-
I think these may be of interest to you :)
Chipset is a Lantiq VRX268
(photo: http://img703.imageshack.us/i/img9956v.jpg/)
(photo: http://img684.imageshack.us/i/img9959dw.jpg/)
-
Interesting and useful. Thank you for the images. :)
-
I think these may be of interest to you :)
Chipset is a Lantiq VRX268
Excellent stuff!
The Lantiq (was Infineon) VRX268 has a MIPS32 core. The modem is almost certainly running a MIPS-Linux kernel (i.e. GPL'ed source code). The VDSL2 AFE is the VRX208. [1]
Located due north of the Lantiq CPU is the 64Mbit (8Mbyte) Macronix NOR flash IC. Unusually, it could be on a 16-bit bus. [2]
JTAG/UART pins on the ECI B-Focus (photo, click for full size: http://picturepush.com/public/8843938)
Just west of that NOR flash IC are solder pads for a 7x2 set of header pins.
Those pads are labelled JP2. They almost certainly form the EJTAG test access port (TAP) interface.
The JTAG signals {TMS, TCK, TDI, TDO, TRST} will be found amongst pins {1, 2, 3, 4, 5, 6}
Pins {7, 8, 9} will probably include VCC. A voltmeter will confirm.
Pins {10, 11, 12, 13, 14} are all GND.
Further north of JP2 is JP1. It comprises 4 solder pads. That is likely a UART port running at TTL voltage levels. A serial console can often be obtained through the UART port. It provides a way to interrupt the bootstrap process.
An el cheapo way to interface a modern PC (with no RS232 port) to the UART interface is with a clone Nokia DKU5 phone data cable. The clone DKU5 cable costs as little as £1. The cable contains an integral Prolific Logic PL2303 USB-UART bridge controller. [3] The PL2303 IC performs the voltage shift and packetises the serial bitstream into USB blocks (URBs).
Linux, and maybe Windows, has a kernel device driver for the PL2303. The driver presents the USB device as a dumb serial port. A terminal program like minicom is then used to connect to the router over the serial port.
And away you go :-)
The board also has 512Mbit (64MBytes) of Samsung DDR2-800 SDRAM [4]
Thanks for posting the photos, uklad. Very interesting!
cheers, a
[1] http://www.lantiq.com/uploads/tx_abzlantiqproducts/PB-e-0027-v1_lres.pdf
[2] http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/DBACA1C90564EBB248257639003A563A/$File/MX29LV640ETBver13-1.3.pdf
[3] http://www.prolific.com.tw/eng/products.asp?id=59
[4] http://www.szyuda88.com/uploadfile/cfile/2011311171825213.pdf
EDIT: Shrunk huge photo
-
Re-instating header pins on a PCB
One trick here is to clamp the board vertically while working on it.
The solder pads need to be cleaned out to expose the thru-holes.
From one side of the board, apply heat to one of the solder pads using a fine soldering iron bit.
Simultaneously, and working from the other side of the PCB, use a desoldering pump (solder sucker) to remove the molten solder from the hole.
Repeat for each thru-hole.
Sometimes one or more of the holes isn't properly drilled out.
If so, use a 1mm HSS drill bit and twist it manually between fingers.
Ensure all the holes are clean and free from grease and PCB coating materials.
Install the header pins and solder in place.
Job done!
Attached are some photos showing the reinstatement of header pins for JTAG/UART on the PCB of a Huawei HG612.
-
Lol thanks :) I learnt all that 16 years ago ;) I did have a JTAG somewhere, but I think it was a Xilinx one; the other one I know of is for flashing ATmegas.
-
OK, update for you..
The top header is indeed the console header, but it's running at TTL 3.3V and I don't have a suitable cable.
Pins seem to be, from left to right: TX GND VCC RX.
I will get a suitable cable and get back to you with the output !!
-
Sounds good!
Most JTAG cables will work fine, so long as there are generic drivers available for the cables.
It might be helpful to collect some JTAG resources together in this thread for others' benefit.
Discovering JTAG pinouts
Most JTAG cables will work fine in the pinout discovery process, so long as there is a generic driver available for the cable.
Discovering JTAG pinouts on a PCB is a very common problem. For a given board, the size of the problem can be quantified using Probability Theory.
In the worst case scenario, using ‘brute force’ to discover the JTAG pinout means testing every possible permutation of JTAG signal and header pin.
Formally, the JTAG pinout problem is an r-Permutations challenge. It is described by the notation nPr.
nPr is the number of permutations, or ways to choose, an ordered subset of r items from a set of n objects.
In the case of this board, the set of n objects is a set of 14 header pins. From that set of n pins we need to discover the ordered subset of r pins carrying the JTAG signals.
The formula for nPr is n! / (n-r)! where ! is the factorial symbol, e.g. 7! means (7 x 6 x 5 x 4 x 3 x 2 x 1)
Out of the fourteen header pins on the board, there are six candidate pins. Any of these six pins could potentially carry any of the five JTAG signals {TDO,TDI,TMS,TCK and TRST}.
Here, n is 6 (the number of candidate pins), and r is 5 (the number of JTAG signals).
So nPr = 6! / (6-5)! = 720 permutations.
However, some assumptions can be made which will radically reduce the search space.
One of the JTAG signals (TRST) is optional. TRST resets the JTAG controller when driven low. If we assume that, by default, TRST is pulled up to keep the board out of reset, it can be ignored.
Another JTAG signal (TDO) can be discovered from its floating logic state using an ohmmeter. This is very well explained by Ray “revs-per-min” Haverfield. [1]
That leaves us with just three JTAG signals to find from a choice of five header pins.
Now the scale of the problem is given by 5!/2! = 60 permutations.
That has already shrunk the search space by more than 90%.
We can now take advantage of another property of the JTAG standard. [2]
A JTAG controller will always return to its reset state when the TMS signal is asserted for five or more ticks of the TCK signal. This is illustrated in the attached diagram of the JTAG state machine.
The bit values {0,1} shown in the diagram represent the transitional states of the TMS (Test Mode Select) signal. For example, to transition the JTAG state machine from the Shift_IR state to the Exit1_IR state requires TMS to be asserted for one tick of the TCK signal.
It doesn't matter where you start in the JTAG state machine. Asserting TMS while five ticks are clocked into TCK will always see the JTAG controller returned to its Test_Logic_Reset state:
Once a JTAG device is in that reset state, the 32-bit IDCODE is loaded into the JTAG data register. This loading is done automatically. It doesn’t require any instruction to be shifted in on the TDI line.
Returning to our board. TDO was discovered earlier from its floating logic state. So what this means is that only the TMS and TCK signals need to be found at this stage. TDI can be found later.
By controlling just the TMS and TCK signals from software, the IDCODE value loaded on reset into the data register can be scanned out of the TDO pin. The TDO pin is closely monitored for output that is consistent with a device IDCODE.
Looking at this again as a combinatorial problem:
The value n remains at 5 since we still have five unknown pins. However, r, the number of signals to discover, is now just 2. These are the TMS and the TCK signals.
So nPr is 5!/3! = 20 permutations.
Using these techniques, the discovery of JTAG pinouts is trivialised.
There are software tools, such as JTAG_Finder [3], that can automate the fiddly task of swapping pins during pinout discovery. However, this is rarely necessary. Using the techniques above, the average count of pin-swaps before discovery success is reduced to a manageable number.
In summary, and using this board as an example, a total of 14 pins are reduced to 6 candidate pins. TDO is discovered with an ohmmeter. TRST is ignored. The discovery of TDI is postponed. Software (UrJTAG) is used to navigate the JTAG state machine for each permutation of TCK and TMS, chosen from the five remaining pins. Using these shortcuts, the average count of pin-swaps before discovery is reduced to just 10.
[1] http://forums.whirlpool.net.au/forum-replies.cfm?t=808533&p=9&#r176
[2] http://www.xilinx.com/support/answers/11857.htm
[3] http://elinux.org/JTAG_Finder
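As an added illustration of the reasoning in the post above (this is not the post's own code, nor any real tool), here is a small Python model of the IEEE 1149.1 TAP state machine and of the TMS/TCK search over the five remaining candidate pins. It checks the nPr counts, that five TCK ticks with TMS held high reach Test-Logic-Reset from every state, that the reset-loaded IDCODE can be scanned out by driving only TMS and TCK, and the average number of pin-swaps over all placements. The IDCODE value, pin numbering and the simulated TAP are constructed assumptions.

```python
from itertools import permutations
from math import factorial

# IEEE 1149.1 TAP controller: state -> (next state when TMS=0, next state when TMS=1)
TAP = {
    "TLR":     ("RTI",     "TLR"),
    "RTI":     ("RTI",     "SelDR"),
    "SelDR":   ("CapDR",   "SelIR"),
    "CapDR":   ("ShiftDR", "Exit1DR"),
    "ShiftDR": ("ShiftDR", "Exit1DR"),
    "Exit1DR": ("PauseDR", "UpdDR"),
    "PauseDR": ("PauseDR", "Exit2DR"),
    "Exit2DR": ("ShiftDR", "UpdDR"),
    "UpdDR":   ("RTI",     "SelDR"),
    "SelIR":   ("CapIR",   "TLR"),
    "CapIR":   ("ShiftIR", "Exit1IR"),
    "ShiftIR": ("ShiftIR", "Exit1IR"),
    "Exit1IR": ("PauseIR", "UpdIR"),
    "PauseIR": ("PauseIR", "Exit2IR"),
    "Exit2IR": ("ShiftIR", "UpdIR"),
    "UpdIR":   ("RTI",     "SelDR"),
}

def npr(n, r):
    """Ordered ways of assigning r signals to n candidate pins: n! / (n-r)!."""
    return factorial(n) // factorial(n - r)

def ticks_to_reset(start):
    """TCK ticks with TMS held high needed to reach Test-Logic-Reset from 'start'."""
    state, ticks = start, 0
    while state != "TLR":
        state, ticks = TAP[state][1], ticks + 1
    return ticks

class SimTap:
    """Constructed TAP model (not a real chip): the DR is loaded with the 32-bit
    IDCODE on reset and on Capture-DR and is shifted out LSB first on TDO while
    in Shift-DR. TDI is not modelled (treated as 0), as the post defers finding it."""

    def __init__(self, idcode, start="PauseIR"):
        self.idcode, self.state, self.dr = idcode, start, 0

    def clock(self, tms):
        """One TCK tick at the given TMS level; returns the TDO level."""
        tdo = 0
        if self.state == "ShiftDR":              # shift happens on the tick while in Shift-DR
            tdo, self.dr = self.dr & 1, self.dr >> 1
        self.state = TAP[self.state][tms]
        if self.state in ("TLR", "CapDR"):       # IDCODE loaded automatically, no instruction needed
            self.dr = self.idcode
        return tdo

def scan_idcode(drive):
    """drive(tms) must tick TCK once and return TDO. Reset the TAP with five TMS=1
    ticks, walk TLR -> RTI -> Select-DR -> Capture-DR -> Shift-DR, shift out 32 bits."""
    for _ in range(5):
        drive(1)
    for tms in (0, 1, 0, 0):
        drive(tms)
    bits = [drive(0) for _ in range(32)]
    return sum(bit << i for i, bit in enumerate(bits))

def looks_like_idcode(word):
    """IEEE 1149.1 fixes bit 0 of IDCODE at 1; an all-0 or all-1 word is a stuck pin."""
    return word & 1 == 1 and word not in (0, 0xFFFFFFFF)

def discover_tms_tck(pins, true_tms, true_tck, idcode):
    """Try every ordered (TMS, TCK) guess from the candidate pins until the scanned
    word looks like an IDCODE. Returns (guess, number of pin-swaps needed)."""
    for trial, (tms_pin, tck_pin) in enumerate(permutations(pins, 2), start=1):
        tap = SimTap(idcode)

        def drive(tms):
            if tck_pin != true_tck:      # toggling a pin that is not TCK: nothing is clocked
                return 0
            # the real TMS pin is only driven when guessed correctly; otherwise its
            # pull-up holds it high and the TAP parks in Test-Logic-Reset
            return tap.clock(tms if tms_pin == true_tms else 1)

        if looks_like_idcode(scan_idcode(drive)):
            return (tms_pin, tck_pin), trial
    return None, npr(len(pins), 2)

def mean_swaps(pins, idcode=0x1C0A0A0D):
    """Average pin-swaps over every possible true (TMS, TCK) placement."""
    placements = list(permutations(pins, 2))
    total = sum(discover_tms_tck(pins, tms, tck, idcode)[1] for tms, tck in placements)
    return total / len(placements)

if __name__ == "__main__":
    print(npr(6, 5), npr(5, 3), npr(5, 2))               # 720 60 20
    print(max(ticks_to_reset(s) for s in TAP))          # 5
    print(discover_tms_tck([1, 2, 3, 4, 5], 4, 2, 0x1C0A0A0D))
    print(mean_swaps([1, 2, 3, 4, 5]))                  # 10.5
```

The 10.5 average is the (20+1)/2 expected position of the correct pair among 20 equally likely ordered guesses, which is the "about 10" the post arrives at.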
-
Sounds good!
& some people accuse me of being too precise :lol: :lol: :lol:
-
Serial output on boot :)
ROM VER: 1.0.5
CFG 01
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa1ffffff
DDR check ok... start booting...
U-Boot 1.0.4 (Oct 18 2010 - 16:20:02)
CLOCK CPU 333M RAM 166M
DRAM: 32 MB
relocate_code start
relocate_code finish.
FLASH MANUFACT: c2
FLASH DEVICEID: cb
Flash: 8 MB
In: serial
Out: serial
Err: serial
Net: fw_addr=0xa0200000
Internal phy(FE) firmware version: 0x0108
vr9 Switch
Type "run flash_flash" to mount root filesystem over flash
Hit 'Esc' key to stop autoboot: 0
## Booting image from active region 2 at b03f0000 ...
Check RSA image magic--OK!
Please type [setenv rsa_check 1] !!!
Image Name: MIPS Linux-2.6.20
Created: 2011-08-09 3:31:37 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3629088 Bytes = 3.5 MB
Load Address: 80002000
Entry Point: 802cd000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802cd000) ...
## Giving linux memsize in MB, 32
Starting kernel ...
Infineon xDSL CPE VR9
mips_hpt_frequency = 166666666, counter_resolution = 2
Linux version 2.6.20.19 (hyhuang@BSD7.localdomain) (gcc version 3.4.6 (OpenWrt-2.0)) #1 Tue Aug 9 11:27:46 CST 2011
Active Region: 2
phym = 02000000, mem = 01f00000, max_pfn = 00001f00
Reserving memory for CP1 @0xa1f00000, size 0x00100000
CPU revision is: 00019555
Determined physical RAM map:
User-defined physical RAM map:
memory: 01f00000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Built 1 zonelists. Total pages: 7874
Kernel command line: root=/dev/mtdblock2 ro rootfstype=squashfs ip=5.57.33.103:5.57.33.111::::eth0:on console=ttyS0,115200 ethaddr=5C:33:8E:xx:xxx:xx phym=32M mem=31M panic=1
1 MIPSR2 register sets available
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
Lantiq ICU driver, version 3.0.1, (c) 2001-2010 Lantiq Deutschland GmbH
PID hash table entries: 128 (order: 7, 512 bytes)
Using 166.667 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28152k/31744k available (2239k kernel code, 3592k reserved, 616k data, 156k init, 0k highmem)
Security Framework v1.0.0 initialized
Mount-cache hash table entries: 512
NET: Registered protocol family 16
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
gptu: totally 6 16-bit timers/counters
gptu: misc_register on minor 63
gptu: succeeded to request irq 118
gptu: succeeded to request irq 119
gptu: succeeded to request irq 120
gptu: succeeded to request irq 121
gptu: succeeded to request irq 122
gptu: succeeded to request irq 123
IFX DMA driver, version ifxmips_dma_core.c:v1.0.9
,(c)2009 Infineon Technologies AG
Lantiq CGU driver, version 1.0.9, (c) 2001-2010 Lantiq Deutschland GmbH
Wired TLB entries for Linux read_c0_wired() = 0
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) (SUMMARY) (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered (default)
ifx_pmu_init: Major 252
Lantiq PMU driver, version 1.1.4, (c) 2001-2010 Lantiq Deutschland GmbH
Lantiq GPIO driver, version 1.2.12, (c) 2001-2010 Lantiq Deutschland GmbH
Infineon Technologies RCU driver version 1.0.6
Lantiq LED Controller driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland GmbH
MEI CPE Driver, Version 1.0.2
<6>(c) Copyright 2009, Infineon Technologies AG
<6>### MEI CPE - MEI CPE - MEI CPE - MEI CPE ###
<6>ttyS0 at MMIO 0xbe100c00 (irq = 105) is a IFX_ASC
Lantiq ASC (UART) driver, version 1.0.5, (c) 2001-2010 Lantiq Deutschland GmbH
RAMDISK driver initialized: 1 RAM disks of 6144K size 1024 blocksize
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
IFX SWITCH API, Version 0.9.9.5
SWAPI: Registered character device [switch_api] with major no [81]
Switch API: PCE MicroCode loaded !!
Switch Auto Polling value = 0
GPHY FIRMWARE LOAD SUCCESSFULLY AT ADDR : 310000
IFX GPHY driver FE Mode, version ifxmips_vr9_gphy: V0.6 - Firmware: 109
ifx_nor0: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
[ACTIVE REGION]: 2
RSA_CHECK: 0
squashfsb->s_magic=71736873 SQUASHFS_MAGIC=71736873
ifx_nor0: squashfs filesystem found at 0x4e10a0.
ifx_mtd_init flash0: Using static image partition
Creating 9 MTD partitions on "ifx_nor0":
0x00000000-0x00030000 : "uboot"
0x00030000-0x00040000 : "h/w setting"
0x004e10c0-0x007670c0 : "rootfs"
0x00040000-0x00050000 : "rgdb"
0x00050000-0x003f0000 : "upgrade"
0x003f0000-0x00790000 : "upgrade2"
0x00790000-0x007f0000 : "btagent"
0x00000000-0x00800000 : "flash"
0x00000000-0x00800000 : "<NULL>"
Lantiq MTD NOR driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland GmbH
Registered led device: broadband_led
Registered led device: internet_led
Registered led device: ledc_8
Registered led device: ledc_9
Registered led device: ledc_10
Registered led device: ledc_11
Registered led device: wps_led
Registered led device: ledc_13
Registered led device: ledc_14
Registered led device: usb2_link_led
Registered led device: ledc_16
Registered led device: ledc_17
Registered led device: usb1_link_led
Registered led device: fxo_act_led
Registered led device: internet_red_led
Registered led device: voip_led
Registered led device: warning_led
Registered led device: ledc_23
Lantiq LED driver, version 1.0.15, (c) 2001-2010 Lantiq Deutschland GmbH
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (248 buckets, 1984 max)
GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Bridge firewalling registered
NET: Registered protocol family 8
atmpvc_init() failed with -17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Time: MIPS clocksource has been installed.
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 156k freed
init started: BusyBox v1.00 (2011.08.09-03:28+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5
[/etc/init.d/S03config.sh]
Starting mdev ...
Mounting proc and var ...
JFFS2 notice: (226) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
Start xmldb ...
[/etc/scripts/misc/profile.sh] init ...
[/etc/scripts/misc/profile_action.sh] get ...
[/etc/scripts/misc/defnodes.sh] ...
SH [/etc/defnodes/S10syncnodes.sh] ...
[/etc/defnodes/S10syncnodes.sh] ...
SH [/etc/defnodes/S11setext.sh] ...
[/etc/defnodes/S11setext.sh] ...
PHP [/etc/defnodes/S12setnodes.php] ...
SH [/etc/defnodes/S13setext.sh] ...
[/etc/defnodes/S13setext.sh] ...
PHP [/etc/defnodes/S14setnodes.php] ...
PHP [/etc/defnodes/S16features.php] ...
SH [/etc/defnodes/S19setext.sh] ...
PHP [/etc/defnodes/S20setnodes.php] ...
SH [/etc/defnodes/S20upnp_igd.sh] ...
SH [/etc/defnodes/S21upnp_wfa.sh] ...
SH [/etc/defnodes/S22setext.sh] ...
PHP [/etc/defnodes/S40brand.php] ...
[/etc/scripts/misc/defnodes.sh] Done !!
[/etc/templates/timezone.sh] ...
[/etc/templates/logs.sh] ...
[/var/run/logs_run.sh] ...
ifxmips_ppa_datapath_vr9_e5: module license 'unspecified' taints kernel.
Loading D5 (MII0/1) driver ......
xuliang: warning NONE
Succeeded!
PPE datapath driver info:
Version ID: 128.3.3.1.0.0.1
Family : N/A
DR Type : Normal Data Path | Indirect-Fast Path
Interface : MII0 | MII1
Mode : Routing
Release : 0.0.1
PPE 0 firmware info:
Version ID: 7.1.5.1.0.33
Family : VR9
FW Type : Standard
Interface : MII0/1 + PTM
Mode : reserved - 1
Release : 0.33
PPE 1 firmware info:
Version ID: 7.2.1.6.1.12
Family : VR9
FW Type : Acceleration
Interface : MII0 + MII1
Mode : Bridging + IPv4 Routing
Release : 1.12
PPA API --- init successfully
Init VDSL Driver ...
- VDSL -
- llcs loading!!! -
- loading drv_ifxos.ko -
strings: not found
IFXOS, Version 1.5.11
<6>(c) Copyright 2007, Infineon Technologies AG
<6>### IFXOS - IFXOS - IFXOS - IFXOS ###
- loading drv_dsl_cpe_api.ko
- loading dsl_cpe_api (drv_dsl_cpe_api.ko device) driver -
Lantiq CPE API Driver version: DSL CPE API V4.6.3.5-pd3
Predefined debug level: 3
- create device nodes for dsl_cpe_api device driver -
- execute vdsl_cpe_control
[: missing ]
IFXOS - User Thread Startup <tcpmsg>, TID 1026 (PID 609) - ENTER
IFXOS - User Thread Startup <tcpcli>, TID 2051 (PID 610) - ENTER
IFXOS - User Thread Startup <evnthnd>, TID 3076 (PID 612) - ENTER
IFXOS - User Thread Startup <tPipe_0>, TID 4101 (PID 613) - ENTER
IFXOS - User Thread Startup <tPipe_1>, TID 5126 (PID 614) - ENTER
nReturn=0
nReturn=0
nReturn=4
nReturn=0
eth0: change MAC from 00:20:DA:86:23:74 to 5C:33:8E:xx:xx:xx
setup layout ...
[/etc/scripts/layout.sh] [start] ...
[/var/run/layout_start.sh] ...
Start modem layout ...
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
[/etc/templates/cfm/cfm.sh] [restart] ...
[/var/run/cfm_start.sh] ...
Enable ALPHA CFM ...
ENTER - Kernel Thread Startup <autbtex>
<7>ENTER - Kernel Thread Startup <pmex_ne>
<7>ENTER - Kernel Thread Startup <pmex_fe>
[/etc/init.d/S03config.sh] done!
[/etc/init.d/S10system.sh]
start LAN ...
[/etc/templates/lan.sh] [start] ...
[/var/run/lan_start.sh] ...
Start LAN ( br0/192.168.168.168/255.255.255.0)...
start BT Switch configurations ...
start alphaLogd
[/etc/templates/logd.sh] ...
[/var/run/logd_start.sh] ...
Starting logd ...
start Flash Agent ...
>>> ALPHA Log:
/bin/alphaLogd: create logd_ipc(3) OK !
[/etc/templates/flash_agent.sh] [start] ...
[/var/run/flash_agent_start.sh] ...
>>> ALPHA Flash Agent:
16:00:17 FLASHAGENT: Create fa_r_fa_ipc(4) OK !
start BTAgent ...
Starting BTAgent
library_load: start plugin_source/libalpha2.so
library_load: success
library_load: start plugin_source/libbtagent.so
library_load: success
File Path is /BTAgent/rw/btagent.conf
rw config file exists
Versions match
library_load: start plugin_source/libfwm.so
library_load: success
library_load: start plugin_source/liblogger.so
library_load: success
library_load: start plugin_source/libprobe.so
library_load: success
library_load: start plugin_source/librsa.so
library_load: success
main: Loaded source plugins
library_load: start plugin_transport/libsec.so
library_load: success
main: Loaded transport plugins
library_load: start plugin_parse/libxml.so
library_load: success
main: Loaded parse plugins
GPIO 18 set to 0
GPIO 17 set to 1
GPIO 16 set to 1
GPIO 6 set to 1
start alphaHousekeeper
[/etc/templates/housekeeper.sh] [start] ...
[/var/run/housekeeper_start.sh] ...
Starting housekeeper ...
BBU Status: Status Change
BBU Status: Adapter Mode
- presented Inventory information
nReturn=0
nReturn=0 nDirection=0 G994VendorID=(B5,00,49,46,54,4E,53,26) SystemVendorID=(58,20,45,43,49,4C,20,20) VersionNumber=(35,2E,33,2E,32,2E,36,2E,31,2E,36,20,20,20,20,20) SerialNumber=(45,35,43,33,33,38,45,38,34,38,39,44,42,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20) SelfTestResult=0 XTSECapabilities=(00,00,00,00,00,00,00,07)
[/etc/templates/wan_vlan.sh] [start] ...
[/var/run/wan_vlan_start.sh] ...
Start CPE SPECIFIC WAN VLAN ...
VLAN Enable...
Added VLAN with VID == 301 to IF -:ptm0:-
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Set egress mappingptm0.301: Setting MAC address to 5c 33 8e xx xx xx.
VLAN (ptm0.301): Underlying device (ptm0) has same MAC, not checking promiscious mode.
on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Added VLAN with VID == 101 to IF -:ptm0:-
Added VLAN with VID == 102 to IF -:ptm0:-
Set egress mapping on device -:ptm0.101:- Should be visible in /proc/net/vlan/ptm0.101
Set egress mapping on device -:ptm0.101:- Should be visible in /proc/netptm0.101
: add 01:00:5e:00:00:01 mcast address to master interface
/vlan/ptm0.101
Set egrptm0.102: add 01:00:5e:00:00:01 mcast address to master interface
ess mapping on device -:ptm0.102:- Should be visible in /proc/net/vlan/ptm0.102
Added VLAN with VID == 101 to IF -:eth0:-
device eth0 left promiscuous mode
br0: port 1(eth0) entering disabled state
Added VLAN with VID == 102 to IF -:eth0:-
eth0.102: dev_set_promiscuity(master, 1)
device eth0 entered promiscuous mode
device eth0.102 entered promiscuous mode
br0: port 1(eth0.101) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0.101) entering forwarding state
DSL[00]: WARNING - SRA not supported by the FW
br0: port 2(eth0.102) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0.102) entering forwarding state
ifx_ppa_init - init succeeded
VID 0 remove is enabled
[/etc/init.d/S10system.sh] done!
rcS done!
- presented Inventory information
- presented Inventory information
nReturn=0
nReturn=0 nDirection=0 G994VendorID=(B5,00,49,46,54,4E,53,26) SystemVendorID=(58,20,45,43,49,4C,20,20) VersionNumber=(35,2E,33,2E,32,2E,36,2E,31,2E,36,20,20,20,20,20) SerialNumber=(45,35,43,33,33,38,45,38,34,38,39,44,42,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20,20) SelfTestResult=0 XTSECapabilities=(00,00,00,00,00,00,00,07)
xDSL SILENT
login:
-
I interrupted the boot process and listed all images found in flash
ROM VER: 1.0.5
CFG 01
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa1ffffff
DDR check ok... start booting...
U-Boot 1.0.4 (Oct 18 2010 - 16:20:02)
CLOCK CPU 333M RAM 166M
DRAM: 32 MB
relocate_code start
relocate_code finish.
FLASH MANUFACT: c2
FLASH DEVICEID: cb
Flash: 8 MB
In: serial
Out: serial
Err: serial
Net: fw_addr=0xa0200000
Internal phy(FE) firmware version: 0x0108
vr9 Switch
Type "run flash_flash" to mount root filesystem over flash
Hit 'Esc' key to stop autoboot: 0
VR9 # help
? - alias for 'help'
askenv - get environment variables from stdin
base - print or set address offset
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
echo - echo args to console
erase - erase FLASH memory
flinfo - print FLASH memory information
go - start application at address 'addr'
help - print online help
imls - list all images found in flash
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
tftpboot- boot image via network using TFTP protocol
upgrade - forward/backward copy memory to pre-defined flash location
version - print monitor version
VR9 # imls
Have RSA magic !!!
Image at B0051060:
Image Name: MIPS Linux-2.6.20
Created: 2011-02-14 6:44:17 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3624992 Bytes = 3.5 MB
Load Address: 80002000
Entry Point: 802cd000
Verifying Checksum ... OK
Have RSA magic !!!
Image at B03F1060:
Image Name: MIPS Linux-2.6.20
Created: 2011-08-09 3:31:37 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 3629088 Bytes = 3.5 MB
Load Address: 80002000
Entry Point: 802cd000
Verifying Checksum ... OK
VR9 #
-
Excellent stuff, uklad! You're well on the way to cracking it.
Hopefully, the contents of that 8MByte NAND NOR flash can be (hex) dumped over the serial line using the md (memory display) command in the CLI of the uboot bootloader?
What does the flinfo (flash info) command say about the flash device, and its composition?
The definitive book on MIPS Linux is Dominic Sweetman's See MIPS Run (2nd ed). [2]
Sweetman gives a particularly good treatment to the address space, memory mapping and the memory management unit (the TLB) in the MIPS.
Let us know how you get on! Lots of people will be keenly following your trail-blazing work!
cheers, a
[1] http://www.denx.de/wiki/DULG/UBootCmdGroupMemory
[2] http://books.google.co.uk/books?id=kk8G2gK4Tw8C
-
OK, one quick question: what address range do I need to dump?
Also, I did not mention that I could log in to the unit on the UART console; username and password were admin admin :0)
-
OK, one quick question: what address range do I need to dump?
What does the uboot command flinfo (flash info) reveal?
Also, I did not mention that I could log in to the unit on the UART console; username and password were admin admin :0)
Nice one! What are the pinouts for the UART header pins? Did you use a cable with a pl2303 bridge?
cheers, a
-
This thread is getting quite interesting and, er, tasty. Excellent work to date. :)
-
This thread is getting quite interesting and, er, tasty. Excellent work to date. :)
LOL more to come...
-
Output from flinfo:
Bank # 1: MXIC 29LV640BB (64 Mbit, boot sector SA0~SA126 size 64k bytes,other sectors SA127~SA135 size 8k bytes)
Size: 8 MB in 135 Sectors
Sector Start Addresses:
-
Those who enjoy such things will now be looking out for a source of ECI model B-FOCuS V-2FUb/I Rev.B modems . . .
-
UART pinouts
I used this cable:
http://www.ebay.co.uk/itm/220935415101?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649#ht_2421wt_1254
[attachment deleted by admin]
-
Dumping the NAND now, going to take a while.
-
Dumping the NAND now, going to take a while.
Good stuff! Cheers for the pinout! It will help a lot of others. Did you set your stopwatch? The 8Mbyte NAND in the Huawei takes about 45 mins to dump over a 115,200bps UART, if I recall correctly. That's a posh cable you got there! What is the default port speed setting on the ECI? Are you running Linux or the other one?
-
Port speed is 115,200bps N-8-1.
I'm a Windows user; to be honest, I'm a bit of a noob when it comes to Linux, but I find doing stuff like this is the best way to learn.
-
Are you running Linux or the other one?
Wassup asbokid? Were you choking too much to actually type the 'W' word? :lol:
-
Most things can be done in Windows, but it is often much harder and not worth the extra effort. There are some good live CDs for Linux for those who don't want to commit hard disk space.
Once the NOR flash contents are extracted, there are a couple of Linux tools useful for processing the hex dump.
First there is 'cut', a text processing tool. It can be used to strip the 16 bytes of ASCII chaff from the end of every line in the hex dump, and that leading 'b' from the TLB address mapping:
$ head eciflashdumpdemo.hex
b0000000: 2f830000 409eff38 38600000 4bffff3c /...@..88`..K..<
b0000010: 835e000c 809e0008 2b9a00ff 829e0010 .^......+.......
b0000020: 82be0014 7f45d378 409d000c 3b4000ff .....E.x@...;@..
b0000030: 38a000ff 2b9500ff 409d0008 3aa000ff 8...+...@...:...
b0000040: 8002021c 3bfb000a 7f9f0040 419d002c ....;......@A..,
b0000050: 2f9a0000 419e0014 7c1f0050 3925ffff /...A...|..P9%..
b0000060: 7f890040 419d0014 7fe3fb78 4bf1401d ...@A......xK.@.
b0000070: 7c651b78 48000014 3c00bfff 6000ffff |e.xH...<...`...
$ cut -c 2-45 eciflashdumpdemo.hex
0000000: 2f830000 409eff38 38600000 4bffff3c
0000010: 835e000c 809e0008 2b9a00ff 829e0010
0000020: 82be0014 7f45d378 409d000c 3b4000ff
0000030: 38a000ff 2b9500ff 409d0008 3aa000ff
0000040: 8002021c 3bfb000a 7f9f0040 419d002c
0000050: 2f9a0000 419e0014 7c1f0050 3925ffff
0000060: 7f890040 419d0014 7fe3fb78 4bf1401d
0000070: 7c651b78 48000014 3c00bfff 6000ffff
Another very useful Linux tool is called 'xxd'. It can reverse (-r) the hexdump back into a binary flash image:
$ cut -c 2-45 eciflashdumpdemo.hex | xxd -r > eciflashdumpdemo.bin
$ xxd eciflashdumpdemo.bin
0000000: 2f83 0000 409e ff38 3860 0000 4bff ff3c /...@..88`..K..<
0000010: 835e 000c 809e 0008 2b9a 00ff 829e 0010 .^......+.......
0000020: 82be 0014 7f45 d378 409d 000c 3b40 00ff .....E.x@...;@..
0000030: 38a0 00ff 2b95 00ff 409d 0008 3aa0 00ff 8...+...@...:...
0000040: 8002 021c 3bfb 000a 7f9f 0040 419d 002c ....;......@A..,
0000050: 2f9a 0000 419e 0014 7c1f 0050 3925 ffff /...A...|..P9%..
0000060: 7f89 0040 419d 0014 7fe3 fb78 4bf1 401d ...@A......xK.@.
0000070: 7c65 1b78 4800 0014 3c00 bfff 6000 ffff |e.xH...<...`...
cheers, a
P.S. Ignore Baldie, the agent provocateur. Microsoft secretly pays him to taunt us!
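As an added example (my own code, not the post's cut | xxd -r pipeline), here is the same hex-to-binary conversion in Python with the check the pipeline lacks: a 45-minute serial capture can drop or repeat lines, so this flags gaps, duplicates and console noise instead of silently producing a shifted image. The eight sample lines are the ones shown above; the broken capture is constructed, and the 0xB0000000 base is an assumption from the post's description of the leading 'b'.

```python
"""Rebuild a flash image from the bootloader hex dump captured over the UART.
Added example for this thread.  Each dump line is a kseg1 address
('b0000000' is taken to be flash offset 0), four 32-bit words and 16 chars
of ASCII chaff that must be dropped.  Sample lines are from the post; the
broken capture is constructed."""
import re
from typing import List, Tuple

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{7,8}):\s+((?:[0-9a-fA-F]{8}\s+){3}[0-9a-fA-F]{8})")
KSEG1_FLASH = 0xB0000000   # assumed: uncached MIPS window the NOR is dumped through
ERASED = b"\xff"           # what erased NOR reads as; used to pad gaps


def hexdump_to_bin(text: str, base: int = KSEG1_FLASH,
                   little_endian_words: bool = False) -> Tuple[bytes, List[tuple]]:
    """Return (image, problems).

    problems records what a long serial capture typically suffers:
    ('unparsed', line_no) for console noise, ('gap', start, end) for dropped
    lines (padded with 0xFF so later offsets stay correct), ('duplicate', off)
    for a repeated identical line and ('conflict', off) for a repeated line
    whose bytes differ.  This big-endian MIPS prints words so that their hex
    digits are already in byte order; set little_endian_words for a target
    that prints memory as little-endian words.
    """
    image = bytearray()
    problems: List[tuple] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(("unparsed", line_no))
            continue
        addr = int(m.group(1), 16)
        offset = addr - base if addr >= base else addr   # raw or 'cut' form
        chunk = b"".join(
            bytes.fromhex(w)[::-1] if little_endian_words else bytes.fromhex(w)
            for w in m.group(2).split())
        if offset > len(image):
            problems.append(("gap", len(image), offset))
            image.extend(ERASED * (offset - len(image)))
        elif offset < len(image):
            same = image[offset:offset + len(chunk)] == chunk
            problems.append(("duplicate" if same else "conflict", offset))
            continue
        image.extend(chunk)
    return bytes(image), problems


# The eight lines from the post's eciflashdumpdemo.hex.
SAMPLE_DUMP = """\
b0000000: 2f830000 409eff38 38600000 4bffff3c /...@..88`..K..<
b0000010: 835e000c 809e0008 2b9a00ff 829e0010 .^......+.......
b0000020: 82be0014 7f45d378 409d000c 3b4000ff .....E.x@...;@..
b0000030: 38a000ff 2b9500ff 409d0008 3aa000ff 8...+...@...:...
b0000040: 8002021c 3bfb000a 7f9f0040 419d002c ....;......@A..,
b0000050: 2f9a0000 419e0014 7c1f0050 3925ffff /...A...|..P9%..
b0000060: 7f890040 419d0014 7fe3fb78 4bf1401d ...@A......xK.@.
b0000070: 7c651b78 48000014 3c00bfff 6000ffff |e.xH...<...`...
"""

# Constructed: line 0x10 repeated, line 0x20 lost, then console noise.
BROKEN_DUMP = """\
b0000000: 2f830000 409eff38 38600000 4bffff3c /...@..88`..K..<
b0000010: 835e000c 809e0008 2b9a00ff 829e0010 .^......+.......
b0000010: 835e000c 809e0008 2b9a00ff 829e0010 .^......+.......
b0000030: 38a000ff 2b9500ff 409d0008 3aa000ff 8...+...@...:...
-- capture glitch --
"""

if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_DUMP), ("broken", BROKEN_DUMP)):
        image, problems = hexdump_to_bin(dump)
        print(f"{label}: {len(image)} bytes, problems={problems}")
```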
-
nand dump complete and converted to bin image
-- LINK REMOVED --
-
[nor] dump complete and converted to bin image
http://www.mediafire.com/?1tcdqu616xpfofe (http://www.mediafire.com/?1tcdqu616xpfofe) (EDIT: corrected URL)
Excellent job. You deserve a pint!
The next stage is to identify and separate the components in the flash image.
These components will include the bootloader itself, the Linux kernel image(s), the file system image(s), and usually an area for storing non-volatile configuration data.
From the Linux kernel boot log that you posted earlier, we can see that the kernel was compiled with drivers for the SquashFS file system, and for the JFFS2 file system:
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) (SUMMARY) (C) 2001-2006 Red Hat, Inc.
SquashFS is a read-only file system. It was designed by Phillip Lougher, an expert embedded developer from Wales. SquashFS is often used as the root flash file system in MIPS-based routers, including the Huawei HG612.
JFFS2 is a read-write file system. It was written especially for flash devices and includes wear-levelling to mitigate the weakness in NAND (and NOR) flash storage.
The next task is to identify the boundaries of those components in the flash image. One way to do this is to search for the 'magic numbers' that are stored at the beginning of those firmware components.
SquashFS uses several different magic numbers in the superblock of a file system. These indicate the 'endianness' of the file system (big- or little-endian) and the compression scheme used.
We can use the Linux tool 'grep' to discover those magic numbers:
$ xxd eciflash.bin | grep -A2 'qshs\|sqsh\|hsqs\|shsq'
01410c0: 7173 6873 0000 034c 0000 0000 0d69 6910 qshs...L.....ii.
01410d0: 0000 0000 0000 0008 4001 a000 0003 0000 ........@.......
01410e0: 0f94 0010 c002 014d 58cf 3e00 0000 0015 .......MX.>.....
--
04e10c0: 7173 6873 0000 034c 0000 0000 0d69 6910 qshs...L.....ii.
04e10d0: 0000 0000 0000 0008 4001 a000 0003 0000 ........@.......
04e10e0: 0f94 0010 c002 014e 40aa 1700 0000 0015 .......N@.......
$
It finds two Big Endian SquashFS file systems in the firmware that use LZMA compression. Those compressed file systems start at flash offsets 0x14,10c0 and 0x4e,10c0.
The presence of two file systems (and two kernels), a master and a slave, is a fail-safe mechanism.
The size of each squash file system image is needed now. A tool originally written by Goundoulf, lead developer for the French OpenBox project [1], can be fettled to work with the ECI flash image [2]:
$ ./ecisquash-extract eciflash.bin
Size of firmware 'eciflash.bin' : 5856192 octets
---------------------------------------------------------------
Signature of SquashFS found:
---------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x1410c0
Version SquashFS : 3.0
Octets utilised : 2641669 octets
Date of creation : Mon Feb 14 06:44:14 2011
---------------------------------------------------------------
Signature of SquashFS found:
---------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x4e10c0
Version SquashFS : 3.0
Octets utilised : 2642454 octets
Date of creation : Tue Aug 9 04:31:35 2011
---------------------------------------------------------------
The Linux tool 'dd' is used to isolate those SquashFS images into separate files:
$ dd if=eciflash.bin of=ecirootfs1 bs=1 skip=$((0x1410c0)) count=2641669
2641669+0 records in
2641669+0 records out
2641669 bytes (2.6 MB) copied, 5.69564 s, 464 kB/s
From the boot log, we can see that Junjiro Okajima's patch (JRO) for LZMA compression was applied to the squashfs kernel driver.
We must now search for a compatible version of the unsquashfs tool for the PC to decompress the file system, in readiness for unlocking it.
cheers, a
[1] http://svn.gna.org/svn/openbox4/trunk/tools/nb4-extract/
[2] https://docs.google.com/open?id=0B.... (https://docs.google.com/open?id=0B6wW18mYskvBZWUwZWQyYjAtNjhiMS00ZmUwLTg0ZDEtZTkzODNhZTMwNGZh)
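Added example, my own code rather than the grep and ecisquash-extract steps above: it scans a dump for the four SquashFS 3 magic variants, decodes the packed 3.x superblock to get the byte order, inode count, uid/gid counts, creation time and bytes_used (the count to hand to dd), and rejects stray matches. The layout is the packed struct squashfs_super_block from squashfs_fs.h of SquashFS 3.0-3.4; the dump scanned is constructed, with the first superblock carrying the values the hexdump and tool output above show for the image at 0x1410c0.

```python
"""Find SquashFS 3.x superblocks in a raw flash dump and decode them.
Added example for this thread (not grep/ecisquash-extract).  Layout is the
packed struct squashfs_super_block of SquashFS 3.0-3.4 (squashfs_fs.h).
The dump scanned here is constructed, not the ECI image."""
import struct
from datetime import datetime, timezone
from typing import List, NamedTuple

# On-disk magic -> (byte order, compressor).  'qshs'/'shsq' are the sqlzma
# (slax/JRO) LZMA variants; the ECI boot log shows s_magic=71736873 = 'qshs'.
MAGICS = {b"sqsh": ("big", "zlib"), b"hsqs": ("little", "zlib"),
          b"qshs": ("big", "LZMA"), b"shsq": ("little", "LZMA")}

# 119-byte packed superblock.  The bitfield pairs (s_major/s_minor,
# block_size_1/block_log, flags/no_uids/no_guids) sit at these byte
# positions on both big- and little-endian builds, so one format serves.
SB_FMT = "IIIIIIIHHHHBBBIQIIIqqqqqqq"
SB_LEN = struct.calcsize("=" + SB_FMT)


class SuperBlock(NamedTuple):
    offset: int
    endian: str
    compression: str
    version: str
    inodes: int
    block_size: int
    no_uids: int
    no_guids: int
    mkfs_time: int
    bytes_used: int


def parse_superblock(img: bytes, off: int) -> SuperBlock:
    """Decode the superblock whose magic is at img[off]; ValueError on junk."""
    endian, comp = MAGICS[img[off:off + 4]]
    f = struct.unpack_from((">" if endian == "big" else "<") + SB_FMT, img, off)
    if f[7] != 3:   # SquashFS 2.x/4.x reuse the zlib magics with another layout
        raise ValueError(f"not a 3.x superblock at {off:#x}")
    sb = SuperBlock(off, endian, comp, f"{f[7]}.{f[8]}", inodes=f[1],
                    block_size=f[16], no_uids=f[12], no_guids=f[13],
                    mkfs_time=f[14], bytes_used=f[19])
    if not 0 < sb.bytes_used <= len(img) - off:
        raise ValueError(f"bytes_used {sb.bytes_used} overruns the dump")
    return sb


def scan_squashfs(img: bytes) -> List[SuperBlock]:
    """Every plausible SquashFS 3.x superblock in the dump, by offset."""
    found = []
    for magic in MAGICS:
        pos = img.find(magic)
        while pos != -1:
            if pos + SB_LEN <= len(img):
                try:
                    found.append(parse_superblock(img, pos))
                except ValueError:
                    pass        # four bytes that merely spell a magic
            pos = img.find(magic, pos + 1)
    return sorted(found, key=lambda s: s.offset)


def mkfs_utc(sb: SuperBlock) -> str:
    """Creation time in UTC (the thread's tools print local time)."""
    return datetime.fromtimestamp(sb.mkfs_time, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def dd_command(src: str, dst: str, sb: SuperBlock) -> str:
    """The dd line that carves this image out, as used in the thread."""
    return f"dd if={src} of={dst} bs=1 skip=$(({sb.offset:#x})) count={sb.bytes_used}"


def build_superblock(endian: str, comp: str, **v) -> bytes:
    """Constructed 3.0 superblock; table offsets are left at zero."""
    magic = next(m for m, tag in MAGICS.items() if tag == (endian, comp))
    bo = ">" if endian == "big" else "<"
    fields = [struct.unpack(bo + "I", magic)[0], v["inodes"], 0, 0, 0, 0, 0,
              3, 0, 0, v["block_log"], v["flags"], v["no_uids"], v["no_guids"],
              v["mkfs_time"], 0, 1 << v["block_log"], v["fragments"], 0,
              v["bytes_used"], 0, 0, 0, 0, 0, 0]
    return struct.pack(bo + SB_FMT, *fields)


def build_sample_image() -> bytes:
    """Constructed 3 MiB dump: a BE LZMA fs at 0x40 carrying the inode, uid,
    gid, time and size values the thread shows for the first ECI image, a LE
    zlib fs at 0x290000, and a stray 'hsqs' that must be rejected."""
    img = bytearray(b"\xff" * 0x300000)
    img[0x40:0x40 + SB_LEN] = build_superblock(
        "big", "LZMA", inodes=844, block_log=16, flags=0xC0, no_uids=2,
        no_guids=1, mkfs_time=0x4D58CF3E, fragments=42, bytes_used=2641669)
    img[0x290000:0x290000 + SB_LEN] = build_superblock(
        "little", "zlib", inodes=12, block_log=17, flags=0, no_uids=1,
        no_guids=1, mkfs_time=0x4E40AA17, fragments=1, bytes_used=4096)
    img[0x2F0000:0x2F0004] = b"hsqs"
    return bytes(img)


if __name__ == "__main__":
    for sb in scan_squashfs(build_sample_image()):
        print(f"{sb.offset:#08x} {sb.endian}-endian {sb.compression} v{sb.version}"
              f" inodes={sb.inodes} created={mkfs_utc(sb)}")
        print("  " + dd_command("dump.bin", f"rootfs_{sb.offset:#x}", sb))
```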
-
Are you running Linux or the other one?
Wassup asbokid? Were you choking too much to actually type the 'W' word? :lol:
Do I detect that the Baldy_Bird is a real big closet Redmond 'doze fanatic? :tongue: :sick: :vomit:
-
nand dump complete and converted to bin image
http://dl.dropbox.com/u/6134482/ecinand.rar
Excellent job. You deserve a pint!
Let's see what is available -- :drink:
-
I will do a new dump tonight I know what I was doing wrong now :)
-
Silly question time.
As that ECI B-FOCuS modem was supplied as the active NTE for your FTTC service, with it in a disembowelled state, what are you currently using? ???
-
Silly question time.
As that ECI B-FOCuS modem was supplied as the active NTE for your FTTC service, with it in a disembowelled state, what are you currently using? ???
It's in bits until the wife wants to watch iPlayer, then I put it back together LOL. I could do with a HG612 donation :)
-
Hi UKLad.
The Huaweis do crop up from time to time on ebay. As for hacking the ECI, now that you've obtained a full flash dump, most of the work can be done on the PC, and the ECI can be re-instated on your FTTC line.
In theory, the userspace in the firmware can even run in MIPS emulation on a PC.
We can try now to discover a compatible version of the unsquashfs tool so we can examine the file system and its contents.
That may be an interesting exercise. From discussions with Jeremy Collake and Craig Heffner, who built and maintain the Firmware Modification Kit [1], the ECI VDSL2 modem is running yet another tweaked version of the squashfs kernel driver.
Attempts at unsquashing the root file system image using existing tools are throwing up all sorts of strange errors, mainly from the LZMA decompression code. As such, only part of the file system can be extracted.
Corporations like Lantiq and Broadcom have a history of tweaking embedded file system drivers in undocumented ways. This is done to foil independent development. The idea is to modify the file system and its compression scheme in secret ways to make it difficult to unlock for modification. This attitude is disappointing. These giant Corporations rely heavily on open source software (because of the huge cost savings) and yet they feed back very little to the open source community. It is a parasitic relationship. *sigh!*
That said, one version of the unsquashfs tool from the Kit at [1] works in part, but bombs out half way through. Amending the file system that you extracted worked correctly; the mksquashfs successfully appended new files to the existing squashfs image.
cheers, a
[1] http://bitsum.com/firmware_mod_kit.htm
-
You will have a full dump tonight. I know exactly what I did wrong; soon as the kids are in bed and the wife is at work ;)
-
NAND dump done right I think
http://www.mediafire.com/?1tcdqu616xpfofe
Regards
-
excellent work, uklad! an exhilarating sensation, like donating blood?!
cheers, a
---
A bit of progress..
This is based on the 8MByte NOR flash image that UKLad kindly uploaded. The development machine is running Debian Wheezy..
The firmware for the ECI has two root file systems in it. One is a failsafe. However, the two file systems are not the same. One was built several months earlier than the other. Both file systems are read-only SquashFS format, with Big-Endian byte-sex and compressed with the JRO patch for LZMA compression. A compatible version of the squashfs tools to decompress these images is yet to be found.
There is also a read-write JFFS2 file system in the flash. JFFS2 is a dedicated flash file system with wear-levelling, garbage collection and fault recovery.
Demonstrated below is the extraction and mounting of that JFFS2 file system on a Linux AMD64 machine. The JFFS2 file system in this ECI contains just one file, btagent.conf. BTAgent is a TR-069 remote management tool. The btagent.conf file contains configuration data for the BTAgent tool.
$ md5sum eciflashdump8mb.bin
2a2db35f797546c0e3e036a469a942d4 eciflashdump8mb.bin
$ ./ecisquash-extract eciflashdump8mb.bin
Size of firmware 'eciflashdump8mb.bin' : 8388608 octets
----------------------------------------------------------------
Signature of SquashFS found:
----------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x1410c0
Version SquashFS : 3.0
Octets utilised : 284f05 octets
Date of creation : Mon Feb 14 06:44:14 2011
----------------------------------------------------------------
Signature of SquashFS found:
----------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x4e10c0
Version SquashFS : 3.0
Octets utilised : 285216 octets
Date of creation : Tue Aug 9 04:31:35 2011
----------------------------------------------------------------
$ dd if=eciflashdump8mb.bin of=ecirootfs1 bs=1 skip=$((0x1410c0)) count=$((0x284f05))
2641669+0 records in
2641669+0 records out
2641669 bytes (2.6 MB) copied, 3.36489 s, 785 kB/s
$ dd if=eciflashdump8mb.bin of=ecirootfs2 bs=1 skip=$((0x4e10c0)) count=$((0x285216))
2642454+0 records in
2642454+0 records out
2642454 bytes (2.6 MB) copied, 3.40498 s, 776 kB/s
$ dd if=eciflashdump8mb.bin of=jffs2 bs=1 skip=$((0x790000)) count=$((0x10000))
65536+0 records in
65536+0 records out
65536 bytes (66 kB) copied, 0.09391 s, 698 kB/s
$ sudo apt-get install mtd-tools
$ sudo jffs2dump --bigendian jffs2 --endianconvert=jffs2.le
$ sudo modprobe mtdblock
$ sudo modprobe jffs2
$ sudo modprobe mtdram total_size=30000
$ cat /proc/mtd
dev: size erasesize name
mtd0: 01d4c000 00020000 "mtdram test device"
$ sudo dd if=./jffs2.le of=/dev/mtdblock0
128+0 records in
128+0 records out
65536 bytes (66 kB) copied, 0.001695 s, 38.7 MB/s
$ sudo mount -t jffs2 /dev/mtdblock0 /mnt/
$ ls -l /mnt/
total 1
-rw-r--r-- 1 root root 681 Jan 1 2000 btagent.conf
$ cat /mnt/btagent.conf
|BTAgent.ForceReboot||1|ForceReboot
|BTAgent.Restart||1|Restart
|BTAgent.Version|1.21|4|
|BTAgent.FirmwareInformServerIP|firmware.mms.bt.com|6|
|BTAgent.FirmwareInformServerPort|80|6|
|BTAgent.FirmwareInformRequest|GET /%s.txt?modelName=%s&manufacturer=%s&serialnumber=%s&firmwareversion=%s%s HTTP/1.1|6|
|BTAgent.FirmwareInformPeriod|86400|6|
|BTAgent.Default.FirmwareInformPeriod|86400|4|
|BTAgent.Default.FirmwarePullEnable|0|4|
|BTAgent.FirmwarePullEnable|0|6|
|BTAgent.FirmwarePullDelay|0|6|
|BTAgent.FirmwareSupported||6|
|BTAgent.FirmwareAdditional1||6|
|BTAgent.FirmwareAdditional2||6|
|BTAgent.MaxAttempts|10|6|
|BTAgent.ConnectTimeout|60|6|
|BTAgent.TimeoutMultiple|2|6|
$
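Added example, my own code alongside the mtd-utils/mtdram route above: a small JFFS2 node walker that reads the carved 64 KiB block directly in either byte order. It confirms what that route assumes, namely that the bytes at 0x790000 really begin with JFFS2 nodes, which endianness they were written in (the reason jffs2dump --endianconvert was needed on an x86 host), and that each node's header CRC is intact. The partition it walks is constructed to mimic the one-file 'btagent' block, not the real dump; the CRC variant and struct layouts follow the JFFS2 on-disk format.

```python
"""Walk the node chain of a carved JFFS2 partition in either byte order.
Added example for this thread, alongside the mtd-utils/mtdram route above:
it checks that the 64 KiB carved at 0x790000 really starts with JFFS2 nodes,
which endianness they were written in (why jffs2dump --endianconvert was
needed on an x86 host) and that each header CRC is intact.  The partition
below is constructed to mimic the ECI's one-file 'btagent' block."""
import struct
import zlib
from typing import Dict, List

JFFS2_MAGIC = 0x1985
NODETYPE_CLEANMARKER = 0x2003
NODETYPE_DIRENT = 0xE001
DT_REG = 8                  # dirent type: regular file
ERASE_SIZE = 0x10000        # one 64 KiB NOR erase block, as carved with dd


def jffs2_crc(data: bytes) -> int:
    """JFFS2's CRC-32: seed 0 and no final inversion, unlike plain zlib.crc32."""
    return (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF


def detect_endian(img: bytes) -> str:
    """struct byte-order prefix implied by the magic of the first node."""
    if img[:2] == b"\x19\x85":
        return ">"
    if img[:2] == b"\x85\x19":
        return "<"
    raise ValueError("no JFFS2 magic at offset 0: wrong carve offset?")


def walk_nodes(img: bytes) -> List[Dict]:
    """Decode every node header (plus dirent names) until erased space."""
    bo, off, nodes = detect_endian(img), 0, []
    while off + 12 <= len(img):
        if img[off:off + 4] == b"\xff\xff\xff\xff":        # erased: skip block
            off = (off // ERASE_SIZE + 1) * ERASE_SIZE
            continue
        magic, ntype, totlen, hdr_crc = struct.unpack_from(bo + "HHII", img, off)
        node = {"offset": off, "type": ntype, "totlen": totlen,
                "hdr_crc_ok": magic == JFFS2_MAGIC
                and hdr_crc == jffs2_crc(img[off:off + 8])}
        if not node["hdr_crc_ok"] or totlen < 12:
            nodes.append(node)
            break                  # totlen cannot be trusted to find the next node
        if ntype == NODETYPE_DIRENT:
            pino, ver, ino, mctime, nsize, _ = struct.unpack_from(bo + "IIIIBB", img, off + 12)
            name_crc, = struct.unpack_from(bo + "I", img, off + 36)
            name = img[off + 40:off + 40 + nsize]
            node.update(pino=pino, ino=ino, version=ver, mctime=mctime,
                        name=name.decode("ascii", "replace"),
                        name_crc_ok=name_crc == jffs2_crc(name))
        nodes.append(node)
        off += (totlen + 3) & ~3   # nodes are 4-byte aligned
    return nodes


def build_node(bo: str, ntype: int, body: bytes = b"") -> bytes:
    """Constructed node: header, hdr_crc over the first 8 header bytes, body."""
    hdr = struct.pack(bo + "HHI", JFFS2_MAGIC, ntype, 12 + len(body))
    return hdr + struct.pack(bo + "I", jffs2_crc(hdr)) + body


def build_dirent(bo: str, pino: int, ino: int, version: int, name: bytes) -> bytes:
    """Constructed jffs2_raw_dirent; node_crc covers the 32 bytes before it."""
    hdr = struct.pack(bo + "HHI", JFFS2_MAGIC, NODETYPE_DIRENT, 40 + len(name))
    hdr += struct.pack(bo + "I", jffs2_crc(hdr))
    # mctime 946684800 = 2000-01-01, the date the thread's ls -l shows
    body = struct.pack(bo + "IIIIBBxx", pino, version, ino, 946684800, len(name), DT_REG)
    crcs = struct.pack(bo + "II", jffs2_crc(hdr + body), jffs2_crc(name))
    return hdr + body + crcs + name


def build_sample_partition(bo: str = ">") -> bytes:
    """One erase block: cleanmarker, a dirent for btagent.conf, then 0xFF."""
    img = bytearray(b"\xff" * ERASE_SIZE)
    nodes = build_node(bo, NODETYPE_CLEANMARKER)
    nodes += build_dirent(bo, pino=1, ino=2, version=1, name=b"btagent.conf")
    img[:len(nodes)] = nodes
    return bytes(img)


if __name__ == "__main__":
    part = build_sample_partition()
    print("byte order:", "big" if detect_endian(part) == ">" else "little")
    for n in walk_nodes(part):
        print(f"{n['offset']:#06x} type={n['type']:#06x} len={n['totlen']}"
              f" crc_ok={n['hdr_crc_ok']} name={n.get('name', '-')}")
```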
-
Any updates uklad?
-
Any updates uklad?
Line Status
Line Status: Connected
Operational Mode: VDSL2-17a
CO VendorID: IFTN
CO Version: 0xB201
DownStream Parameter
Max BitRate: 131990 kbps
ActualBitRate: 39998 kbps PASS
Capacity: 30.3 %
Latency: Fast
UpStream Parameter
Max BitRate: 32787 kbps
ActualBitRate: 9995 kbps PASS
Capacity: 30.5 %
Latency: Fast
Vendor ID is IFTN, basically Infineon (now Lantiq), and we now know the ECI Openreach modems use Lantiq chipsets...
On a side note I'm liking my Max BitRates, 132Mbps down, 32Mbps up; lots of scope for the future :)
-
A bit of progress with the squashfs root file system found in the ECI NOR flash image that was uploaded by uklad.
From the kernel boot log, we can see the following:
...
Kernel command line: root=/dev/mtdblock2 ro rootfstype=squashfs ip=5.57.33.103:5.57.33.111::::eth0:on console=ttyS0,115200 ethaddr=5C:33:8E:xx:xxx:xx phym=32M mem=31M panic=1
....
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
....
squashfsb->s_magic=71736873 SQUASHFS_MAGIC=71736873
ifx_nor0: squashfs filesystem found at 0x4e10a0.
ifx_mtd_init flash0: Using static image partition
Creating 9 MTD partitions on "ifx_nor0":
0x00000000-0x00030000 : "uboot"
0x00030000-0x00040000 : "h/w setting"
0x004e10c0-0x007670c0 : "rootfs"
0x00040000-0x00050000 : "rgdb"
0x00050000-0x003f0000 : "upgrade"
0x003f0000-0x00790000 : "upgrade2"
0x00790000-0x007f0000 : "btagent"
0x00000000-0x00800000 : "flash"
0x00000000-0x00800000 : "<NULL>"
....
VFS: Mounted root (squashfs filesystem) readonly.
The unsquashfs tool for that specific version (3.2-r2-lzma) of squashfs strangely doesn't work:
$ src/others/squashfs-3.2-r2-lzma/squashfs3.2-r2/squashfs-tools/unsquashfs -ls ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
Can't find a SQUASHFS superblock on ecirootfs2
$
Yet a slightly later version (3.3-lzma) of the tool will obtain the superblock info for the fs image.
$ ~/src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs -stat ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
Found a valid big endian SQUASHFS 3:0 superblock on ecirootfs2.
Creation or last append time Tue Aug 9 04:31:35 2011
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Check data is not present in the filesystem
Fragments are present in the filesystem
Always_use_fragments option is not specified
Duplicates are removed
Filesystem size 2580.52 Kbytes (2.52 Mbytes)
Block size 65536
Number of fragments 42
Number of inodes 844
Number of uids 2
Number of gids 1
$
That version will also list the full contents of the squashfs file system. (The full list is attached in a .txt file to this post.)
$ ~/src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs -lls ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
drwxr-xr-x 505/users 181 2011-08-09 04:31 squashfs-root
drwxr-xr-x 505/users 26 2011-08-09 04:31 squashfs-root/BTAgent
drwxr-xr-x 505/users 280 2011-08-09 04:31 squashfs-root/BTAgent/ro
-rwxr-xr-x 505/users 13 2011-08-09 04:31 squashfs-root/BTAgent/ro/RWPath
-rwxr-xr-x 505/users 10701 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent
-rwxr-xr-x 505/users 681 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent.conf
-rwxr-xr-x 505/users 183 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagentstart.sh
-rwxr-xr-x 505/users 5392 2011-08-09 04:31 squashfs-root/BTAgent/ro/libparseplugins.so
-rwxr-xr-x 505/users 6372 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugin.so
-rwxr-xr-x 505/users 5924 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugins.so
-rwxr-xr-x 505/users 7316 2011-08-09 04:31 squashfs-root/BTAgent/ro/libsourceplugins.so
-rwxr-xr-x 505/users 8264 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtcp.so
-rwxr-xr-x 505/users 5888 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtransportplugins.so
drwxr-xr-x 505/users 26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse
-rwxr-xr-x 505/users 14956 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse/libxml.so
drwxr-xr-x 505/users 108 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source
-rwxr-xr-x 505/users 7944 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libalpha2.so
-rwxr-xr-x 505/users 10212 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libbtagent.so
-rwxr-xr-x 505/users 14248 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libfwm.so
-rwxr-xr-x 505/users 14316 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/liblogger.so
-rwxr-xr-x 505/users 7836 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libprobe.so
-rwxr-xr-x 505/users 27328 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/librsa.so
drwxr-xr-x 505/users 26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport
-rwxr-xr-x 505/users 51820 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport/libsec.so
-rwxr-xr-x 505/users 286 2011-08-09 04:31 squashfs-root/BTAgent/ro/publickeys.dat
-rwxr-xr-x 505/users 183 2011-08-09 04:31 squashfs-root/BTAgent/ro/start
drwxr-xr-x 505/users 3 2011-08-09 04:31 squashfs-root/BTAgent/rw
drwxr-xr-x 505/users 456 2011-08-09 04:31 squashfs-root/bin
-rwxr-xr-x 505/users 17992 2011-08-09 04:31 squashfs-root/bin/alphaFlashAgent
-rwxr-xr-x 505/users 33992 2011-08-09 04:31 squashfs-root/bin/alphaHousekeeper
-rwxr-xr-x 505/users 10512 2011-08-09 04:31 squashfs-root/bin/alphaLogd
-rwxr-xr-x 505/users 5272 2011-08-09 04:31 squashfs-root/bin/alpha_flash_cmd
-rwxrwxr-x 505/users 461960 2011-08-09 04:31 squashfs-root/bin/busybox
lrwxrwxrwx 505/users 7 2011-08-09 04:31 squashfs-root/bin/cat -> busybox
[..snipped..]
-rw-r--r-- 505/users 21189 2011-08-09 04:31 squashfs-root/www/layout/alpha.css
drwxr-xr-x 505/users 19 2011-08-09 04:31 squashfs-root/www/locale
drwxr-xr-x 505/users 20 2011-08-09 04:31 squashfs-root/www/locale/en
drwxr-xr-x 505/users 3 2011-08-09 04:31 squashfs-root/www/locale/en/dsc
drwxr-xr-x 505/users 230 2011-08-09 04:31 squashfs-root/www/public
-rw-r--r-- 505/users 402 2011-08-09 04:31 squashfs-root/www/public/__all_need.js
-rw-r--r-- 505/users 2775 2011-08-09 04:31 squashfs-root/www/public/__button.js
-rw-r--r-- 505/users 3173 2011-08-09 04:31 squashfs-root/www/public/__comm.js
-rw-r--r-- 505/users 2595 2011-08-09 04:31 squashfs-root/www/public/__display.js
-rw-r--r-- 505/users 227 2011-08-09 04:31 squashfs-root/www/public/__head.js
-rw-r--r-- 505/users 7992 2011-08-09 04:31 squashfs-root/www/public/__ip.js
-rw-r--r-- 505/users 10249 2011-08-09 04:31 squashfs-root/www/public/__js_comm.js
-rw-r--r-- 505/users 4252 2011-08-09 04:31 squashfs-root/www/public/__menu.js
-rw-r--r-- 505/users 2242 2011-08-09 04:31 squashfs-root/www/public/__no_changes.js
-rw-r--r-- 505/users 184 2011-08-09 04:31 squashfs-root/www/public/__session_timeout.js
-rw-r--r-- 505/users 1473 2011-08-09 04:31 squashfs-root/www/public/__tb_display.js
-rwxr-xr-x 505/users 2115 2011-08-09 04:31 squashfs-root/www/public/__tree.js
-rw-r--r-- 505/users 13508 2011-08-09 04:31 squashfs-root/www/public/__wan_adv.js
lrwxrwxrwx 505/users 17 2011-08-09 04:31 squashfs-root/www/syslog -> /var/log/messages
lrwxrwxrwx 505/users 17 2011-08-09 04:31 squashfs-root/www/tsyslog.rg -> /var/log/tlogsmsg
$
Yet, using the very same version of unsquashfs to actually uncompress the squashfs image, an error is thrown by the LZMA code:
$ ~/src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs -li ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
drwxr-xr-x 505/users 181 2011-08-09 04:31 squashfs-root
drwxr-xr-x 505/users 26 2011-08-09 04:31 squashfs-root/BTAgent
drwxr-xr-x 505/users 280 2011-08-09 04:31 squashfs-root/BTAgent/ro
-rwxr-xr-x 505/users 13 2011-08-09 04:31 squashfs-root/BTAgent/ro/RWPath
-rwxr-xr-x 505/users 10701 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent
-rwxr-xr-x 505/users 681 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent.conf
-rwxr-xr-x 505/users 183 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagentstart.sh
-rwxr-xr-x 505/users 5392 2011-08-09 04:31 squashfs-root/BTAgent/ro/libparseplugins.so
-rwxr-xr-x 505/users 6372 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugin.so
-rwxr-xr-x 505/users 5924 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugins.so
-rwxr-xr-x 505/users 7316 2011-08-09 04:31 squashfs-root/BTAgent/ro/libsourceplugins.so
-rwxr-xr-x 505/users 8264 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtcp.so
-rwxr-xr-x 505/users 5888 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtransportplugins.so
drwxr-xr-x 505/users 26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse
-rwxr-xr-x 505/users 14956 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse/libxml.so
drwxr-xr-x 505/users 108 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source
-rwxr-xr-x 505/users 7944 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libalpha2.so
-rwxr-xr-x 505/users 10212 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libbtagent.so
-rwxr-xr-x 505/users 14248 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libfwm.so
-rwxr-xr-x 505/users 14316 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/liblogger.so
-rwxr-xr-x 505/users 7836 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libprobe.so
-rwxr-xr-x 505/users 27328 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/librsa.so
drwxr-xr-x 505/users 26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport
-rwxr-xr-x 505/users 51820 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport/libsec.so
-rwxr-xr-x 505/users 286 2011-08-09 04:31 squashfs-root/BTAgent/ro/publickeys.dat
-rwxr-xr-x 505/users 183 2011-08-09 04:31 squashfs-root/BTAgent/ro/start
drwxr-xr-x 505/users 3 2011-08-09 04:31 squashfs-root/BTAgent/rw
drwxr-xr-x 505/users 456 2011-08-09 04:31 squashfs-root/bin
-rwxr-xr-x 505/users 17992 2011-08-09 04:31 squashfs-root/bin/alphaFlashAgent
-rwxr-xr-x 505/users 33992 2011-08-09 04:31 squashfs-root/bin/alphaHousekeeper
-rwxr-xr-x 505/users 10512 2011-08-09 04:31 squashfs-root/bin/alphaLogd
-rwxr-xr-x 505/users 5272 2011-08-09 04:31 squashfs-root/bin/alpha_flash_cmd
-rwxrwxr-x 505/users 461960 2011-08-09 04:31 squashfs-root/bin/busybox
err -22
sqlzma_un: LZMA Unknown error 18446744073709551594
Aborted
$
The saga continues!..
[attachment deleted by admin]
-
good work my friend keep at it :)
-
Any more updates mate?
-
Any more updates mate?
Any information obtained will be revealed, in good time. ;)
Advice: "Nay harry a hacker". ::)
-
Any more updates mate?
Any information obtained will be revealed, in good time. ;)
Advice: "Nay harry a hacker". ::)
;) not that I'm any the wiser
-
Any more updates mate?
Hi Josh,
Debug output to the squashfs tools has been enabled.
From call tracing, it looks like ECI has achieved a 'lock-down' by patching the LZMA compression code for squashfs, the root file system used in the device. [1]
Specifically, code in the file LzmaDecode.c (part of the LZMA Software Development Kit [2]) is unexpectedly returning an LZMA_RESULT_DATA_ERROR when decoding one of the squashfs data blocks to a large file.
No obvious explanations yet for why that is happening!
It may simply be that Lantiq, who built the toolchain, has cobbled together an arbitrary version of squashfs with an arbitrary version of the LZMA decoder.
We now have a compatible version of the squashfs tools (v.3.3) [3] insofar as the tools can correctly read the metadata of the file system: the superblock, the directory structures, the inodes and the data blocks.
The search now is to find a compatible version of LZMA Decode to correctly decompress those data blocks.
If the theory is correct, that version of LZMA decoder will have to be patched into squashfs, just as Lantiq is believed to have done.
cheers, a
[1] https://sourceforge.net/projects/squashfs/files/squashfs/
[2] https://sourceforge.net/projects/sevenzip/files/LZMA%20SDK/
[3] http://firmware-mod-kit.googlecode.com/svn-history/trunk/trunk/src/others/squashfs-3.3-lzma/
-
Any more updates mate?
Hi Josh,
Debug output to the squashfs tools has been enabled. From call tracing, it looks like ECI has achieved a 'vendor lock' by patching the LZMA compression code for squashfs, the root file system used in the ECI.
Specifically, code in the file LzmaDecode.c (part of the LZMA SDK) is unexpectedly returning an LZMA_RESULT_DATA_ERROR when decoding one of the squashfs data blocks to a large file.
No obvious explanations yet for why that is happening!
cheers, a
Bastardos!! I may have to have a poke around in some of the shell scripts that set up the VLANs on the LAN ports and see if I can allocate an IP to VLAN 102 that is associated to LAN 2
-
Hi uklad!
BT locked the Huawei by firewalling all LAN-side access to the device. It is by dropping the relevant firewall rule(s) that LAN-side access is re-enabled.
In Linux, the kernel-level firewall is called netfilter. We can see from the ECI boot logs you uploaded that the code for netfilter is compiled 'monolithically' into the kernel image itself.
The kernel-side of the Linux firewalling framework is normally interfaced with the userspace using a tool called iptables. [1]
iptables is invoked by init scripts to define the firewall rule chains.
However, in the case of the ECI, that is not how it is done.
The kernel boot logs reveal the presence of the netfilter kernel modules but there is no sign of any corresponding iptables binary in the root file system. As such, it's not clear how the firewall is actually configured.
The iptables tool is not strictly needed to configure the firewall. Its functioning could be replicated through kernel calls hidden away in other userspace code. That's not a normal thing to do though. Maybe it is being used here to obfuscate?
With a serial console, it should still be possible to determine exactly what is being run at boot time. And, in particular, how and where the firewall is configured. It's just a case of following the boot sequence.
The first userspace process executed by every Unix machine is '/sbin/init'. The 'init' process is shown as process id (pid) #1.
In many embedded systems, /sbin/init is actually a symbolic link to /bin/busybox. Busybox attempts to mimic the functionality of Unix System V initscripts, but without the resource overheads.
The init process loads its configuration from the file /etc/inittab [2]
That inittab config file identifies the scripts that are to be executed by the init process.
The code invoked by those scripts will configure the firewall. ;-)
Studying those initscripts should reveal the nature of the firewalling, and how to remove the firewall rules. Ultimately this could be used to re-enable LAN-side access to the web interface.
cheers, a
[1] http://www.netfilter.org/
[2] http://www.kerneltravel.net/downloads/Building.Embedded.Linux.Systems.pdf (ch. 6.8)
-
The squashfs tools are currently running on a development machine.
Igor Pavlov's LZMA (Lempel–Ziv–Markov Algorithm) used by squashfs to compress the data blocks in the ECI file system has been isolated. The Algorithm can now be used to process an individual compressed data block from the file system. This allows each variant of LZMA to be tested for compatibility with the ECI. At this stage it is suspected that no compatible version is publicly available.
First impressions are that Pavlov's decompression code has been modified at a very low-level by ECI and/or Lantiq. Those code tweaks serve as a mechanism to lock the device.
Those source-level modifications to LZMA have not been published.
ECI has a US$2.5 billion deal to supply DSLAMs and CPE to British Telecom. Surely those whose software is used by ECI in this equipment deserve a share in that bonanza.
cheers, a
-
Bit of an update..
The squashfs root file system of the ECI can be decompressed and extracted, with the exception of just two data blocks of ~20kBytes each. [1]
$ sudo ./unsquashfs ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
err -22
sqlzma_un: LZMA Unknown error 18446744073709551594
err -22
sqlzma_un: LZMA Unknown error 18446744073709551594
created 612 files
created 83 directories
created 118 symlinks
created 31 devices
created 0 fifos
$
A tarball of the uncompressed file system contents for the ECI, including those two corrupted blocks, can be found at [1].
The extraction requires a one line patch to the read_data_block() function of the unsquashfs tool. The patch is simply to stop it aborting on error:
int read_data_block(long long start, unsigned int size, char *block) {
    int res;
    unsigned long bytes = block_size;
    int c_byte = SQUASHFS_COMPRESSED_SIZE_BLOCK(size);

    TRACE("read_data_block: block @0x%llx, %d %s bytes\n", start,
        SQUASHFS_COMPRESSED_SIZE_BLOCK(c_byte),
        SQUASHFS_COMPRESSED_BLOCK(c_byte) ? "compressed" : "uncompressed");

    if(SQUASHFS_COMPRESSED_BLOCK(size)) {
        enum {Src, Dst};
        struct sized_buf sbuf[] = {
            {.buf = (void *)data, .sz = c_byte},
            {.buf = (void *)block, .sz = bytes}
        };

        if(read_bytes(start, c_byte, data) == FALSE)
            return 0;

        res = sqlzma_un(&un, sbuf + Src, sbuf + Dst);
        if (res) {
            TRACE("read_data_block: abort() because res = sqlzma_un = %08x\n", res);
            // abort();
        }
        bytes = un.un_reslen;
        return bytes;
    } else {
        if(read_bytes(start, c_byte, block) == FALSE)
            return 0;
        return c_byte;
    }
}
(the code is from the squashfs-3.3-lzma version [2])
This is an unsatisfactory hack. And it still doesn't explain why the decompression of 2 data blocks is failing while decompression of the remaining 150+ blocks is successful.
There are three principal configuration parameters to LZMA Decode. These are the number of literal context bits (lc), the position bits (pb) and the literal position bits (lp) where 0<=lc<=8, 0<=pb<=4, 0<=lp<=4. I won't pretend to understand their role but in total, there are 225 (9*5*5) parameter options for the LZMA decoder.
The decoder was tested with every one of those 225 combinations against those two errant blocks. Yet no combination would work. It is likely that the unpublished modification to the LZMA code, whatever it involves, is subtle enough to cause this obscure incompatibility.
An authority on compression algorithms is David Salomon. He is author of the book, Data Compression: The Complete Reference (3rd 4th Edition). It is available from Amazon and as a PDF. Chapter Three is dedicated to Dictionary-based compression schemes, of which LZMA is one. [3]
Chapter Three runs to ~80 pages, so it will take some digesting. In the interim, a request has been filed with ECI for the publication of *all* the GPL'ed and LGPL'ed source code for this device.
Igor Pavlov, who originally designed LZMA, and graciously made his code open source is very accommodating to questions. Whatever it is that ECI-Lantiq-AlphaNetworks have done to nobble LZMA in this device, Pavlov may hopefully help us to find out. [4]
Another leading light in his field is Armijn Hemel. Hemel is the co-founder of the Binary Analysis Tool (BAT) project. [5] BAT is a forensic tool for discovering violations in software licensing, such as those we have uncovered in this ECI equipment. The BAT project is studying the use of file system tweaks to lock an embedded device. BAT documents the squashfs tweaks used by several manufacturers, including Realtek, RaLink and Broadcom. The ECI tweak is sadly not amongst those documented (but watch this space!)
Armijn Hemel is also lead compliance engineer at gpl-violations.org, an organisation that actively pursues errant corporations that have stolen others' software for their own enrichment. [6]
Hemel and colleagues take particular interest in securing the Intellectual Property Rights of the BusyBox project. BusyBox is an efficient, multi-function utility for embedded hardware. ECI, like many other router manufacturers, has misappropriated BusyBox for the firmware to this FTTC device. BusyBox is GPL licensed, and the terms of that licence are perfectly clear.
ECI publishes a glossy brochure affirming its Corporate Responsibilities. One of those commitments is to abide by international treaties and obligations as well as local law.
ECI must put those solemn words into practice. That means no less than the full publication of all source code for all (L)GPL'ed licensed software used in this device. In the past, ECI had a poor track record for GPL Compliance. It is time to rectify that. Today, General Counsel (and Vice President) for ECI is Arnie Taragin.
So Cough up the Code, Arnie!
[1] https://docs.google.com/leaf?id=0B6wW18m.. (https://docs.google.com/leaf?id=0B6wW18mYskvBOTU2N2E2NzUtYWM1MS00ZWI5LTg5ZmItZThiMjIzZDI4N2M3&hl=en_US)
[2] http://code.google.com/p/firmware-mod-kit/source/browse/trunk/trunk/src/others/?r=282
[3] http://www.amazon.com/Data-Compression-Reference-David-Salomon/dp/0387406972
[4] https://sourceforge.net/projects/sevenzip/forums/forum/45797
[5] http://www.binaryanalysis.org/en/home
[6] http://www.nytimes.com/2010/09/26/business/26ping.html
-
Been rummaging through your filesystem dump to look for scripts configuring the modem to be 'locked down'. No dice. Would put money on said files being in that block you can't get to.
That, or it's configured by some arbitrary binary that I've overlooked.
Edit: Also, quite an amusing and bemusing "default" response by Mr Pavlov over at Sourceforge where you raised the issue. But it does indeed look like there are no licensing issues arising from providing a mangled LZMA filesystem due to the LZMA SDK being released into the public domain.
-
Been rummaging through your filesystem dump to look for scripts configuring the modem to be 'locked down'. No dice. Would put money on said files being in that block you can't get to.
That, or it's configured by some arbitrary binary that I've overlooked.
Edit: Also, quite an amusing and bemusing "default" response by Mr Pavlov over at Sourceforge where you raised the issue.
I have been working on this at the moment. I have only just got in from work right now so I cannot elaborate, but it appears LAN port 2 is disabled on boot-up, then put on VLAN 102 and bridged with the VDSL (I think). Not only that, the telnet and HTTP servers are disabled on boot. I found a script that enables the HTTP server and telnet, but I have been unable to reactivate LAN 2.
-
This is an unsatisfactory hack. And it still doesn't explain why the decompression of 2 data blocks is failing while decompression of the remaining 150+ blocks is successful.
Is it possible I have done a bad NAND dump?
-
Hi Orbixx!
Been rummaging through your filesystem dump to look for scripts configuring the modem to be 'locked down'. No dice. Would put money on said files being in that block you can't get to.
That, or it's configured by some arbitrary binary that I've overlooked.
Indeedy. It's not all bad news though. All the web resources are accessible, and we now know there's a telnet daemon in the firmware.
Edit: Also, quite an amusing and bemusing "default" response by Mr Pavlov over at Sourceforge where you raised the issue.
Mr Pavlov seems unfamiliar with these file system locks which are built upon his own compression scheme.[1] Whoever is designing those locks for various manufacturers must have a deep working knowledge of the LZMA compression scheme.
But it does indeed look like there are no licensing issues arising from providing a mangled LZMA filesystem due to the LZMA SDK being released into the public domain.
Hmm... I ain't no lawyer (so please ignore at your pleasure) but Phillip Lougher released his squashfs Linux kernel device driver under the GNU GPL. As such, the LZMA patch to squashfs is a "derived" or "derivative" work. So the LZMA squashfs patch is surely GPL'ed, too. This case is reinforced when the squashfs code is compiled into the kernel image, as it is in the ECI firmware.
At least that's how I read it. But then I'm not a lawyer!
cheers, a
[1] https://tjaldur.nl:8443/repos/gpltool/trunk/bat-extratools/
-
This is an unsatisfactory hack. And it still doesn't explain why the decompression of 2 data blocks is failing while decompression of the remaining 150+ blocks is successful.
Is it possible I have done a bad NAND dump?
You done good :-)
cheers, a
-
Not an update as such, just some links to material that may interest others.
David Salomon is the author of the book Data Compression - The Complete Reference. The book is now in its fourth edition. A small excerpt from the chapter on Dictionary Methods of compression is attached. The Dictionary-based LZMA scheme used to compress the root file system in the ECI is briefly addressed in those excerpted pages.
Igor Pavlov has kindly replied to inquiries about the tweaking of LZMA as a locking mechanism for embedded file systems. [1]
He suggests that perhaps the headers of the two corrupted data blocks from the ECI root file system, and specifically the header field containing the uncompressed size of those data blocks, may have been corrupted in some way.
This theory has yet to be tested. However, the two corrupted blocks happen to be in the middle of two files, rather than at the ends of them. It's difficult to see how corrupting the header in this way would work.
Pavlov points to a thread from 2010 from the squashfs mailing list where a similar problem was discussed. Phillip Lougher, who designed squashfs, and Lasse Collin who designed XZ, an updated compression tool, discuss the backward compatibility of LZMA(1). [2]
In that thread, Lougher helpfully lists the different tools offering LZMA decompression. This codebase includes Pavlov's LZMA SDK, Collin's liblzma, and the lzma1 decompressor from the Linux kernel.
Surprisingly, the Wikipedia entry for LZMA has a reasonably coherent article on the algorithm. [3]
In the manual for LZip which is a "simplified version of the LZMA algorithm", the author of LZip, Antonio Diaz Diaz, briefly describes the range encoder that is the engine at the heart of the LZMA compression scheme. [4]
cheers, a
[1] http://sourceforge.net/projects/sevenzip/forums/forum/45797/topic/4994244
[2] http://old.nabble.com/Squashfs-4.1-creates-invalid-.lzma-streams-td30217833.html
[3] http://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm
[4] http://lzip.nongnu.org/manual/lzip_manual.html#Algorithm
[attachment deleted by admin]
-
Maybe a stupid question, but do you get the same decompression issue with the fail-safe firmware?
-
Hi uklad,
Both of the squashfs-lzma file systems found in the ECI firmware (identified below as ecirootfs1 and ecirootfs2) cause the LZMA decoder to throw an error:
$ cd ~/Documents/btinfinity/eci_asbo001/squashfs-3.3-lzma-asbo001/squashfs3.3/squashfs-tools
$ ls -ln ecirootfs*
-rw-r--r-- 1 1000 1000 2641669 Feb 14 2011 06:44 ecirootfs1
-rw-r--r-- 1 1000 1000 2642454 Aug 9 2011 04:31 ecirootfs2
Here is ecirootfs1, which is the older of the two file systems. As such it is the slave, or the 'fail-safe':
$ sudo ./unsquashfs -d ./ecirootfs1-squashfs-root/ ecirootfs1
Reading a different endian SQUASHFS filesystem on ecirootfs1
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
created 612 files
created 83 directories
created 118 symlinks
created 31 devices
created 0 fifos
$
And now ecirootfs2, the newer of the two squashfs images from the ECI firmware:
$ sudo ./unsquashfs -d ./ecirootfs2-squashfs-root/ ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
created 612 files
created 83 directories
created 118 symlinks
created 31 devices
created 0 fifos
$
We should check whether the decompression errors are occurring in the same block numbers in those two different file systems. This could give a better insight into the locking mechanism, and its implementation.
For curiosity's sake, here is a diff of the two root file systems - the main and the slave - from the ECI firmware. We can see that there are binary differences in the busybox binary. This causes diffs for all symlinks to busybox (e.g. /bin/cat, /bin/chmod, etc.). Once those duplicate diffs are ignored, the two file systems are very similar.
Noteworthy is that there are differences in the Lantiq DSP hardware driver blob (xcpe_hw.bin).
$ diff -r ecirootfs*-squ*
Binary files ecirootfs1-squashfs-root/bin/busybox and ecirootfs2-squashfs-root/bin/busybox differ
Binary files ecirootfs1-squashfs-root/bin/cat and ecirootfs2-squashfs-root/bin/cat differ
Binary files ecirootfs1-squashfs-root/bin/chmod and ecirootfs2-squashfs-root/bin/chmod differ
Binary files ecirootfs1-squashfs-root/bin/cp and ecirootfs2-squashfs-root/bin/cp differ
Binary files ecirootfs1-squashfs-root/bin/date and ecirootfs2-squashfs-root/bin/date differ
Binary files ecirootfs1-squashfs-root/bin/dd and ecirootfs2-squashfs-root/bin/dd differ
Binary files ecirootfs1-squashfs-root/bin/df and ecirootfs2-squashfs-root/bin/df differ
Binary files ecirootfs1-squashfs-root/bin/echo and ecirootfs2-squashfs-root/bin/echo differ
Binary files ecirootfs1-squashfs-root/bin/egrep and ecirootfs2-squashfs-root/bin/egrep differ
Binary files ecirootfs1-squashfs-root/bin/false and ecirootfs2-squashfs-root/bin/false differ
Binary files ecirootfs1-squashfs-root/bin/fgrep and ecirootfs2-squashfs-root/bin/fgrep differ
Binary files ecirootfs1-squashfs-root/bin/grep and ecirootfs2-squashfs-root/bin/grep differ
Binary files ecirootfs1-squashfs-root/bin/gunzip and ecirootfs2-squashfs-root/bin/gunzip differ
Binary files ecirootfs1-squashfs-root/bin/gzip and ecirootfs2-squashfs-root/bin/gzip differ
Binary files ecirootfs1-squashfs-root/bin/kill and ecirootfs2-squashfs-root/bin/kill differ
Binary files ecirootfs1-squashfs-root/bin/ln and ecirootfs2-squashfs-root/bin/ln differ
Binary files ecirootfs1-squashfs-root/bin/login and ecirootfs2-squashfs-root/bin/login differ
Binary files ecirootfs1-squashfs-root/bin/ls and ecirootfs2-squashfs-root/bin/ls differ
Binary files ecirootfs1-squashfs-root/bin/mkdir and ecirootfs2-squashfs-root/bin/mkdir differ
Binary files ecirootfs1-squashfs-root/bin/mknod and ecirootfs2-squashfs-root/bin/mknod differ
Binary files ecirootfs1-squashfs-root/bin/more and ecirootfs2-squashfs-root/bin/more differ
Binary files ecirootfs1-squashfs-root/bin/mount and ecirootfs2-squashfs-root/bin/mount differ
Binary files ecirootfs1-squashfs-root/bin/msh and ecirootfs2-squashfs-root/bin/msh differ
Binary files ecirootfs1-squashfs-root/bin/mv and ecirootfs2-squashfs-root/bin/mv differ
Binary files ecirootfs1-squashfs-root/bin/ping and ecirootfs2-squashfs-root/bin/ping differ
Binary files ecirootfs1-squashfs-root/bin/ps and ecirootfs2-squashfs-root/bin/ps differ
Binary files ecirootfs1-squashfs-root/bin/pwd and ecirootfs2-squashfs-root/bin/pwd differ
Binary files ecirootfs1-squashfs-root/bin/rm and ecirootfs2-squashfs-root/bin/rm differ
Binary files ecirootfs1-squashfs-root/bin/sed and ecirootfs2-squashfs-root/bin/sed differ
Binary files ecirootfs1-squashfs-root/bin/sh and ecirootfs2-squashfs-root/bin/sh differ
Binary files ecirootfs1-squashfs-root/bin/sleep and ecirootfs2-squashfs-root/bin/sleep differ
Binary files ecirootfs1-squashfs-root/bin/touch and ecirootfs2-squashfs-root/bin/touch differ
Binary files ecirootfs1-squashfs-root/bin/true and ecirootfs2-squashfs-root/bin/true differ
Binary files ecirootfs1-squashfs-root/bin/umount and ecirootfs2-squashfs-root/bin/umount differ
Binary files ecirootfs1-squashfs-root/bin/uname and ecirootfs2-squashfs-root/bin/uname differ
Binary files ecirootfs1-squashfs-root/bin/usleep and ecirootfs2-squashfs-root/bin/usleep differ
Binary files ecirootfs1-squashfs-root/bin/zcat and ecirootfs2-squashfs-root/bin/zcat differ
[..snipped - errors from missing symlinks and from reading device nodes..]
diff -r ecirootfs1-squashfs-root/etc/config/builddate ecirootfs2-squashfs-root/etc/config/builddate
1c1
< 2011-02-14 14:44
---
> 2011-08-09 11:31
diff -r ecirootfs1-squashfs-root/etc/config/buildno ecirootfs2-squashfs-root/etc/config/buildno
1c1
< b2ee
---
> b89b
diff -r ecirootfs1-squashfs-root/etc/config/buildrev ecirootfs2-squashfs-root/etc/config/buildrev
1c1
< 3067
---
> 3123
Binary files ecirootfs1-squashfs-root/etc/config/defaultvalue.gz and ecirootfs2-squashfs-root/etc/config/defaultvalue.gz differ
Binary files ecirootfs1-squashfs-root/ifx/vdsl2/drv_dsl_cpe_api.ko and ecirootfs2-squashfs-root/ifx/vdsl2/drv_dsl_cpe_api.ko differ
Binary files ecirootfs1-squashfs-root/ifx/vdsl2/drv_ifxos.ko and ecirootfs2-squashfs-root/ifx/vdsl2/drv_ifxos.ko differ
Binary files ecirootfs1-squashfs-root/ifx/vdsl2/xcpe_hw.bin and ecirootfs2-squashfs-root/ifx/vdsl2/xcpe_hw.bin differ
Binary files ecirootfs1-squashfs-root/lib/libsystem.so and ecirootfs2-squashfs-root/lib/libsystem.so differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/connector/cn.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/connector/cn.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/dummy.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/dummy.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/platform/vr9/e5/ifxmips_ppa_datapath_vr9_e5.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/platform/vr9/e5/ifxmips_ppa_datapath_vr9_e5.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/platform/vr9/e5/ifxmips_ppa_hal_vr9_e5.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/platform/vr9/e5/ifxmips_ppa_hal_vr9_e5.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/ppa_api/ifx_ppa_api.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/ppa_api/ifx_ppa_api.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/ppa_api/ifx_ppa_api_proc.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/ppa_api/ifx_ppa_api_proc.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/fs/configfs/configfs.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/fs/configfs/configfs.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/security/capability.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/security/capability.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/security/commoncap.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/security/commoncap.ko differ
Binary files ecirootfs1-squashfs-root/sbin/getty and ecirootfs2-squashfs-root/sbin/getty differ
Binary files ecirootfs1-squashfs-root/sbin/ifconfig and ecirootfs2-squashfs-root/sbin/ifconfig differ
Binary files ecirootfs1-squashfs-root/sbin/init and ecirootfs2-squashfs-root/sbin/init differ
Binary files ecirootfs1-squashfs-root/sbin/insmod and ecirootfs2-squashfs-root/sbin/insmod differ
Binary files ecirootfs1-squashfs-root/sbin/lsmod and ecirootfs2-squashfs-root/sbin/lsmod differ
Binary files ecirootfs1-squashfs-root/sbin/mdev and ecirootfs2-squashfs-root/sbin/mdev differ
Binary files ecirootfs1-squashfs-root/sbin/modprobe and ecirootfs2-squashfs-root/sbin/modprobe differ
Binary files ecirootfs1-squashfs-root/sbin/reboot and ecirootfs2-squashfs-root/sbin/reboot differ
Binary files ecirootfs1-squashfs-root/sbin/rmmod and ecirootfs2-squashfs-root/sbin/rmmod differ
Binary files ecirootfs1-squashfs-root/sbin/route and ecirootfs2-squashfs-root/sbin/route differ
Binary files ecirootfs1-squashfs-root/sbin/swapoff and ecirootfs2-squashfs-root/sbin/swapoff differ
Binary files ecirootfs1-squashfs-root/sbin/swapon and ecirootfs2-squashfs-root/sbin/swapon differ
Binary files ecirootfs1-squashfs-root/sbin/sysctl and ecirootfs2-squashfs-root/sbin/sysctl differ
Binary files ecirootfs1-squashfs-root/usr/bin/[ and ecirootfs2-squashfs-root/usr/bin/[ differ
Binary files ecirootfs1-squashfs-root/usr/bin/basename and ecirootfs2-squashfs-root/usr/bin/basename differ
Binary files ecirootfs1-squashfs-root/usr/bin/cut and ecirootfs2-squashfs-root/usr/bin/cut differ
Binary files ecirootfs1-squashfs-root/usr/bin/dirname and ecirootfs2-squashfs-root/usr/bin/dirname differ
Binary files ecirootfs1-squashfs-root/usr/bin/expr and ecirootfs2-squashfs-root/usr/bin/expr differ
Binary files ecirootfs1-squashfs-root/usr/bin/free and ecirootfs2-squashfs-root/usr/bin/free differ
Binary files ecirootfs1-squashfs-root/usr/bin/killall and ecirootfs2-squashfs-root/usr/bin/killall differ
Binary files ecirootfs1-squashfs-root/usr/bin/logger and ecirootfs2-squashfs-root/usr/bin/logger differ
Binary files ecirootfs1-squashfs-root/usr/bin/mpstat and ecirootfs2-squashfs-root/usr/bin/mpstat differ
Binary files ecirootfs1-squashfs-root/usr/bin/test and ecirootfs2-squashfs-root/usr/bin/test differ
Binary files ecirootfs1-squashfs-root/usr/bin/test_agent and ecirootfs2-squashfs-root/usr/bin/test_agent differ
Binary files ecirootfs1-squashfs-root/usr/bin/tftp and ecirootfs2-squashfs-root/usr/bin/tftp differ
Binary files ecirootfs1-squashfs-root/usr/bin/top and ecirootfs2-squashfs-root/usr/bin/top differ
Binary files ecirootfs1-squashfs-root/usr/bin/tr and ecirootfs2-squashfs-root/usr/bin/tr differ
Binary files ecirootfs1-squashfs-root/usr/bin/uptime and ecirootfs2-squashfs-root/usr/bin/uptime differ
Binary files ecirootfs1-squashfs-root/usr/bin/wc and ecirootfs2-squashfs-root/usr/bin/wc differ
Binary files ecirootfs1-squashfs-root/usr/bin/wget and ecirootfs2-squashfs-root/usr/bin/wget differ
Binary files ecirootfs1-squashfs-root/usr/bin/yes and ecirootfs2-squashfs-root/usr/bin/yes differ
Binary files ecirootfs1-squashfs-root/usr/sbin/cfm and ecirootfs2-squashfs-root/usr/sbin/cfm differ
$
The file /etc/config/defaultvalue.gz also looks interesting. It is a compressed XML-based configuration file for the modem.
Note the XML element <activate> found under <lantiq_vr9_generic_asl56026><switch><port id="2"><activate>0</activate> in that config file. Presumably, by setting that element value to 1, the second ethernet port on the modem is re-activated. The element <lan_access_cpe_enable> probably needs to have a value of 1, as well.
$ cat ecirootfs2-squashfs-root/etc/config/defaultvalue.gz | gunzip
<lantiq_vr9_generic_asl56026>
<check>
<is_factory>factory</is_factory>
</check>
<vdsl2>
<infineon>
<fw_variant>VA</fw_variant>
<annex>A</annex>
<adsl_encaps>1</adsl_encaps>
<default_vpi_vci>1</default_vpi_vci>
<line_config>
<filter>0</filter>
<hw_hybrid>2</hw_hybrid>
<line_mode>102</line_mode>
</line_config>
</infineon>
</vdsl2>
<switch>
<bypass_mode>0</bypass_mode>
<lan_access_cpe_enable>0</lan_access_cpe_enable>
<discard_specific_pkt>1</discard_specific_pkt>
<igmp_queue>3</igmp_queue>
<port id="1">
<vid>101</vid>
<pri>2</pri>
<loopback>0</loopback>
<activate>1</activate>
<special_vlan>0</special_vlan>
</port>
<port id="2">
<vid>102</vid>
<pri>7</pri>
<loopback>0</loopback>
<activate>0</activate>
<special_vlan>0</special_vlan>
</port>
</switch>
<wan>
<physical_type>1</physical_type>
<enable_dhcp60>0</enable_dhcp60>
<dhcp_option60></dhcp_option60>
<enable_dhcp61>0</enable_dhcp61>
<dhcp_iaid></dhcp_iaid>
<dhcp_duid>0</dhcp_duid>
<enable_dhcp125>0</enable_dhcp125>
<dhcp_option125></dhcp_option125>
<enable_prepadt>0</enable_prepadt>
<dsl>
<defaultroute>1</defaultroute>
<inf id="1">
<mode>1</mode>
<enable>1</enable>
<atm>
<pvc>
<settings>
<vpi>8</vpi>
<vci>35</vci>
</settings>
</pvc>
</atm>
<ptm>
<vtag>
<settings>
<connection>connection1</connection>
<enable>1</enable>
<vid>301</vid>
<priority>5</priority>
<bt>
<enable>1</enable>
<wan_vid1>101</wan_vid1>
<wan_vid2>102</wan_vid2>
</bt>
</settings>
</vtag>
</ptm>
<dhcp>
<hostname></hostname>
<clonemac></clonemac>
<autodns>1</autodns>
<mtu>1500</mtu>
</dhcp>
<static>
<mode>1</mode>
<ip>5.60.39.51</ip>
<netmask>255.0.0.0</netmask>
<gateway>5.21.97.200</gateway>
<clonemac></clonemac>
<mtu>1500</mtu>
</static>
</inf>
[...snipped...]
</lantiq_vr9_generic_asl56026>
The decompressed modem config file from ecirootfs2 is attached below.
cheers, a
[attachment deleted by admin]
-
Interesting. I spent some time trying to get port 2 active with no luck.
Do you know what files are failing during the decompression?
-
Hi uklad,
Interesting. I spent some time trying to get port 2 active with no luck.
One trick is as follows:
Copy that file /etc/config/defaultvalue.gz from the squashfs read-only root file system to a read-write file system (e.g. a ramdisk).
Modify that read-writable copy with the desired configurations.
Re-mount the modified file over the top of the original in the read-only squashfs.
(See the Linux/busybox manpage for mount, and the --bind option.)
Force the config software - the firmware utility that actually reads the contents of that file - to re-load it.
Since this doesn't modify the squashfs system it is non-destructive. The hack is described well by paul at sbrk.co.uk at [1].
Do you know what files are failing during the decompression?
One of those two bad LZMA data blocks is in the middle of the 461,960 byte busybox binary. It is block #7 of 8, @ 0x32edc in ecirootfs2.
Igor Pavlov's suggestions are currently under test. His theory is that maybe just the data block headers are corrupted, while the data in those blocks is actually okay.
Each data block in the squashfs-lzma file system is prepended with a 13-byte LZMA header. This header contains an 8-bit field in which the lc, lp and pb parameters for the LZMA decoder are stored, as well as a 32-bit field to hold the dictionary size, and a 64-bit field for the uncompressed size of the block.
Below we can see the header from a good block (test1.lzma) and then the header of a bad block (test2.lzma). Both headers are clearly identical. Both have a decoder configuration of 0x5d, both use a dictionary size of 0x800000 (8Mbytes), and both blocks apparently uncompress to a size of 0x10000 (65,536) bytes.
$ cd ~/Documents/btinfinity/eci_asbo001/lzma439_asbo002/C/7zip/Compress/LZMA_C
$ xxd -l 13 test1.lzma
0000000: 5d00 0080 0000 0001 0000 0000 00 ]............
$ xxd -l 13 test2.lzma
0000000: 5d00 0080 0000 0001 0000 0000 00 ]............
What Igor Pavlov is suggesting is that perhaps the value in the uncompressed size field of a bad block has been faked. When the LZMA decoder discovers at run-time that the uncompressed size is not what it expected, the decoder aborts with an error. Igor Pavlov says that perhaps this is the method used for locking the squashfs file system in the ECI.
The easiest way to test that theory is to repeatedly feed the same bad data block through the LZMA decoder. In each iteration, the uncompressed size field is increased. This is repeated until an error is reported by the LZMA decoder.
That's what is shown below. We can see that the compressed bitstream in the bad data block can be decoded up until byte 31,869. Remember, however, that in the header of that data block, the uncompressed size of the block was recorded as 65,536 bytes.
This identifies one of two things.
Either it reveals the genuine uncompressed size of the data block, or it reveals the point at which the compressed bitstream is corrupted (forcing the decoder to abort.)
$ ./lzmadec test2.lzma test2.bin
Opened test2.lzma
compressedSize = 17129
outSizeFull = 65536
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17079) : returned res = 0 (success) -- inProcessed = 7525, outProcessed = 17079
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17080) : returned res = 0 (success) -- inProcessed = 7525, outProcessed = 17080
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17081) : returned res = 0 (success) -- inProcessed = 7525, outProcessed = 17081
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17082) : returned res = 0 (success) -- inProcessed = 7525, outProcessed = 17082
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17083) : returned res = 0 (success) -- inProcessed = 7527, outProcessed = 17083
[.. snipped ..]
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31866) : returned res = 0 (success) -- inProcessed = 12067, outProcessed = 31866
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31867) : returned res = 0 (success) -- inProcessed = 12067, outProcessed = 31867
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31868) : returned res = 0 (success) -- inProcessed = 12069, outProcessed = 31868
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31869) : returned res = 0 (success) -- inProcessed = 12069, outProcessed = 31869
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31870) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31871) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31872) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31873) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31874) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31875) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
[.. snipped ..]
By way of reference, here is the output from the same test performed on the good data block. We can see that it successfully decodes the block up until byte 65,536. That is correct insofar as it matches the uncompressed size reported in the block header.
$ ./lzmadec test1.lzma test1.bin
Opened test1.lzma
compressedSize = 25826
outSizeFull = 65536
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25776) : returned res = 0 (success) -- inProcessed = 10700, outProcessed = 25776
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25777) : returned res = 0 (success) -- inProcessed = 10701, outProcessed = 25777
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25778) : returned res = 0 (success) -- inProcessed = 10701, outProcessed = 25778
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25779) : returned res = 0 (success) -- inProcessed = 10701, outProcessed = 25779
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25780) : returned res = 0 (success) -- inProcessed = 10702, outProcessed = 25780
[.. snipped ..]
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65530) : returned res = 0 (success) -- inProcessed = 25824, outProcessed = 65530
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65531) : returned res = 0 (success) -- inProcessed = 25824, outProcessed = 65531
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65532) : returned res = 0 (success) -- inProcessed = 25824, outProcessed = 65532
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65533) : returned res = 0 (success) -- inProcessed = 25826, outProcessed = 65533
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65534) : returned res = 0 (success) -- inProcessed = 25826, outProcessed = 65534
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65535) : returned res = 0 (success) -- inProcessed = 25826, outProcessed = 65535
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65536) : returned res = 0 (success) -- inProcessed = 25826, outProcessed = 65536
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65537) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65538) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65539) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65540) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65541) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65542) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65543) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
[.. snipped ..]
It looks like the hack goes deeper than just faking the LZMA header fields. The compressed bitstream itself has been tweaked.
In those tests where the bad data block was repeatedly fed to the LZMA decoder, we can study the last good iteration before a decoding error occurred:
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31869) : returned res = 0 (success) -- inProcessed = 12069, outProcessed = 31869
We can see that the decoder has only processed 12069 bytes out of 17129 bytes in the compressed datastream. For the hacked header theory to be correct, it would mean here that the compressed block has 5060 'dead' bytes of padding. (17129-12069 = 5060).
If the hack just involved a header hack, there would be no point in doing that. It would be unnecessary and wasteful. The uncompressed block size only needs to be faked by one byte. That will still cause a decode failure. There's no point in faking the size by 5060 bytes, and then padding the compressed datastream with all those pointless bytes.
It's still a working theory though, so there may be something in it.. :-)
cheers, a
[1] http://www.sbrk.co.uk/hw553/general/rofs.html
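As an added example (not code from this thread, from ECI, or from the LZMA SDK), here is a small Python triage script for the 13-byte block header described above: it splits the header into lc/lp/pb, dictionary size and uncompressed size, scans a raw image for candidate block headers and flags ones whose claimed size cannot fit a 64 KiB squashfs block, and decodes the "LZMA Unknown error 18446744073709551594" value from the unsquashfs runs earlier in the thread into its errno. The sample image, its header offsets and the stub payload bytes are constructed here; only the 0x5d / 0x800000 / 0x10000 header values come from the thread.

```python
# Added example for the squashfs-lzma block headers discussed in this thread.
# Not the thread author's tooling and not part of the LZMA SDK.
import errno
import random
import struct

LZMA_HEADER_LEN = 13        # 1 props byte + u32 dict size + u64 uncompressed size (LE)
SQUASHFS_BLOCK = 0x10000    # 64 KiB data blocks, as in the ECI root file systems
ECI_DICT_SIZE = 0x800000    # 8 MiB dictionary seen in every ECI block header


def parse_lzma_header(hdr):
    """Split a 13-byte LZMA 'alone' header into its fields.

    The props byte packs the decoder parameters as (pb * 5 + lp) * 9 + lc,
    so any value of 225 (9 * 5 * 5) or more cannot be a valid header.
    """
    if len(hdr) < LZMA_HEADER_LEN:
        raise ValueError("header too short")
    props, dict_size, unc_size = struct.unpack("<BIQ", hdr[:LZMA_HEADER_LEN])
    if props >= 9 * 5 * 5:
        raise ValueError("invalid props byte 0x%02x" % props)
    return {
        "lc": props % 9,
        "lp": (props // 9) % 5,
        "pb": props // 45,
        "dict_size": dict_size,
        "uncompressed_size": unc_size,
    }


def scan_for_lzma_blocks(image, dict_size=ECI_DICT_SIZE, block_size=SQUASHFS_BLOCK):
    """Locate candidate squashfs-lzma block headers in a raw image.

    Searches for the little-endian dictionary-size field, then validates the
    props byte before it and the uncompressed size after it.  Returns a list
    of (offset, fields, note); note is "" for a plausible header, otherwise
    why the claimed size is impossible.  A header that merely lies about its
    size (the theory under test in the thread) looks identical to a good one,
    so this only triages what each header claims, it does not decode data.
    """
    needle = struct.pack("<I", dict_size)
    found = []
    pos = image.find(needle, 1)          # start at 1: need a props byte before it
    while pos != -1:
        start = pos - 1
        try:
            fields = parse_lzma_header(image[start:start + LZMA_HEADER_LEN])
        except ValueError:
            pass                          # bad props byte or truncated: not a header
        else:
            unc = fields["uncompressed_size"]
            note = "" if 0 < unc <= block_size else "claimed size 0x%x out of range" % unc
            found.append((start, fields, note))
        pos = image.find(needle, pos + 1)
    return found


def decode_sqlzma_error(value):
    """Map the unsigned 64-bit value printed by sqlzma_un back to an errno.

    The decoder returns a negative int; printed as unsigned it wraps to
    2**64 - 22.  Returns (signed value, errno name)."""
    signed = value - (1 << 64) if value >= (1 << 63) else value
    return signed, errno.errorcode.get(-signed, "unknown")


def build_sample_image():
    """Constructed test image: deterministic random filler with four headers
    embedded at chosen offsets.  Two are plausible, one claims a block bigger
    than squashfs allows, and one has an invalid props byte (a decoy that a
    scanner must ignore).  Each header is followed by two stub payload bytes
    (range coder init byte 0x00 then 0x13, as in the thread's first dump)."""
    rng = random.Random(1)
    image = bytearray(rng.getrandbits(8) for _ in range(0x4000))

    def put(off, props, unc):
        image[off:off + LZMA_HEADER_LEN] = struct.pack("<BIQ", props, ECI_DICT_SIZE, unc)
        image[off + LZMA_HEADER_LEN:off + LZMA_HEADER_LEN + 2] = b"\x00\x13"

    put(0x0100, 0x5d, 0x10000)   # full 64 KiB block, header as seen on the ECI
    put(0x1a2c, 0x5d, 0x0c88)    # 3208 bytes: size of the final block of a 461,960 byte file
    put(0x2f00, 0x5d, 0x20000)   # claims 128 KiB: cannot be a 64 KiB squashfs block
    put(0x3ab0, 0xff, 0x10000)   # invalid props byte: not a header at all
    return bytes(image)


if __name__ == "__main__":
    print(parse_lzma_header(bytes.fromhex("5d000080000000010000000000")))
    print(decode_sqlzma_error(18446744073709551594))
    for off, fields, note in scan_for_lzma_blocks(build_sample_image()):
        print("0x%05x lc=%d lp=%d pb=%d dict=0x%x size=0x%x %s" % (
            off, fields["lc"], fields["lp"], fields["pb"],
            fields["dict_size"], fields["uncompressed_size"], note))
```

Run against a real NAND dump the scanner lists every offset with a plausible header, which is a quick way to cross-check block offsets such as @0x44e35 or @0x32edc reported by unsquashfs before spending time on the decoder.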
-
Do you know what files are failing during the decompression?
In ecirootfs1, the following two data blocks are failing to decompress.
The first data block to fail in ecirootfs1 is @0x44e35. It is the first of nine blocks used to store the file drv_dsl_cpe_api.ko. That file appears to be a character device driver providing a kernel interface to the DSL hardware (an unknown 32-bit DSP engine on the Lantiq VRX268 core). When uncompressed, that driver file should be 578,157 bytes in size, and the failed block should provide 65,536 bytes towards it when uncompressed.
The second bad data block in ecirootfs1 is @0x8e143. It is the first of twelve blocks that holds the file xcpe_hw.bin. That file is the DSP hardware device driver blob. It should be 767,376 bytes in size, and the failed block should provide 65,536 bytes when uncompressed.
Reading a different endian SQUASHFS filesystem on ecirootfs1
-rwxr-xr-x 505/users 578157 2011-02-14 06:44 squashfs-root/ifx/vdsl2/drv_dsl_cpe_api.ko
unsquashfs: dir_scan: name drv_dsl_cpe_api.ko, start_block 0, offset 7621, type 2
unsquashfs: create_inode: pathname squashfs-root/ifx/vdsl2/drv_dsl_cpe_api.ko
unsquashfs: create_inode: regular file, file_size 578157, blocks 9
unsquashfs: write_file: regular file, blocks 9
unsquashfs: read_data_block: block @0x44e35, 14351 compressed bytes
unsquashfs: read_bytes: reading from position 0x44e35, bytes 14351 (0x380f)
[...snipped...]
unsquashfs: read_data_block: block @0x4dffe, 18111 compressed bytes
unsquashfs: read_bytes: reading from position 0x4dffe, bytes 18111 (0x46bf)
00000000: 5d 00 00 80 00 00 00 01 00 00 00 00 00 00 13 af
00000010: 3c 06 45 13 7d b5 59 62 72 8f db b5 8f 8e f0 bb
[...snipped...]
000045a0: a3 d0 37 83 70 87 5c 82 2b 3a fd 66 9b d6 b6 0c
000045b0: b2 6e 0d d5 34 07 57
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
ea ae 66 04 51 9e 5e be 31
000045c0: 4c 0b 51 6f 16 63 d7 cb da 76 cb ce c5 00 69 8f
[...snipped...]
000046b0: 4d 78 5c af fa f7 81 18 0c f1 6d 19 6c 95 03
unsquashfs: read_data_block: abort() because res = sqlzma_un = ffffffea
[...snipped...]
-rwxr-xr-x 505/users 767376 2011-02-14 06:44 squashfs-root/ifx/vdsl2/xcpe_hw.bin
unsquashfs: read_fragment: reading fragment 10
unsquashfs: dir_scan: name xcpe_hw.bin, start_block 0, offset 8001, type 2
unsquashfs: create_inode: pathname squashfs-root/ifx/vdsl2/xcpe_hw.bin
unsquashfs: create_inode: regular file, file_size 767376, blocks 12
unsquashfs: write_file: regular file, blocks 12
unsquashfs: read_data_block: block @0x7af16, 40885 compressed bytes
unsquashfs: read_bytes: reading from position 0x7af16, bytes 40885 (0x9fb5)
[...snipped...]
unsquashfs: read_data_block: block @0x8e143, 40792 compressed bytes
unsquashfs: read_bytes: reading from position 0x8e143, bytes 40792 (0x9f58)
00000000: 5d 00 00 80 00 00 00 01 00 00 00 00 00 00 02 00
00000010: 09 91 c2 58 7c 6b 07 b7 bc e8 98 5f 1e 63 13 cc
[...snipped...]
00009d30: 44 e8 23 9d 7c 3c 87 30 50 9c da d2 d1 f5 84 e9
00009d40: fa f4 51 2c d8 fb 48 be 51 56 97 20 b5 e7 de 72
00009d50: 73 e3 e1 51 75 8a 59 d1 b2 73 04 4a 9b 7f 89 28
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
00009d60: 90 61 9f b6 9c 9b 9b b3 5f 38 6a a5 90 d5 85 11
[...snipped...]
00009f50: c0 ae c7 10 5e 2a f0 94
unsquashfs: read_data_block: abort() because res = sqlzma_un = ffffffea
In ecirootfs2, the second squashfs file system in the ECI firmware, once again we find two bad blocks that won't decompress. The first bad block is @0x32edc. That is the seventh of eight blocks storing the busybox binary. The busybox binary should be 461,960 bytes and when uncompressed, that block should hold 65,536 bytes of it.
The second bad block in ecirootfs2 is block @0x63bb1. It is the first of six blocks holding another kernel device driver. This driver is named drv_ifxos.ko and it should be 357,839 bytes uncompressed. The bad block should provide 65,536 bytes of that.
Reading a different endian SQUASHFS filesystem on ecirootfs2
-rwxrwxr-x 505/users 461960 2011-08-09 04:31 squashfs-root/bin/busybox
unsquashfs: dir_scan: name busybox, start_block 0, offset 936, type 2
unsquashfs: create_inode: pathname squashfs-root/bin/busybox
unsquashfs: create_inode: regular file, file_size 461960, blocks 8
unsquashfs: write_file: regular file, blocks 8
unsquashfs: read_data_block: block @0x10de0, 24250 compressed bytes
unsquashfs: read_bytes: reading from position 0x10de0, bytes 24250 (0x5eba)
[...snipped...]
unsquashfs: read_data_block: block @0x32edc, 17142 compressed bytes
unsquashfs: read_bytes: reading from position 0x32edc, bytes 17142 (0x42f6)
00000000: 5d 00 00 80 00 00 00 01 00 00 00 00 00 00 31 19
00000010: 40 06 32 0a 09 7e e1 df 4a af 79 8a 22 ec c1 75
[...snipped...]
00004180: 12 55 4f b3 18 02 b9 38 8d 36 1b 65 cd 44 43 f2
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
00004190: 8d f9 4a 51 0d 4a 8f 85 2d c4 95 5c 07 a9 6e e3
[...snipped...]
000042e0: 50 71 26 6b 9d 15 b9 f0 b8 bc ab 34 65 9a e4 86
000042f0: 6e f7 89 92 48 ae
unsquashfs: read_data_block: abort() because res = sqlzma_un = ffffffea
[...snipped...]
-rwxr-xr-x 505/users 357839 2011-08-09 04:31 squashfs-root/ifx/vdsl2/drv_ifxos.ko
unsquashfs: dir_scan: name drv_ifxos.ko, start_block 0, offset 7689, type 2
unsquashfs: create_inode: pathname squashfs-root/ifx/vdsl2/drv_ifxos.ko
unsquashfs: create_inode: regular file, file_size 357839, blocks 6
unsquashfs: write_file: regular file, blocks 6
unsquashfs: read_data_block: block @0x63bb1, 25245 compressed bytes
unsquashfs: read_bytes: reading from position 0x63bb1, bytes 25245 (0x629d)
00000000: 5d 00 00 80 00 00 00 01 00 00 00 00 00 00 3f 91
00000010: 45 84 68 34 8a 09 0a 41 50 57 af 46 76 b3 d7 96
[...snipped...]
00006200: 07 3b e0 a3 cb 88 2d 62 b0 6f 1e 6c 26 47 da b5
00006210: e8 90 91 68 22 96 49 a8 9f 06 19 d7 b7 50 71 2e
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
[...snipped...]
00006280: 4b 29 9c 2d 1f 9b 5f 33 49 de 42 43 03 45 f2 42
00006290: 1f ba 76 8a d3 b5 72 d7 34 8c f9 62 32
unsquashfs: read_data_block: abort() because res = sqlzma_un = ffffffea
I'm not sure what any of that proves.. except that there are exactly two bad blocks per file system, and they are in different places in each file system.
cheers, a
-
Hi uklad,
Interesting. I spent some time trying to get port 2 active with no luck..
One trick is as follows:
Copy that file /etc/config/defaultvalue.gz from the squashfs read-only root file system to a read-write file system (e.g. a ramdisk).
Modify that read-writable copy with the desired configurations.
Re-mount the modified file over the top of the original in the read-only squashfs.
(See the Linux/busybox manpage for mount, and the --bind option.)
Force the config software - the firmware utility that actually reads the contents of that file - to re-load it.
Since this doesn't modify the squashfs system it is non-destructive. The hack is described well by paul at sbrk.co.uk at [1].
I'm away all week training :( but I will try and find some time to try this at the weekend...
-
I'm not sure what any of that proves.. except that there are exactly two bad blocks per file system, and they are in different places in each file system.
Maybe just pointless caterwauling on my part, but if those two squashfs' are supposed to be identical, with two defects in different places in them both, then surely a controlled merge of both will give you one complete file system. :-\
Hmm . . . am I yowling from the wrong tree-top? ???
-
I'm not sure what any of that proves.. except that there are exactly two bad blocks per file system, and they are in different places in each file system.
Maybe just pointless caterwauling on my part, but if those two squashfs' are supposed to be identical, with two defects in different places in them both, then surely a controlled merge of both will give you one complete file system. :-\
Hmm . . . am I yowling from the wrong tree-top? ???
Hi Burakkucat.
Sure. We can certainly do that and it could help to discover how the LZMA code in the ECI kernel has been modified.
The main problem still exists, though. Even with those two file systems merged to make one good one, the squashfs driver in the pre-built kernel of the ECI is still expecting to read a file system image that has been tweaked in some way.
That fs kernel driver will perform an 'un-tweak' operation on specific 'tweaked' compressed blocks. The 'un-tweak' must be performed before those blocks are passed to the LZMA decoder for decompression. However, when the driver performs an 'un-tweak' on a data block that we have already un-tweaked (from our controlled merge), that second un-tweak will effectively corrupt the block. When the block is passed to the LZMA decoder, its decompression will subsequently fail.
Two possibilities spring to mind for overcoming this..
a) re-build the kernel with a squashfs driver that is not tweaked in any way, so that it can work with a 'clean' squashfs file system. Currently that is no mean feat since ECI/Lantiq/AlphaNetworks have shown no interest in abiding by the terms of the GPL licence, and we would need the kernel build configs to do this; or
b) try to re-make the file system so that those two tweaked blocks remain unallocated by the file system or else are masked-off in "lost+found" inodes or something similar.
We don't strictly need to do a controlled merge, since uklad has shell access to the device. He could obtain the decompressed form of any regular file in the squashfs file system. Those decompressed files would be dumped over the serial connection and chopped into blocks of 65,536 bytes (or less). Then they would be re-compressed with the LZMA encoder. In theory, those re-compressed data blocks could be inserted back into the squash file system image.
I'm a bit stuck here, since I haven't got an ECI modem to hack about with things like that.
Also it's a lot of faffing around. There are others interested in this issue of squashfs tweaking, not least for legal reasons since their code has been purloined in these firmwares. Hopefully in the dueness of time, some better ideas and suggestions will percolate out of the ether!
cheers, a
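The tweaked-block discussion above and the binwalk listing further down the thread both come down to the same routine: find a signature, parse the header behind it, and check the payload. The Python script below is an added example, not code from this thread and not part of binwalk or unsquashfs. It locates U-Boot uImage headers and verifies their header and data CRCs (U-Boot computes the header CRC with the hcrc field zeroed), and it locates the 13-byte LZMA-alone headers that squashfs-lzma puts in front of each 64 KiB data block (props 0x5D, 8 MiB dictionary, as seen in the hexdumps above) and trial-decompresses each one, so a block that will not decode is reported by offset instead of as an unsquashfs abort. The sample image it builds when run without arguments is constructed here (a fake uImage carrying a text payload, then three LZMA blocks with one deliberately corrupted) and is not the ECI dump; the load/entry addresses and image name are borrowed from the binwalk listing purely as realistic filler. Note that Python's LZMA encoder writes the "unknown size" marker (eight 0xFF bytes) where the firmware blocks carry an explicit size; the parser accepts both.

```python
"""Scan a flash dump for U-Boot uImage headers and LZMA-alone blocks and
validate each one: CRCs for uImage, a trial decompression for LZMA."""
import lzma
import struct
import sys
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"    # U-Boot legacy image header magic
UIMAGE_HDR_LEN = 64
LZMA_PROPS = 0x5D                     # lc=3, lp=0, pb=2, as in the dump
LZMA_DICT = 8 << 20                   # 8 MiB dictionary: 00 00 80 00 little endian
LZMA_SIG = bytes([LZMA_PROPS]) + struct.pack("<I", LZMA_DICT)
LZMA_HDR_LEN = 13                     # props(1) + dict(4) + uncompressed size(8)
LZMA_SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF


def parse_uimage(buf, off):
    """Decode the 64-byte uImage header at buf[off:] and check both CRCs."""
    hdr = buf[off:off + UIMAGE_HDR_LEN]
    if len(hdr) < UIMAGE_HDR_LEN or hdr[:4] != UIMAGE_MAGIC:
        return None
    (_, hcrc, _, size, load, entry, dcrc,
     _os, _arch, _type, _comp, name) = struct.unpack(">7I4B32s", hdr)
    # U-Boot computes the header CRC with the hcrc field itself set to zero.
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]
    data = buf[off + UIMAGE_HDR_LEN:off + UIMAGE_HDR_LEN + size]
    return {"size": size, "load": load, "entry": entry,
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "hcrc_ok": zlib.crc32(zeroed) == hcrc,
            "dcrc_ok": len(data) == size and zlib.crc32(data) == dcrc}


def parse_lzma_header(buf, off):
    """Split the 13-byte .lzma header into lc/lp/pb, dictionary and size."""
    if len(buf) < off + LZMA_HDR_LEN:
        return None
    props, dict_size, usize = struct.unpack("<BIQ", buf[off:off + LZMA_HDR_LEN])
    if props >= 9 * 5 * 5:
        return None
    lc, rest = props % 9, props // 9
    return {"lc": lc, "lp": rest % 5, "pb": rest // 5,
            "dict": dict_size, "usize": usize}


def check_lzma_block(buf, off):
    """Trial-decompress the .lzma stream at buf[off:]; return (status, bytes_out).
    Whatever follows the end of the stream (the next block) is left unused."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        out = dec.decompress(buf[off:])
    except lzma.LZMAError as exc:
        return "error: %s" % exc, 0
    return ("ok" if dec.eof else "truncated"), len(out)


def scan(buf):
    """Return [(kind, offset, info)] for every uImage header and LZMA block."""
    findings = []
    off = buf.find(UIMAGE_MAGIC)
    while off != -1:
        info = parse_uimage(buf, off)
        if info:
            findings.append(("uimage", off, info))
        off = buf.find(UIMAGE_MAGIC, off + 1)
    off = buf.find(LZMA_SIG)
    while off != -1:
        info = parse_lzma_header(buf, off)
        if info:
            info["status"], info["decoded"] = check_lzma_block(buf, off)
            findings.append(("lzma", off, info))
        off = buf.find(LZMA_SIG, off + 1)
    return sorted(findings, key=lambda f: f[1])


def build_sample():
    """Constructed stand-in for a dump (not the ECI image): one uImage wrapping
    a fake payload, then three LZMA blocks, the middle one with a byte flipped
    to play the part of a 'tweaked' squashfs block."""
    payload = b"MIPS kernel stand-in " * 64
    fields = (UIMAGE_MAGIC, 0, 0, len(payload), 0x80002000, 0x802CD000,
              zlib.crc32(payload), 5, 5, 2, 3,   # os=Linux arch=MIPS type=kernel comp=lzma
              b"MIPS Linux-2.6.20".ljust(32, b"\0"))
    hdr = struct.pack(">4s6I4B32s", *fields)
    hdr = hdr[:4] + struct.pack(">I", zlib.crc32(hdr)) + hdr[8:]   # fill in hcrc
    lzma1 = [{"id": lzma.FILTER_LZMA1, "dict_size": LZMA_DICT}]
    blocks = [lzma.compress(bytes(range(256)) * 16 + b"block %d" % i,
                            format=lzma.FORMAT_ALONE, filters=lzma1) for i in range(3)]
    bad = bytearray(blocks[1])
    bad[LZMA_HDR_LEN + 100] ^= 0xFF      # corrupt the compressed data, not the header
    blocks[1] = bytes(bad)
    return hdr + payload + b"\xff" * 64 + (b"\xff" * 64).join(blocks)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for kind, off, info in scan(image):
        print("%-6s 0x%06X %s" % (kind, off, info))
```

Run it with no arguments to see the constructed sample (one uImage with both CRCs good, two LZMA blocks "ok" and the corrupted one reported as an error or as truncated), or pass a dump such as ecinand8mb.bin to list every uImage and LZMA block in it. On the real image the tweaked blocks are expected to show up the same way as the corrupted sample block; the scanner only identifies them, it does not know the driver's un-tweak and cannot repair them.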
-
I have a saved eBay search that specifies this particular ECI B-FOCuS modem. It's obviously a case of "wait and see" . . . :-\
-
flamey, an FTTC subscriber from Colchester, has posted some useful exterior pictures of the ECI to the Sky User forum. As flamey points out, it is very difficult to distinguish the ECI from the Huawei. The LEDs and the sockets are spaced slightly differently on the ECI, but on purely physical appearance, they are otherwise virtually identical devices.
http://www.skyuser.co.uk/forum/router-stats/47260-hacking-bt-openreach-modem-hg612.html#post358530
cheers, a
EDIT:
@uklad: did you find time to try the 'mount' hack?
-
Attached to this post is a "screen-scrape" from a BT Slide Presentation. It shows the Huawei and ECI modems side-by-side.
[attachment deleted by admin]
-
Attached to this post is a "screen-scrape" from a BT Slide Presentation. It shows the Huawei and ECI modems side-by-side.
I did think i had seen that before..
-
flamey, an FTTC subscriber from Colchester, has posted some useful exterior pictures of the ECI to the Sky User forum. As flamey points out, it is very difficult to distinguish the ECI from the Huawei. The LEDs and the sockets are spaced slightly differently on the ECI, but on purely physical appearance, they are otherwise virtually identical devices.
http://www.skyuser.co.uk/forum/router-stats/47260-hacking-bt-openreach-modem-hg612.html#post358530
cheers, a
EDIT:
@uklad: did you find time to try the 'mount' hack?
Quick answer is no, unfortunately. Training away for a week and being mad busy when I got back does not help; I should have some time tomorrow to play once the kids are in bed..
-
Hi uklad!
Did you get a chance to have another look?
cheers, a
-
Hi uklad!
Did you get a chance to have another look?
cheers, a
I did, and to be frank I'm out of my depth. I don't know Linux well enough to get any connectivity out of it...
Where are you located, asbokid?
-
Aww! Don't give up! ??? you've already done all the hard work!
Attached is a silly bit of C code for the PC. It converts any file into an octal dump. The dump can be used in the Telnet Upload Trick.
The Trick allows any executable to be downloaded to a router or a modem using the -e escape character option of the echo command in the BusyBox ash shell. [1]
// The Telnet Upload Trick - asbokid 2012 <ballymunboy@gmail.com>
//
// How to download an arbitrary binary to an embedded device
//
// 1) convert the binary into an octal dump using the code below
// 2) paste the dump into a telnet shell or a serial console
// 3) chmod +x the dumped file (myscript.sh) and run it
// 4) the octal dump will be echoed into a binary file (mybinary)
// 5) chmod +x that new binary and run it
#include <stdio.h>
int main(int argc, char **argv) {
    FILE *fp;
    int c;                  /* fgetc() returns int, so EOF (-1) compares correctly */
    unsigned int d = 0;     /* bytes emitted so far; 16 per echo line */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <binary>\n", argv[0]);
        return 1;
    }
    if (!(fp = fopen(argv[1], "rb"))) {
        fprintf(stderr, "can't open file %s\n", argv[1]);
        return 1;
    }
    /* Each byte becomes \\0NNN in the script. The shell collapses \\ to \ and
       echo -e then decodes \0NNN as an octal byte. The script appends with >>,
       so mybinary must not already exist on the target when it is run. */
    while ((c = fgetc(fp)) != EOF) {
        if (!(d++ % 0x10))
            fprintf(stdout, "echo -n -e ");
        fprintf(stdout, "\\\\%04o", c);
        if (!(d % 0x10))
            fprintf(stdout, " >> mybinary\n");
    }
    if (d % 0x10)
        fprintf(stdout, " >> mybinary\n");
    fclose(fp);
    return 0;
}
We can use the Trick to download any code we want to the ECI: a telnet daemon, a tool to dump the decompressed forms of those tweaked files, or anything else..
$ gcc -o octaldump octaldump.c
$ ./octaldump octaldump > myscript.sh
$ head myscript.sh
echo -n -e \\0177\\0105\\0114\\0106\\0002\\0001\\0001\\0000\\0000\\0000\\0000\\0000\\0000\\0000\\0000\\0000 >> mybinary
echo -n -e \\0002\\0000\\0076\\0000\\0001\\0000\\0000\\0000\\0300\\0005\\0100\\0000\\0000\\0000\\0000\\0000 >> mybinary
echo -n -e \\0100\\0000\\0000\\0000\\0000\\0000\\0000\\0000\\0130\\0015\\0000\\0000\\0000\\0000\\0000\\0000 >> mybinary
echo -n -e \\0000\\0000\\0000\\0000\\0100\\0000\\0070\\0000\\0010\\0000\\0100\\0000\\0037\\0000\\0034\\0000 >> mybinary
$ chmod +x myscript.sh
$ ./myscript.sh
$ xxd -l80 mybinary
0000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
0000010: 0200 3e00 0100 0000 c005 4000 0000 0000 ..>.......@.....
0000020: 4000 0000 0000 0000 580d 0000 0000 0000 @.......X.......
0000030: 0000 0000 4000 3800 0800 4000 1f00 1c00 ....@.8...@.....
0000040: 0600 0000 0500 0000 4000 0000 0000 0000 ........@.......
$ md5sum mybinary octaldump
64f293a8272b7938ace5c805f6873402 mybinary
64f293a8272b7938ace5c805f6873402 octaldump
cheers, a
[1] http://stackoverflow.com/questions/5582778/writing-a-binary-file-in-shell-shell-awk
[attachment deleted by admin]
-
Aww! Don't give up! ??? you've already done all the hard work!
I'm not giving up; it's more to do with time vs ability. I have the ability, just not the time. I'm sourcing a HG612, which should be here in a few days. Once it's stable I can set the ECI in my office or even loan it to you to speed up development..
-
Sounds good! Wasn't doubting your expertise! Lots of people will be interested to see how the ECI performs against the Huawei on the same line. cheers, a
-
Hi uklad, if you didn't end up getting a new modem I will sell you my Huawei HG612 for £20 including P&P? it's a rev b.
-
Hi uklad, if you didn't end up getting a new modem I will sell you my Huawei HG612 for £20 including P&P? it's a rev b.
Got one, thanks. Just installed it; still seem to be getting the full 40/10 at the moment. Will pull some stats later.
-
From using both the ECI and Huawei HG612, I have noticed that I get more jitter using the HG612. The ECI seems to perform a little better on my connection. May be different for your connection.
-
@ All,
What a splendid reason for asking BT to allow them to be purchased on the open market.
Kind regards,
Walter
-
From using both the ECI and Huawei HG612, I have noticed that I get more jitter using the HG612. The ECI seems to perform a little better on my connection. May be different for your connection.
Josh -- A quick couple of questions for you. When you had your FTTC service installed, which VDSL2 modem was officially provided as the active CPE? The Huawei or the ECI? As you probably realise, Openreach supply the modem to match the DSLAM in the FTTC.
If your installation was a Huawei, I wonder from where did you obtain the ECI B-FOCuS modem? Care to share the information, please? ;)
-
Josh had an ECI supplied, if I remember..
-
From using both the ECI and Huawei HG612, I have noticed that I get more jitter using the HG612. The ECI seems to perform a little better on my connection. May be different for your connection.
Josh -- A quick couple of questions for you. When you had your FTTC service installed, which VDSL2 modem was officially provided as the active CPE? The Huawei or the ECI? As you probably realise, Openreach supply the modem to match the DSLAM in the FTTC.
If your installation was a Huawei, I wonder from where did you obtain the ECI B-FOCuS modem? Care to share the information, please? ;)
I was supplied with the ECI, and purchased the Huawei off the bay. I know ECI modems are hard to track down, I have not seen one on eBay!
-
Thank you for the update.
I know ECI modems are hard to track down, I have not seen one on eBay!
I can see that without some degree of co-ordination, when one does turn up on eBay, we will most likely be bidding against each other. :doh:
-
Excellent work! I have the ECI model (B-FOCuS V-2FUb/I Rev.B) and after replacing the HH3 for something running OpenWrt (finally, real routing!) last night, I'm now shifting focus to the other mysterious black-box (the modem).
GPL advocate, not too bad with Linux, near zero embedding skills though. Always keen to get my hands dirty though, albeit usually [learning] on the job!
uklad/asbokid, anything I can do to help?
-
I'll add, there were a couple of broken links on this thread. Does anything need hosting, as I can do that.
-
Hi nimda!
Great news that you are joining us! You sound very qualified for this important voluntary position!
There are several possibilities for unlocking the ECI. The first task must be to gain shell access through the serial port, following uklad's pioneering work. A USB-TTL bridge is an easy and cheap way to do this. The controller costs less than £2. [1] [2]
It would be rewarding to crack the LZMA mechanism used to lock the embedded file system, since the same mechanism is used by many other manufacturers, but that's probably not an easy hack. Though it certainly offers the most kudos if successful!
The priority must be to re-enable web and telnet/ssh access from the LAN-side. This should be possible through the serial shell access, after the system has booted. Once an unlocking method has been discovered, then a more permanent solution will involve modifying the flash file system. uklad has generously offered his ECI for target practice for this, but the likelihood of bricking it is quite high, so it's probably wiser to find an unwanted one!
Your hosting offer is much appreciated :-) SFAICS, the dead links are uklad's original NOR flash dump from the ECI which he uploaded to mediafire, who seem to have deleted it, for lack of downloads(?), and the PDF of Sweetman's book on MIPS Linux (Morgan.Kaufmann.See.MIPS.Run.2nd.Edition.pdf) ?
Uklad's original NOR flash dump (ecinand8mb.bin) is duplicated here [3]
Welcome aboard!
cheers, a
[1] http://www.ebay.co.uk/itm/170732908199
[2] http://www.ebay.co.uk/itm/390363268951
[3] http://docs.google.com/open?id=0B6wW18mYskvBMzZkODg5NGQtNjdjOS00ZjNjLTljNTctZTJkNmYxYWFlMTk1
-
Great news that you are joining us! You sound very qualified for this important voluntary position!
Thanks, glad to be here. I'm looking forward to learning along the way too!
There are several possibilities for unlocking the ECI. The first task must be to gain shell access through the serial port, following uklad's pioneering work. A USB-TTL bridge is an easy and cheap way to do this. The controller costs less than £2. [1] [2]
I purchased the PL2303HX USB to TTL Converter Module, it'll take a while to arrive though "Estimated delivery: 12-24 working days" but it was free delivery from Hong Kong so can't complain! I'll start work on the serial link once the order arrives.
It would be rewarding to crack the LZMA mechanism used to lock the embedded file system, since the same mechanism is used by many other manufacturers, but that's probably not an easy hack. Though it certainly offers the most kudos if successful!
I'll leave this one for now, I don't feel ready for tackling algorithms just yet.
The priority must be to re-enable web and telnet/ssh access from the LAN-side. This should be possible through the serial shell access, after the system has booted. Once an unlocking method has been discovered, then a more permanent solution will involve modifying the flash file system. uklad has generously offered his ECI for target practice for this, but the likelihood of bricking it is quite high, so it's probably wiser to find an unwanted one!
I don't mind testing serial connections, but unless I had a spare, I'd not yet be prepared to put my modem on the line. So, thanks to uklad for the donation, generous indeed.
Your hosting offer is much appreciated :-) SFAICS, the dead links are uklad's original NAND dump from the ECI which he uploaded to mediafire, who seem to have deleted it, for lack of downloads(?), and the PDF of Sweetman's book on MIPS Linux (Morgan.Kaufmann.See.MIPS.Run.2nd.Edition.pdf) ?
Uklad's original NAND dump (ecinand8mb.bin) is duplicated here [3]
No problem at all, I can accommodate ANY hosting needs, especially to aid the greater good of a freed community --decentralising, and taking back control/data, is my computing MO.
[1] http://www.ebay.co.uk/itm/170732908199
[2] http://www.ebay.co.uk/itm/390363268951
[3] http://docs.google.com/open?id=0B6wW18mYskvBMzZkODg5NGQtNjdjOS00ZjNjLTljNTctZTJkNmYxYWFlMTk1
In the meantime, I'll take a read of See MIPS Run. Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!
Once this is opened, what then? What are the options? Fundamental question, and possibly obvious answers, but I'm naive in this area of computing, what cool things can be done?
-
There are several possibilities for unlocking the ECI. The first task must be to gain shell access through the serial port, following uklad's pioneering work. A USB-TTL bridge is an easy and cheap way to do this. The controller costs less than £2. [1] [2]
I purchased the PL2303HX USB to TTL Converter Module, it'll take a while to arrive though "Estimated delivery: 12-24 working days" but it was free delivery from Hong Kong so can't complain! I'll start work on the serial link once the order arrives.
Am I right to assume this will require reinstating header-pins (http://forum.kitz.co.uk/index.php/topic,10635.msg208997.html#msg208997)? Is this JTAGing? I've never (knowingly) played with this before.
-
Lastly, did uklad not get shell access:-
Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)
Is it not straight forward to "re-enable web and telnet/ssh access from the LAN-side." ?
-
Hi again, nimda,
No problem at all, I can accommodate ANY hosting needs, especially to aid the greater good of a freed community --decentralising, and taking back control/data, is my computing MO.
A man after my own heart!
..would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!
Hi.. the perms were stuck. The dump is downloadable now without a gmail account..
https://docs.google.com/leaf?id=0B6wW18mYskvBMzZkODg5NGQtNjdjOS00ZjNjLTljNTctZTJkNmYxYWFlMTk1
Once this is opened, what then? What are the options? Fundamental question, and possibly obvious answers, but I'm naive in this area of computing, what cool things can be done?
Good question.. I think people just like getting under the bonnet. Paul (Bald_Eagle) and Burakkucat have done some amazing things with graphing scripts, using the low-level diagnostic xdsl data that the unlocked Huawei provides.
My current interest is to try and 'fit' that diagnostic data, especially the channel characteristics (aka insertion loss aka attenuation) to parameterised cable reference models. This would hopefully lead to an accurate analysis of loop quality, and estimated loop length. The data could be analysed for common fault conditions - bridge taps, etc.
Other options include the development of server-side scripts for graphing. This code would run on the embedded device itself.
I guess ultimately, people would like to see an open source router distribution (openwrt et al) running on these devices, but that would involve the release of the DSP drivers by Broadcom and Lantiq, who are less than forthcoming.
cheers, a
EDIT: Yes, obtaining serial port access involves soldering the header pins back onto the modem board. It's not hard with a fine-tipped soldering bit.
JTAG is a different serial protocol, primarily for debugging hardware. It's similar to SPI and has a clock signal (TCK), two data lines for input and output (TDI and TDO) and a control line (TMS) to manage the state of the JTAG engine.
Unless the bootloader gets wrecked, it should be possible to unlock the ECI using just the TTL serial port.
-
Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!
For a short time only (just to allow you to download it), I have made the file available from a temporary location. Please let me know once you have got a copy. ;)
[Edited to mention that the link to the above temporary location is now deprecated.]
-
Lastly, did uklad not get shell access:-
Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)
Yes, uklad indeed got shell access.
Is it not straight forward to "re-enable web and telnet/ssh access from the LAN-side." ?
It should be. Unfortunately before uklad got there, he was distracted by his family who obviously have no appreciation of the importance to this work!
cheers, a
-
Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!
For a short time only (just to allow you to download it), I have made the file available from a temporary location (http://elrepo.org/people/ajb/tmp/ECI). Please let me know once you have got a copy. ;)
Thanks burakkucat :-)
-
Thanks burakkucat :)
I'm always willing to assist, where I can. ;D
(Though I shall pass on helping you lick that multi-coloured ice-cream! :-\ )
-
Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!
For a short time only (just to allow you to download it), I have made the file available from a temporary location (http://elrepo.org/people/ajb/tmp/ECI). Please let me know once you have got a copy. ;)
Thanks, I've got the files I need.
-
Thanks, I've got the files I need.
Excellent. Thank you for letting me know. I'll now deprecate that link. :)
-
Lastly, did uklad not get shell access:-
Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)
Yes, uklad indeed got shell access.
Is it not straight forward to "re-enable web and telnet/ssh access from the LAN-side." ?
It should be. Unfortunately before uklad got there, he was distracted by his family who obviously have no appreciation of the importance to this work!
cheers, a
Full-time job, one wife, two kids and builders out the back is leaving me with very little spare time!! But I'm still lurking.. and you are correct, I did try explaining once what I was doing with the ECI modem and she gave me the rolled-eyes nod!! followed by ohhh yeah!!
-
Full-time job, one wife, two kids and builders out the back is leaving me with very little spare time!! But I'm still lurking.. and you are correct, I did try explaining once what I was doing with the ECI modem and she gave me the rolled-eyes nod!! followed by ohhh yeah!!
One more child, but no builders :) You've inspired me to start, and continue the work you have done. Please continue to lurk, you are after all the thread's founder ;)
Can you give me any tips for the serial connection settings? I'll be using Linux, so the programs will be different, but same ports, speeds, etc. Any information will be useful at this stage --besides, I've got a while to wait for my serial link hardware delivery, so I'm soaking up the details.
-
Port speed is 115,200bps N-8-1
-
I have recently got one of these with my FTTC install although I'm not quite ready to kill it. I have emailed sfconservancy.org and they have shown an interest in the situation. I will keep you posted on any progress relating to GPL compliance. If someone can show me the exact solder points I do have the required equipment here already for a serial-usb adapter...
-
I have recently got one of these with my FTTC install although I'm not quite ready to kill it. I have emailed sfconservancy.org and they have shown an interest in the situation. I will keep you posted on any progress relating to GPL compliance. If someone can show me the exact solder points I do have the required equipment here already for a serial-usb adapter...
See post #17 on this thread
-
Ah thanks, when I get a chance I'll see what I can do. My adapter is technically 5 V but a few resistors should be good enough to get it down to 3.3 V-ish.
Update: Tried, but as I couldn't get the solder from the holes I had to mount the header on top; it didn't work regardless. I guess someone else will have to help :(
Update 2: Just trying to work out why it didn't work, looks like I lifted the TX pad accidentally :(
Update 3: Okay, so I couldn't be defeated. Turns out near the TX pad there is an unpopulated capacitor footprint, appears to be a decoupling capacitor for TX. Anyway, using that I managed to solder some flying wires to all the pads and now I think I have a working UART port. I say I think as apparently the USB->Serial I have only does 9600 baud, not the 115,200 baud, but I do get garbage outputted, and the timing seems about right. Ordered a http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=270805125757#ht_2480wt_952 and hopefully it'll work :)
-
Good to have you aboard! Getting stuck right in too, I see.
I'm still awaiting my Hong Kong delivery (PL2303HX), apparently dispatched on the 28th, and no doubt it is on a boat or in a storage crate somewhere between here and there!
Keep us posted though, sounds like an enthusiastic start :D
-
I should get my converter tomorrow, one advantage of paying extra for buying from the UK. From there I'm quite happy to help out as I can, although I'm not really that sure what I'm doing. What if we were to use mine to modify the firmware to enable the web interface? Surely that would give a usable image for an "upgrade" of everyone else's. Also, there are a couple of unpopulated connectors next to all the others, any ideas what they may be?
-
I wonder if it might be appropriate to suggest that you source a Huawei HG612 to use on your VDSL2 service and then you loan your current ECI B-FOCuS modem to The Maestro, Asbokid, himself? :-\
-
I should get my converter tomorrow, one advantage of paying extra for buying from the UK. From there I'm quite happy to help out as I can, although I'm not really that sure what I'm doing. What if we were to use mine to modify the firmware to enable the web interface? Surely that would give a usable image for an "upgrade" of everyone else's.
Hi ben1066!
I just passed the NOR flash image that was extracted by uklad through the latest release (0.4.3) of a tool called binwalk.
binwalk is an amazing open source utility developed by Craig Heffner. It can be downloaded from http://binwalk.googlecode.com/
The tool scans binary images for 'magic numbers' - short signatures - used in Linux to identify binary types. Binwalk can identify various compressed archives, kernel images, and many other binary components commonly found in embedded firmware.
As we discovered ourselves, there are two LZMA-compressed squashfs read-only root file system images in the NOR image, and a JFFS2 read-write flash file system. Binwalk also discovered the offsets, lengths and load addresses of the two LZMA-compressed big-endian MIPS32 Linux kernels and the U-Boot loader image.
But what's most interesting is that binwalk has discovered an area of the flash where the gzip'ed configuration file for the ECI is stored. We already discovered the default config file in the read-only root file system. That's the config file that is loaded when the device is hard-reset. However, what binwalk appears to have uncovered is the 'working' config file. That copy of the configuration file is modifiable without the need to rebuild and rewrite the entire root file system.
In theory, the device can be unlocked by very carefully erasing the NOR block containing that config file, and by re-programming the block with new (unlocking) contents. The U-Boot bootloader should have the necessary NOR functions to perform those operations.
The specific area of interest in the NOR device starts at offset 0x40126:
$ md5sum ecinand8mb.bin
2a2db35f797546c0e3e036a469a942d4 ecinand8mb.bin
$ binwalk ecinand8mb.bin
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
17680 0x4510 uImage header, header size: 64 bytes, header CRC: 0xDCFA529A, created: Mon Oct 18 09:20:23 2010, image size: 49728 bytes, Data Address: 0xA0400000, Entry Point: 0xA0400000, data CRC: 0xC1F4907, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: u-boot image
17744 0x4550 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 133532 bytes
262438 0x40126 gzip compressed data, from Unix, last modified: Sat Jan 1 00:02:13 2000, max compression
331872 0x51060 uImage header, header size: 64 bytes, header CRC: 0x6C1EFC77, created: Mon Feb 14 06:44:17 2011, image size: 3624992 bytes, Data Address: 0x80002000, Entry Point: 0x802CD000, data CRC: 0x15E32D3E, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: MIPS Linux-2.6.20
331936 0x510A0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3084422 bytes
1314976 0x1410A0 PackImg Tag, little endian size: 5253120 bytes; big endian size: 2641920 bytes
1315008 0x1410C0 Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2641669 bytes, 844 inodes, blocksize: 65536 bytes, created: Mon Feb 14 06:44:14 2011
1315127 0x141137 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 61676 bytes
1330443 0x144D0B LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 7100 bytes
[...]
3954947 0x3C5903 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 672 bytes
3955226 0x3C5A1A LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 6752 bytes
4132960 0x3F1060 uImage header, header size: 64 bytes, header CRC: 0x55E6D872, created: Tue Aug 9 04:31:37 2011, image size: 3629088 bytes, Data Address: 0x80002000, Entry Point: 0x802CD000, data CRC: 0xC331258, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: MIPS Linux-2.6.20
4133024 0x3F10A0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3084421 bytes
5116064 0x4E10A0 PackImg Tag, little endian size: 6301696 bytes; big endian size: 2646016 bytes
5116096 0x4E10C0 Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2642454 bytes, 844 inodes, blocksize: 65536 bytes, created: Tue Aug 9 04:31:35 2011
5116215 0x4E1137 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 50734 bytes
[...]
7757093 0x765D25 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 6752 bytes
7929856 0x790000 JFFS2 filesystem data big endian, JFFS node length: 12
[...]
8257536 0x7E0000 JFFS2 filesystem data big endian, JFFS node length: 12
The flash memory area containing the configuration file can be extracted with the Unix tools dd and gunzip:
$ dd bs=1 if=ecinand8mb.bin of=eciconfig.gz skip=$((0x40126)) count=$((0x8a4))
2212+0 records in
2212+0 records out
2212 bytes (2.2 kB) copied, 0.0065032 s, 340 kB/s
$ gunzip -v -l eciconfig.gz
method crc date time compressed uncompressed ratio uncompressed_name
defla 366d7213 Apr 5 17:45 2212 7929 72.4% eciconfig
$ cat eciconfig.gz | gunzip
<lantiq_vr9_generic_asl56026>
<check>
<is_factory>factory</is_factory>
</check>
<vdsl2>
<infineon>
<fw_variant>VA</fw_variant>
<annex>A</annex>
<adsl_encaps>1</adsl_encaps>
<default_vpi_vci>1</default_vpi_vci>
<line_config>
<filter>0</filter>
<hw_hybrid>2</hw_hybrid>
<line_mode>102</line_mode>
</line_config>
</infineon>
</vdsl2>
<switch>
<bypass_mode>0</bypass_mode>
<lan_access_cpe_enable>0</lan_access_cpe_enable>
<discard_specific_pkt>1</discard_specific_pkt>
<igmp_queue>3</igmp_queue>
<port id="1">
<vid>101</vid>
<pri>2</pri>
<loopback>0</loopback>
<activate>1</activate>
<special_vlan>0</special_vlan>
</port>
<port id="2">
<vid>102</vid>
<pri>7</pri>
<loopback>0</loopback>
<activate>0</activate>
<special_vlan>0</special_vlan>
</port>
</switch>
<wan>
<physical_type>1</physical_type>
<enable_dhcp60>0</enable_dhcp60>
<dhcp_option60></dhcp_option60>
<enable_dhcp61>0</enable_dhcp61>
<dhcp_iaid></dhcp_iaid>
<dhcp_duid>0</dhcp_duid>
<enable_dhcp125>0</enable_dhcp125>
<dhcp_option125></dhcp_option125>
<enable_prepadt>0</enable_prepadt>
<dsl>
<defaultroute>1</defaultroute>
<inf id="1">
<mode>1</mode>
<enable>1</enable>
<atm>
<pvc>
<settings>
<vpi>8</vpi>
<vci>35</vci>
</settings>
</pvc>
</atm>
<ptm>
<vtag>
<settings>
<connection>connection1</connection>
<enable>1</enable>
<vid>301</vid>
<priority>5</priority>
<bt>
<enable>1</enable>
<wan_vid1>101</wan_vid1>
<wan_vid2>102</wan_vid2>
</bt>
</settings>
</vtag>
</ptm>
<dhcp>
<hostname></hostname>
<clonemac></clonemac>
<autodns>1</autodns>
<mtu>1500</mtu>
</dhcp>
<static>
<mode>1</mode>
<ip>5.60.39.51</ip>
<netmask>255.0.0.0</netmask>
<gateway>5.21.97.200</gateway>
<clonemac></clonemac>
<mtu>1500</mtu>
</static>
</inf>
<inf id="2">
<mode>2</mode>
<enable>0</enable>
<atm>
<pvc>
<settings>
<vpi>0</vpi>
<vci>35</vci>
</settings>
</pvc>
</atm>
<ptm>
<vtag>
<settings>
<connection>connection2</connection>
<enable>0</enable>
<vid>12</vid>
<priority>0</priority>
</settings>
</vtag>
</ptm>
<dhcp>
<hostname></hostname>
<clonemac></clonemac>
<autodns>1</autodns>
<mtu>1500</mtu>
</dhcp>
<static>
<mode>1</mode>
<ip>5.55.52.52</ip>
<netmask>255.0.0.0</netmask>
<gateway>5.55.52.1</gateway>
<clonemac></clonemac>
<mtu>1500</mtu>
</static>
</inf>
</dsl>
<defaultroute>1</defaultroute>
</wan>
<lan>
<ethernet>
<inf id="1">
<enable>1</enable>
<defaultip>192.168.168.168</defaultip>
<ip>192.168.168.168</ip>
<netmask>255.255.255.0</netmask>
<dhcp>
<server>
<enable>0</enable>
</server>
</dhcp>
</inf>
</ethernet>
</lan>
<dnsrelay>
<mode>2</mode>
<server>
<primarydns>172.19.10.100</primarydns>
<secondarydns>172.19.10.99</secondarydns>
</server>
</dnsrelay>
<security>
<log>
<systeminfo>1</systeminfo>
<debuginfo>0</debuginfo>
<attackinfo>1</attackinfo>
<droppacketinfo>0</droppacketinfo>
<noticeinfo>1</noticeinfo>
</log>
</security>
<time>
<syncwith>2</syncwith>
<timezone>5</timezone>
<daylightsaving>0</daylightsaving>
<ntpserver>
<ip>pool.ntp.org</ip>
<interval>604800</interval>
</ntpserver>
</time>
<sys>
<brand>Infineon</brand>
<bridge>1</bridge>
<hostname>ECLVL05</hostname>
<type>ResidentialModem</type>
<devicename>VDSL2 2 port Modem</devicename>
<modeldescription>VDSL2 2 port Modem</modeldescription>
<modelname>ECLVL05</modelname>
<vendor>Generic</vendor>
<url></url>
<regdomain>fcc</regdomain>
<language>en</language>
<basicmode>0</basicmode>
<supportlang>auto,en,de</supportlang>
<telnetd>true</telnetd>
<sshd>true</sshd>
<sessiontimeout>600</sessiontimeout>
<user id="1">
<name>admin</name>
<defaultpassword>admin</defaultpassword>
<password>admin</password>
<group>0</group>
</user>
<user id="2">
<name>user</name>
<password>user</password>
<group>1</group>
</user>
<log>
<logserverenable>0</logserverenable>
<loglevel>0</loglevel>
<logserver></logserver>
</log>
<supporturl></supporturl>
</sys>
<function>
<tr069>1</tr069>
<httpd_upnp>1</httpd_upnp>
</function>
<tr069>
<enable>0</enable>
<getrpcmethodsenable>1</getrpcmethodsenable>
<connection_line>1</connection_line>
<route>1</route>
<authenticate>0</authenticate>
<devicesummary>InternetGatewayDevice:1.0[](Baseline:1, EthernetLAN:1, ADSLWAN:1, Time:1, IPPing:1)</devicesummary>
<max_envs>1</max_envs>
<inform_retry_mode>3</inform_retry_mode>
<connect_retry_mode>3</connect_retry_mode>
<inform_retry_interval>30</inform_retry_interval>
<connect_retry_interval>30</connect_retry_interval>
<deviceinfo>
<manufactureroui>001195</manufactureroui>
<specversion>1.0.1</specversion>
<provisioningcode></provisioningcode>
<productclass>ASL-56026</productclass>
<manufacturer>ALPHA</manufacturer>
<hardwareversion>HA1</hardwareversion>
<landevicenumberofentries>1</landevicenumberofentries>
<wandevicenumberofentries>1</wandevicenumberofentries>
</deviceinfo>
<managementserver>
<username></username>
<password></password>
<connectionrequesturl></connectionrequesturl>
<connectionrequestpath>asl56026</connectionrequestpath>
<connectionrequestusername>admin</connectionrequestusername>
<connectionrequestpassword>admin</connectionrequestpassword>
<url>http://iop-tw.workssys.com/comserver/node1/tr069</url>
<defaulturl>http://iop-tw.workssys.com/comserver/node1/tr069</defaulturl>
<periodicinformenable>1</periodicinformenable>
<periodicinforminterval>60</periodicinforminterval>
<periodicinformtime>1157436610</periodicinformtime>
<upgrade>1</upgrade>
<parameterkey></parameterkey>
</managementserver>
<misc>
<recvtimeout>20</recvtimeout>
<rebootcmdkey></rebootcmdkey>
<schedulecmdkey></schedulecmdkey>
<previousurl></previousurl>
<acsport>8082</acsport>
<debuglevel>7</debuglevel>
<pfdebuglevel>7</pfdebuglevel>
<entry id="1">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
<entry id="2">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
<entry id="3">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
<entry id="4">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
</misc>
</tr069>
<cfm>
<enable>1</enable>
<md_index>md_name</md_index>
<md_level>0</md_level>
<ma_index>ma_name</ma_index>
<mep_index>1</mep_index>
<vlan_id>1</vlan_id>
<cfm_8021p>0</cfm_8021p>
<ccm_enable>0</ccm_enable>
<direct>up</direct>
<ccm_interval>10s</ccm_interval>
<lbm>
<distination_address></distination_address>
<number_of_lbm>1</number_of_lbm>
</lbm>
<ltm>
<target_address></target_address>
</ltm>
</cfm>
<proc>
<web>
<sessionum>8</sessionum>
<authnum>6</authnum>
</web>
</proc>
</lantiq_vr9_generic_asl56026>
$
cheers, a
-
Tell me what to do and I'll be happy to do it, especially if it means I get a pretty web interface and can help others in my situation. It'd also be nice to find a repair system for new firmware, if one exists...
-
maestro?! professional modem brickster, if any credit is due :-) :blush: i wouldn't like to borrow anyone's modem for that reason ???
Looking a bit closer at that interesting NOR flash region in the ECI..
The region starts at offset 0x40000 in uklad's dump and appears to run from 0x40000-0x4ffff. The 'sector size' for that address region (SA11) of the NOR device (Macronix MX29LV640EB) is 0x10000 (64KBytes). [1]
The flash region appears to hold the OpenRG board configuration partition. In the first few bytes it is labelled as such - "RGCFG1". As well as that gzip'ed CPE XML MIB file, the partition contains other configuration parameters including MAC addresses, country code, board hardware revision number, etc.
Other fields in the RGCFG1 config partition header include:
header length (0x00000080)
the XML MIB offset (0x00000126)
the XML MIB length (0x000008a4)
a checksum (perhaps 0x00043c62)
As we can see those values are all stored in big-endian format to match the platform.
$ dd if=ecinand8mb.bin skip=$((0x40000)) bs=1 | xxd -l $((0x125))
0000000: 5247 4346 4731 0000 0000 0000 0000 0000 RGCFG1..........
0000010: 0000 0080 0000 0126 0000 08a4 0004 3c62 .......&......<b
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000080: 6163 7469 7665 7265 6769 6f6e 3d32 0a63 activeregion=2.c
0000090: 6f75 6e74 7279 636f 6465 3d38 3430 0a68 ountrycode=840.h
00000a0: 7772 6576 3d41 310a 776c 616e 6d61 633d wrev=A1.wlanmac=
00000b0: 3543 3a33 333a 3845 3a38 343a 3839 3a44 5C:33:8E:84:89:D
00000c0: 420a 6c61 6e6d 6163 3d35 433a 3333 3a38 B.lanmac=5C:33:8
00000d0: 453a 3834 3a38 393a 4442 0a77 616e 6d61 E:84:89:DB.wanma
00000e0: 633d 3030 3a45 303a 3932 3a30 303a 3031 c=00:E0:92:00:01
00000f0: 3a34 300a 666c 6173 6873 7065 6564 3d36 :40.flashspeed=6
0000100: 3230 0a3d 3162 3635 6137 3232 3764 6565 20.=1b65a7227dee
0000110: 6561 3166 3763 6331 6433 6431 3234 6236 ea1f7cc1d3d124b6
0000120: 3162 3964 0a 1b9d.
The only reference to RGCFG1 in the entire userspace of the ECI firmware is in an 80KByte binary found under /usr/sbin/rgbin for which there is, naturally, no source code.
rgbin is one of those multi-entry binaries. From running strings against the rgbin binary, this looks like a relevant excerpt:
asbokid@home:~/eci_bfocus_squashfs-root/usr/sbin$ strings rgbin
[...]
%s version %d (block size: 0x%x)
Usage: %s {operation} {OPTIONS}
operation -
dump show nvram information.
upgrade upgrade the nvram to the latest format.
get get config from nvram.
save save config to nvram.
getmac get MAC address.
setmac set MAC address.
setenv set env. variable.
getenv get the value of env. var.
delenv delete env. varialbes.
dumpenv dump env. variables.
options -
-h show this help message.
-v verbose mode.
-n {nvram} nvram (mtd block) device.
-c {config file} configuration file.
-i {index} index. (zero based)
-s {message} message to set.
-e {var=val} environment variable.
-m {mode} 0 -> 00:80:c8:ab:cd:ef (lower case, colon seperated)
1 -> 00:80:C8:AB:CD:EF (upper case, colon seperated)
2 -> 00.80.c8.ab.cd.ef (lower case, dot seperated)
3 -> 00.80.C8.AB.CD.ED (upper case, dot seperated)
-f calculate & set flash programming speed. (@ setenv only)
BlockOffset=%d(0x%x), MaxSize=%d(0x%x)
header in nvram is version %d
config size = 0x%x (%d)
config checksum = 0x%x (%d)
config offset = 0x%x (%d)
header in nvram is invalid !
PROFILE
RGCFG0
RGCFG1
%d %d %x
config data is corrupted ! (checksum = 0x%x, should be 0x%x)
Signature = RGCFG1
env size = %d (0x%x)
config size = %d (0x%x)
config checksum = 0x%x
Burning %d bytes to nvram (offset:0x%x) !
header size : %d
config offset : %d
config size : %d
config checksum : 0x%x
burn done !!!
unable to open config file!
no config file specified!
unable to open nvram!
no nvram specified!
[...]
So /usr/sbin/rgbin appears to be the userspace utility for reading and writing the "NVRAM" area of flash. In the NVRAM area is that gzip'ed XML MIB file which contains the configuration parameters to disable LAN access and lock the device.
Importantly, through the use of a checksum, the rgbin tool can detect if the NVRAM region has been corrupted. So to modify the NVRAM contents of flash by manually overwriting that flash region will involve updating the checksum field as well.
EDIT: With serial console access, it should be possible to run /usr/sbin/rgbin to get and set the NVRAM config setting using the proper method.
EDIT2: That 32-bit field in the header of the configuration partition is indeed the checksum for the gzipped XML MIB file. See the output of the attached C program.
#include <stdio.h>
#include <stdlib.h>

/* Sums every byte of the given file as a 32-bit value. This is the
 * checksum stored in the RGCFG1 header for the gzipped XML MIB file. */
int main(int argc, char **argv) {
    FILE *fp = NULL;            /* initialised so badexit can test them safely */
    unsigned char *buf = NULL;
    long sz, i;
    unsigned int csum = 0;

    if (argc != 2) {
        printf("usage: %s <filename>\n", argv[0]);
        goto badexit;
    }
    if (!(fp = fopen(argv[1], "rb"))) {
        printf("Error reading file %s\n", argv[1]);
        goto badexit;
    }
    /* determine the file length */
    fseek(fp, 0L, SEEK_END);
    sz = ftell(fp);
    fseek(fp, 0L, SEEK_SET);
    if (sz < 0 || !(buf = malloc((size_t)sz))) {
        printf("Memory allocation error\n");
        goto badexit;
    }
    if (fread(buf, 1, (size_t)sz, fp) != (size_t)sz) {
        printf("Error reading %ld bytes from %s\n", sz, argv[1]);
        goto badexit;
    }
    printf("Read %08lx (%ld) bytes from %s\n", sz, sz, argv[1]);
    fclose(fp);
    fp = NULL;
    /* plain byte sum; wraps naturally at 32 bits */
    for (i = 0; i < sz; i++)
        csum += buf[i];
    printf("checksum of %s = %08x\n", argv[1], csum);
    free(buf);
    return 0;
badexit:
    if (fp)
        fclose(fp);
    if (buf)
        free(buf);
    return -1;
}
$ ./checksum eciconfig.gz
Read 000008a4 (2212) bytes from eciconfig.gz
checksum of eciconfig.gz = 00043c62
If all else fails, we can manually re-program that raw flash block with a new XML MIB file that is configured to re-enable LAN and web GUI access :P
Slowly getting there ???
cheers, a
[1] http://www.macronix.com/..MX29LV640ETBver13-1.3.pdf (http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/DBACA1C90564EBB248257639003A563A/$File/MX29LV640ETBver13-1.3.pdf) (see sector address table on page 9)
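To make the RGCFG1 header layout and the checksum rule concrete, here is an added Python example. It is not code from the thread and not the modem's own rgbin tool; it builds a constructed partition region in the same layout as the dump above (16-byte signature field, four big-endian 32-bit fields at 0x10 for header length, MIB offset, MIB length and MIB checksum, env text from 0x80, gzipped XML MIB after it), parses it back, verifies the byte-sum checksum that the C program computes, and reads an element from the decompressed MIB, which is what the dd/gunzip extraction in the earlier post does by hand. The env text and XML are constructed sample data, not uklad's dump. A region whose MIB has been altered without updating the checksum field is rejected, the same condition rgbin reports as "config data is corrupted".

```python
import gzip
import struct
import xml.etree.ElementTree as ET

HDR_LEN = 0x80            # header length as seen in the dump (0x00000080)
SIGNATURE = b"RGCFG1"


def byte_sum(data: bytes) -> int:
    """Checksum as stored in the header: plain sum of all bytes, mod 2**32."""
    return sum(data) & 0xFFFFFFFF


def build_rgcfg1(env: bytes, mib_gz: bytes) -> bytes:
    """Assemble a region in the observed layout. The MIB offset is
    header length + env length, matching 0x80 + 0xa6 = 0x126 in the dump."""
    mib_off = HDR_LEN + len(env)
    hdr = SIGNATURE.ljust(0x10, b"\0")
    hdr += struct.pack(">IIII", HDR_LEN, mib_off, len(mib_gz), byte_sum(mib_gz))
    hdr = hdr.ljust(HDR_LEN, b"\0")
    return hdr + env + mib_gz


def parse_rgcfg1(region: bytes) -> dict:
    """Parse the header, split out env variables and the raw gzipped MIB,
    and verify the checksum. Raises ValueError on bad signature or mismatch."""
    if region[:len(SIGNATURE)] != SIGNATURE:
        raise ValueError("bad signature: %r" % region[:16])
    hdr_len, mib_off, mib_len, csum = struct.unpack_from(">IIII", region, 0x10)
    env_text = region[hdr_len:mib_off].decode("ascii", "replace")
    env = dict(line.split("=", 1) for line in env_text.split("\n") if "=" in line)
    mib_gz = region[mib_off:mib_off + mib_len]
    actual = byte_sum(mib_gz)
    if actual != csum:
        raise ValueError("config data is corrupted (checksum = 0x%x, should be 0x%x)"
                         % (actual, csum))
    return {"header_len": hdr_len, "mib_offset": mib_off, "mib_len": mib_len,
            "checksum": csum, "env": env, "mib_gz": mib_gz}


def is_intact(region: bytes) -> bool:
    """True when the signature is present and the MIB checksum matches."""
    try:
        parse_rgcfg1(region)
        return True
    except ValueError:
        return False


def mib_value(mib_gz: bytes, path: str) -> str:
    """Gunzip the XML MIB and read one element, e.g. 'switch/lan_access_cpe_enable'."""
    root = ET.fromstring(gzip.decompress(mib_gz))
    node = root.find(path)
    if node is None:
        raise KeyError(path)
    return node.text or ""


# Constructed sample data (hypothetical values, not taken from the device).
SAMPLE_ENV = b"activeregion=2\ncountrycode=840\nhwrev=A1\nlanmac=00:11:22:33:44:55\n"
SAMPLE_XML = b"""<lantiq_vr9_generic_asl56026>
<switch><bypass_mode>0</bypass_mode><lan_access_cpe_enable>0</lan_access_cpe_enable></switch>
<sys><hostname>ECLVL05</hostname><telnetd>true</telnetd></sys>
</lantiq_vr9_generic_asl56026>"""
SAMPLE_MIB_GZ = gzip.compress(SAMPLE_XML, mtime=0)
SAMPLE_REGION = build_rgcfg1(SAMPLE_ENV, SAMPLE_MIB_GZ)


def tampered_region() -> bytes:
    """Flip one byte inside the gzipped MIB but leave the header alone:
    what a raw flash edit that forgets the checksum field looks like."""
    r = bytearray(SAMPLE_REGION)
    r[-1] ^= 0x01
    return bytes(r)


if __name__ == "__main__":
    info = parse_rgcfg1(SAMPLE_REGION)
    print("MIB at 0x%x, %d bytes, checksum 0x%08x"
          % (info["mib_offset"], info["mib_len"], info["checksum"]))
    print("lan_access_cpe_enable =", mib_value(info["mib_gz"], "switch/lan_access_cpe_enable"))
    print("tampered copy intact?", is_intact(tampered_region()))
```

To run it over a real dump, replace SAMPLE_REGION with the 64 KB slice starting at 0x40000 (the dd/xxd command above gives the first 0x125 bytes of it). The checksum is a plain byte sum, so it only detects accidental corruption; anyone who can write the NOR region can recompute it, which is why it should be read as an integrity check for rgbin, not as protection of the configuration.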
-
Tell me what to do and I'll be happy to do it, especially if it means I get a pretty web interface and can help others in my situation. It'd also be nice to find a repair system for new firmware, if one exists...
Hi again Ben..
Once you've gained a shell via the serial port.. your energies could be profitably focused on that tool for modifying the NVRAM configuration data of the modem..
It looks like you would need to modify one or two XML element values in the gzip'ed CPE MIB file that is found in the "RGCFG1" NVRAM board configuration partition of the flash.
Specifically, these are the element values which probably need changing..
<switch>
..
<lan_access_cpe_enable>0</lan_access_cpe_enable>
..
<port id="2">
<vid>102</vid>
<pri>7</pri>
<loopback>0</loopback>
<activate>0</activate>
<special_vlan>0</special_vlan>
</port>
</switch>
It may be that the XML MIB file needs to be gunzipped first.. bit of tinkering necessary there..
cheers, a
-
Sterling work there, asbokid. I'm mostly in awe, don't really understand everything you say, but am diligently reading your reports, and replicating your work locally.
If you don't mind my asking, where did you get your skills, and how long did it take :)
-
Tell me what to do and I'll be happy to do it, especially if it means I get a pretty web interface and can help others in my situation. It'd also be nice to find a repair system for new firmware, if one exists...
Hi again Ben..
Once you've gained a shell via the serial port.. your energies could be profitably focused on that tool for modifying the NVRAM configuration data of the modem..
It looks like you would need to modify one or two XML element values in the gzip'ed CPE MIB file that is found in the "RGCFG1" NVRAM board configuration partition of the flash.
Specifically, these are the element values which probably need changing..
<switch>
..
<lan_access_cpe_enable>0</lan_access_cpe_enable>
..
<port id="2">
<vid>102</vid>
<pri>7</pri>
<loopback>0</loopback>
<activate>0</activate>
<special_vlan>0</special_vlan>
</port>
</switch>
It may be that the XML MIB file needs to be gunzipped first.. bit of tinkering necessary there..
There appears to be a dedicated tool for modifying the XML MIB file [1] in the ECI modem..
The tool is found at /usr/sbin/xmldbc
Here are the command line options for xmldbc:
Usage: xmldbc version 2 [OPTIONS]
-h show this help message.
-H show version number.
-v verbose mode.
-a dump database include runtime and tmp.
-i ignore external function (like runtime).
-g {node path} get value from {node path}.
-s {node path} {value} set {value} in {node path}.
-d {node path} delete {node path}.
-l {XML file} reload XML file to database.
-f {XML file} set XML file to database.
-D {XML file} dump database to XML file.
-S {unix socket} specify unix socket name, default is /var/run/xmldb_sock
-A {ephp file} embeded php parse.
-V {name=value} variable for ephp.
-x {command} set extended get/set command.
-t {tag:sec:command} schedule a timer.
-k {tag} kill timers by tag.
The xmldbc tool has all the commands needed to set the elements (nodes) in the XML MIB of the ECI to re-enable LAN-side access and the web GUI.
It would probably be easiest to enable DHCP on the ECI as well, and let it assign the PC an IP address.
This is on the brink of success..
cheers, a
[1] http://en.wikipedia.org/wiki/Management_information_base
-
Hi.. An important correction...
The flash memory IC on the PCB of the ECI is a Macronix MX29LV640EB. [1] That is a NOR flash device rather than a NAND device...
As such, the IC utilises the Common Flash Interface (CFI) rather than the Open NAND flash interface (ONFI)...
On a second note..
Just a quick observation..
Whoever built the firmware for the ECI also patched the U-Boot loader to use RSA authentication.
We can see that from the boot log dumps that uklad posted to this thread. [2] [3]
Have RSA magic !!!
Image at B0051060:
Image Name: MIPS Linux-2.6.20
..
Have RSA magic !!!
Image at B03F1060:
Image Name: MIPS Linux-2.6.20
..
## Booting image from active region 2 at b03f0000 ...
Check RSA image magic--OK!
Please type [setenv rsa_check 1] !!!
..
RSA_CHECK: 0
Fortunately, it looks like RSA authentication is present but disabled.
RSA authentication of firmware is not a standard part of U-Boot. [4] It was patched into the ECI firmware by persons unknown. But it looks like this developer might have an idea who did it. [5] At the time (July 2009) he was working for SAGEM. [6]
From that mailing list thread, it's clear that Wolfgang Denk, the U-Boot developer, was resistant to the idea of RSA authentication of firmware.
Nevertheless, the code somehow wormed its way into the firmware of the ECI kit supplied as VDSL2 CPE by BT Openreach.
U-Boot is GPL licensed, so this modification for RSA is a violation of the terms under which its use is granted.
cheers, a
[1] http://www.macronix.com/../MX29LV640ETBver13-1.3.pdf (http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/DBACA1C90564EBB248257639003A563A/$File/MX29LV640ETBver13-1.3.pdf)
[2] http://forum.kitz.co.uk/index.php/topic,10635.msg209378.html#msg209378
[3] http://forum.kitz.co.uk/index.php/topic,10635.msg209377.html#msg209377
[4] http://git.denx.de/?p=u-boot.git;a=tree;f=doc/uImage.FIT
[5] http://lists.denx.de/pipermail/u-boot/2009-July/057169.html
[6] http://www.doyoubuzz.com/cyrille-francois
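To show what standard U-Boot actually checks on those "Image at B0051060" headers, and therefore what the vendor's RSA patch adds on top, here is an added Python example; it is not from the thread or from U-Boot itself. It parses the 64-byte legacy uImage header that binwalk reported in the first post (magic, header CRC, timestamp, size, load and entry addresses, data CRC, OS/arch/type/compression bytes, name) and verifies both CRC32 fields the way U-Boot's image checks do. The enumeration values (OS 5 = Linux, arch 5 = MIPS, type 2 = kernel, 5 = firmware, compression 3 = lzma) are from U-Boot's include/image.h; the flash dump it scans is constructed sample data with made-up payloads and offsets, not uklad's dump.

```python
import struct
import zlib

IH_MAGIC = 0x27051956
IH_HDR_LEN = 64
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
IH_FMT = ">IIIIIIIBBBB32s"

# Enumerations from U-Boot include/image.h (only the values seen in the thread)
IH_OS = {5: "Linux"}
IH_ARCH = {5: "MIPS"}
IH_TYPE = {2: "OS Kernel Image", 5: "Firmware Image"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def make_uimage(payload: bytes, name: str, load: int, ep: int,
                os_: int = 5, arch: int = 5, itype: int = 2, comp: int = 3,
                ctime: int = 0) -> bytes:
    """Build a legacy uImage. The header CRC is computed over the header
    with its own hcrc field set to zero, then written back into it."""
    hdr = struct.pack(IH_FMT, IH_MAGIC, 0, ctime, len(payload), load, ep,
                      crc32(payload), os_, arch, itype, comp,
                      name.encode().ljust(32, b"\0"))
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]
    return hdr + payload


def parse_uimage(blob: bytes, offset: int = 0) -> dict:
    """Decode the header at offset and check both CRCs (what U-Boot's
    'Verifying Checksum' step does). Returns fields plus header_ok/data_ok."""
    raw = blob[offset:offset + IH_HDR_LEN]
    if len(raw) < IH_HDR_LEN:
        raise ValueError("truncated header")
    (magic, hcrc, ctime, size, load, ep, dcrc,
     os_, arch, itype, comp, name) = struct.unpack(IH_FMT, raw)
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    zeroed = raw[:4] + b"\0\0\0\0" + raw[8:]
    data = blob[offset + IH_HDR_LEN:offset + IH_HDR_LEN + size]
    return {
        "name": name.rstrip(b"\0").decode(),
        "size": size, "load": load, "entry": ep, "time": ctime,
        "os": IH_OS.get(os_, os_), "arch": IH_ARCH.get(arch, arch),
        "type": IH_TYPE.get(itype, itype), "comp": IH_COMP.get(comp, comp),
        "header_ok": crc32(zeroed) == hcrc,
        "data_ok": len(data) == size and crc32(data) == dcrc,
    }


def find_uimages(blob: bytes) -> list:
    """Scan a dump for every uImage magic, as binwalk does, and parse each."""
    hits = []
    magic = struct.pack(">I", IH_MAGIC)
    pos = blob.find(magic)
    while pos != -1:
        try:
            hits.append((pos, parse_uimage(blob, pos)))
        except ValueError:
            pass
        pos = blob.find(magic, pos + 1)
    return hits


# Constructed sample dump: erased-flash padding, a kernel image, more padding,
# then a firmware image. Payloads and offsets are made up.
SAMPLE_KERNEL = b"\x5d\x00\x00\x80\x00" + bytes(range(256)) * 4
SAMPLE_DUMP = (b"\xff" * 0x100
               + make_uimage(SAMPLE_KERNEL, "MIPS Linux-2.6.20", 0x80002000, 0x802CD000)
               + b"\xff" * 0x40
               + make_uimage(b"u-boot" * 10, "u-boot image", 0xA0400000, 0xA0400000,
                             itype=5))


def tamper_payload(dump: bytes, img_off: int) -> bytes:
    """Flip one payload byte of the image at img_off; the header is untouched."""
    d = bytearray(dump)
    d[img_off + IH_HDR_LEN + 3] ^= 0x80
    return bytes(d)


if __name__ == "__main__":
    for off, img in find_uimages(SAMPLE_DUMP):
        print("0x%x %-20s %s/%s %s crc header=%s data=%s"
              % (off, img["name"], img["arch"], img["os"], img["comp"],
                 img["header_ok"], img["data_ok"]))
    t = parse_uimage(tamper_payload(SAMPLE_DUMP, 0x100), 0x100)
    print("tampered kernel: header_ok=%s data_ok=%s" % (t["header_ok"], t["data_ok"]))
```

The data CRC catches a corrupted or truncated image, which is all the stock bootloader verifies before jumping to the entry point; anyone who can rewrite the flash simply recomputes both CRCs, so this is integrity, not authenticity. That gap is what an RSA signature check over the image closes, and it is why a check that is present but gated behind rsa_check=0 (as in uklad's boot log) offers no more assurance than the CRCs alone.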
-
Asbokid i just dropped you an email... let me know what you think ...
-
I have been in contact with the FSF about our device violating the GPL multiple times, they are working on it. Also, I am yet to receive my converter because I'm foolish, it's bank holiday today and last Friday, hence no post. I should get it tomorrow or the day after.
-
Following this with great interest as said modem is currently powering my FTTC service.
Given what asbo has said, I believe that it's possible to connect by UART and use xmldbc to modify the configuration to enable LAN side access. If this is indeed the case, then all of you guys in this thread have worked yet another miracle between you. Although I don't currently see that this will aid any user that cannot add the required port to the ECI, I am of the (hopeful) opinion that once it's unlocked, someone may find a loophole in much the same way as asbo did for the HG612 to be able to upload over ethernet.
If not, I am quite prepared to wave my soldering iron once again, although the prospect of SWMBO being unable to access FB does fill me with dread should I lift a pad or bridge something :o
If this is gonna be my only option (other than buying an HG612), if someone could provide details of the needed cables etc I would be more than grateful. Perhaps I'm being lazy here and should just review the thread, but I don't want to jump in and then find I should have got something else.
Basically, I just want to be sure of what I'm doing before I do it !!!
Thanks for your attention
BE
-
Blackeagle: we are not there yet but making progress. Judging by what we have found so far, even if asbokid unlocks the firmware file I cannot find any means of flashing the firmware without having access to the UART console. Anyway, work continues..
-
Blackeagle: we are not there yet but making progress. Judging by what we have found so far, even if asbokid unlocks the firmware file I cannot find any means of flashing the firmware without having access to the UART console. Anyway, work continues..
NP uklad. I may have just sourced myself an unlocked Huawei HG612, leaving me time and space to play with the ECI !!
As an aside, I have found a source for the Dare DB120 but it would still need translating to English, which won't happen for a month or so.
Keep up the good work bud !!
Regards
BE
-
As an aside, I have found a source for the Dare DB120 but it would still need translating to English, which won't happen for a month or so.
That will be interesting. :) And will be worth a thread of its own!
-
Looks like Openreach have released code for the ECI
http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do
scroll down to Openreach Modems @ OTN's
Or here is the direct download link - http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
-
Looks like Openreach have released code for the ECI
http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do
scroll down to Openreach Modems @ OTN's
Or here is the direct download link - http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
Thank you for posting that, Josh. Well spotted!
Thank you to BT Openreach as well.
Frustratingly...the tarball (inside the zip) is corrupted, but hopefully someone at Openreach will soon remedy that.
cheers, a
p.s. uklad asked me to report that we've successfully unlocked his ECI via the UART. All credit to uklad for breaking the camel's back :)
Here are a couple of screenshots. The ECI has a really nice GUI. Great shame that it's hidden away from sight :-X
Maybe we can now do some performance tests to compare the ECI and the HG612.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww4.picturepush.com%2Fphoto%2Fa%2F8002527%2F640%2F8002527.png&hash=f079a267f7ae3ce80c82d895fdb7c6a43aa34f54)
Setup | Wizard (http://picturepush.com/public/8002527)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww4.picturepush.com%2Fphoto%2Fa%2F8002542%2F640%2F8002542.png&hash=eee294a558c751ee21210915c970162030f6825b)
Setup | WAN (connection #1) (http://picturepush.com/public/8002542)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww5.picturepush.com%2Fphoto%2Fa%2F8002573%2F640%2F8002573.png&hash=d7b43c982813c1e8965f6759dc682b5bf2afa7e4)
Status | Device Info (http://picturepush.com/public/8002573)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww4.picturepush.com%2Fphoto%2Fa%2F8002597%2F640%2F8002597.png&hash=74e30d2f1bc994d0097512a88dbee4af24f4e074)
Status | Device Info (http://picturepush.com/public/8002597)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww4.picturepush.com%2Fphoto%2Fa%2F8002607%2F640%2F8002607.png&hash=a120f989de7bbaf01e3cc36a3198440697e5347f)
Port Scan (http://picturepush.com/public/8002607)
More screenshots at: http://hackingecibfocusv2fubirevb.wordpress.com/
-
The GUI seems exactly the same layout as used on the Dlink 2640B and 2740B series of ADSL routers.
-
Frustratingly...the tarball (inside the zip) is corrupted, but hopefully someone at Openreach will soon remedy that.
There only seems to be one header file missing: vr.3048/boards/lantiq_vr9/bootcode/include/asm-mips/arch-mips
All the rest is recoverable from the archive.
-
Great work guys ;)
Would it be possible to unlock the modem via the second Lan port?
-
Frustratingly...the tarball (inside the zip) is corrupted, but hopefully someone at Openreach will soon remedy that.
There only seems to be one header file missing: vr.3048/boards/lantiq_vr9/bootcode/include/asm-mips/arch-mips
All the rest is recoverable from the archive.
A lot more than one file is corrupted :'(
Nearly 75% of the gzipped tar archive (contained within the zip) is corrupted.
The .tar.gz file (contained within the zip) should be 89,684,840 bytes in length.
However, from byte 22,020,096 (0x1500000) onwards in that .gz, is all zero:
asbokid@l502x:~/eci_gpl$ wget http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
--2012-04-10 17:02:34-- http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
Resolving www.openreach.co.uk (www.openreach.co.uk)... 217.140.45.11
Connecting to www.openreach.co.uk (www.openreach.co.uk)|217.140.45.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22016583 (21M) [application/zip]
Saving to: `eci_alpha1B_VDSL_3048.zip'
100%[===============================================================================================>] 22,016,583 1.39M/s in 20s
2012-04-10 17:02:55 (1.04 MB/s) - `eci_alpha1B_VDSL_3048.zip' saved [22016583/22016583]
asbokid@l502x:~/eci_gpl$ md5sum eci_alpha1B_VDSL_3048.zip
2016cacd7b7bd67da645f6dac57cd970 eci_alpha1B_VDSL_3048.zip
asbokid@l502x:~/eci_gpl$ unzip -v eci_alpha1B_VDSL_3048.zip
Archive: eci_alpha1B_VDSL_3048.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
89684840 Defl:N 22016395 76% 2012-03-16 08:08 7a4f3ff3 ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz
-------- ------- --- -------
89684840 22016395 76% 1 file
asbokid@l502x:~/eci_gpl$ unzip -t eci_alpha1B_VDSL_3048.zip
Archive: eci_alpha1B_VDSL_3048.zip
testing: ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz OK
No errors detected in compressed data of eci_alpha1B_VDSL_3048.zip.
asbokid@l502x:~/eci_gpl$ unzip eci_alpha1B_VDSL_3048.zip
Archive: eci_alpha1B_VDSL_3048.zip
inflating: ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz
asbokid@l502x:~/eci_gpl$ ls -l
total 109088
-rw-r--r-- 1 asbokid asbokid 89684840 Mar 16 08:08 ECIALPHA1B_VDSL_3048_Mar_2012.tar.gz
-rw-r--r-- 1 asbokid asbokid 22016583 Mar 20 08:02 eci_alpha1B_VDSL_3048.zip
asbokid@l502x:~/eci_gpl$ md5sum ECI\ ALPHA1B_VDSL_3048_Mar_2012.tar.gz
2cfa0976bd4318125200a7115c28380e ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz
asbokid@l502x:~/eci_gpl$ gunzip -t ECI\ ALPHA1B_VDSL_3048_Mar_2012.tar.gz
gzip: ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz: unexpected end of file
asbokid@l502x:~/eci_gpl$ dd bs=1 skip=$((0x14fff00)) if=ECI\ ALPHA1B_VDSL_3048_Mar_2012.tar.gz | xxd -l $((0x200))
0000000: 2004 72b1 c063 21ec 88c4 65f3 222e 053b .r..c!...e."..;
0000010: a63b 1817 5974 cb38 212f 3728 8c3c 156d .;..Yt.8!/7(.<.m
0000020: cfec eff1 7df5 7bda 4b04 8dd3 ee22 d2e6 ....}.{.K...."..
0000030: 04c4 9a37 2d8a cf48 cb7a de7a 81cb ea34 ...7-..H.z.z...4
0000040: b2ed efc1 db0c 73e9 dee4 e379 3100 7665 ......s....y1.ve
0000050: 3a1f b183 a2c9 3aaf 4920 c678 2f8f e1a6 :.....:.I .x/...
0000060: a6b0 06b9 4dae 00f7 6d37 2b0a f23f 54ff ....M...m7+..?T.
0000070: 458e 760e b7ee e759 3a1d dc7d ce77 30b2 E.v....Y:..}.w0.
0000080: 219a bf29 9514 13d4 7360 24d4 0806 cc19 !..)....s`$.....
0000090: 1035 4c05 83ed 74c7 c38e e037 47e8 f484 .5L...t....7G...
00000a0: dd24 3411 75ad a016 e0fb 4077 87e2 c988 .$4.u.....@w....
00000b0: 0c00 1aae baf3 017e 19ab e55d 24cc 0cee .......~...]$...
00000c0: 4ecd 1013 f489 6852 0bec 648b 9908 a6d9 N.....hR..d.....
00000d0: 6683 d985 3a88 d61c a807 f139 f0cb 2d33 f...:......9..-3
00000e0: 74c0 994c d3e2 1ad3 7971 3a0b 3e90 9858 t..L....yq:.>..X
00000f0: 181a e9ce 807d 81af f6c6 6839 933c 9709 .....}....h9.<..
0000100: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000130: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000140: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000180: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
...
Hopefully Openreach will notice the problem ASAP :)
cheers, a
-
p.s. uklad asked me to report that we've successfully unlocked his ECI via the UART. All credit to uklad for breaking the camel's back :)
Excellent news! :thumbs: :clap: :clap2: :dance: :silly:
Congratulations to the pair of you. :drink:
-
@ uklad & asbokid,
As you are aware we shall be ready and waiting in Ewhurst when eventually we have some service availability.
VERY well done !
Kind Regards,
Walter
-
Seems my serial adapter will be just for my benefit, unless there is still something I could help with. Nice work none the less.
-
Well done, the pair of you! I'll be following suit as soon as my serial link arrives.
The next step [ed.] chapter, surely, is to have something completely Free on there?
-
Seems my serial adapter will be just for my benefit, unless there is still something I could help with. Nice work none the less.
Hi Ben,
If you fancy a look, AlphaNetwork's tweak of the LZMA algorithm needs documenting with the aim of reverse engineering it. It is used in dozens of different routers to lock down the file systems.
Or maybe you're interested in the btagent remote management tool that is found in the ECI firmware? The same tool is used in the Huawei HG612, the Home Hub 3.0a (and probably the Business Hub 3.0 and maybe the HH 3.0b). The tool relies on an RSA-1024 key for security, so a brute-force attack is "currently infeasible", but maybe there are implementation flaws :no:
Lots of exciting opportunities!
cheers, a
-
Great work guys ;)
Would it be possible to unlock the modem via the second Lan port?
It may be possible to squirt a modified firmware using TFTP at initial power-up via U-Boot. Right now it's not worth me looking into that until we have a working unlocked firmware, something that asbokid is still working on.
-
Great work guys ;)
Would it be possible to unlock the modem via the second Lan port?
Hi Josh,
Probably not. Not unless the bootloader has a network backdoor. Another possibility is to crack the btagent remote management tool (which is accessible LAN-side via udp/161). Slim prospect of success there though.
For those who don't want to solder to the PCB, maybe a strip of right angled header pins could be taped temporarily to the solder pads for the UART port.
cheers, a
EDIT: port 161 not 169..
-
Cheers a,
guess I'm out of luck then lol, I am terrible with a soldering iron. :lol:
-
@ asbokid,
I think you've just invented a reason for somebody to develop a conducting glue to be dispensed from a hypodermic type of applicator.
Kind regards,
Walter
-
@ asbokid,
I think you've just invented a reason for somebody to develop a conducting glue to be dispensed from a hypodermic type of applicator.
Kind regards,
Walter
already exists !!
http://www.ecrater.co.uk/p/7983362/silver-conductive-glue
-
Quite astonishing UKLad !
Now all we need is the robot and surgeon's microscope.
Kind regards,
Walter
-
Right so, got myself a uart connection, YAY. I've modded the config file as per the wordpress guide (you missed gzipping the config file btw). Is there anyway to set the web interface to lan 2 and the bridge to lan 1, or vice versa? I have it up on lan 1 currently, which is great, until I want to use the internet.
-
Right so, got myself a uart connection, YAY. I've modded the config file as per the wordpress guide (you missed gzipping the config file btw) but I can't work out how to connect to the web interface...
Make sure you are connected to Lan2 and the dsl is not connected !! see below..
I think I may have found a flaw in our unlock. It looks like when the Home Hub or any other router establishes the PPPoE connection to BT via LAN 1, the br0 IP address gets changed, thus losing connectivity to the web interface on LAN 2. Going to try and look into this tonight..
-
Hmm, well what I've done has given me the web interface on lan 1....
-
Hmm, well what I've done has given me the web interface on lan 1....
You should also get it on LAN 2, but I fear you may lose it once connected to the internet..
-
It's all good, with a bit of OpenWRT foo I've succeeded in being able to access the lan 1 web interface while also using lan 1 for PPPoE. http://wiki.openwrt.org/doc/howto/access.modem.through.nat The test_agent executable is interesting too... test_agent config seems to reveal the tr-069 url, maybe we could fake the server by running a dns server locally and "fool" the modem into taking our commands? Also, is there any way to get like stats? I haven't found any xdsl binary.
-
The test_agent executable is interesting too... test_agent config seems to reveal the tr-069 url, maybe we could fake the server by running a dns server locally and "fool" the modem into taking our commands?
TR-069 spoofing is something I have been occasionally thinking about . . . :-\
-
It seems to be quite open, so long as we can pretend to be the correct server...
-
My understanding is --
The modem/router will make contact with the Evil Empire, at designated times, and say: "I'm here. It's me. This is my status, current configuration and firmware. Is there anything you wish to do?"
The Evil Empire may reply: "Noted. Now bog off!"
At the next contact initiated by the modem/router, the Empire may say: "Yes. I have a little something for you. Let me have control."
The modem/router sets itself into recipient mode and says: "You have control."
The Evil Empire then initiates contact with the modem/router via the designated port and proceeds to molest, nay ravish, the CPE. :o
There are references regarding TR-069 "out there" (sorry, I don't have any links to hand) but each Empire can implement the technique in its own way. The concept of the technique is clearly defined, the precise details are proprietary.
If you now have sight of some (or all) of the inner workings, then analysis and documentation of the algorithm will be very useful. ;)
-
(you missed gzipping the config file btw)
Oops! Thanks for pointing it out. Duly corrected!
is there any way to get like stats? I haven't found any xdsl binary.
/usr/sbin/dsl_cpe_control looks promising. Please report back with info!
cheers, a
-
There are references regarding TR-069 "out there" (sorry, I don't have any links to hand) but each Empire can implement the technique in its own way. The concept of the technique is clearly defined, the precise details are proprietary.
http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf (http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf)
-
Alpha # dsl_cpe_control -h
DSL_CPE: Welcome to DSL CPI API control application
DSL_CPE: usage: [options]
DSL_CPE: following options are available:
DSL_CPE: --help (-h) - help screen
DSL_CPE: --version (-v) - display version
DSL_CPE: --init (-i) - init device w/ <xtu> Bits seperated by underscore (e.g. -i05_01_04_00_04_01_00_00)
DSL_CPE: --low_cfg (-l) - low level configuration file
DSL_CPE: --console (-c) - start console
DSL_CPE: --event_cnf (-e) - configure instance activation handling <enable/disable>[_mask] (e.g. -e1_1)
DSL_CPE: --msg_dump (-m) - enable message dump
DSL_CPE: --auto_scr_1 (-a) - autoboot start script for ADSL (empty by default)
DSL_CPE: --auto_scr_2 (-A) - autoboot start script for VDSL (empty by default)
DSL_CPE: --firmware1 (-f) - firmware file, default /opt/ifx/firmware/xcpe_hw.bin
DSL_CPE: --notif (-n) - notification script name, default ./xdslrc.sh
DSL_CPE: --tcpmsg (-t) - enable dbgtool, listen only on <ipaddr> (optional, e.g. -t0.0.0.0)
DSL_CPE: --multimode (-M) - set multimode config -M<NextMode>_<AdslSubPref> (e.g. -M1_1)
DSL_CPE: --tc-layer (-T) - set TC-Layer options -T<TcLayer>_<TcConfigUs>_<TcConfigDs> (e.g. -T2_0x3_0x1)
Whatever command I run it seems to kill my telnet session... Maybe it's because of how I have routing set up, I'll try something else...
This may be of interest http://pastebin.com/2D4NW2HR . In addition, if you look through /www/ there are a lot of hidden web pages, unfortunately none have any statistics.
http://svn.dd-wrt.com:8000/browser/src/router/dsl_cpe_control/src/dsl_cpe_control.c?rev=15977 seems to give us source for the dsl_cpe_control utility.
-
http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf (http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf)
Thank you for providing the link to the document. Team-work prevails, once again. I just couldn't lay my paws on it at the time of my previous post. :)
-
Alpha # dsl_cpe_control -h
DSL_CPE: Welcome to DSL CPI API control application
DSL_CPE: usage: [options]
DSL_CPE: following options are available:
DSL_CPE: --help (-h) - help screen
DSL_CPE: --version (-v) - display version
DSL_CPE: --init (-i) - init device w/ <xtu> Bits seperated by underscore (e.g. -i05_01_04_00_04_01_00_00)
DSL_CPE: --low_cfg (-l) - low level configuration file
DSL_CPE: --console (-c) - start console
DSL_CPE: --event_cnf (-e) - configure instance activation handling <enable/disable>[_mask] (e.g. -e1_1)
DSL_CPE: --msg_dump (-m) - enable message dump
DSL_CPE: --auto_scr_1 (-a) - autoboot start script for ADSL (empty by default)
DSL_CPE: --auto_scr_2 (-A) - autoboot start script for VDSL (empty by default)
DSL_CPE: --firmware1 (-f) - firmware file, default /opt/ifx/firmware/xcpe_hw.bin
DSL_CPE: --notif (-n) - notification script name, default ./xdslrc.sh
DSL_CPE: --tcpmsg (-t) - enable dbgtool, listen only on <ipaddr> (optional, e.g. -t0.0.0.0)
DSL_CPE: --multimode (-M) - set multimode config -M<NextMode>_<AdslSubPref> (e.g. -M1_1)
DSL_CPE: --tc-layer (-T) - set TC-Layer options -T<TcLayer>_<TcConfigUs>_<TcConfigDs> (e.g. -T2_0x3_0x1)
Ahh. maybe it's another multi-call binary that presents a different set of command line options depending on how it's invoked (argv[0]) ? Just a guess.
uklad has commandeered his ECI now, so no more playing with it for me :(
However, if I've got the gist right..
the CPU in the ECI is a dual core - a MIPS32 and an unknown 32-bit DSP engine - in all probability another MIPS32 with extensions to the instruction set to provide DSP hardware functionality.
The MIPS32 core#1 runs the MIPS Linux operating system. The hardware driver blob aka 'firmware' (/ifx/vdsl2/xcpe_hw.bin) for the second core is loaded by the control core (core#1) into shared memory, and the execution of that code by core#2 is started.
The Linux kernel has a loadable kernel module (/ifx/vdsl2/drv_dsl_cpe_api.ko) which provides an interface from userspace to the kernel by way of a character device (/dev/dsl_cpe_api). It is through this interface that the line statistics from the DSP32 core are obtained. There should be a userspace binary that invokes system calls (read/write/ioctl) on that device. The embedded webserver must be invoking such calls, either directly, or via some middleware (i.e. that xmldb thing).
It's much the same in the Broadcom-chipset Huawei. A userspace binary called xdslcmd is used to invoke ioctl() system calls on /dev/bcmadsl0 to obtain various xdsl stats. The Linux kernel passes these calls to an ioctl de-multiplexer in the device driver, which obtains the stats from the hardware driver (the firmware blob) running on the DSP core. This is via some form of inter-process communication (IPC), semaphores, shared memory or message passing.
This may be of interest http://pastebin.com/2D4NW2HR . In addition, if you look through /www/ there are a lot of hidden web pages, unfortunately none have any statistics.
Ahh. server-side scripting fudged together with javascript. It's very similar to the Huawei, except the ECI also uses that XML database for storing realtime data. [1]
In the excerpt of code below, we can see the embedded servlet function ConfigGetArray().
The servlet parsing engine in the embedded webserver replaces everything within the delimiters <? and ?> with the return value from the ConfigGetArray function.
And the ConfigGetArray() function must query the XML database for the statistic, in this case to obtain the line attenuation for frequency band 0.
..
var StLineAttenuation = new Array();
..
/* Line Attenuation*/
StLineAttenuation[0] = <?ConfigGetArray(/runtime/vdsl2/line/band:0/,lnatten/up,lnatten/down)?>;
You could directly obtain that statistic using xmldbc, with something like this:
xmldbc -g /runtime/vdsl2/line/band:0/lnatten/down
To get a bit closer to the kernel.. you could build strace and monitor the system calls made by xmldbc (et al) as that command is invoked. This will uncover how to communicate directly with the kernel device driver. However the API will be documented in the source code for the drv_dsl_cpe_api device driver.
Also, take a close look at the -a command line option of xmldbc. It will dump the database contents including runtime and temporary data. That could reveal the XML node names for the tonemap data.
Since I haven't got access to an ECI any more, it is with great regret that I must bow out of the hack-fest, but with the reassurance that it is left in the competent hands of uklad and yourself :)
http://svn.dd-wrt.com:8000/browser/src/router/dsl_cpe_control/src/dsl_cpe_control.c?rev=15977 seems to give us source for the dsl_cpe_control utility.
Aha.. I saw that in the corrupted source tarball published by Openreach. :police:
cheers, a
EDIT: Bit of info in the openwrt.org development mailing list. Note how you read and write to a pipe to send commands to the dsl_cpe_control daemon to request and receive stats from the xdsl layer. That will be for the AR9 (Lantiq's ADSL2 SOC family) but it's probably very similar for the VR9 (VDSL2.chipset family including the VRX268). [2]
[1] http://www.psidoc.com/showthread.php/635-busybox-quot-httpd-quot-help-needed-hacking-a-router
[2] https://lists.openwrt.org/pipermail/openwrt-devel/2012-January/013602.html
-
http://pastie.org/private/andzysdm8hhmse2groohw
xmldbc -D /tmp/db.xml -a
As you can tell a lot of data is missing for some reason. However that pipe works PERFECTLY. The command set is listed with the command "help". http://pastie.org/private/uxkq541nllsply2evizxw and it seems to work much the same as the DSL version :D
Alpha # echo "g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=178 SNR=64 ATTNDR=42533120 ACTPS=-901 ACTATP=55
for example. Still a sucky way to interface, but at least it does work :) From this we SHOULD be able to make our own shell script to get data.
Kept on poking. First is downstream rate, second is upstream, third is downstream line stats, fourth is upstream line stats.
Alpha # echo "g997csg 0 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nChannel=0 nDirection=1 ActualDataRate=39992000 PreviousDataRate=0 ActualInterleaveDelay=0 ActualImpulseNoiseProtection=0
Alpha # echo "g997csg 0 0" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nChannel=0 nDirection=0 ActualDataRate=8448000 PreviousDataRate=0 ActualInterleaveDelay=0 ActualImpulseNoiseProtection=0
Alpha # echo "g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=177 SNR=65 ATTNDR=42428544 ACTPS=-901 ACTATP=55
Alpha # echo "g997lsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=0 nDeltDataType=1 LATN=0 SATN=0 SNR=62 ATTNDR=8650125 ACTPS=-901 ACTATP=109
After reading through that script more, all the line stats need dividing by ten. That gives me a downstream attenuation of 23.1dB and SNR of 6.5dB, and an upstream attenuation of 0dB? and 6.2dB SNR.. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..
My latest speedtest is
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fspeedtest.net%2Fresult%2F1892009060.png&hash=b3396d48b0f09e0c7d45312445b57b83a4ff06a9)
and that's pre 80/20. I have a forecast date of Monday for that.
-
Since I haven't got access to an ECI any more, it is with great regret that I must bow out out of the hack-fest but with the reassurance that it is left in the competent hands of uklad and yourself
I can make mine available to you again just it cannot be live on DSL at the same time.. but the offer of a loan still stands..
-
I can provide an ssh tunnel to my home server which has telnet access to my modem if it's really necessary..
-
http://pastie.org/private/andzysdm8hhmse2groohw
xmldbc -D /tmp/db.xml -a
As you can tell a lot of data is missing for some reason. However that pipe works PERFECTLY. The command set is listed with the command "help". http://pastie.org/private/uxkq541nllsply2evizxw and it seems to work much the same as the DSL version :D
Alpha # echo "g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=178 SNR=64 ATTNDR=42533120 ACTPS=-901 ACTATP=55
for example. Still a sucky way to interface, but at least it does work :) From this we SHOULD be able to make our own shell script to get data.
Whayhay! Good find, Ben! Do the values correspond with the stats in the web interface of the ECI? Maybe the missing values are populated once the device has had a reasonably long uptime?
After reading through that script more, all the line stats need dividing by ten. That gives me a downstream attenuation of 23.1dB and SNR of 6.5dB, and an upstream attenuation of 0dB? and 6.2dB SNR.. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..
God knows! It doesn't sound very good though. Paul (Bald_Eagle) is the man with the answers. He has officially studied more VDSL2 connection stats than the rest of us have had hot dinners!
I can provide an ssh tunnel to my home server which has telnet access to my modem if it's really necessary..
I can make mine available to you again just it cannot be live on DSL at the same time.. but the offer of a loan still stands..
That's very generous of you both :)
The main interest is the LZMA tweak to the Linux kernel driver for squashfs. The tweak needs to be cracked before a fully functional file system can be re-built (in our own graven image) for the ECI. To that end, we need to dump the uncompressed form of the files that we couldn't uncompress with the open source tools.
It was hoped that this could be done with a shell script on the ECI. However the shell provided by Busybox in the ECI firmware is the lightweight msh (the Minix shell). It is very pared down so it's missing too much functionality to be useful.
The alternative is to build some native MIPS code to do the file system dumping. To build this code, there's a pre-built GNU cross-compiling toolchain for the Lantiq XWAY AR9 CPUs which should be okay for the VR9 series. It might take a little while to sort that out though. Hopefully before then Openreach will have repaired that dodgy tarball of GPL'ed code for the ECI. The tarball may well contain a toolchain.
cheers, a
-
After reading through that script more, all the line stats need dividing by ten. That gives me a downstream attenuation of 23.1dB and SNR of 6.5dB, and an upstream attenuation of 0dB? and 6.2dB SNR.. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..
God knows! It doesn't sound very good though. Paul (Bald_Eagle) is the man with the answers. He has officially studied more VDSL2 connection stats than the rest of us have had hot dinners!
The Huawei HG612 splits attenuation/SNR etc. across the band plans & reports 0dB in its GUI where a value would be expected.
Is the ESI stats snippet posted (LATN=231 SATN=178 SNR=64 ) the only combined value shown for all the downstream band plans?
If so, I THINK it seems to report the stats in a similar way to the FritzBox! 3930.
I THINK the FritzBox! also reports 0dB for upstream attenuation.
What sync speeds are being achieved & how do they compare against Attainable Rates?
If there is not much difference between them, that COULD explain the low(ish) SNR values (assuming it really means SNR Margin).
High Attainable speed connections, still capped at 40Mb show SNRM values of up to 30dB or so.
My connection that struggles to achieve more than 30Mb (sync & attainable) has a value usually of 6dB (quite often less).
-
After reading through that script more, all the line stats need dividing by ten. That gives me a downstream attenuation of 23.1dB and SNR of 6.5dB, and an upstream attenuation of 0dB? and 6.2dB SNR.. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..
God knows! It doesn't sound very good though. Paul (Bald_Eagle) is the man with the answers. He has officially studied more VDSL2 connection stats than the rest of us have had hot dinners!
The Huawei HG612 splits attenuation/SNR etc. across the band plans & reports 0dB in its GUI where a value would be expected.
Is the ESI stats snippet posted (LATN=231 SATN=178 SNR=64 ) the only combined value shown for all the downstream band plans?
If so, I THINK it seems to report the stats in a similar way to the FritzBox! 3930.
I THINK the FritzBox! also reports 0dB for upstream attenuation.
What sync speeds are being achieved & how do they compare against Attainable Rates?
If there is not much difference between them, that COULD explain the low(ish) SNR values (assuming it really means SNR Margin).
High Attainable speed connections, still capped at 40Mb show SNRM values of up to 30dB or so.
My connection that struggles to achieve more than 30Mb (sync & attainable) has a value usually of 6dB (quite often less).
Still waiting for the uplift, should happen Monday I ordered late. My attainable and achieved speeds are very close,
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi44.tinypic.com%2F2potaiq.png&hash=47b8bd1527aa0ed51b69afd0bcbb8bf46cb9a135)
The GUI also displays 0 for all values like the Huawei,
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi41.tinypic.com%2F2r23nft.png&hash=1db654fbb32f41d227b8d74e372ff2e55a191f27)
I'm not really sure what the arguments for the command are but getting them wrong causes cat to hang when reading ack sometimes. FritzBoxes seem to use Infineon/Lantiq CPUs so the same reporting would make sense.
-
FWIW, these are from a FritzBox! - I got the number wrong earlier:-
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi1266.photobucket.com%2Falbums%2Fjj538%2Fmervl9%2FSpectrum.jpg&hash=36e555e92bfe5ddc03b0758b0416e0b08b68f96a)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi1266.photobucket.com%2Falbums%2Fjj538%2Fmervl9%2FDSLinfo.jpg&hash=5840a03558a8db96b4d94f26a15943d220604d57)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fi1266.photobucket.com%2Falbums%2Fjj538%2Fmervl9%2F24hourstats.jpg&hash=ef963d877ffe046b1208445cf92707d65266c0b0)
-
Let's poke some more at that command then.
Found a magic command for per band values,
Alpha # echo "g997lspbg 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=0 LATN[0]=176 LATN[1]=459 LATN[2]=641 LATN[3]=-32768 LATN[4]=-32768 SATN[0]=153 SATN[1]=448 SATN[2]=609 SATN[3]=-32768 SATN[4]=-32768 SNR[0]=65 SNR[1]=62 SNR[2]=71 SNR[3]=-32768 SNR[4]=-32768
Alpha # echo "g997lspbg 0" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=0 LATN[0]=30 LATN[1]=320 LATN[2]=516 LATN[3]=-32768 LATN[4]=-32768 SATN[0]=32 SATN[1]=319 SATN[2]=520 SATN[3]=-32768 SATN[4]=-32768 SNR[0]=60 SNR[1]=60 SNR[2]=63 SNR[3]=-32768 SNR[4]=-32768
The issue is that seems to both be upstream? or maybe nDirection is wrong..
I've found an interesting German modem, the Speedport 221. It appears to be very similar and uses the same method of getting data, BUT it includes a utility dsl-info. I'm having trouble finding a firmware image but I have found it's released source at http://hilfe.telekom.de/hsp/cms/content/HSP/de/3388/FAQ/theme-71990825/Geraete-und-Zubehoer/theme-2000178/DSL-Geraete/theme-66139021/Speedport-Serie/theme-397804711/Sonstige-Speedports-HSPA-LTE-.../theme-157445472/Speedport-2xx-Serie/theme-157445830/Speedport-221 unfortunately it seems that linux source is absent strangely.
More detailed bitloading and SNR although I still can't get upstream SNR.... These should draw nice graphs...
http://pastie.org/private/b87fxzntuvlk3smkra
I'm working on a little tool to get data and make graphs in C#. Should work nicely and produce things similar to that FritzBox screenshot.
I've attached a graph output by my WIP utility, ZedGraph doesn't seem to like having so many values.
EDIT: Or not, got the SNR graph looking pretty :)
-
Let's make sure people notice: I've got a tool that will give you a set of graphs. I've currently got downstream SNR and bitloading. Am I missing anything? I'm having trouble with the QLN and HLOG commands; they are also apparently downstream only according to http://svn.dd-wrt.com/browser/src/linux/universal/linux-3.2/drivers/net/ethernet/ifxatm/include/drv_dsl_cpe_api_ioctl?rev=18222 If that's all I'll tidy up this program and release it. It should work under both Mono on Linux and .NET on Windows.
Edit: Hmm, I found a gain command as well, no idea the units it's measured in though... I'm now working on a DMT for the ECI modem.
-
The bit-loading graph looks right, but I'm not sure about the SNR graph.
SNR should look similar to bit-loading, but slightly less "blocky".
Also, SNR's maximum value should be around 50dB to 60dB.
It looks like you have divided the Hex value A5 (165 dec) by 10 to give 16.5, so something doesn't look quite right there.
I have no idea what gain is.
I have attached a set of graphs from a HG612 modem on an ECI DSLAM (so it shows the ECI's tone band plans rather than the usual HG612's tone band plans).
Yes, apart from bit-loading, the graphs show DS only data.
The example doesn't show anything of the D3 tone band plan, as attenuation is too high to actually use any of it at Medley Phase, but it was discovered at Discovery Phase.
-
There is definitely correlation between the two graphs. I did just read something about snr(i) = y/2 - 32 which gives the following graph. http://wehavemorefun.de/fritzbox/index.php/Dsl_pipe seems to confirm that; it also says something about gain... Still no idea what it shows though.
-
The GUI also displays 0 for all values like the Huawei,
Wow! Very impressive, Ben! You've made some amazing progress!
It's very strange that the GUI continues to have unpopulated fields. There must be a missing or uninitialised component causing that.
Perhaps see what happens if a missing 'runtime' value is manually saved into the xml database (xmldbc -s) and see if that value then appears in the GUI. If so, maybe a script or binary should be performing that function periodically - retrieving line stats via the Unix socket(s) from dsl_cpe_control, and then inserting the response into the runtime sub-tree of the XML database. If that is the mechanism, the script or binary needs to be found and started. Maybe a case of grepping the firmware/available source code for other references to those sockets.
Your graphs look great, too! Did you notice a brief comment to subcarrier graphs in one of the web resources? There was no corresponding code though >:(
cheers, a
-
I'm fairly sure that'd work as the xml db doesn't have the fields populated either. Also, don't suppose anyone understands
DSL_uint8_t gain/tone [0..4095 (linear) represented as multiple of 1/512: 20*log(gain/512)]
If I know what that means I should be able to get the gain, whatever it shows. Anyway, making progress on my eDMT tool (ECI DSL modem tool). Should be totally cross-platform on Mono too for those on Linux and Mac :D
-
If I know what that means I should be able to get the gain, whatever it shows. Anyway, making progress on my eDMT tool (ECI DSL modem tool). Should be totally cross-platform on Mono too for those on Linux and Mac :D
Sounds magnificent! Can't wait to see it :) EDIT: That looks very nice indeed! What's going in the top space? The text-based stats?
DSL_uint8_t gain/tone [0..4095 (linear) represented as multiple of 1/512: 20*log(gain/512)]
It's the xmt gain table.. Apparently a logarithmic conversion (dB) of the transmit gain for each subcarrier, adapted to conform with the PSD mask, to introduce guard bands, etc..
"All values from –14.5 dB (linear value 96/512) to 18 dB. The gain value shall be represented with 3 bits before and 9 bits after the decimal point, i.e., a granularity of 1/512 in linear scale." See: G.992.3..[1]
EDIT:
The gain data is recorded by the Broadcom chipsets (e.g. the BCM6368 in the Huawei). However the xdslcmd tool does not retrieve it from the kernel. Building an open source and extensible version of the xdslcmd tool would make a very good project.
cheers, a
[1] http://www.analytic.ru/articles/lib26.pdf (old 2002 version but free-to-download)
[2] http://pastie.org/pastes/3786263/text?key=b87fxzntuvlk3smkra
-
Yes,
Fantastic work, all of you.
Are we any closer to unlocking the modem without the need for any soldering etc?
-
I've personally got a little distracted... Not quite sure the best way to display the other stats..Should I just have text or should I use some of the graphics DMT and vDMT use.
Boom, DSLAM data:
Alpha # echo "g997listrg 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 G994VendorID=IFTN SystemVendorID=ECI tele VersionNumber= SerialNumber=7035490556 SelfTestResult=0 XTSECapabilities=(00,00,00,00,00,00,00,00)
-
Are we any closer to unlocking the modem without the need for any soldering etc?
There may be a network backdoor into the bootloader of the ECI, as there is with the HG612. If not, it would probably be a case of cracking the BT Agent remote management server. The cryptosystem of btagent relies on a 1024-bit 2048-bit RSA key, so it's basically uncrackable by brute force. Maybe there's something wrong with the implementation though.. Not very likely..
cheers, a
-
I've personally got a little distracted... Not quite sure the best way to display the other stats..Should I just have text or should I use some of the graphics DMT and vDMT use.
It would probably appeal to more people if it looks very similar to DMT. All a bit squashed in tho'. Any signs of the QLN and HLog data?
Boom, DSLAM data:
Alpha # echo "g997listrg 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 G994VendorID=IFTN SystemVendorID=ECI tele VersionNumber=SerialNumber=7035490556 SelfTestResult=0 XTSECapabilities=(00,00,00,00,00,00,00,00)
That's interesting! So (unsurprisingly) it's an Infineon (IFTN) chipset (now Lantiq) in the subscriber line cards of the ECI DSLAM. Lantiq's VDSL2 CO chipset is known as the VINAX. [1]
cheers, a
[1] http://www.lantiq.com/products/broadband-access/vdsl/
-
I've currently got some tabs at the top so it isn't so squashed. I'll try and make it similar, hopefully more readable than vDMT though; its text is really small in places. There are two commands that look like they should return HLOG and QLN data but they always seem to return with nReturn=-36 :S
-
Ben, that looks really good. Would it be difficult to modify it to work with the HG612 ?? It would save me writing a version, and you seem to have completed most of the code already !!
-
I guess if you had similar enough commands it could be made to work; the issue is that the ECI modem uses a pipe whereas the Huawei uses xdsl. That said, they both work over telnet and have similar commands. I think it could be made to work and use the same UI and such, just a fair bit of the grunt work will need redoing. I plan on making this open source once it's useful anyway, so you can convert to your heart's content. (Please note, my code isn't that clean either since I'm working on things I get from the modem that I do not know exactly the format of; it does sometimes perform erratically but that's hard to avoid.)
Got it actually reading the misc data now. Not sure how I can get profile though unfortunately, I need profile and VDSL version in addition to line status for the misc tab.
-
Hey, finished my eDMT to the point it's now usable. Make sure you OK the message boxes, otherwise it will NOT progress. To switch modems (if you happen to have multiple) just change the IP and hit login again. Make sure to report any bugs you experience; I'll need to know what you were doing, what messages had been shown, and preferably a screenshot. I also threw in eGrapher that will give you a .bmp copy of the 3 graphs. Source code will follow shortly. Please do not mirror the link, my Dropbox only has very limited traffic.
http://dl.dropbox.com/u/11197643/eDMT.zip
-
Hey, finished my eDMT to the point it's now usable. Make sure you OK the message boxes, otherwise it will NOT progress. To switch modems (if you happen to have multiple) just change the IP and hit login again. Make sure to report any bugs you experience; I'll need to know what you were doing, what messages had been shown, and preferably a screenshot. I also threw in eGrapher that will give you a .bmp copy of the 3 graphs. Source code will follow shortly. Please do not mirror the link, my Dropbox only has very limited traffic.
http://dl.dropbox.com/u/11197643/eDMT.zip
Amazing stuff! You've built that at an incredible speed! It would have taken me weeks. I would love to test it but that would require Windows, an ECI modem and a VDSL2 connection.. Hmm..
Can I reference your amazing work on that ECI blog, please?
cheers, a
-
Sure, also it will work just fine on Linux and OSX with Mono(http://www.mono-project.com/Main_Page). I noticed a bug, I was just throwing away precision. http://dl.dropbox.com/u/11197643/eDMT_r1.zip fixes it. I've also uploaded a screenshot of each page since you don't have an ECI modem or a VDSL2 connection.
-
Sure, also it will work just fine on Linux and OSX with Mono(http://www.mono-project.com/Main_Page). I noticed a bug, I was just throwing away precision. http://dl.dropbox.com/u/11197643/eDMT_r1.zip fixes it. I've also uploaded a screenshot of each page since you don't have an ECI modem or a VDSL2 connection.
excellent stuff :-)
a couple of hopefully constructive observations..
integer precision would be adequate in the yrange of every graph, and the subcarrier numbers are an index (i.e. integer)..
maybe trap the -32768 values and replace them with a text-based message "N/A" or similar.
a few units of measure, perhaps.. e.g. what unit is attainable rate and data rate (kbps)?.. Perhaps use that code from DMT for calculating Relative Capacity Occupation RCO (actual div attainable)..
cheers, a
-
It was also interesting to see attenuation for each band AND a single overall DS attenuation value.
Shame it doesn't report US attenuation as a single value.
Looking at Transmit Power, is it just possible than DS & US have been inadvertently switched?
I usually see around 12dBm DS & 6 dBm US from my HG612's single overall values.
FWIW, the first US band plan is named U0, before moving on to U1, U2......, in accordance with the 17a profile in use via BT.
Maybe a simple tweak to report it as such to avoid any potential confusion in any discussion?
@asbokid,
Is there anywhere hidden away in the HG612 firmware to report an overall attenuation value.
I know it has been discussed previously, but as the ECI can do it.............?
It would also be very interesting to compare attenuation values with those reported from a JDSU.
I believe a JDSU can also be made to report attenuation etc. per band plan (just like the HG612 does already).
I intended to try to do that at the latest engineer's visit, but he turned up with an Exfo & he couldn't find them.
-
The powers aren't switched, I'll sort out the names tomorrow. And yea, I guess I can just .Replace the -32768 or w/e it is with N/A. Guess it makes for a nicer UI :)
-
Is there anywhere hidden away in the HG612 firmware to report an overall attenuation value.
I know it has been discussed previously, but as the ECI can do it.............?
The attenuation values are only available from the kernel driver on an individual subcarrier basis. So the calculation of the overall attenuation for a band or bands is a mathematical function performed by a userspace tool.
In the Broadcoms, a tool called xdslcmd calculates the aggregate attenuation value for each frequency band. In theory we could also calculate the overall attenuation value for all DS bands, just as the JDSU and Exfo devices do.
EDIT:
The equation for calculating an aggregate attenuation value is hidden in plain sight... in the G992.3 Recommendations [1]
The average attenuation for a line, a band, a channel or an aggregate of channels is calculated from the linear magnitude function Hlin(f) for each tone, rather than from the logarithmic values from Hlog(f).
However, we can convert Hlog(f) values to Hlin(f) magnitude values using antilogs.
The average attenuation for a channel is then given by the following equation, where NSC is the Number of Sub-Carriers or DMTs utilised by the channel, i is the subcarrier index and Δf is the subcarrier spacing (4.3125kHz for most xDSL standards):
$$\mathrm{Attn}[\mathrm{dB}] = 10 \cdot \log_{10} \left[ \frac{\sum\limits_{i=0}^{NSC} \left( 10^{\frac{Hlog(i \cdot \Delta f)}{20}} \right)^{2}}{NSC} \right]$$
Attached is a ZIP containing sample Hlog data from Bald_Eagle's line, and a small C program that uses the above equation to calculate an aggregate attenuation value for each downstream frequency band using that Hlog data.
cheers, a
[1] http://huaweihg612hacking.wordpress.com/2011/10/01/measuring-line-characteristics-on-the-huawei/
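The formula above worked through in Python as an added example (it is not the C program or the Hlog data attached to the post): the per-tone Hlog values are turned back into linear magnitudes, averaged over the tones of a band (or pooled over all DS bands), and converted back to dB, with the -32768 marker the ECI emits for unused tones excluded from NSC instead of being averaged in. The 24-tone sample vector, its band tone ranges and the band names are constructed for the demonstration and are assumptions.

```python
import math

TONE_SPACING_HZ = 4312.5      # Δf quoted in the post (4.3125 kHz for most xDSL)
NOT_MEASURED = -32768         # marker the ECI output shows for unused tones (assumption: used as-is)


def hlin_sq(hlog_db):
    """|Hlin|^2 for one tone: the antilog of Hlog(f) given in dB (negative = loss)."""
    hlin = 10.0 ** (hlog_db / 20.0)
    return hlin * hlin


def aggregate_attenuation_db(hlog_db, tone_ranges, skip=NOT_MEASURED):
    """Attn[dB] = 10*log10( sum |Hlin(i*Δf)|^2 / NSC ) over every tone in tone_ranges.

    tone_ranges is a list of inclusive (first, last) subcarrier index pairs, so
    one band is a single pair and "all DS bands" is the list of the DS pairs.
    Tones carrying the skip marker are dropped before NSC is counted, so an
    unmeasured tone neither inflates nor collapses the mean. Returns None when
    no tone in the ranges was measured. The sign follows Hlog: a negative
    result is a loss of that many dB.
    """
    total = 0.0
    nsc = 0
    for first, last in tone_ranges:
        for i in range(first, last + 1):
            h = hlog_db[i]
            if h == skip:
                continue
            total += hlin_sq(h)
            nsc += 1
    if nsc == 0:
        return None
    return 10.0 * math.log10(total / nsc)


def per_band_report(hlog_db, bands, skip=NOT_MEASURED):
    """Return {band_name: Attn[dB] or None}, plus an "ALL DS" value pooled over the DS bands."""
    report = {name: aggregate_attenuation_db(hlog_db, [rng], skip)
              for name, rng in bands.items()}
    ds_ranges = [rng for name, rng in bands.items() if name.startswith("DS")]
    report["ALL DS"] = aggregate_attenuation_db(hlog_db, ds_ranges, skip)
    return report


# Constructed sample, not real line data: a 24-tone Hlog vector in dB. Tones
# 8-11 stand in for an upstream band the modem did not measure.
SAMPLE_HLOG = (
    [-20.0] * 8 +           # "DS1": flat 20 dB loss
    [NOT_MEASURED] * 4 +    # "US1": unmeasured, carries the marker
    [-20.0, -40.0] * 6      # "DS2": alternating 20 dB / 40 dB loss
)
SAMPLE_BANDS = {"DS1": (0, 7), "US1": (8, 11), "DS2": (12, 23)}  # constructed tone ranges


if __name__ == "__main__":
    for name, attn in per_band_report(SAMPLE_HLOG, SAMPLE_BANDS).items():
        if name in SAMPLE_BANDS:
            first, last = SAMPLE_BANDS[name]
            span = "%7.1f - %7.1f kHz" % (first * TONE_SPACING_HZ / 1000.0,
                                          (last + 1) * TONE_SPACING_HZ / 1000.0)
        else:
            span = "pooled DS tones        "
        value = "N/A" if attn is None else "%7.2f dB" % attn
        print("%-7s %s  %s" % (name, span, value))
```

Because the mean is taken over linear power rather than over the dB values, the DS2 figure (-22.97 dB) is pulled towards the stronger tones instead of sitting at the -30 dB midpoint a plain average of the dB values would give.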
-
The powers aren't switched
When dividing the values by 10 to get to dBm that would be 5.5 for DS & 10.6 for US i.e. completely opposite to how the HG612 usually reports “Output Power”.
I presume Output Power & Transmit Power are in fact the same thing?
I have to also presume (I don’t really know) that DS power would usually be much higher than US power due to the large speed differences between them?
The HG612 does get some of its other data mixed up though.
e.g. users with Interleaving, INP & delay completely OFF are seeing FEC errors in the modem’s GUI, which is reported differently via xdslcmd.
-
I've fixed the GUI as per your suggestions, all values now have units and unused bands report N/A. http://dl.dropbox.com/u/11197643/eDMT_r2.zip
-
Hi All,
Amazing looking work, and record speed!
I have an ECI and have downloaded eDMT, unfortunately I can't get it to run.
Do I need direct connect to the modem? I've tried the IP and U/Name-Pass combo in your screenshots but no joy.
Thanks and so sorry for the noob questions.
Bri
-
Currently you can't use it unless you use the UART port to enable telnet access. Until there is a "softmod" this will be the only way to enable access.
-
Hi Ben,
Thanks for the info, wish I could contribute but my skillset isn't quite in the right area (actually it's several miles off!)
I'll look forward to a softmod, if anyone can do it it's you guys.
Once again, congratulations on some great work.
Bri
-
Good work guys.. I am impressed you have shot past my abilities, I'm not ashamed to admit..
-
PL2303HX converter finally arrived >:D
-
PL2303HX converter finally arrived >:D
excellent stuff! good things come to those who wait!
cheers, a
-
Is there any need to further document the hardware hack?
-
Is there any need to further document the hardware hack?
Hello nimda!
please do improve the docs! There's lots still to do :-)
We should be determined to find the parameters to obtain QLN and HLOG from the ECI. These are perhaps the single most important per-subcarrier measurements available from the modem.
The firmware utility dsl_cpe_control is instrumental here. Fortunately it's fully open source. So it's a case of studying that code to discover the parameter lists for the commands "g997dqlng" (G997_DeltQLNGet) and "g997dhlogg" (G997_DeltHLOGGet).
Commands to obtain line and channel data are submitted to dsl_cpe_control through a named pipe /tmp/pipe/dsl_cpe0_cmd. The response from the utility is then retrieved from another pipe /tmp/pipe/dsl_cpe0_ack.
Ben1066 reports that the device hangs when the wrong command parameters are submitted. This needs exploring.
Also, it would be good to discover why there are many fields unpopulated in the statistics page of web GUI. There is a component either missing or not yet running in the firmware. Those fields contain realtime data. This data should be retrieved from the hardware driver periodically, and inserted into the XML database. It is from the XML database that the GUI must get its dynamic data. The component which actually performs that retrieval and insertion for some reason is not functioning, or not running.
Manually inserting arbitrary realtime data into the XML database, and studying whether that data then appears in the web GUI could be a productive exercise. It should identify whether the web server is correctly retrieving realtime data from the database.
cheers, a
-
Okay, great, I'll document every step of the hardware hack process.
Note to self: when ordering a new iron from the States ensure the required input power is compatible with UK mains!
-
I've looked through documentation for the fritzbox dsl_pipe and it should work. I have a feeling our version is broken.
-
asbokid did we ever manage to get a working open source tarball ?
-
asbokid did we ever manage to get a working open source tarball ?
Hello uklad! I was wondering where you'd gone! No sign of the tarball yet, no.. We've still only got that corrupted archive from the Openreach website. Hopefully BT Openreach will get it sorted soon. Ahem!
With the full source code for that chipset - and specifically documentation for the API to the DSP hardware driver - maybe we can obtain the QLN and HLOG data. All the code that is out there at the moment relates to Lantiq's VINAX VDSL2 chipset which is normally used in Central Office kit rather than in Consumer Premises Equipment.
Maybe someone has a contact at BT Openreach to ask for an uncorrupted tarball of this open source code?
cheers, a
-
In case a soft way of enabling access to the ECI modem does not prove practical is there any chance of a Windows idiot's end to end guide to enabling access to it? Starting with opening the modem and guidance on what components to purchase through to finally using it. I note the need to do some soldering, the help in this post, and the guide in http://hackingecibfocusv2fubirevb.wordpress.com/ but to avoid a high chance of bricking the modem it would be really good to see a careful step by step procedure.
Many thanks in advance if someone is willing to do this. I have ordered the needed components and will carefully have a go anyway, I don't mind the soldering, it's usually novice typos in Linux that get me.
-
Well I have gone ahead with DKU5 cable. I added the header pins. A 1mm drill seemed essential but it is very easy to do with one to hand. I followed the permanent change instructions in the wordpress pages and now have all access working on 192.168.168.168 which seems to be the device default.
The final stage of the instructions where the changes are checked did not work for me. The command "rgcfg get -n /dev/mtdblock/3 -c /var/tmp/newreadrgdb.xml.gz" gave a blank return as I think it should but "gunzip newreadrgdb.xml.gz" gave file not found. I can't see a typo.
The web interface seems to allow the access IP to be changed. Is the change to 192.168.1.55 just to get you back to the normal IP range? And is the web interface an OK way to change it permanently? If not what extra is needed on the command line to change it permanently?
Please can someone advise!
-
Hi Les-70,
Well I have gone ahead with DKU5 cable. I added the header pins. A 1mm drill seemed essential but it is very easy to do with one to hand. I followed the permanent change instructions in the wordpress pages and now have all access working on 192.168.168.168 which seems to be the device default.
The final stage of the instructions where the changes are checked did not work for me. The command "rgcfg get -n /dev/mtdblock/3 -c /var/tmp/newreadrgdb.xml.gz" gave a blank return as I think it should but "gunzip newreadrgdb.xml.gz" gave file not found. I can't see a typo.
That bit should have been clearer.. Just a 'cd' needed
$ rgcfg get -n /dev/mtdblock/3 -c /var/tmp/newreadrgdb.xml.gz
$ cd /var/tmp
$ gunzip newreadrgdb.xml.gz
The web interface seems to allow the access IP to be changed. Is the change to 192.168.1.55 just to get you back to the normal IP range?
Yes, it's just because few people use the 192.168.168.0/24 subnet and 192.168.1.0/24 is common.
And is the web interface an OK way to change it permanently? If not what extra is needed on the command line to change it permanently?
Please can someone advise!
I think that was how we did it. It's been a while now though and I haven't got an ECI.
Perhaps uklad or ben1066 would remember?
cheers, a
-
Thanks for the clarification, I should have spotted that but was in "do exactly what was suggested" mode. The web GUI worked fine for changing the IP. It all looks to be working but my FTTC has yet to come. :( I bought what was claimed to be an HG612 on ebay so I could quickly get stats when the CAB and connection went live but instead an ECI ???( which I expect to get from BT) came. Decided to keep it but unlock it, given eDMT this looks a good option. I can't get the ADSL fall back to work but that may be because I have annex M at the moment. I downloaded eDMT, the graphical appearance looks great but it fails on actual login as is probably inevitable with no connection.
In conclusion very many thanks to those who did all the hard work and made it available. Great work!
-
eDMT should work fine if you can access it over telnet, as that is what it uses to gather data.
-
Thanks for the reply, I was wondering if there was an issue. I have telnet working OK but NO sync. I can start edmt OK but when I try to connect to the modem it fails. I assumed this was because the router does not have any sync or useful signal. I currently have annex m on the line and even the adsl fallback fails. (FTTC on my line looks set to be delayed as apparently there are blocked ducts and no sign of work on actual fibre.) Should edmt, on the connect command, proceed to something even with no connection?
Regards
-
What does it do? It shouldn't silently fail... It may error on getting data since it could get something unexpected, but it should tell you.
-
It gives the "needs to close" and the invitation to send to microsoft. I also just tried a wrong IP or wrong password and get the same result. A debugger of mine reports an "unhandled exception" and shows me a very unhelpful disassembly of the exe. I am running windows XP. Do you know what you get if your vdsl line is not connected or you give a wrong IP etc?
I have just unzipped to a folder that contains the two exe's and the dll. I assume that is all that is needed. telnet is definitely OK -straight to login and then command prompt.
-
It's a .NET assembly, so should decompile fine with reflector or such if you're a developer. That's a weird error though I admit.
-
Please could you say what response you get with a wrong IP or a wrong name/password? It may help to know what should happen then.
-
It should timeout.
-
Great news guys,
Looks like Openreach got their act together!
They have put all source codes out for the VDSL Modems on their site.
http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do
Cheers,
Josh
Link to ECI: http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
-
Great news guys,
Looks like Openreach got their act together!
They have put all source codes out for the VDSL Modems on their site.
http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do
Cheers,
Josh
Link to ECI: http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
Hi Josh!
Thanks for the interest.
Unfortunately, the file on the Openreach website holding the source code for the ECI modem is corrupted (and has been since April):
See: http://hackingecibfocusv2fubirevb.wordpress.com/2012/04/11/bt-openreach-releases-gpled-code-for-eci-vdsl2-modem/
The file is a gzip'ed tar archive (common to Unix), contained within a ZIP. The ZIP file uncompresses without errors. However the gzipped tar archive within it is truncated.
cheers, a
-
Hi All
I just skimmed through all the posts, I just don't get it lol.
How can I get to the GUI?
Is there just an IP address?
I am currently on Windows 7.
Is there just a simple how2guide to get to the GUI?
Or is this just all beyond me?
Thanks for looking!
-
Hi All
I just skimmed through all the posts, I just don't get it lol.
How can I get to the GUI?
Is there just an IP address?
I am currently on Windows 7.
Is there just a simple how2guide to get to the GUI?
Or is this just all beyond me?
Thanks for looking!
To get to the ECI's GUI you need to open it, solder some pins to the board and then follow the guide here (http://hackingecibfocusv2fubirevb.wordpress.com/).
TBH, if you have read all the posts here and still don't follow what to do, I would respectfully suggest that this is not an avenue that you should be exploring.
-
Ok black Blackeagle thank you for your response and honesty. :)
-
I would suggest purchasing a Huawei HG612 modem, via eBay, unlocking it and using it on your line until such time as an easier way to unlock the ECI B-FOCuS modem is developed. :)
-
To get to the ECI's GUI you need to open it, solder some pins to the board and then follow the guide here (http://hackingecibfocusv2fubirevb.wordpress.com/).
TBH, if you have read all the posts here and still don't follow what to do, I would respectfully suggest that this is not an avenue that you should be exploring.
At some time, perhaps all the relevant docs for unlocking the ECI VDSL2 modem (via the UART port) could be placed together in one place. Maybe the Kitz wiki?
Burakkucat made a fascinating discovery in an Openreach tarball of GPL'ed firmware source code for another ECI VDSL2 modem. This firmware was built by the Taiwanese company, Arcadyan. [1]
It is not even clear that these Arcadyan modems have ever reached our shores. However, the GPL'ed source code for them is still interesting because it includes a small section of code for the TR069 framework for remote management. [2]
In-house, BT calls this framework btagent. It comes in two parts. One part, the daemon, a.k.a. the network server, runs on the modem itself. The second part, the client, runs on a host PC. The framework has functions for remotely pushing firmware upgrades onto modems, for monitoring line characteristics and connection quality, and functions for getting and setting the real-time parameters of the modem, etc, etc.
btagent is found in much the same form in all recent models of BT Home Hub, as well as the current models of VDSL2 modem from BT Openreach - the Huawei HG612 and the ECI B-Focus.
The option for pushing a new firmware onto the ECI is perhaps the most interesting, since it could be used to non-invasively unlock it. However, there is a security obstacle preventing that which may never be overcome.
btagent uses 2048-bit PKI cryptography for authentication. Before a new (unlocked) firmware could be uploaded to the ECI, or to the Huawei, or the HomeHubs, using the btagent daemon, the corresponding private key has to be discovered first. ... And for that.. don't wait up!
cheers, a
[1] http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/super-fastfibreaccess/landrgnu.do
[2] http://www.broadband-forum.org/technical/download/TR-069_Amendment-4.pdf
-
I've fixed the GUI as per your suggestions, all values now have units and unused bands report N/A. http://dl.dropbox.com/u/11197643/eDMT_r2.zip
Error (509)
This account's public links are generating too much traffic and have been temporarily disabled! :(
-
http://www.mediafire.com/?813x7gvev81vtwk
-
Great news guys,
Looks like Openreach got their act together!
They have put all source codes out for the VDSL Modems on their site.
http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do
Cheers,
Josh
Link to ECI: http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
Hi Josh!
Thanks for the interest.
Unfortunately, the file on the Openreach website holding the source code for the ECI modem is corrupted (and has been since April):
See: http://hackingecibfocusv2fubirevb.wordpress.com/2012/04/11/bt-openreach-releases-gpled-code-for-eci-vdsl2-modem/
The file is a gzip'ed tar archive (common to Unix), contained within a ZIP. The ZIP file uncompresses without errors. However the gzipped tar archive within it is truncated.
cheers, a
Seems like there's a new link up on their site for the source code. It's now a RAR inside a ZIP and the modified date shows it's fairly recent at 2012-06-29.
-
Thank you for the nod, Orbixx. I'll have a look as soon as I get "a round tuit". ;)
-
Great news guys,
Looks like Openreach got their act together!
They have put all source codes out for the VDSL Modems on their site.
http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/super-fastfibreaccess/landrgnu.do (new URL)
Cheers,
Josh
Seems like there's a new link up on their site for the source code. It's now a RAR inside a ZIP and the modified date shows it's fairly recent at 2012-06-29.
Way-hay! Thank you for the info, Orbixx!
Thank you as well to Openreach for supplying the source code :)
cheers, a
-
http://www.mediafire.com/?813x7gvev81vtwk
That works. Thank you.
-
Great news guys,
Looks like Openreach got their act together!
They have put all source codes out for the VDSL Modems on their site.
http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/super-fastfibreaccess/landrgnu.do (new URL)
Cheers,
Josh
Seems like there's a new link up on their site for the source code. It's now a RAR inside a ZIP and the modified date shows it's fairly recent at 2012-06-29.
Way-hay! Thank you for the info, Orbixx!
Thank you as well to Openreach for supplying the source code :)
cheers, a
Is this one corrupt ?
-
Is this one corrupt ?
No, it is quite innocent and pure. :P ;)
-
For those who don't want to solder to the PCB, maybe a strip of right angled header pins could be taped temporarily to the UART solder pads.
This was just tried, using a Prolific Logic pl2303 USB-UART adaptor (cost £1.50 inc P&P from ebay):
See: http://www.ebay.co.uk/itm/180836792643
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww3.picturepush.com%2Fphoto%2Fa%2F8967111%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FScreenshot-from-2012-08-13-18%253A03%253A56.png&hash=314f42886e2780e30fdda099c3a15371a7bba23b)
(click for full size) (http://picturepush.com/public/8967111)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww3.picturepush.com%2Fphoto%2Fa%2F8966961%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0644b.jpg&hash=e47e19559dedaf9657c818ae2470d03a6bb8ade2)
(click for full size) (http://picturepush.com/public/8966961)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww5.picturepush.com%2Fphoto%2Fa%2F8966963%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0645.jpg&hash=b930c93a932f601076a31129d366dc99b14375a4)
(click for full size) (http://picturepush.com/public/8966963)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww2.picturepush.com%2Fphoto%2Fa%2F8966960%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0639b.jpg&hash=b55ba8db5b23803a100d3ddeacd78c6d85182b42)
(click for full size) (http://picturepush.com/public/8966960)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww1.picturepush.com%2Fphoto%2Fa%2F8966969%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0648.jpg&hash=810cd5d860e1a9591720bc8961f8b1a3d0fcad83)
(click for full size) (http://picturepush.com/public/8966969)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww2.picturepush.com%2Fphoto%2Fa%2F8966965%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0646.jpg&hash=26450a19063f58c50880499d85ccf183ba97ca6c)
(click for full size) (http://picturepush.com/public/8966965)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww5.picturepush.com%2Fphoto%2Fa%2F8966973%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0650.jpg&hash=598163db6a45ca3c1a3d592410e27e26d5ffda99)
(click for full size) (http://picturepush.com/public/8966973)
Adhesive tape isn't strong enough to hold the header pins onto the PCB pads.
But Dolly the clothes peg proved just the job! She is electrostatic-safe, too :D
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww4.picturepush.com%2Fphoto%2Fa%2F8966982%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0657.jpg&hash=7b4bbd77b4de7a893b71913dd6ce102296405830)
(click for full size) (http://picturepush.com/public/8966982)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww3.picturepush.com%2Fphoto%2Fa%2F8966986%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0658.jpg&hash=c6d3f769f9368641a55266adc5e3c17a547b626d)
(click for full size) (http://picturepush.com/public/8966986)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww1.picturepush.com%2Fphoto%2Fa%2F8966979%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0656.jpg&hash=5630e3e4d8859046ad9143720af91973c0dd5452)
(click for full size) (http://picturepush.com/public/8966979)
The Linux device driver for the pl2303 has been included since 2.4 kernels. The Prolific website in Taiwan carries (binary) drivers for Windows and the Macintosh.
Installing the pl2303 driver for Windows.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww4.picturepush.com%2Fphoto%2Fa%2F8966927%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FScreenshot-at-2012-08-13-06%253A20%253A27.png&hash=8a9e5dde2e321434a9a1a397ef6235c5d584950f)
(click for full size) (http://picturepush.com/public/8966927)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww5.picturepush.com%2Fphoto%2Fa%2F8966928%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FScreenshot-at-2012-08-13-06%253A31%253A49.png&hash=90a4c6e90fc6422e46949a6d64106522c28b7ba0)
(click for full size) (http://picturepush.com/public/8966928)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww1.picturepush.com%2Fphoto%2Fa%2F8966929%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FScreenshot-at-2012-08-13-06%253A34%253A25.png&hash=562b2b9ccab5401ce32b620762629c5d45d7c8e8)
(click for full size) (http://picturepush.com/public/8966929)
Now, finally, we can log into the ECI modem via the serial console:
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww2.picturepush.com%2Fphoto%2Fa%2F8966930%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FScreenshot-at-2012-08-13-06%253A39%253A39.png&hash=6e53d44d5a32d9ebee372e7bc86eb5e8f7de7420)
(click for full size) (http://picturepush.com/public/8966930)
cheers, a
-
I was happily looking through this thread until I came across the last four images. :( BGW? Yucky! :tongue: It's put me right off my evening meal. :'(
-
Adhesive tape isn't strong enough to hold the header pins onto the PCB pads.
But Dolly the clothes peg proved just the job! She is electrostatic-safe, too :D
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww4.picturepush.com%2Fphoto%2Fa%2F8966982%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0657.jpg&hash=7b4bbd77b4de7a893b71913dd6ce102296405830)
(click for full size) (http://picturepush.com/public/8966982)
I'm impressed. True hardware hacking in its purest form.
Sir, I salute you!
-
Apologies to all for the cat-cursing at around 0245 hours today, b*cat was very frustrated. :-[
An ECI B-FOCuS modem was upended.
Its rubber feet were removed.
The four screws, so exposed, were undone.
The case was opened.
The PCB was removed and placed on a firm insulating surface.
The PSU was attached and the modem was powered up.
Application of meter probes to the four pads at location JP1 showed with negative probe on pad #2 from the left, 3.28 VDC on pads #1, #3 & #5.
Confirmed #2 is GND, #3 is VCC, #1 & #5 are TXD & RXD.
A block of five 90 degree header pins had leads attached.
Jake (the peg) was encouraged to hold the block of header pins against the solder infested pads.
The cat cursing started.
No matter how things were tried, no continuity could be obtained from the PCB solder pads to the ends of the fly-leads. :(
Tiny dimples were gently made in the solder infesting the pads.
The cat-cursing got louder. >:(
Offering up the header pins into the dimples was finally achieved.
Still no continuity.
The cat-cursing reached fortissimo! >:D
The soldering-iron was considered . . . and rejected.
b*cat's paws are now too fumbly and the vision is not good enough for such micro-surgery.
Fifty years ago and things were considerably different . . . :'(
I'll just have to wait for the software unlocking method to be resolved.
And now I've just seen the time. Well overdue some :sleep:
-
Hello burakkucat!
..
No matter how things were tried, no continuity could be obtained from the PCB solder pads to the ends of the fly-leads. :(
Tiny dimples were gently made in the solder infesting the pads.
..
Offering up the header pins into the dimples was finally achieved.
...
Still no continuity.
..
Damnation!
No continuity? As in no electrical continuity, according to a multimeter? Or no connectivity on the serial port? If the latter, does the pl2303 adaptor definitely work? I've had two or three which were duffs. There's a spare adaptor here if you need it, or happy to solder-in the pins if you dare entrust Royal Mail* with it?!
The tails of the right-angled header pins were facing inwards (away from the nearest PCB edge)?
And a good quality peg was used? Definitely the correct model? Type A rather than the Type B?!
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww2.picturepush.com%2Fphoto%2Fa%2F10172025%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2Fdollypegs.png&hash=7b5e5dda96191a3084bc050bc4c85c83248fdacd) (http://picturepush.com/public/10172025)
cheers, a
-
No continuity? As in no electrical continuity, according to a multimeter?
Yes and yes. :(
does the pl2303 adaptor definitely work? I've had two or three which were duffs.
I thought a pl2303 adaptor required usage of BGW? Though there is a driver in the Linux kernel --
[bcat@Duo2 ~]$ find /lib/modules -name pl2303.ko | sort
/lib/modules/2.6.32-220.23.1.el6.x86_64/kernel/drivers/usb/serial/pl2303.ko
/lib/modules/2.6.32-279.5.2.el6.x86_64/kernel/drivers/usb/serial/pl2303.ko
/lib/modules/3.5.4-1.el6.elrepo.x86_64/kernel/drivers/usb/serial/pl2303.ko
As both my laptop and workstation computers have serial ports (I would never be without one), I have this RS232 to TTL Converter Cable (http://www.ebay.co.uk/itm/221120584720) (based on the ST micro ST3232EC chip) for the job.
happy to solder-in the pins if you dare entrust Royal Mail* with it?!
I may eventually take advantage of your kind offer. At the moment, I am a little bit concerned that your Wayne may come across it and decide it would be useful currency with which to obtain two cans of Special Brew! :-X
The tails of the right-angled header pins were facing inwards (away from the nearest PCB edge)?
Confirmed.
And a good quality peg was used? Definitely the correct model? Type A rather than the Type B?!
Yes, a Type A of plastic rather than wooden construction. You don't think that is the cause, do you? :-\
-
I thought a pl2303 adaptor required usage of BGW?
The pl2303 works fine on Linux. The kernel driver automatically inserts after the device is enumerated, and the dumb USB serial device becomes available as ttyUSB0
Sep 25 22:58:26 l502x kernel: [353464.425850] usb 2-2: New USB device found, idVendor=067b, idProduct=2303
Sep 25 22:58:26 l502x kernel: [353464.425855] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Sep 25 22:58:26 l502x kernel: [353464.425858] usb 2-2: Product: USB-Serial Controller
Sep 25 22:58:26 l502x kernel: [353464.425861] usb 2-2: Manufacturer: Prolific Technology Inc.
Sep 25 22:58:26 l502x kernel: [353464.427931] pl2303 2-2:1.0: pl2303 converter detected
Sep 25 22:58:26 l502x kernel: [353464.456013] usb 2-2: pl2303 converter now attached to ttyUSB0
The serial terminal program minicom is run:
$ minicom -D /dev/ttyUSB0
and away it goes..
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww1.picturepush.com%2Fphoto%2Fa%2F10187269%2Fimg%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2Feci-boot-shot.png&hash=1737f133740bef6a5a599265624bf9ff1783adff) (http://picturepush.com/public/10187269)
Yes, a Type A of plastic rather than wooden construction. You don't think that is the cause, do you? :-\
The peg I used was of the very highest (Tesco Value) quality, but it did have a powerful snap to it. Yet when the trick was tried again just now, exactly the same problem occurred as you found. Though after giving the pads a scuff-up with my fingernail, everything worked okay once again. So maybe it's down to solder oxidisation?
Perhaps if you have the patience to try it again, maybe the pins could be clipped to the pads on the underside of the board. These are actually plated thru-holes, so there should still be continuity.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww5.picturepush.com%2Fphoto%2Fa%2F10188268%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0918.jpg&hash=4a25516756e5faac78ede8bc3a8fb0d58834d6f7) (http://picturepush.com/public/10188268)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww4.picturepush.com%2Fphoto%2Fa%2F10188272%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0921.jpg&hash=11c182da081cb1991e2ef4986e2584951ca30f40) (http://picturepush.com/public/10188272)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww3.picturepush.com%2Fphoto%2Fa%2F10188276%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0921-zoom.jpg&hash=a21e401f34520c1a63ee145c91d3aa1c8c8534a7) (http://picturepush.com/public/10188276)
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww1.picturepush.com%2Fphoto%2Fa%2F10188279%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0923.jpg&hash=f569b100a5ce0a5b9d3456fa065fc123b74f42e9) (http://picturepush.com/public/10188279)
cheers, a
-
ben1066,
I'm happy to give you FTP / website space if you want somewhere to host your eDMT with no bandwidth frustrations or intrusive advertising! Pop me an email on kitzedmt@sioned.info
I have a quick query with eDMT too. When on the same LAN I can connect to the vdsl modem with eDMT but if I am not on the same subnet, and NAT to it.. I can't connect and eDMT crashes after clicking connect. Any idea why routed vs. on subnet should make a difference?
Tom (commercial link removed by admin)
-
Hey,
Great to know people are still interested in this. I can only assume that that is a modem limitation, as telnet is fairly simple; I don't see why it'd fail. All code can be found at http://curlybracket.co.uk/misc/edmt.zip, though thanks for the offer of hosting.
Enjoy.
-
Downloaded and will have a tinker.
As far as I could see from a packet capture the compiled program was trying to make a SMB connection to the router! Not even trying telnet.
--
link edit by admin to signature
-
After a lot of "cat cursing" throughout last night, I finally managed to unlock one of the original ECI B-FOCuS modems (supplied by Openreach as the alternative CPE to the Huawei HG612 modem) by following the published instructions (http://hackingecibfocusv2fubirevb.wordpress.com/2012/09/23/bare-instructions-to-unlock-eci-vdsl2-modem/) to the letter. [1]
As Firefox is the only browser I have installed, I was unable to call up the device's buggy GUI and so telnet access was used to confirm that successful unlocking had been achieved.
[bcat@Duo2 ~]$ telnet 192.168.168.168
Trying 192.168.168.168...
Connected to 192.168.168.168.
Escape character is '^]'.
login as: admin
password:
BusyBox v1.00 (2011.08.09-03:28+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
Alpha # help
Built-in commands:
-------------------
. : break cd continue eval exec exit export help login newgrp
read readonly set shift times trap umask wait
Alpha # echo $PATH
/usr/bin:/bin:/usr/sbin:/sbin
Alpha # ls /usr/bin
yes pcaccess_disable.sh
wget pcaccess.sh
wc mpstat
uptime loopback_stop
update_upgrade.sh loopback_start
update_uboot.sh logger
tr killall
top free
tftp expr
test_agent dirname
test cut
stopqos.sh cusb_modem_switch_loopback_disable.sh
startqos.sh cusb_modem_switch_loopback.sh
port2_enable cusb_modem_switch.sh
port2_disable cusb_modem_ppe.sh
port1_enable basename
port1_disable [
Alpha # ls /bin
zcat rm login df
usleep pwd logcmd dd
uname ps ln date
umount ping kill cp
true mv gzip chmod
touch msh gunzip cat
switch_utility mount grep busybox
spy more fgrep alpha_flash_cmd
sleep mknod false alphaLogd
sh mkdir egrep alphaHousekeeper
sed ls echo alphaFlashAgent
Alpha # ls /usr/sbin
xmldbc submit mfc cabletest:5
xmldb stats mem cabletest:4
wan scut in.tftpd cabletest:3
vconfig rgdb ifx_util cabletest:2
usockc rgcfg ifx_gpio cabletest:1
upgrade rgbin dsl_cpe_control brctl
udhcpr read_img diap alpha_tantos
udhcpd ppacmd diagnostic alpha_macaddr
udhcpc pmcu dayconvert alpha_inventory
time pfile chnet alpha_gen_submac
telnetd ntpclient check alpha_bdtool
syslog next_macaddr cfmctl
sys mknod_util cfm
Alpha # ls /sbin
thttpd swapon rmmod mdev insmod getty
syslogd swapoff reboot lsmod init
sysctl route modprobe klogd ifconfig
Alpha # ps
PID Uid VmSize Stat Command
1 0 172 S init
2 0 SWN [ksoftirqd/0]
3 0 SW [watchdog/0]
4 0 SW< [events/0]
5 0 SW< [khelper]
6 0 SW< [kthread]
24 0 SW< [kblockd/0]
37 0 SW [pdflush]
38 0 SW [pdflush]
39 0 SW< [kswapd0]
40 0 SW< [aio/0]
74 0 SW [mtdblockd]
227 0 SWN [jffs2_gcd_mtd6]
240 0 596 S xmldb -n lantiq_vr9_generic_asl56026 -t
505 0 260 S syslogd -F sysact -F attack -F notice
508 0 188 S klogd -l br0
605 0 664 S /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
608 0 664 S /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
609 0 664 S /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
610 0 664 S /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
612 0 664 S /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
613 0 664 S /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
614 0 664 S /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
693 0 472 S /usr/sbin/cfm ptm0 eth0
696 0 472 S /usr/sbin/cfm ptm0 eth0
697 0 472 S /usr/sbin/cfm ptm0 eth0
698 0 472 S /usr/sbin/cfm ptm0 eth0
712 0 SW [autbtex]
713 0 SW [pmex_ne]
714 0 SW [pmex_fe]
755 0 404 S /usr/sbin/diap
764 0 596 S /sbin/thttpd -d /www
778 0 264 R telnetd
793 0 336 S /bin/alphaLogd
806 0 432 S alphaFlashAgent
810 0 216 S /bin/sh /BTAgent/ro/start
815 0 740 S ./btagent
817 0 740 S ./btagent
820 0 740 S ./btagent
821 0 740 S ./btagent
841 0 392 S /bin/alphaHousekeeper
1073 0 164 S /sbin/getty -L ttyS0 115200 vt102
1280 0 252 S /bin/sh
1961 0 196 R ps
Alpha # kill 810
Alpha # killall btagent
Alpha # ps
PID Uid VmSize Stat Command
1 0 172 S init
<snip>
764 0 596 S /sbin/thttpd -d /www
778 0 264 S telnetd
793 0 336 S /bin/alphaLogd
806 0 432 S alphaFlashAgent
841 0 392 S /bin/alphaHousekeeper
1073 0 164 S /sbin/getty -L ttyS0 115200 vt102
1280 0 252 S /bin/sh
2055 0 196 R ps
Alpha # mount
/dev/mtdblock2 on / type squashfs (ro)
sysfs on /sys type sysfs (rw)
tmpfs on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
none on /proc type proc (rw)
ramfs on /var type ramfs (rw)
/dev/mtdblock6 on /BTAgent/rw type jffs2 (rw)
Alpha # umount /BTAgent/rw
Alpha # mount
/dev/mtdblock2 on / type squashfs (ro)
sysfs on /sys type sysfs (rw)
tmpfs on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
none on /proc type proc (rw)
ramfs on /var type ramfs (rw)
Alpha # exit
Connection closed by foreign host.
[bcat@Duo2 ~]$
I have provided that rather extensive example, above, as it shows how to turn off the Beatie Group's "busy-body", the BTAgent. Once terminated, that "unknown quantity" will remain disabled until the next power-cycle or reboot of the device. (The same technique can be used to disable the identical agent that executes within the Huawei HG612.)
Has anyone determined if the device's IP address can be changed via telnet access? By default it is 192.168.168.168 and I would like to reconfigure it to be 192.168.1.254, for consistency with my other modem/routers.
[1] http://hackingecibfocusv2fubirevb.wordpress.com/2012/09/23/bare-instructions-to-unlock-eci-vdsl2-modem/
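The `kill 810` / `killall btagent` / `umount /BTAgent/rw` sequence in the telnet session above, wrapped up as a small script. This is an added example, not code from the post or from the ECI firmware: it reads the BusyBox `ps` listing so the launcher shell (`/bin/sh /BTAgent/ro/start`) is signalled before its `./btagent` children (the post shows that order; that the start script would otherwise restart them is my assumption), then re-checks before unmounting. It uses only applets that appear in the `ls` output above (echo, grep, sed, cut, kill, ps, umount) and backticks rather than `$(...)`, on the assumption that the modem's BusyBox 1.00 msh may not support the latter; the `PS_SAMPLE` rows are copied from the post's `ps` output so the parser can be exercised off the modem.

```shell
#!/bin/sh
# Added example (not from the forum post or the ECI firmware): stop BTAgent
# the way the post does, driven from the ps listing so the launcher shell is
# killed before its ./btagent children. Only applets listed in the post's
# /bin and /usr/bin output are used. Backticks instead of $(...) in case the
# modem's msh predates $(...) support (assumption).

# btagent_pids: read a BusyBox ps listing on stdin and print, space separated,
# the PIDs to stop: the launcher shell first, then every ./btagent process.
btagent_pids() {
    ps_out=`cat`
    launcher=`echo "$ps_out" | grep '/BTAgent/ro/start' | sed 's/^ *//' | cut -d' ' -f1`
    agents=`echo "$ps_out" | grep '\./btagent$' | sed 's/^ *//' | cut -d' ' -f1`
    echo $launcher $agents   # deliberately unquoted: joins the lines into one
}

# stop_btagent: signal the processes, wait, re-check, then unmount the agent's
# jffs2 read-write store as the post did. Returns 1 if anything survived.
stop_btagent() {
    for pid in `ps | btagent_pids`; do
        kill "$pid"
    done
    sleep 1
    left=`ps | btagent_pids`
    if [ -n "$left" ]; then
        echo "btagent still running: $left" >&2
        return 1
    fi
    umount /BTAgent/rw 2>/dev/null
    return 0
}

# Constructed sample: rows copied from the ps output in the post, so the
# parser can be tried on a PC before running stop_btagent on the modem.
PS_SAMPLE='  PID  Uid     VmSize Stat Command
    1 0          172 S   init
  806 0          432 S   alphaFlashAgent
  810 0          216 S   /bin/sh /BTAgent/ro/start
  815 0          740 S   ./btagent
  817 0          740 S   ./btagent
  820 0          740 S   ./btagent
  841 0          392 S   /bin/alphaHousekeeper'
```

Run `echo "$PS_SAMPLE" | btagent_pids` on the PC to confirm it prints `810 815 817 820`; on the modem, paste the two functions into the telnet session and call `stop_btagent`. As the post notes, the agent comes back at the next reboot or power cycle, so this is a per-session measure, not a permanent change.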
-
As per the Asbo instructions it can be changed via telnet but I did not find how to make a permanent change via telnet. The GUI does however let you make the permanent change which survives a power on and off.
-
Thanks for that confirmation, Les. I can see I missed typing the word 'permanently' in my previous post --
Has anyone determined if the device's IP address can be permanently changed via telnet access?
:doh: D'oh!
-
OK, so I would really like to unlock my ECI modem, but I'm a bit confused about how I have to do it.
I know you can get the USB-TTL converter off eBay, but I would prefer not to spend any money if I can, so can I just hook the modem straight up to the COM port on my ASRock Z68 Extreme4 Gen3 mobo?
The pinout for the COM port shows RRXD1, TTXD1 and ground, so that's all that's needed, right?
Also, I'm running Windows 8, so is it easy to do from Windows? Which software is easiest and compatible with Windows 8 to send the commands?
-
^-^ Welcome to the Kitz forum, Liam.
so can I just hook the modem straight up to the com port on my asrock z68 extreme4 gen3 mobo?
The truthful answer is no. You will still need to use an adaptor, otherwise either the modem or your computer will suffer damage. Keeping things simple, I'll say that there is a voltage and protocol difference . . .
I used this RS232 to TTL Converter Cable (http://www.ebay.co.uk/itm/221120584720) (based on the ST micro ST3232EC chip) for the task.
-
Thanks! I think I will have to grab a cheapo off eBay to get this done then. What program can I use on Windows 8 to talk to the box and send the needed commands?
-
Cough! Asking me about BGW (a.k.a. Windoze)? :-X
Someone hasn't read my signature block! ::)
At a guess, there will be something like HyperTerm or other terminal emulator program available for use. When you get to that stage, I'm sure someone else will be able to advise you. :)
-
I just installed HyperTerminal following this guide here (http://www.windowsitpro.com/article/windows-7/hyperterminal-windows-7-142183) on Windows 7; it may well work on 8. (You'll need an XP CD.)
-
Thanks for the link. I forgot about PuTTY; I will use that as I've used it before successfully.
USB-TTL is on the way :-P
-
Many thanks to the B*Cat, I now have an unlocked ECI modem :) (Simply used Putty in a WinXP VM I have for such things on my MacBook).
Some of you may be aware of my current setup - the modem and router are located in separate rooms, with just one cable linking the two. Not good when you're attempting to get stats... or even web gui access!
But, also playing around with the ECI modem, I dug out an old gigabit switch. So I've connected the feed from the modem, and also hooked it up to the router. Router still has access to the net, along with all other devices (as you'd expect). What I did find interesting though, is if I hook another patch lead into the switch and connect that to my laptop. If I correctly set a static IP address, I can also access the web GUI of the ECI this way - whilst all other devices in the house still have access to the net!
I never actually tried this setup with the HG612, but I know that refused all access to the web gui from LAN1. When I unlocked the ECI, I could access the gui from LAN1 or LAN2 - so maybe this is something specific to the ECI?
Anyway... just because I can... I'd estimate my E side is around 350m:
Channel Status               Upstream         Downstream
Actual Net Data Rate         20000000 kbps    78308000 kbps
Actual Interleave Delay      0 ms             0 ms
Actual INP                   0 Symbols        0 Symbols
Attainable Net Data Rate     27444204 kbps    78355520 kbps
Transmit Power               138 dBm          50 dBm
-
Interesting. My stats are reasonably similar to yours, though astonishingly your upload speed is considerably better than mine. Here's mine to compare.
                             Upstream         Downstream
Actual Net Data Rate         19996000 kbps    59996000 kbps
Actual Interleave Delay      0 ms             0 ms
Actual INP                   0 Symbols        0 Symbols
Attainable Net Data Rate     19851744 kbps    82172688 kbps
Transmit Power               103 dBm          -1 dBm
Oh, P.S. are you by any chance the person called 'givemeausername' on eBay?
-
Many thanks to the B*Cat, I now have an unlocked ECI modem :)
Don't forget Jess, Pat's black and white companion. I'm sure she had a paw in the quick delivery of those header pins . . . ;)
But, also playing around with the ECI modem, I dug out an old gigabit switch. So I've connected the feed from the modem, and also hooked it upto the router. Router still has access to the net, along with all other devices (as you'd expect). What I did find interesting though, is if I hook another patch lead into the switch and connect that to my laptop. If I correctly set a static IP address, I can also access the web gui of the ECI this way - whilst all other devices in the house still have access to the net!
Excellent news. Thank you for explaining, for it could prove to be valuable information to others in a similar situation. :thumbs:
I'd estimate my E side is around 350m
Eh? (Pun intended.) Perhaps a discrete application of sed 's/E side/D-side/' is called for? ::)
-
My eBay username (as B*Cat has correctly guessed), is my forum username plus an arbitrary number ;)
I'm not quite sure why our upload speeds are so different Ixel. I'm on underground cabling, and I'd hazard a guess that mine are actually copper and not aluminium. I've walked from the cab to my house, and the path does have a BT duct opening every so often. My estate is relatively new, so unless they dug underneath existing houses I can't see any other way of getting the cables there.
B*Cat: that's how I've worked out my E-side (cable length from house to cab, yes?) is around 350m. Interestingly enough, if I put my friend's address into the checker (who lives no more than 25m down the road) his upload speed drops below the 20Mb max that mine shows... I think it's estimated around 17.5Mb... Just for living an extra 25m down the road.
I wonder if that's the start of the bubble where vdsl drops off?
-
. . . my E-side (cable length from house to cab yes?)
:no: No. That is the D-side. (Distribution side.) The E-side (Exchange side) is thus from the exchange to the PCP.
I wonder if that's the start of the bubble where vdsl drops off?
Our Bald_Eagle1 has a good knowledge on such line characteristics and should readily be able to provide some figures.
-
...
I see, interesting. Very strange though, my line also goes underground, perhaps there's some interference or quality issue that's affecting my attainable upload, though my attainable download is a tad faster than yours. I also tried my ~0.5m ADSLNation Pro+ RJ11 cable which gives me a slightly lower attainable downstream (from ~85,000Kbps to ~82,000Kbps) but a slightly higher upstream (from about 19,000Kbps to around 19,900Kbps-20,200Kbps depending on time of day and weather).
I'm just waiting for DLM to hopefully uncap my downstream. Been over a week since connection uptime and no changes as yet :(.
-
:no: No. That is the D-side. (Distribution side.) The E-side (Exchange side) is thus from the exchange to the PCP.
Whoooops, that is why I am still very much a beginner to all this stuff! Can't even sort my terminology out!
That's very odd DLM still hasn't reacted yet. I'm still assuming the hg612 doesn't play brilliantly with an ECI cab, and if that is the case then DLM reacted less than 36 hours after swapping my modem back to the ECI one.
My connection from master socket to modem is about 20cm. I found a 4 core, non-twisted pair cable lying around which I cut down and crimped new RJ11 plugs on either end.
-
My connection from master socket to modem is about 20cm. I found a 4 core, non-twisted pair cable lying around which I cut down and crimped new RJ11 plugs on either end.
You only need two conductors, as one unshielded twisted pair (UTP), to do the job properly . . . :-\
-
Ah.. forgot to add that I didn't have any 2 core lying around. :angel: I didn't purposefully choose it specifically because it had 4 cores :) I think it might've been the cord from the old phone we had, and the missus preferred it because it was white!
-
Our Bald_Eagle1 has a good knowledge on such line characteristics and should readily be able to provide some figures.
I can't really comment as I haven't looked into upload speeds in any detail.
Most users seem to be more interested in download speeds & are apparently perfectly content with whatever upload speeds they are seeing on their connections.
However, a loss of 2.5Mb upload speed for only 25m extra distance does seem too much of a drop.
The estimates are only that though - estimates.
-
Has there been any update on a simpler unlock, other than the current way with the RS232 to TTL Converter Cable, as I'm not too keen on messing with my modem in that way?
-
Unfortunately there is no other way of obtaining access. :no:
It would be nice if, like the Huawei HG612, it is possible to 'bring up' a screen to allow the device to be flashed with an alternative firmware. However, that facility does not exist. Therefore one must access the device through its console, at TTL levels, via an appropriate adaptor.
-
ben1066,
I like edmt :) a lot for its convenience but would rather have the attenuation Hlog rather than power (as in e.g. the DMT versions 7 and 8 ) . I note that you provided source code in a post above but tackling that looks hard for me :-[ . Is this an easy change that you could make available for all in a different edmt version?
Thanks for the current edmt
-
Please help!!
New ECI modem arrived today ready to unlock
Got my USB serial working on Windows 7, used PuTTY to get into it, accessed it no problem, logged in, entered the commands and it hasn't worked!
Tried it a few times but still can't access it through my browser, what's going on?
I have noticed my modem reports different versions than what is listed on the hacking guide...
U-Boot 1.0.5 (Apr 6 2011 - 14:02:22)
Linux version 2.6.20.19 (gask@BSD7.localdomain) (gcc version 3.4.6 (OpenWrt-2.0)) #1 Wed Sep 14 15:14:08 CST 2011
BusyBox v1.00 (2011.09.14-07:14+0000)
-
Oh dear. That doesn't read too good. :o
To the best of my knowledge, there are now two variants of the ECI B-FOCuS modem in the wild. I have unlocked two of (what I call) the 'type 1' devices by following the definitive guide (http://hackingecibfocusv2fubirevb.wordpress.com/2012/09/23/bare-instructions-to-unlock-eci-vdsl2-modem/). A 'type 1' has four rubber feet on its base which, when removed, expose the four screws which hold the case together.
I understand that a 'type 2' device -- as of yet unseen in The Cattery -- only has two rubber feet and two plastic domes on its base. If I remember correctly, Ronski was having trouble establishing communication via the console serial header pins on a 'type 2' device. :-\
-
Mine is the B-FOCuS V-2FUb/I Rev.B, from your description the Type 1 as it has 4 rubber feet with 4 screws under them...
If it helps, following some other guides I have found, the modem is reporting cpe_enable 1 and is reporting its IP is 192.168.1.55, so it seems as though it has worked, but I still don't have telnet or web access...
-
Have you tried powering it up and with no device(s) connected to it, pressing and holding the reset button for ten seconds? Wait for the modem to re-boot and become stable, then connect a computer to the LAN1 port. Configure the computer to use a dynamic address and invoke it. Interrogate the computer for its default route and make a note of that IP address. It is that address which you should use to connect using telnet or put into your browser for GUI access.
Failing that, perform an nmap scan of IP addresses 192.168.1.55, 192.168.1.254, 192.168.168.168 and that of the default route, above.
-
Still no luck, but then again I don't understand the default route thing you're talking about lol
-
Here are a couple of links that may help --
Default route (http://en.wikipedia.org/wiki/Default_route)
Default gateway (http://en.wikipedia.org/wiki/Default_gateway)
-
Still not got it working, can someone else please chime in and help... uklad?
-
Mine is the B-FOCuS V-2FUb/I Rev.B, from your description the Type 1 as it has 4 rubber feet with 4 screws under them...
If it helps following some other guides I have found the modem is reporting cpe_enable 1 and is reporting its ip is 192.168.1.55 so it seems as though it has worked but I still don't have telnet or web access...
I've replied to your PM listing my woes, it sounds like you've got a lot further than I did.
I wonder if it's simply a matter of temporarily changing your IP address (what burakkucat was getting at I think), my networking knowledge is limited but if your PC does not have an address in the same range as the modem then you won't be able to access it.
If the modem's IP is 192.168.1.55 as you say above, then your PC needs an IP address in the same range; the first three numbers need to be the same. Most PCs have their IP automatically assigned from the DHCP server, so you need to manually assign one to match the modem, then go into the modem and change its IP address to match your network, then change your PC back to what it was. The modem should be directly connected to your PC whilst you do this.
Edit: This is what I did with the unlocked one that I bought, to get it accessible on my network - I used my laptop for simplicity.
Hope that helps
-
I'M IN!!
Turns out that I was trying to set the wrong IP.
I was setting 192.168.1.xx, thinking the modem was at 192.168.1.55, but actually it's still at 192.168.168.168, so simply setting my IP manually to 192.168.168.170 I got in :-D
EDIT: So I'm all set up and working, but now wondering if there is a way to connect LAN 1 to the WAN port of my router and still access the modem through its IP?
My comp is on the LAN of the router.
EDIT2: Also, on the modem, internet and GUI are available on LAN 1, but LAN 2 only allows GUI; it doesn't give internet access. Any way to enable internet access on port 2?
-
lan 1 needs to be connected to your wan port for internet access, lan 2 needs to be connected to a lan port on your router to allow you to access the modem, there's no way to do it via a single cable.
-
IM IN!!
Turns out that I was trying to set the wrong ip
I was settings 192.168.1.xx thinking the modem was at 192.168.1.55 but actually its still at 192.168.168.168 so simply settings my ip manually to 192.168.168.170 I got in :-D
Excellent news! ;D
-
lan 1 needs to be connected to your wan port for internet access, lan 2 needs to be connected to a lan port on your router to allow you to access the modem, there's no way to do it via a single cable.
Wish I'd read this earlier lol, been playing for ages to get this to work but finally found this method elsewhere and it works perfectly.
My router is set up as 192.168.1.1 with 192.168.1.2 reserved for the modem, and the modem is 192.168.1.2, and I can access them both no problem.
Thanks for the replies guys, only need a good program to access stats now. I did try eDMT but that just crashes when trying to log in.
-
lan 1 needs to be connected to your wan port for internet access, lan 2 needs to be connected to a lan port on your router to allow you to access the modem, there's no way to do it via a single cable.
What happens on the newer ECI modems? I've been told only LAN1 works, which I can access, but the modem isn't connected to the line. When it's connected to the line does it stop working?
-
I've no idea, in the end I gave up and bought an older type already unlocked.
-
I've no idea, in the end I gave up and bought an older type already unlocked.
Seems no one wants to sell the older ones anymore :(
Check the other thread, I posted an update, but I guess the situation is that one can either get the stats or use the net but not both at the same time, and no one knows how to get the error stats on the newer ones.
-
I think I have an older one, with the pins soldered in, but that I couldn't unlock if you're interested.
-
Would need to be pre unlocked, the ECI unlock procedure is over my head.
I am using the ECI I got now as I am fairly convinced it has a much lower CRC error rate than the HG, based on the lack of red specks on my TBB graph. They both sync around the same speed. The ECI reports a lower attainable, which I think is more accurate than the HG's attainable, as the HG reports a downstream attainable 2Mbit higher than the actual sync even though it's a 6dB margin.
edit
If you're willing to send it for the postage fee I will take it, maybe I can somehow get it unlocked, thanks.
-
I think I'll put it on Ebay sometime, could do with getting some money back.
-
I have the older model unlocked I would be willing to sell if the price is right...
I find I never really access the stats anyway and could just use my newer model and access stats now and again by switching the cable
EDIT: SOLD
-
I have now spent a little time 'playing' with this 'older' type ECI device, the V-2FUb/I.
I am uncertain if Bald_Eagle1 has any plans to port his statistics harvesting and graphing code to these devices but here is some food for thought --
[bcat@Duo2 ECI]$ telnet 192.168.1.254
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
login as: admin
password:
BusyBox v1.00 (2011.08.09-03:28+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
Alpha # echo help > /var/tmp/pipe/dsl_cpe0_cmd
Alpha # cat /var/tmp/pipe/dsl_cpe0_ack
acog, AutobootConfigOptionGet
acos, AutobootConfigOptionSet
acs, AutobootControlSet
alf, AutobootLoadFirmware
asecg, AutobootScriptExecuteConfigGet
asecs, AutobootScriptExecuteConfigSet
asg, AutobootStatusGet
aufg, AutobootUsedFirmwareGet
alig, AuxLineInventoryGet
bbsg, BandBorderStatusGet
bpstg, BandPlanSTatusGet
bpsg, BandPlanSupportGet
dbgmlg, DBG_ModuleLevelGet
dbgmls, DBG_ModuleLevelSet
dms, DeviceMessageSend
esmcg, EventStatusMaskConfigGet
esmcs, EventStatusMaskConfigSet
fpsg, FramingParameterStatusGet
g997amdpfcg, G997_AlarmMaskDataPathFailuresConfigGet
g997amdpfcs, G997_AlarmMaskDataPathFailuresConfigSet
g997amlfcg, G997_AlarmMaskLineFailuresConfigGet
g997amlfcs, G997_AlarmMaskLineFailuresConfigSet
g997bang, G997_BitAllocationNscGet
g997bansg, G997_BitAllocationNscShortGet
g997cdrtcg, G997_ChannelDataRateThresholdConfigGet
g997cdrtcs, G997_ChannelDataRateThresholdConfigSet
g997csg, G997_ChannelStatusGet
g997dpfsg, G997_DataPathFailuresStatusGet
g997dfr, G997_DeltFreeResources
g997dhling, G997_DeltHLINGet
g997dhlinsg, G997_DeltHLINScaleGet
g997dhlogg, G997_DeltHLOGGet
g997dqlng, G997_DeltQLNGet
g997dsnrg, G997_DeltSNRGet
g997fpsg, G997_FramingParameterStatusGet
g997gang, G997_GainAllocationNscGet
g997gansg, G997_GainAllocationNscShortGet
g997lstg, G997_LastStateTransmittedGet
g997lacg, G997_LineActivateConfigGet
g997lacs, G997_LineActivateConfigSet
g997lfsg, G997_LineFailureStatusGet
g997lisg, G997_LineInitStatusGet
g997lig, G997_LineInventoryGet
g997listrg, G997_LineInventorySTRingGet
g997lis, G997_LineInventorySet
g997lsg, G997_LineStatusGet
g997lspbg, G997_LineStatusPerBandGet
g997ltsg, G997_LineTransmissionStatusGet
g997pmsft, G997_PowerManagementStateForcedTrigger
g997pmsg, G997_PowerManagementStatusGet
g997racg, G997_RateAdaptationConfigGet
g997racs, G997_RateAdaptationConfigSet
g997sang, G997_SnrAllocationNscGet
g997sansg, G997_SnrAllocationNscShortGet
g997xtusecg, G997_XTUSystemEnablingConfigGet
g997xtusecs, G997_XTUSystemEnablingConfigSet
g997xtusesg, G997_XTUSystemEnablingStatusGet
help, Help
ics, InstanceControlSet
isg, InstanceStatusGet
lecg, LastExceptionCodesGet
lfcg, LineFeatureConfigGet
lfcs, LineFeatureConfigSet
lfsg, LineFeatureStatusGet
locg, LineOptionsConfigGet
locs, LineOptionsConfigSet
lsg, LineStateGet
llcg, LowLevelConfigurationGet
llcs, LowLevelConfigurationSet
mlsg, MiscLineStatusGet
mfcg, MultimodeFsmConfigGet
mfcs, MultimodeFsmConfigSet
mfsg, MultimodeFsmStatusGet
nsecg, NotificationScriptExecuteConfigGet
nsecs, NotificationScriptExecuteConfigSet
pm15meet, PM_15MinElapsedExtTrigger
pmbms, PM_BurninModeSet
pmcc15mg, PM_ChannelCounters15MinGet
pmcc1dg, PM_ChannelCounters1DayGet
pmccsg, PM_ChannelCountersShowtimeGet
pmcctg, PM_ChannelCountersTotalGet
pmchs15mg, PM_ChannelHistoryStats15MinGet
pmchs1dg, PM_ChannelHistoryStats1DayGet
pmct15mg, PM_ChannelThresholds15MinGet
pmct15ms, PM_ChannelThresholds15MinSet
pmct1dg, PM_ChannelThresholds1DayGet
pmct1ds, PM_ChannelThresholds1DaySet
pmcg, PM_ConfigGet
pmcs, PM_ConfigSet
pmdpc15mg, PM_DataPathCounters15MinGet
pmdpc1dg, PM_DataPathCounters1DayGet
pmdpcsg, PM_DataPathCountersShowtimeGet
pmdpctg, PM_DataPathCountersTotalGet
pmdpfc15mg, PM_DataPathFailureCounters15MinGet
pmdpfc1dg, PM_DataPathFailureCounters1DayGet
pmdpfcsg, PM_DataPathFailureCountersShowtimeGet
pmdpfctg, PM_DataPathFailureCountersTotalGet
pmdpfhs15mg, PM_DataPathFailureHistoryStats15MinGet
pmdpfhs1dg, PM_DataPathFailureHistoryStats1DayGet
pmdphs15mg, PM_DataPathHistoryStats15MinGet
pmdphs1dg, PM_DataPathHistoryStats1DayGet
pmdpt15mg, PM_DataPathThresholds15MinGet
pmdpt15ms, PM_DataPathThresholds15MinSet
pmdpt1dg, PM_DataPathThresholds1DayGet
pmdpt1ds, PM_DataPathThresholds1DaySet
pmetr, PM_ElapsedTimeReset
pmlesc15mg, PM_LineEventShowtimeCounters15MinGet
pmlesc1dg, PM_LineEventShowtimeCounters1DayGet
pmlescsg, PM_LineEventShowtimeCountersShowtimeGet
pmlesctg, PM_LineEventShowtimeCountersTotalGet
pmleshs15mg, PM_LineEventShowtimeHistoryStats15MinGet
pmleshs1dg, PM_LineEventShowtimeHistoryStats1DayGet
pmlfc15mg, PM_LineFailureCounters15MinGet
pmlfc1dg, PM_LineFailureCounters1DayGet
pmlfcsg, PM_LineFailureCountersShowtimeGet
pmlfctg, PM_LineFailureCountersTotalGet
pmlfhs15mg, PM_LineFailureHistoryStats15MinGet
pmlfhs1dg, PM_LineFailureHistoryStats1DayGet
pmlic15mg, PM_LineInitCounters15MinGet
pmlic1dg, PM_LineInitCounters1DayGet
pmlicsg, PM_LineInitCountersShowtimeGet
pmlictg, PM_LineInitCountersTotalGet
pmlihs15mg, PM_LineInitHistoryStats15MinGet
pmlihs1dg, PM_LineInitHistoryStats1DayGet
pmlit15mg, PM_LineInitThresholds15MinGet
pmlit15ms, PM_LineInitThresholds15MinSet
pmlit1dg, PM_LineInitThresholds1DayGet
pmlit1ds, PM_LineInitThresholds1DaySet
pmlsc15mg, PM_LineSecCounters15MinGet
pmlsc1dg, PM_LineSecCounters1DayGet
pmlscsg, PM_LineSecCountersShowtimeGet
pmlsctg, PM_LineSecCountersTotalGet
pmlshs15mg, PM_LineSecHistoryStats15MinGet
pmlshs1dg, PM_LineSecHistoryStats1DayGet
pmlst15mg, PM_LineSecThresholds15MinGet
pmlst15ms, PM_LineSecThresholds15MinSet
pmlst1dg, PM_LineSecThresholds1DayGet
pmlst1ds, PM_LineSecThresholds1DaySet
pmrtc15mg, PM_ReTxCounters15MinGet
pmrtc1dg, PM_ReTxCounters1DayGet
pmrtcsg, PM_ReTxCountersShowtimeGet
pmrtctg, PM_ReTxCountersTotalGet
pmrths15mg, PM_ReTxHistoryStats15MinGet
pmrths1dg, PM_ReTxHistoryStats1DayGet
pmrtt15mg, PM_ReTxThresholds15MinGet
pmrtt15ms, PM_ReTxThresholds15MinSet
pmrtt1dg, PM_ReTxThresholds1DayGet
pmrtt1ds, PM_ReTxThresholds1DaySet
pmr, PM_Reset
pmsmg, PM_SyncModeGet
pmsms, PM_SyncModeSet
ptsg, PilotTonesStatusGet
quit, Quit
rccg, RebootCriteriaConfigGet
rccs, RebootCriteriaConfigSet
rusg, ResourceUsageStatisticsGet
se, ScriptExecute
sicg, SystemInterfaceConfigGet
sics, SystemInterfaceConfigSet
sisg, SystemInterfaceStatusGet
tmcs, TestModeControlSet
tmsg, TestModeStatusGet
vig, VersionInformationGet
Alpha # echo help > /var/tmp/pipe/dsl_cpe1_cmd
Alpha # cat /var/tmp/pipe/dsl_cpe1_ack
acog, AutobootConfigOptionGet
acos, AutobootConfigOptionSet
acs, AutobootControlSet
alf, AutobootLoadFirmware
asecg, AutobootScriptExecuteConfigGet
asecs, AutobootScriptExecuteConfigSet
asg, AutobootStatusGet
aufg, AutobootUsedFirmwareGet
alig, AuxLineInventoryGet
bbsg, BandBorderStatusGet
bpstg, BandPlanSTatusGet
bpsg, BandPlanSupportGet
dbgmlg, DBG_ModuleLevelGet
dbgmls, DBG_ModuleLevelSet
dms, DeviceMessageSend
esmcg, EventStatusMaskConfigGet
esmcs, EventStatusMaskConfigSet
fpsg, FramingParameterStatusGet
g997amdpfcg, G997_AlarmMaskDataPathFailuresConfigGet
g997amdpfcs, G997_AlarmMaskDataPathFailuresConfigSet
g997amlfcg, G997_AlarmMaskLineFailuresConfigGet
g997amlfcs, G997_AlarmMaskLineFailuresConfigSet
g997bang, G997_BitAllocationNscGet
g997bansg, G997_BitAllocationNscShortGet
g997cdrtcg, G997_ChannelDataRateThresholdConfigGet
g997cdrtcs, G997_ChannelDataRateThresholdConfigSet
g997csg, G997_ChannelStatusGet
g997dpfsg, G997_DataPathFailuresStatusGet
g997dfr, G997_DeltFreeResources
g997dhling, G997_DeltHLINGet
g997dhlinsg, G997_DeltHLINScaleGet
g997dhlogg, G997_DeltHLOGGet
g997dqlng, G997_DeltQLNGet
g997dsnrg, G997_DeltSNRGet
g997fpsg, G997_FramingParameterStatusGet
g997gang, G997_GainAllocationNscGet
g997gansg, G997_GainAllocationNscShortGet
g997lstg, G997_LastStateTransmittedGet
g997lacg, G997_LineActivateConfigGet
g997lacs, G997_LineActivateConfigSet
g997lfsg, G997_LineFailureStatusGet
g997lisg, G997_LineInitStatusGet
g997lig, G997_LineInventoryGet
g997listrg, G997_LineInventorySTRingGet
g997lis, G997_LineInventorySet
g997lsg, G997_LineStatusGet
g997lspbg, G997_LineStatusPerBandGet
g997ltsg, G997_LineTransmissionStatusGet
g997pmsft, G997_PowerManagementStateForcedTrigger
g997pmsg, G997_PowerManagementStatusGet
g997racg, G997_RateAdaptationConfigGet
g997racs, G997_RateAdaptationConfigSet
g997sang, G997_SnrAllocationNscGet
g997sansg, G997_SnrAllocationNscShortGet
g997xtusecg, G997_XTUSystemEnablingConfigGet
g997xtusecs, G997_XTUSystemEnablingConfigSet
g997xtusesg, G997_XTUSystemEnablingStatusGet
help, Help
ics, InstanceControlSet
isg, InstanceStatusGet
lecg, LastExceptionCodesGet
lfcg, LineFeatureConfigGet
lfcs, LineFeatureConfigSet
lfsg, LineFeatureStatusGet
locg, LineOptionsConfigGet
locs, LineOptionsConfigSet
lsg, LineStateGet
llcg, LowLevelConfigurationGet
llcs, LowLevelConfigurationSet
mlsg, MiscLineStatusGet
mfcg, MultimodeFsmConfigGet
mfcs, MultimodeFsmConfigSet
mfsg, MultimodeFsmStatusGet
nsecg, NotificationScriptExecuteConfigGet
nsecs, NotificationScriptExecuteConfigSet
pm15meet, PM_15MinElapsedExtTrigger
pmbms, PM_BurninModeSet
pmcc15mg, PM_ChannelCounters15MinGet
pmcc1dg, PM_ChannelCounters1DayGet
pmccsg, PM_ChannelCountersShowtimeGet
pmcctg, PM_ChannelCountersTotalGet
pmchs15mg, PM_ChannelHistoryStats15MinGet
pmchs1dg, PM_ChannelHistoryStats1DayGet
pmct15mg, PM_ChannelThresholds15MinGet
pmct15ms, PM_ChannelThresholds15MinSet
pmct1dg, PM_ChannelThresholds1DayGet
pmct1ds, PM_ChannelThresholds1DaySet
pmcg, PM_ConfigGet
pmcs, PM_ConfigSet
pmdpc15mg, PM_DataPathCounters15MinGet
pmdpc1dg, PM_DataPathCounters1DayGet
pmdpcsg, PM_DataPathCountersShowtimeGet
pmdpctg, PM_DataPathCountersTotalGet
pmdpfc15mg, PM_DataPathFailureCounters15MinGet
pmdpfc1dg, PM_DataPathFailureCounters1DayGet
pmdpfcsg, PM_DataPathFailureCountersShowtimeGet
pmdpfctg, PM_DataPathFailureCountersTotalGet
pmdpfhs15mg, PM_DataPathFailureHistoryStats15MinGet
pmdpfhs1dg, PM_DataPathFailureHistoryStats1DayGet
pmdphs15mg, PM_DataPathHistoryStats15MinGet
pmdphs1dg, PM_DataPathHistoryStats1DayGet
pmdpt15mg, PM_DataPathThresholds15MinGet
pmdpt15ms, PM_DataPathThresholds15MinSet
pmdpt1dg, PM_DataPathThresholds1DayGet
pmdpt1ds, PM_DataPathThresholds1DaySet
pmetr, PM_ElapsedTimeReset
pmlesc15mg, PM_LineEventShowtimeCounters15MinGet
pmlesc1dg, PM_LineEventShowtimeCounters1DayGet
pmlescsg, PM_LineEventShowtimeCountersShowtimeGet
pmlesctg, PM_LineEventShowtimeCountersTotalGet
pmleshs15mg, PM_LineEventShowtimeHistoryStats15MinGet
pmleshs1dg, PM_LineEventShowtimeHistoryStats1DayGet
pmlfc15mg, PM_LineFailureCounters15MinGet
pmlfc1dg, PM_LineFailureCounters1DayGet
pmlfcsg, PM_LineFailureCountersShowtimeGet
pmlfctg, PM_LineFailureCountersTotalGet
pmlfhs15mg, PM_LineFailureHistoryStats15MinGet
pmlfhs1dg, PM_LineFailureHistoryStats1DayGet
pmlic15mg, PM_LineInitCounters15MinGet
pmlic1dg, PM_LineInitCounters1DayGet
pmlicsg, PM_LineInitCountersShowtimeGet
pmlictg, PM_LineInitCountersTotalGet
pmlihs15mg, PM_LineInitHistoryStats15MinGet
pmlihs1dg, PM_LineInitHistoryStats1DayGet
pmlit15mg, PM_LineInitThresholds15MinGet
pmlit15ms, PM_LineInitThresholds15MinSet
pmlit1dg, PM_LineInitThresholds1DayGet
pmlit1ds, PM_LineInitThresholds1DaySet
pmlsc15mg, PM_LineSecCounters15MinGet
pmlsc1dg, PM_LineSecCounters1DayGet
pmlscsg, PM_LineSecCountersShowtimeGet
pmlsctg, PM_LineSecCountersTotalGet
pmlshs15mg, PM_LineSecHistoryStats15MinGet
pmlshs1dg, PM_LineSecHistoryStats1DayGet
pmlst15mg, PM_LineSecThresholds15MinGet
pmlst15ms, PM_LineSecThresholds15MinSet
pmlst1dg, PM_LineSecThresholds1DayGet
pmlst1ds, PM_LineSecThresholds1DaySet
pmrtc15mg, PM_ReTxCounters15MinGet
pmrtc1dg, PM_ReTxCounters1DayGet
pmrtcsg, PM_ReTxCountersShowtimeGet
pmrtctg, PM_ReTxCountersTotalGet
pmrths15mg, PM_ReTxHistoryStats15MinGet
pmrths1dg, PM_ReTxHistoryStats1DayGet
pmrtt15mg, PM_ReTxThresholds15MinGet
pmrtt15ms, PM_ReTxThresholds15MinSet
pmrtt1dg, PM_ReTxThresholds1DayGet
pmrtt1ds, PM_ReTxThresholds1DaySet
pmr, PM_Reset
pmsmg, PM_SyncModeGet
pmsms, PM_SyncModeSet
ptsg, PilotTonesStatusGet
quit, Quit
rccg, RebootCriteriaConfigGet
rccs, RebootCriteriaConfigSet
rusg, ResourceUsageStatisticsGet
se, ScriptExecute
sicg, SystemInterfaceConfigGet
sics, SystemInterfaceConfigSet
sisg, SystemInterfaceStatusGet
tmcs, TestModeControlSet
tmsg, TestModeStatusGet
vig, VersionInformationGet
Alpha # exit
Connection closed by foreign host.
[bcat@Duo2 ECI]$
I am not sure if that 'help' list is identical to the one discovered by asbokid for the 'newer' type ECI device, the V-2FUb/r, but if it is, Bald_Eagle1 will be able to (eventually) support both ECI device types. ;)
-
I am not sure if that 'help' list is identical to the one discovered by asbokid for the 'newer' type ECI device, the V-2FUb/r, but if it is, Bald_Eagle1 will be able to (eventually) support both ECI device types. ;)
It would indeed be good to support these devices, but I have to say it's not something I will be working on in the immediate future.
If anyone was to write the code in plain old 'C' for converting the data from these devices into the same (or very similar) format as the xdslcmd data obtained from the Huawei HG612 modem, it would be a relatively easy/quick exercise for me to include that within the new HG612 programs' code.
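As an added example that is not part of this thread (it is not Bald_Eagle1's code, nor anything from the modem's firmware), and in a busybox-compatible shell rather than the C asked for above, here is a small script that drives the dsl_cpe0 control pipes the thread uses (echo a command into the _cmd pipe, cat the reply from the _ack pipe), checks the API return code, pulls named counters out of the reply, and rests between bursts of commands. It assumes the acknowledgement is one line of space-separated key=value pairs beginning with nReturn= (0 on success) and that the pmcctg total channel counters use the key names nFEC and nCodeViolations; none of that output is shown on the page, so treat the key names and the pause length as assumptions. The batch size follows the advice later in the thread to send the commands in groups of 6-8.

```shell
#!/bin/sh
# Added example, not code from the thread: drive the dsl_cpe control pipes the
# thread uses (echo a command into *_cmd, cat the reply from *_ack) from a
# busybox-compatible shell, check the return code and pull named fields out.
#
# ASSUMPTIONS (the page shows no ack output): each reply is one line of
# space-separated key=value pairs beginning with nReturn= (0 on success), and
# the total channel counters from "pmcctg <line> <direction>" carry the
# forward-error-correction count as nFEC and the CRC anomaly count as
# nCodeViolations. Adjust the key names if your firmware prints others.

DSL_CMD_PIPE="${DSL_CMD_PIPE:-/tmp/pipe/dsl_cpe0_cmd}"   # path from the thread
DSL_ACK_PIPE="${DSL_ACK_PIPE:-/tmp/pipe/dsl_cpe0_ack}"   # path from the thread
DSL_BATCH_SIZE="${DSL_BATCH_SIZE:-6}"    # 6-8 commands per burst, per the thread
DSL_BATCH_PAUSE="${DSL_BATCH_PAUSE:-5}"  # seconds of rest between bursts (assumed)

# dsl_cmd "<command>": send one CLI command and print its single ack line.
dsl_cmd() {
    echo "$1" > "$DSL_CMD_PIPE"
    cat "$DSL_ACK_PIPE"
}

# dsl_field "<ack line>" "<key>": print the value of key, or nothing if absent.
dsl_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# dsl_ok "<ack line>": succeed only when the API reported nReturn=0.
dsl_ok() {
    [ "$(dsl_field "$1" nReturn)" = "0" ]
}

# dsl_counters <direction>: one-line summary of the total channel counters
# for direction 0 or 1, as in the thread's "pmcctg 0 <direction>" lines.
dsl_counters() {
    ack=$(dsl_cmd "pmcctg 0 $1")
    dsl_ok "$ack" || return 1
    printf 'dir=%s FEC=%s CRC=%s\n' "$1" \
        "$(dsl_field "$ack" nFEC)" "$(dsl_field "$ack" nCodeViolations)"
}

# dsl_batch "<cmd>" ...: run several commands, resting after every
# DSL_BATCH_SIZE of them. The thread reports the modem losing telnet access
# when asked for many outputs at once, so never fire the whole list blind.
dsl_batch() {
    n=0
    for c in "$@"; do
        n=$((n + 1))
        ack=$(dsl_cmd "$c")
        if dsl_ok "$ack"; then
            printf '%s -> %s\n' "$c" "$ack"
        else
            printf '%s -> ERROR nReturn=%s\n' "$c" "$(dsl_field "$ack" nReturn)" >&2
        fi
        if [ $((n % DSL_BATCH_SIZE)) -eq 0 ] && [ "$n" -lt "$#" ]; then
            sleep "$DSL_BATCH_PAUSE"
        fi
    done
}
```

Usage on the modem would be to source the file in the telnet session and then call, for example, `dsl_counters 0` or `dsl_batch "bpstg" "llcg" "pmcctg 0 0" "pmcctg 0 1"`; the pipe paths, batch size and pause can be overridden through the environment variables at the top, which is also how the script can be exercised against plain files on a PC before touching a modem.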
-
Hi to you all.
Is there a simple way for a newbie to unlock this modem? I have got the r version with two rubber feet (two screws) and have soldered the three pins to the board, ready for USB.
I have downloaded the software for the USB and installed it, but when I power the modem nothing pops up on the screen.
Does the modem need to be connected to the router?
I am not a hi-tech guy, still learning. Thanks for your help.
-
Not sure I understand the problem but:-
1. You can check that the USB to TTL adapter etc. is working by connecting RX to TX on the USB to TTL adapter only and seeing if you get a character echo in a terminal, e.g. PuTTY, with settings as in the /r post.
You should then connect the three pins to the TTL side of the USB adapter, checking that you have GND correct by looking closely at the pics in the /r post.
2. Power up the modem first, wait a minute, THEN open the terminal and press return a few times. If there is no response, try a fresh terminal session with the wires the other way round, i.e. RX and TX swapped over.
I find it best to open a fresh terminal each time. Once you have a connection, you should see modem output at modem power-up if you power down and up, leaving the connected terminal window open.
If the USB to TTL is working but all fails it may be a "soldering the pins fault".
Good luck
-
is there a simple way for a newbie how to unlock this modem .
Unfortunately both versions of the ECI can be troublesome. Also there's a big problem with "grey" PL2303 chips, according to the Prolific website. [1]
Maybe the way to save time (and a few extra gray hairs) is to get an unlocked one off eBay* (unlocked "I"s don't come up often though).
----------------------------------------------------------------------------------------------------------------------
* http://www.ebay.co.uk/sch/i.html?_trksid=p5197.m570.l1313&_nkw=unlocked+eci&_sacat=0&_from=R40
[1] http://www.prolific.com.tw/US/ShowProduct.aspx?p_id=225&pcid=41
-
Alternatives to the pl2303 include the cp2102, the ft232 and the ch341.
cheers, a
-
Sometimes trying the "underside" pads might just work.
As asbokid highlights on page 15
Perhaps if you have the patience to try it again, maybe the pins could be clipped to the pads on the underside of the board. These are actually plated thru-holes, so there should still be continuity.
(https://forum.kitz.co.uk/proxy.php?request=http%3A%2F%2Fwww1.picturepush.com%2Fphoto%2Fa%2F10188279%2F480%2FECI-B-FOCuS-VDSL2-modem---solderless-UART-connection%2FDSC-0923.jpg&hash=f569b100a5ce0a5b9d3456fa065fc123b74f42e9) (http://picturepush.com/public/10188279)
----------------------------------------------------------------------------------------------------------------------
If all else fails
The "well known" ebay seller has dropped the price to below £20 on the "r" on the link *
* http://www.ebay.co.uk/sch/i.html?_trksid=p5197.m570.l1313&_nkw=unlocked+eci&_sacat=0&_from=R40
-
OK, sad to report the telnetd locking still happens even with manually killing btagent. I had my modem powered on in this room for over a week, tried telnet today and needed to reboot to access it.
If I run top, there is an indication of what's wrong.
At first the process called autbtex was consuming all CPU power; I couldn't kill it, it's unkillable.
Now that process is fighting with telnetd for all CPU power.
The modem has a load avg of over 4.xx just sitting idle on my LAN.
So something is sucking up CPU power, and I expect also sucking up resources, probably eventually causing telnet to lock up. The one process that is consistent is autbtex; telnet isn't constantly sucking up CPU power, it goes idle after a bit of time.
I want to get an ECI running on my line now, as I am currently interleaved. Last time I was, it recovered in 2 days with pretty much no errors, but it seems there are complications this time round: the HG lost sync about 2 hours ago (which is probably going to trash DLM recovery) and the only cause I can see is a short period of lower upload attainable (still above 20meg) which coincided with the resync. The modem actually synced higher than previously, suggesting it was a very short issue that had gone by the time it had synced, so I want to see if the ECI fixes these niggling issues, as DLM is a pain. But I am not keen on plugging in a modem that has issues with processes sucking up all its CPU power whilst idle and a telnet that will lock me out after a few days.
My new ECI v1 seems to have been sent via a dodgy courier so I am not sure when I will get it now.
-
Managed to find some time, so I've dug out my network switch just to confirm what can and can't be done whilst connected to only LAN1. As other people have mentioned, it is rather messy as it's introducing yet another device (Modem, Router and Switch now) to the mix.
Just for confirmation, my current layout is like this:
Gigabit Switch (5 Port)
^ ^ ^ ^ ^
x x | | |
| | -> ECI Modem
| |
| --- > Router WAN
|
------ > Router LAN
I let the switch power up fully, then connect the modem to the switch followed by the WAN connection, then once that's established I connect to the LAN. Not sure if it matters, but that's the method I use anyway. The ECI /I was unlocked using Asbo's method, and I've preset it to use an IP address of 192.168.1.55.
My ISP is Talktalk, and the router is the 4th Gen Apple Time Capsule.
Using solely the wireless connection to the router to avoid more wires :blush: I can remain connected to the internet whilst browsing to the router GUI on 192.168.1.55 and open a telnet session to the ECI. I'm not sure there's anything else I know to try.
If anyone does want me to test anything out whilst I'm set up like this, let me know and I shall. I'll keep this setup like this for a week or so.
-
Has anyone managed to get stats with the Plusnet router, the Technicolor TG582n FTTC?
-
I'm not sure what you mean by get the stats from the Technicolor router?
The 582n doesn't do the VDSL / FTTC connection so it doesn't know or care about the sync speed or error rates.
The Openreach modem in front? of the 582n does.
Do you mean 'Has anyone managed to NAT through to an unlocked openreach modem via a 582n?' allowing access to the stats on an unlocked modem without having to plug the computer directly into the Openreach modem?
-
Yes, sorry. I get the issue where the net goes slow and the modem web UI is not loading; if I unplug LAN 1 on the modem I can get the UI.
So far the modem is unlocked and I have put it on IP 192.168.1.85.
I've tried everything I can think of but still can't connect to the UI, and the web goes slow.
The only thing I haven't done is go direct from the laptop to LAN 2 on the modem and use the WiFi on the laptop for the web, as I am unsure how to do that.
Thanks for any tips.
(Think I am getting OCD on the modem stats.)
-
Has anyone managed to be able to have the Lan1 port going to the WAN port on a router, and have the Lan2 going into the router switch to be able to access the GUI and get the line stats etc??
I have my Lan2 set up as 192.168.1.240 and it works fine as long as the Wan port is not connected - As soon as I plug in the Wan port I lose the ability to access the GUI and get my stats :(
I presume that as I can't connect to the Lan2 port whilst running, I won't be able to run eDMT?
Any assistance very much appreciated :)
Andy
-
Has anyone managed to be able to have the Lan1 port going to the WAN port on a router, and have the Lan2 going into the router switch to be able to access the GUI and get the line stats etc??
I have my Lan2 set up as 192.168.1.240 and it works fine as long as the Wan port is not connected - As soon as I plug in the Wan port I lose the ability to access the GUI and get my stats :(
I presume that as I can't connect to the Lan2 port whilst running, I won't be able to run eDMT?
Any assistance very much appreciated :)
Andy
Similar to my experience.
-
I could only connect to one of the devices (modem or router) until I removed the IP from my computer and allowed it to auto-assign; now I can access both.
-
I could only connect to one of the devices (modem or router) until I removed the IP from my computer and allowed it to auto-assign; now I can access both.
Don't quite follow what you mean, as computer is on auto-assign?
I have got it running using a switch and just Lan1 as per biohead's post about 6 down from here, but it would be more convenient if I could just use the router and 2 cables to the modem
Would be grateful for more info on what you mean - VMT.
Andy
-
I assume you are changing your computer IP so you can connect to 1 or the other device, allowing the DHCP to assign automatically allows me to connect to both devices when plugged in LAN1 and LAN2.
-
Has anyone managed to be able to have the Lan1 port going to the WAN port on a router, and have the Lan2 going into the router switch to be able to access the GUI and get the line stats etc??
I have my Lan2 set up as 192.168.1.240 and it works fine as long as the Wan port is not connected - As soon as I plug in the Wan port I lose the ability to access the GUI and get my stats :(
I presume that as I can't connect to the Lan2 port whilst running, I won't be able to run eDMT?
Any assistance very much appreciated :)
Andy
Similar to my experience.
This is the same problem I have as well - I can’t view the gui on my ECI B-FOCuS V-2FUb/I Rev.B modem when the internet is connected even if I use two leads.
If I connect either port 1 or 2 on the ECI to the LAN side of my Technicolor 582n I can view the ECI gui on 192.168.1.55. However as soon as I connect port 1 on the ECI to the WAN port on the Technicolor, so that the internet is available on the LAN, I am no longer able to connect to the ECI gui on 192.168.1.55 even though port 2 on the ECI modem is still connected to the LAN side of the Technicolor.
Can someone confirm that it is possible to view the ECI gui when the internet is connected and explain how they have configured it?
It seems to me that both ports on the ECI are acting as one port as with a cable in either ECI port 1 or 2 and connected to the Technicolor LAN side both ports respond on 192.168.1.55. Anyone know how the two ports should be configured and the linux commands (ifconfig?) to check my configuration?
-
Hi all
I have got hold of an ECI /I and unlocked it successfully, but after going through all that I can't do the simple bit of configuring the web GUI to establish a connection. It syncs fine, so it's just a case of finding the right setup. Could anyone assist me please, step by step if possible? I would be so grateful, thanks.
Another thing: as I'm currently using a HG612 in router mode, is this still possible with the ECI? I noticed DHCP is disabled.
-
Hello Richard. Welcome to the Kitz forum. :)
You have unlocked your ECI B-FOCuS /I modem. Did you try it on your line before performing the unlocking process? The reason why I ask is that unlocking it does not change any of its fundamental configuration. So if it worked before it was unlocked, it should still work after it has been unlocked. ;)
You say "it syncs fine", so does it allow a PPPoE process to be established via the LAN1 port?
Re-reading the last line of your post I take it that you have an unlocked Huawei HG612 that you have reconfigured to operate as a modem/router? Is that what you would like to do with the ECI B-FOCuS /I? :-\
-
Hi burakkucat and thanks :)
I know it sounds silly, as if I've done everything else then this would be so simple.
The ECI modem was bought from eBay and as soon as I received it I didn't test it on my line, I just unlocked it straight away, then went onto the web GUI to configure the connection settings to mirror the HG612. I found the ECI syncs with the cabinet fine at approx 71000kbps / 20000kbps but it won't establish that connection to Plusnet, perhaps because the settings are a little wrong.
Ideally I would like to use the ECI in router mode so it handles everything such as the PPPoE connection, DHCP server etc. I don't know if this is possible? If not I can connect to my router using the WAN port (which I also tried btw).
Perhaps I should have left the settings alone as soon as I unlocked it, but now it appears I'm in a pickle, so anyone who could guide me through it via manual setup would be great.
Thanks
-
:hmm: Hmm . . . The ECI modems are a bit of a problem. :-X
You clearly have the configuration correct in terms of the VLAN, etc, as you are able to establish synchronisation with the DSLAM.
I need to ask for clarification on one point with regards to your Huawei HG612 modem. Have you been using the HG612 to establish the PPPoE session with your ISP? Or have you just used it as a pure bridge, as Beattie originally supplied it? If the former is the case, then the relevant configuration applied to the ECI B-FOCuS /I should work. :-\
You could give the ECI a 'long reset' which will then revert it back to Beattie's original status. Then a test with your router connected to the LAN1 port will allow you to confirm the correct operation. If you were then to perform the unlocking steps, it should continue to operate in bridge mode.
As for how to configure a B-FOCuS /I to establish a PPPoE session, etc, that is something I am unable to assist you with. :no: You may be able to glean the required information by carefully scrutinising all the ECI related posts in these fora. The main problem is that the B-FOCuS /I has been superseded by the B-FOCuS /r and all work has been performed on the latter -- based around replacing the Beattie provided firmware.
Sorry that I am unable to provide any explicit details. :(
-
You have been more than helpful :)
I did that factory reset via the web GUI which put it back to pre-unlock status. Then I tested it out by using my router's WAN port to make the connection and it worked!
Seeing as it still works when unlocked, now I noticed what the problem was... Firstly the VLAN ID / priority settings are totally different to the HG612 and should have been left alone, and secondly, since the modem isn't fully unlocked, some of the settings like bridge mode/PPPoE clearly don't work, because the only WAN setting that works is Dynamic IP for some reason and it acts as a bridge. Whenever I select any of the other options the tab "Wan setup" goes blank.
Anyhow, since installing it I have reduced my pings by 8ms so far, which is good, although I have lost about 1.5MB throughput because for some reason using a WAN port always does that to me. So as it seems the ECI /I version will never get that router function, I may as well get rid of it and keep hold of my Huawei for now until the clever chaps see to the /R version.
Thanks again burakkucat for lending a hand :)
-
You have been more than helpful :)
<snip>
Thanks again burakkucat for lending a hand :)
You're welcome. ;) Sorry the help was not that fulfilling. :(
I always try to avoid causing damage with my paws . . . ;D
-
Where is asbokid at the moment? I need his help with something but I've lost his email :(
-
Precise location? I know not . . . :no:
E-mail address? It's available almost everywhere! ::)
For example, go to this page (http://huaweihg612hacking.wordpress.com/about/), scroll to the bottom of the right-hand panel and hover the cursor over / click on the 'asbokid' in the line that reads --
HuaweiHG612Hacking by asbokid is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
-
Is this model hackable now? I got fiber installed on Thursday and really want to start hacking and flashing :D
-
You will be better off getting a Huawei HG612 off eBay; it is much easier to unlock and there are programs available to monitor your connection.
-
I've been using this modem unlocked for the last week. I'd like to confirm that telnet and the GUI remain accessible if another router acting as a switch in between the modem and the normal router is used.
I've tested various codes from the list posted earlier in the thread. My findings are that errors such as CRC, FEC and ES are reported although probably not always accurately.
I was going to show the outputs of each code I tested but was unable to do so as the modem could not handle being asked for multiple outputs simultaneously. Doing this caused me to lose telnet access and I don't want to reboot just yet.
So if anyone tries the codes below I would advise that they are done in batches of 6-8.
echo " bpstg" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " bbsg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " bbsg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " fpsg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " fpsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997amlfcg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997amlfcg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997fpsg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997fpsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lig 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lig 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997listrg 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997listrg 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lspbg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lspbg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " lfcg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " lfcg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " llcg" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcctg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcctg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpctg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpctg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 1 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 1 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 1 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesctg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesctg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfctg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfctg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 1 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 1 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 1 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 1 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 1 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 1 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 1 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsctg 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsctg 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc15mg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc15mg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc15mg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc1dg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc1dg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc1dg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtcsg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtcsg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtcsg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtctg 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " rusg" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " vig" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
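The listing above drives the dsl_cpe control daemon by writing one command line to /tmp/pipe/dsl_cpe0_cmd and reading the reply from /tmp/pipe/dsl_cpe0_ack. As an added example (not from the thread or the modem's own scripts), this POSIX shell helper wraps that send/ack pair with a missing-pipe check and a read timeout so an unattended stats script cannot hang when the daemon is not serving the pipes; DSL_PIPE_DIR, DSL_ACK_TIMEOUT and dsl_dump_counters are names assumed here.

```shell
#!/bin/sh
# Added example, not code from the thread: wraps the echo/cat pattern the
# listing repeats for every query. DSL_PIPE_DIR defaults to the path the
# listing uses; DSL_ACK_TIMEOUT (seconds) is an assumed knob for this helper.
: "${DSL_PIPE_DIR:=/tmp/pipe}"
: "${DSL_ACK_TIMEOUT:=5}"

# dsl_cmd CMD [ARGS...]: send one command line (leading space as in the
# listing) and print the ack text. Returns 2 if the command pipe is missing
# (daemon not running / wrong path), 1 if no ack arrived before the timeout.
dsl_cmd() {
    cmd_pipe="$DSL_PIPE_DIR/dsl_cpe0_cmd"
    ack_pipe="$DSL_PIPE_DIR/dsl_cpe0_ack"
    [ -e "$cmd_pipe" ] || { echo "dsl_cmd: $cmd_pipe missing" >&2; return 2; }
    echo " $*" > "$cmd_pipe"
    if command -v timeout >/dev/null 2>&1; then
        # cat on a FIFO blocks until the daemon writes; bound that wait
        timeout "$DSL_ACK_TIMEOUT" cat "$ack_pipe" || return 1
    else
        cat "$ack_pipe"
    fi
}

# dsl_dump_counters FILE: issue the pmlescsg/pmlfcsg/pmlscsg queries over the
# argument ranges the listing cycles through (first 0..1, second 0..2) and
# append "command<TAB>ack" lines to FILE so successive runs can be diffed.
# Stops at the first failed query and propagates its return code.
dsl_dump_counters() {
    out="$1"
    for q in pmlescsg pmlfcsg pmlscsg; do
        for a in 0 1; do
            for b in 0 1 2; do
                ack=$(dsl_cmd "$q $a $b") || return $?
                printf '%s\t%s\n' "$q $a $b" "$ack" >> "$out"
            done
        done
    done
}
```

Run it on the modem as `DSL_ACK_TIMEOUT=3 dsl_dump_counters /tmp/counters.txt`; the ack text is printed as the daemon returns it, with no parsing assumed.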
-
I'd like to confirm that telnet and the GUI remain accessible if another router acting as a switch in between the modem and normal router is used.
A few questions!!
a) Is that absolutely necessary? I have a spare switch I could use, but I will probably be breaking T&Cs by doing so!
b) Am I likely to get locked out again by a firmware upgrade, as with the HG612?
My findings are that errors such as CRC, FEC and ES are reported although probably not always accurately.
c) Is this via the GUI or telnet? Also, what leads you to believe they are not always accurate?
-
a) Is that absolutely necessary? I have a spare switch I could use, but I will probably be breaking T&Cs by doing so!
I can't access the modem with WAN connected unless I use the above method.
b) Am I likely to get locked out again by a firmware upgrade, as with the HG612?
Possibly, but I'd wait for someone more qualified to answer.
c) Is this via the GUI or telnet? Also, what leads you to believe they are not always accurate?
The FEC errors on both sometimes show a figure of about 49,000,0000 or something, which is probably the threshold. I also have only seen HEC at 0.
-
Thanks custard for the updates - useful info :)
-
Can you please provide ARX CPU pinout for JTAG port (i.e. what pins on CPU are the JTAG signals)?
-
Hi everyone.
I obtained an ECI modem not long ago after switching over to fibre. Not being happy with my other Huawei modem, I thought maybe I could somehow get this to work, and after searching the net I've come across this post.
Currently I am half way through hacking this thing, but I am getting strange serial output in the terminal. Instead of readable characters I am getting ASCII characters. I can't get to the bottom of this. I have tested the serial adaptor and it seems to work fine. It echoes characters to the terminal and works well with a microcontroller.
Is it maybe a setting in HyperTerminal that's buggered?
I appreciate any help and will answer any question to the best of my ability.
Thanks.
-
Hi and welcome to the forums ^-^
I'm afraid it's way over my head when it comes to hacking the ECI, so I'll leave that to the other guys who may hopefully be able to help you.
I would however be interested in any results such as line stats in comparison to the Huawei if you do manage to get it working :)
-
Check serial terminal emulator is set to 115,200 baud, no flow control, no parity.
Steve
-
Check serial terminal emulator is set to 115,200 baud, no flow control, no parity.
I have changed settings and got no difference in output until I connected the RX wire. lol
Thanks!
-
Hi,
I have been trying to use the information you have kindly provided on the web/forums, but I seem to have run into a hiccup.
I have set my serial port to 115200, 8 bit, 1 stop, with no flow control or parity.
Although I have tried several speed settings, all I get is gobbledygook:
»¿åëW«V©öVjìÛUÚ
ºô
ú»´Ôjjú»Ô*ª
ªtô{ë¶öÖëë+뤫MQÑ£¤aöõºê*¶«övöìûööööûööÖöÛ+ëå#[5
¿#w==
»¿åëW«V©öVjìÛUÚ
ºô
ú»´Ôjjú»Ô*ª
ªtô{ë¶öÖëë+뤫MQÑ£¤aöõºê*¶«övöìûööööûööÖöÛ+ëå#[5
¿#w==
»¿
ºô
ú»´Ôjjú»Ô*ª
ªtô{ë¶öÖëë+뤫MQÑ£¤aöõºê*¶«övöìûööööûööÖöÛ+ëå#[5
¿#w==
»¿åëW«V©öVjìÛUÚ
ºô
ú»´Ôjjú»Ô*ª
ªtô{ë¶öÖëë+뤫MQÑ£¤aöõºê*¶«övöìûööö
Where am I going wrong?
I am using PuTTY as the terminal program as Win 8.1 does not seem to have HyperTerminal.
Thanks
-
Welcome to the Kitz forum. :)
That output clearly shows your terminal emulator is incorrectly configured.
115200 bps is correct
no parity checking is correct
no flow control is correct
Perhaps try 7 data bits rather than 8? :-\
-
You should check all the pin connections and cables involved. It is not unusual to see such output on the first try!!
-
Sometimes a reboot can fix that. Other times it is a slightly dodgy connection!
-
Had to register to say this forum has been a great help in unlocking my ECI B Focus /I modem.
I too got the strange characters - my soldering just needed a little extra fettling.
Thanks again. Andy
-
Hi Andy and welcome :)
Glad that you found the information useful.