Big thanks to Arf, that – using a little voodoo – has managed to dump an older firmware from a vanilla ARGO55+!
So we can downgrade the ADSL flavour, too :)
I’ve updated the relevant post, please let me know if there’s something wrong.
A bit of joy for the 55+, too!
Amtec (ElsagDatamag) Argo 55/95 – Take 8: Firmware downgrade
Boring, usual disclaimer: the stuff you’ll read in this article can easily render your router a not-so-useful paperweight. Please take the time to read and understand it completely, and keep in mind that I cannot guarantee that it will work on your Argo.
Also, make sure you follow the instructions for the right model of router: ARGO55+ is the ADSL version, while ARGO95 is the optical fiber one.
Warning: we are investigating an issue with the ARGO55+ firmware – apparently there’s a configuration problem with the WAN, and clients are unable to reach the outside. Please be aware of that before trying a downgrade on the 55+.
Ok, so we have no way – at this time, at least – to unlock the interface of the Argo with the recent firmware revisions.
By the way, what are these revisions?
These are the firmware versions I am aware of:
1.3.19 (Mar 25 2011) [ARGO95]
1.3.20 (Mar 25 2011) [ARGO55+]
0.4.4 (Nov 20 2011) [ARGO55+/ARGO95]
1.4.4 (Jan 19 2012) [ARGO95]
0.4.52 (Feb 28 2012) [ARGO55+/ARGO95]
As you can see, the version numbering is kind of curious, but release 1.3.19 (for 95) and 1.3.20 (for 55+) are the last one with interface enabled. So, how we can downgrade to that firmware version? Well, here the bootloader of the Argo comes handy.
What you’ll need:
- A serial port connection to the Argo
- A tftp server (i.e. tftp32)
- For ARGO55+: argo55_openrg_1_n.img and argo55_openrg_2_n.img
- For ARGO95: argo95_openrg_1_n.img and argo95_openrg_2_n.img
Assign your computer a fixed ip address on the same network of the router (i.e. 192.168.1.10), connect it to the ethernet port nearest to the power supply port, fire up the tftp server and copy to its root the two *.img files. Connect to the router via serial port, log in and do a
conf download tftp://<tftp_server_ip>/my_conf_backup.conf
then do a dump of your entire flash (if you haven’t done it already) using the instructions posted here.
Finally, type system reboot and press enter.
As soon as the router restarts, you’ll see the message “Press ENTER twice to stop autoboot in 2 seconds”. Quicky press (you guessed it) the enter key two times.
You are now in the U-Boot command prompt: this nice bootloader has a load of useful features (take a look at the help command), but has also the power to render your router unusable. So, pay attention!
Now we have to set a couple of variables: I’m assuming that you used 192.168.1.10 as the ip of your tftp server, remember to adapt the commands to your setup.
Set the router ip address:
setenv ipaddr 192.168.1.1
Set the router netmask:
setenv netmask 255.255.255.0
Set the tftp server ip address:
setenv serverip 192.168.1.10
Now check if you can reach the tftp server machine with
ping 192.168.1.10
If everything is ok, you can now cross your fingers, and start the downgrade.
First downgrade the recovery image:
update_openrg argo55_openrg_1_n.img 1 (if you are downgrading an ARGO55+)
or
update_openrg argo95_openrg_1_n.img 1 (if you are downgrading an ARGO95)
Then the standard image:
update_openrg argo55_openrg_2_n.img 2 (if you are downgrading an ARGO55+)
or
update_openrg argo95_openrg_2_n.img 2 (if you are downgrading an ARGO95)
If you haven’t received any error, you can check that the images are correctly recognized with get_openrg_active
Make sure that there are two valid partitions, and the active one is the 3/7. Then, exit typing reset and pressing enter.
The Argo should now reboot and start your new-old-firmware. Keep in mind that Fastweb has still access to your router, so probably the best way to avoid an immediate upgrade is to disconnect the WAN cable (fiber or adsl) during the boot, log in to the router (via serial port) and issue a
cwmp session_stop
that should stop the remote configuration service, hopefully. Then reconnect the WAN cable, access to the Argo web interface, and follow the steps in the hardening post, before it’s too late :)
Update (02/04/2012)
Corrected a couple of mistakes (mistyped the update_openrg commands and forgot to mention to connect via ethernet). Thanks D3FenD3r and geogeo!
Update 2 (13/04/2012)
Added files and instructions for ARGO55+. Thanks Arf!
Update 3 (14/04/2012)
Added a missing command line. Thanks D3FenD3r!
Update 4 (16/04/2012)
Added a warning while we investigate problems with the ARGO55+ configuration.
Amtec (ElsagDatamag) Argo 55/95 – Take 7: Fastweb strikes back
As probably the vast majority out there already noticed, Fastweb in the past weeks has provisioned a firmware update (version 0.4.4 – we’ll came back on this) that locks out users from the interface of the Argo (web, telnet, ssh). Thanks to the user geogeo I’ve had the opportunity to take a look at the new firmware: apparently, ports (22, 23, 80, 443, etc.) are binded, but are refusing any connection (even from the Argo itself!).
A side-by-side comparison of the pre-update and post-update configurations (including firewall settings fetched with firewall dump), didn’t reveal anything relevant: the firewall, apparently, isn’t the culprit. So, in lack of other informations, we must assume that the interface has been locked out at compile time.
So, how can we regain access to the Argo? Well, in the next post we’ll talk about downgrade :)
Amtec (ElsagDatamag) Argo 55/95 – Take 6: Uncompress rg_conf
Just a quick one (thanks to purputy for pointing this out): the two configuration areas of the flash we dumped in the previous post are compressed with the deflate algorithm, and it’s quite easy to extract them.
I’ve made up a quick’n'dirty script (in php, forgive me, just because the gzinflate function was quicker to use) that you can call from command line with:
php conf_inflate.php <conf_dump> <dest_file>
In <dest_file> you’ll have the configuration in plain text.
You can get the script here.
Review: USB-BUB II
Today, you can find serial ports almost everywhere. And when you find one, you know, you cannot resist access it :)
Usually, those aren’t RS232, but so-called TTL-level serial ports: this means that they use diferent voltage levels (0 – +5v vs. -12 – +12v), and you need an adapter to connect them to your computer.
So, this nifty little device comes to hand: the USB-BUB II from Modern Device. As you can suppose, it’s at its second incarnation.
The USB-BUB II it’s based around the FT232R chip: it connects to an usb port, and provides a TTL serial, complete with DTR and CTS signals. But the board has a couple of handy – and unusual – features: first of all there’s a polyfuse, to protect the USB line from short circuits. Also, two smd LEDs – one green and one red – that shows activity on the RX and TX line.
The board can also deliver 3.3v or 5v power – but don’t count too much on that, the maximum current is 50mA. In case you need some power, however, on the back of the board there’s also space to solder an external voltage regulator.
The BUB use is straightforward: drivers are available for Windows, OS X and Windows CE (!), and recent versions of Linux kernel supports it natively. Also, the board is delivered fully mounted, you just need to solder the header, or the wires, and connect the usb. It works pretty well at all the speeds I tried, and it doesn’t suffer too much from interferences, from what I can say.
Overall, a pretty useful device – a bit pricey (€13,50, shipped in the EU, from The JeeLabs Shop), but still a good choice.