I haven't seen a lot of resources on the TalkTalk provided Sagemcom FAST 5364 so wanted to share a few collated findings from around the web in case it's useful to anyone. Thanks to all the work on similar devices that helped me get this far!
SSH Access is possible by enabling remote access on the default Admin account through a JavaScript developer console once logged in to the web interface:
$.xmo.setValuesTree(true,"Device/UserAccounts/Users/User[@uid=3]/RemoteAccesses/RemoteAccess[@uid=3]/Enabled")
Then SSH as admin with your password. Then use the login command with username root
and password root
for complete access.
The Sagemcom default SG4K10001400t firmware seems 'inspired by' an old OpenWrt build.
cat /proc/version
Linux version 3.4.11-rt19 (g361146@compil-atr-1) (gcc version 4.6.2 (GCC) ) #1 SMP PREEMPT Fri Mar 16 20:29:03 CET 2018
cat /proc/cpuinfo
Processor : ARMv7 Processor rev 1 (v7l)
processor : 0
BogoMIPS : 1990.65
processor : 1
BogoMIPS : 1990.65
Features : swp half thumb fastmult edsp tls
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x4
CPU part : 0xc09
CPU revision : 1
Hardware : BCM963138
Revision : 0000
Serial : 0000000000000000
xmo-client
is the main interface to the configuration XML and can be used to disable subsequent updates:
xmo-client -p "Device\ManagementServer\URL" -s ""
xmo-client -p "Device\ManagementServer\TR69InternalData\Settings\Port" -s 0
Or re-enable:
xmo-client -p "Device\ManagementServer\URL" -s "https://acs.talktalk.co.uk:7443/ACS-server/ACS"
xmo-client -p "Device\ManagementServer\TR69InternalData\Settings\Port" -s 7547
Firmware can be read out of mtd10
and saved to a file that can be uploaded using the web interface:
dd if=/dev/mtd10 of=/root/tmp/SG4K10002808t.gsdf
Using the router as a pure VDSL bridge is possible but clunky using the following commands in a startup script:
rmmod hard_watchdog
killall hg6d
killall dhclient
killall dhcpd
brctl addif BR_LAN ptm0.101
ifconfig ptm0.101 0.0.0.0
The public WAN IP is then exposed via DHCP on the local interfaces.
The static ARM binaries at https://github.com/therealsaumil/static-arm-bins/ are useful for further investigations. curl can be used to transfer files to the router and a symlink to the web interface a quick way of getting files off:
ln -s /root/tmp /usr/share/gui-core/www/gui/tmp
Then download via http://192.168.1.1/0.1/gui/tmp/filename
I'm not sure if a clean build of OpenWrt is feasible for this model as the VDSL binaries are unlikely to port across I guess? I'd value other opinions to see if custom firmware is possible at all?