Author Topic: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B  (Read 207733 times)

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #210 on: August 04, 2012, 08:13:28 PM »

Quote
Is this one corrupt ?

No, it is quite innocent and pure.  :P  ;)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #211 on: August 13, 2012, 05:59:37 PM »


For those who don't want to solder to the PCB, maybe a strip of right angled header pins could be taped temporarily to the UART solder pads.

This was just tried, using a Prolific Logic pl2303 USB-UART adaptor (cost £1.50 inc P&P from ebay):

See: http://www.ebay.co.uk/itm/180836792643



Adhesive tape isn't strong enough to hold the header pins onto the PCB pads.

But Dolly the clothes peg proved just the job! She is electrostatic-safe, too  :D


The Linux device driver for the pl2303 has been included since 2.4 kernels. The Prolific website in Taiwan carries (binary) drivers for Windows and the Macintosh.

Installing the pl2303 driver for Windows. 


Now, finally, we can log into the ECI modem via the serial console:


cheers, a
« Last Edit: August 13, 2012, 09:48:30 PM by asbokid »
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #212 on: August 13, 2012, 06:17:35 PM »

I was happily looking through this thread until I came across the last four images.  :(   BGW? Yucky!  :tongue:  It's put me right off my evening meal.  :'(
Logged

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #213 on: August 24, 2012, 07:13:36 PM »

Adhesive tape isn't strong enough to hold the header pins onto the PCB pads.

But Dolly the clothes peg proved just the job! She is electrostatic-safe, too  :D


I'm impressed. True hardware hacking in its purest form.

Sir, I salute you!
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #214 on: September 25, 2012, 03:25:34 AM »

Apologies to all for the cat-cursing at around 0245 hours today, b*cat was very frustrated.  :-[

An ECI B-FOCuS modem was upended.
Its rubber feet were removed.
The four screws, so exposed, were undone.
The case was opened.
The PCB was removed and placed on a firm insulating surface.
The PSU was attached and the modem was powered up.
Application of meter probes to the four pads at location JP1 showed with negative probe on pad #2 from the left, 3.28 VDC on pads #1, #3 & #5.
Confirmed #2 is GND, #3 is VCC, #1 & #5 are TXD & RXD.
A block of five 90 degree header pins had leads attached.
Jake (the peg) was encouraged to hold the block of header pins against the solder infested pads.
The cat cursing started.
No matter how things were tried, no continuity could be obtained from the PCB solder pads to the ends of the fly-leads.  :(
Tiny dimples were gently made in the solder infesting the pads.
The cat-cursing got louder.  >:(
Offering up the header pins into the dimples was finally achieved.
Still no continuity.
The cat-cursing reached fortissimo!  >:D
The soldering-iron was considered . . . and rejected.
b*cat's paws are now too fumbly and the vision is not good enough for such micro-surgery.
Fifty years ago and things were considerably different . . .  :'(
I'll just have to wait for the software unlocking method to be resolved.

And now I've just seen the time. Well overdue some  :sleep:
« Last Edit: November 04, 2012, 12:30:32 AM by burakkucat »
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #215 on: September 25, 2012, 07:06:38 PM »

Hello burakkucat!

..
No matter how things were tried, no continuity could be obtained from the PCB solder pads to the ends of the fly-leads.  :(
Tiny dimples were gently made in the solder infesting the pads.
..
Offering up the header pins into the dimples was finally achieved.
...
Still no continuity.
..

Damnation!

No continuity? As in no electrical continuity, according to a multimeter?  Or no connectivity on the serial port?  If the latter, does the pl2303 adaptor definitely work? I've had two or three which were duffs. There's a spare adaptor here if you need it, or happy to solder-in the pins if you dare entrust Royal Mail* with it?!

The tails of the right-angled header pins were facing inwards (away from the nearest PCB edge)?
And a good quality peg was used? Definitely the correct model? Type A rather than the Type B?!


cheers, a
« Last Edit: September 25, 2012, 07:26:01 PM by asbokid »
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #216 on: September 25, 2012, 10:45:06 PM »

No continuity? As in no electrical continuity, according to a multimeter?

Yes and yes.  :(

Quote
does the pl2303 adaptor definitely work? I've had two or three which were duffs.

I thought a pl2303 adaptor required usage of BGW? Though there is a driver in the Linux kernel --

Quote
[bcat@Duo2 ~]$ find /lib/modules -name pl2303.ko | sort
/lib/modules/2.6.32-220.23.1.el6.x86_64/kernel/drivers/usb/serial/pl2303.ko
/lib/modules/2.6.32-279.5.2.el6.x86_64/kernel/drivers/usb/serial/pl2303.ko
/lib/modules/3.5.4-1.el6.elrepo.x86_64/kernel/drivers/usb/serial/pl2303.ko

As both my laptop and workstation computers have serial ports (I would never be without one), I have this RS232 to TTL Converter Cable (based on the ST micro ST3232EC chip) for the job.

Quote
happy to solder-in the pins if you dare entrust Royal Mail* with it?!

I may eventually take advantage of your kind offer. At the moment, I am a little bit concerned that your Wayne may come across it and decide it would be useful currency with which to obtain two cans of Special Brew.  :-X

Quote
The tails of the right-angled header pins were facing inwards (away from the nearest PCB edge)?

Confirmed.

Quote
And a good quality peg was used? Definitely the correct model? Type A rather than the Type B?!

Yes, a Type A of plastic rather than wooden construction. You don't think that is the cause, do you?  :-\
Logged

asbokid

  • Kitizen
  • ****
  • Posts: 1286
    • Hacking the 2Wire
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #217 on: September 26, 2012, 02:11:49 AM »


I thought a pl2303 adaptor required usage of BGW?

The pl2303 works fine on Linux. The kernel driver automatically inserts after the device is enumerated, and the dumb USB serial device becomes available as ttyUSB0

Code:
Sep 25 22:58:26 l502x kernel: [353464.425850] usb 2-2: New USB device found, idVendor=067b, idProduct=2303
Sep 25 22:58:26 l502x kernel: [353464.425855] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Sep 25 22:58:26 l502x kernel: [353464.425858] usb 2-2: Product: USB-Serial Controller
Sep 25 22:58:26 l502x kernel: [353464.425861] usb 2-2: Manufacturer: Prolific Technology Inc.
Sep 25 22:58:26 l502x kernel: [353464.427931] pl2303 2-2:1.0: pl2303 converter detected
Sep 25 22:58:26 l502x kernel: [353464.456013] usb 2-2: pl2303 converter now attached to ttyUSB0

The serial terminal program minicom is run:

Code:
$ minicom -D /dev/ttyUSB0

and away it goes..


Quote
Yes, a Type A of plastic rather than wooden construction. You don't think that is the cause, do you?  :-\

The peg I used was of the very highest (Tesco Value) quality, but it did have a powerful snap to it.   Yet when the trick was tried again just now, exactly the same problem occurred as you found.  Though after giving the pads a scuff-up with my fingernail, everything worked okay once again.  So maybe it's down to solder oxidisation?

Perhaps if you have the patience to try it again, maybe the pins could be clipped to the pads on the underside of the board. These are actually plated thru-holes, so there should still be continuity.








cheers, a
Logged
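
An added example, not part of the post above: a Python parser that replays kernel log lines like those quoted and reports which ttyUSB node each USB-serial adaptor currently holds, which matters once more than one adaptor is plugged in or one has been pulled. The first six sample lines are the ones posted; the second adaptor on port 2-3, its timestamps and the disconnect line are constructed, and the names `usb_serial_state` and `ttys_for` are hypothetical.

```python
import re

# Constructed sample: the first six lines are the syslog lines from the post
# above; the second adaptor on port 2-3 and the disconnect line are made up.
KLOG = """\
Sep 25 22:58:26 l502x kernel: [353464.425850] usb 2-2: New USB device found, idVendor=067b, idProduct=2303
Sep 25 22:58:26 l502x kernel: [353464.425855] usb 2-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Sep 25 22:58:26 l502x kernel: [353464.425858] usb 2-2: Product: USB-Serial Controller
Sep 25 22:58:26 l502x kernel: [353464.425861] usb 2-2: Manufacturer: Prolific Technology Inc.
Sep 25 22:58:26 l502x kernel: [353464.427931] pl2303 2-2:1.0: pl2303 converter detected
Sep 25 22:58:26 l502x kernel: [353464.456013] usb 2-2: pl2303 converter now attached to ttyUSB0
Sep 25 23:01:02 l502x kernel: [353620.100000] usb 2-3: New USB device found, idVendor=067b, idProduct=2303
Sep 25 23:01:02 l502x kernel: [353620.130000] usb 2-3: pl2303 converter now attached to ttyUSB1
Sep 25 23:05:40 l502x kernel: [353898.500000] usb 2-2: USB disconnect, device number 7
"""

USB = re.compile(r"kernel: \[\s*[\d.]+\] usb (\S+): (.*)$")
FOUND = re.compile(r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
ATTACH = re.compile(r"^(\S+) converter now attached to (ttyUSB\d+)")

def usb_serial_state(log):
    """Replay the log and return {usb_port: info} for adaptors still attached."""
    devs = {}
    for line in log.splitlines():
        m = USB.search(line)
        if not m:                      # e.g. the "pl2303 2-2:1.0:" driver line
            continue
        port, msg = m.groups()
        found, attach = FOUND.search(msg), ATTACH.search(msg)
        if msg.startswith("New USB device found") and found:
            devs[port] = {"id": ":".join(found.groups()),
                          "driver": None, "tty": None}
        elif port not in devs:
            continue                   # message for a device we never saw appear
        elif msg.startswith(("Product: ", "Manufacturer: ")):
            key, value = msg.split(": ", 1)
            devs[port][key.lower()] = value
        elif attach:
            devs[port]["driver"], devs[port]["tty"] = attach.groups()
        elif msg.startswith("USB disconnect"):
            del devs[port]             # the tty node is gone with the device
    return devs

def ttys_for(log, usb_id="067b:2303"):
    """tty names currently held by adaptors with the given vendor:product id."""
    return sorted(d["tty"] for d in usb_serial_state(log).values()
                  if d["id"] == usb_id and d["tty"])
```
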

drsox

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #218 on: October 06, 2012, 08:59:52 PM »

ben1066,

I'm happy to give you FTP / website space if you want somewhere to host your eDMT with no bandwidth frustrations or intrusive advertising! Pop me an email on kitzedmt@sioned.info

I have a quick query with eDMT too. When on the same LAN I can connect to the vdsl modem with eDMT but if I am not on the same subnet, and NAT to it.. I can't connect and eDMT crashes after clicking connect. Any idea why routed vs. on subnet should make a difference?

Tom (commercial link removed by admin)
« Last Edit: October 06, 2012, 10:36:00 PM by roseway »
Logged

ben1066

  • Member
  • **
  • Posts: 74
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #219 on: October 26, 2012, 04:49:42 PM »

Hey,
Great to know people are still interested in this. I can only assume that that is a modem limitation as telnet is fairly simple, I don't see why it'd fail. All code can be found at http://curlybracket.co.uk/misc/edmt.zip though thanks for the offer of hosting.
Enjoy.
Logged

drsox

  • Member
  • **
  • Posts: 55
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #220 on: October 26, 2012, 05:46:39 PM »

Downloaded and will have a tinker.

As far as I could see from a packet capture the compiled program was trying to make an SMB connection to the router! Not even trying telnet.

--
link edit by admin to signature
« Last Edit: November 04, 2012, 01:37:32 PM by kitz »
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #221 on: November 03, 2012, 06:54:18 PM »

After a lot of "cat cursing" throughout last night, I finally managed to unlock one of the original ECI B-FOCuS modems (supplied by Openreach as the alternative CPE to the Huawei HG612 modem) by following the published instructions to the letter. [1]

As Firefox is the only browser I have installed, I was unable to call up the device's buggy GUI and so telnet access was used to confirm that successful unlocking had been achieved.

Code:
[bcat@Duo2 ~]$ telnet 192.168.168.168
Trying 192.168.168.168...
Connected to 192.168.168.168.
Escape character is '^]'.
login as: admin
password:

BusyBox v1.00 (2011.08.09-03:28+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

Alpha # help

Built-in commands:
-------------------
        . : break cd continue eval exec exit export help login newgrp
        read readonly set shift times trap umask wait

Alpha # echo $PATH
/usr/bin:/bin:/usr/sbin:/sbin
Alpha # ls /usr/bin
yes                                    pcaccess_disable.sh
wget                                   pcaccess.sh
wc                                     mpstat
uptime                                 loopback_stop
update_upgrade.sh                      loopback_start
update_uboot.sh                        logger
tr                                     killall
top                                    free
tftp                                   expr
test_agent                             dirname
test                                   cut
stopqos.sh                             cusb_modem_switch_loopback_disable.sh
startqos.sh                            cusb_modem_switch_loopback.sh
port2_enable                           cusb_modem_switch.sh
port2_disable                          cusb_modem_ppe.sh
port1_enable                           basename
port1_disable                          [
Alpha # ls /bin
zcat              rm                login             df
usleep            pwd               logcmd            dd
uname             ps                ln                date
umount            ping              kill              cp
true              mv                gzip              chmod
touch             msh               gunzip            cat
switch_utility    mount             grep              busybox
spy               more              fgrep             alpha_flash_cmd
sleep             mknod             false             alphaLogd
sh                mkdir             egrep             alphaHousekeeper
sed               ls                echo              alphaFlashAgent
Alpha # ls /usr/sbin
xmldbc            submit            mfc               cabletest:5
xmldb             stats             mem               cabletest:4
wan               scut              in.tftpd          cabletest:3
vconfig           rgdb              ifx_util          cabletest:2
usockc            rgcfg             ifx_gpio          cabletest:1
upgrade           rgbin             dsl_cpe_control   brctl
udhcpr            read_img          diap              alpha_tantos
udhcpd            ppacmd            diagnostic        alpha_macaddr
udhcpc            pmcu              dayconvert        alpha_inventory
time              pfile             chnet             alpha_gen_submac
telnetd           ntpclient         check             alpha_bdtool
syslog            next_macaddr      cfmctl
sys               mknod_util        cfm
Alpha # ls /sbin
thttpd    swapon    rmmod     mdev      insmod    getty
syslogd   swapoff   reboot    lsmod     init
sysctl    route     modprobe  klogd     ifconfig
Alpha # ps
  PID  Uid     VmSize Stat Command
    1 0           172 S   init       
    2 0               SWN [ksoftirqd/0]
    3 0               SW  [watchdog/0]
    4 0               SW< [events/0]
    5 0               SW< [khelper]
    6 0               SW< [kthread]
   24 0               SW< [kblockd/0]
   37 0               SW  [pdflush]
   38 0               SW  [pdflush]
   39 0               SW< [kswapd0]
   40 0               SW< [aio/0]
   74 0               SW  [mtdblockd]
  227 0               SWN [jffs2_gcd_mtd6]
  240 0           596 S   xmldb -n lantiq_vr9_generic_asl56026 -t
  505 0           260 S   syslogd -F sysact -F attack -F notice
  508 0           188 S   klogd -l br0
  605 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  608 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  609 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  610 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  612 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  613 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  614 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bi
  693 0           472 S   /usr/sbin/cfm ptm0 eth0
  696 0           472 S   /usr/sbin/cfm ptm0 eth0
  697 0           472 S   /usr/sbin/cfm ptm0 eth0
  698 0           472 S   /usr/sbin/cfm ptm0 eth0
  712 0               SW  [autbtex]
  713 0               SW  [pmex_ne]
  714 0               SW  [pmex_fe]
  755 0           404 S   /usr/sbin/diap
  764 0           596 S   /sbin/thttpd -d /www
  778 0           264 R   telnetd
  793 0           336 S   /bin/alphaLogd
  806 0           432 S   alphaFlashAgent
  810 0           216 S   /bin/sh /BTAgent/ro/start
  815 0           740 S   ./btagent
  817 0           740 S   ./btagent
  820 0           740 S   ./btagent
  821 0           740 S   ./btagent
  841 0           392 S   /bin/alphaHousekeeper
 1073 0           164 S   /sbin/getty -L ttyS0 115200 vt102
 1280 0           252 S   /bin/sh
 1961 0           196 R   ps
Alpha # kill 810
Alpha # killall btagent
Alpha # ps
  PID  Uid     VmSize Stat Command
    1 0           172 S   init       

<snip>

  764 0           596 S   /sbin/thttpd -d /www
  778 0           264 S   telnetd
  793 0           336 S   /bin/alphaLogd
  806 0           432 S   alphaFlashAgent
  841 0           392 S   /bin/alphaHousekeeper
 1073 0           164 S   /sbin/getty -L ttyS0 115200 vt102
 1280 0           252 S   /bin/sh
 2055 0           196 R   ps
Alpha # mount
/dev/mtdblock2 on / type squashfs (ro)
sysfs on /sys type sysfs (rw)
tmpfs on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
none on /proc type proc (rw)
ramfs on /var type ramfs (rw)
/dev/mtdblock6 on /BTAgent/rw type jffs2 (rw)
Alpha # umount /BTAgent/rw
Alpha # mount
/dev/mtdblock2 on / type squashfs (ro)
sysfs on /sys type sysfs (rw)
tmpfs on /dev type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
none on /proc type proc (rw)
ramfs on /var type ramfs (rw)
Alpha # exit
Connection closed by foreign host.
[bcat@Duo2 ~]$

I have provided that rather extensive example, above, as it shows how to turn off the Beatie Group's "busy-body", the BTAgent. Once terminated, that "unknown quantity" will remain disabled until the next power-cycle or reboot of the device. (The same technique can be used to disable the identical agent that executes within the Huawei HG612.)

Has anyone determined if the device's IP address can be changed via telnet access? By default it is 192.168.168.168 and I would like to reconfigure it to be 192.168.1.254, for consistency with my other modem/routers.

[1] http://hackingecibfocusv2fubirevb.wordpress.com/2012/09/23/bare-instructions-to-unlock-eci-vdsl2-modem/
Logged
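
An added example, not part of the post above: a Python check that parses the BusyBox `ps` and `mount` output from a session like the one shown and confirms nothing of the agent is left running or mounted, while listing what still runs as uid 0. The sample rows are copied from the post and trimmed; the function names and the `btagent` marker string are assumptions made for this example.

```python
import re

# Constructed sample: rows copied from the two `ps` listings and the final
# `mount` listing in the post above, trimmed to the rows that matter here.
PS_BEFORE = """\
  PID  Uid     VmSize Stat Command
    1 0           172 S   init
    2 0               SWN [ksoftirqd/0]
  764 0           596 S   /sbin/thttpd -d /www
  778 0           264 R   telnetd
  810 0           216 S   /bin/sh /BTAgent/ro/start
  815 0           740 S   ./btagent
  817 0           740 S   ./btagent
 1073 0           164 S   /sbin/getty -L ttyS0 115200 vt102
"""
PS_AFTER = """\
  PID  Uid     VmSize Stat Command
    1 0           172 S   init
<snip>
  764 0           596 S   /sbin/thttpd -d /www
  778 0           264 S   telnetd
 1073 0           164 S   /sbin/getty -L ttyS0 115200 vt102
"""
MOUNT_AFTER = """\
/dev/mtdblock2 on / type squashfs (ro)
ramfs on /var type ramfs (rw)
"""

# pid, uid, optional VmSize (absent for kernel threads), state, command line
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(?:(\d+)\s+)?(\S+)\s+(.*\S)\s*$")

def parse_ps(text):
    """Parse BusyBox `ps` rows; the header and '<snip>' lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            pid, uid, vmsize, stat, cmd = m.groups()
            procs.append({"pid": int(pid), "uid": int(uid), "stat": stat,
                          "vmsize": int(vmsize) if vmsize else None,
                          "cmd": cmd, "kernel": cmd.startswith("[")})
    return procs

def agent_check(ps_before, ps_after, mounts, marker="btagent"):
    """Compare two listings and report what is left of the agent."""
    before, after = parse_ps(ps_before), parse_ps(ps_after)
    user = lambda ps: {p["cmd"] for p in ps if not p["kernel"]}
    targets = [f[2] for f in (l.split() for l in mounts.splitlines())
               if len(f) > 2]
    return {
        "stopped": sorted(user(before) - user(after)),
        "agent_pids_left": [p["pid"] for p in after
                            if marker in p["cmd"].lower()],
        "agent_mounts_left": [t for t in targets if marker in t.lower()],
        "still_root": sorted(p["cmd"] for p in after
                             if p["uid"] == 0 and not p["kernel"]),
    }
```

On the sample data the report shows `telnetd` and `thttpd` still running as uid 0 once the agent is gone; as the post says, the agent stays disabled only until the next power-cycle or reboot, so the check has to be repeated after one.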

les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #222 on: November 03, 2012, 09:48:31 PM »

  As per the Asbo instructions it can be changed via telnet but I did not find how to make a permanent change via telnet.  The GUI does however let you make the permanent change which survives a power on and off.
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #223 on: November 03, 2012, 10:09:41 PM »

Thanks for that confirmation, Les. I can see I missed typing the word 'permanently' in my previous post --

Quote
Has anyone determined if the device's IP address can be permanently changed via telnet access?

 :doh:  D'oh!
« Last Edit: November 04, 2012, 12:33:01 AM by burakkucat »
Logged

liamstears

  • Member
  • **
  • Posts: 21
Re: Hacking the ECI model B-FOCuS V-2FUb/I Rev.B
« Reply #224 on: November 06, 2012, 10:50:42 PM »

OK, so I would really like to unlock my ECI modem but a bit confused on how I have to do it.

I know you can get the USB TTL converter off eBay but I would prefer not to spend any money if I can, so can I just hook the modem straight up to the COM port on my ASRock Z68 Extreme4 Gen3 mobo?

Pinout for the COM port shows RRXD1, TTXD1 and ground, so that's all that's needed, right?

Also running Windows 8, so is it easy to do from Windows? Which software is easiest and compatible with Windows 8 to send the commands?
Logged