Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 ... 4 5 [6] 7 8 ... 21

Author Topic: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B  (Read 207995 times)

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #75 on: March 11, 2012, 09:30:23 AM »

Josh had a ECI supplied if i remember..

Logged

JoshShep

  • Reg Member
  • ***
  • Posts: 266
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #76 on: March 11, 2012, 02:57:58 PM »

From using both the ECI and huawei hg612, I have noticed that I get more jitter using the hg612. The eci seems to perform a little better on my connection. may be different for your connection.

Josh -- A quick couple of questions for you. When you had your FTTC service installed, which VDSL2 modem was officially provided as the active CPE? The Huawei or the ECI? As you probably realise, Openreach supply the modem to match the DSLAM in the FTTC.

If your installation was a Huawei, I wonder from where did you obtain the ECI B-FOCuS modem? Care to share the information, please?  ;)

I was supplied with the ECI, and purchased the Huawei off the bay. I know ECI modems are hard to track down, I have not seen one on eBay!

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #77 on: March 11, 2012, 11:27:59 PM »

Thank you for the update.

Quote
I know ECI modems are hard to track down, I have not seen one on eBay!

I can see that without some degree of co-ordination, when one does turn up on eBay, we will most likely be bidding against each other. :doh:
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

nimda

  • Member
  • **
  • Posts: 14
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #78 on: March 25, 2012, 11:23:16 AM »

Excellent work!  I have the ECI model B-FOCuS V-2FUb/I Rev.B) and after replacing the HH3 for something running OpenWrt (finally, real routing!) last night, I'm now shifting focus to the other mysterious black-box (the modem).

GPL advocate, not too bad with Linux, near zero embedding skills though.  Always keen to get my hands dirt though, albeit usually [learning] on the job!

uklad/asbokid any thing I can do to help?
« Last Edit: March 25, 2012, 10:37:25 PM by nimda »
Logged

nimda

  • Member
  • **
  • Posts: 14
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #79 on: March 25, 2012, 02:53:24 PM »

I'll add, there were a couple of broken links on this thread.  Does anything need hosting, as I can do that.
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #80 on: March 25, 2012, 07:33:14 PM »

Hi nimda!

Great news that you are joining us!  You sound very qualified for this important voluntary position!

There are several possibilities for unlocking the ECI.   The first task must be to gain shell access through the serial port, following uklad's pioneering work.   A USB-TTL bridge is an easy and cheap way to do this. The controller costs less than £2. [1] [2]

It would be rewarding to crack the LZMA mechanism used to lock the embedded file system, since the same mechanism is used by many other manufacturers, but that's probably not an easy hack. Though it certainly offers the most kudos if successful!

The priority must be to re-enable web and telnet/ssh access from the LAN-side. This should be possible through the serial shell access, after the system has booted. Once an unlocking method has been discovered, then a more permanent solution will involve modifying the flash file system.   uklad has generously offered his ECI for target practice for this, but the likelihood of bricking it is quite high, so it's probably wiser to find an unwanted one!

Your hosting offer is much appreciated :-)  SFAICS, the dead links are uklad's original NOR flash dump from the ECI which he uploaded to mediafire, who seem to have deleted it, for lack of downloads(?), and the PDF of Sweetman's book on MIPS Linux (Morgan.Kaufmann.See.MIPS.Run.2nd.Edition.pdf) ?

Uklad's original NOR flash dump (ecinand8mb.bin) is duplicated here [3]

Welcome aboard!

cheers, a

[1] http://www.ebay.co.uk/itm/170732908199
[2] http://www.ebay.co.uk/itm/390363268951
[3] http://docs.google.com/open?id=0B6wW18mYskvBMzZkODg5NGQtNjdjOS00ZjNjLTljNTctZTJkNmYxYWFlMTk1


« Last Edit: April 06, 2012, 04:22:45 PM by asbokid »
Logged

nimda

  • Member
  • **
  • Posts: 14
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #81 on: March 25, 2012, 11:39:09 PM »

Quote
Great news that you are joining us!  You sound very qualified for this important voluntary position!

Thanks, glad to be here.  I'm looking forward to learning along the way too!

Quote
There are several possibilities for unlocking the ECI.   The first task must be to gain shell access through the serial port, following uklad's pioneering work.   A USB-TTL bridge is an easy and cheap way to do this. The controller costs less than £2. [1] [2]

I purchased the PL2303HX USB to TTL Converter Module, it'll take a while to arrive though "Estimated delivery: 12-24 working days" but it was free delivery from Hong Kong so can't complain!  I'll start work on the serial link once the order arrives.

Quote
It would be rewarding to crack the LZMA mechanism used to lock the embedded file system, since the same mechanism is used by many other manufacturers, but that's probably not an easy hack. Though it certainly offers the most kudos if successful!

I'll leave this one for now, I don't feel ready for tackling algorithms just yet.

Quote
The priority must be to re-enable web and telnet/ssh access from the LAN-side. This should be possible through the serial shell access, after the system has booted. Once an unlocking method has been discovered, then a more permanent solution will involve modifying the flash file system.   uklad has generously offered his ECI for target practice for this, but the likelihood of bricking it is quite high, so it's probably wiser to find an unwanted one!

I don't mind testing serial connections, but unless I had a spare, I'd not yet be prepared to put my modem on the line.  So, thanks to uklad for the donation, generous indeed.

Quote
Your hosting offer is much appreciated :-)  SFAICS, the dead links are uklad's original NAND dump from the ECI which he uploaded to mediafire, who seem to have deleted it, for lack of downloads(?), and the PDF of Sweetman's book on MIPS Linux (Morgan.Kaufmann.See.MIPS.Run.2nd.Edition.pdf) ?

Uklad's original NAND dump (ecinand8mb.bin) is duplicated here [3]

No problem at all, I can accommodate ANY hosting needs, especially to aid the greater good of a freed community --decentralising, and taking back control/data, is my computing MO.

Quote from: For reference
[1] http://www.ebay.co.uk/itm/170732908199
[2] http://www.ebay.co.uk/itm/390363268951
[3] http://docs.google.com/open?id=0B6wW18mYskvBMzZkODg5NGQtNjdjOS00ZjNjLTljNTctZTJkNmYxYWFlMTk1

In the meantime, I'll take a read of See MIPS Run.  Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

Once this is opened, what then?  What are the options?  Fundamental question, and possibly obvious answers, but I'm naive in this area of computing, what cool things can be done?
Logged

nimda

  • Member
  • **
  • Posts: 14
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #82 on: March 25, 2012, 11:44:52 PM »

Quote
Quote
There are several possibilities for unlocking the ECI.   The first task must be to gain shell access through the serial port, following uklad's pioneering work.   A USB-TTL bridge is an easy and cheap way to do this. The controller costs less than £2. [1] [2]

I purchased the PL2303HX USB to TTL Converter Module, it'll take a while to arrive though "Estimated delivery: 12-24 working days" but it was free delivery from Hong Kong so can't complain!  I'll start work on the serial link once the order arrives.

Am I right to assume this will require reinstating header-pins?  Is this JTAGing?  I've never (knowingly) played with this before.
Logged

nimda

  • Member
  • **
  • Posts: 14
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #83 on: March 26, 2012, 12:30:00 AM »

Lastly, did uklad not get shell access:-

Quote
Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)

Is it not straight forward to "re-enable web and telnet/ssh access from the LAN-side." ?
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #84 on: March 26, 2012, 12:33:28 AM »

Hi again, nimda,

No problem at all, I can accommodate ANY hosting needs, especially to aid the greater good of a freed community --decentralising, and taking back control/data, is my computing MO.
A man after my own heart!

Quote
..would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

Hi.. the perms were stuck. The dump is downloadable now without a gmail account..

https://docs.google.com/leaf?id=0B6wW18mYskvBMzZkODg5NGQtNjdjOS00ZjNjLTljNTctZTJkNmYxYWFlMTk1

Quote
Once this is opened, what then?  What are the options?  Fundamental question, and possibly obvious answers, but I'm naive in this area of computing, what cool things can be done?

Good question.. I think people just like getting under the bonnet.  Paul (Bald_Eagle) and Burakkucat have done some amazing things with graphing scripts, using the low-level diagnostic xdsl data that the unlocked Huawei provides.

My current interest is to try and 'fit' that diagnostic data, especially the channel characteristics (aka insertion loss aka attenuation) to parametised cable reference models.   This would hopefully lead to an accurate analysis of loop quality, and estimated loop length.  The data could be analysed for common fault conditions - bridge taps, etc.

Other options include the development of server-side scripts for graphing. This code would run on the embedded device itself.

I guess ultimately, people would like to see an open source router distribution (openwrt et al) running on these devices, but that would involve the release of the DSP drivers by Broadcom and Lantiq, who are less than forthcoming.

cheers, a

EDIT:  Yes, obtaining serial port access involves soldering the header pins back onto the modem board.  It's not hard with a fine-tipped soldering bit.

JTAG is a different serial protocol, primarily for debugging hardware. It's similar to SPI and has a clock signal (TCK), two data lines for input and output (TDI and TDO) and a control line (TMS) to manage the state of the JTAG engine. 

Unless the bootloader gets wrecked, it should be possible to unlock the ECI using just the TTL serial port.



« Last Edit: March 26, 2012, 01:06:23 AM by asbokid »
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #85 on: March 26, 2012, 12:34:57 AM »

Quote
Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

For a short time only (just to allow you to download it), I have made the file available from a temporary location. Please let me know once you have got a copy.  ;)

[Edited to mention that the link to the above temporary location is now deprecated.]
« Last Edit: March 26, 2012, 05:11:11 PM by burakkucat »
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #86 on: March 26, 2012, 12:36:30 AM »

Lastly, did uklad not get shell access:-

Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)

Yes, uklad indeed got shell access.

Quote
Is it not straight forward to "re-enable web and telnet/ssh access from the LAN-side." ?

It should be. Unfortunately before uklad got there, he was distracted by his family who obviously have no appreciation of the importance to this work!

cheers, a
« Last Edit: March 26, 2012, 12:39:03 AM by asbokid »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #87 on: March 26, 2012, 12:38:24 AM »

Quote
Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

For a short time only (just to allow you to download it), I have made the file available from a temporary location. Please let me know once you have got a copy.  ;)

Thanks burakkucat :-)
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #88 on: March 26, 2012, 12:46:10 AM »

Thanks burakkucat  :)

I'm always willing to assist, where I can.  ;D

(Though I shall pass on helping you lick that multi-coloured ice-cream!  :-\  )
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

nimda

  • Member
  • **
  • Posts: 14
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #89 on: March 26, 2012, 10:23:06 AM »

Quote
Also, would you mind sending me (or attaching) the bin file, as I don't want a Google account --yes, one of those!

For a short time only (just to allow you to download it), I have made the file available from a temporary location. Please let me know once you have got a copy.  ;)

Thanks, I've got the files I need.
Logged
Pages: 1 ... 4 5 [6] 7 8 ... 21
 

anything