maestro?! professional modem brickster, if any credit is due :-)
i wouldn't like to borrow anyone's modem for that reason
Looking a bit closer at that interesting NOR flash region in the ECI..
The region starts at offset 0x40000 in uklad's dump and appears to run from 0x40000-0x4ffff. The 'sector size' for that address region (SA11) of the NOR device (Macronix MX29LV640EB) is 0x10000 (64KBytes). [1]
The flash region appears to hold the OpenRG board configuration partition. In the first few bytes it is labelled as such - "RGCFG1". As well as that gzip'ed CPE XML MIB file, the partition contains other configuration parameters including MAC addresses, country code, board hardware revision number, etc.
Other fields in the RGCFG1 config partition header include:
- header length (0x00000080)
- the XML MIB offset (0x00000126)
- the XML MIB length (0x000008a4)
- a checksum (perhaps 0x00043c62)
As we can see those values are all stored in big-endian format to match the platform.
$ dd if=ecinand8mb.bin skip=$((0x40000)) bs=1 | xxd -l $((0x125))
0000000: 5247 4346 4731 0000 0000 0000 0000 0000 RGCFG1..........
0000010: 0000 0080 0000 0126 0000 08a4 0004 3c62 .......&......<b
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000080: 6163 7469 7665 7265 6769 6f6e 3d32 0a63 activeregion=2.c
0000090: 6f75 6e74 7279 636f 6465 3d38 3430 0a68 ountrycode=840.h
00000a0: 7772 6576 3d41 310a 776c 616e 6d61 633d wrev=A1.wlanmac=
00000b0: 3543 3a33 333a 3845 3a38 343a 3839 3a44 5C:33:8E:84:89:D
00000c0: 420a 6c61 6e6d 6163 3d35 433a 3333 3a38 B.lanmac=5C:33:8
00000d0: 453a 3834 3a38 393a 4442 0a77 616e 6d61 E:84:89:DB.wanma
00000e0: 633d 3030 3a45 303a 3932 3a30 303a 3031 c=00:E0:92:00:01
00000f0: 3a34 300a 666c 6173 6873 7065 6564 3d36 :40.flashspeed=6
0000100: 3230 0a3d 3162 3635 6137 3232 3764 6565 20.=1b65a7227dee
0000110: 6561 3166 3763 6331 6433 6431 3234 6236 ea1f7cc1d3d124b6
0000120: 3162 3964 0a 1b9d.
The only reference to RGCFG1 in the entire userspace of the ECI firmware is in an 80KByte binary found under /usr/sbin/rgbin for which there is, naturally, no source code.
rgbin is one of those multi-entry binaries. From running strings against the rgbin binary, this looks like a relevant excerpt:
asbokid@home:~/eci_bfocus_squashfs-root/usr/sbin$ strings rgbin
[...]
%s version %d (block size: 0x%x)
Usage: %s {operation} {OPTIONS}
operation -
dump show nvram information.
upgrade upgrade the nvram to the latest format.
get get config from nvram.
save save config to nvram.
getmac get MAC address.
setmac set MAC address.
setenv set env. variable.
getenv get the value of env. var.
delenv delete env. varialbes.
dumpenv dump env. variables.
options -
-h show this help message.
-v verbose mode.
-n {nvram} nvram (mtd block) device.
-c {config file} configuration file.
-i {index} index. (zero based)
-s {message} message to set.
-e {var=val} environment variable.
-m {mode} 0 -> 00:80:c8:ab:cd:ef (lower case, colon seperated)
1 -> 00:80:C8:AB:CD:EF (upper case, colon seperated)
2 -> 00.80.c8.ab.cd.ef (lower case, dot seperated)
3 -> 00.80.C8.AB.CD.ED (upper case, dot seperated)
-f calculate & set flash programming speed. (@ setenv only)
BlockOffset=%d(0x%x), MaxSize=%d(0x%x)
header in nvram is version %d
config size = 0x%x (%d)
config checksum = 0x%x (%d)
config offset = 0x%x (%d)
header in nvram is invalid !
PROFILE
RGCFG0
RGCFG1
%d %d %x
config data is corrupted ! (checksum = 0x%x, should be 0x%x)
Signature = RGCFG1
env size = %d (0x%x)
config size = %d (0x%x)
config checksum = 0x%x
Burning %d bytes to nvram (offset:0x%x) !
header size : %d
config offset : %d
config size : %d
config checksum : 0x%x
burn done !!!
unable to open config file!
no config file specified!
unable to open nvram!
no nvram specified!
[...]
So /usr/sbin/rgbin appears to be the userspace utility for reading and writing the "NVRAM" area of flash. In the NVRAM area is that gzip'ed XML MIB file which contains the configuration parameters to disable LAN access and lock the device.
Importantly, through the use of a checksum, the rgbin tool can detect if the NVRAM region has been corrupted. So to modify the NVRAM contents of flash by manually overwriting that flash region will involve updating the checksum field as well.
EDIT: With serial console access, it should be possible to run /usr/sbin/rgbin to get and set the NVRAM config setting using the proper method.
EDIT2: That 32-bit field in the header of the configuration partition is indeed the checksum for the gzipped XML MIB file. See the output of the attached C program.
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    FILE *fp = NULL;            /* initialised so badexit can test them safely */
    unsigned char *buf = NULL;
    int sz, i;
    unsigned int csum = 0;      /* plain byte sum, compared against the header field */

    if(argc!=2) {
        printf("usage: %s <filename>\n", argv[0]);
        goto badexit;
    }
    if(!(fp=fopen(argv[1], "rb"))) {
        printf("Error reading file %s\n", argv[1]);
        goto badexit;
    }
    /* determine the file size by seeking to the end */
    fseek(fp,0L,SEEK_END);
    sz=(int)ftell(fp);
    fseek(fp,0L,SEEK_SET);
    if(sz < 0 || !(buf=malloc(sizeof(unsigned char) * sz))) {
        printf("Memory allocation error\n");
        goto badexit;
    }
    if(fread(buf, 1, sz, fp) != (size_t)sz) {
        printf("Error reading %d bytes from %s\n", sz, argv[1]);
        goto badexit;
    }
    printf("Read %08x (%d) bytes from %s\n", sz, sz, argv[1]);
    fclose(fp);
    /* checksum is simply the sum of every byte in the file */
    for(i=0;i<sz;i++)
        csum += buf[i];
    printf("checksum of %s = %08x\n", argv[1], csum);
    free(buf);
    return 0;

badexit:
    if(fp)
        fclose(fp);
    if(buf)
        free(buf);
    return -1;
}
$ ./checksum eciconfig.gz
Read 000008a4 (2212) bytes from eciconfig.gz
checksum of eciconfig.gz = 00043c62
If all else fails, we can manually re-program that raw flash block with a new XML MIB file that is configured to re-enable LAN and web GUI access.
Slowly getting there.
cheers, a
[1] http://www.macronix.com/..MX29LV640ETBver13-1.3.pdf (see sector address table on page 9)
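An added example, not part of asbokid's post and not rgbin's or OpenRG's own code: a small parser for the RGCFG1 partition header as it appears in the hex dump above (four big-endian 32-bit fields at 0x10, 0x14, 0x18 and 0x1c), with bounds checks, a checksum verifier that implements the same byte sum the post's program used, and a helper that recomputes the checksum field, which is the step a raw rewrite of the block must not skip. The field offsets, the assumption that rgbin's own checksum is exactly this 32-bit byte sum, and the sample image (whose "MIB" is a few placeholder bytes, not a real gzip) are all mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field offsets in the RGCFG1 header, read off the hex dump in the post.
 * All four fields are 32-bit big-endian; the header length field itself
 * says 0x80, and everything past 0x20 is zero in the dump. */
#define RGCFG_MAGIC       "RGCFG1"
#define RGCFG_MAGIC_LEN   6
#define RGCFG_OFF_HDRLEN  0x10   /* header length        (0x00000080 in the dump) */
#define RGCFG_OFF_MIBOFF  0x14   /* XML MIB offset       (0x00000126 in the dump) */
#define RGCFG_OFF_MIBLEN  0x18   /* XML MIB length       (0x000008a4 in the dump) */
#define RGCFG_OFF_CSUM    0x1c   /* checksum over MIB    (0x00043c62 in the dump) */
#define RGCFG_MIN_HDRLEN  0x20

struct rgcfg_hdr { uint32_t hdr_len, mib_off, mib_len, csum; };

static uint32_t get_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
}

/* Plain 32-bit byte sum: the same arithmetic as the post's checksum program,
 * which reproduced 0x00043c62 over the 0x8a4-byte gzip. Assumption: rgbin's
 * own routine is this sum modulo 2^32. */
uint32_t rgcfg_bytesum(const uint8_t *p, size_t n) {
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* Parse and bounds-check the header. 0 on success; -1 image too short,
 * -2 bad signature, -3/-4 the MIB does not lie inside the image. */
int rgcfg_parse(const uint8_t *img, size_t len, struct rgcfg_hdr *h) {
    if (len < RGCFG_MIN_HDRLEN) return -1;
    if (memcmp(img, RGCFG_MAGIC, RGCFG_MAGIC_LEN) != 0) return -2;
    h->hdr_len = get_be32(img + RGCFG_OFF_HDRLEN);
    h->mib_off = get_be32(img + RGCFG_OFF_MIBOFF);
    h->mib_len = get_be32(img + RGCFG_OFF_MIBLEN);
    h->csum    = get_be32(img + RGCFG_OFF_CSUM);
    /* The MIB must start after the header and end inside the buffer; the
     * subtraction form cannot overflow on a corrupt mib_off + mib_len. */
    if (h->hdr_len < RGCFG_MIN_HDRLEN || h->hdr_len > len || h->mib_off < h->hdr_len)
        return -3;
    if (h->mib_off > len || h->mib_len > len - h->mib_off)
        return -4;
    return 0;
}

/* 1 = stored checksum matches the MIB bytes, 0 = mismatch (what rgbin prints
 * as "config data is corrupted"), <0 = header unparseable. */
int rgcfg_verify(const uint8_t *img, size_t len) {
    struct rgcfg_hdr h;
    int rc = rgcfg_parse(img, len, &h);
    if (rc < 0) return rc;
    return rgcfg_bytesum(img + h.mib_off, h.mib_len) == h.csum;
}

/* Recompute the checksum field from the MIB bytes currently in the image. */
int rgcfg_set_checksum(uint8_t *img, size_t len) {
    struct rgcfg_hdr h;
    int rc = rgcfg_parse(img, len, &h);
    if (rc < 0) return rc;
    put_be32(img + RGCFG_OFF_CSUM, rgcfg_bytesum(img + h.mib_off, h.mib_len));
    return 0;
}

/* Constructed sample image with the dump's layout (header, env strings, MIB).
 * The "MIB" is placeholder bytes, not a real gzip. Returns the image size. */
size_t rgcfg_build_sample(uint8_t *img, size_t cap) {
    static const char env[] = "activeregion=2\ncountrycode=840\nhwrev=A1\n";
    static const uint8_t mib[] = { 0x1f, 0x8b, 0x08, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
    size_t hdr_len = 0x80, mib_off = hdr_len + (sizeof env - 1), total = mib_off + sizeof mib;
    if (cap < total) return 0;
    memset(img, 0, total);
    memcpy(img, RGCFG_MAGIC, RGCFG_MAGIC_LEN);
    put_be32(img + RGCFG_OFF_HDRLEN, (uint32_t)hdr_len);
    put_be32(img + RGCFG_OFF_MIBOFF, (uint32_t)mib_off);
    put_be32(img + RGCFG_OFF_MIBLEN, (uint32_t)sizeof mib);
    memcpy(img + hdr_len, env, sizeof env - 1);
    memcpy(img + mib_off, mib, sizeof mib);
    rgcfg_set_checksum(img, total);
    return total;
}

/* Round trip on the sample: 0 = all steps passed, else the first failing step. */
int rgcfg_selftest(void) {
    uint8_t img[256];
    struct rgcfg_hdr h;
    size_t n = rgcfg_build_sample(img, sizeof img);
    if (n != 0x80 + 40 + 9) return 1;
    if (rgcfg_parse(img, n, &h) != 0 || h.mib_off != 0xa8 || h.csum != 0x1b1) return 2;
    if (rgcfg_verify(img, n) != 1) return 3;
    img[n - 1] ^= 0xff;                                   /* corrupt one MIB byte */
    if (rgcfg_verify(img, n) != 0) return 4;
    if (rgcfg_set_checksum(img, n) != 0 || rgcfg_verify(img, n) != 1) return 5;
    img[0] = 'X';                                         /* break the signature */
    if (rgcfg_verify(img, n) != -2) return 6;
    return 0;
}

int main(void) {
    int rc = rgcfg_selftest();
    if (rc) printf("selftest failed at step %d\n", rc);
    else    printf("selftest passed\n");
    return rc;
}
```

To check a real dump, read the 64KByte block starting at 0x40000 into a buffer and call rgcfg_verify on it; a 0 result is the condition rgbin reports as "config data is corrupted", and a negative result means the header itself did not parse, which is worth knowing before trusting any field in it.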