jclehner / bcm2-utils

Utilities for Broadcom-based cable modems
GNU General Public License v3.0

Failed to parse groups `userif` and `firewall` on SAGEM F@ST 3286 #22

Closed diegoe closed 3 years ago

diegoe commented 4 years ago

I happen to have a Sagem 3286, and its GatewaySettings.bin is perfectly read by bcm2-utils, except for the userif and firewall sections:

bcm2-utils:master$ ./bcm2cfg info /home/diegoe/Downloads/GatewaySettings.bin 
failed to parse group userif
failed to parse group firewall
/home/diegoe/Downloads/GatewaySettings.bin
type    : gwsettings
profile : gen2pslc
checksum: c1b7909ce7af6d88d994af488354811e (ok)
size    : 19249 (ok)

36535256  6SRV  0.1     grp_6srv        814 b
52472e2e  RG..  0.30    rg             3196 b
4d4c6f67  MLog  0.5     userif          137 b
4344502e  CDP.  1.5     dhcp           1629 b
4341502e  CAP.  1.3     grp_cap        1726 b
46495245  FIRE  0.8     firewall         86 b
4353502e  CSP.  1.4     grp_csp          53 b
50524e54  PRNT  0.5     grp_prnt       1922 b
50505053  PPPS  0.5     grp_ppps         30 b
56504e47  VPNG  1.0     grp_vpng         15 b
38303231  8021  0.38    bcmwifi         726 b
38303232  8022  0.38    bcmwifi2        729 b
57694775  WiGu  0.10    guestwifi      4063 b
57694776  WiGv  0.10    guestwifi2     4063 b

From decrypting the file myself (with XOR - 0x80), I can read my admin username and password:

00000fe0  REDACTED HEX  |.............<..|
00000ff0  REDACTED HEX  |........MLog....|
00001000  REDACTED HEX  |root..REDACTD..r|
00001010  REDACTED HEX  |oot..REDACTD..ad|
00001020  REDACTED HEX  |min..REDACTD..RE|
00001030  REDACTED HEX  |ACTED@REDCTD*..a|
00001040  REDACTED HEX  |dmin..REDACTD.te|
00001050  REDACTED HEX  |lnet..........te|

(Of course where "REDACTED" is my password / MAC auto password thing)

The header of my decrypted file looks like this:

00000000  c1 b7 90 9c e7 af 6d 88  d9 94 af 48 83 54 81 1e  |......m....H.T..|
00000010  46 41 53 54 33 32 38 36  54 4c 46 30 35 36 74 39  |FAST3286TLF056t9|
00000020  70 34 38 6a 70 34 65 65  36 75 39 65 65 36 35 39  |p48jp4ee6u9ee659|
00000030  6a 79 39 65 2d 35 34 65  34 6a 36 72 30 6a 30 36  |jy9e-54e4j6r0j06|
00000040  39 6b 2d 30 35 36 01 02  00 00 4b 31 03 2e 36 53  |9k-056....K1..6S|
00000050  52 56 00 01 00 00 00 00  00 00 00 00 00 00 00 00  |RV..............|

(Seems to be: FAST3286TLF056t9p48jp4ee6u9ee659jy9e-54e4j6r0j06)

I can send my .bin file if it helps.

Thanks for this tool. The code and research is great ⭐
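As an added illustration (not bcm2-utils code), the Python below walks a decrypted GatewaySettings.bin using the layout that can be read off the header dump above: a 16-byte checksum, a 54-byte device string, a 2-byte version, a 4-byte big-endian total size (00 00 4b 31 = 19249, the size the tool reports), then group records of 2-byte size, 4-byte tag and 2-byte version (03 2e "6SRV" 00 01 is the 814-byte 6SRV 0.1 group in the listing). That the checksum is MD5 over the rest of the file and that a group's size counts its own 8-byte header are assumptions; the sample file and its device string are constructed.

```python
import hashlib
import struct

# Layout read off the decrypted header dump in the post (not from bcm2-utils source):
#   0x00 16 B checksum (ASSUMED: MD5 over everything that follows it)
#   0x10 54 B device/magic string ("FAST3286TLF056...9k-056")
#   0x46  2 B format version (01 02)
#   0x48  4 B big-endian total size (00 00 4b 31 = 19249, matches "size : 19249")
#   0x4c  .. group records: 2 B BE size, 4 B tag, 2 B version (03 2e "6SRV" 00 01)
HEADER_LEN = 0x4c
GROUP_HDR_LEN = 8

def decode_xor80(raw: bytes) -> bytes:
    """Undo the byte-wise XOR with 0x80 the poster used to decrypt the file."""
    return bytes(b ^ 0x80 for b in raw)

def parse_gwsettings(data: bytes) -> dict:
    """Parse the header and walk the group records, rejecting inconsistent sizes."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than header")
    checksum = data[:16]
    magic = data[16:70].rstrip(b"\0").decode("ascii", "replace")
    ver_maj, ver_min, total = struct.unpack(">BBI", data[70:76])
    if total != len(data):
        raise ValueError(f"size field {total} != actual length {len(data)}")
    md5_ok = hashlib.md5(data[16:]).digest() == checksum  # ASSUMED checksum rule
    groups, off = [], HEADER_LEN
    while off + GROUP_HDR_LEN <= total:
        size, tag, gmaj, gmin = struct.unpack(">H4sBB", data[off:off + GROUP_HDR_LEN])
        # ASSUMPTION: the group size counts its own 8-byte header as well.
        if size < GROUP_HDR_LEN or off + size > total:
            raise ValueError(f"group {tag!r} at 0x{off:x} has bad size {size}")
        groups.append({"tag": tag.decode("ascii", "replace"),
                       "version": f"{gmaj}.{gmin}", "size": size, "offset": off})
        off += size
    return {"checksum": checksum.hex(), "checksum_ok": md5_ok, "magic": magic,
            "version": f"{ver_maj}.{ver_min}", "size": total, "groups": groups}

def build_sample() -> bytes:
    """Constructed XOR-0x80 'encrypted' sample with two short groups (not a real dump)."""
    def group(tag, maj, mnr, payload):
        return struct.pack(">H4sBB", GROUP_HDR_LEN + len(payload), tag, maj, mnr) + payload
    body = group(b"6SRV", 0, 1, b"\0" * 12) + group(b"MLog", 0, 5, b"root\0admin\0")
    magic = b"FAST3286TLF056" + b"x" * 40          # 54 bytes, placeholder suffix
    rest = magic + struct.pack(">BBI", 1, 2, 16 + len(magic) + 6 + len(body)) + body
    plain = hashlib.md5(rest).digest() + rest
    return bytes(b ^ 0x80 for b in plain)
```

Running `parse_gwsettings(decode_xor80(open("GatewaySettings.bin", "rb").read()))` on a real file lists the groups the way `bcm2cfg info` does, and a group whose size runs past the declared total is reported instead of being silently skipped.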

jclehner commented 4 years ago

There are two different formats for userif, but only one of these is used by the gen2pslc profile. It's possible that this causes your issues.

I can send my .bin file if it helps.

Yes please, just send it via email!

Thanks for this tool. The code and research is great.

Thanks :)

jclehner commented 4 years ago

Hi, I've added a profile for your device that fixes the userif issue. Since the current method of profile detection doesn't take into account the magic value, bcm2cfg can't discern between a file from a fast3286 or fast3686. This means that you'll have to manually specify -P fast3286, otherwise it's detected as fast3686.

diegoe commented 4 years ago

Thank you! It seems to work just fine, but it still can't read the firewall group (although I suspect I don't have one because I have the firewall off).

Do you have any clue what's the telnet su password? I don't see a listing for it in userif and none of the passwords seem to be good enough.

Also: Is there any other useful thing I could do with the modem, to improve on the quirks/info for the repo?

jclehner commented 4 years ago

Thank you! It seems to work just fine, but it still can't read the firewall group (although I suspect I don't have one because I have the firewall off).

There are two totally different firewall groups, and bcm2cfg currently doesn't have a definition for the other one. That's why parsing it fails!

Do you have any clue what's the telnet su password? I don't see a listing for it in userif and none of the passwords seem to be good enough.

Have you tried $agem001 and sagem?

Also: Is there any other useful thing I could do with the modem, to improve on the quirks/info for the repo?

A firmware dump would be interesting. Are you using telnet, or a serial connection?

diegoe commented 4 years ago

Thank you! It seems to work just fine, but it still can't read the firewall group (although I suspect I don't have one because I have the firewall off).

There are two totally different firewall groups, and bcm2cfg currently doesn't have a definition for the other one. That's why parsing it fails!

Do you want me to enable the firewall and export a .bin with that? I can produce a few versions if it helps you figure out the format.

Do you have any clue what's the telnet su password? I don't see a listing for it in userif and none of the passwords seem to be good enough.

Have you tried $agem001 and sagem?

I grepped the source code and found these. It's $agem001 for this modem. Thanks!

Also: Is there any other useful thing I could do with the modem, to improve on the quirks/info for the repo?

A firmware dump would be interesting. Are you using telnet, or a serial connection?

I would prefer to do it via telnet. Should I just follow the current instructions?

jclehner commented 4 years ago

I would prefer to do it via telnet. Should I just follow the current instructions?

Using the latest commits, try the following command:

$ bcm2dump -P generic -O 'bfc:su_password=$agem001' -L io.log dump <IP>,<USERNAME>,<PASSWORD> flash image1,auto image1.bin

If dumping flash doesn't work, you can try dumping the image currently loaded in RAM.

$ bcm2dump -P generic -O 'bfc:su_password=$agem001' -L io.log dump <IP>,<USERNAME>,<PASSWORD> ram 0x80004000,32M image1.raw

In case of errors, please submit the io.log file.

Do you want me to enable the firewall and export a .bin with that? I can produce a few versions if it helps you figure out the format.

Yes, that would certainly help, even more so with a firmware dump!

jclehner commented 3 years ago

Sorry for the delay. The low/medium/high policy isn't actually located in the firewall group, but the csp group! Unfortunately, the firmware dumps you sent a few months ago were empty, which was caused by a bug in bcm2dump. This has since been fixed, and dumping the images should now work!

jclehner commented 3 years ago

Closing due to inactivity. Also check out #30.