mattimustang / optus-sagemcom-fast-3864-hacks Goto Github PK
View Code? Open in Web Editor NEWAdvanced tools and tips for the Optus Sagemcom F@st 3864 broadband router
Advanced tools and tips for the Optus Sagemcom F@st 3864 broadband router
i dont know if there is rules to issues or something like that am just gonna leave here what i did found
http://192.168.0.1/rtroutecfg.cmd?action=view
http://192.168.0.1/arpview.cmd?action=view
http://192.168.0.1/backupsettings.cmd?action=view
http://192.168.0.1/seclogreset.cmd?action=view
http://192.168.0.1/security_log.cmd?action=view
http://192.168.0.1/seclogview.cmd
http://192.168.0.1/voicelogview.cmd
http://192.168.0.1/logview.cmd
http://192.168.0.1/scvrtsrv.cmd?action=view
http://192.168.0.1/devtoapp.cmd?action=view
http://192.168.0.1/addscvrtentry.cmd?action=view
http://192.168.0.1/firewallcfg.cmd?action=view
http://192.168.0.1/wancfgplusnet.cmd?action=view
http://192.168.0.1/scprttrg.cmd?action=view
http://192.168.0.1/scoutflt.cmd?action=view
http://192.168.0.1/scinflt.cmd?action=view
http://192.168.0.1/scmacflt.cmd?action=view
http://192.168.0.1/qoscls.cmd?action=view
http://192.168.0.1/scdmz.cmd?action=view
http://192.168.0.1/dslatm.cmd?action=view
http://192.168.0.1/ethwan.cmd?action=view
http://192.168.0.1/l2tpacwan.cmd?action=view
http://192.168.0.1/storageservicecfg.cmd?action=view
http://192.168.0.1/wancfg.cmd?action=view
http://192.168.0.1/wanifc.cmd?action=view
http://192.168.0.1/wansrvc.cmd?action=view
http://192.168.0.1/wanL3Edit.cmd?action=view
http://192.168.0.1/statsxtm.cmd?action=view
http://192.168.0.1/statswan.cmd?action=view
http://192.168.0.1/adslcfgadv.cmd?action=view
http://192.168.0.1/adslcfgtone.cmd?action=view
http://192.168.0.1/engdebug.cmd?action=view
http://192.168.0.1/dumpcfgdynamic.cmd?action=view
http://192.168.0.1/dumpcfg.cmd?action=view
http://192.168.0.1/dumpmdm.cmd?action=view
http://192.168.0.1/dumpmsg.cmd?action=view
http://192.168.0.1/qospolicer.cmd?action=view
http://192.168.0.1/qosqueue.cmd?action=view
http://192.168.0.1/qosmgmt.cmd?action=view
http://192.168.0.1/dhcpdstaticlease.cmd?action=view
http://192.168.0.1/prmngr.cmd?action=view
http://192.168.0.1/urlfilter.cmd?action=view
http://192.168.0.1/portmap.cmd?action=view
http://192.168.0.1/ripcfg.cmd?action=view
http://192.168.0.1/wlmacflt.cmd?action=view
http://192.168.0.1/wlwds.cmd?action=view
http://192.168.0.1/wlstationlist.cmd?action=view
http://192.168.0.1/ddnsmngr.cmd?action=view
http://192.168.0.1/certlocal.cmd?action=view
http://192.168.0.1/certca.cmd?action=view
http://192.168.0.1/ipv6lancfg.cmd?action=view
http://192.168.0.1/tunnelcfg.cmd?action=view
http://192.168.0.1/ippcfg.cmd?action=view
http://192.168.0.1/sysinfo.cmd?action=view
http://192.168.0.1/vstatus.cmd?action=view
http://192.168.0.1/LanguageIdSet.cmd?action=view
http://192.168.0.1/LanguageIdDisplaySet.cmd?action=view
http://192.168.0.1/modconn.cmd?action=view
http://192.168.0.1/lanvlancfg.html
http://192.168.0.1/mocacfg.html
http://192.168.0.1/qosqmgmt.html
http://192.168.0.1/rtdefaultcfg.html
http://192.168.0.1/adslcfgc.html
http://192.168.0.1/xdslcfg.html
http://192.168.0.1/dslbondingcfg.html
http://192.168.0.1/upnpcfg.html
http://192.168.0.1/dnsproxycfg.html
http://192.168.0.1/standby.html
http://192.168.0.1/bmu.html
http://192.168.0.1/wlcfg.html
http://192.168.0.1/wlsecurity.html
http://192.168.0.1/wlcfgadv.html
http://192.168.0.1/wlses.html
http://192.168.0.1/wlwapias.html
http://192.168.0.1/wlfon.html
http://192.168.0.1/voicemgcp_basic.html
http://192.168.0.1/voicentr.html
http://192.168.0.1/voicesip_basic.html
http://192.168.0.1/voicesip_advanced.html
http://192.168.0.1/voicesip_debug.html
http://192.168.0.1/voicedect.html
http://192.168.0.1/updatesettings.html
http://192.168.0.1/defaultsettings.html
http://192.168.0.1/seclogintro.html
http://192.168.0.1/sntpcfg.html
http://192.168.0.1/resetrouter.html
http://192.168.0.1/qsmain.html
http://192.168.0.1/tr69cfg.html
http://192.168.0.1/logout.html
http://192.168.0.1/logintro.html
http://192.168.0.1/logconfig.html
highlights settings that i was searching for
http://192.168.0.1/tr69cfg.html
http://192.168.0.1/dumpcfg.cmd?action=view //instead of decrypting the backup use this
http://192.168.0.1/dumpmdm.cmd?action=view //same as above but with hidden settings
http://192.168.0.1/dnscfg.html
if i said anything wrong just share me your knowledge
After following the instructions, for NBN bridge mode, the Sagemcom web user interface has a yellow Internet status "Waiting for ISP". The physical modem displays a solid DSL light, but the Internet light does not light up. Is there anything else required?
I ported OpenWrt to this device, all Ethernet ports and USB ports work. Wifi, xDSL, and FXS dont. It can boot from the RAM via TFTP and a permeant NAND installation.
ย
https://openwrt.org/inbox/toh/sagem/f_st3864op
I have 100/40 (upload/download) FTTN speed with Optus FTTN NBN.
When reset the modem/router to factory defaults, I get about 77/33 (not too bad considering still using copper between home and node), but when I follow the Bridging steps I was getting 77/0.5.
I found that no change happened when I disabled QoS (under Advanced Setup -> Quality of Service), but if I went under the sub-menu option of QoS Port Shaping and set the Shaping Rate for all Interfaces to Disabled, my upload speed issue was fixed.
How do i run this using windows version of python?
Hello,
I've noted this on the Readme.
NOTE: Optus has patched out the ability to upload unencrypted configuration files, so the only way to upload them is if you re-encrypt them. Apparently the IV and the Key has also changed, which means that the decryption tool now doesn't work on newer firmwares.
I've done your walkthrough and the txt file was all in Chinese(?) letters.
Is there any way around this?
Not sure if this walkthrough covers my sagemcom firmware. See specs below.
Board ID: | F@ST3864V2 |
---|---|
Symmetric CPU Threads: | 2 |
HardWare Version: | 253552181 |
Serial Number: | N7150751F000661 |
Software Version: | 8.353.25_F@ST5350_Optus |
Bootloader (CFE) Version: | 7.253.2 |
ConfigId: | F5350_Optus_11.conf |
Completed decryption of settings and found pass code except that when I enter http://admin:"password"@192.168.0.1/main.html it presents a pop-up box prompting me to input my details. the username "root" and "admin" along with the decrypted password do not result in success.
I have the :
F@ST3864V2
with version:
8.353.1_F@ST5350_Optus
I managed to get telnet service started but I did an nmap scan and the port seems to be filtered. Is there anyway to fix this?
I have version 10.54 and the "decrypted" backupsettings.conf is indeed producing junk.
I am also unable to log in to 192.168.0.1 with admin privileges.
Is there any investigation I can do on my end to get this working?
Just got the NBN with the Optus modem using the 10.70.1_F@ST3864V3HP_Optus software. The backup won't decrypt, and all the URLs for dumping the configs just return empty pages.
Any ideas how to get into this version? I'd really like to to dump the Optus junk but I need the VOIP settings.
Are you able to locate the configuration to override the DNS server IP?
The Optus firmware restricts changing the address, and has defaulted it to 198.142.152.164/165 (Optus DNS servers).
I've tried this method on my Optus Sagemcom 3864AC, and all I get is a garbage/encrypted file at the end. Happy to provide the config backup and decrypted files if it will help.
Board ID: | F@ST3864AC |
---|---|
Symmetric CPU Threads: | 2 |
HardWare Version: | 253688887 |
Serial Number: | N7170953B002975 |
Mac Address: | f4:6b:ef:6a:ef:44 |
Build Timestamp: | 180312_1608 |
Software Version: | 8.379_F@ST3864AC_Optus |
Bootloader (CFE) Version: | 8.358 |
DSL PHY and Driver Version: | A2pv6F039x6.d26r |
Wireless Driver Version: | 6.37.14.4803.cpe4.14L04.0-kdb |
Voice Service Version: | Voice |
Uptime: | 12D 15H 50M 20S |
ConfigId: | F3864AC_Optus_5.conf |
Hopefully this project is still something you are interested in :) I'm guessing the encryption method or the key has been changed.
Update: The latest updates will be available at https://github.com/rikka0w0/fast3864op-hacks
I disassembled a Sagemcom F@at 3864OP and soldered 4-pin headers to the PCB board, then hooked it up to a USB-UART 3.3V dongle. On my PC, I started a serial monitor (the baud rate is 115200) and got an interactive console. I was able to log in with the following credentials:
user: admin
password: 0ptU%1M5
Although it is not a Linux shell, it supports several commands (listed below), and the sh
command will get you a real Linux shell.
> swversion
8.353.1_F@ST5350_Optus
> help
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
brctl
cat
virtualserver
ddns
df
loglevel
logdest
dumpcfg
dumpmdm
dm
dumpeid
mdm
meminfo
psp
kill
dumpsysinfo
exitOnIdle
dnsproxy
syslog
echo
ifconfig
ping
ps
pwd
sntp
sysinfo
tftp
voice
dect
wlctl
arp
defaultgateway
dhcpserver
dns
lan
lanhosts
passwd
ppp
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
wan
mcpctl
The following is the demostration of the Linux shell:
> sh
BusyBox v1.17.2 (2016-07-23 18:57:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# ls /bin/*
/bin/acs_cli /bin/ftl_format /bin/setmem
/bin/acsd /bin/gmac /bin/sh
/bin/adsl /bin/gmacctl /bin/sleep
/bin/adslctl /bin/grep /bin/smbd
/bin/arl /bin/gunzip /bin/smbpasswd
/bin/arlctl /bin/hotplug /bin/smd
/bin/ash /bin/hspotap /bin/sntp
/bin/bash /bin/httpd /bin/spdsvc
/bin/bcm_boot_launcher /bin/ip /bin/spu
/bin/bpm /bin/ip6tables /bin/spuctl
/bin/bpmctl /bin/ippd /bin/ss
/bin/brctl /bin/iptables /bin/ssk
/bin/bsd /bin/iq /bin/stress
/bin/busybox /bin/iqctl /bin/stty
/bin/cat /bin/kill /bin/swmdk
/bin/chmod /bin/lld2d /bin/sync
/bin/consoled /bin/ln /bin/tc
/bin/cp /bin/ls /bin/telnetd
/bin/dart /bin/mcp /bin/tmsctl
/bin/date /bin/mcpctl /bin/tr69c
/bin/ddnsd /bin/mcpd /bin/true
/bin/dectd /bin/mdkshell /bin/ubiattach
/bin/deluser /bin/mkdir /bin/ubicrc32
/bin/df /bin/mknod /bin/ubidetach
/bin/dhcp6c /bin/mount /bin/ubiformat
/bin/dhcp6s /bin/mtd_debug /bin/ubimkvol
/bin/dhcpc /bin/mtdinfo /bin/ubinfo
/bin/dhcpd /bin/nanddump /bin/ubirename
/bin/diag_ping /bin/nandtest /bin/ubirmvol
/bin/dmesg /bin/nandwrite /bin/ubirsvol
/bin/dnsproxy /bin/nas /bin/ubiupdatevol
/bin/dnsspoof /bin/nas4not /bin/udhcpd
/bin/doc_loadbios /bin/nbtscan /bin/umount
/bin/dry /bin/ntfs-3g /bin/upnp
/bin/dsldiagd /bin/nvram /bin/urlfilterd
/bin/dumpmem /bin/nvramUpdate /bin/usb_modeswitch
/bin/eapd /bin/openl2tpd /bin/vlanctl
/bin/ebtables /bin/openssl /bin/vodsl
/bin/echo /bin/ping /bin/wl
/bin/epi_ttcp /bin/ping6 /bin/wl_server
/bin/ethctl /bin/pppd /bin/wl_server_socket
/bin/ethswctl /bin/ps /bin/wlctl
/bin/false /bin/pwd /bin/wlevt
/bin/fap /bin/pwr /bin/wlmngr
/bin/fapctl /bin/pwrctl /bin/wps_monitor
/bin/fast /bin/radvd /bin/xdslctl
/bin/fc /bin/rastatus6 /bin/xtables-multi
/bin/fcctl /bin/rawSocketTest /bin/xtm
/bin/flash_erase /bin/ripd /bin/xtmctl
/bin/flash_otp_dump /bin/rm /bin/zcat
/bin/flash_otp_info /bin/scriptDaemon /bin/zebra
/bin/flashcp /bin/send_cms_msg
# cat /proc/cpuinfo
system type : F@ST3864V2
processor : 0
cpu model : Broadcom BMIPS4350 V8.0
BogoMIPS : 397.31
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
ASEs implemented :
shadow register sets : 1
kscratch registers : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available
processor : 1
cpu model : Broadcom BMIPS4350 V8.0
BogoMIPS : 403.45
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
ASEs implemented :
shadow register sets : 1
kscratch registers : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available
# mount
rootfs on / type rootfs (rw)
mtd:rootfs on / type jffs2 (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime,size=420k)
tmpfs on /mnt type tmpfs (rw,relatime,size=16k)
sysfs on /sys type sysfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mtd:data on /data type jffs2 (rw,relatime)
none on /proc/bus/usb type usbfs (rw,relatime)
# free
sh: free: not found
# cat /proc/meminfo
MemTotal: 123396 kB
MemFree: 55004 kB
Buffers: 0 kB
Cached: 20432 kB
SwapCached: 0 kB
Active: 6400 kB
Inactive: 17564 kB
Active(anon): 3532 kB
Inactive(anon): 0 kB
Active(file): 2868 kB
Inactive(file): 17564 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 3520 kB
Mapped: 3660 kB
Shmem: 0 kB
Slab: 33160 kB
SReclaimable: 624 kB
SUnreclaim: 32536 kB
KernelStack: 1168 kB
PageTables: 396 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 61696 kB
Committed_AS: 8188 kB
VmallocTotal: 1032116 kB
VmallocUsed: 10560 kB
VmallocChunk: 1006836 kB
ip a
command is available, but uname
and whoami
are missing. The following is a snippet from the boot log:
Base: 4.14_04
CFE version 8.353.1 for BCM963268 (32bit,SP,BE)
Build Date: Sat Jul 23 18:46:20 CST 2016 ([email protected])
Copyright (C) 2005-2011 SAGEM Corporation.
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000
NAND flash device: , id 0xeff1 block 128KB size 131072KB
External switch id = 53125
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host/tftp (f/h/c) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Boot image (0=latest, 1=previous) : 0
Default host ramdisk file name :
Default ramdisk store address :
Board Id (0-38) : F@ST3864V2
I'm going to explore more on this, perhaps dump the entire firmware and share it with you guys.
Update:
I think there is a great chance of running Openwrt on this router, although it is very likely that running the xDSL and Wifi will be problematic:
openwrt/openwrt@ff2c963
https://openwrt.org/toh/sercomm/h500-s
https://github.com/micjo/bbox3
https://gist.github.com/Noltari/fa7561abbcca6acfbc279935a6bbf80c
admin password: veWdHnhC
admin login via:
http://admin:[email protected]/main.html
output of all config settings, including secrets:
http://192.168.0.1/dumpmdm.txt
with secrets encoded (base64) and less information:
http://192.168.0.1/dumpcfgdynamic.txt
NOTE: output is in HTML
The following also work:
http://192.168.0.1/dumpcfgdynamic.conf
http://192.168.0.1/dumpmdm.conf
Not an 'issue' as such: more of a workaround (and yields a plaintext XML file that can be edited).
http://[routerip]//dumpcfgdynamic.cmd?loginuser=2
Edit away, and reload. Make sure you back up the config first.
modem version is 7.276_F3864V2_Optus
NBN provider: Aussiebroadband
I was able to use the first factory password to login (http://192.168.0.1/main.html?loginuser=0)
I modified the following
after above steps, i was able to connect to internet.
After trying and failing with the decryption method, I've found a different and much more difficult alternative. What you do it solder to the UART headers in the router, then boot and reset. Login with one of the default passwords listed in the readme, then plug the router into the internet. The password will change but you'll still be logged in (This might also be possible via telnet?). Then you can use dumpcfg command to get the whole file, find the password, and base64 decode it.
I am getting a still encrypted file as an output of this script. It seems it does not work. The original one is in the attachment
backupsettings.zip
If I switch the SAGECOM router to bridge mode will I need to set my other router to PPPoE and enter my optus credentials in order to get internet?
My other Router is the "Google Wifi" system
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.