Difference between revisions of "Modem BBox-2"

From YobiWiki
Jump to navigation Jump to search
 
(50 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==Description==
+
==Description & versions==
 
This is the default modem coming with Belgacom internet solutions in Belgium.
 
This is the default modem coming with Belgacom internet solutions in Belgium.
 
<br>It allows SIP and IPTV.
 
<br>It allows SIP and IPTV.
   
It's a [http://www.sagem-communications.com/index.php?id=1226&L=1 Sagem F@st 3464] (even if the box looks different), running a customized version of [http://www.jungo.com/openrg/pr_openrg.html Jungo Openrg].
+
It's a [http://www.sagem-communications.com/index.php?id=1226&L=1 Sagem F@st 3464] (even if the box looks different), running a customized version of [http://www.jungo.com/products/openrg-uniform-gateway-middleware/ Jungo Openrg].
  +
  +
Version information, as visible on the web interface:
  +
Runtime Code Version 6001GR-6000GR
  +
Hardware Version 1
  +
Serial Num LK12345DP123456
  +
VDSL Version Firmware-VTU-R:1.0.7r57bIK105012 Time Dec 27 2007, 18:50:21
  +
  +
VDSL sync:
  +
Downstream line rate 21648 kbps
  +
Upstream line rate 2848 kbps
  +
Downstream Training Margin 19.1 dB
  +
  +
test Speedtest.nl:
  +
Downstream line rate 11Mbps
  +
Upstream line rate 1Mbps
  +
  +
'''2010-11-20 update''': I've finally reset the box as it never received any firmware upgrade automatically, despite letters from Belgacom inviting me to restart the modem & even a call to the technical service...
  +
<br>Now:
  +
Runtime Code Version 60R109-60A022
  +
Hardware Version 1
  +
Serial Num LK12345DP123456
  +
VDSL Version Firmware-VTU-R:5.5.1.2IK105012 Time Oct 1 2009, 14:04:47
  +
  +
VDSL sync:
  +
Downstream line rate 16536 kbps
  +
Upstream line rate 2056 kbps
  +
Downstream Training Margin 18.5 dB
  +
  +
From shell:
  +
[admin @ home]$ ver
  +
Version: 4.0.21.3.3.1.32.1.1.1.6.Fast3464.60.A0.22
  +
Platform: Sagem F@ST346X
  +
Compilation Time: 09-Apr-10 17:13:27
  +
[admin @ home]$ shell
  +
BusyBox v1.01 (2009.02.19-21:18+0100) Built-in shell (ash)
  +
# cat /proc/version
  +
Linux version 2.6.15 #66 Fri Apr 9 17:18:12 CEST 2010
  +
  +
Automatic firmware upgrades:
  +
* VLAN20 (Wan eth1.20 VoIP) must be activated (they use port 8085? for tr69)
  +
* tr98 process must be running
  +
I could never get their firmware upgrades transparently, I had to reset the box to get them
  +
  +
Some versions:
  +
* 6001GR-6000GR old
  +
* 60I118-60I918 24-Dec-09 11:47:40
  +
* 60I11U-60I01U 26-Jan-10 12:31:27
  +
* 60R109-60A022 09-Apr-10 17:13:27 (to allow the 17Mhz profile for 30 Mbps?)
   
 
==Exploration==
 
==Exploration==
Line 19: Line 67:
 
* http://192.168.1.1/index.cgi?user_name=admin&password=BGCVDSL2
 
* http://192.168.1.1/index.cgi?user_name=admin&password=BGCVDSL2
 
This allows to save and restore the whole configuration and to upload new firmwares, if any.
 
This allows to save and restore the whole configuration and to upload new firmwares, if any.
  +
<br>Once you get a dump of the configuration you can try manipulating it, there is a guide [http://wildcat.espix.org/doc/bbox2/openrg_configuration_guide.pdf here(pdf)] or [ftp://ftp.on4hu.be/Sagem-B-box2/openrg_configuration_guide.pdf here(pdf)], or better, use telnet and rg_conf commands (help rg_conf)
  +
  +
Other pages might be accessible, cf [http://forum.adsl-bc.org/viewtopic.php?t=55015 this thread (french)] or [http://liveboxsagem11.centerblog.net/6178850-Les-pages-de-configuration-cachees- this page (french)] for the LiveBox.
  +
  +
For the BBox2, here is a list of pages which work properly, inspired from [http://www.ripperjack.info/b-boxandco/spip.php?article41 here]
  +
* 730 advanced control panel
  +
** 40 about openrg
  +
** 70 configuration file
  +
** 140 restart
  +
** 150 restore defaults
  +
** 1220 diagnostics
  +
** 1210 mac cloning
  +
** 120 system settings
  +
** 900 Universal Plug and Play
  +
** 1410 scheduler rules
  +
** 110 date and time
  +
** 100 users
  +
** 810 route (same as from user menu)
  +
** 1430 network objects
  +
** 9037 dynamic DNS (9035 on old fw)
  +
** 9030 IP address distribution
  +
** 9027 DNS server
  +
** 9008 remote administration
  +
** 9024 protocols
  +
* logs
  +
** 750 system (uptime)
  +
** 752 connections
  +
** 753 traffic
  +
** 754 system logs
  +
* others
  +
** 50 network map
  +
** 60 network list view
  +
** 910 SNMP
  +
** 1040 connection wizard
  +
** 1280 RADIUS
  +
** 1450 IPv6
  +
** 9042 change Admin password
  +
** 9079 Web server
  +
  +
Usage: log first as admin as explained before, then enter the pseudo-URL
  +
javascript:mimic_button('goto: **..')
  +
where ** represents the page number.
  +
  +
  +
About page (#40):
   
  +
* About OpenRG
Other pages might be accessible, cf [http://forum.adsl-bc.org/viewtopic.php?t=55015 this thread (french)] or [http://liveboxsagem11.centerblog.net/6178850-Les-pages-de-configuration-cachees- this page (french)]
 
  +
* Version: 4.0.21.3.3.1.32.1.1.1.6.Fast3464.60.00.GR
  +
* Release Date: Mar 2 2009
  +
* Platform: Sagem F@ST346X
  +
* Tag: NRC_belgacom-multimode-fast346x_openrg_orig_3-3-1-32-1-1-1-6_4-2-1_0-0-88
  +
* Compilation Flags: CONFIG_SAGEM_PPPOE_PASSTHRU=y CONFIG_BELGACOM_BBOX=y CONFIG_BELGACOM=y CONFIG_AUTOSENSING_PAGE=y CONFIG_HW_USB_HOST_OHCI=y CONFIG_HW_USB_HOST_EHCI=y CONFIG_USB_PRINTER=y CONFIG_HW_USB_STORAGE=y CONFIG_USB=y CONFIG_RG_FW_CONN_PRIO=y CONFIG_RG_WATCHDOG_OPENRG=y CONFIG_SAGEM_WIFI_MODE_11N=y CONFIG_LIVEBOX_VOIP=y CONFIG_CSS_STANDARD=y CONFIG_SAGEM_MANAGE_CONFIG=y CONFIG_GUI_STANDARD=y CONFIG_GUI_LIVEBOX1=y CONFIG_SAGEM_CONSOLE_BAUDRATE=57600 CONFIG_MRA_SEC_SIZE=0x120000 CONFIG_JFFS2_FS_SIZE=0x100000 CONFIG_BOOTLDR_UBOOT_SECURE=y CONFIG_SOUCHE_RECONF=y CONFIG_SOUCHE_TR69=y CONFIG_SOUCHE_START_AUTOMATE=y CONFIG_SOUCHE_USE_EXTERNAL_OPENSSL=y CONFIG_DHCPS_VS=y CONFIG_DHCPS_FORCE_SEND_NTP=y CONFIG_DHCPS_NTP=y CONFIG_DHCPS_ROOT_PATH=y CONFIG_DHCPS_DOMAIN_NAME=y CONFIG_DHCPS_DNS=y CONFIG_DHCPS_SUBNET_MASK=y CONFIG_DHCPS_MULTIRANGE_BYDEVICEGROUP=y CONFIG_BOOTLDR_UBOOT_COMP=gzip CONFIG_FLASH_SIZE=16 CONFIG_SDRAM_SIZE=64 DIST=SAGEM_346X LIC=../jpkg_fast3202.lic
  +
* Hardware Version: 1
  +
* Hardware Serial Number: LK09194DP270257
  +
* Supported Features: NetFilter Linux Firewall, Ethernet over ATM (RFC2684), Classical IP, PVC Scan, WBM Evaluation License Agreement, Internet Protocol Security, PPTP Server, PPP Over ATM, PPP Over Ethernet, PPTP Client, L2TP Client, ICMP ALG, Port trigger (TFTP) ALG, FTP/FTPS ALG, QuickTime/RealAudio/RealPlayer (RTSP) ALG, H323 ALG (Netmeeting, CuSeeMe ...), SIP ALG, MGCP ALG, PPTP Client (multiuser) ALG, Microsoft Network Messenger/Windows Messenger ALG, IPSec (multiuser) ALG, L2TP ALG, AOL Instant Messenger ALG, DNS ALG, DHCP ALG, Bridge, VLAN 802.1Q bridge, VLAN 802.1Q interfaces management, PPPoE Relay, GDB Server, IGMP Proxy, Jungo Firewall, NAT, Secure HTTP (SSL), Permanent Storage, RIP V1/V2, Reverse NAT, SNMP v1/v2, SNMP v3, Universal Plug & Play, DNS, Concurrent DNS query, DNS Router. Add route rules according to which dns server answare queries, Domain routing. Route according to domains listed on a device, Dynamic DNS, Email Notification, HTTP Proxy, Generic Proxy, Mail filter, URL Keyword Filtering, SurfControl, DHCP Server, DHCP Client, DHCP Relay Agent, Static HTML Management, Web Based Management, TimeZone support, HTTP Server, Telnet Server, SysLog, Command Line Interface, TOD Client, USB RNDIS, File Server, Posix Access Control Lists (ACLs), RAID, OAM F4/F5 Loopback, Print Server, Internet Printing, Voice Over IP, SIP Signalling, H.323 Signalling, MGCP Signalling, Remote Update Management, Remote Management Server, Event Logging, WINS Server, FTP Server, Mail Server, Web Server, File System Backup and Restore, OpenRG QOS support, Bluetooth support
   
 
===memory sharing===
 
===memory sharing===
Line 32: Line 133:
   
 
===telnet===
 
===telnet===
  +
''If you wish to use telnet to view and edit the router settings, then you can use a dedicated tool in Java by Waterflames<!--Wouter De Keersmaecker-->, available [https://dl.dropboxusercontent.com/u/35774053/RouterSettingsEditor.zip here]. <br>This tool provides an easy GUI over rg_conf_print/rg_conf_set calls to login to the router and view and edit the settings.''
 
 
* telnet on 192.168.1.1 port 23 and port 8023
 
* telnet on 192.168.1.1 port 23 and port 8023
 
* telnet SSL on port 992
 
* telnet SSL on port 992
* login admin password BGCVDSL2
+
* login admin password BGCVDSL2 or for recent fw, ther serial number of your box: LK... .
 
* (TODO: try user/user)
 
* (TODO: try user/user)
   
 
If you type the command "shell" you'll get a shell prompt and a busybox environment ;-)
 
If you type the command "shell" you'll get a shell prompt and a busybox environment ;-)
  +
<pre>
<pre>[admin @ home]$ shell
 
  +
[admin @ home]$ ver
  +
Version: 4.0.21.3.3.1.32.1.1.1.6.Fast3464.60.00.GR
  +
Platform: Sagem F@ST346X
  +
Compilation Time: 02-Mar-09 17:18:02
  +
  +
[admin @ home]$ shell
   
   
Line 45: Line 152:
 
Enter 'help' for a list of built-in commands.
 
Enter 'help' for a list of built-in commands.
   
  +
# cat /proc/version
  +
Linux version 2.6.15 #24 Mon Mar 2 18:21:25 CET 2009
 
#
 
#
 
# cat /proc/cpuinfo
 
# cat /proc/cpuinfo
Line 163: Line 272:
   
 
===others===
 
===others===
  +
* 2555/tcp open UPnP Internet Gateway Device implementing some serious commands such as GetPassword ...
* 2555/tcp open unknown UPnP???
 
  +
* 7020/tcp open Apparently for Incoming Jnet (Jungo.net) requests for Remote Upgrade Server (see [http://www.jungo.com/openrg/doc/4.8/user_guide/html/html_openrg_user_manual/sect_management.html#sect_remote_admin here]
* 7020/tcp open unknown remote management rmt_mng???
 
* 7021/tcp open ssl ???
+
* 7021/tcp open Same, in SSL
 
* 8085/tcp open unknown gSOAP_Web_Service???
 
* 8085/tcp open unknown gSOAP_Web_Service???
  +
  +
The modem is also running [http://en.wikipedia.org/wiki/TR-069 a TR-069 process]:
  +
* TR-069 TR-069 is a WAN management protocol intended for communication between Customer Premise Equipment (CPE) and an Auto-Configuration Server (ACS). It defines a mechanism that encompasses secure auto configuration of a CPE, and also incorporates other CPE management functions into a common framework.
  +
* it's supposed to poll an ACS server on port 7547
  +
and a TR-098 process, referring to the Internet Gateway Device data model
  +
 
===accessible from WAN===
 
===accessible from WAN===
 
* pings seem to be blocked
 
* pings seem to be blocked
* 631 open?
+
* TCP port 631 (if ?)
* 2555 open?
+
* TCP port 2555 (openrg)
* 7020 open?
+
* TCP port 7020 (openrg)
* 7021 open?
+
* TCP port 7021 (openrg)
* 8085 open?
+
* TCP port 8085 (tr69)
  +
* TCP port 8888 (lighttpd)
  +
* UDP port 1024 (openrg)
  +
* UDP port 1025 (hostapd)
  +
* UDP port 3000 (openrg, vdsld...)
  +
* RAW port 2 (openrg)
  +
  +
===ss===
  +
Easier to get direct;y the info from the box: there is no netstat but ss does the job:
  +
<pre>
  +
# #TCP
  +
# ss -lnp
  +
Recv-Q Send-Q Local Address:Port Peer Address:Port
  +
0 0 217.136.xx.xx:992 *:* users:(("openrg",574,47),("openrg",753,47))
  +
0 0 10.179.xx.xx:992 *:* users:(("openrg",574,34),("openrg",753,34))
  +
0 0 192.168.1.1:992 *:* users:(("openrg",574,20),("openrg",753,20))
  +
0 0 127.0.0.1:7019 *:* users:(("openrg",574,9),("openrg",753,9))
  +
0 0 217.136.xx.xx:7020 *:* users:(("openrg",574,49),("openrg",753,49))
  +
0 0 10.179.xx.xx:7020 *:* users:(("openrg",574,36),("openrg",753,36))
  +
0 0 192.168.1.1:7020 *:* users:(("openrg",574,22),("openrg",753,22))
  +
0 0 217.136.xx.xx:7021 *:* users:(("openrg",574,48),("openrg",753,48))
  +
0 0 10.179.xx.xx:7021 *:* users:(("openrg",574,35),("openrg",753,35))
  +
0 0 192.168.1.1:7021 *:* users:(("openrg",574,21),("openrg",753,21))
  +
0 0 217.136.xx.xx:8080 *:* users:(("openrg",574,61),("openrg",753,61))
  +
0 0 217.136.xx.xx:80 *:* users:(("openrg",574,50),("openrg",753,50))
  +
0 0 10.179.xx.xx:8080 *:* users:(("openrg",574,38),("openrg",753,38))
  +
0 0 10.179.xx.xx:80 *:* users:(("openrg",574,37),("openrg",753,37))
  +
0 0 192.168.1.1:8080 *:* users:(("openrg",574,26),("openrg",753,26))
  +
0 0 192.168.1.1:80 *:* users:(("openrg",574,25),("openrg",753,25))
  +
0 0 *:8085 *:* users:(("tr69",790,9),("tr69",794,9),("tr69",795,9),("tr69",798,9),("tr69",799,9),("tr69",817,9))
  +
0 0 217.136.xx.xx:8023 *:* users:(("openrg",574,45),("openrg",753,45))
  +
0 0 217.136.xx.xx:23 *:* users:(("openrg",574,44),("openrg",753,44))
  +
0 0 10.179.xx.xx:8023 *:* users:(("openrg",574,33),("openrg",753,33))
  +
0 0 10.179.xx.xx:23 *:* users:(("openrg",574,32),("openrg",753,32))
  +
0 0 192.168.1.1:8023 *:* users:(("openrg",574,19),("openrg",753,19))
  +
0 0 192.168.1.1:23 *:* users:(("openrg",574,18),("openrg",753,18))
  +
0 0 *:8888 *:* users:(("lighttpd",774,6))
  +
0 0 127.0.0.1:7000 *:* users:(("openrg",574,6),("vdsl.sh",677,6),("vdsld",680,6),("vdsld",689,6),("vdsld",690,6),("vdsld",691,6),("vdsld",692,6),("vdsld",693,6),("vdsld",694,6),("vdsld",695,6),("vdsld",696,6),("vdsld",697,6),("openrg",753,6))
  +
0 0 217.136.xx.xx:8443 *:* users:(("openrg",574,66),("openrg",753,66))
  +
  +
# #UDP
  +
# ss -naup
  +
State Recv-Q Send-Q Local Address:Port Peer Address:Port
  +
UNCONN 0 0 *:1024 *:* users:(("openrg",574,8),("openrg",753,8))
  +
UNCONN 0 0 *:1025 *:* users:(("hostapd",754,6))
  +
UNCONN 0 0 192.168.1.1:53 *:* users:(("openrg",574,17),("openrg",753,17))
  +
UNCONN 0 0 127.0.0.1:53 *:* users:(("openrg",574,7),("openrg",753,7))
  +
UNCONN 0 0 *:3000 *:* users:(("openrg",574,5),("vdsl.sh",677,5),("vdsld",680,5),("vdsld",689,5),("vdsld",690,5),("vdsld",691,5),("vdsld",692,5),("vdsld",693,5),("vdsld",694,5),("vdsld",695,5),("vdsld",696,5),("vdsld",697,5),("openrg",753,5))
  +
UNCONN 0 0 10.179.xx.xx:5060 *:* users:(("sipd",803,14),("sipd",804,14),("sipd",805,14),("sipd",806,14),("sipd",807,14),("sipd",812,14),("sipd",813,14),("sipd",814,14))
  +
UNCONN 0 0 192.168.1.1:1900 *:* users:(("openrg",574,24),("openrg",753,24))
  +
UNCONN 0 0 239.255.255.250:1900 *:* users:(("openrg",574,23),("openrg",753,23))
  +
  +
# #RAW
  +
# ss -nawp
  +
State Recv-Q Send-Q Local Address:Port Peer Address:Port
  +
UNCONN 0 0 *:2 *:* users:(("openrg",574,15),("openrg",753,15))
  +
  +
</pre>
  +
  +
==UPnP==
  +
By default the modem has a UPnP IGD profile and I don't see how to disable it.
  +
<br>'''EDIT''': actually it's possible by logging first as admin then entering the pseudo-URL "javascript:mimic_button('goto: 900..')"
  +
<br>If you use Skype this means Skype will tell the modem to open some ports and Skype will be reachable directly from Internet which means you become a relay-node and this can generate a lot of traffic!
  +
<br>One way to avoid it is to locally block the UPnP discovery multicast packets of Skype, e.g.:
  +
iptables -A OUTPUT -d 239.255.255.250 -p udp -m string --algo bm --string "urn:schemas-upnp-org:service:WAN" -j DROP
  +
By filtering on that string this allows other applications to send their M-SEARCH packet if they don't look for services:WANIP/WANPPP...
  +
<br>One can install that netfilter rule on Debian by following [http://www.debian-administration.org/articles/615 this howto]
  +
<br><br>
  +
If you are using Windows, you can [http://www.mydigitallife.info/2009/08/27/how-to-disable-upnp-in-skype-to-remove-open-tcp-and-udp-ports-in-firewall/ disable UPnP directly in Skype] from version 4.0
  +
==Wi-Fi==
  +
I had stability problems when trying to communicate between two wireless clients while wireless to wired or vice versa was working properly.
  +
<br>I forced the access point to mode 802.11g only and since then it works much better:
  +
<br>telnet to the box then:
  +
rg_conf_set dev/eth2/wl_ap/wl_dot11_mode "g_only"
  +
  +
==Getting greener?==
  +
From [http://patrick.vande-walle.eu/bbox-2/belgacoms-bbox2-wastes-resources/ here]: I also chose to shut down the tr98 service as anyway fw upgrades went never properly for me and tr98 process is eating all available CPU (see "top").
  +
killall tr98
  +
==IPs attribution by DHCP==
  +
Just a short note because it's so well hidden in the configuration that I never find it back...
  +
* Advanced Settings/Network Interfaces/LAN Bridge/IP Address Distribution/Connection List
  +
You can create a new static entry or change an existing dynamic entry into a static one then edit it.
  +
<br>Better to allocate static entries out of the dynamic DHCP pool, which you can constrain via
  +
* Advanced Settings/Network Interfaces/LAN Bridge/IP Address Distribution/LAN Bridge
  +
What is stupid is that names given there are not reflected by the DNS server
  +
  +
==Misc info==
  +
* http://www.ripperjack.info/b-boxandco/ (french)
  +
* https://web.archive.org/web/20150115115640/http://patrick.vande-walle.eu/bbox-2/
  +
* http://www.zoobab.com/bbox2
  +
  +
==Belgacom & Fon==
  +
* http://www.belgacomfon.be
  +
* http://wiki.fon.com/wiki/Belgacom
  +
* http://forum.adsl-bc.org/viewtopic.php?t=74970
  +
** http://forum.adsl-bc.org/viewtopic.php?p=1137752#1137752
  +
To get access to the hotspot page if it doesn't appear in the side bar:
  +
Got to 192.168.1.1 then enter URL:
  +
javascript:mimic_button('sidebar:%20lb_sidebar_advanced_hotspot..',%200)
  +
Note that to work I had to enable in about:config of Firefox:
  +
noscript.allowURLBarJS = true
  +
Mine says
  +
Hotspot: Disabled
  +
probably because I'm still with a 16/2 connection
  +
<br>Note that actual firmware is 60R10A-60A05G
  +
<br>'''Edit''': now it's activated with SSID FON_BELGACOM
  +
* Belgacon-fon IDs work fine on Fonera boxes
  +
* Belgacom-fon IDs fail on [http://corp.fon.com/fr/login/ Fon website]
  +
* [https://market.android.com/details?id=com.belgacom.fon Belgacom-fon app] work fine on Fonera boxes (so any FON_* ssid)
  +
* Belgacom-fon app '''fails''' on Belgacom-fon BBoxes
  +
* Manual usage of Belgacon-fon IDs work fine on Belgacom-fon BBox portal
  +
* There is [https://market.android.com/details?id=com.oakley.fon another Fon application] on the Market. Seems the Belgacom one is just a rebranding. Original app seems banned in Belgium, [http://androiddev.orkitra.com/download/apps/?appid=-6579170461419207784&download=com.oakley.fon_v1.2.3 here] is a link to the apk

Latest revision as of 23:56, 18 November 2019

Description & versions

This is the default modem coming with Belgacom internet solutions in Belgium.
It allows SIP and IPTV.

It's a Sagem F@st 3464 (even if the box looks different), running a customized version of Jungo Openrg.

Version information, as visible on the web interface:

Runtime Code Version   6001GR-6000GR 
Hardware Version       1
Serial Num             LK12345DP123456 
VDSL Version           Firmware-VTU-R:1.0.7r57bIK105012 Time Dec 27 2007, 18:50:21

VDSL sync:

Downstream line rate        21648 kbps
Upstream line rate          2848 kbps
Downstream Training Margin  19.1 dB

test Speedtest.nl:

Downstream line rate        11Mbps
Upstream line rate           1Mbps

2010-11-20 update: I've finally reset the box as it never received any firmware upgrade automatically, despite letters from Belgacom inviting me to restart the modem & even a call to the technical service...
Now:

Runtime Code Version   60R109-60A022 
Hardware Version       1
Serial Num             LK12345DP123456 
VDSL Version           Firmware-VTU-R:5.5.1.2IK105012 Time Oct 1 2009, 14:04:47 

VDSL sync:

Downstream line rate 	16536 kbps
Upstream line rate 	2056 kbps  		  		 
Downstream Training Margin 	18.5 dB

From shell:

[admin @ home]$ ver
Version: 4.0.21.3.3.1.32.1.1.1.6.Fast3464.60.A0.22
Platform: Sagem F@ST346X
Compilation Time: 09-Apr-10 17:13:27
[admin @ home]$ shell
BusyBox v1.01 (2009.02.19-21:18+0100) Built-in shell (ash)
# cat /proc/version
Linux version 2.6.15 #66 Fri Apr 9 17:18:12 CEST 2010

Automatic firmware upgrades:

  • VLAN20 (Wan eth1.20 VoIP) must be activated (they use port 8085? for tr69)
  • tr98 process must be running

I could never get their firmware upgrades transparently, I had to reset the box to get them

Some versions:

  • 6001GR-6000GR old
  • 60I118-60I918 24-Dec-09 11:47:40
  • 60I11U-60I01U 26-Jan-10 12:31:27
  • 60R109-60A022 09-Apr-10 17:13:27 (to allow the 17Mhz profile for 30 Mbps?)

Exploration

A number of services & ports are available:

web interface

You can reach it via any of those addresses:

HTTPS offers a OpenRG SSL certificate, to be explicitly accepted by your browser to go further...

Admin settings menu:
If you're logging as admin rather than user as default, you'll get an extra menu:

This allows to save and restore the whole configuration and to upload new firmwares, if any.
Once you get a dump of the configuration you can try manipulating it, there is a guide here(pdf) or here(pdf), or better, use telnet and rg_conf commands (help rg_conf)

Other pages might be accessible, cf this thread (french) or this page (french) for the LiveBox.

For the BBox2, here is a list of pages which work properly, inspired from here

  • 730 advanced control panel
    • 40 about openrg
    • 70 configuration file
    • 140 restart
    • 150 restore defaults
    • 1220 diagnostics
    • 1210 mac cloning
    • 120 system settings
    • 900 Universal Plug and Play
    • 1410 scheduler rules
    • 110 date and time
    • 100 users
    • 810 route (same as from user menu)
    • 1430 network objects
    • 9037 dynamic DNS (9035 on old fw)
    • 9030 IP address distribution
    • 9027 DNS server
    • 9008 remote administration
    • 9024 protocols
  • logs
    • 750 system (uptime)
    • 752 connections
    • 753 traffic
    • 754 system logs
  • others
    • 50 network map
    • 60 network list view
    • 910 SNMP
    • 1040 connection wizard
    • 1280 RADIUS
    • 1450 IPv6
    • 9042 change Admin password
    • 9079 Web server

Usage: log first as admin as explained before, then enter the pseudo-URL

javascript:mimic_button('goto: **..')

where ** represents the page number.


About page (#40):

  • About OpenRG
  • Version: 4.0.21.3.3.1.32.1.1.1.6.Fast3464.60.00.GR
  • Release Date: Mar 2 2009
  • Platform: Sagem F@ST346X
  • Tag: NRC_belgacom-multimode-fast346x_openrg_orig_3-3-1-32-1-1-1-6_4-2-1_0-0-88
  • Compilation Flags: CONFIG_SAGEM_PPPOE_PASSTHRU=y CONFIG_BELGACOM_BBOX=y CONFIG_BELGACOM=y CONFIG_AUTOSENSING_PAGE=y CONFIG_HW_USB_HOST_OHCI=y CONFIG_HW_USB_HOST_EHCI=y CONFIG_USB_PRINTER=y CONFIG_HW_USB_STORAGE=y CONFIG_USB=y CONFIG_RG_FW_CONN_PRIO=y CONFIG_RG_WATCHDOG_OPENRG=y CONFIG_SAGEM_WIFI_MODE_11N=y CONFIG_LIVEBOX_VOIP=y CONFIG_CSS_STANDARD=y CONFIG_SAGEM_MANAGE_CONFIG=y CONFIG_GUI_STANDARD=y CONFIG_GUI_LIVEBOX1=y CONFIG_SAGEM_CONSOLE_BAUDRATE=57600 CONFIG_MRA_SEC_SIZE=0x120000 CONFIG_JFFS2_FS_SIZE=0x100000 CONFIG_BOOTLDR_UBOOT_SECURE=y CONFIG_SOUCHE_RECONF=y CONFIG_SOUCHE_TR69=y CONFIG_SOUCHE_START_AUTOMATE=y CONFIG_SOUCHE_USE_EXTERNAL_OPENSSL=y CONFIG_DHCPS_VS=y CONFIG_DHCPS_FORCE_SEND_NTP=y CONFIG_DHCPS_NTP=y CONFIG_DHCPS_ROOT_PATH=y CONFIG_DHCPS_DOMAIN_NAME=y CONFIG_DHCPS_DNS=y CONFIG_DHCPS_SUBNET_MASK=y CONFIG_DHCPS_MULTIRANGE_BYDEVICEGROUP=y CONFIG_BOOTLDR_UBOOT_COMP=gzip CONFIG_FLASH_SIZE=16 CONFIG_SDRAM_SIZE=64 DIST=SAGEM_346X LIC=../jpkg_fast3202.lic
  • Hardware Version: 1
  • Hardware Serial Number: LK09194DP270257
  • Supported Features: NetFilter Linux Firewall, Ethernet over ATM (RFC2684), Classical IP, PVC Scan, WBM Evaluation License Agreement, Internet Protocol Security, PPTP Server, PPP Over ATM, PPP Over Ethernet, PPTP Client, L2TP Client, ICMP ALG, Port trigger (TFTP) ALG, FTP/FTPS ALG, QuickTime/RealAudio/RealPlayer (RTSP) ALG, H323 ALG (Netmeeting, CuSeeMe ...), SIP ALG, MGCP ALG, PPTP Client (multiuser) ALG, Microsoft Network Messenger/Windows Messenger ALG, IPSec (multiuser) ALG, L2TP ALG, AOL Instant Messenger ALG, DNS ALG, DHCP ALG, Bridge, VLAN 802.1Q bridge, VLAN 802.1Q interfaces management, PPPoE Relay, GDB Server, IGMP Proxy, Jungo Firewall, NAT, Secure HTTP (SSL), Permanent Storage, RIP V1/V2, Reverse NAT, SNMP v1/v2, SNMP v3, Universal Plug & Play, DNS, Concurrent DNS query, DNS Router. Add route rules according to which dns server answare queries, Domain routing. Route according to domains listed on a device, Dynamic DNS, Email Notification, HTTP Proxy, Generic Proxy, Mail filter, URL Keyword Filtering, SurfControl, DHCP Server, DHCP Client, DHCP Relay Agent, Static HTML Management, Web Based Management, TimeZone support, HTTP Server, Telnet Server, SysLog, Command Line Interface, TOD Client, USB RNDIS, File Server, Posix Access Control Lists (ACLs), RAID, OAM F4/F5 Loopback, Print Server, Internet Printing, Voice Over IP, SIP Signalling, H.323 Signalling, MGCP Signalling, Remote Update Management, Remote Management Server, Event Logging, WINS Server, FTP Server, Mail Server, Web Server, File System Backup and Restore, OpenRG QOS support, Bluetooth support

memory sharing

Apparently you may connect a USB harddrive to the BBox-2 and share its content as with a NAS.
-> /mnt/usb internally A webserver (lighttpd) would then expose the content via:

Or if via the admin menu, you enable memory sharing, we get the same via a WAN (accessible outside too!) https:

HTTPS offers a Sagem certificate

telnet

If you wish to use telnet to view and edit the router settings, then you can use a dedicated tool in Java by Waterflames, available here.
This tool provides an easy GUI over rg_conf_print/rg_conf_set calls to login to the router and view and edit the settings.

  • telnet on 192.168.1.1 port 23 and port 8023
  • telnet SSL on port 992
  • login admin password BGCVDSL2 or for recent fw, ther serial number of your box: LK... .
  • (TODO: try user/user)

If you type the command "shell" you'll get a shell prompt and a busybox environment ;-)

[admin @ home]$ ver
Version: 4.0.21.3.3.1.32.1.1.1.6.Fast3464.60.00.GR
Platform: Sagem F@ST346X
Compilation Time: 02-Mar-09 17:18:02

[admin @ home]$ shell


BusyBox v1.01 (2009.02.19-21:18+0100) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /proc/version 
Linux version 2.6.15 #24 Mon Mar 2 18:21:25 CET 2009
# 
# cat /proc/cpuinfo
system type		: ADI Fusiv Core
processor		: 0
cpu model		: Lexra LX4189 V0.0
BogoMIPS		: 199.47
wait instruction	: no
microsecond timers	: no
tlb_entries		: 64
extra interrupt vector	: no
hardware watchpoint	: no
ASEs implemented	:
VCED exceptions		: not available
VCEI exceptions		: not available

# ps
  PID  Uid     VmSize Stat Command
    1 0           652 S   /bin/init 
    2 0               SWN [ksoftirqd/0]
    3 0               SW< [events/0]
    4 0               SW< [khelper]
    5 0               SW< [kthread]
    8 0               SW< [kblockd/0]
   11 0               SW< [khubd]
   35 0               SW  [pdflush]
   36 0               SW  [pdflush]
   38 0               SW< [aio/0]
   37 0               SW  [kswapd0]
  559 0               SW  [mtdblockd]
  574 0          4436 S   /bin/openrg 
  629 0               SWN [jffs2_gcd_mtd1]
  677 0           348 S   /bin/sh /etc/vdsl.sh 
  680 0          2208 S   vdsld 
  686 0           560 S   /bin/main_autom /etc/process_list.dat 2 9 
  687 0           560 S   /bin/main_autom /etc/process_list.dat 2 9 
  688 0           560 S   /bin/main_autom /etc/process_list.dat 2 9 
  689 0          2208 S   vdsld 
  690 0          2208 S   vdsld 
  691 0          2208 S   vdsld 
  692 0          2208 S   vdsld 
  693 0          2208 S   vdsld 
  694 0          2208 S   vdsld 
  695 0          2208 S   vdsld 
  696 0          2208 S   vdsld 
  697 0          2208 S   vdsld 
  753 0          4436 D   /bin/openrg 
  752 0               SW  [idmaThread]
  754 0           424 S   hostapd /etc/hostapd.conf.eth2 
  757 0           764 S   /bin/watchdog 
  758 0           560 S   /bin/main_autom /etc/process_list.dat 2 9 
  772 0           228 S   /usr/local/bin/syncloop 
  777 0           644 S   /usr/local/sbin/lighttpd -f /mnt/ffs/A/lighttpd.conf 
  781 0           388 S   /bin/igmpsnoop -i eth0 -l 30 -c 0x10080 -v -t 
  782 0           380 S   /bin/oam start 5 
  783 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
  786 0           296 S   /bin/syslogd-sa -b 
  787 0           380 S   /bin/oam start 5 
  788 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
  789 0           380 S   /bin/oam start 5 
  790 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
  791 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
  792 0           800 S   /bin/tr98 5 5 
  795 0          1804 S   /bin/tr69 --debug 5 
  797 0          1804 S   /bin/tr69 --debug 5 
  798 0          1804 S   /bin/tr69 --debug 5 
  799 0           800 S   /bin/tr98 5 5 
  800 0           800 S   /bin/tr98 5 5 
  801 0          1804 S   /bin/tr69 --debug 5 
  802 0          1804 S   /bin/tr69 --debug 5 
  803 0           800 R   /bin/tr98 5 5 
  806 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  807 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  808 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  809 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  810 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  815 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  816 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  817 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  818 0          1804 S   /bin/tr69 --debug 5 
  862 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
 1318 0           444 S   /bin/sh 
 1327 0           320 R   ps ax 
# 
# df
Filesystem           1k-blocks      Used Available Use% Mounted on
cramfs                    2560      2560         0 100% /mnt/cramfs

# cat /etc/mtab
rootfs / rootfs rw 0 0
cramfs /mnt/cramfs cramfs_mainfs ro 0 0
/proc /proc proc rw,nodiratime 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/sys /sys sysfs rw 0 0

# cat /proc/mounts 
rootfs / rootfs rw 0 0
cramfs /mnt/cramfs cramfs_mainfs ro 0 0
/proc /proc proc rw,nodiratime 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/dev/mtdblock1 /mnt/ffs/A jffs2 rw,sync,noatime 0 0
/sys /sys sysfs rw 0 0

I got also /mnt/ffs mounted once, should check again...

Website files are in /mnt/cramfs/home/httpd/html

Trying to change the theme (this didn't bring extra menu, to the contrary)

[admin @ home]$ rg_conf_print wbm/theme     
(theme(Sagem))
[admin @ home]$ rg_conf_set wbm/theme OpenRG
[admin @ home]$ rg_conf_print wbm/theme     
(theme(OpenRG))

To revert:

[admin @ home]$ rg_conf_set wbm/theme Sagem

To learn the commands to manipulate the configuration, see here (french)

others

  • 2555/tcp open UPnP Internet Gateway Device implementing some serious commands such as GetPassword ...
  • 7020/tcp open Apparently for Incoming Jnet (Jungo.net) requests for Remote Upgrade Server (see here
  • 7021/tcp open Same, in SSL
  • 8085/tcp open unknown gSOAP_Web_Service???

The modem is also running a TR-069 process:

  • TR-069 TR-069 is a WAN management protocol intended for communication between Customer Premise Equipment (CPE) and an Auto-Configuration Server (ACS). It defines a mechanism that encompasses secure auto configuration of a CPE, and also incorporates other CPE management functions into a common framework.
  • it's supposed to poll an ACS server on port 7547

and a TR-098 process, referring to the Internet Gateway Device data model

accessible from WAN

  • pings seem to be blocked
  • TCP port 631 (if ?)
  • TCP port 2555 (openrg)
  • TCP port 7020 (openrg)
  • TCP port 7021 (openrg)
  • TCP port 8085 (tr69)
  • TCP port 8888 (lighttpd)
  • UDP port 1024 (openrg)
  • UDP port 1025 (hostapd)
  • UDP port 3000 (openrg, vdsld...)
  • RAW port 2 (openrg)

ss

Easier to get direct;y the info from the box: there is no netstat but ss does the job:

# #TCP
# ss -lnp
Recv-Q Send-Q             Local Address:Port               Peer Address:Port 
0      0                  217.136.xx.xx:992                           *:*      users:(("openrg",574,47),("openrg",753,47))
0      0                   10.179.xx.xx:992                           *:*      users:(("openrg",574,34),("openrg",753,34))
0      0                    192.168.1.1:992                           *:*      users:(("openrg",574,20),("openrg",753,20))
0      0                      127.0.0.1:7019                          *:*      users:(("openrg",574,9),("openrg",753,9))
0      0                  217.136.xx.xx:7020                          *:*      users:(("openrg",574,49),("openrg",753,49))
0      0                   10.179.xx.xx:7020                          *:*      users:(("openrg",574,36),("openrg",753,36))
0      0                    192.168.1.1:7020                          *:*      users:(("openrg",574,22),("openrg",753,22))
0      0                  217.136.xx.xx:7021                          *:*      users:(("openrg",574,48),("openrg",753,48))
0      0                   10.179.xx.xx:7021                          *:*      users:(("openrg",574,35),("openrg",753,35))
0      0                    192.168.1.1:7021                          *:*      users:(("openrg",574,21),("openrg",753,21))
0      0                  217.136.xx.xx:8080                          *:*      users:(("openrg",574,61),("openrg",753,61))
0      0                  217.136.xx.xx:80                            *:*      users:(("openrg",574,50),("openrg",753,50))
0      0                   10.179.xx.xx:8080                          *:*      users:(("openrg",574,38),("openrg",753,38))
0      0                   10.179.xx.xx:80                            *:*      users:(("openrg",574,37),("openrg",753,37))
0      0                    192.168.1.1:8080                          *:*      users:(("openrg",574,26),("openrg",753,26))
0      0                    192.168.1.1:80                            *:*      users:(("openrg",574,25),("openrg",753,25))
0      0                              *:8085                          *:*      users:(("tr69",790,9),("tr69",794,9),("tr69",795,9),("tr69",798,9),("tr69",799,9),("tr69",817,9))
0      0                  217.136.xx.xx:8023                          *:*      users:(("openrg",574,45),("openrg",753,45))
0      0                  217.136.xx.xx:23                            *:*      users:(("openrg",574,44),("openrg",753,44))
0      0                   10.179.xx.xx:8023                          *:*      users:(("openrg",574,33),("openrg",753,33))
0      0                   10.179.xx.xx:23                            *:*      users:(("openrg",574,32),("openrg",753,32))
0      0                    192.168.1.1:8023                          *:*      users:(("openrg",574,19),("openrg",753,19))
0      0                    192.168.1.1:23                            *:*      users:(("openrg",574,18),("openrg",753,18))
0      0                              *:8888                          *:*      users:(("lighttpd",774,6))
0      0                      127.0.0.1:7000                          *:*      users:(("openrg",574,6),("vdsl.sh",677,6),("vdsld",680,6),("vdsld",689,6),("vdsld",690,6),("vdsld",691,6),("vdsld",692,6),("vdsld",693,6),("vdsld",694,6),("vdsld",695,6),("vdsld",696,6),("vdsld",697,6),("openrg",753,6))
0      0                  217.136.xx.xx:8443                          *:*      users:(("openrg",574,66),("openrg",753,66))

# #UDP
# ss -naup
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
UNCONN     0      0                         *:1024                     *:*      users:(("openrg",574,8),("openrg",753,8))
UNCONN     0      0                         *:1025                     *:*      users:(("hostapd",754,6))
UNCONN     0      0               192.168.1.1:53                       *:*      users:(("openrg",574,17),("openrg",753,17))
UNCONN     0      0                 127.0.0.1:53                       *:*      users:(("openrg",574,7),("openrg",753,7))
UNCONN     0      0                         *:3000                     *:*      users:(("openrg",574,5),("vdsl.sh",677,5),("vdsld",680,5),("vdsld",689,5),("vdsld",690,5),("vdsld",691,5),("vdsld",692,5),("vdsld",693,5),("vdsld",694,5),("vdsld",695,5),("vdsld",696,5),("vdsld",697,5),("openrg",753,5))
UNCONN     0      0              10.179.xx.xx:5060                     *:*      users:(("sipd",803,14),("sipd",804,14),("sipd",805,14),("sipd",806,14),("sipd",807,14),("sipd",812,14),("sipd",813,14),("sipd",814,14))
UNCONN     0      0               192.168.1.1:1900                     *:*      users:(("openrg",574,24),("openrg",753,24))
UNCONN     0      0           239.255.255.250:1900                     *:*      users:(("openrg",574,23),("openrg",753,23))

# #RAW
# ss -nawp
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
UNCONN     0      0                         *:2                        *:*      users:(("openrg",574,15),("openrg",753,15))

UPnP

By default the modem has a UPnP IGD profile and I don't see how to disable it.
EDIT: actually it's possible by logging first as admin then entering the pseudo-URL "javascript:mimic_button('goto: 900..')"
If you use Skype this means Skype will tell the modem to open some ports and Skype will be reachable directly from Internet which means you become a relay-node and this can generate a lot of traffic!
One way to avoid it is to locally block the UPnP discovery multicast packets of Skype, e.g.:

iptables -A OUTPUT -d 239.255.255.250 -p udp -m string --algo bm --string "urn:schemas-upnp-org:service:WAN" -j DROP

By filtering on that string this allows other applications to send their M-SEARCH packet if they don't look for services:WANIP/WANPPP...
One can install that netfilter rule on Debian by following this howto

If you are using Windows, you can disable UPnP directly in Skype from version 4.0

Wi-Fi

I had stability problems when trying to communicate between two wireless clients while wireless to wired or vice versa was working properly.
I forced the access point to mode 802.11g only and since then it works much better:
telnet to the box then:

rg_conf_set dev/eth2/wl_ap/wl_dot11_mode "g_only"

Getting greener?

From here: I also chose to shut down the tr98 service as anyway fw upgrades went never properly for me and tr98 process is eating all available CPU (see "top").

killall tr98

IPs attribution by DHCP

Just a short note because it's so well hidden in the configuration that I never find it back...

  • Advanced Settings/Network Interfaces/LAN Bridge/IP Address Distribution/Connection List

You can create a new static entry or change an existing dynamic entry into a static one then edit it.
Better to allocate static entries out of the dynamic DHCP pool, which you can constrain via

  • Advanced Settings/Network Interfaces/LAN Bridge/IP Address Distribution/LAN Bridge

What is stupid is that names given there are not reflected by the DNS server

Misc info

Belgacom & Fon

To get access to the hotspot page if it doesn't appear in the side bar:

Got to 192.168.1.1 then enter URL:
javascript:mimic_button('sidebar:%20lb_sidebar_advanced_hotspot..',%200)

Note that to work I had to enable in about:config of Firefox:

noscript.allowURLBarJS = true

Mine says

Hotspot:	Disabled

probably because I'm still with a 16/2 connection
Note that actual firmware is 60R10A-60A05G
Edit: now it's activated with SSID FON_BELGACOM

  • Belgacon-fon IDs work fine on Fonera boxes
  • Belgacom-fon IDs fail on Fon website
  • Belgacom-fon app work fine on Fonera boxes (so any FON_* ssid)
  • Belgacom-fon app fails on Belgacom-fon BBoxes
  • Manual usage of Belgacon-fon IDs work fine on Belgacom-fon BBox portal
  • There is another Fon application on the Market. Seems the Belgacom one is just a rebranding. Original app seems banned in Belgium, here is a link to the apk