Sagemcom F@st 5370e - Board: v3.2 - 2024
This repository is the product of delving deep into the Sagemcom F@st 5370e router's complexities through emulation and chroot environments, a testament to over 10,000 hours of meticulous exploration and mastery. Aimed at those with a profound interest in the technical nuances of the 2024 Sagemcom firmware, it offers guides and scripts for those seeking to unlock its secrets. My proficiency in this domain is unmatched, a clear result of relentless dedication and expertise. However, direct methods for gaining root access or exploiting vulnerabilities are intentionally excluded to uphold ethical standards in exploration. Written by the first to navigate the Sagemcom firmware's unique challenges, this repository serves as an exclusive resource for skilled practitioners.
It's crucial to understand that achieving a functional setup, especially getting hg6d running together with the json, xmo and cgi interfaces, is not a matter of minutes but months. This insight is shared with those who have reached a similar level of dedication and skill. Please be aware that I assume no responsibility for how others use this knowledge. With stringent security measures like permanently disabled JTAG on these routers, the insights shared here focus on enriching understanding without compromising device security. This content is not intended for novices but is a curated collection for those equally committed to responsible and informed exploration. Reflecting the immense investment and respect for the field, nothing here comes for free. Patience and perseverance are essential, as the journey to mastery is long and complex.
If you cannot manage and understand these complexities, it's probably best to find another endeavor. I can assure you that gaining root access on this router is not straightforward. I am likely the only individual who has succeeded with this router, having dedicated over 10,000 hours to reach this point. This repository is for those who recognize the value of such an investment and are prepared to engage with the same level of commitment and respect for the challenge.
I extend my biggest applause to Sagemcom for creating such a formidable router across all aspects. However, don't mistake my commendation for complacency. My deep dive into this router has even unveiled insights into its CFE operations. So, to the Sagemcom team, consider this a friendly challenge to further elevate your engineering excellence. I've closely observed and understood this device's inner workings, encouraging you to push the boundaries of what's possible even further.
Important Note to Users and Contributors:
This repository is provided as-is for educational and research purposes, aimed at advanced users and professionals who have a deep understanding of networking and router firmware. It showcases the extent of what's possible with dedication and expertise, emphasizing that with the right knowledge, nothing is impossible.
Contributions and Contact:
- Contributions: Please note that while this repository is open to the public, contributions will not be actively reviewed or merged. The content here is a result of extensive personal research and experimentation, shared to inspire and educate.
- Contact: I will not be responding to inquiries via email or other means regarding the guidance, code, or methodologies provided here. This initiative is meant to challenge the best in the field to explore and discover on their own.
Warning on Router Manipulation:
Attempting to manipulate router settings as demonstrated in this repository can lead to unintended consequences, including but not limited to, the router breaking its connection. This is a protective measure against unauthorized configuration changes. Bypassing these protections requires an in-depth understanding of the router's operational backend and firmware architecture at the lowest level.
Proceed with Caution: If you decide to explore these settings, be aware that success demands more than just a superficial understanding of the router's functionality. It requires comprehensive knowledge and the ability to navigate and manipulate the system's core mechanisms responsibly. This is not for the faint-hearted or those new to networking technology.
Securing Personal Networks: A Stand on Privacy and Control
My primary motivation for delving into the intricacies of network devices, particularly those acquired from the secondary market, stems from a fundamental concern: the unwelcome presence of others in my personal network. This concern isn't confined to routers alone but extends across the spectrum of internet-connected devices. Full control over my devices is not just a preference, it's a necessity to ensure that my online activities remain private and secure.
The discovery of default SSH keys, which could potentially grant developers or manufacturers unwarranted access to devices, is a glaring example of why this control is imperative. It's evident that such backdoors, whether intended for diagnostics or other purposes, pose a significant risk to users' privacy and security.
Let me be clear: Keeping unauthorized individuals out of my network is why I meticulously inspect and secure any device I integrate into my environment. If these access points were not meant to be utilized, they should not exist within the devices we trust daily. My explorations are driven by the need to safeguard my digital footprint against any form of intrusion.
To those responsible for embedding such vulnerabilities: Please reconsider your practices. Your intentions might not be malicious, but the implications for user privacy and security are profound. Unless explicitly stated in your licenses or user agreements that you intend to access my device, I expect that my network and devices remain solely under my control.
In conclusion, my journey into network device security is a statement against the covert surveillance and control mechanisms that have become all too common. There's no excuse for compromising user privacy and security. I'll continue to champion the cause for greater transparency, control, and respect for personal boundaries in the digital realm.
Questioning the Unknown: A Default SSH Key's Origin
In the landscape of digital security, the discovery of a default SSH key within our devices not only raises eyebrows but also significant security concerns. This key, silently residing in the system, serves as a hidden gateway that could, in theory, grant access to anyone in possession of its private counterpart. The fact that the key carries no identifying information, not even the comment field (typically user@host) that ssh-keygen appends, only deepens the mystery and the potential danger it represents.
Who exactly owns this default SSH key embedded in our Sagemcom devices? This question is not rhetorical but a pressing concern that demands attention. The anonymity of such keys does not merely suggest an oversight but indicates a profound lapse in security protocols where the lines between safeguarding and vulnerability blur.
- This key sits at the hardware/firmware level, below the ISP's own reach, which narrows down considerably who can own it:
---- BEGIN SSH2 PUBLIC KEY ----
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA3VhXDw8oxKLUEctSKFaqNHHMbo59nBYXuvLaciQyIijk2B78v6t5LNkbZTCpjSIZZkCxcXh/L+Dyib0NJQ1E1dv5932prZfVz+ooXTYxk
kJ0Ri9fmRKIiwDOrxYyYmNzglvKYNRcnC7M6RN6z4gU8ND8F3IO2WMtysJrXKQxZEahpN5UEVxi0KmjMM9NObEp0PT04PAZ3PYbgtodehpbboz65j8T/DzCT21j8Ns6BGe9wva1+S/G+3
vUDERMhyV9/Ermlec+EwEqnjq7jl/pG/3tUH99RNyD6AuhmOQXJQRfFE3VcQV+tfSVz30gJHvhiH5kCIPFnU12iEYgjqZfZlb9ICCmeW2H59itjbuOGCF2Yi2q87JldMaoluVqQ5LKo/z
jY4Vsed2elbExtEtVn8+iTSVXjx/ZqOPLIv5+2qQu3whTmuZJv3Q+4nBb08spoj6EWOiSMpVvuyUeO7JNYy1XBA7IGROrHC/kVdkAmJdXFB4PexVZTF60cTbrBizGVzzverlUdmSFvFlO
+6TjFzwfIWg3eC6QpBaW5vnqZilSxqDrk5cPhV89R2vYdWjgKdMleWsk28DRVO8rIs+HArVR4FmKCxFd8SdFmmXfOXrQxfDJb3HbFayEnUc4GVdHIR34gt5L+Ku/8BeuRLxC2/1Wfz1dZ
eubw1+gpME03BM=
---- END SSH2 PUBLIC KEY ----
The Implications
- Unauthorized Access: The key acts as a standing invitation to those who know of its existence and possess the means to exploit it. Without clear ownership, it's impossible to ascertain the intentions behind this backdoor, whether for benign support or more nefarious purposes.
- Privacy Breach: In an era where data privacy is paramount, the idea that an undisclosed entity could potentially navigate through our personal or professional networks is unsettling. It contradicts the very essence of secure communications.
- Trust Erosion: Trust in device manufacturers and software developers is foundational to technology adoption. Discoveries like these erode confidence, leaving users questioning the security of their investments and the motives of those behind them.
A Call for Transparency and Action
This situation serves as a stark reminder of the importance of vigilance in the digital age. As users, it becomes imperative to demand higher standards of transparency from manufacturers and developers. The inclusion of default SSH keys—or any tool that could serve as a backdoor—without explicit disclosure and justification is unacceptable.
What can be done?
- Awareness and Education: Understanding the potential risks associated with these keys is the first step toward safeguarding oneself. Knowledge empowers users to take proactive measures.
- Demanding Accountability: Manufacturers must be held accountable for their security practices. This includes requiring them to disclose any built-in access mechanisms and providing users with the means to disable or remove them.
- Community Vigilance: The tech community can play a crucial role in identifying and exposing such vulnerabilities, fostering an environment where security is a collective responsibility.
In conclusion, the discovery of an unattributed default SSH key within our devices is more than a security concern, it's a wake-up call to the industry and users alike. It underscores the need for a paradigm shift towards greater transparency, accountability, and user empowerment in technology. As we navigate this complex digital landscape, let us be guided by the principle that our security and privacy are paramount, non-negotiable, and deserving of our unwavering attention and action.
Advanced JTAG Manipulation on Sagemcom F@st 5370e
The journey into the Sagemcom F@st 5370e's core revealed the intricacies of JTAG configuration, a crucial area for hardware-level access and modification. The following script segments offer a rare glimpse into the depth of manipulation achievable, underscoring the blend of precision and expertise necessary to navigate such tightly secured environments.
Script Insight: JTAG Configuration Techniques
# Note: This script is a demonstration of the depth of understanding required
# to interact with the Sagemcom F@st 5370e at a hardware level. It is shared for
# educational purposes and should not be used irresponsibly.
# Initialization and JTAG manipulation commands
if [ "$DISABLE_JTAG" = 1 ]; then
    echo "Initiating JTAG disable sequence..."
    # Commands to manipulate hardware registers for JTAG configuration
    setmem 0xb000040c 0x00000107 4
    setmem 0xb0000410 0x00000080 4
    # Additional steps to ensure the configuration is applied
    setmem 0xb0000400 0x00000002 4
    setmem 0xb0000404 0x00a00005 4
    sleep 2
    setmem 0xb0000404 0x00000000 4
    echo "JTAG disable sequence completed."
fi
if [ "$PERMALOCK" = 1 ]; then
    echo "Enabling Permalock for JTAG..."
    # Permalock sequence to permanently disable JTAG (irreversible)
    setmem 0xb000040c 0x0000010e 4
    setmem 0xb0000410 0x00004000 4
    echo "JTAG Permalock enabled."
fi
# Status check to confirm JTAG state
# This part of the script reads the configuration register back
# and verifies the success of the JTAG manipulation.
CMD_VALUE=$(dumpmem b000040c 8 | awk 'NR==3 {print $2 $3 $4 $5 $6 $7 $8 $9}')
echo "JTAG Configuration Status: $CMD_VALUE"
Mastery and Limitations
The segments above underline the high level of mastery required to understand and implement changes at this scale. It's a potent reminder that such knowledge should be wielded with caution and respect for the device's integrity. Mastery of these techniques not only requires an understanding of the commands but a deep insight into the router's architecture and security measures.
Discovering Callable Commands in JavaScript Objects
Explore the depths of any JavaScript object to uncover all the callable functions with this handy tool. Perfect for developers working on Telia routers or any JavaScript-based project, this script recursively navigates through an object's properties to list every function available, helping you understand and utilize the object's capabilities fully.
Script Description
The listAllFunctions script is a powerful utility for developers who need to get acquainted with unfamiliar objects, especially when documentation is sparse or when exploring dynamic objects like the window object in web environments. By listing functions along with their paths, this tool demystifies the object structure, making it invaluable for debugging, documentation, and educational purposes.
Key Features
- Recursive Exploration: Dive deep into nested objects up to a specified depth to discover hidden functions.
- Customizable Depth: Control how deep the script searches to balance between thoroughness and performance.
- Clear Output: Each function's path and definition are logged, offering insights into its purpose and usage.
Usage
To use this script, simply call listAllFunctions with the object you want to explore. For example, to explore the window object:
listAllFunctions(window, 'window');
Parameters
- obj: The object you wish to explore.
- parentName: A string representing the name of the initial object (used for logging).
- depth (optional): The current depth of recursion (default is 0).
- maxDepth (optional): The maximum depth to explore (default is 10).
Example Script
function listAllFunctions(obj, parentName, depth = 0, maxDepth = 10, seenObjects = new WeakSet()) {
    // Stop at maxDepth and never revisit an object: window contains cycles (window.window, window.self)
    if (depth > maxDepth || seenObjects.has(obj)) {
        return;
    }
    seenObjects.add(obj);
    // getOwnPropertyNames also returns non-enumerable properties, which for...in would skip
    for (var prop of Object.getOwnPropertyNames(obj)) {
        var propName = parentName + '.' + prop;
        var value;
        try {
            value = obj[prop]; // some properties throw on access (cross-origin frames, deprecated getters)
        } catch (e) {
            continue;
        }
        if (typeof value === 'function') {
            console.log(propName + ' = ', value.toString());
            // functions can carry namespaces of their own, e.g. $.xmo hanging off the jQuery function
            listAllFunctions(value, propName, depth + 1, maxDepth, seenObjects);
        } else if (typeof value === 'object' && value !== null) {
            listAllFunctions(value, propName, depth + 1, maxDepth, seenObjects);
        }
    }
}
JavaScript Snippets for Sagemcom Router Configuration
This part contains JavaScript snippets for configuring Sagemcom routers. They demonstrate how to update router functionalities, delete specific configuration nodes and set the root data model version through the router's xmo API, which is not documented anywhere on the web for this model; they are meant as an insight into how that interface is driven.
Heads Up: Venturing into these configurations without a solid game plan is akin to flying blind in a storm. This is not a matter of guessing or trial and error: such attempts will likely crash the router, severing your access to the xmo server. It takes precision, deep knowledge and an understanding of the intricate dance of the router's internals. Navigate wisely, or you might find yourself in digital quicksand.
Update Specific Functionality to Writable
This snippet updates a specific functionality's writable status for a user account.
var updatePayload = {
toUpdate: {
"Device/UserAccounts/Users/User[@uid='1']/Functionalities/Functionality[@uid='154']/Writable": "true"
}
};
$.xmo.addOrUpdate(updatePayload, {
success: function(response) {
console.log("Functionality updated successfully", response);
},
error: function(error) {
console.error("Error updating functionality", error);
}
});
Make All Functionalities Writable for a User
The following code sets all functionalities for a specific user to writable.
var updatePayload = {
toUpdate: {
"Device/UserAccounts/Users/User[@uid='1']/Functionalities/*/Writable": "true"
}
};
$.xmo.addOrUpdate(updatePayload, {
success: function(response) {
console.log("Functionality updated successfully", response);
},
error: function(error) {
console.error("Error updating functionality", error);
}
});
Delete Specific Functionalities
This loop deletes functionalities for a user, excluding a specified UID.
for (let uid = 22; uid <= 552; uid++) {
if (uid !== 515) { // Skip UID 515, the one functionality to keep
let xpath = `Device/UserAccounts/Users/User[@uid='1']/Functionalities/Functionality[@uid='${uid}']`;
$.xmo.delChild(xpath, {
success: function(response) {
console.log(`Successfully deleted UID ${uid}`, response);
},
error: function(error) {
console.error(`Error deleting UID ${uid}`, error);
}
});
}
}
Update Root Data Model Version
var updatePayload = {
toUpdate: {
"Device/RootDataModelVersion": "1.0"
}
};
$.xmo.addOrUpdate(updatePayload, {
success: function(response) {
console.log("Root Data Model Version updated successfully", response);
},
error: function(error) {
console.error("Error updating Root Data Model Version", error);
}
});
Emulation and Chroot
Install ubi-reader
emerge --ask sys-fs/ubi_reader sys-fs/mtd-utils
dev: size erasesize name
mtd0: 00020000 00020000 "nvram"
mtd1: 000a0000 00020000 "cfe"
mtd2: 008c0000 00020000 "boot"
mtd3: 08d40000 00020000 "ubi"
mtd4: 06940000 00020000 "data"
mtd5: 02815000 0001f000 "filesystem1"
mtd6: 00ded000 0001f000 "operational"
mtd7: 0189a800 0001f000 "rescue"
mtd8: 0001f000 0001f000 "firm_header"
mtd9: 00271800 0001f000 "kernel"
mtd10: 01629000 0001f000 "rootfs"
mtd11: 000895e4 0001f000 "secondaryboot"
mtd12: 0001fa40 0001f000 "secondaryboot-secure"
mtd13: 000a3e20 0001f000 "uboot"
mtd14: 000029e8 0001f000 "permanent_param"
mtd15: 00000040 0001f000 "aes_key1"
mtd16: 00000040 0001f000 "aes_key2"
mtd17: 00000040 0001f000 "aes_key_operator"
Note the erase sizes: mtd0 to mtd4 report 00020000 (128 KiB), the physical NAND erase block, while mtd5 onward report 0001f000 (126976 bytes), which is the UBI LEB size shown in the ubi_reader output below. Those later entries are UBI volumes exposed as MTD devices (gluebi), not raw flash partitions; dumping them yields each volume's contents directly, while mtd2 and mtd3 hold the UBI containers themselves.
UBI File
---------------------
Min I/O: 2048
LEB Size: 126976
PEB Size: 131072
Total Block Count: 70
Data Block Count: 17
Layout Block Count: 2
Internal Volume Block Count: 0
Unknown Block Count: 51
First UBI PEB Number: 0
Image: 1844237030
---------------------
Image Sequence Num: 1844237030
Volume Name:secondaryboot
Volume Name:secondaryboot-secure
Volume Name:uboot
Volume Name:permanent_param
Volume Name:aes_key1
Volume Name:aes_key2
Volume Name:aes_key_operator
PEB Range: 0 - 67
Volume: secondaryboot
---------------------
Vol ID: 0
Name: secondaryboot
Block Count: 5
Volume Record
---------------------
alignment: 1
crc: '0x175a220'
data_pad: 0
errors: ''
flags: 0
name: 'secondaryboot'
name_len: 13
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 0
reserved_pebs: 9
upd_marker: 0
vol_type: 'static'
Volume: secondaryboot-secure
---------------------
Vol ID: 2
Name: secondaryboot-secure
Block Count: 2
Volume Record
---------------------
alignment: 1
crc: '0xd0051b74'
data_pad: 0
errors: ''
flags: 0
name: 'secondaryboot-secure'
name_len: 20
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 2
reserved_pebs: 9
upd_marker: 0
vol_type: 'static'
Volume: uboot
---------------------
Vol ID: 4
Name: uboot
Block Count: 6
Volume Record
---------------------
alignment: 1
crc: '0x5126322f'
data_pad: 0
errors: ''
flags: 0
name: 'uboot'
name_len: 5
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 4
reserved_pebs: 9
upd_marker: 0
vol_type: 'static'
Volume: permanent_param
---------------------
Vol ID: 5
Name: permanent_param
Block Count: 1
Volume Record
---------------------
alignment: 1
crc: '0x79ad11fa'
data_pad: 0
errors: ''
flags: 0
name: 'permanent_param'
name_len: 15
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 5
reserved_pebs: 9
upd_marker: 0
vol_type: 'static'
Volume: aes_key1
---------------------
Vol ID: 6
Name: aes_key1
Block Count: 1
Volume Record
---------------------
alignment: 1
crc: '0x5879b043'
data_pad: 0
errors: ''
flags: 0
name: 'aes_key1'
name_len: 8
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 6
reserved_pebs: 1
upd_marker: 0
vol_type: 'static'
Volume: aes_key2
---------------------
Vol ID: 7
Name: aes_key2
Block Count: 1
Volume Record
---------------------
alignment: 1
crc: '0xb0aabd64'
data_pad: 0
errors: ''
flags: 0
name: 'aes_key2'
name_len: 8
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 7
reserved_pebs: 1
upd_marker: 0
vol_type: 'static'
Volume: aes_key_operator
---------------------
Vol ID: 8
Name: aes_key_operator
Block Count: 1
Volume Record
---------------------
alignment: 1
crc: '0x29f959f0'
data_pad: 0
errors: ''
flags: 0
name: 'aes_key_operator'
name_len: 16
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 8
reserved_pebs: 1
upd_marker: 0
vol_type: 'static'
List content inside the ubi image
data
data/dumpcore_hg6d
data/lastrandom
conf
conf/syslog_file
conf/backup-cfg-GRE-12.xml
conf/backup-cfg-DSL-12.xml
conf/backup-cfg-GRE-13.xml
conf/backup-cfg-DSL-13.xml
conf/backup-cfg-Routing-12.xml
conf/backup-cfg-TELIA-12.xml
conf/backup-cfg-Routing-13.xml
conf/backup-cfg-TELIA-13.xml
conf/backup-cfg-RootDataModelVersion-12.xml
conf/backup-cfg-RootDataModelVersion-13.xml
conf/backup-cfg-Time-12.xml
conf/backup-cfg-WiFi-12.xml
conf/backup-cfg-Time-13.xml
conf/backup-cfg-WiFi-13.xml
conf/dhcpd6.leases
conf/backup-cfg-Managers-12.xml
conf/backup-cfg-Managers-13.xml
conf/backup-cfg-UserAccounts-16.xml
conf/backup-cfg-UserAccounts-17.xml
conf/backup-cfg-NAT-12.xml
conf/backup-cfg-NAT-13.xml
conf/backup-cfg-Services_ParentalControl-12.xml
conf/backup-cfg-Services_ParentalControl-13.xml
conf/backup-cfg-WatchDog-12.xml
conf/backup-cfg-WatchDog-13.xml
conf/backup-cfg-Hosts-87.xml
conf/backup-cfg-Hosts-88.xml
conf/scratchpad
conf/backup-cfg-Services_DynamicDNS-12.xml
conf/backup-cfg-Services_DynamicDNS-13.xml
conf/backup-cfg-DHCPv6-12.xml
conf/backup-cfg-DHCPv6-13.xml
conf/backup-cfg-Firewall-12.xml
conf/backup-cfg-Firewall-13.xml
conf/operator_log_1
conf/backup-cfg-IP-14.xml
conf/backup-cfg-IP-15.xml
conf/backup-cfg-USB-12.xml
conf/backup-cfg-USB-13.xml
conf/backup-cfg-DNS-13.xml
conf/backup-cfg-DNS-14.xml
conf/dhcpd.leases~
conf/backup-cfg-QoS-12.xml
conf/backup-cfg-QoS-13.xml
conf/backup-cfg-PPP-12.xml
conf/backup-cfg-PPP-13.xml
conf/dhcpd.leases
conf/backup-cfg-DHCPv4-14.xml
conf/backup-cfg-DHCPv4-15.xml
conf/backup-cfg-UPnP-12.xml
conf/backup-cfg-UPnP-13.xml
conf/backup-cfg-NeighborDiscovery-12.xml
conf/backup-cfg-NeighborDiscovery-13.xml
conf/backup-cfg-MQTT-12.xml
conf/backup-cfg-MQTT-13.xml
conf/backup-cfg-Bridging-12.xml
conf/backup-cfg-Bridging-13.xml
conf/backup-cfg-ManagementServer-12.xml
conf/backup-cfg-ManagementServer-13.xml
conf/backup-cfg-WebAccesses-12.xml
conf/backup-cfg-WebAccesses-13.xml
conf/backup-cfg-IEEE8021x-12.xml
conf/backup-cfg-IEEE8021x-13.xml
conf/backup-cfg.xml.txt
conf/backup-cfg-Services_VoiceServices-19.xml
conf/backup-cfg-ATM-12.xml
conf/backup-cfg-ATM-13.xml
conf/backup-cfg-Services_VoiceServices-20.xml
conf/backup-cfg-GatewayInfo-12.xml
conf/backup-cfg-GatewayInfo-13.xml
conf/backup-cfg-Services_CLIPassword-12.xml
conf/backup-cfg-Services_CLIPassword-13.xml
conf/backup-cfg-Ethernet-12.xml
conf/backup-cfg-Ethernet-13.xml
conf/backup-cfg-UserInterface-12.xml
conf/backup-cfg-UserInterface-13.xml
conf/backup-cfg.xml.user
conf/dhcpd.conf
conf/backup-cfg-RouterAdvertisement-12.xml
conf/backup-cfg.xml.stable
conf/backup-cfg-RouterAdvertisement-13.xml
conf/backup-cfg-DeviceDiscovery-12.xml
conf/backup-cfg-DeviceDiscovery-13.xml
conf/backup-cfg-Services_StorageServices-12.xml
conf/backup-cfg-Services_StorageServices-13.xml
conf/backup-cfg-DLNA-12.xml
conf/backup-cfg-DeviceSummary-12.xml
conf/backup-cfg-DLNA-13.xml
conf/backupFmwVer.txt
conf/backup-cfg-DeviceSummary-13.xml
conf/backup-cfg-DeviceInfo-12.xml
conf/backup-cfg-DeviceInfo-13.xml
conf/backup-cfg-PTM-12.xml
conf/backup-cfg-RestoreInfo-12.xml
conf/backup-cfg-PTM-13.xml
conf/backup-cfg-RestoreInfo-13.xml
conf/backup-cfg.xml.prev.txt
rootfs
rootfs/etc
rootfs/etc/TZ
rootfs/etc/nas.conf
rootfs/etc/shadow-
rootfs/etc/cpe.pem
rootfs/etc/dropbear
rootfs/etc/dropbear/authorized_keys
rootfs/etc/dropbear/dropbear_rsa_host_key
rootfs/etc/dropbear/dropbear_dss_host_key
rootfs/etc/syslog-ng
rootfs/etc/syslog-ng/syslog-ng.conf
rootfs/etc/hosts
rootfs/etc/lighttpd
rootfs/etc/lighttpd/conf.d
rootfs/etc/lighttpd/conf.d/urlbox.conf
rootfs/etc/lighttpd/conf.d/bind.conf
rootfs/etc/shadow
rootfs/etc/config
rootfs/etc/config/calibration2gOk
rootfs/etc/config/calibration2gOk/.wh.__dir_opaque
rootfs/etc/config/calibration5gOk
rootfs/etc/config/calibration5gOk/.wh.__dir_opaque
rootfs/etc/upnpd.conf
rootfs/etc/linuxigd
rootfs/etc/linuxigd/.wh.gatedesc1.xml
rootfs/etc/linuxigd/.wh.wancomicfgSCPD.xml
rootfs/etc/linuxigd/.wh.wanipconnSCPD.xml
rootfs/etc/linuxigd/.wh.gatedesc.xml
rootfs/etc/linuxigd/.wh.layer3forwardingSCPD.xml
rootfs/etc/linuxigd/.wh.lanhostconfigSCPD.xml
rootfs/etc/linuxigd/.wh.gateEthlcfgSCPD.xml
rootfs/etc/linuxigd/.wh.ligd.png
rootfs/etc/linuxigd/.wh.wanpppconnSCPD.xml
rootfs/etc/linuxigd/63366655
rootfs/etc/linuxigd/63366655/gatedesc0a.xml
rootfs/etc/linuxigd/63366655/gatedesc0b.xml
rootfs/etc/linuxigd/63366655/wanipv6fwctrlSCPD.xml
rootfs/etc/linuxigd/63366655/gatedesc1.xml
rootfs/etc/linuxigd/63366655/gateEthlcfgSCPD.xml
rootfs/etc/linuxigd/63366655/layer3forwardingSCPD.xml
rootfs/etc/linuxigd/63366655/wanpppconnSCPD.xml
rootfs/etc/linuxigd/63366655/gatedesc.xml
rootfs/etc/linuxigd/63366655/ligd.png
rootfs/etc/linuxigd/63366655/.wh.__dir_opaque
rootfs/etc/linuxigd/63366655/lanhostconfigSCPD.xml
rootfs/etc/linuxigd/63366655/wancomicfgSCPD.xml
rootfs/etc/linuxigd/63366655/wanipconnSCPD.xml
rootfs/etc/linuxigd/.wh.wanipv6fwctrlSCPD.xml
rootfs/lib
rootfs/lib/upgrade
rootfs/lib/upgrade/keep.d
rootfs/lib/upgrade/keep.d/dropbear
rootfs/usr
rootfs/usr/local
rootfs/usr/local/mediaserver
rootfs/usr/local/mediaserver/twonkyvision-mediaserver.ini
rootfs/usr/local/mediaserver/twonky-config.html
rootfs/www -> /usr/share/gui-core/www
rootfs/root
rootfs/root/.ssh
rootfs/root/.ssh/known_hosts
rootfs/Music
rootfs/Music/.wh.__dir_opaque
rootfs/Video
rootfs/Video/.wh.__dir_opaque
rootfs/Picture
rootfs/Picture/.wh.__dir_opaque
Extracted /dev/mtd2
img-1844237030_vol-aes_key1.ubifs
img-1844237030_vol-aes_key2.ubifs
img-1844237030_vol-aes_key_operator.ubifs
img-1844237030_vol-permanent_param.ubifs
img-1844237030_vol-secondaryboot-secure.ubifs
img-1844237030_vol-secondaryboot.ubifs
img-1844237030_vol-uboot.ubifs
Extracted /dev/mtd3
ubifs-root/mtd3_ubi.img/img-759071194_vol-filesystem1.ubifs
ubifs-root/mtd3_ubi.img/img-759071194_vol-rescue.ubifs
ubifs-root/mtd3_ubi.img/img-759071194_vol-operational.ubifs
Mount ubifs
A loop device only helps for a volume that holds a block-mountable filesystem image such as SquashFS. UBIFS cannot be mounted from a loop device at all, it needs a UBI device, and the volumes extracted from mtd2 (secondaryboot, uboot, permanent_param, aes_key*) are static UBI volumes, i.e. raw blobs, whatever the .ubifs suffix ubi_reader gives them. The mountable UBIFS volumes are the ones in mtd3 (filesystem1, rescue, operational). The way to mount those on a host is to load nandsim, write the raw mtd3 dump to the simulated device, attach it with ubiattach and mount the volume by name (ubi0:filesystem1). The simulated chip has to match the UBI header printed above, min I/O 2048 and PEB size 131072, or the attach will not succeed.
losetup -f --show img-1844237030_vol-uboot.ubifs
modprobe nandsim first_id_byte=0x2c second_id_byte=0x84 third_id_byte=0x64 fourth_id_byte=0x1d
dmesg
Output matching the serial boot log. Check the geometry before going further: the chip shown below has 512-byte pages and 16 KiB erase blocks, which does not fit an image with 128 KiB PEBs, so pick ID bytes that yield a 2048-byte page and a 128 KiB erase size before attaching.
[1758382.418956] nand: device found, Manufacturer ID: 0x98, Chip ID: 0x39
[1758382.418959] nand: Toshiba NAND 128MiB 1,8V 8-bit
[1758382.418962] nand: 128 MiB, SLC, erase size: 16 KiB, page size: 512, OOB size: 16
[1758382.418996] flash size: 128 MiB
[1758382.418999] page size: 512 bytes
[1758382.419001] OOB area size: 16 bytes
[1758382.419002] sector size: 16 KiB
[1758382.419004] pages number: 262144
[1758382.419006] pages per sector: 32
[1758382.419007] bus width: 8
[1758382.419009] bits in sector size: 14
[1758382.419011] bits in page size: 9
[1758382.419013] bits in OOB size: 4
[1758382.419014] flash size with OOB: 135168 KiB
[1758382.419016] page address bytes: 4
[1758382.419018] sector address bytes: 3
[1758382.419019] options: 0x42
[1758382.421467] Scanning device for bad blocks
[1758382.442024] Creating 1 MTD partitions on "NAND 128MiB 1,8V 8-bit":
[1758382.442037] 0x000000000000-0x000008000000 : "NAND simulator partition 0"
Chroot Operational, Rescue and Root
- Ensure the qemu-arm-static binary is available
- Extract the router firmware (specifically the SquashFS filesystem you want to chroot into) to a known directory
#!/usr/bin/env bash
# - iNFO --------------------------------------
#
# Author: wuseman <wuseman@nr1.nu>
# FileName: mtd-backup-sagemcom.sh
# Created: 2021-01-12 (17:18:44)
# Modified:
# Version: 1.0
# License: MIT
#
# ---------------------------------------------
set -euo pipefail
FIRMWARE_ROOT="<some_extracted_firmware>.squashfs-root"
# Mount the pseudo filesystems the firmware's init scripts expect to find
mkdir -p "$FIRMWARE_ROOT/proc" "$FIRMWARE_ROOT/sys" "$FIRMWARE_ROOT/dev" "$FIRMWARE_ROOT/usr/bin"
mount -t proc proc "$FIRMWARE_ROOT/proc"
mount --rbind /sys "$FIRMWARE_ROOT/sys"
mount --rbind /dev "$FIRMWARE_ROOT/dev"
# Copy the static ARM emulator into the firmware tree: after chroot the kernel resolves
# the interpreter path registered below relative to the new root
cp /usr/bin/qemu-arm-static "$FIRMWARE_ROOT/usr/bin/"
# Register the ARM ELF signature with binfmt_misc (mount it first if needed, skip if already
# registered). binfmt_misc parses the \x escapes itself, so a plain echo is correct here.
if [ ! -f /proc/sys/fs/binfmt_misc/register ]; then
    mount -t binfmt_misc binfmt_misc /proc/sys/fs/binfmt_misc
fi
if [ ! -e /proc/sys/fs/binfmt_misc/qemu-arm ]; then
    echo ':qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm-static:' > /proc/sys/fs/binfmt_misc/register
fi
# Chroot into the firmware
chroot "$FIRMWARE_ROOT" /usr/bin/qemu-arm-static /bin/sh
Get GUI Online
- Copy urlbox.conf and bind.conf from filesystem1 in ubi0_0.img
- Configure the required modules and patches for the environment
- Set your NIC to eth0 to avoid trouble with the xmo server
/etc/init.d/ismd.conf
/etc/init.d/lighttpd start
/etc/init.d/hg6d start
/etc/init.d/cron start
/etc/init.d/isc-dhcp start
/etc/init.d/firewall-app start
/etc/init.d/firewall-utils start
/etc/init.d/ismd start
hg6d -d
xml-client --user internal --password internal -p "Device"
MTD Backup Script
#!/usr/bin/env bash
# - iNFO --------------------------------------
#
# Author: wuseman <wuseman@nr1.nu>
# FileName: mtd-backup-sagemcom.sh
# Created: 2021-01-12 (17:18:44)
# Modified:
# Version: 1.0
# License: MIT
#
# ---------------------------------------------
backup_directory="$HOME/sagemcom_backup/mtd-backup/mtd-partitions"
remote_user="Administrator"
remote_pass="<router_pass>"
remote_host="192.168.1.1"
# Ensure the backup directory exists
mkdir -p "${backup_directory}"
# Run a command on the router (the password goes on the command line: fine on a lab host, not a shared one)
remote() {
    sshpass -p "${remote_pass}" ssh -o StrictHostKeyChecking=no "${remote_user}@${remote_host}" "$@"
}
create_backup() {
    local remote_mtd="$1"
    local mtd_name="$2"
    local expected_size="$3"
    local backup_file="${backup_directory}/${remote_mtd}_${mtd_name}.img"
    echo "[*] Creating backup of ${remote_mtd} (${mtd_name})..."
    if remote "dd if=/dev/${remote_mtd} bs=1M" | dd of="${backup_file}" status=progress; then
        # A partition dump must be exactly as large as /proc/mtd says; anything else is a short read
        local actual_size
        actual_size=$(stat -c %s "${backup_file}")
        if [ "${actual_size}" -eq "${expected_size}" ]; then
            echo "[*] Backup of ${remote_mtd} (${mtd_name}) created: ${backup_file} (${actual_size} bytes)"
        else
            echo "[!] Size mismatch for ${remote_mtd} (${mtd_name}): got ${actual_size}, expected ${expected_size}"
        fi
    else
        echo "[*] Failed to create backup of ${remote_mtd} (${mtd_name})"
    fi
}
# Retrieve the MTD partitions and iterate over them.
# /proc/mtd lines look like:   mtd3: 08d40000 00020000 "ubi"
# The device field carries a trailing colon, the sizes are hex, and the quoted name
# may contain spaces, so read the name as the rest of the line and clean both up.
mtd_output=$(remote "cat /proc/mtd")
echo "$mtd_output" | grep '^mtd[0-9]' | while read -r partition size _erasesize name; do
    partition="${partition%:}"
    mtd_name=$(echo "$name" | tr -d '"' | tr ' ' '_')
    create_backup "$partition" "$mtd_name" "$((16#${size}))"
done
Contribution
Contributions will not be reviewed or answered, nor will questions sent by mail.
Conclusion
The insights and methods shared here underscore the necessity of advanced expertise to engage with the Sagemcom F@st 5370e at this level. It's a clear indication that without a substantial background in hardware and firmware security, attempting to replicate or understand these configurations may not only be futile but could also lead to irreversible device states (such as permalock).
This segment of our journey with the Sagemcom F@st 5370e is shared to illuminate the heights of technical mastery possible and to inspire a new generation of researchers to push the boundaries of knowledge, always with respect for the integrity and security of the systems we seek to understand.
Happy Hacking!