optus-sagemcom-fast-3864-hacks's Issues

stuff i found on the internet

I don't know if there are rules for issues or something like that; I'm just going to leave here what I found.
http://192.168.0.1/rtroutecfg.cmd?action=view
http://192.168.0.1/arpview.cmd?action=view
http://192.168.0.1/backupsettings.cmd?action=view
http://192.168.0.1/seclogreset.cmd?action=view
http://192.168.0.1/security_log.cmd?action=view
http://192.168.0.1/seclogview.cmd
http://192.168.0.1/voicelogview.cmd
http://192.168.0.1/logview.cmd
http://192.168.0.1/scvrtsrv.cmd?action=view
http://192.168.0.1/devtoapp.cmd?action=view
http://192.168.0.1/addscvrtentry.cmd?action=view
http://192.168.0.1/firewallcfg.cmd?action=view
http://192.168.0.1/wancfgplusnet.cmd?action=view
http://192.168.0.1/scprttrg.cmd?action=view
http://192.168.0.1/scoutflt.cmd?action=view
http://192.168.0.1/scinflt.cmd?action=view
http://192.168.0.1/scmacflt.cmd?action=view
http://192.168.0.1/qoscls.cmd?action=view
http://192.168.0.1/scdmz.cmd?action=view
http://192.168.0.1/dslatm.cmd?action=view
http://192.168.0.1/ethwan.cmd?action=view
http://192.168.0.1/l2tpacwan.cmd?action=view
http://192.168.0.1/storageservicecfg.cmd?action=view
http://192.168.0.1/wancfg.cmd?action=view
http://192.168.0.1/wanifc.cmd?action=view
http://192.168.0.1/wansrvc.cmd?action=view
http://192.168.0.1/wanL3Edit.cmd?action=view
http://192.168.0.1/statsxtm.cmd?action=view
http://192.168.0.1/statswan.cmd?action=view
http://192.168.0.1/adslcfgadv.cmd?action=view
http://192.168.0.1/adslcfgtone.cmd?action=view
http://192.168.0.1/engdebug.cmd?action=view
http://192.168.0.1/dumpcfgdynamic.cmd?action=view
http://192.168.0.1/dumpcfg.cmd?action=view
http://192.168.0.1/dumpmdm.cmd?action=view
http://192.168.0.1/dumpmsg.cmd?action=view
http://192.168.0.1/qospolicer.cmd?action=view
http://192.168.0.1/qosqueue.cmd?action=view
http://192.168.0.1/qosmgmt.cmd?action=view
http://192.168.0.1/dhcpdstaticlease.cmd?action=view
http://192.168.0.1/prmngr.cmd?action=view
http://192.168.0.1/urlfilter.cmd?action=view
http://192.168.0.1/portmap.cmd?action=view
http://192.168.0.1/ripcfg.cmd?action=view
http://192.168.0.1/wlmacflt.cmd?action=view
http://192.168.0.1/wlwds.cmd?action=view
http://192.168.0.1/wlstationlist.cmd?action=view
http://192.168.0.1/ddnsmngr.cmd?action=view
http://192.168.0.1/certlocal.cmd?action=view
http://192.168.0.1/certca.cmd?action=view
http://192.168.0.1/ipv6lancfg.cmd?action=view
http://192.168.0.1/tunnelcfg.cmd?action=view
http://192.168.0.1/ippcfg.cmd?action=view
http://192.168.0.1/sysinfo.cmd?action=view
http://192.168.0.1/vstatus.cmd?action=view
http://192.168.0.1/LanguageIdSet.cmd?action=view
http://192.168.0.1/LanguageIdDisplaySet.cmd?action=view
http://192.168.0.1/modconn.cmd?action=view
http://192.168.0.1/lanvlancfg.html
http://192.168.0.1/mocacfg.html
http://192.168.0.1/qosqmgmt.html
http://192.168.0.1/rtdefaultcfg.html
http://192.168.0.1/adslcfgc.html
http://192.168.0.1/xdslcfg.html
http://192.168.0.1/dslbondingcfg.html
http://192.168.0.1/upnpcfg.html
http://192.168.0.1/dnsproxycfg.html
http://192.168.0.1/standby.html
http://192.168.0.1/bmu.html
http://192.168.0.1/wlcfg.html
http://192.168.0.1/wlsecurity.html
http://192.168.0.1/wlcfgadv.html
http://192.168.0.1/wlses.html
http://192.168.0.1/wlwapias.html
http://192.168.0.1/wlfon.html
http://192.168.0.1/voicemgcp_basic.html
http://192.168.0.1/voicentr.html
http://192.168.0.1/voicesip_basic.html
http://192.168.0.1/voicesip_advanced.html
http://192.168.0.1/voicesip_debug.html
http://192.168.0.1/voicedect.html
http://192.168.0.1/updatesettings.html
http://192.168.0.1/defaultsettings.html
http://192.168.0.1/seclogintro.html
http://192.168.0.1/sntpcfg.html
http://192.168.0.1/resetrouter.html
http://192.168.0.1/qsmain.html
http://192.168.0.1/tr69cfg.html
http://192.168.0.1/logout.html
http://192.168.0.1/logintro.html
http://192.168.0.1/logconfig.html

Highlights: settings that I was searching for
http://192.168.0.1/tr69cfg.html
http://192.168.0.1/dumpcfg.cmd?action=view //instead of decrypting the backup use this
http://192.168.0.1/dumpmdm.cmd?action=view //same as above but with hidden settings
http://192.168.0.1/dnscfg.html

If I said anything wrong, just share your knowledge with me.

NBN Bridge Mode: Waiting for ISP

After following the instructions, for NBN bridge mode, the Sagemcom web user interface has a yellow Internet status "Waiting for ISP". The physical modem displays a solid DSL light, but the Internet light does not light up. Is there anything else required?

Fix for slow upload speeds when bridging

I have 100/40 (upload/download) FTTN speed with Optus FTTN NBN.

When I reset the modem/router to factory defaults, I get about 77/33 (not too bad considering still using copper between home and node), but when I follow the Bridging steps I was getting 77/0.5.

I found that no change happened when I disabled QoS (under Advanced Setup -> Quality of Service), but if I went under the sub-menu option of QoS Port Shaping and set the Shaping Rate for all Interfaces to Disabled, my upload speed issue was fixed.

Decryption tool now doesn't work on newer firmwares

Hello,
I've noted this on the Readme.

NOTE: Optus has patched out the ability to upload unencrypted configuration files, so the only way to upload them is if you re-encrypt them. Apparently the IV and the Key has also changed, which means that the decryption tool now doesn't work on newer firmwares.

I've done your walkthrough and the txt file was all in Chinese(?) letters.

Is there any way around this?

Not sure if this walkthrough covers my sagemcom firmware. See specs below.

Board ID: F@ST3864V2
Symmetric CPU Threads: 2
HardWare Version: 253552181
Serial Number: N7150751F000661
Software Version: 8.353.25_F@ST5350_Optus
Bootloader (CFE) Version: 7.253.2
ConfigId: F5350_Optus_11.conf

Telnet port is filtered

I managed to get the telnet service started, but I did an nmap scan and the port seems to be filtered. Is there any way to fix this?

10.54_F@ST3864V3AC_Optus

I have version 10.54 and the "decrypted" backupsettings.conf is indeed producing junk.

I am also unable to log in to 192.168.0.1 with admin privileges.

Is there any investigation I can do on my end to get this working?

V: 10.70.1_F@ST3864V3HP_Optus and blank results from dump config urls

Just got the NBN with the Optus modem using the 10.70.1_F@ST3864V3HP_Optus software. The backup won't decrypt, and all the URLs for dumping the configs just return empty pages.

Any ideas how to get into this version? I'd really like to dump the Optus junk but I need the VOIP settings.

Have admin password but login does not work

On firmware: 10.33_F@ST3864V3AC_Optus

Followed the instructions carefully. Got my router's admin password, no problems. But when I try to log in as super user it never works. I just get a pink page with "401 Unauthorized Authorization required."

Modify the DNS settings on F@ST 3864AC

Are you able to locate the configuration to override the DNS server IP?
The Optus firmware restricts changing the address, and has defaulted it to 198.142.152.164/165 (Optus DNS servers).

Decryption no longer appears to work.

I've tried this method on my Optus Sagemcom 3864AC, and all I get is a garbage/encrypted file at the end. Happy to provide the config backup and decrypted files if it will help.

Board ID: F@ST3864AC
Symmetric CPU Threads: 2
HardWare Version: 253688887
Serial Number: N7170953B002975
Mac Address: f4:6b:ef:6a:ef:44
Build Timestamp: 180312_1608
Software Version: 8.379_F@ST3864AC_Optus
Bootloader (CFE) Version: 8.358
DSL PHY and Driver Version: A2pv6F039x6.d26r
Wireless Driver Version: 6.37.14.4803.cpe4.14L04.0-kdb
Voice Service Version: Voice
Uptime: 12D 15H 50M 20S
ConfigId: F3864AC_Optus_5.conf

Hopefully this project is still something you are interested in :) I'm guessing the encryption method or the key has been changed.

Successfully got access from the serial console

Update: The latest updates will be available at https://github.com/rikka0w0/fast3864op-hacks

I disassembled a Sagemcom F@ST 3864OP and soldered 4-pin headers to the PCB board, then hooked it up to a USB-UART 3.3V dongle. On my PC, I started a serial monitor (the baud rate is 115200) and got an interactive console. I was able to log in with the following credentials:

user: admin
password: 0ptU%1M5

Although it is not a Linux shell, it supports several commands (listed below), and the sh command will get you a real Linux shell.

 > swversion
8.353.1_F@ST5350_Optus
 > help
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
brctl
cat
virtualserver
ddns
df
loglevel
logdest
dumpcfg
dumpmdm
dm
dumpeid
mdm
meminfo
psp
kill
dumpsysinfo
exitOnIdle
dnsproxy
syslog
echo
ifconfig
ping
ps
pwd
sntp
sysinfo
tftp
voice
dect
wlctl
arp
defaultgateway
dhcpserver
dns
lan
lanhosts
passwd
ppp
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
wan
mcpctl

The following is a demonstration of the Linux shell:

 > sh


BusyBox v1.17.2 (2016-07-23 18:57:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls /bin/*
/bin/acs_cli            /bin/ftl_format         /bin/setmem
/bin/acsd               /bin/gmac               /bin/sh
/bin/adsl               /bin/gmacctl            /bin/sleep
/bin/adslctl            /bin/grep               /bin/smbd
/bin/arl                /bin/gunzip             /bin/smbpasswd
/bin/arlctl             /bin/hotplug            /bin/smd
/bin/ash                /bin/hspotap            /bin/sntp
/bin/bash               /bin/httpd              /bin/spdsvc
/bin/bcm_boot_launcher  /bin/ip                 /bin/spu
/bin/bpm                /bin/ip6tables          /bin/spuctl
/bin/bpmctl             /bin/ippd               /bin/ss
/bin/brctl              /bin/iptables           /bin/ssk
/bin/bsd                /bin/iq                 /bin/stress
/bin/busybox            /bin/iqctl              /bin/stty
/bin/cat                /bin/kill               /bin/swmdk
/bin/chmod              /bin/lld2d              /bin/sync
/bin/consoled           /bin/ln                 /bin/tc
/bin/cp                 /bin/ls                 /bin/telnetd
/bin/dart               /bin/mcp                /bin/tmsctl
/bin/date               /bin/mcpctl             /bin/tr69c
/bin/ddnsd              /bin/mcpd               /bin/true
/bin/dectd              /bin/mdkshell           /bin/ubiattach
/bin/deluser            /bin/mkdir              /bin/ubicrc32
/bin/df                 /bin/mknod              /bin/ubidetach
/bin/dhcp6c             /bin/mount              /bin/ubiformat
/bin/dhcp6s             /bin/mtd_debug          /bin/ubimkvol
/bin/dhcpc              /bin/mtdinfo            /bin/ubinfo
/bin/dhcpd              /bin/nanddump           /bin/ubirename
/bin/diag_ping          /bin/nandtest           /bin/ubirmvol
/bin/dmesg              /bin/nandwrite          /bin/ubirsvol
/bin/dnsproxy           /bin/nas                /bin/ubiupdatevol
/bin/dnsspoof           /bin/nas4not            /bin/udhcpd
/bin/doc_loadbios       /bin/nbtscan            /bin/umount
/bin/dry                /bin/ntfs-3g            /bin/upnp
/bin/dsldiagd           /bin/nvram              /bin/urlfilterd
/bin/dumpmem            /bin/nvramUpdate        /bin/usb_modeswitch
/bin/eapd               /bin/openl2tpd          /bin/vlanctl
/bin/ebtables           /bin/openssl            /bin/vodsl
/bin/echo               /bin/ping               /bin/wl
/bin/epi_ttcp           /bin/ping6              /bin/wl_server
/bin/ethctl             /bin/pppd               /bin/wl_server_socket
/bin/ethswctl           /bin/ps                 /bin/wlctl
/bin/false              /bin/pwd                /bin/wlevt
/bin/fap                /bin/pwr                /bin/wlmngr
/bin/fapctl             /bin/pwrctl             /bin/wps_monitor
/bin/fast               /bin/radvd              /bin/xdslctl
/bin/fc                 /bin/rastatus6          /bin/xtables-multi
/bin/fcctl              /bin/rawSocketTest      /bin/xtm
/bin/flash_erase        /bin/ripd               /bin/xtmctl
/bin/flash_otp_dump     /bin/rm                 /bin/zcat
/bin/flash_otp_info     /bin/scriptDaemon       /bin/zebra
/bin/flashcp            /bin/send_cms_msg
# cat /proc/cpuinfo
system type             : F@ST3864V2
processor               : 0
cpu model               : Broadcom BMIPS4350 V8.0
BogoMIPS                : 397.31
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
kscratch registers      : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

processor               : 1
cpu model               : Broadcom BMIPS4350 V8.0
BogoMIPS                : 403.45
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
kscratch registers      : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

# mount
rootfs on / type rootfs (rw)
mtd:rootfs on / type jffs2 (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime,size=420k)
tmpfs on /mnt type tmpfs (rw,relatime,size=16k)
sysfs on /sys type sysfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mtd:data on /data type jffs2 (rw,relatime)
none on /proc/bus/usb type usbfs (rw,relatime)
# free 
sh: free: not found
# cat /proc/meminfo 
MemTotal:         123396 kB
MemFree:           55004 kB
Buffers:               0 kB
Cached:            20432 kB
SwapCached:            0 kB
Active:             6400 kB
Inactive:          17564 kB
Active(anon):       3532 kB
Inactive(anon):        0 kB
Active(file):       2868 kB
Inactive(file):    17564 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          3520 kB
Mapped:             3660 kB
Shmem:                 0 kB
Slab:              33160 kB
SReclaimable:        624 kB
SUnreclaim:        32536 kB
KernelStack:        1168 kB
PageTables:          396 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       61696 kB
Committed_AS:       8188 kB
VmallocTotal:    1032116 kB
VmallocUsed:       10560 kB
VmallocChunk:    1006836 kB

ip a command is available, but uname and whoami are missing. The following is a snippet from the boot log:

Base: 4.14_04
CFE version 8.353.1 for BCM963268 (32bit,SP,BE)
Build Date: Sat Jul 23 18:46:20 CST 2016 ([email protected])
Copyright (C) 2005-2011 SAGEM Corporation.

Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000

NAND flash device: , id 0xeff1 block 128KB size 131072KB
External switch id = 53125 
Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host/tftp (f/h/c)  : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Boot image (0=latest, 1=previous) : 0  
Default host ramdisk file name    :   
Default ramdisk store address     :   
Board Id (0-38)                   : F@ST3864V2

I'm going to explore more on this, perhaps dump the entire firmware and share it with you guys.

Update:
I think there is a great chance of running OpenWrt on this router, although it is very likely that running the xDSL and Wi-Fi will be problematic:
openwrt/openwrt@ff2c963
https://openwrt.org/toh/sercomm/h500-s
https://github.com/micjo/bbox3
https://gist.github.com/Noltari/fa7561abbcca6acfbc279935a6bbf80c

Getting config dump without user/pass

Not an 'issue' as such: more of a workaround (and yields a plaintext XML file that can be edited).

http://[routerip]//dumpcfgdynamic.cmd?loginuser=2

Edit away, and reload. Make sure you back up the config first.

not an issue, just some notes for unlocking f@st3864 for ABB nbn

modem version is 7.276_F3864V2_Optus
NBN provider: Aussiebroadband
I was able to use the first factory password to login (http://192.168.0.1/main.html?loginuser=0)

I modified the following

  1. Advanced -- Wan Service.
    I edited ptm0.1 as below
    |Interface|Description|Type|Vlan8021p|VlanMuxId|Igmp|NAT|Firewall|IPv6|Mld|
    |---|---|---|---|---|---|---|---|---|---|
    |ptm0.1|ipoe_0_1_1.0|IPoE|N/A|N/A|Enabled|Enabled|Disabled|Disabled|Disabled|
  2. Advanced -- Routing -- Default Gateway
    Make ptm0.1 the first priority on the left box (Selected Default Gateway Interfaces )
  3. Advanced -- DNS proxy
    untick the checkbox
  4. restart modem
  5. make sure dns server on your device is valid (i use google one which is 8.8.8.8)

after above steps, i was able to connect to internet.

Config decryption doesn't work, difficult solution

After trying and failing with the decryption method, I've found a different and much more difficult alternative. What you do is solder to the UART headers in the router, then boot and reset. Log in with one of the default passwords listed in the readme, then plug the router into the internet. The password will change but you'll still be logged in (This might also be possible via telnet?). Then you can use the dumpcfg command to get the whole file, find the password, and base64 decode it.
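
The last step described above (find the password in the dumpcfg output and base64 decode it) works because base64 is an encoding, not encryption. As an added example that is not part of the original issue or the project's code, this audit walks a constructed XML dump and reports which secret-like fields are stored reversibly; the element names, the tag hints and the trailing-NUL handling are assumptions.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Tag substrings treated as secret-bearing (an assumption of this example).
SECRET_HINTS = ("password", "passphrase", "secret")

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")

# Constructed sample shaped like an XML config dump. Element names and
# values are hypothetical, not taken from a real device.
SAMPLE_DUMP = f"""<DslCpeConfig>
  <LoginCfg>
    <AdminUserName>admin</AdminUserName>
    <AdminPassword>{_b64(b'example-admin-pw' + bytes(1))}</AdminPassword>
    <UserPassword>$1$constructed$not-base64</UserPassword>
  </LoginCfg>
  <WANPPPConnection>
    <Password>{_b64(b'example-ppp-pw')}</Password>
  </WANPPPConnection>
</DslCpeConfig>"""

def try_b64(text):
    """Return the decoded string if text is strict base64 of printable
    UTF-8 (a trailing NUL is tolerated, as an assumption), else None."""
    s = (text or "").strip()
    if not s or len(s) % 4:
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.rstrip(b"\x00").decode("utf-8")
    except UnicodeDecodeError:
        return None
    return decoded if decoded and decoded.isprintable() else None

def audit_dump(xml_text):
    """List secret-like elements and whether each is merely base64-encoded."""
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        if any(hint in node.tag.lower() for hint in SECRET_HINTS):
            decoded = try_b64(node.text)
            findings.append({
                "path": here,
                "reversible": decoded is not None,
                "length": len(decoded) if decoded else None,
                # Mask the value so the report itself does not leak it.
                "masked": decoded[0] + "*" * (len(decoded) - 1) if decoded else None,
            })
        for child in node:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings

if __name__ == "__main__":
    for finding in audit_dump(SAMPLE_DUMP):
        print(finding)
```

Any field reported as reversible is readable by whoever can obtain the dump, so treat the dump file itself as a secret.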

Switch other "Router" to PPPoE?

If I switch the Sagemcom router to bridge mode, will I need to set my other router to PPPoE and enter my Optus credentials in order to get internet?

My other Router is the "Google Wifi" system
