Hacking a Sagemcom F@ST1704N Router

I decided to create this blog because I spent a good five days working on uploading custom firmware to an old router I had and also creating my own programs for it. The router I have is a Sagemcom F@ST1704N, which contained a tiny system built with an unknown version of uClibc (the version was unknown because the executable reported itself as version 0) and a tiny BusyBox.

At first, I tried to figure out how to find or compile a version of dd to load onto the router so I could image it to my hard drive. I figured out that I could just use cat piped into netcat to copy binaries between my laptop and the router. Using dd was no longer necessary because I could use cat to copy files, but I decided that I should still try to create binaries before trying to replace the system so I could learn more about the processor. I copied the binaries over an ethernet cable that was plugged directly into my laptop to figure out what format the programs were in. They were ELF programs compiled for a MIPS32 Version 1 processor.

I couldn't figure out how to compile binaries for the stock firmware even after asking for help, but I did search for the root filesystem and I found a block device that is 4,874,240 bytes big (4.9 MB). Checking /dev/root on OpenWRT tells me the root filesystem on the router has 6948352 bytes (6.9 MB). Checking /dev/mtdblock3 leads me to believe there is an additional 4849664 bytes (4.8 MB) on the router. I strongly suspect I now have the image of the router's original firmware, but I haven't been able to figure out how to decompress it or boot it in QEMU. Running the strings command on the binary doesn't reveal anything that proves it's a filesystem, and I don't see a recognizable filesystem when viewing it in a hex editor. I also tried the file command and partition programs, but none of them revealed anything useful to me. It could be a special squashfs image, but I currently don't know what to do with it to find out. I am planning on talking to a professor to see if he can help.
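The next step a firmware analyst would take with a dump like the one described above is to stop trusting offset 0 and scan the whole image for known filesystem and compressor magics, since a vendor header often sits in front of the real filesystem. The following is an added example (Python, not code from this post) that does exactly that and, when it finds a squashfs superblock, decodes its version and, for squashfs 4.x, its compressor and block size. The magic values are the standard on-media constants; the sample image the script falls back to is constructed for the demonstration and is not the router's dump.

```python
"""Scan a raw flash dump for filesystem and compression signatures.

Added example, not code from the original post.  A partition dump such as the
/dev/mtdblock3 image described above often carries a vendor header before the
real filesystem, and `file` only looks at offset 0, so this scans every offset
for well-known magic values and decodes a squashfs superblock when it finds one.
"""
import struct
import sys

# (magic bytes, description).  The byte strings are the standard on-media magics.
SIGNATURES = [
    (b"hsqs", "squashfs (little-endian)"),
    (b"sqsh", "squashfs (big-endian)"),
    # jffs2 node header = magic 0x1985 + node type; matching both cuts false positives
    (b"\x85\x19\x03\x20", "jffs2 cleanmarker node (little-endian)"),
    (b"\x85\x19\x02\xe0", "jffs2 inode node (little-endian)"),
    (b"\x85\x19\x01\xe0", "jffs2 dirent node (little-endian)"),
    (b"\x19\x85\x20\x03", "jffs2 cleanmarker node (big-endian)"),
    (b"\x19\x85\xe0\x02", "jffs2 inode node (big-endian)"),
    (b"\x19\x85\xe0\x01", "jffs2 dirent node (big-endian)"),
    (b"\x45\x3d\xcd\x28", "cramfs (little-endian)"),
    (b"\x28\xcd\x3d\x45", "cramfs (big-endian)"),
    (b"UBI#", "UBI erase-counter header"),
    (b"\x1f\x8b\x08", "gzip stream"),
    (b"\xfd7zXZ\x00", "xz stream"),
    (b"\x5d\x00\x00", "LZMA stream (properties byte 0x5d, common dictionary size)"),
    (b"\x27\x05\x19\x56", "U-Boot uImage header"),
    (b"\x7fELF", "ELF binary"),
]

# squashfs 4.x compressor ids from the superblock
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def find_signatures(image: bytes, max_hits_per_sig: int = 8):
    """Return a sorted list of (offset, description) for every signature hit."""
    hits = []
    for magic, desc in SIGNATURES:
        start, count = 0, 0
        while count < max_hits_per_sig:
            off = image.find(magic, start)
            if off < 0:
                break
            hits.append((off, desc))
            count += 1
            start = off + 1
    hits.sort()
    return hits


def describe_squashfs(image: bytes, off: int):
    """Decode the version (2.x/3.x/4.x all keep s_major/s_minor at +28) and, for
    4.x, the compressor and block size of the squashfs superblock at `off`."""
    magic = image[off:off + 4]
    end = {b"hsqs": "<", b"sqsh": ">"}.get(magic)
    if end is None or len(image) < off + 32:
        return None
    major, minor = struct.unpack_from(end + "HH", image, off + 28)
    info = {"offset": off, "endian": "little" if end == "<" else "big",
            "version": f"{major}.{minor}"}
    if major == 4:
        block_size, = struct.unpack_from(end + "I", image, off + 12)
        comp_id, = struct.unpack_from(end + "H", image, off + 20)
        info["block_size"] = block_size
        info["compressor"] = SQUASHFS_COMPRESSORS.get(comp_id, f"unknown({comp_id})")
    return info


def build_sample_image() -> bytes:
    """Constructed test image (not a real dump): a 256-byte vendor header, a
    squashfs 4.0 little-endian superblock using LZMA, filler, then one jffs2
    cleanmarker node."""
    header = b"VENDOR-TAG-HEADER".ljust(256, b"\x00")
    superblock = struct.pack("<4sIIIIHHHHHH", b"hsqs", 120, 0, 131072, 3,
                             2, 17, 0xC0, 1, 4, 0).ljust(96, b"\x00")
    filler = b"\xff" * 1024
    cleanmarker = b"\x85\x19\x03\x20" + struct.pack("<I", 12) + b"\x00" * 4
    return header + superblock + filler + cleanmarker


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for off, desc in find_signatures(data):
        print(f"0x{off:08x}  {desc}")
        if desc.startswith("squashfs"):
            print("            ", describe_squashfs(data, off))
```

Run it as `python3 scan.py dump.bin`; a squashfs hit that reports a 3.x version with no 4.x compressor field is the "special squashfs" case, where a vendor-patched LZMA squashfs 3 tool is usually needed to unpack it, while a 4.x hit names the compressor directly.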

While compiling a program for the original firmware and extracting the original firmware both failed, I did find out that the Sagemcom F@ST2704N hardware was close enough that I could flash an image from this OpenWRT.org page. I flashed the Google Drive image with LuCI installed and I was able to get web access. The original firmware was hosted at 192.168.254.254 and the OpenWRT firmware is hosted at 192.168.0.1. I did some testing and found out that pressing the reset button removes the web server and activates telnet. I believe this is because the router's storage is split into jffs2 and squashfs partitions: pressing the reset button deletes the jffs2 partition and leaves the squashfs system intact. You can see more details by navigating to /rom/rom/ and reading the note left in that directory.

While I do have a new system, I still had not managed to figure out how to compile programs for the router. The problem of compiling a functional program led to this StackExchange question. I eventually figured out the solution to cross-compiling for OpenWRT: I found this guide on OpenWRT.org, which taught me how to install the build tools, and I modified the instructions to fit my version of OpenWRT. I checked out git commit 70255e3d624cd393612069aae0a859d1acbbeeae (tag: v18.06.1) and built it for target system "Broadcom BCM63xx", subtarget "generic", and profile "Sagem F@ST2704N".

I executed mips-openwrt-linux-gcc, found in git_repo/staging_dir/toolchain-mips_mips32_gcc-7.3.0_musl/bin/. I used the command "mips-openwrt-linux-gcc hello.c -o hello" to test the compiler against a hello world program. I was able to copy the program over to the router and execute it successfully. Later, for a real test, I decided to try compiling BusyBox (even though the router already had it installed). I followed the instructions under "Building Busybox from Source". I had to build BusyBox statically because the dynamically linked build could not find utmpxname. Since I wasn't installing BusyBox to actually use, only to test cross-compiling, I didn't bother fixing the missing utmpxname so BusyBox could be dynamic.

I have successfully put a custom program on the router with a custom system, so now I just have to decide what I want to do with the router. I am thinking about using it to forward the phone line over ethernet to one of my Raspberry Pis so I can get virtual fax and phone. I may also hook the router up to a power bank and use it as a portable network device. What's better than a hotspot? A full-fledged router on a battery.