Sercomm FG1000B.11 web interface credentials #197

Open
jnschulze opened this issue May 4, 2023 · 10 comments
@jnschulze (Author) commented May 4, 2023

Hi,
I've just received a Sercomm FG1000B.11 provided by 1&1.
As opposed to the Telekom-branded variant ("Glasfaser Modem 2"), my device runs a firmware (the stock one?) which has a password-protected web interface.


I tried to access the serial console in order to gain access to the device, however, it has the same issue as the Telekom firmware - keyboard input gets ignored.

Please let me know if there's anyone out there who

  • knows how to make the serial console work
  • has a firmware dump available or
  • just knows the credentials

Thanks for your help.

@simonebortolin simonebortolin self-assigned this May 4, 2023
@simonebortolin (Contributor) commented May 4, 2023

@benoitm974 has worked with the device, we are interested in this and if you provide us with a dump we are ready to analyse it.

please note that if they are highly ISP-specific credentials, you should not publish them here.

@benoitm974 (Contributor)

@jnschulze I only knew from CE marking that 1&1 provides the same ONT but have no information.

So far we're stuck with:

  • there seems to be no downloadable version on the internet of either the Telekom or the 1&1 firmware; every Telekom user seems to be running the same and only firmware, 090144.1.0.001
  • we tried to follow the circuit lines of both TX and RX on the ONT and they seem to go directly to the CPU with only a resistor, so it should work; although we do see the TX CFE boot log, we can't seem to get the RX working.
  • The Telekom web interface is very limited and I have not found an easy way to attack it and get shell access ....
  • I also tried to boot with the reset button pressed as indicated in the Broadcom chip manual; this triggers the web CFE interface on 192.168.1.1 BUT there seems to be a timeout and it doesn't leave you time to upload a binary :( ... (and anyway so far I don't have any idea of the expected firmware binary format ...)
  • Also tried to short-circuit the NAND flash at boot (1) or at kernel load time (2): (1) boot fails, (2) load fails, then it tries to load "firmware 2" (which is the same version 090144.1.0.001); if you continue the short-circuit, that fails too... but none of those tries gives any shell or safe mode...
  • I have limited equipment myself, so the next step would be to have someone with a better electronics background/equipment to see:
  1. What would the other 3 pins on the board be (someone told me it could be I2C for the optical/calibration part maybe?)
  2. if the RX line has some resistor or capacitor missing on the production board?
  3. if we can desolder the flash and dump it to see if the web interface or a binary can be used to get shell access, but this is only if the firmware is not encrypted .... yet the boot log seems not to be showing any information about decryption ... I'm not sure we would be able to change the firmware and re-solder the chip; that would probably require too much NAND/reverse engineering work.

This device is very promising when you see the spec of the CPU, yet depending on the kernel and binaries available in the firmware the use cases would be:

  1. being able to change the serial number and model number to allow it to authenticate to a wider range of OLTs/ISPs to replace buggy boxes.... currently I'm able to use it as a replacement for my French ISP box only because my specific area is only using PLOAM 20-hex password authentication
  2. being able to add an IGMP proxy since currently it seems not to work for IPTV; it simply bridges optical and Ethernet
  3. at last the CPU is quite powerful and if Sercomm has implemented a hardware/NAT fast path it could make an autonomous NAT gateway below 4 W power consumption .... (this same CPU is currently used in high-end ISP boxes supporting multi-gig Ethernet), yet here the limitation would be the Realtek 2.5G chipset which is not the best chipset ever and would probably be the limiting factor between 1.8 and 2.0 Gb/s... (still ...)

NB1: All the testing above was done on 2 different Telekom modems in case one had a failure, and ended up with the same/consistent results.

NB2: At last this device can be ordered as refurbished for a good price (below 40 euros) on a famous worldwide website's French and German sites.

@jnschulze (Author)

@benoitm974
Thanks for your extensive response. I also tried shorting the data lines of the flash chip during boot, which gave me the same results.
As my device doesn’t even allow accessing the status endpoint without authentication, I decided to buy a Telekom-branded device for now.
Looks like desoldering and dumping the flash chip is the way to go. But given that I don't have the necessary equipment I'll put the 1&1 one into a drawer for now.

@benoitm974 (Contributor)

Hi @jnschulze, please double check that your current 1&1 is only using a PLOAM password too, as it is the only thing you'll be able to change on an out-of-the-box Telekom Modem 2.

@jnschulze (Author)

@benoitm974 Yes, it worked given that 1&1 uses Telekom's GPON infrastructure. There's a web-based configuration wizard which allows you to specify the ONT's serial number.

@benoitm974 (Contributor)

Hi @jnschulze, thanks. Just to confirm: is the web page on the Telekom service? Can you register the serial number of the ONT you'll connect? Or are you talking about the ONT's Telekom interface, where to my knowledge you can only change the PLOAM password?
Thanks.

@jnschulze (Author)

Hi @benoitm974
exactly, it's a Telekom web service which allows you to map the ONT's serial number to a specific "home ID" :)

@benoitm974 (Contributor)

Hi @jnschulze, would it be possible for you to connect the 1&1 device on Ethernet and give the login pages/URL used for the login process? And possibly any network calls made for the web auth process when you submit a login/password (even a false one; I'm just interested in the URL and POST structure/variables)?
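
The information asked for above (login URL, request method, POST field names) can be pulled out of the login page's HTML without guessing at it. The following is an added example, not code from the hack-gpon project or from anyone in this thread: it parses every form on a page with the standard library, reports the action URL, method and field names, and flags the one containing a password field. The embedded HTML is constructed for illustration; the `/cgi-bin/login.cgi` path, the `token`/`username`/`password` field names and the 192.168.1.1 base URL are assumptions, not what the FG1000B.11 actually serves.

```python
"""Report the login form structure (action URL, method, field names) of an
ONT web interface so it can be shared without leaking credentials.

Added example for the thread above; not the hack-gpon project's code.
SAMPLE_HTML is constructed and its paths/field names are assumptions.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin
import urllib.request


class FormExtractor(HTMLParser):
    """Collect every <form> with its absolute action, method and named fields."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value); value is None for bare attributes
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.base_url, a.get("action") or ""),
                "method": (a.get("method") or "get").upper(),
                "fields": {},
            }
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = a.get("name")
            ftype = (a.get("type") or tag).lower()
            if name and ftype != "submit":
                # keep type so password fields are obvious, and any default
                # value (hidden anti-CSRF tokens are usually here)
                self._current["fields"][name] = {
                    "type": ftype,
                    "value": a.get("value") or "",
                }

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(html, base_url):
    parser = FormExtractor(base_url)
    parser.feed(html)
    parser.close()
    return parser.forms


def login_form(html, base_url):
    """Return the first form containing a password field, or None."""
    for form in extract_forms(html, base_url):
        if any(f["type"] == "password" for f in form["fields"].values()):
            return form
    return None


def describe(form):
    """One line per field, never echoing password values."""
    lines = [f"{form['method']} {form['action']}"]
    for name, f in form["fields"].items():
        shown = "<redacted>" if f["type"] == "password" else repr(f["value"])
        lines.append(f"  {name} ({f['type']}) default={shown}")
    return "\n".join(lines)


def fetch_login_form(url, timeout=5):
    """Fetch a live login page and describe its form (needs network; not used
    by the offline demo below)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return login_form(html, url)


# Constructed sample page; paths and field names are NOT from a real device.
SAMPLE_HTML = """<html><body>
<form id="login" action="/cgi-bin/login.cgi" method="post">
  <input type="hidden" name="token" value="abc123">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>"""

if __name__ == "__main__":
    form = login_form(SAMPLE_HTML, "http://192.168.1.1/")  # assumed address
    print(describe(form))
```

Running it against a real page only requires swapping `SAMPLE_HTML` for `fetch_login_form("http://<ont-ip>/")`; the `describe` output is what is safe to paste into an issue, since password values are never printed and any token shown is a per-session default rather than a credential. Browser devtools (Network tab) still show anything done by JavaScript after submit, which this parser cannot see.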

@benoitm974 (Contributor)

Hi @simonebortolin

We made progress on this device thanks to a great contributor on the French forum mentioned on the GPON page. I'm willing to contribute this progress back to the page and would like guidance on options to distribute the (currently JavaScript) code which does a very simple GET and POST on 2 ONT URLs to enable telnet/root access. As we discussed last time we can't add that JS to the gpon pages themselves, since HTTPS to HTTP on a different IP/URL won't work. Is there a "gpon hack way" to store/distribute those pieces of code and make them as easy to use as possible for others? I can see some Huawei ones have a Python git with some tools.

At last, I'm looking for the template, since the one you shared last time is 404 now: https://raw.githubusercontent.com/hack-gpon/hack-gpon.github.io/refactor-ont/_ont/ont-template.md

@jnschulze if you're interested/willing to test this code on the 1&1: it uses some JS/UI from the original Sercomm interface which seems to still exist on the Deutsche Telekom one and allowed us to enable telnet/root access.

Have a great week-end.

@simonebortolin (Contributor)

@benoitm974

> At last, I'm looking for the template, since the one you shared last time is 404 now: https://raw.githubusercontent.com/hack-gpon/hack-gpon.github.io/refactor-ont/_ont/ont-template.md

Yes indeed, the template has now been approved and all pages modified; you can see the new template here: https://raw.githubusercontent.com/hack-gpon/hack-gpon.github.io/main/_ont/ont-template.md

> We made progress on this device thanks to a great contributor on the French forum mentioned on the GPON page. I'm willing to contribute this progress back to the page and would like guidance on options to distribute the (currently JavaScript) code which does a very simple GET and POST on 2 ONT URLs to enable telnet/root access. As we discussed last time we can't add that JS to the gpon pages themselves, since HTTPS to HTTP on a different IP/URL won't work. Is there a "gpon hack way" to store/distribute those pieces of code and make them as easy to use as possible for others? I can see some Huawei ones have a Python git with some tools.

I recommend a Python script, similar to how it was done for the ZTE F601.

@simonebortolin simonebortolin added the documentation Improvements or additions to documentation label Jun 9, 2023