Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2 3 ... 21

Author Topic: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B  (Read 217970 times)

uklad

  • Member
  • **
  • Posts: 55
Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« on: January 19, 2012, 06:44:03 PM »

I think these maybe of interest to you :)

Chipset is a Lantiq VRX268



« Last Edit: February 02, 2012, 08:09:02 AM by roseway »
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #1 on: January 19, 2012, 09:34:23 PM »

Interesting and useful. Thank you for the images.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #2 on: January 19, 2012, 10:14:14 PM »

I think these maybe of interest to you :)

Chipset is a Lantiq VRX268

Excellent stuff!

The Lantiq (was Infineon) VRX268 has a MIPS32 core.  The modem is almost certainly running a MIPS-Linux kernel  (i.e. GPL'ed source code ).   The VDSL2 AFE is the VRX208.

Located due north of the Lantiq CPU is the 64Mbit (8Mbyte) Macronix NOR flash IC. Unusually it could be on a 16-bit bus. [2]

Just west of that NOR flash IC are solder pads for a 7x2 set of header pins.

Those pads are labelled JP2. They almost certainly form the EJTAG test access port (TAP) interface.

The JTAG signals {TMS, TCK, TDI, TDO, TRST} will be found amongst pins {1, 2, 3, 4, 5, 6}
Pins {7, 8, 9} will probably include VCC.  A voltmeter will confirm.
Pins {10, 11, 12, 13, 14} are all GND.

Further north of JP2 is JP1. It comprises 4 solder pads.  That is likely a UART port running at TTL voltage levels.  A serial console can often be obtained through the UART port. It provides a way to interrupt the bootstrap process.

An el cheapo way to interface a modern PC (with no RS232 port) to the UART interface is with a clone Nokia DKU5 phone data cable. The clone DKU5 cable costs as little as £1.  The cable contains an integral Prolific Logic PL2303 USB-UART bridge controller. [3]   The PL2303 IC performs the voltage shift and packetises the serial bitstream into USB blocks (URBs).

Linux, and maybe Windows, has a kernel device driver for the PL2303. The driver presents the USB device as a dumb serial port.  A terminal program like minicom is then used to connect to the router over the serial port.

And away you go :-)

The board also has 512Mbit (64MBytes) of Samsung DDR2-800 SDRAM [4]

Thanks for posting the photos, uklad.  Very interesting!

cheers, a

[1] http://www.lantiq.com/uploads/tx_abzlantiqproducts/PB-e-0027-v1_lres.pdf
[2] http://www.macronix.com/QuickPlace/hq/PageLibrary../../MX29LV640ETBver13-1.3.pdf
[3] http://www.prolific.com.tw/eng/products.asp?id=59
[4] http://www.szyuda88.com/uploadfile/cfile/2011311171825213.pdf

EDIT: Shrunk huge photo
« Last Edit: July 29, 2012, 04:54:31 AM by asbokid »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #3 on: January 20, 2012, 02:38:38 AM »

Re-instating header pins on a PCB

One trick here is to clamp the board vertically while working on it.

The solder pads need to be cleaned out to expose the thru-holes.

From one side of the board, apply heat to one of the solder pads using a fine soldering iron bit.

Simultaneously, and working from the other side of the PCB, use a desoldering pump (solder sucker) to remove the molten solder from the hole.

Repeat for each thru-hole.

Sometimes one or more of the holes isn't properly drilled out.

If so, use a 1mm HSS drill bit and twist it manually between fingers

Ensure all the holes are clean and free from grease and PCB coating materials.

Install the header pins and solder in place

Job done!

Attached are some photos showing the reinstatement of header pins for JTAG/UART on the PCB of a Huawei HG612.
« Last Edit: January 20, 2012, 04:08:27 AM by asbokid »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #4 on: January 20, 2012, 02:13:24 PM »

Re-instating header pins on a PCB

One trick here is to clamp the board vertically while working on it.

The solder pads need to be cleaned out to expose the thru-holes.

From one side of the board, apply heat to one of the solder pads using a fine soldering iron bit.

Simultaneously, and working from the other side of the PCB, use a desoldering pump (solder sucker) to remove the molten solder from the hole.

Repeat for each thru-hole.

Sometimes one or more of the holes isn't properly drilled out.

If so, use a 1mm HSS drill bit and twist it manually between fingers

Ensure all the holes are clean and free from grease and PCB coating materials.

Install the header pins and solder in place

Job done!

Attached are some photos showing the reinstatement of header pins for JTAG/UART on the PCB of a Huawei HG612.

Lol thanks :) i learnt all that 16 years ago ;) i did have a JTAG somewhere but I think it was a Xilinx one the other i know is for flashing Atmega`s
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #5 on: January 20, 2012, 05:05:53 PM »

Ok update for you..

Top header is a indeed the console header but its running at TTL 3.3v and I don't have a suitable cable

pins seem to be from left to right TX GND VCC   RX

I will get a suitable cable and get back to you with the output !!

« Last Edit: January 24, 2012, 05:53:48 PM by uklad »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #6 on: January 20, 2012, 08:27:11 PM »

Sounds good!

Most JTAG cables will work fine, so long as there are generic drivers available for the cables.

It might be helpful to collect some JTAG resources together in this thread for others' benefit.

Discovering JTAG pinouts

Most JTAG cables will work fine in the pinout discovery process, so long as there is a generic driver available for the cable.

Discovering JTAG pinouts on a PCB is a very common problem.  For a given board, the size of the problem can be quantified using Probability Theory.

In the worst case scenario, using ‘brute force’ to discover the JTAG pinout means testing every possible permutation of JTAG signal and header pin.

Formally, the JTAG pinout problem is an r-Permutations challenge.  It is described by the notation nPr..

nPr is the number of permutations, or ways to choose, an ordered subset of r items from a set of n objects.

In the case of this board, the set of n objects are a set of 14 header pins. From that set of n pins we need to discover the ordered subset of r pins carrying the JTAG signals.

The formula for nPr is   n! / (n-r)!    where ! is the factorial symbol, e.g. 7! means (7 x 6 x 5 x 4 x 3 x 2 x 1)

Out of the fourteen header pins on the board, there are six candidate pins. Any of these six pins could potentially carry any of the five JTAG signals {TDO,TDI,TMS,TCK and TRST}.

Here, n is 6 (the number of candidate pins), and r is 5 (the number of JTAG signals).

So nPr = 6! / (6-5)! = 720 permutations.

However, some assumptions can be made which will radically reduce the search space.

One of the JTAG signals (TRST) is optional. TRST resets the JTAG controller when driven low. If we assume that, by default, TRST is pulled up to keep the board out of reset, it can be ignored.

Another JTAG signal (TDO) can be discovered from its floating logic state using an ohmmeter. This is very well explained by Ray “revs-per-min” Haverfield. [1]

That leaves us with just three JTAG signals to find from a choice of five header pins.

Now the scale of the problem is given by 5!/2 = 60 permutations.

That has already shrunk the search space by more than 90%.

We can now take advantage of another property of the JTAG standard. [2]

A JTAG controller will always return to its reset state when the TMS signal is asserted for five or more ticks of the TCK signal.  This is illustrated in the attached diagram of the JTAG state machine.

The bit values {0,1} shown in the diagram represent the transitional states of the TMS (Test Mode Select) signal.    For example,  to transition the JTAG state machine from the Shift_IR state to the Exit1_IR state requires TMS to be asserted for one tick of the TCK signal.

It doesn't matter where you start in the JTAG state machine. Asserting TMS while five ticks are clocked into TCK will always see the JTAG controller returned to its Test_Logic_Reset state:

Once a JTAG device is in that reset state, the 32-bit IDCODE is loaded into the JTAG data register.  This loading is done automatically.  It doesn’t require any instruction to be shifted in on the TDI line.

Returning to our board. TDO was discovered earlier from its floating logic state. So what this means is that only the TMS and TCK signals need to be found at this stage.  TDI can be found later.

By controlling just the TMS and TCK signals from software, the IDCODE value loaded on reset into the data register can be scanned out of the TDO pin. The TDO pin is closely monitored for output that is consistent with a device IDCODE.

Looking at this again as a combinatorial problem:

The value n remains at 5 since we still have five unknown pins. However, r, the number of signals to discover, is now just 2. These are the TMS and the TCK signals.

So nPr is 5!/3! = 20 permutations.

Using these techniques, the discovery of JTAG pinouts is trivialised.

There are software tools, such as JTAG_Finder [2] that can automate the fiddly task of swapping pins during pinout discovery. However,  this is rarely necessary. Using the techniques above, the average count of pin-swaps before discovery success is reduced to a manageable number.

In summary, and using this board as an example, a total of 14 pins are reduced to 6 candidate pins. TDO is discovered with an ohmmeter. TRST is ignored. The discovery of TDI is postponed. Software (UrJTAG) is used to navigate the JTAG state machine for each permutation of TCK and TMS, chosen from the five remaining pins. Using these shortcuts, the average count of pin-swaps before discovery is reduced to just 10.

[1] http://forums.whirlpool.net.au/forum-replies.cfm?t=808533&p=9&#r176
[2] http://www.xilinx.com/support/answers/11857.htm
[3] http://elinux.org/JTAG_Finder
« Last Edit: January 29, 2012, 04:37:05 AM by asbokid »
Logged

Bald_Eagle1

  • Helpful
  • Kitizen
  • *
  • Posts: 2721
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #7 on: January 20, 2012, 08:54:13 PM »

Sounds good!

& some people accuse me of being too precise  :lol: :lol: :lol:
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #8 on: January 24, 2012, 12:50:13 PM »

Serial output on boot :)

Code: [Select]
ROM VER: 1.0.5
CFG 01
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa1ffffff
DDR check ok... start booting...



U-Boot 1.0.4 (Oct 18 2010 - 16:20:02)

CLOCK CPU 333M RAM 166M
DRAM:  32 MB

 relocate_code start
 relocate_code finish.

FLASH MANUFACT: c2

FLASH DEVICEID: cb
Flash:  8 MB
In:    serial
Out:   serial
Err:   serial
Net:   fw_addr=0xa0200000
Internal phy(FE) firmware version: 0x0108
vr9 Switch

Type "run flash_flash" to mount root filesystem over flash

Hit 'Esc' key to stop autoboot:  0
## Booting image from active region 2 at b03f0000 ...
Check RSA image magic--OK!
Please type [setenv rsa_check 1] !!!
   Image Name:   MIPS Linux-2.6.20
   Created:      2011-08-09   3:31:37 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3629088 Bytes =  3.5 MB
   Load Address: 80002000
   Entry Point:  802cd000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802cd000) ...
## Giving linux memsize in MB, 32

Starting kernel ...

Infineon xDSL CPE VR9
mips_hpt_frequency = 166666666, counter_resolution = 2
Linux version 2.6.20.19
 (hyhuang@BSD7.localdomain) (gcc version 3.4.6 (OpenWrt-2.0)) #1 Tue Aug 9 11:27
:46 CST 2011
Active Region: 2
phym = 02000000, mem = 01f00000, max_pfn = 00001f00
Reserving memory for CP1 @0xa1f00000, size 0x00100000
CPU revision is: 00019555
Determined physical RAM map:
User-defined physical RAM map:
 memory: 01f00000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Built 1 zonelists.  Total pages: 7874
Kernel command line: root=/dev/mtdblock2 ro rootfstype=squashfs ip=5.57.33.103:5
.57.33.111::::eth0:on console=ttyS0,115200 ethaddr=5C:33:8E:xx:xxx:xx phym=32M me
m=31M panic=1
1 MIPSR2 register sets available
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
Lantiq ICU driver, version 3.0.1, (c) 2001-2010 Lantiq Deutschland GmbH
PID hash table entries: 128 (order: 7, 512 bytes)
Using 166.667 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28152k/31744k available (2239k kernel code, 3592k reserved, 616k data, 1
56k init, 0k highmem)
Security Framework v1.0.0 initialized
Mount-cache hash table entries: 512
NET: Registered protocol family 16
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
gptu: totally 6 16-bit timers/counters
gptu: misc_register on minor 63
gptu: succeeded to request irq 118
gptu: succeeded to request irq 119
gptu: succeeded to request irq 120
gptu: succeeded to request irq 121
gptu: succeeded to request irq 122
gptu: succeeded to request irq 123
IFX DMA driver, version ifxmips_dma_core.c:v1.0.9
,(c)2009 Infineon Technologies AG
Lantiq CGU driver, version 1.0.9, (c) 2001-2010 Lantiq Deutschland GmbH
Wired TLB entries for Linux read_c0_wired() = 0
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) (SUMMARY)  (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered (default)
ifx_pmu_init: Major 252
Lantiq PMU driver, version 1.1.4, (c) 2001-2010 Lantiq Deutschland GmbH
Lantiq GPIO driver, version 1.2.12, (c) 2001-2010 Lantiq Deutschland GmbH
Infineon Technologies RCU driver version 1.0.6
Lantiq LED Controller driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland Gm
bH
MEI CPE Driver, Version 1.0.2
<6>(c) Copyright 2009, Infineon Technologies AG
<6>### MEI CPE - MEI CPE - MEI CPE - MEI CPE ###
<6>ttyS0 at MMIO 0xbe100c00 (irq = 105) is a IFX_ASC
Lantiq ASC (UART) driver, version 1.0.5, (c) 2001-2010 Lantiq Deutschland GmbH
RAMDISK driver initialized: 1 RAM disks of 6144K size 1024 blocksize
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
IFX SWITCH API, Version 0.9.9.5
SWAPI: Registered character device [switch_api] with major no [81]
Switch API: PCE MicroCode loaded !!
Switch Auto Polling value = 0
GPHY FIRMWARE LOAD SUCCESSFULLY AT ADDR : 310000
IFX GPHY driver FE Mode, version ifxmips_vr9_gphy: V0.6 - Firmware: 109
ifx_nor0: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
[ACTIVE REGION]:  2
RSA_CHECK:  0
squashfsb->s_magic=71736873 SQUASHFS_MAGIC=71736873
ifx_nor0: squashfs filesystem found at 0x4e10a0.
ifx_mtd_init flash0: Using static image partition
Creating 9 MTD partitions on "ifx_nor0":
0x00000000-0x00030000 : "uboot"
0x00030000-0x00040000 : "h/w setting"
0x004e10c0-0x007670c0 : "rootfs"
0x00040000-0x00050000 : "rgdb"
0x00050000-0x003f0000 : "upgrade"
0x003f0000-0x00790000 : "upgrade2"
0x00790000-0x007f0000 : "btagent"
0x00000000-0x00800000 : "flash"
0x00000000-0x00800000 : "<NULL>"
Lantiq MTD NOR driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland GmbH
Registered led device: broadband_led
Registered led device: internet_led
Registered led device: ledc_8
Registered led device: ledc_9
Registered led device: ledc_10
Registered led device: ledc_11
Registered led device: wps_led
Registered led device: ledc_13
Registered led device: ledc_14
Registered led device: usb2_link_led
Registered led device: ledc_16
Registered led device: ledc_17
Registered led device: usb1_link_led
Registered led device: fxo_act_led
Registered led device: internet_red_led
Registered led device: voip_led
Registered led device: warning_led
Registered led device: ledc_23
Lantiq LED driver, version 1.0.15, (c) 2001-2010 Lantiq Deutschland GmbH
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (248 buckets, 1984 max)
GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Bridge firewalling registered
NET: Registered protocol family 8
atmpvc_init() failed with -17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Time: MIPS clocksource has been installed.
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 156k freed
init started:  BusyBox v1.00 (2011.08.09-03:28+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5
[/etc/init.d/S03config.sh]
Starting mdev ...
Mounting proc and var ...
JFFS2 notice: (226) jffs2_build_xattr_subsystem: complete building xattr subsyst
em, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
Start xmldb ...
[/etc/scripts/misc/profile.sh] init ...
[/etc/scripts/misc/profile_action.sh] get ...
[/etc/scripts/misc/defnodes.sh] ...
SH [/etc/defnodes/S10syncnodes.sh] ...
[/etc/defnodes/S10syncnodes.sh] ...
SH [/etc/defnodes/S11setext.sh] ...
[/etc/defnodes/S11setext.sh] ...
PHP [/etc/defnodes/S12setnodes.php] ...
SH [/etc/defnodes/S13setext.sh] ...
[/etc/defnodes/S13setext.sh] ...
PHP [/etc/defnodes/S14setnodes.php] ...
PHP [/etc/defnodes/S16features.php] ...
SH [/etc/defnodes/S19setext.sh] ...
PHP [/etc/defnodes/S20setnodes.php] ...
SH [/etc/defnodes/S20upnp_igd.sh] ...
SH [/etc/defnodes/S21upnp_wfa.sh] ...
SH [/etc/defnodes/S22setext.sh] ...
PHP [/etc/defnodes/S40brand.php] ...
[/etc/scripts/misc/defnodes.sh] Done !!
[/etc/templates/timezone.sh] ...
[/etc/templates/logs.sh] ...
[/var/run/logs_run.sh] ...
ifxmips_ppa_datapath_vr9_e5: module license 'unspecified' taints kernel.
Loading D5 (MII0/1) driver ......
xuliang: warning NONE
Succeeded!
PPE datapath driver info:
  Version ID: 128.3.3.1.0.0.1
  Family    : N/A
  DR Type   : Normal Data Path | Indirect-Fast Path
  Interface : MII0 | MII1
  Mode      : Routing
  Release   : 0.0.1
PPE 0 firmware info:
  Version ID: 7.1.5.1.0.33
  Family    : VR9
  FW Type   : Standard
  Interface : MII0/1 + PTM
  Mode      : reserved - 1
  Release   : 0.33
PPE 1 firmware info:
  Version ID: 7.2.1.6.1.12
  Family    : VR9
  FW Type   : Acceleration
  Interface : MII0 + MII1
  Mode      : Bridging + IPv4 Routing
  Release   : 1.12
PPA API --- init successfully
Init VDSL Driver ...
- VDSL -
- llcs loading!!! -
- loading drv_ifxos.ko -
strings: not found
IFXOS, Version 1.5.11
<6>(c) Copyright 2007, Infineon Technologies AG
<6>### IFXOS - IFXOS - IFXOS - IFXOS ###
- loading drv_dsl_cpe_api.ko
- loading dsl_cpe_api (drv_dsl_cpe_api.ko device) driver -


Lantiq CPE API Driver version: DSL CPE API V4.6.3.5-pd3

Predefined debug level: 3
- create device nodes for dsl_cpe_api device driver -
- execute vdsl_cpe_control
[: missing ]
IFXOS - User Thread Startup <tcpmsg>, TID 1026 (PID 609) - ENTER
IFXOS - User Thread Startup <tcpcli>, TID 2051 (PID 610) - ENTER
IFXOS - User Thread Startup <evnthnd>, TID 3076 (PID 612) - ENTER
IFXOS - User Thread Startup <tPipe_0>, TID 4101 (PID 613) - ENTER
IFXOS - User Thread Startup <tPipe_1>, TID 5126 (PID 614) - ENTER
nReturn=0

nReturn=0

nReturn=4

nReturn=0

eth0: change MAC from 00:20:DA:86:23:74 to 5C:33:8E:xx:xx:xx
setup layout ...
[/etc/scripts/layout.sh] [start] ...
[/var/run/layout_start.sh] ...
Start modem layout ...
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
[/etc/templates/cfm/cfm.sh] [restart] ...
[/var/run/cfm_start.sh] ...
Enable ALPHA CFM ...
ENTER - Kernel Thread Startup <autbtex>
<7>ENTER - Kernel Thread Startup <pmex_ne>
<7>ENTER - Kernel Thread Startup <pmex_fe>
[/etc/init.d/S03config.sh] done!
[/etc/init.d/S10system.sh]
start LAN ...
[/etc/templates/lan.sh] [start] ...
[/var/run/lan_start.sh] ...
Start LAN ( br0/192.168.168.168/255.255.255.0)...
start BT Switch configurations ...
start alphaLogd
[/etc/templates/logd.sh] ...
[/var/run/logd_start.sh] ...
Starting logd ...
start Flash Agent ...
>>> ALPHA Log:
/bin/alphaLogd: create logd_ipc(3) OK !
[/etc/templates/flash_agent.sh] [start] ...
[/var/run/flash_agent_start.sh] ...
>>> ALPHA Flash Agent:
16:00:17 FLASHAGENT: Create fa_r_fa_ipc(4) OK !
start BTAgent ...
Starting BTAgent
library_load: start plugin_source/libalpha2.so
library_load: success
library_load: start plugin_source/libbtagent.so
library_load: success
File Path is /BTAgent/rw/btagent.conf
rw config file exists
Versions match
library_load: start plugin_source/libfwm.so
library_load: success
library_load: start plugin_source/liblogger.so
library_load: success
library_load: start plugin_source/libprobe.so
library_load: success
library_load: start plugin_source/librsa.so
library_load: success
main: Loaded source plugins
library_load: start plugin_transport/libsec.so
library_load: success
main: Loaded transport plugins
library_load: start plugin_parse/libxml.so
library_load: success
main: Loaded parse plugins
GPIO 18 set to 0
GPIO 17 set to 1
GPIO 16 set to 1
GPIO 6 set to 1
start alphaHousekeeper
[/etc/templates/housekeeper.sh] [start] ...
[/var/run/housekeeper_start.sh] ...
Starting housekeeper ...
BBU Status: Status Change
BBU Status: Adapter Mode
- presented Inventory information
nReturn=0

nReturn=0 nDirection=0 G994VendorID=(B5,00,49,46,54,4E,53,26) SystemVendorID=(58
,20,45,43,49,4C,20,20) VersionNumber=(35,2E,33,2E,32,2E,36,2E,31,2E,36,20,20,20,
20,20) SerialNumber=(45,35,43,33,33,38,45,38,34,38,39,44,42,20,20,20,20,20,20,20
,20,20,20,20,20,20,20,20,20,20,20,20) SelfTestResult=0 XTSECapabilities=(00,00,0
0,00,00,00,00,07)

[/etc/templates/wan_vlan.sh] [start] ...
[/var/run/wan_vlan_start.sh] ...
Start CPE SPECIFIC WAN VLAN ...
VLAN Enable...
Added VLAN with VID == 301 to IF -:ptm0:-
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mappingptm0.301: Setting MAC address to  5c 33 8e xx xx xx.
VLAN (ptm0.301):  Underlying device (ptm0) has same MAC, not checking promisciou
s mode.
 on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Added VLAN with VID == 101 to IF -:ptm0:-
Added VLAN with VID == 102 to IF -:ptm0:-
Set egress mapping on device -:ptm0.101:- Should be visible in /proc/net/vlan/pt
m0.101
Set egress mapping on device -:ptm0.101:- Should be visible in /proc/netptm0.101
: add 01:00:5e:00:00:01 mcast address to master interface
/vlan/ptm0.101
Set egrptm0.102: add 01:00:5e:00:00:01 mcast address to master interface
ess mapping on device -:ptm0.102:- Should be visible in /proc/net/vlan/ptm0.102
Added VLAN with VID == 101 to IF -:eth0:-
device eth0 left promiscuous mode
br0: port 1(eth0) entering disabled state
Added VLAN with VID == 102 to IF -:eth0:-
eth0.102: dev_set_promiscuity(master, 1)
device eth0 entered promiscuous mode
device eth0.102 entered promiscuous mode
br0: port 1(eth0.101) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0.101) entering forwarding state
DSL[00]: WARNING - SRA not supported by the FW
br0: port 2(eth0.102) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0.102) entering forwarding state
ifx_ppa_init - init succeeded


VID 0 remove is enabled


[/etc/init.d/S10system.sh] done!
rcS done!
- presented Inventory information
- presented Inventory information
nReturn=0

nReturn=0 nDirection=0 G994VendorID=(B5,00,49,46,54,4E,53,26) SystemVendorID=(58
,20,45,43,49,4C,20,20) VersionNumber=(35,2E,33,2E,32,2E,36,2E,31,2E,36,20,20,20,
20,20) SerialNumber=(45,35,43,33,33,38,45,38,34,38,39,44,42,20,20,20,20,20,20,20
,20,20,20,20,20,20,20,20,20,20,20,20) SelfTestResult=0 XTSECapabilities=(00,00,0
0,00,00,00,00,07)

xDSL SILENT

login:
« Last Edit: January 24, 2012, 07:39:46 PM by uklad »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #9 on: January 24, 2012, 12:52:59 PM »

I interrupted the boot process and listed all images found in flash

Code: [Select]
ROM VER: 1.0.5
CFG 01
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa1ffffff
DDR check ok... start booting...



U-Boot 1.0.4 (Oct 18 2010 - 16:20:02)

CLOCK CPU 333M RAM 166M
DRAM:  32 MB

 relocate_code start
 relocate_code finish.

FLASH MANUFACT: c2

FLASH DEVICEID: cb
Flash:  8 MB
In:    serial
Out:   serial
Err:   serial
Net:   fw_addr=0xa0200000
Internal phy(FE) firmware version: 0x0108
vr9 Switch

Type "run flash_flash" to mount root filesystem over flash

Hit 'Esc' key to stop autoboot:  0
VR9 # help
?       - alias for 'help'
askenv  - get environment variables from stdin
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
echo    - echo args to console
erase   - erase FLASH memory
flinfo  - print FLASH memory information
go      - start application at address 'addr'
help    - print online help
imls    - list all images found in flash
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
upgrade - forward/backward copy memory to pre-defined flash location
version - print monitor version
VR9 # imls
Have RSA magic !!!
Image at B0051060:
   Image Name:   MIPS Linux-2.6.20
   Created:      2011-02-14   6:44:17 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3624992 Bytes =  3.5 MB
   Load Address: 80002000
   Entry Point:  802cd000
   Verifying Checksum ... OK
Have RSA magic !!!
Image at B03F1060:
   Image Name:   MIPS Linux-2.6.20
   Created:      2011-08-09   3:31:37 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3629088 Bytes =  3.5 MB
   Load Address: 80002000
   Entry Point:  802cd000
   Verifying Checksum ... OK
VR9 #
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #10 on: January 24, 2012, 04:47:27 PM »

Excellent stuff, uklad!  You're well on the way to cracking it.

Hopefully, the contents of that 8MByte NAND NOR flash can be (hex) dumped over the serial line using the md (memory display) command in the CLI of the uboot bootloader?

What does the flinfo (flash info) command say about the flash device, and its composition?

The definitive book on MIPS Linux is Dominic Sweetman's See MIPS Run (2nd ed). [2]

Sweetman gives a particularly good treatment to the address space, memory mapping and the memory management unit (the TLB) in the MIPS.

Let us know how you get on!  Lots of people will be keenly following your trail-blazing work!

cheers, a

[1] http://www.denx.de/wiki/DULG/UBootCmdGroupMemory
[2] http://books.google.co.uk/books?id=kk8G2gK4Tw8C
« Last Edit: June 19, 2012, 01:02:10 AM by asbokid »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #11 on: January 24, 2012, 05:52:31 PM »

Ok one quick question what address range do I need to dump ?

Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #12 on: January 24, 2012, 06:47:31 PM »

Ok one quick question what address range do I need to dump ?

What does the uboot command flinfo (flash info) reveal?

Quote
Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)

Nice one!  What are the pinouts for the UART header pins? Did you use a cable with a pl2303 bridge?

cheers, a
« Last Edit: January 24, 2012, 07:01:35 PM by asbokid »
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #13 on: January 24, 2012, 07:13:58 PM »

This thread is getting quite interesting and, er, tasty. Excellent work to date.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #14 on: January 24, 2012, 07:18:54 PM »

This thread is getting quite interesting and, er, tasty. Excellent work to date.  :)

LOL more to come...
Logged
Pages: [1] 2 3 ... 21