Author Topic: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B  (Read 195540 times)

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #105 on: April 06, 2012, 01:56:32 AM »

Quote
Tell me what to do and I'll be happy to do it, especially if it means I get a pretty web interface and can help others in my situation. It'd also be nice to find a repair system for new firmware, if one exists...

Hi again Ben..

Once you've gained a shell via the serial port.. your energies could be profitably focused on that tool for modifying the NVRAM configuration data of the modem..

It looks like you would need to modify one or two XML element values in the gzip'ed CPE MIB file that is found in the "RGCFG1" NVRAM board configuration partition of the flash.

Specifically, these are the element values which probably need changing..

   <switch>
..
      <lan_access_cpe_enable>0</lan_access_cpe_enable>
..
      <port id="2">
         <vid>102</vid>
         <pri>7</pri>
         <loopback>0</loopback>
         <activate>0</activate>
         <special_vlan>0</special_vlan>
      </port>
   </switch>

It may be that the XML MIB file needs to be gunzipped first.. bit of tinkering necessary there..

There appears to be a dedicated tool for modifying the XML MIB file [1] in the ECI modem..

The tool is found at /usr/sbin/xmldbc

Here are the command line options for xmldbc:

Code:
Usage: xmldbc version 2 [OPTIONS]
  -h                     show this help message.
  -H                     show version number.
  -v                     verbose mode.
  -a                     dump database include runtime and tmp.
  -i                     ignore external function (like runtime).
  -g {node path}         get value from {node path}.
  -s {node path} {value} set  {value} in {node path}.
  -d {node path}         delete {node path}.
  -l {XML file}          reload XML file to database.
  -f {XML file}          set XML file to database.
  -D {XML file}          dump database to XML file.
  -S {unix socket}       specify unix socket name, default is /var/run/xmldb_sock
  -A {ephp file}         embeded php parse.
  -V {name=value}        variable for ephp.
  -x {command}           set extended get/set command.
  -t {tag:sec:command}   schedule a timer.
  -k {tag}               kill timers by tag.

The xmldbc tool has all the commands needed to set the elements (nodes) in the XML MIB of the ECI to re-enable LAN-side access and the web GUI.

It would probably be easiest to enable DHCP on the ECI as well, and let it assign the PC an IP address.

This is on the brink of success..

cheers, a

[1] http://en.wikipedia.org/wiki/Management_information_base
Logged
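An added example, not code from asbokid's post or from the ECI firmware: a read-only Python audit of a MIB blob in the layout quoted above. It accepts either the raw gzip member (as it would come out of a partition dump, erase padding included) or already-gunzipped XML, and reports the lan_access_cpe_enable flag and the per-port activation state. The XML is a constructed sample built from the element names in the post, and the top-level <cpe> wrapper is an assumption.

```python
import gzip
import zlib
import xml.etree.ElementTree as ET

# Constructed sample using the element names quoted in the post above;
# the <cpe> wrapper is assumed and this is not a dump of a real RGCFG1 partition.
SAMPLE_MIB_XML = b"""<cpe>
  <switch>
    <lan_access_cpe_enable>0</lan_access_cpe_enable>
    <port id="1"><vid>101</vid><activate>1</activate></port>
    <port id="2">
      <vid>102</vid><pri>7</pri><loopback>0</loopback>
      <activate>0</activate><special_vlan>0</special_vlan>
    </port>
  </switch>
</cpe>
"""

GZIP_MAGIC = b"\x1f\x8b"

def packed_sample() -> bytes:
    """Constructed stand-in for the partition contents: gzip member plus erase padding."""
    return gzip.compress(SAMPLE_MIB_XML) + b"\xff" * 16

def load_mib(blob: bytes) -> ET.Element:
    """Parse a MIB blob that is plain XML or a gzip member.
    zlib stops at the member's end, so erase padding (0x00/0xFF) after a raw
    flash dump is tolerated, and dec.eof tells us the stream was complete."""
    if blob[:2] == GZIP_MAGIC:
        dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper
        blob = dec.decompress(blob)
        if not dec.eof:
            raise ValueError("gzip member is truncated")
    return ET.fromstring(blob.rstrip(b"\x00\xff"))

def audit_switch(root: ET.Element) -> dict:
    """Collect the LAN-side access flag and per-port state from <switch>."""
    sw = root.find(".//switch")
    if sw is None:
        raise ValueError("no <switch> element in MIB")
    report = {"lan_access_cpe_enable": sw.findtext("lan_access_cpe_enable", default="missing"),
              "ports": {}}
    for port in sw.findall("port"):
        report["ports"][port.get("id")] = {"vid": port.findtext("vid"),
                                           "activate": port.findtext("activate")}
    return report

def inactive_ports(report: dict) -> list:
    """IDs of switch ports whose <activate> is 0, i.e. not usable for LAN access."""
    return sorted(pid for pid, p in report["ports"].items() if p["activate"] == "0")

if __name__ == "__main__":
    print(audit_switch(load_mib(packed_sample())))
```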

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #106 on: April 06, 2012, 04:30:49 PM »

Hi.. An important correction...

The flash memory IC on the PCB of the ECI is a Macronix MX29LV640EB. [1] That is a NOR flash device rather than a NAND device...

As such, the IC utilises the Common Flash Interface (CFI) rather than the Open NAND flash interface (ONFI)...

On a second note..

Just a quick observation..

Whoever built the firmware for the ECI also patched the U-Boot loader to use RSA authentication.

We can see that from the boot log dumps that uklad posted to this thread. [2] [3]

Code:
Have RSA magic !!!
Image at B0051060:
   Image Name:   MIPS Linux-2.6.20
..
Have RSA magic !!!
Image at B03F1060:
   Image Name:   MIPS Linux-2.6.20
..
## Booting image from active region 2 at b03f0000 ...
Check RSA image magic--OK!
Please type [setenv rsa_check 1] !!!
..
RSA_CHECK:  0

Fortunately, it looks like RSA authentication is present but disabled.

RSA authentication of firmware is not a standard part of U-Boot. [4]  It was patched into the ECI firmware by persons unknown. But it looks like this developer might have an idea who did it. [5]   At the time (July 2009) he was working for SAGEM. [6]

From that mailing list thread, it's clear that Wolfgang Denk, the U-Boot developer, was resistant to the idea of RSA authentication of firmware.

Nevertheless, the code somehow wormed its way into the firmware of the ECI kit supplied as VDSL2 CPE by BT Openreach.

U-Boot is GPL licensed, so this modification for RSA is a violation of the terms under which its use is granted.

cheers, a

[1] http://www.macronix.com/../MX29LV640ETBver13-1.3.pdf
[2] http://forum.kitz.co.uk/index.php/topic,10635.msg209378.html#msg209378
[3] http://forum.kitz.co.uk/index.php/topic,10635.msg209377.html#msg209377
[4] http://git.denx.de/?p=u-boot.git;a=tree;f=doc/uImage.FIT
[5] http://lists.denx.de/pipermail/u-boot/2009-July/057169.html
[6] http://www.doyoubuzz.com/cyrille-francois
« Last Edit: April 09, 2012, 08:57:52 PM by asbokid »
Logged
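An added example (not from the thread or the ECI firmware): the observation above, that RSA authentication is present but disabled, expressed as a small parser over a constructed excerpt of the boot log lines quoted. It records which images carry the RSA magic and what RSA_CHECK is set to, then classifies the result; the field names and the verdict strings are this example's own.

```python
import re

# Constructed excerpt based on the lines quoted above (not a full boot log).
SAMPLE_BOOT_LOG = """\
Have RSA magic !!!
Image at B0051060:
   Image Name:   MIPS Linux-2.6.20
Have RSA magic !!!
Image at B03F1060:
   Image Name:   MIPS Linux-2.6.20
## Booting image from active region 2 at b03f0000 ...
Check RSA image magic--OK!
Please type [setenv rsa_check 1] !!!
RSA_CHECK:  0
"""

IMAGE_RE = re.compile(r"^Image at ([0-9A-Fa-f]+):")
REGION_RE = re.compile(r"^## Booting image from active region (\d+) at ([0-9A-Fa-f]+)")
CHECK_RE = re.compile(r"^RSA_CHECK:\s*(\d+)")

def parse_boot_log(text: str) -> dict:
    """Walk the U-Boot console output line by line and collect the RSA-related facts."""
    info = {"images": [], "active_region": None, "rsa_check": None}
    pending_magic = False  # 'Have RSA magic' precedes the 'Image at' line it refers to
    for line in text.splitlines():
        if line.startswith("Have RSA magic"):
            pending_magic = True
            continue
        m = IMAGE_RE.match(line)
        if m:
            info["images"].append({"addr": int(m.group(1), 16), "rsa_magic": pending_magic})
            pending_magic = False
            continue
        m = REGION_RE.match(line)
        if m:
            info["active_region"] = {"region": int(m.group(1)), "addr": int(m.group(2), 16)}
            continue
        m = CHECK_RE.match(line)
        if m:
            info["rsa_check"] = int(m.group(1))
    return info

def rsa_verdict(info: dict) -> str:
    """Classify the state of image authentication.
    rsa_check is a U-Boot environment variable: 'enforced' means the check ran
    with the flag set on this boot, not that the flag cannot be changed."""
    signed = [img for img in info["images"] if img["rsa_magic"]]
    if not signed:
        return "absent"
    if info["rsa_check"] == 1:
        return "enforced"
    return "present-but-disabled"

if __name__ == "__main__":
    print(rsa_verdict(parse_boot_log(SAMPLE_BOOT_LOG)))
```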

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #107 on: April 08, 2012, 09:46:59 PM »

Asbokid i just dropped you an email... let me know what you think ...
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #108 on: April 09, 2012, 08:06:50 PM »

I have been in contact with the FSF about our device violating the GPL multiple times; they are working on it. Also, I am yet to receive my converter because I'm foolish: it's a bank holiday today and was last Friday, hence no post. I should get it tomorrow or the day after.
Logged

Blackeagle

  • Reg Member
  • ***
  • Posts: 257
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #109 on: April 09, 2012, 08:50:50 PM »

Following this with great interest as said modem is currently powering my FTTC service.

Given what asbo has said, I believe that it's possible to connect by UART and use xmldbc to modify the configuration to enable LAN side access.  If this is indeed the case, then all of you guys in this thread have worked yet another miracle between you.  Although I don't currently see that this will aid any user that cannot add the required port to the ECI, I am of the (hopeful) opinion that once it's unlocked, someone may find a loophole in much the same way as asbo did for the HG612 to be able to upload over ethernet.

If not, I am quite prepared to wave my soldering iron once again, although the prospect of SWMBO being unable to access FB does fill me with dread should I lift a pad or bridge something  :o

If this is gonna be my only option (other than buying an HG612), if someone could provide details of the needed cables etc I would be more than grateful.  Perhaps I'm being lazy here and should just review the thread, but I don't want to jump in and then find I should have got something else.

Basically, I just want to be sure of what I'm doing before I do it !!!

Thanks for your attention

BE
Logged
ASCII stupid question, get a stupid ANSI -- TalkTalk Broadband since 2006

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #110 on: April 09, 2012, 09:50:42 PM »

Blackeagle: we are not there yet but are making progress. Judging by what we have found so far, even if asbokid unlocks the firmware file, I cannot find any means for flashing the firmware without having access to the UART console. Anyway, work continues..
Logged

Blackeagle

  • Reg Member
  • ***
  • Posts: 257
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #111 on: April 09, 2012, 09:57:47 PM »

Quote
Blackeagle: we are not there yet but are making progress. Judging by what we have found so far, even if asbokid unlocks the firmware file, I cannot find any means for flashing the firmware without having access to the UART console. Anyway, work continues..

NP uklad.  I may have just sourced myself an unlocked Huawei HG612, leaving me time and space to play with the ECI !!

As an aside, I have found a source for the Dare DB120 but it would still need translating to English, which won't happen for a month or so.

Keep up the good work bud !!

Regards

BE
Logged
ASCII stupid question, get a stupid ANSI -- TalkTalk Broadband since 2006

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 35759
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #112 on: April 10, 2012, 03:33:39 AM »

Quote
As an aside, I have found a source for the Dare DB120 but it would still need translating to English, which won't happen for a month or so.

That will be interesting.  :)  And will be worth a thread of its own!
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


JoshShep

  • Reg Member
  • ***
  • Posts: 266
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #113 on: April 10, 2012, 12:43:50 PM »

Looks like Openreach have released code for the ECI

http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do

scroll down to Openreach Modems @ OTN's

Or here is the direct download link - http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #114 on: April 10, 2012, 03:26:06 PM »

Quote
Looks like Openreach have released code for the ECI

http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do

scroll down to Openreach Modems @ OTN's

Or here is the direct download link - http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip

Thank you for posting that, Josh. Well spotted!

Thank you to BT Openreach as well.

Frustratingly...the tarball (inside the zip) is corrupted, but hopefully someone at Openreach will soon remedy that.

cheers, a

p.s. uklad asked me to report that we've successfully unlocked his ECI via the UART.   All credit to uklad for breaking the camel's back  :)

Here are a couple of screenshots. The ECI has a really nice GUI. Great shame that it's hidden away from sight  :-X

Maybe we can now do some performance tests to compare the ECI and the HG612.

More screenshots at: http://hackingecibfocusv2fubirevb.wordpress.com/
« Last Edit: April 10, 2012, 03:49:35 PM by asbokid »
Logged

c6em

  • Reg Member
  • ***
  • Posts: 503
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #115 on: April 10, 2012, 04:03:09 PM »

The GUI seems exactly the same layout as used on the Dlink 2640B and 2740B series of ADSL routers.
Logged

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 41445
  • Penguins CAN fly
    • DSLstats
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #116 on: April 10, 2012, 04:35:21 PM »

Quote
Frustratingly...the tarball (inside the zip) is corrupted, but hopefully someone at Openreach will soon remedy that.

There only seems to be one header file missing: vr.3048/boards/lantiq_vr9/bootcode/include/asm-mips/arch-mips

All the rest is recoverable from the archive.
Logged
  Eric

JoshShep

  • Reg Member
  • ***
  • Posts: 266
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #117 on: April 10, 2012, 04:39:46 PM »

Great work guys  ;)

Would it be possible to unlock the modem via the second Lan port?

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #118 on: April 10, 2012, 05:11:56 PM »

Quote
Frustratingly...the tarball (inside the zip) is corrupted, but hopefully someone at Openreach will soon remedy that.

There only seems to be one header file missing: vr.3048/boards/lantiq_vr9/bootcode/include/asm-mips/arch-mips

All the rest is recoverable from the archive.

A lot more than one file is corrupted  :'(

Nearly 75% of the gzipped tar archive (contained within the zip) is corrupted.

The .tar.gz file (contained within the zip) should be 89,684,840 bytes in length.

However, from byte 22,020,096 (0x1500000) onwards, that .gz is all zero:

Code:
asbokid@l502x:~/eci_gpl$ wget http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
--2012-04-10 17:02:34--  http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/downloads/eci_alpha1B_VDSL_3048.zip
Resolving www.openreach.co.uk (www.openreach.co.uk)... 217.140.45.11
Connecting to www.openreach.co.uk (www.openreach.co.uk)|217.140.45.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22016583 (21M) [application/zip]
Saving to: `eci_alpha1B_VDSL_3048.zip'

100%[===============================================================================================>] 22,016,583  1.39M/s   in 20s     

2012-04-10 17:02:55 (1.04 MB/s) - `eci_alpha1B_VDSL_3048.zip' saved [22016583/22016583]

asbokid@l502x:~/eci_gpl$ md5sum eci_alpha1B_VDSL_3048.zip
2016cacd7b7bd67da645f6dac57cd970  eci_alpha1B_VDSL_3048.zip

asbokid@l502x:~/eci_gpl$ unzip -v eci_alpha1B_VDSL_3048.zip
Archive:  eci_alpha1B_VDSL_3048.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
89684840  Defl:N 22016395  76% 2012-03-16 08:08 7a4f3ff3  ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz
--------          -------  ---                            -------
89684840         22016395  76%                            1 file

asbokid@l502x:~/eci_gpl$ unzip -t eci_alpha1B_VDSL_3048.zip
Archive:  eci_alpha1B_VDSL_3048.zip
    testing: ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz   OK
No errors detected in compressed data of eci_alpha1B_VDSL_3048.zip.

asbokid@l502x:~/eci_gpl$ unzip eci_alpha1B_VDSL_3048.zip
Archive:  eci_alpha1B_VDSL_3048.zip
  inflating: ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz 

asbokid@l502x:~/eci_gpl$ ls -l
total 109088
-rw-r--r-- 1 asbokid asbokid 89684840 Mar 16 08:08 ECIALPHA1B_VDSL_3048_Mar_2012.tar.gz
-rw-r--r-- 1 asbokid asbokid 22016583 Mar 20 08:02 eci_alpha1B_VDSL_3048.zip

asbokid@l502x:~/eci_gpl$ md5sum ECI\ ALPHA1B_VDSL_3048_Mar_2012.tar.gz
2cfa0976bd4318125200a7115c28380e  ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz

asbokid@l502x:~/eci_gpl$ gunzip -t ECI\ ALPHA1B_VDSL_3048_Mar_2012.tar.gz

gzip: ECI ALPHA1B_VDSL_3048_Mar_2012.tar.gz: unexpected end of file

asbokid@l502x:~/eci_gpl$ dd bs=1 skip=$((0x14fff00)) if=ECI\ ALPHA1B_VDSL_3048_Mar_2012.tar.gz | xxd -l $((0x200))
0000000: 2004 72b1 c063 21ec 88c4 65f3 222e 053b   .r..c!...e."..;
0000010: a63b 1817 5974 cb38 212f 3728 8c3c 156d  .;..Yt.8!/7(.<.m
0000020: cfec eff1 7df5 7bda 4b04 8dd3 ee22 d2e6  ....}.{.K...."..
0000030: 04c4 9a37 2d8a cf48 cb7a de7a 81cb ea34  ...7-..H.z.z...4
0000040: b2ed efc1 db0c 73e9 dee4 e379 3100 7665  ......s....y1.ve
0000050: 3a1f b183 a2c9 3aaf 4920 c678 2f8f e1a6  :.....:.I .x/...
0000060: a6b0 06b9 4dae 00f7 6d37 2b0a f23f 54ff  ....M...m7+..?T.
0000070: 458e 760e b7ee e759 3a1d dc7d ce77 30b2  E.v....Y:..}.w0.
0000080: 219a bf29 9514 13d4 7360 24d4 0806 cc19  !..)....s`$.....
0000090: 1035 4c05 83ed 74c7 c38e e037 47e8 f484  .5L...t....7G...
00000a0: dd24 3411 75ad a016 e0fb 4077 87e2 c988  .$4.u.....@w....
00000b0: 0c00 1aae baf3 017e 19ab e55d 24cc 0cee  .......~...]$...
00000c0: 4ecd 1013 f489 6852 0bec 648b 9908 a6d9  N.....hR..d.....
00000d0: 6683 d985 3a88 d61c a807 f139 f0cb 2d33  f...:......9..-3
00000e0: 74c0 994c d3e2 1ad3 7971 3a0b 3e90 9858  t..L....yq:.>..X
00000f0: 181a e9ce 807d 81af f6c6 6839 933c 9709  .....}....h9.<..
0000100: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000110: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00001f0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
...

Hopefully Openreach will notice the problem ASAP  :)

cheers, a
« Last Edit: April 10, 2012, 05:21:01 PM by asbokid »
Logged
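An added example, not code from the thread: a Python check that reproduces what the session above establishes by hand, namely whether a .tar.gz member is complete, where a trailing all-zero fill starts, and what share of the file that fill represents. The archive is constructed and zero-filled inside the script; the byte counts from the post (89,684,840 total, zeros from 22,020,096) are used only to check the "nearly 75%" figure.

```python
import gzip
import zlib

def zero_tail_offset(data: bytes, min_run: int = 64) -> int:
    """Offset where a trailing run of at least `min_run` 0x00 bytes begins, or
    len(data) if there is no such run (a gzip ISIZE trailer may legitimately
    end in a zero byte or two, so short runs are ignored)."""
    start = len(data.rstrip(b"\x00"))
    return start if len(data) - start >= min_run else len(data)

def zero_fraction(total: int, zero_from: int) -> float:
    """Share of the file occupied by the trailing zero fill."""
    return 1.0 - zero_from / total if total else 0.0

def gzip_integrity(data: bytes) -> dict:
    """Decode one gzip member the way 'gunzip -t' would and report its state.
    'truncated' means the deflate stream never reached its final block (the
    'unexpected end of file' case); 'corrupt' means zlib rejected the bytes."""
    dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper
    try:
        dec.decompress(data)
        status = "ok" if dec.eof else "truncated"
    except zlib.error as exc:
        status = "corrupt: %s" % exc
    zero_from = zero_tail_offset(data)
    return {"size": len(data), "status": status, "zero_from": zero_from,
            "zero_fraction": zero_fraction(len(data), zero_from)}

def zero_fill(data: bytes, start: int) -> bytes:
    """Constructed damage: keep the first `start` bytes and replace the rest with 0x00."""
    return data[:start] + b"\x00" * (len(data) - start)

# Constructed sample archive: varied enough input to give the deflate stream
# a few hundred bytes, so that zero-filling most of it is detectable.
SAMPLE_TGZ = gzip.compress(bytes(range(256)) * 64 + b"ECI GPL tarball stand-in\n" * 32)

if __name__ == "__main__":
    print(gzip_integrity(SAMPLE_TGZ))
    print(gzip_integrity(zero_fill(SAMPLE_TGZ, len(SAMPLE_TGZ) // 4)))
```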

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 35759
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #119 on: April 10, 2012, 06:09:44 PM »

Quote
p.s. uklad asked me to report that we've successfully unlocked his ECI via the UART.   All credit to uklad for breaking the camel's back  :)

Excellent news!  :thumbs:  :clap:  :clap2:  :dance:  :silly:

Congratulations to the pair of you.  :drink:
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.
