Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 [2] 3 4 ... 21

Author Topic: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B  (Read 218621 times)

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #15 on: January 24, 2012, 07:23:06 PM »

output from flinfo

Code: [Select]
Bank # 1: MXIC  29LV640BB (64 Mbit, boot sector SA0~SA126 size 64k bytes,other s
ectors SA127~SA135 size 8k bytes)
  Size: 8 MB in 135 Sectors
  Sector Start Addresses:
    B0000000      B0002000      B0004000      B0006000      B0008000
    B000A000      B000C000      B000E000      B0010000      B0020000
    B0030000      B0040000      B0050000      B0060000      B0070000
    B0080000      B0090000      B00A0000      B00B0000      B00C0000
    B00D0000      B00E0000      B00F0000      B0100000      B0110000
    B0120000      B0130000      B0140000      B0150000      B0160000
    B0170000      B0180000      B0190000      B01A0000      B01B0000
    B01C0000      B01D0000      B01E0000      B01F0000      B0200000
    B0210000      B0220000      B0230000      B0240000      B0250000
    B0260000      B0270000      B0280000      B0290000      B02A0000
    B02B0000      B02C0000      B02D0000      B02E0000      B02F0000
    B0300000      B0310000      B0320000      B0330000      B0340000
    B0350000      B0360000      B0370000      B0380000      B0390000
    B03A0000      B03B0000      B03C0000      B03D0000      B03E0000
    B03F0000      B0400000      B0410000      B0420000      B0430000
    B0440000      B0450000      B0460000      B0470000      B0480000
    B0490000      B04A0000      B04B0000      B04C0000      B04D0000
    B04E0000      B04F0000      B0500000      B0510000      B0520000
    B0530000      B0540000      B0550000      B0560000      B0570000
    B0580000      B0590000      B05A0000      B05B0000      B05C0000
    B05D0000      B05E0000      B05F0000      B0600000      B0610000
    B0620000      B0630000      B0640000      B0650000      B0660000
    B0670000      B0680000      B0690000      B06A0000      B06B0000
    B06C0000      B06D0000      B06E0000      B06F0000      B0700000
    B0710000      B0720000      B0730000      B0740000      B0750000
    B0760000      B0770000      B0780000      B0790000      B07A0000
    B07B0000      B07C0000      B07D0000      B07E0000      B07F0000
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #16 on: January 24, 2012, 07:24:08 PM »

Those who enjoy such things will now be looking out for a source of ECI model B-FOCuS V-2FUb/I Rev.B modems . . .
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #17 on: January 24, 2012, 07:35:40 PM »

Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #18 on: January 24, 2012, 07:43:57 PM »

Dumping the NAND now going to take a while
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #19 on: January 24, 2012, 07:56:01 PM »

Dumping the NAND now going to take a while

Good stuff! Cheers for the pinout! It will help a lot of others.   Did you set your stopwatch?  The 8Mbyte NAND in the Huawei takes about 45 mins to dump over a 115,200bps UART, if I recall correctly. That's a posh cable you got there!  What is the default port speed setting on the ECI?   Are you running Linux or the other one?
« Last Edit: January 24, 2012, 08:02:02 PM by asbokid »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #20 on: January 24, 2012, 08:11:12 PM »

Port speed is 115,200bps N-8-1

Im a windows user, to be honest im a bit of a noob when in comes to Linux but i find doing stuff like this is the best way to learn
Logged

Bald_Eagle1

  • Helpful
  • Kitizen
  • *
  • Posts: 2721
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #21 on: January 24, 2012, 08:29:29 PM »


Are you running Linux or the other one?


Wassup asbokid? Were you choking too much to actually type the 'W' word?  :lol:
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #22 on: January 24, 2012, 08:45:37 PM »

Most things can be done in Windows, but it is often much harder and not worth the extra effort  ???  There are some good live CDs for Linux for those who don't want to commit hard disk space.

Once the NOR flash contents are extracted, there are a couple of Linux tools useful for processing the hex dump.

First there is 'cut', a text processing tool. It can be used to strip the 16 bytes of ASCII chaff from the end of every line in the hex dump, and that leading 'b' from the TLB address mapping:

Code: [Select]

$ head eciflashdumpdemo.hex

b0000000: 2f830000 409eff38 38600000 4bffff3c    /...@..88`..K..<
b0000010: 835e000c 809e0008 2b9a00ff 829e0010    .^......+.......
b0000020: 82be0014 7f45d378 409d000c 3b4000ff    .....E.x@...;@..
b0000030: 38a000ff 2b9500ff 409d0008 3aa000ff    8...+...@...:...
b0000040: 8002021c 3bfb000a 7f9f0040 419d002c    ....;......@A..,
b0000050: 2f9a0000 419e0014 7c1f0050 3925ffff    /...A...|..P9%..
b0000060: 7f890040 419d0014 7fe3fb78 4bf1401d    ...@A......xK.@.
b0000070: 7c651b78 48000014 3c00bfff 6000ffff    |e.xH...<...`...

$ cut -c 2-45 eciflashdumpdemo.hex

0000000: 2f830000 409eff38 38600000 4bffff3c
0000010: 835e000c 809e0008 2b9a00ff 829e0010
0000020: 82be0014 7f45d378 409d000c 3b4000ff
0000030: 38a000ff 2b9500ff 409d0008 3aa000ff
0000040: 8002021c 3bfb000a 7f9f0040 419d002c
0000050: 2f9a0000 419e0014 7c1f0050 3925ffff
0000060: 7f890040 419d0014 7fe3fb78 4bf1401d
0000070: 7c651b78 48000014 3c00bfff 6000ffff

Another very useful Linux tool is called 'xxd'.  It can reverse (-r) the hexdump back into a binary flash image:

Code: [Select]
$ cut -c 2-45 eciflashdumpdemo.hex  | xxd -r > eciflashdumpdemo.bin

$ xxd eciflashdumpdemo.bin

0000000: 2f83 0000 409e ff38 3860 0000 4bff ff3c  /...@..88`..K..<
0000010: 835e 000c 809e 0008 2b9a 00ff 829e 0010  .^......+.......
0000020: 82be 0014 7f45 d378 409d 000c 3b40 00ff  .....E.x@...;@..
0000030: 38a0 00ff 2b95 00ff 409d 0008 3aa0 00ff  8...+...@...:...
0000040: 8002 021c 3bfb 000a 7f9f 0040 419d 002c  ....;......@A..,
0000050: 2f9a 0000 419e 0014 7c1f 0050 3925 ffff  /...A...|..P9%..
0000060: 7f89 0040 419d 0014 7fe3 fb78 4bf1 401d  ...@A......xK.@.
0000070: 7c65 1b78 4800 0014 3c00 bfff 6000 ffff  |e.xH...<...`...

cheers, a

P.S. Ignore Baldie, the agent provocateur.  Microsoft secretly pays him to taunt us!
« Last Edit: April 06, 2012, 04:13:18 PM by asbokid »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #23 on: January 24, 2012, 11:19:48 PM »

nand dump complete and converted to bin image

-- LINK REMOVED --
« Last Edit: January 25, 2012, 10:21:46 PM by uklad »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #24 on: January 25, 2012, 03:18:28 AM »

[nor] dump complete and converted to bin image

http://www.mediafire.com/?1tcdqu616xpfofe     (EDIT: corrected URL)

Excellent job.  You deserve a pint!

The next stage is to identify and separate the components in the flash image.

These components will include the bootloader itself, the Linux kernel image(s), the file system image(s), and usually an area for storing non-volatile configuration data.

From the Linux kernel boot log that you posted earlier, we can see that the kernel was compiled with drivers for the SquashFS file system, and for the JFFS2 file system:

Code: [Select]
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) (SUMMARY)  (C) 2001-2006 Red Hat, Inc.

SquashFS is a read-only file system. It was designed by Phillip Lougher, an expert embedded developer from Wale's.  SquashFS is often used as the root flash file system in MIPS-based routers, including the Huawei HG612.

JFFS2 is a read-write file system. It was written especially for flash devices and includes wear-levelling to mitigate the weakness in NAND (and NOR) flash storage.

The next task is to identify the boundaries of those components in the flash image. One way to do this is to search for the 'magic numbers' that are stored at the beginning of those firmware components.

SquashFS uses several different magic numbers in the superblock of a file system. These indicate the 'endianness' of the file system (big- or little-endian) and the compression scheme used.

We can use the Linux tool 'grep' to discover those magic numbers:

Code: [Select]
$ xxd eciflash.bin | grep -A2 'qshs\|sqsh\|hsqs\|shsq'

01410c0: 7173 6873 0000 034c 0000 0000 0d69 6910  qshs...L.....ii.
01410d0: 0000 0000 0000 0008 4001 a000 0003 0000  ........@.......
01410e0: 0f94 0010 c002 014d 58cf 3e00 0000 0015  .......MX.>.....
--
04e10c0: 7173 6873 0000 034c 0000 0000 0d69 6910  qshs...L.....ii.
04e10d0: 0000 0000 0000 0008 4001 a000 0003 0000  ........@.......
04e10e0: 0f94 0010 c002 014e 40aa 1700 0000 0015  .......N@.......
$

It finds two Big Endian SquashFS file systems in the firmware that use LZMA compression. Those compressed file systems start at flash offsets 0x14,10c0 and 0x4e,10c0.

The presence of two file systems (and two kernels), a master and a slave, is a fail-safe mechanism.

The size of each squash file system image is needed now. A tool originally written by Goundoulf, lead developer for the French OpenBox project [1], can be fettled to work with the ECI flash image [2]:

Code: [Select]
$ ./ecisquash-extract eciflash.bin

Size of firmware 'eciflash.bin' : 5856192 octets
---------------------------------------------------------------

Signature of SquashFS found:
---------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x1410c0
Version SquashFS : 3.0
Octets utilised : 2641669 octets
Date of creation : Mon Feb 14 06:44:14 2011
---------------------------------------------------------------

Signature of SquashFS found:
---------------------------------------------------------------
Signature : 0x71736873 ('qshs')
Format : LZMA-Big Endian
Offset : 0x4e10c0
Version SquashFS : 3.0
Octets utilised : 2642454 octets
Date of creation : Tue Aug  9 04:31:35 2011
---------------------------------------------------------------

The Linux tool 'dd' is used to isolate those SquashFS images into separate files:

Code: [Select]
$ dd if=eciflash.bin of=ecirootfs1 bs=1 skip=$((0x1410c0)) count=2641669
2641669+0 records in
2641669+0 records out
2641669 bytes (2.6 MB) copied, 5.69564 s, 464 kB/s

From the boot log, we can see that Junjiro Okajima's patch (JRO) for LZMA compression was applied to the squashfs kernel driver.

We must now search for a compatible version of the unsquashfs tool for the PC to decompress the file system, in readiness for unlocking it.

cheers, a

[1] http://svn.gna.org/svn/openbox4/trunk/tools/nb4-extract/
[2] https://docs.google.com/open?id=0B....
« Last Edit: April 06, 2012, 04:14:39 PM by asbokid »
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #25 on: January 25, 2012, 03:37:36 AM »


Are you running Linux or the other one?


Wassup asbokid? Were you choking too much to actually type the 'W' word?  :lol:

Do I detect that the Baldy_Bird is a real big closet Redmond 'doze fanatic?  :tongue:  :sick:  :vomit:
« Last Edit: September 25, 2012, 01:06:21 AM by burakkucat »
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #26 on: January 25, 2012, 03:43:43 AM »

nand dump complete and converted to bin image

http://dl.dropbox.com/u/6134482/ecinand.rar

Excellent job.  You deserve a pint!

Let's see what is available --  :drink:
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #27 on: January 25, 2012, 07:23:27 AM »

I will do a new dump tonight I know what I was doing wrong now :)
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #28 on: January 25, 2012, 11:29:09 AM »

Silly question time.

As that ECI B-FOCuS modem was supplied as the active NTE for your FTTC service, with it in a disembowelled state, what are you currently using?  ???
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #29 on: January 25, 2012, 12:06:56 PM »

Silly question time.

As that ECI B-FOCuS modem was supplied as the active NTE for your FTTC service, with it in a disembowelled state, what are you currently using?  ???

Its in bits until the wife wants to watch iplayer then i put it back together LOL i could do with a HG612 donation :)
« Last Edit: January 25, 2012, 12:20:13 PM by uklad »
Logged
Pages: 1 [2] 3 4 ... 21