
SAGEMCOM-FAST-5370e-TELIA_v2023 | Part 1

I have successfully gained full root access to Sagemcom's latest variant used by Telia 2023-09-09.

Since my previous version SAGEMCOM-FAST-5370e-TELIA is quite old and already contains a wealth of information, I have decided to create a new repository. This repository is an expanded version of the latest release of their router.

Device Info

```
SOFTWARE RUNNING     : rescue

CFE-ROM              : 0.14.8 (BCM = 1.0.38.162.76.)
CFE-RAM              : 0.14.8
BOOT                 : U-Boot ScOS 2017.09@sc-0.26.0
PERMANENT Parameters : 1.2
OPERATIONAL software : scOS Test-5370 (8g.43.5.8.1)  file format is GSDF
RESCUE software      : scOS SG4T1E000042 (0.18.0)  file format is GSDF
```

!!! Example "Factory Users"

   ```bash
   User Account..........: Administrator
   SagemCom Developers...: internal
   Telia Support.........: support
   ACS...................: acs
   ```

!!! Example "Kernel command line"

   ```
   root=mtd:rootfs earlyprintk debug init=/etc/preinit ro rootfstype=squashfs 
   console=ttyS0,115200 rootfs_offset=0x291800 rootfs_size=0x1b3f000  
   mtdparts=nand.0:128k(nvram),640k(cfe),8960k(boot),144640k(ubi),-(data) 
   ubi.mtd=ubi,0 part_main=ubi part_boot=boot image_ubivol=operational 
   secure board_type=00030090 oek=04005578 oiv=040056b8
   ```

!!! Example "UBI0 Board Info"

   ```
   Base: 5.2_04
   CFE version 1.0.38-162.76 for BCM963138 (32bit,SP,LE)
   Build Date: vendredi 25 mai 2018, 17:47:56 (UTC+0200) (g601671@rmm-p200156.femto.urd1.local)
   Copyright (C) 2000-2015 Broadcom Corporation.
   Version cfe-ram: 0.14.8-sec
   
   Boot Strap Register:  0x7dfffc2f
   Chip ID: BCM63139_B0, ARM Cortex A9 Dual Core: 1000MHz
   Total Memory: 536870912 bytes (512MB)
   Status wait timeout: nandsts=0x50000000 mask=0x40000000, count=0
   NAND ECC BCH-4, page size 0x800 bytes, spare size used 64 bytes
   NAND flash device: Micron MT29F2G08ABA, id 0x2cda block 128KB size 262144KB
   pmc_init:PMC using DQM mode
   ERROR!!! Data pointer greater than total entry size
   Board IP address                  : 192.168.1.1  
   Host IP address                   : 192.168.1.100  
   Gateway IP address                :   
   Run from flash/host/tftp (f/h/c)  : f  
   Default host run file name        : vmlinux  
   Default host flash file name      : bcm963xx_fs_kernel  
   Boot delay (0-9 seconds)          : 1  
   Default host ramdisk file name    :   
   Default ramdisk store address     :   
   Default DTB file name             :   
   Board Id                          : FAST5370e  
   Number of MAC Addresses (1-64)    : 10  
   Base MAC Address                  : 
   PSI Size (1-128) KBytes           : 128  
   Enable Backup PSI [0|1]           : 0  
   System Log Size (0-256) KBytes    : 0  
   Auxillary File System Size Percent: 0  
   MC memory allocation (MB)         : 4  
   TM memory allocation (MB)         : 44  
   DHD 0 memory allocation (MB)      : 14  
   DHD 1 memory allocation (MB)      : 7  
   DHD 2 memory allocation (MB)      : 0  
   WLan Feature                      : 0x00  
   Partition 1 Size (MB)             : 0M  
   Partition 2 Size (MB)             : 0M  
   Partition 3 Size (MB)             : 0M  
   Partition 4 Size (MB) (Data)      : 4MB  
   
   Initalizing switch low level hardware.
   pmc_switch_power_up: Rgmii Tx clock zone1 enable 0 zone2 enable 0. 
   Software Resetting Switch ... Done.
   Waiting MAC port Rx/Tx to be enabled by hardware ...Done
   Disable Switch All MAC port Rx/Tx
   Initializing UBI and starting U-Boot...
   Looking for UBI...
   Looking for U-Boot...
   Found valid GSDF
   We got aes_key1
   We got aes_key2 enc
   Starting U-Boot from UBI at 0x00080000
   ```

Authorized key stored in /.ssh/authorized_keys:

---- BEGIN SSH2 PUBLIC KEY ----
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEA3VhXDw8oxKLUEctSKFaqNHHMbo59nBYXuvLaciQyIijk2B78v6t5LNkbZTCpjSIZZkCxcXh/L+Dyib0NJQ1E1dv5932prZfVz+ooXTYxkkJ0Ri9fmRKIiwDOrxYyYmNzglvKYNRcnC7M6RN6z4gU8ND8F3IO2WMtysJrXKQxZEahpN5UEVxi0KmjMM9NObEp0PT04PAZ3PYbgtodehpbboz65j8T/   DzCT21j8Ns6BGe9wva1+S/G+3vUDERMhyV9/Ermlec+EwEqnjq7jl/pG/3tUH99RNyD6AuhmOQXJQRfFE3VcQV+tfSVz30gJHvhiH5kCIPFnU12iEYgjqZfZlb9ICCmeW2H59itjbuOGCF2Yi2q87JldMaoluVqQ5LKo/zjY4Vsed2elbExtEtVn8+iTSVXjx/ZqOPLIv5+2qQu3whTmuZJv3Q+4nBb08spoj6EWOiSMpVvuyUeO7JNYy1XBA7IGROrHC/kVdkAmJdXFB4PexVZTF60cTbrBizGVzzverlUdmSFvFlO+6TjFzwfIWg3eC6QpBaW5vnqZilSxqDrk5cPhV89R2vYdWjgKdMleWsk28DRVO8rIs+HArVR4FmKCxFd8SdFmmXfOXrQxfDJb3HbFayEnUc4GVdHIR34gt5L+Ku/8BeuRLxC2/1Wfz1dZeubw1+gpME03BM=
---- END SSH2 PUBLIC KEY ----

!!! Example "MTD"

   ```bash
   grep . /proc/mtd
   dev:    size   erasesize  name
   mtd0: 00020000 00020000 "nvram"
   mtd1: 000a0000 00020000 "cfe"
   mtd2: 008c0000 00020000 "boot"
   mtd3: 08d40000 00020000 "ubi"
   mtd4: 06940000 00020000 "data"
   mtd5: 02815000 0001f000 "filesystem1"
   mtd6: 00ded000 0001f000 "operational"
   mtd7: 0189a800 0001f000 "rescue"
   mtd8: 0001f000 0001f000 "firm_header"
   mtd9: 00271800 0001f000 "kernel"
   mtd10: 01629000 0001f000 "rootfs"
   mtd11: 000895e4 0001f000 "secondaryboot"
   mtd12: 0001fa40 0001f000 "secondaryboot-secure"
   mtd13: 000a3e20 0001f000 "uboot"
   mtd14: 000029e8 0001f000 "permanent_param"
   mtd15: 00000040 0001f000 "aes_key1"
   mtd16: 00000040 0001f000 "aes_key2"
   mtd17: 00000040 0001f000 "aes_key_operator"
   ```

!!! Example "Uci settings"

   ```bash
   # uci show
   dhcp.@dnsmasq[0]=dnsmasq
   dhcp.@dnsmasq[0].boguspriv=1
   mosquitto.owrt=owrt
   mosquitto.owrt.use_uci=0
   mosquitto.mosquitto=mosquitto
   network.loopback=interface
   network.loopback.ifname=lo
   network.loopback.proto=static
   network.loopback.ipaddr=127.0.0.1
   network.loopback.netmask=255.0.0.0
   network.lan=interface
   network.lan.ifname=eth0
   network.lan.type=bridge
   network.lan.proto=static
   network.lan.ipaddr=192.168.1.1
   network.lan.netmask=255.255.255.0
   timeserver.@timeserver[0]=timeserver
   timeserver.@timeserver[0].hostname=ac-ntp0.net.cmu.edu
   timeserver.@timeserver[1]=timeserver
   timeserver.@timeserver[1].hostname=ptbtime1.ptb.de
   timeserver.@timeserver[2]=timeserver
   timeserver.@timeserver[2].hostname=ac-ntp1.net.cmu.edu
   timeserver.@timeserver[3]=timeserver
   timeserver.@timeserver[3].hostname=tick.greyware.com
   timeserver.@timeserver[4]=timeserver
   timeserver.@timeserver[4].hostname=ntp.xs4all.nl
   timeserver.@timeserver[5]=timeserver
   timeserver.@timeserver[5].hostname=ptbtime2.ptb.de
   timeserver.@timeserver[6]=timeserver
   timeserver.@timeserver[6].hostname=cudns.cit.cornell.edu
   timeserver.@timeserver[7]=timeserver
   timeserver.@timeserver[7].hostname=ptbtime3.ptb.de
   ```

Banners

!!! Example "Rootfs"

   ```bash
        _   _ _____ _    _  ___ 
       | | | |  __ \\ |  | |/ __)
       | |_| | |  \\/ |  | / /__ 
       |  _  | | __| |/\\| |  _ \\
       | | | | |_\\ \\  /\\  / (_) )
       \\_| |_/\\____/\\/  \\/ \\___/
    
    Embedded Sagemcom Linux Distribution
   --------------------------------------------------
   
   Version: SG4T1E000042 (0.18.0)
   Built: by g360230@compil-atr-2 on Thu Apr 26 16:47:31 CET 2018
   ```

!!! Example "Rescue"

   ```bash
        _   _ _____ _    _  ___ 
       | | | |  __ \\ |  | |/ __)
       | |_| | |  \\/ |  | / /__ 
       |  _  | | __| |/\\| |  _ \\
       | | | | |_\\ \\  /\\  / (_) )
       \\_| |_/\\____/\\/  \\/ \\___/
   
    Embedded Sagemcom Linux Distribution
   --------------------------------------------------
   
   Version: SG4T1E000042 (0.18.0)
   Built: by g360230@compil-atr-2 on Thu Apr 26 16:47:31 CET 2018
   ```

!!! Example "Operational"

```bash
     _   _ _____ _    _  ___ 
    | | | |  __ \\ |  | |/ __)
    | |_| | |  \\/ |  | / /__ 
    |  _  | | __| |/\\| |  _ \\
    | | | | |_\\ \\  /\\  / (_) )
    \\_| |_/\\____/\\/  \\/ \\___/

 Embedded Sagemcom Linux Distribution
--------------------------------------------------

Version: Test-5370 (8g.43.5.8.1)
Built: by g110981@rmm-p1303058fl on Thu May 31 09:53:39 CEST 2018

```

Guide to Chrooting into Sagemcom Firmware:

1. Pre-requisites:

  • Ensure you have the qemu-arm-static binary installed on your system.
  • Extract the Sagemcom firmware (specifically the SquashFS filesystem you want to chroot into) to a known directory.

2. Set up the chroot environment:

```bash
# These commands need root privileges.
# Define your firmware root directory for easier reference.
# Keep only ONE assignment active; with several active, the last one wins.
# FIRMWARE_ROOT="/home/wuseman/chroot/sagemcom/operational_sagemcom/squashfs-root"
# FIRMWARE_ROOT="/home/wuseman/chroot/sagemcom/rescue_sagemcom/squashfs-root"
FIRMWARE_ROOT="/home/wuseman/chroot/sagemcom/rootfs_sagemcom/squashfs-root"

# Mount necessary filesystems
mount -t proc proc "$FIRMWARE_ROOT/proc"
mount --rbind /sys "$FIRMWARE_ROOT/sys"
mount --rbind /dev "$FIRMWARE_ROOT/dev"
# Stop unmounts inside the chroot tree from propagating back to the host's /sys and /dev
mount --make-rslave "$FIRMWARE_ROOT/sys"
mount --make-rslave "$FIRMWARE_ROOT/dev"

# Copy the QEMU static binary for ARM into the firmware's /usr/bin
cp /usr/bin/qemu-arm-static "$FIRMWARE_ROOT/usr/bin/"
```

3. Register the ARM binary format with the kernel:

```bash
echo ':qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00:\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff:/usr/bin/qemu-arm-static:' > /proc/sys/fs/binfmt_misc/register
```

4. Chroot into the firmware:

```bash
chroot "$FIRMWARE_ROOT" /usr/bin/qemu-arm-static /bin/sh
```

Now, you should be inside the firmware's environment and can interact with it as if it were running natively on ARM hardware.

Note: Always remember to unmount the proc, sys, and dev directories after you're done working in the chroot environment to clean up. This can be done using umount:

```bash
umount "$FIRMWARE_ROOT/proc"
# -R is required because --rbind also attached the submounts of /sys and /dev
umount -R "$FIRMWARE_ROOT/sys"
umount -R "$FIRMWARE_ROOT/dev"
```
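
What the registration string in step 3 actually matches, as an added Python example (not code from the original page): it decodes the rule and applies the kernel's masked byte comparison to ELF headers. The helper names and the sample headers are constructed for illustration.

```python
import struct

# Registration string copied from step 3 of the guide.
RULE = (r":qemu-arm:M::\x7fELF\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x28\x00"
        r":\xff\xff\xff\xff\xff\xff\xff\x00\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff"
        r":/usr/bin/qemu-arm-static:")


def unescape(field: str) -> bytes:
    """Decode the \\xNN escapes used in the magic and mask fields."""
    out, i = bytearray(), 0
    while i < len(field):
        if field.startswith("\\x", i):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Split ':name:type:offset:magic:mask:interpreter:flags' on its delimiter."""
    name, kind, offset, magic, mask, interp, flags = rule[1:].split(rule[0])
    return {"name": name, "type": kind, "offset": int(offset or 0),
            "magic": unescape(magic), "mask": unescape(mask),
            "interpreter": interp, "flags": flags}


def matches(rule: dict, header: bytes) -> bool:
    """Masked comparison: a byte matters only where its mask bits are set."""
    off, magic, mask = rule["offset"], rule["magic"], rule["mask"]
    window = header[off:off + len(magic)]
    if len(window) < len(magic):
        return False
    return all((h ^ g) & m == 0 for h, g, m in zip(window, magic, mask))


def elf_ident(ei_class=1, osabi=0, e_type=2, e_machine=0x28) -> bytes:
    """Constructed first 20 bytes of a little-endian ELF header (sample input)."""
    ident = b"\x7fELF" + bytes([ei_class, 1, 1, osabi]) + bytes(8)
    return ident + struct.pack("<HH", e_type, e_machine)


if __name__ == "__main__":
    rule = parse_rule(RULE)
    for label, hdr in [("ARM ET_EXEC", elf_ident()), ("ARM ET_DYN", elf_ident(e_type=3)),
                       ("ARM ET_REL", elf_ident(e_type=1)),
                       ("x86-64", elf_ident(ei_class=2, e_machine=0x3E))]:
        print(f"{label:12} -> {rule['interpreter'] if matches(rule, hdr) else 'no match'}")
```

The `\x00` mask byte makes the rule ignore EI_OSABI, and the `\xfe` mask byte lets both ET_EXEC (2) and ET_DYN (3) binaries through, so every 32-bit little-endian ARM program or shared object started on the host is handed to the interpreter.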

Find all files that include telia

```bash
find . \( -path ./proc -o -path ./dev -o -path ./sys \) -prune -o -type f -exec grep -l "telia" {} \;
```

Entries in shadow format:

```
root:$1$ktZkpxnY$FLCb0GopVjc.wWfWXYSJk/:13848:0:99999:7:::
Administrator:x:13848:0:99999:7:::
support:$1$iKH6d9We$FoWQGFUv6dEi5yilOl0xA1:13848:0:99999:7:::
mosquitto:x:13848:0:99999:7:::
nobody:*:13848:0:99999:7:::
daemon:*:13848:0:99999:7:::
lighttpd:*:13848:0:99999:7:::
tr69:*:13848:0:99999:7:::
twonky:*:13848:0:99999:7:::
```

Entries in passwd format:

```
root:x:0:0:root:/root:/bin/ash
Administrator:x:0:0:Administrator:/root:/bin/ash
support:x:0:0:support:/root:/bin/ash
mosquitto:x:1001:1001:Linux User,,,:/home/mosquitto:/bin/sh
nobody:*:65534:65534:nobody:/var:/bin/false
daemon:*:65534:65534:daemon:/var:/bin/false
lighttpd:*:1002:1002:lighttpd:/:/bin/false
tr69:*:1003:1002:tr69:/:/bin/false
twonky:*:1004:1004:twonky:/:/bin/false
```
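
An account audit for entries like the ones listed above, as an added Python example (not code from the original page): it flags extra UID 0 accounts and legacy hash schemes. The sample input is constructed in the same layout with placeholder salts and hashes, and the function names are illustrative.

```python
# Constructed sample input: same layout as the entries listed above, with
# placeholder strings where the real salts and hashes would be.
PASSWD = """\
root:x:0:0:root:/root:/bin/ash
Administrator:x:0:0:Administrator:/root:/bin/ash
support:x:0:0:support:/root:/bin/ash
mosquitto:x:1001:1001:Linux User,,,:/home/mosquitto:/bin/sh
nobody:*:65534:65534:nobody:/var:/bin/false
"""
SHADOW = """\
root:$1$SALT0000$PLACEHOLDERHASH0000000:13848:0:99999:7:::
Administrator:x:13848:0:99999:7:::
support:$1$SALT0001$PLACEHOLDERHASH0000001:13848:0:99999:7:::
mosquitto:x:13848:0:99999:7:::
nobody:*:13848:0:99999:7:::
"""

SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt"}
WEAK = {"MD5-crypt", "DES-crypt"}
NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def scheme(field: str) -> str:
    """Classify a password field by its crypt(3) prefix."""
    if field == "":
        return "empty"
    if field.startswith("$") and field.count("$") >= 3:
        return SCHEMES.get(field.split("$")[1], "unknown")
    if len(field) == 13 and field[0] not in "*!":
        return "DES-crypt"
    return "locked"  # '*', '!', 'x' and similar can never match a password


def audit(passwd: str, shadow: str) -> list:
    """Return (account, finding) pairs for risky account settings."""
    hashes = dict(line.split(":")[:2] for line in shadow.splitlines() if line)
    findings = []
    for line in filter(None, passwd.splitlines()):
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")
        # An 'x' in passwd means the real field lives in shadow.
        kind = scheme(hashes.get(name, "*") if pw == "x" else pw)
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        if kind in WEAK:
            findings.append((name, f"{kind} password hash"))
        if kind == "empty" and shell not in NOLOGIN:
            findings.append((name, "empty password with a login shell"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(PASSWD, SHADOW):
        print(f"{name}: {finding}")
```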