
Unlocking the potential of Sagemcom 2704N

Matty123123
Grafter
Posts: 96
Thanks: 2
Registered: ‎01-04-2015

Re: Unlocking the potential of Sagemcom 2704N

Quote from: Darsh
is ssh process running on the box?

Yes the process is (sort of) running, but there is something I don't understand...  I'll try to explain, perhaps you can shed some light on it......
I added this in the config (to be sure)
<InternetGatewayDevice>
  <X_BROADCOM_COM_AppCfg>
    <SshdCfg>
      <NetworkAccess>LAN</NetworkAccess>
    </SshdCfg>
  </X_BROADCOM_COM_AppCfg>
</InternetGatewayDevice>

Then I can (sort-of) connect via IP6 - using fe80::46e9:ddff:feXX:XXXX (using the device MAC address)
login as: admin
admin@fe80::46e9:ddff:feXX:XXXX's password:
Access denied
admin@fe80::46e9:ddff:feXX:XXXX's password:
Access denied
admin@fe80::46e9:ddff:feXX:XXXX's password:
Access denied
admin@fe80::46e9:ddff:feXX:XXXX's password:

No username/password I tried worked.....
If I look at the log it says:
Failed loading /etc/dropbear/dropbear_dss_host_key
Failed loading /etc/dropbear/dropbear_ecdsa_host_key
sshd:error:472.597:cmsNet_isHostInSameSubnet:283:Invalid address prefix
Child connection from (null):63715
login attempt for nonexistent user from fe80::46e9:ddff:fe11:1111:64050
login attempt for nonexistent user from fe80::46e9:ddff:fe11:1111:64050
login attempt for nonexistent user from fe80::46e9:ddff:fe11:1111:64050
login attempt for nonexistent user from fe80::46e9:ddff:fe11:1111:64050

"login attempt for nonexistent user" Huh
the "sshd --help" says it's from here: Dropbear server v2014.65 https://matt.ucc.asn.au/dropbear/dropbear.html
I had a look at the source code on the web, and it appears that the server will not run as root? (assuming they have not adjusted it), but almost all routers run as root all the time?
Still no luck with ICMP Echo...
Darsh
Grafter
Posts: 48
Thanks: 1
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

I think just enabling it in AppCfg is not enough, you need to open firewall for it, configuring FirewallException on LAN interface. Will try it tonight.
As to the log entries - my guess is that dropbear is expecting connections on IPv4, and although it is responding on IPv6, it might not be configured/enabled to work on IPv6.
I reckon we need to try getting to it on IPv4.

Darsh
Darsh
Grafter
Posts: 48
Thanks: 1
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Quote from: Matty123123
Still no luck with ICMP Echo...

Well, at least it works on your router. To secure it, you can set the destination IP to the IP of your WAN interface, and limit the source IP to the sources you want to allow pings from. Src/dst syntax can be taken from here: http://pastebin.com/jbJSWjbW
          <X_BROADCOM_COM_FirewallException instance="1">
            <Enable>TRUE</Enable>
            <FilterName>ICMP</FilterName>
            <IPVersion>4</IPVersion>
            <Protocol>ICMP</Protocol>
            <SourcePortStart>0</SourcePortStart>
            <SourcePortEnd>0</SourcePortEnd>
            <DestinationPortStart>0</DestinationPortStart>
            <DestinationPortEnd>0</DestinationPortEnd>
            <SourceIPAddress>(null)</SourceIPAddress>
            <SourceNetMask>(null)</SourceNetMask>
            <DestinationIPAddress>(null)</DestinationIPAddress>
            <DestinationNetMask>(null)</DestinationNetMask>
            <X_SAGEM_COM_HideForWEBGUI>FALSE</X_SAGEM_COM_HideForWEBGUI>
          </X_BROADCOM_COM_FirewallException>


Darsh
Matty123123
Grafter
Posts: 96
Thanks: 2
Registered: ‎01-04-2015

Re: Unlocking the potential of Sagemcom 2704N

SSH:
Quote from: Darsh
http://pastebin.com/jbJSWjbW

Darsh Brilliant !!! I was not aware of the 'dumpmdm' command, I've attached a dump from this router.
(Still using IP6) I was able to get SSH access.
Add this in the config:
<InternetGatewayDevice>
<X_BROADCOM_COM_AppCfg>
  <SshdCfg>
    <NetworkAccess>LAN</NetworkAccess>
  </SshdCfg>
</X_BROADCOM_COM_AppCfg>
<SshControl>
  <Enable>TRUE</Enable>
  <UserName>username-here</UserName>
  <Password>password-here</Password>
</SshControl>
</InternetGatewayDevice>

I hope it works for you.

Note for other people, using Windows:
Enable IP6  (Although it should be already)
Download PUTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Connect to fe80::XXXX:XXff:feXX:XXXX,  where the X's are the router's MAC address.  (I hope)
Darsh
Grafter
Posts: 48
Thanks: 1
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Quote from: Matty123123
Connect to fe80::XXXX:XXff:feXX:XXXX,   where the X's are the router's MAC address.  (I hope)

Almost the MAC address. IPv6 link-local addresses are formed according to EUI-64, where the seventh bit of the MAC address is inverted, resulting in the first octet of the MAC address either increasing (usually) or decreasing by two.
Example: MAC 0012.7feb.6b40 will produce IPv6 link-local address fe80::0212:7fff:feeb:6b40.
More info here: http://packetlife.net/blog/2008/aug/4/eui-64-ipv6/
For connecting from Linux, you need to specify the local interface you are connecting from, as link-local addresses are not meant for normal traffic use. The syntax is (with the above address and eth0 as local interface): "ssh -l <username> fe80::0212:7fff:feeb:6b40%eth0".
UPD0: Wow! It works!
UPD1: Matt, from examining the router internals dumpsysinfo command looks much more interesting than dumpmdm. 🙂
UPD2: Found a hidden iptables command, which should allow changing the firewall settings.
UPD3: And hidden sh command brings you directly to the BusyBox shell. Ah! Finally! 🙂
UPD4: Eh, pity - no snmpd anywhere 😞

Darsh
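The EUI-64 rule described in the post above, as an added Python example (not part of the original posts): it derives the link-local address from a MAC, reverses the mapping, and builds the ssh command line quoted above. The function names and the second MAC used in testing are constructed for illustration.

```python
import ipaddress

def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Derive the modified EUI-64 link-local address for a 48-bit MAC."""
    digits = "".join(c for c in mac if c not in ":-. ")
    if len(digits) != 12:
        raise ValueError(f"expected 12 hex digits, got {mac!r}")
    raw = bytearray(bytes.fromhex(digits))    # ValueError on non-hex input
    raw[0] ^= 0x02                            # invert the seventh (universal/local) bit
    iid = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)

def link_local_to_mac(addr: str) -> str:
    """Recover the MAC from an EUI-64 link-local address, or raise ValueError."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop any %interface suffix
    if not ip.is_link_local:
        raise ValueError("not in fe80::/10")
    iid = bytearray(ip.packed[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface ID was not derived from a MAC via EUI-64")
    iid[0] ^= 0x02                            # flip the bit back
    return ":".join(f"{b:02x}" for b in bytes(iid[:3]) + bytes(iid[5:]))

def ssh_target(mac: str, user: str, iface: str) -> str:
    """Build the Linux command line from the post; iface is the local interface."""
    return f"ssh -l {user} {mac_to_link_local(mac)}%{iface}"

if __name__ == "__main__":
    # MAC taken from the example in the post above
    print(mac_to_link_local("0012.7feb.6b40"))
    print(ssh_target("0012.7feb.6b40", "admin", "eth0"))
```

Because the mapping is reversible, the link-local address discloses the device MAC to anything on the same segment, and anyone who can read the MAC off the label can compute the address.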
Matty123123
Grafter
Posts: 96
Thanks: 2
Registered: ‎01-04-2015

Re: Unlocking the potential of Sagemcom 2704N

Darsh, cheers for the MAC info.

I've made a couple more adjusted firmwares if anyone is interested in the future:
Revision 3-A:
https://drive.google.com/file/d/0B4-Ln6UubyEeeEtPMEZzUTB2bDg/
Went overboard and added more pages in 'expert_user.html'
Deleted Telnet
Enabled SSH (IPv6), cheers Darsh
Changed default MTU to 1492
BUG: when switching between ADSL <> Fibre, it sometimes does not remember large configs
Revision 3-B:
https://drive.google.com/file/d/0B4-Ln6UubyEeSU1oelhUY1ZRS0U/
Same as 3-A, with:
Deleted the TR69 binary  (for the paranoid, like me)
Closed port 7457            (I changed the binary, so a minor error will appear in the log)

Darsh
Grafter
Posts: 48
Thanks: 1
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Confirmed, to enable pings to the WAN interface, you need to add the following lines to your config:
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <X_BROADCOM_COM_AppCfg>
      <IcmpCfg>
        <NetworkAccess>LAN or WAN</NetworkAccess>
      </IcmpCfg>
    </X_BROADCOM_COM_AppCfg>
    <WANDevice instance="1">
      <WANConnectionDevice instance="1">
        <WANPPPConnection instance="1">
          <X_BROADCOM_COM_FirewallException instance="1">
            <Enable>TRUE</Enable>
            <FilterName>ICMP</FilterName>
            <Protocol>ICMP</Protocol>
          </X_BROADCOM_COM_FirewallException>
          <X_BROADCOM_COM_FirewallException nextInstance="2" ></X_BROADCOM_COM_FirewallException>
        </WANPPPConnection>
      </WANConnectionDevice>
    </WANDevice>
  </InternetGatewayDevice>
</DslCpeConfig>

Works now.

Darsh
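An added Python example (not from the thread) that checks a config export against the advice given earlier in the thread to limit the source IP of a firewall exception: it lists every enabled X_BROADCOM_COM_FirewallException with no source restriction and flags SshdCfg if its NetworkAccess includes WAN. The sample config is constructed from the element names posted above; the dotted-quad source address format and the use of "LAN or WAN" under SshdCfg are assumptions.

```python
import xml.etree.ElementTree as ET

UNSET = {None, "", "(null)"}   # how an unrestricted field appears in this thread's configs

def _text(elem, tag):
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else None

def audit(config_xml):
    """Return (issue, path, filter name) tuples for rules that need a second look."""
    findings = []
    def walk(elem, path):
        inst = elem.get("instance")
        here = path + [elem.tag + (f"[{inst}]" if inst else "")]
        # nextInstance placeholders have no <Enable> child and are skipped here
        if (elem.tag == "X_BROADCOM_COM_FirewallException"
                and _text(elem, "Enable") == "TRUE"
                and _text(elem, "SourceIPAddress") in UNSET):
            findings.append(("any-source", "/".join(here), _text(elem, "FilterName")))
        if elem.tag == "SshdCfg" and "WAN" in (_text(elem, "NetworkAccess") or ""):
            findings.append(("ssh-on-wan", "/".join(here), None))
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(config_xml.strip()), [])
    return findings

# Constructed sample; the address in instance 2 is a documentation value.
SAMPLE_CONFIG = """
<DslCpeConfig version="3.0"><InternetGatewayDevice>
  <X_BROADCOM_COM_AppCfg><SshdCfg><NetworkAccess>LAN</NetworkAccess></SshdCfg></X_BROADCOM_COM_AppCfg>
  <WANDevice instance="1"><WANConnectionDevice instance="1"><WANPPPConnection instance="1">
    <X_BROADCOM_COM_FirewallException instance="1">
      <Enable>TRUE</Enable><FilterName>ICMP</FilterName><Protocol>ICMP</Protocol>
      <SourceIPAddress>(null)</SourceIPAddress>
    </X_BROADCOM_COM_FirewallException>
    <X_BROADCOM_COM_FirewallException instance="2">
      <Enable>TRUE</Enable><FilterName>ICMP-monitor</FilterName><Protocol>ICMP</Protocol>
      <SourceIPAddress>192.0.2.10</SourceIPAddress><SourceNetMask>255.255.255.255</SourceNetMask>
    </X_BROADCOM_COM_FirewallException>
    <X_BROADCOM_COM_FirewallException nextInstance="3"></X_BROADCOM_COM_FirewallException>
  </WANPPPConnection></WANConnectionDevice></WANDevice>
</InternetGatewayDevice></DslCpeConfig>
"""

if __name__ == "__main__":
    for issue, path, name in audit(SAMPLE_CONFIG):
        print(issue, path, name)
```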
bobpullen
Community Gaffer
Posts: 16,864
Thanks: 4,946
Fixes: 315
Registered: ‎04-04-2007

Re: Unlocking the potential of Sagemcom 2704N

Quote from: Matty123123
Revision 3-A:
https://drive.google.com/file/d/0B4-Ln6UubyEeeEtPMEZzUTB2bDg/
Went overboard and added more pages in 'expert_user.html'

I don't have access to one of these devices at present, but I'm curious to see what options this opens up. Would anybody care to share a screen grab? (don't worry, I have no sinister reasons for asking ;))

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

Darsh
Grafter
Posts: 48
Thanks: 1
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

Ah, I forgot to share a link to the Sagemcom manual for this router: http://lgsagem.free.fr/drivers__fast1704.htm
The manual is for Sagemcom's original firmware, so a number of GUI pages are different. Still, a good hint on what this router is capable of 🙂

Darsh
30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: ‎18-02-2013

Re: Unlocking the potential of Sagemcom 2704N

Is it possible to view firewall logs with the stock firmware by any chance?
Darsh
Grafter
Posts: 48
Thanks: 1
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

It is, but not via the web GUI.
Add this config:
<DslCpeConfig version="3.0">
 <InternetGatewayDevice>
   <X_BROADCOM_COM_SyslogCfg>
     <Status>Enabled</Status>
     <Option>local buffer</Option>
     <LocalDisplayLevel>Error</LocalDisplayLevel>
     <LocalLogLevel>Debug</LocalLogLevel>
   </X_BROADCOM_COM_SyslogCfg>
 </InternetGatewayDevice>
</DslCpeConfig>

Voila! All logs (not only firewall logs) can now be seen by connecting via ssh and running the syslog dump command. Firewall intrusions look like this:
Apr 16 20:37:29 (none) daemon.alert kernel: Intrusion -> IN=pppoa1 OUT= MAC= SRC=<attacker IP> DST=<your IP> LEN=60 TOS=0x00 PREC=0x80 TTL=58 ID=38967 DF PROTO=TCP SPT=45347 DPT=25555 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr 16 20:37:30 (none) daemon.alert kernel: Intrusion -> IN=pppoa1 OUT= MAC= SRC=<attacker IP> DST=<your IP> LEN=60 TOS=0x00 PREC=0x80 TTL=58 ID=38968 DF PROTO=TCP SPT=45347 DPT=25555 WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000

(I've hidden the IPs).

Darsh
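An added Python example (not part of the original post) for triaging the "Intrusion ->" lines shown above: it parses the key=value fields of each kernel log line and groups hits by source, marking sources that touched several distinct ports. The sample lines are constructed in the posted format, with documentation addresses in place of the hidden IPs; the threshold and function names are assumptions.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\S+\skernel:\sIntrusion ->\s(?P<body>.*)$")

def parse_intrusion(line):
    """Return a dict of fields for an 'Intrusion ->' line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("body").split():
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val          # OUT= and MAC= are kept as empty strings
        else:
            flags.append(tok)          # bare tokens such as DF and SYN
    return {"ts": m.group("ts"), "flags": flags, **fields}

def summarize(lines, port_threshold=3):
    """Group hits by source; 'scan' is set when a source hit >= port_threshold ports."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in lines:
        ev = parse_intrusion(line)
        if ev is None or "SRC" not in ev:
            continue
        entry = per_src[ev["SRC"]]
        entry["hits"] += 1
        if "DPT" in ev:                # ICMP lines carry no DPT field
            entry["ports"].add((ev.get("PROTO", "?"), int(ev["DPT"])))
    return {src: {"hits": e["hits"], "ports": sorted(e["ports"]),
                  "scan": len(e["ports"]) >= port_threshold}
            for src, e in per_src.items()}

# Constructed sample lines in the format posted above.
_T = ("Apr 16 20:37:{sec:02d} (none) daemon.alert kernel: Intrusion -> IN=pppoa1 OUT= MAC= "
      "SRC={src} DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x80 TTL=58 ID=38967 DF "
      "PROTO=TCP SPT=45347 DPT={dpt} WINDOW=29200 RES=0x00 SYN URGP=0 MARK=0x8000000")
SAMPLE = [_T.format(sec=29, src="203.0.113.7", dpt=25555),
          _T.format(sec=30, src="203.0.113.7", dpt=25555),
          _T.format(sec=31, src="203.0.113.9", dpt=22),
          _T.format(sec=32, src="203.0.113.9", dpt=23),
          _T.format(sec=33, src="203.0.113.9", dpt=8080),
          "Apr 16 20:37:34 (none) daemon.info sshd: unrelated line"]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```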
30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: ‎18-02-2013

Re: Unlocking the potential of Sagemcom 2704N

Cheers Darsh, I'll have a mooch at adding ssh as well then.
<InternetGatewayDevice>
<X_BROADCOM_COM_AppCfg>
  <SshdCfg>
    <NetworkAccess>LAN</NetworkAccess>
  </SshdCfg>
</X_BROADCOM_COM_AppCfg>
<SshControl>
  <Enable>TRUE</Enable>
  <UserName>username-here</UserName>
  <Password>password-here</Password>
</SshControl>
</InternetGatewayDevice>

<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <X_BROADCOM_COM_SyslogCfg>
      <Status>Enabled</Status>
      <Option>local buffer</Option>
      <LocalDisplayLevel>Error</LocalDisplayLevel>
      <LocalLogLevel>Debug</LocalLogLevel>
    </X_BROADCOM_COM_SyslogCfg>
  </InternetGatewayDevice>
</DslCpeConfig>
Quote from: Darsh
Quote from: Matty123123
Connect to fe80::XXXX:XXff:feXX:XXXX,  where the X's are the router's MAC address.  (I hope)

Almost the MAC address. IPv6 link-local addresses are formed according to EUI-64, where the seventh bit of the MAC address is inverted, resulting in the first octet of the MAC address either increasing (usually) or decreasing by two.
Example: MAC 0012.7feb.6b40 will produce IPv6 link-local address fe80::0212:7fff:feeb:6b40.
More info here: http://packetlife.net/blog/2008/aug/4/eui-64-ipv6/
For connecting from Linux, you need to specify the local interface you are connecting from, as link-local addresses are not meant for normal traffic use. The syntax is (with the above address and eth0 as local interface): "ssh -l <username> fe80::0212:7fff:feeb:6b40%eth0".
UPD0: Wow! It works!
UPD1: Matt, from examining the router internals dumpsysinfo command looks much more interesting than dumpmdm. 🙂
UPD2: Found a hidden iptables command, which should allow changing the firewall settings.
UPD3: And hidden sh command brings you directly to the BusyBox shell. Ah! Finally! 🙂
UPD4: Eh, pity - no snmpd anywhere 😞

Darsh

grm
Dabbler
Posts: 14
Registered: ‎04-04-2015

Re: Unlocking the potential of Sagemcom 2704N

Been following this thread with interest, can I ask a semi-dumb question?
If I was to put my 2704N into bridge mode and connect it to my existing wired router would the 2704N in effect work as a WiFi AP for the existing router?
TIA.
Darsh
Grafter
Posts: 48
Thanks: 1
Registered: ‎12-03-2015

Re: Unlocking the potential of Sagemcom 2704N

What are you trying to achieve? Connect your existing router to the 2704N via WiFi? Yes, this should be possible (given that your existing router can work in wifi client mode). As far as I understand, 2704N in bridge mode simply bridges all packets on Layer2 between atm interface (or adsl, as ADSL is just a form of ATM) and ethernet interfaces. Since ethernet and wifi interfaces are already in this bridge - it shouldn't really matter how you connect your existing router to this bridge, via ethernet or wifi.
If, however, you are trying to use 2704N as a bridge and also as an additional AP in your home network - I'm afraid this won't work. In this scenario the 2704N will be on the WAN side of your existing router, while your existing router is, obviously, serving its wifi on the LAN side.
Unless you try to configure vlans, set trunk on the WAN interface of your router and ethernet interface of the 2704N, remove 2704N's wifi interface from the bridge and put it into the vlan that corresponds to your existing router's LAN. Theoretically possible (and practically pretty simple on Cisco/Juniper/whatever), the real implementation highly depends on what your existing router and 2704N are capable of. I've seen vlans in the 2704N's config, but haven't played with them yet, so I don't know whether this is possible to configure on it. I reckon the chances are pretty low.
Or do you simply want to use the 2704N as an AP? Then you don't even need to convert it into bridge mode. Just connect ethernet from your existing router to it, configure the same SSID and security parameters - and there you go. 2704N is already bridging between wifi and ethernet interfaces, no need to add adsl interface to this bridge.

Darsh
grm
Dabbler
Posts: 14
Registered: ‎04-04-2015

Re: Unlocking the potential of Sagemcom 2704N

Hi Darsh, thanks for replying.
I have PN fibre, a Draytek 2830n and a 2704N. The Draytek does everything I want in a router bar its WiFi performance - my 2704N seems to deliver great WiFi speeds.
I was hoping that via bridging I could connect the 2704N to the LAN side of the 2830n via ethernet, disable WiFi on the Draytek and use the 2704N as an AP.