cancel
Showing results for 
Search instead for 
Did you mean: 

Unlocking the potential of Sagemcom 2704N

Darsh
Grafter
Posts: 48
Registered: ‎12-03-2015

Unlocking the potential of Sagemcom 2704N

Have been playing with the new router for a couple of days. Found the expert_user.html GUI useful, but it still has many functions blocked. The hardware itself is pretty good. Unfortunately, the firmware locks down much of its functionality.
Things I need to enable and configure:
- DHCP reserved IPs (GUI doesn't allow me to enter IPs from my home 192.168.0.0/24 network, giving error message "Invalid IP", although it is not).
- CLI access (preferably SSH).
- SNMP access (I need SNMP to get interface traffic statistics into MRTG).
- Unencrypted config backup (current config backup produces an encrypted file, and I'm not able to decrypt it).
Tried to get answers from the support team, raised a support ticket, but got the following reply: "Unfortunately this is something that we are unable to support you with. We send out our routers set up to work straight from the factory, if you wish to change advanced settings within the router then you will need to research and implement these changes yourself."
I'm trying to find the ways of enabling these things:
1) Router is listening on SSH port, but doesn't allow to connect. Therefore, SSH functionality is there (that's promising), but with the access control list. Does anyone know how to get SSH connectivity working?
2) Tried to back up the config. I was hoping that it is in clear text, so I could modify certain values in it and then upload the modified config back to the router (did it with some Thomson routers before). Unfortunately, this particular firmware encrypts the backed up config. Looks like this encryption is only present in the Plusnet firmware version, as other 2704N users post unencrypted XML configs. Does anyone know how to decrypt it?
3) Haven't tried changing the firmware yet, as I don't have the original Plusnet firmware image to be able to roll back any changes. Does anyone know how to get the original Plusnet firmware image? Unfortunately, OpenWRT image for this router is not available yet. Support page on Sagemcom website for this router doesn't exist either, so the only option is to try other users (Polish, Brasil) firmwares. But will be too risky without the roll back option.
I believe that this router has SNMP functionality, as it is present in other Sagemcom routers. However, the router is not listening on 161/udp by default (SNMP might be simply disabled).
Does anyone have any other ideas on how to unlock the full potential of this device?
Does anyone know where I can get proper support for this hardware?

Darsh
239 REPLIES
Community Veteran
Posts: 5,223
Thanks: 494
Fixes: 22
Registered: ‎10-06-2010

Re: Unlocking the potential of Sagemcom 2704N

The most interesting possibility I found earlier was from here (translation) where some people found a "super user" login user/pass I think from a generated diagnostic report file (not the config backup).
RouterPassView appears to be able to decrypt some router config files, but doesn't mention the 2704N, so it doubt it will work for this.
I don't have a 2704N, so can't really offer any further help with this.
Darsh
Grafter
Posts: 48
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

These "some people" were much luckier than us - they had telnet open with default admin/admin username/password. In our case, telnet is closed, ssh is open but firewalled (effectively, same as "closed"), so there's no way to access CLI (apart from, maybe, internal COM port, if it exists at all - I used a similar thing to unbrick my TP-Link couple of years ago).
RouterPassView isn't able to decrypt the saved config either.
I thought that, maybe, Plusnet simply removed the admin pages from the GUI menu, but not from the flash, so I tried to access some of them directly, like we are accessing expert_user.html - but with no luck, looks like Plusnet removed them from the GUI completely.
So at the moment the only option is to wait for one of:
- Plusnet shares how to unlock the router (unlikely, they made quite a big effort to lock it from all the sides)
- Sagemcom publishes how to unlock it
- Sagemcom publishes new version of firmware (lucky enough, the GUI still allows this)
- OpenWRT starts to support it
- Somebody will be able to hack it somehow
Please share your ideas for the last point :-)

Darsh
Darsh
Grafter
Posts: 48
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Bypassing the "Invalid IP" check in DHCP reserved addresses
Analysing JavaScript pages of expert_user.html, found a way to get rid of silly checks resulting in "invalid IP" error. As you might remember, the GUI wasn't allowing me to add IPs from subnet 192.168.0.0/24, while 192.168.1.0/24 was OK.
Page http://router/StaticIpAdd.html has these checks in JavaScript. This page takes arguments (MAC address, IP address), checks them and produces URL http://router/dhcpdstaticlease.cmd?action=add&mac=11:22:33:44:55:66&static_ip=192.168.0.1&sessionKey...
Manually creating such URLs for each of my reserved IPs, I was able to successfully populate the DHCP reserved IPs table.
Session key changes after each request, you need to look it up in the StaticIpAdd.html yourself for every IP you are adding.

Darsh
Darsh
Grafter
Posts: 48
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Although the router saves its config in encrypted or encoded form, it processes plain xml when "restoring" the config. The router then reloads. Save your existing config before playing with this method - to be able to quickly restore the settings you currently have.
Just search for backupsettings.conf over the Internet - there are configs posted for other Sagemcom routers. I assume at least parts of these configs can be used in 2704N.

Darsh
Darsh
Grafter
Posts: 48
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Failed to turn on SNMP and/or telnet/ssh. Config update tool successfully accepts the respective xml tags in the config (<HttpdCfg>, <SshdCfg>, <TelnetdCfg> in <X_BROADCOM_COM_AppCfg>), but ignores them, which makes me think that the firmware was altered in such a way that snmp and telnet daemons were removed, while ssh daemon was modified to only accept connections from the WAN interface.
Changing the usernames/passwords using this method was unsuccessful - config updater refuses the respective xml tag <X_BROADCOM_COM_LoginCfg>, which might indicate that current user doesn't have privileges to do it.
Apart from that - fiddling with the config was successful, should allow to modify almost any part of configuration that is not available or is limited via the GUI (DHCP reservations, port forwarding) - apart from snmp/telnet/ssh and user control.
As to various XML tags for this config - the most complete list I've found in the Sagemcom 4310 config dump http://pastebin.com/jbJSWjbW
4310 is very similar to 2704N, so most of these tags should work. Have fun! :-)
The next step in unlocking this box would be to take it apart, connect to the serial port on its PCB and hope that Plusnet haven't blocked the console access. But I don't have enough passion to go this way at the moment, I need to get my network up and running, so I'm giving up and switching from Sagemcom 2704N to TP-Link TD-W8951ND, which should have telnet, snmp and other features enabled out of the box - only for £20.
Such a pity that Plusnet have limited this excellent small router so much that it is almost unusable for anything even slightly non-standard :-(

Darsh
marklkelly
Newbie
Posts: 6
Registered: ‎27-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Give what you've seen so far - do you think it would be possible to switch this router to bridge mode? That would save it ending up gathering dust somewhere..
Darsh
Grafter
Posts: 48
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Of course - you just need to create a backupsettings.conf file with correct settings and upload it. I've found a number of configs for Sagemcom 2804 here (in Russian). Third config ("Sagemcom fast 2804 v7 ADSL-bridge(0/33)") is for the bridge on pvc 0/33 (for Plusnet, as far as I understand, you need to change it to 0/35). I've tried one of these configs (the PPPoA router one) on my router - they load successfully. After the load, router gets IP address 192.168.1.1, login credentials admin/admin. Wireless settings are for Rostelekom (specified in readme.txt), but you should be able to change them in the GUI after the upload.
!!! Don't forget to back up your existing config first - this will allow you to roll back in case of problems.

Darsh
marklkelly
Newbie
Posts: 6
Registered: ‎27-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Well - that seemed to work remarkably well - thanks for the tip. Router is now in bridge mode.
For future reference, its pvc 0/38 rather than 0/35.
Darsh
Grafter
Posts: 48
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Returned back to 2704N, as TP-Link can only do 10 port forwards, and cannot re-map these ports.
Wrote two small scripts to get traffic and ADSL rate into MRTG, using curl and xmllint. Scripts log in, saving cookie, and then parse specific stats pages, using this cookie.
PPPoA traffic:
#!/bin/sh
cd <script dir>
curl -s --data "loginuser=admin&loginpasswd=<password>" --cookie-jar cookies.txt http://<router IP>/plusnetlogin.cgi > /dev/null
curl -s --cookie cookies.txt http://<router IP>/statswan.cmd > statswan.html
xmllint --html --xpath '//tr[last()]/td[position()=3]/text()' statswan.html 2> /dev/null
echo
xmllint --html --xpath '//tr[last()]/td[position()=7]/text()' statswan.html 2> /dev/null
echo
rm cookies.txt statswan.html

ADSL rate:
#!/bin/sh
cd <script dir>
curl -s --data "loginuser=admin&loginpasswd=<password>" --cookie-jar cookies.txt http://<router IP>/plusnetlogin.cgi > /dev/null
curl -s --cookie cookies.txt http://<router IP>/statsadsl.cmd > statsadsl.html
xmllint --html --xpath '//tr[position()=16]/td[position()=2]/text()' statsadsl.html 2> /dev/null
echo
xmllint --html --xpath '//tr[position()=16]/td[position()=3]/text()' statsadsl.html 2> /dev/null
echo
rm cookies.txt statsadsl.html

Scripts are not optimised yet - ideally they should check if the cookie still works, and only log in again if it doesn't.

Darsh
Community Veteran
Posts: 3,424
Thanks: 17
Registered: ‎18-01-2013

Re: Unlocking the potential of Sagemcom 2704N

Hey Darsh - good to see you still working on it.
Just letting you know you're not talking to yourself here - I've still been following this thread with interest Smiley
Matty123123
Grafter
Posts: 96
Thanks: 2
Registered: ‎01-04-2015

Re: Unlocking the potential of Sagemcom 2704N

Hello...
if anyone is interest I have adjusted the firmware (well mainly the filesystem) of my 2704N, to extend the expert_user.html options.
https://drive.google.com/file/d/0B4-Ln6UubyEeWUllUkFhLXJKVzg

Does anyone know where the GPL Source Code is?  or another source code with the same CPU and limited RAM ?
crazydan7
Dabbler
Posts: 22
Registered: ‎25-11-2013

Re: Unlocking the potential of Sagemcom 2704N

hi,
has anyone been able to change the password on this device with success?
i logged in to the expert_user interface, changed it, but weirdly now i can no longer log in to the device with ither the original login or the new one i set myself.
Community Veteran
Posts: 5,223
Thanks: 494
Fixes: 22
Registered: ‎10-06-2010

Re: Unlocking the potential of Sagemcom 2704N

Since Plusnet distributed the router containing software licensed under the GPL, then Plusnet should comply with the requirements of the GPL and either supply the source code or at least a written offer to provide the source code. And of course a suitable notice to inform you of your rights under the GPL.
Community Veteran
Posts: 2,286
Thanks: 109
Fixes: 4
Registered: ‎18-02-2013

Re: Unlocking the potential of Sagemcom 2704N

Quote from: crazydan7
hi,
has anyone been able to change the password on this device with success?


Yes, working for me ok, I did change mine before I connected it to plusnet though, but I don't see why it would make any difference if you was connected or not.

I would like to pass on thanks to Darsh and Matty123123 for there time and efforts, much appreciated.