SAGEMCOM-FAST-5370e-TELIA_v2023 | Part 1

I have successfully gained full root access to Sagemcom's latest variant used by Telia (2023-09-09).

Since my previous repository, SAGEMCOM-FAST-5370e-TELIA, is quite old and already contains a wealth of information, I have decided to create a new one. This repository is an expanded version covering the latest release of their router.

Device Info

SOFTWARE RUNNING     : rescue

CFE-ROM              : 0.14.8 (BCM = 1.0.38.162.76.)
CFE-RAM              : 0.14.8
BOOT                 : U-Boot ScOS 2017.09@sc-0.26.0
PERMANENT Parameters : 1.2
OPERATIONAL software : scOS Test-5370 (8g.43.5.8.1)  file format is GSDF
RESCUE software      : scOS SG4T1E000042 (0.18.0)  file format is GSDF

Factory Users

User Account..........: Administrator
Sagemcom Developers...: internal
Telia Support.........: support
ACS...................: acs

Kernel command line

root=mtd:rootfs earlyprintk debug init=/etc/preinit ro rootfstype=squashfs 
console=ttyS0,115200 rootfs_offset=0x291800 rootfs_size=0x1b3f000  
mtdparts=nand.0:128k(nvram),640k(cfe),8960k(boot),144640k(ubi),-(data) 
ubi.mtd=ubi,0 part_main=ubi part_boot=boot image_ubivol=operational 
secure board_type=00030090 oek=04005578 oiv=040056b8

UBI0 Board Info

Base: 5.2_04
CFE version 1.0.38-162.76 for BCM963138 (32bit,SP,LE)
Build Date: vendredi 25 mai 2018, 17:47:56 (UTC+0200) (g601671@rmm-p200156.femto.urd1.local)
Copyright (C) 2000-2015 Broadcom Corporation.
Version cfe-ram: 0.14.8-sec

Boot Strap Register:  0x7dfffc2f
Chip ID: BCM63139_B0, ARM Cortex A9 Dual Core: 1000MHz
Total Memory: 536870912 bytes (512MB)
Status wait timeout: nandsts=0x50000000 mask=0x40000000, count=0
NAND ECC BCH-4, page size 0x800 bytes, spare size used 64 bytes
NAND flash device: Micron MT29F2G08ABA, id 0x2cda block 128KB size 262144KB
pmc_init:PMC using DQM mode
ERROR!!! Data pointer greater than total entry size
Board IP address                  : 192.168.1.1  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host/tftp (f/h/c)  : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Default host ramdisk file name    :   
Default ramdisk store address     :   
Default DTB file name             :   
Board Id                          : FAST5370e  
Number of MAC Addresses (1-64)    : 10  
Base MAC Address                  : 
PSI Size (1-128) KBytes           : 128  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Auxillary File System Size Percent: 0  
MC memory allocation (MB)         : 4  
TM memory allocation (MB)         : 44  
DHD 0 memory allocation (MB)      : 14  
DHD 1 memory allocation (MB)      : 7  
DHD 2 memory allocation (MB)      : 0  
WLan Feature                      : 0x00  
Partition 1 Size (MB)             : 0M  
Partition 2 Size (MB)             : 0M  
Partition 3 Size (MB)             : 0M  
Partition 4 Size (MB) (Data)      : 4MB  

Initalizing switch low level hardware.
pmc_switch_power_up: Rgmii Tx clock zone1 enable 0 zone2 enable 0. 
Software Resetting Switch ... Done.
Waiting MAC port Rx/Tx to be enabled by hardware ...Done
Disable Switch All MAC port Rx/Tx
Initializing UBI and starting U-Boot...
Looking for UBI...
Looking for U-Boot...
Found valid GSDF
We got aes_key1
We got aes_key2 enc
Starting U-Boot from UBI at 0x00080000

Authorized Key stored in /.ssh/authorized_keys

---- BEGIN SSH2 PUBLIC KEY ----
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA3VhXDw8oxKLUEctSKFaqNHHMbo59nBYXuvLaciQyIijk2B78v6t5LNkbZTCpjSIZZkCxcXh/L+Dyib0NJQ1E1dv5932prZfVz+ooXTYxkkJ0Ri9fmRKIiwDOrxYyYmNzglvKYNRcnC7M6RN6z4gU8ND8F3IO2WMtysJrXKQxZEahpN5UEVxi0KmjMM9NObEp0PT04PAZ3PYbgtodehpbboz65j8T/   DzCT21j8Ns6BGe9wva1+S/G+3vUDERMhyV9/Ermlec+EwEqnjq7jl/pG/3tUH99RNyD6AuhmOQXJQRfFE3VcQV+tfSVz30gJHvhiH5kCIPFnU12iEYgjqZfZlb9ICCmeW2H59itjbuOGCF2Yi2q87JldMaoluVqQ5LKo/zjY4Vsed2elbExtEtVn8+iTSVXjx/ZqOPLIv5+2qQu3whTmuZJv3Q+4nBb08spoj6EWOiSMpVvuyUeO7JNYy1XBA7IGROrHC/kVdkAmJdXFB4PexVZTF60cTbrBizGVzzverlUdmSFvFlO+6TjFzwfIWg3eC6QpBaW5vnqZilSxqDrk5cPhV89R2vYdWjgKdMleWsk28DRVO8rIs+HArVR4FmKCxFd8SdFmmXfOXrQxfDJb3HbFayEnUc4GVdHIR34gt5L+Ku/8BeuRLxC2/1Wfz1dZeubw1+gpME03BM=
---- END SSH2 PUBLIC KEY ----

MTD

grep . /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00020000 "nvram"
mtd1: 000a0000 00020000 "cfe"
mtd2: 008c0000 00020000 "boot"
mtd3: 08d40000 00020000 "ubi"
mtd4: 06940000 00020000 "data"
mtd5: 02815000 0001f000 "filesystem1"
mtd6: 00ded000 0001f000 "operational"
mtd7: 0189a800 0001f000 "rescue"
mtd8: 0001f000 0001f000 "firm_header"
mtd9: 00271800 0001f000 "kernel"
mtd10: 01629000 0001f000 "rootfs"
mtd11: 000895e4 0001f000 "secondaryboot"
mtd12: 0001fa40 0001f000 "secondaryboot-secure"
mtd13: 000a3e20 0001f000 "uboot"
mtd14: 000029e8 0001f000 "permanent_param"
mtd15: 00000040 0001f000 "aes_key1"
mtd16: 00000040 0001f000 "aes_key2"
mtd17: 00000040 0001f000 "aes_key_operator"

Uci settings

# uci show
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].boguspriv=1
mosquitto.owrt=owrt
mosquitto.owrt.use_uci=0
mosquitto.mosquitto=mosquitto
network.loopback=interface
network.loopback.ifname=lo
network.loopback.proto=static
network.loopback.ipaddr=127.0.0.1
network.loopback.netmask=255.0.0.0
network.lan=interface
network.lan.ifname=eth0
network.lan.type=bridge
network.lan.proto=static
network.lan.ipaddr=192.168.1.1
network.lan.netmask=255.255.255.0
timeserver.@timeserver[0]=timeserver
timeserver.@timeserver[0].hostname=ac-ntp0.net.cmu.edu
timeserver.@timeserver[1]=timeserver
timeserver.@timeserver[1].hostname=ptbtime1.ptb.de
timeserver.@timeserver[2]=timeserver
timeserver.@timeserver[2].hostname=ac-ntp1.net.cmu.edu
timeserver.@timeserver[3]=timeserver
timeserver.@timeserver[3].hostname=tick.greyware.com
timeserver.@timeserver[4]=timeserver
timeserver.@timeserver[4].hostname=ntp.xs4all.nl
timeserver.@timeserver[5]=timeserver
timeserver.@timeserver[5].hostname=ptbtime2.ptb.de
timeserver.@timeserver[6]=timeserver
timeserver.@timeserver[6].hostname=cudns.cit.cornell.edu
timeserver.@timeserver[7]=timeserver
timeserver.@timeserver[7].hostname=ptbtime3.ptb.de

Banners

Rootfs

       _   _ _____ _    _  ___ 
      | | | |  __ \ |  | |/ __)
      | |_| | |  \/ |  | / /__ 
      |  _  | | __| |/\| |  _ \
      | | | | |_\ \  /\  / (_) )
      \_| |_/\____/\/  \/ \___/

   Embedded Sagemcom Linux Distribution
 ---------------------------------------------------

  Version: SG4T1E000042 (0.18.0)
  Built: by g360230@compil-atr-2 on Thu Apr 26 16:47:31 CET 2018

Rescue

       _   _ _____ _    _  ___ 
      | | | |  __ \ |  | |/ __)
      | |_| | |  \/ |  | / /__ 
      |  _  | | __| |/\| |  _ \
      | | | | |_\ \  /\  / (_) )
      \_| |_/\____/\/  \/ \___/

   Embedded Sagemcom Linux Distribution
 ---------------------------------------------------

  Version: SG4T1E000042 (0.18.0)
  Built: by g360230@compil-atr-2 on Thu Apr 26 16:47:31 CET 2018

Operational

       _   _ _____ _    _  ___ 
      | | | |  __ \ |  | |/ __)
      | |_| | |  \/ |  | / /__ 
      |  _  | | __| |/\| |  _ \
      | | | | |_\ \  /\  / (_) )
      \_| |_/\____/\/  \/ \___/

   Embedded Sagemcom Linux Distribution
 ---------------------------------------------------

  Version: Test-5370 (8g.43.5.8.1)
  Built: by g110981@rmm-p1303058fl on Thu May 31 09:53:39 CEST 2018

Guide to Chrooting into Sagemcom Firmware:

1. Pre-requisites:

  • Ensure you have qemu-arm-static binary installed on your system.
  • Extract the Sagemcom firmware (specifically the SquashFS filesystem you want to chroot into) to a known directory.

2. Set up the chroot environment:

# Define your firmware root directory for easier reference.
# Pick the one filesystem you want to enter; only one assignment may be active,
# since each line overwrites the previous value.
FIRMWARE_ROOT="/home/wuseman/chroot/sagemcom/operational_sagemcom/squashfs-root"
#FIRMWARE_ROOT="/home/wuseman/chroot/sagemcom/rescue_sagemcom/squashfs-root"
#FIRMWARE_ROOT="/home/wuseman/chroot/sagemcom/rootfs_sagemcom/squashfs-root"

# Mount necessary filesystems
mount -t proc proc $FIRMWARE_ROOT/proc
mount --rbind /sys $FIRMWARE_ROOT/sys
mount --rbind /dev $FIRMWARE_ROOT/dev

# Copy the QEMU static binary for ARM to the root of the firmware's filesystem
cp /usr/bin/qemu-arm-static $FIRMWARE_ROOT/usr/bin/

3. Register the ARM binary format with the kernel:

echo ':qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm-static:' > /proc/sys/fs/binfmt_misc/register

4. Chroot into the firmware:

chroot $FIRMWARE_ROOT /usr/bin/qemu-arm-static /bin/sh

Now you should be inside the firmware's environment and can interact with it as if it were running natively on ARM hardware.

Note: Always remember to unmount the proc, sys, and dev directories after you're done working in the chroot environment. Because /sys and /dev were attached with --rbind, their submounts (for example /dev/pts) came along, so those two must be unmounted recursively or umount will report the target as busy:

umount -R $FIRMWARE_ROOT/dev
umount -R $FIRMWARE_ROOT/sys
umount $FIRMWARE_ROOT/proc
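
Steps 2 to 4 above, as an added example that is not the repository's own script: one function that refuses to run without root or without qemu-arm-static, checks that the target really is an unpacked root, registers the binfmt entry only if it is not already present (a second write of the same entry is rejected), and unmounts everything when the chroot shell exits. It assumes the SquashFS has already been unpacked into the directory passed as its argument.

```sh
#!/bin/sh
# Added example (not the repository's script): steps 2-4 above as one
# function that validates its inputs, registers the binfmt entry only once
# and tears the mounts down when the chroot shell exits.
# Assumes the SquashFS has already been unpacked into the directory in $1.
QEMU=/usr/bin/qemu-arm-static
BINFMT_NAME=qemu-arm
# Same ARM ELF magic/mask as the page's echo line; binfmt_misc decodes the
# \x escapes itself, so the string is written literally.
BINFMT_ENTRY=':qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm-static:'

# An unpacked root we can enter: bin/sh (usually a busybox symlink) exists
# and there is a usr/bin to receive the qemu binary.
firmware_root_ok() {
  [ -d "$1" ] && { [ -f "$1/bin/sh" ] || [ -L "$1/bin/sh" ]; } && [ -d "$1/usr/bin" ]
}

binfmt_registered() { [ -e "/proc/sys/fs/binfmt_misc/$BINFMT_NAME" ]; }

# Reverse of the mount order; -R also drops what --rbind pulled in (/dev/pts...).
cleanup_mounts() {
  umount -R "$FIRMWARE_ROOT/dev" 2>/dev/null || true
  umount -R "$FIRMWARE_ROOT/sys" 2>/dev/null || true
  umount "$FIRMWARE_ROOT/proc" 2>/dev/null || true
}

enter_firmware() {
  FIRMWARE_ROOT=$1
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  [ -x "$QEMU" ] || { echo "missing $QEMU" >&2; return 1; }
  firmware_root_ok "$FIRMWARE_ROOT" || { echo "not an unpacked root: $FIRMWARE_ROOT" >&2; return 1; }
  # A second write of the same entry fails with EEXIST, so check first.
  binfmt_registered || printf '%s\n' "$BINFMT_ENTRY" > /proc/sys/fs/binfmt_misc/register
  cp "$QEMU" "$FIRMWARE_ROOT/usr/bin/"
  trap cleanup_mounts EXIT INT TERM
  mount -t proc proc "$FIRMWARE_ROOT/proc"
  mount --rbind /sys "$FIRMWARE_ROOT/sys"
  mount --rbind /dev "$FIRMWARE_ROOT/dev"
  chroot "$FIRMWARE_ROOT" /usr/bin/qemu-arm-static /bin/sh
}

if [ "$#" -eq 1 ]; then enter_firmware "$1"; fi
```

Run it as root with the squashfs-root directory as the only argument; the mounts are removed whether the shell exits normally or is interrupted.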

Find all files that include "telia" (grep -l prints only the names of matching files; proc, dev and sys are pruned so the host's mounts are not searched)

find . \( -path ./proc -o -path ./dev -o -path ./sys \) -prune -o -type f -exec grep -l "telia" {} \;

Shadow file

root:$1$ktZkpxnY$FLCb0GopVjc.wWfWXYSJk/:13848:0:99999:7:::
Administrator:x:13848:0:99999:7:::
support:$1$iKH6d9We$FoWQGFUv6dEi5yilOl0xA1:13848:0:99999:7:::
mosquitto:x:13848:0:99999:7:::
nobody:*:13848:0:99999:7:::
daemon:*:13848:0:99999:7:::
lighttpd:*:13848:0:99999:7:::
tr69:*:13848:0:99999:7:::
twonky:*:13848:0:99999:7:::

Passwd file (root, Administrator and support all map to UID 0)

root:x:0:0:root:/root:/bin/ash
Administrator:x:0:0:Administrator:/root:/bin/ash
support:x:0:0:support:/root:/bin/ash
mosquitto:x:1001:1001:Linux User,,,:/home/mosquitto:/bin/sh
nobody:*:65534:65534:nobody:/var:/bin/false
daemon:*:65534:65534:daemon:/var:/bin/false
lighttpd:*:1002:1002:lighttpd:/:/bin/false
tr69:*:1003:1002:tr69:/:/bin/false
twonky:*:1004:1004:twonky:/:/bin/false