Are you saying that you do not have a copy of the current firmware image in a suitable state so that it can be uploaded to the device, via the Broadcom boot-loader?
A slight mis-communication there. It was simply a way of testing what effect, if any, changing the config would have on the update process.
Although now you mention it... I don't have a copy of the new firmware image suitable for uploading.
But not to worry. Thanks to Asbokid's toolkit, producing one is a fairly trivial exercise now I have the flashdump and have extracted the various components.
So the telnet user name and password have been changed, but would I be correct in understanding that this is only updated when the modem is reset?
What is the new user name and password?
I could tell you that but then I'd have to.... Oops... Sorry. Wrong movie
Here they are:
Username: mLQp%k=b
Password: hNdq/Kggn5n8XfFpd6uqzQ==
Oh, I'm sorry. Did I forget to mention they've been obphosilogged?
Seriously, this isn't BGW. Unless Huawei/Openreach have blundered badly in implementing whatever hash and/or encryption method they're using, they're virtually bulletproof.
With what I learned today (see below), I suspect the only way to regain access is to replace the config.
But I'm a little perplexed. I know that whilst some (including me - and I believe you) lost telnet access, others have not. If I'm correct the update doesn't appear to be working 100% as BT intended if its sole purpose is to block modem access. Or am I missing something?
No, you're not missing anything the rest of us didn't.
I was looking at the following two areas of Asbokid's memory map with the idea of re-enabling telnet by rewriting the config block using the JTAG port.
B875 0000 - B875 FFFF CMS config.xml for MAIN image (0x4F48 of 0x10000 bytes used)
B876 0000 - B876 FFFF CMS config.xml for SLAVE image (0x4F48 of 0x10000 bytes used)
'MAIN' was completely blank (0xFF) and 'SLAVE' contained the string 'invaild' at address B8760000, the rest was blank (0xFF).
I remembered seeing an error msg about a config file in the boot log so I took another look and found the following.
Waiting for cli start! |Config File is error. Havn't start or end tag.
Now read the backup configuration!!!
The second Config File is error. Havn't start or end tag.
read default config file!!!!!!!!!!!
I wasn't able to alter the boot flag so I re-flashed the 'plain' unlocked firmware, rebooted and got the same msg. I then changed the admin password to 'Huawei', rebooted again and the error msg was gone. Just the 'Waiting for cli start!' msg remained.
Both areas now contained identical copies of the changed config.
Restoring the default settings by pressing the button and through the web interface erases both areas and writes the string 'invaild' at the start. So it looks like these are actually the 'user defined' master and backup configs for both images. They are only created when the config is changed from the default.
This is why some people still had telnet access while others lost both.
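The region states described in the post above can be checked mechanically on a flash dump. The following is an added example, not part of the original post or of Asbokid's toolkit: it classifies the two 0x10000-byte config regions and reports which config the boot sequence in the log would fall through to. The flash base address and the "XML text begins with `<` and ends with `>`" test are assumptions, and all function names are hypothetical.

```python
REGION_SIZE = 0x10000                           # size of each region in the memory map
MAIN_ADDR, SLAVE_ADDR = 0xB8750000, 0xB8760000  # addresses from the memory map
RESET_MARKER = b"invaild"                       # spelled exactly as found in the dump

def pad(data: bytes) -> bytes:
    """Build a constructed region: data followed by erased-flash 0xFF bytes."""
    return data.ljust(REGION_SIZE, b"\xff")

def region_at(dump: bytes, addr: int, flash_base: int) -> bytes:
    """Slice one region out of a full dump. flash_base (the mapped address of
    dump offset 0) is not given in the post, so the caller must supply it."""
    off = addr - flash_base
    if off < 0 or off + REGION_SIZE > len(dump):
        raise ValueError(f"region {addr:#x} lies outside the dump")
    return dump[off:off + REGION_SIZE]

def classify(region: bytes) -> str:
    """Return 'blank', 'reset-marker', 'config' or 'damaged'."""
    if len(region) != REGION_SIZE:
        raise ValueError("region must be exactly 0x10000 bytes")
    body = region.rstrip(b"\xff")               # drop erased-flash padding
    if not body:
        return "blank"
    text = body.rstrip(b"\x00").strip()
    if text == RESET_MARKER:
        return "reset-marker"
    # Assumption: a usable config is XML text with a start and an end tag,
    # which is what the boot log's "start or end tag" complaint suggests.
    if text.startswith(b"<") and text.endswith(b">"):
        return "config"
    return "damaged"

def boot_config_source(main: bytes, slave: bytes) -> str:
    """Mirror the fallback order in the boot log: first, backup, default."""
    if classify(main) == "config":
        return "main"
    if classify(slave) == "config":
        return "backup"
    return "default"

if __name__ == "__main__":
    # Constructed sample: the state seen in the dump (MAIN blank, SLAVE marker).
    main, slave = pad(b""), pad(RESET_MARKER)
    print(classify(main), classify(slave), boot_config_source(main, slave))
```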