Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: uklad on January 19, 2012, 06:44:03 PM

Title: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 19, 2012, 06:44:03 PM
I think these may be of interest to you :)

Chipset is a Lantiq VRX268

(http://img703.imageshack.us/img703/7703/img9956v.th.jpg) (http://img703.imageshack.us/i/img9956v.jpg/)
(http://img684.imageshack.us/img684/7614/img9959dw.th.jpg) (http://img684.imageshack.us/i/img9959dw.jpg/)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 19, 2012, 09:34:23 PM
Interesting and useful. Thank you for the images.  :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 19, 2012, 10:14:14 PM
Quote
I think these may be of interest to you :)

Chipset is a Lantiq VRX268

Excellent stuff!

The Lantiq (was Infineon) VRX268 has a MIPS32 core. The modem is almost certainly running a MIPS-Linux kernel (i.e. GPL'ed source code). The VDSL2 AFE is the VRX208.

Located due north of the Lantiq CPU is the 64Mbit (8Mbyte) Macronix NOR flash IC. Unusually it could be on a 16-bit bus. [2]

(http://www5.picturepush.com/photo/a/8843938/oimg/hg612-and-eci-bfocus/eci-croppedsolderpads.jpg)
JTAG/UART pins on the ECI B-Focus
(Click for full size) (http://picturepush.com/public/8843938)

Just west of that NOR flash IC are solder pads for a 7x2 set of header pins.

Those pads are labelled JP2. They almost certainly form the EJTAG test access port (TAP) interface.

The JTAG signals {TMS, TCK, TDI, TDO, TRST} will be found amongst pins {1, 2, 3, 4, 5, 6}
Pins {7, 8, 9} will probably include VCC.  A voltmeter will confirm.
Pins {10, 11, 12, 13, 14} are all GND.

Further north of JP2 is JP1. It comprises 4 solder pads.  That is likely a UART port running at TTL voltage levels.  A serial console can often be obtained through the UART port. It provides a way to interrupt the bootstrap process.

An el cheapo way to interface a modern PC (with no RS232 port) to the UART interface is with a clone Nokia DKU5 phone data cable. The clone DKU5 cable costs as little as £1.  The cable contains an integral Prolific Logic PL2303 USB-UART bridge controller. [3]   The PL2303 IC performs the voltage shift and packetises the serial bitstream into USB blocks (URBs).

Linux, and maybe Windows, has a kernel device driver for the PL2303. The driver presents the USB device as a dumb serial port.  A terminal program like minicom is then used to connect to the router over the serial port.

And away you go :-)

The board also has 512Mbit (64MBytes) of Samsung DDR2-800 SDRAM [4]

Thanks for posting the photos, uklad.  Very interesting!

cheers, a

[1] http://www.lantiq.com/uploads/tx_abzlantiqproducts/PB-e-0027-v1_lres.pdf
[2] http://www.macronix.com/QuickPlace/hq/PageLibrary../../MX29LV640ETBver13-1.3.pdf (http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/DBACA1C90564EBB248257639003A563A/$File/MX29LV640ETBver13-1.3.pdf)
[3] http://www.prolific.com.tw/eng/products.asp?id=59
[4] http://www.szyuda88.com/uploadfile/cfile/2011311171825213.pdf

EDIT: Shrunk huge photo
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 20, 2012, 02:38:38 AM
Re-instating header pins on a PCB

One trick here is to clamp the board vertically while working on it.

The solder pads need to be cleaned out to expose the thru-holes.

From one side of the board, apply heat to one of the solder pads using a fine soldering iron bit.

Simultaneously, and working from the other side of the PCB, use a desoldering pump (solder sucker) to remove the molten solder from the hole.

Repeat for each thru-hole.

Sometimes one or more of the holes isn't properly drilled out.

If so, use a 1mm HSS drill bit and twist it manually between fingers.

Ensure all the holes are clean and free from grease and PCB coating materials.

Install the header pins and solder in place.

Job done!

Attached are some photos showing the reinstatement of header pins for JTAG/UART on the PCB of a Huawei HG612.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 20, 2012, 02:13:24 PM
Quote
Re-instating header pins on a PCB

One trick here is to clamp the board vertically while working on it.

The solder pads need to be cleaned out to expose the thru-holes.

From one side of the board, apply heat to one of the solder pads using a fine soldering iron bit.

Simultaneously, and working from the other side of the PCB, use a desoldering pump (solder sucker) to remove the molten solder from the hole.

Repeat for each thru-hole.

Sometimes one or more of the holes isn't properly drilled out.

If so, use a 1mm HSS drill bit and twist it manually between fingers.

Ensure all the holes are clean and free from grease and PCB coating materials.

Install the header pins and solder in place.

Job done!

Attached are some photos showing the reinstatement of header pins for JTAG/UART on the PCB of a Huawei HG612.

Lol thanks :) I learnt all that 16 years ago ;) I did have a JTAG somewhere but I think it was a Xilinx one; the other I know is for flashing ATmegas.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 20, 2012, 05:05:53 PM
Ok, update for you...

Top header is indeed the console header, but it's running at TTL 3.3V and I don't have a suitable cable.

Pins seem to be, from left to right: TX GND VCC   RX

I will get a suitable cable and get back to you with the output !!

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 20, 2012, 08:27:11 PM
Sounds good!

Most JTAG cables will work fine, so long as there are generic drivers available for the cables.

It might be helpful to collect some JTAG resources together in this thread for others' benefit.

Discovering JTAG pinouts

Most JTAG cables will work fine in the pinout discovery process, so long as there is a generic driver available for the cable.

Discovering JTAG pinouts on a PCB is a very common problem.  For a given board, the size of the problem can be quantified using Probability Theory.

In the worst case scenario, using ‘brute force’ to discover the JTAG pinout means testing every possible permutation of JTAG signal and header pin.

Formally, the JTAG pinout problem is an r-Permutations challenge. It is described by the notation nPr.

nPr is the number of permutations, or ways to choose, an ordered subset of r items from a set of n objects.

In the case of this board, the set of n objects are a set of 14 header pins. From that set of n pins we need to discover the ordered subset of r pins carrying the JTAG signals.

The formula for nPr is   n! / (n-r)!    where ! is the factorial symbol, e.g. 7! means (7 x 6 x 5 x 4 x 3 x 2 x 1)

Out of the fourteen header pins on the board, there are six candidate pins. Any of these six pins could potentially carry any of the five JTAG signals {TDO,TDI,TMS,TCK and TRST}.

Here, n is 6 (the number of candidate pins), and r is 5 (the number of JTAG signals).

So nPr = 6! / (6-5)! = 720 permutations.

However, some assumptions can be made which will radically reduce the search space.

One of the JTAG signals (TRST) is optional. TRST resets the JTAG controller when driven low. If we assume that, by default, TRST is pulled up to keep the board out of reset, it can be ignored.

Another JTAG signal (TDO) can be discovered from its floating logic state using an ohmmeter. This is very well explained by Ray “revs-per-min” Haverfield. [1]

That leaves us with just three JTAG signals to find from a choice of five header pins.

Now the scale of the problem is given by 5!/2 = 60 permutations.

That has already shrunk the search space by more than 90%.

We can now take advantage of another property of the JTAG standard. [2]

A JTAG controller will always return to its reset state when the TMS signal is asserted for five or more ticks of the TCK signal.  This is illustrated in the attached diagram of the JTAG state machine.

The bit values {0,1} shown in the diagram represent the transitional states of the TMS (Test Mode Select) signal.    For example,  to transition the JTAG state machine from the Shift_IR state to the Exit1_IR state requires TMS to be asserted for one tick of the TCK signal.

It doesn't matter where you start in the JTAG state machine. Asserting TMS while five ticks are clocked into TCK will always see the JTAG controller returned to its Test_Logic_Reset state:

Once a JTAG device is in that reset state, the 32-bit IDCODE is loaded into the JTAG data register.  This loading is done automatically.  It doesn’t require any instruction to be shifted in on the TDI line.

Returning to our board. TDO was discovered earlier from its floating logic state. So what this means is that only the TMS and TCK signals need to be found at this stage.  TDI can be found later.

By controlling just the TMS and TCK signals from software, the IDCODE value loaded on reset into the data register can be scanned out of the TDO pin. The TDO pin is closely monitored for output that is consistent with a device IDCODE.

Looking at this again as a combinatorial problem:

The value n remains at 5 since we still have five unknown pins. However, r, the number of signals to discover, is now just 2. These are the TMS and the TCK signals.

So nPr is 5!/3! = 20 permutations.

Using these techniques, the discovery of JTAG pinouts is trivialised.

There are software tools, such as JTAG_Finder [3], that can automate the fiddly task of swapping pins during pinout discovery. However, this is rarely necessary. Using the techniques above, the average count of pin-swaps before discovery success is reduced to a manageable number.

In summary, and using this board as an example, a total of 14 pins are reduced to 6 candidate pins. TDO is discovered with an ohmmeter. TRST is ignored. The discovery of TDI is postponed. Software (UrJTAG) is used to navigate the JTAG state machine for each permutation of TCK and TMS, chosen from the five remaining pins. Using these shortcuts, the average count of pin-swaps before discovery is reduced to just 10.

[1] http://forums.whirlpool.net.au/forum-replies.cfm?t=808533&p=9&#r176
[2] http://www.xilinx.com/support/answers/11857.htm
[3] http://elinux.org/JTAG_Finder
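A runnable model of the two shortcuts described in this post, added here as an illustration rather than anything taken from the post, from UrJTAG or from JTAG_Finder. It encodes the sixteen-state IEEE 1149.1 TAP controller, shows that five TMS=1 ticks reach Test_Logic_Reset from every state, computes the nPr counts used above (720, 60, 20), and then runs the TCK/TMS search against a toy device whose pin wiring is hidden. Everything about that device is a constructed assumption: the ConstructedTap class, the candidate pin numbers 1 to 5, the pull-up on an undriven TMS, the IDCODE value 0x5A3C2A4B, and the check that a plausible IDCODE has bit 0 set (which the standard does fix at 1). Averaged over every possible hidden wiring, the search needs 10.5 pin swaps across the 20 permutations, the figure the post rounds to 10.

```python
from itertools import permutations
from math import factorial

# IEEE 1149.1 TAP controller: state -> (next state if TMS=0, next state if TMS=1)
TAP_NEXT = {
    "Test-Logic-Reset": ("Run-Test/Idle", "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR", "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR", "Exit1-DR"),
    "Shift-DR":         ("Shift-DR", "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR", "Update-DR"),
    "Pause-DR":         ("Pause-DR", "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR", "Update-DR"),
    "Update-DR":        ("Run-Test/Idle", "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR", "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR", "Exit1-IR"),
    "Shift-IR":         ("Shift-IR", "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR", "Update-IR"),
    "Pause-IR":         ("Pause-IR", "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR", "Update-IR"),
    "Update-IR":        ("Run-Test/Idle", "Select-DR-Scan"),
}

def ticks_to_reset(state):
    """TCK ticks with TMS held high needed to reach Test-Logic-Reset from `state`."""
    n = 0
    while state != "Test-Logic-Reset":
        state, n = TAP_NEXT[state][1], n + 1
    return n

def worst_case_reset_ticks():
    """The figure the post quotes: five ticks are enough from any of the 16 states."""
    return max(ticks_to_reset(s) for s in TAP_NEXT)

def npr(n, r):
    """Ordered selections of r signals from n pins: n! / (n-r)!"""
    return factorial(n) // factorial(n - r)

class ConstructedTap:
    """Toy model of one TAP whose TCK and TMS are wired to header pins we do not know.
    (tck_pin, tms_pin) is the secret the search below has to recover."""

    def __init__(self, tck_pin, tms_pin, idcode, start_state="Shift-IR"):
        self.tck_pin, self.tms_pin, self.idcode = tck_pin, tms_pin, idcode
        self.state, self.dr = start_state, 0

    def clock(self, driven_tck, levels):
        """One rising edge on header pin `driven_tck`; `levels` maps other driven pins to 0/1."""
        if driven_tck != self.tck_pin:
            return                                  # wrong pin: the TAP sees no clock at all
        tms = levels.get(self.tms_pin, 1)           # undriven TMS floats high (assumed pull-up)
        if self.state == "Shift-DR":
            self.dr >>= 1                           # shift towards TDO; undriven TDI reads as 0
        self.state = TAP_NEXT[self.state][tms]
        if self.state in ("Test-Logic-Reset", "Capture-DR"):
            self.dr = self.idcode                   # IDCODE lands in the DR with nothing shifted in

    def tdo(self):
        # TDO only drives data in Shift-DR; elsewhere model the floating pin as reading 1
        return self.dr & 1 if self.state == "Shift-DR" else 1

def read_idcode(dev, tck, tms, nbits=32):
    """Five TMS=1 ticks (reset from anywhere), TMS 0,1,0,0 to reach Shift-DR, then clock out TDO."""
    for bit in [1] * 5 + [0, 1, 0, 0]:
        dev.clock(tck, {tms: bit})
    value = 0
    for i in range(nbits):
        value |= dev.tdo() << i                     # least significant bit comes out first
        dev.clock(tck, {tms: 0})
    return value

def looks_like_idcode(value):
    """IEEE 1149.1 fixes bit 0 of IDCODE to 1; a stuck or floating TDO gives all ones or zeros."""
    return (value & 1) == 1 and value != 0xFFFFFFFF

def find_tck_tms(candidates, dev):
    """Walk every ordered (TCK, TMS) pair of candidate pins; return the pair and the attempt count."""
    for attempt, (tck, tms) in enumerate(permutations(candidates, 2), start=1):
        if looks_like_idcode(read_idcode(dev, tck, tms)):
            return tck, tms, attempt
    return None

def mean_attempts(candidates, idcode=0x5A3C2A4B):
    """Average number of pin swaps over every possible hidden wiring of TCK and TMS."""
    counts = [find_tck_tms(candidates, ConstructedTap(t, m, idcode))[2]
              for t, m in permutations(candidates, 2)]
    return sum(counts) / len(counts)

if __name__ == "__main__":
    print(npr(6, 5), npr(5, 3), npr(5, 2))         # 720 60 20, the three counts in the post
    print(worst_case_reset_ticks())                 # 5
    print(find_tck_tms([1, 2, 3, 4, 5], ConstructedTap(4, 2, 0x5A3C2A4B)))
    print(mean_attempts([1, 2, 3, 4, 5]))          # 10.5 over the 20 permutations
```

Run it directly to print the three counts, the worst-case reset tick count and one search; the usage at the bottom assumes TCK on pin 4 and TMS on pin 2, and the device deliberately starts in Shift-IR to show that the reset sequence does not care where the state machine was.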
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on January 20, 2012, 08:54:13 PM
Quote
Sounds good!

& some people accuse me of being too precise  :lol: :lol: :lol:
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 24, 2012, 12:50:13 PM
Serial output on boot :)

Code:
ROM VER: 1.0.5
CFG 01
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa1ffffff
DDR check ok... start booting...



U-Boot 1.0.4 (Oct 18 2010 - 16:20:02)

CLOCK CPU 333M RAM 166M
DRAM:  32 MB

 relocate_code start
 relocate_code finish.

FLASH MANUFACT: c2

FLASH DEVICEID: cb
Flash:  8 MB
In:    serial
Out:   serial
Err:   serial
Net:   fw_addr=0xa0200000
Internal phy(FE) firmware version: 0x0108
vr9 Switch

Type "run flash_flash" to mount root filesystem over flash

Hit 'Esc' key to stop autoboot:  0
## Booting image from active region 2 at b03f0000 ...
Check RSA image magic--OK!
Please type [setenv rsa_check 1] !!!
   Image Name:   MIPS Linux-2.6.20
   Created:      2011-08-09   3:31:37 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3629088 Bytes =  3.5 MB
   Load Address: 80002000
   Entry Point:  802cd000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 802cd000) ...
## Giving linux memsize in MB, 32

Starting kernel ...

Infineon xDSL CPE VR9
mips_hpt_frequency = 166666666, counter_resolution = 2
Linux version 2.6.20.19
 (hyhuang@BSD7.localdomain) (gcc version 3.4.6 (OpenWrt-2.0)) #1 Tue Aug 9 11:27
:46 CST 2011
Active Region: 2
phym = 02000000, mem = 01f00000, max_pfn = 00001f00
Reserving memory for CP1 @0xa1f00000, size 0x00100000
CPU revision is: 00019555
Determined physical RAM map:
User-defined physical RAM map:
 memory: 01f00000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Built 1 zonelists.  Total pages: 7874
Kernel command line: root=/dev/mtdblock2 ro rootfstype=squashfs ip=5.57.33.103:5
.57.33.111::::eth0:on console=ttyS0,115200 ethaddr=5C:33:8E:xx:xxx:xx phym=32M me
m=31M panic=1
1 MIPSR2 register sets available
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
Lantiq ICU driver, version 3.0.1, (c) 2001-2010 Lantiq Deutschland GmbH
PID hash table entries: 128 (order: 7, 512 bytes)
Using 166.667 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28152k/31744k available (2239k kernel code, 3592k reserved, 616k data, 1
56k init, 0k highmem)
Security Framework v1.0.0 initialized
Mount-cache hash table entries: 512
NET: Registered protocol family 16
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
gptu: totally 6 16-bit timers/counters
gptu: misc_register on minor 63
gptu: succeeded to request irq 118
gptu: succeeded to request irq 119
gptu: succeeded to request irq 120
gptu: succeeded to request irq 121
gptu: succeeded to request irq 122
gptu: succeeded to request irq 123
IFX DMA driver, version ifxmips_dma_core.c:v1.0.9
,(c)2009 Infineon Technologies AG
Lantiq CGU driver, version 1.0.9, (c) 2001-2010 Lantiq Deutschland GmbH
Wired TLB entries for Linux read_c0_wired() = 0
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) (SUMMARY)  (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered (default)
ifx_pmu_init: Major 252
Lantiq PMU driver, version 1.1.4, (c) 2001-2010 Lantiq Deutschland GmbH
Lantiq GPIO driver, version 1.2.12, (c) 2001-2010 Lantiq Deutschland GmbH
Infineon Technologies RCU driver version 1.0.6
Lantiq LED Controller driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland Gm
bH
MEI CPE Driver, Version 1.0.2
<6>(c) Copyright 2009, Infineon Technologies AG
<6>### MEI CPE - MEI CPE - MEI CPE - MEI CPE ###
<6>ttyS0 at MMIO 0xbe100c00 (irq = 105) is a IFX_ASC
Lantiq ASC (UART) driver, version 1.0.5, (c) 2001-2010 Lantiq Deutschland GmbH
RAMDISK driver initialized: 1 RAM disks of 6144K size 1024 blocksize
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
IFX SWITCH API, Version 0.9.9.5
SWAPI: Registered character device [switch_api] with major no [81]
Switch API: PCE MicroCode loaded !!
Switch Auto Polling value = 0
GPHY FIRMWARE LOAD SUCCESSFULLY AT ADDR : 310000
IFX GPHY driver FE Mode, version ifxmips_vr9_gphy: V0.6 - Firmware: 109
ifx_nor0: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
[ACTIVE REGION]:  2
RSA_CHECK:  0
squashfsb->s_magic=71736873 SQUASHFS_MAGIC=71736873
ifx_nor0: squashfs filesystem found at 0x4e10a0.
ifx_mtd_init flash0: Using static image partition
Creating 9 MTD partitions on "ifx_nor0":
0x00000000-0x00030000 : "uboot"
0x00030000-0x00040000 : "h/w setting"
0x004e10c0-0x007670c0 : "rootfs"
0x00040000-0x00050000 : "rgdb"
0x00050000-0x003f0000 : "upgrade"
0x003f0000-0x00790000 : "upgrade2"
0x00790000-0x007f0000 : "btagent"
0x00000000-0x00800000 : "flash"
0x00000000-0x00800000 : "<NULL>"
Lantiq MTD NOR driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland GmbH
Registered led device: broadband_led
Registered led device: internet_led
Registered led device: ledc_8
Registered led device: ledc_9
Registered led device: ledc_10
Registered led device: ledc_11
Registered led device: wps_led
Registered led device: ledc_13
Registered led device: ledc_14
Registered led device: usb2_link_led
Registered led device: ledc_16
Registered led device: ledc_17
Registered led device: usb1_link_led
Registered led device: fxo_act_led
Registered led device: internet_red_led
Registered led device: voip_led
Registered led device: warning_led
Registered led device: ledc_23
Lantiq LED driver, version 1.0.15, (c) 2001-2010 Lantiq Deutschland GmbH
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (248 buckets, 1984 max)
GRE over IPv4 tunneling driver
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Bridge firewalling registered
NET: Registered protocol family 8
atmpvc_init() failed with -17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
Time: MIPS clocksource has been installed.
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 156k freed
init started:  BusyBox v1.00 (2011.08.09-03:28+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5
[/etc/init.d/S03config.sh]
Starting mdev ...
Mounting proc and var ...
JFFS2 notice: (226) jffs2_build_xattr_subsystem: complete building xattr subsyst
em, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
Start xmldb ...
[/etc/scripts/misc/profile.sh] init ...
[/etc/scripts/misc/profile_action.sh] get ...
[/etc/scripts/misc/defnodes.sh] ...
SH [/etc/defnodes/S10syncnodes.sh] ...
[/etc/defnodes/S10syncnodes.sh] ...
SH [/etc/defnodes/S11setext.sh] ...
[/etc/defnodes/S11setext.sh] ...
PHP [/etc/defnodes/S12setnodes.php] ...
SH [/etc/defnodes/S13setext.sh] ...
[/etc/defnodes/S13setext.sh] ...
PHP [/etc/defnodes/S14setnodes.php] ...
PHP [/etc/defnodes/S16features.php] ...
SH [/etc/defnodes/S19setext.sh] ...
PHP [/etc/defnodes/S20setnodes.php] ...
SH [/etc/defnodes/S20upnp_igd.sh] ...
SH [/etc/defnodes/S21upnp_wfa.sh] ...
SH [/etc/defnodes/S22setext.sh] ...
PHP [/etc/defnodes/S40brand.php] ...
[/etc/scripts/misc/defnodes.sh] Done !!
[/etc/templates/timezone.sh] ...
[/etc/templates/logs.sh] ...
[/var/run/logs_run.sh] ...
ifxmips_ppa_datapath_vr9_e5: module license 'unspecified' taints kernel.
Loading D5 (MII0/1) driver ......
xuliang: warning NONE
Succeeded!
PPE datapath driver info:
  Version ID: 128.3.3.1.0.0.1
  Family    : N/A
  DR Type   : Normal Data Path | Indirect-Fast Path
  Interface : MII0 | MII1
  Mode      : Routing
  Release   : 0.0.1
PPE 0 firmware info:
  Version ID: 7.1.5.1.0.33
  Family    : VR9
  FW Type   : Standard
  Interface : MII0/1 + PTM
  Mode      : reserved - 1
  Release   : 0.33
PPE 1 firmware info:
  Version ID: 7.2.1.6.1.12
  Family    : VR9
  FW Type   : Acceleration
  Interface : MII0 + MII1
  Mode      : Bridging + IPv4 Routing
  Release   : 1.12
PPA API --- init successfully
Init VDSL Driver ...
- VDSL -
- llcs loading!!! -
- loading drv_ifxos.ko -
strings: not found
IFXOS, Version 1.5.11
<6>(c) Copyright 2007, Infineon Technologies AG
<6>### IFXOS - IFXOS - IFXOS - IFXOS ###
- loading drv_dsl_cpe_api.ko
- loading dsl_cpe_api (drv_dsl_cpe_api.ko device) driver -


Lantiq CPE API Driver version: DSL CPE API V4.6.3.5-pd3

Predefined debug level: 3
- create device nodes for dsl_cpe_api device driver -
- execute vdsl_cpe_control
[: missing ]
IFXOS - User Thread Startup <tcpmsg>, TID 1026 (PID 609) - ENTER
IFXOS - User Thread Startup <tcpcli>, TID 2051 (PID 610) - ENTER
IFXOS - User Thread Startup <evnthnd>, TID 3076 (PID 612) - ENTER
IFXOS - User Thread Startup <tPipe_0>, TID 4101 (PID 613) - ENTER
IFXOS - User Thread Startup <tPipe_1>, TID 5126 (PID 614) - ENTER
nReturn=0

nReturn=0

nReturn=4

nReturn=0

eth0: change MAC from 00:20:DA:86:23:74 to 5C:33:8E:xx:xx:xx
setup layout ...
[/etc/scripts/layout.sh] [start] ...
[/var/run/layout_start.sh] ...
Start modem layout ...
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
[/etc/templates/cfm/cfm.sh] [restart] ...
[/var/run/cfm_start.sh] ...
Enable ALPHA CFM ...
ENTER - Kernel Thread Startup <autbtex>
<7>ENTER - Kernel Thread Startup <pmex_ne>
<7>ENTER - Kernel Thread Startup <pmex_fe>
[/etc/init.d/S03config.sh] done!
[/etc/init.d/S10system.sh]
start LAN ...
[/etc/templates/lan.sh] [start] ...
[/var/run/lan_start.sh] ...
Start LAN ( br0/192.168.168.168/255.255.255.0)...
start BT Switch configurations ...
start alphaLogd
[/etc/templates/logd.sh] ...
[/var/run/logd_start.sh] ...
Starting logd ...
start Flash Agent ...
>>> ALPHA Log:
/bin/alphaLogd: create logd_ipc(3) OK !
[/etc/templates/flash_agent.sh] [start] ...
[/var/run/flash_agent_start.sh] ...
>>> ALPHA Flash Agent:
16:00:17 FLASHAGENT: Create fa_r_fa_ipc(4) OK !
start BTAgent ...
Starting BTAgent
library_load: start plugin_source/libalpha2.so
library_load: success
library_load: start plugin_source/libbtagent.so
library_load: success
File Path is /BTAgent/rw/btagent.conf
rw config file exists
Versions match
library_load: start plugin_source/libfwm.so
library_load: success
library_load: start plugin_source/liblogger.so
library_load: success
library_load: start plugin_source/libprobe.so
library_load: success
library_load: start plugin_source/librsa.so
library_load: success
main: Loaded source plugins
library_load: start plugin_transport/libsec.so
library_load: success
main: Loaded transport plugins
library_load: start plugin_parse/libxml.so
library_load: success
main: Loaded parse plugins
GPIO 18 set to 0
GPIO 17 set to 1
GPIO 16 set to 1
GPIO 6 set to 1
start alphaHousekeeper
[/etc/templates/housekeeper.sh] [start] ...
[/var/run/housekeeper_start.sh] ...
Starting housekeeper ...
BBU Status: Status Change
BBU Status: Adapter Mode
- presented Inventory information
nReturn=0

nReturn=0 nDirection=0 G994VendorID=(B5,00,49,46,54,4E,53,26) SystemVendorID=(58
,20,45,43,49,4C,20,20) VersionNumber=(35,2E,33,2E,32,2E,36,2E,31,2E,36,20,20,20,
20,20) SerialNumber=(45,35,43,33,33,38,45,38,34,38,39,44,42,20,20,20,20,20,20,20
,20,20,20,20,20,20,20,20,20,20,20,20) SelfTestResult=0 XTSECapabilities=(00,00,0
0,00,00,00,00,07)

[/etc/templates/wan_vlan.sh] [start] ...
[/var/run/wan_vlan_start.sh] ...
Start CPE SPECIFIC WAN VLAN ...
VLAN Enable...
Added VLAN with VID == 301 to IF -:ptm0:-
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mappingptm0.301: Setting MAC address to  5c 33 8e xx xx xx.
VLAN (ptm0.301):  Underlying device (ptm0) has same MAC, not checking promisciou
s mode.
 on device -:ptm0.301:- Should be visible in /proc/net/vlan/ptm0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Set egress mapping on device -:ptm0.301:- Should be visible in /proc/net/vlan/pt
m0.301
Added VLAN with VID == 101 to IF -:ptm0:-
Added VLAN with VID == 102 to IF -:ptm0:-
Set egress mapping on device -:ptm0.101:- Should be visible in /proc/net/vlan/pt
m0.101
Set egress mapping on device -:ptm0.101:- Should be visible in /proc/netptm0.101
: add 01:00:5e:00:00:01 mcast address to master interface
/vlan/ptm0.101
Set egrptm0.102: add 01:00:5e:00:00:01 mcast address to master interface
ess mapping on device -:ptm0.102:- Should be visible in /proc/net/vlan/ptm0.102
Added VLAN with VID == 101 to IF -:eth0:-
device eth0 left promiscuous mode
br0: port 1(eth0) entering disabled state
Added VLAN with VID == 102 to IF -:eth0:-
eth0.102: dev_set_promiscuity(master, 1)
device eth0 entered promiscuous mode
device eth0.102 entered promiscuous mode
br0: port 1(eth0.101) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0.101) entering forwarding state
DSL[00]: WARNING - SRA not supported by the FW
br0: port 2(eth0.102) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0.102) entering forwarding state
ifx_ppa_init - init succeeded


VID 0 remove is enabled


[/etc/init.d/S10system.sh] done!
rcS done!
- presented Inventory information
- presented Inventory information
nReturn=0

nReturn=0 nDirection=0 G994VendorID=(B5,00,49,46,54,4E,53,26) SystemVendorID=(58
,20,45,43,49,4C,20,20) VersionNumber=(35,2E,33,2E,32,2E,36,2E,31,2E,36,20,20,20,
20,20) SerialNumber=(45,35,43,33,33,38,45,38,34,38,39,44,42,20,20,20,20,20,20,20
,20,20,20,20,20,20,20,20,20,20,20,20) SelfTestResult=0 XTSECapabilities=(00,00,0
0,00,00,00,00,07)

xDSL SILENT

login:
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 24, 2012, 12:52:59 PM
I interrupted the boot process and listed all images found in flash

Code:
ROM VER: 1.0.5
CFG 01
DDR Access auto data-eye tuning Rev 0.3a
DDR size from 0xa0000000 - 0xa1ffffff
DDR check ok... start booting...



U-Boot 1.0.4 (Oct 18 2010 - 16:20:02)

CLOCK CPU 333M RAM 166M
DRAM:  32 MB

 relocate_code start
 relocate_code finish.

FLASH MANUFACT: c2

FLASH DEVICEID: cb
Flash:  8 MB
In:    serial
Out:   serial
Err:   serial
Net:   fw_addr=0xa0200000
Internal phy(FE) firmware version: 0x0108
vr9 Switch

Type "run flash_flash" to mount root filesystem over flash

Hit 'Esc' key to stop autoboot:  0
VR9 # help
?       - alias for 'help'
askenv  - get environment variables from stdin
base    - print or set address offset
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
cmp     - memory compare
cp      - memory copy
crc32   - checksum calculation
echo    - echo args to console
erase   - erase FLASH memory
flinfo  - print FLASH memory information
go      - start application at address 'addr'
help    - print online help
imls    - list all images found in flash
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
upgrade - forward/backward copy memory to pre-defined flash location
version - print monitor version
VR9 # imls
Have RSA magic !!!
Image at B0051060:
   Image Name:   MIPS Linux-2.6.20
   Created:      2011-02-14   6:44:17 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3624992 Bytes =  3.5 MB
   Load Address: 80002000
   Entry Point:  802cd000
   Verifying Checksum ... OK
Have RSA magic !!!
Image at B03F1060:
   Image Name:   MIPS Linux-2.6.20
   Created:      2011-08-09   3:31:37 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    3629088 Bytes =  3.5 MB
   Load Address: 80002000
   Entry Point:  802cd000
   Verifying Checksum ... OK
VR9 #
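What imls and the "Verifying Checksum ... OK" lines are doing, as an added example that is neither from this thread nor U-Boot's own code: a parser for the legacy 64-byte uImage header (magic, header CRC, timestamp, size, load and entry addresses, data CRC, OS/arch/type/compression bytes and a 32-byte name), a scan for headers at 16-byte alignment, and a tamper check. The flash image, the offsets 0x1060 and 0x21060 inside a 256 KiB buffer, and the payload bytes are constructed; the image name, load and entry addresses and creation times are copied from the listing above. Worth noting for anyone reading "Verifying Checksum ... OK": both checks are CRC32, which catches a corrupted copy, not a deliberately modified one.

```python
import calendar
import struct
import zlib

IH_MAGIC = 0x27051956                 # legacy U-Boot image header magic
IH_HEADER = ">IIIIIIIBBBB32s"         # 64-byte big-endian header
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}

def build_uimage(payload, name, load, ep, created, os_=5, arch=5, type_=2, comp=3):
    """Assemble a legacy uImage (os 5 = Linux, arch 5 = MIPS, type 2 = kernel, comp 3 = lzma)."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    head = struct.pack(IH_HEADER, IH_MAGIC, 0, created, len(payload), load, ep, dcrc,
                       os_, arch, type_, comp, name.encode().ljust(32, b"\0"))
    hcrc = zlib.crc32(head) & 0xFFFFFFFF       # header CRC is taken with ih_hcrc zeroed
    return head[:4] + struct.pack(">I", hcrc) + head[8:] + payload

def parse_uimage(blob, offset=0):
    """Decode the header at `offset` and recheck both CRCs, as 'Verifying Checksum' does."""
    magic, hcrc, created, size, load, ep, dcrc, os_, arch, type_, comp, name = \
        struct.unpack_from(IH_HEADER, blob, offset)
    if magic != IH_MAGIC:
        return None
    head = bytearray(blob[offset:offset + 64])
    head[4:8] = b"\0\0\0\0"                    # recompute the header CRC over a zeroed field
    data = blob[offset + 64:offset + 64 + size]
    return {
        "name": name.rstrip(b"\0").decode(),
        "created": created, "size": size, "load": load, "ep": ep,
        "comp": IH_COMP.get(comp, str(comp)),
        "hcrc_ok": zlib.crc32(bytes(head)) & 0xFFFFFFFF == hcrc,
        "dcrc_ok": len(data) == size and zlib.crc32(data) & 0xFFFFFFFF == dcrc,
    }

def find_uimages(flash, align=16):
    """Offsets of every header with a good magic and header CRC: what imls walks the flash for."""
    magic = struct.pack(">I", IH_MAGIC)
    return [off for off in range(0, len(flash) - 64, align)
            if flash[off:off + 4] == magic and parse_uimage(flash, off)["hcrc_ok"]]

def constructed_flash():
    """A 256 KiB all-0xFF 'flash' holding two constructed kernels, standing in for the two regions."""
    img_a = build_uimage(b"\x5d\x00" * 600, "MIPS Linux-2.6.20", 0x80002000, 0x802CD000,
                         calendar.timegm((2011, 2, 14, 6, 44, 17, 0, 0, 0)))
    img_b = build_uimage(b"\x5d\x01" * 700, "MIPS Linux-2.6.20", 0x80002000, 0x802CD000,
                         calendar.timegm((2011, 8, 9, 3, 31, 37, 0, 0, 0)))
    flash = bytearray(b"\xFF" * (256 * 1024))
    flash[0x1060:0x1060 + len(img_a)] = img_a
    flash[0x21060:0x21060 + len(img_b)] = img_b
    return bytes(flash)

def tampered(flash, offset):
    """Flip one payload byte behind the header at `offset`; only the data CRC should then fail."""
    f = bytearray(flash)
    f[offset + 64 + 10] ^= 0xFF
    return bytes(f)

if __name__ == "__main__":
    flash = constructed_flash()
    for off in find_uimages(flash):
        print(hex(off), parse_uimage(flash, off))
    print(parse_uimage(tampered(flash, 0x21060), 0x21060)["dcrc_ok"])   # False
```

The header CRC is what lets a scanner like this (or imls) walk a raw dump without false hits on the magic bytes alone; the data CRC is the second line of "Verifying Checksum". Neither involves a key, so the "Have RSA magic" lines above come from a vendor addition on top of the stock header, not from these two checks.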
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 24, 2012, 04:47:27 PM
Excellent stuff, uklad!  You're well on the way to cracking it.

Hopefully, the contents of that 8MByte NAND NOR flash can be (hex) dumped over the serial line using the md (memory display) command in the CLI of the uboot bootloader?

What does the flinfo (flash info) command say about the flash device, and its composition?

The definitive book on MIPS Linux is Dominic Sweetman's See MIPS Run (2nd ed). [2]

Sweetman gives a particularly good treatment to the address space, memory mapping and the memory management unit (the TLB) in the MIPS.

Let us know how you get on!  Lots of people will be keenly following your trail-blazing work!

cheers, a

[1] http://www.denx.de/wiki/DULG/UBootCmdGroupMemory
[2] http://books.google.co.uk/books?id=kk8G2gK4Tw8C
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 24, 2012, 05:52:31 PM
Ok, one quick question: what address range do I need to dump?

Also I did not mention I could login to the unit on the UART console, username and pass were admin admin :0)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 24, 2012, 06:47:31 PM
Quote
Ok, one quick question: what address range do I need to dump?

What does the uboot command flinfo (flash info) reveal?

Quote
Also I did not mention I could login to the unit on the UART console, username and pass were admin admin :0)

Nice one!  What are the pinouts for the UART header pins? Did you use a cable with a pl2303 bridge?

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 24, 2012, 07:13:58 PM
This thread is getting quite interesting and, er, tasty. Excellent work to date.  :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 24, 2012, 07:18:54 PM
Quote
This thread is getting quite interesting and, er, tasty. Excellent work to date.  :)

LOL more to come...
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 24, 2012, 07:23:06 PM
Output from flinfo:

Code:
Bank # 1: MXIC  29LV640BB (64 Mbit, boot sector SA0~SA126 size 64k bytes,other s
ectors SA127~SA135 size 8k bytes)
  Size: 8 MB in 135 Sectors
  Sector Start Addresses:
    B0000000      B0002000      B0004000      B0006000      B0008000
    B000A000      B000C000      B000E000      B0010000      B0020000
    B0030000      B0040000      B0050000      B0060000      B0070000
    B0080000      B0090000      B00A0000      B00B0000      B00C0000
    B00D0000      B00E0000      B00F0000      B0100000      B0110000
    B0120000      B0130000      B0140000      B0150000      B0160000
    B0170000      B0180000      B0190000      B01A0000      B01B0000
    B01C0000      B01D0000      B01E0000      B01F0000      B0200000
    B0210000      B0220000      B0230000      B0240000      B0250000
    B0260000      B0270000      B0280000      B0290000      B02A0000
    B02B0000      B02C0000      B02D0000      B02E0000      B02F0000
    B0300000      B0310000      B0320000      B0330000      B0340000
    B0350000      B0360000      B0370000      B0380000      B0390000
    B03A0000      B03B0000      B03C0000      B03D0000      B03E0000
    B03F0000      B0400000      B0410000      B0420000      B0430000
    B0440000      B0450000      B0460000      B0470000      B0480000
    B0490000      B04A0000      B04B0000      B04C0000      B04D0000
    B04E0000      B04F0000      B0500000      B0510000      B0520000
    B0530000      B0540000      B0550000      B0560000      B0570000
    B0580000      B0590000      B05A0000      B05B0000      B05C0000
    B05D0000      B05E0000      B05F0000      B0600000      B0610000
    B0620000      B0630000      B0640000      B0650000      B0660000
    B0670000      B0680000      B0690000      B06A0000      B06B0000
    B06C0000      B06D0000      B06E0000      B06F0000      B0700000
    B0710000      B0720000      B0730000      B0740000      B0750000
    B0760000      B0770000      B0780000      B0790000      B07A0000
    B07B0000      B07C0000      B07D0000      B07E0000      B07F0000
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 24, 2012, 07:24:08 PM
Those who enjoy such things will now be looking out for a source of ECI model B-FOCuS V-2FUb/I Rev.B modems . . .
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 24, 2012, 07:35:40 PM
UART pinouts

I used this cable..

http://www.ebay.co.uk/itm/220935415101?ssPageName=STRK:MEWNX:IT&_trksid=p3984.m1497.l2649#ht_2421wt_1254

[attachment deleted by admin]
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 24, 2012, 07:43:57 PM
Dumping the NAND now, going to take a while
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 24, 2012, 07:56:01 PM
Dumping the NAND now going to take a while

Good stuff! Cheers for the pinout! It will help a lot of others.   Did you set your stopwatch?  The 8Mbyte NAND in the Huawei takes about 45 mins to dump over a 115,200bps UART, if I recall correctly. That's a posh cable you got there!  What is the default port speed setting on the ECI?   Are you running Linux or the other one?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 24, 2012, 08:11:12 PM
Port speed is 115,200bps N-8-1

I'm a Windows user; to be honest I'm a bit of a noob when it comes to Linux, but I find doing stuff like this is the best way to learn
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on January 24, 2012, 08:29:29 PM

Are you running Linux or the other one?


Wassup asbokid? Were you choking too much to actually type the 'W' word?  :lol:
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 24, 2012, 08:45:37 PM
Most things can be done in Windows, but it is often much harder and not worth the extra effort  ???  There are some good live CDs for Linux for those who don't want to commit hard disk space.

Once the NOR flash contents are extracted, there are a couple of Linux tools useful for processing the hex dump.

First there is 'cut', a text processing tool. It can be used to strip the 16 bytes of ASCII chaff from the end of every line in the hex dump, and that leading 'b' from the TLB address mapping:

Code: [Select]

$ head eciflashdumpdemo.hex

b0000000: 2f830000 409eff38 38600000 4bffff3c    /...@..88`..K..<
b0000010: 835e000c 809e0008 2b9a00ff 829e0010    .^......+.......
b0000020: 82be0014 7f45d378 409d000c 3b4000ff    .....E.x@...;@..
b0000030: 38a000ff 2b9500ff 409d0008 3aa000ff    8...+...@...:...
b0000040: 8002021c 3bfb000a 7f9f0040 419d002c    ....;......@A..,
b0000050: 2f9a0000 419e0014 7c1f0050 3925ffff    /...A...|..P9%..
b0000060: 7f890040 419d0014 7fe3fb78 4bf1401d    ...@A......xK.@.
b0000070: 7c651b78 48000014 3c00bfff 6000ffff    |e.xH...<...`...

$ cut -c 2-45 eciflashdumpdemo.hex

0000000: 2f830000 409eff38 38600000 4bffff3c
0000010: 835e000c 809e0008 2b9a00ff 829e0010
0000020: 82be0014 7f45d378 409d000c 3b4000ff
0000030: 38a000ff 2b9500ff 409d0008 3aa000ff
0000040: 8002021c 3bfb000a 7f9f0040 419d002c
0000050: 2f9a0000 419e0014 7c1f0050 3925ffff
0000060: 7f890040 419d0014 7fe3fb78 4bf1401d
0000070: 7c651b78 48000014 3c00bfff 6000ffff

Another very useful Linux tool is called 'xxd'.  It can reverse (-r) the hexdump back into a binary flash image:

Code: [Select]
$ cut -c 2-45 eciflashdumpdemo.hex  | xxd -r > eciflashdumpdemo.bin

$ xxd eciflashdumpdemo.bin

0000000: 2f83 0000 409e ff38 3860 0000 4bff ff3c  /...@..88`..K..<
0000010: 835e 000c 809e 0008 2b9a 00ff 829e 0010  .^......+.......
0000020: 82be 0014 7f45 d378 409d 000c 3b40 00ff  .....E.x@...;@..
0000030: 38a0 00ff 2b95 00ff 409d 0008 3aa0 00ff  8...+...@...:...
0000040: 8002 021c 3bfb 000a 7f9f 0040 419d 002c  ....;......@A..,
0000050: 2f9a 0000 419e 0014 7c1f 0050 3925 ffff  /...A...|..P9%..
0000060: 7f89 0040 419d 0014 7fe3 fb78 4bf1 401d  ...@A......xK.@.
0000070: 7c65 1b78 4800 0014 3c00 bfff 6000 ffff  |e.xH...<...`...

cheers, a

P.S. Ignore Baldie, the agent provocateur.  Microsoft secretly pays him to taunt us!
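A Python equivalent of the cut/xxd pipeline above, added here as a worked example (it is not code from the post). Besides stripping the leading KSEG1 'b' and the ASCII chaff, it checks that consecutive line addresses run on contiguously, which is the check a UART capture really needs: a dropped or garbled console line would otherwise shift every later byte of the image without any error. The sample dump embedded in it is the eight demo lines quoted above; the 0xB0000000 base is the flash mapping shown by those addresses.

```python
"""Convert a hex dump captured from the UART console into a binary image.

Added example (not from the post): it does in Python what the
'cut -c 2-45 ... | xxd -r' pipeline above does, and additionally checks that
the line addresses run on contiguously, so a line dropped or garbled on the
serial link is reported instead of silently shifting every later byte."""
import re

# A captured line looks like
#   b0000010: 835e000c 809e0008 2b9a00ff 829e0010    .^......+.......
# The address is the MIPS KSEG1 virtual address (NOR flash at 0xB0000000),
# the four 8-digit groups are 32-bit words as they sit in flash, and the
# trailing characters are the ASCII rendering that 'cut' strips off.
LINE_RE = re.compile(r'^\s*([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]{8}){4})')

# Constructed sample: the eight demo lines quoted in the post above.
SAMPLE_DUMP = """\
b0000000: 2f830000 409eff38 38600000 4bffff3c    /...@..88`..K..<
b0000010: 835e000c 809e0008 2b9a00ff 829e0010    .^......+.......
b0000020: 82be0014 7f45d378 409d000c 3b4000ff    .....E.x@...;@..
b0000030: 38a000ff 2b9500ff 409d0008 3aa000ff    8...+...@...:...
b0000040: 8002021c 3bfb000a 7f9f0040 419d002c    ....;......@A..,
b0000050: 2f9a0000 419e0014 7c1f0050 3925ffff    /...A...|..P9%..
b0000060: 7f890040 419d0014 7fe3fb78 4bf1401d    ...@A......xK.@.
b0000070: 7c651b78 48000014 3c00bfff 6000ffff    |e.xH...<...`...
"""


def parse_dump(text, base=0xB0000000):
    """Return (flash offset of the first line, image bytes).

    Blank lines are ignored.  Any other line that is not a dump line, and
    any gap or overlap between consecutive addresses, raises ValueError.
    """
    out = bytearray()
    first = expected = None
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError('line %d is not a dump line: %r' % (lineno, line))
        addr = int(m.group(1), 16) - base
        if first is None:
            first = expected = addr
        if addr != expected:
            raise ValueError('line %d: expected offset 0x%x, found 0x%x'
                             % (lineno, expected, addr))
        for word in m.group(2).split():
            out += bytes.fromhex(word)          # four bytes per word, in dump order
        expected = addr + 16
    if first is None:
        raise ValueError('no dump lines found')
    return first, bytes(out)


def convert_file(src_path, dst_path):
    """Command-line helper: convert src_path, write dst_path, return (offset, size)."""
    with open(src_path) as f:
        first, data = parse_dump(f.read())
    with open(dst_path, 'wb') as f:
        f.write(data)
    return first, len(data)


if __name__ == '__main__':
    import sys
    off, size = convert_file(sys.argv[1], sys.argv[2])
    print('wrote %d bytes starting at flash offset 0x%x' % (size, off))
```

Run it as `python3 dump2bin.py eciflashdump.hex eciflash.bin`; the printed size should be the full 8 MB (8388608 bytes) for a complete NOR dump, and any ValueError names the console line where the capture went wrong.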
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 24, 2012, 11:19:48 PM
nand dump complete and converted to bin image

-- LINK REMOVED --
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 25, 2012, 03:18:28 AM
[nor] dump complete and converted to bin image

http://www.mediafire.com/?1tcdqu616xpfofe (http://www.mediafire.com/?1tcdqu616xpfofe)     (EDIT: corrected URL)

Excellent job.  You deserve a pint!

The next stage is to identify and separate the components in the flash image.

These components will include the bootloader itself, the Linux kernel image(s), the file system image(s), and usually an area for storing non-volatile configuration data.

From the Linux kernel boot log that you posted earlier, we can see that the kernel was compiled with drivers for the SquashFS file system, and for the JFFS2 file system:

Code: [Select]
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) (SUMMARY)  (C) 2001-2006 Red Hat, Inc.

SquashFS is a read-only file system. It was designed by Phillip Lougher, an expert embedded developer from Wales.  SquashFS is often used as the root flash file system in MIPS-based routers, including the Huawei HG612.

JFFS2 is a read-write file system. It was written especially for flash devices and includes wear-levelling to mitigate the weakness in NAND (and NOR) flash storage.

The next task is to identify the boundaries of those components in the flash image. One way to do this is to search for the 'magic numbers' that are stored at the beginning of those firmware components.

SquashFS uses several different magic numbers in the superblock of a file system. These indicate the 'endianness' of the file system (big- or little-endian) and the compression scheme used.

We can use the Linux tool 'grep' to discover those magic numbers:

Code: [Select]
$ xxd eciflash.bin | grep -A2 'qshs\|sqsh\|hsqs\|shsq'

01410c0: 7173 6873 0000 034c 0000 0000 0d69 6910  qshs...L.....ii.
01410d0: 0000 0000 0000 0008 4001 a000 0003 0000  ........@.......
01410e0: 0f94 0010 c002 014d 58cf 3e00 0000 0015  .......MX.>.....
--
04e10c0: 7173 6873 0000 034c 0000 0000 0d69 6910  qshs...L.....ii.
04e10d0: 0000 0000 0000 0008 4001 a000 0003 0000  ........@.......
04e10e0: 0f94 0010 c002 014e 40aa 1700 0000 0015  .......N@.......
$

It finds two Big Endian SquashFS file systems in the firmware that use LZMA compression. Those compressed file systems start at flash offsets 0x1410c0 and 0x4e10c0.

The presence of two file systems (and two kernels), a master and a slave, is a fail-safe mechanism.

The size of each squash file system image is needed now. A tool originally written by Goundoulf, lead developer for the French OpenBox project [1], can be fettled to work with the ECI flash image [2]:

Code: [Select]
$ ./ecisquash-extract eciflash.bin

Size of firmware 'eciflash.bin' : 5856192 octets
---------------------------------------------------------------

Signature of SquashFS found:
---------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x1410c0
Version SquashFS : 3.0
Octets utilised : 2641669 octets
Date of creation : Mon Feb 14 06:44:14 2011
---------------------------------------------------------------

Signature of SquashFS found:
---------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x4e10c0
Version SquashFS : 3.0
Octets utilised : 2642454 octets
Date of creation : Tue Aug  9 04:31:35 2011
---------------------------------------------------------------

The Linux tool 'dd' is used to isolate those SquashFS images into separate files:

Code: [Select]
$ dd if=eciflash.bin of=ecirootfs1 bs=1 skip=$((0x1410c0)) count=2641669
2641669+0 records in
2641669+0 records out
2641669 bytes (2.6 MB) copied, 5.69564 s, 464 kB/s

From the boot log, we can see that Junjiro Okajima's patch (JRO) for LZMA compression was applied to the squashfs kernel driver.

We must now search for a compatible version of the unsquashfs tool for the PC to decompress the file system, in readiness for unlocking it.

cheers, a

[1] http://svn.gna.org/svn/openbox4/trunk/tools/nb4-extract/
[2] https://docs.google.com/open?id=0B.... (https://docs.google.com/open?id=0B6wW18mYskvBZWUwZWQyYjAtNjhiMS00ZmUwLTg0ZDEtZTkzODNhZTMwNGZh)
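The magic-number search and the size lookup above can be done in one step by decoding the superblock itself. The script below is an added example, not the ecisquash-extract tool from the post: it scans for the four magic strings, rejects hits that do not decode as a plausible SquashFS 3.x superblock (a four-byte magic does occur by chance in random flash content, which a bare grep cannot tell apart), and reads the fields behind the tool's 'Octets utilised' (bytes_used) and 'Date of creation' (mkfs_time) lines, from which it prints the dd command for carving. The byte layout is that of the packed struct squashfs_super_block in squashfs 3.x; the embedded sample is the 48 superblock bytes shown in the xxd output above for the image at 0x4e10c0, completed with the values the thread later reports for that image (block size 65536, 42 fragments, 0x285216 bytes used), and the little-endian case is assumed to mirror the big-endian layout with the byte order reversed.

```python
"""Find and decode SquashFS 3.x superblocks in a raw flash image.

Added example; it is not the ecisquash-extract tool used in the post.  It
replaces the grep for the four magic strings with a scan that also sanity-
checks each candidate, and decodes the fields behind 'Octets utilised'
(bytes_used) and 'Date of creation' (mkfs_time), which are the skip and
count for dd.  Layout: packed struct squashfs_super_block of squashfs 3.x,
checked here against the big-endian ECI dump; little-endian images are
assumed to use the same layout with the byte order reversed."""
import struct
from datetime import datetime, timezone

# Magic bytes as they appear in the file: stock 'sqsh' and the 'qshs' of the
# slax/jro LZMA patch, each in big- and little-endian byte order.
MAGICS = {b'sqsh': ('big', 'gzip'), b'hsqs': ('little', 'gzip'),
          b'qshs': ('big', 'LZMA'), b'shsq': ('little', 'LZMA')}
# First 71 bytes of the 3.x superblock, up to and including bytes_used.
SB_FMT = '4s6I4H3BIQ3IQ'
SB_FLAGS = ['inodes uncompressed', 'data uncompressed', 'check data present',
            'fragments uncompressed', 'no fragments', 'always use fragments',
            'duplicates removed', 'exportable via NFS']


def parse_superblock(img, off):
    """Decode the superblock at img[off]; None if it does not look like one."""
    entry = MAGICS.get(bytes(img[off:off + 4]))
    if entry is None:
        return None
    order, compression = entry
    fmt = ('>' if order == 'big' else '<') + SB_FMT
    if off + struct.calcsize(fmt) > len(img):
        return None
    (_, inodes, _, _, _, _, _, major, minor, _, block_log, flags, no_uids,
     no_guids, mkfs_time, _, block_size, fragments, _, bytes_used) = \
        struct.unpack_from(fmt, img, off)
    # Plausibility checks that a plain grep cannot make.
    if major != 3 or block_size != 1 << block_log or not 0 < bytes_used <= len(img) - off:
        return None
    return {'offset': off, 'endian': order, 'compression': compression,
            'version': '%d.%d' % (major, minor), 'inodes': inodes,
            'block_size': block_size, 'fragments': fragments,
            'uids': no_uids, 'gids': no_guids, 'mkfs_time': mkfs_time,
            'flags': [name for bit, name in enumerate(SB_FLAGS) if flags >> bit & 1],
            'bytes_used': bytes_used}


def find_superblocks(img):
    """All plausible SquashFS 3.x superblocks in img, in offset order."""
    found = []
    for magic in MAGICS:
        pos = img.find(magic)
        while pos != -1:
            sb = parse_superblock(img, pos)
            if sb:
                found.append(sb)
            pos = img.find(magic, pos + 1)
    return sorted(found, key=lambda s: s['offset'])


def report(sb, image_name, out_name):
    """One superblock as text, ending with the dd command that carves it out."""
    created = datetime.fromtimestamp(sb['mkfs_time'], timezone.utc).isoformat()
    return ('offset 0x%x: SquashFS %s, %s-endian, %s, %d inodes, block size %d, '
            '%d fragments, %d bytes, created %s, flags: %s\n'
            'dd if=%s of=%s bs=1 skip=$((0x%x)) count=%d'
            % (sb['offset'], sb['version'], sb['endian'], sb['compression'],
               sb['inodes'], sb['block_size'], sb['fragments'], sb['bytes_used'],
               created, ', '.join(sb['flags']) or 'none',
               image_name, out_name, sb['offset'], sb['bytes_used']))


# Constructed sample image.  The first 48 bytes are the second superblock
# exactly as shown in the xxd output above (flash offset 0x4e10c0); the other
# 23 bytes (tail of root_inode, block_size, fragments, fragment_table_start_2,
# bytes_used) are filled from the unsquashfs -stat and ecisquash-extract output
# for that image, and the rest of the file system is zero padding.
SAMPLE_SB = bytes.fromhex(
    '71736873 0000034c 00000000 0d696910 00000000 00000008 4001a000 00030000 '
    '0f940010 c002014e 40aa1700 00000015 '
    '000000 00010000 0000002a 00000000 0000000000285216')
SAMPLE_IMAGE = b'\xff' * 0x1000 + SAMPLE_SB + b'\x00' * (0x285216 - len(SAMPLE_SB))


if __name__ == '__main__':
    import sys
    with open(sys.argv[1], 'rb') as f:
        image = f.read()
    for n, sb in enumerate(find_superblocks(image), 1):
        print(report(sb, sys.argv[1], 'rootfs%d' % n))
```

Two details are worth knowing when reading its output against the thread: mkfs_time is printed in UTC, so the 0x4e10c0 image shows 03:31:35 where the tool above, printing local (BST) time, shows 04:31:35; and bytes_used is the exact dd count, whereas the MTD partition that holds the image is padded out to an erase-block or page boundary, so the partition size is larger than this figure.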
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 25, 2012, 03:37:36 AM

Are you running Linux or the other one?


Wassup asbokid? Were you choking too much to actually type the 'W' word?  :lol:

Do I detect that the Baldy_Bird is a real big closet Redmond 'doze fanatic?  :tongue:  :sick:  :vomit:
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 25, 2012, 03:43:43 AM
nand dump complete and converted to bin image

http://dl.dropbox.com/u/6134482/ecinand.rar

Excellent job.  You deserve a pint!

Let's see what is available --  :drink:
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 25, 2012, 07:23:27 AM
I will do a new dump tonight I know what I was doing wrong now :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 25, 2012, 11:29:09 AM
Silly question time.

As that ECI B-FOCuS modem was supplied as the active NTE for your FTTC service, with it in a disembowelled state, what are you currently using?  ???
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 25, 2012, 12:06:56 PM
Silly question time.

As that ECI B-FOCuS modem was supplied as the active NTE for your FTTC service, with it in a disembowelled state, what are you currently using?  ???

It's in bits until the wife wants to watch iPlayer, then I put it back together LOL. I could do with an HG612 donation :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 25, 2012, 05:16:26 PM
Hi UKLad.

The Huaweis do crop up from time to time on ebay.   As for hacking the ECI, now that you've obtained a full flash dump, most of the work can be done on the PC, and the ECI can be re-instated on your FTTC line.

In theory, the userspace in the firmware can even run in MIPS emulation on a PC.

We can try now to discover a compatible version of the unsquashfs tool so we can examine the file system and its contents.

That may be an interesting exercise.  From discussions with Jeremy Collake and Craig Heffner, who built and maintain the Firmware Modification Kit [1], the ECI VDSL2 modem is running yet another tweaked version of the squashfs kernel driver.

Attempts at unsquashing the root file system image using existing tools are throwing up all sorts of strange errors, mainly from the LZMA decompression code. As such, only part of the file system can be extracted.

Corporations like Lantiq and Broadcom have a history of tweaking embedded file system drivers in undocumented ways. This is done to foil independent development. The idea is to modify the file system and its compression scheme in secret ways to make it difficult to unlock for modification. This attitude is disappointing. These giant Corporations rely heavily on open source software (because of the huge cost savings) and yet they feed back very little to the open source community. It is a parasitic relationship.  *sigh!*

That said, one version of the unsquashfs tool from the Kit at [1] works in part, but bombs out half way through. Amending the file system that you extracted worked correctly;  the mksquashfs successfully appended new files to the existing squashfs image.

cheers, a

[1] http://bitsum.com/firmware_mod_kit.htm
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 25, 2012, 05:45:47 PM
You will have a full dump tonight; I know exactly what I did wrong. As soon as the kids are in bed and the wife is at work ;)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 25, 2012, 10:14:47 PM
NAND dump done right, I think

http://www.mediafire.com/?1tcdqu616xpfofe

Regards
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 28, 2012, 04:17:10 AM
excellent work, uklad!  an exhilarating sensation, like donating blood?!

cheers, a
---

A bit of progress..

This is based on the 8MByte NOR flash image that UKLad kindly uploaded. The development machine is running Debian Wheezy..

The firmware for the ECI has two root file systems in it.  One is a failsafe.  However, the two file systems are not the same. One was built several months earlier than the other.   Both file systems are read-only SquashFS format, with Big-Endian byte-sex and compressed with the JRO patch for LZMA compression.  A compatible version of the squashfs tools to decompress these images is yet to be found.

There is also a read-write JFFS2 file system in the flash. JFFS2 is a dedicated flash file system with wear-levelling, garbage collection and fault recovery.

Demonstrated below, is the extraction and mounting of that JFFS2 file system on a Linux AMD64 machine.  The JFFS2 file system in this ECI contains just one file, btagent.conf.   BTAgent is a TR-069 remote management tool.   The btagent.conf file contains configuration data for the BTAgent tool.

Code: [Select]
$ md5sum eciflashdump8mb.bin
2a2db35f797546c0e3e036a469a942d4  eciflashdump8mb.bin

$ ./ecisquash-extract eciflashdump8mb.bin
Size of firmware 'eciflashdump8mb.bin' : 8388608 octets
----------------------------------------------------------------

Signature of SquashFS found:
----------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x1410c0
Version SquashFS : 3.0
Octets utilised : 284f05 octets
Date of creation : Mon Feb 14 06:44:14 2011
----------------------------------------------------------------

Signature of SquashFS found:
----------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x4e10c0
Version SquashFS : 3.0
Octets utilised : 285216 octets
Date of creation : Tue Aug  9 04:31:35 2011
----------------------------------------------------------------

$ dd if=eciflashdump8mb.bin of=ecirootfs1 bs=1 skip=$((0x1410c0)) count=$((0x284f05))
2641669+0 records in
2641669+0 records out
2641669 bytes (2.6 MB) copied, 3.36489 s, 785 kB/s

$ dd if=eciflashdump8mb.bin of=ecirootfs2 bs=1 skip=$((0x4e10c0)) count=$((0x285216))
2642454+0 records in
2642454+0 records out
2642454 bytes (2.6 MB) copied, 3.40498 s, 776 kB/s

$ dd if=eciflashdump8mb.bin of=jffs2 bs=1 skip=$((0x790000)) count=$((0x10000))
65536+0 records in
65536+0 records out
65536 bytes (66 kB) copied, 0.09391 s, 698 kB/s

$ sudo apt-get install mtd-tools

$ sudo jffs2dump --bigendian jffs2 --endianconvert=jffs2.le

$ sudo modprobe mtdblock

$ sudo modprobe jffs2

$ sudo modprobe mtdram total_size=30000

$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 01d4c000 00020000 "mtdram test device"

$ sudo dd if=./jffs2.le of=/dev/mtdblock0
128+0 records in
128+0 records out
65536 bytes (66 kB) copied, 0.001695 s, 38.7 MB/s

$ sudo mount -t jffs2 /dev/mtdblock0 /mnt/

$ ls -l /mnt/
total 1
-rw-r--r-- 1 root root 681 Jan  1  2000 btagent.conf

$ cat /mnt/btagent.conf
|BTAgent.ForceReboot||1|ForceReboot
|BTAgent.Restart||1|Restart
|BTAgent.Version|1.21|4|
|BTAgent.FirmwareInformServerIP|firmware.mms.bt.com|6|
|BTAgent.FirmwareInformServerPort|80|6|
|BTAgent.FirmwareInformRequest|GET /%s.txt?modelName=%s&manufacturer=%s&serialnumber=%s&firmwareversion=%s%s HTTP/1.1|6|
|BTAgent.FirmwareInformPeriod|86400|6|
|BTAgent.Default.FirmwareInformPeriod|86400|4|
|BTAgent.Default.FirmwarePullEnable|0|4|
|BTAgent.FirmwarePullEnable|0|6|
|BTAgent.FirmwarePullDelay|0|6|
|BTAgent.FirmwareSupported||6|
|BTAgent.FirmwareAdditional1||6|
|BTAgent.FirmwareAdditional2||6|
|BTAgent.MaxAttempts|10|6|
|BTAgent.ConnectTimeout|60|6|
|BTAgent.TimeoutMultiple|2|6|

$
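The JFFS2 partition can also be read without the endian conversion, mtdram and mount steps, by walking its nodes directly. The script below is an added example, not code from the post: it follows the node structures of include/linux/jffs2.h, verifies the header CRC of every node and the data CRC of every data node (a truncated or mis-dumped partition then shows up as rejected nodes rather than as a clean-looking mount with data missing), keeps the newest version of each directory entry and inode as the kernel does on mount, and lists the regular files in the root directory. It assumes what the btagent partition above needs, one data node per file, uncompressed or zlib-compressed; nodes using the other JFFS2 compressors are skipped. The build_* helpers and the sample image (erased flash around a constructed btagent.conf carrying three lines from the listing above, plus a constructed zlib-compressed file) exist only to exercise the scanner.

```python
"""List the files held in a raw JFFS2 partition image by walking its nodes.

Added example, not from the post.  Reads the big-endian image directly,
checks header and data CRCs, and handles regular files in the root
directory stored as one data node each (uncompressed or zlib).  Node
layouts follow include/linux/jffs2.h.  The build_* helpers only exist to
construct the sample image used here."""
import binascii
import struct
import zlib

JFFS2_MAGIC = 0x1985
NODETYPE_DIRENT, NODETYPE_INODE = 0xE001, 0xE002
COMPR_NONE, COMPR_ZLIB = 0x00, 0x06
ROOT_INO = 1


def jffs2_crc(data):
    """JFFS2 CRC-32: seed 0 and no final inversion, unlike zlib's crc32."""
    return binascii.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF


def pad4(n):
    return (n + 3) & ~3


def _header(ntype, totlen, e):
    head = struct.pack(e + 'HHI', JFFS2_MAGIC, ntype, totlen)
    return head + struct.pack(e + 'I', jffs2_crc(head))          # hdr_crc


def build_dirent(pino, ino, name, version=1, e='>'):
    """Constructed jffs2_raw_dirent for a regular file (type 8 = DT_REG)."""
    name = name.encode()
    node = _header(NODETYPE_DIRENT, 40 + len(name), e)
    node += struct.pack(e + 'IIIIBBxx', pino, version, ino, 0, len(name), 8)
    node += struct.pack(e + 'I', jffs2_crc(node))                # node_crc, first 32 bytes
    node += struct.pack(e + 'I', jffs2_crc(name))                # name_crc
    return node + name


def build_inode(ino, data, version=1, compr=COMPR_NONE, e='>'):
    """Constructed jffs2_raw_inode carrying a whole file in one node."""
    payload = zlib.compress(data) if compr == COMPR_ZLIB else data
    node = _header(NODETYPE_INODE, 68 + len(payload), e)
    node += struct.pack(e + 'IIIHHIIIIIIIBBH', ino, version, 0o100644, 0, 0,
                        len(data), 0, 0, 0, 0, len(payload), len(data), compr, 0, 0)
    node_crc = jffs2_crc(node)                                   # first 60 bytes
    node += struct.pack(e + 'II', jffs2_crc(payload), node_crc)  # data_crc, node_crc
    return node + payload


def scan_jffs2(img, e='>'):
    """Return (files, rejected): files maps name -> content for regular files
    in the root directory; rejected counts magics whose header failed."""
    hdr = struct.Struct(e + 'HHII')
    dirents, inodes, rejected, off = {}, {}, 0, 0
    while off + hdr.size <= len(img):
        magic, ntype, totlen, hdr_crc = hdr.unpack_from(img, off)
        if magic != JFFS2_MAGIC:
            off += 4                     # erased flash (0xFFFF) or file data: resync
            continue
        if (totlen < hdr.size or off + totlen > len(img)
                or jffs2_crc(img[off:off + 8]) != hdr_crc):
            rejected += 1
            off += 4
            continue
        node = img[off:off + totlen]
        if ntype == NODETYPE_DIRENT and totlen >= 40:
            pino, version, ino, _, nsize = struct.unpack_from(e + 'IIIIB', node, 12)
            name = node[40:40 + nsize]
            if jffs2_crc(name) == struct.unpack_from(e + 'I', node, 36)[0]:
                key = (pino, bytes(name).decode(errors='replace'))
                if key not in dirents or version > dirents[key][0]:
                    dirents[key] = (version, ino)   # newest version wins, as on mount
        elif ntype == NODETYPE_INODE and totlen >= 68:
            ino, version = struct.unpack_from(e + 'II', node, 12)
            csize, dsize, compr = struct.unpack_from(e + 'IIB', node, 48)
            data_crc, = struct.unpack_from(e + 'I', node, 60)
            payload = node[68:68 + csize]
            if jffs2_crc(payload) == data_crc and compr in (COMPR_NONE, COMPR_ZLIB):
                data = zlib.decompress(payload) if compr == COMPR_ZLIB else payload
                if ino not in inodes or version > inodes[ino][0]:
                    inodes[ino] = (version, bytes(data[:dsize]))
        off += pad4(totlen)
    files = {name: inodes[ino][1] for (pino, name), (_, ino) in dirents.items()
             if pino == ROOT_INO and ino in inodes}     # ino 0 = deleted entry
    return files, rejected


# Constructed sample partition: erased flash around a dirent/data-node pair
# for btagent.conf (three lines from the listing above) and a second,
# zlib-compressed file.
BTAGENT_CONF = (b'|BTAgent.ForceReboot||1|ForceReboot\n'
                b'|BTAgent.Version|1.21|4|\n'
                b'|BTAgent.FirmwareInformServerPort|80|6|\n')
NOTES = b'constructed second file, zlib-compressed in flash\n' * 4


def build_sample():
    img = b'\xff' * 16
    for node in (build_dirent(ROOT_INO, 2, 'btagent.conf'),
                 build_inode(2, BTAGENT_CONF),
                 build_dirent(ROOT_INO, 3, 'notes.txt'),
                 build_inode(3, NOTES, compr=COMPR_ZLIB)):
        img += node + b'\xff' * (pad4(len(node)) - len(node))   # nodes are 4-byte aligned
    return img + b'\xff' * 64


if __name__ == '__main__':
    import sys
    with open(sys.argv[1], 'rb') as f:
        found, bad = scan_jffs2(f.read())
    for name, content in found.items():
        print('%s (%d bytes)' % (name, len(content)))
    print('%d node header(s) rejected' % bad)
```

On the partition carved with dd above (`python3 jffs2ls.py jffs2`) the expected result is one file, btagent.conf, 681 bytes, with zero rejected headers; a non-zero rejected count or a missing file is the signal to re-check the dump before trusting the mounted view.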
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: JoshShep on January 29, 2012, 05:29:20 PM
Any updates uklad?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 29, 2012, 07:14:06 PM
Any updates uklad?

Code: [Select]
Line Status
Line Status:   Connected
Operational Mode:   VDSL2-17a
CO VendorID:   IFTN
CO Version:   0xB201

DownStream Parameter
Max BitRate:   131990 kbps
ActualBitRate: 39998 kbps PASS
Capacity:   30.3 %
Latency:   Fast

UpStream Parameter
Max BitRate:   32787 kbps
ActualBitRate: 9995 kbps PASS
Capacity:   30.5 %
Latency:   Fast

Vendor ID is IFTN, basically Infineon (now Lantiq), and we now know the ECI Openreach modems use Lantiq chipsets...

On a side note I'm liking my Max BitRates, 132 Mb/s down and 32 Mb/s up; lots of scope for the future :)

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 30, 2012, 12:01:15 AM
A bit of progress with the squashfs root file system found in the ECI NOR flash image that was uploaded by uklad.

From the kernel boot log, we can see the following:
Code: [Select]
...
Kernel command line: root=/dev/mtdblock2 ro rootfstype=squashfs ip=5.57.33.103:5.57.33.111::::eth0:on console=ttyS0,115200 ethaddr=5C:33:8E:xx:xxx:xx phym=32M mem=31M panic=1
....
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
....
squashfsb->s_magic=71736873 SQUASHFS_MAGIC=71736873
ifx_nor0: squashfs filesystem found at 0x4e10a0.
ifx_mtd_init flash0: Using static image partition
Creating 9 MTD partitions on "ifx_nor0":
0x00000000-0x00030000 : "uboot"
0x00030000-0x00040000 : "h/w setting"
0x004e10c0-0x007670c0 : "rootfs"
0x00040000-0x00050000 : "rgdb"
0x00050000-0x003f0000 : "upgrade"
0x003f0000-0x00790000 : "upgrade2"
0x00790000-0x007f0000 : "btagent"
0x00000000-0x00800000 : "flash"
0x00000000-0x00800000 : "<NULL>"
....
VFS: Mounted root (squashfs filesystem) readonly.

The unsquashfs tool for that specific version (3.2-r2-lzma) of squashfs strangely doesn't work:

Code: [Select]
$ src/others/squashfs-3.2-r2-lzma/squashfs3.2-r2/squashfs-tools/unsquashfs -ls ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
Can't find a SQUASHFS superblock on ecirootfs2
$

Yet a slightly later version (3.3-lzma) of the tool will obtain the superblock info for the fs image.

Code: [Select]
$ ~/src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs -stat ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
Found a valid big endian SQUASHFS 3:0 superblock on ecirootfs2.
Creation or last append time Tue Aug  9 04:31:35 2011
Filesystem is exportable via NFS
Inodes are compressed
Data is compressed
Fragments are compressed
Check data is not present in the filesystem
Fragments are present in the filesystem
Always_use_fragments option is not specified
Duplicates are removed
Filesystem size 2580.52 Kbytes (2.52 Mbytes)
Block size 65536
Number of fragments 42
Number of inodes 844
Number of uids 2
Number of gids 1
$

That version will also list the full contents of the squashfs file system. (The full list is attached in a .txt file to this post.)

Code: [Select]
$ ~/src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs -lls ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
drwxr-xr-x 505/users               181 2011-08-09 04:31 squashfs-root
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent
drwxr-xr-x 505/users               280 2011-08-09 04:31 squashfs-root/BTAgent/ro
-rwxr-xr-x 505/users                13 2011-08-09 04:31 squashfs-root/BTAgent/ro/RWPath
-rwxr-xr-x 505/users             10701 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent
-rwxr-xr-x 505/users               681 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent.conf
-rwxr-xr-x 505/users               183 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagentstart.sh
-rwxr-xr-x 505/users              5392 2011-08-09 04:31 squashfs-root/BTAgent/ro/libparseplugins.so
-rwxr-xr-x 505/users              6372 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugin.so
-rwxr-xr-x 505/users              5924 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugins.so
-rwxr-xr-x 505/users              7316 2011-08-09 04:31 squashfs-root/BTAgent/ro/libsourceplugins.so
-rwxr-xr-x 505/users              8264 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtcp.so
-rwxr-xr-x 505/users              5888 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtransportplugins.so
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse
-rwxr-xr-x 505/users             14956 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse/libxml.so
drwxr-xr-x 505/users               108 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source
-rwxr-xr-x 505/users              7944 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libalpha2.so
-rwxr-xr-x 505/users             10212 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libbtagent.so
-rwxr-xr-x 505/users             14248 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libfwm.so
-rwxr-xr-x 505/users             14316 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/liblogger.so
-rwxr-xr-x 505/users              7836 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libprobe.so
-rwxr-xr-x 505/users             27328 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/librsa.so
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport
-rwxr-xr-x 505/users             51820 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport/libsec.so
-rwxr-xr-x 505/users               286 2011-08-09 04:31 squashfs-root/BTAgent/ro/publickeys.dat
-rwxr-xr-x 505/users               183 2011-08-09 04:31 squashfs-root/BTAgent/ro/start
drwxr-xr-x 505/users                 3 2011-08-09 04:31 squashfs-root/BTAgent/rw
drwxr-xr-x 505/users               456 2011-08-09 04:31 squashfs-root/bin
-rwxr-xr-x 505/users             17992 2011-08-09 04:31 squashfs-root/bin/alphaFlashAgent
-rwxr-xr-x 505/users             33992 2011-08-09 04:31 squashfs-root/bin/alphaHousekeeper
-rwxr-xr-x 505/users             10512 2011-08-09 04:31 squashfs-root/bin/alphaLogd
-rwxr-xr-x 505/users              5272 2011-08-09 04:31 squashfs-root/bin/alpha_flash_cmd
-rwxrwxr-x 505/users            461960 2011-08-09 04:31 squashfs-root/bin/busybox
lrwxrwxrwx 505/users                 7 2011-08-09 04:31 squashfs-root/bin/cat -> busybox
       [..snipped..]
-rw-r--r-- 505/users             21189 2011-08-09 04:31 squashfs-root/www/layout/alpha.css
drwxr-xr-x 505/users                19 2011-08-09 04:31 squashfs-root/www/locale
drwxr-xr-x 505/users                20 2011-08-09 04:31 squashfs-root/www/locale/en
drwxr-xr-x 505/users                 3 2011-08-09 04:31 squashfs-root/www/locale/en/dsc
drwxr-xr-x 505/users               230 2011-08-09 04:31 squashfs-root/www/public
-rw-r--r-- 505/users               402 2011-08-09 04:31 squashfs-root/www/public/__all_need.js
-rw-r--r-- 505/users              2775 2011-08-09 04:31 squashfs-root/www/public/__button.js
-rw-r--r-- 505/users              3173 2011-08-09 04:31 squashfs-root/www/public/__comm.js
-rw-r--r-- 505/users              2595 2011-08-09 04:31 squashfs-root/www/public/__display.js
-rw-r--r-- 505/users               227 2011-08-09 04:31 squashfs-root/www/public/__head.js
-rw-r--r-- 505/users              7992 2011-08-09 04:31 squashfs-root/www/public/__ip.js
-rw-r--r-- 505/users             10249 2011-08-09 04:31 squashfs-root/www/public/__js_comm.js
-rw-r--r-- 505/users              4252 2011-08-09 04:31 squashfs-root/www/public/__menu.js
-rw-r--r-- 505/users              2242 2011-08-09 04:31 squashfs-root/www/public/__no_changes.js
-rw-r--r-- 505/users               184 2011-08-09 04:31 squashfs-root/www/public/__session_timeout.js
-rw-r--r-- 505/users              1473 2011-08-09 04:31 squashfs-root/www/public/__tb_display.js
-rwxr-xr-x 505/users              2115 2011-08-09 04:31 squashfs-root/www/public/__tree.js
-rw-r--r-- 505/users             13508 2011-08-09 04:31 squashfs-root/www/public/__wan_adv.js
lrwxrwxrwx 505/users                17 2011-08-09 04:31 squashfs-root/www/syslog -> /var/log/messages
lrwxrwxrwx 505/users                17 2011-08-09 04:31 squashfs-root/www/tsyslog.rg -> /var/log/tlogsmsg
$

Yet, using the very same version of unsquashfs to actually uncompress the squashfs image, an error is thrown by the LZMA code:

Code: [Select]
$ ~/src/others/squashfs-3.3-lzma/squashfs3.3/squashfs-tools/unsquashfs -li ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
drwxr-xr-x 505/users               181 2011-08-09 04:31 squashfs-root
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent
drwxr-xr-x 505/users               280 2011-08-09 04:31 squashfs-root/BTAgent/ro
-rwxr-xr-x 505/users                13 2011-08-09 04:31 squashfs-root/BTAgent/ro/RWPath
-rwxr-xr-x 505/users             10701 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent
-rwxr-xr-x 505/users               681 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagent.conf
-rwxr-xr-x 505/users               183 2011-08-09 04:31 squashfs-root/BTAgent/ro/btagentstart.sh
-rwxr-xr-x 505/users              5392 2011-08-09 04:31 squashfs-root/BTAgent/ro/libparseplugins.so
-rwxr-xr-x 505/users              6372 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugin.so
-rwxr-xr-x 505/users              5924 2011-08-09 04:31 squashfs-root/BTAgent/ro/libplugins.so
-rwxr-xr-x 505/users              7316 2011-08-09 04:31 squashfs-root/BTAgent/ro/libsourceplugins.so
-rwxr-xr-x 505/users              8264 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtcp.so
-rwxr-xr-x 505/users              5888 2011-08-09 04:31 squashfs-root/BTAgent/ro/libtransportplugins.so
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse
-rwxr-xr-x 505/users             14956 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_parse/libxml.so
drwxr-xr-x 505/users               108 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source
-rwxr-xr-x 505/users              7944 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libalpha2.so
-rwxr-xr-x 505/users             10212 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libbtagent.so
-rwxr-xr-x 505/users             14248 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libfwm.so
-rwxr-xr-x 505/users             14316 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/liblogger.so
-rwxr-xr-x 505/users              7836 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/libprobe.so
-rwxr-xr-x 505/users             27328 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_source/librsa.so
drwxr-xr-x 505/users                26 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport
-rwxr-xr-x 505/users             51820 2011-08-09 04:31 squashfs-root/BTAgent/ro/plugin_transport/libsec.so
-rwxr-xr-x 505/users               286 2011-08-09 04:31 squashfs-root/BTAgent/ro/publickeys.dat
-rwxr-xr-x 505/users               183 2011-08-09 04:31 squashfs-root/BTAgent/ro/start
drwxr-xr-x 505/users                 3 2011-08-09 04:31 squashfs-root/BTAgent/rw
drwxr-xr-x 505/users               456 2011-08-09 04:31 squashfs-root/bin
-rwxr-xr-x 505/users             17992 2011-08-09 04:31 squashfs-root/bin/alphaFlashAgent
-rwxr-xr-x 505/users             33992 2011-08-09 04:31 squashfs-root/bin/alphaHousekeeper
-rwxr-xr-x 505/users             10512 2011-08-09 04:31 squashfs-root/bin/alphaLogd
-rwxr-xr-x 505/users              5272 2011-08-09 04:31 squashfs-root/bin/alpha_flash_cmd
-rwxrwxr-x 505/users            461960 2011-08-09 04:31 squashfs-root/bin/busybox
err -22
sqlzma_un: LZMA Unknown error 18446744073709551594
Aborted
$

The saga continues!..

[attachment deleted by admin]
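The MTD partition table in the boot log above is worth reading alongside the superblock offsets, because it tells you which of the two SquashFS images is the live root. The script below is an added example (not from the post) that parses the 'Creating 9 MTD partitions' block: the kernel numbers partitions in the order it creates them, so root=/dev/mtdblock2 on the command line names the third entry, "rootfs" at 0x4e10c0, which is the second image (ecirootfs2), and an overlap check shows that this partition lies inside "upgrade2" and that the two "flash"-sized entries cover everything. The sample lines are the ones quoted above, with the command line abridged to the fields the script uses.

```python
"""Turn the 'Creating N MTD partitions' block of a kernel boot log into a
partition map and work out which partition holds the mounted root.

Added example, not from the post.  Sample lines are the ones quoted above
(kernel command line abridged).  Partition indexes follow creation order,
which is the /dev/mtdN and /dev/mtdblockN numbering."""
import re

SAMPLE_LOG = """\
Kernel command line: root=/dev/mtdblock2 ro rootfstype=squashfs console=ttyS0,115200 panic=1
ifx_nor0: squashfs filesystem found at 0x4e10a0.
ifx_mtd_init flash0: Using static image partition
Creating 9 MTD partitions on "ifx_nor0":
0x00000000-0x00030000 : "uboot"
0x00030000-0x00040000 : "h/w setting"
0x004e10c0-0x007670c0 : "rootfs"
0x00040000-0x00050000 : "rgdb"
0x00050000-0x003f0000 : "upgrade"
0x003f0000-0x00790000 : "upgrade2"
0x00790000-0x007f0000 : "btagent"
0x00000000-0x00800000 : "flash"
0x00000000-0x00800000 : "<NULL>"
VFS: Mounted root (squashfs filesystem) readonly.
"""

PART_RE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "(.*)"$', re.I)
ROOT_RE = re.compile(r'\broot=/dev/mtdblock(\d+)\b')


def parse_mtd_partitions(log):
    """List of (index, name, start, end); index is the mtdN / mtdblockN number."""
    parts = []
    for line in log.splitlines():
        m = PART_RE.match(line.strip())
        if m:
            parts.append((len(parts), m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return parts


def root_partition(log):
    """The partition behind root=/dev/mtdblockN on the kernel command line, or None."""
    parts = parse_mtd_partitions(log)
    m = ROOT_RE.search(log)
    if m and int(m.group(1)) < len(parts):
        return parts[int(m.group(1))]
    return None


def overlaps(parts):
    """Name pairs of partitions that share flash.  Catch-all entries such as
    "flash" overlap everything by design; a rootfs inside an upgrade slot is
    the kind of overlap to know about before writing anything back."""
    found = []
    for i, (_, n1, s1, e1) in enumerate(parts):
        for _, n2, s2, e2 in parts[i + 1:]:
            if s1 < e2 and s2 < e1:
                found.append((n1, n2))
    return found


def fits(part, bytes_used):
    """True if a file system of bytes_used bytes fits in the partition.  The
    partition is normally the image rounded up to an alignment boundary: the
    0x286000-byte rootfs entry here holds the 0x285216-byte SquashFS image."""
    return bytes_used <= part[3] - part[2]


def layout(log):
    """Partition map as text, one line per mtd device."""
    return '\n'.join('mtd%d %-12s 0x%06x-0x%06x %8d bytes' % (i, n, s, e, e - s)
                     for i, n, s, e in parse_mtd_partitions(log))


if __name__ == '__main__':
    print(layout(SAMPLE_LOG))
    print('root:', root_partition(SAMPLE_LOG))
    print('overlaps:', overlaps(SAMPLE_LOG and parse_mtd_partitions(SAMPLE_LOG)))
```

Note the 0x20 difference between the kernel's "squashfs filesystem found at 0x4e10a0" line and the 0x4e10c0 start of the "rootfs" partition and of the superblock found with grep: the partition boundary and the dd skip value are the latter.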
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 30, 2012, 08:25:41 AM
good work my friend keep at it :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: JoshShep on January 31, 2012, 06:42:27 PM
Any more updates mate?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 31, 2012, 09:15:21 PM
Any more updates mate?

Any information obtained will be revealed, in good time.  ;)

Advice: "Nay harry a hacker".  ::)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 31, 2012, 09:19:06 PM
Any more updates mate?

Any information obtained will be revealed, in good time.  ;)

Advice: "Nay harry a hacker".  ::)

;) not that I'm any the wiser
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 31, 2012, 09:21:37 PM
Any more updates mate?

Hi Josh,

Debug output to the squashfs tools has been enabled.

From call tracing, it looks like ECI has achieved a 'lock-down' by patching the LZMA compression code for squashfs, the root file system used in the device. [1]

Specifically, code in the file LzmaDecode.c (part of the LZMA Software Development Kit [2]) is unexpectedly returning an LZMA_RESULT_DATA_ERROR when decoding one of the squashfs data blocks to a large file.

No obvious explanations yet for why that is happening!

It may simply be that Lantiq, who built the toolchain, has cobbled together an arbitrary version of squashfs with an arbitrary version of the LZMA decoder. 

We now have a compatible version of the squashfs tools (v.3.3) [3] insofar as the tools can correctly read the metadata of the file system: the superblock, the directory structures, the inodes and the data blocks.

The search now is to find a compatible version of LZMA Decode to correctly decompress those data blocks.

If the theory is correct, that version of LZMA decoder will have to be patched into squashfs, just as Lantiq is believed to have done.

cheers, a


[1] https://sourceforge.net/projects/squashfs/files/squashfs/
[2] https://sourceforge.net/projects/sevenzip/files/LZMA%20SDK/
[3] http://firmware-mod-kit.googlecode.com/svn-history/trunk/trunk/src/others/squashfs-3.3-lzma/
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on January 31, 2012, 09:35:33 PM
Any more updates mate?
Hi Josh,

Debug output to the squashfs tools has been enabled. From call tracing, it looks like ECI has achieved a 'vendor lock' by patching the LZMA compression code for squashfs, the root file system used in the ECI.

Specifically, code in the file LzmaDecode.c (part of the LZMA SDK) is unexpectedly returning an LZMA_RESULT_DATA_ERROR when decoding one of the squashfs data blocks to a large file.

No obvious explanations yet for why that is happening!

cheers, a

Bastardos!! I may have to have a poke around in some of the shell scripts that set up the VLANs on the LAN ports and see if I can allocate an IP to VLAN 102 that is associated with LAN 2
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on January 31, 2012, 10:24:36 PM
Hi uklad!

BT locked the Huawei by firewalling all LAN-side access to the device.   It is by dropping the relevant firewall rule(s) that LAN-side access is re-enabled.

In Linux, the kernel-level firewall is called netfilter. We can see from the ECI boot logs you uploaded that the code for netfilter is compiled 'monolithically' into the kernel image itself.

The kernel-side of the Linux firewalling framework is normally interfaced with the userspace using a tool called iptables. [1]

iptables is invoked by init scripts to define the firewall rule chains.

However, in the case of the ECI, that is not how it is done.

The kernel boot logs reveal the presence of the netfilter kernel modules but there is no sign of any corresponding iptables binary in the root file system.   As such, it's not clear how the firewall is actually configured.

The iptables tool is not strictly needed to configure the firewall. Its functioning could be replicated through kernel calls hidden away in other userspace code.  That's not a normal thing to do though.  Maybe it is being used here to obfuscate?

With a serial console, it should still be possible to determine exactly what is being run at boot time. And, in particular,  how and where the firewall is configured.  It's just a case of following the boot sequence.

The first userspace process executed by every Unix machine is '/sbin/init'.  The 'init' process is shown as process id (pid) #1.

In many embedded systems, /sbin/init is actually a symbolic link to /bin/busybox.  Busybox attempts to mimic the functionality of Unix System V initscripts, but without the resource overheads.

The init process loads its configuration from the file /etc/inittab [2]

That inittab config file identifies the scripts that are to be executed by the init process.

The code invoked by those scripts will configure the firewall.  ;-)

Studying those initscripts should reveal the nature of the firewalling, and how to remove the firewall rules. Ultimately this could be used to re-enable LAN-side access to the web interface.

cheers, a

[1] http://www.netfilter.org/
[2] http://www.kerneltravel.net/downloads/Building.Embedded.Linux.Systems.pdf (ch. 6.8)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on February 01, 2012, 06:09:47 PM
The squashfs tools are currently running on a development machine.

Igor Pavlov's LZMA (Lempel–Ziv–Markov Algorithm) used by squashfs to compress the data blocks in the ECI file system has been isolated. The algorithm can now be used to process an individual compressed data block from the file system. This allows each variant of LZMA to be tested for compatibility with the ECI.  At this stage it is suspected that no compatible version is publicly available.

First impressions are that Pavlov's decompression code has been modified at a very low-level by ECI and/or Lantiq. Those code tweaks serve as a mechanism to lock the device.

Those source-level modifications to LZMA have not been published.

ECI has a US$2.5 billion deal to supply DSLAMs and CPE to British Telecom. Surely those whose software is used by ECI in this equipment deserve a share in that bonanza.

cheers, a

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on February 03, 2012, 01:09:22 AM
Bit of an update..

The squashfs root file system of the ECI can be decompressed and extracted, with the exception of just two data blocks of ~20kBytes each. [1]

Code:
$ sudo ./unsquashfs ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
err -22
sqlzma_un: LZMA Unknown error 18446744073709551594
err -22
sqlzma_un: LZMA Unknown error 18446744073709551594

created 612 files
created 83 directories
created 118 symlinks
created 31 devices
created 0 fifos

$

A tarball of the uncompressed file system contents for the ECI, including those two corrupted blocks, can be found at [1].

The extraction requires a one-line patch to the read_data_block() function of the unsquashfs tool. The patch is simply to stop it aborting on error:

Code:
int read_data_block(long long start, unsigned int size, char *block)
{
    int res;
    unsigned long bytes = block_size;
    int c_byte = SQUASHFS_COMPRESSED_SIZE_BLOCK(size);

    TRACE("read_data_block: block @0x%llx, %d %s bytes\n", start,
          SQUASHFS_COMPRESSED_SIZE_BLOCK(c_byte),
          SQUASHFS_COMPRESSED_BLOCK(c_byte) ? "compressed" : "uncompressed");

    if(SQUASHFS_COMPRESSED_BLOCK(size)) {
        enum {Src, Dst};
        /* 'data' (the compressed input buffer) and 'un' (the sqlzma
         * decoder state) are file-scope globals in unsquashfs.c */
        struct sized_buf sbuf[] = {
            {.buf = (void *)data, .sz = c_byte},
            {.buf = (void *)block, .sz = bytes}
        };

        if(read_bytes(start, c_byte, data) == FALSE)
            return 0;

        res = sqlzma_un(&un, sbuf + Src, sbuf + Dst);
        if (res) {
            /* The one-line hack: log the decoder's error code and carry
             * on, instead of aborting the whole extraction.  Whatever
             * sqlzma_un managed to decode is handed back as-is. */
            TRACE("read_data_block: abort() because res = sqlzma_un = %08x\n", res);
            // abort();
        }
        bytes = un.un_reslen;
        return bytes;
    } else {
        if(read_bytes(start, c_byte, block) == FALSE)
            return 0;

        return c_byte;
    }
}
(the code is from the squashfs-3.3-lzma version [2])

This is an unsatisfactory hack. And it still doesn't explain why the decompression of 2 data blocks is failing while decompression of the remaining 150+ blocks is successful.

There are three principal configuration parameters to LZMA Decode. These are the number of literal context bits (lc), the position bits (pb) and the literal position bits (lp), where 0<=lc<=8, 0<=pb<=4, 0<=lp<=4.  I won't pretend to understand their role, but in total there are 225 (9*5*5) parameter options for the LZMA decoder.

The decoder was tested with every one of those 225 combinations against those two errant blocks. Yet no combination would work.  It is likely that the unpublished modification to the LZMA code, whatever it involves, is subtle enough to cause this obscure incompatibility.

An authority on compression algorithms is David Salomon. He is author of the book, Data Compression: The Complete Reference (3rd 4th Edition).  It is available from Amazon and as a PDF.   Chapter Three is dedicated to Dictionary-based compression schemes, of which LZMA is one. [3]

Chapter Three runs to ~80 pages, so it will take some digesting.   In the interim, a request has been filed with ECI for the publication of *all* the GPL'ed and LGPL'ed source code for this device.

Igor Pavlov, who originally designed LZMA, and graciously made his code open source is very accommodating to questions. Whatever it is that ECI-Lantiq-AlphaNetworks have done to nobble LZMA in this device, Pavlov may hopefully help us to find out.  [4]

Another leading light in his field is Armijn Hemel.  Hemel is the co-founder of the Binary Analysis Tool (BAT) project. [5]   BAT is a forensic tool for discovering violations in software licensing, such as those we have uncovered in this ECI equipment.   The BAT project is studying the use of file system tweaks to lock an embedded device.  BAT documents the squashfs tweaks used by several manufacturers, including Realtek, RaLink and Broadcom. The ECI tweak is sadly not amongst those documented (but watch this space!)

Armijn Hemel is also lead compliance engineer at gpl-violations.org, an organisation that actively pursues errant corporations that have stolen others' software for their own enrichment. [6]

Hemel and colleagues take particular interest in securing the Intellectual Property Rights of the BusyBox project. BusyBox is an efficient, multi-function utility for embedded hardware.  ECI, like many other router manufacturers, has misappropriated BusyBox for the firmware to this FTTC device. BusyBox is GPL licensed, and the terms of that licence are perfectly clear.

ECI publishes a glossy brochure affirming its Corporate Responsibilities. One of those commitments is to abide by international treaties and obligations as well as local law.

ECI must put those solemn words into practice. That means no less than the full publication of all source code for all (L)GPL'ed licensed software used in this device.  In the past, ECI had a poor track record for GPL Compliance. It is time to rectify that. Today, General Counsel (and Vice President) for ECI is Arnie Taragin.

So Cough up the Code, Arnie!


[1] https://docs.google.com/leaf?id=0B6wW18m.. (https://docs.google.com/leaf?id=0B6wW18mYskvBOTU2N2E2NzUtYWM1MS00ZWI5LTg5ZmItZThiMjIzZDI4N2M3&hl=en_US)
[2] http://code.google.com/p/firmware-mod-kit/source/browse/trunk/trunk/src/others/?r=282
[3] http://www.amazon.com/Data-Compression-Reference-David-Salomon/dp/0387406972
[4] https://sourceforge.net/projects/sevenzip/forums/forum/45797
[5] http://www.binaryanalysis.org/en/home
[6] http://www.nytimes.com/2010/09/26/business/26ping.html
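The 225 (lc, lp, pb) combinations tried above are all packed into the single properties byte that leads the LZMA SDK's 13-byte block header (props, then a little-endian 32-bit dictionary size and a 64-bit uncompressed size). The following is an added example, not code from the thread, from squashfs or from the LZMA SDK: it decodes and encodes that byte, parses a header, and repeats the 225-combination sweep using Python's stdlib lzma (liblzma) as the decoder. The ECI blocks were tested with the SDK's LzmaDecode, so liblzma's verdicts may differ in detail; liblzma also always writes the "size unknown" sentinel (all 0xFF) plus an end marker when it produces a block, unlike the ECI blocks, which store a real size. The sample block is constructed here, and the header bytes come from the hexdump quoted later in the thread.

```python
"""LZMA properties byte and LZMA_Alone header helpers, plus the 225-way
(lc, lp, pb) sweep.  Added example; assumes only the Python stdlib."""
import lzma
import struct

HEADER_LEN = 13                    # props(1) + dict_size(4, LE) + usize(8, LE)
SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF  # "size not stored; stream carries an end marker"

# Constructed from the xxd output of a good ECI block quoted later in the thread.
PAGE_HEADER = bytes.fromhex("5d00 0080 0000 0001 0000 0000 00")


def encode_props(lc, lp, pb):
    """Pack lc/lp/pb into the one properties byte (LZMA SDK layout)."""
    if not (0 <= lc <= 8 and 0 <= lp <= 4 and 0 <= pb <= 4):
        raise ValueError("lc must be 0..8, lp and pb must be 0..4")
    return (pb * 5 + lp) * 9 + lc


def decode_props(props):
    """Inverse of encode_props; the 31 byte values >= 225 encode nothing."""
    if not 0 <= props < 225:
        raise ValueError("invalid LZMA properties byte 0x%02x" % props)
    lc, rest = props % 9, props // 9
    return lc, rest % 5, rest // 5


def parse_header(block):
    """Split the 13-byte header of an LZMA_Alone block into its fields."""
    props, dict_size, usize = struct.unpack("<BIQ", block[:HEADER_LEN])
    lc, lp, pb = decode_props(props)
    return {"props": props, "lc": lc, "lp": lp, "pb": pb,
            "dict_size": dict_size, "uncompressed_size": usize}


def build_header(lc, lp, pb, dict_size, usize=SIZE_UNKNOWN):
    """Build a header; useful for re-writing a block's size or props fields."""
    return struct.pack("<BIQ", encode_props(lc, lp, pb), dict_size, usize)


def try_decode(block):
    """Decode one LZMA_Alone block; None if liblzma rejects it."""
    try:
        return lzma.decompress(block, format=lzma.FORMAT_ALONE)
    except lzma.LZMAError:
        return None


def sweep_props(block):
    """The 225-combination test from the thread: rewrite only the properties
    byte and record every (lc, lp, pb) the decoder accepts, with output length."""
    accepted = {}
    for pb in range(5):
        for lp in range(5):
            for lc in range(9):
                candidate = bytes([encode_props(lc, lp, pb)]) + block[1:]
                out = try_decode(candidate)
                if out is not None:
                    accepted[(lc, lp, pb)] = len(out)
    return accepted


def make_sample_block(payload):
    """Constructed test input: an LZMA_Alone stream written by liblzma."""
    return lzma.compress(payload, format=lzma.FORMAT_ALONE)


if __name__ == "__main__":
    print("ECI header:", parse_header(PAGE_HEADER))
    blk = make_sample_block(b"squashfs block " * 2000)
    print("sample header:", parse_header(blk))
    print("accepted (lc, lp, pb):", sweep_props(blk))
```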
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Orbixx on February 03, 2012, 06:44:51 PM
Been rummaging through your filesystem dump to look for scripts configuring the modem to be 'locked down'. No dice. Would put money on said files being in that block you can't get to.

That, or it's configured by some arbitrary binary that I've overlooked.

Edit: Also, quite an amusing and bemusing "default" response by Mr Pavlov over at Sourceforge where you raised the issue. But it does indeed look like there are no licensing issues arising from providing a mangled LZMA filesystem due to the LZMA SDK being released into the public domain.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on February 03, 2012, 07:09:00 PM
Been rummaging through your filesystem dump to look for scripts configuring the modem to be 'locked down'. No dice. Would put money on said files being in that block you can't get to.

That, or it's configured by some arbitrary binary that I've overlooked.

Edit: Also, quite an amusing and bemusing "default" response by Mr Pavlov over at Sourceforge where you raised the issue.

I have been working on this; I have only just got in from work right now so I cannot elaborate, but it appears LAN port 2 is disabled on boot-up, then put on VLAN 102 and bridged with the VDSL (I think). Not only that, the telnet and HTTP servers are disabled on boot. I found a script that enables the HTTP server and telnet, but I have been unable to reactivate LAN 2..
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on February 03, 2012, 07:11:22 PM
This is an unsatisfactory hack. And it still doesn't explain why the decompression of 2 data blocks is failing while decompression of the remaining 150+ blocks is successful.

Is it possible I have done a bad NAND dump ?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on February 03, 2012, 11:06:33 PM
Hi Orbixx!

Been rummaging through your filesystem dump to look for scripts configuring the modem to be 'locked down'. No dice. Would put money on said files being in that block you can't get to.

That, or it's configured by some arbitrary binary that I've overlooked.

Indeedy.  It's not all bad news though. All the web resources are accessible, and we now know there's a telnet daemon in the firmware.

Quote
Edit: Also, quite an amusing and bemusing "default" response by Mr Pavlov over at Sourceforge where you raised the issue.

Mr Pavlov seems unfamiliar with these file system locks which are built upon his own compression scheme. [1]  Whoever is designing those locks for various manufacturers must have a deep working knowledge of the LZMA compression scheme.

Quote
But it does indeed look like there are no licensing issues arising from providing a mangled LZMA filesystem due to the LZMA SDK being released into the public domain.

Hmm... I ain't no lawyer (so please ignore at your pleasure) but Phillip Lougher released his squashfs Linux kernel device driver under the GNU GPL. As such, the LZMA patch to squashfs is a "derived" or "derivative" work.  So the LZMA squashfs patch is surely GPL'ed, too. This case is reinforced when the squashfs code is compiled into the kernel image, as it is in the ECI firmware.

At least that's how I read it.   But then I'm not a lawyer!

cheers, a

[1] https://tjaldur.nl:8443/repos/gpltool/trunk/bat-extratools/
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on February 03, 2012, 11:10:14 PM
This is an unsatisfactory hack. And it still doesn't explain why the decompression of 2 data blocks is failing while decompression of the remaining 150+ blocks is successful.

Is it possible I have done a bad NAND dump ?

You done good :-)

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on February 12, 2012, 11:27:40 PM
Not an update as such, just some links to material that may interest others.

David Salomon is the author of the book Data Compression - The Complete Reference. The book is now in its fourth edition.  A small excerpt from the chapter on Dictionary Methods of compression is attached.  The Dictionary-based LZMA scheme used to compress the root file system in the ECI is briefly addressed in those excerpted pages.

Igor Pavlov has kindly replied to inquiries about the tweaking of LZMA as a locking mechanism for embedded file systems.  [1]

He suggests that perhaps the headers of the two corrupted data blocks from the ECI root file system and, specifically the header field containing the uncompressed size of those data blocks, may have been corrupted in some way.

This theory has yet to be tested. However, the two corrupted blocks happen to be in the middle of two files, rather than at the ends of them. It's difficult to see how corrupting the header in this way would work.

Pavlov points to a thread from 2010 from the squashfs mailing list where a similar problem was discussed.  Phillip Lougher, who designed squashfs, and Lasse Collin who designed XZ, an updated compression tool, discuss the backward compatibility of LZMA(1).  [2]

In that thread, Lougher helpfully lists the different tools offering LZMA decompression. This codebase includes Pavlov's LZMA SDK,  Collin's liblzma, and the lzma1 decompressor from the Linux kernel.

Surprisingly, the Wikipedia entry for LZMA has a reasonably coherent article on the algorithm. [3]

In the manual for LZip which is a "simplified version of the LZMA algorithm", the author of LZip, Antonio Diaz Diaz, briefly describes the range encoder that is the engine at the heart of the LZMA compression scheme.   [4]

cheers, a

[1] http://sourceforge.net/projects/sevenzip/forums/forum/45797/topic/4994244
[2] http://old.nabble.com/Squashfs-4.1-creates-invalid-.lzma-streams-td30217833.html
[3] http://en.wikipedia.org/wiki/Lempel%E2%80%93Ziv%E2%80%93Markov_chain_algorithm
[4] http://lzip.nongnu.org/manual/lzip_manual.html#Algorithm


Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on February 13, 2012, 04:12:27 PM
Maybe a stupid question, but do you get the same decompression issue with the fail-safe firmware?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on February 13, 2012, 07:58:31 PM
Hi uklad,

Both of the squashfs-lzma file systems found in the ECI firmware (identified below as ecirootfs1 and ecirootfs2) cause the LZMA decoder to throw an error:

Code:
$ cd ~/Documents/btinfinity/eci_asbo001/squashfs-3.3-lzma-asbo001/squashfs3.3/squashfs-tools

$ ls -ln ecirootfs*
-rw-r--r--  1 1000 1000 2641669 Feb 14  2011 06:44 ecirootfs1
-rw-r--r--  1 1000 1000 2642454 Aug  9  2011 04:31 ecirootfs2

Here is ecirootfs1, which is the older of the two file systems. As such it is the slave, or the 'fail-safe':

Code:
$ sudo ./unsquashfs -d ./ecirootfs1-squashfs-root/ ecirootfs1
Reading a different endian SQUASHFS filesystem on ecirootfs1
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594

created 612 files
created 83 directories
created 118 symlinks
created 31 devices
created 0 fifos
$

And now ecirootfs2, the newer of the two squashfs images from the ECI firmware:

Code:
$ sudo ./unsquashfs -d ./ecirootfs2-squashfs-root/ ecirootfs2
Reading a different endian SQUASHFS filesystem on ecirootfs2
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594

created 612 files
created 83 directories
created 118 symlinks
created 31 devices
created 0 fifos
$

We should check whether the decompression errors are occurring in the same block numbers in those two different file systems.  This could give a better insight into the locking mechanism, and its implementation.

For curiosity's sake, here is a diff of the two root file systems - the main and the slave - from the ECI firmware. We can see that there are binary differences in the busybox binary. This causes diffs for all symlinks to busybox (e.g. /bin/cat, /bin/chmod, etc.).  Once those duplicate diffs are ignored, the two file systems are very similar.

Noteworthy is that there are differences in the Lantiq DSP hardware driver blob (xcpe_hw.bin).

Code:
$ diff -r ecirootfs*-squ*
Binary files ecirootfs1-squashfs-root/bin/busybox and ecirootfs2-squashfs-root/bin/busybox differ
Binary files ecirootfs1-squashfs-root/bin/cat and ecirootfs2-squashfs-root/bin/cat differ
Binary files ecirootfs1-squashfs-root/bin/chmod and ecirootfs2-squashfs-root/bin/chmod differ
Binary files ecirootfs1-squashfs-root/bin/cp and ecirootfs2-squashfs-root/bin/cp differ
Binary files ecirootfs1-squashfs-root/bin/date and ecirootfs2-squashfs-root/bin/date differ
Binary files ecirootfs1-squashfs-root/bin/dd and ecirootfs2-squashfs-root/bin/dd differ
Binary files ecirootfs1-squashfs-root/bin/df and ecirootfs2-squashfs-root/bin/df differ
Binary files ecirootfs1-squashfs-root/bin/echo and ecirootfs2-squashfs-root/bin/echo differ
Binary files ecirootfs1-squashfs-root/bin/egrep and ecirootfs2-squashfs-root/bin/egrep differ
Binary files ecirootfs1-squashfs-root/bin/false and ecirootfs2-squashfs-root/bin/false differ
Binary files ecirootfs1-squashfs-root/bin/fgrep and ecirootfs2-squashfs-root/bin/fgrep differ
Binary files ecirootfs1-squashfs-root/bin/grep and ecirootfs2-squashfs-root/bin/grep differ
Binary files ecirootfs1-squashfs-root/bin/gunzip and ecirootfs2-squashfs-root/bin/gunzip differ
Binary files ecirootfs1-squashfs-root/bin/gzip and ecirootfs2-squashfs-root/bin/gzip differ
Binary files ecirootfs1-squashfs-root/bin/kill and ecirootfs2-squashfs-root/bin/kill differ
Binary files ecirootfs1-squashfs-root/bin/ln and ecirootfs2-squashfs-root/bin/ln differ
Binary files ecirootfs1-squashfs-root/bin/login and ecirootfs2-squashfs-root/bin/login differ
Binary files ecirootfs1-squashfs-root/bin/ls and ecirootfs2-squashfs-root/bin/ls differ
Binary files ecirootfs1-squashfs-root/bin/mkdir and ecirootfs2-squashfs-root/bin/mkdir differ
Binary files ecirootfs1-squashfs-root/bin/mknod and ecirootfs2-squashfs-root/bin/mknod differ
Binary files ecirootfs1-squashfs-root/bin/more and ecirootfs2-squashfs-root/bin/more differ
Binary files ecirootfs1-squashfs-root/bin/mount and ecirootfs2-squashfs-root/bin/mount differ
Binary files ecirootfs1-squashfs-root/bin/msh and ecirootfs2-squashfs-root/bin/msh differ
Binary files ecirootfs1-squashfs-root/bin/mv and ecirootfs2-squashfs-root/bin/mv differ
Binary files ecirootfs1-squashfs-root/bin/ping and ecirootfs2-squashfs-root/bin/ping differ
Binary files ecirootfs1-squashfs-root/bin/ps and ecirootfs2-squashfs-root/bin/ps differ
Binary files ecirootfs1-squashfs-root/bin/pwd and ecirootfs2-squashfs-root/bin/pwd differ
Binary files ecirootfs1-squashfs-root/bin/rm and ecirootfs2-squashfs-root/bin/rm differ
Binary files ecirootfs1-squashfs-root/bin/sed and ecirootfs2-squashfs-root/bin/sed differ
Binary files ecirootfs1-squashfs-root/bin/sh and ecirootfs2-squashfs-root/bin/sh differ
Binary files ecirootfs1-squashfs-root/bin/sleep and ecirootfs2-squashfs-root/bin/sleep differ
Binary files ecirootfs1-squashfs-root/bin/touch and ecirootfs2-squashfs-root/bin/touch differ
Binary files ecirootfs1-squashfs-root/bin/true and ecirootfs2-squashfs-root/bin/true differ
Binary files ecirootfs1-squashfs-root/bin/umount and ecirootfs2-squashfs-root/bin/umount differ
Binary files ecirootfs1-squashfs-root/bin/uname and ecirootfs2-squashfs-root/bin/uname differ
Binary files ecirootfs1-squashfs-root/bin/usleep and ecirootfs2-squashfs-root/bin/usleep differ
Binary files ecirootfs1-squashfs-root/bin/zcat and ecirootfs2-squashfs-root/bin/zcat differ

[..snipped - errors from missing symlinks and from reading device nodes..]

diff -r ecirootfs1-squashfs-root/etc/config/builddate ecirootfs2-squashfs-root/etc/config/builddate
1c1
< 2011-02-14 14:44
---
> 2011-08-09 11:31
diff -r ecirootfs1-squashfs-root/etc/config/buildno ecirootfs2-squashfs-root/etc/config/buildno
1c1
< b2ee
---
> b89b
diff -r ecirootfs1-squashfs-root/etc/config/buildrev ecirootfs2-squashfs-root/etc/config/buildrev
1c1
< 3067
---
> 3123
Binary files ecirootfs1-squashfs-root/etc/config/defaultvalue.gz and ecirootfs2-squashfs-root/etc/config/defaultvalue.gz differ
Binary files ecirootfs1-squashfs-root/ifx/vdsl2/drv_dsl_cpe_api.ko and ecirootfs2-squashfs-root/ifx/vdsl2/drv_dsl_cpe_api.ko differ
Binary files ecirootfs1-squashfs-root/ifx/vdsl2/drv_ifxos.ko and ecirootfs2-squashfs-root/ifx/vdsl2/drv_ifxos.ko differ
Binary files ecirootfs1-squashfs-root/ifx/vdsl2/xcpe_hw.bin and ecirootfs2-squashfs-root/ifx/vdsl2/xcpe_hw.bin differ
Binary files ecirootfs1-squashfs-root/lib/libsystem.so and ecirootfs2-squashfs-root/lib/libsystem.so differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/connector/cn.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/connector/cn.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/dummy.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/dummy.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/platform/vr9/e5/ifxmips_ppa_datapath_vr9_e5.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/platform/vr9/e5/ifxmips_ppa_datapath_vr9_e5.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/platform/vr9/e5/ifxmips_ppa_hal_vr9_e5.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/platform/vr9/e5/ifxmips_ppa_hal_vr9_e5.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/ppa_api/ifx_ppa_api.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/ppa_api/ifx_ppa_api.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/ppa_api/ifx_ppa_api_proc.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/drivers/net/ifxmips_ppa/ppa_api/ifx_ppa_api_proc.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/fs/configfs/configfs.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/fs/configfs/configfs.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/security/capability.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/security/capability.ko differ
Binary files ecirootfs1-squashfs-root/lib/modules/2.6.20.19/kernel/security/commoncap.ko and ecirootfs2-squashfs-root/lib/modules/2.6.20.19/kernel/security/commoncap.ko differ
Binary files ecirootfs1-squashfs-root/sbin/getty and ecirootfs2-squashfs-root/sbin/getty differ
Binary files ecirootfs1-squashfs-root/sbin/ifconfig and ecirootfs2-squashfs-root/sbin/ifconfig differ
Binary files ecirootfs1-squashfs-root/sbin/init and ecirootfs2-squashfs-root/sbin/init differ
Binary files ecirootfs1-squashfs-root/sbin/insmod and ecirootfs2-squashfs-root/sbin/insmod differ
Binary files ecirootfs1-squashfs-root/sbin/lsmod and ecirootfs2-squashfs-root/sbin/lsmod differ
Binary files ecirootfs1-squashfs-root/sbin/mdev and ecirootfs2-squashfs-root/sbin/mdev differ
Binary files ecirootfs1-squashfs-root/sbin/modprobe and ecirootfs2-squashfs-root/sbin/modprobe differ
Binary files ecirootfs1-squashfs-root/sbin/reboot and ecirootfs2-squashfs-root/sbin/reboot differ
Binary files ecirootfs1-squashfs-root/sbin/rmmod and ecirootfs2-squashfs-root/sbin/rmmod differ
Binary files ecirootfs1-squashfs-root/sbin/route and ecirootfs2-squashfs-root/sbin/route differ
Binary files ecirootfs1-squashfs-root/sbin/swapoff and ecirootfs2-squashfs-root/sbin/swapoff differ
Binary files ecirootfs1-squashfs-root/sbin/swapon and ecirootfs2-squashfs-root/sbin/swapon differ
Binary files ecirootfs1-squashfs-root/sbin/sysctl and ecirootfs2-squashfs-root/sbin/sysctl differ
Binary files ecirootfs1-squashfs-root/usr/bin/[ and ecirootfs2-squashfs-root/usr/bin/[ differ
Binary files ecirootfs1-squashfs-root/usr/bin/basename and ecirootfs2-squashfs-root/usr/bin/basename differ
Binary files ecirootfs1-squashfs-root/usr/bin/cut and ecirootfs2-squashfs-root/usr/bin/cut differ
Binary files ecirootfs1-squashfs-root/usr/bin/dirname and ecirootfs2-squashfs-root/usr/bin/dirname differ
Binary files ecirootfs1-squashfs-root/usr/bin/expr and ecirootfs2-squashfs-root/usr/bin/expr differ
Binary files ecirootfs1-squashfs-root/usr/bin/free and ecirootfs2-squashfs-root/usr/bin/free differ
Binary files ecirootfs1-squashfs-root/usr/bin/killall and ecirootfs2-squashfs-root/usr/bin/killall differ
Binary files ecirootfs1-squashfs-root/usr/bin/logger and ecirootfs2-squashfs-root/usr/bin/logger differ
Binary files ecirootfs1-squashfs-root/usr/bin/mpstat and ecirootfs2-squashfs-root/usr/bin/mpstat differ
Binary files ecirootfs1-squashfs-root/usr/bin/test and ecirootfs2-squashfs-root/usr/bin/test differ
Binary files ecirootfs1-squashfs-root/usr/bin/test_agent and ecirootfs2-squashfs-root/usr/bin/test_agent differ
Binary files ecirootfs1-squashfs-root/usr/bin/tftp and ecirootfs2-squashfs-root/usr/bin/tftp differ
Binary files ecirootfs1-squashfs-root/usr/bin/top and ecirootfs2-squashfs-root/usr/bin/top differ
Binary files ecirootfs1-squashfs-root/usr/bin/tr and ecirootfs2-squashfs-root/usr/bin/tr differ
Binary files ecirootfs1-squashfs-root/usr/bin/uptime and ecirootfs2-squashfs-root/usr/bin/uptime differ
Binary files ecirootfs1-squashfs-root/usr/bin/wc and ecirootfs2-squashfs-root/usr/bin/wc differ
Binary files ecirootfs1-squashfs-root/usr/bin/wget and ecirootfs2-squashfs-root/usr/bin/wget differ
Binary files ecirootfs1-squashfs-root/usr/bin/yes and ecirootfs2-squashfs-root/usr/bin/yes differ
Binary files ecirootfs1-squashfs-root/usr/sbin/cfm and ecirootfs2-squashfs-root/usr/sbin/cfm differ
$

The file /etc/config/defaultvalue.gz also looks interesting.  It is a compressed XML-based configuration file for the modem.

Note the XML element <activate> found under <lantiq_vr9_generic_asl56026><switch><port id="2"><activate>0</activate> in that config file.   Presumably, by setting that element value to 1, the second ethernet port on the modem is re-activated.  The element <lan_access_cpe_enable> probably needs to have a value of 1, as well.

Code:
$ cat ecirootfs2-squashfs-root/etc/config/defaultvalue.gz | gunzip

<lantiq_vr9_generic_asl56026>
<check>
<is_factory>factory</is_factory>
</check>
<vdsl2>
<infineon>
<fw_variant>VA</fw_variant>
<annex>A</annex>
<adsl_encaps>1</adsl_encaps>
<default_vpi_vci>1</default_vpi_vci>
<line_config>
<filter>0</filter>
<hw_hybrid>2</hw_hybrid>
<line_mode>102</line_mode>
</line_config>
</infineon>
</vdsl2>
<switch>
<bypass_mode>0</bypass_mode>
<lan_access_cpe_enable>0</lan_access_cpe_enable>
<discard_specific_pkt>1</discard_specific_pkt>
<igmp_queue>3</igmp_queue>
<port id="1">
<vid>101</vid>
<pri>2</pri>
<loopback>0</loopback>
<activate>1</activate>
<special_vlan>0</special_vlan>
</port>
<port id="2">
<vid>102</vid>
<pri>7</pri>
<loopback>0</loopback>
<activate>0</activate>
<special_vlan>0</special_vlan>
</port>
</switch>
<wan>
<physical_type>1</physical_type>
<enable_dhcp60>0</enable_dhcp60>
<dhcp_option60></dhcp_option60>
<enable_dhcp61>0</enable_dhcp61>
<dhcp_iaid></dhcp_iaid>
<dhcp_duid>0</dhcp_duid>
<enable_dhcp125>0</enable_dhcp125>
<dhcp_option125></dhcp_option125>
<enable_prepadt>0</enable_prepadt>
<dsl>
<defaultroute>1</defaultroute>
<inf id="1">
<mode>1</mode>
<enable>1</enable>
<atm>
<pvc>
<settings>
<vpi>8</vpi>
<vci>35</vci>
</settings>
</pvc>
</atm>
<ptm>
<vtag>
<settings>
<connection>connection1</connection>
<enable>1</enable>
<vid>301</vid>
<priority>5</priority>
<bt>
<enable>1</enable>
<wan_vid1>101</wan_vid1>
<wan_vid2>102</wan_vid2>
</bt>
</settings>
</vtag>
</ptm>
<dhcp>
<hostname></hostname>
<clonemac></clonemac>
<autodns>1</autodns>
<mtu>1500</mtu>
</dhcp>
<static>
<mode>1</mode>
<ip>5.60.39.51</ip>
<netmask>255.0.0.0</netmask>
<gateway>5.21.97.200</gateway>
<clonemac></clonemac>
<mtu>1500</mtu>
</static>
</inf>

[...snipped...]

</lantiq_vr9_generic_asl56026>

The decompressed modem config file from ecirootfs2 is attached below.

cheers, a

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on February 14, 2012, 04:14:28 PM
Interesting. I spent some time trying to get port 2 active with no luck..

Do you know what files are failing during the decompression?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on February 14, 2012, 07:46:51 PM
Hi uklad,

Interesting. I spent some time trying to get port 2 active with no luck..

One trick is as follows:

Copy that file /etc/config/defaultvalue.gz from the squashfs read-only root file system to a read-write file system (e.g. a ramdisk).

Modify that read-writable copy with the desired configurations.

Re-mount the modified file over the top of the original in the read-only squashfs.

(See the Linux/busybox manpage for mount, and the --bind option.)

Force the config software - the firmware utility that actually reads the contents of that file - to re-load it.

Since this doesn't modify the squashfs system it is non-destructive.  The hack is described well by paul at sbrk.co.uk at [1].

Quote
do you know what files are failing during the decompression..

One of those two bad LZMA data blocks is in the middle of the 461,960 byte busybox binary.  It is block #7 of 8, @ 0x32edc in ecirootfs2

Igor Pavlov's suggestions are currently under test.  His theory is that maybe just the data block headers are corrupted, while the data in those blocks is actually okay.

Each data block in the squashfs-lzma file system is prepended with a 13-byte LZMA header. This header contains an 8-bit field in which the lc, lp and pb parameters for the LZMA decoder are stored, as well as a 32-bit field to hold the dictionary size, and a 64-bit field for the uncompressed size of the block.

Below we can see the header from a good block (test1.lzma) and then the header of a bad block (test2.lzma).  Both headers are clearly identical.   Both have a decoder configuration of 0x5d, both use a dictionary size of 0x800000 (8Mbytes), and both blocks apparently uncompress to a size of 0x10000 (65,536) bytes.

Code:
$ cd ~/Documents/btinfinity/eci_asbo001/lzma439_asbo002/C/7zip/Compress/LZMA_C

$ xxd -l 13 test1.lzma
0000000: 5d00 0080 0000 0001 0000 0000 00         ]............

$ xxd -l 13 test2.lzma
0000000: 5d00 0080 0000 0001 0000 0000 00         ]............

What Igor Pavlov is suggesting is that perhaps the value in the uncompressed size field of a bad block has been faked. When the LZMA decoder discovers at run-time that the uncompressed size is not what it expected, the decoder aborts with an error.   Igor Pavlov says that perhaps this is the method used for locking the squashfs file system in the ECI.

The easiest way to test that theory is to repeatedly feed the same bad data block through the LZMA decoder.  In each iteration, the uncompressed size field is increased.  This is repeated until an error is reported by the LZMA decoder.

That's what is shown below.   We can see that the compressed bitstream in the bad data block can be decoded up until byte 31,869.  Remember, however, that in the header of that data block, the uncompressed size of the block was recorded as 65,536 bytes.

This identifies one of two things. 

Either it reveals the genuine uncompressed size of the data block, or it reveals the point at which the compressed bitstream is corrupted (forcing the decoder to abort.)

Code:
$ ./lzmadec test2.lzma test2.bin
Opened test2.lzma
compressedSize = 17129
outSizeFull = 65536
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17079) : returned res = 0 (success) -- inProcessed = 7525, outProcessed = 17079
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17080) : returned res = 0 (success) -- inProcessed = 7525, outProcessed = 17080
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17081) : returned res = 0 (success) -- inProcessed = 7525, outProcessed = 17081
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17082) : returned res = 0 (success) -- inProcessed = 7525, outProcessed = 17082
Calling LzmaDecode(compressedSize = 17129, estimOutSize = 17083) : returned res = 0 (success) -- inProcessed = 7527, outProcessed = 17083
 [.. snipped ..]
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31866) : returned res = 0 (success) -- inProcessed = 12067, outProcessed = 31866
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31867) : returned res = 0 (success) -- inProcessed = 12067, outProcessed = 31867
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31868) : returned res = 0 (success) -- inProcessed = 12069, outProcessed = 31868
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31869) : returned res = 0 (success) -- inProcessed = 12069, outProcessed = 31869
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31870) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31871) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31872) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31873) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31874) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31875) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
 [.. snipped ..]

By way of reference, here is the output from the same test performed on the good data block.  We can see that it successfully decodes the block up until byte 65,536. That is correct insofar as it matches the uncompressed size reported in the block header.

Code: [Select]
$ ./lzmadec test1.lzma test1.bin
Opened test1.lzma
compressedSize = 25826
outSizeFull = 65536
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25776) : returned res = 0 (success) -- inProcessed = 10700, outProcessed = 25776
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25777) : returned res = 0 (success) -- inProcessed = 10701, outProcessed = 25777
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25778) : returned res = 0 (success) -- inProcessed = 10701, outProcessed = 25778
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25779) : returned res = 0 (success) -- inProcessed = 10701, outProcessed = 25779
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 25780) : returned res = 0 (success) -- inProcessed = 10702, outProcessed = 25780
 [.. snipped ..]
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65530) : returned res = 0 (success) -- inProcessed = 25824, outProcessed = 65530
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65531) : returned res = 0 (success) -- inProcessed = 25824, outProcessed = 65531
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65532) : returned res = 0 (success) -- inProcessed = 25824, outProcessed = 65532
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65533) : returned res = 0 (success) -- inProcessed = 25826, outProcessed = 65533
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65534) : returned res = 0 (success) -- inProcessed = 25826, outProcessed = 65534
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65535) : returned res = 0 (success) -- inProcessed = 25826, outProcessed = 65535
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65536) : returned res = 0 (success) -- inProcessed = 25826, outProcessed = 65536
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65537) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65538) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65539) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65540) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65541) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65542) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 25826, estimUncompSize = 65543) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
 [.. snipped ..]

It looks like the hack goes deeper than just faking the LZMA header fields. The compressed bitstream itself has been tweaked.

In those tests where the bad data block was repeatedly fed to the LZMA decoder, we can study the last good iteration before a decoding error occurred:

Code: [Select]
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31869) : returned res = 0 (success) -- inProcessed = 12069, outProcessed = 31869

We can see that the decoder has only processed 12069 bytes out of 17129 bytes in the compressed datastream. For the hacked header theory to be correct, it would mean here that the compressed block has 5060 'dead' bytes of padding.  (17129-12069 = 5060).

If the hack just involved a header hack, there would be no point in doing that.  It would be unnecessary and wasteful. The uncompressed block size only needs to be faked by one byte. That will still cause a decode failure. There's no point in faking the size by 5060 bytes, and then padding the compressed datastream with all those pointless bytes.

It's still a working theory though, so there may be something in it.. :-)

cheers, a

[1] http://www.sbrk.co.uk/hw553/general/rofs.html
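Added example, not from the post or the LZMA SDK: a parser for the 13-byte .lzma header shown above, the header rewrite that the iterative lzmadec test turns on each pass, and a parser for the lzmadec log lines that pulls out the last good iteration and the unused-input count discussed above. The sample header and log lines are copied from this post; the function names are my own.

```python
import re
import struct

LZMA_HEADER_LEN = 13                  # props(1) + dict size(4) + uncompressed size(8)
SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF     # "unknown" size: the stream then ends with an end marker

# Sample input copied from the post: the header both test1.lzma and test2.lzma carry.
SAMPLE_HEADER = bytes.fromhex("5d 00 00 80 00 00 00 01 00 00 00 00 00")

# Sample input copied from the post's lzmadec run on the bad block (test2.lzma),
# trimmed to the iterations around the point where decoding stops succeeding.
SAMPLE_LOG = """\
$ ./lzmadec test2.lzma test2.bin
Opened test2.lzma
compressedSize = 17129
outSizeFull = 65536
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31868) : returned res = 0 (success) -- inProcessed = 12069, outProcessed = 31868
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31869) : returned res = 0 (success) -- inProcessed = 12069, outProcessed = 31869
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31870) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
Calling LzmaDecode(compressedSize = 17129, estimUncompSize = 31871) : returned res = 1 (fail) -- inProcessed = 0, outProcessed = 0
"""


def parse_lzma_header(block):
    """Decode the .lzma ("LZMA alone") header at the start of a compressed block."""
    if len(block) < LZMA_HEADER_LEN:
        raise ValueError("block shorter than an .lzma header")
    props, dict_size, usize = struct.unpack("<BIQ", block[:LZMA_HEADER_LEN])
    if props >= 9 * 5 * 5:
        raise ValueError("invalid properties byte 0x%02x" % props)
    # props = (pb * 5 + lp) * 9 + lc, so 0x5d means lc=3, lp=0, pb=2
    lc = props % 9
    lp = (props // 9) % 5
    pb = props // 45
    return {
        "props": props, "lc": lc, "lp": lp, "pb": pb,
        "dict_size": dict_size,
        "uncompressed_size": None if usize == SIZE_UNKNOWN else usize,
    }


def with_uncompressed_size(block, size):
    """Return a copy of block whose header claims a different uncompressed size.
    This is the field the lzmadec loop bumps by one on every iteration."""
    parse_lzma_header(block)   # validate before rewriting
    return block[:5] + struct.pack("<Q", size) + block[LZMA_HEADER_LEN:]


# One line of lzmadec output. The tool prints estimOutSize in early iterations and
# estimUncompSize in later ones, so accept both spellings.
PROBE_LINE = re.compile(
    r"Calling LzmaDecode\(compressedSize = (\d+), estim(?:Out|Uncomp)Size = (\d+)\)"
    r" : returned res = (\d+) \((success|fail)\) -- inProcessed = (\d+), outProcessed = (\d+)"
)


def analyse_probe_log(log):
    """Find the last successful iteration in an lzmadec probe log and report how much
    of the compressed input the decoder had consumed at that point."""
    compressed_size = None
    last_ok = None
    first_fail = None
    for m in PROBE_LINE.finditer(log):
        compressed_size = int(m.group(1))
        estimate = int(m.group(2))
        if m.group(4) == "success":
            last_ok = (estimate, int(m.group(5)), int(m.group(6)))
        elif first_fail is None:
            first_fail = estimate
    if last_ok is None:
        return None
    _, in_processed, out_processed = last_ok
    return {
        "compressed_size": compressed_size,
        "decodable_bytes": out_processed,                 # where the bitstream stops decoding
        "input_consumed": in_processed,
        "input_unused": compressed_size - in_processed,   # the "dead bytes" question
        "first_failing_size": first_fail,
    }


def header_consistent(block, probe):
    """True when the header's uncompressed size equals what actually decodes.
    A block locked by a faked size field (or a tweaked bitstream) gives False."""
    return parse_lzma_header(block)["uncompressed_size"] == probe["decodable_bytes"]


if __name__ == "__main__":
    print(parse_lzma_header(SAMPLE_HEADER))
    probe = analyse_probe_log(SAMPLE_LOG)
    print(probe)
    print("header consistent with decodable size:", header_consistent(SAMPLE_HEADER, probe))
```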
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on February 15, 2012, 03:48:27 AM
do you know what files are failing during the decompression..

In ecirootfs1, the following two data blocks are failing to decompress.

The first data block to fail in ecirootfs1 is @0x44e35. It is the first of nine blocks used to store the file drv_dsl_cpe_api.ko.  That file appears to be a character device driver providing a kernel interface to the DSL hardware (an unknown 32-bit DSP engine on the Lantiq VRX268 core). When uncompressed, that driver file should be 578,157 bytes in size, and the failed block should provide 65,536 bytes towards it when uncompressed.

The second bad data block in ecirootfs1 is @0x8e143. It is the first of twelve blocks that holds the file xcpe_hw.bin.  That file is the DSP hardware device driver blob.  It should be 767,376 bytes in size, and the failed block should provide 65,536 bytes when uncompressed.

Code: [Select]
Reading a different endian SQUASHFS filesystem on ecirootfs1

-rwxr-xr-x 505/users            578157 2011-02-14 06:44 squashfs-root/ifx/vdsl2/drv_dsl_cpe_api.ko
unsquashfs: dir_scan: name drv_dsl_cpe_api.ko, start_block 0, offset 7621, type 2
unsquashfs: create_inode: pathname squashfs-root/ifx/vdsl2/drv_dsl_cpe_api.ko
unsquashfs: create_inode: regular file, file_size 578157, blocks 9
unsquashfs: write_file: regular file, blocks 9
unsquashfs: read_data_block: block @0x44e35, 14351 compressed bytes
unsquashfs: read_bytes: reading from position 0x44e35, bytes 14351 (0x380f)

[...snipped...]

unsquashfs: read_data_block: block @0x4dffe, 18111 compressed bytes
unsquashfs: read_bytes: reading from position 0x4dffe, bytes 18111 (0x46bf)

00000000: 5d 00 00 80 00 00 00 01 00 00 00 00 00 00 13 af
00000010: 3c 06 45 13 7d b5 59 62 72 8f db b5 8f 8e f0 bb

[...snipped...]

000045a0: a3 d0 37 83 70 87 5c 82 2b 3a fd 66 9b d6 b6 0c
000045b0: b2 6e 0d d5 34 07 57
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
                               ea ae 66 04 51 9e 5e be 31
000045c0: 4c 0b 51 6f 16 63 d7 cb da 76 cb ce c5 00 69 8f

[...snipped...]

000046b0: 4d 78 5c af fa f7 81 18 0c f1 6d 19 6c 95 03

unsquashfs: read_data_block: abort() because res = sqlzma_un = ffffffea

[...snipped...]

-rwxr-xr-x 505/users            767376 2011-02-14 06:44 squashfs-root/ifx/vdsl2/xcpe_hw.bin
unsquashfs: read_fragment: reading fragment 10
unsquashfs: dir_scan: name xcpe_hw.bin, start_block 0, offset 8001, type 2
unsquashfs: create_inode: pathname squashfs-root/ifx/vdsl2/xcpe_hw.bin
unsquashfs: create_inode: regular file, file_size 767376, blocks 12
unsquashfs: write_file: regular file, blocks 12
unsquashfs: read_data_block: block @0x7af16, 40885 compressed bytes
unsquashfs: read_bytes: reading from position 0x7af16, bytes 40885 (0x9fb5)

[...snipped...]

unsquashfs: read_data_block: block @0x8e143, 40792 compressed bytes
unsquashfs: read_bytes: reading from position 0x8e143, bytes 40792 (0x9f58)

00000000: 5d 00 00 80 00 00 00 01 00 00 00 00 00 00 02 00
00000010: 09 91 c2 58 7c 6b 07 b7 bc e8 98 5f 1e 63 13 cc

[...snipped...]

00009d30: 44 e8 23 9d 7c 3c 87 30 50 9c da d2 d1 f5 84 e9
00009d40: fa f4 51 2c d8 fb 48 be 51 56 97 20 b5 e7 de 72
00009d5
err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
       0: 73 e3 e1 51 75 8a 59 d1 b2 73 04 4a 9b 7f 89 28
00009d60: 90 61 9f b6 9c 9b 9b b3 5f 38 6a a5 90 d5 85 11

[...snipped...]

00009f50: c0 ae c7 10 5e 2a f0 94

unsquashfs: read_data_block: abort() because res = sqlzma_un = ffffffea

In ecirootfs2, the second squashfs file system in the ECI firmware, once again we find two bad blocks that won't decompress.  The first bad block is @0x32edc. That is the seventh of eight blocks storing the busybox binary. The busybox binary should be 461,960 bytes and when uncompressed, that block should hold 65,536 bytes of it.

The second bad block in ecirootfs2 is block @0x63bb1.  It is the first of six blocks holding another kernel device driver. This driver is named drv_ifxos.ko and it should be 357,839 bytes uncompressed. The bad block should provide 65,536 bytes of that.

Code: [Select]
Reading a different endian SQUASHFS filesystem on ecirootfs2

-rwxrwxr-x 505/users            461960 2011-08-09 04:31 squashfs-root/bin/busybox
unsquashfs: dir_scan: name busybox, start_block 0, offset 936, type 2
unsquashfs: create_inode: pathname squashfs-root/bin/busybox
unsquashfs: create_inode: regular file, file_size 461960, blocks 8
unsquashfs: write_file: regular file, blocks 8
unsquashfs: read_data_block: block @0x10de0, 24250 compressed bytes
unsquashfs: read_bytes: reading from position 0x10de0, bytes 24250 (0x5eba)

[...snipped...]

unsquashfs: read_data_block: block @0x32edc, 17142 compressed bytes
unsquashfs: read_bytes: reading from position 0x32edc, bytes 17142 (0x42f6)

00000000: 5d 00 00 80 00 00 00 01 00 00 00 00 00 00 31 19
00000010: 40 06 32 0a 09 7e e1 df 4a af 79 8a 22 ec c1 75

[...snipped...]

00004180: 12 55 4f b3 18 02 b9 38 8d 36 1b 65 cd 44 43 f2
err -22
sqlzma_un: LZMA Unknown error 18446744073709551594
00004190: 8d f9 4a 51 0d 4a 8f 85 2d c4 95 5c 07 a9 6e e3

[...snipped...]

000042e0: 50 71 26 6b 9d 15 b9 f0 b8 bc ab 34 65 9a e4 86
000042f0: 6e f7 89 92 48 ae

unsquashfs: read_data_block: abort() because res = sqlzma_un = ffffffea

[...snipped...]

-rwxr-xr-x 505/users            357839 2011-08-09 04:31 squashfs-root/ifx/vdsl2/drv_ifxos.ko
unsquashfs: dir_scan: name drv_ifxos.ko, start_block 0, offset 7689, type 2
unsquashfs: create_inode: pathname squashfs-root/ifx/vdsl2/drv_ifxos.ko
unsquashfs: create_inode: regular file, file_size 357839, blocks 6
unsquashfs: write_file: regular file, blocks 6
unsquashfs: read_data_block: block @0x63bb1, 25245 compressed bytes
unsquashfs: read_bytes: reading from position 0x63bb1, bytes 25245 (0x629d)

00000000: 5d 00 00 80 00 00 00 01 00 00 00 00 00 00 3f 91
00000010: 45 84 68 34 8a 09 0a 41 50 57 af 46 76 b3 d7 96

[...snipped...]

00006200: 07 3b e0 a3 cb 88 2d 62 b0 6f 1e 6c 26 47 da b5
0000
    err -22: sqlzma_un: LZMA Unknown error 18446744073709551594
    6210: e8 90 91 68 22 96 49 a8 9f 06 19 d7 b7 50 71 2e

[...snipped...]

00006280: 4b 29 9c 2d 1f 9b 5f 33 49 de 42 43 03 45 f2 42
00006290: 1f ba 76 8a d3 b5 72 d7 34 8c f9 62 32

unsquashfs: read_data_block: abort() because res = sqlzma_un = ffffffea


I'm not sure what any of that proves.. except that there are exactly two bad blocks per file system, and they are in different places in each file system.

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on February 15, 2012, 10:29:30 AM
Hi uklad,

Interesting. I spent some time trying to get port 2 active with no luck..

One trick is as follows:

Copy that file /etc/config/defaultvalue.gz from the squashfs read-only root file system to a read-write file system (e.g. a ramdisk).

Modify that read-writable copy with the desired configurations.

Re-mount the modified file over the top of the original in the read-only squashfs.

(See the Linux/busybox manpage for mount, and the --bind option.)

Force the config software - the firmware utility that actually reads the contents of that file - to re-load it.

Since this doesn't modify the squashfs system it is non-destructive.  The hack is described well by paul at sbrk.co.uk at [1].

I'm away all week training :( but I will try and find some time to try this at the weekend ...
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on February 15, 2012, 02:22:46 PM
Quote
I'm not sure what any of that proves.. except that there are exactly two bad blocks per file system, and they are in different places in each file system.

May be just pointless caterwauling on my part but if those two squashfs' are supposed to be identical, with two defects in different places in them both, then surely a controlled merge of both will give you one complete file system.  :-\

Hmm . . . am I yowling from the wrong tree-top?  ???
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on February 15, 2012, 08:47:47 PM
Quote
I'm not sure what any of that proves.. except that there are exactly two bad blocks per file system, and they are in different places in each file system.

May be just pointless caterwauling on my part but if those two squashfs' are supposed to be identical, with two defects in different places in them both, then surely a controlled merge of both will give you one complete file system.  :-\

Hmm . . . am I yowling from the wrong tree-top?  ???

Hi Burakkucat.

Sure. We can certainly do that and it could help to discover how the LZMA code in the ECI kernel has been modified.   

The main problem still exists, though.  Even with those two file systems merged to make one good one,  the squashfs driver in the pre-built kernel of the ECI is still expecting to read a file system image that has been tweaked in some way.

That fs kernel driver will perform an 'un-tweak' operation on specific 'tweaked' compressed blocks. The 'un-tweak' must be performed before those blocks are passed to the LZMA decoder for decompression.  However, when the driver performs an 'un-tweak' on a data block that we have already un-tweaked (from our controlled merge), that second un-tweak will effectively corrupt the block.  When the block is passed to the LZMA decoder, its decompression will subsequently fail.

Two possibilities spring to mind for overcoming this..

a) re-build the kernel with a squashfs driver that is not tweaked in any way, so that it can work with a 'clean' squashfs file system.  Currently that is no mean feat since ECI/Lantiq/AlphaNetworks have shown no interest in abiding by the terms of the GPL licence, and we would need the kernel build configs to do this; or

b) try to re-make the file system so that those two tweaked blocks remain unallocated by the file system or else are masked-off in "lost+found" inodes or something similar.

We don't strictly need to do a controlled merge, since uklad has shell access to the device. He could obtain the decompressed form of any regular file in the squashfs file system.  Those decompressed files would be dumped over the serial connection and chopped into blocks of 65,536 bytes (or less). Then they would be re-compressed with the LZMA encoder.  In theory, those re-compressed data blocks could be inserted back into the squash file system image.

I'm a bit stuck here, since I haven't got an ECI modem to hack about with things like that.

Also it's a lot of faffing around.  There are others interested in this issue of squashfs tweaking, not least for legal reasons since their code has been purloined in these firmwares.  Hopefully in the dueness of time, some better ideas and suggestions will percolate out of the ether!

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on February 15, 2012, 09:01:34 PM
I have a saved eBay search that specifies this particular ECI B-FOCuS modem. It's obviously a case of "wait and see" . . .  :-\
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on March 01, 2012, 03:41:53 AM
flamey, an FTTC subscriber from Colchester, has posted some useful exterior pictures of the ECI to the Sky User forum. As flamey points out, it is very difficult to distinguish the ECI from the Huawei.  The LEDs and the sockets are spaced slightly differently on the ECI, but on purely physical appearance, they are otherwise virtually identical devices.

http://www.skyuser.co.uk/forum/router-stats/47260-hacking-bt-openreach-modem-hg612.html#post358530

cheers, a

EDIT: 

@uklad:  did you find time to try the 'mount' hack?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on March 01, 2012, 04:07:53 AM
Attached to this post is a "screen-scrape" from a BT Slide Presentation. It shows the Huawei and ECI modems side-by-side.

[attachment deleted by admin]
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on March 01, 2012, 04:03:53 PM
Attached to this post is a "screen-scrape" from a BT Slide Presentation. It shows the Huawei and ECI modems side-by-side.

I did think I had seen that before..

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on March 01, 2012, 04:05:16 PM
flamey, an FTTC subscriber from Colchester, has posted some useful exterior pictures of the ECI to the Sky User forum. As flamey points out, it is very difficult to distinguish the ECI from the Huawei.  The LEDs and the sockets are spaced slightly differently on the ECI, but on purely physical appearance, they are otherwise virtually identical devices.

http://www.skyuser.co.uk/forum/router-stats/47260-hacking-bt-openreach-modem-hg612.html#post358530

cheers, a

EDIT: 

@uklad:  did you find time to try the 'mount' hack?

Quick answer is no, unfortunately; training away for a week and being mad busy when I got back does not help. I should have some time tomorrow to play once the kids are in bed..
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on March 02, 2012, 08:40:38 PM
Hi uklad!

Did you get a chance to have another look?
cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on March 02, 2012, 09:00:29 PM
Hi uklad!

Did you get a chance to have another look?
cheers, a

I did, and to be frank I'm out of my depth; I don't know Linux well enough to get any connectivity out of it...

Where are you located, asbokid?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on March 04, 2012, 02:59:31 AM
Aww! Don't give up!  ??? you've already done all the hard work!

Attached is a silly bit of C code for the PC.  It converts any file into an octal dump.  The dump can be used in the Telnet Upload Trick.

The Trick allows any executable to be downloaded to a router or a modem using the -e escape character option of the echo command in the BusyBox ash shell. [1]

Code: [Select]
// The Telnet Upload Trick - asbokid 2012 <ballymunboy@gmail.com>
//
// How to download an arbitrary binary to an embedded device
//
// 1) convert the binary into an octal dump using the code below
// 2) paste the dump into a telnet shell or a serial console
// 3) chmod +x the dumped file (myscript.sh) and run it
// 4) the octal dump will be echoed into a binary file (mybinary)
// 5) chmod +x that new binary and run it

#include <stdio.h>

int main(int argc, char **argv) {
    FILE *fp;
    int c;                 /* fgetc() returns int so that EOF (-1) can be told apart from a byte */
    unsigned int d = 0;    /* number of bytes emitted so far */

    if (argc != 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    if (!(fp = fopen(argv[1], "rb"))) {
        fprintf(stderr, "can't open file %s\n", argv[1]);
        return 1;
    }
    while ((c = fgetc(fp)) != EOF) {
        /* start a new "echo -n -e" line every 16 bytes */
        if (!(d++ % 0x10))
            fprintf(stdout, "echo -n -e ");
        /* emit "\\0NNN": the shell strips one backslash, then echo -e decodes the octal */
        fprintf(stdout, "\\\\%04o", c);
        if (!(d % 0x10))
            fprintf(stdout, " >> mybinary\n");
    }
    /* terminate a final partial line */
    if (d % 0x10)
        fprintf(stdout, " >> mybinary\n");
    fclose(fp);
    return 0;
}

We can use the Trick to download any code we want to the ECI:  a telnet daemon, a tool to dump the decompressed forms of those tweaked files, or anything else..

Code: [Select]
$ gcc -o octaldump octaldump.c

$ ./octaldump octaldump > myscript.sh

$ head myscript.sh
echo -n -e \\0177\\0105\\0114\\0106\\0002\\0001\\0001\\0000\\0000\\0000\\0000\\0000\\0000\\0000\\0000\\0000 >> mybinary
echo -n -e \\0002\\0000\\0076\\0000\\0001\\0000\\0000\\0000\\0300\\0005\\0100\\0000\\0000\\0000\\0000\\0000 >> mybinary
echo -n -e \\0100\\0000\\0000\\0000\\0000\\0000\\0000\\0000\\0130\\0015\\0000\\0000\\0000\\0000\\0000\\0000 >> mybinary
echo -n -e \\0000\\0000\\0000\\0000\\0100\\0000\\0070\\0000\\0010\\0000\\0100\\0000\\0037\\0000\\0034\\0000 >> mybinary

$ chmod +x myscript.sh

$ ./myscript.sh

$ xxd -l80 mybinary
0000000: 7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............
0000010: 0200 3e00 0100 0000 c005 4000 0000 0000  ..>.......@.....
0000020: 4000 0000 0000 0000 580d 0000 0000 0000  @.......X.......
0000030: 0000 0000 4000 3800 0800 4000 1f00 1c00  ....@.8...@.....
0000040: 0600 0000 0500 0000 4000 0000 0000 0000  ........@.......

$ md5sum mybinary octaldump
64f293a8272b7938ace5c805f6873402  mybinary
64f293a8272b7938ace5c805f6873402  octaldump


cheers, a



[1] http://stackoverflow.com/questions/5582778/writing-a-binary-file-in-shell-shell-awk

[attachment deleted by admin]
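Added example, not asbokid's code: the encoder side of the trick in Python beside a simplified model of what ash and BusyBox echo -e do with each pasted line, so the byte-for-byte round trip that the md5sum check above confirms can be verified offline. The receiver model only handles the \0NNN escapes the dump uses; the function names are my own.

```python
import hashlib

ECHO_PREFIX = "echo -n -e "


def octal_dump_lines(data, out_name="mybinary", per_line=16):
    """Encoder side (what the C octaldump tool prints): one 'echo -n -e' line per
    16 bytes, each byte as '\\\\0NNN' so that after shell dequoting echo sees '\\0NNN'."""
    lines = []
    for i in range(0, len(data), per_line):
        escapes = "".join("\\\\%04o" % b for b in data[i:i + per_line])
        lines.append("%s%s >> %s" % (ECHO_PREFIX, escapes, out_name))
    return lines


def simulate_target_shell(lines):
    """Receiver side, modelled in a simplified way: ash turns each unquoted '\\\\'
    into '\\', then BusyBox echo -e decodes '\\0' followed by up to three octal digits."""
    out = bytearray()
    for line in lines:
        if not line.startswith(ECHO_PREFIX) or " >> " not in line:
            raise ValueError("not an upload line: %r" % line)
        word = line[len(ECHO_PREFIX):].split(" >> ")[0]
        word = word.replace("\\\\", "\\")          # shell dequoting of \\ -> \
        i = 0
        while i < len(word):
            if word[i] != "\\" or word[i + 1:i + 2] != "0":
                raise ValueError("unexpected escape at offset %d" % i)
            j = i + 2
            while j < len(word) and j < i + 5 and word[j] in "01234567":
                j += 1
            out.append(int(word[i + 1:j], 8))     # '0NNN' -> byte value
            i = j
    return bytes(out)


def round_trip_ok(data):
    """The same check the post makes with md5sum: the digest of the original file
    equals the digest of what the simulated target wrote."""
    rebuilt = simulate_target_shell(octal_dump_lines(data))
    return hashlib.md5(data).hexdigest() == hashlib.md5(rebuilt).hexdigest()


if __name__ == "__main__":
    # Constructed sample: every byte value once, then the ELF magic from the post's dump.
    sample = bytes(range(256)) + b"\x7fELF"
    for line in octal_dump_lines(sample)[:2]:
        print(line)
    print("round trip ok:", round_trip_ok(sample))
```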
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on March 05, 2012, 08:42:35 AM
Aww! Don't give up!  ??? you've already done all the hard work!

I'm not giving up; it's more to do with time vs. ability. I have the ability, just not the time. I'm sourcing an HG612, which should be here in a few days; once it's stable I can set the ECI in my office or even loan it to you to speed up development..

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on March 05, 2012, 08:10:49 PM
Sounds good! Wasn't doubting your expertise!  Lots of people will be interested to see how the ECI performs against the Huawei on the same line.  cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: JoshShep on March 09, 2012, 09:46:37 PM
Hi uklad, if you didn't end up getting a new modem I will sell you my Huawei HG612 for £20 including P&P? it's a rev b.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on March 10, 2012, 09:08:04 AM
Hi uklad, if you didn't end up getting a new modem I will sell you my Huawei HG612 for £20 including P&P? it's a rev b.

Got one, thanks. Just installed it; still seem to be getting the full 40/10 at the moment. Will pull some stats later.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: JoshShep on March 10, 2012, 05:05:37 PM
From using both the ECI and Huawei HG612, I have noticed that I get more jitter using the HG612. The ECI seems to perform a little better on my connection. May be different for your connection.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: waltergmw on March 10, 2012, 06:27:18 PM
@ All,

What a splendid reason for asking BT to allow them to be purchased on the open market.

Kind regards,
Walter
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on March 11, 2012, 12:34:06 AM
From using both the ECI and Huawei HG612, I have noticed that I get more jitter using the HG612. The ECI seems to perform a little better on my connection. May be different for your connection.

Josh -- A quick couple of questions for you. When you had your FTTC service installed, which VDSL2 modem was officially provided as the active CPE? The Huawei or the ECI? As you probably realise, Openreach supply the modem to match the DSLAM in the FTTC.

If your installation was a Huawei, I wonder from where did you obtain the ECI B-FOCuS modem? Care to share the information, please?  ;)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on March 11, 2012, 09:30:23 AM
Josh had an ECI supplied, if I remember..

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: JoshShep on March 11, 2012, 02:57:58 PM
From using both the ECI and Huawei HG612, I have noticed that I get more jitter using the HG612. The ECI seems to perform a little better on my connection. May be different for your connection.

Josh -- A quick couple of questions for you. When you had your FTTC service installed, which VDSL2 modem was officially provided as the active CPE? The Huawei or the ECI? As you probably realise, Openreach supply the modem to match the DSLAM in the FTTC.

If your installation was a Huawei, I wonder from where did you obtain the ECI B-FOCuS modem? Care to share the information, please?  ;)

I was supplied with the ECI, and purchased the Huawei off the bay. I know ECI modems are hard to track down, I have not seen one on eBay!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on March 11, 2012, 11:27:59 PM
Thank you for the update.

Quote
I know ECI modems are hard to track down, I have not seen one on eBay!

I can see that without some degree of co-ordination, when one does turn up on eBay, we will most likely be bidding against each other. :doh:
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on March 25, 2012, 11:23:16 AM
Excellent work!  I have the ECI model B-FOCuS V-2FUb/I Rev.B and after replacing the HH3 for something running OpenWrt (finally, real routing!) last night, I'm now shifting focus to the other mysterious black-box (the modem).

GPL advocate, not too bad with Linux, near zero embedding skills though.  Always keen to get my hands dirty though, albeit usually [learning] on the job!

uklad/asbokid, anything I can do to help?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on March 25, 2012, 02:53:24 PM
I'll add, there were a couple of broken links on this thread.  Does anything need hosting, as I can do that.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on March 25, 2012, 07:33:14 PM
Hi nimda!

Great news that you are joining us!  You sound very qualified for this important voluntary position!

There are several possibilities for unlocking the ECI.   The first task must be to gain shell access through the serial port, following uklad's pioneering work.   A USB-TTL bridge is an easy and cheap way to do this. The controller costs less than £2. [1] [2]

It would be rewarding to crack the LZMA mechanism used to lock the embedded file system, since the same mechanism is used by many other manufacturers, but that's probably not an easy hack. Though it certainly offers the most kudos if successful!

The priority must be to re-enable web and telnet/ssh access from the LAN-side. This should be possible through the serial shell access, after the system has booted. Once an unlocking method has been discovered, then a more permanent solution will involve modifying the flash file system.   uklad has generously offered his ECI for target practice for this, but the likelihood of bricking it is quite high, so it's probably wiser to find an unwanted one!

Your hosting offer is much appreciated :-)  SFAICS, the dead links are uklad's original NOR flash dump from the ECI which he uploaded to mediafire, who seem to have deleted it, for lack of downloads(?), and the PDF of Sweetman's book on MIPS Linux (Morgan.Kaufmann.See.MIPS.Run.2nd.Edition.pdf) ?

Uklad's original NOR flash dump (ecinand8mb.bin) is duplicated here [3]

Welcome aboard!

cheers, a

[1] http://www.ebay.co.uk/itm/170732908199
[2] http://www.ebay.co.uk/itm/390363268951
[3] http://docs.google.com/open?id=0B6wW18mYskvBMzZkODg5NGQtNjdjOS00ZjNjLTljNTctZTJkNmYxYWFlMTk1


Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on March 25, 2012, 11:39:09 PM
Quote
Great news that you are joining us!  You sound very qualified for this important voluntary position!

Thanks, glad to be here.  I'm looking forward to learning along the way too!

Quote
There are several possibilities for unlocking the ECI.   The first task must be to gain shell access through the serial port, following uklad's pioneering work.   A USB-TTL bridge is an easy and cheap way to do this. The controller costs less than £2. [1] [2]

I purchased the PL2303HX USB to TTL Converter Module, it'll take a while to arrive though "Estimated delivery: 12-24 working days" but it was free delivery from Hong Kong so can't complain!  I'll start work on the serial link once the order arrives.

Quote
It would be rewarding to crack the LZMA mechanism used to lock the embedded file system, since the same mechanism is used by many other manufacturers, but that's probably not an easy hack. Though it certainly offers the most kudos if successful!

I'll leave this one for now, I don't feel ready for tackling algorithms just yet.

Quote
The priority must be to re-enable web and telnet/ssh access from the LAN-side. This should be possible through the serial shell access, after the system has booted. Once an unlocking method has been discovered, then a more permanent solution will involve modifying the flash file system.   uklad has generously offered his ECI for target practice for this, but the likelihood of bricking it is quite high, so it's probably wiser to find an unwanted one!

I don't mind testing serial connections, but unless I had a spare, I'd not yet be prepared to put my modem on the line.  So, thanks to uklad for the donation, generous indeed.

Quote
Your hosting offer is much appreciated :-)  SFAICS, the dead links are uklad's original NAND dump from the ECI which he uploaded to mediafire, who seem to have deleted it, for lack of downloads(?), and the PDF of Sweetman's book on MIPS Linux (Morgan.Kaufmann.See.MIPS.Run.2nd.Edition.pdf) ?

Uklad's original NAND dump (ecinand8mb.bin) is duplicated here [3]

No problem at all, I can accommodate ANY hosting needs, especially to aid the greater good of a freed community --decentralising, and taking back control/data, is my computing MO.

Quote from: For reference
[1] http://www.ebay.co.uk/itm/170732908199
[2] http://www.ebay.co.uk/itm/390363268951
[3] http://docs.google.com/open?id=0B6wW18mYskvBMzZkODg5NGQtNjdjOS00ZjNjLTljNTctZTJkNmYxYWFlMTk1

In the meantime, I'll take a read of See MIPS Run.  Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

Once this is opened, what then?  What are the options?  Fundamental question, and possibly obvious answers, but I'm naive in this area of computing, what cool things can be done?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on March 25, 2012, 11:44:52 PM
Quote
Quote
There are several possibilities for unlocking the ECI.   The first task must be to gain shell access through the serial port, following uklad's pioneering work.   A USB-TTL bridge is an easy and cheap way to do this. The controller costs less than £2. [1] [2]

I purchased the PL2303HX USB to TTL Converter Module, it'll take a while to arrive though "Estimated delivery: 12-24 working days" but it was free delivery from Hong Kong so can't complain!  I'll start work on the serial link once the order arrives.

Am I right to assume this will require reinstating header-pins (http://forum.kitz.co.uk/index.php/topic,10635.msg208997.html#msg208997)?  Is this JTAGing?  I've never (knowingly) played with this before.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on March 26, 2012, 12:30:00 AM
Lastly, did uklad not get shell access:-

Quote
Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)

Is it not straight forward to "re-enable web and telnet/ssh access from the LAN-side." ?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on March 26, 2012, 12:33:28 AM
Hi again, nimda,

No problem at all, I can accommodate ANY hosting needs, especially to aid the greater good of a freed community --decentralising, and taking back control/data, is my computing MO.
A man after my own heart!

Quote
..would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

Hi.. the perms were stuck. The dump is downloadable now without a gmail account..

https://docs.google.com/leaf?id=0B6wW18mYskvBMzZkODg5NGQtNjdjOS00ZjNjLTljNTctZTJkNmYxYWFlMTk1

Quote
Once this is opened, what then?  What are the options?  Fundamental question, and possibly obvious answers, but I'm naive in this area of computing, what cool things can be done?

Good question.. I think people just like getting under the bonnet.  Paul (Bald_Eagle) and Burakkucat have done some amazing things with graphing scripts, using the low-level diagnostic xdsl data that the unlocked Huawei provides.

My current interest is to try and 'fit' that diagnostic data, especially the channel characteristics (aka insertion loss aka attenuation) to parameterised cable reference models.   This would hopefully lead to an accurate analysis of loop quality, and estimated loop length.  The data could be analysed for common fault conditions - bridge taps, etc.

Other options include the development of server-side scripts for graphing. This code would run on the embedded device itself.

I guess ultimately, people would like to see an open source router distribution (openwrt et al) running on these devices, but that would involve the release of the DSP drivers by Broadcom and Lantiq, who are less than forthcoming.

cheers, a

EDIT:  Yes, obtaining serial port access involves soldering the header pins back onto the modem board.  It's not hard with a fine-tipped soldering bit.

JTAG is a different serial protocol, primarily for debugging hardware. It's similar to SPI and has a clock signal (TCK), two data lines for input and output (TDI and TDO) and a control line (TMS) to manage the state of the JTAG engine. 

Unless the bootloader gets wrecked, it should be possible to unlock the ECI using just the TTL serial port.



Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on March 26, 2012, 12:34:57 AM
Quote
Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

For a short time only (just to allow you to download it), I have made the file available from a temporary location. Please let me know once you have got a copy.  ;)

[Edited to mention that the link to the above temporary location is now deprecated.]
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on March 26, 2012, 12:36:30 AM
Lastly, did uklad not get shell access:-

Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)

Yes, uklad indeed got shell access.

Quote
Is it not straight forward to "re-enable web and telnet/ssh access from the LAN-side." ?

It should be. Unfortunately before uklad got there, he was distracted by his family who obviously have no appreciation of the importance of this work!

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on March 26, 2012, 12:38:24 AM
Quote
Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

For a short time only (just to allow you to download it), I have made the file available from a temporary location (http://elrepo.org/people/ajb/tmp/ECI). Please let me know once you have got a copy.  ;)

Thanks burakkucat :-)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on March 26, 2012, 12:46:10 AM
Thanks burakkucat  :)

I'm always willing to assist, where I can.  ;D

(Though I shall pass on helping you lick that multi-coloured ice-cream!  :-\  )
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on March 26, 2012, 10:23:06 AM
Quote
Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

For a short time only (just to allow you to download it), I have made the file available from a temporary location (http://elrepo.org/people/ajb/tmp/ECI). Please let me know once you have got a copy.  ;)

Thanks, I've got the files I need.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on March 26, 2012, 05:09:16 PM
Quote
Thanks, I've got the files I need.

Excellent. Thank you for letting me know. I'll now deprecate that link.  :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on March 26, 2012, 09:13:20 PM
Lastly, did uklad not get shell access:-

Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)

Yes, uklad indeed got shell access.

Quote
Is it not straight forward to "re-enable web and telnet/ssh access from the LAN-side." ?

It should be. Unfortunately before uklad got there, he was distracted by his family who obviously have no appreciation of the importance of this work!

cheers, a

Full time job, one wife, two kids and builders out the back is leaving me with very little spare time !! but I'm still lurking.. and you are correct, I did try explaining once what I was doing with the ECI modem and she gave me the rolled eyes nod !! followed by ohhh yeah !!

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on March 26, 2012, 11:03:18 PM
Full time job, one wife, two kids and builders out the back is leaving me with very little spare time !! but I'm still lurking.. and you are correct, I did try explaining once what I was doing with the ECI modem and she gave me the rolled eyes nod !! followed by ohhh yeah !!

One more child, but no builders :)  You've inspired me to start, and continue the work you have done.  Please continue to lurk, you are after all the thread's founder ;)

Can you give me any tips for the serial connection settings?  I'll be using Linux, so the programs will be different, but same ports, speeds, etc.  any information will be useful at this stage --besides, I've got a while to wait for my serial link hardware delivery, so I'm soaking up the details.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on March 27, 2012, 09:23:56 PM
Port speed is 115,200bps N-8-1
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 03, 2012, 02:22:41 PM
I have recently got one of these with my FTTC install although I'm not quite ready to kill it. I have emailed sfconservancy.org and they have shown an interest in the situation. I will keep you posted on any progress relating to GPL compliance. If someone can show me the exact solder points I do have the required equipment here already for a serial-usb adapter...
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on April 03, 2012, 03:43:28 PM
I have recently got one of these with my FTTC install although I'm not quite ready to kill it. I have emailed sfconservancy.org and they have shown an interest in the situation. I will keep you posted on any progress relating to GPL compliance. If someone can show me the exact solder points I do have the required equipment here already for a serial-usb adapter...

See post #17 on this thread
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 03, 2012, 03:58:18 PM
Ah thanks, when I get a chance I'll see what I can do. My adapter is technically 5v but a few resistors should be good enough to get it down to 3.3V ish.

Update: Tried but as I couldn't get the solder from the holes I had to mount the header on top, it didn't work regardless. I guess someone else will have to help :(

Update 2: Just trying to work out why it didn't work, looks like I lifted the TX pad accidentally :(

Update 3: Okay, so I couldn't be defeated. Turns out near the TX pad there is an unpopulated capacitor footprint, appears to be a decoupling capacitor for TX. Anyway, using that I managed to solder some flying wires to all the pads and now I think I have a working UART port. I say I think as apparently the USB->Serial I have only does 9600 baud, not the 115,200 baud, but I do get garbage outputted, and the timing seems about right. Ordered a http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=270805125757#ht_2480wt_952 and hopefully it'll work :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on April 05, 2012, 01:22:31 AM
Good to have you aboard!  Getting stuck right in too, I see.

I'm still awaiting my Hong Kong delivery (PL2303HX), apparently dispatched on the 28th, and no doubt is on a boat or storage crate somewhere between here and there!

Keep us posted though, sounds like an enthusiastic start :D
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 05, 2012, 10:20:56 AM
I should get my converter tomorrow, one advantage of paying extra for buying from the UK. From there I'm quite happy to help out as I can, although I'm not really that sure what I'm doing. What if we were to use mine to modify the firmware to enable the web interface? Surely that would give a usable image for an "upgrade" of everyone else's. Also, there are a couple of unpopulated connectors next to all the others, any ideas what they may be?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on April 05, 2012, 05:15:22 PM
I wonder if it might be appropriate to suggest that you source a Huawei HG612 to use on your VDSL2 service and then you loan your current ECI B-FOCuS modem to The Maestro, Asbokid, himself?  :-\
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 05, 2012, 05:52:20 PM
I should get my converter tomorrow, one advantage of paying extra for buying from the UK. From there I'm quite happy to help out as I can, although I'm not really that sure what I'm doing. What if we were to use mine to modify the firmware to enable the web interface? Surely that would give a usable image for an "upgrade" of everyone else's.

Hi ben1066!

I just passed the NOR flash image that was extracted by uklad through the latest release (0.4.3) of a tool called binwalk.

binwalk is an amazing open source utility developed by Craig Heffner. It can be downloaded from http://binwalk.googlecode.com/   

The tool scans binary images for 'magic numbers' -  short signatures - used in Linux to identify binary types.  Binwalk can identify various compressed archives, kernel images, and many other binary components commonly found in embedded firmware.

As we discovered ourselves, there are two LZMA-compressed squashfs read-only root file system images in the NOR image, and a JFFS2 read-write flash file system. Binwalk also discovered the offsets, lengths and load addresses of the two LZMA-compressed big-endian MIPS32 Linux kernels and the U-Boot loader image.   

But what's most interesting is that Binwalk has discovered an area of the flash where the gzip'ed configuration file for the ECI is stored.   We already discovered the default config file in the read-only root file system. That's the config file that is loaded when the device is hard-reset.    However, what BinWalk appears to have uncovered is the 'working' config file. That copy of the configuration file is modifiable without the need to rebuild and rewrite the entire root file system.   

In theory, the device can be unlocked by very carefully erasing the NOR block containing that config file, and by re-programming the block with new (unlocking) contents.   The U-Boot bootloader should have the necessary NOR functions to perform those operations.

The specific area of interest in the NOR device starts at offset 0x40126:

Code: [Select]
$ md5sum ecinand8mb.bin
2a2db35f797546c0e3e036a469a942d4  ecinand8mb.bin

$ binwalk ecinand8mb.bin

DECIMAL    HEX        DESCRIPTION
-------------------------------------------------------------------------------------------------------
17680      0x4510    uImage header, header size: 64 bytes, header CRC: 0xDCFA529A, created: Mon Oct 18 09:20:23 2010, image size: 49728 bytes, Data Address: 0xA0400000, Entry Point: 0xA0400000, data CRC: 0xC1F4907, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: u-boot image
17744      0x4550    LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 133532 bytes
262438    0x40126    gzip compressed data, from Unix, last modified: Sat Jan  1 00:02:13 2000, max compression
331872    0x51060    uImage header, header size: 64 bytes, header CRC: 0x6C1EFC77, created: Mon Feb 14 06:44:17 2011, image size: 3624992 bytes, Data Address: 0x80002000, Entry Point: 0x802CD000, data CRC: 0x15E32D3E, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: MIPS Linux-2.6.20
331936    0x510A0    LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3084422 bytes
1314976    0x1410A0  PackImg Tag, little endian size: 5253120 bytes; big endian size: 2641920 bytes
1315008    0x1410C0  Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2641669 bytes, 844 inodes, blocksize: 65536 bytes, created: Mon Feb 14 06:44:14 2011
1315127    0x141137  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 61676 bytes
1330443    0x144D0B  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 7100 bytes
[...]
3954947    0x3C5903  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 672 bytes
3955226    0x3C5A1A  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 6752 bytes
4132960    0x3F1060  uImage header, header size: 64 bytes, header CRC: 0x55E6D872, created: Tue Aug  9 04:31:37 2011, image size: 3629088 bytes, Data Address: 0x80002000, Entry Point: 0x802CD000, data CRC: 0xC331258, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: MIPS Linux-2.6.20
4133024    0x3F10A0  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3084421 bytes
5116064    0x4E10A0  PackImg Tag, little endian size: 6301696 bytes; big endian size: 2646016 bytes
5116096    0x4E10C0  Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2642454 bytes, 844 inodes, blocksize: 65536 bytes, created: Tue Aug  9 04:31:35 2011
5116215    0x4E1137  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 50734 bytes
[...]
7757093    0x765D25  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 6752 bytes
7929856    0x790000  JFFS2 filesystem data big endian, JFFS node length: 12
[...]
8257536    0x7E0000  JFFS2 filesystem data big endian, JFFS node length: 12


The flash memory area containing the configuration file can be extracted with the Unix tools dd and gunzip:

Code: [Select]
$ dd bs=1 if=ecinand8mb.bin of=eciconfig.gz skip=$((0x40126)) count=$((0x8a4))
2212+0 records in
2212+0 records out
2212 bytes (2.2 kB) copied, 0.0065032 s, 340 kB/s

$ gunzip -v -l eciconfig.gz
method  crc     date  time           compressed        uncompressed  ratio uncompressed_name
defla 366d7213 Apr  5 17:45                2212                7929  72.4% eciconfig

$ cat eciconfig.gz | gunzip

<lantiq_vr9_generic_asl56026>
<check>
<is_factory>factory</is_factory>
</check>
<vdsl2>
<infineon>
<fw_variant>VA</fw_variant>
<annex>A</annex>
<adsl_encaps>1</adsl_encaps>
<default_vpi_vci>1</default_vpi_vci>
<line_config>
<filter>0</filter>
<hw_hybrid>2</hw_hybrid>
<line_mode>102</line_mode>
</line_config>
</infineon>
</vdsl2>
<switch>
<bypass_mode>0</bypass_mode>
<lan_access_cpe_enable>0</lan_access_cpe_enable>
<discard_specific_pkt>1</discard_specific_pkt>
<igmp_queue>3</igmp_queue>
<port id="1">
<vid>101</vid>
<pri>2</pri>
<loopback>0</loopback>
<activate>1</activate>
<special_vlan>0</special_vlan>
</port>
<port id="2">
<vid>102</vid>
<pri>7</pri>
<loopback>0</loopback>
<activate>0</activate>
<special_vlan>0</special_vlan>
</port>
</switch>
<wan>
<physical_type>1</physical_type>
<enable_dhcp60>0</enable_dhcp60>
<dhcp_option60></dhcp_option60>
<enable_dhcp61>0</enable_dhcp61>
<dhcp_iaid></dhcp_iaid>
<dhcp_duid>0</dhcp_duid>
<enable_dhcp125>0</enable_dhcp125>
<dhcp_option125></dhcp_option125>
<enable_prepadt>0</enable_prepadt>
<dsl>
<defaultroute>1</defaultroute>
<inf id="1">
<mode>1</mode>
<enable>1</enable>
<atm>
<pvc>
<settings>
<vpi>8</vpi>
<vci>35</vci>
</settings>
</pvc>
</atm>
<ptm>
<vtag>
<settings>
<connection>connection1</connection>
<enable>1</enable>
<vid>301</vid>
<priority>5</priority>
<bt>
<enable>1</enable>
<wan_vid1>101</wan_vid1>
<wan_vid2>102</wan_vid2>
</bt>
</settings>
</vtag>
</ptm>
<dhcp>
<hostname></hostname>
<clonemac></clonemac>
<autodns>1</autodns>
<mtu>1500</mtu>
</dhcp>
<static>
<mode>1</mode>
<ip>5.60.39.51</ip>
<netmask>255.0.0.0</netmask>
<gateway>5.21.97.200</gateway>
<clonemac></clonemac>
<mtu>1500</mtu>
</static>
</inf>
<inf id="2">
<mode>2</mode>
<enable>0</enable>
<atm>
<pvc>
<settings>
<vpi>0</vpi>
<vci>35</vci>
</settings>
</pvc>
</atm>
<ptm>
<vtag>
<settings>
<connection>connection2</connection>
<enable>0</enable>
<vid>12</vid>
<priority>0</priority>
</settings>
</vtag>
</ptm>
<dhcp>
<hostname></hostname>
<clonemac></clonemac>
<autodns>1</autodns>
<mtu>1500</mtu>
</dhcp>
<static>
<mode>1</mode>
<ip>5.55.52.52</ip>
<netmask>255.0.0.0</netmask>
<gateway>5.55.52.1</gateway>
<clonemac></clonemac>
<mtu>1500</mtu>
</static>
</inf>
</dsl>
<defaultroute>1</defaultroute>
</wan>
<lan>
<ethernet>
<inf id="1">
<enable>1</enable>
<defaultip>192.168.168.168</defaultip>
<ip>192.168.168.168</ip>
<netmask>255.255.255.0</netmask>
<dhcp>
<server>
<enable>0</enable>
</server>
</dhcp>
</inf>
</ethernet>
</lan>
<dnsrelay>
<mode>2</mode>
<server>
<primarydns>172.19.10.100</primarydns>
<secondarydns>172.19.10.99</secondarydns>
</server>
</dnsrelay>
<security>
<log>
<systeminfo>1</systeminfo>
<debuginfo>0</debuginfo>
<attackinfo>1</attackinfo>
<droppacketinfo>0</droppacketinfo>
<noticeinfo>1</noticeinfo>
</log>
</security>
<time>
<syncwith>2</syncwith>
<timezone>5</timezone>
<daylightsaving>0</daylightsaving>
<ntpserver>
<ip>pool.ntp.org</ip>
<interval>604800</interval>
</ntpserver>
</time>
<sys>
<brand>Infineon</brand>
<bridge>1</bridge>
<hostname>ECLVL05</hostname>
<type>ResidentialModem</type>
<devicename>VDSL2 2 port Modem</devicename>
<modeldescription>VDSL2 2 port Modem</modeldescription>
<modelname>ECLVL05</modelname>
<vendor>Generic</vendor>
<url></url>
<regdomain>fcc</regdomain>
<language>en</language>
<basicmode>0</basicmode>
<supportlang>auto,en,de</supportlang>
<telnetd>true</telnetd>
<sshd>true</sshd>
<sessiontimeout>600</sessiontimeout>
<user id="1">
<name>admin</name>
<defaultpassword>admin</defaultpassword>
<password>admin</password>
<group>0</group>
</user>
<user id="2">
<name>user</name>
<password>user</password>
<group>1</group>
</user>
<log>
<logserverenable>0</logserverenable>
<loglevel>0</loglevel>
<logserver></logserver>
</log>
<supporturl></supporturl>
</sys>
<function>
<tr069>1</tr069>
<httpd_upnp>1</httpd_upnp>
</function>
<tr069>
<enable>0</enable>
<getrpcmethodsenable>1</getrpcmethodsenable>
<connection_line>1</connection_line>
<route>1</route>
<authenticate>0</authenticate>
<devicesummary>InternetGatewayDevice:1.0[](Baseline:1, EthernetLAN:1, ADSLWAN:1, Time:1, IPPing:1)</devicesummary>
<max_envs>1</max_envs>
<inform_retry_mode>3</inform_retry_mode>
<connect_retry_mode>3</connect_retry_mode>
<inform_retry_interval>30</inform_retry_interval>
<connect_retry_interval>30</connect_retry_interval>
<deviceinfo>
<manufactureroui>001195</manufactureroui>
<specversion>1.0.1</specversion>
<provisioningcode></provisioningcode>
<productclass>ASL-56026</productclass>
<manufacturer>ALPHA</manufacturer>
<hardwareversion>HA1</hardwareversion>
<landevicenumberofentries>1</landevicenumberofentries>
<wandevicenumberofentries>1</wandevicenumberofentries>
</deviceinfo>
<managementserver>
<username></username>
<password></password>
<connectionrequesturl></connectionrequesturl>
<connectionrequestpath>asl56026</connectionrequestpath>
<connectionrequestusername>admin</connectionrequestusername>
<connectionrequestpassword>admin</connectionrequestpassword>
<url>http://iop-tw.workssys.com/comserver/node1/tr069</url>
<defaulturl>http://iop-tw.workssys.com/comserver/node1/tr069</defaulturl>
<periodicinformenable>1</periodicinformenable>
<periodicinforminterval>60</periodicinforminterval>
<periodicinformtime>1157436610</periodicinformtime>
<upgrade>1</upgrade>
<parameterkey></parameterkey>
</managementserver>
<misc>
<recvtimeout>20</recvtimeout>
<rebootcmdkey></rebootcmdkey>
<schedulecmdkey></schedulecmdkey>
<previousurl></previousurl>
<acsport>8082</acsport>
<debuglevel>7</debuglevel>
<pfdebuglevel>7</pfdebuglevel>
<entry id="1">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
<entry id="2">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
<entry id="3">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
<entry id="4">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
</misc>
</tr069>
<cfm>
<enable>1</enable>
<md_index>md_name</md_index>
<md_level>0</md_level>
<ma_index>ma_name</ma_index>
<mep_index>1</mep_index>
<vlan_id>1</vlan_id>
<cfm_8021p>0</cfm_8021p>
<ccm_enable>0</ccm_enable>
<direct>up</direct>
<ccm_interval>10s</ccm_interval>
<lbm>
<distination_address></distination_address>
<number_of_lbm>1</number_of_lbm>
</lbm>
<ltm>
<target_address></target_address>
</ltm>
</cfm>
<proc>
<web>
<sessionum>8</sessionum>
<authnum>6</authnum>
</web>
</proc>
</lantiq_vr9_generic_asl56026>

$


cheers, a
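The decompressed MIB above doubles as a security inventory of the modem: it stores the admin/admin and user/user credentials in clear, leaves telnetd and sshd set to true, and carries the TR-069 connection-request credentials and ACS URL. The following Python script is an added example, not code from this thread or from the modem vendor; it parses a constructed excerpt of that XML (the element names are those of the dump, the ACS URL is a placeholder) and reports the weak settings a reviewer would want flagged before such a device is put on a line.

```python
"""Audit an extracted CPE configuration (XML MIB) for weak settings.

Added example, not code from the thread or from the modem vendor.  The
element names follow the decompressed eciconfig dump above; SAMPLE_MIB is a
constructed excerpt of that dump, trimmed to the parts the audit inspects.
"""
import xml.etree.ElementTree as ET

# Constructed excerpt of the configuration shown above (not a full dump).
# The ACS URL is a placeholder, not the one in the dump.
SAMPLE_MIB = """<lantiq_vr9_generic_asl56026>
<switch>
<lan_access_cpe_enable>0</lan_access_cpe_enable>
</switch>
<sys>
<telnetd>true</telnetd>
<sshd>true</sshd>
<user id="1">
<name>admin</name>
<defaultpassword>admin</defaultpassword>
<password>admin</password>
<group>0</group>
</user>
<user id="2">
<name>user</name>
<password>user</password>
<group>1</group>
</user>
</sys>
<tr069>
<enable>0</enable>
<managementserver>
<connectionrequestusername>admin</connectionrequestusername>
<connectionrequestpassword>admin</connectionrequestpassword>
<url>http://acs.example.invalid/tr069</url>
</managementserver>
</tr069>
</lantiq_vr9_generic_asl56026>
"""


def _text(node, path, default=""):
    """Text of the first element matching path, or default if absent."""
    found = node.find(path)
    return (found.text or "").strip() if found is not None else default


def audit_mib(xml_text):
    """Return a list of (severity, message) findings for a CPE XML MIB."""
    root = ET.fromstring(xml_text)
    findings = []

    # Accounts whose password equals the shipped default or the user name.
    for user in root.findall("./sys/user"):
        name = _text(user, "name")
        password = _text(user, "password")
        default_pw = _text(user, "defaultpassword")
        if password and (password == default_pw or password == name):
            findings.append(("high", f"user '{name}' still uses a default/trivial password"))

    # Remote shells enabled in the stored configuration.
    for service in ("telnetd", "sshd"):
        if _text(root, f"./sys/{service}").lower() == "true":
            findings.append(("medium", f"{service} is enabled in the stored configuration"))

    # TR-069: credentials the ACS must present for inbound connection requests,
    # and whether the ACS session itself is protected by TLS.
    ms = root.find("./tr069/managementserver")
    if ms is not None:
        cr_user = _text(ms, "connectionrequestusername")
        cr_pass = _text(ms, "connectionrequestpassword")
        if cr_user and cr_pass and cr_user == cr_pass:
            findings.append(("medium", "TR-069 connection request uses identical username and password"))
        if _text(ms, "url").startswith("http://"):
            findings.append(("medium", "TR-069 ACS URL uses plain HTTP"))

    # LAN-side management exposure (0 = disabled, as in the dump above).
    if _text(root, "./switch/lan_access_cpe_enable") == "1":
        findings.append(("info", "LAN-side CPE management access is enabled"))

    return findings


if __name__ == "__main__":
    for severity, message in audit_mib(SAMPLE_MIB):
        print(f"[{severity}] {message}")
```

Run against the excerpt it reports two high findings (both accounts) and four medium ones; against a MIB with only `lan_access_cpe_enable` set to 1 it reports the single informational finding. The checks are deliberately structural (comparing elements against each other rather than against a blacklist) so they apply to any MIB with the same element names.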
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 05, 2012, 07:21:13 PM
Tell me what to and I'll be happy to do it, especially if it means I get a pretty web interface and can help others in my situation. It'd also be nice to find a repair system for new firmware, if one exists...
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 05, 2012, 09:54:07 PM
maestro?! professional modem brickster, if any credit is due :-)  :blush:  i wouldn't like to borrow anyone's modem for that reason  ???

Looking a bit closer at that interesting NOR flash region in the ECI..

The region starts at offset 0x40000 in uklad's dump and appears to run from 0x40000-0x4ffff.    The 'sector size' for that address region (SA11) of the NOR device (Macronix MX29LV640EB) is 0x10000 (64KBytes). [1]

The flash region appears to hold the OpenRG board configuration partition. In the first few bytes it is labelled as such - "RGCFG1".   As well as that gzip'ed CPE XML MIB file, the partition contains other configuration parameters including MAC addresses, country code, board hardware revision number, etc.

Other fields in the RGCFG1 config partition header include

header length (0x00000080)
the XML MIB offset (0x00000126)
the XML MIB length (0x000008a4)
a checksum (perhaps 0x00043c62)

As we can see those values are all stored in big-endian format to match the platform.

Code: [Select]
$ dd if=ecinand8mb.bin skip=$((0x40000)) bs=1 | xxd -l $((0x125))
0000000: 5247 4346 4731 0000 0000 0000 0000 0000  RGCFG1..........
0000010: 0000 0080 0000 0126 0000 08a4 0004 3c62  .......&......<b
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 6163 7469 7665 7265 6769 6f6e 3d32 0a63  activeregion=2.c
0000090: 6f75 6e74 7279 636f 6465 3d38 3430 0a68  ountrycode=840.h
00000a0: 7772 6576 3d41 310a 776c 616e 6d61 633d  wrev=A1.wlanmac=
00000b0: 3543 3a33 333a 3845 3a38 343a 3839 3a44  5C:33:8E:84:89:D
00000c0: 420a 6c61 6e6d 6163 3d35 433a 3333 3a38  B.lanmac=5C:33:8
00000d0: 453a 3834 3a38 393a 4442 0a77 616e 6d61  E:84:89:DB.wanma
00000e0: 633d 3030 3a45 303a 3932 3a30 303a 3031  c=00:E0:92:00:01
00000f0: 3a34 300a 666c 6173 6873 7065 6564 3d36  :40.flashspeed=6
0000100: 3230 0a3d 3162 3635 6137 3232 3764 6565  20.=1b65a7227dee
0000110: 6561 3166 3763 6331 6433 6431 3234 6236  ea1f7cc1d3d124b6
0000120: 3162 3964 0a                             1b9d.

The only reference to RGCFG1 in the entire userspace of the ECI firmware is in an 80KByte binary found under /usr/sbin/rgbin for which there is, naturally, no source code.

rgbin is one of those multi-entry binaries.  From running strings against the rgbin binary, this looks like a relevant excerpt:

Code: [Select]
asbokid@home:~/eci_bfocus_squashfs-root/usr/sbin$ strings rgbin
[...]
%s version %d (block size: 0x%x)
Usage: %s {operation} {OPTIONS}
  operation -
    dump                     show nvram information.
    upgrade                  upgrade the nvram to the latest format.
    get                      get config from nvram.
    save                     save config to nvram.
    getmac                   get MAC address.
    setmac                   set MAC address.
    setenv                   set env. variable.
    getenv                   get the value of env. var.
    delenv                   delete env. varialbes.
    dumpenv                  dump env. variables.
  options -
    -h                       show this help message.
    -v                       verbose mode.
    -n {nvram}               nvram (mtd block) device.
    -c {config file}         configuration file.
    -i {index}               index. (zero based)
    -s {message}             message to set.
    -e {var=val}             environment variable.
    -m {mode}                0 -> 00:80:c8:ab:cd:ef (lower case, colon seperated)
                             1 -> 00:80:C8:AB:CD:EF (upper case, colon seperated)
                             2 -> 00.80.c8.ab.cd.ef (lower case, dot seperated)
                             3 -> 00.80.C8.AB.CD.ED (upper case, dot seperated)
    -f                       calculate & set flash programming speed. (@ setenv only)
BlockOffset=%d(0x%x), MaxSize=%d(0x%x)
header in nvram is version %d
   config size     = 0x%x (%d)
   config checksum = 0x%x (%d)
   config offset   = 0x%x (%d)
header in nvram is invalid !
PROFILE
RGCFG0
RGCFG1
%d %d %x
config data is corrupted ! (checksum = 0x%x, should be 0x%x)
Signature       = RGCFG1
env size        = %d (0x%x)
config size     = %d (0x%x)
config checksum = 0x%x
Burning %d bytes to nvram (offset:0x%x) !
header size     : %d
config offset   : %d
config size     : %d
config checksum : 0x%x
burn done !!!
unable to open config file!
no config file specified!
unable to open nvram!
no nvram specified!
[...]

So /usr/sbin/rgbin appears to be the userspace utility for reading and writing the "NVRAM" area of flash. In the NVRAM area is that gzip'ed XML MIB file which contains the configuration parameters to disable LAN access and lock the device.

Importantly, through the use of a checksum, the rgbin tool can detect if the NVRAM region has been corrupted.  So to modify the NVRAM contents of flash by manually overwriting that flash region will involve updating the checksum field as well.

EDIT: With serial console access, it should be possible to run /usr/sbin/rgbin to get and set the NVRAM config setting using the proper method.

EDIT2: That 32-bit field in the header of the configuration partition is indeed the checksum for the gzipped XML MIB file. See the output of the attached C program.

Code: [Select]
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    FILE *fp = NULL;            /* initialised so badexit can test them safely */
    unsigned char *buf = NULL;
    long sz, i;
    unsigned int csum = 0;      /* 32-bit additive checksum, as in the RGCFG1 header */

    if(argc!=2) {
        printf("usage: %s <filename>\n", argv[0]);
        goto badexit;
    }

    if(!(fp=fopen(argv[1], "rb"))) {
        printf("Error reading file %s\n", argv[1]);
        goto badexit;
    }

    /* file size via seek/tell */
    fseek(fp,0L,SEEK_END);
    sz=ftell(fp);
    fseek(fp,0L,SEEK_SET);
    if(sz < 0) {
        printf("Error sizing file %s\n", argv[1]);
        goto badexit;
    }

    if(!(buf=malloc((size_t)sz))) {
        printf("Memory allocation error\n");
        goto badexit;
    }

    if(fread(buf, 1, (size_t)sz, fp) != (size_t)sz) {
        printf("Error reading %ld bytes from %s\n", sz, argv[1]);
        goto badexit;
    }
    printf("Read %08lx (%ld) bytes from %s\n", sz, sz, argv[1]);

    fclose(fp);
    fp = NULL;

    /* sum every byte of the file */
    for(i=0;i<sz;i++)
        csum += buf[i];

    printf("checksum of %s = %08x\n", argv[1], csum);
    free(buf);
    return 0;

badexit:
    if(fp)
        fclose(fp);
    if(buf)
        free(buf);
    return -1;
}

$ ./checksum eciconfig.gz
Read 000008a4 (2212) bytes from eciconfig.gz
checksum of eciconfig.gz = 00043c62

If all else fails, we can manually re-program that raw flash block with a new XML MIB file that is configured to re-enable LAN and web GUI access  :P

Slowly getting there  ???

cheers, a

[1] http://www.macronix.com/..MX29LV640ETBver13-1.3.pdf (http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/DBACA1C90564EBB248257639003A563A/$File/MX29LV640ETBver13-1.3.pdf)   (see sector address table on page 9)
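As an added example, not code from this thread, the following Python script parses a partition laid out like the RGCFG1 hexdump above: the signature at 0x00, the four big-endian 32-bit fields at 0x10 (header length, MIB offset, MIB length, checksum), the env text block between the header and the MIB offset, and the gzip'ed XML MIB itself. It checks the byte-sum checksum against the payload the way the C program does and decompresses the XML. The partition it operates on is constructed inside the script from a short env block and a small XML document; the layout is inferred from the hexdump, and the helper find_partition, which looks for the signature at 64 KByte sector boundaries, is an assumption about how the partition would be located in a fuller dump.

```python
"""Parse and verify an RGCFG1-style board configuration partition.

Added example, not code from the thread.  Layout inferred from the hexdump
above: "RGCFG1" at 0x00, four big-endian uint32 fields at 0x10 (header
length, MIB offset, MIB length, checksum), an env text block from the end
of the header to the MIB offset, then the gzip'ed XML MIB.
"""
import gzip
import struct

SIGNATURE = b"RGCFG1"
HEADER_LEN = 0x80
FIELDS_OFFSET = 0x10        # the four uint32 fields (line 0000010: of the hexdump)
SECTOR_SIZE = 0x10000       # 64 KByte sectors of the MX29LV640 NOR device


def checksum(data):
    """32-bit additive checksum: the sum of all bytes, as the C program computes."""
    return sum(data) & 0xFFFFFFFF


def build_partition(env_text, xml_text):
    """Construct a test partition (sample input for this example, not a real dump)."""
    payload = gzip.compress(xml_text.encode(), mtime=0)
    env = env_text.encode()
    cfg_offset = HEADER_LEN + len(env)
    header = SIGNATURE.ljust(FIELDS_OFFSET, b"\0")
    header += struct.pack(">IIII", HEADER_LEN, cfg_offset, len(payload), checksum(payload))
    return header.ljust(HEADER_LEN, b"\0") + env + payload


def parse_partition(blob):
    """Parse the header, verify the checksum and return header fields, env and XML.

    Raises ValueError on a bad signature, a truncated MIB or a checksum mismatch.
    """
    if blob[:len(SIGNATURE)] != SIGNATURE:
        raise ValueError("RGCFG1 signature not found")
    hdr_len, cfg_off, cfg_len, stored = struct.unpack_from(">IIII", blob, FIELDS_OFFSET)
    payload = blob[cfg_off:cfg_off + cfg_len]
    if len(payload) != cfg_len:
        raise ValueError("MIB runs past the end of the partition")
    computed = checksum(payload)
    if computed != stored:
        raise ValueError(f"checksum mismatch: header {stored:#010x}, computed {computed:#010x}")
    env_text = blob[hdr_len:cfg_off].decode("ascii", "replace")
    env = dict(line.split("=", 1) for line in env_text.split("\n") if "=" in line)
    return {
        "header_len": hdr_len,
        "config_offset": cfg_off,
        "config_len": cfg_len,
        "checksum": stored,
        "env": env,
        "xml": gzip.decompress(payload).decode(),
    }


def find_partition(image):
    """Offset of the first sector-aligned RGCFG1 signature in image, or -1.

    Assumption: the partition starts on a sector boundary, as at 0x40000 above.
    """
    for off in range(0, len(image), SECTOR_SIZE):
        if image[off:off + len(SIGNATURE)] == SIGNATURE:
            return off
    return -1


if __name__ == "__main__":
    # Constructed sample: env keys as in the hexdump, values made up; a tiny XML MIB.
    blob = build_partition("activeregion=2\ncountrycode=840\nhwrev=A1\n",
                           "<cfg><sys><hostname>example</hostname></sys></cfg>")
    image = b"\xff" * (4 * SECTOR_SIZE) + blob        # erased NOR reads 0xff; partition in sector 4
    start = find_partition(image)
    info = parse_partition(image[start:])
    print(f"partition at {start:#x}, MIB at +{info['config_offset']:#x}, "
          f"{info['config_len']} bytes, checksum {info['checksum']:#x}")
    print(info["env"])
    print(info["xml"])
```

Flipping any single byte of the payload makes parse_partition raise a checksum mismatch, which is the corruption rgbin's "config data is corrupted" message refers to. An additive checksum is weak evidence of integrity, though: swapping two bytes leaves the sum unchanged, so a successful gzip decompression of the payload is the more useful second check.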
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 05, 2012, 10:54:24 PM
Tell me what to and I'll be happy to do it, especially if it means I get a pretty web interface and can help others in my situation. It'd also be nice to find a repair system for new firmware, if one exists...

Hi again Ben..

Once you've gained a shell via the serial port.. your energies could be profitably focused on that tool for modifying the NVRAM configuration data of the modem..

It looks like you would need to modify one or two XML element values in the gzip'ed CPE MIB file that is found in the "RGCFG1" NVRAM board configuration partition of the flash.

Specifically, these are the element values which probably need changing..

   <switch>
..
      <lan_access_cpe_enable>0</lan_access_cpe_enable>
..
      <port id="2">
         <vid>102</vid>
         <pri>7</pri>
         <loopback>0</loopback>
         <activate>0</activate>
         <special_vlan>0</special_vlan>
      </port>
   </switch>

It may be that the XML MIB file needs to be gunzipped first.. bit of tinkering necessary there..

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on April 06, 2012, 01:48:45 AM
Sterling work there, asbokid.  I'm mostly in awe, don't really understand everything you say, but am diligently reading your reports, and replicating your work locally.

If you don't mind my asking, where did you get your skills, and how long did it take :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 06, 2012, 01:56:32 AM
Tell me what to and I'll be happy to do it, especially if it means I get a pretty web interface and can help others in my situation. It'd also be nice to find a repair system for new firmware, if one exists...

Hi again Ben..

Once you've gained a shell via the serial port.. your energies could be profitably focused on that tool for modifying the NVRAM configuration data of the modem..

It looks like you would need to modify one or two XML element values in the gzip'ed CPE MIB file that is found in the "RGCFG1" NVRAM board configuration partition of the flash.

Specifically, these are the element values which probably need changing..

   <switch>
..
      <lan_access_cpe_enable>0</lan_access_cpe_enable>
..
      <port id="2">
         <vid>102</vid>
         <pri>7</pri>
         <loopback>0</loopback>
         <activate>0</activate>
         <special_vlan>0</special_vlan>
      </port>
   </switch>

It may be that the XML MIB file needs to be gunzipped first.. bit of tinkering necessary there..

There appears to be a dedicated tool for modifying the XML MIB file [1] in the ECI modem..

The tool is found at /usr/sbin/xmldbc

Here are the command line options for xmldbc:

Code: [Select]
Usage: xmldbc version 2 [OPTIONS]
  -h                     show this help message.
  -H                     show version number.
  -v                     verbose mode.
  -a                     dump database include runtime and tmp.
  -i                     ignore external function (like runtime).
  -g {node path}         get value from {node path}.
  -s {node path} {value} set  {value} in {node path}.
  -d {node path}         delete {node path}.
  -l {XML file}          reload XML file to database.
  -f {XML file}          set XML file to database.
  -D {XML file}          dump database to XML file.
  -S {unix socket}       specify unix socket name, default is /var/run/xmldb_sock
  -A {ephp file}         embeded php parse.
  -V {name=value}        variable for ephp.
  -x {command}           set extended get/set command.
  -t {tag:sec:command}   schedule a timer.
  -k {tag}               kill timers by tag.

The xmldbc tool has all the commands needed to set the elements (nodes) in the XML MIB of the ECI to re-enable LAN-side access and the web GUI.

It would probably be easiest to enable DHCP on the ECI as well, and let it assign the PC an IP address.

This is on the brink of success..

cheers, a

[1] http://en.wikipedia.org/wiki/Management_information_base
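A worked illustration of the MIB edit asbokid describes in the two posts above, added here as an example; it is not code from the thread or from the ECI firmware. It takes a copy of the CPE MIB, detects from the gzip magic bytes whether the copy is still compressed (the "may need gunzipping first" point), sets lan_access_cpe_enable and the port 2 activate element to 1, and hands back the result in the same form it arrived in. The sample XML is a constructed stand-in built around the elements quoted in the post; the real RGCFG1 contents and the exact element paths in a full MIB are assumptions, and the block never touches flash or the device itself.

```python
import gzip
import xml.etree.ElementTree as ET

GZIP_MAGIC = b"\x1f\x8b"

# Constructed stand-in for the CPE MIB. It is built around the elements quoted in
# the post; the real document in RGCFG1 is far larger, so treat the paths as assumptions.
SAMPLE_MIB = b"""<mib>
   <switch>
      <lan_access_cpe_enable>0</lan_access_cpe_enable>
      <port id="1">
         <vid>101</vid>
         <activate>1</activate>
      </port>
      <port id="2">
         <vid>102</vid>
         <pri>7</pri>
         <loopback>0</loopback>
         <activate>0</activate>
         <special_vlan>0</special_vlan>
      </port>
   </switch>
</mib>
"""


def gzipped_sample():
    """The constructed MIB as it would look straight out of the gzip'ed partition."""
    return gzip.compress(SAMPLE_MIB)


def load_mib(blob):
    """Parse the MIB whether or not it is gzip-compressed; return (root, was_gzipped)."""
    was_gzipped = blob[:2] == GZIP_MAGIC
    if was_gzipped:
        blob = gzip.decompress(blob)
    return ET.fromstring(blob), was_gzipped


def get_value(blob, path):
    """Read one element's text by ElementPath (e.g. switch/port[@id='2']/activate)."""
    root, _ = load_mib(blob)
    node = root.find(path)
    if node is None:
        raise KeyError("MIB has no element at " + path)
    return node.text


def enable_lan_access(blob, port_id="2"):
    """Set lan_access_cpe_enable=1 and activate the given switch port.

    Returns (new_blob, changes): changes maps each edited path to its previous
    value, and new_blob is gzipped again only if the input was gzipped.
    A missing element raises KeyError rather than silently creating it.
    """
    root, was_gzipped = load_mib(blob)
    wanted = {
        "switch/lan_access_cpe_enable": "1",
        "switch/port[@id='%s']/activate" % port_id: "1",
    }
    changes = {}
    for path, value in wanted.items():
        node = root.find(path)
        if node is None:
            raise KeyError("MIB has no element at " + path)
        changes[path] = node.text
        node.text = value
    out = ET.tostring(root)
    return (gzip.compress(out) if was_gzipped else out), changes


if __name__ == "__main__":
    new_blob, changes = enable_lan_access(gzipped_sample())
    for path, old in changes.items():
        print("%s: %s -> %s" % (path, old, get_value(new_blob, path)))
```

The block only edits a file copy; getting that copy off the device and the edited one back is what the xmldbc options quoted in the post (-D to dump, -l to reload) are for, and keeping the untouched original alongside the edited one is the obvious precaution before reloading anything.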
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 06, 2012, 04:30:49 PM
Hi.. An important correction...

The flash memory IC on the PCB of the ECI is a Macronix MX29LV640EB. [1] That is a NOR flash device rather than a NAND device...

As such, the IC utilises the Common Flash Interface (CFI) rather than the Open NAND flash interface (ONFI)...

On a second note..

Just a quick observation..

Whoever built the firmware for the ECI also patched the U-Boot loader to use RSA authentication.

We can see that from the boot log dumps that uklad posted to this thread. [2] [3]

Code: [Select]
Have RSA magic !!!
Image at B0051060:
   Image Name:   MIPS Linux-2.6.20
..
Have RSA magic !!!
Image at B03F1060:
   Image Name:   MIPS Linux-2.6.20
..
## Booting image from active region 2 at b03f0000 ...
Check RSA image magic--OK!
Please type [setenv rsa_check 1] !!!
..
RSA_CHECK:  0

Fortunately, it looks like RSA authentication is present but disabled.

RSA authentication of firmware is not a standard part of U-Boot. [4]  It was patched into the ECI firmware by persons unknown. But it looks like this developer might have an idea who did it. [5]   At the time (July 2009) he was working for SAGEM. [6]

From that mailing list thread, it's clear that Wolfgang Denk, the U-Boot developer, was resistant to the idea of RSA authentication of firmware.

Nevertheless, the code somehow wormed its way into the firmware of the ECI kit supplied as VDSL2 CPE by BT Openreach.

U-Boot is GPL licensed, so this modification for RSA is a violation of the terms under which its use is granted.

cheers, a

[1] http://www.macronix.com/../MX29LV640ETBver13-1.3.pdf (http://www.macronix.com/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/$defaultview/DBACA1C90564EBB248257639003A563A/$File/MX29LV640ETBver13-1.3.pdf)
[2] http://forum.kitz.co.uk/index.php/topic,10635.msg209378.html#msg209378
[3] http://forum.kitz.co.uk/index.php/topic,10635.msg209377.html#msg209377
[4] http://git.denx.de/?p=u-boot.git;a=tree;f=doc/uImage.FIT
[5] http://lists.denx.de/pipermail/u-boot/2009-July/057169.html
[6] http://www.doyoubuzz.com/cyrille-francois
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on April 08, 2012, 09:46:59 PM
Asbokid i just dropped you an email... let me know what you think ...
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 09, 2012, 08:06:50 PM
I have been in contact with the FSF about our device violating the GPL multiple times, they are working on it. Also, I am yet to receive my converter because I'm foolish: it's a bank holiday today and last Friday, hence no post. I should get it tomorrow or the day after.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Blackeagle on April 09, 2012, 08:50:50 PM
Following this with great interest as said modem is currently powering my FTTC service.

Given what asbo has said, I believe that it's possible to connect by UART and use xmldbc to modify the configuration to enable LAN side access.  If this is indeed the case, then all of you guys in this thread have worked yet another miracle between you.  Although I don't currently see that this will aid any user that cannot add the required port to the ECI, I am of the (hopeful) opinion that once it's unlocked, someone may find a loophole in much the same way as asbo did for the HG612 to be able to upload over ethernet.

If not, I am quite prepared to wave my soldering iron once again, although the prospect of SWMBO being unable to access FB does fill me with dread should I lift a pad or bridge something  :o

If this is gonna be my only option (other than buying an HG612), if someone could provide details of the needed cables etc I would be more than grateful.  Perhaps I'm being lazy here and should just review the thread, but I don't want to jump in and then find I should have got something else.

Basically, I just want to be sure of what I'm doing before I do it !!!

Thanks for your attention

BE
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on April 09, 2012, 09:50:42 PM
Blackeagle: we are not there yet but making progress. Judging by what we have found so far, even if asbokid unlocks the firmware file I cannot find any means of flashing the firmware without having access to the UART console. Anyway, work continues..
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Blackeagle on April 09, 2012, 09:57:47 PM
Blackeagle: we are not there yet but making progress. Judging by what we have found so far, even if asbokid unlocks the firmware file I cannot find any means of flashing the firmware without having access to the UART console. Anyway, work continues..

NP uklad.  I may have just sourced myself an unlocked Huawei HG612, leaving me time and space to play with the ECI !!

As an aside, I have found a source for the Dare DB120 but it would still need translating to English, which won't happen for a month or so.

Keep up the good work bud !!

Regards

BE
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on April 10, 2012, 03:33:39 AM
Quote
As an aside, I have found a source for the Dare DB120 but it would still need translating to English, which won't happen for a month or so.

That will be interesting.  :)  And will be worth a thread of its own!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: JoshShep on April 10, 2012, 12:43:50 PM
Looks like Openreach have released code for the ECI

http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do

scroll down to Openreach Modems @ OTN's

Or here is the direct download link - http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 10, 2012, 03:26:06 PM
Looks like Openreach have released code for the ECI

http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do

scroll down to Openreach Modems @ OTN's

Or here is the direct download link - http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip

Thank you for posting that, Josh. Well spotted!

Thank you to BT Openreach as well.

Frustratingly...the tarball (inside the zip) is corrupted, but hopefully someone at Openreach will soon remedy that.

cheers, a



p.s. uklad asked me to report that we've successfully unlocked his ECI via the UART.   All credit to uklad for breaking the camel's back  :)

Here are a couple of screenshots. The ECI has a really nice GUI. Great shame that it's hidden away from sight  :-X

Maybe we can now do some performance tests to compare the ECI and the HG612.

(http://www4.picturepush.com/photo/a/8002527/640/8002527.png)
Setup | Wizard (http://picturepush.com/public/8002527)

(http://www4.picturepush.com/photo/a/8002542/640/8002542.png)
Setup | WAN (connection #1) (http://picturepush.com/public/8002542)

(http://www5.picturepush.com/photo/a/8002573/640/8002573.png)
Status | Device Info (http://picturepush.com/public/8002573)

(http://www4.picturepush.com/photo/a/8002597/640/8002597.png)
Status | Device Info (http://picturepush.com/public/8002597)

(http://www4.picturepush.com/photo/a/8002607/640/8002607.png)
Port Scan (http://picturepush.com/public/8002607)

More screenshots at: http://hackingecibfocusv2fubirevb.wordpress.com/
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: c6em on April 10, 2012, 04:03:09 PM

The GUI seems exactly the same layout as used on the Dlink 2640B and 2740B series of ADSL routers.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: roseway on April 10, 2012, 04:35:21 PM
Quote
Frustratingly...the tarball (inside the zip) is corrupted, but hopefully someone at Openreach will soon remedy that.

There only seems to be one header file missing: vr.3048/boards/lantiq_vr9/bootcode/include/asm-mips/arch-mips

All the rest is recoverable from the archive.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: JoshShep on April 10, 2012, 04:39:46 PM
Great work guys  ;)

Would it be possible to unlock the modem via the second Lan port?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 10, 2012, 05:11:56 PM
Quote
Frustratingly...the tarball (inside the zip) is corrupted, but hopefully someone at Openreach will soon remedy that.

There only seems to be one header file missing: vr.3048/boards/lantiq_vr9/bootcode/include/asm-mips/arch-mips

All the rest is recoverable from the archive.

A lot more than one file is corrupted  :'(

Nearly 75% of the gzipped tar archive (contained within the zip) is corrupted.

The .tar.gz file (contained within the zip) should be 89,684,840 bytes in length.

However, from byte 22,020,096 (0x1500000) onwards in that .gz, is all zero:

Code: [Select]
asbokid@l502x:~/eci_gpl$ wget http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
--2012-04-10 17:02:34--  http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
Resolving www.openreach.co.uk (www.openreach.co.uk)... 217.140.45.11
Connecting to www.openreach.co.uk (www.openreach.co.uk)|217.140.45.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22016583 (21M) [application/zip]
Saving to: `eci_alpha1B_VDSL_3048.zip'

100%[===============================================================================================>] 22,016,583  1.39M/s   in 20s     

2012-04-10 17:02:55 (1.04 MB/s) - `eci_alpha1B_VDSL_3048.zip' saved [22016583/22016583]

asbokid@l502x:~/eci_gpl$ md5sum eci_alpha1B_VDSL_3048.zip
2016cacd7b7bd67da645f6dac57cd970  eci_alpha1B_VDSL_3048.zip

asbokid@l502x:~/eci_gpl$ unzip -v eci_alpha1B_VDSL_3048.zip
Archive:  eci_alpha1B_VDSL_3048.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
89684840  Defl:N 22016395  76% 2012-03-16 08:08 7a4f3ff3  ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz
--------          -------  ---                            -------
89684840         22016395  76%                            1 file

asbokid@l502x:~/eci_gpl$ unzip -t eci_alpha1B_VDSL_3048.zip
Archive:  eci_alpha1B_VDSL_3048.zip
    testing: ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz   OK
No errors detected in compressed data of eci_alpha1B_VDSL_3048.zip.

asbokid@l502x:~/eci_gpl$ unzip eci_alpha1B_VDSL_3048.zip
Archive:  eci_alpha1B_VDSL_3048.zip
  inflating: ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz 

asbokid@l502x:~/eci_gpl$ ls -l
total 109088
-rw-r--r-- 1 asbokid asbokid 89684840 Mar 16 08:08 ECIALPHA1B_VDSL_3048_Mar_2012.tar.gz
-rw-r--r-- 1 asbokid asbokid 22016583 Mar 20 08:02 eci_alpha1B_VDSL_3048.zip

asbokid@l502x:~/eci_gpl$ md5sum ECI\ ALPHA1B_VDSL_3048_Mar_2012.tar.gz
2cfa0976bd4318125200a7115c28380e  ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz

asbokid@l502x:~/eci_gpl$ gunzip -t ECI\ ALPHA1B_VDSL_3048_Mar_2012.tar.gz

gzip: ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz: unexpected end of file

asbokid@l502x:~/eci_gpl$ dd bs=1 skip=$((0x14fff00)) if=ECI\ ALPHA1B_VDSL_3048_Mar_2012.tar.gz | xxd -l $((0x200))
0000000: 2004 72b1 c063 21ec 88c4 65f3 222e 053b   .r..c!...e."..;
0000010: a63b 1817 5974 cb38 212f 3728 8c3c 156d  .;..Yt.8!/7(.<.m
0000020: cfec eff1 7df5 7bda 4b04 8dd3 ee22 d2e6  ....}.{.K...."..
0000030: 04c4 9a37 2d8a cf48 cb7a de7a 81cb ea34  ...7-..H.z.z...4
0000040: b2ed efc1 db0c 73e9 dee4 e379 3100 7665  ......s....y1.ve
0000050: 3a1f b183 a2c9 3aaf 4920 c678 2f8f e1a6  :.....:.I .x/...
0000060: a6b0 06b9 4dae 00f7 6d37 2b0a f23f 54ff  ....M...m7+..?T.
0000070: 458e 760e b7ee e759 3a1d dc7d ce77 30b2  E.v....Y:..}.w0.
0000080: 219a bf29 9514 13d4 7360 24d4 0806 cc19  !..)....s`$.....
0000090: 1035 4c05 83ed 74c7 c38e e037 47e8 f484  .5L...t....7G...
00000a0: dd24 3411 75ad a016 e0fb 4077 87e2 c988  .$4.u.....@w....
00000b0: 0c00 1aae baf3 017e 19ab e55d 24cc 0cee  .......~...]$...
00000c0: 4ecd 1013 f489 6852 0bec 648b 9908 a6d9  N.....hR..d.....
00000d0: 6683 d985 3a88 d61c a807 f139 f0cb 2d33  f...:......9..-3
00000e0: 74c0 994c d3e2 1ad3 7971 3a0b 3e90 9858  t..L....yq:.>..X
00000f0: 181a e9ce 807d 81af f6c6 6839 933c 9709  .....}....h9.<..
0000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
...

Hopefully Openreach will notice the problem ASAP  :)

cheers, a
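The point of the dump above is that the zip container checks out (unzip -t reports OK) while the member inside it had already been truncated and zero-padded before it was zipped, so a CRC on the outer archive says nothing about the payload. The Python below is an added example written for this page, not code from the thread or from Openreach; it reproduces that check offline on a constructed archive: it tests the zip CRCs, streams the inner gzip through to its end-of-stream marker, and reports the offset at which a trailing run of zero bytes begins, which is what the dd/xxd command above was locating by hand. The payload and the member name are constructed.

```python
import gzip
import io
import zipfile
import zlib

# Constructed payload standing in for the tarball; any data of a few tens of KB will do.
SAMPLE_PAYLOAD = b"".join(b"%08d constructed line of tar-like content\n" % i for i in range(4000))


def build_sample_zip(payload, cut_at=None):
    """Zip a gzip of payload. If cut_at is given, truncate the gzip there and
    zero-pad it back to its original length first, mimicking the Openreach archive.
    Returns (zip_bytes, member_bytes)."""
    member = gzip.compress(payload)
    if cut_at is not None:
        member = member[:cut_at] + b"\x00" * (len(member) - cut_at)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.tar.gz", member)
    return buf.getvalue(), member


def zip_container_ok(zip_bytes):
    """What 'unzip -t' checks: the CRC of each stored member, nothing about what is inside it."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.testzip() is None


def gzip_payload_ok(member):
    """What 'gunzip -t' checks: decode the whole gzip stream to its end marker and CRC."""
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(member)) as gz:
            while gz.read(1 << 16):
                pass
        return True
    except (EOFError, OSError, zlib.error):
        # EOFError: stream ended early; OSError (BadGzipFile): bad header/CRC;
        # zlib.error: the zero padding decoded into an invalid deflate block.
        return False


def zero_tail_offset(data):
    """Offset where the trailing run of zero bytes starts; len(data) if there is none."""
    end = len(data)
    while end > 0 and data[end - 1] == 0:
        end -= 1
    return end


def audit(zip_bytes):
    """Run all three checks on the first member and report them together."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        member = zf.read(name)
    return {
        "member": name,
        "zip_crc_ok": zip_container_ok(zip_bytes),
        "gzip_ok": gzip_payload_ok(member),
        "length": len(member),
        "zero_tail_from": zero_tail_offset(member),
    }


if __name__ == "__main__":
    damaged_zip, _ = build_sample_zip(SAMPLE_PAYLOAD, cut_at=1000)
    print(audit(damaged_zip))
```

On the constructed archive the report reads zip_crc_ok True, gzip_ok False, and a zero_tail_from well before the member length, the same shape as the real case above: the container was built from an already-damaged file, so only a check of the inner stream catches it.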
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on April 10, 2012, 06:09:44 PM
Quote
p.s. uklad asked me to report that we've successfully unlocked his ECI via the UART.   All credit to uklad for breaking the camel's back  :)

Excellent news!  :thumbs:  :clap:  :clap2:  :dance:  :silly:

Congratulations to the pair of you.  :drink:
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: waltergmw on April 10, 2012, 06:57:58 PM
@ uklad & asbokid,

As you are aware we shall be ready and waiting in Ewhurst when eventually we have some service availability.

VERY well done !

Kind Regards,
Walter
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 10, 2012, 07:15:33 PM
Seems my serial adapter will be just for my benefit, unless there is still something I could help with. Nice work none the less.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on April 10, 2012, 07:24:21 PM
Well done, the pair of you!  I'll be following suit as soon as my serial link arrives.

The next step [ed.] chapter, surely, is to have something completely Free on there?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 10, 2012, 08:56:06 PM
Seems my serial adapter will be just for my benefit, unless there is still something I could help with. Nice work none the less.

Hi Ben,

If you fancy a look, AlphaNetwork's tweak of the LZMA algorithm needs documenting with the aim of reverse engineering it. It is used in dozens of different routers to lock down the file systems.

Or maybe you're interested in the btagent remote management tool that is found in the ECI firmware?  The same tool is used in the Huawei HG612, the Home Hub 3.0a (and probably the Business Hub 3.0 and maybe the HH 3.0b).  The tool relies on an RSA-1024 key for security, so a brute-force attack is "currently infeasible", but maybe there are implementation flaws  :no:

Lots of exciting opportunities!

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on April 10, 2012, 09:00:45 PM
Great work guys  ;)

Would it be possible to unlock the modem via the second Lan port?

It may be possible to squirt a modified firmware using TFTP at initial power up via U-Boot. Right now it's not worth me looking into that until we have a working unlocked firmware, something that asbokid is still working on
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 10, 2012, 11:11:53 PM
Great work guys  ;)

Would it be possible to unlock the modem via the second Lan port?

Hi Josh,

Probably not. Not unless the bootloader has a network backdoor.  Another possibility is to crack the btagent remote management tool (which is accessible LAN-side via udp/161).  Slim prospect of success there though.

For those who don't want to solder to the PCB, maybe a strip of right angled header pins could be taped temporarily to the solder pads for the UART port.

cheers, a

EDIT:  port 161 not 169..
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: JoshShep on April 11, 2012, 07:36:12 AM
Cheers a,

guess I'm out of luck then lol, I am terrible with a soldering iron.  :lol:
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: waltergmw on April 11, 2012, 07:52:28 AM
@ asbokid,

I think you've just invented a reason for somebody to develop a conducting glue to be dispensed from a hypodermic type of applicator.

Kind regards,
Walter
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on April 11, 2012, 02:39:32 PM
@ asbokid,

I think you've just invented a reason for somebody to develop a conducting glue to be dispensed from a hypodermic type of applicator.

Kind regards,
Walter

already exists !!

http://www.ecrater.co.uk/p/7983362/silver-conductive-glue
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: waltergmw on April 11, 2012, 05:21:37 PM
Quite astonishing UKLad !

Now all we need is the robot and surgeon's microscope.

Kind regards,
Walter

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 11, 2012, 05:23:47 PM
Right so, got myself a UART connection, YAY. I've modded the config file as per the wordpress guide (you missed gzipping the config file btw). Is there any way to set the web interface to lan 2 and the bridge to lan 1, or vice versa? I have it up on lan 1 currently, which is great, until I want to use the internet.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on April 11, 2012, 06:33:00 PM
Right so, got myself a UART connection, YAY. I've modded the config file as per the wordpress guide (you missed gzipping the config file btw) but I can't work out how to connect to the web interface...

Make sure you are connected to Lan2 and the dsl is not connected !! see below..

I think I may have found a flaw in our unlock. It looks like when the Home Hub or any other router establishes the PPPoE connection to BT via Lan 1, the br0 IP address gets changed, thus losing connectivity to the web interface on Lan 2. Going to try and look into this tonight..
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 11, 2012, 07:11:07 PM
Hmm, well what I've done has given me the web interface on lan 1....
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on April 11, 2012, 07:13:01 PM
Hmm, well what I've done has given me the web interface on lan 1....

You should also get it on Lan2 but I fear you may lose it once connected to the internet..
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 11, 2012, 07:43:31 PM
It's all good, with a bit of OpenWRT foo I've succeeded in being able to access the lan 1 web interface while also using lan 1 for PPPoE. http://wiki.openwrt.org/doc/howto/access.modem.through.nat The test_agent executable is interesting too... test_agent config seems to reveal the tr-069 url, maybe we could fake the server by running a dns server locally and "fool" the modem into taking our commands? Also, is there any way to get like stats? I haven't found any xdsl binary.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on April 11, 2012, 08:25:47 PM
Quote
The test_agent executable is interesting too... test_agent config seems to reveal the tr-069 url, maybe we could fake the server by running a dns server locally and "fool" the modem into taking our commands?

TR-069 spoofing is something I have been occasionally thinking about . . .  :-\
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 11, 2012, 09:00:50 PM
It seems to be quite open, so long as we can pretend to be the correct server...
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on April 11, 2012, 11:07:39 PM
My understanding is --

The modem/router will make contact with the Evil Empire, at designated times, and say: "I'm here. It's me. This is my status, current configuration and firmware. Is there anything you wish to do?"

The Evil Empire may reply: "Noted. Now bog off!"

At the next contact initiated by the modem/router, the Empire may say: "Yes. I have a little something for you. Let me have control."

The modem/router sets itself into recipient mode and says: "You have control."

The Evil Empire then initiates contact with the modem/router via the designated port and proceeds to molest, nay ravish, the CPE.  :o

There are references regarding TR-069 "out there" (sorry, I don't have any links to hand) but each Empire can implement the technique in its own way. The concept of the technique is clearly defined, the precise details are proprietary.

If you now have sight of some (or all) of the inner workings, then analysis and documentation of the algorithm will be very useful.  ;)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 12, 2012, 03:32:30 AM
(you missed gzipping the config file btw)

Oops!  Thanks for pointing it out. Duly corrected!

is there any way to get like stats? I haven't found any xdsl binary.

/usr/sbin/dsl_cpe_control looks promising. Please report back with info!

cheers, a

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on April 12, 2012, 06:17:59 PM
There are references regarding TR-069 "out there" (sorry, I don't have any links to hand) but each Empire can implement the technique in its own way. The concept of the technique is clearly defined, the precise details are proprietary.

http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf (http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 12, 2012, 06:48:25 PM
Code: [Select]
Alpha # dsl_cpe_control -h
DSL_CPE: Welcome to DSL CPI API control application
DSL_CPE: usage: [options]
DSL_CPE: following options are available:
DSL_CPE:  --help        (-h)    - help screen
DSL_CPE:  --version     (-v)    - display version
DSL_CPE:  --init        (-i)    - init device w/ <xtu> Bits seperated by underscore (e.g. -i05_01_04_00_04_01_00_00)
DSL_CPE:  --low_cfg     (-l)    - low level configuration file
DSL_CPE:  --console     (-c)    - start console
DSL_CPE:  --event_cnf   (-e)    - configure instance activation handling <enable/disable>[_mask] (e.g. -e1_1)
DSL_CPE:  --msg_dump    (-m)    - enable message dump
DSL_CPE:  --auto_scr_1  (-a)    - autoboot start script for ADSL (empty by default)
DSL_CPE:  --auto_scr_2  (-A)    - autoboot start script for VDSL (empty by default)
DSL_CPE:  --firmware1   (-f)    - firmware file, default /opt/ifx/firmware/xcpe_hw.bin
DSL_CPE:  --notif       (-n)    - notification script name, default ./xdslrc.sh
DSL_CPE:  --tcpmsg      (-t)    - enable dbgtool, listen only on <ipaddr> (optional, e.g. -t0.0.0.0)
DSL_CPE:  --multimode   (-M)    - set multimode config -M<NextMode>_<AdslSubPref> (e.g. -M1_1)
DSL_CPE:  --tc-layer    (-T)    - set TC-Layer options -T<TcLayer>_<TcConfigUs>_<TcConfigDs> (e.g. -T2_0x3_0x1)

Whatever command I run it seems to kill my telnet session... Maybe it's because of how I have routing setup, I'll try something else...

This may be of interest http://pastebin.com/2D4NW2HR . In addition, if you look through /www/ there are a lot of hidden web pages, unfortunately none have any statistics.

http://svn.dd-wrt.com:8000/browser/src/router/dsl_cpe_control/src/dsl_cpe_control.c?rev=15977 seems to give us source for the dsl_cpe_control utility.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on April 12, 2012, 09:29:08 PM
http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf (http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf)

Thank you for providing the link to the document. Team-work prevails, once again. I just couldn't lay my paws on it at the time of my previous post.  :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 12, 2012, 10:35:34 PM
Code: [Select]
Alpha # dsl_cpe_control -h
DSL_CPE: Welcome to DSL CPI API control application
DSL_CPE: usage: [options]
DSL_CPE: following options are available:
DSL_CPE:  --help        (-h)    - help screen
DSL_CPE:  --version     (-v)    - display version
DSL_CPE:  --init        (-i)    - init device w/ <xtu> Bits seperated by underscore (e.g. -i05_01_04_00_04_01_00_00)
DSL_CPE:  --low_cfg     (-l)    - low level configuration file
DSL_CPE:  --console     (-c)    - start console
DSL_CPE:  --event_cnf   (-e)    - configure instance activation handling <enable/disable>[_mask] (e.g. -e1_1)
DSL_CPE:  --msg_dump    (-m)    - enable message dump
DSL_CPE:  --auto_scr_1  (-a)    - autoboot start script for ADSL (empty by default)
DSL_CPE:  --auto_scr_2  (-A)    - autoboot start script for VDSL (empty by default)
DSL_CPE:  --firmware1   (-f)    - firmware file, default /opt/ifx/firmware/xcpe_hw.bin
DSL_CPE:  --notif       (-n)    - notification script name, default ./xdslrc.sh
DSL_CPE:  --tcpmsg      (-t)    - enable dbgtool, listen only on <ipaddr> (optional, e.g. -t0.0.0.0)
DSL_CPE:  --multimode   (-M)    - set multimode config -M<NextMode>_<AdslSubPref> (e.g. -M1_1)
DSL_CPE:  --tc-layer    (-T)    - set TC-Layer options -T<TcLayer>_<TcConfigUs>_<TcConfigDs> (e.g. -T2_0x3_0x1)

Ahh. maybe it's another multi-call binary that presents a different set of command line options depending on how it's invoked (argv[0]) ?  Just a guess.

uklad has commandeered his ECI now, so no more playing with it for me :(

However, if I've got the gist right..

the CPU in the ECI is a dual core  - a MIPS32 and an unknown 32-bit DSP engine - in all probability another MIPS32 with extensions to the instruction set to provide DSP hardware functionality.

The MIPS32 core#1 runs the MIPS Linux operating system.  The hardware driver blob aka 'firmware'  (/ifx/vdsl2/xcpe_hw.bin) for the second core is loaded by the control core (core#1) into shared memory, and the execution of that code by core#2 is started.

The Linux kernel has a loadable kernel module (/ifx/vdsl2/drv_dsl_cpe_api.ko) which provides an interface from userspace to the kernel by way of a character device (/dev/dsl_cpe_api). It is through this interface that the line statistics from the DSP32 core are obtained.   There should be a userspace binary that invokes system calls (read/write/ioctl) on that device. The embedded webserver must be invoking such calls, either directly, or via some middleware (i.e. that xmldb thing).

It's much the same in the Broadcom-chipset Huawei. A userspace binary called xdslcmd is used to invoke ioctl() system calls on /dev/bcmadsl0 to obtain various xdsl stats.  The Linux kernel passes these calls to an ioctl de-multiplexer in the device driver, which obtains the stats from the hardware driver (the firmware blob) running on the DSP core. This is via some form of inter-process communication (IPC), semaphores, shared memory or message passing.

Quote
This may be of interest http://pastebin.com/2D4NW2HR . In addition, if you look through /www/ there are a lot of hidden web pages, unfortunately none have any statistics.

Ahh. server-side scripting fudged together with javascript.  It's very similar to the Huawei, except the ECI also uses that XML database for storing realtime data. [1]

In the excerpt of code below, we can see the embedded servlet function ConfigGetArray().

The servlet parsing engine in the embedded webserver replaces everything within the delimiters <? and ?> with the return value from the ConfigGetArray function.

And the ConfigGetArray() function must query the XML database for the statistic, in this case to obtain the line attenuation for frequency band 0.

Code: [Select]
..
var StLineAttenuation = new Array();
..
/* Line Attenuation*/
StLineAttenuation[0] = <?ConfigGetArray(/runtime/vdsl2/line/band:0/,lnatten/up,lnatten/down)?>;

You could directly obtain that statistic using xmldbc, with something like this:

Code: [Select]
xmldbc -g /runtime/vdsl2/line/band:0/lnatten/down

To get a bit closer to the kernel..  you could build strace and monitor the system calls made by xmldbc (et al) as that command is invoked. This will uncover how to communicate directly with the kernel device driver.  However the API will be documented in the source code for the drv_dsl_cpe_api device driver.

Also, take a close look at the -a command line option of xmldbc. It will dump the database contents including runtime and temporary data. That could reveal the XML node names for the tonemap data.

Since I haven't got access to an ECI any more, it is with great regret that I must bow out of the hack-fest but with the reassurance that it is left in the competent hands of uklad and yourself  :)

Quote
http://svn.dd-wrt.com:8000/browser/src/router/dsl_cpe_control/src/dsl_cpe_control.c?rev=15977 seems to give us source for the dsl_cpe_control utility.

Aha.. I saw that in the corrupted source tarball published by Openreach.  :police:

cheers, a

EDIT:  Bit of info in the openwrt.org development mailing list.   Note how you read and write to a pipe to send commands to the dsl_cpe_control daemon to request and receive stats from the xdsl layer.  That will be for the AR9 (Lantiq's ADSL2 SOC family) but it's probably very similar for the VR9 (VDSL2.chipset family including the VRX268). [2]

[1] http://www.psidoc.com/showthread.php/635-busybox-quot-httpd-quot-help-needed-hacking-a-router
[2] https://lists.openwrt.org/pipermail/openwrt-devel/2012-January/013602.html
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 13, 2012, 10:47:58 AM
http://pastie.org/private/andzysdm8hhmse2groohw
xmldbc -D /tmp/db.xml -a

As you can tell a lot of data is missing for some reason. However that pipe works PERFECTLY. The command set is listed with the command "help". http://pastie.org/private/uxkq541nllsply2evizxw and it seems to work much the same as the DSL version :D

Code: [Select]
Alpha # echo "g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=178 SNR=64 ATTNDR=42533120
ACTPS=-901 ACTATP=55
for example. Still a sucky way to interface, but at least it does work :) From this we SHOULD be able to make our own shell script to get data.

Kept on poking, first is downstream rate, second is upstream, third is downstream line stats, fourth is upstream line stats.
Code: [Select]
Alpha # echo "g997csg 0 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nChannel=0 nDirection=1 ActualDataRate=39992000 PreviousDataRate=0 ActualInterleaveDelay=0 ActualImpulseNoiseProtection=0


Alpha # echo "g997csg 0 0" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nChannel=0 nDirection=0 ActualDataRate=8448000 PreviousDataRate=0 ActualInterleaveDelay=0 ActualImpulseNoiseProtection=0


Alpha # echo "g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=177 SNR=65 ATTNDR=42428544 ACTPS=-901 ACTATP=55


Alpha # echo "g997lsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=0 nDeltDataType=1 LATN=0 SATN=0 SNR=62 ATTNDR=8650125 ACTPS=-901 ACTATP=109

After reading through that script more all the line stats need dividing by ten, that gives me a downstream attenuation of 23.1dB and SNR of 6.5dB, and an upstream attenuation of 0dB? and 6.2dB SNR.. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..

My latest speedtest is
(http://speedtest.net/result/1892009060.png)
and that's pre 80/20. I have a forecast date of Monday for that.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on April 13, 2012, 03:07:04 PM
Since I haven't got access to an ECI any more, it is with great regret that I must bow out of the hack-fest but with the reassurance that it is left in the competent hands of uklad and yourself

I can make mine available to you again just it cannot be live on DSL at the same time.. but the offer of a loan still stands..
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 13, 2012, 03:11:25 PM
I can provide an ssh tunnel to my home server which has telnet access to my modem if it's really necessary..
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 13, 2012, 11:06:36 PM
http://pastie.org/private/andzysdm8hhmse2groohw
xmldbc -D /tmp/db.xml -a

As you can tell a lot of data is missing for some reason. However that pipe works PERFECTLY. The command set is listed with the command "help". http://pastie.org/private/uxkq541nllsply2evizxw and it seems to work much the same as the DSL version :D

Code: [Select]
Alpha # echo "g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=178 SNR=64 ATTNDR=42533120
ACTPS=-901 ACTATP=55
for example. Still a sucky way to interface, but at least it does work :) From this we SHOULD be able to make our own shell script to get data.

Whayhay!  Good find, Ben!   Do the values correspond with the stats in the web interface of the ECI?  Maybe the missing values are populated once the device has had a reasonably long uptime?

Quote
After reading through that script more all the line stats need dividing by ten, that gives me a downstream attenuation of 23.1dB and SNR of 6.5dB, and an upstream attenuation of 0dB? and 6.2dB SNR.. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..

God knows! It doesn't sound very good though.   Paul (Bald_Eagle) is the man with the answers. He has officially studied more VDSL2 connection stats than the rest of us have had hot dinners!

I can provide an ssh tunnel to my home server which has telnet access to my modem if it's really necessary..

I can make mine available to you again just it cannot be live on DSL at the same time.. but the offer of a loan still stands..

That's very generous of you both  :)

The main interest is the LZMA tweak to the Linux kernel driver for squashfs.    The tweak needs to be cracked before a fully functional file system can be re-built (in our own graven image) for the ECI.   To that end, we need to dump the uncompressed form of the files that we couldn't uncompress with the open source tools.

It was hoped that this could be done with a shell script on the ECI. However the shell provided by Busybox in the ECI firmware is the lightweight msh (the Minix shell).  It is very pared down so it's missing too much functionality to be useful.

The alternative is to build some native MIPS code to do the file system dumping. To build this code, there's a pre-built GNU cross-compiling toolchain for the Lantiq XWAY AR9 CPUs which should be okay for the VR9 series. It might take a little while to sort that out though.  Hopefully before then Openreach will have repaired that dodgy tarball of GPL'ed code for the ECI.  The tarball may well contain a toolchain.

cheers, a

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on April 14, 2012, 08:50:07 AM

Quote
After reading through that script more all the line stats need dividing by ten, that gives me a downstream attenuation of 23.1dB and SNR of 6.5dB, and an upstream attenuation of 0dB? and 6.2dB SNR.. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..

God knows! It doesn't sound very good though.   Paul (Bald_Eagle) is the man with the answers. He has officially studied more VDSL2 connection stats than the rest of us have had hot dinners!


The Huawei HG612 splits attenuation/SNR etc. across the band plans & reports 0dB in its GUI where a value would be expected.
Is the ECI stats snippet posted (LATN=231 SATN=178 SNR=64 ) the only combined value shown for all the downstream band plans?

If so, I THINK it seems to report the stats in a similar way to the FritzBox! 3930.
I THINK the FritzBox! also reports 0dB for upstream attenuation.

What sync speeds are being achieved & how do they compare against Attainable Rates?
If there is not much difference between them, that COULD explain the low(ish) SNR values (assuming it really means SNR Margin).

High Attainable speed connections, still capped at 40Mb show SNRM values of up to 30dB or so.
My connection that struggles to achieve more than 30Mb (sync & attainable) has a value usually of 6dB (quite often less).
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 14, 2012, 11:14:15 AM

Quote
After reading through that script more all the line stats need dividing by ten, that gives me a downstream attenuation of 23.1dB and SNR of 6.5dB, and an upstream attenuation of 0dB? and 6.2dB SNR.. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..

God knows! It doesn't sound very good though.   Paul (Bald_Eagle) is the man with the answers. He has officially studied more VDSL2 connection stats than the rest of us have had hot dinners!


The Huawei HG612 splits attenuation/SNR etc. across the band plans & reports 0dB in its GUI where a value would be expected.
Is the ECI stats snippet posted (LATN=231 SATN=178 SNR=64 ) the only combined value shown for all the downstream band plans?

If so, I THINK it seems to report the stats in a similar way to the FritzBox! 3930.
I THINK the FritzBox! also reports 0dB for upstream attenuation.

What sync speeds are being achieved & how do they compare against Attainable Rates?
If there is not much difference between them, that COULD explain the low(ish) SNR values (assuming it really means SNR Margin).

High Attainable speed connections, still capped at 40Mb show SNRM values of up to 30dB or so.
My connection that struggles to achieve more than 30Mb (sync & attainable) has a value usually of 6dB (quite often less).

Still waiting for the uplift, should happen Monday I ordered late. My attainable and achieved speeds are very close,
(http://i44.tinypic.com/2potaiq.png)

The GUI also displays 0 for all values like the Huawei,
(http://i41.tinypic.com/2r23nft.png)
I'm not really sure what the arguments for the command are but getting them wrong causes cat to hang when reading ack sometimes. FritzBoxes seem to use Infineon/Lantiq CPUs so the same reporting would make sense.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on April 14, 2012, 12:02:24 PM


FWIW, these are from a FritzBox! - I got the number wrong earlier:-

(http://i1266.photobucket.com/albums/jj538/mervl9/Spectrum.jpg)

(http://i1266.photobucket.com/albums/jj538/mervl9/DSLinfo.jpg)

(http://i1266.photobucket.com/albums/jj538/mervl9/24hourstats.jpg)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 14, 2012, 12:03:33 PM
Let's poke some more at that command then.

Found a magic command for per band values,
Code: [Select]
Alpha # echo "g997lspbg 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=0 LATN[0]=176 LATN[1]=459 LATN[2]=641 LATN[3]=-32768 LATN[4]=-32768 SATN[0]=153 SATN[1]=448 SATN[2]=609 SATN[3]=-32768 SATN[4]=-32768 SNR[0]=65 SNR[1]=62 SNR[2]=71 SNR[3]=-32768 SNR[4]=-32768
Alpha # echo "g997lspbg 0" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=0 LATN[0]=30 LATN[1]=320 LATN[2]=516 LATN[3]=-32768 LATN[4]=-32768 SATN[0]=32 SATN[1]=319 SATN[2]=520 SATN[3]=-32768 SATN[4]=-32768 SNR[0]=60 SNR[1]=60 SNR[2]=63 SNR[3]=-32768 SNR[4]=-32768

The issue is that seems to both be upstream? or maybe nDirection is wrong..

I've found an interesting German modem, the Speedport 221. It appears to be very similar and uses the same method of getting data, BUT it includes a utility dsl-info. I'm having trouble finding a firmware image but I have found it's released source at http://hilfe.telekom.de/hsp/cms/content/HSP/de/3388/FAQ/theme-71990825/Geraete-und-Zubehoer/theme-2000178/DSL-Geraete/theme-66139021/Speedport-Serie/theme-397804711/Sonstige-Speedports-HSPA-LTE-.../theme-157445472/Speedport-2xx-Serie/theme-157445830/Speedport-221 unfortunately it seems that linux source is absent strangely.

More detailed bitloading and SNR although I still can't get upstream SNR.... These should draw nice graphs...
http://pastie.org/private/b87fxzntuvlk3smkra

I'm working on a little tool to get data and make graphs in C#. Should work nicely and produce things similar to that FritzBox screenshot.

I've attached a graph output by my WIP utility, ZedGraph doesn't seem to like having so many values.

EDIT: Or not, got the SNR graph looking pretty :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 14, 2012, 05:19:21 PM
Let's make sure people notice, I've got a tool that will give you a set of graphs. I've currently got downstream SNR and bitloading. Am I missing anything? I'm having trouble with the QLN and HLOG commands, they are also apparently downstream only according to http://svn.dd-wrt.com/browser/src/linux/universal/linux-3.2/drivers/net/ethernet/ifxatm/include/drv_dsl_cpe_api_ioctl?rev=18222 If that's all I'll tidy up this program and release it. It should work under both Mono on Linux and .NET on Windows.

Edit: Hmm, I found a gain command as well, no idea the units it's measured in though... I'm now working on a DMT for the ECI modem.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on April 14, 2012, 07:49:11 PM
The bit-loading graph looks right, but I'm not sure about the SNR graph.

SNR should look similar to bit-loading, but slightly less "blocky".

Also, SNR's maximum value should be around 50dB to 60dB.

It looks like you have divided the Hex value A5 (165 dec) by 10 to give 16.5, so something doesn't look quite right there.

I have no idea what gain is.

I have attached a set of graphs from a HG612 modem on an ECI DSLAM (so it shows the ECI's tone band plans rather than the usual HG612's tone band plans).

Yes, apart from bit-loading, the graphs show DS only data.

The example doesn't show anything of the D3 tone band plan, as attenuation is too high to actually use any of it at Medley Phase, but it was discovered at Discovery Phase.


Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 14, 2012, 08:10:51 PM
There is definitely correlation between the two graphs. I did just read something about snr(i) = y/2 - 32 which gives the following graph. http://wehavemorefun.de/fritzbox/index.php/Dsl_pipe seems to confirm that, it also says something about gain... Still no idea what it shows though.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 14, 2012, 08:33:47 PM
The GUI also displays 0 for all values like the Huawei,

Wow! Very impressive, Ben! You've made some amazing progress!

It's very strange that the GUI continues to have unpopulated fields.   There must be a missing or uninitialised component causing that.

Perhaps see what happens if a missing 'runtime' value is manually saved into the xml database (xmldbc -s) and see if that value then appears in the GUI.    If so, maybe a script or binary should be performing that function periodically - retrieving line stats via the Unix socket(s) from dsl_cpe_control, and then inserting the response into the runtime sub-tree of the XML database.   If that is the mechanism, the script or binary needs to be found and started. Maybe a case of grepping the firmware/available source code for other references to those sockets.

Your graphs look great, too! Did you notice a brief comment to subcarrier graphs in one of the web resources?  There was no corresponding code though  >:(

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 14, 2012, 08:44:51 PM
I'm fairly sure that'd work as the xml db doesn't have the fields populated either. Also, don't suppose anyone understands
Code: [Select]
DSL_uint8_t gain/tone [0..4095 (linear) represented as multiple of 1/512: 20*log(gain/512)]
If I know what that means I should be able to get the gain, whatever it shows. Anyway, making progress on my eDMT tool (ECI DSL modem tool). Should be totally cross-platform on Mono too for those on Linux and Mac :D
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 14, 2012, 10:31:48 PM

If I know what that means I should be able to get the gain, whatever it shows. Anyway, making progress on my eDMT tool (ECI DSL modem tool). Should be totally cross-platform on Mono too for those on Linux and Mac :D

Sounds magnificent!  Can't wait to see it  :)  EDIT: That looks very nice indeed!   What's going in the top space?  The text-based stats?

Code: [Select]
DSL_uint8_t gain/tone [0..4095 (linear) represented as multiple of 1/512: 20*log(gain/512)]

It's the xmt gain table.. Apparently a logarithmic conversion (dB) of the transmit gain for each subcarrier, adapted to conform with the PSD mask, to introduce guard bands, etc..

"All values from –14.5 dB (linear value 96/512) to 18 dB. The gain value shall be represented with 3 bits before and 9 bits after the decimal point, i.e., a granularity of 1/512 in linear scale."   See: G.992.3..[1]

EDIT:
The gain data is recorded by the Broadcom chipsets (e.g. the BCM6368 in the Huawei). However the xdslcmd tool does not retrieve it from the kernel.  Building an open source and extensible version of the xdslcmd tool would make a very good project.


cheers, a

[1] http://www.analytic.ru/articles/lib26.pdf  (old 2002 version but free-to-download)
[2] http://pastie.org/pastes/3786263/text?key=b87fxzntuvlk3smkra
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on April 15, 2012, 11:27:09 AM
Yes,

Fantastic work, all of you.

Are we any closer to unlocking the modem without the need for any soldering etc?

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 15, 2012, 11:51:29 AM
I've personally got a little distracted... Not quite sure the best way to display the other stats. Should I just have text or should I use some of the graphics DMT and vDMT use?

Boom, DSLAM data:
Code: [Select]
Alpha # echo "g997listrg 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 G994VendorID=IFTN SystemVendorID=ECI tele VersionNumber=
SerialNumber=7035490556 SelfTestResult=0 XTSECapabilities=(00,00,00,00,00,00,00,
00)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 15, 2012, 01:19:49 PM
Are we any closer to unlocking the modem without the need for any soldering etc?

There may be a network backdoor into the bootloader of the ECI, as there is with the HG612.  If not, it would probably be a case of cracking the BT Agent remote management server.  The cryptosystem of btagent relies on a 1024-bit 2048-bit RSA key, so it's basically uncrackable by brute force.  Maybe there's something wrong with the implementation though.. Not very likely..

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 15, 2012, 01:25:20 PM
I've personally got a little distracted... Not quite sure the best way to display the other stats. Should I just have text or should I use some of the graphics DMT and vDMT use?

It would probably appeal to more people if it looks very similar to DMT.  All a bit squashed in tho'.  Any signs of the QLN and HLog data?

Quote
Boom, DSLAM data:
Code: [Select]
Alpha # echo "g997listrg 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 G994VendorID=IFTN SystemVendorID=ECI tele VersionNumber=SerialNumber=7035490556 SelfTestResult=0 XTSECapabilities=(00,00,00,00,00,00,00,00)

That's interesting!  So (unsurprisingly) it's an Infineon (IFTN) chipset (now Lantiq) in the subscriber line cards of the ECI DSLAM.  Lantiq's VDSL2 CO chipset is known as the VINAX. [1]

cheers, a

[1] http://www.lantiq.com/products/broadband-access/vdsl/
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 15, 2012, 02:03:47 PM
I've currently got some tabs at the top so it isn't so squashed. I'll try and make it similar, hopefully more readable than vDMT though, its text is really small in places. There are two commands that look like they should return HLOG and QLN data but they always seem to return with nReturn=-36 :S
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Blackeagle on April 15, 2012, 02:35:10 PM
Ben, that looks really good.  Would it be difficult to modify it to work with the HG612 ??  It would save me writing a version, and you seem to have completed most of the code already !!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 15, 2012, 02:51:07 PM
I guess if you had similar enough commands it could be made to work, the issue is that the ECI modem uses a pipe whereas the Huawei uses xdsl. That said, they both work over telnet and have similar commands. I think it could be made to work and use the same UI and such, just a fair bit of the grunt work will need redoing. I plan on making this open source once it's useful anyway so you can convert to your heart's content. (Please note, my code isn't that clean either since I'm working on things I get from the modem that I do not know the exact format of; it does sometimes perform erratically but that's hard to avoid)

Got it actually reading the misc data now. Not sure how I can get profile though unfortunately, I need profile and VDSL version in addition to line status for the misc tab.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 15, 2012, 07:22:02 PM
Hey, finished my eDMT to the point it's now usable. Make sure you OK the messageboxes otherwise it will NOT progress. To switch modems (if you happen to have multiple) just change the IP and hit login again. Make sure to report any bugs you experience, I'll need to know what you were doing, what messages had been shown, and preferably a screenshot. I also threw in eGrapher that will give you a .bmp copy of the 3 graphs. Source code will follow shortly. Please do not mirror the link, my dropbox only has very limited traffic.

http://dl.dropbox.com/u/11197643/eDMT.zip
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 15, 2012, 09:39:47 PM
Hey, finished my eDMT to the point it's now usable. Make sure you OK the messageboxes otherwise it will NOT progress. To switch modems (if you happen to have multiple) just change the IP and hit login again. Make sure to report any bugs you experience, I'll need to know what you were doing, what messages had been shown, and preferably a screenshot. I also threw in eGrapher that will give you a .bmp copy of the 3 graphs. Source code will follow shortly. Please do not mirror the link, my dropbox only has very limited traffic.

http://dl.dropbox.com/u/11197643/eDMT.zip

Amazing stuff!  You've built that at an incredible speed! It would have taken me weeks.   I would love to test it but that would require Windows, an ECI modem and a VDSL2 connection.. Hmm.. 

Can I reference your amazing work on that ECI blog, please?

cheers, a



Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 15, 2012, 09:51:45 PM
Sure, also it will work just fine on Linux and OSX with Mono(http://www.mono-project.com/Main_Page). I noticed a bug, I was just throwing away precision. http://dl.dropbox.com/u/11197643/eDMT_r1.zip fixes it. I've also uploaded a screenshot of each page since you don't have an ECI modem or a VDSL2 connection.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 15, 2012, 10:28:25 PM
Sure, also it will work just fine on Linux and OSX with Mono(http://www.mono-project.com/Main_Page). I noticed a bug, I was just throwing away precision. http://dl.dropbox.com/u/11197643/eDMT_r1.zip fixes it. I've also uploaded a screenshot of each page since you don't have an ECI modem or a VDSL2 connection.

excellent stuff :-)

a couple of hopefully constructive observations..

integer precision would be adequate in the yrange of every graph, and the subcarrier numbers are an index (i.e. integer)..
maybe trap the -32768 values and replace them with a text-based message "N/A" or similar.
a few units of measure, perhaps.. e.g. what unit is attainable rate and data rate (kbps)?.. Perhaps use that code from DMT for calculating Relative Capacity Occupation RCO (actual div attainable)..


cheers, a
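The dsl_cpe_control replies quoted earlier in the thread (g997lsg, g997csg, g997lspbg, g997listrg) are plain "key=value" text, so the observations above (trap the -32768 sentinel, divide the tenths-of-a-dB fields by ten, show units, compute RCO as actual divided by attainable, and convert the per-tone gain with 20*log10(gain/512)) can all be done in one small parser. This is an added example, not code from the thread, from eDMT or from Lantiq; the reply lines embedded below are copied from the posts above with the terminal line wraps removed, and the set of fields treated as tenths is the thread's own reading, not a documented fact.

```python
"""Parse replies that dsl_cpe_control writes to /tmp/pipe/dsl_cpe0_ack."""
import math
from typing import Dict, List, Optional, Union

Value = Union[int, str]

# Sentinel the driver reports for bands that are not in use (see the
# g997lspbg output in the thread); it must be trapped, not divided by ten.
NOT_AVAILABLE = -32768

# Fields the thread worked out to be in tenths of a dB (LATN, SATN, SNR) or
# tenths of a dBm (ACTATP). Everything else is taken as reported.
TENTHS_FIELDS = {"LATN", "SATN", "SNR", "ACTATP"}

# Replies copied from the thread (line wraps removed), used as sample input.
LSG_ACK = ("nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=178 SNR=64 "
           "ATTNDR=42533120 ACTPS=-901 ACTATP=55")
CSG_ACK = ("nReturn=0 nChannel=0 nDirection=1 ActualDataRate=39992000 "
           "PreviousDataRate=0 ActualInterleaveDelay=0 ActualImpulseNoiseProtection=0")
LSPBG_ACK = ("nReturn=0 nDirection=0 LATN[0]=176 LATN[1]=459 LATN[2]=641 "
             "LATN[3]=-32768 LATN[4]=-32768 SATN[0]=153 SATN[1]=448 SATN[2]=609 "
             "SATN[3]=-32768 SATN[4]=-32768 SNR[0]=65 SNR[1]=62 SNR[2]=71 "
             "SNR[3]=-32768 SNR[4]=-32768")
LISTRG_ACK = ("nReturn=0 nDirection=1 G994VendorID=IFTN SystemVendorID=ECI tele "
              "VersionNumber= SerialNumber=7035490556 SelfTestResult=0 "
              "XTSECapabilities=(00,00,00,00,00,00,00,00)")


def _to_value(text: str) -> Value:
    try:
        return int(text)
    except ValueError:
        return text


def parse_ack(line: str) -> Dict[str, Value]:
    """Split 'key=value key=value ...' into a dict.

    A token without '=' continues the previous value, which is how
    'SystemVendorID=ECI tele' survives the whitespace split; an empty
    value such as 'VersionNumber=' is kept as ''.
    """
    fields: Dict[str, str] = {}
    last_key: Optional[str] = None
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
            last_key = key
        elif last_key is not None:
            fields[last_key] += " " + token
    return {k: _to_value(v) for k, v in fields.items()}


def succeeded(ack: Dict[str, Value]) -> bool:
    """nReturn=0 is success; the thread saw nReturn=-36 on the HLOG/QLN attempts."""
    return ack.get("nReturn") == 0


def scaled(ack: Dict[str, Value], key: str) -> Optional[float]:
    """A field in its display unit, or None for N/A. 'LATN[1]' scales like 'LATN'."""
    raw = ack.get(key)
    if not isinstance(raw, int) or raw == NOT_AVAILABLE:
        return None
    base = key.split("[", 1)[0]
    return raw / 10 if base in TENTHS_FIELDS else float(raw)


def band_values(ack: Dict[str, Value], name: str) -> List[Optional[float]]:
    """Collect NAME[0], NAME[1], ... in index order (None where not in use)."""
    values: List[Optional[float]] = []
    while f"{name}[{len(values)}]" in ack:
        values.append(scaled(ack, f"{name}[{len(values)}]"))
    return values


def gain_db(raw: int) -> Optional[float]:
    """Per-tone transmit gain: linear value in 1/512 steps -> 20*log10(gain/512).

    Valid range is 0..4095; 0 means the tone carries nothing (log undefined).
    """
    if not 0 <= raw <= 4095:
        raise ValueError(f"gain out of range: {raw}")
    return None if raw == 0 else 20 * math.log10(raw / 512)


def rco_percent(actual_bps: float, attainable_bps: float) -> Optional[float]:
    """Relative Capacity Occupation: actual rate as a percentage of attainable."""
    return None if attainable_bps <= 0 else 100.0 * actual_bps / attainable_bps


def fmt(value: Optional[float], unit: str) -> str:
    """Format for display: 'N/A' instead of -3276.8."""
    return "N/A" if value is None else f"{value:.1f} {unit}"


def line_summary(lsg_line: str, csg_line: str) -> Dict[str, str]:
    """Readable summary from one g997lsg and one g997csg reply."""
    lsg, csg = parse_ack(lsg_line), parse_ack(csg_line)
    if not (succeeded(lsg) and succeeded(csg)):
        return {"error": f"nReturn lsg={lsg.get('nReturn')} csg={csg.get('nReturn')}"}
    actual, attainable = scaled(csg, "ActualDataRate"), scaled(lsg, "ATTNDR")
    rco = None if actual is None or attainable is None else rco_percent(actual, attainable)

    def kbps(v: Optional[float]) -> Optional[float]:
        return None if v is None else v / 1000

    return {"line attenuation": fmt(scaled(lsg, "LATN"), "dB"),
            "SNR margin": fmt(scaled(lsg, "SNR"), "dB"),
            "actual rate": fmt(kbps(actual), "kbps"),
            "attainable rate": fmt(kbps(attainable), "kbps"),
            "RCO": fmt(rco, "%")}


if __name__ == "__main__":
    for k, v in line_summary(LSG_ACK, CSG_ACK).items():
        print(f"{k:18s} {v}")
    print("per-band LATN:", [fmt(v, "dB") for v in band_values(parse_ack(LSPBG_ACK), "LATN")])
```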
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on April 15, 2012, 10:46:20 PM
It was also interesting to see attenuation for each band AND a single overall DS attenuation value.
Shame it doesn't report US attenuation as a single value.

Looking at Transmit Power, is it just possible that DS & US have been inadvertently switched?
I usually see around 12dBm DS & 6 dBm US from my HG612's single overall values.

FWIW, the first US band plan is named U0, before moving on to U1, U2......, in accordance with the 17a profile in use via BT.
Maybe a simple tweak to report it as such to avoid any potential confusion in any discussion?

@asbokid,


Is there anywhere hidden away in the HG612 firmware to report an overall attenuation value.
I know it has been discussed previously, but as the ECI can do it.............?

It would also be very interesting to compare attenuation values with those reported from a JDSU.
I believe a JDSU can also be made to report attenuation etc. per band plan (just like the HG612 does already).

I intended to try to do that at the latest engineer's visit, but he turned up with an Exfo & he couldn't find them.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 15, 2012, 11:10:24 PM
The powers aren't switched, I'll sort out the names tomorrow. And yea, I guess I can just .Replace the -32768 or w/e it is with N/A. Guess it makes for a nicer UI :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 15, 2012, 11:20:21 PM

Is there anywhere hidden away in the HG612 firmware to report an overall attenuation value.
I know it has been discussed previously, but as the ECI can do it.............?

The attenuation values are only available from the kernel driver on an individual subcarrier basis. So the calculation of the overall attenuation for a band or bands is a mathematical function performed by a userspace tool.

In the Broadcoms, a tool called xdslcmd calculates the aggregate attenuation value for each frequency band.  In theory we could also calculate the overall attenuation value for all DS bands, just as the JDSU and Exfo devices do.

EDIT:

The equation for calculating an aggregate attenuation value is hidden in plain sight... in the G992.3 Recommendations [1]

The average attenuation for a line, a band, a channel or an aggregate of channels is calculated from the linear magnitude function Hlin(f) for each tone, rather than from the logarithmic values from Hlog(f).

However, we can convert Hlog(f) values to Hlin(f) magnitude values using antilogs.

The average attenuation for a channel is then given by the following equation, where NSC is the Number of Sub-Carriers or DMTs utilised by the channel, i is the subcarrier index and Δf is the subcarrier spacing (4.3125kHz for most xDSL standards):

(http://www.texify.com/img/%5CLARGE%5C!Attn%5BdB%5D%3D10%20%5Ccdot%20%5Clog_%7B10%7D%20%5C%5B%20%5Cfrac%20%7B%20%5Csum%5Climits_%7Bi=0%7D%5E%7BNSC%7D%20%7B%7B10%7D%5E%7B%5C%28%5Cfrac%20%7BHlog%28i%20%5Ccdot%20%5CDelta%20f%29%7D%7B20%7D%5C%29%7D%7D%5E%7B2%7D%7D%7BNSC%7D%20%5C%5D.gif)

Attn[dB] = 10 · log10( Σ_{i=0}^{NSC} ( 10^( Hlog(i·Δf) / 20 ) )² / NSC )


Attached is a ZIP containing sample Hlog data from Bald_Eagle's line, and a small C program that uses the above equation to calculate an aggregate attenuation value for each downstream frequency band using that Hlog data.

cheers, a

[1] http://huaweihg612hacking.wordpress.com/2011/10/01/measuring-line-characteristics-on-the-huawei/
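The equation above, carried through on per-tone Hlog data and applied band by band, as an added example (not the C program in the ZIP, and not vendor code). The Hlog samples and the tone ranges of the three bands are constructed for the example; they are not a real line and not the ECI's real 17a band plan, and the subcarrier spacing is the 4.3125 kHz given in the post.

```python
"""Aggregate attenuation from per-tone Hlog values, per the G.992.3 equation."""
import math
from typing import Dict, List, Optional, Sequence, Tuple

DELTA_F_HZ = 4312.5  # subcarrier spacing quoted in the post

# Constructed band plan for the example: name -> (first tone, last tone), inclusive.
EXAMPLE_BANDS: Dict[str, Tuple[int, int]] = {
    "D1": (32, 95),
    "D2": (160, 223),
    "D3": (288, 351),
}


def hlin_magnitude(hlog_db: float) -> float:
    """Antilog: |Hlin| = 10^(Hlog/20). Hlog is a magnitude in dB, hence /20 not /10."""
    return 10.0 ** (hlog_db / 20.0)


def aggregate_hlog_db(hlog_db: Sequence[Optional[float]]) -> Optional[float]:
    """The equation as written: 10*log10( sum_i (10^(Hlog_i/20))^2 / NSC ).

    Tones whose value is None (not measured, or a driver sentinel such as
    -32768 that was trapped earlier) are skipped, and NSC counts only the
    tones actually used. The result keeps Hlog's sign, so a lossy line
    gives a negative figure.
    """
    powers = [hlin_magnitude(h) ** 2 for h in hlog_db if h is not None]
    if not powers:
        return None
    return 10.0 * math.log10(sum(powers) / len(powers))


def aggregate_attenuation_db(hlog_db: Sequence[Optional[float]]) -> Optional[float]:
    """The same quantity with the sign flipped: the positive dB figure a GUI shows."""
    value = aggregate_hlog_db(hlog_db)
    return None if value is None else -value


def naive_db_mean(hlog_db: Sequence[Optional[float]]) -> Optional[float]:
    """Plain average of the dB values, for comparison only: averaging in the log
    domain over-weights the weak tones, which is why the Recommendation averages
    linear power instead."""
    used = [h for h in hlog_db if h is not None]
    return sum(used) / len(used) if used else None


def band_attenuation(hlog_db: Sequence[Optional[float]],
                     bands: Dict[str, Tuple[int, int]]) -> Dict[str, Optional[float]]:
    """Aggregate attenuation per band, indexing hlog_db by tone number."""
    return {name: aggregate_attenuation_db(hlog_db[first:last + 1])
            for name, (first, last) in bands.items()}


def constructed_hlog(n_tones: int = 512,
                     slope_db_per_tone: float = -0.05) -> List[Optional[float]]:
    """Synthetic Hlog: loss growing linearly with frequency, nothing below tone 32."""
    return [None if i < 32 else slope_db_per_tone * i for i in range(n_tones)]


def tone_frequency_hz(tone: int) -> float:
    return tone * DELTA_F_HZ


if __name__ == "__main__":
    hlog = constructed_hlog()
    for band, attn in band_attenuation(hlog, EXAMPLE_BANDS).items():
        lo, hi = EXAMPLE_BANDS[band]
        print(f"{band}: tones {lo}-{hi} "
              f"({tone_frequency_hz(lo) / 1000:.1f}-{tone_frequency_hz(hi) / 1000:.1f} kHz) "
              f"attenuation {attn:.1f} dB")
    print("linear vs dB averaging of [-10, -30]:",
          f"{aggregate_hlog_db([-10, -30]):.2f} vs {naive_db_mean([-10, -30]):.2f}")
```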
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on April 16, 2012, 12:43:22 AM

The powers aren't switched


When dividing the values by 10 to get to dBm that would be 5.5 for DS & 10.6 for US i.e. completely opposite to how the HG612 usually reports “Output Power”.

I presume Output Power & Transmit Power are in fact the same thing?

I have to also presume (I don’t really know) that DS power would usually be much higher than US power due to the large speed differences between them?

The HG612 does get some of its other data mixed up though.
e.g. users with Interleaving, INP & delay completely OFF are seeing FEC errors in the modem’s GUI, which is reported differently via xdslcmd.

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 16, 2012, 04:27:51 PM
I've fixed the GUI as per your suggestions, all values now have units and unused bands report N/A. http://dl.dropbox.com/u/11197643/eDMT_r2.zip
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Synner on April 16, 2012, 07:32:21 PM
Hi All,

Amazing looking work, and record speed!

I have an ECI and have downloaded eDMT, unfortunately I can't get it to run.
Do I need direct connect to the modem?  I've tried the IP and U/Name-Pass combo in your screenshots but no joy.

Thanks and so sorry for the noob questions.

Bri
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 16, 2012, 07:34:02 PM
Currently you can't use it unless you use the UART port to enable telnet access. Until there is a "softmod" this will be the only way to enable access.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Synner on April 16, 2012, 07:37:18 PM
Hi Ben,

Thanks for the info, wish I could contribute but my skillset isn't quite in the right area (actually it's several miles off!)

I'll look forward to a softmod, if anyone can do it it's you guys.

Once again, congratulations on some great work.

Bri
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on April 16, 2012, 11:28:12 PM
Good work guys.. I am impressed you have shot past my abilities, I'm not ashamed to admit..
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on April 17, 2012, 01:43:10 AM
PL2303HX converter finally arrived >:D
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 17, 2012, 08:49:27 PM
PL2303HX converter finally arrived >:D

excellent stuff!  good things come to those who wait!

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on April 19, 2012, 12:29:44 AM
Is there any need to further document the hardware hack?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on April 19, 2012, 12:58:18 AM
Is there any need to further document the hardware hack?

Hello nimda!

please do improve the docs! There's lots still to do :-)

We should be determined to find the parameters to obtain QLN and HLOG from the ECI.  These are perhaps the single most important per-subcarrier measurements available from the modem.

The firmware utility dsl_cpe_control is instrumental here. Fortunately it's fully open source.  So it's a case of studying that code to discover the parameter lists for the commands "g997dqlng" (G997_DeltQLNGet) and "g997dhlogg"    (G997_DeltHLOGGet).

Commands to obtain line and channel data are submitted to dsl_cpe_control through a named pipe /tmp/pipe/dsl_cpe0_cmd.  The response from the utility is then retrieved from another pipe /tmp/pipe/dsl_cpe0_ack.

Ben1066 reports that the device hangs when the wrong command parameters are submitted.  This needs exploring.

Also, it would be good to discover why there are many fields unpopulated in the statistics page of web GUI.  There is a component either missing or not yet running in the firmware.  Those fields contain realtime data. This data should be retrieved from the hardware driver periodically, and inserted into the XML database. It is from the XML database that the GUI must get its dynamic data. The component which actually performs that retrieval and insertion for some reason is not functioning, or not running. 

Manually inserting arbitrary realtime data into the XML database, and studying whether that data then appears in the web GUI could be a productive exercise.  It should identify whether the web server is correctly retrieving realtime data from the database.

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: nimda on April 19, 2012, 02:55:09 PM
Okay, great, I'll document every step of the hardware hack process.

Note to self: when ordering a new iron from the States ensure the required input power is compatible with UK mains!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on April 19, 2012, 04:01:42 PM
I've looked through documentation for the fritzbox dsl_pipe and it should work. I have a feeling our version is broken.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on May 14, 2012, 07:24:17 PM
asbokid did we ever manage to get a working open source tarball ?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on May 14, 2012, 09:23:40 PM
asbokid did we ever manage to get a working open source tarball ?

Hello uklad!  I was wondering where you'd gone! No sign of the tarball yet, no.. We've still only got that corrupted archive from the Openreach website.  Hopefully BT Openreach will get it sorted soon.  Ahem!

With the full source code for that chipset - and specifically documentation for the API to the DSP hardware driver - maybe we can obtain the QLN and HLOG data.   All the code that is out there at the moment relates to Lantiq's VINAX VDSL2 chipset which is normally used in Central Office kit rather than in Consumer Premises Equipment.

Maybe someone has a contact at BT Openreach to ask for an uncorrupted tarball of this open source code?

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on June 01, 2012, 05:13:51 PM
In case a soft way of enabling access to the ECI modem does not prove practical, is there any chance of a Windows idiot's end to end guide to enabling access to it?  Starting with opening the modem and guidance on what components to purchase through to finally using it.  I note the need to do some soldering, the help in this post, and the guide in http://hackingecibfocusv2fubirevb.wordpress.com/ but to avoid a high chance of bricking the modem it would be really good to see a careful step by step procedure.

Many thanks in advance if someone is willing to do this.  I have ordered the needed components and will carefully have a go anyway, I don't mind the soldering, it's usually novice typos in Linux that get me.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on June 09, 2012, 11:46:47 AM
  Well I have gone ahead with DKU5 cable.  I added the header pins. A 1mm drill seemed essential but it is very easy to do with one to hand.  I followed the permanent change instructions in the wordpress pages and now have all access working on 192.168.168.168 which seems to be the device default. 

The final stage of the instructions where the changes are checked did not work for me.  The command "rgcfg get -n /dev/mtdblock/3 -c /var/tmp/newreadrgdb.xml.gz" gave a blank return as I think it should but "gunzip newreadrgdb.xml.gz" gave file not found. I can't see a typo.


The web interface seems to allow the access IP to be changed.  Is the change to 192.168.1.55 just to get you back to the normal IP range?  And is the web interface an OK way to change it permanently?  If not, what extra is needed on the command line to change it permanently?

Please can someone advise!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on June 09, 2012, 03:29:07 PM
Hi Les-70,

  Well I have gone ahead with DKU5 cable.  I added the header pins. A 1mm drill seemed essential but it is very easy to do with one to hand.  I followed the permanent change instructions in the wordpress pages and now have all access working on 192.168.168.168 which seems to be the device default. 

The final stage of the instructions where the changes are checked did not work for me.  The command "rgcfg get -n /dev/mtdblock/3 -c /var/tmp/newreadrgdb.xml.gz" gave a blank return as I think it should but "gunzip newreadrgdb.xml.gz" gave file not found. I can't see a typo.

That bit should have been clearer..  Just a 'cd' needed

Code: [Select]
$ rgcfg get -n /dev/mtdblock/3 -c /var/tmp/newreadrgdb.xml.gz
$ cd /var/tmp
$ gunzip newreadrgdb.xml.gz

Quote
The web interface seems to allow the access IP to be changed.  Is the change to 192.168.1.55 just to get you back to the normal IP range?

Yes, it's just because few people use the 192.168.168.0/24 subnet and 192.168.1.0/24 is common.

Quote
And is the web interface an OK way to change it permanently?  If not, what extra is needed on the command line to change it permanently?
Please can someone advise!

I think that was how we did it.  It's been a while now though and I haven't got an ECI.   

Perhaps uklad or ben1066 would remember?

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on June 10, 2012, 11:17:39 AM
Thanks for the clarification, I should have spotted that but was in "do exactly what was suggested" mode.  The web GUI worked fine for changing the IP.  It all looks to be working but my FTTC has yet to come. :(  I bought what was claimed to be an HG612 on ebay so I could quickly get stats when the CAB and connection went live, but instead an ECI ??? (which I expect to get from BT) came.  Decided to keep it but unlock it; given eDMT this looks a good option.  I can't get the ADSL fallback to work but that may be because I have Annex M at the moment.  I downloaded eDMT, the graphical appearance looks great but it fails on actual login, as is probably inevitable with no connection.

    In conclusion very many thanks to those who did all the hard work and made it available.  Great work!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on June 24, 2012, 12:00:03 PM
eDMT should work fine if you can access it over telnet, as that is what it uses to gather data.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on June 24, 2012, 06:58:45 PM
Thanks for the reply, I was wondering if there was an issue.  I have telnet working OK but NO sync.  I can start eDMT OK but when I try to connect to the modem it fails.  I assumed this was because the router does not have any sync or useful signal.  I currently have Annex M on the line and even the ADSL fallback fails.  (FTTC on my line looks set to be delayed as apparently there are blocked ducts and no sign of work on actual fibre.)  Should eDMT, on the connect command, proceed to something even with no connection?

  Regards
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on June 24, 2012, 09:12:05 PM
What does it do? It shouldn't silently fail... It may error on getting data since it could get something unexpected, but it should tell you.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on June 24, 2012, 09:40:44 PM
It gives the "needs to close" and the invitation to send to Microsoft.  I also just tried a wrong IP or wrong password and get the same result.  A debugger of mine reports an "unhandled exception" and shows me a very unhelpful disassembly of the exe.  I am running Windows XP.  Do you know what you get if your VDSL line is not connected or you give a wrong IP etc?

I have just unzipped to a folder that contains the two exes and the dll. I assume that is all that is needed.  telnet is definitely OK - straight to login and then command prompt.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on June 25, 2012, 08:15:39 PM
It's a .NET assembly, so should decompile fine with Reflector or such if you're a developer. That's a weird error though, I admit.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on June 25, 2012, 08:38:18 PM
  Please could you say what response you get with a wrong IP or a wrong name/password?  It may help to know what should happen then.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on June 26, 2012, 09:01:13 PM
It should timeout.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: JoshShep on July 05, 2012, 12:08:36 AM
Great news guys,

Looks like Openreach got their act together!

They have put all source codes out for the VDSL modems on their site.

http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do

Cheers,

Josh

Link to ECI: http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on July 06, 2012, 08:30:48 PM
Great news guys,

Looks like Openreach got their act together!

They have put all source codes out for the VDSL modems on their site.

http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do

Cheers,

Josh

Link to ECI: http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip


Hi Josh!

Thanks for the interest.

Unfortunately, the file on the Openreach website holding the source code for the ECI modem is corrupted (and has been since April):

See: http://hackingecibfocusv2fubirevb.wordpress.com/2012/04/11/bt-openreach-releases-gpled-code-for-eci-vdsl2-modem/

The file is a gzip'ed tar archive (common to Unix), contained within a ZIP.  The ZIP file uncompresses without errors. However the gzipped tar archive within it is truncated.

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: justAn00b on July 10, 2012, 07:01:43 AM
Hi All

I just skimmed through all the posts, I just don't get it lol.

How can I get to the GUI?

Is there just an IP address?

I am currently on Windows 7.

Is there just a simple how-to guide to get to the GUI?

Or is this just all beyond me?

Thanks for looking!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Blackeagle on July 10, 2012, 08:47:21 PM
Hi All

I just skimmed through all the posts, I just don't get it lol.

How can I get to the GUI?

Is there just an IP address?

I am currently on Windows 7.

Is there just a simple how-to guide to get to the GUI?

Or is this just all beyond me?

Thanks for looking!

To get to the ECI's GUI you need to open it, solder some pins to the board and then follow the guide here (http://hackingecibfocusv2fubirevb.wordpress.com/).

TBH, if you have read all the posts here and still don't follow what to do, I would respectfully suggest that this is not an avenue that you should be exploring.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: justAn00b on July 10, 2012, 09:57:39 PM
Ok Blackeagle, thank you for your response and honesty.  :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on July 11, 2012, 01:57:50 AM
I would suggest purchasing a Huawei HG612 modem, via eBay, unlocking it and using it on your line until such time as an easier way to unlock the ECI B-FOCuS modem is developed.  :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on July 11, 2012, 04:14:59 AM
To get to the ECI's GUI you need to open it, solder some pins to the board and then follow the guide here (http://hackingecibfocusv2fubirevb.wordpress.com/).

TBH, if you have read all the posts here and still don't follow what to do, I would respectfully suggest that this is not an avenue that you should be exploring.

At some time, perhaps all the relevant docs for unlocking the ECI VDSL2 modem (via the UART port) could be placed together in one place. Maybe the Kitz wiki?

Burakkucat made a fascinating discovery in an Openreach tarball of GPL'ed firmware source code for another ECI VDSL2 modem. This firmware was built by the Taiwanese company, Arcadyan.  [1]

It is not even clear that these Arcadyan modems have ever reached our shores. However, the GPL'ed source code for them is still interesting because it includes a small section of code for the TR069 framework for remote management.  [2]

In-house, BT calls this framework btagent. It comes in two parts.  One part, the daemon, a.k.a. the network server, runs on the modem itself.  The second part, the client, runs on a host PC.  The framework has functions for remotely pushing firmware upgrades onto modems, for monitoring line characteristics and connection quality, and functions for getting and setting the real-time parameters of the modem, etc, etc.

btagent is found in much the same form in all recent models of BT Home Hub, as well as the current models of VDSL2 modem from BT Openreach - the Huawei HG612 and the ECI B-Focus.

The option for pushing a new firmware onto the ECI is perhaps the most interesting, since it could be used to non-invasively unlock it. However, there is a security obstacle preventing that which may never be overcome.

btagent uses 2048-bit PKI cryptography for authentication.   Before a new (unlocked) firmware could be uploaded to the ECI, or to the Huawei, or the HomeHubs, using the btagent daemon,  the corresponding private key has to be discovered first. ... And for that.. don't wait up!

cheers, a

[1] http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/super-fastfibreaccess/landrgnu.do
[2] http://www.broadband-forum.org/technical/download/TR-069_Amendment-4.pdf
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ktor on July 17, 2012, 12:40:22 AM
I've fixed the GUI as per your suggestions, all values now have units and unused bands report N/A. http://dl.dropbox.com/u/11197643/eDMT_r2.zip

Error (509)
This account's public links are generating too much traffic and have been temporarily disabled!  :(
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on July 17, 2012, 03:03:18 PM
http://www.mediafire.com/?813x7gvev81vtwk
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Orbixx on July 17, 2012, 11:05:19 PM
Great news guys,

Looks like Openreach got their act together!

They have put all source codes out for the VDSL modems on their site.

http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do

Cheers,

Josh

Link to ECI: http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip


Hi Josh!

Thanks for the interest.

Unfortunately, the file on the Openreach website holding the source code for the ECI modem is corrupted (and has been since April):

See: http://hackingecibfocusv2fubirevb.wordpress.com/2012/04/11/bt-openreach-releases-gpled-code-for-eci-vdsl2-modem/

The file is a gzip'ed tar archive (common to Unix), contained within a ZIP.  The ZIP file uncompresses without errors. However the gzipped tar archive within it is truncated.

cheers, a

Seems like there's a new link up on their site for the source code. It's now a RAR inside a ZIP and the modified date shows it's fairly recent at 2012-06-29.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on July 17, 2012, 11:14:22 PM
Thank you for the nod, Orbixx. I'll have a look as soon as I get "a round tuit".  ;)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on July 18, 2012, 05:39:12 PM
Great news guys,
Looks like Openreach got their act together!

They have put all source codes out for the VDSL Modems on their site.

http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/super-fastfibreaccess/landrgnu.do  (new URL)

Cheers,
Josh

Seems like there's a new link up on their site for the source code. It's now a RAR inside a ZIP and the modified date shows it's fairly recent at 2012-06-29.

Way-hay!  Thank you for the info, Orbixx!

Thank you as well to Openreach for supplying the source code :)

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ktor on July 18, 2012, 09:29:05 PM
http://www.mediafire.com/?813x7gvev81vtwk

That works. Thank you.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on August 04, 2012, 06:15:12 PM
Great news guys,
Looks like Openreach got their act together!

They have put all source codes out for the VDSL Modems on their site.

http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/super-fastfibreaccess/landrgnu.do  (new URL)

Cheers,
Josh

Seems like there's a new link up on their site for the source code. It's now a RAR inside a ZIP and the modified date shows it's fairly recent at 2012-06-29.

Way-hay!  Thank you for the info, Orbixx!

Thank you as well to Openreach for supplying the source code :)

cheers, a

Is this one corrupt?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on August 04, 2012, 08:13:28 PM
Quote
Is this one corrupt?

No, it is quite innocent and pure.  :P  ;)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on August 13, 2012, 05:59:37 PM

For those who don't want to solder to the PCB, maybe a strip of right angled header pins could be taped temporarily to the UART solder pads.

This was just tried, using a Prolific Logic pl2303 USB-UART adaptor (cost £1.50 inc P&P from ebay):

See: http://www.ebay.co.uk/itm/180836792643

(http://www3.picturepush.com/photo/a/8967111/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/Screenshot-from-2012-08-13-18%3A03%3A56.png)
(click for full size) (http://picturepush.com/public/8967111)

(http://www3.picturepush.com/photo/a/8966961/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0644b.jpg)
(click for full size) (http://picturepush.com/public/8966961)

(http://www5.picturepush.com/photo/a/8966963/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0645.jpg)
(click for full size) (http://picturepush.com/public/8966963)

(http://www2.picturepush.com/photo/a/8966960/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0639b.jpg)
(click for full size) (http://picturepush.com/public/8966960)

(http://www1.picturepush.com/photo/a/8966969/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0648.jpg)
(click for full size) (http://picturepush.com/public/8966969)

(http://www2.picturepush.com/photo/a/8966965/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0646.jpg)
(click for full size) (http://picturepush.com/public/8966965)

(http://www5.picturepush.com/photo/a/8966973/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0650.jpg)
(click for full size) (http://picturepush.com/public/8966973)

Adhesive tape isn't strong enough to hold the header pins onto the PCB pads.

But Dolly the clothes peg proved just the job! She is electrostatic-safe, too  :D

(http://www4.picturepush.com/photo/a/8966982/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0657.jpg)
(click for full size) (http://picturepush.com/public/8966982)

(http://www3.picturepush.com/photo/a/8966986/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0658.jpg)
(click for full size) (http://picturepush.com/public/8966986)

(http://www1.picturepush.com/photo/a/8966979/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0656.jpg)
(click for full size) (http://picturepush.com/public/8966979)

The Linux device driver for the pl2303 has been included since 2.4 kernels. The Prolific website in Taiwan carries (binary) drivers for Windows and the Macintosh.

Installing the pl2303 driver for Windows. 

(http://www4.picturepush.com/photo/a/8966927/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/Screenshot-at-2012-08-13-06%3A20%3A27.png)
(click for full size) (http://picturepush.com/public/8966927)

(http://www5.picturepush.com/photo/a/8966928/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/Screenshot-at-2012-08-13-06%3A31%3A49.png)
(click for full size) (http://picturepush.com/public/8966928)

(http://www1.picturepush.com/photo/a/8966929/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/Screenshot-at-2012-08-13-06%3A34%3A25.png)
(click for full size) (http://picturepush.com/public/8966929)

Now, finally, we can log into the ECI modem via the serial console:

(http://www2.picturepush.com/photo/a/8966930/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/Screenshot-at-2012-08-13-06%3A39%3A39.png)
(click for full size) (http://picturepush.com/public/8966930)

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on August 13, 2012, 06:17:35 PM
I was happily looking through this thread until I came across the last four images.  :(   BGW? Yucky!  :tongue:  It's put me right off my evening meal.  :'(
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Howlingwolf on August 24, 2012, 07:13:36 PM
Adhesive tape isn't strong enough to hold the header pins onto the PCB pads.

But Dolly the clothes peg proved just the job! She is electrostatic-safe, too  :D

(http://www4.picturepush.com/photo/a/8966982/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0657.jpg)
(click for full size) (http://picturepush.com/public/8966982)

I'm impressed. True hardware hacking in its purest form.

Sir, I salute you!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on September 25, 2012, 03:25:34 AM
Apologies to all for the cat-cursing at around 0245 hours today, b*cat was very frustrated.  :-[

An ECI B-FOCuS modem was upended.
Its rubber feet were removed.
The four screws, so exposed, were undone.
The case was opened.
The PCB was removed and placed on a firm insulating surface.
The PSU was attached and the modem was powered up.
Application of meter probes to the four pads at location JP1 showed with negative probe on pad #2 from the left, 3.28 VDC on pads #1, #3 & #5.
Confirmed #2 is GND, #3 is VCC, #1 & #5 are TXD & RXD.
A block of five 90 degree header pins had leads attached.
Jake (the peg) was encouraged to hold the block of header pins against the solder infested pads.
The cat cursing started.
No matter how things were tried, no continuity could be obtained from the PCB solder pads to the ends of the fly-leads.  :(
Tiny dimples were gently made in the solder infesting the pads.
The cat-cursing got louder.  >:(
Offering up the header pins into the dimples was finally achieved.
Still no continuity.
The cat-cursing reached fortissimo!  >:D
The soldering-iron was considered . . . and rejected.
b*cat's paws are now too fumbly and the vision is not good enough for such micro-surgery.
Fifty years ago and things were considerably different . . .  :'(
I'll just have to wait for the software unlocking method to be resolved.

And now I've just seen the time. Well overdue some  :sleep:
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on September 25, 2012, 07:06:38 PM
Hello burakkucat!

..
No matter how things were tried, no continuity could be obtained from the PCB solder pads to the ends of the fly-leads.  :(
Tiny dimples were gently made in the solder infesting the pads.
..
Offering up the header pins into the dimples was finally achieved.
...
Still no continuity.
..

Damnation!

No continuity? As in no electrical continuity, according to a multimeter?  Or no connectivity on the serial port?  If the latter, does the pl2303 adaptor definitely work? I've had two or three which were duffs. There's a spare adaptor here if you need it, or happy to solder-in the pins if you dare entrust Royal Mail* with it?!

The tails of the right-angled header pins were facing inwards (away from the nearest PCB edge)?
And a good quality peg was used? Definitely the correct model? Type A rather than the Type B?!

(http://www2.picturepush.com/photo/a/10172025/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/dollypegs.png) (http://picturepush.com/public/10172025)

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on September 25, 2012, 10:45:06 PM
No continuity? As in no electrical continuity, according to a multimeter?

Yes and yes.  :(

Quote
does the pl2303 adaptor definitely work? I've had two or three which were duffs.

I thought a pl2303 adaptor required usage of BGW? Though there is a driver in the Linux kernel --

Quote
[bcat@Duo2 ~]$ find /lib/modules -name pl2303.ko | sort
/lib/modules/2.6.32-220.23.1.el6.x86_64/kernel/drivers/usb/serial/pl2303.ko
/lib/modules/2.6.32-279.5.2.el6.x86_64/kernel/drivers/usb/serial/pl2303.ko
/lib/modules/3.5.4-1.el6.elrepo.x86_64/kernel/drivers/usb/serial/pl2303.ko

As both my laptop and workstation computers have serial ports (I would never be without one), I have this RS232 to TTL Converter Cable (http://www.ebay.co.uk/itm/221120584720) (based on the ST micro ST3232EC chip) for the job.

Quote
happy to solder-in the pins if you dare entrust Royal Mail* with it?!

I may eventually take advantage of your kind offer. At the moment, I am a little bit concerned that your Wayne may come across it and decide it would be useful currency with which to obtain two cans of Special Brew!  :-X

Quote
The tails of the right-angled header pins were facing inwards (away from the nearest PCB edge)?

Confirmed.

Quote
And a good quality peg was used? Definitely the correct model? Type A rather than the Type B?!

Yes, a Type A of plastic rather than wooden construction. You don't think that is the cause, do you?  :-\
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on September 26, 2012, 02:11:49 AM

I thought a pl2303 adaptor required usage of BGW?

The pl2303 works fine on Linux. The kernel driver is inserted automatically after the device is enumerated, and the dumb USB serial device becomes available as ttyUSB0.

Code: [Select]
Sep 25 22:58:26 l502x kernel: [353464.425850] usb 2-2: New USB device found, idVendor=067b, idProduct=2303
Sep 25 22:58:26 l502x kernel: [353464.425855] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Sep 25 22:58:26 l502x kernel: [353464.425858] usb 2-2: Product: USB-Serial Controller
Sep 25 22:58:26 l502x kernel: [353464.425861] usb 2-2: Manufacturer: Prolific Technology Inc.
Sep 25 22:58:26 l502x kernel: [353464.427931] pl2303 2-2:1.0: pl2303 converter detected
Sep 25 22:58:26 l502x kernel: [353464.456013] usb 2-2: pl2303 converter now attached to ttyUSB0

The serial terminal program minicom is run:

Code: [Select]
$ minicom -D /dev/ttyUSB0

and away it goes..

(http://www1.picturepush.com/photo/a/10187269/img/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/eci-boot-shot.png) (http://picturepush.com/public/10187269)

Quote
Yes, a Type A of plastic rather than wooden construction. You don't think that is the cause, do you?  :-\

The peg I used was of the very highest (Tesco Value) quality, but it did have a powerful snap to it.   Yet when the trick was tried again just now, exactly the same problem occurred as you found.  Though after giving the pads a scuff-up with my fingernail, everything worked okay once again.  So maybe it's down to solder oxidisation?

Perhaps if you have the patience to try it again, maybe the pins could be clipped to the pads on the underside of the board. These are actually plated thru-holes, so there should still be continuity.

(http://www5.picturepush.com/photo/a/10188268/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0918.jpg) (http://picturepush.com/public/10188268)

(http://www4.picturepush.com/photo/a/10188272/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0921.jpg) (http://picturepush.com/public/10188272)

(http://www3.picturepush.com/photo/a/10188276/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0921-zoom.jpg) (http://picturepush.com/public/10188276)

(http://www1.picturepush.com/photo/a/10188279/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0923.jpg) (http://picturepush.com/public/10188279)

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: drsox on October 06, 2012, 08:59:52 PM
ben1066,

I'm happy to give you FTP / website space if you want somewhere to host your eDMT with no bandwidth frustrations or intrusive advertising! Pop me an email on kitzedmt@sioned.info

I have a quick query with eDMT too. When on the same LAN I can connect to the vdsl modem with eDMT but if I am not on the same subnet, and NAT to it.. I can't connect and eDMT crashes after clicking connect. Any idea why routed vs. on subnet should make a difference?

Tom (commercial link removed by admin)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ben1066 on October 26, 2012, 04:49:42 PM
Hey,
Great to know people are still interested in this. I can only assume that that is a modem limitation as telnet is fairly simple, I don't see why it'd fail. All code can be found at http://curlybracket.co.uk/misc/edmt.zip though thanks for the offer of hosting.
Enjoy.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: drsox on October 26, 2012, 05:46:39 PM
Downloaded and will have a tinker.

As far as I could see from a packet capture the compiled program was trying to make a SMB connection to the router! Not even trying telnet.

--
link edit by admin to signature
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on November 03, 2012, 06:54:18 PM
After a lot of "cat cursing" throughout last night, I finally managed to unlock one of the original ECI B-FOCuS modems (supplied by Openreach as the alternative CPE to the Huawei HG612 modem) by following the published instructions (http://hackingecibfocusv2fubirevb.wordpress.com/2012/09/23/bare-instructions-to-unlock-eci-vdsl2-modem/) to the letter. [1]

As Firefox is the only browser I have installed, I was unable to call up the device's buggy GUI and so telnet access was used to confirm that successful unlocking had been achieved.

Code: [Select]
[bcat@Duo2 ~]$ telnet 192.168.168.168
Trying 192.168.168.168...
Connected to 192.168.168.168.
Escape character is '^]'.
login as: admin
password:

BusyBox v1.00 (2011.08.09-03:28+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

Alpha # help

Built-in commands:
-------------------
        . : break cd continue eval exec exit export help login newgrp
        read readonly set shift times trap umask wait

Alpha # echo $PATH
/usr/bin:/bin:/usr/sbin:/sbin
Alpha # ls /usr/bin
yes                                    pcaccess_disable.sh
wget                                   pcaccess.sh
wc                                     mpstat
uptime                                 loopback_stop
update_upgrade.sh                      loopback_start
update_uboot.sh                        logger
tr                                     killall
top                                    free
tftp                                   expr
test_agent                             dirname
test                                   cut
stopqos.sh                             cusb_modem_switch_loopback_disable.sh
startqos.sh                            cusb_modem_switch_loopback.sh
port2_enable                           cusb_modem_switch.sh
port2_disable                          cusb_modem_ppe.sh
port1_enable                           basename
port1_disable                          [
Alpha # ls /bin
zcat              rm                login             df
usleep            pwd               logcmd            dd
uname             ps                ln                date
umount            ping              kill              cp
true              mv                gzip              chmod
touch             msh               gunzip            cat
switch_utility    mount             grep              busybox
spy               more              fgrep             alpha_flash_cmd
sleep             mknod             false             alphaLogd
sh                mkdir             egrep             alphaHousekeeper
sed               ls                echo              alphaFlashAgent
Alpha # ls /usr/sbin
xmldbc            submit            mfc               cabletest:5
xmldb             stats             mem               cabletest:4
wan               scut              in.tftpd          cabletest:3
vconfig           rgdb              ifx_util          cabletest:2
usockc            rgcfg             ifx_gpio          cabletest:1
upgrade           rgbin             dsl_cpe_control   brctl
udhcpr            read_img          diap              alpha_tantos
udhcpd            ppacmd            diagnostic        alpha_macaddr
udhcpc            pmcu              dayconvert        alpha_inventory
time              pfile             chnet             alpha_gen_submac
telnetd           ntpclient         check             alpha_bdtool
syslog            next_macaddr      cfmctl
sys               mknod_util        cfm
Alpha # ls /sbin
thttpd    swapon    rmmod     mdev      insmod    getty
syslogd   swapoff   reboot    lsmod     init
sysctl    route     modprobe  klogd     ifconfig
Alpha # ps
  PID  Uid     VmSize Stat Command
    1 0           172 S   init       
    2 0               SWN [ksoftirqd/0]
    3 0               SW  [watchdog/0]
    4 0               SW< [events/0]
    5 0               SW< [khelper]
    6 0               SW< [kthread]
   24 0               SW< [kblockd/0]
   37 0               SW  [pdflush]
   38 0               SW  [pdflush]
   39 0               SW< [kswapd0]
   40 0               SW< [aio/0]
   74 0               SW  [mtdblockd]
  227 0               SWN [jffs2_gcd_mtd6]
  240 0           596 S   xmldb -n lantiq_vr9_generic_asl56026 -t
  505 0           260 S   syslogd -F sysact -F attack -F notice
  508 0           188 S   klogd -l br0
  605 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  608 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  609 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  610 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  612 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  613 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  614 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  693 0           472 S   /usr/sbin/cfm ptm0 eth0
  696 0           472 S   /usr/sbin/cfm ptm0 eth0
  697 0           472 S   /usr/sbin/cfm ptm0 eth0
  698 0           472 S   /usr/sbin/cfm ptm0 eth0
  712 0               SW  [autbtex]
  713 0               SW  [pmex_ne]
  714 0               SW  [pmex_fe]
  755 0           404 S   /usr/sbin/diap
  764 0           596 S   /sbin/thttpd -d /www
  778 0           264 R   telnetd
  793 0           336 S   /bin/alphaLogd
  806 0           432 S   alphaFlashAgent
  810 0           216 S   /bin/sh /BTAgent/ro/start
  815 0           740 S   ./btagent
  817 0           740 S   ./btagent
  820 0           740 S   ./btagent
  821 0           740 S   ./btagent
  841 0           392 S   /bin/alphaHousekeeper
 1073 0           164 S   /sbin/getty -L ttyS0 115200 vt102
 1280 0           252 S   /bin/sh
 1961 0           196 R   ps
Alpha # kill 810
Alpha # killall btagent
Alpha # ps
  PID  Uid     VmSize Stat Command
    1 0           172 S   init       

<snip>

  764 0           596 S   /sbin/thttpd -d /www
  778 0           264 S   telnetd
  793 0           336 S   /bin/alphaLogd
  806 0           432 S   alphaFlashAgent
  841 0           392 S   /bin/alphaHousekeeper
 1073 0           164 S   /sbin/getty -L ttyS0 115200 vt102
 1280 0           252 S   /bin/sh
 2055 0           196 R   ps
Alpha # mount
/dev/mtdblock2 on / type squashfs (ro)
sysfs on /sys type sysfs (rw)
tmpfs on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
none on /proc type proc (rw)
ramfs on /var type ramfs (rw)
/dev/mtdblock6 on /BTAgent/rw type jffs2 (rw)
Alpha # umount /BTAgent/rw
Alpha # mount
/dev/mtdblock2 on / type squashfs (ro)
sysfs on /sys type sysfs (rw)
tmpfs on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
none on /proc type proc (rw)
ramfs on /var type ramfs (rw)
Alpha # exit
Connection closed by foreign host.
[bcat@Duo2 ~]$

I have provided that rather extensive example, above, as it shows how to turn off the Beatie Group's "busy-body", the BTAgent. Once terminated, that "unknown quantity" will remain disabled until the next power-cycle or reboot of the device. (The same technique can be used to disable the identical agent that executes within the Huawei HG612.)

Has anyone determined if the device's IP address can be changed via telnet access? By default it is 192.168.168.168 and I would like to reconfigure it to be 192.168.1.254, for consistency with my other modem/routers.

[1] http://hackingecibfocusv2fubirevb.wordpress.com/2012/09/23/bare-instructions-to-unlock-eci-vdsl2-modem/
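The kill/umount steps in the transcript above, turned into an added example that is not code from the thread or from the modem: it reads a saved BusyBox `ps` and `mount` listing, identifies the BTAgent wrapper script, its worker processes and its jffs2 volume, and prints the same three steps in the same order, then confirms from a fresh listing that nothing is left. It is meant to run on the PC over a captured telnet transcript (the modem's msh has no awk, as the `ls /bin` listing shows); the function names and the sample listings are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): analyse captured BusyBox `ps`/`mount`
# output from the modem and print, without executing, the steps the post above
# used to stop the BTAgent: kill the wrapper, killall the workers, umount its
# read-write volume. Runs on the PC side; the modem's msh lacks awk.

# PIDs of every process whose command line mentions the agent, space separated.
# $1: BusyBox `ps` output (columns: PID Uid VmSize Stat Command).
agent_pids() {
    printf '%s\n' "$1" | awk '
        NR > 1 && tolower($0) ~ /btagent/ { pids = pids (pids == "" ? "" : " ") $1 }
        END { print pids }'
}

# PID(s) of the wrapper script (/bin/sh /BTAgent/ro/start). It is killed first
# so it cannot restart the ./btagent workers after they are killed.
agent_wrapper_pids() {
    printf '%s\n' "$1" | awk '
        NR > 1 && $0 ~ /\/BTAgent\/ro\/start/ { pids = pids (pids == "" ? "" : " ") $1 }
        END { print pids }'
}

# Mount points under /BTAgent, taken from `mount` lines of the form
# "device on mountpoint type fstype (opts)".
agent_mounts() {
    printf '%s\n' "$1" | awk '$2 == "on" && $3 ~ /^\/BTAgent\// { print $3 }'
}

# Print the plan (one command per line) in the order used in the post above.
# $1: `ps` output, $2: `mount` output.
disable_plan() {
    ps_out=$1; mount_out=$2
    for pid in $(agent_wrapper_pids "$ps_out"); do
        printf 'kill %s\n' "$pid"
    done
    [ -n "$(agent_pids "$ps_out")" ] && printf 'killall btagent\n'
    for mnt in $(agent_mounts "$mount_out"); do
        printf 'umount %s\n' "$mnt"
    done
}

# Exit 0 when a fresh `ps` listing no longer shows any agent process, 1 if it
# still does (the agent only stays down until the next reboot, so re-check).
verify_disabled() {
    [ -z "$(agent_pids "$1")" ]
}

# Constructed samples, trimmed to the shape of the listings in the post above.
SAMPLE_PS_BEFORE='  PID  Uid     VmSize Stat Command
    1 0           172 S   init
  227 0               SWN [jffs2_gcd_mtd6]
  764 0           596 S   /sbin/thttpd -d /www
  806 0           432 S   alphaFlashAgent
  810 0           216 S   /bin/sh /BTAgent/ro/start
  815 0           740 S   ./btagent
  817 0           740 S   ./btagent
  841 0           392 S   /bin/alphaHousekeeper'

SAMPLE_PS_AFTER='  PID  Uid     VmSize Stat Command
    1 0           172 S   init
  764 0           596 S   /sbin/thttpd -d /www
  806 0           432 S   alphaFlashAgent
  841 0           392 S   /bin/alphaHousekeeper'

SAMPLE_MOUNT='/dev/mtdblock2 on / type squashfs (ro)
ramfs on /var type ramfs (rw)
/dev/mtdblock6 on /BTAgent/rw type jffs2 (rw)'

# Prints: kill 810 / killall btagent / umount /BTAgent/rw
disable_plan "$SAMPLE_PS_BEFORE" "$SAMPLE_MOUNT"
```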
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on November 03, 2012, 09:48:31 PM
  As per the Asbo instructions it can be changed via telnet but I did not find how to make a permanent change via telnet.  The GUI does however let you make the permanent change which survives a power on and off.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on November 03, 2012, 10:09:41 PM
Thanks for that confirmation, Les. I can see I missed typing the word 'permanently' in my previous post --

Quote
Has anyone determined if the device's IP address can be permanently changed via telnet access?

 :doh:  D'oh!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on November 06, 2012, 10:50:42 PM
Ok, so I would really like to unlock my ECI modem but I'm a bit confused about how I have to do it.

I know you can get the USB TTL converter off eBay but I would prefer not to spend any money if I can, so can I just hook the modem straight up to the COM port on my ASRock Z68 Extreme4 Gen3 mobo?

Pinout for the COM port shows RRXD1, TTXD1 and ground, so that's all that's needed, right?

Also running Windows 8, so is it easy to do from Windows? Which software is easiest and compatible with Windows 8 to send the commands?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on November 06, 2012, 11:35:49 PM
  ^-^  Welcome to the Kitz forum, Liam.

Quote
so can I just hook the modem straight up to the com port on my asrock z68 extreme4 gen3 mobo?

The truthful answer is no. You will still need to use an adaptor, otherwise either the modem or your computer will suffer damage. Keeping things simple, I'll say that there is a voltage and protocol difference . . .

I used this RS232 to TTL Converter Cable (http://www.ebay.co.uk/itm/221120584720) (based on the ST micro ST3232EC chip) for the task.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on November 07, 2012, 11:12:01 AM
  ^-^  Welcome to the Kitz forum, Liam.

Quote
so can I just hook the modem straight up to the com port on my asrock z68 extreme4 gen3 mobo?

The truthful answer is no. You will still need to use an adaptor, otherwise either the modem or your computer will suffer damage. Keeping things simple, I'll say that there is a voltage and protocol difference . . .

I used this RS232 to TTL Converter Cable (http://www.ebay.co.uk/itm/221120584720) (based on the ST micro ST3232EC chip) for the task.

Thanks! I think I will have to grab a cheapo off ebay to get this done then, what program can I use on windows 8 to talk to the box and send the needed commands?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on November 07, 2012, 07:09:33 PM
Cough! Asking me about BGW (a.k.a. Windoze)?  :-X

Someone hasn't read my signature block!  ::)

At a guess, there will be something like HyperTerm or other terminal emulator program available for use. When you get to that stage, I'm sure someone else will be able to advise you.  :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ronski on November 07, 2012, 07:44:56 PM
Thanks! I think I will have to grab a cheapo off ebay to get this done then, what program can I use on windows 8 to talk to the box and send the needed commands?

I just installed hyper terminal following this guide here (http://www.windowsitpro.com/article/windows-7/hyperterminal-windows-7-142183) on Windows 7, may well work on 8. (you'll need an XP cd)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on November 08, 2012, 09:18:42 PM
Thanks! I think I will have to grab a cheapo off ebay to get this done then, what program can I use on windows 8 to talk to the box and send the needed commands?

I just installed hyper terminal following this guide here (http://www.windowsitpro.com/article/windows-7/hyperterminal-windows-7-142183) on Windows 7, may well work on 8. (you'll need an XP cd)

Thanks for the link. I forgot about PuTTY; I will use that as I've used it before successfully.

usb ttl is on the way :-P
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: biohead on November 13, 2012, 10:31:35 PM
Many thanks to the B*Cat, I now have an unlocked ECI modem  :) (Simply used Putty in a WinXP VM I have for such things on my MacBook).

Some of you may be aware of my current setup - the modem and router are located in separate rooms, with just one cable linking the two. Not good when you're attempting to get stats... or even web gui access!

But, also playing around with the ECI modem, I dug out an old gigabit switch. So I've connected the feed from the modem, and also hooked it up to the router. Router still has access to the net, along with all other devices (as you'd expect). What I did find interesting though, is if I hook another patch lead into the switch and connect that to my laptop. If I correctly set a static IP address, I can also access the web gui of the ECI this way - whilst all other devices in the house still have access to the net!

I never actually tried this setup with the HG612, but I know that refused all access to the web gui from LAN1. When I unlocked the ECI, I could access the gui from LAN1 or LAN2 - so maybe this is something specific to the ECI?

Anyway... just because I can... I'd estimate my E side is around 350m:
Quote
Channel Status   Upstream   Downstream
Actual Net Data Rate   20000000 kbps   78308000 kbps
Actual Interleave Delay   0 ms   0 ms
Actual INP   0 Symbols   0 Symbols
Attainable Net Data Rate   27444204 kbps   78355520 kbps
Transmit Power   138 dBm   50 dBm
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ixel on November 14, 2012, 12:19:59 AM
Many thanks to the B*Cat, I now have an unlocked ECI modem  :) (Simply used Putty in a WinXP VM I have for such things on my MacBook).

Some of you may be aware of my current setup - the modem and router are located in separate rooms, with just one cable linking the two. Not good when you're attempting to get stats... or even web gui access!

But, also playing around with the ECI modem, I dug out an old gigabit switch. So I've connected the feed from the modem, and also hooked it up to the router. Router still has access to the net, along with all other devices (as you'd expect). What I did find interesting though, is if I hook another patch lead into the switch and connect that to my laptop. If I correctly set a static IP address, I can also access the web gui of the ECI this way - whilst all other devices in the house still have access to the net!

I never actually tried this setup with the HG612, but I know that refused all access to the web gui from LAN1. When I unlocked the ECI, I could access the gui from LAN1 or LAN2 - so maybe this is something specific to the ECI?

Anyway... just because I can... I'd estimate my E side is around 350m:
Quote
Channel Status   Upstream   Downstream
Actual Net Data Rate   20000000 kbps   78308000 kbps
Actual Interleave Delay   0 ms   0 ms
Actual INP   0 Symbols   0 Symbols
Attainable Net Data Rate   27444204 kbps   78355520 kbps
Transmit Power   138 dBm   50 dBm

Interesting. My stats are reasonably similar to yours, though astonishingly your upload speed is considerably better than mine. Here's mine to compare.

Code: [Select]
Upstream Downstream
Actual Net Data Rate 19996000 kbps 59996000 kbps
Actual Interleave Delay 0 ms 0 ms
Actual INP 0 Symbols 0 Symbols
Attainable Net Data Rat.19851744 kbps 82172688 kbps
Transmit Power 103 dBm -1 dBm

Oh, P.S. are you by any chance the person called 'givemeausername' on eBay?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on November 14, 2012, 04:29:58 AM
Many thanks to the B*Cat, I now have an unlocked ECI modem  :)

Don't forget Jess, Pat's black and white companion. I'm sure she had a paw in the quick delivery of those header pins . . .  ;)

Quote
But, also playing around with the ECI modem, I dug out an old gigabit switch. So I've connected the feed from the modem, and also hooked it up to the router. Router still has access to the net, along with all other devices (as you'd expect). What I did find interesting though, is if I hook another patch lead into the switch and connect that to my laptop. If I correctly set a static IP address, I can also access the web gui of the ECI this way - whilst all other devices in the house still have access to the net!

Excellent news. Thank you for explaining, for it could prove to be valuable information to others in a similar situation.  :thumbs:

Quote
I'd estimate my E side is around 350m

Eh? (Pun intended.) Perhaps a discrete application of sed 's/E side/D-side/' is called for?  ::)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: biohead on November 14, 2012, 08:07:27 AM
My eBay username (as B*Cat has correctly guessed), is my forum username plus an arbitrary number ;)

I'm not quite sure why our upload speeds are so different, Ixel. I'm on underground cabling, and I'd hazard a guess that mine are actually copper and not aluminium. I've walked from the cab to my house, and the path does have a BT duct opening every so often. My estate is relatively new, so unless they dug underneath existing houses I can't see any other way of getting the cables there.

B*Cat: that's how I've worked out my E-side (cable length from house to cab, yes?) is around 350m. Interestingly enough, if I put my friend's address into the checker (who lives no more than 25m down the road) his upload speed drops below the 20Mb max that mine shows... I think it's estimated around 17.5Mb... Just for living an extra 25m down the road.
I wonder if that's the start of the bubble where vdsl drops off?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on November 14, 2012, 09:46:42 AM
Quote
. . . my E-side (cable length from house to cab yes?)

 :no:  No. That is the D-side. (Distribution side.) The E-side (Exchange side) is thus from the exchange to the PCP.

Quote
I wonder if that's the start of the bubble where vdsl drops off?

Our Bald_Eagle1 has a good knowledge on such line characteristics and should readily be able to provide some figures.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ixel on November 14, 2012, 11:56:01 AM
...

I see, interesting. Very strange though, my line also goes underground, perhaps there's some interference or quality issue that's affecting my attainable upload, though my attainable download is a tad faster than yours. I also tried my 0.5m~ ADSLNation Pro+ RJ11 cable which gives me a slightly lower attainable downstream (from 85,000Kbps~ to 82,000Kbps~) but a slightly higher upstream (from about 19,000Kbps~ to around 19,900Kbps-20,200Kbps depending on time of day and weather).

I'm just waiting for DLM to hopefully uncap my downstream. Been over a week since connection uptime and no changes as yet :(.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: biohead on November 14, 2012, 01:39:57 PM

 :no:  No. That is the D-side. (Distribution side.) The E-side (Exchange side) is thus from the exchange to the PCP.
Whoooops, that is why I am still very much a beginner to all this stuff! Can't even sort my terminology out!

That's very odd DLM still hasn't reacted yet. I'm still assuming the hg612 doesn't play brilliantly with an ECI cab, and if that is the case then DLM reacted less than 36 hours after swapping my modem back to the ECI one.
My connection from master socket to modem is about 20cm. I found a 4 core, non-twisted pair cable lying around which I cut down and crimped new RJ11 plugs on either end.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on November 14, 2012, 04:01:34 PM
Quote
My connection from master socket to modem is about 20cm. I found a 4 core, non-twisted pair cable lying around which I cut down and crimped new RJ11 plugs on either end.

You only need two conductors, as one unshielded twisted pair (UTP), to do the job properly . . .  :-\
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: biohead on November 14, 2012, 04:24:06 PM
Ah.. forgot to add that I didn't have any 2 core lying around.  :angel: I didn't purposefully choose it specifically because it had 4 cores :)  I think it might've been the cord from the old phone we had, and the missus preferred it because it was white!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on November 14, 2012, 05:23:05 PM

Our Bald_Eagle1 has a good knowledge on such line characteristics and should readily be able to provide some figures.


I can't really comment as I haven't looked into upload speeds in any detail.
Most users seem to be more interested in download speeds & are apparently perfectly content with whatever upload speeds they are seeing on their connections.

However, a loss of 2.5Mb upload speed for only 25m extra distance does seem too much of a drop.
The estimates are only that though - estimates.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: antonyfrn on December 15, 2012, 10:37:26 AM
Has there been any update on a simpler unlock other than the current way with the RS232 to TTL Converter Cable, as I'm not too keen on messing with my modem in that way.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on December 15, 2012, 06:40:45 PM
Unfortunately there is no other way of obtaining access.  :no:

It would be nice if, like the Huawei HG612, it were possible to 'bring up' a screen to allow the device to be flashed with an alternative firmware. However, that facility does not exist. Therefore one must access the device through its console, at TTL levels, via an appropriate adaptor.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on December 18, 2012, 03:25:20 PM
  ben1066,

   I like edmt :) a lot for its convenience but would rather have the attenuation Hlog rather than power (as in e.g. the DMT versions 7 and 8 ) .  I note that you provided source code in a post above but tackling that looks hard for me :-[ .   Is this an easy change that you could make available for all in a different edmt version?

    Thanks for the current edmt
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on January 07, 2013, 05:44:04 PM
Please help!!

New ECI modem arrived today ready to unlock

Got my USB serial working on Windows 7, used PuTTY to get into it, accessed it no problem, logged in, entered the commands and it hasn't worked!

Tried it a few times but still can't access it through my browser. What's going on?


I have noticed my modem reports different versions than what is listed on the hacking guide...

U-Boot 1.0.5 (Apr  6 2011 - 14:02:22)

Linux version 2.6.20.19 (gask@BSD7.localdomain) (gcc version 3.4.6 (OpenWrt-2.0)) #1 Wed Sep 14 15:14:08 CST 2011

BusyBox v1.00 (2011.09.14-07:14+0000)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 07, 2013, 10:11:57 PM
Oh dear. That doesn't read too good.  :o

To the best of my knowledge, there are now two variants of the ECI B-FOCuS modem in the wild. I have unlocked two of (what I call) the 'type 1' devices by following the definitive guide (http://hackingecibfocusv2fubirevb.wordpress.com/2012/09/23/bare-instructions-to-unlock-eci-vdsl2-modem/). A 'type 1' has four rubber feet on its base which, when removed, expose the four screws which hold the case together.

I understand that a 'type 2' device -- as of yet unseen in The Cattery -- only has two rubber feet and two plastic domes on its base. If I remember correctly, Ronski was having trouble establishing communication via the console serial header pins on a 'type 2' device.  :-\
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on January 08, 2013, 10:10:43 AM
Oh dear. That doesn't read too good.  :o

To the best of my knowledge, there are now two variants of the ECI B-FOCuS modem in the wild. I have unlocked two of (what I call) the 'type 1' devices by following the definitive guide (http://hackingecibfocusv2fubirevb.wordpress.com/2012/09/23/bare-instructions-to-unlock-eci-vdsl2-modem/). A 'type 1' has four rubber feet on its base which, when removed, expose the four screws which hold the case together.

I understand that a 'type 2' device -- as of yet unseen in The Cattery -- only has two rubber feet and two plastic domes on its base. If I remember correctly, Ronski was having trouble establishing communication via the console serial header pins on a 'type 2' device.  :-\

Mine is the B-FOCuS V-2FUb/I Rev.B, from your description the Type 1 as it has 4 rubber feet with 4 screws under them...

If it helps following some other guides I have found the modem is reporting cpe_enable 1 and is reporting its ip is 192.168.1.55 so it seems as though it has worked but I still don't have telnet or web access...
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 08, 2013, 05:52:08 PM
Mine is the B-FOCuS V-2FUb/I Rev.B, from your description the Type 1 as it has 4 rubber feet with 4 screws under them...

If it helps following some other guides I have found the modem is reporting cpe_enable 1 and is reporting its ip is 192.168.1.55 so it seems as though it has worked but I still don't have telnet or web access...

Have you tried powering it up and with no device(s) connected to it, pressing and holding the reset button for ten seconds? Wait for the modem to re-boot and become stable, then connect a computer to the LAN1 port. Configure the computer to use a dynamic address and invoke it. Interrogate the computer for its default route and make a note of that IP address. It is that address which you should use to connect using telnet or put into your browser for GUI access.

Failing that, perform an nmap scan of IP addresses 192.168.1.55, 192.168.1.254, 192.168.168.168 and that of the default route, above.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on January 08, 2013, 07:06:50 PM
Mine is the B-FOCuS V-2FUb/I Rev.B, from your description the Type 1 as it has 4 rubber feet with 4 screws under them...

If it helps following some other guides I have found the modem is reporting cpe_enable 1 and is reporting its ip is 192.168.1.55 so it seems as though it has worked but I still don't have telnet or web access...

Have you tried powering it up and with no device(s) connected to it, pressing and holding the reset button for ten seconds? Wait for the modem to re-boot and become stable, then connect a computer to the LAN1 port. Configure the computer to use a dynamic address and invoke it. Interrogate the computer for its default route and make a note of that IP address. It is that address which you should use to connect using telnet or put into your browser for GUI access.

Failing that, perform an nmap scan of IP addresses 192.168.1.55, 192.168.1.254, 192.168.168.168 and that of the default route, above.

Still no luck, but then again I don't understand the default route thing you're talking about lol
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 08, 2013, 09:12:52 PM
Here are a couple of links that may help --

Default route (http://en.wikipedia.org/wiki/Default_route)
Default gateway (http://en.wikipedia.org/wiki/Default_gateway)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on January 09, 2013, 11:10:20 PM
Still not got it working, can someone else please chime in and help... uklad?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ronski on January 10, 2013, 08:30:16 AM
Mine is the B-FOCuS V-2FUb/I Rev.B, from your description the Type 1 as it has 4 rubber feet with 4 screws under them...

If it helps following some other guides I have found the modem is reporting cpe_enable 1 and is reporting its ip is 192.168.1.55 so it seems as though it has worked but I still don't have telnet or web access...

I've replied to your PM listing my woes, it sounds like you've got a lot further than I did.

I wonder if it's simply a matter of temporarily changing your IP address (what burakkucat was getting at, I think). My networking knowledge is limited, but if your PC does not have an address in the same range as the modem then you won't be able to access it.

If the modem's IP is 192.168.1.55 as you say above then your PC needs an IP address in the same range: the first three numbers need to be the same. Most PCs have their IP automatically assigned from the DHCP server; you need to manually assign one to match the modem, then go into the modem and change its IP address to match your network, then change your PC back to what it was. The modem should be directly connected to your PC whilst you do this.

Edit: This is what I did with the unlocked one that I bought, to get it accessible on my network - I used my laptop for simplicity.

Hope that helps
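The "same range" rule in the post above is a /24 netmask check; here it is as an added example, not code from the thread, that tests whether a PC address can reach the modem on-link and proposes a temporary static address for the direct-cable step. The addresses are the ones the thread uses (192.168.168.168 and 192.168.1.254); the function names are this example's own assumptions and nothing on the modem.

```shell
#!/bin/sh
# Added example (not from the thread): is a PC address on the modem's subnet,
# and which temporary static address should the PC take for the direct link?
# Uses only POSIX sh arithmetic (64-bit shells such as dash and bash).

# Dotted quad -> 32-bit integer, e.g. 192.168.168.168 -> 3232278696.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
        $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

# Prefix length (24 for a "first three numbers" match) -> netmask as integer.
mask_from_prefix() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Exit 0 when $1 and $2 lie on the same network under prefix $3, else 1.
# A PC left on 192.168.1.x with a /24 mask cannot reach 192.168.168.168 at
# all, which is the trap the post above describes.
same_subnet() {
    m=$(mask_from_prefix "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# Suggest a static address for the PC on the modem's subnet ($1 modem address,
# $2 prefix): modem + 2 when that stays below the broadcast address (as the
# 192.168.168.170 choice later in the thread does), otherwise the first usable
# host that is not the modem itself.
propose_host() {
    m=$(mask_from_prefix "$2")
    modem=$(ip2int "$1")
    net=$(( modem & m ))
    bcast=$(( net | (4294967295 & ~m) ))
    cand=$(( modem + 2 ))
    if [ "$cand" -ge "$bcast" ]; then
        cand=$(( net + 1 ))
        [ "$cand" -eq "$modem" ] && cand=$(( net + 2 ))
    fi
    int2ip "$cand"
}

# Worked check with the thread's default modem address.
if same_subnet 192.168.168.170 192.168.168.168 24; then
    echo "192.168.168.170 is on-link with the modem at 192.168.168.168"
fi
if ! same_subnet 192.168.1.20 192.168.168.168 24; then
    echo "192.168.1.20 cannot reach 192.168.168.168 through a /24"
fi
echo "suggested PC address: $(propose_host 192.168.168.168 24)"
```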
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on January 10, 2013, 06:53:18 PM
IM IN!!

Turns out that I was trying to set the wrong IP

I was setting 192.168.1.xx, thinking the modem was at 192.168.1.55, but actually it's still at 192.168.168.168, so simply setting my IP manually to 192.168.168.170 I got in :-D

EDIT: So I'm all set up and working, but now wondering if there is a way to connect LAN 1 to the WAN port of my router and still access the modem through its IP?

My comp is on the lan of the router

EDIT2: Also, on the modem, internet and GUI are available on LAN 1, but LAN 2 only allows the GUI; it doesn't give internet access. Any way to enable internet access on port 2?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ronski on January 10, 2013, 08:33:05 PM
lan 1 needs to be connected to your wan port for internet access, lan 2 needs to be connected to a lan port on your router to allow you to access the modem,  there's no way to do it via a single cable.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on January 10, 2013, 09:15:03 PM
IM IN!!

Turns out that I was trying to set the wrong IP

I was setting 192.168.1.xx, thinking the modem was at 192.168.1.55, but actually it's still at 192.168.168.168, so simply setting my IP manually to 192.168.168.170 I got in :-D

Excellent news!  ;D
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on January 11, 2013, 07:56:47 PM
lan 1 needs to be connected to your wan port for internet access, lan 2 needs to be connected to a lan port on your router to allow you to access the modem,  there's no way to do it via a single cable.

Wish I'd read this earlier lol, been playing for ages to get this to work but finally found this method elsewhere and it works perfectly.

My router is set up as 192.168.1.1 with 192.168.1.2 reserved for the modem, and the modem is 192.168.1.2; I can access them both, no problems.

Thanks for the replies guys, I only need a good program to access stats now. I did try eDMT but that just crashes when trying to log in.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Chrysalis on January 23, 2013, 04:04:49 PM
lan 1 needs to be connected to your wan port for internet access, lan 2 needs to be connected to a lan port on your router to allow you to access the modem,  there's no way to do it via a single cable.

What happens on the newer ECI modems? I've been told only LAN1 works, which I can access, but the modem isn't connected to the line; when it's connected to the line does it stop working?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ronski on January 23, 2013, 06:02:40 PM
I've no idea, in the end I gave up and bought an older type already unlocked.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Chrysalis on January 24, 2013, 02:18:10 PM
I've no idea, in the end I gave up and bought an older type already unlocked.

Seems no one wants to sell the older ones anymore :(

Check the other thread, I posted an update, but I guess the situation is that one can either get the stats or use the net but not both at the same time, and no one knows how to get the error stats on the newer ones.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ronski on January 24, 2013, 03:40:23 PM
I think I have an older one, with the pins soldered in, but that I couldn't unlock if you're interested.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Chrysalis on January 24, 2013, 04:30:46 PM
It would need to be pre-unlocked; the ECI unlock procedure is over my head.

I am using the ECI I've got now as I am fairly convinced it has a much lower CRC error rate than the HG, based on the lack of red specks on my TBB graph. They both sync at around the same speed. The ECI reports a lower attainable, which I think is more accurate than the HG's attainable, as the HG reports a downstream attainable 2Mbit higher than the actual sync even though it's at a 6dB margin.

edit

If you're willing to send it for the postage fee I will take it; maybe I can somehow get it unlocked. Thanks.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ronski on January 24, 2013, 08:17:29 PM
I think I'll put it on eBay sometime, could do with getting some money back.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: liamstears on February 08, 2013, 09:04:35 PM
I have the older model unlocked I would be willing to sell if the price is right...

I find I never really access the stats anyway and could just use my newer model and access stats now and again by switching the cable

EDIT: SOLD
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on March 08, 2013, 03:55:33 AM
I have now spent a little time 'playing' with this 'older' type ECI device, the V-2FUb/I.

I am uncertain if Bald_Eagle1 has any plans to port his statistics harvesting and graphing code to these devices but here is some food for thought --

Code: [Select]
[bcat@Duo2 ECI]$ telnet 192.168.1.254
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
login as: admin
password:

BusyBox v1.00 (2011.08.09-03:28+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

Alpha # echo help > /var/tmp/pipe/dsl_cpe0_cmd
Alpha # cat /var/tmp/pipe/dsl_cpe0_ack
   acog,          AutobootConfigOptionGet
   acos,          AutobootConfigOptionSet
   acs,           AutobootControlSet
   alf,           AutobootLoadFirmware
   asecg,         AutobootScriptExecuteConfigGet
   asecs,         AutobootScriptExecuteConfigSet
   asg,           AutobootStatusGet
   aufg,          AutobootUsedFirmwareGet
   alig,          AuxLineInventoryGet
   bbsg,          BandBorderStatusGet
   bpstg,         BandPlanSTatusGet
   bpsg,          BandPlanSupportGet
   dbgmlg,        DBG_ModuleLevelGet
   dbgmls,        DBG_ModuleLevelSet
   dms,           DeviceMessageSend
   esmcg,         EventStatusMaskConfigGet
   esmcs,         EventStatusMaskConfigSet
   fpsg,          FramingParameterStatusGet
   g997amdpfcg,   G997_AlarmMaskDataPathFailuresConfigGet
   g997amdpfcs,   G997_AlarmMaskDataPathFailuresConfigSet
   g997amlfcg,    G997_AlarmMaskLineFailuresConfigGet
   g997amlfcs,    G997_AlarmMaskLineFailuresConfigSet
   g997bang,      G997_BitAllocationNscGet
   g997bansg,     G997_BitAllocationNscShortGet
   g997cdrtcg,    G997_ChannelDataRateThresholdConfigGet
   g997cdrtcs,    G997_ChannelDataRateThresholdConfigSet
   g997csg,       G997_ChannelStatusGet
   g997dpfsg,     G997_DataPathFailuresStatusGet
   g997dfr,       G997_DeltFreeResources
   g997dhling,    G997_DeltHLINGet
   g997dhlinsg,   G997_DeltHLINScaleGet
   g997dhlogg,    G997_DeltHLOGGet
   g997dqlng,     G997_DeltQLNGet
   g997dsnrg,     G997_DeltSNRGet
   g997fpsg,      G997_FramingParameterStatusGet
   g997gang,      G997_GainAllocationNscGet
   g997gansg,     G997_GainAllocationNscShortGet
   g997lstg,      G997_LastStateTransmittedGet
   g997lacg,      G997_LineActivateConfigGet
   g997lacs,      G997_LineActivateConfigSet
   g997lfsg,      G997_LineFailureStatusGet
   g997lisg,      G997_LineInitStatusGet
   g997lig,       G997_LineInventoryGet
   g997listrg,    G997_LineInventorySTRingGet
   g997lis,       G997_LineInventorySet
   g997lsg,       G997_LineStatusGet
   g997lspbg,     G997_LineStatusPerBandGet
   g997ltsg,      G997_LineTransmissionStatusGet
   g997pmsft,     G997_PowerManagementStateForcedTrigger
   g997pmsg,      G997_PowerManagementStatusGet
   g997racg,      G997_RateAdaptationConfigGet
   g997racs,      G997_RateAdaptationConfigSet
   g997sang,      G997_SnrAllocationNscGet
   g997sansg,     G997_SnrAllocationNscShortGet
   g997xtusecg,   G997_XTUSystemEnablingConfigGet
   g997xtusecs,   G997_XTUSystemEnablingConfigSet
   g997xtusesg,   G997_XTUSystemEnablingStatusGet
   help,          Help
   ics,           InstanceControlSet
   isg,           InstanceStatusGet
   lecg,          LastExceptionCodesGet
   lfcg,          LineFeatureConfigGet
   lfcs,          LineFeatureConfigSet
   lfsg,          LineFeatureStatusGet
   locg,          LineOptionsConfigGet
   locs,          LineOptionsConfigSet
   lsg,           LineStateGet
   llcg,          LowLevelConfigurationGet
   llcs,          LowLevelConfigurationSet
   mlsg,          MiscLineStatusGet
   mfcg,          MultimodeFsmConfigGet
   mfcs,          MultimodeFsmConfigSet
   mfsg,          MultimodeFsmStatusGet
   nsecg,         NotificationScriptExecuteConfigGet
   nsecs,         NotificationScriptExecuteConfigSet
   pm15meet,      PM_15MinElapsedExtTrigger
   pmbms,         PM_BurninModeSet
   pmcc15mg,      PM_ChannelCounters15MinGet
   pmcc1dg,       PM_ChannelCounters1DayGet
   pmccsg,        PM_ChannelCountersShowtimeGet
   pmcctg,        PM_ChannelCountersTotalGet
   pmchs15mg,     PM_ChannelHistoryStats15MinGet
   pmchs1dg,      PM_ChannelHistoryStats1DayGet
   pmct15mg,      PM_ChannelThresholds15MinGet
   pmct15ms,      PM_ChannelThresholds15MinSet
   pmct1dg,       PM_ChannelThresholds1DayGet
   pmct1ds,       PM_ChannelThresholds1DaySet
   pmcg,          PM_ConfigGet
   pmcs,          PM_ConfigSet
   pmdpc15mg,     PM_DataPathCounters15MinGet
   pmdpc1dg,      PM_DataPathCounters1DayGet
   pmdpcsg,       PM_DataPathCountersShowtimeGet
   pmdpctg,       PM_DataPathCountersTotalGet
   pmdpfc15mg,    PM_DataPathFailureCounters15MinGet
   pmdpfc1dg,     PM_DataPathFailureCounters1DayGet
   pmdpfcsg,      PM_DataPathFailureCountersShowtimeGet
   pmdpfctg,      PM_DataPathFailureCountersTotalGet
   pmdpfhs15mg,   PM_DataPathFailureHistoryStats15MinGet
   pmdpfhs1dg,    PM_DataPathFailureHistoryStats1DayGet
   pmdphs15mg,    PM_DataPathHistoryStats15MinGet
   pmdphs1dg,     PM_DataPathHistoryStats1DayGet
   pmdpt15mg,     PM_DataPathThresholds15MinGet
   pmdpt15ms,     PM_DataPathThresholds15MinSet
   pmdpt1dg,      PM_DataPathThresholds1DayGet
   pmdpt1ds,      PM_DataPathThresholds1DaySet
   pmetr,         PM_ElapsedTimeReset
   pmlesc15mg,    PM_LineEventShowtimeCounters15MinGet
   pmlesc1dg,     PM_LineEventShowtimeCounters1DayGet
   pmlescsg,      PM_LineEventShowtimeCountersShowtimeGet
   pmlesctg,      PM_LineEventShowtimeCountersTotalGet
   pmleshs15mg,   PM_LineEventShowtimeHistoryStats15MinGet
   pmleshs1dg,    PM_LineEventShowtimeHistoryStats1DayGet
   pmlfc15mg,     PM_LineFailureCounters15MinGet
   pmlfc1dg,      PM_LineFailureCounters1DayGet
   pmlfcsg,       PM_LineFailureCountersShowtimeGet
   pmlfctg,       PM_LineFailureCountersTotalGet
   pmlfhs15mg,    PM_LineFailureHistoryStats15MinGet
   pmlfhs1dg,     PM_LineFailureHistoryStats1DayGet
   pmlic15mg,     PM_LineInitCounters15MinGet
   pmlic1dg,      PM_LineInitCounters1DayGet
   pmlicsg,       PM_LineInitCountersShowtimeGet
   pmlictg,       PM_LineInitCountersTotalGet
   pmlihs15mg,    PM_LineInitHistoryStats15MinGet
   pmlihs1dg,     PM_LineInitHistoryStats1DayGet
   pmlit15mg,     PM_LineInitThresholds15MinGet
   pmlit15ms,     PM_LineInitThresholds15MinSet
   pmlit1dg,      PM_LineInitThresholds1DayGet
   pmlit1ds,      PM_LineInitThresholds1DaySet
   pmlsc15mg,     PM_LineSecCounters15MinGet
   pmlsc1dg,      PM_LineSecCounters1DayGet
   pmlscsg,       PM_LineSecCountersShowtimeGet
   pmlsctg,       PM_LineSecCountersTotalGet
   pmlshs15mg,    PM_LineSecHistoryStats15MinGet
   pmlshs1dg,     PM_LineSecHistoryStats1DayGet
   pmlst15mg,     PM_LineSecThresholds15MinGet
   pmlst15ms,     PM_LineSecThresholds15MinSet
   pmlst1dg,      PM_LineSecThresholds1DayGet
   pmlst1ds,      PM_LineSecThresholds1DaySet
   pmrtc15mg,     PM_ReTxCounters15MinGet
   pmrtc1dg,      PM_ReTxCounters1DayGet
   pmrtcsg,       PM_ReTxCountersShowtimeGet
   pmrtctg,       PM_ReTxCountersTotalGet
   pmrths15mg,    PM_ReTxHistoryStats15MinGet
   pmrths1dg,     PM_ReTxHistoryStats1DayGet
   pmrtt15mg,     PM_ReTxThresholds15MinGet
   pmrtt15ms,     PM_ReTxThresholds15MinSet
   pmrtt1dg,      PM_ReTxThresholds1DayGet
   pmrtt1ds,      PM_ReTxThresholds1DaySet
   pmr,           PM_Reset
   pmsmg,         PM_SyncModeGet
   pmsms,         PM_SyncModeSet
   ptsg,          PilotTonesStatusGet
   quit,          Quit
   rccg,          RebootCriteriaConfigGet
   rccs,          RebootCriteriaConfigSet
   rusg,          ResourceUsageStatisticsGet
   se,            ScriptExecute
   sicg,          SystemInterfaceConfigGet
   sics,          SystemInterfaceConfigSet
   sisg,          SystemInterfaceStatusGet
   tmcs,          TestModeControlSet
   tmsg,          TestModeStatusGet
   vig,           VersionInformationGet
Alpha # echo help > /var/tmp/pipe/dsl_cpe1_cmd
Alpha # cat /var/tmp/pipe/dsl_cpe1_ack
   acog,          AutobootConfigOptionGet
   acos,          AutobootConfigOptionSet
   acs,           AutobootControlSet
   alf,           AutobootLoadFirmware
   asecg,         AutobootScriptExecuteConfigGet
   asecs,         AutobootScriptExecuteConfigSet
   asg,           AutobootStatusGet
   aufg,          AutobootUsedFirmwareGet
   alig,          AuxLineInventoryGet
   bbsg,          BandBorderStatusGet
   bpstg,         BandPlanSTatusGet
   bpsg,          BandPlanSupportGet
   dbgmlg,        DBG_ModuleLevelGet
   dbgmls,        DBG_ModuleLevelSet
   dms,           DeviceMessageSend
   esmcg,         EventStatusMaskConfigGet
   esmcs,         EventStatusMaskConfigSet
   fpsg,          FramingParameterStatusGet
   g997amdpfcg,   G997_AlarmMaskDataPathFailuresConfigGet
   g997amdpfcs,   G997_AlarmMaskDataPathFailuresConfigSet
   g997amlfcg,    G997_AlarmMaskLineFailuresConfigGet
   g997amlfcs,    G997_AlarmMaskLineFailuresConfigSet
   g997bang,      G997_BitAllocationNscGet
   g997bansg,     G997_BitAllocationNscShortGet
   g997cdrtcg,    G997_ChannelDataRateThresholdConfigGet
   g997cdrtcs,    G997_ChannelDataRateThresholdConfigSet
   g997csg,       G997_ChannelStatusGet
   g997dpfsg,     G997_DataPathFailuresStatusGet
   g997dfr,       G997_DeltFreeResources
   g997dhling,    G997_DeltHLINGet
   g997dhlinsg,   G997_DeltHLINScaleGet
   g997dhlogg,    G997_DeltHLOGGet
   g997dqlng,     G997_DeltQLNGet
   g997dsnrg,     G997_DeltSNRGet
   g997fpsg,      G997_FramingParameterStatusGet
   g997gang,      G997_GainAllocationNscGet
   g997gansg,     G997_GainAllocationNscShortGet
   g997lstg,      G997_LastStateTransmittedGet
   g997lacg,      G997_LineActivateConfigGet
   g997lacs,      G997_LineActivateConfigSet
   g997lfsg,      G997_LineFailureStatusGet
   g997lisg,      G997_LineInitStatusGet
   g997lig,       G997_LineInventoryGet
   g997listrg,    G997_LineInventorySTRingGet
   g997lis,       G997_LineInventorySet
   g997lsg,       G997_LineStatusGet
   g997lspbg,     G997_LineStatusPerBandGet
   g997ltsg,      G997_LineTransmissionStatusGet
   g997pmsft,     G997_PowerManagementStateForcedTrigger
   g997pmsg,      G997_PowerManagementStatusGet
   g997racg,      G997_RateAdaptationConfigGet
   g997racs,      G997_RateAdaptationConfigSet
   g997sang,      G997_SnrAllocationNscGet
   g997sansg,     G997_SnrAllocationNscShortGet
   g997xtusecg,   G997_XTUSystemEnablingConfigGet
   g997xtusecs,   G997_XTUSystemEnablingConfigSet
   g997xtusesg,   G997_XTUSystemEnablingStatusGet
   help,          Help
   ics,           InstanceControlSet
   isg,           InstanceStatusGet
   lecg,          LastExceptionCodesGet
   lfcg,          LineFeatureConfigGet
   lfcs,          LineFeatureConfigSet
   lfsg,          LineFeatureStatusGet
   locg,          LineOptionsConfigGet
   locs,          LineOptionsConfigSet
   lsg,           LineStateGet
   llcg,          LowLevelConfigurationGet
   llcs,          LowLevelConfigurationSet
   mlsg,          MiscLineStatusGet
   mfcg,          MultimodeFsmConfigGet
   mfcs,          MultimodeFsmConfigSet
   mfsg,          MultimodeFsmStatusGet
   nsecg,         NotificationScriptExecuteConfigGet
   nsecs,         NotificationScriptExecuteConfigSet
   pm15meet,      PM_15MinElapsedExtTrigger
   pmbms,         PM_BurninModeSet
   pmcc15mg,      PM_ChannelCounters15MinGet
   pmcc1dg,       PM_ChannelCounters1DayGet
   pmccsg,        PM_ChannelCountersShowtimeGet
   pmcctg,        PM_ChannelCountersTotalGet
   pmchs15mg,     PM_ChannelHistoryStats15MinGet
   pmchs1dg,      PM_ChannelHistoryStats1DayGet
   pmct15mg,      PM_ChannelThresholds15MinGet
   pmct15ms,      PM_ChannelThresholds15MinSet
   pmct1dg,       PM_ChannelThresholds1DayGet
   pmct1ds,       PM_ChannelThresholds1DaySet
   pmcg,          PM_ConfigGet
   pmcs,          PM_ConfigSet
   pmdpc15mg,     PM_DataPathCounters15MinGet
   pmdpc1dg,      PM_DataPathCounters1DayGet
   pmdpcsg,       PM_DataPathCountersShowtimeGet
   pmdpctg,       PM_DataPathCountersTotalGet
   pmdpfc15mg,    PM_DataPathFailureCounters15MinGet
   pmdpfc1dg,     PM_DataPathFailureCounters1DayGet
   pmdpfcsg,      PM_DataPathFailureCountersShowtimeGet
   pmdpfctg,      PM_DataPathFailureCountersTotalGet
   pmdpfhs15mg,   PM_DataPathFailureHistoryStats15MinGet
   pmdpfhs1dg,    PM_DataPathFailureHistoryStats1DayGet
   pmdphs15mg,    PM_DataPathHistoryStats15MinGet
   pmdphs1dg,     PM_DataPathHistoryStats1DayGet
   pmdpt15mg,     PM_DataPathThresholds15MinGet
   pmdpt15ms,     PM_DataPathThresholds15MinSet
   pmdpt1dg,      PM_DataPathThresholds1DayGet
   pmdpt1ds,      PM_DataPathThresholds1DaySet
   pmetr,         PM_ElapsedTimeReset
   pmlesc15mg,    PM_LineEventShowtimeCounters15MinGet
   pmlesc1dg,     PM_LineEventShowtimeCounters1DayGet
   pmlescsg,      PM_LineEventShowtimeCountersShowtimeGet
   pmlesctg,      PM_LineEventShowtimeCountersTotalGet
   pmleshs15mg,   PM_LineEventShowtimeHistoryStats15MinGet
   pmleshs1dg,    PM_LineEventShowtimeHistoryStats1DayGet
   pmlfc15mg,     PM_LineFailureCounters15MinGet
   pmlfc1dg,      PM_LineFailureCounters1DayGet
   pmlfcsg,       PM_LineFailureCountersShowtimeGet
   pmlfctg,       PM_LineFailureCountersTotalGet
   pmlfhs15mg,    PM_LineFailureHistoryStats15MinGet
   pmlfhs1dg,     PM_LineFailureHistoryStats1DayGet
   pmlic15mg,     PM_LineInitCounters15MinGet
   pmlic1dg,      PM_LineInitCounters1DayGet
   pmlicsg,       PM_LineInitCountersShowtimeGet
   pmlictg,       PM_LineInitCountersTotalGet
   pmlihs15mg,    PM_LineInitHistoryStats15MinGet
   pmlihs1dg,     PM_LineInitHistoryStats1DayGet
   pmlit15mg,     PM_LineInitThresholds15MinGet
   pmlit15ms,     PM_LineInitThresholds15MinSet
   pmlit1dg,      PM_LineInitThresholds1DayGet
   pmlit1ds,      PM_LineInitThresholds1DaySet
   pmlsc15mg,     PM_LineSecCounters15MinGet
   pmlsc1dg,      PM_LineSecCounters1DayGet
   pmlscsg,       PM_LineSecCountersShowtimeGet
   pmlsctg,       PM_LineSecCountersTotalGet
   pmlshs15mg,    PM_LineSecHistoryStats15MinGet
   pmlshs1dg,     PM_LineSecHistoryStats1DayGet
   pmlst15mg,     PM_LineSecThresholds15MinGet
   pmlst15ms,     PM_LineSecThresholds15MinSet
   pmlst1dg,      PM_LineSecThresholds1DayGet
   pmlst1ds,      PM_LineSecThresholds1DaySet
   pmrtc15mg,     PM_ReTxCounters15MinGet
   pmrtc1dg,      PM_ReTxCounters1DayGet
   pmrtcsg,       PM_ReTxCountersShowtimeGet
   pmrtctg,       PM_ReTxCountersTotalGet
   pmrths15mg,    PM_ReTxHistoryStats15MinGet
   pmrths1dg,     PM_ReTxHistoryStats1DayGet
   pmrtt15mg,     PM_ReTxThresholds15MinGet
   pmrtt15ms,     PM_ReTxThresholds15MinSet
   pmrtt1dg,      PM_ReTxThresholds1DayGet
   pmrtt1ds,      PM_ReTxThresholds1DaySet
   pmr,           PM_Reset
   pmsmg,         PM_SyncModeGet
   pmsms,         PM_SyncModeSet
   ptsg,          PilotTonesStatusGet
   quit,          Quit
   rccg,          RebootCriteriaConfigGet
   rccs,          RebootCriteriaConfigSet
   rusg,          ResourceUsageStatisticsGet
   se,            ScriptExecute
   sicg,          SystemInterfaceConfigGet
   sics,          SystemInterfaceConfigSet
   sisg,          SystemInterfaceStatusGet
   tmcs,          TestModeControlSet
   tmsg,          TestModeStatusGet
   vig,           VersionInformationGet
Alpha # exit
Connection closed by foreign host.
[bcat@Duo2 ECI]$

I am not sure if that 'help' list is identical to the one discovered by asbokid for the 'newer' type ECI device, the V-2FUb/r, but if it is, Bald_Eagle1 will be able to (eventually) support both ECI device types.  ;)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Bald_Eagle1 on March 08, 2013, 07:05:05 AM
I am not sure if that 'help' list is identical to the one discovered by asbokid for the 'newer' type ECI device, the V-2FUb/r, but if it is, Bald_Eagle1 will be able to (eventually) support both ECI device types.  ;)

It would indeed be good to support these devices, but I have to say it's not something I will be working on in the immediate future.

If anyone was to write the code in plain old 'C' for converting the data from these devices into the same (or very similar) format as the xdslcmd data obtained from the Huawei HG612 modem, it would be a relatively easy/quick exercise for me to include that within the new HG612 programs' code.
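The command/ack pipe shown in the session above is the entire control interface: one request written to dsl_cpeN_cmd, one reply read back from dsl_cpeN_ack. Below is an added example (mine, not code from this thread, from Lantiq or from the HG612 programs) of a small Python client that does those two steps with a timeout, paces its requests, and normalises replies into key/value records; that normalisation is the first half of the converter Bald_Eagle1 asks for, in Python rather than C. Because the thread only shows the 'help' output, it assumes that replies are whitespace-separated key=value tokens with nReturn=0 on success and that the daemon closes the ack pipe after each reply (which is why `cat` returns). The class and function names are mine, and the stand-in daemon and its replies are constructed for the self-test only.

```python
# Added example: drive the Lantiq dsl_cpe_control command/ack FIFOs with pacing
# and a timeout, and parse the replies.  Assumed, not confirmed by the thread:
# replies are whitespace-separated key=value tokens with nReturn=0 on success,
# and the daemon closes the ack FIFO after each reply (which is why `cat` returns).
import os
import tempfile
import threading
import time


def parse_ack(text):
    """Reply text -> dict.  Decimal and 0x.. values become ints, others stay str;
    tokens without '=' (e.g. the lines of 'help') are skipped."""
    fields = {}
    for token in text.split():
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        try:
            fields[key] = int(value, 16) if value.lower().startswith("0x") else int(value)
        except ValueError:
            fields[key] = value
    return fields


class DslPipe:
    """One command/ack exchange at a time with <pipe_dir>/dsl_cpe<N>_{cmd,ack}."""

    def __init__(self, instance=0, pipe_dir="/tmp/pipe", timeout=5.0, pause=0.5):
        self.cmd_path = os.path.join(pipe_dir, "dsl_cpe%d_cmd" % instance)
        self.ack_path = os.path.join(pipe_dir, "dsl_cpe%d_ack" % instance)
        self.timeout = timeout  # seconds to wait for the daemon before giving up
        self.pause = pause      # minimum gap between requests; flooding the pipe locks the modem up
        self._last = 0.0

    def query(self, command):
        """Send one command, return the raw reply.  FIFO open() blocks until the
        daemon opens its end, so the exchange runs in a thread we can abandon."""
        wait = self._last + self.pause - time.monotonic()
        if wait > 0:
            time.sleep(wait)
        outcome = {}

        def exchange():
            try:
                with open(self.cmd_path, "w") as cmd:
                    cmd.write(command + "\n")
                with open(self.ack_path) as ack:
                    outcome["text"] = ack.read()
            except OSError as exc:
                outcome["error"] = exc

        worker = threading.Thread(target=exchange, daemon=True)
        worker.start()
        worker.join(self.timeout)
        self._last = time.monotonic()
        if worker.is_alive():
            raise TimeoutError("no reply to %r in %.1fs; is dsl_cpe_control alive?" % (command, self.timeout))
        if "error" in outcome:
            raise outcome["error"]
        return outcome["text"]

    def query_fields(self, command):
        """Send a command and return its parsed reply; nReturn != 0 is an API error."""
        fields = parse_ack(self.query(command))
        if fields.get("nReturn", 0) != 0:
            raise RuntimeError("%s failed: %s" % (command, fields))
        return fields


# Stand-in daemon for the self-test.  The replies are constructed, not captured from a modem.
CONSTRUCTED_REPLIES = {"vig": "nReturn=0 DSL_DriverVersionApi=1.2.3",
                       "lsg": "nReturn=0 nLineState=0x801"}


def fake_daemon(cmd_path, ack_path, replies, max_requests):
    """Answer max_requests commands, then exit, leaving the FIFOs unserved as a dead daemon would."""
    for _ in range(max_requests):
        with open(cmd_path) as cmd:
            command = cmd.readline().strip()
        with open(ack_path, "w") as ack:
            ack.write(replies.get(command, "nReturn=-1 unknown command"))


def selftest():
    """Run DslPipe over real FIFOs in a temp dir against fake_daemon; returns the two parsed
    replies and whether the third request (daemon gone) timed out instead of hanging."""
    with tempfile.TemporaryDirectory() as pipe_dir:
        cmd_path = os.path.join(pipe_dir, "dsl_cpe0_cmd")
        ack_path = os.path.join(pipe_dir, "dsl_cpe0_ack")
        for path in (cmd_path, ack_path):
            os.mkfifo(path)
        threading.Thread(target=fake_daemon, daemon=True,
                         args=(cmd_path, ack_path, CONSTRUCTED_REPLIES, 2)).start()
        pipe = DslPipe(pipe_dir=pipe_dir, timeout=1.0, pause=0.1)
        result = {"vig": pipe.query_fields("vig"), "lsg": pipe.query_fields("lsg")}
        try:
            pipe.query("g997csg 0 1")
            result["timed_out"] = False
        except TimeoutError:
            result["timed_out"] = True
        return result
```

The self-test creates its own FIFOs in a temporary directory, so it runs on a host; on the modem itself, `DslPipe(instance=0).query_fields("vig")` talks to the real daemon (or `instance=1`, given that the session above shows both pipes answer). The timeout is the piece the plain echo/cat pairs lack: if the daemon has stopped answering, `cat` on the ack pipe simply hangs the shell, and later in this thread the same symptom is reported after too many requests are fired at the pipe at once, which is what the `pause` argument is for.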

 
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: soussss on March 08, 2013, 08:41:00 PM
hi to you all.
Is there a simple way for a newbie to unlock this modem? I have got the /r version with two rubber feet (two screws) and have soldered the three pins to the board ready for USB.
I have downloaded the software for the USB and installed it, but when I power the modem nothing pops up on the screen.
Does the modem need to be connected to the router?
I am not a hi-tech guy, still learning. Thanks for your help.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on March 10, 2013, 04:42:11 PM
  Not sure I understand the problem, but:

1. You can check the USB-to-TTL adapter etc. is working by connecting RX to TX on the USB-to-TTL adapter only and seeing if you get a character echo in a terminal, e.g. PuTTY, with settings as in the /r post.

  You should then connect the three pins to the TTL side of the USB adapter, checking that you have GND correct by looking closely at the pics in the /r post.

2. Power up the modem first, wait a minute, THEN open the terminal and press return a few times. If there is no response, try a fresh terminal session with the wires the other way round, i.e. RX and TX swapped over.

  I find it best to open a fresh terminal each time. Once you have a connection you should see modem output at modem power-up if you power down and up, leaving the connected terminal window open.

  If the USB-to-TTL is working but all fails, it may be a "soldering the pins" fault.

    Good luck
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: HighBeta on March 21, 2013, 07:11:35 PM
is there a simple way  for a newbie  how to unlock this modem .

Unfortunately both versions of the ECI can be troublesome. Also there's a big problem with "grey" PL2303 chips, according to the Prolific web site. [1]

A way to save time (and a few extra grey hairs) is to get an unlocked one off eBay* (unlocked "I"s don't come up often, though).


----------------------------------------------------------------------------------------------------------------------
* http://www.ebay.co.uk/sch/i.html?_trksid=p5197.m570.l1313&_nkw=unlocked+eci&_sacat=0&_from=R40

[1] http://www.prolific.com.tw/US/ShowProduct.aspx?p_id=225&pcid=41
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: asbokid on March 21, 2013, 10:39:02 PM
Alternatives to the pl2303 include the cp2102, the ft232 and the ch341.

cheers, a
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: HighBeta on March 27, 2013, 07:45:50 PM
Sometimes trying the "underside" pads might just work.

As asbokid highlights on page 15
Quote from: asbokid

Perhaps if you have the patience to try it again, maybe the pins could be clipped to the pads on the underside of the board. These are actually plated thru-holes, so there should still be continuity.
(http://www1.picturepush.com/photo/a/10188279/480/ECI-B-FOCuS-VDSL2-modem---solderless-UART-connection/DSC-0923.jpg) (http://picturepush.com/public/10188279)
----------------------------------------------------------------------------------------------------------------------
If all else fails:
The "well known" eBay seller has dropped the price of the "r" to below £20 on the link *

* http://www.ebay.co.uk/sch/i.html?_trksid=p5197.m570.l1313&_nkw=unlocked+eci&_sacat=0&_from=R40
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Chrysalis on March 27, 2013, 09:04:30 PM
OK, sad to report the telnetd locking still happens even with manually killing btagent. I had my modem powered on in this room for over a week, tried telnet today and needed to reboot to get access.

If I run top, there is an indication of what's wrong.

At first the process called autbtex was consuming all the CPU power. I couldn't kill it; it's unkillable.
Now that process is fighting with telnetd for all the CPU power.
The modem has a load avg of over 4.xx just sitting idle on my LAN.

So something is sucking up CPU power and I expect also sucking up resources, probably eventually causing telnet to lock up. The one process that is consistent is autbtex; telnet isn't constantly sucking up CPU power, it goes idle after a bit of time.

I want to get an ECI running on my line now, as I am currently interleaved. Last time I was, it recovered in 2 days with pretty much no errors, but it seems there are complications this time round: the HG lost sync about 2 hours ago (which is probably going to trash DLM recovery) and the only cause I can see is a short period of lower upload attainable (still above 20meg) which coincided with the resync. The modem actually synced higher than previously, suggesting it was a very short issue that had gone by the time it had synced, so I want to see if the ECI fixes these niggling issues, as DLM is a pain. But I am not keen on plugging in a modem that has issues with processes sucking up all its CPU power whilst idle and a telnet that will lock me out after a few days.

My new ECI v1 seems to have been sent via a dodgy courier, so I am not sure when I will get it now.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: biohead on March 30, 2013, 12:21:47 PM
Managed to find some time, so I've dug out my network switch just to confirm what can and can't be done whilst connected to only LAN1. As other people have mentioned, it is rather messy as it's introducing yet another device (Modem, Router and Switch now) to the mix.

Just for confirmation, my current layout is like this:

Code: [Select]
Gigabit Switch (5 Port)
^  ^  ^  ^  ^                   
x  x  |  |  |
      |  |   ->  ECI Modem
      |  |
      |   --- > Router WAN
      |
       ------ > Router LAN

I let the switch power up fully, then connect the modem to the switch, followed by the WAN connection, then once that's established I connect the LAN. Not sure if it matters, but that's the method I use anyway. The ECI /I was unlocked using Asbo's method, and I've preset it to use an IP address of 192.168.1.55.

My ISP is TalkTalk, and the router is the 4th Gen Apple Time Capsule.

Using solely the wireless connection to the router to avoid more wires  :blush: I can remain connected to the internet whilst browsing to the router GUI on 192.168.1.55 and opening a telnet session to the ECI. I'm not sure there's anything else I know to try.

If anyone does want me to test anything out whilst I'm set up like this, let me know and I shall. I'll keep this setup like this for a week or so.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: colly05 on June 16, 2013, 04:01:54 PM
Has anyone managed to get stats with the Plusnet router, the Technicolor TG582n, on FTTC?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: drsox on June 16, 2013, 04:08:22 PM
I'm not sure what you mean by get the stats from the Technicolor router?
The 582n doesn't do the VDSL / FTTC connection so it doesn't know or care about the sync speed or error rates.

The Openreach modem in front? of the 582n does.
Do you mean 'Has anyone managed to NAT through to an unlocked openreach modem via a 582n?' allowing access to the stats on an unlocked modem without having to plug the computer directly into the Openreach modem?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: colly05 on June 16, 2013, 04:14:02 PM
Yes, sorry. I get the issue where the net goes slow and the modem web UI is not loading; if I unplug LAN 1 on the modem I can get the UI.
So far the modem is unlocked and I have put it on IP 192.168.1.85.
I've tried everything I can think of but still can't connect to the UI, and the web goes slow.
The only thing I haven't done is go direct from the laptop to LAN 2 on the modem and use the wifi on the laptop for the web, as I am unsure how to do that.

Thanks for any tips.
(I think I am getting OCD on the modem stats.)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: navzptc on July 20, 2013, 03:52:54 PM
Has anyone managed to be able to have the Lan1 port going to the WAN port on a router, and have the Lan2 going into the router switch to be able to access the GUI and get the line stats etc??

I have my Lan2 set up as 192.168.1.240 and it works fine as long as the WAN port is not connected. As soon as I plug in the WAN port I lose the ability to access the GUI and get my stats :(

I presume that as I can't connect to the Lan2 port whilst running, I won't be able to run eDMT?

Any assistance very much appreciated  :)

Andy
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Chrysalis on July 20, 2013, 04:54:32 PM
Has anyone managed to be able to have the Lan1 port going to the WAN port on a router, and have the Lan2 going into the router switch to be able to access the GUI and get the line stats etc??

I have my Lan2 set up as 192.168.1.240 and it works fine as long as the Wan port is not connected - As soon as I plug in the Wan port I lose the ability to access the GUI and get my stats :(

I presume that as I cant connect to the Lan2 port whilst running, I wont be able to run eDMT?

Any assistance very much appreciated  :)

Andy


Similar to my experience.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ryant704 on July 20, 2013, 04:56:40 PM
I could only connect to one of the devices (modem or router) until I removed the IP from my computer and allowed it to auto-assign; now I can access both.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: navzptc on July 20, 2013, 06:02:27 PM
I could only connect to one of the devices (modem or router) until I removed the IP from my computer and allowed it to auto-assign; now I can access both.

Don't quite follow what you mean, as computer is on auto-assign?

I have got it running using a switch and just Lan1 as per biohead's post about 6 down from here, but it would be more convenient if I could just use the router and 2 cables to the modem

Would be grateful for more info on what you mean - VMT.

Andy
 
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: ryant704 on July 20, 2013, 07:28:37 PM
I assume you are changing your computer's IP so you can connect to one or the other device; allowing DHCP to assign it automatically lets me connect to both devices when plugged into LAN1 and LAN2.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: bungee on July 23, 2013, 10:51:02 AM
Has anyone managed to be able to have the Lan1 port going to the WAN port on a router, and have the Lan2 going into the router switch to be able to access the GUI and get the line stats etc??

I have my Lan2 set up as 192.168.1.240 and it works fine as long as the Wan port is not connected - As soon as I plug in the Wan port I lose the ability to access the GUI and get my stats :(

I presume that as I cant connect to the Lan2 port whilst running, I wont be able to run eDMT?

Any assistance very much appreciated  :)

Andy


Similar to my experience.

This is the same problem I have as well -  I can’t view the gui on my ECI  B-FOCuS V-2FUb/I Rev.B  modem when the internet is connected even if I use two leads.

If I connect either port  1 or 2 on the ECI to the LAN side of my Technicolor 582n I can view the ECI gui on 192.168.1.55. However as soon as I connect port 1 on the ECI to the WAN port on the Technicolor, so that the internet is available on the LAN, I am no longer able to connect to the ECI gui on 192.168.1.55 even though port 2 on the ECI modem is still connected to the LAN side of the Technicolor.

Can someone confirm that it is possible to view the ECI gui when the internet is connected and explain how they have configured it?

It seems to me that both ports on the ECI are acting as one port, as with a cable in either ECI port 1 or 2 connected to the Technicolor LAN side, both ports respond on 192.168.1.55. Does anyone know how the two ports should be configured, and the Linux commands (ifconfig?) to check my configuration?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: richardh on September 20, 2013, 01:07:49 PM
Hi all

I have got hold of an ECI /I and unlocked it successfully, but after going through all that I can't do the simple bit of configuring the web GUI to establish a connection. It syncs fine, so it's just a case of finding the right setup. Could anyone assist me, please, step by step if possible? I would be so grateful, thanks.

Another thing: as I'm currently using a HG612 in router mode, is this still possible with the ECI? I noticed DHCP is disabled.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on September 22, 2013, 02:54:23 AM
Hello Richard. Welcome to the Kitz forum.  :)

You have unlocked your ECI B-FOCuS /I modem. Did you try it on your line before performing the unlocking process? The reason why I ask is that unlocking it does not change any of its fundamental configuration. So if it worked before it was unlocked, it should still work after it has been unlocked.  ;)

You say "it syncs fine", so does it allow a PPPoE process to be established via the LAN1 port?

Re-reading the last line of your post, I take it that you have an unlocked Huawei HG612 that you have reconfigured to operate as a modem/router? Is that what you would like to do with the ECI B-FOCuS /I?  :-\
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: richardh on September 22, 2013, 06:22:47 PM
Hi burakkucat and thanks  :)

I know it sounds silly, as if I've done everything else then this should be so simple.

The ECI modem was bought from eBay and as soon as I received it I didn't test it on my line, I just unlocked it straight away. Then on to the web GUI to configure the connection settings to mirror the HG612. I found the ECI syncs with the cabinet fine at approx 71000kbps / 20000kbps, but it won't establish the connection to Plusnet, perhaps because the settings are a little wrong.

Ideally I would like to use the ECI in router mode so it handles everything such as the PPPoE connection, DHCP server etc. I don't know if this is possible? If not, I can connect to my router using the WAN port (which I also tried, btw).

Perhaps I should have left the settings alone as soon as I unlocked it, but now it appears I'm in a pickle, so anyone who could guide me through it via manual setup would be great.

Thanks
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on September 22, 2013, 11:17:40 PM
 :hmm:  Hmm . . . The ECI modems are a bit of a problem.  :-X

You clearly have the configuration correct in terms of the VLAN, etc, as you are able to establish synchronisation with the DSLAM.

I need to ask for clarification on one point with regards to your Huawei HG612 modem. Have you been using the HG612 to establish the PPPoE session with your ISP? Or have you just used it as a pure bridge, as Beattie originally supplied it? If the former is the case, then the relevant configuration applied to the ECI B-FOCuS /I should work.  :-\

You could give the ECI a 'long reset' which will then revert it back to Beattie's original status. Then a test with your router  connected to the LAN1 port will allow you to confirm the correct operation. If you were then to perform the unlocking steps, it should continue to operate in bridge mode.

As for how to configure a B-FOCuS /I to establish a PPPoE session, etc, that is something I am unable to assist you with.  :no:  You may be able to glean the required information by carefully scrutinising all the ECI related posts in these fora. The main problem is that the B-FOCuS /I has been superseded by the B-FOCuS /r and all work has been performed on the latter -- based around replacing the Beattie provided firmware.

Sorry that I am unable to provide any explicit details.  :(
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: richardh on September 23, 2013, 01:15:19 PM
You have been more than helpful  :)

I did the factory reset via the web GUI, which put it back to pre-unlock status. Then I tested it out by using my router's WAN port to make the connection and it worked!

Seeing as it still works when unlocked, I now noticed what the problem was... firstly, the VLAN ID / priority settings are totally different to the HG612 and should have been left alone, and secondly, since the modem isn't fully unlocked, some of the settings like bridge mode/PPPoE clearly don't work, because the only WAN setting that works is Dynamic IP for some reason and it acts as a bridge. Whenever I select any of the other options the "Wan setup" tab goes blank.

Anyhow, since installing it I have reduced my pings by 8ms so far, which is good, although I have lost about 1.5MB throughput because for some reason using a WAN port always does that to me. So as it seems the ECI /I version will never get that router function, I may as well get rid of it and keep hold of my Huawei for now until the clever chaps see to the /R version.

Thanks again burakkucat for lending a hand  :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on September 23, 2013, 07:24:48 PM
You have been more than helpful  :)

<snip>

Thanks again burakkucat for lending a hand  :)

You're welcome.  ;)  Sorry the help was not that fulfilling.  :(

I always try to avoid causing damage with my paws . . .  ;D
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: uklad on October 13, 2013, 03:45:51 PM
Where is asbokid at the moment? I need his help with something but I've lost his email :(
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on October 14, 2013, 12:27:32 AM
Precise location? I know not . . .  :no:

E-mail address? It's available almost everywhere!  ::)

For example, go to this page (http://huaweihg612hacking.wordpress.com/about/), scroll to the bottom of the right-hand panel and hover the cursor over / click on the 'asbokid' in the line that reads --

Quote
HuaweiHG612Hacking by asbokid is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: khile on November 10, 2013, 10:03:18 AM
Is this model hackable now? I got fibre installed on Thursday and really want to start hacking and flashing  :D
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ronski on November 10, 2013, 10:59:49 AM
You will be better off getting a Huawei HG612 off eBay; it is much easier to unlock and there are programs available to monitor your connection.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: custard on March 30, 2014, 12:05:20 AM
I've been using this modem unlocked for the last week. I'd like to confirm that telnet and the GUI remain accessible if another router acting as a switch in between the modem and the normal router is used.

I've tested various codes from the list posted earlier in the thread. My findings are that errors such as CRC, FEC and ES are reported although probably not always accurately.

I was going to show the outputs of each code I tested but was unable to do so as the modem could not handle being asked for multiple outputs simultaneously. Doing this caused me to lose telnet access and I don't want to reboot just yet.

So if anyone tries the codes below I would advise that they are done in batches of 6-8.

Code:
echo " bpstg" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " bbsg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " bbsg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " fpsg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " fpsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997amlfcg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997amlfcg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997fpsg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997fpsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lig 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lig 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997listrg 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997listrg 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lspbg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " g997lspbg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " lfcg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " lfcg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " llcg" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc15mg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcc1dg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmccsg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcctg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmcctg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc15mg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpc1dg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpcsg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpctg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpctg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmdpfc15mg 0 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 1 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 1 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesc15mg 1 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo "pmlesc1dg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlescsg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesctg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlesctg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc15mg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfc1dg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 0 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 1 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfcsg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfctg 0" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlfctg 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 1 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 1 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc15mg 1 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 1 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 1 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsc1dg 1 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 0 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 1 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlscsg 1 2" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsctg 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmlsctg 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc15mg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc15mg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc15mg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc1dg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc1dg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtc1dg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtcsg 0 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtcsg 0 1 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtcsg 0 2 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " pmrtctg 0 " > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " rusg" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
echo " vig" > /tmp/pipe/dsl_cpe0_cmd
cat /tmp/pipe/dsl_cpe0_ack
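A paced way of running the same queries, added here as an example (it is not custard's script and not part of the modem firmware): each command is written to the `/tmp/pipe/dsl_cpe0_cmd` pipe named in the thread and its acknowledgement is read back from `/tmp/pipe/dsl_cpe0_ack` before the next one is sent, with a rest after every batch so the CPE control daemon is never asked for several outputs at once. The `DSL_PIPE_DIR`, `DSL_BATCH_SIZE` and `DSL_BATCH_PAUSE` variables, the `dsl_*` function names, and the assumption that an ack is a line of `key=value` pairs beginning with `nReturn=0` on success are all this example's own; the sample ack in the comments is constructed, not captured from a modem.

```shell
#!/bin/sh
# Added example, not the thread's or the firmware's own code.
# Sequentially query the Lantiq DSL CPE control pipes, one command at a time,
# pausing between batches as advised in the thread (6-8 commands per batch).
#
# Assumptions (labelled): pipe names as used in the thread; DSL_PIPE_DIR lets the
# same functions be pointed at a directory of plain files for offline testing.
DSL_PIPE_DIR="${DSL_PIPE_DIR:-/tmp/pipe}"
DSL_BATCH_SIZE="${DSL_BATCH_SIZE:-6}"   # commands per batch
DSL_BATCH_PAUSE="${DSL_BATCH_PAUSE:-2}" # seconds to rest between batches

# dsl_query CMD: send one CLI command (with the leading space the thread uses)
# and print whatever the daemon writes to the ack pipe. Fails if the cmd pipe
# cannot be written, so a dead daemon is noticed instead of hanging on cat.
dsl_query() {
    printf ' %s\n' "$1" > "$DSL_PIPE_DIR/dsl_cpe0_cmd" || return 1
    cat "$DSL_PIPE_DIR/dsl_cpe0_ack"
}

# dsl_field ACK KEY: pull KEY's value out of an ack of the assumed form
# "nReturn=0 nDirection=1 SNR=66 ...". Prints nothing and returns 1 if absent.
dsl_field() {
    _key="$2"
    for _pair in $1; do
        case "$_pair" in
            "$_key"=*) printf '%s\n' "${_pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# dsl_ack_ok ACK: success is signalled by nReturn=0 (assumed convention).
dsl_ack_ok() {
    [ "$(dsl_field "$1" nReturn)" = "0" ]
}

# dsl_batch: read commands, one per line, from stdin; run them strictly in
# sequence, print "cmd => ack" for each, report non-zero nReturn on stderr,
# and sleep DSL_BATCH_PAUSE seconds after every DSL_BATCH_SIZE commands.
dsl_batch() {
    _n=0
    while IFS= read -r _cmd; do
        [ -z "$_cmd" ] && continue
        _ack=$(dsl_query "$_cmd") || { echo "$_cmd => no answer" >&2; return 1; }
        if dsl_ack_ok "$_ack"; then
            printf '%s => %s\n' "$_cmd" "$_ack"
        else
            printf '%s => ERROR %s\n' "$_cmd" "$_ack" >&2
        fi
        _n=$((_n + 1))
        if [ $((_n % DSL_BATCH_SIZE)) -eq 0 ]; then
            sleep "$DSL_BATCH_PAUSE"
        fi
    done
}

# Usage on the modem, e.g. over the telnet session the thread describes:
#   printf 'g997lsg 0 1\ng997lsg 1 1\nvig\n' | dsl_batch
# Constructed sample ack for "g997lsg 1 1" (not a real capture):
#   nReturn=0 nDirection=1 nDeltDataType=1 LATN=183 SATN=183 SNR=66 ATTNDR=39868000 ACTATP=128
```

Because each `cat` waits for the daemon's answer before the loop continues, the script never has two outstanding requests, which is the condition custard found would cost the telnet session; the batch pause is a further margin on top of that.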
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Blackeagle on March 31, 2014, 03:43:14 PM
I'd like to confirm that telnet and the gui remain accessible if another router acting as a switch inbetween the modem and normal router is used.

A few questions!!

a) Is that absolutely necessary? I have a spare switch I could use, but I will probably be breaking the T&Cs by doing so!
b) Am I likely to get locked out again by a firmware upgrade, as with the HG612?

Quote
My findings are that errors such as CRC, FEC and ES are reported although probably not always accurately.
c) Is this via the GUI or telnet? Also, what leads you to believe they are not always accurate?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: custard on March 31, 2014, 05:09:36 PM
Quote
a) Is that absolutely necessary? I have a spare switch I could use, but I will probably be breaking the T&Cs by doing so!
I can't access the modem with the WAN connected unless I use the above method.
Quote
b) Am I likely to get locked out again by a firmware upgrade, as with the HG612?
Possibly, but I'd wait for someone more qualified to answer.
 
Quote
c) Is this via the GUI or telnet? Also, what leads you to believe they are not always accurate?
The FEC errors on both sometimes show a figure of about 49,000,0000 or something, which is probably the threshold. I also have only seen HEC at 0.
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: HighBeta on March 31, 2014, 08:49:33 PM
Thanks custard for the updates - useful info  :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: cederom on February 20, 2015, 04:30:18 PM
Can you please provide ARX CPU pinout for JTAG port (i.e. what pins on CPU are the JTAG signals)?
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: imap on May 25, 2015, 09:01:25 PM
Hi everyone.

Obtained an ECI modem not long ago after switching over to fibre. Not being happy with my other Huawei modem, I thought maybe I can somehow get this to work, and after searching the net I've come across this post.

Currently I am halfway through hacking this thing but I am getting strange serial output in the terminal. Instead of readable characters I am getting ASCII characters. I can't get to the bottom of this. I have tested the serial adaptor and it seems to work fine. It echoes characters to the terminal and works well with a microcontroller.
Is it maybe a setting in HyperTerminal that's buggered?

I appreciate any help and will answer any question best to my ability.

Thanks.

Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: kitz on May 25, 2015, 09:18:58 PM
Hi and welcome to the forums  ^-^

I'm afraid it's way over my head when it comes to hacking the ECI, so I'll leave that to the other guys who may hopefully be able to help you.


I would, however, be interested in any results such as line stats in comparison to the Huawei if you do manage to get it working :)
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: currytop on May 25, 2015, 09:51:20 PM
Check serial terminal emulator is set to 115,200 baud, no flow control, no parity.

Steve
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: imap on May 27, 2015, 08:35:03 PM
Check serial terminal emulator is set to 115,200 baud, no flow control, no parity.



I have changed the settings and got no difference in output until I connected the RX wire. lol

Thanks!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: IBulti on June 09, 2015, 06:26:06 PM
Hi,

I have been trying to use the information you have kindly provided on the web/forums but I seem to have run into a hiccup.
I have set my serial port to 115200, 8 bit, 1 stop, with no flow control or parity.
Although I have tried several speed settings, all I get is gobbledygook:

»¿åëW«V©öVjìÛUÚ

               ºô
                 ú»´Ôjjú»Ô*ª
                            ªtô{ë¶öÖ­ëë+뤫MQÑ£¤aöõºê*¶«övöìûööööûööÖöÛ+ëå#[5
¿#w==
»¿åëW«V©öVjìÛUÚ

               ºô
                 ú»´Ôjjú»Ô*ª
                            ªtô{ë¶öÖ­ëë+뤫MQÑ£¤aöõºê*¶«övöìûööööûööÖöÛ+ëå#[5
¿#w==
»¿
  ºô
    ú»´Ôjjú»Ô*ª
               ªtô{ë¶öÖ­ëë+뤫MQÑ£¤aöõºê*¶«övöìûööööûööÖöÛ+ëå#[5
¿#w==
»¿åëW«V©öVjìÛUÚ

               ºô
                 ú»´Ôjjú»Ô*ª
                            ªtô{ë¶öÖ­ëë+뤫MQÑ£¤aöõºê*¶«övöìûööö
Where am I going wrong?
I am using PuTTY as the terminal program, as Win 8.1 does not seem to have HyperTerminal.

Thanks
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: burakkucat on June 09, 2015, 06:33:54 PM
Welcome to the Kitz forum.  :)

That output clearly shows your terminal emulator is incorrectly configured.

115200 bps is correct
no parity checking is correct
no flow control is correct

Perhaps try 7 data bits rather than 8?  :-\
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: les-70 on June 09, 2015, 07:08:24 PM
You should check all the pin connections and cables involved. It is not unusual to see such output on the first try!!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: Ragnarok on June 10, 2015, 08:43:24 AM
Sometimes a reboot can fix that. Other times it is a slightly dodgy connection!
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: andrew_c on July 25, 2015, 08:15:20 PM
Had to register to say this forum has been a great help in unlocking my ECI B-FOCuS /I modem.

I too got the strange characters - my soldering just needed a little extra fettling.

Thanks again. Andy
Title: Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
Post by: kitz on July 29, 2015, 12:37:45 AM
Hi Andy and welcome :)

Glad that you found the information useful.