Modem BBox-2
Description
This is the default modem coming with Belgacom internet solutions in Belgium.
It allows SIP and IPTV.
It's a Sagem F@st 3464 (even if the box looks different), running a customized version of Jungo Openrg.
Version information, as visible on the web interface:
Runtime Code Version 6001GR-6000GR Hardware Version 1 Serial Num LK12345DP123456 VDSL Version Firmware-VTU-R:1.0.7r57bIK105012 Time Dec 27 2007, 18:50:21
VDSL sync:
Downstream line rate 21648 kbps Upstream line rate 2848 kbps Downstream Training Margin 19.1 dB
test Speedtest.nl:
Downstream line rate 11Mbps Upstream line rate 1Mbps
Exploration
A number of services & ports are available:
web interface
You can reach it via any of those addresses:
HTTPS offers a OpenRG SSL certificate, to be explicitly accepted by your browser to go further...
Admin settings menu:
If you're logging as admin rather than user as default, you'll get an extra menu:
This allows to save and restore the whole configuration and to upload new firmwares, if any.
Once you get a dump of the configuration you can try manipulating it, there is a guide here(pdf) or here(pdf)
Other pages might be accessible, cf this thread (french) or this page (french) for the LiveBox.
For the BBox2, here is a list of pages which work properly, translated from here
- 40 about
- 50 Plan du réseau
- 60 Vue de liste du réseau
- 70 Fichier de configuration
- 110 Date et heure
- 730 tableau de commandes avancées
- 750 Système (durée de fonctionnement)
- 900 Plug and Play universel
- 1040 Assistant de Connexion
- 1210 Copie de Mac Address
- 1280 RADIUS
- 9035 DNS Dynamique
Usage: log first as admin as explained before, then enter the pseudo-URL
javascript:mimic_button('goto: **..')
where ** represents the page number.
memory sharing
Apparently you may connect a USB harddrive to the BBox-2 and share its content as with a NAS.
-> /mnt/usb internally
A webserver (lighttpd) would then expose the content via:
Or if via the admin menu, you enable memory sharing, we get the same via a WAN (accessible outside too!) https:
HTTPS offers a Sagem certificate
telnet
- telnet on 192.168.1.1 port 23 and port 8023
- telnet SSL on port 992
- login admin password BGCVDSL2
- (TODO: try user/user)
If you type the command "shell" you'll get a shell prompt and a busybox environment ;-)
[admin @ home]$ ver
Version: 4.0.21.3.3.1.32.1.1.1.6.Fast3464.60.00.GR
Platform: Sagem F@ST346X
Compilation Time: 02-Mar-09 17:18:02
[admin @ home]$ shell
BusyBox v1.01 (2009.02.19-21:18+0100) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
# cat /proc/version
Linux version 2.6.15 #24 Mon Mar 2 18:21:25 CET 2009
#
# cat /proc/cpuinfo
system type : ADI Fusiv Core
processor : 0
cpu model : Lexra LX4189 V0.0
BogoMIPS : 199.47
wait instruction : no
microsecond timers : no
tlb_entries : 64
extra interrupt vector : no
hardware watchpoint : no
ASEs implemented :
VCED exceptions : not available
VCEI exceptions : not available
# ps
PID Uid VmSize Stat Command
1 0 652 S /bin/init
2 0 SWN [ksoftirqd/0]
3 0 SW< [events/0]
4 0 SW< [khelper]
5 0 SW< [kthread]
8 0 SW< [kblockd/0]
11 0 SW< [khubd]
35 0 SW [pdflush]
36 0 SW [pdflush]
38 0 SW< [aio/0]
37 0 SW [kswapd0]
559 0 SW [mtdblockd]
574 0 4436 S /bin/openrg
629 0 SWN [jffs2_gcd_mtd1]
677 0 348 S /bin/sh /etc/vdsl.sh
680 0 2208 S vdsld
686 0 560 S /bin/main_autom /etc/process_list.dat 2 9
687 0 560 S /bin/main_autom /etc/process_list.dat 2 9
688 0 560 S /bin/main_autom /etc/process_list.dat 2 9
689 0 2208 S vdsld
690 0 2208 S vdsld
691 0 2208 S vdsld
692 0 2208 S vdsld
693 0 2208 S vdsld
694 0 2208 S vdsld
695 0 2208 S vdsld
696 0 2208 S vdsld
697 0 2208 S vdsld
753 0 4436 D /bin/openrg
752 0 SW [idmaThread]
754 0 424 S hostapd /etc/hostapd.conf.eth2
757 0 764 S /bin/watchdog
758 0 560 S /bin/main_autom /etc/process_list.dat 2 9
772 0 228 S /usr/local/bin/syncloop
777 0 644 S /usr/local/sbin/lighttpd -f /mnt/ffs/A/lighttpd.conf
781 0 388 S /bin/igmpsnoop -i eth0 -l 30 -c 0x10080 -v -t
782 0 380 S /bin/oam start 5
783 0 688 S /bin/prod_autom /etc/process_list.dat 5 5
786 0 296 S /bin/syslogd-sa -b
787 0 380 S /bin/oam start 5
788 0 688 S /bin/prod_autom /etc/process_list.dat 5 5
789 0 380 S /bin/oam start 5
790 0 688 S /bin/prod_autom /etc/process_list.dat 5 5
791 0 688 S /bin/prod_autom /etc/process_list.dat 5 5
792 0 800 S /bin/tr98 5 5
795 0 1804 S /bin/tr69 --debug 5
797 0 1804 S /bin/tr69 --debug 5
798 0 1804 S /bin/tr69 --debug 5
799 0 800 S /bin/tr98 5 5
800 0 800 S /bin/tr98 5 5
801 0 1804 S /bin/tr69 --debug 5
802 0 1804 S /bin/tr69 --debug 5
803 0 800 R /bin/tr98 5 5
806 0 2424 S /bin/sipd /etc/process_list.dat 5 5
807 0 2424 S /bin/sipd /etc/process_list.dat 5 5
808 0 2424 S /bin/sipd /etc/process_list.dat 5 5
809 0 2424 S /bin/sipd /etc/process_list.dat 5 5
810 0 2424 S /bin/sipd /etc/process_list.dat 5 5
815 0 2424 S /bin/sipd /etc/process_list.dat 5 5
816 0 2424 S /bin/sipd /etc/process_list.dat 5 5
817 0 2424 S /bin/sipd /etc/process_list.dat 5 5
818 0 1804 S /bin/tr69 --debug 5
862 0 688 S /bin/prod_autom /etc/process_list.dat 5 5
1318 0 444 S /bin/sh
1327 0 320 R ps ax
#
# df
Filesystem 1k-blocks Used Available Use% Mounted on
cramfs 2560 2560 0 100% /mnt/cramfs
# cat /etc/mtab
rootfs / rootfs rw 0 0
cramfs /mnt/cramfs cramfs_mainfs ro 0 0
/proc /proc proc rw,nodiratime 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/sys /sys sysfs rw 0 0
# cat /proc/mounts
rootfs / rootfs rw 0 0
cramfs /mnt/cramfs cramfs_mainfs ro 0 0
/proc /proc proc rw,nodiratime 0 0
usbfs /proc/bus/usb usbfs rw 0 0
/dev/mtdblock1 /mnt/ffs/A jffs2 rw,sync,noatime 0 0
/sys /sys sysfs rw 0 0
I got also /mnt/ffs mounted once, should check again...
Website files are in /mnt/cramfs/home/httpd/html
Trying to change the theme (this didn't bring extra menu, to the contrary)
[admin @ home]$ rg_conf_print wbm/theme (theme(Sagem)) [admin @ home]$ rg_conf_set wbm/theme OpenRG [admin @ home]$ rg_conf_print wbm/theme (theme(OpenRG))
To revert:
[admin @ home]$ rg_conf_set wbm/theme Sagem
To learn the commands to manipulate the configuration, see here (french)
others
- 2555/tcp open UPnP Internet Gateway Device implementing some serious commands such as GetPassword ...
- 7020/tcp open Apparently for Incoming Jnet (Jungo.net) requests for Remote Upgrade Server (see here
- 7021/tcp open Same, in SSL
- 8085/tcp open unknown gSOAP_Web_Service???
The modem is also running a TR-069 process:
- TR-069 TR-069 is a WAN management protocol intended for communication between Customer Premise Equipment (CPE) and an Auto-Configuration Server (ACS). It defines a mechanism that encompasses secure auto configuration of a CPE, and also incorporates other CPE management functions into a common framework.
- it's supposed to poll an ACS server on port 7547
and a TR-098 process, referring to the Internet Gateway Device data model
accessible from WAN
- pings seem to be blocked
- TCP port 631 (if ?)
- TCP port 2555 (openrg)
- TCP port 7020 (openrg)
- TCP port 7021 (openrg)
- TCP port 8085 (tr69)
- TCP port 8888 (lighttpd)
- UDP port 1024 (openrg)
- UDP port 1025 (hostapd)
- UDP port 3000 (openrg, vdsld...)
- RAW port 2 (openrg)
ss
Easier to get direct;y the info from the box: there is no netstat but ss does the job:
# #TCP
# ss -lnp
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 217.136.xx.xx:992 *:* users:(("openrg",574,47),("openrg",753,47))
0 0 10.179.xx.xx:992 *:* users:(("openrg",574,34),("openrg",753,34))
0 0 192.168.1.1:992 *:* users:(("openrg",574,20),("openrg",753,20))
0 0 127.0.0.1:7019 *:* users:(("openrg",574,9),("openrg",753,9))
0 0 217.136.xx.xx:7020 *:* users:(("openrg",574,49),("openrg",753,49))
0 0 10.179.xx.xx:7020 *:* users:(("openrg",574,36),("openrg",753,36))
0 0 192.168.1.1:7020 *:* users:(("openrg",574,22),("openrg",753,22))
0 0 217.136.xx.xx:7021 *:* users:(("openrg",574,48),("openrg",753,48))
0 0 10.179.xx.xx:7021 *:* users:(("openrg",574,35),("openrg",753,35))
0 0 192.168.1.1:7021 *:* users:(("openrg",574,21),("openrg",753,21))
0 0 217.136.xx.xx:8080 *:* users:(("openrg",574,61),("openrg",753,61))
0 0 217.136.xx.xx:80 *:* users:(("openrg",574,50),("openrg",753,50))
0 0 10.179.xx.xx:8080 *:* users:(("openrg",574,38),("openrg",753,38))
0 0 10.179.xx.xx:80 *:* users:(("openrg",574,37),("openrg",753,37))
0 0 192.168.1.1:8080 *:* users:(("openrg",574,26),("openrg",753,26))
0 0 192.168.1.1:80 *:* users:(("openrg",574,25),("openrg",753,25))
0 0 *:8085 *:* users:(("tr69",790,9),("tr69",794,9),("tr69",795,9),("tr69",798,9),("tr69",799,9),("tr69",817,9))
0 0 217.136.xx.xx:8023 *:* users:(("openrg",574,45),("openrg",753,45))
0 0 217.136.xx.xx:23 *:* users:(("openrg",574,44),("openrg",753,44))
0 0 10.179.xx.xx:8023 *:* users:(("openrg",574,33),("openrg",753,33))
0 0 10.179.xx.xx:23 *:* users:(("openrg",574,32),("openrg",753,32))
0 0 192.168.1.1:8023 *:* users:(("openrg",574,19),("openrg",753,19))
0 0 192.168.1.1:23 *:* users:(("openrg",574,18),("openrg",753,18))
0 0 *:8888 *:* users:(("lighttpd",774,6))
0 0 127.0.0.1:7000 *:* users:(("openrg",574,6),("vdsl.sh",677,6),("vdsld",680,6),("vdsld",689,6),("vdsld",690,6),("vdsld",691,6),("vdsld",692,6),("vdsld",693,6),("vdsld",694,6),("vdsld",695,6),("vdsld",696,6),("vdsld",697,6),("openrg",753,6))
0 0 217.136.xx.xx:8443 *:* users:(("openrg",574,66),("openrg",753,66))
# #UDP
# ss -naup
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:1024 *:* users:(("openrg",574,8),("openrg",753,8))
UNCONN 0 0 *:1025 *:* users:(("hostapd",754,6))
UNCONN 0 0 192.168.1.1:53 *:* users:(("openrg",574,17),("openrg",753,17))
UNCONN 0 0 127.0.0.1:53 *:* users:(("openrg",574,7),("openrg",753,7))
UNCONN 0 0 *:3000 *:* users:(("openrg",574,5),("vdsl.sh",677,5),("vdsld",680,5),("vdsld",689,5),("vdsld",690,5),("vdsld",691,5),("vdsld",692,5),("vdsld",693,5),("vdsld",694,5),("vdsld",695,5),("vdsld",696,5),("vdsld",697,5),("openrg",753,5))
UNCONN 0 0 10.179.xx.xx:5060 *:* users:(("sipd",803,14),("sipd",804,14),("sipd",805,14),("sipd",806,14),("sipd",807,14),("sipd",812,14),("sipd",813,14),("sipd",814,14))
UNCONN 0 0 192.168.1.1:1900 *:* users:(("openrg",574,24),("openrg",753,24))
UNCONN 0 0 239.255.255.250:1900 *:* users:(("openrg",574,23),("openrg",753,23))
# #RAW
# ss -nawp
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:2 *:* users:(("openrg",574,15),("openrg",753,15))
UPnP
By default the modem has a UPnP IGD profile and I don't see how to disable it.
EDIT: actually it's possible by logging first as admin then entering the pseudo-URL "javascript:mimic_button('goto: 900..')"
If you use Skype this means Skype will tell the modem to open some ports and Skype will be reachable directly from Internet which means you become a relay-node and this can generate a lot of traffic!
One way to avoid it is to locally block the UPnP discovery multicast packets of Skype, e.g.:
iptables -A OUTPUT -d 239.255.255.250 -p udp -m string --algo bm --string "urn:schemas-upnp-org:service:WAN" -j DROP
By filtering on that string this allows other applications to send their M-SEARCH packet if they don't look for services:WANIP/WANPPP...
One can install that netfilter rule on Debian by following this howto
If you are using Windows, you can disable UPnP directly in Skype from version 4.0