Difference between revisions of "Modem BBox-2"

From YobiWiki
Jump to navigation Jump to search
Line 198: Line 198:
 
===accessible from WAN===
 
===accessible from WAN===
 
* pings seem to be blocked
 
* pings seem to be blocked
* 631 open?
+
* TCP port 631 (if ?)
* 2555 open?
+
* TCP port 2555 (openrg)
* 7020 open?
+
* TCP port 7020 (openrg)
* 7021 open?
+
* TCP port 7021 (openrg)
* 8085 open?
+
* TCP port 8085 (tr69)
  +
* UDP port 1024 (openrg)
  +
* UDP port 1025 (hostapd)
  +
* UDP port 3000 (openrg, vdsld...)
  +
* RAW port 2
  +
 
===ss===
 
===ss===
 
Easier to get direct;y the info from the box: there is no netstat but ss does the job:
 
Easier to get direct;y the info from the box: there is no netstat but ss does the job:

Revision as of 23:59, 17 January 2010

Description

This is the default modem coming with Belgacom internet solutions in Belgium.
It allows SIP and IPTV.

It's a Sagem F@st 3464 (even if the box looks different), running a customized version of Jungo Openrg.

Version information, as visible on the web interface:

Runtime Code Version   6001GR-6000GR 
Hardware Version       1
Serial Num             LK12345DP123456 
VDSL Version           Firmware-VTU-R:1.0.7r57bIK105012 Time Dec 27 2007, 18:50:21

VDSL sync:

Downstream line rate        21648 kbps
Upstream line rate          2848 kbps
Downstream Training Margin  19.1 dB

test Speedtest.nl:

Downstream line rate        11Mbps
Upstream line rate           1Mbps

Exploration

A number of services & ports are available:

web interface

You can reach it via any of those addresses:

HTTPS offers a OpenRG SSL certificate, to be explicitly accepted by your browser to go further...

Admin settings menu:
If you're logging as admin rather than user as default, you'll get an extra menu:

This allows to save and restore the whole configuration and to upload new firmwares, if any.

Other pages might be accessible, cf this thread (french) or this page (french)

memory sharing

Apparently you may connect a USB harddrive to the BBox-2 and share its content as with a NAS.
-> /mnt/usb internally A webserver (lighttpd) would then expose the content via:

Or if via the admin menu, you enable memory sharing, we get the same via a WAN (accessible outside too!) https:

HTTPS offers a Sagem certificate

telnet

  • telnet on 192.168.1.1 port 23 and port 8023
  • telnet SSL on port 992
  • login admin password BGCVDSL2
  • (TODO: try user/user)

If you type the command "shell" you'll get a shell prompt and a busybox environment ;-)

[admin @ home]$ ver
Version: 4.0.21.3.3.1.32.1.1.1.6.Fast3464.60.00.GR
Platform: Sagem F@ST346X
Compilation Time: 02-Mar-09 17:18:02

[admin @ home]$ shell


BusyBox v1.01 (2009.02.19-21:18+0100) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# cat /proc/version 
Linux version 2.6.15 #24 Mon Mar 2 18:21:25 CET 2009
# 
# cat /proc/cpuinfo
system type		: ADI Fusiv Core
processor		: 0
cpu model		: Lexra LX4189 V0.0
BogoMIPS		: 199.47
wait instruction	: no
microsecond timers	: no
tlb_entries		: 64
extra interrupt vector	: no
hardware watchpoint	: no
ASEs implemented	:
VCED exceptions		: not available
VCEI exceptions		: not available

# ps
  PID  Uid     VmSize Stat Command
    1 0           652 S   /bin/init 
    2 0               SWN [ksoftirqd/0]
    3 0               SW< [events/0]
    4 0               SW< [khelper]
    5 0               SW< [kthread]
    8 0               SW< [kblockd/0]
   11 0               SW< [khubd]
   35 0               SW  [pdflush]
   36 0               SW  [pdflush]
   38 0               SW< [aio/0]
   37 0               SW  [kswapd0]
  559 0               SW  [mtdblockd]
  574 0          4436 S   /bin/openrg 
  629 0               SWN [jffs2_gcd_mtd1]
  677 0           348 S   /bin/sh /etc/vdsl.sh 
  680 0          2208 S   vdsld 
  686 0           560 S   /bin/main_autom /etc/process_list.dat 2 9 
  687 0           560 S   /bin/main_autom /etc/process_list.dat 2 9 
  688 0           560 S   /bin/main_autom /etc/process_list.dat 2 9 
  689 0          2208 S   vdsld 
  690 0          2208 S   vdsld 
  691 0          2208 S   vdsld 
  692 0          2208 S   vdsld 
  693 0          2208 S   vdsld 
  694 0          2208 S   vdsld 
  695 0          2208 S   vdsld 
  696 0          2208 S   vdsld 
  697 0          2208 S   vdsld 
  753 0          4436 D   /bin/openrg 
  752 0               SW  [idmaThread]
  754 0           424 S   hostapd /etc/hostapd.conf.eth2 
  757 0           764 S   /bin/watchdog 
  758 0           560 S   /bin/main_autom /etc/process_list.dat 2 9 
  772 0           228 S   /usr/local/bin/syncloop 
  777 0           644 S   /usr/local/sbin/lighttpd -f /mnt/ffs/A/lighttpd.conf 
  781 0           388 S   /bin/igmpsnoop -i eth0 -l 30 -c 0x10080 -v -t 
  782 0           380 S   /bin/oam start 5 
  783 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
  786 0           296 S   /bin/syslogd-sa -b 
  787 0           380 S   /bin/oam start 5 
  788 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
  789 0           380 S   /bin/oam start 5 
  790 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
  791 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
  792 0           800 S   /bin/tr98 5 5 
  795 0          1804 S   /bin/tr69 --debug 5 
  797 0          1804 S   /bin/tr69 --debug 5 
  798 0          1804 S   /bin/tr69 --debug 5 
  799 0           800 S   /bin/tr98 5 5 
  800 0           800 S   /bin/tr98 5 5 
  801 0          1804 S   /bin/tr69 --debug 5 
  802 0          1804 S   /bin/tr69 --debug 5 
  803 0           800 R   /bin/tr98 5 5 
  806 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  807 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  808 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  809 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  810 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  815 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  816 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  817 0          2424 S   /bin/sipd /etc/process_list.dat 5 5 
  818 0          1804 S   /bin/tr69 --debug 5 
  862 0           688 S   /bin/prod_autom /etc/process_list.dat 5 5 
 1318 0           444 S   /bin/sh 
 1327 0           320 R   ps ax 
# 
# df
Filesystem           1k-blocks      Used Available Use% Mounted on
cramfs                    2560      2560         0 100% /mnt/cramfs

# cat /etc/mtab
rootfs / rootfs rw 0 0
cramfs /mnt/cramfs cramfs_mainfs ro 0 0
/proc /proc proc rw,nodiratime 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/sys /sys sysfs rw 0 0

# cat /proc/mounts 
rootfs / rootfs rw 0 0
cramfs /mnt/cramfs cramfs_mainfs ro 0 0
/proc /proc proc rw,nodiratime 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/dev/mtdblock1 /mnt/ffs/A jffs2 rw,sync,noatime 0 0
/sys /sys sysfs rw 0 0

I got also /mnt/ffs mounted once, should check again...

Website files are in /mnt/cramfs/home/httpd/html

Trying to change the theme (this didn't bring extra menu, to the contrary)

[admin @ home]$ rg_conf_print wbm/theme     
(theme(Sagem))
[admin @ home]$ rg_conf_set wbm/theme OpenRG
[admin @ home]$ rg_conf_print wbm/theme     
(theme(OpenRG))

To revert:

[admin @ home]$ rg_conf_set wbm/theme Sagem

To learn the commands to manipulate the configuration, see here (french)

others

  • 2555/tcp open UPnP Internet Gateway Device implementing some serious commands such as GetPassword ...
  • 7020/tcp open Apparently for Incoming Jnet (Jungo.net) requests for Remote Upgrade Server (see here
  • 7021/tcp open Same, in SSL
  • 8085/tcp open unknown gSOAP_Web_Service???

The modem is also running a TR-069 process:

  • TR-069 TR-069 is a WAN management protocol intended for communication between Customer Premise Equipment (CPE) and an Auto-Configuration Server (ACS). It defines a mechanism that encompasses secure auto configuration of a CPE, and also incorporates other CPE management functions into a common framework.
  • it's supposed to poll an ACS server on port 7547

and a TR-098 process, referring to the Internet Gateway Device data model

accessible from WAN

  • pings seem to be blocked
  • TCP port 631 (if ?)
  • TCP port 2555 (openrg)
  • TCP port 7020 (openrg)
  • TCP port 7021 (openrg)
  • TCP port 8085 (tr69)
  • UDP port 1024 (openrg)
  • UDP port 1025 (hostapd)
  • UDP port 3000 (openrg, vdsld...)
  • RAW port 2

ss

Easier to get direct;y the info from the box: there is no netstat but ss does the job:

# #TCP
# ss -lnp
Recv-Q Send-Q             Local Address:Port               Peer Address:Port 
0      0                  217.136.xx.xx:992                           *:*      users:(("openrg",574,47),("openrg",753,47))
0      0                   10.179.xx.xx:992                           *:*      users:(("openrg",574,34),("openrg",753,34))
0      0                    192.168.1.1:992                           *:*      users:(("openrg",574,20),("openrg",753,20))
0      0                      127.0.0.1:7019                          *:*      users:(("openrg",574,9),("openrg",753,9))
0      0                  217.136.xx.xx:7020                          *:*      users:(("openrg",574,49),("openrg",753,49))
0      0                   10.179.xx.xx:7020                          *:*      users:(("openrg",574,36),("openrg",753,36))
0      0                    192.168.1.1:7020                          *:*      users:(("openrg",574,22),("openrg",753,22))
0      0                  217.136.xx.xx:7021                          *:*      users:(("openrg",574,48),("openrg",753,48))
0      0                   10.179.xx.xx:7021                          *:*      users:(("openrg",574,35),("openrg",753,35))
0      0                    192.168.1.1:7021                          *:*      users:(("openrg",574,21),("openrg",753,21))
0      0                  217.136.xx.xx:8080                          *:*      users:(("openrg",574,61),("openrg",753,61))
0      0                  217.136.xx.xx:80                            *:*      users:(("openrg",574,50),("openrg",753,50))
0      0                   10.179.xx.xx:8080                          *:*      users:(("openrg",574,38),("openrg",753,38))
0      0                   10.179.xx.xx:80                            *:*      users:(("openrg",574,37),("openrg",753,37))
0      0                    192.168.1.1:8080                          *:*      users:(("openrg",574,26),("openrg",753,26))
0      0                    192.168.1.1:80                            *:*      users:(("openrg",574,25),("openrg",753,25))
0      0                              *:8085                          *:*      users:(("tr69",790,9),("tr69",794,9),("tr69",795,9),("tr69",798,9),("tr69",799,9),("tr69",817,9))
0      0                  217.136.xx.xx:8023                          *:*      users:(("openrg",574,45),("openrg",753,45))
0      0                  217.136.xx.xx:23                            *:*      users:(("openrg",574,44),("openrg",753,44))
0      0                   10.179.xx.xx:8023                          *:*      users:(("openrg",574,33),("openrg",753,33))
0      0                   10.179.xx.xx:23                            *:*      users:(("openrg",574,32),("openrg",753,32))
0      0                    192.168.1.1:8023                          *:*      users:(("openrg",574,19),("openrg",753,19))
0      0                    192.168.1.1:23                            *:*      users:(("openrg",574,18),("openrg",753,18))
0      0                              *:8888                          *:*      users:(("lighttpd",774,6))
0      0                      127.0.0.1:7000                          *:*      users:(("openrg",574,6),("vdsl.sh",677,6),("vdsld",680,6),("vdsld",689,6),("vdsld",690,6),("vdsld",691,6),("vdsld",692,6),("vdsld",693,6),("vdsld",694,6),("vdsld",695,6),("vdsld",696,6),("vdsld",697,6),("openrg",753,6))
0      0                  217.136.xx.xx:8443                          *:*      users:(("openrg",574,66),("openrg",753,66))

# #UDP
# ss -naup
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
UNCONN     0      0                         *:1024                     *:*      users:(("openrg",574,8),("openrg",753,8))
UNCONN     0      0                         *:1025                     *:*      users:(("hostapd",754,6))
UNCONN     0      0               192.168.1.1:53                       *:*      users:(("openrg",574,17),("openrg",753,17))
UNCONN     0      0                 127.0.0.1:53                       *:*      users:(("openrg",574,7),("openrg",753,7))
UNCONN     0      0                         *:3000                     *:*      users:(("openrg",574,5),("vdsl.sh",677,5),("vdsld",680,5),("vdsld",689,5),("vdsld",690,5),("vdsld",691,5),("vdsld",692,5),("vdsld",693,5),("vdsld",694,5),("vdsld",695,5),("vdsld",696,5),("vdsld",697,5),("openrg",753,5))
UNCONN     0      0              10.179.xx.xx:5060                     *:*      users:(("sipd",803,14),("sipd",804,14),("sipd",805,14),("sipd",806,14),("sipd",807,14),("sipd",812,14),("sipd",813,14),("sipd",814,14))
UNCONN     0      0               192.168.1.1:1900                     *:*      users:(("openrg",574,24),("openrg",753,24))
UNCONN     0      0           239.255.255.250:1900                     *:*      users:(("openrg",574,23),("openrg",753,23))

# #RAW
# ss -nawp
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
UNCONN     0      0                         *:2                        *:*      users:(("openrg",574,15),("openrg",753,15))

UPnP

By default the modem has a UPnP IGD profile and I don't see how to disable it.
If you use Skype this means Skype will tell the modem to open some ports and Skype will be reachable directly from Internet which means you become a relay-node and this can generate a lot of traffic!
One way to avoid it is to locally block the UPnP discovery multicast packets of Skype, e.g.:

iptables -A OUTPUT -d 239.255.255.250 -p udp -m string --algo bm --string "urn:schemas-upnp-org:service:WAN" -j DROP

By filtering on that string this allows other applications to send their M-SEARCH packet if they don't look for services:WANIP/WANPPP...
One can install that netfilter rule on Debian by following this howto