Documenting some findings on the software side of the Sagemcom F@st 2764 GV modem. It appears to be more secure than the F@ST 1704 in terms of who gets to build and run code on the device. It is also incredibly more annoying to run a simple "ls" on!
First of all, the modem is running the latest firmware version pushed out remotely by GVT so far, v8380, at runlevel 4. Any modification or procedure described here can damage/brick your modem, so it is entirely your responsibility if you try anything described here!
I noticed there are already efforts to "unlock" the modem a bit over at PortalADSL (this specific thread).
As shown in the teardown, the 2764 GV has a serial port and, possibly, JTAG. The first step was to check whether the serial port was enabled and what it would print (the boot log), which would give us good information about the software (the log has been "sanitized"):
SAGEM Secure-boot SU2_2_3 fast_2764
CPU: IKANOS Fusiv 180 Family
PCI: 33 MHz
DRAM: 128 MB
Flash: 32 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: emac1
PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1
Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
Searching valid operational firmware
Operational Firmware validated at address be000000
good regular firmware at @0xBE000000 with key @0xBF018411
No bootloader arg partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000
kernel args update done
Launch regular code from flash
alarmLEDMode(E_FLASH)!
bootm BE000140
## Booting image at be000140 ...
   Image Name:   FAST2764_v8380.img
   Created:      2012-06-08 14:08:37 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    10492534 Bytes = 10 MB
   Load Address: 80010000
   Entry Point:  802e7000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
Starting kernel ...

Linux version 2.6.16.26 #1 Fri Jun 8 16:08:23 CEST 2012
argc 9
arg env memsize=128
memsize board_memsize = 128
env memsize=128
env initrd_start=0xA0000000
env initrd_size=0x0
flash_start be000000
env flash_start=0xBE000000
board_flash_size 2000000
env flash_size=0x2000000
arg[1] root=/dev/mtdblock6
arg[2] ro
arg[3] rootfstype=squashfs
arg[4] operational_start=0xbe000000
arg[5] rescue_start=0xbf080000
arg[6] myfs_start=0xbea20000
arg[7] type=operational
arg[8] image_addr=0xBE000000
CPU revision is: 0001964c
Determined physical RAM map:
 memory: 07800000 @ 00000000 (usable)
Built 1 zonelists
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 512 (order: 9, 8192 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 108828k/122880k available (2368k kernel code, 13900k reserved, 535k data, 136k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction... available.
NET: Registered protocol family 16
Fusiv PCI: starting...
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
Bluetooth: Core ver 2.8
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
fs/cramfs_block_uncompressed created
NTFS driver 2.1.26 [Flags: R/O].
incomplete dynamic bit lengths tree
Initializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
Random: 0x9c448df9
Serial: 8250/16550 driver $Revision: 1.9.6.1 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO map 0xb9020000 mem 0xb9020000 (irq = 6) is a 16450
serial8250: ttyS1 at MMIO map 0xb90a0000 mem 0xb90a0000 (irq = 29) is a 16450
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: Ikanos On-Chip EHCI Host Controller
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: new USB bus registered, assigned bus number 1
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: irq 35, io mem 0x19230000
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: Ikanos On-Chip OHCI Host Controller
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: new USB bus registered, assigned bus number 2
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: irq 35, io mem 0x19240800
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new driver usblp
/filer1_vol11/dev_projets5/liveboxProV3/dev/diep/Gvt/3.8.0/checkoutdir/openrg/package/rg/os/linux-2.6/drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
u32 classifier
    OLD policer on
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 2, 16384 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
NET: Registered protocol family 1
NET: Registered protocol family 17
Bluetooth: L2CAP ver 2.8
Bluetooth: L2CAP socket layer initialized
Bluetooth: SCO (Voice Link) ver 0.5
Bluetooth: SCO socket layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM ver 1.7
Bluetooth: BNEP (Ethernet Emulation) ver 1.2
Bluetooth: BNEP filters: protocol multicast
NET: Registered protocol family 8
NET: Registered protocol family 20
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
openrg_flash: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
openrg_flash: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 1 MTD partitions on 'openrg_flash':
0x00000000-0x02000000 : 'openrg'
openrg_flash: detected at 0x1e000000 size 33554432 bytes
Freeing unused kernel memory: 136k freed
Version: 4.9.4.FAST2764_v8380
Platform: Sagem 2764 Vox180
Compilation Time: 08-Jun-12 13:33:23
Tag: NRD_?bldorg?rg_liveboxPro-V3_0-0-1
Compilation Flags: SOUCHE_DEVICE_DISCOVERY=y CONFIG_TELEFONICA=y CONFIG_VDSL=y CONFIG_ROUTING_WITH_DSPRULES=y CONFIG_37xx_STANDARD=y CONFIG_SAGEM_DLNA=y CONFIG_SIP_UNREGISTER_ON_REBOOT=y CONFIG_DYNAMIC_VLAN_CONFIG=y CONFIG_PPP_NO_DHCP_DISCOVERY=y CONFIG_PPP_NO_NOTIFY=y CONFIG_UPNP_HIDE_INVOQUE_FORCE_TERMINATION=y CONFIG_UPNP_HIDE_INVOQUE_REQUEST_CONNECTION=y CONFIG_UPNP_HIDE_INVOQUE_REQUEST_TERMINATION=y CONFIG_UPNP_IGD_PASSWORD=y CONFIG_UPNP_DEVICE_LAN_MODEL_NAME=Sagem_IGD_LAN CONFIG_UPNP_DEVICE_WAN_CON_MODEL_NAME=Sagem_IGD_WANConnection CONFIG_UPNP_DEVICE_WAN_MODEL_NAME=Sagem_IGD_WAN CONFIG_UPNP_DEVICE_MODEL_NUMBER=000 CONFIG_UPNP_DEVICE_MANUFACTURER_URL=www.gvt.com.br CONFIG_UPNP_DEVICE_MANUFACTURER=Sagem CONFIG_UPNP_IGD_DEVICE_TITLE=Sagem_Internet_Gateway_Device CONFIG_RGCONF_MIGRATION=y CONFIG_SOUCHE_RECONF=y CONFIG_SAGEM_DB_ACCESS=y CONFIG_SAGEM_IPPRINT=y CONFIG_USB_PRINTER=y CONFIG_HFS_FS=y CONFIG_HFSPLUS_FS=y CONFIG_PIN_ACTIVE_WIFI=y CONFIG_SSID2=y CONFIG_MULTI_SSID=y CONFIG_SAGEM_WIFI_MAC_ADDRESS=y CONFIG_SAGEM_WIFI_MODE_11N=y CONFIG_DHCPS_SEND_NO_PADI=y CONFIG_DHCPS_INTERFACES=br0 CONFIG_LIVEBOX_VOIP=y CONFIG_LOG_ENTITIES=0 CONFIG_KALLSYMS=y CONFIG_RG_GDBSERVER=y CONFIG_LIVEBOX_TV=y CONFIG_ETH_PRE_LG=5 CONFIG_MODE_ETHERNET=y CONFIG_SOUCHE_USE_EXTERNAL_OPENSSL=y DIST=SAGEM_376X CONFIG_GVT=y CONFIG_INTERNAL_FIRMWARE_VERSION=8.3.8.0 CONFIG_FIRMWARE_VERSION=FAST2764_v8380 LIC=../../../license/jpkg_ikanos_vx.lic
User Information: G078000@VZX00000 /filer1_vol11/dev_projets5/liveboxProV3/dev/diep/Gvt/3.8.0/checkoutdir/openrg/package/rg
###### rg_conf/network/rg_mac_wifi = 4c:17:eb:xx:xx:xx ######
###### generated_mac_wifi = 4c:17:eb:xx:xx:xx ######
############### Mode_Bridged = 0 ######################
############### xdsl_mode = 1 ######################
###### Kernel Debug mode (rg_conf/kernel/debug) = 0 ######
insmod: add-symbol-file build/debug/hard_watchdog_module.o 0xc0004000 -s .data 0xc0005820 -s .bss 0xc0005960
HardwareWatchdogInitialize : NORMAL BOOT
HardwareWatchdogInitialize :: --- WATCHDOG -- INITIALIZED with ED72 value (i.e. 5999ms)
HardwareWatchdogInitialize :: --- WATCHDOG -- Pacify timer of 2000 ms STARTED
insmod: add-symbol-file build/debug/be_pppoa_mod.o 0xc0007000 -s .data 0xc0008710 -s .bss 0xc0008860
insmod: add-symbol-file build/debug/fusivlib.o 0xc0022000 -s .data 0xc002eb50 -s .bss 0xc0030ee0
fusiv library initializing...
Buffer Copy Through DMA is enabled
fusiv library initialized SUCCESSFULLY...
insmod: add-symbol-file build/debug/bus_arbiter_lkm.o 0xc000a000 -s .data 0xc000b380 -s .bss 0xc000b4e0
vox bus arbiter interrupt handlers registered
insmod: add-symbol-file build/debug/opensrc_lkm.o 0xc0002000 -s .data 0xc00026d0 -s .bss 0xc0002820
insmod: add-symbol-file build/debug/bm.o 0xc0014000 -s .data 0xc0017170 -s .bss 0xc0017340
Buffer Manager is initializing...
BMU GIGE clock
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0000
Load into BM APU Successful !!!
Buffer Manager initialized SUCCESSFULLY...
insmod: add-symbol-file build/debug/sysutil.o 0xc0019000 -s .data 0xc001c240 -s .bss 0xc001c380
insmod: add-symbol-file build/debug/timerlib.o 0xc0010000 -s .data 0xc0010de0 -s .bss 0xc0010f40
Timers are getting initalized
Timers are initilized SUCCESSFULLY...
insmod: add-symbol-file build/debug/ethdriver.o 0xc0044000 -s .data 0xc004bb20 -s .bss 0xc004e900
Module params: eth0_mii=0 eth1_mii=1
eth0: Netpro Sierra Ethernet found at 0xb9110000, irq 14
GIGE 1 clock
dev->baseAddr b9110000
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0010
eth0 interface configured in GMII mode
eth1: Netpro Sierra Ethernet found at 0xb9150000, irq 13
GIGE 2 clock
dev->baseAddr b9150000
SraPort_initializePort: phyAddr=0x1f: PHY attached
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0020
Ethernet Driver is initialized SUCCESSFULLY
insmod: add-symbol-file build/debug/vdsldriver_lkm.o 0xc003c000 -s .data 0xc003f9e0 -s .bss 0xc0040ec0
VDSL AP and VDSL PHY clocks are enabled
eth2: Netpro VDSL Ethernet found at 0x0, irq 36
>>> bmChangeMacList currNumConfiguredMacAddrs = 0 MAX_NUM_SUPPORTED_MAC_ADDRESSES = 4
0x0:0x1:0x2:0x3:0x4:0x7
User parameters for VDSL AP configured successfully
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0030
VDSL AP started successfully
VDSL Driver is initialized SUCCESSFULLY
insmod: add-symbol-file build/debug/periap.o 0xc0050000 -s .data 0xc0051c20 -s .bss 0xc0053c60
periApDriverInit: done
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0040
*******LOAD firmware to AP:PERI_ID result:0
Load into PERI_AP APU Successful !!!
insmod: add-symbol-file build/debug/ath_hal.o 0xc00e1000 -s .data 0xc014e5f0 -s .bss 0xc0158f20
ath_hal: 0.9.14.25 (AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, DEBUG, REGOPS_FUNC)
insmod: add-symbol-file build/debug/wlan.o 0xc015c000 -s .data 0xc019ae80 -s .bss 0xc019b740
wlan: 0.8.4.2 (Atheros/multi-bss)
insmod: add-symbol-file build/debug/ath_rate_atheros.o 0xc0066000 -s .data 0xc006b970 -s .bss 0xc0074440
ath_rate_atheros: Version 2.0.1
Copyright (c) 2001-2004 Atheros Communications, Inc, All Rights Reserved
insmod: add-symbol-file build/debug/ath_dfs.o 0xc0076000 -s .data 0xc007ec00 -s .bss 0xc007ed80
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc.
All Rights Reserved
insmod: add-symbol-file build/debug/wlan_wep.o 0xc000d000 -s .data 0xc000e830 -s .bss 0xc000e980
insmod: add-symbol-file build/debug/wlan_tkip.o 0xc0055000 -s .data 0xc0058410 -s .bss 0xc0058560
insmod: add-symbol-file build/debug/wlan_ccmp.o 0xc001e000 -s .data 0xc0020250 -s .bss 0xc00203a0
insmod: add-symbol-file build/debug/wlan_xauth.o 0xc0033000 -s .data 0xc0033300 -s .bss 0xc0033440
insmod: add-symbol-file build/debug/wlan_acl.o 0xc0038000 -s .data 0xc0039010 -s .bss 0xc0039160
wlan: mac acl policy registered
insmod: add-symbol-file build/debug/ath_pci.o 0xc019d000 -s .data 0xc01c8e00 -s .bss 0xc01c99e0
ath_pci: 0.9.4.5 (Atheros/multi-bss)
ath_pci: CR-LSDK-1.3.1.110_3-4-9_0-0-9
PCI: Enabling device 0000:00:03.0 (0000 -> 0002)
wifi%d ath_pci_probe Mac Address to configure 4c:17:eb:xx:xx:xx
ar5416InitMacAddr: Eeprom mac address read : 74:b4:92:xx:xx:xx
Chan Freq  RegPwr HT   CTL CTL_U CTL_L DFS
 1   2412n 27     HT20 1   0     1     N
 1   2412n 20     HT40 1   0     1     N
 2   2417n 20     HT40 1   0     1     N
 3   2422n 20     HT40 1   1     1     N
 4   2427n 20     HT40 1   1     1     N
 5   2432n 20     HT40 1   1     1     N
 6   2437n 20     HT40 1   1     1     N
 7   2442n 20     HT40 1   1     1     N
 8   2447n 20     HT40 1   1     1     N
 9   2452n 20     HT40 1   1     1     N
10   2457n 20     HT40 1   1     1     N
11   2462n 20     HT40 1   1     1     N
12   2467n 20     HT40 1   1     0     N
13   2472n 20     HT40 1   1     0     N
dfs_init_radar_filters: dfs->dfs_rinfo.rn_numradars: 0
DFS min filter rssiThresh = 18
DFS max pulse dur = 131 ticks
wifi0: 11ng rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: 11ng MCS: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
wifi0: mac 384.2 phy 15.15 radio 12.0
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wifi0: Use hw queue 7 for UAPSD
2xMaxPowerLevel: 32 (LEG)
2xMaxPowerLevel: 38 (LEG)
JXU: set the rxBufsize to 3851
wifi0: ath_pci_probe 320 Mac Address configured 4c:17:eb:xx:xx:xx
wifi0: Atheros 9287: mem=0x1a000000, irq=25 hw_base=0xba000000
insmod: add-symbol-file build/debug/one_module.o 0xc0249000 -s .main_flow 0xc02859d0 -s .data 0xc02a4de0 -s .bss 0xc02a6ca0
Loading license fe7cce03ae1ecdf8664e2a9d4237fffffffffffffffffffc702e282dad8703897fb79647f254aad168affffffffffffffffffe320ee12b21d44036dba65548ebd421923317a5e6fd3f30792f5c8c58bffffffffffffffffffffffffff.SAGEM
loading license key: SAGEM
loading license key: SAGEM
insmod: add-symbol-file build/debug/kleds_mod.o 0xc0035000 -s .data 0xc0036430 -s .bss 0xc00365c0
insmod: add-symbol-file build/debug/lb_jffs_mod.o 0xc0042000 -s .data 0xc0042200 -s .bss 0xc0042360
Creating 1 MTD partitions on 'openrg_flash':
0x01b00000-0x02000000 : 'jffs2'
Press ESC to enter BOOT MENU mode.
dd_openrg_init: registering openrg device discovery entity
MAPS:
00400000-006a9000 r-xp 00000000 00:09 1424660 /mnt/cramfs/bin/openrg
10000000-1005a000 rw-p 002a9000 00:09 1424660 /mnt/cramfs/bin/openrg
1005a000-10198000 rwxp 1005a000 00:00 0 [heap]
2aaa8000-2aaae000 r-xp 00000000 00:09 5828136 /mnt/cramfs/lib/ld-uClibc.so.0
2aaae000-2aaaf000 rw-p 2aaae000 00:00 0
2aab0000-2aab1000 rw-p 2aab0000 00:00 0
2aab2000-2aab3000 rw-s 00000000 00:06 0 /SYSV0000162e (deleted)
2aab4000-2aab5000 rw-s 00000000 00:06 32769 /SYSV0000162d (deleted)
2aaed000-2aaee000 rw-p 00005000 00:09 5828136 /mnt/cramfs/lib/ld-uClibc.so.0
2aaee000-2ab03000 r-xp 00000000 00:09 6887428 /mnt/cramfs/lib/libopenrg.so
2ab03000-2ab43000 ---p 2ab03000 00:00 0
2ab43000-2ab44000 rw-p 00015000 00:09 6887428 /mnt/cramfs/lib/libopenrg.so
2ab44000-2ab82000 r-xp 00000000 00:09 6604724 /mnt/cramfs/lib/libjutil.so
2ab82000-2abc1000 ---p 2ab82000 00:00 0
2abc1000-2abc6000 rw-p 0003d000 00:09 6604
insmod: add-symbol-file build/debug/wlan_scan_ap.o 0xc0060000 -s .data 0xc0063a80 -s .bss 0xc0063bc0
724 /mnt/cramfs/lib/libjutil.so
2abc6000-2abcc000 rw-p 2abc6000 00:00 0
2abcc000-2ac0a000 r-xp 00000000 00:09 6972316 /mnt/cramfs/lib/libssl.so.0.9.8
2ac0a000-2ac49000 ---p 2ac0a000 00:00 0
2ac49000-2ac4d000 rw-p 0003d000 00:09 6972316 /mnt/cramfs/lib/libssl.so.0.9.8
2ac4d000-2ad8d000 r-xp 00000000 00:09 6068352 /mnt/cramfs/lib/libcrypto.so.0.9.8
2ad8d000-2ada2000 rw-p 00140000 00:09 6068352 /mnt/cramfs/lib/libcrypto.so.0.9.8
2ada2000-2ada6000 rw-p 2ada2000 00:00 0
2ada6000-2ada8000 r-xp 00000000 00:09 6536492 /mnt/cramfs/lib/libdl.so.0
2ada8000-2ade7000 ---p 2ada8000 00:00 0
2ade7000-2ade8000 rw-p 00001000 00:09 6536492 /mnt/cramfs/lib/libdl.so.0
2ade8000-2adff000 r-xp 00000000 00:09 6942384 /mnt/cramfs/lib/librg_config.so
2adff000-2ae3e000 ---p 2adff000 00:00 0
2ae3e000-2ae40000 rw-p 00016000 00:09 6942384 /mnt/cramfs/lib/librg_config.so
2ae40000-2ae41000 rw-p 2ae40000 00:00 0
2ae41000-2ae5d000 r-xp 00000000 00:09 6691100 /mnt/cramfs/lib/libm.so.0
2ae5d000-2ae9d000 ---p 2ae5d000 00:00 0
2ae9d000-2ae9e000 rw-p 0001c000 00:09 6691100 /mnt/cramfs/lib/libm.so.0
2ae9e000-2aea0000
insmod: add-symbol-file build/debug/hw_qos_ikanos_mod.o 0xc0080000 -s .data 0xc0080900 -s .bss 0xc0080a80
r-xp 00000000 00:09 7139092 /mnt/cramfs/lib/libutil.so.0
2aea0000-2aedf000 ---p 2aea0000 00:00 0
2aedf000-2aee0000 rw-p 00001000 00:09 7139092 /mnt/cramfs/lib/libutil.so.0
2aee0000-2af1f000 r-xp 00000000 00:09 5864944 /mnt/cramfs/lib/libSwitch.so
2af1f000-2af5f000 ---p 2af1f000 00:00 0
2af5f000-2af60000 rw-p 0003f000 00:09 5864944 /mnt/cramfs/lib/libSwitch.so
2af60000-2af63000 r-xp 00000000 00:09 6062484 /mnt/cramfs/lib/libcrypt.so.0
2af63000-2afa2000 ---p 2af63000 00:00 0
2afa2000-2afa3000 rw-p 00002000 00:09 6062484 /mnt/cramfs/lib/libc
hw_qos_init:183 init module
rypt.so.0
2afa3000-2afb4000 rw-p 2afa3000 00:00 0
2afb4000-2afbe000 r-xp 00000000 00:09 6719784 /mnt/cramfs/lib/libmsg-api.so
2afbe000-2affd000 ---p 2afbe000 00:00 0
2affd000-2affe000 rw-p 00009000 00:09 6719784 /mnt/cramfs/lib/libmsg-api.so
2affe000-2b00b000 rw-p 2affe000 00:00 0
2b00b000-2b01a000 r-xp 00000000 00:09 6926012 /mnt/cramfs/lib/libpthread.so.0
2b01a000-2b059000 ---p 2b01a000 00:00 0
2b059000-2b05e000 rw-p 0000e000 00:09 6926012 /mnt/cramfs/lib/libpthread.so.0
2b05e000-2b060000 rw-p 2b05e000 00:00 0
2b060000-2b063000 r-xp 00000000 00:09 7130072 /mnt/cramfs/lib/libtr69If.so
2b063000-2b0a2000 ---p 2b063000 00:00 0
2b0a2000-2b0a3000 rw-p 00002000 00:09 7130072 /mnt/cramfs/lib/libtr69If.so
2b0a3000-2b104000 r-xp 00000000 00:09 5933304 /mnt/cramfs/lib/libc.so.0
2b104000-2b144000 ---p 2b104000 00:00 0
2b144000-2b146000 rw-p 00061000 00:09 5933304 /mnt/cramfs/lib/libc.so.0
2b146000-2b14a000 rw-p 2b146000 00:00 0
7fa38000-7fa4d000 rwxp 7fa38000 00:00 0 [stack]
insmod: add-symbol-file build/debug/igmp_proxy_mod.o 0xc008d000 -s .data 0xc0094190 -s .bss 0xc00942e0
insmod: add-symbol-file build/debug/rg_usfs.o 0xc0086000 -s .data 0xc0087510 -s .bss 0xc0087680
insmod: add-symbol-file build/debug/tcp_mss.o 0xc0000000 -s .data 0xc0000a00 -s .bss 0xc0000b80
insmod: add-symbol-file build/debug/rg_dhcp_pktfil.o 0xc0089000 -s .data 0xc008a440 -s .bss 0xc008a5c0
insmod: add-symbol-file build/debug/rg_ipv4.o 0xc0084000 -s .data 0xc0084440 -s .bss 0xc00845c0
IPV4 device driver registered
insmod: add-symbol-file build/debug/pppoe_relay.o 0xc009c000 -s .data 0xc009f800 -s .bss 0xc009f940
insmod: add-symbol-file build/debug/rg_pppoe_relay.o 0xc0082000 -s .data 0xc0082db0 -s .bss 0xc0082f20
insmod: add-symbol-file build/debug/ife6DriverLoad_mod.o 0xc0098000 -s .data 0xc0098440 -s .bss 0xc00985c0
Initializing IFE6 Driver Load module
insmod: add-symbol-file build/debug/watchdog_mod.o 0xc0096000 -s .data 0xc00969f0 -s .bss 0xc0096b60
Initializing Watchdog module
Initializing Watchdog module1
Initializing Watchdog module2
insmod: add-symbol-file build/debug/btn.o 0xc009a000 -s .data 0xc009ac40 -s .bss 0xc009ade0
insmod: add-symbol-file build/debug/qos_ingress.o 0xc00b7000 -s .data 0xc00b81b0 -s .bss 0xc00b8340
insmod: add-symbol-file build/debug/bmedrv.o 0xc00ba000 -s .data 0xc00bade0 -s .bss 0xc00bafa0
bmedrv_init: Region 0x07800000 - 0x07ffffff allocated successfully
BME Driver has been loaded SUCCESSFULLY
insmod: add-symbol-file build/debug/switch.o 0xc00bc000 -s .data 0xc00bd000 -s .bss 0xc00bd1c0
m88e6x6x switch driver for vx180 loaded
insmod: add-symbol-file build/debug/dspvoice.o 0xc02e0000 -s .data 0xc0318bc0 -s .bss 0xc031cd00
##################################################
# DSP Voice Module Part 1 Loading ...
Register /sys/sagem/voice SysCtl ... OK
Using: Software Voicedriver orig_2-1-17_3-6-1 : 2008
# DSP Voice Module Part 1 Loading Ok
##################################################
##################################################
# DSP Voice Module Part 2 Loading ...
Could not find DSP configuration file, setting to defaults
Save and reboot the system to effect the Codec Mode : 2
Total words found in /dsp/dsp218x_1ch_faxonly.dsp Image 31948
Total words found in /dsp/dsp218x_1ch_g729only.dsp Image 31948
Opening of DSP Image [/dsp/dsp218x_1ch_g711vad2only.dsp] failed! Error: 2
Registering Call Back Handlers
DSP TIME SLOT Assigned:260
DSP CLock Assigned:27
DSP Codec Type Assigned:2
DSP SPORT Control Reg Assigned:c30f
ADSP218x DOWNLOAD DONE !!!!
DSP Ver No:1.1
DSP TIME SLOT Assigned:40
DSP CLock Assigned:27
DSP Codec Type Assigned:2
DSP SPORT Control Reg Assigned:820f
ADSP218x DOWNLOAD DONE !!!!
DSP Ver No:1.1
Initialization SLIC system
Initializing Voice slic GPIO is 12
Initializing SPI Module
SAGEM SLIC card as SILABS
Initializing SLICs
Country use for SLIC BRAZIL
port 0 is Si32176
LOAD Si3217 PATCH for Rev B
No verif Si3217 patch version 0X09292009
Patch loaded successfully PATCH Ret=0
MDAC Calibration for channel other
Calibration ZCAL
Calibration Activate SLICs => 0
BRAZIL Initialization
osAssignInterrupt: Enable IRQ(17) for DSP
Enable IRQ for DSP
osAssignInterrupt: Enable IRQ(21) for DSP
Enable IRQ for DSP
# DSP Voice Module Part 2 Loading Ok
##################################################
insmod: add-symbol-file build/debug/rtp.o 0xc00d1000 -s .data 0xc00dbce0 -s .bss 0xc00dc7c0
##################################################
# RTP Stack Module Loading ...
Register /dev/rtp Device ...Register /sys/sagem/rtp SysCtl ...insmod: cannot open module `/lib/modules/relay.o': No such file or directory
Permanent Parameters were stored in Rgconf RAM
sg_gvt_entity_runlevel.c : action = 0, xdsl_mode = 1
Main process create child
wifi_init: Atheros Wifi card: device AR5416_DEVID_AR9287_PCI (Kiwi).
Atheros Wifi card found:
killall: twonkymediaserver: no process killed
ath0
ath1
mt_ma_open : entering in -------------------
mt_ma_start_process : entering in -------------------
opening reconfentity
Entity MAIN AUTOM ID IS 345
killall: twonkymediaserver: no process killed
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
To activate ar5xxx Debug traces set entry dev/wifi0/dev_ar5xxx_debug in rg_conf
To activate ar5xxx Debug traces set entry dev/wifi0/dev_ar5xxx_debug in rg_conf
device eth0 entered promiscuous mode
OS: VDSL daemon already running
Access: Failed to open bme module
2xMaxPowerLevel: 38 (LEG)
2xMaxPowerLevel: 38 (LEG)
JXU: set the rxBufsize to 3851
ath_newstate: ath0: INIT -> SCAN
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 10080, PF 0
JXU: set the rxBufsize to 3851
device ath0 entered promiscuous mode
To activate hostapd main Debug traces set entry dev/wifi0/hostapd_main_debug in rg_conf
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
eth2.600: Setting MAC address to 4c 17 eb xx xx xx.
VLAN (eth2.600): Underlying device (eth2) has same MAC, not checking promiscious mode.
eth2.602: Setting MAC address to 4c 17 eb xx xx xx.
VLAN (eth2.602): Underlying device (eth2) has same MAC, not checking promiscious mode.
eth2.4000: Setting MAC address to 4c 17 eb xx xx xx.
VLAN (eth2.4000): Underlying device (eth2) has same MAC, not checking promiscious mode.
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 2 - (2417), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 3 - (2422), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 4 - (2427), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
__BEI:load_rgconf_switch_config called__
__BEI:sg_switch_check_config called__
__BEI:sg_switch_write_config_files called__
__BEI:sg_switch_parse_config called__
__BEI:sg_switch_set_mode called__
__BEI:sg_switch_run_config called__
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 5 - (2432), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 6 - (2437), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
killall: twonkymediaserver: no process killed
ath_newstate: ath0: SCAN -> INIT
2xMaxPowerLevel: 38 (LEG)
JXU: set the rxBufsize to 3851
ath_newstate: ath0: INIT -> SCAN
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 10080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 2 - (2417), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 3 - (2422), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 4 - (2427), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 5 - (2432), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 6 - (2437), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 7 - (2442), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 8 - (2447), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 9 - (2452), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 10 - (2457), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 11 - (2462), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 12 - (2467), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 13 - (2472), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
******* channel 1 average rssi 0 noise floor 8364 final average rssi 16728
******* channel 1 average rssi 0 noise floor 8364 final average rssi 16728
******* channel 6 average rssi 6 noise floor 0 final average rssi 6
******* channel 11 average rssi 6 noise floor 1 final average rssi 8
find_best_11ng_centerchan: found best center chan: 6
ath_newstate: ath0: SCAN -> JOIN
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 6 - (2437), Flags 30080, PF 0
JXU: set the rxBufsize to 3851
ath_newstate: ath0: JOIN -> RUN
__BEI:sgconfigure_spq_scheduler:134 enable SPQ on AP:1 link speed:1000000000
_switch_free_switch_config called__
Main process create child
Main process create child
ls: /sys/devices/platform/*/*/[0-9]*-*/*/usb:lp*: No such file or directory
ls: /sys/devices/platform/*/*/[0-9]*-*/*/*/usb:lp*: No such file or directory
initprocess to launch : /etc/initprocess.sh 4
xdsl autodetect mode actif
CPE start address is a7800000
ipos system initialized
TwonkyMedia Version 4.4.18
BME 1 is coming up
LOG_SYSTEM: reading ini file: '/usr/local/mediaserver/twonkyvision-mediaserver.ini'.
Transfer to SDRAM Successful
BmeHw: Downloading BME 1 software .....!
BmeHw: Bme 1 software code downloaded successfully
The feature bit has been successfully modified for eth0 eth1 PERI VDSL APs...
******sysutil apfeature all vlanbridge enable******
alm freq 20 status freq 30
/tmp/dslSavedConfig.conf file not found
configuration file /etc/vdsl.conf:start______
configuration file /etc/vdsl.conf:start0______
OamOptionMask Set to 3
_____________________BEI:fpvdslconfigfile NULL__________________
taskUi: profileNum = 2
Sizeof ipos_port_profile=144
Please execute 'vdsl' in 3 seconds to enter into Supervisor mode
2 1 0
Changing port profile #2
BAND_PLAN=0x1 PTM MODE=0x0
OamoptionMask 3 optionMask 8
ath_tx_reset Started tx reset
ath_tx_reset Completed tx reset
ath_bstuck_tasklet: stuck beacon; resetting (bmiss count 36)
2xMaxPowerLevel: 38 (LEG)
Linux version 2.6.16.26... Sources, where? We also see u-boot being used as the bootloader. The "Secure-boot" and "use DSA signature" lines are intimidating.
Ok, a lot of interesting information can already be pulled from this log, but let's take it one step at a time. Getting access through the serial port/shell would be a good start. But that was not the case. As mentioned on the PortalADSL forum, after a certain firmware version, access through ttyS0 was disabled: it no longer responds to user input. Heck!
We have no firmware images available, there is no page for updating it, (…) maybe find another flaw in the web server that would let us into the device (as was the case with "index2.cgi").
Notice that u-boot detects 2 "potential" images in flash. Once the checksum is verified, the "operational" image is executed, which is exactly v8380. So the second image must be a recovery/fail-safe. If we could make u-boot fail, we might land in a recovery prompt, or else the supposed recovery image would come up.
How to do that? Glitch the flash! (don't try this!). While the kernel is being copied from flash to RAM, we could inject noise/faults on the flash data bus, so the data would be corrupted and the CRC would fail. This would not be permanent, which gives us some safety. Here is the result:
SAGEM Secure-boot SU2_2_3 fast_2764
CPU: IKANOS Fusiv 180 Family
PCI: 33 MHz
DRAM: 128 MB
Flash: 32 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: emac1
PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1
Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
Searching valid operational firmware
Operational Firmware validated at address be000000
good regular firmware at @0xBE000000 with key @0xBF018411
No bootloader arg partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000
kernel args update done
Launch regular code from flash
alarmLEDMode(E_FLASH)!
bootm BE000140
## Booting image at be000140 ...
   Image Name:   FAST2764_v8380.img
   Created:      2012-06-08 14:08:37 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    10492534 Bytes = 10 MB
   Load Address: 80010000
   Entry Point:  802e7000
   Verifying Checksum ... Bad Data CRC
alarmLEDMode(E_FLASH_RESCUE)!
Searching valid rescue firmware
Rescue Firmware validated at address bf080000
alarmLEDMode(E_BOOT_FLASH_RESCUE)!
recovery firmware at @0xBF080000 with key @0xBF0185A5 is OK
No bootloader arg partition not moved
updating kernel args
bootargs root=/dev/mtdblock5 ro rootfstype=squashfs rescue_start=0xbf080000 myfs_start=0xbfa20000 myfs_size=0x00000000 type=rescue image_addr=0xBF080000
kernel args update done
Launch recovery code from flash
bootm bf080130
## Booting image at bf080130 ...
   Image Name:   FAST2764_v82B0.img
   Created:      2011-07-28 16:06:09 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    10020917 Bytes = 9.6 MB
   Load Address: 80010000
   Entry Point:  802e7000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
Starting kernel ...
Linux version 2.6.16.26 #1 Thu Jul 28 18:05:57 CEST 2011
argc 9
arg memsize
board_memsize = 128
env memsize=128
env initrd_start=0xA0000000
env initrd_size=0x0
...
It works! And look, the recovery image is v82B0, known to still have index2.cgi. Also note that the arguments passed to the kernel are different, such as the root MTD device, and it is now called "rescue". The modem boots and works normally (syncs, authenticates) with this image. It is somewhat prone to crashes in this mode, due to incompatibilities between the old kernel and the new rootfs (8380). But it works (…).
Now the serial port works:
Username:
Password:
HomeGateway>
HomeGateway> help
help                      Show help for commands within this menu
Usage: help all - show all available commands in the current level
       help [category]...
       help [category]...
       help -s
Availble help Categories
help pvc - show help about PVC scan related commands
help conf - show help about Read and write HomeGateway configuration data
help FT commands - show help about FT commands
help FT atm commands - show help about FT atm commands
help FT sndcp commands - show help about FT sndcp commands
help vdsl - show help about VDSL commands
help upnp - show help about UPnP commands
help qos - show help about Control and display QoS data
help bridge - show help about API for managing ethernet bridge
help gvt - show help about Gvt configuration and control
help firewall - show help about Control and display Firewall and NAT data
help connection - show help about API for managing connections
help inet_connection - show help about API for managing internet connections
help wireless - show help about Wireless commands
help misc - show help about API for HomeGateway miscellaneous tasks
help firmware_update - show help about Firmware update commands
help log - show help about Controls HomeGateway logging behavior
help dev - show help about Device related commands
help kernel - show help about Kernel related commands
help system - show help about Commands to control HomeGateway execution
help flash - show help about Flash and loader related commands
help net - show help about Network related commands
help leds - show help about Leds control commands
help cmd - show help about Commands related to the Command module
Returned 0
HomeGateway> help all
Command Category pvc - PVC scan related commands
  scan                      Scan predefined vpi.vci to determine PPP protocol
  scan_restart              Restart PVC scan
  scan_status               Display PVC scan status
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category conf - Read and write HomeGateway configuration data
  factory                   Factory related commands
  print                     Print HomeGateway configuration
  set                       Set HomeGateway configuration path to value
  set_obscure               Set HomeGateway configuration path to an obscured value
  del                       Delete subtree from HomeGateway configuration
  ram_set                   Set HomeGateway dynamic configuration
  ram_print                 Print HomeGateway dynamic configuration
  reconf                    Reconfigure the system according to the current HomeGateway configuration
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category FT commands - FT commands
  save                      Save configurating to flash
  flash_chksum              Display all flash sections checksums
  atm                       atm
  sndcp                     sndcp
  vdsl                      VDSL commands
  upnp                      UPnP commands
  qos                       Control and display QoS data
  bridge                    API for managing ethernet bridge
  gvt                       Gvt configuration and control
  firewall                  Control and display Firewall and NAT data
  connection                API for managing connections
  inet_connection           API for managing internet connections
  wireless                  Wireless commands
  misc                      API for HomeGateway miscellaneous tasks
  firmware_update           Firmware update commands
  log                       Controls HomeGateway logging behavior
  dev                       Device related commands
  kernel                    Kernel related commands
  system                    Commands to control HomeGateway execution
  flash                     Flash and loader related commands
  net                       Network related commands
  leds                      Leds control commands
  exit                      Exit from the current CLI session
  help                      Show help for commands within this menu
Command Category FT atm commands - FT atm commands
  atm                       atm
  sndcp                     sndcp
  vdsl                      VDSL commands
  upnp                      UPnP commands
  qos                       Control and display QoS data
  bridge                    API for managing ethernet bridge
  gvt                       Gvt configuration and control
  firewall                  Control and display Firewall and NAT data
  connection                API for managing connections
  inet_connection           API for managing internet connections
  wireless                  Wireless commands
  misc                      API for HomeGateway miscellaneous tasks
  firmware_update           Firmware update commands
  log                       Controls HomeGateway logging behavior
  dev                       Device related commands
  kernel                    Kernel related commands
  system                    Commands to control HomeGateway execution
  flash                     Flash and loader related commands
  net                       Network related commands
  leds                      Leds control commands
  exit                      Exit from the current CLI session
  help                      Show help for commands within this menu
Command Category FT sndcp commands - FT sndcp commands
  sndcp                     sndcp
  vdsl                      VDSL commands
  upnp                      UPnP commands
  qos                       Control and display QoS data
  bridge                    API for managing ethernet bridge
  gvt                       Gvt configuration and control
  firewall                  Control and display Firewall and NAT data
  connection                API for managing connections
  inet_connection           API for managing internet connections
  wireless                  Wireless commands
  misc                      API for HomeGateway miscellaneous tasks
  firmware_update           Firmware update commands
  log                       Controls HomeGateway logging behavior
  dev                       Device related commands
  kernel                    Kernel related commands
  system                    Commands to control HomeGateway execution
  flash                     Flash and loader related commands
  net                       Network related commands
  leds                      Leds control commands
  exit                      Exit from the current CLI session
  help                      Show help for commands within this menu
Command Category vdsl - VDSL commands
  status                    Get VDSL line status
  BmeFirmVer                Get BME Firmware versions
  NeSnrAttn                 Get Near End SNR Margin and Attenuation
  displayAllPmCounters      Display All Performance Counters
  displayUsInfos            Display Far-end informations
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category upnp - UPnP commands
  igd                       IGD commands
  status                    Display UPnP status
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category qos - Control and display QoS data
  utilization               Connection utilization information
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category bridge - API for managing ethernet bridge
  connection                connect separate network interfaces to form one seamless LAN
  config                    Configure bridge
  info                      Print bridge information
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category gvt - Gvt configuration and control
  set                       Configure the gvt runlevel
  conf                      Display the gvt conf
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category firewall - Control and display Firewall and NAT data
  restart                   Stop and start Firewall & NAT
  start                     Start Firewall & NAT
  stop                      Stop Firewall & NAT
  filter                    Turn Firewall packet inspection on/off
  mac_cache_dump            Dump MAC cache data
  dump                      Display Firewall data
  variable                  Display variables of the firewall rules
  trace                     Trace packet traversal via the Firewall ruleset
  fastpath                  Turns firewall fastpath feature on/off (default is on)
  set_tr69_rule             Creates policy rules for TR69
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category connection - API for managing connections
  pppoe                     Configure pppoe interface
  l2tp_vpn                  Configure l2tpc interface
  pptp_vpn                  Configure pptpc interface
  pppoa                     Configure pppoa interface
  vlan                      Configure vlan interface
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category inet_connection - API for managing internet connections
  pppoe                     Configure pppoe internet connection
  l2tp                      Configure l2tpc internet connection
  pptp                      Configure pptpc internet connection
  pppoa                     Configure pppoa internet connection
  ether                     Configure ethernet internet connection
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category wireless - Wireless commands
  captive                   Wireless captive commands
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category misc - API for HomeGateway miscellaneous tasks
  pppos_start               Start PPPoS connection
  pppos_close               Close PPPoS connection
  print_ram                 print ram consumption for each process
  vlan_add                  Add VLAN interface
  top                       Profiling over event loop and estream
  wbm_debug_set             Stop and start WBM debug mode
  wbm_border_set            Stop and start WBM border mode
  wbm_session_release_all   Release all existing WBM sessions
  knet_hooks_dump           Dump to console which knet_hooks run on each device
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category firmware_update - Firmware update commands
  start                     Remotely upgrade HomeGateway
  cancel                    Kill running remote upgrade
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category log - Controls HomeGateway logging behavior
  filter                    Controls the CLI session logging behavior
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category dev - Device related commands
  mii_reg_get               Get Ethernet MII register value
  mii_reg_set               Set Ethernet MII register value
  mii_phy_reg_get           Get Ethernet MII register value
  mii_phy_reg_set           Set Ethernet MII register value
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category kernel - Kernel related commands
  sys_ioctl                 issue openrg ioctl
  meminfo                   Print memory information
  top                       Print HomeGateway's processes memory usage
  cpu_load_on               Periodically shows cpu usage.
  cpu_load_off              Stop showing cpu usage (triggered by cpu_load_on).
  cpu_load_avg              Shows average cpu usage of last 1, 5 and 15 minutes.
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category system - Commands to control HomeGateway execution
  die                       Exit from HomeGateway and return ret
  ps                        Print HomeGateway's tasks
  entity_close              Close an entity
  etask_list_dump           Dump back trace of all etasks
  restore_factory_settings  Restore factory configuration
  reboot                    Reboot the system
  ver                       Display version information
  print_config              Print compilation configuration. Search for option if specified
  exec                      Execute program
  cat                       Print file contents to console
  shell                     Spawn busybox shell in foreground
  date                      Print the current UTC and local time
  echo                      Echo arguments to console
  autoip_lan_mode           Configure the lan interface using Auto-IP
  igd_lan_mode              Configure the lan interface for normal IGD use
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category flash - Flash and loader related commands
  commit                    Save HomeGateway configuration to flash
  erase                     Erase a given section in the flash
  load                      Load and burn image
  boot                      Boot the system
  bset                      Configure bootloader
  layout                    Print the flash layout and content
  dump                      Dump the flash content
  lock                      Lock mtd region
  unlock                    Unlock mtd region
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category net - Network related commands
  dns_route                 Dyncamic Routing according to DNS replies
  igmp                      IGMP Proxy related commands
  host                      Resolve host by name
  ifconfig                  Configure network interface
  ping                      Test network connectivity
  rg_ifconfig               List HomeGateway Network Devices
  route                     Print route table
  main_wan                  Print the name of the current main wan device
  intercept_state           Print interception state
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category leds - Leds control commands
  led_power_set             Set POWER led
  led_wifi_set              Set WIRELESS led
  control_all_leds          Set ALL led
  led_secwifi_set           Set WIRELESS SECURITY led
  led_intnet_set            Set INTENRET led
  led_ftth_set              Set FTTH led
  led_dsl_set               Set DSL led
  led_tel1_set              Set PHONE1 led
  led_tel2_set              Set PHONE2 led
  led_rep1_set              Set REPONDEUR1 led
  led_rep2_set              Set REPONDEUR2 led
  led_usb1_set              Set USB1 led
  led_usb2_set              Set USB2 led
  relay_set                 Set RELAY
  led_hpna_set              Set HPNA led
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Command Category cmd - Commands related to the Command module
  exit                      Exit from the current CLI session
  help                      Show help for commands within this menu
Returned 0
Ok, without further ado:
HomeGateway> system shell
Temporary setting log_level off


BusyBox v1.01 (2005.09.07-07:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# help
Built-in commands:
-------------------
        . : break cd chdir continue eval exec exit export false hash help let
        local pwd read readonly return set shift times trap true type ulimit
        umask unset wait
# ls
bin    etc    home   mnt    sbin   tmp    var
dev    fstab  lib    proc   sys    usr
However, none of this is permanent. One reboot and we are back to square one. What if we could do a downgrade? But from where? There is no flashing interface, except via TR69, driven by GVT. And where would the images we need be? Well, for the second question: in the link pool, all the images I managed to get from GVT's servers, the same ones the modem fetches to update itself.
Let's go back to the OpenRG menu, before BusyBox. There is a sub-menu called "flash":
Command Category flash - Flash and loader related commands
  commit                    Save HomeGateway configuration to flash
  erase                     Erase a given section in the flash
  load                      Load and burn image
  boot                      Boot the system
  bset                      Configure bootloader
  layout                    Print the flash layout and content
  dump                      Dump the flash content
  lock                      Lock mtd region
  unlock                    Unlock mtd region
  exit                      Exit sub menu
  help                      Show help for commands within this menu
Let's look at the layout:
HomeGateway> flash layout
Flash layout:
Section 00 Type BOOT Range 0x01000000-0x01020000 MaxSize 0x00020000
  No more information.
Section 01 Type FACTORY Range 0x00000000-0x00000000 MaxSize 0xFFFFFF6C
  Uninitialized.
Section 02 Type CONF Range 0x01040000-0x01060000 MaxSize 0x0001FF6C
  Size 0x00004EE9 Name 'rg_conf' Checksum 0x0027C298 Counter 0x00000033 Start Offset 0x00000000
Section 03 Type CONF Range 0x01060000-0x01080000 MaxSize 0x0001FF6C
  Size 0x00004F99 Name 'rg_conf' Checksum 0x0027E1C4 Counter 0x00000032 Start Offset 0x00000000
Section 04 Type RECOVERY Range 0x01080000-0x01B00000 MaxSize 0x00A80000
  No more information.
Section 05 Type JFFS Range 0x01B00000-0x02000000 MaxSize 0x00500000
  No more information.
Section 06 Type IMAGE Range 0x00000000-0x01000000 MaxSize 0x01000000
  No more information.
Total 7 sections found.
Returned 0
Useful information! And the command we are interested in for now is "load" (I'll try to put the output of the other commands in a separate file).
flash> load
URL has not been specified and default URL is not set
Usage: load -u
Returned 1
Apparently the "load" command fetches the image directly from a URL and writes it to section <section> or to address <address>. So, if we want to update the 2764 GV's firmware, we should write an operational image to section 6. Let's try with the oldest image that can currently be obtained from GVT (the image is already in this project's file vault, since the modem is working, but it could come from a local HTTP server, for example):
flash> load -u http://tripleoxygen.net/files/router_hacking/sagemcom/f2764gv/firmware/stock/FAST2764_v82P6.img.secure -s 6
Wait a few minutes... and:
The new image can be checked with the "dump" command:
flash> dump -s 6
00000000: 60 4c 51 ea 2c 3b f3 1e e1 70 78 a1 61 2b 9b e0 |`LQ.,;...px.a+..|
00000010: 70 e3 b2 7b a9 26 e3 d1 43 c1 53 a2 5d 0a 60 79 |p..{.&..C.S.].`y|
00000020: 5d 9c 49 73 63 55 d6 e3 45 03 8c ab 8b 48 1e 74 |].IscU..E....H.t|
00000030: 00 03 00 00 00 00 00 00 46 41 53 54 32 37 36 34 |........FAST2764|
00000040: 5f 76 38 32 50 36 2e 69 6d 67 ff ff 00 00 00 00 |_v82P6.img......|
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070: 00 00 00 00 00 00 00 00 00 94 00 00 00 00 00 ac |................|
00000080: 00 00 00 00 00 00 00 00 00 00 00 ac 00 00 00 86 |................|
00000090: 00 00 00 00 00 00 01 40 00 92 f7 e3 00 00 00 00 |.......@........|
000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 72 6f 6f 74 |............root|
000000b0: 3d 2f 64 65 76 2f 6d 74 64 62 6c 6f 63 6b 36 20 |=/dev/mtdblock6 |
000000c0: 72 6f 20 72 6f 6f 74 66 73 74 79 70 65 3d 73 71 |ro rootfstype=sq|
000000d0: 75 61 73 68 66 73 20 6f 70 65 72 61 74 69 6f 6e |uashfs operation|
000000e0: 61 6c 5f 73 74 61 72 74 3d 30 78 62 65 30 30 30 |al_start=0xbe000|
000000f0: 30 30 30 20 72 65 73 63 75 65 5f 73 74 61 72 74 |000 rescue_start|
Reboot the modem, downgrade done! Obviously this is not very useful to the ordinary user, but since we now always have the serial port active, research is easier. Note that it is not possible to get the v82B0 image from GVT (they removed it). What is possible is to extract it from flash after a full dump. However, it is of the rescue type, and flashing it as operational may not be a good idea.
Ok, but flash glitches are risky. Another way I discovered later is the LAN_RESCUE mode the 2764 GV has:
- Unplug the modem from the outlet;
- Hold the reset button;
- Apply power and hold reset for a few seconds.
The LEDs will blink in a different pattern and at that moment the modem will try to boot via BOOTP over the network. Configure your DHCP & BOOTP client (such as TFTPD32 on Windows); the 2764 GV will try to load /tftpboot/kernel.img.
SAGEM Secure-boot SU2_2_3 fast_2764
CPU: IKANOS Fusiv 180 Family
PCI: 33 MHz
DRAM: 128 MB
Flash: 32 MB
Using default environment
In: serial
Out: serial
Err: serial
Net: emac1
PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1
Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
force recovery bootp tftp
alarmLEDMode(E_LAN_RESCUE)!
BOOTP broadcast 1
*** Unhandled DHCP Option in OFFER/ACK: 7
*** Unhandled DHCP Option in OFFER/ACK: 44
DHCP client bound to address 192.168.1.101
Using emac1 device
TFTP from server 192.168.153.1; our IP address is 192.168.1.101; sending through gateway 192.168.1.2
Filename '/tftpboot/kernel.img'.
Load address: 0x80800000
Loading: *checksum bad
checksum bad
checksum bad
checksum bad
T T T T T T T T T T
Retry count exceeded; starting again
BOOTP broadcast 1
*** Unhandled DHCP Option in OFFER/ACK: 7
*** Unhandled DHCP Option in OFFER/ACK: 44
DHCP client bound to address 192.168.1.101
Using emac1 device
TFTP from server 192.168.1.2; our IP address is 192.168.1.101
Filename '/tftpboot/kernel.img'.
Load address: 0x80800000
Loading: *################################################################
         #################################################################
         ...
         #################################################################
         ##########
done
Bytes transferred = 9699328 (940000 hex)
Launch recovery code from ram
alarmLEDMode(E_RAM_RESCUE)!
No bootloader arg partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbe940000 type=operational image_addr=0x80800000
kernel args update done
bootm 80800140
## Booting image at 80800140 ...
   Image Name:   FAST2764_v82P6.img
   Created:      2012-01-13 10:36:20 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    9631651 Bytes = 9.2 MB
   Load Address: 80010000
   Entry Point:  802e7000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
Starting kernel ...
Linux version 2.6.16.26 #1 Fri Jan 13 11:36:08 CET 2012
argc 9
arg memsize
board_memsize = 128
...
Despite the "kernel.img" name, the official images work perfectly, so just rename the version you want to send and you're done. The kernel is loaded into RAM and booted from there (so there is no risk in sending something wrong or a wrong version; just reset the modem). By sending an old version you gain access to the serial port and can then "play" or downgrade. And who knows, telnet?
Enabling the telnet daemon for research
Apparently only v82B0 was built with telnet support. If you want access this way to study the device (much better than via serial, and there is no need to take the modem apart), the following can be done:
- Put the modem in LAN_RESCUE mode (boot via BOOTP);
- Send the v82B0 image available in the vault (see the link pool);
- Access the configuration file through the index2.cgi maintenance link (System > Maintenance);
- Download the tar containing the HomeGateway.conf file (Download Configuration File);
- Open HomeGateway.conf, search for "(telnets(ports))" and replace it with "(telnets(ports(0(port(23)))))";
- Update the tar with this modified HomeGateway.conf;
- Upload the tar through the same maintenance page with "Upload Configuration File";
- Confirm.
The modem will restart, so it will come back on the new firmware version, not v82B0. Load the latter via BOOTP again. You will have telnet enabled. Hack away!
Keep in mind that the HomeGateway.conf change can also be made the way known on the PortalADSL forum, since the file is persistent. Also worth remembering: this v82B0 image is a rescue image and was extracted from a raw flash dump, so it is risky to write it to the device. Use it only via BOOTP!
I believe the modem's runlevel can be changed over the serial port, through the "gvt" sub-menu, "set" option. And then "flash commit". I haven't tested it yet.
Firmware image format
I researched the format only a little, but the "secure" extension on the official images tells us something... judging by the information in u-boot, the images may be signed with the DSA algorithm. Being asymmetric, the device would hold the public key and GVT the private one. So only GVT could generate valid images for the 2764 GV. Of course, if it were possible to replace the public key inside the modem with one whose private key we hold, bingo!
A quick analysis of the "libFU_TR69.so" library reveals interesting symbols:
DSA_SIG_free                          extern  000490FC  00000004  R . . . . . .
DSA_SIG_new                           extern  00049104  00000004  R . . . . . .
DSA_do_verify                         extern  0004913C  00000004  R . . . . . .
DSA_free                              extern  00049148  00000004  R . . . . . .
DSA_new                               extern  00049158  00000004  R . . . . . .
...
SHA1_Final                            extern  0004915C  00000004  R . . . . . .
SHA1_Init                             extern  00049180  00000004  R . . . . . .
SHA1_Update                           extern  00049160  00000004  R . . . . . .
...
TR69FU_check_CRC_validity             .text   00002450  0000015C  R . . . . . .
TR69FU_check_download_request         .text   00004FA8  000003E0  R . . . . . .
TR69FU_check_dsa_authencity           .text   00002708  00000468  R . . . . . .
TR69FU_check_flash_fw_dsa_validity    .text   00002B70  000004E8  R . . . . . .
TR69FU_check_flash_section_integrity  .text   00002124  00000040  R . . . . . .
TR69FU_check_fw_compatibility         .text   000023CC  00000084  R . . . . . .
...
TR69FU_normal_partion_is_valid        .text   0000585C  000000AC  R . . . . . .
TR69FU_rescue_partion_is_valid        .text   00005908  000000AC  R . . . . . .
TR69FU_verify_image_checksum          .text   00002164  00000018  R . . . . . .
...
rg_close_flash_section                extern  00049198  00000004  R . . . . . .
rg_ftell_flash_section                extern  00049168  00000004  R . . . . . .
rg_get_flash_section_size             extern  00049190  00000004  R . . . . . .
rg_lseek_flash_section                extern  00049150  00000004  R . . . . . .
rg_open_flash_section                 extern  0004912C  00000004  R . . . . . .
rg_read_flash_section                 extern  000491A4  00000004  R . . . . . .
rg_write_flash_section_chunk          extern  000490CC  00000004  R . . . . . .
update_sw_vers_from_rgconf_flash      .text   00004A6C  00000138  R . . . . . .
verify_checksum                       .text   0000217C  00000058  R . . . . . .
The original firmware file contains, at offset 0x140, a uImage header, typical of u-boot. The following script can be used for extraction ("cut" the first 0x140 bytes first!). The result is a gzip-compressed file, which can be decompressed with:
This decompressed image contains the kernel + a CRAMFS filesystem (search for "Compressed ROMFS").
I have a copy of mtdblock0, which corresponds to the exact 32 MB of flash. It also contains u-boot, which will help in studying the image signatures. Using the flash address/layout information that u-boot itself exposes, plus what it passes to the kernel, we can "dissect" the raw flash image in more detail.
... left for part 2!
Thanks to the people who started the research on the 2764 GV and for their discoveries!
Link pool
F@ST 2764 GV File vault (if anyone knows of versions other than those listed, please let me know)
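As an added example (my own code, not the author's extraction script and not anything from the Sagemcom/OpenRG firmware), a Python parser for the uImage header that u-boot prints during boot: it reads the 64-byte header at offset 0x140, recomputes the header and data CRC32 the way u-boot's "Verifying Checksum" step does, and only then extracts the gzip payload. The wrapper bytes in front of the header, the image name and the kernel payload are constructed sample data; the layout of the ".secure" wrapper itself is not decoded here.

```python
import gzip
import struct
import zlib
from dataclasses import dataclass

# u-boot legacy image header (include/image.h): 64 bytes, big-endian fields.
IH_MAGIC = 0x27051956
IH_HEADER_FMT = ">IIIIIIIBBBB32s"
IH_HEADER_LEN = struct.calcsize(IH_HEADER_FMT)  # 64
IH_COMP_GZIP = 1
# Offset of the uImage header inside the F@ST 2764 ".secure" file (from the
# post: "bootm BE000140" with image_addr=0xBE000000).
SECURE_WRAPPER_LEN = 0x140


@dataclass
class UImage:
    name: str
    size: int
    load_addr: int
    entry_point: int
    comp: int
    header_ok: bool
    data_ok: bool
    data: bytes


def parse_uimage(blob: bytes, offset: int = SECURE_WRAPPER_LEN) -> UImage:
    """Decode the header at `offset` and recompute both CRCs u-boot checks."""
    hdr = blob[offset:offset + IH_HEADER_LEN]
    if len(hdr) != IH_HEADER_LEN:
        raise ValueError("blob too short for a uImage header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     _os, _arch, _typ, comp, name) = struct.unpack(IH_HEADER_FMT, hdr)
    if magic != IH_MAGIC:
        raise ValueError(f"bad uImage magic 0x{magic:08x} at offset 0x{offset:x}")
    # The header CRC covers the header with its own ih_hcrc field zeroed.
    header_ok = zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) == hcrc
    data = blob[offset + IH_HEADER_LEN:offset + IH_HEADER_LEN + size]
    # A mismatch here is the "Bad Data CRC" u-boot reported on the glitched image.
    data_ok = len(data) == size and zlib.crc32(data) == dcrc
    return UImage(name.rstrip(b"\0").decode("ascii", "replace"),
                  size, load, ep, comp, header_ok, data_ok, data)


def build_uimage(name: str, payload: bytes, load: int, ep: int) -> bytes:
    """Assemble a minimal uImage (os=Linux, arch=MIPS, type=kernel, gzip)."""
    data = gzip.compress(payload)
    fields = [IH_MAGIC, 0, 0, len(data), load, ep, zlib.crc32(data),
              5, 5, 2, IH_COMP_GZIP, name.encode("ascii").ljust(32, b"\0")]
    fields[1] = zlib.crc32(struct.pack(IH_HEADER_FMT, *fields))  # ih_hcrc
    return struct.pack(IH_HEADER_FMT, *fields) + data


def extract_kernel(blob: bytes, offset: int = SECURE_WRAPPER_LEN) -> bytes:
    """Return the decompressed payload, refusing anything that fails a CRC."""
    img = parse_uimage(blob, offset)
    if not img.header_ok:
        raise ValueError("Bad Header CRC")
    if not img.data_ok:
        raise ValueError("Bad Data CRC")
    if img.comp != IH_COMP_GZIP:
        raise ValueError(f"unexpected compression type {img.comp}")
    return gzip.decompress(img.data)


def flip_bit(blob: bytes, pos: int) -> bytes:
    """Corrupt one bit at `pos`, modelling a single fault during the flash copy."""
    return blob[:pos] + bytes([blob[pos] ^ 0x01]) + blob[pos + 1:]


# Constructed sample: 0x140 placeholder wrapper bytes followed by a uImage
# carrying the load/entry addresses u-boot printed for the real images.
SAMPLE_KERNEL = b"constructed MIPS kernel payload " * 64
SAMPLE_SECURE = (b"\0" * SECURE_WRAPPER_LEN +
                 build_uimage("FAST2764_vTEST.img", SAMPLE_KERNEL,
                              0x80010000, 0x802E7000))

if __name__ == "__main__":
    img = parse_uimage(SAMPLE_SECURE)
    print(f"Image Name:   {img.name}")
    print(f"Data Size:    {img.size} Bytes")
    print(f"Load Address: {img.load_addr:08x}")
    print(f"Entry Point:  {img.entry_point:08x}")
    status = "OK" if img.header_ok and img.data_ok else "Bad Data CRC"
    print(f"Verifying Checksum ... {status}")
    glitched = flip_bit(SAMPLE_SECURE, SECURE_WRAPPER_LEN + IH_HEADER_LEN + 10)
    status = "OK" if parse_uimage(glitched).data_ok else "Bad Data CRC"
    print(f"Glitched copy: Verifying Checksum ... {status}")
```

Point `parse_uimage` at the bytes of a real `.img.secure` file (or a section-6 dump) to print the same name, size and addresses that appear in the bootlog above; the CRC only proves integrity, the DSA check the bootloader mentions is a separate step this code does not perform.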