Pages: 1 ... 8 9 [10] 11 12 ... 21

Author Topic: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B  (Read 208005 times)

burakkucat
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #135 on: April 11, 2012, 08:25:47 PM »

Quote
The test_agent executable is interesting too... test_agent config seems to reveal the tr-069 url, maybe we could fake the server by running a dns server locally and "fool" the modem into taking our commands?

TR-069 spoofing is something I have been occasionally thinking about . . .  :-\
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

ben1066
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #136 on: April 11, 2012, 09:00:50 PM »

It seems to be quite open, so long as we can pretend to be the correct server...

burakkucat
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #137 on: April 11, 2012, 11:07:39 PM »

My understanding is --

The modem/router will make contact with the Evil Empire, at designated times, and say: "I'm here. It's me. This is my status, current configuration and firmware. Is there anything you wish to do?"

The Evil Empire may reply: "Noted. Now bog off!"

At the next contact initiated by the modem/router, the Empire may say: "Yes. I have a little something for you. Let me have control."

The modem/router sets itself into recipient mode and says: "You have control."

The Evil Empire then initiates contact with the modem/router via the designated port and proceeds to molest, nay ravish, the CPE.  :o

There are references regarding TR-069 "out there" (sorry, I don't have any links to hand) but each Empire can implement the technique in its own way. The concept of the technique is clearly defined, the precise details are proprietary.

If you now have sight of some (or all) of the inner workings, then analysis and documentation of the algorithm will be very useful.  ;)
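The exchange described in the post above, written out as an added example; it is not code from this thread, from the ECI firmware or from any ACS product. In CWMP (TR-069) terms the CPE opens every session itself with an HTTP POST carrying a SOAP Inform (device identity, event codes such as "1 BOOT", a few parameter values); the ACS answers InformResponse and may then issue RPCs such as SetParameterValues inside that same CPE-initiated session. Both sides are simulated in-process, so nothing goes on the wire. The manufacturer, OUI, product class, serial number and the `acs.example.invalid` hostname are constructed placeholders (`.invalid` never resolves); the two `InternetGatewayDevice.ManagementServer.*` parameter names are standard TR-098 ones. `acs_url_is_trustworthy` is a hypothetical CPE-side check added to make the DNS-spoofing idea concrete: if the ACS URL the test_agent config reveals is plain http://, or https:// accepted without certificate validation, whoever answers that hostname gets to issue these RPCs.

```python
"""CWMP (TR-069) session skeleton: CPE Inform -> ACS InformResponse ->
ACS SetParameterValues, with the ACS simulated in-process. Added example;
not code from this thread or from the ECI firmware. Identity fields,
serial number and hostnames below are constructed placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP = "urn:dslforum-org:cwmp-1-0"
NS = {"soap": SOAP, "cwmp": CWMP}
ET.register_namespace("soap", SOAP)
ET.register_namespace("cwmp", CWMP)


def _envelope(rpc_id):
    """SOAP envelope with the cwmp:ID header that pairs request and reply."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{CWMP}}}ID").text = rpc_id
    return env, ET.SubElement(env, f"{{{SOAP}}}Body")


def _param_list(parent, values):
    plist = ET.SubElement(parent, "ParameterList")
    for name, value in values.items():
        pvs = ET.SubElement(plist, "ParameterValueStruct")
        ET.SubElement(pvs, "Name").text = name
        ET.SubElement(pvs, "Value").text = value


def build_inform(serial, event_codes, params, rpc_id="1"):
    """CPE side: the Inform that opens every CWMP session."""
    env, body = _envelope(rpc_id)
    inform = ET.SubElement(body, f"{{{CWMP}}}Inform")
    dev = ET.SubElement(inform, "DeviceId")
    for tag, val in (("Manufacturer", "ExampleCo"), ("OUI", "000000"),
                     ("ProductClass", "VDSL2-CPE"), ("SerialNumber", serial)):
        ET.SubElement(dev, tag).text = val          # constructed identity
    events = ET.SubElement(inform, "Event")
    for code in event_codes:                        # e.g. "1 BOOT", "2 PERIODIC"
        ev = ET.SubElement(events, "EventStruct")
        ET.SubElement(ev, "EventCode").text = code
        ET.SubElement(ev, "CommandKey").text = ""
    ET.SubElement(inform, "MaxEnvelopes").text = "1"
    ET.SubElement(inform, "CurrentTime").text = "2012-04-12T00:00:00Z"
    ET.SubElement(inform, "RetryCount").text = "0"
    _param_list(inform, params)
    return ET.tostring(env)


def rpc_name(xml_bytes):
    """Local name of the RPC element carried in the SOAP Body."""
    body = ET.fromstring(xml_bytes).find("soap:Body", NS)
    return body[0].tag.rsplit("}", 1)[1]


def param_values(xml_bytes):
    """ParameterValueStruct entries of an Inform or SetParameterValues."""
    return {p.findtext("Name"): p.findtext("Value")
            for p in ET.fromstring(xml_bytes).iter("ParameterValueStruct")}


def acs_handle_inform(xml_bytes):
    """ACS side: acknowledge the Inform, echoing its cwmp:ID."""
    if rpc_name(xml_bytes) != "Inform":
        raise ValueError("a CWMP session must open with Inform")
    rpc_id = ET.fromstring(xml_bytes).find("soap:Header/cwmp:ID", NS).text
    env, body = _envelope(rpc_id)
    ET.SubElement(ET.SubElement(body, f"{{{CWMP}}}InformResponse"), "MaxEnvelopes").text = "1"
    return ET.tostring(env)


def acs_set_parameter_values(values, rpc_id="2"):
    """ACS side: an RPC the CPE executes because it arrived from the ACS URL."""
    env, body = _envelope(rpc_id)
    spv = ET.SubElement(body, f"{{{CWMP}}}SetParameterValues")
    _param_list(spv, values)
    ET.SubElement(spv, "ParameterKey").text = ""
    return ET.tostring(env)


def acs_url_is_trustworthy(url):
    """Hypothetical CPE-side check. A plain-http ACS URL (or https accepted
    without certificate validation) means whoever DNS says the ACS is, is
    the ACS: exactly the spoofing idea floated in the thread."""
    return urlparse(url).scheme == "https"


def run_session():
    """One session, both sides, in order. Returns the RPC names exchanged."""
    inform = build_inform("CONSTRUCTED-SN-0001", ["1 BOOT"], {
        "InternetGatewayDevice.ManagementServer.URL":
            "http://acs.example.invalid/cwmp",          # placeholder host
    })
    reply = acs_handle_inform(inform)
    rpc = acs_set_parameter_values(
        {"InternetGatewayDevice.ManagementServer.PeriodicInformInterval": "60"})
    return rpc_name(inform), rpc_name(reply), rpc_name(rpc)


if __name__ == "__main__":
    print(run_session())
    print(acs_url_is_trustworthy("http://acs.example.invalid/cwmp"))
```

Real deployments add HTTP authentication on the Inform and a separate "connection request" (an HTTP GET from the ACS to the CPE's ConnectionRequestURL that merely prompts the CPE to start a new Inform); neither changes the trust question above, which rests entirely on what the ACS URL is and how the CPE authenticates the peer at the other end of it.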

asbokid
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #138 on: April 12, 2012, 03:32:30 AM »

Quote
(you missed gzipping the config file btw)

Oops!  Thanks for pointing it out. Duly corrected!

Quote
is there any way to get like stats? I haven't found any xdsl binary.

/usr/sbin/dsl_cpe_control looks promising. Please report back with info!

cheers, a


nimda
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #139 on: April 12, 2012, 06:17:59 PM »

There are references regarding TR-069 "out there" (sorry, I don't have any links to hand) but each Empire can implement the technique in its own way. The concept of the technique is clearly defined, the precise details are proprietary.

http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf

ben1066
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #140 on: April 12, 2012, 06:48:25 PM »

Code: [Select]
Alpha # dsl_cpe_control -h
DSL_CPE: Welcome to DSL CPI API control application
DSL_CPE: usage: [options]
DSL_CPE: following options are available:
DSL_CPE:  --help        (-h)    - help screen
DSL_CPE:  --version     (-v)    - display version
DSL_CPE:  --init        (-i)    - init device w/ <xtu> Bits seperated by underscore (e.g. -i05_01_04_00_04_01_00_00)
DSL_CPE:  --low_cfg     (-l)    - low level configuration file
DSL_CPE:  --console     (-c)    - start console
DSL_CPE:  --event_cnf   (-e)    - configure instance activation handling <enable/disable>[_mask] (e.g. -e1_1)
DSL_CPE:  --msg_dump    (-m)    - enable message dump
DSL_CPE:  --auto_scr_1  (-a)    - autoboot start script for ADSL (empty by default)
DSL_CPE:  --auto_scr_2  (-A)    - autoboot start script for VDSL (empty by default)
DSL_CPE:  --firmware1   (-f)    - firmware file, default /opt/ifx/firmware/xcpe_hw.bin
DSL_CPE:  --notif       (-n)    - notification script name, default ./xdslrc.sh
DSL_CPE:  --tcpmsg      (-t)    - enable dbgtool, listen only on <ipaddr> (optional, e.g. -t0.0.0.0)
DSL_CPE:  --multimode   (-M)    - set multimode config -M<NextMode>_<AdslSubPref> (e.g. -M1_1)
DSL_CPE:  --tc-layer    (-T)    - set TC-Layer options -T<TcLayer>_<TcConfigUs>_<TcConfigDs> (e.g. -T2_0x3_0x1)

Whatever command I run, it seems to kill my telnet session... Maybe it's because of how I have routing set up; I'll try something else...

This may be of interest http://pastebin.com/2D4NW2HR . In addition, if you look through /www/ there are a lot of hidden web pages, unfortunately none have any statistics.

http://svn.dd-wrt.com:8000/browser/src/router/dsl_cpe_control/src/dsl_cpe_control.c?rev=15977 seems to give us source for the dsl_cpe_control utility.
« Last Edit: April 12, 2012, 07:12:44 PM by ben1066 »

burakkucat
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #141 on: April 12, 2012, 09:29:08 PM »

http://www.broadband-forum.org/technical/download/TR-069_Amendment-2.pdf

Thank you for providing the link to the document. Team-work prevails, once again. I just couldn't lay my paws on it at the time of my previous post.  :)

asbokid
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #142 on: April 12, 2012, 10:35:34 PM »

Code: [Select]
Alpha # dsl_cpe_control -h
DSL_CPE: Welcome to DSL CPI API control application
DSL_CPE: usage: [options]
DSL_CPE: following options are available:
DSL_CPE:  --help        (-h)    - help screen
DSL_CPE:  --version     (-v)    - display version
DSL_CPE:  --init        (-i)    - init device w/ <xtu> Bits seperated by underscore (e.g. -i05_01_04_00_04_01_00_00)
DSL_CPE:  --low_cfg     (-l)    - low level configuration file
DSL_CPE:  --console     (-c)    - start console
DSL_CPE:  --event_cnf   (-e)    - configure instance activation handling <enable/disable>[_mask] (e.g. -e1_1)
DSL_CPE:  --msg_dump    (-m)    - enable message dump
DSL_CPE:  --auto_scr_1  (-a)    - autoboot start script for ADSL (empty by default)
DSL_CPE:  --auto_scr_2  (-A)    - autoboot start script for VDSL (empty by default)
DSL_CPE:  --firmware1   (-f)    - firmware file, default /opt/ifx/firmware/xcpe_hw.bin
DSL_CPE:  --notif       (-n)    - notification script name, default ./xdslrc.sh
DSL_CPE:  --tcpmsg      (-t)    - enable dbgtool, listen only on <ipaddr> (optional, e.g. -t0.0.0.0)
DSL_CPE:  --multimode   (-M)    - set multimode config -M<NextMode>_<AdslSubPref> (e.g. -M1_1)
DSL_CPE:  --tc-layer    (-T)    - set TC-Layer options -T<TcLayer>_<TcConfigUs>_<TcConfigDs> (e.g. -T2_0x3_0x1)

Ahh, maybe it's another multi-call binary that presents a different set of command line options depending on how it's invoked (argv[0])?  Just a guess.

uklad has commandeered his ECI now, so no more playing with it for me :(

However, if I've got the gist right..

the CPU in the ECI is a dual core: a MIPS32 and an unknown 32-bit DSP engine, in all probability another MIPS32 with extensions to the instruction set to provide DSP hardware functionality.

The MIPS32 core#1 runs the MIPS Linux operating system.  The hardware driver blob aka 'firmware'  (/ifx/vdsl2/xcpe_hw.bin) for the second core is loaded by the control core (core#1) into shared memory, and the execution of that code by core#2 is started.

The Linux kernel has a loadable kernel module (/ifx/vdsl2/drv_dsl_cpe_api.ko) which provides an interface from userspace to the kernel by way of a character device (/dev/dsl_cpe_api). It is through this interface that the line statistics from the DSP32 core are obtained.   There should be a userspace binary that invokes system calls (read/write/ioctl) on that device. The embedded webserver must be invoking such calls, either directly, or via some middleware (i.e. that xmldb thing).

It's much the same in the Broadcom-chipset Huawei. A userspace binary called xdslcmd is used to invoke ioctl() system calls on /dev/bcmadsl0 to obtain various xdsl stats.  The Linux kernel passes these calls to an ioctl de-multiplexer in the device driver, which obtains the stats from the hardware driver (the firmware blob) running on the DSP core. This is via some form of inter-process communication (IPC), semaphores, shared memory or message passing.

Quote
This may be of interest http://pastebin.com/2D4NW2HR . In addition, if you look through /www/ there are a lot of hidden web pages, unfortunately none have any statistics.

Ahh. server-side scripting fudged together with javascript.  It's very similar to the Huawei, except the ECI also uses that XML database for storing realtime data. [1]

In the excerpt of code below, we can see the embedded servlet function ConfigGetArray().

The servlet parsing engine in the embedded webserver replaces everything within the delimiters <? and ?> with the return value from the ConfigGetArray function.

And the ConfigGetArray() function must query the XML database for the statistic, in this case to obtain the line attenuation for frequency band 0.

Code: [Select]
..
var StLineAttenuation = new Array();
..
/* Line Attenuation*/
StLineAttenuation[0] = <?ConfigGetArray(/runtime/vdsl2/line/band:0/,lnatten/up,lnatten/down)?>;

You could directly obtain that statistic using xmldbc, with something like this:

Code: [Select]
xmldbc -g /runtime/vdsl2/line/band:0/lnatten/down

To get a bit closer to the kernel..  you could build strace and monitor the system calls made by xmldbc (et al) as that command is invoked. This will uncover how to communicate directly with the kernel device driver.  However the API will be documented in the source code for the drv_dsl_cpe_api device driver.

Also, take a close look at the -a command line option of xmldbc. It will dump the database contents including runtime and temporary data. That could reveal the XML node names for the tonemap data.

Since I haven't got access to an ECI any more, it is with great regret that I must bow out of the hack-fest, but with the reassurance that it is left in the competent hands of uklad and yourself  :)

Quote
http://svn.dd-wrt.com:8000/browser/src/router/dsl_cpe_control/src/dsl_cpe_control.c?rev=15977 seems to give us source for the dsl_cpe_control utility.

Aha.. I saw that in the corrupted source tarball published by Openreach.  :police:

cheers, a

EDIT:  Bit of info in the openwrt.org development mailing list.   Note how you read and write to a pipe to send commands to the dsl_cpe_control daemon to request and receive stats from the xdsl layer.  That will be for the AR9 (Lantiq's ADSL2 SoC family) but it's probably very similar for the VR9 (VDSL2 chipset family including the VRX268). [2]

[1] http://www.psidoc.com/showthread.php/635-busybox-quot-httpd-quot-help-needed-hacking-a-router
[2] https://lists.openwrt.org/pipermail/openwrt-devel/2012-January/013602.html
« Last Edit: April 13, 2012, 04:27:52 AM by asbokid »

ben1066
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #143 on: April 13, 2012, 10:47:58 AM »

http://pastie.org/private/andzysdm8hhmse2groohw
xmldbc -D /tmp/db.xml -a

As you can tell a lot of data is missing for some reason. However that pipe works PERFECTLY. The command set is listed with the command "help". http://pastie.org/private/uxkq541nllsply2evizxw and it seems to work much the same as the DSL version :D

Code: [Select]
Alpha # echo "g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=178 SNR=64 ATTNDR=42533120 ACTPS=-901 ACTATP=55
for example. Still a sucky way to interface, but at least it does work :) From this we SHOULD be able to make our own shell script to get data.

Kept on poking: the first is the downstream rate, the second is upstream, the third is downstream line stats, the fourth is upstream line stats.
Code: [Select]
Alpha # echo "g997csg 0 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nChannel=0 nDirection=1 ActualDataRate=39992000 PreviousDataRate=0 ActualInterleaveDelay=0 ActualImpulseNoiseProtection=0


Alpha # echo "g997csg 0 0" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nChannel=0 nDirection=0 ActualDataRate=8448000 PreviousDataRate=0 ActualInterleaveDelay=0 ActualImpulseNoiseProtection=0


Alpha # echo "g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=177 SNR=65 ATTNDR=42428544 ACTPS=-901 ACTATP=55


Alpha # echo "g997lsg 0 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=0 nDeltDataType=1 LATN=0 SATN=0 SNR=62 ATTNDR=8650125 ACTPS=-901 ACTATP=109

After reading through that script more, all the line stats need dividing by ten; that gives me a downstream attenuation of 23.1 dB and SNR of 6.5 dB, and an upstream attenuation of 0 dB? and 6.2 dB SNR. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..

My latest speedtest is

and that's pre 80/20. I have a forecast date of Monday for that.
« Last Edit: April 13, 2012, 02:01:03 PM by ben1066 »
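A host-side driver for the command/ack pipes that asbokid's mailing-list pointer and ben1066's post above describe, as an added example: this is not the firmware's own tooling and not code from the thread. It is written for a host that can reach the FIFOs rather than for the modem itself, since the Busybox msh on the ECI is too limited, and its parser also works on ack lines captured over telnet. The pipe paths, the `g997csg`/`g997lsg` command syntax, the direction convention (nDirection=1 is downstream) and the divide-by-ten scaling of the dB fields are as worked out in the posts; `SAMPLE_ACKS` are the four lines ben1066 posted, so the report runs without a modem. `query` reads the ack pipe with a deadline, which addresses the hang a wrong argument otherwise causes when `cat` blocks on the ack pipe; the `idle` and `timeout` values are my own choices.

```python
"""Driver and parser for the dsl_cpe_control command/ack FIFOs found in
the thread. Added example, not the firmware's own tooling. Paths, command
syntax and tenths-of-a-dB scaling are as established in the posts; the
SAMPLE_ACKS are the lines ben1066 posted."""
import os
import time

CMD_PIPE = "/tmp/pipe/dsl_cpe0_cmd"
ACK_PIPE = "/tmp/pipe/dsl_cpe0_ack"
# Fields reported in tenths: dB for LATN/SATN/SNR, dBm for ACTATP, dBm/Hz for
# ACTPS (per the thread's reading of the script). Rates are bit/s, left alone.
TENTHS = {"LATN", "SATN", "SNR", "ACTATP", "ACTPS"}

SAMPLE_ACKS = {  # as posted in the thread for the four queries shown there
    "g997csg 0 1": "nReturn=0 nChannel=0 nDirection=1 ActualDataRate=39992000 PreviousDataRate=0 ActualInterleaveDelay=0 ActualImpulseNoiseProtection=0",
    "g997csg 0 0": "nReturn=0 nChannel=0 nDirection=0 ActualDataRate=8448000 PreviousDataRate=0 ActualInterleaveDelay=0 ActualImpulseNoiseProtection=0",
    "g997lsg 1 1": "nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=177 SNR=65 ATTNDR=42428544 ACTPS=-901 ACTATP=55",
    "g997lsg 0 1": "nReturn=0 nDirection=0 nDeltDataType=1 LATN=0 SATN=0 SNR=62 ATTNDR=8650125 ACTPS=-901 ACTATP=109",
}


def parse_ack(line):
    """'nReturn=0 LATN=231 ...' -> dict; tenth-scaled fields become floats."""
    fields = {}
    for token in line.split():                # also copes with wrapped lines
        key, sep, val = token.partition("=")
        if not sep:
            raise ValueError(f"unexpected token {token!r} in ack")
        fields[key] = int(val) / 10 if key in TENTHS else int(val)
    if fields.get("nReturn") != 0:            # non-zero = API error code
        raise RuntimeError(f"dsl_cpe_control error nReturn={fields.get('nReturn')}")
    return fields


def query(command, cmd_pipe=CMD_PIPE, ack_pipe=ACK_PIPE, timeout=5.0, idle=0.3):
    """Send one command and collect its ack under a deadline, so a mistyped
    command times out instead of leaving the reader stuck the way cat did."""
    # Open the ack side first and non-blocking: a FIFO needs a reader before
    # the daemon's open of the write end can complete.
    fd = os.open(ack_pipe, os.O_RDONLY | os.O_NONBLOCK)
    try:
        with open(cmd_pipe, "w") as cmd:
            cmd.write(command + "\n")
        chunks, deadline, last = [], time.monotonic() + timeout, None
        while time.monotonic() < deadline:
            try:
                data = os.read(fd, 4096)
            except BlockingIOError:           # writer attached, nothing yet
                data = None
            if data:
                chunks.append(data)
                last = time.monotonic()
            elif data == b"" and chunks:      # writer closed: ack complete
                break
            elif last is not None and time.monotonic() - last > idle:
                break                         # writer stays open; answer went quiet
            else:
                time.sleep(0.05)              # no writer yet; keep polling
        if not chunks:
            raise TimeoutError(f"no ack for {command!r} within {timeout}s")
    finally:
        os.close(fd)
    return parse_ack(b"".join(chunks).decode())


def summarise(csg_down, csg_up, lsg_down, lsg_up):
    """The four answers -> one report (values already scaled by parse_ack)."""
    return {
        "down_sync_kbps": csg_down["ActualDataRate"] // 1000,
        "up_sync_kbps": csg_up["ActualDataRate"] // 1000,
        "down_attainable_kbps": lsg_down["ATTNDR"] // 1000,
        "up_attainable_kbps": lsg_up["ATTNDR"] // 1000,
        "down_attn_db": lsg_down["LATN"], "up_attn_db": lsg_up["LATN"],
        "down_snrm_db": lsg_down["SNR"], "up_snrm_db": lsg_up["SNR"],
        "down_headroom_kbps": (lsg_down["ATTNDR"] - csg_down["ActualDataRate"]) // 1000,
    }


def summarise_samples():
    """Report over the posted lines; needs no modem."""
    a = {k: parse_ack(v) for k, v in SAMPLE_ACKS.items()}
    return summarise(a["g997csg 0 1"], a["g997csg 0 0"], a["g997lsg 1 1"], a["g997lsg 0 1"])


def summarise_live(**kw):
    """Same report straight from the pipes; run where they are reachable."""
    return summarise(*(query(c, **kw) for c in
                       ("g997csg 0 1", "g997csg 0 0", "g997lsg 1 1", "g997lsg 0 1")))


if __name__ == "__main__":
    print(summarise_samples())
```

The headroom figure (attainable minus sync) is what Bald_Eagle1's question about sync versus attainable rate comes down to; on the posted numbers it is about 2.4 Mb/s downstream, which sits with the 6.5 dB margin reported.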

uklad

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #144 on: April 13, 2012, 03:07:04 PM »

Since I haven't got access to an ECI any more, it is with great regret that I must bow out out of the hack-fest but with the reassurance that it is left in the competent hands of uklad and yourself

I can make mine available to you again just it cannot be live on DSL at the same time.. but the offer of a loan still stands..

ben1066
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #145 on: April 13, 2012, 03:11:25 PM »

I can provide an ssh tunnel to my home server which has telnet access to my modem if it's really necessary..

asbokid
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #146 on: April 13, 2012, 11:06:36 PM »

http://pastie.org/private/andzysdm8hhmse2groohw
xmldbc -D /tmp/db.xml -a

As you can tell a lot of data is missing for some reason. However that pipe works PERFECTLY. The command set is listed with the command "help". http://pastie.org/private/uxkq541nllsply2evizxw and it seems to work much the same as the DSL version :D

Code: [Select]
Alpha # echo "g997lsg 1 1" > /tmp/pipe/dsl_cpe0_cmd
Alpha # cat /tmp/pipe/dsl_cpe0_ack
nReturn=0 nDirection=1 nDeltDataType=1 LATN=231 SATN=178 SNR=64 ATTNDR=42533120 ACTPS=-901 ACTATP=55
for example. Still a sucky way to interface, but at least it does work :) From this we SHOULD be able to make our own shell script to get data.

Whayhay!  Good find, Ben!   Do the values correspond with the stats in the web interface of the ECI?  Maybe the missing values are populated once the device has had a reasonably long uptime?

Quote
After reading through that script more, all the line stats need dividing by ten; that gives me a downstream attenuation of 23.1 dB and SNR of 6.5 dB, and an upstream attenuation of 0 dB? and 6.2 dB SNR. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..

God knows! It doesn't sound very good though.   Paul (Bald_Eagle) is the man with the answers. He has officially studied more VDSL2 connection stats than the rest of us have had hot dinners!

I can provide an ssh tunnel to my home server which has telnet access to my modem if it's really necessary..

I can make mine available to you again just it cannot be live on DSL at the same time.. but the offer of a loan still stands..

That's very generous of you both  :)

The main interest is the LZMA tweak to the Linux kernel driver for squashfs.    The tweak needs to be cracked before a fully functional file system can be re-built (in our own graven image) for the ECI.   To that end, we need to dump the uncompressed form of the files that we couldn't uncompress with the open source tools.

It was hoped that this could be done with a shell script on the ECI. However the shell provided by Busybox in the ECI firmware is the lightweight msh (the Minix shell).  It is very pared down so it's missing too much functionality to be useful.

The alternative is to build some native MIPS code to do the file system dumping. To build this code, there's a pre-built GNU cross-compiling toolchain for the Lantiq XWAY AR9 CPUs which should be okay for the VR9 series. It might take a little while to sort that out though.  Hopefully before then Openreach will have repaired that dodgy tarball of GPL'ed code for the ECI.  The tarball may well contain a toolchain.

cheers, a


Bald_Eagle1
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #147 on: April 14, 2012, 08:50:07 AM »


Quote
After reading through that script more, all the line stats need dividing by ten; that gives me a downstream attenuation of 23.1 dB and SNR of 6.5 dB, and an upstream attenuation of 0 dB? and 6.2 dB SNR. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..

God knows! It doesn't sound very good though.   Paul (Bald_Eagle) is the man with the answers. He has officially studied more VDSL2 connection stats than the rest of us have had hot dinners!


The Huawei HG612 splits attenuation/SNR etc. across the band plans & reports 0dB in its GUI where a value would be expected.
Is the ECI stats snippet posted (LATN=231 SATN=178 SNR=64) the only combined value shown for all the downstream band plans?

If so, I THINK it seems to report the stats in a similar way to the FritzBox! 3930.
I THINK the FritzBox! also reports 0dB for upstream attenuation.

What sync speeds are being achieved & how do they compare against Attainable Rates?
If there is not much difference between them, that COULD explain the low(ish) SNR values (assuming it really means SNR Margin).

High Attainable speed connections, still capped at 40Mb show SNRM values of up to 30dB or so.
My connection that struggles to achieve more than 30Mb (sync & attainable) has a value usually of 6dB (quite often less).
« Last Edit: April 14, 2012, 09:03:38 AM by Bald_Eagle1 »

ben1066
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #148 on: April 14, 2012, 11:14:15 AM »


Quote
After reading through that script more, all the line stats need dividing by ten; that gives me a downstream attenuation of 23.1 dB and SNR of 6.5 dB, and an upstream attenuation of 0 dB? and 6.2 dB SNR. Is that good or bad for FTTC? I'm not really convinced of that SNR, it seems really bad for the speeds I get..

God knows! It doesn't sound very good though.   Paul (Bald_Eagle) is the man with the answers. He has officially studied more VDSL2 connection stats than the rest of us have had hot dinners!


The Huawei HG612 splits attenuation/SNR etc. across the band plans & reports 0dB in its GUI where a value would be expected.
Is the ECI stats snippet posted (LATN=231 SATN=178 SNR=64) the only combined value shown for all the downstream band plans?

If so, I THINK it seems to report the stats in a similar way to the FritzBox! 3930.
I THINK the FritzBox! also reports 0dB for upstream attenuation.

What sync speeds are being achieved & how do they compare against Attainable Rates?
If there is not much difference between them, that COULD explain the low(ish) SNR values (assuming it really means SNR Margin).

High Attainable speed connections, still capped at 40Mb show SNRM values of up to 30dB or so.
My connection that struggles to achieve more than 30Mb (sync & attainable) has a value usually of 6dB (quite often less).

Still waiting for the uplift; it should happen Monday, as I ordered late. My attainable and achieved speeds are very close,


The GUI also displays 0 for all values like the Huawei,

I'm not really sure what the arguments for the command are, but getting them wrong sometimes causes cat to hang when reading the ack. FritzBoxes seem to use Infineon/Lantiq CPUs, so the same reporting would make sense.

Bald_Eagle1
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #149 on: April 14, 2012, 12:02:24 PM »



FWIW, these are from a FritzBox! - I got the number wrong earlier:-