Hacking into a Sky router
2019-08-06
Like everyone, I have a ton of old routers lying around. It pains me to see these very useful computers go to waste, so I made it my business to hack into all of mine and replace the firmware. Maybe the title is a bit dramatic, but it's technically accurate.
My first target was an old Sky router, a Sagemcom F@ST2504n.
Which OS?
The obvious choice is OpenWrt, since the project has a page with easy instructions to get started.
There is one issue though: the pictures on that page don't work. This wasn't much of a problem, since the pads on the PCB are all labelled, so I was able to solder without incident.
Getting a console
I mentioned soldering. This is needed because there is no way to access the bootloader to flash the firmware without getting a console. There isn't a serial port on the case, but there are pads on the PCB conspicuously labelled VCC, Tx, Rx and GND. This is where you can solder some wires and connect your favourite 3.3V TTL UART. I used an FT232, but I'm sure others work too.
Interestingly, if you set your UART adapter to 5V, you can power the whole router from the serial port. I discovered this by accident: I had my FT232 set to 5V and connected it without any power going to the router, and rather spookily the router came up with nothing in the barrel jack. Don't do this. Nobody sized the adapter's 5V rail for whatever current the router draws, and a 5V adapter also drives 5V logic levels into the Rx pin of a SoC whose I/O is 3.3V. Set the adapter to 3.3V, leave the VCC pad unconnected, and power the board from the barrel jack with a real power supply.
Anyway, after changing to 3.3V, I got a console, here is what it looks like:
CFE version 5.14.7 for BCM96362 (32bit,SP,BE)
Build Date: Tue Mar 29 15:03:07 CST 2011 (zouchenbo@SZ01007.DONGGUAN.CN)
Copyright (C) 2005-2010 SAGEM Corporation.
HS Serial flash device: name MX25L64, id 0xc217 size 8192KB
Total Flash size: 8192K with 128 sectors
Chip ID: BCM6362B0, MIPS: 384MHz, DDR: 320MHz, Bus: 160MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Board Id (0-2) : F@ST2504n
Number of MAC Addresses (1-32) : 11
Base MAC Address : 7c:03:4c:ad:19:f6
PSI Size (1-64) KBytes : 40
Enable Backup PSI [0|1] : 0
System Log Size (0-256) KBytes : 0
Main Thread Number [0|1] : 0
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1
web info: Waiting for connection on socket 0.
CFE>
Some interesting info there (note the one-second boot delay), but all we actually care about is the prompt offering to stop the auto run. Press any key within that second and you'll end up at the CFE prompt.
I wasn't able to get minicom to work with this console: I couldn't write anything, which led me to waste some time checking my soldering. I switched to cu (from the cu package on Debian; it's in base on OpenBSD) with the recommended 115200 8N1 settings and it worked as above. I don't really know how to use minicom, so it was probably just user error.
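With a one-second boot delay, catching the prompt by hand in cu works but is fiddly, and a missed window means power-cycling the board. The following is an added example, not the post's method: a standard-library Python script that applies the 115200 8N1 settings through termios, watches the line for the "Press any key" text from the boot log above and sends a newline the moment it appears. The /dev/ttyUSB0 device node is an assumption (a typical FT232 name), and FAKE_BOOT_LOG is a constructed excerpt of the boot log so the logic can be exercised through a pty without hardware.

```python
"""Catch the CFE's one-second autoboot window without hand timing.

Added example, not code from the post (the post used cu interactively).
Only the standard library is used: termios for the 115200 8N1 settings,
select to watch the line. /dev/ttyUSB0 is an assumed device node; the
prompt strings come from the boot log, and FAKE_BOOT_LOG is a constructed
excerpt of that log used by demo_with_fake_console().
"""
import os
import select
import sys
import termios
import time

AUTORUN_PROMPT = b"Press any key to stop auto run"
CFE_PROMPT = b"CFE>"
FAKE_BOOT_LOG = (  # constructed excerpt of the post's boot log, for the offline demo
    b"CFE version 5.14.7 for BCM96362 (32bit,SP,BE)\r\n"
    b"Boot delay (0-9 seconds) : 1\r\n"
    b"*** Press any key to stop auto run (1 seconds) ***\r\n"
    b"Auto run second count down: 1\r\n"
    b"web info: Waiting for connection on socket 0.\r\n"
    b"CFE> "
)


def configure_8n1(fd, baud=termios.B115200):
    """Raw 8N1 at the given rate: no echo, no line editing, no CR/LF or flow-control mangling."""
    iflag, oflag, cflag, lflag, _, _, cc = termios.tcgetattr(fd)
    iflag &= ~(termios.IGNBRK | termios.BRKINT | termios.PARMRK | termios.ISTRIP
               | termios.INLCR | termios.IGNCR | termios.ICRNL | termios.IXON)
    oflag &= ~termios.OPOST
    lflag &= ~(termios.ECHO | termios.ECHONL | termios.ICANON | termios.ISIG | termios.IEXTEN)
    cflag &= ~(termios.CSIZE | termios.PARENB | termios.CSTOPB)  # 8 data bits, no parity, 1 stop
    cflag |= termios.CS8 | termios.CREAD | termios.CLOCAL        # ignore modem control lines
    cc = list(cc)
    cc[termios.VMIN], cc[termios.VTIME] = 0, 0                   # reads return whatever is there
    termios.tcsetattr(fd, termios.TCSANOW, [iflag, oflag, cflag, lflag, baud, baud, cc])


def break_into_cfe(fd, timeout=60.0):
    """Watch the console and send a key the moment the autorun prompt shows up.

    Returns True once the CFE> prompt has been seen after the key was sent, False if
    the timeout expires first (wrong baud rate, Tx/Rx swapped, or the window was missed).
    """
    deadline = time.monotonic() + timeout
    buf, sent = b"", False
    while time.monotonic() < deadline:
        ready, _, _ = select.select([fd], [], [], 0.1)
        if not ready:
            continue
        chunk = os.read(fd, 4096)
        if not chunk:
            continue               # VMIN=0: an empty read just means nothing new yet
        buf += chunk
        if not sent and AUTORUN_PROMPT in buf:
            os.write(fd, b"\r\n")  # "any key"; a newline is harmless at the CFE> prompt
            sent = True
        if sent and CFE_PROMPT in buf:
            return True
        buf = buf[-4096:]          # the banner is small; keep a sliding window
    return False


def demo_with_fake_console():
    """Replay FAKE_BOOT_LOG through a pty pair so the logic runs without hardware."""
    master, slave = os.openpty()
    try:
        configure_8n1(slave)
        os.write(master, FAKE_BOOT_LOG)
        reached = break_into_cfe(slave, timeout=5.0)
        sent = os.read(master, 64) if reached else b""  # what the "board" saw us type
    finally:
        os.close(master)
        os.close(slave)
    return reached, sent


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /dev/ttyUSB0 (assumed FT232 node)
        fd = os.open(sys.argv[1], os.O_RDWR | os.O_NOCTTY | os.O_NONBLOCK)
        configure_8n1(fd)
        print("at CFE prompt" if break_into_cfe(fd) else "timed out; check wiring and baud rate")
    else:
        print(demo_with_fake_console())
```

Run it with the device path as the only argument before powering the board on; with no argument it replays the constructed log through a pty and reports whether the key was sent. Once it returns you can hand the port over to cu for the interactive part.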
Flashing the firmware
From here, you can follow the instructions. For a TFTP server, I used the one from the tftpd-hpa package on Debian; the one in the base system on OpenBSD also works. Here is what I did: I erased the flash with e a, which wipes everything except the bootrom and resets the board (so the CFE comes back up complaining that there is no flash image, which is expected), then wrote the image from the TFTP server with f:
CFE> e a
Erase all flash (except bootrom)? (y/n):y
...............................................................................................................................
Resetting board...HELO
CPUI
L1CI
HELO
CPUI
L1CI
DRAM
----
PHYS
ZQDN
PHYE
DINT
LASY
USYN
MSYN
LMBE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
CFE version 5.14.7 for BCM96362 (32bit,SP,BE)
Build Date: Tue Mar 29 15:03:07 CST 2011 (zouchenbo@SZ01007.DONGGUAN.CN)
Copyright (C) 2005-2010 SAGEM Corporation.
HS Serial flash device: name MX25L64, id 0xc217 size 8192KB
Total Flash size: 8192K with 128 sectors
Chip ID: BCM6362B0, MIPS: 384MHz, DDR: 320MHz, Bus: 160MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000
** Flash image not found. **
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Board Id (0-2) : F@ST2504n
Number of MAC Addresses (1-32) : 11
Base MAC Address : 7c:03:4c:ad:19:f6
PSI Size (1-64) KBytes : 40
Enable Backup PSI [0|1] : 0
System Log Size (0-256) KBytes : 0
Main Thread Number [0|1] : 0
web info: Waiting for connection on socket 0.
CFE> f 192.168.1.4:/home/kaashif/firm.bin
Loading 192.168.1.4:/home/kaashif/firm.bin ...
Finished loading 3932164 bytes
Flashing root file system and kernel at 0xb8010000: .............................................................
Flashing File Tag....
*** Image flash done *** !
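What the CFE does on the wire for f 192.168.1.4:/home/kaashif/firm.bin is a plain TFTP read: a read request, then 512-byte DATA blocks each acknowledged in lockstep, until a short block ends the transfer. The following is an added example, not the post's setup (which used tftpd-hpa): a minimal RFC 1350 server and client in Python that run the exchange over localhost against a constructed dummy image, including the one check a TFTP server on a flashing laptop should make, confining requests to the served directory, since TFTP has no authentication and the CFE's request is an absolute path. Function names, the 127.0.0.1 address and ephemeral ports, and the dummy image are assumptions of the example.

```python
"""TFTP read exchange as the CFE's `f host:path` command performs it (RFC 1350).
Added example, not the post's setup (it used tftpd-hpa); runs offline on 127.0.0.1
against a constructed dummy image. Names, ports and the dummy data are assumptions."""
import os
import socket
import struct
import tempfile
import threading

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK = 512  # fixed block size; a DATA packet shorter than this ends the transfer


def serve_one_file(root, host="127.0.0.1"):
    """Answer one RRQ for a file under root from a background thread; return the address.
    Like tftpd-hpa's --secure mode, paths resolve inside root and must not escape it."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind((host, 0))
    listen.settimeout(10)
    addr = listen.getsockname()

    def run():
        with listen:
            pkt, client = listen.recvfrom(516)
        # DATA is sent from a fresh ephemeral port: the server's transfer ID (TID).
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as data:
            data.bind((host, 0))
            data.settimeout(2)
            fields = pkt[2:].split(b"\0")
            if pkt[:2] != struct.pack("!H", OP_RRQ) or len(fields) < 2 or fields[1].lower() != b"octet":
                data.sendto(struct.pack("!HH", OP_ERROR, 4) + b"Illegal TFTP operation\0", client)
                return
            # The CFE sends an absolute path; take it relative to root and refuse anything
            # that resolves outside root (which is what defeats ../ in the request).
            base = os.path.realpath(root)
            path = os.path.realpath(os.path.join(base, fields[0].decode(errors="replace").lstrip("/")))
            if not path.startswith(base + os.sep) or not os.path.isfile(path):
                data.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\0", client)
                return
            with open(path, "rb") as f:
                image = f.read()
            block, offset = 1, 0
            while True:  # lockstep: one DATA, then wait for the matching ACK (16-bit block number)
                chunk = image[offset:offset + BLOCK]
                data.sendto(struct.pack("!HH", OP_DATA, block & 0xFFFF) + chunk, client)
                try:
                    ack = data.recvfrom(516)[0]
                except socket.timeout:
                    return  # a real server retransmits here; this one just gives up
                if ack[:4] != struct.pack("!HH", OP_ACK, block & 0xFFFF) or len(chunk) < BLOCK:
                    return  # bad ACK, or the short (possibly empty) final block was acknowledged
                block, offset = block + 1, offset + BLOCK

    threading.Thread(target=run, daemon=True).start()
    return addr


def fetch(server, filename, timeout=2.0):
    """Client side of `f host:path`: RRQ, then ACK each DATA block until a short one arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(struct.pack("!H", OP_RRQ) + filename.encode() + b"\0octet\0", server)
        out, expected, tid = bytearray(), 1, None
        while True:
            pkt, src = sock.recvfrom(4 + BLOCK)
            if tid is None:
                tid = src      # the first reply fixes the server's TID ...
            elif src != tid:
                continue       # ... and anything from another port is ignored
            op, num = struct.unpack("!HH", pkt[:4])
            if op == OP_ERROR:
                raise RuntimeError("tftp error %d: %s" % (num, pkt[4:].rstrip(b"\0").decode(errors="replace")))
            if op != OP_DATA or num != expected & 0xFFFF:
                continue       # stray or duplicate block
            out += pkt[4:]
            sock.sendto(struct.pack("!HH", OP_ACK, num), tid)
            expected += 1
            if len(pkt) - 4 < BLOCK:
                return bytes(out)


def demo(size=7 * BLOCK + 100):
    """Serve a constructed dummy image, fetch it the way the CFE would, and report the outcome."""
    root = tempfile.mkdtemp()
    image = os.urandom(size)  # constructed stand-in for firm.bin, not a real firmware image
    with open(os.path.join(root, "firm.bin"), "wb") as f:
        f.write(image)
    got = fetch(serve_one_file(root), "/firm.bin")  # absolute path, resolved under root
    try:
        fetch(serve_one_file(root), "../../../etc/passwd")
        escaped = True
    except RuntimeError:
        escaped = False
    return {"size": len(got), "intact": got == image, "traversal_rejected": not escaped}


if __name__ == "__main__":
    print(demo())
```

Two things in this exchange matter when the real fetch hangs at "Loading": the data comes back from a new ephemeral port rather than port 69, so a host firewall on the laptop that only opens UDP 69 can stall the transfer, and with a chrooting server like tftpd-hpa in --secure mode the absolute path the CFE sends is taken relative to the served directory, so the file has to live at that path under the TFTP root.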
192.168.1.4 is the address of my laptop, which I connected directly to the router with an Ethernet cable; the f command names the TFTP server explicitly, so the 192.168.1.100 "Host IP address" stored in the CFE settings above is not what gets used. Now, after waiting for it to boot, you end up at the OpenWrt shell:
BusyBox v1.28.3 () built-in shell (ash)
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
-----------------------------------------------------
OpenWrt 18.06.0-rc2, r7141-e4d0ee5af5
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/# uname -a
Linux OpenWrt 4.9.111 #0 SMP Sat Jul 14 13:48:14 2018 mips GNU/Linux
Fantastic. That's one router set free. The warning in the banner is worth acting on straight away: run passwd to set a root password, since until then the device accepts SSH logins as root without one. I'll do the rest (and not write posts about them, since I imagine they'll all be the same as this one).
One last thing, here's a picture of the router in action, with the serial terminal connected: