Amtec (ElsagDatamag) Argo 55/95 – Take 8: Firmware downgrade

Boring, usual disclaimer: the stuff you’ll read in this article can easily render your router a not-so-useful paperweight. Please take the time to read and understand it completely, and keep in mind that I cannot guarantee that it will work on your Argo.
Also, make sure you follow the instructions for the right model of router: ARGO55+ is the ADSL version, while ARGO95 is the optical fiber one.

Warning: we are investigating an issue with the ARGO55+ firmware – apparently there’s a configuration problem with the WAN, and clients are unable to reach the outside. Please be aware of that before trying a downgrade on the 55+.

Ok, so we have no way – at this time, at least – to unlock the interface of the Argo with the recent firmware revisions.
By the way, what are these revisions?

These are the firmware versions I am aware of:

1.3.19 (Mar 25 2011) [ARGO95]
1.3.20 (Mar 25 2011) [ARGO55+]
0.4.4 (Nov 20 2011) [ARGO55+/ARGO95]
1.4.4 (Jan 19 2012) [ARGO95]
0.4.52 (Feb 28 2012) [ARGO55+/ARGO95]

As you can see, the version numbering is kind of curious, but releases 1.3.19 (for the 95) and 1.3.20 (for the 55+) are the last ones with the interface enabled. So, how can we downgrade to that firmware version? Well, here the bootloader of the Argo comes in handy.

What you’ll need:

– A serial port connection to the Argo
– A tftp server (e.g. tftp32)
– For ARGO55+: argo55_openrg_1_n.img and argo55_openrg_2_n.img
– For ARGO95: argo95_openrg_1_n.img and argo95_openrg_2_n.img

Assign your computer a fixed IP address on the same network as the router (e.g. 192.168.1.10), connect it to the ethernet port nearest to the power supply port, fire up the tftp server and copy the two *.img files to its root. Connect to the router via serial port, log in and do a

conf download tftp://<tftp_server_ip>/my_conf_backup.conf

then do a dump of your entire flash (if you haven’t done it already) using the instructions posted here.

Finally, type system reboot and press enter.

As soon as the router restarts, you’ll see the message “Press ENTER twice to stop autoboot in 2 seconds”. Quickly press (you guessed it) the enter key two times.
You are now in the U-Boot command prompt: this nice bootloader has a load of useful features (take a look at the help command), but also has the power to render your router unusable. So, pay attention!

Now we have to set a couple of variables. I’m assuming that you used 192.168.1.10 as the IP of your tftp server; remember to adapt the commands to your setup.

Set the router ip address:
setenv ipaddr 192.168.1.1

Set the router netmask:
setenv netmask 255.255.255.0

Set the tftp server ip address:
setenv serverip 192.168.1.10

Now check if you can reach the tftp server machine with
ping 192.168.1.10

If everything is ok, you can now cross your fingers, and start the downgrade.

First downgrade the recovery image:
update_openrg argo55_openrg_1_n.img 1 (if you are downgrading an ARGO55+)
or
update_openrg argo95_openrg_1_n.img 1 (if you are downgrading an ARGO95)

Then the standard image:
update_openrg argo55_openrg_2_n.img 2 (if you are downgrading an ARGO55+)
or
update_openrg argo95_openrg_2_n.img 2 (if you are downgrading an ARGO95)

If you haven’t received any error, you can check that the images are correctly recognized with get_openrg_active 

Make sure that there are two valid partitions, and that the active one is the 3/7. Then exit by typing reset and pressing enter.

The Argo should now reboot and start your new-old-firmware. Keep in mind that Fastweb still has access to your router, so probably the best way to avoid an immediate upgrade is to disconnect the WAN cable (fiber or ADSL) during the boot, log in to the router (via serial port) and issue a

cwmp session_stop

that should stop the remote configuration service, hopefully. Then reconnect the WAN cable, access the Argo web interface, and follow the steps in the hardening post, before it’s too late :)
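
Added example (not part of the original post): a check to run on the tftp server machine before the update_openrg step, so that a corrupted download is caught before it is written to flash, which is the failure behind the “Bad Data CRC” boot error reported in the comments. It assumes each .img starts with a standard 64-byte U-Boot legacy image header, as the “Booting kernel from Legacy Image” boot message suggests; the function names and the sample image are constructed for illustration.

```python
#!/usr/bin/env python3
"""Redo U-Boot's legacy-image CRC checks on a file before serving it over TFTP.

Added example. Assumption: the .img begins with the standard 64-byte
legacy (uImage) header; bytes after the declared data are ignored.
"""
import hashlib
import struct
import sys
import zlib

IH_MAGIC = 0x27051956  # magic number of a U-Boot legacy image
# Big-endian fields: magic, hcrc, time, size, load, entry, dcrc,
# os, arch, type, comp, name[32]
HEADER = struct.Struct(">7I4B32s")


def check_legacy_image(blob):
    """Return (ok, message) for a byte string holding a legacy image."""
    if len(blob) < HEADER.size:
        return False, "shorter than the 64-byte header"
    (magic, hcrc, _time, size, load, _entry, dcrc,
     _os, _arch, _type, _comp, name) = HEADER.unpack_from(blob)
    if magic != IH_MAGIC:
        return False, "no legacy image magic (found 0x%08X)" % magic
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER.size]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != hcrc:
        return False, "bad header CRC"
    data = blob[HEADER.size:HEADER.size + size]
    if len(data) != size:
        return False, ("truncated: header declares %d data bytes, file holds %d"
                       % (size, len(data)))
    # Same check that prints "Bad Data CRC" at boot when it fails.
    if zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        return False, "bad data CRC"
    label = name.split(b"\x00", 1)[0].decode("ascii", "replace")
    return True, "ok: name=%r size=%d load=0x%08X" % (label, size, load)


def build_sample_image(payload, name=b"Argo"):
    """Build a small, constructed legacy image for testing the checker."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    # os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=0 (none)
    fields = [IH_MAGIC, 0, 0, len(payload), 0x81000000, 0x81000000, dcrc,
              5, 5, 2, 0, name]
    fields[1] = zlib.crc32(HEADER.pack(*fields)) & 0xFFFFFFFF
    return HEADER.pack(*fields) + payload


def main(paths):
    """Check each file given on the command line; return a shell exit code."""
    failures = 0
    for path in paths:
        with open(path, "rb") as handle:
            blob = handle.read()
        ok, message = check_legacy_image(blob)
        failures += 0 if ok else 1
        # The SHA-256 lets two people compare their copies of the same file.
        print("%s: %s (sha256 %s)" % (path, message,
                                      hashlib.sha256(blob).hexdigest()))
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the two image files as arguments and only start the tftp transfer if both report ok; a mismatch means the file should be downloaded again.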

 

Update (02/04/2012)

Corrected a couple of mistakes (mistyped the update_openrg commands and forgot to mention to connect via ethernet). Thanks D3FenD3r and geogeo!

Update 2 (13/04/2012)

Added files and instructions for ARGO55+. Thanks Arf!

Update 3 (14/04/2012)

Added a missing command line. Thanks D3FenD3r!

Update 4 (16/04/2012)

Added a warning while we investigate problems with the ARGO55+ configuration.

Written by bano on 2012/03/22. Categories: Hacking

110 Comments

  • D3FenD3r says:

    Hi,
    I had also once read that,
    if you had a bit of time, you would make a step-by-step video

  • amz1000 says:

    Hi, I’m an Argo95 user and I want to downgrade.
    I’m thinking of using an Arduino USB-to-serial converter and
    following your procedure.
    What exactly does
    “Make sure that there are two valid partitions, and the active one is the 3/7” mean?

    Congratulations on your work
    Thank you

    * * *

    Hi, I have the Argo95 and I would like to downgrade it.
    I’m thinking of using the Arduino’s USB-to-serial (TTL) board and following the procedure you described.
    But I don’t understand what
    “Make sure that there are two valid partitions, and the active one is the 3/7”
    means. I think it is important. Can you explain it to me?
    Thanks and congratulations on your work

    amz

    • bano says:

      Hi! The get_openrg_active command will list all the valid boot images found, and which is the active one: prior to restart, make sure it will list two valid images (partition 2 should be the recovery image, partition 3 the standard image), and that the active image is the partition 3.
      Hope it’s clearer now :)

  • amz1000 says:

    Successfully downgraded firmware on an argo 95
    using an arduino serial(TTL) to USB converter
    http://arduino.cc/en/Main/USBSerial
    and the firmware downloaded from this site.

    Some notes:

    The flash dump command is
    dd if=/dev/mtdblock0 of=/mnt/flash/flashdump.img bs=1M
    with the CAPITAL M at the end of the command. In Take 5 the ‘1M’ is written ‘1m’

    I have connected 3 wires from the argo95 to the Arduino serial2usb interface :
    Argo95:GROUND->Serial:GROUND
    Argo95:TX->Serial:RX
    Argo95:RX->Serial:TX

    I use PUTTY as serial terminal.

    I have added a firewall rule to drop any packet from the fastweb control networks (the networks found in the mentioned firewall rule on Take 4).

  • amz1000 says:

    I forgot …..
    T H A N K Y O U ! ! ! !
    :)

  • Daemon says:

    Hello guys,
    This is a very interesting thread.

    I was thinking: is there any info regarding the chance, for FW, to inhibit the access to those downgraded Argo? Any chance to full dump the system so it can be completely restored?

    You can reply in Italian if you prefer :)

    Thank you

  • iulius says:

    Hello and sorry for the inconvenience … because I do not have access to the Argo 95 … I would ask those who are already in, whether it is possible to make a DMZ, to a LAN IP, or rather disable the NAT to redirect to a more performant router such as pfSense, Vyatta, Smoothwall. Thank you.

    • bano says:

      Cheers iulius!
      It’s indeed possible to set a DMZ address, where all the incoming traffic is routed. I haven’t tested that setting, but I don’t see why it shouldn’t work.

  • timewolf says:

    Uhm first of all… thanks :)

    Then.. I’ve a “little” problem..

    I’ve flashed
    update_openrg argo55_openrg_1_n.img 1
    and
    update_openrg argo55_openrg_2_n.img 2

    that’s the output
    => get_openrg_active
    Found valid Openrg image at address 0xBF060000, counter 22, image section 2, header address bf43ff6c
    Found valid Openrg image at address 0xBF440000, counter 23, image section 3, header address bff1ff6c
    Choose Openrg image in flash section 3/7 as active

    Buuuut…

    Entry Point: 81000000
    Verifying Checksum … Bad Data CRC
    ERROR: can’t get kernel image!
    Failed to boot from OpenRG image (3/2), trying (1/2)
    Warning: booting from a NOT valid OpenRG image (1/2)
    Wrong Image Format for boot_openrg command

    Bad CRC :(

    What’s wrong?

  • timewolf says:

    Nevermind…dl again the 2imgs, now works ;)

    • bano says:

      Darn… I should really add md5 hashes to these downloads.
      Happy that your router is alive :)

      • drako says:

        Hi! I’ve done everything but the results are the same as timewolf’s:

        U-Boot 1.1.5.0.alpha-svn1585 (Apr 26 2010 – 11:21:38)

        CPU: IKANOS Fusiv 160 Family – Reset reason: Software
        DRAM: 64 MB
        Flash: 16 MB
        *** Warning – bad CRC, using default environment

        PCI: Bus Dev VenId DevId Class Int
        00 01 168c 001d 0200 19
        In: serial
        Out: serial
        Err: serial
        Net: voxEmac0voxEmac1
        Press ENTER twice to stop autoboot in 2 seconds
        Found valid Openrg image at address 0xBF060000, counter 109, image section 2, header address bf43ff6c
        Found valid Openrg image at address 0xBF440000, counter 111, image section 3, header address bff1ff6c
        Choose Openrg image in flash section 3/7 as active

        ## Booting kernel from Legacy Image at bf440000 …
        Image Name: Argo
        Created: 2011-03-25 13:14:40 UTC
        Image Type: MIPS Linux Kernel Image (uncompressed)
        Data Size: 9106256 Bytes = 8.7 MB
        Load Address: 81000000
        Entry Point: 81000000
        Verifying Checksum … Bad Data CRC
        ERROR: can’t get kernel image!
        Failed to boot from OpenRG image (3/2), trying (1/2)
        Warning: booting from a NOT valid OpenRG image (1/2)
        Wrong Image Format for boot_openrg command
        ERROR: can’t get kernel image!

        I have re-downloaded the two images and re-upgraded many times but nothing changes…

        Some solution?

        Thank you 4 the awesome work!

        • bano says:

          Hmm… seems odd.
          It’s a 55 or a 95?
          Have you received any error following any step in the article?

          • drako says:

            Hi! Thx for answer :)

            No, the entire procedure went right; after the reboot I received this error.

            I’ve tried to re-download both image files and re-upload them to the router but the results are the same.

            It’s an Argo 55+

            I’ve dumped the original image, but unfortunately only a complete dump (16Mb) without splitting…
            and I don’t know how to recover with the U-Boot shell

            Any solution?

            Thnx a lot!

          • bano says:

            Well, there’s a post for that :)
            Split your dump following the instructions found here http://goo.gl/gxHY2V then flash back the obtained images to your router.
            Hope this will bring it back, at least.

    • arf says:

      So timewolf,
      can you confirm that also with the Argo 55, once downgraded to that version, everything is working as expected?

      (I didn’t have time to do all the test needed :( )

  • arf says:

    … seems that a new update was sent:

    Argo> system ver
    Versions
    Main Software: EDA_0.4.53
    Bootloader: 1.1.5
    WLAN firmware: 9.2.0
    AP firmware: 5.8.0-james_04May10
    DSL firmware: 5.5.1
    DSP firmware: 5.8.0
    UPNP firmware: 1.5.0
    DLNA firmware: 1.5.1
    FXS firmware: 1.7.3
    Platform: ElsagDatamat ARGO 55+
    Distribution: FASTWEB_NGRG

    I don’t know which changes were made.
    But, of course, the interface is disabled :(

    They didn’t update the standard configuration (my custom settings are still there). I hope that the very poor wireless performance is improved….

  • paolone919191 says:

    Hi, how can I send the command cwmp session_stop to the router every time I reboot? Every time I reboot it, it auto-flashes :(

  • paolone919191 says:

    Sorry for my ignorance, English is not my strong suit :)

    I flashed the Fastweb HAG with the intent of restoring the blessed web interface, but I can’t manage to block the automatic update system: in practice, if I reboot the router, it updates itself…

    What can I do to prevent all this?

    One question: is the interface enabled from the configuration file, by any chance? And are we sure that the interface really isn’t there in 1.4.4? I ask because in the /home folder I found image files of the old interface…

    • bano says:

      Hi!
      I replied to the comment you flagged in the other post. In any case: are you sure you correctly applied the routes for the maintenance networks, as in the hardening post, with gateway 0.0.0.0?
      When you restart the router, does the ‘Fastweb’ LED stay red or turn green?
      To answer your question, in recent versions the interface is still present – as shown by another user’s experiments – but we have found no evidence that it is possible to regain access in a convenient way.
      At the moment I no longer have much time to devote to it, though, so any new experiment is welcome :)

    • D3FenD3r says:

      It used to happen to me too, because I was switching the HAG off and on again;
      I didn’t manage to block it in time before it picked up the new firmware again. Now I do it like this:
      I pull out the fiber and switch off the HAG, put on the old firmware, etc., etc., block the update with –> cwmp session_stop and then I do NOT restart the HAG, but I put the network card’s IP back in order and plug in the fiber cable… then I have all the time I need to set everything up,
      whereas before I used to restart the HAG and after a while, as I was updating it, it would freeze because it had re-downloaded the new firmware from Fastweb
      Bye

  • paolone919191 says:

    Yes, yes, I then half-solved it: the problem was in fact that, in my ignorance, I had not set the routes correctly;

    I did some experiments with the factory reset of 1.3.19, such as setting everything up from the beginning (DHCP, router IP, VoIP part, ports), but I noticed that by applying the routes (correctly this time :) ) and blocking 4567 (from any source, from any port to port 4567) the router updates itself again anyway;

    Has anyone managed, starting from scratch, to fix this problem? Should 4567 be closed inbound or outbound?

    • bano says:

      I’m not sure I understood what you mean – when you do a factory reset it is indeed normal that it goes back to updating itself, since the factory options provide for the connection to cwmp (the remote control service).

      From what I’ve been able to test, the best method is to perform the reset with the WAN disconnected, log in via serial and run a cwmp session_stop, then reconnect the WAN and reconfigure it.

      As for 4567, it must be closed inbound (it is a service present on the router).

      Bye,
      bano

  • paolone919191 says:

    Hi, the method you described was the one I had adopted, except that…

    …Starting from scratch, the routes must not be created as routes on the WAN (eth1) but rather as br0 routes… that’s why, when configuring everything from scratch, the router kept updating itself: the routes had to be set differently, or rather, on a different interface :)

    Haha, these days I’ve toyed too much with this router: can some different software be found somewhere? You know.. I’m fond of dd-wrt :)…

    Anyway, the reason I unlocked this router is tied to my wish to replace it with a media converter: has anyone already tried?

    • bano says:

      No, at the moment I’m not aware of anyone working on an alternative firmware. To tell the truth, there isn’t even a toolchain available – although it would probably be possible to use the one for Belgacom’s BBox2.

  • labentia signa says:

    hi Bano!

    Is it possible for a n00b as I am to do all these tricks to my Argo 95?
    For example, how can i set a serial connection to the router? I assume i need something like this http://bit.ly/O2Wiw1 but, then? :(

    I was kinda able to downgrade d-link routers, as the software side is always easier with a step-by-step guide, but in this case i don’t know where i have to start.

    thanks a lot,
    LS

    • bano says:

      Cheers! It’s indeed possible – just let me know what you don’t understand, and I’ll try to elaborate :)
      To start, you’re right, you need a cable like the one you linked, and a terminal emulator, like minicom under Linux or Hyperterminal or PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) on Windows. Also, some basic soldering skills would be nice, since to access the serial connection, you’ll have to solder the wires (or a header) to the solder pads.

      • labentia signa says:

        Hi Bano, sorry for taking one month to reply your kind answer ;)

        i think i’m completely not into soldering (i do not own any soldering station)…

        so i have to give up even before start and keep that awful router so badly configured :(

        • bano says:

          Sorry to hear that – actually you don’t need big soldering skills (nor a soldering station, an iron is more than needed) but I understand you.
          You can always try using jumper wires, carefully kept in place by a bit of tape, but of course this isn’t an ideal solution.

  • iulius says:

    Hi!
    Unfortunately I can not hit all blocks, to put in the router to prevent, to the updated automatically. It is already, updating, twice, until now … Please be more specific about the rules to be added or removed and placed exactly where you should enter.
    Thanks to all who can help me.

  • iulius says:

    Hello again! Messing with the rules, I think I cut holes, and now the router does not update more with Fastweb (argo95) … I think that by not setting well, the rules … the router, rebooted, started to make updates yourself, in the background, but after a short time, has lost the connection, and also by loading several times, the images, even with the reset… no longer wanted to go. How do you set the default (fabric reset) to restart from the beginning? Or as I can from serial port to change the rules? To load the images it works … But then when it starts to load everything, I think he stops at my wrong rules.
    I can provide some images of putty. I also tried to hold for 30 sec on reset … The router starts but stops at the same point and the wireless does not start anymore.
    Thanks for your help.

  • iulius says:

    Hi! Today … I did come back alive, the router, as before … uploading, as always the first version (ARGO95_1.3.19), and after the first reboot, a reset 30/30 sec. The router has begun to load the firmware remotely … I think for the highest number of reloads are also banned, in time, the server fastweb, downloads, repeated by the config and firmware, so that after a night of rest off, I was able to first try to get him back alive.
    Remains as in another post the required help to block the update remotely … (With your experiments, I will be very helpful)
    A Thanks in advance.

    • bano says:

      Hi Iulius! Essentially, these are the steps you should follow:
      – Downgrade the router
      – Unplug the WAN (optical fiber, in your case) cable _before_ the router boots
      – Using the serial interface, login to the router and issue a cwmp session_stop command
      – Plug the WAN cable, and repeat the cwmp session_stop command, just in case
      – Access the web interface, go to Services -> Firewall, choose “Typical Security” and press “Ok”
      – Go to Services -> Firewall -> Advanced Filtering: you’ll see a rule, edit it and choose “Drop” as operation; write down somewhere the source ip addresses, you’ll need them later
      – In the same place, add a new rule, setting Any as source and destination addresses; in Protocol select “User defined” and add a TCP protocol with source Any and destination 4567; again, select “Drop” as operation, then press Ok
      – Go to System -> Routing, then add a rule for each ip address you wrote down, setting the ip address as Destination, 255.255.255.0 as Netmask and 0.0.0.0 as Gateway

      This should cover everything, more or less… I added a couple of shots on the hardening post, so you can see how the interface appears after these steps. Hope it’s more clear, now :)

      • iulius says:

        Thanks for the reply. It is now more clear, but I was hoping for something more concrete about the ports and IP services to block … (I do not know if they are specific to each geographic area). Thank you.

        • bano says:

          Err… I don’t know it either (though I’d guess they are nationwide), but if you look closely, you can read them from the pics I posted in the hardening post :)

  • iulius says:

    Another thing that I noticed that by applying these rules, the router will fail to download more, the configuration fastweb … in my case I’ve seen that over time different IP MAN have been changed, so if at some point our router does not go further, it is also because the config is changed and our router not having the new config will no longer be able to communicate with cisco MAN from the basement ….

    • bano says:

      Well, my router has been up for several months, right now, and is still happily online: the IP addresses configuration, from what I remember, is obtained via DHCP (and the DHCP server is still reachable after applying these rules, be assured), so this shouldn’t be an issue.

      • DERRING says:

        I’m wondering how it can accomplish all the configurations from the MyFastweb personal page if it can’t be reached internal by Fastweb.

        And I also suppose the pay Public IP feature was completely gone.

        I remember when I had access to my Argo, there were rules to switch from default public IP to paid public IP.

        • bano says:

          The answer is simple: you cannot :)
          If you try to configure your router via the MyFastPage, it returns an error.
          Not a big issue, really, since every configuration you would apply using the MyFastPage can be set using the router’s gui.

          • DERRING says:

            It is true, then sometimes to have a second public fixed IP is useful. For example when you have to wait in a queue for a new IP to download from some file sharing service or so. I’m just curious if allowing Fastweb to update a router also restores all these routes and functions.

  • iulius says:

    Hello!
    Thanks for your help … Now even mine is OK. It also works the DMZ. The router in theory … to no great effort, with the first configuration is left to take the config from server fastweb … then … as you say, having DHCP, the router, upgrade it, alone.
    The speech is when / if they (fastweb) change the public IP …. in this case must be entered manually, if you do not know which is the new IP? how do you? (Fortunately, until now, has not been changed but you never know).
    One other thing … from me, the red LED is turned on for a period but then, come on even the other for the LAN and Wireless, and red becomes green as though nothing perhaps. But the firmware remains to version 1.3.19.
    To you does the same thing, the LED?
    Thank you again.

    • bano says:

      Hmm… strange behaviour – I was under the impression that the Fastweb led became green only when the remote control session was active. Can you please check what’s the output of cwmp status when the led is green?

  • samtruman says:

    Hi everyone, I have a spare argo55+ (from my previous contract) and I’d like to put a firmware on it that lets me configure everything, including the ADSL part. If I understood correctly, version 1.3.20 is vanilla so it works with any operator; where can I download it? I couldn’t find the link…
    thanks

    • bano says:

      Hi,
      you’ll find the link at the beginning of the post (read the whole procedure carefully before proceeding, it’s important).
      Keep in mind that, as far as the ARGO55+ is concerned, some connection problems following the procedure have been reported to me, which I have never been able to test for lack of the hardware (I have an ARGO95).

  • iulius says:

    Hello! Since this morning I am without access to the network and management interface Argo.
    Until midnight … everything was working, but this morning … no access even if I tried to reboot the router Argo95.
    When I reboot the router, the left LED remains lit green while that usual, he remained on red, now will not turn on anymore. I think they updated the network again by changing the configuration of internal IPs.
    How do you take the new configuration without pecking the new firmware?
    Thank you very much.

  • iulius says:

    In fact I think they just banned my MAC … because the conclusion is also giving the hard reset 30/30/30 router loses config but it does not even updates from the network …. to think that everything has happened to between midnight and morning … all alone … after three months of normal usually use (did downgrade … because they did not want me to DMZ … they said company policy) …. that stuff you would not believe !!!!

    • bano says:

      Well, maybe for some reason the port corresponding to your connection has been put down on the Catalyst.
      Did you try to call FW technical support?

  • iulius says:

    By re-flash the router, it will stop there :

    Initializing Slics (country Italy_FastWeb)
    Activating channel: 0 1
    Enable IRQ for DSP 0
    Enable IRQ for DSP 1
    DSP System Initialized
    T38 thread started (pid 155)
    eth1: link up, device will be up
    Starting Samba version 3.4.5
    Starting Vsftpd version 2.2.2
    Username:

    ….. and not let me enter any password …. also making as hard reset.

    • bano says:

      Are you saying that it doesn’t let you enter anything? Or that it refuses the credentials you give?

      • iulius says:

        Maybe I have not explained it well …
        There are two user accounts enabled … but who do not, login …
        1. User: lanadmin – Pass: lanpasswd
        2. User: UserName – Pass: Password

        But long ago I had changed the account on the router to be more secure … Now I do not know if doing re-flash of the router and also the hard reset … those are deleted … Then why not enter with the default ones?

        • bano says:

          Hard reset deletes the configuration partition, so all the changes you’ve done to users are lost – lanadmin / lanpasswd should work. Are you sure it’s still running firmware 1.3.19?

          • iulius says:

            When I did today re-flash the router, after loading everything correctly, i have given the command # reboot … and after a restart, leaving the whole load, and fiber disconnected I tried to enter the command # cwmp_session_stop …
            At this point the console asked me, user / pass but that did not coincide with what we know … Is this normal? or maybe I have to re-do the flash?

          • bano says:

            To be on the safe side, I would reflash the router and re-issue a hard reset.

  • iulius says:

    Hello!
    I spoke with customer service … they told me that they can see a problem with the catalyst … Now because of them, I have to redo the entire config firewire again … However, I have seen that there is a maintenance notice in my menu fast to the end of this week …

  • iulius says:

    Hi! I would like to ask those who know the answer … how do you get the config without making changes to the router’s firmware …. configuration that might be useful for someone who wants to try a media converter without touching the router fastxxx. Thank you!

  • DERRING says:

    Did Fastweb fix your problem with the catalyst and are u with the downgraded config again?

  • iulius says:

    Hello and Happy New Year!
    I would ask if there is anything new about the topic 95 and the possibility to connect a media converter in his place?
    Looking at the connector VF45 connected to the socket from the wall, which the router … the strange thing is that the laser can be seen on the same fiber (cable is a dual fiber), and when you put one hand in the other routers in the socket …. very strange thing that makes me think of a CWDM system that communicates usually over a single fiber with two different wavelengths … so the question would be if Fastweb uses this technology (CWDM)? (Which in fact is very popular in China because it saves the cost of optical cables …)

  • iulius says:

    Hello! I have for a while, put a media converter 850nm, with a pfsense router …. set OK … works well … only after 10 minutes, my connection, it can not solve most, any domain …. has something to do with VOIP? Thank you.

  • iulius says:

    Hello and sorry … but because? no one writes more here … or i have to use another language … ?

    • bano says:

      Cheers Iulius! I’ve been a bit busy, so I’ve read your comments only today, sorry.
      This morning, I’ve finally been able to do a couple of tests with a different router (a WRT54GL with OpenWRT, nothing too fancy). I used one of the media converters pictured in the “Sniffing the password” article.
      I haven’t been able to obtain an address via DHCP, so I configured the WAN parameters by hand. Well, I can reach the DNSs, for sure, but if I try to reach an address, I’m redirected to a captive portal to enter my account to enable the service (is the page displayed for non-flat contracts).
      So probably I’m missing something, here… I cloned the MAC address of the WAN port, of course, but probably there’s something more.
      You wrote that you succeeded (for the first minutes, at least)… after that, what happens? No reply from default gw? Did you try to do a traceroute?

      Cheers,
      bano

      • iulius says:

        Hello! By default … if I use DHCP … give me directly as WAN IP … the public IP assigned to my line, which usually is obtained with “what is my IP – Sites” … but then as Gateway IP … give me a wrong IP …(Since it is the IP of a HAG) then you need to set by hand the WAN IP … as Static IP where IP WAN is a Public IP … and as the Gateway to use the – tracert – IP Gateway type 10.x.x.x , then you need to do MAC cloning, with the MAC that is written on the installation CD or on the back of HAG.
        Should go … and one thing …. you have to use a QSO on router to not to exceed 100Mbps otherwise it will be the Catalyst, in the basement, to break the connection for some time with us.

      • iulius says:

        Tried and re-tried …. It only works for 10 minutes after that, it’s the Catalyst, which disconnects the line … (No longer has any kind of traffic … seems cut) … I think there will be a special certificate into the firmware of the hag, and if the network fastxxx feels something else … crosses the line … I think, for not having to do with the updates to the hag … must have to use a Cisco router, which is usually put it for connections “Small business”. These usually accept them on their network (but I have to get one for testing)….

      • iulius says:

        Or maybe a test of “Vendor ID” to which my router is not giving the right answer, and …. the Catalyst cuts the connection.

        • bano says:

          Hmm… You’ve a completely different result than mine: as I wrote, I never get an ip address from DHCP (and yes, I’ve cloned the MAC, of course), but the port never goes down. I really need to do a dump of the packets sent by the router during the initialization…
          Out of curiosity, have you enabled any routing protocol (RIP, BGP, etc)?

  • iulius says:

    Hello! I found a generic system manual OpenRG, which is also installed on our router … http://www.dieschmids.at/diverses/openrg_user_manual.pdf

    and discussion of the OpenRG and several other … http://disse.cting.org/blog/

  • powerdrome says:

    Hi bano, CONGRATS for your work and discovery and THANKS for sharing it!
    I came across this blog, searching for solutions for my limited management options for my network modem/router that FastWeb sends to their customers.
    I don’t have very advanced or complicated needs, but turning on UPnP, opening a range of ports, I call these basic options that every user must have.
    I stuck with Fastweb for several years and I’m about to change ISP because I feel those limitations are very obsolete. But I have the fiber service against ADSL of other operators.
    So maybe here I found a solution, a kind of jailbreak for the Argo.
    I’m not so expert but I think I can do the soldering thing and enter an ftp console, and maybe here I could find some help from you guys?!

    One question before starting, please: will the router lose its phone capabilities after the downgrade, or will all the Fastweb functions be kept? Internet, phone, wifi?

    Thanks

    • bano says:

      Hi powerdrome,
      I’m glad these notes are useful for someone else :)
      If you need help don’t hesitate to post a comment here! Btw, I’m quite confident that phone capabilities are kept, but cannot guarantee, unfortunately – I’ve a ‘naked’ line with just data (no voice). All the other functions are kept, afaik, and you can configure them using a nice web interface :)

      Cheers,
      bano

  • D3FenD3r says:

    I have fiber with an Argo95.
    With the old firmware installed the phone still works
    and you have full access to the Fastweb router,
    but to touch it as little as possible I put an IP in the DMZ
    and connected it to my own router.
    Once the HAG broke: you just press the reset button and call Fastweb ……………
    Once it’s fixed I plug the cable back in and put the old firmware back on.

  • modelcar says:

    Could you clarify where you put the IP in the DMZ: on the Argo, your router’s IP, or on your router, the Argo’s IP???

    Thanks,
    Modelcar

  • massimodea says:

    Hi, I’d like to try the downgrade on an Argo95 on fiber, so that I can play directly at home with the ports etc. Having found that they declare a maximum number of connectable IPs of 129, but that in reality the first 128 can be assigned as static, I would however like to be able to change, for example, the IP class to be assigned instead of the usual 192.168.1.x; then I’d maybe like to change the Wi-Fi parameters, see whether a double SSID is possible etc., in short do what today’s routers normally allow. I’d like to cascade a FritzBox 7170 behind it and use its VoIP part (I only have Joy) and its VPN part, which I currently can’t make use of. The VPN gets blocked who knows where, while the VoIP seems to work anyway with the Fritz connected in cascade.
    Now, before taking the step, I’d like to understand whether it’s possible to change the MAC address of the Argo95. I’d like to run a test.
    Also, does anyone know where I can find Telsey media converters, or others compatible with Fastweb’s fiber?
    I tried a fiber card and a 3M media converter, the Volition ones, but they don’t get link at all. Maybe it depends on the type of signal (the Volition ones work with LEDs at around 1300nm). Thanks :) more questions may follow ;)

  • D3FenD3r says:

    I put 1 IP in the DMZ on the Argo (in my case 192.168.1.131)
    and connected it to a router of mine (in my case a Netgear r6300)
    so that the Netgear gets an open connection
    that I then manage myself without touching the Argo anymore

  • modelcar says:

    @D3FenD3r
    thanks for the clarification.

    Unfortunately I can’t access the web interface of my Argo 55+ despite the downgrade to version 1.3.20 (Mar 25 2011).

    If anyone has suggestions they are welcome; I’ve tried everything but the interface remains inaccessible.

    Thanks,
    Modelcar

    • bano says:

      Sorry, I had completely lost track of this comment… can you log in via serial?
      If you run nmap against the router’s public address, which ports do you find open?

      Cheers,
      bano

    • fratam77 says:

      Did you solve it? I have the same problem as you. The serial works fine but no web interface. I’ve dropped Fastweb and would like to recover the Argo55+. I did the downgrade but… I don’t know what to try. Thanks

  • skrill3x says:

    Did you finish that video tutorial?

    • bano says:

      Unfortunately never had time, sorry :(
      But if you’ve any question, or there’s something unclear, don’t hesitate to ask!

      • skrill3x says:

        I want to downgrade my router (argo 55+) but.. I have some questions:
        1. I want to buy that cable (in hand) but I don’t know where I can find one..
        2. Is it possible to downgrade that router these days?
        3. When I downgrade, can you assist me? Please.
        4. How do I fix the cables into the router?

        • bano says:

          Hi Skrill, the best source for that kind of cable is eBay – but often you can find them in electronics market fairs.
          And yes, it is indeed possible to downgrade. I don’t have an Argo 55 myself, but someone here reported some issues with the ADSL connection reliability after the downgrade… unfortunately I haven’t received further feedback. Anyway, I’ll try to do my best to assist you :)
          I’m not sure what you mean by “fix the cables”… the best thing would be to solder it to the solder pads.

  • diegus says:

    Bano,

    Hi. I’m trying to use ipsec from fw to fw, but the argo’s implicit nat gives me a lot of problems… In your opinion is there a way to simply dismiss the argo and use another router (using only Joy, no phone line) spoofing the argo wan mac and using media converters?

    Thanks,
    diegus

    • bano says:

      I did some experimentation with a mediaconverter and a router with OpenWRT. I haven’t been able to get something useful: even with the MAC address cloned, I was unable to get the public IP via DHCP. Configuring everything by hand works to the point where you’re redirected to the captive portal used for the non-flat contracts.
      Seems like there’s an authentication session done by the router, or something like that – your best bet would be using a couple of mediaconverters to sniff the packets during the router initialization, and check what’s going on.

      Cheers,
      bano

  • iulius says:

    It would be very helpful if the original router could be eliminated. It jumps through a useless NAT …
    Is someone still working to solve the problem?
    Iulius

  • pianoquintet says:

    I just got hold of a spare Argo 95 and would like to try the downgrade procedure described in this blog on that spare Argo (instead of tinkering with the one provided to me by Fastweb, which I am afraid of damaging permanently).

    What do I need to do in order for Fastweb to accept the spare Argo on its network? I suppose I need to spoof the MAC address of the Argo provided by Fastweb and if so, how do I do that? Anything else I need to change on the spare Argo (e.g. login credentials) to make it resemble the Argo provided to me by Fastweb?

    Thank you.

    • D3FenD3r says:

      I assure you that breaking an Argo 95 is hard.
      I tried with a piece of iron,
      then with a glass of water; it made bangs but kept working.
      Anyway……. I took some pins off an old motherboard, which I then soldered onto the router.
      I’m NOT experienced, but it took me 5 minutes.
      I bought a USB TTL RS232 cable on eBay
      and then, following the guide provided here, everything works great:
      access to the Argo 95
      100/100
      I will never stop thanking bano

      • pianoquintet says:

        Thanks. I managed to access the serial port of the replacement Argo and downgrade its firmware. Now the problem is that Fastweb doesn’t authenticate it on the network because it doesn’t recognize it as mine (which I haven’t touched so as not to break the seal). Does anyone have suggestions on how to alter the MAC address (which I suppose is the Argo’s credential on the network) to replace it with that of the “original” Argo? Doing setenv from uboot, it says it is protected. Thanks.

  • DERRING says:

    100/100 I think it is not quite possible. From what I know, that is a setting in the Catalyst, NOT on the Argo router.

    Does Bano still read here? What do you think about getting 100/100 from the Argo?

  • DERRING says:

    Thanks for your reply Bano. Now it would be great if the 100/100 OP could explain how he was able to get that symmetric speed, which settings in the router configuration, maybe a CLI switch, who knows… It could be useful for all of us, if we are wrong.

  • litpack says:

    I have an Argo 55+, and one thing isn’t clear to me: after the downgrade, can the modem be used with any provider or only Fastweb?

    • bano says:

      Hi,
      theoretically yes – I’ve never had the chance to try a 55, but you should be able to configure the parameters of any ADSL connection.

      Cheers,
      bano

  • mirko8395 says:

    Hi, I need some help unlocking my Argo 55. Thanks in advance!

  • iulius says:

    News about this project?

  • iulius says:

    News about this project? Has a method to replace this router been found?

  • D3FenD3r says:

    Once logged in to the Argo,
    the command
    leds switch_to_up_state

    turns the Argo95’s LEDs back on; the only one that stays red is the Fastweb one, since all the routes are blocked

  • DERRING says:

    Is this project still alive and well? Does someone still run the modified firmware and can reach his Argo? Anything new?

  • kisspachyousee says:

    Hi everyone! I followed the procedure step by step, but at the moment I’m stuck. After finishing with the reset, the modem reboots but I can’t get in via browser; also, when I connect it via LAN it always says unidentified network (except with a static IP), and the Wi-Fi was initially a hidden network and I couldn’t access it; after a factory reset I can’t enable it. Could someone post a configuration file that has everything enabled?

  • gnappoman says:

    Hello!
    I have two questions:
    1- Why did you stop your blog? It was one of my favourites!
    2- (a bit long to post here) http://superuser.com/questions/1015549/how-to-get-my-router-ip-address-assigned-by-isp-via-dhcp/1015667
    Is there any alternative method than scanning 255.255.0.0 – 255.255.255.255 ?
    Cheers and best regards

    • bano says:

      Hi!
      Let’s see:
      1) Mainly because I’m a lazy bastard, and not so good at sharing bits of my life with the interwebs. Nevertheless, I somewhat miss writing articles, and I’m (slowly, go figure) collecting material for new posts.
      2) I’m sorry, I have to agree with the SU users’ replies: the quickest way is probably to parse the router settings page. Out of curiosity, why do you need it?

      Kind regards,
      bano
