I recently bought a wireless / phone adapter / VDSL modem from my Internet Service Provider (ISP) during my last outage. It generally works fine as a VDSL modem, but unfortunately, I can't seem to get used to configuring the device through their clickety web user interface... Furthermore, I am worried that I can't back up the config in a meaningful way, that is: if the device fails, I will probably not find the same model again and because they run a custom Linux distribution, the chances of the backup being possible to restore on another machine are basically zero. No way I will waste my time configuring this black box. So I started looking at running a distribution like OpenWRT on it.

(Unfortunately, I don't even dare hope to run a decent operating system like Debian on those devices, if only because of the exotic chipsets that require all sorts of nasty hacks to run...)

The machine is a SmartRG SR630n (specs). I am linking to a third-party site, because the SmartRG site doesn't seem to know about their own product (!). I paid extra for this device to get one that would do both Wifi and VoIP, so I could replace two machines: my current Soekris net5501 router and a Cisco ATA 186 phone adapter that seems to mysteriously defy the challenges of time. (I don't remember when I got that thing, but it's at least from 2006.)

Unfortunately, it seems that SmartRG are running a custom, proprietary Linux distribution. According to my ISP, init is a complete rewrite that reads an XML config file (and indeed it's the format of the backup files) and does the configuration through a shared memory scheme (!?). According to DSL reports, the device seems to be running a Broadcom 63168 SOC (system on a chip) that is unsupported in Linux. There are some efforts to write drivers for those from scratch, but they have been basically stalled for years now.

Here are more details on the sucker:

Now the next step would logically be to "simply" build a new image with OpenWRT and install it in place. Then I would need to figure out a way to load the binary blobs into the OpenWRT kernel and run all the ADSL utilities as well. It's basically impossible: the odds of the binary modules being compatible with another arbitrary release of the Linux kernel are near zero. Furthermore, the userland tools are most likely custom as well. And worst of all: it seems that Bell Canada deployed a custom "Lucent Stinger" DSLAM which requires a custom binary firmware in the modem. This could be why the SmartRG is so bizarre in the first place. As long as the other end is non-standard, we are all screwed. And those Stinger DSLAMs will stick around for a long time, thanks to Bell.

See this other good explanation of Stinger.

Which means this machine is now yet another closed box sitting on the internet without firmware upgrades, totally handicapped. I will probably end up selling it back for another machine that has OpenWRT support for their VDSL modems. But there are very few such machines, and with a lot of those, VDSL support is often marked as "spotty" or "in progress". Some machines are supported but are basically impossible to find. The Draytek modems are also interesting because, apparently, some models run OpenWRT out of the box too, which is a huge benefit. This is because they use the more open Lantiq SOC. Which are probably not going to support Stinger lines.

Still, there are some very interesting projects out there... The Omnia is one I am definitely interested in right now. I really like their approach... But then they don't have a VDSL chipset in there (I asked for one, actually). And the connectors are only mini-PCIe, which makes it impossible to connect a VDSL PCI card into it.

I could find a single VDSL2 PCI card online, and it could be supported, but only the annex B is available, not the annex A, and it seems the network is using "annex A" according to the ADSL stats I had in 2015-05-28-anarcat-back-again. With such a card, I could use my existing Soekris net5501 router, slam a DSL card into it, and just use the SmartRG as a dumb wifi router/phone adapter. Then it remains to be seen how well supported those VDSL cards are in FreeBSD (they provide Linux source code, so that's cool). And of course, all this assumes the card works with the "Stinger" mode, which is probably not the case anyways. Besides, I have VDSL2 here, not the lowly ADSL2+.

By the way, Soekris keeps on pushing new interesting products out: their net6501, with 2 extra Gig-E cards could be a really interesting high-end switch, all working with free software tools.

A friend has a SmartRG 505n modem, which looks quite similar, except without the ATA connectors. And those modems are the ones that Teksavvy recommends ("You may use a Cellpipe 7130 or Sagemcom F@ST 2864 in lieu of our SmartRG SR505N for our DSL 15/10, DSL 25 or DSL 50 services."). Furthermore, Teksavvy provides a firmware update for the 505n - again, no idea if it works with the 630n. Of course, the 505n doesn't run OpenWRT either.

So, long story short, again I got screwed by my ISP: I thought I would get a pretty hackable device, "running Linux", as my ISP said over the phone. I got weeks of downtime, no refund, and while I got a better line (more reliable, higher bandwidth), my costs doubled. And I have yet another computing device to worry about: instead of simplifying and reducing waste, I actually just added crap on top of my already cluttered desk.

Next time, maybe I'll tell you about how my ISP overbilled me, broke IPv6 and drops large packets to the floor. I haven't had a response from them in months now... hopefully they will either answer and fix all of this (doubtful) or I'll switch to some other provider, probably Teksavvy.

Many thanks to the numerous people in the DSL reports Teksavvy forum that have amazing expertise. They are even building a map of Bell COs... Thanks also to Taggart for helping me figure out how the firmware images work and encouraging me to figure out how my machine works overall.

Note: all the information shared here is presented in the spirit of the fair use conditions of copyright law.

comment 1
Take a look at the sagem3764xt project - Sagemcom F@st 3764 is fairly available, yet I've switched to DGT VDSL2 FG4B which is not that open, but a bit better.
Comment by boskar
comment 2
Here in Belgium you're required to use the ISP's stupid modem/router combo. Luckily it has passthrough, so you can run whichever router you want behind it. I wish they just gave out dumb modems instead.
Comment by Frans
Re: @Frans

Required by what? By law?

In Poland we are provided with modems by the ISP, but there is still a chance to buy a compatible modem on our own.

Comment by boskar
comment 4
They (Belgacom/Proximus) block unapproved modems. There's a minute list of white-listed modems. That means you can only use theirs or one of the two modems an alternative ISP (EDPNet) got approved: the FRITZ!Box 7360 and the FRITZ!Box 7490. I imagine that means you could buy those from wherever and use them regardless of your actual ISP, but don't quote me on that.
Comment by Frans
stinger + where to find?

@boskar so the Sagem project looks interesting, and it would be great to see an open platform like this. There are various modems supported by OpenWRT, as I mentioned before: the problem is where to find those devices. Do you know where I could buy such a router?

Furthermore, would it support the Stinger extensions required by Bell Canada?

Thanks for the feedback!

Comment by anarcat [id.koumbit.net]
Layer 2 is the answer.
Crap with bad OS/firmware/software is best left to layer 2. I have one of those modems. I use it at layer 2. I use a real machine to do pppoe. Similarly I have a 3512 GigE switch in the core network. Layer 2 only. I use serial to manage it :). It's crap that we can't change. Until we have something approaching standards for home access. Maybe GigE?
Comment by Dave
Modem with Voip

I own the Thomson TG784. It is ADSL2 and has 2 Voip lines. I have had no issues in the past year or so and they are easily configured. I recently tried the SmartRg-sr630n being VDSL and have seen minimal change if any. Needless to say I have decided to return the SMARTRG and am going to direct Cable.

That being said, if you are looking for a good solution, my Thomson is up for grabs. Still with all the papers, cables and original box. It hasn't moved since day 1 and is in perfect condition from a non smoking home.

Comment by Mike
Sagemcom 3764

Hello again, I came across this post again and found my own comments, with your replies.

If You are really interested in sagemcom 3764 I could send You one from Poland, I can get one for ~15-20 euro and ship it.

DGT RGW VDSL2 FG4 are nice too (less preconfigured, more configurable).

If You wish, I could expose the interface for You to play with.

I have absolutely no idea how to deal with Stinger. My devices use Broadcom chipsets and Profile 17A of G.993.2.

Comment by boskar
Source Code?

Hi,

Has anyone been successful in obtaining the GPL source code for any particular firmware image for this device?

In my case, I'm using the following firmware version

Build Timestamp:    160513_1721
Software Version:   2.5.0.11

of which I have identified (at minimum) the following GPL software components without published source code:

  • Linux version 2.6.30 (root@cpebuild.smartrg.local) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #1 SMP PREEMPT Fri May 13 17:20:03 PDT 2016
  • BusyBox v1.17.2 (2016-05-13 17:24:35 PDT) multi-call binary. Copyright (C) 1998-2009 Erik Andersen, Rob Landley, Denys Vlasenko and others. Licensed under GPLv2.
  • iptables v1.4.0

There are likely many, many more GPL products contained in each firmware image.

I've made the request to SmartRG and received an automated reply but nothing concrete.

From my understanding, it's actually the ISP who is legally responsible for supplying customers with the GPL source code for this device, because they end up selling the products. It seems as though SmartRG may use this caveat as a sort of stalling tactic, as it seems they have avoided supplying any source code for their products at all.

This thread apparently lists the email address of a SmartRG employee who likely can get access to the Linux kernel source code.

http://lists.genieacs.com/pipermail/users/2015-January/000016.html

I, for one, am quite worried that there are likely thousands of security vulnerabilities embedded in these devices due to the sheer age of the linux kernel version.

If anyone is interested in obtaining the source code for their SmartRG product and sees this thread, please take a moment to list your

Board ID / Build Timestamp / Software Version / ISP / GPL Source Requested

in the replies. E.g.

963168MBV_17AZZ / 160513_1721 / 2.5.0.11 / TekSavvy / Linux 2.6.30, busybox v1.17.2, iptables v1.4.0

I'd be happy to include your information in my dialogue with SmartRG. Hopefully doing so also preempts them to publish ALL of their GPL source code.

Comment by cfriedt
how to get that info and methods

> Has anyone been successful in obtaining the GPL source code for any particular firmware image for this device?

I have not been able to obtain source code for this device, nor have I tried very hard. If we make an organized effort here, we should probably contact Software Freedom Conservancy for assistance and guidance.

> From my understanding, it's actually the ISP who is legally responsible for supplying customers with the GPL source code for this device, because they end up selling the products.

It's tricky: I got my device from another ISP. They are really just resellers, and probably don't have access to the source code themselves. If you sue your ISP, the only thing they could do in response would be to counter-sue SmartRG - I doubt that could actually work.

> It seems as though SmartRG may use this caveat as a sort of stalling tactic, as it seems they have avoided supplying any source code for their products at all.

I'm not sure this is a deliberate tactic. You can, after all, buy SmartRG modems from other online stores (e.g. Amazon sells some). I don't know if they sell directly to customers, but they do have resellers that may be better targets than ISPs.

But here's my entry, extracted from the walkthrough I did in the original article:

  • Board ID: ?
  • Build Timestamp: ?
  • Software Version: 4.12L.08?
  • ISP: EI Catalyst (AKA Tower Networks?)
  • GPL Source Requested: not yet (Linux 2.6.30, Busybox 1.17.2, iptables?)

I don't see exactly how you've extracted the fields you are referring to, unfortunately. I don't have direct access to the modem at the moment either, but if you explain how that was done, I'd be happy to update this entry with the missing fields. It would also be useful for others to provide this information...

> I, for one, am quite worried that there are likely thousands of security vulnerabilities embedded in these devices due to the sheer age of the linux kernel version.

It's pretty much absolutely certain there are a number of exploitable flaws on those machines. The question is: how many are exploitable and in which scenario. I use the modem in "bridge" mode which means it's only passing packets around. While I could have used it as a fully featured device (with the ATA, Wifi and everything else), I decided against it when I realized how the device was built, and I never came to regret that decision, even if it means more power usage and an extra device (the omnia router).

So in bridge mode, I am not sure what exactly the attack surface is, as the modem:

  • ... is not accessible on the network directly: it has no publicly routable IP address - that's the router's job

  • ... doesn't negotiate the PPPoE session, that's also the router's job.

  • ... does negotiate the ADSL session, so presumably it would be vulnerable to ADSL-specific attacks on the Linux kernel driver.

  • ... also passes ethernet frames around and so it may also be vulnerable to Ethernet-level attacks, but I'm not sure this could be leveraged by an arbitrary attacker on any network: those frames are probably crafted by the other end of the ADSL link and the insides are not examined by the modem, in theory.

Comment by anarcat
re: how to get that info and methods

To get the Board ID, Build Timestamp, & Software Version, from the modem main page, follow the link that says "Advanced Configuration". Alternatively, if your modem has the IP address 192.168.1.2, you could use http://192.168.1.2/admin/ .

To extract the remaining fields, do this (my comments are prefixed with '#')

    IP=192.168.1.2

    # ssh into IP (alternatively, use telnet)
    ssh admin@${IP}

    # enter your admin password when prompted
    # you are now in the 'stupid' shell, list all available commands with 'help'
    # just a guess, that 'sh' would open a busybox shell. I was right!
    sh

    # you are now in the busybox shell
    # Get the Linux kernel version. Normally this is done with uname -a, but that's broken
    cat /proc/version

    # Get the busybox version
    busybox

    # Get the iptables version (either command below is fine)
    iptables -V
    ip6tables -V

I've been working with embedded Linux since the 2.4 days. Had I bothered to upstream some of my kernel hacks back then, SmartRG would most certainly be violating copyright terms of my own personal work. That's not the case though, and I didn't bother upstreaming anything until fairly recently. However, you can be sure that by not releasing their source code, they ARE violating copyright terms of the GPL software components.

As I said previously, you can look through most of the binaries & scripts and you'll likely find more GPL code than just Linux, busybox, & iptables. Here is a list of binaries, some of which may or may not be GPL. If the binary exists as a GPL project, I would bet on the former.

/bin/acs_cli /bin/acsd /bin/arlctl /bin/bftpd /bin/bpmctl /bin/brctl /bin/busybox /bin/caBandwidthMonitor /bin/caCaptivePortal /bin/caCdm /bin/caCns /bin/caContFilt /bin/caStun /bin/caTmBlk /bin/consoled /bin/cutter /bin/ddnsd /bin/dhcp6c /bin/dhcp6s /bin/dnsproxy /bin/dnsspoof /bin/dry /bin/dsldiagd /bin/eapd /bin/ebtables /bin/epi_ttcp /bin/ethctl /bin/ethswctl /bin/fapctl /bin/fcctl /bin/hotplug /bin/hspotap /bin/httpd /bin/ip /bin/ip6tables /bin/iptables /bin/iqctl /bin/lld2d /bin/mcpctl /bin/mcpd /bin/mdkshell /bin/mroute /bin/nas /bin/nvram /bin/nvramUpdate /bin/openssl /bin/pppd /bin/racoon /bin/radvd /bin/rastatus6 /bin/rawSocketTest /bin/ripd /bin/setkey /bin/smd /bin/snmpd /bin/sntp /bin/spuctl /bin/ssh /bin/sshd /bin/ssk /bin/stress /bin/swmdk /bin/tc /bin/telnetd /bin/tinyproxy /bin/tr69c /bin/udhcpd /bin/upnp /bin/urlfilterd /bin/vlanctl /bin/wl_server_socket /bin/wlctl /bin/wlevt /bin/wlmngr /bin/wps_monitor /bin/xdslctl /bin/xtmctl /bin/zebra /usr/bin/iostat /usr/bin/mpstat /usr/bin/pidstat /usr/bin/sadf /usr/bin/sar

List of libraries:

/lib/ld-uClibc.so.0 /lib/libc.so.0 /lib/libcrypt.so.0 /lib/libdl.so.0 /lib/libgcc_s.so.1 /lib/libhspotap.so /lib/libm.so.0 /lib/libnvram.so /lib/libpthread.so.0 /lib/libresolv.so.0 /lib/libutil.so.0 /lib/libwl_server_socket.so /lib/libwlbcmcrypto.so /lib/libwlbcmshared.so /lib/libwlctl.so /lib/libwlmngr.so /lib/libwlupnp.so /lib/libwps.so

HA!

Might as well add uClibc and gcc to the list.

Comment by cfriedt
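
An added example, not part of cfriedt's comment or of any SmartRG tooling: POSIX shell functions that parse the three banners collected in the procedure above and assemble the one-line report in the format requested earlier in the thread. The function names are hypothetical; the sample banners and field values are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: build the thread's report line from saved banner output.
# Run on your own workstation against text captured from the modem.

# Banners as quoted earlier in this thread (not freshly captured).
PROC_VERSION='Linux version 2.6.30 (root@cpebuild.smartrg.local) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #1 SMP PREEMPT Fri May 13 17:20:03 PDT 2016'
BUSYBOX_BANNER='BusyBox v1.17.2 (2016-05-13 17:24:35 PDT) multi-call binary.'
IPTABLES_BANNER='iptables v1.4.0'

# Kernel release: third word of /proc/version ("Linux version X ...").
kernel_release() {
    printf '%s\n' "$1" | sed -n 's/^Linux version \([^ ]*\) .*/\1/p' | head -n 1
}

# Compiler release: the "gcc version X" clause of /proc/version.
gcc_release() {
    printf '%s\n' "$1" | sed -n 's/.*gcc version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# BusyBox prints its banner first, then usage text; keep only the banner.
busybox_release() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox \(v[^ ]*\).*/\1/p' | head -n 1
}

# Accepts the output of either "iptables -V" or "ip6tables -V".
iptables_release() {
    printf '%s\n' "$1" | sed -n 's/^ip6\{0,1\}tables \(v[^ ]*\).*/\1/p' | head -n 1
}

# Usage: report_line BOARD_ID BUILD_TS SW_VERSION ISP PROC_VERSION BUSYBOX IPTABLES
# A banner that fails to parse is reported as "?" instead of being dropped,
# so an incomplete entry is visible in the collected list.
report_line() {
    k=$(kernel_release "$5")
    b=$(busybox_release "$6")
    i=$(iptables_release "$7")
    printf '%s / %s / %s / %s / Linux %s, busybox %s, iptables %s\n' \
        "$1" "$2" "$3" "$4" "${k:-?}" "${b:-?}" "${i:-?}"
}

report_line 963168MBV_17AZZ 160513_1721 2.5.0.11 TekSavvy \
    "$PROC_VERSION" "$BUSYBOX_BANNER" "$IPTABLES_BANNER"
```
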
comment 12
I'm doing research on doing the same here in the UK - looks like VigorNIC 132 might be an option - PCIe vdsl2 card, which seems to be compatible with linux. Also supports Annex A. Again though, depends if the ISP is gonna be standards compliant..
Comment by mark