Sagemcom F@st 5370e
Emulation and Chroot
Install ubi-reader
# Gentoo: ubi_reader supplies the ubireader_* inspection/extraction tools; mtd-utils supplies the UBI/MTD userspace utilities.
emerge --ask sys-fs/ubi_reader sys-fs/mtd-utils
MTD Partitions
dev: size erasesize name
mtd0: 00020000 00020000 "nvram"
mtd1: 000a0000 00020000 "cfe"
mtd2: 008c0000 00020000 "boot"
mtd3: 08d40000 00020000 "ubi"
mtd4: 06940000 00020000 "data"
mtd5: 02815000 0001f000 "filesystem1"
mtd6: 00ded000 0001f000 "operational"
mtd7: 0189a800 0001f000 "rescue"
mtd8: 0001f000 0001f000 "firm_header"
mtd9: 00271800 0001f000 "kernel"
mtd10: 01629000 0001f000 "rootfs"
mtd11: 000895e4 0001f000 "secondaryboot"
mtd12: 0001fa40 0001f000 "secondaryboot-secure"
mtd13: 000a3e20 0001f000 "uboot"
mtd14: 000029e8 0001f000 "permanent_param"
mtd15: 00000040 0001f000 "aes_key1"
mtd16: 00000040 0001f000 "aes_key2"
mtd17: 00000040 0001f000 "aes_key_operator"
Reverse Engineering UBI Files
UBI File
---------------------
Min I/O: 2048
LEB Size: 126976
PEB Size: 131072
Total Block Count: 70
Data Block Count: 17
Layout Block Count: 2
Internal Volume Block Count: 0
Unknown Block Count: 51
First UBI PEB Number: 0
Image: 1844237030
---------------------
Image Sequence Num: 1844237030
Volume Name:secondaryboot
Volume Name:secondaryboot-secure
Volume Name:uboot
Volume Name:permanent_param
Volume Name:aes_key1
Volume Name:aes_key2
Volume Name:aes_key_operator
PEB Range: 0 - 67
Volume: secondaryboot
---------------------
Vol ID: 0
Name: secondaryboot
Block Count: 5
Volume Record
---------------------
alignment: 1
crc: '0x175a220'
data_pad: 0
errors: ''
flags: 0
name: 'secondaryboot'
name_len: 13
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 0
reserved_pebs: 9
upd_marker: 0
vol_type: 'static'
Volume: secondaryboot-secure
---------------------
Vol ID: 2
Name: secondaryboot-secure
Block Count: 2
Volume Record
---------------------
alignment: 1
crc: '0xd0051b74'
data_pad: 0
errors: ''
flags: 0
name: 'secondaryboot-secure'
name_len: 20
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 2
reserved_pebs: 9
upd_marker: 0
vol_type: 'static'
Volume: uboot
---------------------
Vol ID: 4
Name: uboot
Block Count: 6
Volume Record
---------------------
alignment: 1
crc: '0x5126322f'
data_pad: 0
errors: ''
flags: 0
name: 'uboot'
name_len: 5
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 4
reserved_pebs: 9
upd_marker: 0
vol_type: 'static'
Volume: permanent_param
---------------------
Vol ID: 5
Name: permanent_param
Block Count: 1
Volume Record
---------------------
alignment: 1
crc: '0x79ad11fa'
data_pad: 0
errors: ''
flags: 0
name: 'permanent_param'
name_len: 15
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 5
reserved_pebs: 9
upd_marker: 0
vol_type: 'static'
Volume: aes_key1
---------------------
Vol ID: 6
Name: aes_key1
Block Count: 1
Volume Record
---------------------
alignment: 1
crc: '0x5879b043'
data_pad: 0
errors: ''
flags: 0
name: 'aes_key1'
name_len: 8
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 6
reserved_pebs: 1
upd_marker: 0
vol_type: 'static'
Volume: aes_key2
---------------------
Vol ID: 7
Name: aes_key2
Block Count: 1
Volume Record
---------------------
alignment: 1
crc: '0xb0aabd64'
data_pad: 0
errors: ''
flags: 0
name: 'aes_key2'
name_len: 8
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 7
reserved_pebs: 1
upd_marker: 0
vol_type: 'static'
Volume: aes_key_operator
---------------------
Vol ID: 8
Name: aes_key_operator
Block Count: 1
Volume Record
---------------------
alignment: 1
crc: '0x29f959f0'
data_pad: 0
errors: ''
flags: 0
name: 'aes_key_operator'
name_len: 16
padding: '\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 8
reserved_pebs: 1
upd_marker: 0
vol_type: 'static'
List Content Inside The Ubi Images
data
data/dumpcore_hg6d
data/lastrandom
conf
conf/syslog_file
conf/backup-cfg-GRE-12.xml
conf/backup-cfg-DSL-12.xml
conf/backup-cfg-GRE-13.xml
conf/backup-cfg-DSL-13.xml
conf/backup-cfg-Routing-12.xml
conf/backup-cfg-TELIA-12.xml
conf/backup-cfg-Routing-13.xml
conf/backup-cfg-TELIA-13.xml
conf/backup-cfg-RootDataModelVersion-12.xml
conf/backup-cfg-RootDataModelVersion-13.xml
conf/backup-cfg-Time-12.xml
conf/backup-cfg-WiFi-12.xml
conf/backup-cfg-Time-13.xml
conf/backup-cfg-WiFi-13.xml
conf/dhcpd6.leases
conf/backup-cfg-Managers-12.xml
conf/backup-cfg-Managers-13.xml
conf/backup-cfg-UserAccounts-16.xml
conf/backup-cfg-UserAccounts-17.xml
conf/backup-cfg-NAT-12.xml
conf/backup-cfg-NAT-13.xml
conf/backup-cfg-Services_ParentalControl-12.xml
conf/backup-cfg-Services_ParentalControl-13.xml
conf/backup-cfg-WatchDog-12.xml
conf/backup-cfg-WatchDog-13.xml
conf/backup-cfg-Hosts-87.xml
conf/backup-cfg-Hosts-88.xml
conf/scratchpad
conf/backup-cfg-Services_DynamicDNS-12.xml
conf/backup-cfg-Services_DynamicDNS-13.xml
conf/backup-cfg-DHCPv6-12.xml
conf/backup-cfg-DHCPv6-13.xml
conf/backup-cfg-Firewall-12.xml
conf/backup-cfg-Firewall-13.xml
conf/operator_log_1
conf/backup-cfg-IP-14.xml
conf/backup-cfg-IP-15.xml
conf/backup-cfg-USB-12.xml
conf/backup-cfg-USB-13.xml
conf/backup-cfg-DNS-13.xml
conf/backup-cfg-DNS-14.xml
conf/dhcpd.leases~
conf/backup-cfg-QoS-12.xml
conf/backup-cfg-QoS-13.xml
conf/backup-cfg-PPP-12.xml
conf/backup-cfg-PPP-13.xml
conf/dhcpd.leases
conf/backup-cfg-DHCPv4-14.xml
conf/backup-cfg-DHCPv4-15.xml
conf/backup-cfg-UPnP-12.xml
conf/backup-cfg-UPnP-13.xml
conf/backup-cfg-NeighborDiscovery-12.xml
conf/backup-cfg-NeighborDiscovery-13.xml
conf/backup-cfg-MQTT-12.xml
conf/backup-cfg-MQTT-13.xml
conf/backup-cfg-Bridging-12.xml
conf/backup-cfg-Bridging-13.xml
conf/backup-cfg-ManagementServer-12.xml
conf/backup-cfg-ManagementServer-13.xml
conf/backup-cfg-WebAccesses-12.xml
conf/backup-cfg-WebAccesses-13.xml
conf/backup-cfg-IEEE8021x-12.xml
conf/backup-cfg-IEEE8021x-13.xml
conf/backup-cfg.xml.txt
conf/backup-cfg-Services_VoiceServices-19.xml
conf/backup-cfg-ATM-12.xml
conf/backup-cfg-ATM-13.xml
conf/backup-cfg-Services_VoiceServices-20.xml
conf/backup-cfg-GatewayInfo-12.xml
conf/backup-cfg-GatewayInfo-13.xml
conf/backup-cfg-Services_CLIPassword-12.xml
conf/backup-cfg-Services_CLIPassword-13.xml
conf/backup-cfg-Ethernet-12.xml
conf/backup-cfg-Ethernet-13.xml
conf/backup-cfg-UserInterface-12.xml
conf/backup-cfg-UserInterface-13.xml
conf/backup-cfg.xml.user
conf/dhcpd.conf
conf/backup-cfg-RouterAdvertisement-12.xml
conf/backup-cfg.xml.stable
conf/backup-cfg-RouterAdvertisement-13.xml
conf/backup-cfg-DeviceDiscovery-12.xml
conf/backup-cfg-DeviceDiscovery-13.xml
conf/backup-cfg-Services_StorageServices-12.xml
conf/backup-cfg-Services_StorageServices-13.xml
conf/backup-cfg-DLNA-12.xml
conf/backup-cfg-DeviceSummary-12.xml
conf/backup-cfg-DLNA-13.xml
conf/backupFmwVer.txt
conf/backup-cfg-DeviceSummary-13.xml
conf/backup-cfg-DeviceInfo-12.xml
conf/backup-cfg-DeviceInfo-13.xml
conf/backup-cfg-PTM-12.xml
conf/backup-cfg-RestoreInfo-12.xml
conf/backup-cfg-PTM-13.xml
conf/backup-cfg-RestoreInfo-13.xml
conf/backup-cfg.xml.prev.txt
rootfs
rootfs/etc
rootfs/etc/TZ
rootfs/etc/nas.conf
rootfs/etc/shadow-
rootfs/etc/cpe.pem
rootfs/etc/dropbear
rootfs/etc/dropbear/authorized_keys
rootfs/etc/dropbear/dropbear_rsa_host_key
rootfs/etc/dropbear/dropbear_dss_host_key
rootfs/etc/syslog-ng
rootfs/etc/syslog-ng/syslog-ng.conf
rootfs/etc/hosts
rootfs/etc/lighttpd
rootfs/etc/lighttpd/conf.d
rootfs/etc/lighttpd/conf.d/urlbox.conf
rootfs/etc/lighttpd/conf.d/bind.conf
rootfs/etc/shadow
rootfs/etc/config
rootfs/etc/config/calibration2gOk
rootfs/etc/config/calibration2gOk/.wh.__dir_opaque
rootfs/etc/config/calibration5gOk
rootfs/etc/config/calibration5gOk/.wh.__dir_opaque
rootfs/etc/upnpd.conf
rootfs/etc/linuxigd
rootfs/etc/linuxigd/.wh.gatedesc1.xml
rootfs/etc/linuxigd/.wh.wancomicfgSCPD.xml
rootfs/etc/linuxigd/.wh.wanipconnSCPD.xml
rootfs/etc/linuxigd/.wh.gatedesc.xml
rootfs/etc/linuxigd/.wh.layer3forwardingSCPD.xml
rootfs/etc/linuxigd/.wh.lanhostconfigSCPD.xml
rootfs/etc/linuxigd/.wh.gateEthlcfgSCPD.xml
rootfs/etc/linuxigd/.wh.ligd.png
rootfs/etc/linuxigd/.wh.wanpppconnSCPD.xml
rootfs/etc/linuxigd/63366655
rootfs/etc/linuxigd/63366655/gatedesc0a.xml
rootfs/etc/linuxigd/63366655/gatedesc0b.xml
rootfs/etc/linuxigd/63366655/wanipv6fwctrlSCPD.xml
rootfs/etc/linuxigd/63366655/gatedesc1.xml
rootfs/etc/linuxigd/63366655/gateEthlcfgSCPD.xml
rootfs/etc/linuxigd/63366655/layer3forwardingSCPD.xml
rootfs/etc/linuxigd/63366655/wanpppconnSCPD.xml
rootfs/etc/linuxigd/63366655/gatedesc.xml
rootfs/etc/linuxigd/63366655/ligd.png
rootfs/etc/linuxigd/63366655/.wh.__dir_opaque
rootfs/etc/linuxigd/63366655/lanhostconfigSCPD.xml
rootfs/etc/linuxigd/63366655/wancomicfgSCPD.xml
rootfs/etc/linuxigd/63366655/wanipconnSCPD.xml
rootfs/etc/linuxigd/.wh.wanipv6fwctrlSCPD.xml
rootfs/lib
rootfs/lib/upgrade
rootfs/lib/upgrade/keep.d
rootfs/lib/upgrade/keep.d/dropbear
rootfs/usr
rootfs/usr/local
rootfs/usr/local/mediaserver
rootfs/usr/local/mediaserver/twonkyvision-mediaserver.ini
rootfs/usr/local/mediaserver/twonky-config.html
rootfs/www -> /usr/share/gui-core/www
rootfs/root
rootfs/root/.ssh
rootfs/root/.ssh/known_hosts
rootfs/Music
rootfs/Music/.wh.__dir_opaque
rootfs/Video
rootfs/Video/.wh.__dir_opaque
rootfs/Picture
rootfs/Picture/.wh.__dir_opaque
Extracted /dev/mtd2
ending up with ubifs files
img-1844237030_vol-aes_key1.ubifs
img-1844237030_vol-aes_key2.ubifs
img-1844237030_vol-aes_key_operator.ubifs
img-1844237030_vol-permanent_param.ubifs
img-1844237030_vol-secondaryboot-secure.ubifs
img-1844237030_vol-secondaryboot.ubifs
img-1844237030_vol-uboot.ubifs
Extracted /dev/mtd3
ubifs-root/mtd3_ubi.img/img-759071194_vol-filesystem1.ubifs
ubifs-root/mtd3_ubi.img/img-759071194_vol-rescue.ubifs
ubifs-root/mtd3_ubi.img/img-759071194_vol-operational.ubifs
Mount ubifs
# Attach the extracted volume image to the first free loop device and print the device name.
losetup -f --show img-1844237030_vol-uboot.ubifs
# Load the NAND simulator, passing the four chip ID bytes it should report.
modprobe nandsim first_id_byte=0x2c second_id_byte=0x84 third_id_byte=0x64 fourth_id_byte=0x1d
# Read the kernel log to see which simulated chip was created.
dmesg
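output matching serial boot. Note that the chip reported below (Manufacturer ID 0x98, Chip ID 0x39, 512-byte pages, 16 KiB erase blocks) is nandsim's default device rather than the ID bytes passed to modprobe above, and its geometry differs from the UBI image analysed earlier (Min I/O 2048, PEB size 131072). Check that the simulated chip reports 2048-byte pages and 128 KiB erase blocks before attaching that image.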
[1758382.418956] nand: device found, Manufacturer ID: 0x98, Chip ID: 0x39
[1758382.418959] nand: Toshiba NAND 128MiB 1,8V 8-bit
[1758382.418962] nand: 128 MiB, SLC, erase size: 16 KiB, page size: 512, OOB size: 16
[1758382.418996] flash size: 128 MiB
[1758382.418999] page size: 512 bytes
[1758382.419001] OOB area size: 16 bytes
[1758382.419002] sector size: 16 KiB
[1758382.419004] pages number: 262144
[1758382.419006] pages per sector: 32
[1758382.419007] bus width: 8
[1758382.419009] bits in sector size: 14
[1758382.419011] bits in page size: 9
[1758382.419013] bits in OOB size: 4
[1758382.419014] flash size with OOB: 135168 KiB
[1758382.419016] page address bytes: 4
[1758382.419018] sector address bytes: 3
[1758382.419019] options: 0x42
[1758382.421467] Scanning device for bad blocks
[1758382.442024] Creating 1 MTD partitions on "NAND 128MiB 1,8V 8-bit":
[1758382.442037] 0x000000000000-0x000008000000 : "NAND simulator partition 0"
Chroot Operational, Rescue and Root
- Ensure the `qemu-arm-static` binary is available.
- Extract the router firmware (specifically the SquashFS filesystem you want to chroot into) to a known directory.
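#!/usr/bin/env bash
# - iNFO --------------------------------------
#
# Author: wuseman <wuseman@nr1.nu>
# FileName: mtd-backup-sagemcom.sh
# Created: 2021-01-12 (17:18:44)
# Modified:
# Version: 1.0
# License: MIT
#
# ---------------------------------------------
#
# Enter an extracted ARM firmware root through chroot, running its binaries
# under qemu-arm-static (user-mode emulation registered via binfmt_misc).
#
# Must run as root. chroot is not an isolation boundary: the firmware's
# binaries run as root on the host kernel with the host's /dev and /sys
# visible, so run this inside a disposable VM rather than on a workstation.
# NOTE(review): the FileName field above is the backup script's name; this
# header looks copied from it.
set -euo pipefail

FIRMWARE_ROOT="<some_extracted_firmware>.squashfs-root"
readonly QEMU_BIN="/usr/bin/qemu-arm-static"
readonly BINFMT_DIR="/proc/sys/fs/binfmt_misc"

if [[ ! -d "${FIRMWARE_ROOT}" ]]; then
  printf 'firmware root not found: %s\n' "${FIRMWARE_ROOT}" >&2
  exit 1
fi
if [[ ! -x "${QEMU_BIN}" ]]; then
  printf 'missing emulator binary: %s\n' "${QEMU_BIN}" >&2
  exit 1
fi

# Undo the mounts on every exit path. Leaving /dev or /sys bound inside the
# tree is dangerous: a later recursive delete of the firmware directory would
# reach the host's device nodes.
cleanup() {
  local mp
  for mp in dev sys proc; do
    if mountpoint -q "${FIRMWARE_ROOT}/${mp}"; then
      umount -R "${FIRMWARE_ROOT}/${mp}" \
        || printf 'warn: could not unmount %s\n' "${FIRMWARE_ROOT}/${mp}" >&2
    fi
  done
}
trap cleanup EXIT

# Mount necessary filesystems
mount -t proc proc "${FIRMWARE_ROOT}/proc"
mount --rbind /sys "${FIRMWARE_ROOT}/sys"
# rslave: stop unmounts inside the chroot tree from propagating to the host.
mount --make-rslave "${FIRMWARE_ROOT}/sys"
mount --rbind /dev "${FIRMWARE_ROOT}/dev"
mount --make-rslave "${FIRMWARE_ROOT}/dev"

# Copy the QEMU static binary for ARM to the root of the firmware's filesystem.
# The binfmt entry below has no flags, so the interpreter path is resolved
# inside the chroot and must exist there.
cp -- "${QEMU_BIN}" "${FIRMWARE_ROOT}/usr/bin/"

# Register the ARM binary format with the kernel (skipped when an entry named
# qemu-arm already exists, since a second registration is rejected).
# The \x sequences are passed literally; binfmt_misc decodes them itself.
if [[ ! -e "${BINFMT_DIR}/qemu-arm" ]]; then
  printf '%s\n' ':qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm-static:' \
    > "${BINFMT_DIR}/register"
fi

# Chroot into the firmware:
chroot "${FIRMWARE_ROOT}" "${QEMU_BIN}" /bin/sh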
Get WebUI Server from Lighttpd up and running
- Copy `urlbox.conf` and `bind.conf` from `filesystem1` in ubi0_0.img
- Configure the required modules and patches for the environment
- Set your NIC to `eth0` to avoid trouble with the xmo server
/etc/inti.d/ismd.conf
# Presumably run inside the chroot: start the firmware's services through their init scripts.
/etc/init.d/lighttpd start
/etc/init.d/hg6d start
/etc/init.d/cron start
/etc/init.d/isc-dhcp start
/etc/init.d/firewall-app start
/etc/init.d/firewall-utils start
/etc/init.d/ismd start
# Launch hg6d directly with -d (NOTE(review): the flag's meaning is not shown on this page; confirm).
hg6d -d
# Query the "Device" path with xml-client, using the internal/internal account given here.
xml-client --user internal --password internal -p "Device"
MTD Backup Script
#!/usr/bin/env bash
# - iNFO --------------------------------------
#
# Author: wuseman <wuseman@nr1.nu>
# FileName: mtd-backup-sagemcom.sh
# Created: 2021-01-12 (17:18:44)
# Modified:
# Version: 1.0
# License: MIT
#
# ---------------------------------------------
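# Fail a pipeline when any stage fails, so a broken ssh is not masked by a
# successful local dd further down the pipe.
set -o pipefail

# MTD dumps from this device include volumes named aes_key1, aes_key2 and
# aes_key_operator plus the configuration store; create the backup directory
# and every image in it readable by the owner only.
umask 077

backup_directory="$HOME/sagemcom_backup/mtd-backup/mtd-partitions"
remote_user="Administrator"
# Placeholder: once the real password is filled in, this file is a credential
# store; keep it out of version control and restrict its mode.
remote_pass="<router_pass>"
remote_host="192.168.1.1"

# Ensure the backup directory exists
if ! mkdir -p -- "${backup_directory}"; then
  echo "[*] Cannot create backup directory: ${backup_directory}" >&2
  exit 1
fi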
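#######################################
# Dump one remote MTD partition over SSH into ${backup_directory}.
# Globals:
#   backup_directory, remote_user, remote_pass, remote_host (read)
# Arguments:
#   $1 - MTD device name as listed in /proc/mtd (e.g. mtd3; a trailing ':'
#        as printed by /proc/mtd is stripped)
#   $2 - partition label, used only in the output file name
# Outputs:
#   progress messages on stdout, rejections on stderr
# Returns:
#   0 when both the remote read and the local write succeed, 1 otherwise
#######################################
create_backup() {
  local remote_mtd="${1%:}"
  local mtd_name="$2"
  local backup_file="${backup_directory}/${remote_mtd}_${mtd_name}.img"
  local -a rc

  # Both values originate from the device's own /proc/mtd output. One is pasted
  # into a remote shell command and the other into a local path, so accept only
  # the expected shapes.
  if [[ ! "${remote_mtd}" =~ ^mtd[0-9]+$ ]]; then
    echo "[*] Refusing unexpected MTD device name: ${remote_mtd}" >&2
    return 1
  fi
  if [[ ! "${mtd_name}" =~ ^[A-Za-z0-9._-]+$ ]]; then
    echo "[*] Refusing unexpected partition label: ${mtd_name}" >&2
    return 1
  fi

  echo "[*] Creating backup of ${remote_mtd} (${mtd_name})..."
  # sshpass -e reads the password from $SSHPASS, keeping it out of argv where
  # other local users could read it from the process list.
  # ssh -n keeps ssh from draining the caller's stdin (the partition list when
  # this is called from a `while read` loop).
  # NOTE(review): StrictHostKeyChecking=no skips host-key verification for
  # unknown hosts, so the password is offered to whichever host answers at
  # ${remote_host}; prefer accept-new or a pinned known_hosts entry.
  SSHPASS="${remote_pass}" sshpass -e ssh -n -o StrictHostKeyChecking=no \
    "${remote_user}@${remote_host}" "dd if=/dev/${remote_mtd} bs=1M" \
    | dd of="${backup_file}" status=progress
  rc=("${PIPESTATUS[@]}")

  # Check the remote side too: without this, an ssh/auth failure leaves an
  # empty image that the local dd reports as a success.
  if ((rc[0] == 0 && rc[1] == 0)); then
    echo "[*] Backup of ${remote_mtd} (${mtd_name}) created: ${backup_file}"
  else
    echo "[*] Failed to create backup of ${remote_mtd} (${mtd_name})"
    # Do not leave a truncated image that could be mistaken for a good dump.
    rm -f -- "${backup_file}"
    return 1
  fi
}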
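# Retrieve the MTD partitions and iterate over them.
# sshpass -e takes the password from $SSHPASS instead of argv; ssh -n keeps
# stdin untouched.
if ! mtd_output=$(SSHPASS="${remote_pass}" sshpass -e ssh -n -o StrictHostKeyChecking=no \
  "${remote_user}@${remote_host}" "cat /proc/mtd"); then
  echo "[*] Could not read /proc/mtd from ${remote_host}" >&2
  exit 1
fi

# /proc/mtd rows look like:  mtd0: 00020000 00020000 "nvram"
# The list is fed on fd 3 rather than stdin, so an ssh started inside
# create_backup cannot swallow the remaining rows and end the loop early.
while read -r -u 3 partition _ _ name _; do
  # Drop the trailing ':' so the value is a usable /dev node name.
  partition=${partition%:}
  # Strip the quotes /proc/mtd puts around the label.
  mtd_name=${name//\"/}
  create_backup "$partition" "$mtd_name"
done 3< <(grep 'mtd[0-9]' <<<"$mtd_output")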