Kitz ADSL Broadband Information
Pages: 1 ... 9 10 [11] 12 13 ... 21

Author Topic: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)  (Read 154145 times)

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #150 on: April 14, 2012, 12:03:33 PM »

Let's poke some more at that command then.

Found a magic command for per band values,
Code:
Alpha # echo "g997lspbg 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=0 LATN[0]=176 LATN[1]=459 LATN[2]=641 LATN[3]=-32768 LATN[4]=-32768 SATN[0]=153 SATN[1]=448 SATN[2]=609 SATN[3]=-32768 SATN[4]=-32768 SNR[0]=65 SNR[1]=62 SNR[2]=71 SNR[3]=-32768 SNR[4]=-32768
Alpha # echo "g997lspbg 0" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=0 LATN[0]=30 LATN[1]=320 LATN[2]=516 LATN[3]=-32768 LATN[4]=-32768 SATN[0]=32 SATN[1]=319 SATN[2]=520 SATN[3]=-32768 SATN[4]=-32768 SNR[0]=60 SNR[1]=60 SNR[2]=63 SNR[3]=-32768 SNR[4]=-32768

The issue is that they both seem to be upstream? Or maybe nDirection is wrong..

I've found an interesting German modem, the Speedport 221. It appears to be very similar and uses the same method of getting data, BUT it includes a utility dsl-info. I'm having trouble finding a firmware image but I have found its released source at http://hilfe.telekom.de/hsp/cms/content/HSP/de/3388/FAQ/theme-71990825/Geraete-und-Zubehoer/theme-2000178/DSL-Geraete/theme-66139021/Speedport-Serie/theme-397804711/Sonstige-Speedports-HSPA-LTE-.../theme-157445472/Speedport-2xx-Serie/theme-157445830/Speedport-221 Unfortunately, it seems that the Linux source is strangely absent.

More detailed bitloading and SNR although I still can't get upstream SNR.... These should draw nice graphs...
http://pastie.org/private/b87fxzntuvlk3smkra

I'm working on a little tool to get data and make graphs in C#. Should work nicely and produce things similar to that FritzBox screenshot.

I've attached a graph output by my WIP utility, ZedGraph doesn't seem to like having so many values.

EDIT: Or not, got the SNR graph looking pretty :)
« Last Edit: April 14, 2012, 04:59:46 PM by ben1066 »
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #151 on: April 14, 2012, 05:19:21 PM »

Let's make sure people notice, I've got a tool that will give you a set of graphs. I've currently got downstream SNR and bitloading. Am I missing anything? I'm having trouble with the QLN and HLOG commands, they are also apparently downstream only according to http://svn.dd-wrt.com/browser/src/linux/universal/linux-3.2/drivers/net/ethernet/ifxatm/include/drv_dsl_cpe_api_ioctl?rev=18222 . If that's all I'll tidy up this program and release it. It should work under both Mono on Linux and .NET on Windows.

Edit: Hmm, I found a gain command as well, no idea the units it's measured in though... I'm now working on a DMT for the ECI modem.
« Last Edit: April 14, 2012, 07:41:50 PM by ben1066 »
Logged

Bald_Eagle1

  • Helpful
  • Kitizen
  • *
  • Posts: 2720
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #152 on: April 14, 2012, 07:49:11 PM »

The bit-loading graph looks right, but I'm not sure about the SNR graph.

SNR should look similar to bit-loading, but slightly less "blocky".

Also, SNR's maximum value should be around 50dB to 60dB.

It looks like you have divided the Hex value A5 (165 dec) by 10 to give 16.5, so something doesn't look quite right there.

I have no idea what gain is.

I have attached a set of graphs from a HG612 modem on an ECI DSLAM (so it shows the ECI's tone band plans rather than the usual HG612's tone band plans).

Yes, apart from bit-loading, the graphs show DS only data.

The example doesn't show anything of the D3 tone band plan, as attenuation is too high to actually use any of it at Medley Phase, but it was discovered at Discovery Phase.


Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #153 on: April 14, 2012, 08:10:51 PM »

There is definitely correlation between the two graphs. I did just read something about snr(i) = y/2 - 32 which gives the following graph. http://wehavemorefun.de/fritzbox/index.php/Dsl_pipe seems to confirm that, it also says something about gain... Still no idea what it shows though.
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #154 on: April 14, 2012, 08:33:47 PM »

Quote
The GUI also displays 0 for all values like the Huawei,

Wow! Very impressive, Ben! You've made some amazing progress!

It's very strange that the GUI continues to have unpopulated fields.   There must be a missing or uninitialised component causing that.

Perhaps see what happens if a missing 'runtime' value is manually saved into the xml database (xmldbc -s) and see if that value then appears in the GUI.    If so, maybe a script or binary should be performing that function periodically - retrieving line stats via the Unix socket(s) from dsl_cpe_control, and then inserting the response into the runtime sub-tree of the XML database.   If that is the mechanism, the script or binary needs to be found and started. Maybe a case of grepping the firmware/available source code for other references to those sockets.

Your graphs look great, too! Did you notice a brief comment to subcarrier graphs in one of the web resources?  There was no corresponding code though  >:(

cheers, a
« Last Edit: April 15, 2012, 02:31:06 AM by asbokid »
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #155 on: April 14, 2012, 08:44:51 PM »

I'm fairly sure that'd work as the xml db doesn't have the fields populated either. Also, don't suppose anyone understands
Code:
DSL_uint8_t gain/tone [0..4095 (linear) represented as multiple of 1/512: 20*log(gain/512)]
If I know what that means I should be able to get the gain, whatever it shows. Anyway, making progress on my eDMT tool (ECI DSL modem tool). Should be totally crossplatform on Mono too for those on Linux and Mac :D
« Last Edit: April 14, 2012, 10:15:30 PM by ben1066 »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #156 on: April 14, 2012, 10:31:48 PM »


Quote
If I know what that means I should be able to get the gain, whatever it shows. Anyway, making progress on my eDMT tool (ECI DSL modem tool). Should be totally crossplatform on Mono too for those on Linux and Mac :D

Sounds magnificent!  Can't wait to see it  :)  EDIT: That looks very nice indeed!   What's going in the top space?  The text-based stats?

Code:
DSL_uint8_t gain/tone [0..4095 (linear) represented as multiple of 1/512: 20*log(gain/512)]

It's the xmt gain table.. Apparently a logarithmic conversion (dB) of the transmit gain for each subcarrier, adapted to conform with the PSD mask, to introduce guard bands, etc..

"All values from 14.5 dB (linear value 96/512) to 18 dB. The gain value shall be represented with 3 bits before and 9 bits after the decimal point, i.e., a granularity of 1/512 in linear scale."   See: G.992.3..[1]

EDIT:
The gain data is recorded by the Broadcom chipsets (e.g. the BCM6368 in the Huawei). However the xdslcmd tool does not retrieve it from the kernel.  Building an open source and extensible version of the xdslcmd tool would make a very good project.


cheers, a

[1] http://www.analytic.ru/articles/lib26.pdf  (old 2002 version but free-to-download)
[2] http://pastie.org/pastes/3786263/text?key=b87fxzntuvlk3smkra
« Last Edit: April 15, 2012, 01:16:40 PM by asbokid »
Logged
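
Added example (not code from any poster, from eDMT or from the Lantiq driver): the two per-tone conversions discussed in replies #152 to #156, applied to a hex dump. It decodes SNR bytes with snr(i) = y/2 - 32 and gain words with 20*log10(gain/512), so the A5 byte can be checked against the expected 50 dB to 60 dB peak. Assumptions: the function names, the one-token-per-tone dump layout and the sample dumps are constructed here; treating FF as "no measurement" comes from G.997.1, not from the thread.

```python
import math

NO_MEASUREMENT = 0xFF  # G.997.1 special value for a tone that could not be measured


def snr_db(raw):
    """snr(i) = y/2 - 32, the conversion quoted in reply #153."""
    return None if raw == NO_MEASUREMENT else raw / 2 - 32


def gain_db(raw):
    """12-bit linear gain in steps of 1/512, as dB: 20*log10(raw/512)."""
    if not 0 <= raw <= 4095:
        raise ValueError(f"gain {raw} does not fit in 12 bits")
    return None if raw == 0 else 20 * math.log10(raw / 512)  # log(0) is undefined


def decode(hex_tokens, convert):
    """Convert a whitespace-separated hex dump, one token per tone (assumed layout)."""
    return [convert(int(tok, 16)) for tok in hex_tokens.split()]


def peak(values):
    """Largest measured value, ignoring tones with no measurement."""
    measured = [v for v in values if v is not None]
    return max(measured) if measured else None


# Constructed sample: a few per-tone SNR bytes peaking at the A5 from reply #152
SNR_DUMP = "FF FF 8C 9B A5 A3 97 80 FF"
# Constructed sample gains: zero, the 96/512 from the G.992.3 quote, unity, maximum
GAIN_DUMP = "000 060 200 FFF"

if __name__ == "__main__":
    snr = decode(SNR_DUMP, snr_db)
    print("y/2 - 32:", snr, "peak", peak(snr))
    print("y/10 peak:", int("A5", 16) / 10)  # the scaling questioned in reply #152
    gains = decode(GAIN_DUMP, gain_db)
    print("gain dB:", [None if g is None else round(g, 2) for g in gains])
```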

Bald_Eagle1

  • Helpful
  • Kitizen
  • *
  • Posts: 2720
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #157 on: April 15, 2012, 11:27:09 AM »

Yes,

Fantastic work, all of you.

Are we any closer to unlocking the modem without the need for any soldering etc?

Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #158 on: April 15, 2012, 11:51:29 AM »

I've personally got a little distracted... Not quite sure the best way to display the other stats.. Should I just have text or should I use some of the graphics DMT and vDMT use?

Boom, DSLAM data:
Code:
Alpha # echo "g997listrg 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 G994VendorID=IFTN SystemVendorID=ECI tele VersionNumber=
SerialNumber=7035490556 SelfTestResult=0 XTSECapabilities=(00,00,00,00,00,00,00,
00)
« Last Edit: April 15, 2012, 12:39:01 PM by ben1066 »
Logged
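
Added example (not code from any poster or from eDMT): a small Python parser for the dsl_cpe0_ack replies shown in replies #150 and #158. It handles indexed fields such as LATN[0], a value containing a space, the empty VersionNumber, the 80-column wrapping, and a non-zero nReturn. Assumptions: the per-band figures are in 0.1 dB units, -32768 marks an unused band slot, the bracketed list is hex bytes, and all function names are made up here.

```python
import re

UNSET = -32768  # value in the band slots [3] and [4] of the replies above
TEXT_KEYS = {"G994VendorID", "SystemVendorID", "VersionNumber", "SerialNumber"}

# key, optional [index], then a value that runs up to the next "key=" or the end
_FIELD = re.compile(r"(\w+)(?:\[(\d+)\])?=(.*?)(?=\s*\w+(?:\[\d+\])?=|\s*$)")


def parse_ack(text):
    """Turn one dsl_cpe0_ack reply into a dict; NAME[i] fields become lists."""
    flat = text.replace("\r", "").replace("\n", "")  # undo 80-column wrapping
    reply = {}
    for key, index, raw in _FIELD.findall(flat):
        raw = raw.strip()
        if raw.startswith("(") and raw.endswith(")"):  # byte list, assumed hex
            value = [int(b, 16) for b in raw[1:-1].split(",")]
        elif key not in TEXT_KEYS and re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = raw  # identifiers stay text so leading zeros survive
        if index:
            reply.setdefault(key, []).append(value)
        else:
            reply[key] = value
    if reply.get("nReturn") != 0:
        raise ValueError(f"modem returned nReturn={reply.get('nReturn')}")
    return reply


def per_band_db(reply, name):
    """Per-band values in dB (assumed 0.1 dB units); UNSET slots become None."""
    return [None if v == UNSET else v / 10 for v in reply[name]]


# Replies copied from the posts above (the second one with its line wrapping)
BANDS = ("nReturn=0 nDirection=0 LATN[0]=30 LATN[1]=320 LATN[2]=516 "
         "LATN[3]=-32768 LATN[4]=-32768 SATN[0]=32 SATN[1]=319 SATN[2]=520 "
         "SATN[3]=-32768 SATN[4]=-32768 SNR[0]=60 SNR[1]=60 SNR[2]=63 "
         "SNR[3]=-32768 SNR[4]=-32768")
INVENTORY = """nReturn=0 nDirection=1 G994VendorID=IFTN SystemVendorID=ECI tele VersionNumber=
SerialNumber=7035490556 SelfTestResult=0 XTSECapabilities=(00,00,00,00,00,00,00,
00)"""

if __name__ == "__main__":
    print(per_band_db(parse_ack(BANDS), "LATN"))
    print(parse_ack(INVENTORY))
```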

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #159 on: April 15, 2012, 01:19:49 PM »

Quote
Are we any closer to unlocking the modem without the need for any soldering etc?

There may be a network backdoor into the bootloader of the ECI, as there is with the HG612.  If not, it would probably be a case of cracking the BT Agent remote management server.  The cryptosystem of btagent relies on a 1024-bit 2048-bit RSA key, so it's basically uncrackable by brute force.  Maybe there's something wrong with the implementation though.. Not very likely..

cheers, a
« Last Edit: April 15, 2012, 03:25:41 PM by asbokid »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #160 on: April 15, 2012, 01:25:20 PM »

Quote
I've personally got a little distracted... Not quite sure the best way to display the other stats.. Should I just have text or should I use some of the graphics DMT and vDMT use?

It would probably appeal to more people if it looks very similar to DMT.  All a bit squashed in tho'.  Any signs of the QLN and HLog data?

Quote
Boom, DSLAM data:
Code:
Alpha # echo "g997listrg 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 G994VendorID=IFTN SystemVendorID=ECI tele VersionNumber=SerialNumber=7035490556 SelfTestResult=0 XTSECapabilities=(00,00,00,00,00,00,00,00)

That's interesting!  So (unsurprisingly) it's an Infineon (IFTN) chipset (now Lantiq) in the subscriber line cards of the ECI DSLAM.  Lantiq's VDSL2 CO chipset is known as the VINAX. [1]

cheers, a

[1] http://www.lantiq.com/products/broadband-access/vdsl/
« Last Edit: April 15, 2012, 01:39:24 PM by asbokid »
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #161 on: April 15, 2012, 02:03:47 PM »

I've currently got some tabs at the top so it isn't so squashed. I'll try and make it similar, hopefully more readable than vDMT though, its text is really small in places. There are two commands that look like they should return HLOG and QLN data but they always seem to return with nReturn=-36 :S
Logged

Blackeagle

  • Reg Member
  • ***
  • Posts: 257
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #162 on: April 15, 2012, 02:35:10 PM »

Ben, that looks really good.  Would it be difficult to modify it to work with the HG612 ??  It would save me writing a version, and you seem to have completed most of the code already !!
Logged
ASCII stupid question, get a stupid ANSI -- TalkTalk Broadband since 2006

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #163 on: April 15, 2012, 02:51:07 PM »

I guess if you had similar enough commands it could be made to work, the issue is that the ECI modem uses a pipe whereas the Huawei uses xdsl. That said, they both work over telnet and have similar commands. I think it could be made to work and use the same UI and such, just a fair bit of the grunt work will need redoing. I plan on making this open source once it's useful anyway so you can convert to your heart's content. (Please note, my code isn't that clean either since I'm working on things I get from the modem that I do not know exactly the format, it does sometimes perform erratically but that's hard to avoid)

Got it actually reading the misc data now. Not sure how I can get profile though unfortunately, I need profile and VDSL version in addition to line status for the misc tab.
« Last Edit: April 15, 2012, 04:11:30 PM by ben1066 »
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)
« Reply #164 on: April 15, 2012, 07:22:02 PM »

Hey, finished my eDMT to the point it's now usable. Make sure you OK the message boxes otherwise it will NOT progress. To switch modems (if you happen to have multiple) just change the IP and hit login again. Make sure to report any bugs you experience, I'll need to know what you were doing, what messages had been shown, and preferably a screenshot. I also threw in eGrapher that will give you a .bmp copy of the 3 graphs. Source code will follow shortly. Please do not mirror the link, my dropbox only has very limited traffic.

http://dl.dropbox.com/u/11197643/eDMT.zip
Logged