Cracking the Sagem F@ST 2504 router
Posted 20-01-08 at 09:28 PM by James67
Now don't get too excited but I've been working on the Sagem router, trying to crack it, although I'm not there yet. Actually, I'll come clean and admit that in fact, I've managed to "brick" my router.
I bought the router off eBay. I've tested it and it manages to establish a connection to Sky's network, so the username and password are still valid (they haven't been deleted from Sky's authentication server).
The CD has a router recovery utility, but the flash image accompanying it seems to be version 1.1sky rather than version 1.5sky reported by the router. I couldn't find any way of pulling the 1.5 firmware off the router so I could only actually do any work with the 1.1 version. But does the 1.1 software work? Having explored all the alternatives without success, I realised that I was going to have to try it out and see. Fortunately, it does seem to work. Whatever changes there are between 1.1sky and 1.5sky - the connection password algorithm seems to be the same. Phew.
I found a utility called nb4-unsquash with which I was able to extract the root filesystem of the 1.1sky flash image, and I put in a similar set of changes to the filesystem as I had used on the Netgear V2 router, dumping the pppd arguments at the point where the router tries to establish a connection. I rebuilt the flash image, but it wouldn't load. After many attempts, I decided to try to flash the router with the latest F@ST 2404 firmware, to see if that was more amenable to loading one of my hacked firmware images.
The first attempt at loading the 2404 firmware seemed to go well, but when the router rebooted, it was dead - or it seemed to be anyway. I noticed however, that the router had changed its address to 192.168.1.1 and was running a stripped-down webserver, which was inviting me to download a new firmware image and assign a MAC address to the device. This would appear to be the router's recovery mode which it goes into if the router's flash memory becomes corrupted. I set the MAC address to be the one on the base of the router, and tried the 2404 firmware image again. Surprisingly it worked! When the router rebooted it was configured as a standard Sagem F@ST 2404 router.
If that seemed like a success, it wasn't. Well, not as far as cracking the router was concerned. Although I'd managed to transform the Sky router into a standard Sagem router, I discovered that it was impossible to get it back to the 1.1sky firmware - it would report an error during download and just reboot with the Sagem firmware. I tried various hacked firmware images based on the 1.1sky firmware, but all I got was either the same error during download, or, if the download was successful, a router in its recovery mode.
With my final attempt to get the router back to Sky's firmware, I managed to get a flash image which was close enough to being OK that the router didn't go into its recovery mode, but not close enough not to crash. The upshot of this is that I now have a Sky branded Ethernet switch, rather than a Sky branded router. Quite a disappointment after the amount of work I'd put into this.
I've bid on another Sagem router on eBay. This time, I definitely won't be putting the 2404 firmware on it. What I'm going to do is concentrate on getting the hacked version of the Sky firmware correct. To do this, I'll unsquash the 1.1sky image, and then, without altering it in any way, try to rebuild a flash image. Only once I've mastered this process - which means getting a rebuilt flash image which is identical to Sky's image - will I attempt to modify the root filesystem.
I should be able to keep working on perfecting this image building process even without a working router, so I'll be carrying on with that. I'm pretty confident that I'll get this problem cracked, although it looks like the process of extracting the connection credentials will mean that you won't be able to get back to the 1.5sky firmware that the router came with. This is in contrast to the Netgear V2 router, where it is possible to get your router back to its original state
Ooh - and checking on eBay I see that I've won the eBay auction - £5 plus £6 postage. Bargain!
I bought the router off eBay. I've tested it and it manages to establish a connection to Sky's network, so the username and password are still valid (they haven't been deleted from Sky's authentication server).
The CD has a router recovery utility, but the flash image accompanying it seems to be version 1.1sky rather than version 1.5sky reported by the router. I couldn't find any way of pulling the 1.5 firmware off the router so I could only actually do any work with the 1.1 version. But does the 1.1 software work? Having explored all the alternatives without success, I realised that I was going to have to try it out and see. Fortunately, it does seem to work. Whatever changes there are between 1.1sky and 1.5sky - the connection password algorithm seems to be the same. Phew.
I found a utility called nb4-unsquash with which I was able to extract the root filesystem of the 1.1sky flash image, and I put in a similar set of changes to the filesystem as I had used on the Netgear V2 router, dumping the pppd arguments at the point where the router tries to establish a connection. I rebuilt the flash image, but it wouldn't load. After many attempts, I decided to try to flash the router with the latest F@ST 2404 firmware, to see if that was more amenable to loading one of my hacked firmware images.
The first attempt at loading the 2404 firmware seemed to go well, but when the router rebooted, it was dead - or it seemed to be anyway. I noticed however, that the router had changed its address to 192.168.1.1 and was running a stripped-down webserver, which was inviting me to download a new firmware image and assign a MAC address to the device. This would appear to be the router's recovery mode which it goes into if the router's flash memory becomes corrupted. I set the MAC address to be the one on the base of the router, and tried the 2404 firmware image again. Surprisingly it worked! When the router rebooted it was configured as a standard Sagem F@ST 2404 router.
If that seemed like a success, it wasn't. Well, not as far as cracking the router was concerned. Although I'd managed to transform the Sky router into a standard Sagem router, I discovered that it was impossible to get it back to the 1.1sky firmware - it would report an error during download and just reboot with the Sagem firmware. I tried various hacked firmware images based on the 1.1sky firmware, but all I got was either the same error during download, or, if the download was successful, a router in its recovery mode.
With my final attempt to get the router back to Sky's firmware, I managed to get a flash image which was close enough to being OK that the router didn't go into its recovery mode, but not close enough not to crash. The upshot of this is that I now have a Sky branded Ethernet switch, rather than a Sky branded router. Quite a disappointment after the amount of work I'd put into this.
I've bid on another Sagem router on eBay. This time, I definitely won't be putting the 2404 firmware on it. What I'm going to do is concentrate on getting the hacked version of the Sky firmware correct. To do this, I'll unsquash the 1.1sky image, and then, without altering it in any way, try to rebuild a flash image. Only once I've mastered this process - which means getting a rebuilt flash image which is identical to Sky's image - will I attempt to modify the root filesystem.
I should be able to keep working on perfecting this image building process even without a working router, so I'll be carrying on with that. I'm pretty confident that I'll get this problem cracked, although it looks like the process of extracting the connection credentials will mean that you won't be able to get back to the 1.5sky firmware that the router came with. This is in contrast to the Netgear V2 router, where it is possible to get your router back to its original state
Ooh - and checking on eBay I see that I've won the eBay auction - £5 plus £6 postage. Bargain!
Total Comments 7
Comments
|
lol
£5 for a router, good luck James! |
 
|
|
|
Thanks for all your work on this - keep it coming!!
|
|
|
|
|
Nice finds so far. Good job i didnt flash the router to the F@ST 2404 firmware as i wouldnt have had a clue what to do next and also would have no internet lol.
If you manage to crack this then it would be amazing, well worth the wait. |
|
|
|
|
Quote:
The first attempt at loading the 2404 firmware seemed to go well, but when the router rebooted, it was dead - or it seemed to be anyway. I noticed however, that the router had changed its address to 192.168.1.1 and was running a stripped-down webserver, which was inviting me to download a new firmware image and assign a MAC address to the device. This would appear to be the router's recovery mode which it goes into if the router's flash memory becomes corrupted. I set the MAC address to be the one on the base of the router, and tried the 2404 firmware image again. Surprisingly it worked! When the router rebooted it was configured as a standard Sagem F@ST 2404 router.
PS your profile pic is weird  |
|
|
|
|
It wouldn't be possible to upload Sky's firmware using the recovery screen. A Sky flash image has a digital signature, which is only understood by the update facilities in Sky firmware. The recovery screen looks at the signature and simply refuses to flash the router with what it considers to be junk data.
As for the profile picture, it's a Clanger. Clangers fold their ears over their eyes when they're feeling sad. But usually a bowl of green soup from the Soup Dragon is enough to cheer them up. |
|
|
|
|
WeirdThese forums are weird. It took 5 new pages before the post comment button would appear.
Anyway, I have a question. When you say cracking the Sagem Fast, what do you mean? What are you trying to achieve there? I have this router and find it a pain in the ass to do anything such as port forwarding etc so I'm just interested. |
|
|
|
|
I have a cracked on for sale if anyone is interested: http://www.skyuser.co.uk/forum/gener...uter-sale.html
|
|
|
Total Trackbacks 0
Trackbacks
Recent Blog Entries by James67
- Sky's router policy (27-01-08)
- Bringing a Sagem F@ST 2504 back to life (21-01-08)
- Cracking the Sagem F@ST 2504 router (20-01-08)
