new firmware and disable the telnet hole..
--
F**K THE NHL. Go Blue Jays 2013!!!


jmck
formerly 'shaded'

join:2010-10-02
Ottawa, ON
Yeah, my 50/10 service became active yesterday and I saw the modem reboot a few times after getting sync and got worried, but I guess it was just getting a new firmware.

s0dhi

join:2011-08-02
Brampton, ON
Reviews:
·TekSavvy DSL
reply to HiVolt
said by HiVolt:

Ah, so that's why you were able to get in... When/if you plug it in, it will fetch new firmware and disable the telnet hole..

Understood. I probably won't plug it in, unless my Zyxel gives me some sort of issue.


Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
reply to derekm
This is what mine reports:

Firmware Version
FAST2864_v6740S

Rescue Version
FAST2864_v7740S
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org

s0dhi

join:2011-08-02
Brampton, ON

Is there any way to pull anything of value (for the community) off my Sagemcom since it's sitting here?

Maybe there is a way to drop a script onto the device that doesn't get overwritten during the upgrade?

sibisties

join:2012-06-04
Canada
kudos:8
reply to derekm
Last summer I successfully dumped the firmware from my Sagemcom modem. After deep analysis, I found a flaw in the web interface that could be used to inject executable code. My goal was to use this flaw to enable a page with line stats, and I succeeded.

I released my tool here on the Bell forum but it was removed minutes later. My work was considered "too suspicious" because I didn't want to include the source code of the injection tool.

Too bad, I guess I'll be the only person with a beautiful line stats page on my Sagemcom. And yes it is still working with the latest firmware version!

sourtimes

join:2012-12-16
York, ON
Hey guys,

I had 50/10 VDSL2 activated last week. I received the modem in the mail prior to the install date and used the method to allow telnet access into the modem to use the hidden menu commands.

After getting internet activated, when I first plugged in the modem, like all of you my Sagemcom updated the firmware once automatically and rebooted, then updated the firmware a second time.

My modem still allows me to telnet into it and use the hidden menu commands etc. YMMV, but in my case, allowing telnet access before having ever hooked it up to the phone line persisted through firmware updates.

Cheers

corkyy

join:2008-06-01
Laval, QC
kudos:2
reply to sibisties
Not Bell here! Feel free to share, it's interesting.


BTC Kevin

join:2011-10-01
Nepean, ON
kudos:1
reply to derekm
Ya, telnet access lasts, but only until Bell does a firmware factory recovery reset on you. They did that to me. It removed the telnet option. Or if you end up needing to trigger a factory reset because of a problem.

jmagder

join:2011-02-09
Markham, ON
reply to sibisties
Sibisties: Why did you not want to include the source code? I think there are thousands of people who would appreciate it!

MaynardKrebs
Heave Steve, for the good of the country
Premium
join:2009-06-17
kudos:4
reply to s0dhi
said by s0dhi:

said by HiVolt:

Ah, so that's why you were able to get in... When/if you plug it in, it will fetch new firmware and disable the telnet hole..

Understood. I probably won't plug it in, unless my Zyxel gives me some sort of issue.

Which Zyxel are you using.... & firmware version?

s0dhi

join:2011-08-02
Brampton, ON
Reviews:
·TekSavvy DSL
said by MaynardKrebs:

Which Zyxel are you using.... & firmware version?



HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:22
That Zyxel will only work on the 7330's, not a Stinger.


s0dhi

join:2011-08-02
Brampton, ON
said by HiVolt:

That Zyxel will only work on the 7330's, not a Stinger.

That is correct.

rizlo100

join:2009-05-05
Aurora, ON
Reviews:
·TekSavvy DSL
reply to s0dhi
I'd be interested in a couple of things if you still have access.

1) A listing of all files in the http directory (will already contain index.cgi, /js/script.js etc). Not sure where this is located though, likely something like /var/www (will need to drop into the busybox shell for this via the command 'shell' I think).
2) The command 'print_config' should dump the current modem's config.
3) There is a 'dump' command that may or may not dump the contents of the flash. This may or may not be helpful.

sunday8pm

join:2010-05-24
Reviews:
·Bell Sympatico
I can't find where the CGI scripts are located.

Firmware Version: FAST2864_v6740S
Rescue Version: FAST2864_v7740S

All I could find that has to do with www files is this:
# ls -la /cramfs/home/httpd/html/
-rw-r--r--    1 38199    101         44253 Oct 29 13:52 Common.js
-rw-r--r--    1 38199    101          8112 Oct 29 13:52 Configuration.js
-rw-r--r--    1 38199    101         15035 Oct 29 13:52 Monitor.js
-rw-r--r--    1 38199    101         34168 Oct 29 13:52 NetworkTest.js
-rw-r--r--    1 38199    101          6115 Oct 29 13:52 ProgressBar.js
-rw-r--r--    1 38199    101          3325 Oct 29 13:52 Translation.js
-rwxr-xr-x    1 38199    101         26100 Oct 29 13:52 control.js
drwxr-sr-x    1 38199    101           284 Oct 29 13:52 css
-rw-r--r--    1 38199    101          2823 Oct 29 13:52 en.txt
-rwxr-xr-x    1 38199    101          1406 Oct 29 13:52 favicon.ico
-rw-r--r--    1 38199    101          3791 Oct 29 13:52 fr.txt
drwxr-sr-x    1 38199    101         12884 Oct 29 13:52 images
-rwxr-xr-x    1 38199    101         77746 Oct 29 13:52 jquery-1.4.3.min.js
-rwxr-xr-x    1 38199    101          8124 Oct 29 13:52 jquery-impromptu.3.1.min.js
drwxr-sr-x    1 38199    101           360 Oct 29 13:52 js
-rwxr-xr-x    1 38199    101          9038 Oct 29 13:52 md5.js
-rw-r--r--    1 38199    101            20 Oct 29 13:52 oui.conf
-rwxr-xr-x    1 38199    101         20012 Oct 29 13:52 script.js
 

--edit: if anyone knows a method to dump the firmware, I'd be happy to oblige

rizlo100

join:2009-05-05
Aurora, ON
Reviews:
·TekSavvy DSL
sunday8pm, this is excellent! Thank you!

Would you also mind a directory listing of /cramfs/home/httpd/html/js ?

I'm not sure about the cgi files, perhaps /cramfs/home/httpd/cgi-bin? You may need to have a look at the httpd config file to find the cgi-bin location.

rizlo100

join:2009-05-05
Aurora, ON
Reviews:
·TekSavvy DSL
Would anyone also happen to have a copy of the config file that is generated by save_rg_conf.cgi before the latest update that they would be willing to share? It seems the cgi for replace_rg_conf.cgi still exists so I'd like to try posting a new conf to it but don't have a working template to go from.

s0dhi

join:2011-08-02
Brampton, ON
Reviews:
·TekSavvy DSL
said by rizlo100:

Would anyone also happen to have a copy of the config file that is generated by save_rg_conf.cgi before the latest update that they would be willing to share? It seems the cgi for replace_rg_conf.cgi still exists so I'd like to try posting a new conf to it but don't have a working template to go from.

Send me an IM, please.

sunday8pm

join:2010-05-24
Reviews:
·Bell Sympatico
reply to rizlo100
# ls js -la
-rw-r--r--    1 38199    101         44253 Oct 29 13:52 Common.js
-rw-r--r--    1 38199    101          8112 Oct 29 13:52 Configuration.js
-rw-r--r--    1 38199    101         15035 Oct 29 13:52 Monitor.js
-rw-r--r--    1 38199    101         34168 Oct 29 13:52 NetworkTest.js
-rw-r--r--    1 38199    101          6115 Oct 29 13:52 ProgressBar.js
-rw-r--r--    1 38199    101          3325 Oct 29 13:52 Translation.js
-rwxr-xr-x    1 38199    101         26100 Oct 29 13:52 control.js
-rw-r--r--    1 38199    101          2823 Oct 29 13:52 en.txt
-rw-r--r--    1 38199    101          3791 Oct 29 13:52 fr.txt
-rwxr-xr-x    1 38199    101         77746 Oct 29 13:52 jquery-1.4.3.min.js
-rwxr-xr-x    1 38199    101          8124 Oct 29 13:52 jquery-impromptu.3.1.min.js
-rwxr-xr-x    1 38199    101          9038 Oct 29 13:52 md5.js
-rw-r--r--    1 38199    101            20 Oct 29 13:52 oui.conf
-rwxr-xr-x    1 38199    101         20012 Oct 29 13:52 script.js
 

Thing is, under httpd there is only html:

# ls -la
drwxr-sr-x    1 38199    101           436 Oct 29 13:52 html
 

I have no idea where these CGI scripts are, nor where the HomeGateway.conf is located.
I'd also like to have a look at the .htaccess protecting the save_rg_conf.cgi directory but I can't find where it is located either.

sunday8pm

join:2010-05-24
reply to rizlo100
I don't think it will work. It seems a .htaccess file has been added to lock these two scripts and the admin user doesn't have access.

t3st3r

join:2010-01-26
Toronto, ON
kudos:6
The password hashes stored in the config file are plain unsalted MD5. Unfortunately no one seems to have found a collision for "f93ae31b2d76afe7ae0e4efeec576ac4" which is the password for the "001BBF-NQ1032301002218" Bell admin account on the modem.

You can directly overwrite the hash in the config file with another valid MD5 hash and it should work but of course, you'd already have access to the config file, etc. at that point.

It might be interesting to try it to see if the web config is any different for that user though.
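
As an added illustration of the storage weakness described in the post above (not part of the original thread and not the modem's code): bare MD5 gives the same stored value for the same password on every device, while a per-account salt with a slow KDF does not. The record format, the iteration count, the function names and the sample passphrase are assumptions made for this example.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for the target hardware

def md5_unsalted(password: str) -> str:
    """Scheme described in the post: bare MD5, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def kdf_record(password: str) -> str:
    """Hardened form: random per-account salt plus a slow KDF, self-describing record."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def kdf_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds = int(iters)
    except ValueError:
        return False  # malformed record: wrong field count, bad hex or bad number
    if scheme != "pbkdf2-sha256" or rounds < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(dk, expected)

def audit_field(value: str) -> str:
    """Classify a stored credential field found in a config export."""
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "bare-md5-sized-hex"  # 128-bit hex digest with no salt or scheme tag
    if value.startswith("pbkdf2-sha256$"):
        return "salted-kdf"
    return "unknown"

if __name__ == "__main__":
    pw = "constructed-example-passphrase"  # constructed sample, not from the thread
    print(md5_unsalted(pw) == md5_unsalted(pw))  # identical on every device
    a, b = kdf_record(pw), kdf_record(pw)
    print(a != b, kdf_verify(pw, a), kdf_verify("wrong", a))
    print(audit_field(md5_unsalted(pw)), audit_field(a))
```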


BTC Kevin

join:2011-10-01
Nepean, ON
kudos:1
I think the point is, admin is a sudo account. That other account, if not mistaken when looking in the Linux configs, has root access.

sibisties

join:2012-06-04
Canada
kudos:8
reply to jmagder
said by jmagder:

Sibisties: Why did you not want to include the source code? I think there are thousands of people who would appreciate it!

Back then I thought that enabling shell access to this modem could open a lot of undesired back doors.

Let me think about it again for a couple of days and I'll see if I can release it.

sibisties

join:2012-06-04
Canada
kudos:8
reply to t3st3r
...


BTC Kevin

join:2011-10-01
Nepean, ON
kudos:1
Ya, it's a serial number and a password, probably for remote connections to manage and push firmware and config files.

This is how Bell replaced my modified config for telnet with the generic on me.

It's also probably why Bell wants people to give the SN when BYOM for VDSL.