Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: 1 ... 5 6 [7] 8 9 ... 21

Author Topic: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B  (Read 195768 times)

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 35818
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #90 on: March 26, 2012, 05:09:16 PM »

Quote
Thanks, I've got the files I need.

Excellent. Thank you for letting me know. I'll now deprecate that link.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #91 on: March 26, 2012, 09:13:20 PM »

Lastly, did uklad not get shell access:-

Also I did not mention I could login to the unit on the UART console, username and pass where admin admin :0)

Yes, uklad indeed got shell access.

Quote
Is it not straight forward to "re-enable web and telnet/ssh access from the LAN-side." ?

It should be. Unfortunately before uklad got there, he was distracted by his family who obviously have no appreciation of the importance to this work!

cheers, a

Full time job one wife two kids and builders out the back is leaving me with very little spare time !! but i`m still lurking.. and you are correct I did try explaining once what i was doing with the ECI modem and she gave me the rolled eyes nod !! followed by ohhh yeah !!

Logged

nimda

  • Just arrived
  • *
  • Posts: 14
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #92 on: March 26, 2012, 11:03:18 PM »

Full time job one wife two kids and builders out the back is leaving me with very little spare time !! but i`m still lurking.. and you are correct I did try explaining once what i was doing with the ECI modem and she gave me the rolled eyes nod !! followed by ohhh yeah !!

One more child, but no builders :)  You've inspired me to start, and continue the work you have done.  Please continue to lurk, you are after all the thread's founder ;)

Can you give me any tips for the serial connection settings?  I'll be using Linux, so the programs will be different, but same ports, speeds, etc.  any information will be useful at this stage --besides, I've got a while to wait for my serial link hardware delivery, so I'm soaking up the details.
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #93 on: March 27, 2012, 09:23:56 PM »

Port speed is 115,200bps N-8-1
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #94 on: April 03, 2012, 02:22:41 PM »

I have recently got one of these with my FTTC install although I'm not quite ready to kill it. I have emailed sfconservancy.org and they have shown an interest in the situation. I will keep you posted on any progress relating to GPL compliance. If someone can show me the exact solder points I do have the required equipment here already for a serial-usb adapter...
« Last Edit: April 03, 2012, 02:58:47 PM by ben1066 »
Logged

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #95 on: April 03, 2012, 03:43:28 PM »

I have recently got one of these with my FTTC install although I'm not quite ready to kill it. I have emailed sfconservancy.org and they have shown an interest in the situation. I will keep you posted on any progress relating to GPL compliance. If someone can show me the exact solder points I do have the required equipment here already for a serial-usb adapter...

See post #17 on this thread
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #96 on: April 03, 2012, 03:58:18 PM »

Ah thanks, when I get a chance I'll see what I can do. My adapter is technically 5v but a few resistors should be good enough to get it down to 3.3V ish.

Update: Tried but as I couldnt get the solder from the holes I had to mount the header on top, it didn't work regardless. I guess someone else will have to help :(

Update 2: Just trying to work out why it didn't work, looks like I lifted the TX pad accidently :(

Update 3: Okay, so I couldn't be defeated. Turns out near the TX pad there is an unpopulated capacitor footprint, appears to be a decoupling capacitor for TX. Anyway, using that I managed to solder some flying wires to all the pads and now I think I have a working UART port. I say I think as apparently the USB->Serial I have only does 9600 baud, not the 115,200 baud, but I do get garbage outputted, and the timing seems about right. Ordered a http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&item=270805125757#ht_2480wt_952 and hopefully it'll work :)
« Last Edit: April 04, 2012, 05:42:09 PM by ben1066 »
Logged

nimda

  • Just arrived
  • *
  • Posts: 14
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #97 on: April 05, 2012, 01:22:31 AM »

Good to have you aboard!  Getting stuck right in too, I see.

I'm still awaiting my Hong Kong delivery (PL2303HX), aparently dispatched on the 28th, and no doubt is on a boat or storage create somewhere between here and there!

Keep us posted though, sounds like an enthusiastic start :D
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #98 on: April 05, 2012, 10:20:56 AM »

I should get my converter tomorrow, one advantage of paying extra for buying from the UK. From there I'm quite happy to help out as I can, although I'm not really that sure what I'm doing. What if we were to use mine to modify the firmware to enable the web interface? Surely that would give a usable image for an "upgrade" of everyone elses. Also, there are a couple of unpopulated connectors next to all the others, any ideas what they may be?
« Last Edit: April 05, 2012, 04:30:34 PM by ben1066 »
Logged

burakkucat

  • Global Moderator
  • Senior Kitizen
  • *
  • Posts: 35818
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #99 on: April 05, 2012, 05:15:22 PM »

I wonder if it might be appropriate to suggest that you source a Huawei HG612 to use on your VDSL2 service and then you loan your current ECI B-FOCuS modem to The Maestro, Asbokid, himself?  :-\
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #100 on: April 05, 2012, 05:52:20 PM »

I should get my converter tomorrow, one advantage of paying extra for buying from the UK. From there I'm quite happy to help out as I can, although I'm not really that sure what I'm doing. What if we were to use mine to modify the firmware to enable the web interface? Surely that would give a usable image for an "upgrade" of everyone elses.

Hi ben1066!

I just passed the NOR flash image that was extracted by uklad through the latest release (0.4.3) of a tool called binwalk.

binwalk is an amazing open source utility developed by Craig Heffner. It can be downloaded from http://binwalk.googlecode.com/   

The tool scans binary images for 'magic numbers' -  short signatures - used in Linux to identify binary types.  Binwalk can identify various compressed archives, kernel images, and many other binary components commonly found in embedded firmware.

As we discovered ourselves, there are two LZMA-compressed squashfs read-only root file system images in the NOR image, and a JFFS2 read-write flash file system. Binwalk also discovered the offsets, lengths and load addresses of the two LZMA-compressed big-endian MIPS32 Linux kernels and the U-Boot loader image.   

But what's most interesting is that Binwalk has discovered an area of the flash where the gzip'ed configuration file for the ECI is stored.   We already discovered the default config file in the read-only root file system. That's the config file that is loaded when the device is hard-reset.    However, what BinWalk appears to have uncovered is the 'working' config file. That copy of the configuration file is modifiable without the need to rebuild and rewrite the entire root file system.   

In theory, the device can be unlocked by very carefully erasing the NOR block containing that config file, and by re-programming the block with new (unlocking) contents.   The U-Boot bootloader should have the necessary NOR functions to perform those operations.

The specific area of interest in the NOR device starts at offset 0x40126:

Code: [Select]
$ md5sum ecinand8mb.bin
2a2db35f797546c0e3e036a469a942d4  ecinand8mb.bin

$ binwalk ecinand8mb.bin

DECIMAL    HEX        DESCRIPTION
-------------------------------------------------------------------------------------------------------
17680      0x4510    uImage header, header size: 64 bytes, header CRC: 0xDCFA529A, created: Mon Oct 18 09:20:23 2010, image size: 49728 bytes, Data Address: 0xA0400000, Entry Point: 0xA0400000, data CRC: 0xC1F4907, OS: Linux, CPU: MIPS, image type: Firmware Image, compression type: lzma, image name: u-boot image
17744      0x4550    LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 133532 bytes
262438    0x40126    gzip compressed data, from Unix, last modified: Sat Jan  1 00:02:13 2000, max compression
331872    0x51060    uImage header, header size: 64 bytes, header CRC: 0x6C1EFC77, created: Mon Feb 14 06:44:17 2011, image size: 3624992 bytes, Data Address: 0x80002000, Entry Point: 0x802CD000, data CRC: 0x15E32D3E, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: MIPS Linux-2.6.20
331936    0x510A0    LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3084422 bytes
1314976    0x1410A0  PackImg Tag, little endian size: 5253120 bytes; big endian size: 2641920 bytes
1315008    0x1410C0  Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2641669 bytes, 844 inodes, blocksize: 65536 bytes, created: Mon Feb 14 06:44:14 2011
1315127    0x141137  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 61676 bytes
1330443    0x144D0B  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 7100 bytes
[...]
3954947    0x3C5903  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 672 bytes
3955226    0x3C5A1A  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 6752 bytes
4132960    0x3F1060  uImage header, header size: 64 bytes, header CRC: 0x55E6D872, created: Tue Aug  9 04:31:37 2011, image size: 3629088 bytes, Data Address: 0x80002000, Entry Point: 0x802CD000, data CRC: 0xC331258, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: MIPS Linux-2.6.20
4133024    0x3F10A0  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3084421 bytes
5116064    0x4E10A0  PackImg Tag, little endian size: 6301696 bytes; big endian size: 2646016 bytes
5116096    0x4E10C0  Squashfs filesystem, big endian, lzma signature, version 3.0, size: 2642454 bytes, 844 inodes, blocksize: 65536 bytes, created: Tue Aug  9 04:31:35 2011
5116215    0x4E1137  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 50734 bytes
[...]
7757093    0x765D25  LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 6752 bytes
7929856    0x790000  JFFS2 filesystem data big endian, JFFS node length: 12
[...]
8257536    0x7E0000  JFFS2 filesystem data big endian, JFFS node length: 12


The flash memory area containing the configuration file can be extracted with the Unix tools dd and gunzip:

Code: [Select]
$ dd bs=1 if=ecinand8mb.bin of=eciconfig.gz skip=$((0x40126)) count=$((0x8a4))
2212+0 records in
2212+0 records out
2212 bytes (2.2 kB) copied, 0.0065032 s, 340 kB/s

$ gunzip -v -l eciconfig.gz
method  crc     date  time           compressed        uncompressed  ratio uncompressed_name
defla 366d7213 Apr  5 17:45                2212                7929  72.4% eciconfig

$ cat eciconfig.gz | gunzip

<lantiq_vr9_generic_asl56026>
<check>
<is_factory>factory</is_factory>
</check>
<vdsl2>
<infineon>
<fw_variant>VA</fw_variant>
<annex>A</annex>
<adsl_encaps>1</adsl_encaps>
<default_vpi_vci>1</default_vpi_vci>
<line_config>
<filter>0</filter>
<hw_hybrid>2</hw_hybrid>
<line_mode>102</line_mode>
</line_config>
</infineon>
</vdsl2>
<switch>
<bypass_mode>0</bypass_mode>
<lan_access_cpe_enable>0</lan_access_cpe_enable>
<discard_specific_pkt>1</discard_specific_pkt>
<igmp_queue>3</igmp_queue>
<port id="1">
<vid>101</vid>
<pri>2</pri>
<loopback>0</loopback>
<activate>1</activate>
<special_vlan>0</special_vlan>
</port>
<port id="2">
<vid>102</vid>
<pri>7</pri>
<loopback>0</loopback>
<activate>0</activate>
<special_vlan>0</special_vlan>
</port>
</switch>
<wan>
<physical_type>1</physical_type>
<enable_dhcp60>0</enable_dhcp60>
<dhcp_option60></dhcp_option60>
<enable_dhcp61>0</enable_dhcp61>
<dhcp_iaid></dhcp_iaid>
<dhcp_duid>0</dhcp_duid>
<enable_dhcp125>0</enable_dhcp125>
<dhcp_option125></dhcp_option125>
<enable_prepadt>0</enable_prepadt>
<dsl>
<defaultroute>1</defaultroute>
<inf id="1">
<mode>1</mode>
<enable>1</enable>
<atm>
<pvc>
<settings>
<vpi>8</vpi>
<vci>35</vci>
</settings>
</pvc>
</atm>
<ptm>
<vtag>
<settings>
<connection>connection1</connection>
<enable>1</enable>
<vid>301</vid>
<priority>5</priority>
<bt>
<enable>1</enable>
<wan_vid1>101</wan_vid1>
<wan_vid2>102</wan_vid2>
</bt>
</settings>
</vtag>
</ptm>
<dhcp>
<hostname></hostname>
<clonemac></clonemac>
<autodns>1</autodns>
<mtu>1500</mtu>
</dhcp>
<static>
<mode>1</mode>
<ip>5.60.39.51</ip>
<netmask>255.0.0.0</netmask>
<gateway>5.21.97.200</gateway>
<clonemac></clonemac>
<mtu>1500</mtu>
</static>
</inf>
<inf id="2">
<mode>2</mode>
<enable>0</enable>
<atm>
<pvc>
<settings>
<vpi>0</vpi>
<vci>35</vci>
</settings>
</pvc>
</atm>
<ptm>
<vtag>
<settings>
<connection>connection2</connection>
<enable>0</enable>
<vid>12</vid>
<priority>0</priority>
</settings>
</vtag>
</ptm>
<dhcp>
<hostname></hostname>
<clonemac></clonemac>
<autodns>1</autodns>
<mtu>1500</mtu>
</dhcp>
<static>
<mode>1</mode>
<ip>5.55.52.52</ip>
<netmask>255.0.0.0</netmask>
<gateway>5.55.52.1</gateway>
<clonemac></clonemac>
<mtu>1500</mtu>
</static>
</inf>
</dsl>
<defaultroute>1</defaultroute>
</wan>
<lan>
<ethernet>
<inf id="1">
<enable>1</enable>
<defaultip>192.168.168.168</defaultip>
<ip>192.168.168.168</ip>
<netmask>255.255.255.0</netmask>
<dhcp>
<server>
<enable>0</enable>
</server>
</dhcp>
</inf>
</ethernet>
</lan>
<dnsrelay>
<mode>2</mode>
<server>
<primarydns>172.19.10.100</primarydns>
<secondarydns>172.19.10.99</secondarydns>
</server>
</dnsrelay>
<security>
<log>
<systeminfo>1</systeminfo>
<debuginfo>0</debuginfo>
<attackinfo>1</attackinfo>
<droppacketinfo>0</droppacketinfo>
<noticeinfo>1</noticeinfo>
</log>
</security>
<time>
<syncwith>2</syncwith>
<timezone>5</timezone>
<daylightsaving>0</daylightsaving>
<ntpserver>
<ip>pool.ntp.org</ip>
<interval>604800</interval>
</ntpserver>
</time>
<sys>
<brand>Infineon</brand>
<bridge>1</bridge>
<hostname>ECLVL05</hostname>
<type>ResidentialModem</type>
<devicename>VDSL2 2 port Modem</devicename>
<modeldescription>VDSL2 2 port Modem</modeldescription>
<modelname>ECLVL05</modelname>
<vendor>Generic</vendor>
<url></url>
<regdomain>fcc</regdomain>
<language>en</language>
<basicmode>0</basicmode>
<supportlang>auto,en,de</supportlang>
<telnetd>true</telnetd>
<sshd>true</sshd>
<sessiontimeout>600</sessiontimeout>
<user id="1">
<name>admin</name>
<defaultpassword>admin</defaultpassword>
<password>admin</password>
<group>0</group>
</user>
<user id="2">
<name>user</name>
<password>user</password>
<group>1</group>
</user>
<log>
<logserverenable>0</logserverenable>
<loglevel>0</loglevel>
<logserver></logserver>
</log>
<supporturl></supporturl>
</sys>
<function>
<tr069>1</tr069>
<httpd_upnp>1</httpd_upnp>
</function>
<tr069>
<enable>0</enable>
<getrpcmethodsenable>1</getrpcmethodsenable>
<connection_line>1</connection_line>
<route>1</route>
<authenticate>0</authenticate>
<devicesummary>InternetGatewayDevice:1.0[](Baseline:1, EthernetLAN:1, ADSLWAN:1, Time:1, IPPing:1)</devicesummary>
<max_envs>1</max_envs>
<inform_retry_mode>3</inform_retry_mode>
<connect_retry_mode>3</connect_retry_mode>
<inform_retry_interval>30</inform_retry_interval>
<connect_retry_interval>30</connect_retry_interval>
<deviceinfo>
<manufactureroui>001195</manufactureroui>
<specversion>1.0.1</specversion>
<provisioningcode></provisioningcode>
<productclass>ASL-56026</productclass>
<manufacturer>ALPHA</manufacturer>
<hardwareversion>HA1</hardwareversion>
<landevicenumberofentries>1</landevicenumberofentries>
<wandevicenumberofentries>1</wandevicenumberofentries>
</deviceinfo>
<managementserver>
<username></username>
<password></password>
<connectionrequesturl></connectionrequesturl>
<connectionrequestpath>asl56026</connectionrequestpath>
<connectionrequestusername>admin</connectionrequestusername>
<connectionrequestpassword>admin</connectionrequestpassword>
<url>http://iop-tw.workssys.com/comserver/node1/tr069</url>
<defaulturl>http://iop-tw.workssys.com/comserver/node1/tr069</defaulturl>
<periodicinformenable>1</periodicinformenable>
<periodicinforminterval>60</periodicinforminterval>
<periodicinformtime>1157436610</periodicinformtime>
<upgrade>1</upgrade>
<parameterkey></parameterkey>
</managementserver>
<misc>
<recvtimeout>20</recvtimeout>
<rebootcmdkey></rebootcmdkey>
<schedulecmdkey></schedulecmdkey>
<previousurl></previousurl>
<acsport>8082</acsport>
<debuglevel>7</debuglevel>
<pfdebuglevel>7</pfdebuglevel>
<entry id="1">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
<entry id="2">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
<entry id="3">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
<entry id="4">
<commandkey></commandkey>
<filetype></filetype>
<url></url>
<username></username>
<password></password>
<filesize>0</filesize>
<targetfilename></targetfilename>
<starttime>0</starttime>
</entry>
</misc>
</tr069>
<cfm>
<enable>1</enable>
<md_index>md_name</md_index>
<md_level>0</md_level>
<ma_index>ma_name</ma_index>
<mep_index>1</mep_index>
<vlan_id>1</vlan_id>
<cfm_8021p>0</cfm_8021p>
<ccm_enable>0</ccm_enable>
<direct>up</direct>
<ccm_interval>10s</ccm_interval>
<lbm>
<distination_address></distination_address>
<number_of_lbm>1</number_of_lbm>
</lbm>
<ltm>
<target_address></target_address>
</ltm>
</cfm>
<proc>
<web>
<sessionum>8</sessionum>
<authnum>6</authnum>
</web>
</proc>
</lantiq_vr9_generic_asl56026>

$


cheers, a
« Last Edit: April 06, 2012, 04:24:10 PM by asbokid »
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #101 on: April 05, 2012, 07:21:13 PM »

Tell me what to and I'll be happy to do it, especially if it means I get a pretty web interface and can help others in my situation. It'd also be nice to find a repair system for new firmware, if one exists...
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #102 on: April 05, 2012, 09:54:07 PM »

maestro?! professional modem brickster, if any credit is due :-)  :blush:  i wouldn't like to borrow anyone's modem for that reason  ???

Looking a bit closer at that interesting NOR flash region in the ECI..

The region starts at offset 0x40000 in uklad's dump and appears to run from 0x40000-0x4ffff.    The 'sector size' for that address region (SA11) of the NOR device (Macronix MX29LV640EB) is 0x10000 (64KBytes). [1]

The flash region appears to hold the OpenRG board configuration partition. In the first few bytes it is labelled as such - "RGCFG1".   As well as that gzip'ed CPE XML MIB file, the partition contains other configuration parameters including MAC addresses, country code, board hardware revision number, etc.

Other fields in the RGCFG1 config partition header include

header length (0x00000080)
the XML MIB offset (0x00000126)
the XML MIB length (0x000008a4)
a checksum (perhaps 0x00043c62)

As we can see those values are all stored in big-endian format to match the platform.

Code: [Select]
$ dd if=ecinand8mb.bin skip=$((0x40000)) bs=1 | xxd -l $((0x125))
0000000: 5247 4346 4731 0000 0000 0000 0000 0000  RGCFG1..........
0000010: 0000 0080 0000 0126 0000 08a4 0004 3c62  .......&......<b
0000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0000080: 6163 7469 7665 7265 6769 6f6e 3d32 0a63  activeregion=2.c
0000090: 6f75 6e74 7279 636f 6465 3d38 3430 0a68  ountrycode=840.h
00000a0: 7772 6576 3d41 310a 776c 616e 6d61 633d  wrev=A1.wlanmac=
00000b0: 3543 3a33 333a 3845 3a38 343a 3839 3a44  5C:33:8E:84:89:D
00000c0: 420a 6c61 6e6d 6163 3d35 433a 3333 3a38  B.lanmac=5C:33:8
00000d0: 453a 3834 3a38 393a 4442 0a77 616e 6d61  E:84:89:DB.wanma
00000e0: 633d 3030 3a45 303a 3932 3a30 303a 3031  c=00:E0:92:00:01
00000f0: 3a34 300a 666c 6173 6873 7065 6564 3d36  :40.flashspeed=6
0000100: 3230 0a3d 3162 3635 6137 3232 3764 6565  20.=1b65a7227dee
0000110: 6561 3166 3763 6331 6433 6431 3234 6236  ea1f7cc1d3d124b6
0000120: 3162 3964 0a                             1b9d.

The only reference to RGCFG1 in the entire userspace of the ECI firmware is in an 80KByte binary found under /usr/sbin/rgbin for which there is, naturally, no source code.

rgbin is one of those multi-entry binaries.  From running strings against the rgbin binary, this looks like a relevant excerpt:

Code: [Select]
asbokid@home:~/eci_bfocus_squashfs-root/usr/sbin$ strings rgbin
[...]
%s version %d (block size: 0x%x)
Usage: %s {operation} {OPTIONS}
  operation -
    dump                     show nvram information.
    upgrade                  upgrade the nvram to the latest format.
    get                      get config from nvram.
    save                     save config to nvram.
    getmac                   get MAC address.
    setmac                   set MAC address.
    setenv                   set env. variable.
    getenv                   get the value of env. var.
    delenv                   delete env. varialbes.
    dumpenv                  dump env. variables.
  options -
    -h                       show this help message.
    -v                       verbose mode.
    -n {nvram}               nvram (mtd block) device.
    -c {config file}         configuration file.
    -i {index}               index. (zero based)
    -s {message}             message to set.
    -e {var=val}             environment variable.
    -m {mode}                0 -> 00:80:c8:ab:cd:ef (lower case, colon seperated)
                             1 -> 00:80:C8:AB:CD:EF (upper case, colon seperated)
                             2 -> 00.80.c8.ab.cd.ef (lower case, dot seperated)
                             3 -> 00.80.C8.AB.CD.ED (upper case, dot seperated)
    -f                       calculate & set flash programming speed. (@ setenv only)
BlockOffset=%d(0x%x), MaxSize=%d(0x%x)
header in nvram is version %d
   config size     = 0x%x (%d)
   config checksum = 0x%x (%d)
   config offset   = 0x%x (%d)
header in nvram is invalid !
PROFILE
RGCFG0
RGCFG1
%d %d %x
config data is corrupted ! (checksum = 0x%x, should be 0x%x)
Signature       = RGCFG1
env size        = %d (0x%x)
config size     = %d (0x%x)
config checksum = 0x%x
Burning %d bytes to nvram (offset:0x%x) !
header size     : %d
config offset   : %d
config size     : %d
config checksum : 0x%x
burn done !!!
unable to open config file!
no config file specified!
unable to open nvram!
no nvram specified!
[...]

So /usr/sbin/rgbin appears to be the userspace utility for reading and writing the "NVRAM" area of flash. In the NVRAM area is that gzip'ed XML MIB file which contains the configuration parameters to disable LAN access and lock the device.

Importantly, through the use of a checksum, the rgbin tool can detect if the NVRAM region has been corrupted.  So to modify the NVRAM contents of flash by manually overwriting that flash region will involve updating the checksum field as well.

EDIT: With serial console access, it should be possible to run /usr/sbin/rgbin to get and set the NVRAM config setting using the proper method.

EDIT2: That 32-bit field in the header of the configuration partition is indeed the checksum for the gzipped XML MIB file. See the output of the attached C program.

Code: [Select]
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    FILE *fp;

    int sz, csum = 0, i;
    unsigned char *buf;
   
    if(argc!=2) {
        printf("usage: %s <filename>\n", argv[0]);
        goto badexit;
    }

    if(!(fp=fopen(argv[1], "rb"))) {
        printf("Error reading file %s\n", argv[1]);
        goto badexit;
    }

    fseek(fp,0L,SEEK_END);
    sz=ftell(fp);
    fseek(fp,0L,SEEK_SET);

    if(!(buf=malloc(sizeof(unsigned char) * sz))) {
        printf("Memory allocation error\n");
        goto badexit;
    }

    if(fread(buf, 1, sz, fp) != sz) {
        printf("Error reading %d bytes from %s\n", sz, argv[1]);
        goto badexit;
    }
    printf("Read %08x (%d) bytes from %s\n", sz, sz, argv[1]);

    fclose(fp);

    for(i=0;i<sz;i++)
        csum += buf[i];

    printf("checksum of %s = %08x\n", argv[1], csum);
    free(buf);
    return 0;

badexit:
    if(fp)
        fclose(fp);
    if(buf)
        free(buf);
    return -1;

}

$ ./checksum eciconfig.gz
Read 000008a4 (2212) bytes from eciconfig.gz
checksum of eciconfig.gz = 00043c62

If all else fails, we can manually re-program that raw flash block with a new XML MIB file that is configured to re-enable LAN and web GUI access  :P

Slowly getting there  ???

cheers, a

[1] http://www.macronix.com/..MX29LV640ETBver13-1.3.pdf   (see sector address table on page 9)
« Last Edit: April 10, 2012, 02:17:10 AM by asbokid »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #103 on: April 05, 2012, 10:54:24 PM »

Tell me what to and I'll be happy to do it, especially if it means I get a pretty web interface and can help others in my situation. It'd also be nice to find a repair system for new firmware, if one exists...

Hi again Ben..

Once you've gained a shell via the serial port.. your energies could be profitably focused on that tool for modifying the NVRAM configuration data of the modem..

It looks like you would need to modify one or two XML element values in the gzip'ed CPE MIB file that is found in the "RGCFG1" NVRAM board configuration partition of the flash.

Specifically, these are the element value which probably need changing..

   <switch>
..
      <lan_access_cpe_enable>0</lan_access_cpe_enable>
..
      <port id="2">
         <vid>102</vid>
         <pri>7</pri>
         <loopback>0</loopback>
         <activate>0</activate>
         <special_vlan>0</special_vlan>
      </port>
   </switch>

It may be that the XML MIB file needs to be gunzipped first.. bit of tinkering necessary there..

cheers, a
Logged

nimda

  • Just arrived
  • *
  • Posts: 14
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #104 on: April 06, 2012, 01:48:45 AM »

Sterling work there, asbokid.  I'm mostly in awe, don't really understand everything you say, but am diligently reading your reports, and replicating your work locally.

If you don't mind my asking, where did you get your skills, and how long did it take :)
Logged
Pages: 1 ... 5 6 [7] 8 9 ... 21