Fully unlocking the F@ST 4315U

Published on July 12th, 2016
by Dylanger Daly

Okay, so we’ve got UART access and we’ve got a full shell, lets unlock this thing shall we!

Sagem Configs

As we all know, Sagem have xml config files, these files are loaded at boot and dictate what features are enabled, disabled as well as defaults passwords and other interesting data, if you’ve received your router from Belong or Telstra, the device will be lock down, no telnet, ssh, ftp access only a crippled WebUI.

Click here to download the unlocked config

This is where the command cfgupdate comes in, after you’ve logged in via UART as the superuser (superuser:belong) issue cfgupdate then paste in the config (Download above).

Screenshot from 2016-07-12 15-22-51

After you should see this:

Screenshot from 2016-07-12 15-23-16

New Defaults

At this point, the device has rebooted with our defaults, and our defaults have of course enabled Telnet, SSH and full WebUI access, what do we look like? Telstra?!

Lets have a look at the edits made (New config pictured left):

Screenshot from 2016-07-12 15-51-47

As you can see I’ve simply removed the Disabled under <NetworkAccess>

As well as removing the CWMP call to home

Screenshot from 2016-07-12 15-52-04

Other defaults will be:

admin:admin
SSID: Unlocked SAGEM
WPA: YouBetterChangeMe123
Router IP: 192.168.20.254
DHCP Enabled: 192.168.20.100 - 200

Show me the Money! I mean Menus!

After logging in to the WebUI at 192.168.20.254 with admin:admin we see

Screenshot from 2016-07-12 15-27-37

Note that ConfigId…

Screenshot from 2016-07-12 15-28-06

 

Look at that Advanced Setup menu…

Oh and Telnet!

Screenshot from 2016-07-12 16-09-19

N-Map scan:

Screenshot from 2016-07-12 16-10-22

 

Once again, massive shout out to Revs Per Min for sending me his 4315U, this would not have been possible without you!

 

 

 

Dylanger Daly

If its Security, I'm there. I mainly work in the Security Research Field, most of my focus is Mobile Security, anything from the hardware to TrustZone to the Modem. Bypassing checks one NOP at a time.

You've reached the end!

back to top