Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: BritBrat on February 14, 2012, 09:32:15 PM

Title: @ uklad and asbokid
Post by: BritBrat on February 14, 2012, 09:32:15 PM
I have been impressed with your thread on "Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)". I tried Google translation but none seemed to make any more sense to me than your thread :)

Anyway, back to why I am making this post: Sky are rolling out firmware updates to routers and changing over to MER (MAC Encapsulated Routing), but using their own protocols that are not known to anyone else, and therefore you can't use a third party router.

Do you think you could find out what they are using?
Title: Re: @ uklad and asbokid
Post by: asbokid on February 15, 2012, 05:34:14 AM
Quote
I have been impressed with your thread on "Hacking the ECI model B-FOCuS V-2FUb/I Rev.B)". I tried Google translation but none seemed to make any more sense to me than your thread :)

hehe. eventually we will prove the infinite monkey theorem! [1]

Quote
Anyway, back to why I am making this post: Sky are rolling out firmware updates to routers and changing over to MER (MAC Encapsulated Routing), but using their own protocols that are not known to anyone else, and therefore you can't use a third party router.

Do you think you could find out what they are using?

Heck, that's nice of Sky.  Wasn't aware of any of this going on.  No wonder people are so miffed.  Sky reportedly supplies the DLink DSL-2640. Hope that's better than the DSL-2680 supplied by TalkTalk.  The 2680 was a Trend chipset running ZyNOS, but according to Michael Pudeev, the 2640 is Broadcom-based and runs MIPS-Linux.  [2]

The DSL-2640s is apparently powered by a Broadcom 6328 SoC. [3]  DLink's release of GPL'ed code for the 2640s is here [4]. An earlier v.1.07 firmware for the DSL-2640s is at [5].  The firmware is in the usual Broadcom format:

Code:
$ xxd -l 256 recover.img
0000000: 3600 0000 4272 6f61 6463 6f6d 2043 6f72  6...Broadcom Cor
0000010: 706f 7261 7469 6f00 7665 722e 2032 2e30  poratio.ver. 2.0
0000020: 0000 0000 0000 3633 3238 0000 3936 3332  ......6328..9632
0000030: 3841 564e 4700 0000 0000 0000 3100 3338  8AVNG.......1.38
0000040: 3437 3135 3500 0000 3000 0000 0000 0000  47155...0.......
0000050: 0000 0000 3000 0000 0000 0000 0000 3332  ....0.........32
0000060: 3137 3039 3639 3630 0000 3239 3733 3639  17096960..297369
0000070: 3600 0000 3332 3230 3037 3036 3536 0000  6...3220070656..
0000080: 3837 3334 3539 0000 0000 0000 0000 0000  873459..........
0000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000d0: 0000 0000 0000 0000 e3e9 a9d3 35e2 3538  ............5.58
00000e0: b8ce 9897 0000 0000 0000 0000 ea5a d22c  .............Z.,
00000f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................

$ dd if=recover.img of=HDR bs=1 count=256
256+0 records in
256+0 records out
256 bytes (256 B) copied, 0.00123929 s, 207 kB/s

$ dd if=recover.img of=ROOTFS bs=1 skip=256 count=2973696
2973696+0 records in
2973696+0 records out
2973696 bytes (3.0 MB) copied, 3.7481 s, 793 kB/s

$ dd if=recover.img of=KERNEL bs=1 skip=2973952 count=873459
873459+0 records in
873459+0 records out
873459 bytes (873 kB) copied, 1.1052 s, 790 kB/s

$ ls -ln
total 7524
-rw-r--r-- 1 1000 1000     256 Feb 15 05:09 HDR
-rw-r--r-- 1 1000 1000  873459 Feb 15 05:14 KERNEL
-rw-r--r-- 1 1000 1000 3847496 May 20  2010 recover.img
-rw-r--r-- 1 1000 1000 2973696 Feb 15 05:12 ROOTFS

$ 7z x ../ROOTFS  | more

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)

Processing archive: ../ROOTFS

Extracting  bin
Extracting  data
Extracting  dev
Extracting  etc
Extracting  lib
Extracting  linuxrc
Extracting  mnt
Extracting  opt
Extracting  proc
Extracting  sbin
Extracting  sys
Extracting  tmp
Extracting  usr
Extracting  var
Extracting  webs
Extracting  bin/adsl
Extracting  bin/adslctl
Extracting  bin/brctl
Extracting  bin/busybox
Extracting  bin/cat
Extracting  bin/chmod
Extracting  bin/consoled
Extracting  bin/cp
Extracting  bin/date
Extracting  bin/ddnsd
Extracting  bin/deluser
Extracting  bin/df

[...snipped..]  (see attached file output.txt)

tcpdump builds okay on MIPS32, so it can probably be gotten to run on the 2640s [6]. tcpdump can sniff the frames at the Ethernet layer. In theory it could help to discover the secret protocol that Sky is using.

Not something I personally want to look at!

cheers, a

[1] http://en.wikipedia.org/wiki/Infinite_monkey_theorem
[2] http://pudeev.livejournal.com/33449.html
[3] http://pathogenrush.blogspot.com/2010/09/d-link-dsl-2640s.html
[4] http://www1.sky.com/opensourcesoftware/router/downloads.html
[5] http://www.skyuser.co.uk/forum/sky-router/43328-how-downgrade-firmware-sky-d-link-dsl-2640s-router-firmware-2-04-a.html
[6] http://www.tcpdump.org/
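Added example (not code from either poster, nor from D-Link or Broadcom): the offsets asbokid feeds to dd above all come out of the 256-byte tag at the front of recover.img, so it is worth parsing that tag and cross-checking it before carving. The field layout assumed here is the Broadcom CFE "bcm_tag" image header as documented by the OpenWrt imagetag tool (decimal ASCII lengths and addresses, big-endian CRC32 words at 0xd8/0xdc/0xe0/0xec); the header bytes are transcribed from the xxd dump in the post. The CRC variant (seed 0xFFFFFFFF, no final inversion, header CRC over the first 236 bytes) is also an assumption about CFE's getCrc32, not something the thread confirms, so `header_crc_ok()` is offered as a check, not as a verified result.

```python
"""Parse and sanity-check a Broadcom CFE image tag before carving with dd."""
import struct
import zlib

HEADER_SIZE = 256

# 256-byte tag transcribed from the xxd dump in the post (constructed input).
HEADER = bytes.fromhex("".join([
    "3600000042726f6164636f6d20436f72",   # 0x00  "6", "Broadcom Cor"
    "706f726174696f007665722e20322e30",   # 0x10  "poratio", "ver. 2.0"
    "00000000000036333238000039363332",   # 0x20  chip "6328", board "9632"
    "3841564e470000000000000031003338",   # 0x30  "8AVNG", bigEndian "1", "38"
    "34373135350000003000000000000000",   # 0x40  "47155", cfeAddress "0"
    "00000000300000000000000000003332",   # 0x50  cfeLength "0", "32"
    "31373039363936300000323937333639",   # 0x60  "17096960", "297369"
    "36000000333232303037303635360000",   # 0x70  "6", "3220070656"
    "38373334353900000000000000000000",   # 0x80  "873459"
    "00" * 16, "00" * 16, "00" * 16, "00" * 16,   # 0x90-0xcf reserved
    "0000000000000000e3e9a9d335e23538",   # 0xd0  imageCrc, rootfsCrc
    "b8ce98970000000000000000ea5ad22c",   # 0xe0  kernelCrc, headerCrc
    "00" * 16,                            # 0xf0  reserved
]))

# Assumed bcm_tag layout (offsets in the comments are within the 256-byte tag).
TAG_FORMAT = (
    ">"
    "4s"   "20s"  "14s"  "6s"   "16s"   # 0x00 tagVersion, sig1, sig2, chipId, boardId
    "2s"   "10s"                        # 0x3c bigEndian, totalLength
    "12s"  "10s"                        # 0x48 cfeAddress, cfeLength
    "12s"  "10s"                        # 0x5e flashImageStart (rootfs), rootLength
    "12s"  "10s"                        # 0x74 kernelAddress, kernelLength
    "2s"   "2s"   "74s"                 # 0x8a dualImage, inactiveFlag, rsa/reserved
    "I"    "I"    "I"   "8s"            # 0xd8 imageCrc, rootfsCrc, kernelCrc, reserved
    "I"    "16s"                        # 0xec headerCrc, reserved
)
assert struct.calcsize(TAG_FORMAT) == HEADER_SIZE


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return field.split(b"\0", 1)[0].decode("ascii")


def _num(field: bytes) -> int:
    """Decode a decimal-ASCII numeric field; empty means 0."""
    text = _cstr(field)
    return int(text) if text else 0


def parse_tag(hdr: bytes) -> dict:
    """Unpack the tag into named fields with integers already converted."""
    if len(hdr) != HEADER_SIZE:
        raise ValueError("expected a %d-byte tag" % HEADER_SIZE)
    f = struct.unpack(TAG_FORMAT, hdr)
    return {
        "tag_version": _cstr(f[0]), "signature_1": _cstr(f[1]),
        "signature_2": _cstr(f[2]), "chip_id": _cstr(f[3]),
        "board_id": _cstr(f[4]), "big_endian": _cstr(f[5]) == "1",
        "total_length": _num(f[6]), "cfe_address": _num(f[7]),
        "cfe_length": _num(f[8]), "rootfs_address": _num(f[9]),
        "rootfs_length": _num(f[10]), "kernel_address": _num(f[11]),
        "kernel_length": _num(f[12]), "image_crc": f[16],
        "rootfs_crc": f[17], "kernel_crc": f[18], "header_crc": f[20],
    }


def bcm_crc32(data: bytes) -> int:
    """CRC-32 seeded with 0xFFFFFFFF and without zlib's final inversion
    (assumed to match CFE's getCrc32); undo the XOR zlib applies."""
    return zlib.crc32(data) ^ 0xFFFFFFFF


def header_crc_ok(hdr: bytes) -> bool:
    """Assumption: headerCrc covers the tag minus its last 20 bytes."""
    return bcm_crc32(hdr[:HEADER_SIZE - 20]) == parse_tag(hdr)["header_crc"]


def carve_layout(tag: dict) -> dict:
    """File offsets and lengths for dd: rootfs follows the tag, kernel follows rootfs."""
    rootfs_off = HEADER_SIZE
    kernel_off = rootfs_off + tag["rootfs_length"]
    return {"rootfs": (rootfs_off, tag["rootfs_length"]),
            "kernel": (kernel_off, tag["kernel_length"]),
            "end": kernel_off + tag["kernel_length"]}


def sanity_check(tag: dict, image_size=None) -> list:
    """Return a list of inconsistencies; empty means the tag is self-consistent."""
    problems = []
    if not tag["signature_1"].startswith("Broadcom"):
        problems.append("signature_1 is not a Broadcom tag")
    if tag["total_length"] != tag["rootfs_length"] + tag["kernel_length"]:
        problems.append("totalLength != rootLength + kernelLength")
    if tag["kernel_address"] != tag["rootfs_address"] + tag["rootfs_length"]:
        problems.append("kernel is not contiguous with rootfs in flash")
    if image_size is not None and HEADER_SIZE + tag["total_length"] > image_size:
        problems.append("tag claims more payload than the file holds")
    return problems


if __name__ == "__main__":
    tag = parse_tag(HEADER)
    print(tag["chip_id"], tag["board_id"], "big-endian" if tag["big_endian"] else "little-endian")
    print("layout:", carve_layout(tag))
    print("problems:", sanity_check(tag, 3847496) or "none")
    print("header crc matches:", header_crc_ok(HEADER))
```

Running it against the dumped tag reproduces the numbers in the dd commands (rootfs at 256 for 2973696 bytes, kernel at 2973952 for 873459 bytes), and `sanity_check` confirms that totalLength equals the two payload lengths added together and that the flash addresses place the kernel immediately after the rootfs. The same functions can be pointed at the first 256 bytes of any image in this format; disagreement between the tag and the file size, or a header CRC mismatch, is the signal to stop and look before trusting the carved pieces.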