Cigtech G-95SP SFP GPON

I've been given a Fritz!Box 5491 by my ISP with no option of choosing anything else, and I want to get rid of it (nothing inherently wrong with it, but I do have a dedicated pfSense box with a Unifi Switch). Luckily, it comes with proper SFP stick (the one in the title of this post), which according to my investigation is based on Lantiq 98035.

I've tried moving the SFP stick to my Unifi switch, but it doesn't come online, because my ISP does authentication by serial number, and to my suprise, this number is not on the SFP stick when it boots - it gets pushed to it by Fritzbox when it detects the SFP module - on port 8888, which I discovered with Wireshark. It also seems to have a baked in ip of 192.158.47.1 (and the Fritzbox has an interface with IP 192.168.47.2)

After getting some help at ip-phone-forum.de I managed to install a rootkit on the router, so I could get full SSH access to it, but not the SFP stick - this allowed me to look around in the filesystem and found a firmware file specifically for the SFP module. Unfortunately this module doesn't have SSH or Telnet running, but is rather just listening on that one port.

The problem is I'm not that experienced with this low level stuff (I'm a developer/sysadmin), so I have no clue how to proceed in my effort to try and either get into the SFP stick or to replicate Fritzbox's behaviour when it updates the SFP with a serial number.

Binwalking the SFP firmware gave me the following info:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x73602CE4, created: 2019-04-02 14:14:21, image size: 1211797 bytes, Data Address: 0x80002000, Entry Point: 0x80002000, data CRC: 0x70B6ED00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "SFP_7.5.13"
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3518276 bytes
1211861       0x127DD5        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1847786 bytes, 558 inodes, blocksize: 262144 bytes, created: 2019-04-02 14:14:27

And binwalking just the "LZMA compressed data" at 0x40:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
1040          0x410           Flattened device tree, size: 8160 bytes, version: 17
2854460       0x2B8E3C        DES SP1, big endian
2854716       0x2B8F3C        DES SP2, big endian
2905932       0x2C574C        Linux kernel version 3.10.4
2939442       0x2CDA32        Unix path: /var/run/rpcbind.sock
2948802       0x2CFEC2        Copyright string: "Copyright 2013, Lantiq Deutschland GmbH"
3022668       0x2E1F4C        xz compressed data
3037148       0x2E57DC        Unix path: /lib/firmware/updates/3.10.49
3074394       0x2EE95A        Neighborly text, "neighbor %.2x%.2x.%pM lost rename link %s to %s"
3206656       0x30EE00        CRC32 polynomial table, big endian
3517760       0x35AD40        ASCII cpio archive (SVR4 with no CRC), file name: "dev", file name length: "0x00000004", file size: "0x00000000"
3517876       0x35ADB4        ASCII cpio archive (SVR4 with no CRC), file name: "dev/console", file name length: "0x0000000C", file size: "0x00000000"
3518000       0x35AE30        ASCII cpio archive (SVR4 with no CRC), file name: "root", file name length: "0x00000005", file size: "0x00000000"
3518116       0x35AEA4        ASCII cpio archive (SVR4 with no CRC), file name: "TRAILER!!!", file name length: "0x0000000B", file size: "0x00000000"

So I'm looking for ideas about how to solve this problem without any kind of hardware manipulation - this is the only SFP module I have, so I don't dare to get the wife angry by bricking it and thus no TV or internet in the house

The reason for me binwalking the firmware image was a failed attempt at trying to run the firmware on my mac with Qemu, but haven't had any luck so far. If I succeeded, I'd have a chance to run some of the software in debug mode to see what's going on - at least I'm hoping that's the case.

Edit: Just found OpenWrt Lantiq Falcon firmware, which is quite similar to the SFP stick, from the initial check, so if someone could help me emulate that with Qemu, I'm fairly confident I can replicate it with my firmware.

You won't be able to emulate the SoC itself unless you have datasheets and time to code but you should be able to run basic userland from QEMU. What I'd suggest is extracting squashfs using binwalk, compiling https://github.com/rampageX/firmware-mod-kit, running unsquashfs_all.sh, locate the daemon that's listening on 8888 and/or any backdoors.

You should be able to chroot via squashfs and use qemu-mips-static (Deb) on some executables using options such as -strace or gdb with gdb-multiarch (Deb).

The falcon firmware won't be of much use since it's missing most of the necessary daemons, firmware, mibs, etc. which are not opensource. Where it comes in handy is building some extra packages.

Thanks for the explanation.

I already got stuck with trying to chroot:

$ chroot . ./qemu-mips-static ./bin/busybox
chroot: ./qemu-mips-static: Permission denied

I'm running the above permissions as root already, so not sure why it doesn't let me do it.

copy qemu-mips-static to /usr/bin inside the squashfs dir.

chroot . /usr/bin/qemu-mips-static -L / /bin/busybox

I have succeeded, but not with your solution. I actually tried something completely new

So as you know, based on my Wireshark analysis, my router makes a TCP request to SFP's port 8888 whenever it detects it, so what I've done, is simply moved the SFP to my switch, ran TCPreplay with exported frames from Wireshark on my computer, and to my suprise, it immediately got online. Internet works with full speed, IPTV works on all 3 TVs

Well done.

Thanks, I'm going to give that a try.