OpenWrt Based TalkTalk Sagemcom FAST 5364 Tinkering

cilusse · March 2, 2021, 11:04pm

Hello!

Just came across this thread while trying to tinker with my 5364 TalkTalk Hub.
This is all awesome! Super cool finds from everyone!

I want to try something which is to make my router into a VDSL bridge, and as I understand it, killing hg6d at startup might not be the greatest idea.
I would also love to have a hardwired access to the Hub for further tinkering, which leaves me wanting to try creating a bridge between ptm0.101 and the WAN port (eth0 I suppose ?). The WAN port is unused, and the other 4 LAN ports would still behave in the same way, allowing access to the router normally and allowing ssh debugging whenever needed.

Would that even work ?
How would I do this ?
Has anyone made a guide on how to use xmo-client to achieve this ?

Any help would be appreciated! And I'm following this thread closely, I love when we can claim back some ownership on our devices.

Thanks,
Adrien.

wasc · March 22, 2021, 9:48am

Hi David

Thanks for the help - I've successfully changed the setting to "WirelessBridge", however I couldn't see any properties to specify the SSID and password for the wifi network I want it to join.

I did try changing the normal SSID and Passphrase to match my existing network, but that hasn't worked as the talk talk box isn't joining my existing wifi network

I don't suppose you have any other ideas?

003miles · March 23, 2021, 6:07pm

Wow this is so great to read. I’ve just got my hands on one of these routers for free, and I’m very interested in seeing what you guys can achieve. I also have the idea of using it as a wireless bridge to connect non wifi enabled devices to my main wireless network. Keep it up!

tmomas · March 24, 2021, 6:48am

This is the OpenWrt forum.
For dd-wrt related questions, please head over to the dd-wrt forum.

003miles · March 24, 2021, 8:16pm

Small update, may or may not be useful...

Just seen that running the command iwlist scan ,
returns "Interface doesn't support scanning." for all interfaces.

Unless anyone can tell me a way to enable scanning for existing networks, could this mean the wireless bridge is not feasible?

andy_apcs · April 14, 2021, 7:09am

I managed to brick my TTB router in an attempt to work around the port forwarding bug. This post helped enormously. For anyone else who may stray this way, here's how I managed to recover. BTW: I happen to have two routers without which this can't be done (without images).

Restore through TFTP

Configure tftp server at serverip (192.168.1.10)
Place the .gsdf file to /srv/tftp/ (used: Linux - Ubuntu - tftpd-hpa)
- I initially used this image (doesn't connect to TTB though)
  - SG4K10002816t-sagemcom-5364-talktalk-6.72.44.14_Prod-combined-squashfs.img.gsdf to sc_f5364v3.scos.resc.gsdf
- The destination filename is important
Connect console to TTB (see roboconnells post above)
Switch on TTB router

Wait for

CPU: BCM63xx
Model: Sagemcom F5364v3
DRAM: 512 MiB
NAND: 512 MiB

Press bar

Issue command run upgrade_oper

This may be possible without opening the router (i.e. when it fails to boot it may resort to TFTP) - I didn't check.

Extract Firmware

To get the OEM images from a pristine TTB router.

Connect to the TTB (e.g. Linux - Ubuntu - minicom):

minicom -D /dev/ttyUSB0 -b 115200

Configure a capture log:

^AZ
L
firmware.txt

On the TTB minicom session after interrupting boot:

run _select_main
ubi info l
# used_bytes 22474752 for OEM
ubi read 0x01000000 operational 22474752
md 0x01000000 #objects = 22474752 / 4 + 100 for safety

Wait an hour or so for the dump to complete.

Remove any extraneous lines from the start of the dump:

vi firmware.txt
# md 0x01000000 0x55BC64
# 01000000: 46445347 00303120 00205101 00100000    GSDF 10..Q .....
# :

# remove up to the first memory dump line

Convert the hex to binary with `python3 hex2bin.py firmware.txt firmware.bin:

hex2bin.py:

import argparse
import sys


def hex2bin(textfile, binfile):
    print(f'Txt: {textfile} Bin: {binfile}')

    with open(textfile) as txtFd:
        with open(binfile, 'wb') as binFd:
            for line in txtFd:
                if line[0] != '0':
                    if binFd.tell() != 0:
                        print(f'Format error at {line}')
                        sys.exit(1)
                    continue
                data = line.split()[1:5]
                for quad in data:
                    for idx in range(3, -1, -1):
                        char = quad[idx * 2:idx * 2 + 2]
                        byte = bytes([int(char, 16)])
                        binFd.write(byte)


def main():
    parser = argparse.ArgumentParser(description='hex2bin tool')
    parser.add_argument('textfile')
    parser.add_argument('binfile')

    opts = parser.parse_args()

    hex2bin(opts.textfile, opts.binfile)


if __name__ == '__main__':
    main()

Truncate the file:

dd if=firmware.bin of=firmware.img.gsdf bs=4096 count=5487

As a test, comparing acquired image with uploaded image:

sha1sum firmware.img.gsdf SG4K10002816t-sagemcom-5364-talktalk-6.72.44.14_Prod-combined-squashfs.img.gsdf

13a32d276d8bbee16b6758b78cf537df3e640c39  firmware.img.gsdf
13a32d276d8bbee16b6758b78cf537df3e640c39  SG4K10002816t-sagemcom-5364-talktalk-6.72.44.14_Prod-combined-squashfs.img.gsdf

Repeat for gui volume:

Volume information dump:
        vol_id          1
        reserved_pebs   166
        alignment       1
        data_pad        0
        vol_type        4
        name_len        3
        usable_leb_size 126976
        used_ebs        0
        used_bytes      0
        last_eb_bytes   0
        corrupted       0
        upd_marker      0
        name            gui

Stop and restart the capture.

# 126976 / 8 = 15872
ubi read 0x01000000 gui 126976
md 0x01000000 ...

 dd if=gui of=gui.img.gsdf bs=4096 count=31
# 126976 bytes (127 kB, 124 KiB) copied, 0.000217451 s, 584 MB/s

Hope this helps someone. Apologies if it's a little terse.

DavidBrent · June 29, 2021, 8:08pm

I’m so glad this thread has collated so much insight – great work! Given that the long-term development on this hardware is tricky, I think the best usage is as a VDSL bridged modem for a separate OpenWrt box. I’ve tested this on TalkTalk (through DHCP) and EE (through PPPoE) and it works really well. Here’s a consolidated list of steps starting from a stock FAST 5364 on the latest firmware (SG4K10002816t at the time of writing).

Enable SSH by downgrading firmware

Login to the web admin interface
Navigate to Advanced Settings > Maintenance > Software Update
Upload the 2600 image from http://cpe.ttcdn.uk/cpe/Sagemcom/SG4K10002600t/SG4K10002600t-sagemcom-5364-talktalk-6.72.40_Prod-combined-squashfs.img.gsdf
Apply and reboot
Log back into the admin interface
Use F12 Developer Tools to open a JavaScript console to execute the following command:
$.xmo.setValuesTree(true,"Device/UserAccounts/Users/User[@uid=3]/RemoteAccesses/RemoteAccess[@uid=3]/Enabled")
Note: it’s normal to return undefined as output.
Using an SSH client, connect to the router’s IP (192.168.1.1 by default) with username admin and relevant password.
Then issue the login command with username root and password root to elevate access.

Optional steps

Disable remote management

xmo-client -p "Device/ManagementServer/URL" -s ""
xmo-client -p "Device/ManagementServer/TR69InternalData/Settings/Port" -s 0

Disable both wireless radios

xmo-client -p "Device/WiFi/Radios/Radio[@uid=1]/Enable" -s "false"
xmo-client -p "Device/WiFi/Radios/Radio[@uid=2]/Enable" -s "false"

Tidy up unnecessary services

xmo-client -p "Device/UPnP/Device/Enable" -s "false"
xmo-client -p "Device/UPnP/Settings/UPnPIGD/WanInterfaces/WanInterface/Enable" -s "false"

Create the bridge itself

This creates a bridge on the first Ethernet port so be sure to connect to the router via a different port:

xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=1]/Ports/Port[@uid=2]/Enable" -s "false"
xmo-client -p "Device/Bridging/Bridges" -a
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports" -a
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports" -a
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports" -a
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Alias" -s "BR_VDSL"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Enable" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=1]/Enable" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=1]/ManagementPort" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=2]/Enable" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=3]/Enable" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=2]/LowerLayers" -s "Device/Ethernet/Interfaces/Interface[PHY1]"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=3]/LowerLayers" -s "Device/Ethernet/VLANTerminations/VLANTermination[VLAN_DATA]"
xmo-client -p "Device/IP/Interfaces/Interface[@uid=2]/IPv4Addresses/IPv4Address[@uid=1]/Enable" -s "false"

Finally, connect to your broadband line and upstream router via the first ethernet port. You may need to configure your main router based on your ISP’s settings.

cilusse · July 18, 2021, 12:25pm

Huge thanks for these instructions!
My router has been running in bridge mode for a week now with no issues at all. It's so much easier without double NAT.

Virtual pint of beer for you @DavidBrent

special_beam_cannon · August 31, 2021, 7:46pm

Hey, I know it has been a while but I was wondering if you have found a solution to your issue? I've run into the exact same problem as you. As soon as I follow the steps and "activate bridge mode" by entering the xmo codes into the ssh client, the modem loses connection to the internet. Would really appreciate a reply from anyone really. Thanks in advance.

senrs · September 9, 2021, 7:39pm

Hi @DavidBrent First of all thank you so much for all your efforts on this router. Can you advise what to do if I intend to use this router as a ethernet bridge? Let me explain what I want to do. I have the main router with only one ethernet port. I need to use this Fast 5364 router to extend that port using the additional ports on this router.

DavidBrent · September 10, 2021, 9:13am

@special_beam_cannon - if the commands complete without error you should be done. Are you sure the issue isn't with your downstream router not using DHCP to pick up the WAN IP address through the first Ethernet port? FYI - the TalkTalk web interface will incorrectly report 'not connected to the Internet' when in bridge mode and isn't very useful! I'd also check your two routers aren't using the same subnet so perhaps use 192.168.0.x for the FAST 5364 and 192.168.1.x for your main router.

@senrs - do you mean just using it as an Ethernet switch to add more ports? If so, you could just leave the WAN unused and daisy chain one to the other via the LAN ports and disable DHCP and DNS on the TalkTalk router so it doesn't interfere with your main router.

I don't check here very often so you could always try the TalkTalk forums if you are stuck.

Thanks @cilusse - great to have more people being able to make use of it and avoid more e-waste!

senrs · September 11, 2021, 11:05am

@DavidBrent - Thank you! I made it work by daisy chaining. Can we use xmo-client commands to convert the WAN port to use as a LAN port while daisy chaining?

DavidBrent · September 13, 2021, 7:14pm

Technically possible I'd say but could take a bit of fiddling. You'd need to add eth6 to the LAN bridge. However, there's a number of services that run on the WAN port that would need to be disabled so could take a while to figure out!

senrs · September 13, 2021, 11:14pm

Thanks @DavidBrent , let me see if I can fiddle around with it and figure it out.

francisuk1989 · September 20, 2021, 4:49pm

Could you also show us how to setup a Fibre/VDSL2 line that needs a authentication username and password as there a few UK ISPs that need it, e.g A&A (Andrews & Arnold Ltd) Zen Internet with IPv6

XXXXXX@zen
password

slh · September 21, 2021, 12:35am

https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=266

xtendtech · November 22, 2021, 5:20pm

were u able to put the password? i am moving into fibre Aquiss and would like to use password option!

francisuk1989 · November 23, 2021, 8:47pm

Sorry i don't own this device anymore @xtendtech as i bought a draytek vigor 130 and put this into bridge mode (as you need this for fibre vdsl2 modem) and then using a linksys ea8300 via openwrt 21.02.1 for all my routing needs.
I hope your move to Aquiss goes well

@DavidBrent
When putting the sagemcom fast 5364 into bridge mode, can you still access the router page via 192.168.1.1 on LAN ports 2 to 4? or is it completely blocked from ports 2-4 because of the bridge mode been on LAN port 1

DavidBrent · December 6, 2021, 12:27pm

Yes, you can still access the router admin page (although it'll incorrectly report no Internet access as it can't check). I ran in this configuration with one cable from Port 1 to main router WAN and one cable from Port 2 to main router LAN to retain access for VDSL monitoring. Maybe there's a fancy way of doing it with VLANs down one cable but it worked for me!

CM1 · December 12, 2021, 11:18am

Any chance someone has SG4K100130 available for download?