Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Pages: [1] 2 3 ... 22

Author Topic: HG612 new firmware - Preliminary results.  (Read 214705 times)

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
HG612 new firmware - Preliminary results.
« on: October 22, 2013, 09:26:34 PM »

I got the usb ttl interface today. Took things slowly and carefully as it's been a while since I did any soldering but it actually went quite well despite that.

I've now got a full flash dump of the new firmware. According to the header info, this is software version V100R001C01B030SP06.

At a first pass it looks like this update is solely about removing access to the modem. Greybeard was right about the web interface files being missing (webidx and webimg). The binary is also gone (/bin/web), along with the bftpd and tr064 binaries.

There are also two significant changes in the default config. The telnet username and password have been changed and LAN2 appears to have been disabled rather than simply relying on the firewall setting to block access. <LANEthernetInterfaceConfigInstance> entries 2-4 now have Enable="0".

I shall take a closer look tomorrow but it's not looking too good at the moment  :(
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: HG612 new firmware - Preliminary results.
« Reply #1 on: October 22, 2013, 10:01:30 PM »

Well done Wolfy. :thumbs:

Do you think it might be feasible to extract the latest Broadcom driver blob and insert it into the earlier version of the firmware?
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 34012
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: HG612 new firmware - Preliminary results.
« Reply #2 on: October 22, 2013, 10:38:20 PM »

Thank you for the progress report

Quote
The telnet username and password have been changed and LAN2 appears to have been disabled rather than simply relying on the firewall setting to block access.

The removal of the GUI could perhaps be explained as 'lazyness' or to make more room if we were being generous.  However your new findings would certainly suggest an attempt to block access.   

Why Ive no idea what they think they are going to achieve - its not like anything bad can be done.   The ones who currently have an unlocked version are hardly the type who are going to be messing and botch things up then go crying to BT.  The HH5 is just being released as an all in unit so why do this on something that will soon no longer be supplied?   Whats the big deal about getting information about your line?

Oh wait!  We can tell if theres something wrong, rather than just accept what were told. 
The sooner the likes of Netgear et all get their act together and start producing a half decent affordable VDSL router the better.
Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: HG612 new firmware - Preliminary results.
« Reply #3 on: October 22, 2013, 11:06:10 PM »

Quote
The sooner the likes of Netgear et all get their act together and start producing a half decent affordable VDSL router the better.

Or the OpenWrt wizards put together a release suitable for the Lantiq powered HH5, perhaps?  :-\

I'm sure there is somebody, somewhere, with their 'disembowelling tongs' at the ready, just waiting for a HH5 to become available.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Greybeard33

  • Member
  • **
  • Posts: 56
Re: HG612 new firmware - Preliminary results.
« Reply #4 on: October 22, 2013, 11:42:19 PM »

There are also two significant changes in the default config. The telnet username and password have been changed and LAN2 appears to have been disabled rather than simply relying on the firewall setting to block access. <LANEthernetInterfaceConfigInstance> entries 2-4 now have Enable="0".
In view of this, it is puzzling that the remote update process does not always reset the config to default.
Logged

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: HG612 new firmware - Preliminary results.
« Reply #5 on: October 23, 2013, 02:29:31 AM »

Well done Wolfy. :thumbs:

Thank you. It's nice to have one's efforts appreciated  :blush:


Do you think it might be feasible to extract the latest Broadcom driver blob and insert it into the earlier version of the firmware?

I'm not sure. The kernel has been rebuilt (Sat Jun 1 18:28:34 CST 2013) so it might not load in the older one. It's certainly something I'm going to try.

Along with the no doubt doomed attempt to restore the web interface  :-\

I going to start with something much simpler of course, re-enabling telnet access. That should be fairly straight forward. Two settings plus the firewall level if I've read things correctly.

I'm going to take a closer look at the differences between the old and new root filesystems first before I do that.


Oh wait!  We can tell if theres something wrong, rather than just accept what were told. 

Yep. That would be it  ::)


There are also two significant changes in the default config. The telnet username and password have been changed and LAN2 appears to have been disabled rather than simply relying on the firewall setting to block access. <LANEthernetInterfaceConfigInstance> entries 2-4 now have Enable="0".
In view of this, it is puzzling that the remote update process does not always reset the config to default.

Yes indeed. The only thing I can think of is some change in the config is responsible. I'm tempted to run it through the update cycle again with a changed LAN IP but that would bring everything else to a halt as I don't have a spare... spare modem  :lol:
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: HG612 new firmware - Preliminary results.
« Reply #6 on: October 23, 2013, 03:09:02 AM »

Are you saying that you do not have a copy of the current firmware image in a suitable state so that it can be uploaded to the device, via the Broadcom boot-loader?  :-\
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4315
Re: HG612 new firmware - Preliminary results.
« Reply #7 on: October 23, 2013, 10:25:54 AM »

So the telnet user name and password has been changed, but would I be correct in understanding that this is only updated when the modem is reset?

What is the new  user name and password?
Logged
Formerly restrained by ECI and ali,  now surfing along at 1147/105  ;D

bbnovice

  • Reg Member
  • ***
  • Posts: 267
Re: HG612 new firmware - Preliminary results.
« Reply #8 on: October 23, 2013, 05:33:53 PM »


At a first pass it looks like this update is solely about removing access to the modem. Greybeard was right about the web interface files being missing (webidx and webimg). The binary is also gone (/bin/web), along with the bftpd and tr064 binaries.

I shall take a closer look tomorrow but it's not looking too good at the moment  :(

Hats off to you Wolfy !!!!  ;D

But I'm a little perplexed. I know that whilst some (including me - and I believe you) lost telnet access, others have not. If I'm correct the update doesn't appear to be working 100% as BT intended if its sole purpose is to block modem access. Or am I missing something?

BBN 
Logged

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: HG612 new firmware - Preliminary results.
« Reply #9 on: October 23, 2013, 06:48:27 PM »

Are you saying that you do not have a copy of the current firmware image in a suitable state so that it can be uploaded to the device, via the Broadcom boot-loader?  :-\

A slight mis-communication there. It was simply a way of testing what effect, if any, changing the config would have on the update process.

Although now you mention it... I don't have a copy of the new firmware image suitable for uploading  :-\

But not to worry. Thanks to Asbokid's toolkit producing one is a fairly trivial exercise now I have the flashdump and have extracted the various components  ;D


So the telnet user name and password has been changed, but would I be correct in understanding that this is only updated when the modem is reset?

What is the new  user name and password?

I could tell you that but then I'd have to....  Oops... Sorry. Wrong movie  ;D

Here they are:

Username: mLQp%k=b
Password: hNdq/Kggn5n8XfFpd6uqzQ==


Oh I'm sorry. Did I forget to mention they've been obphosilogged :P

Seriously, this isn't BGW. Unless Huawei/Openreach have blundered badly in implementing whatever hash and/or encryption method they're using, they're virtually bulletproof.

With what I learned today (see below), I suspect the only way to regain access is to replace the config.


But I'm a little perplexed. I know that whilst some (including me - and I believe you) lost telnet access, others have not. If I'm correct the update doesn't appear to be working 100% as BT intended if its sole purpose is to block modem access. Or am I missing something?

No, you're not missing anything the rest of us didn't.

I was looking at the following two areas of Asbokid's memory map with the idea of re-enabling telnet by rewriting the config block using the jtag port.

Code: [Select]
B875 0000 - B875 FFFF   CMS config.xml for MAIN image (0x4F48 of 0x10000 bytes used)
B876 0000 - B876 FFFF   CMS config.xml for SLAVE image (0x4F48 of 0x10000 bytes used)

'MAIN' was completely blank (0xFF) and 'SLAVE' contained the string 'invaild' at address B8760000, the rest was blank (0xFF).

I remembered seeing an error msg about a config file in the boot log so I took another look and found the following.

Code: [Select]
Waiting for cli start! |Config File is error. Havn't start or end tag.
Now read the backup configuration!!!
The second Config File is error. Havn't start or end tag.
read default config file!!!!!!!!!!!

I wasn't able to alter the boot flag so I re-flashed the 'plain' unlocked firmware, rebooted and got the same msg. I then changed the admin password to 'Huawei', rebooted again and the error msg was gone. Just the 'Waiting for cli start!' msg remained.

Both areas now contained identical copies of the changed config.

Restoring the default settings by pressing the button and through the web interface erases both areas and writes the string 'invaild' at the start. So it looks like these are actually the 'user defined' master and backup configs for both images. They are only created when the config is changed from the default.

This is why some people still had telnet access while others lost both.

« Last Edit: October 23, 2013, 07:03:12 PM by Howlingwolf »
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7478
  • AAISP CF
Re: HG612 new firmware - Preliminary results.
« Reply #10 on: October 23, 2013, 08:12:39 PM »

wow seems a mess, I think the easiest option is probably new blob on old firmware. I dont think the kernel version will be an issue for that.
Logged

Greybeard33

  • Member
  • **
  • Posts: 56
Re: HG612 new firmware - Preliminary results.
« Reply #11 on: October 23, 2013, 08:51:40 PM »

Restoring the default settings by pressing the button and through the web interface erases both areas and writes the string 'invaild' at the start. So it looks like these are actually the 'user defined' master and backup configs for both images. They are only created when the config is changed from the default.

This is why some people still had telnet access while others lost both.
Ah, so those of us who have still got telnet access must have saved a change to the config after flashing the unlocked firmware? In my case I am struggling to remember making any change - maybe something to do with the logging.

For anyone who wants to get telnet access back but keep the new BLOB, I guess the easiest way would be to re-flash the original unlocked firmware, save some minor change to the config through the web UI, then wait for the BT Agent to re-flash the update?
Logged

Howlingwolf

  • Reg Member
  • ***
  • Posts: 107
Re: HG612 new firmware - Preliminary results.
« Reply #12 on: October 24, 2013, 02:52:51 AM »

wow seems a mess, I think the easiest option is probably new blob on old firmware. I dont think the kernel version will be an issue for that.

heh. It only seems like a mess because I tried to explain how I reached my conclusions.

As for blobs and other entities...  Patience young human, patience. I'm getting there  ;)


Ah, so those of us who have still got telnet access must have saved a change to the config after flashing the unlocked firmware? In my case I am struggling to remember making any change - maybe something to do with the logging.

I've since tested that 'update with changed config' scenario by changing the config then flashing the original, unmodified B030SP10 firmware. I still had telnet access until I restored the defaults.


For anyone who wants to get telnet access back but keep the new BLOB, I guess the easiest way would be to re-flash the original unlocked firmware, save some minor change to the config through the web UI, then wait for the BT Agent to re-flash the update?

Indeed you could...

Or alternatively you could use the new firmware image I've built for the purpose  :P


The following MEGA folder contains three files:

bcm96368MVWG_fs_kernel_HG612V100R001C01B028SP10_no-btagent - B028SP10 based firmware.
- 'New' blob (A2pv6C035m.d22g). A2pv6C038m.d24j
- BTAgent, web interface component and BT firewall settings stripped.
- ptm1.301 'back channel' removed.
- ACS wan access rule removed from standard firewall setting.
- Default timezone set to GMT (was Beijing), uk.pool.ntp.org ntp servers added to list.
- Save config option restored.
- Minor typo and grammatic errors corrected.
bcm96368MVWG_fs_kernel_HG612V100R001C01B030SP06_original - The latest version. No changes. Locked.
bcm96368MVWG_fs_kernel_HG612V100R001C01B030SP06_unlocked - Unlocked version of the above.
- Telnet username and password replaced.
- LAN Ethernet interfaces 2-4 re-enabled
- BT firewall settings stripped

https://mega.co.nz/#F!LdJFDIJL!e_E1twsIg2kTet8mPjrb4w


The B028SP10 version is the one I mentioned before. It's been 'on test' for a week now and appears to be perfectly stable. I'm unable to judge how well it performs compared to the original SP10 blob as I had a line fault repaired just as the new firmware was being pushed out.

Both the locked and unlocked variants of the new firmware have been flashed and boot cleanly. Telnet access is available on the latter using the same defaults as before. Neither has been 'line tested' as yet but there is no reason to expect any problems in that area.

As always, let me know if there are any problems, comments, suggestions, etc.


Please see this thread for latest firmware updates (Aug 2014)
http://forum.kitz.co.uk/index.php?topic=14262.0



[edited by Admin to correct firmware version]
edited by Admin to point to new firmware version
« Last Edit: August 09, 2014, 08:59:23 PM by kitz »
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4315
Re: HG612 new firmware - Preliminary results.
« Reply #13 on: October 24, 2013, 06:22:06 AM »

Well done  Howlingwolf, you're a star  :thumbs:

I shall be downloading as soon as I get my PC turned on. 
Logged
Formerly restrained by ECI and ali,  now surfing along at 1147/105  ;D

roseway

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 43872
  • Penguins CAN fly
    • DSLstats
Re: HG612 new firmware - Preliminary results.
« Reply #14 on: October 24, 2013, 07:48:18 AM »

That's great work HW!
Logged
  Eric
Pages: [1] 2 3 ... 22