#level: classified

Sagemcom Fast3890

This is also a router from a Swedish Internet operator to find back doors and to see what is under the hood.

I got this router mailed to me as a donation from @anotherman 2022-12-03 - I really have a lot to do but I will check these routers properly this week finally (Week1, 2023). - Thanks alot @anotherman

I saw that there was some information about this router and I tried: Sagemcom F@ast v3890 Exploit but unfortunately without results, and I'm not the best at python so I'll have to try my own way eventually, does anyone know if there's already a way to get root on this device then I'd be grateful if you told me how then I'm extremely interested in entering Sagemcom's units.

Here is few things I have checked so far, I will return to this repo asap to get root!! To be continued.

20230102_053416 20230102_054110 20230102_054003 20230102_054158 20230102_053802 20230102_053254 20230102_053328 20230102_053344 20230102_053350 20230102_053359 20230102_053403 20230102_053432 20230102_053438 20230102_053830 20230102_050353 20230102_050147 20230102_045953 20221204_015103 20221204_015049 20221204_015045 20221204_015020 20221204_015012 20221202_182356 20221202_182334 20221202_182250

Username: admin
BlockedUser: guest
Maintheme: styles/themes/comhem-main.css
FeatureAccessz: acs, admin, expert, internal, sagemcom
firmwareUpgrade: Device/gen3890v3

Get HW info

Get Device Name

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.deviceName1);
$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.deviceName2);

Priunt CPU Load Usage

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.cpuLoadUsage);

Print Driver Version

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.driverVersion);

Print Hardware Version

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.hardwareVersion);

Print Model Name

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.modelName:);

Print Model NUmber

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.modelNumber);

Print Product Class

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.productClass);

Print Serial NUmber

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.serialNumber);

Print uptime

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.upTime);

Print Software Versin

$.xmo.getValuesTree($.xpaths.mySagemcomBox.deviceInfo.softwareVersion);

Print current DNS in use

$.xmo.getValuesTree('Device/DHCPv4/Server/Pools/Pool[@uid="1"]')

Print bootfile names (try download these later)

$.xmo.getValuesTree('Device/DHCPv4/Server/Pools/Pool[@uid="1"]/BootFileName')
$.xmo.setValuesTree('test', 'Device/DHCPv4/Server/Pools/Pool[@uid="1"]/BootFileName')

Download backup works fine from anywhere on webui

$.xmo.saveConfiguration()

OR

var a = $.xmo.client.newRequest();
$.config.modules.backupConfigurationAllBackup === !0 ? a.downloadSpecificFile($.xpaths.mySagemcomBox.maintenance.saveRestore.save, "device.cfg", 1, function() {}, function(a) {}) : a.downloadFile($.xpaths.mySagemcomBox.maintenance.saveRestore.save, function() {}, function(a) {}),
    a.send()

Get all settings via xpath

$.xmo.getValuesTree($.xpaths.accessControl);
$.xmo.getValuesTree($.xpaths.accessControl.firewall);
$.xmo.getValuesTree($.xpaths.accessControl.firewall.enable);
$.xmo.getValuesTree($.xpaths.adminAdvanced);
$.xmo.getValuesTree($.xpaths.adminAdvanced.passwd);
$.xmo.getValuesTree($.xpaths.advanced);
$.xmo.getValuesTree($.xpaths.arp);
$.xmo.getValuesTree($.xpaths.availability);
$.xmo.getValuesTree($.xpaths.broadband);
$.xmo.getValuesTree($.xpaths.businessEnable);
$.xmo.getValuesTree($.xpaths.cableModem);
$.xmo.getValuesTree($.xpaths.checkFeaturesAvailable);
$.xmo.getValuesTree($.xpaths.checkHideTablesAvailable);
$.xmo.getValuesTree($.xpaths.dect);
$.xmo.getValuesTree($.xpaths.dhcpLeases);
$.xmo.getValuesTree($.xpaths.dynDhcpDns);
$.xmo.getValuesTree($.xpaths.ethernet);
$.xmo.getValuesTree($.xpaths.ethernetDevice);
$.xmo.getValuesTree($.xpaths.ethernetMode);
$.xmo.getValuesTree($.xpaths.firstConnection);
$.xmo.getValuesTree($.xpaths.forbiddenIps);
$.xmo.getValuesTree($.xpaths.gateway);
$.xmo.getValuesTree($.xpaths.gpon);
$.xmo.getValuesTree($.xpaths.greTunnel);
$.xmo.getValuesTree($.xpaths.guiAccessRights);
$.xmo.getValuesTree($.xpaths.guiLockTime);
$.xmo.getValuesTree($.xpaths.healthCheck);
$.xmo.getValuesTree($.xpaths.interfaceGrouping);
$.xmo.getValuesTree($.xpaths.internetConnectivity);
$.xmo.getValuesTree($.xpaths.internetHSI);
$.xmo.getValuesTree($.xpaths.iptv);
$.xmo.getValuesTree($.xpaths.leds);
$.xmo.getValuesTree($.xpaths.macAddressActiveInterfaces);
$.xmo.getValuesTree($.xpaths.main);
$.xmo.getValuesTree($.xpaths.management);
$.xmo.getValuesTree($.xpaths.mesh);
$.xmo.getValuesTree($.xpaths.moca);
$.xmo.getValuesTree($.xpaths.myCloud);
$.xmo.getValuesTree($.xpaths.mySagemcomBox);
$.xmo.getValuesTree($.xpaths.mymedia);
$.xmo.getValuesTree($.xpaths.neighborAps);
$.xmo.getValuesTree($.xpaths.rpc);
$.xmo.getValuesTree($.xpaths.rpc.firmwareUpgrade);      (SAME AS xmo.device)
$.xmo.getValuesTree($.xpaths.runlevel);
$.xmo.getValuesTree($.xpaths.scheduling);
$.xmo.getValuesTree($.xpaths.singleLine);
$.xmo.getValuesTree($.xpaths.splashScreen);
$.xmo.getValuesTree($.xpaths.ssidCreation);
$.xmo.getValuesTree($.xpaths.startSpeed);
$.xmo.getValuesTree($.xpaths.stats);
$.xmo.getValuesTree($.xpaths.technicalLogFast);
$.xmo.getValuesTree($.xpaths.teliaSmartWifi);
$.xmo.getValuesTree($.xpaths.teliaSmartWifiConfig);
$.xmo.getValuesTree($.xpaths.trafficStats);
$.xmo.getValuesTree($.xpaths.userRoles);
$.xmo.getValuesTree($.xpaths.variantEnable);
$.xmo.getValuesTree($.xpaths.voice);
$.xmo.getValuesTree($.xpaths.wan);
$.xmo.getValuesTree($.xpaths.wanInternetStatus);
$.xmo.getValuesTree($.xpaths.wanType);
$.xmo.getValuesTree($.xpaths.wifi);
$.xmo.getValuesTree($.xpaths.wifiAdvancedEnable);
$.xmo.getValuesTree($.xpaths.wifiBandSteering);
$.xmo.getValuesTree($.xpaths.wifiMesh);
$.xmo.getValuesTree($.xpaths.wifiReadOnly);
$.xmo.getValuesTree($.xpaths.wifiResetStats);
$.xmo.getValuesTree($.xpaths.wifiRestoreDefault);
$.xmo.getValuesTree($.xpaths.wizard);
$.xmo.getValuesTree($.xpaths.accessControl.firewall.enable);
$.xmo.setValuesTree('false', $.xpaths.accessControl.firewall.enable);

List all settiings for all users

$.xmo.getValuesTree("Device/UserAccounts/Users/*")
$.xmo.getValuesTree("Device/UserAccounts/Users/*/*")
$.xmo.getValuesTree("Device/UserAccounts/Users/*/*/*/*")
$.xmo.getValuesTree("Device/UserAccounts/Users/*/*/*/*/")

Device/UserAccounts/Users/User[Login='admin']/Role

Get role status by uid

$.xmo.getValuesTree("Device/UserAccounts/Users/User[@uid='3']/Role");

List all settings for all users, maxdepth 1

$.xmo.getValuesTree("Device/UserAccounts/Users/Role['ENDUSER']/Role");

List all settings for all users by user

```javascript $.xmo.getValuesTree("Device/UserAccounts/Users/User[@uid='3']/Profiles/Profile[@uid='2']");

Notice: 

List all settings for all users maxdepth 1, maxdepth 1>= sorted by name device_useraccounts1.png

### List profiles by username

```javascript
$.xmo.getValuesTree("Device/UserAccounts/Users/User[@uid='3']/Profiles");

List profiles by username

$.xmo.getValuesTree("Device/UserAccounts/Users/User[Login='admin']/Profiles");

List profiles for all users

$.xmo.getValuesTree("$.xmo.getValuesTree('Device/UserAccounts/Users/*/Profiles');

List remoteaccess for uid 3

$.xmo.getValuesTree("Device/UserAccounts/Users/User[@uid='3']/RemoteAccesses/RemoteAccess[@uid='1']");

List Functionalities for uid 3

$.xmo.getValuesTree("Device/UserAccounts/Users/User[@uid='3']/Functionalities");

$.xmo.getValuesTree("Device/UserAccounts/Users/*/WebAccessPriviledge");

Capture all traffic during documentation

#!/bin/bash
# Author: wuseman
tsharkDate=$(date +%Y-%m-%d)
tshark -i wlan0 -w investigation_sagemcom__3890v3_ch_comhem-${tsharkDate}.pcap

Capture all GET requests from file

tshark -r investigation_sagemcom__3890v3_ch_comhem-.pcap -T json \
    "http.request.method==GET"

Capture all POSt requests from file

tshark -r investigation_sagemcom__3890v3_ch_comhem-.pcap -T json \
    "http.request.method==POST"

Capture all POST / GET / PUT requests from file

tshark -i wlan0 -T json \
    "http.request.method==POST" or "http.request.method==GET" or "http.request.method==PUT"

Capture all hosts from file

tshark -r investigation_sagemcom__3890v3_ch_comhem-.pcap \
    -Tfields \
    -e tshark \
    -r investigation_sagemcom__3890v3_ch_comhem-.pcap \
    -T json "http.request.method==POST" or "http.request.method==GET" \
    |cut -d'"' -f2 \
    |sort \
    |uniq \
    |sed 's/^/tshark -r investigation_sagemcom__3890v3_ch_comhem-.pcap \
    -Tfields \
    -e /ghttp.host

Capture Post and GET requests in realtime

tshark -i wlan0 -f 'port 80 and 
(tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354 or 
tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420)' -Ttext -z "follow,tcp,ascii,0" -w pcap

Developer Console

Get all settings for device from developer console

$.xmo.getValuesTree("Device");

Get all settings for device and values

Do not use semicolon when run multiple commands

Dot

$.xmo.getValuesTree('*/.')
$.xmo.getValuesTree('*/./.')
$.xmo.getValuesTree('*/././.')
$.xmo.getValuesTree('*/./././.')
$.xmo.getValuesTree('*/././././.')
$.xmo.getValuesTree('*/./././././.')
$.xmo.getValuesTree('*/././././././.'')
$.xmo.getValuesTree('*/./././././././.')
$.xmo.getValuesTree('*/././././././././.')
$.xmo.getValuesTree('*/./././././././././.')
$.xmo.getValuesTree('*/././././././././././.')
$.xmo.getValuesTree('*/./././././././././././.')

Do not use semicolon when run multiple commands

Astrix

Settings: : 50

$.xmo.getValuesTree('*');

Settings: 50

$.xmo.getValuesTree('*/*');

Settings: : 398

$.xmo.getValuesTree('*/*/*');

Settings: 698

$.xmo.getValuesTree('*/*/*/*');

Settings: 2562

$.xmo.getValuesTree('*/*/*/*/*');

Settings: 3557

$.xmo.getValuesTree('*/*/*/*/*/*');

Settings: 957

$*xmo.getValuesTree('*/./././././.');

Settings: 680

$.xmo.getValuesTree('*/*/*/*/*/*/*/*'');

Settings: 33

$.xmo.getValuesTree('*/./././././././.');

Settings: 22 (last)

$.xmo.getValuesTree('*/*/*/*/*/*/*/*/*/*');

Astrix + Dot"

$.xmo.getValuesTree('*/.')
$.xmo.getValuesTree('*/./*/./*/./*/./*/./*/./*')
$.xmo.getValuesTree('*/./*/./*/./*/./*/./*/./*')

Get capabilitys

Result:

Settings: N/A

$.xmo.getCapability("*")

* Settings: 50

$.xmo.getCapability("*/*")
``````
* Settings: 398

```javascript
$.xmo.getCapability("*/*/*")

* Settings: 2562

$.xmo.getCapability("*/*/*/*")

Settings: 1618

$.xmo.getCapability("*/*/*/*/*")

* Settings: 3557

$.xmo.getCapability("*/*/*/*/*/*")

Settings: 957

$.xmo.getCapability("*/*/*/*/*/*/*")

Settings: 680

$.xmo.getCapability("*/*/*/*/*/*/*/*")

Settings 33

.xmo.getCapability("*/*/*/*/*/*/*/*/*/*")

Settings: 22

.xmo.getCapability("*/*/*/*/*/*/*/*/*/*")

Get configs

$.config