OpenWrt Based TalkTalk Sagemcom FAST 5364 Tinkering

What you really need is the value of the DeviceInfo/InternalFirmwareVersion property. If you could get someone who owns one to log in to the admin interface and then use Developer Tools (usually F12) and run the command $.xmo.getValuesTree("Device/DeviceInfo") in a debug console, it will return an object with more details. This should give a few more clues if you can get it!

Details from the business hub (some info omitted from output):

AdditionalHardwareVersion: "3.00"
BackupSoftwareVersion: "SG4K1100015"
ConfigBackupRestoreEnable: false
Country: "UK"
DeploymentName: "TalkTalk"
Description: "F5364"
ExternalFirmwareVersion: "SG4K1100014"
GUIAPIVersion: "GUI v1.10.1"
GUIFirmwareVersion: ""
HardwareVersion: "FAST5364 3.00"
InternalFirmwareVersion: "6.72.44.7_Prod"
Mode: "GW"
ModelName: "F@ST 5364"
ModelNumber: "SagemcomFAST5364"
ProductClass: "F@ST 5364"
SoftwareVersion: "SG4K1100014"
SpecVersion: "1.0"

I did try and guess the link unsuccessfully using variations on SG4K1100014 and 6.72.44.7_Prod.

While I don't have a residential version to compare, I can see that you can change DNS on the business hub, but not a lot else. I can't even add a static route, which is how I have ended up here "XMO_ACCESS_DENIED_ERR".

No ssh, so I tried to load a residential firmware to enable it via the Web UI from the above links and it no longer boots.

So regrettably I have managed to brick my TT business hub, when I power it on it responds to ping on 192.168.1.1 (bootloader) for about 3 seconds and disappears. If I could find the business firmware, I might be able to reload the firmware via TFTP/serial cable connected onboard, but that's about all I can think to do with it.

Why they restrict the firmwares so much is really annoying, a router that won't static route is like going back 2 decades.

Anyway, be warned trying to flash firmware manually!

1 Like

Interesting findings! Shame it's following a different naming convention.

If you can get a serial console hooked up to the four pin header, you may get lucky. On the consumer model, the operational firmware is in mtd10 with a recovery backup in mtd9. Depending on the upgrade method, you might still have an old copy of the business firmware there which could be read out with dd if=/dev/mtd9 of=/root/tmp/backup.gsdf or at least copied back to mtd10.

Let us know how it goes!

1 Like

Might help others if you break your router with a bad firmware...

Firstly, I spent a lot of time trying to get a serial connection. I had 3 different COM to USB adaptors lying around (all used various Prolific drivers), which I could get data from, but only garbled characters (including on an XP VM with HyperTerminal). I even tried an onboard mainboard COM port of an old PC. Same garbled characters.

In the end I purchased a £3 ebay special, "CH340" USB TTL Serial Adaptor - straight in no problem and could start playing/interacting with it.

Attached photo, just using ground, tx and rx (no VCC).

putty
COM12 (see device manager)
115200

It would start the boot process, but crash on line 1770 soon after "Run hg6d", no errors, just hung.

When the router boots, there is a
*** Press any key to stop auto run (2 seconds) ***
if you do this, it takes you to a bootloader, and I couldn't do a right lot from here as far as I could tell: help shows around 15 commands, nand/hex ish.

Let it run past that without pressing a key, and the kernel starts to boot, shortly after:

CPU: BCM63xx
Model: Sagemcom F5364v3
DRAM: 512 MiB
NAND: 512 MiB

You have about 2 seconds to press the space bar, this gets to a different prompt with more like 55 commands (again use: help).

Using printenv, you can sort of see other commands the router uses when booting (gives you more detail).
Run this that and the other, recovery command are x etc.

Here you can't do a right lot in terms of hack, as it hasn't booted/mounted partitions yet, but you can switch to the rescue boot!

I found that the following allowed the router to boot.

ubi swap rescue operational
sb

Original command from printenv showed, ubi swap operational rescue, so I just switched operational and rescue around.
sb was the boot command, which starts it booting.

LAN cable connected, I am in, went into the GUI and did a factory reset. It's looking good. No need to switch back after, it seems to have fixed itself by booting into rescue.

Hope this helps someone else with their tinkering.

1 Like

Wow that's pretty good work! So are you now successfully running residential firmware on the business hub? Also do you still have the business hub recovery backup in mtd9 partition that can be successfully read using the dd if=/dev/mtd9 of=/root/tmp/backup.gsdf command?

Hi all. Do you think it would be possible to turn this router (FAST 5364) into a wireless bridge using these xmo-client commands? I have a spare router and would love to use it to connect some wired devices to my Wifi.

So essentially I want the router to act as a wifi client and connect to my normal wifi and then bridge that to the ethernet ports so I can plug wired devices in.

@DavidBrent Excellent work as I was able to get bridge mode working as my DrayTek didn't like the Huawei cabinet my line was connecting to. Is there any way to get access to the GUI whilst in bridge mode? At the moment I'm having to connect via Wi-Fi to access the GUI.

@ajama1 - yes, you can connect a separate cable from one of the other Ethernet ports to your existing router. Just make sure the 5364 is set to an IP on the same subnet as your network and disable DHCP. There may be a more elegant way using the single WAN cable and VLANs but I never tried!

@wasc - interesting idea, a good starting point might be to change Device/WiFi/Radios/Radio[@uid=1(or 2 for 5GHz)]/DeviceOperationMode from 'InfrastructureAccessPoint' to something else?

Hello!

Just came across this thread while trying to tinker with my 5364 TalkTalk Hub.
This is all awesome! Super cool finds from everyone!

I want to try something which is to make my router into a VDSL bridge, and as I understand it, killing hg6d at startup might not be the greatest idea.
I would also love to have a hardwired access to the Hub for further tinkering, which leaves me wanting to try creating a bridge between ptm0.101 and the WAN port (eth0 I suppose?). The WAN port is unused, and the other 4 LAN ports would still behave in the same way, allowing access to the router normally and allowing ssh debugging whenever needed.

Would that even work?
How would I do this?
Has anyone made a guide on how to use xmo-client to achieve this?

Any help would be appreciated! And I'm following this thread closely, I love when we can claim back some ownership on our devices.

Thanks,
Adrien.

1 Like

Hi David

Thanks for the help - I've successfully changed the setting to "WirelessBridge", however I couldn't see any properties to specify the SSID and password for the wifi network I want it to join.

I did try changing the normal SSID and Passphrase to match my existing network, but that hasn't worked as the talk talk box isn't joining my existing wifi network :frowning:

I don't suppose you have any other ideas?

1 Like

Wow this is so great to read. I’ve just got my hands on one of these routers for free, and I’m very interested in seeing what you guys can achieve. I also have the idea of using it as a wireless bridge to connect non wifi enabled devices to my main wireless network. Keep it up!

This is the OpenWrt forum.
For dd-wrt related questions, please head over to the dd-wrt forum.

Small update, may or may not be useful...

Just seen that running the command iwlist scan returns "Interface doesn't support scanning." for all interfaces.

Unless anyone can tell me a way to enable scanning for existing networks, could this mean the wireless bridge is not feasible?

I managed to brick my TTB router in an attempt to work around the port forwarding bug. This post helped enormously. For anyone else who may stray this way, here's how I managed to recover. BTW: I happen to have two routers without which this can't be done (without images).

Restore through TFTP

  • Configure tftp server at serverip (192.168.1.10)
  • Place the .gsdf file to /srv/tftp/ (used: Linux - Ubuntu - tftpd-hpa)
    • I initially used this image (doesn't connect to TTB though)
      • SG4K10002816t-sagemcom-5364-talktalk-6.72.44.14_Prod-combined-squashfs.img.gsdf to sc_f5364v3.scos.resc.gsdf
    • The destination filename is important
  • Connect console to TTB (see roboconnell's post above)
  • Switch on TTB router
  • Wait for
    CPU: BCM63xx
    Model: Sagemcom F5364v3
    DRAM: 512 MiB
    NAND: 512 MiB
    
    Press bar
  • Issue command run upgrade_oper

This may be possible without opening the router (i.e. when it fails to boot it may resort to TFTP) - I didn't check.

Extract Firmware

To get the OEM images from a pristine TTB router.

Connect to the TTB (e.g. Linux - Ubuntu - minicom):

minicom -D /dev/ttyUSB0 -b 115200

Configure a capture log:

^AZ
L
firmware.txt

On the TTB minicom session after interrupting boot:

run _select_main
ubi info l
# used_bytes 22474752 for OEM
ubi read 0x01000000 operational 22474752
md 0x01000000 #objects = 22474752 / 4 + 100 for safety

Wait an hour or so for the dump to complete.

Remove any extraneous lines from the start of the dump:

vi firmware.txt
# md 0x01000000 0x55BC64
# 01000000: 46445347 00303120 00205101 00100000    GSDF 10..Q .....
# :

# remove up to the first memory dump line

Convert the hex to binary with `python3 hex2bin.py firmware.txt firmware.bin`:

hex2bin.py:

import argparse
import sys


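def hex2bin(textfile, binfile):
    """Convert a captured U-Boot `md` dump (text) back into a binary file."""
    print(f'Txt: {textfile} Bin: {binfile}')

    with open(textfile) as txtFd:
        with open(binfile, 'wb') as binFd:
            for line in txtFd:
                # Dump lines start with the address (01000000: ...); anything
                # else is only tolerated before the first data line.
                if line[0] != '0':
                    if binFd.tell() != 0:
                        print(f'Format error at {line}')
                        sys.exit(1)
                    continue
                # Field 0 is the address, fields 1-4 are the four 32-bit words.
                data = line.split()[1:5]
                for quad in data:
                    # Each word is printed as a number, so its bytes are
                    # written in reverse (little-endian) order.
                    for idx in range(3, -1, -1):
                        char = quad[idx * 2:idx * 2 + 2]
                        byte = bytes([int(char, 16)])
                        binFd.write(byte)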


def main():
    parser = argparse.ArgumentParser(description='hex2bin tool')
    parser.add_argument('textfile')
    parser.add_argument('binfile')

    opts = parser.parse_args()

    hex2bin(opts.textfile, opts.binfile)


if __name__ == '__main__':
    main()

Truncate the file:

dd if=firmware.bin of=firmware.img.gsdf bs=4096 count=5487

As a test, comparing acquired image with uploaded image:

sha1sum firmware.img.gsdf SG4K10002816t-sagemcom-5364-talktalk-6.72.44.14_Prod-combined-squashfs.img.gsdf
13a32d276d8bbee16b6758b78cf537df3e640c39  firmware.img.gsdf
13a32d276d8bbee16b6758b78cf537df3e640c39  SG4K10002816t-sagemcom-5364-talktalk-6.72.44.14_Prod-combined-squashfs.img.gsdf

Repeat for gui volume:

Volume information dump:
        vol_id          1
        reserved_pebs   166
        alignment       1
        data_pad        0
        vol_type        4
        name_len        3
        usable_leb_size 126976
        used_ebs        0
        used_bytes      0
        last_eb_bytes   0
        corrupted       0
        upd_marker      0
        name            gui

Stop and restart the capture.

# 126976 / 8 = 15872
ubi read 0x01000000 gui 126976
md 0x01000000 ...
 dd if=gui of=gui.img.gsdf bs=4096 count=31
# 126976 bytes (127 kB, 124 KiB) copied, 0.000217451 s, 584 MB/s

Hope this helps someone. Apologies if it's a little terse.

2 Likes
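An hour-long `md` dump over a 115200 baud serial line can silently lose or mangle rows, and the hex2bin step above does not look at the address column. The following is an added example, not code from the post: it rebuilds the image only if every row's address follows on from the previous one, trims the safety margin to `used_bytes`, checks the GSDF magic and returns the SHA-1 for comparison. The names `rebuild_image` and `CaptureError` are hypothetical, and the row format is assumed to be the one quoted in the post.

```python
import hashlib
import re

# U-Boot `md` row: 8-digit address, up to four 32-bit words, then an ASCII column.
MD_LINE = re.compile(r'^([0-9a-f]{8}):((?: [0-9a-f]{8}){1,4})', re.IGNORECASE)


class CaptureError(ValueError):
    """The serial capture cannot be trusted as a complete image."""


def rebuild_image(lines, base, used_bytes, magic=b'GSDF'):
    """Return (image, sha1) rebuilt from `md` output, or raise CaptureError."""
    image = bytearray()
    for number, raw in enumerate(lines, 1):
        match = MD_LINE.match(raw.strip())
        if match is None:
            continue  # command echo, blank line or terminal noise
        address = int(match.group(1), 16)
        expected = base + len(image)
        if address != expected:
            # A dropped or mangled row shows up as a jump in the address column.
            raise CaptureError(
                f'line {number}: address {address:#010x}, expected {expected:#010x}')
        for word in match.group(2).split():
            # md prints each word as a number; the stored bytes are little-endian.
            image += int(word, 16).to_bytes(4, 'little')
    if len(image) < used_bytes:
        raise CaptureError(f'only {len(image)} of {used_bytes} bytes captured')
    del image[used_bytes:]  # drop the safety margin read past the volume
    if not image.startswith(magic):
        raise CaptureError(f'image does not start with {magic!r}')
    return bytes(image), hashlib.sha1(image).hexdigest()


# Constructed sample: the first row is the one quoted in the post, the rest is made up.
SAMPLE = [
    'md 0x01000000 0xc',
    '01000000: 46445347 00303120 00205101 00100000    GSDF 10..Q .....',
    '01000010: 03020100 07060504 0b0a0908 0f0e0d0c    ................',
    '01000020: ffffffff ffffffff ffffffff ffffffff    ................',
]

if __name__ == '__main__':
    data, digest = rebuild_image(SAMPLE, base=0x01000000, used_bytes=32)
    print(len(data), digest)
```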

I’m so glad this thread has collated so much insight – great work! Given that the long-term development on this hardware is tricky, I think the best usage is as a VDSL bridged modem for a separate OpenWrt box. I’ve tested this on TalkTalk (through DHCP) and EE (through PPPoE) and it works really well. Here’s a consolidated list of steps starting from a stock FAST 5364 on the latest firmware (SG4K10002816t at the time of writing).

Enable SSH by downgrading firmware

  • Log in to the web admin interface
  • Navigate to Advanced Settings > Maintenance > Software Update
  • Upload the 2600 image from http://cpe.ttcdn.uk/cpe/Sagemcom/SG4K10002600t/SG4K10002600t-sagemcom-5364-talktalk-6.72.40_Prod-combined-squashfs.img.gsdf
  • Apply and reboot
  • Log back into the admin interface
  • Use F12 Developer Tools to open a JavaScript console to execute the following command:
    $.xmo.setValuesTree(true,"Device/UserAccounts/Users/User[@uid=3]/RemoteAccesses/RemoteAccess[@uid=3]/Enabled")
  • Note: it’s normal to return undefined as output.
  • Using an SSH client, connect to the router’s IP (192.168.1.1 by default) with username admin and relevant password.
  • Then issue the login command with username root and password root to elevate access.

Optional steps

  • Disable remote management
xmo-client -p "Device/ManagementServer/URL" -s ""
xmo-client -p "Device/ManagementServer/TR69InternalData/Settings/Port" -s 0
  • Disable both wireless radios
xmo-client -p "Device/WiFi/Radios/Radio[@uid=1]/Enable" -s "false"
xmo-client -p "Device/WiFi/Radios/Radio[@uid=2]/Enable" -s "false"
  • Tidy up unnecessary services
xmo-client -p "Device/UPnP/Device/Enable" -s "false"
xmo-client -p "Device/UPnP/Settings/UPnPIGD/WanInterfaces/WanInterface/Enable" -s "false"

Create the bridge itself

  • This creates a bridge on the first Ethernet port so be sure to connect to the router via a different port:
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=1]/Ports/Port[@uid=2]/Enable" -s "false"
xmo-client -p "Device/Bridging/Bridges" -a
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports" -a
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports" -a
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports" -a
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Alias" -s "BR_VDSL"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Enable" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=1]/Enable" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=1]/ManagementPort" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=2]/Enable" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=3]/Enable" -s "true"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=2]/LowerLayers" -s "Device/Ethernet/Interfaces/Interface[PHY1]"
xmo-client -p "Device/Bridging/Bridges/Bridge[@uid=3]/Ports/Port[@uid=3]/LowerLayers" -s "Device/Ethernet/VLANTerminations/VLANTermination[VLAN_DATA]"
xmo-client -p "Device/IP/Interfaces/Interface[@uid=2]/IPv4Addresses/IPv4Address[@uid=1]/Enable" -s "false"

Finally, connect to your broadband line and upstream router via the first ethernet port. You may need to configure your main router based on your ISP’s settings.

3 Likes

Huge thanks for these instructions!
My router has been running in bridge mode for a week now with no issues at all. It's so much easier without double NAT.

Virtual pint of beer for you @DavidBrent :beer:

1 Like

Hey, I know it has been a while but I was wondering if you have found a solution to your issue? I've run into the exact same problem as you. As soon as I follow the steps and "activate bridge mode" by entering the xmo codes into the ssh client, the modem loses connection to the internet. Would really appreciate a reply from anyone really. Thanks in advance.

Hi @DavidBrent First of all thank you so much for all your efforts on this router. Can you advise what to do if I intend to use this router as an Ethernet bridge? Let me explain what I want to do. I have the main router with only one Ethernet port. I need to use this Fast 5364 router to extend that port using the additional ports on this router.

@special_beam_cannon - if the commands complete without error you should be done. Are you sure the issue isn't with your downstream router not using DHCP to pick up the WAN IP address through the first Ethernet port? FYI - the TalkTalk web interface will incorrectly report 'not connected to the Internet' when in bridge mode and isn't very useful! I'd also check your two routers aren't using the same subnet so perhaps use 192.168.0.x for the FAST 5364 and 192.168.1.x for your main router.

@senrs - do you mean just using it as an Ethernet switch to add more ports? If so, you could just leave the WAN unused and daisy chain one to the other via the LAN ports and disable DHCP and DNS on the TalkTalk router so it doesn't interfere with your main router.

I don't check here very often so you could always try the TalkTalk forums if you are stuck.

Thanks @cilusse - great to have more people being able to make use of it and avoid more e-waste!

@DavidBrent - Thank you! I made it work by daisy chaining. Can we use xmo-client commands to convert the WAN port to use as a LAN port while daisy chaining?