Sagemcom Modem F@st 2764 GV (Power Box GVT) – Hacking #1

Documenting some findings about the software side of the Sagemcom F@st 2764 GV modem. It appears to be more secure than the F@ST 1704 in terms of who can produce/run code on the device, besides being incredibly more annoying when it comes to running a simple “ls”!

First, note that the modem is running the latest firmware version pushed remotely by GVT so far, v8380, at runlevel 4. Any modifications or procedures done here may damage/brick your modem, so it is entirely your responsibility if you try anything described here!

I noticed there are already efforts to “unlock” the modem a bit over at PortalADSL (this thread in particular).

As shown in the teardown, the 2764 GV has a serial port and, possibly, JTAG. The first step was to check whether the serial port was active and what its output (the boot log) would be, which would give us good information about the software (the log has been “sanitized”):

SAGEM Secure-boot SU2_2_3 fast_2764

CPU: IKANOS Fusiv 180 Family
PCI: 33 MHz
DRAM: 128 MB
Flash: 32 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: emac1

PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1

Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
Searching valid operational firmware
Operational Firmware validated at address be000000
good regular firmware at @0xBE000000 with key @0xBF018411
No bootloader arg
partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000
kernel args update done
Launch regular code from flash
alarmLEDMode(E_FLASH)!
bootm BE000140
## Booting image at be000140 ...
Image Name: FAST2764_v8380.img
Created: 2012-06-08 14:08:37 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 10492534 Bytes = 10 MB
Load Address: 80010000
Entry Point: 802e7000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK

Starting kernel ...

Linux version 2.6.16.26 #1 Fri Jun 8 16:08:23 CEST 2012
argc 9 arg env memsize=128
memsize board_memsize = 128
env memsize=128
env initrd_start=0xA0000000
env initrd_size=0x0
flash_start be000000
env flash_start=0xBE000000
board_flash_size 2000000
env flash_size=0x2000000
arg[1] root=/dev/mtdblock6
arg[2] ro
arg[3] rootfstype=squashfs
arg[4] operational_start=0xbe000000
arg[5] rescue_start=0xbf080000
arg[6] myfs_start=0xbea20000
arg[7] type=operational
arg[8] image_addr=0xBE000000
CPU revision is: 0001964c
Determined physical RAM map:
memory: 07800000 @ 00000000 (usable)
Built 1 zonelists
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 512 (order: 9, 8192 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 108828k/122880k available (2368k kernel code, 13900k reserved, 535k data, 136k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction... available.
NET: Registered protocol family 16
Fusiv PCI: starting...
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
Bluetooth: Core ver 2.8
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
fs/cramfs_block_uncompressed created
NTFS driver 2.1.26 [Flags: R/O].
incomplete dynamic bit lengths treeInitializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered

Random: 0x9c448df9
Serial: 8250/16550 driver $Revision: 1.9.6.1 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO map 0xb9020000 mem 0xb9020000 (irq = 6) is a 16450
serial8250: ttyS1 at MMIO map 0xb90a0000 mem 0xb90a0000 (irq = 29) is a 16450
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: Ikanos On-Chip EHCI Host Controller
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: new USB bus registered, assigned bus number 1
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: irq 35, io mem 0x19230000
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: Ikanos On-Chip OHCI Host Controller
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: new USB bus registered, assigned bus number 2
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: irq 35, io mem 0x19240800
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new driver usblp
/filer1_vol11/dev_projets5/liveboxProV3/dev/diep/Gvt/3.8.0/checkoutdir/openrg/package/rg/os/linux-2.6/drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
u32 classifier
OLD policer on
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 2, 16384 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
NET: Registered protocol family 1
NET: Registered protocol family 17
Bluetooth: L2CAP ver 2.8
Bluetooth: L2CAP socket layer initialized
Bluetooth: SCO (Voice Link) ver 0.5
Bluetooth: SCO socket layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM ver 1.7
Bluetooth: BNEP (Ethernet Emulation) ver 1.2
Bluetooth: BNEP filters: protocol multicast
NET: Registered protocol family 8
NET: Registered protocol family 20
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
openrg_flash: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
openrg_flash: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 1 MTD partitions on "openrg_flash":
0x00000000-0x02000000 : "openrg"
openrg_flash: detected at 0x1e000000 size 33554432 bytes
Freeing unused kernel memory: 136k freed
Version: 4.9.4.FAST2764_v8380
Platform: Sagem 2764 Vox180
Compilation Time: 08-Jun-12 13:33:23
Tag: NRD_?bldorg?rg_liveboxPro-V3_0-0-1
Compilation Flags: SOUCHE_DEVICE_DISCOVERY=y CONFIG_TELEFONICA=y CONFIG_VDSL=y CONFIG_ROUTING_WITH_DSPRULES=y CONFIG_37xx_STANDARD=y CONFIG_SAGEM_DLNA=y CONFIG_SIP_UNREGISTER_ON_REBOOT=y CONFIG_DYNAMIC_VLAN_CONFIG=y CONFIG_PPP_NO_DHCP_DISCOVERY=y CONFIG_PPP_NO_NOTIFY=y CONFIG_UPNP_HIDE_INVOQUE_FORCE_TERMINATION=y CONFIG_UPNP_HIDE_INVOQUE_REQUEST_CONNECTION=y CONFIG_UPNP_HIDE_INVOQUE_REQUEST_TERMINATION=y CONFIG_UPNP_IGD_PASSWORD=y CONFIG_UPNP_DEVICE_LAN_MODEL_NAME=Sagem_IGD_LAN CONFIG_UPNP_DEVICE_WAN_CON_MODEL_NAME=Sagem_IGD_WANConnection CONFIG_UPNP_DEVICE_WAN_MODEL_NAME=Sagem_IGD_WAN CONFIG_UPNP_DEVICE_MODEL_NUMBER=000 CONFIG_UPNP_DEVICE_MANUFACTURER_URL=www.gvt.com.br CONFIG_UPNP_DEVICE_MANUFACTURER=Sagem CONFIG_UPNP_IGD_DEVICE_TITLE=Sagem_Internet_Gateway_Device CONFIG_RGCONF_MIGRATION=y CONFIG_SOUCHE_RECONF=y CONFIG_SAGEM_DB_ACCESS=y CONFIG_SAGEM_IPPRINT=y CONFIG_USB_PRINTER=y CONFIG_HFS_FS=y CONFIG_HFSPLUS_FS=y CONFIG_PIN_ACTIVE_WIFI=y CONFIG_SSID2=y CONFIG_MULTI_SSID=y CONFIG_SAGEM_WIFI_MAC_ADDRESS=y CONFIG_SAGEM_WIFI_MODE_11N=y CONFIG_DHCPS_SEND_NO_PADI=y CONFIG_DHCPS_INTERFACES=br0 CONFIG_LIVEBOX_VOIP=y CONFIG_LOG_ENTITIES=0 CONFIG_KALLSYMS=y CONFIG_RG_GDBSERVER=y CONFIG_LIVEBOX_TV=y CONFIG_ETH_PRE_LG=5 CONFIG_MODE_ETHERNET=y CONFIG_SOUCHE_USE_EXTERNAL_OPENSSL=y DIST=SAGEM_376X CONFIG_GVT=y CONFIG_INTERNAL_FIRMWARE_VERSION=8.3.8.0 CONFIG_FIRMWARE_VERSION=FAST2764_v8380 LIC=../../../license/jpkg_ikanos_vx.lic
User Information: G078000@VZX00000 /filer1_vol11/dev_projets5/liveboxProV3/dev/diep/Gvt/3.8.0/checkoutdir/openrg/package/rg
###### rg_conf/network/rg_mac_wifi = 4c:17:eb:xx:xx:xx ######
###### generated_mac_wifi = 4c:17:eb:xx:xx:xx ######
############### Mode_Bridged = 0 ######################
############### xdsl_mode = 1 ######################
###### Kernel Debug mode (rg_conf/kernel/debug) = 0 ######

insmod: add-symbol-file build/debug/hard_watchdog_module.o 0xc0004000 -s .data 0xc0005820 -s .bss 0xc0005960

HardwareWatchdogInitialize : NORMAL BOOT

HardwareWatchdogInitialize :: --- WATCHDOG -- INITIALIZED with ED72 value (i.e. 5999ms)
HardwareWatchdogInitialize :: --- WATCHDOG -- Pacify timer of 2000 ms STARTED

insmod: add-symbol-file build/debug/be_pppoa_mod.o 0xc0007000 -s .data 0xc0008710 -s .bss 0xc0008860

insmod: add-symbol-file build/debug/fusivlib.o 0xc0022000 -s .data 0xc002eb50 -s .bss 0xc0030ee0
fusiv library initializing...
Buffer Copy Through DMA is enabled

fusiv library initialized SUCCESSFULLY...

insmod: add-symbol-file build/debug/bus_arbiter_lkm.o 0xc000a000 -s .data 0xc000b380 -s .bss 0xc000b4e0
vox bus arbiter interrupt handlers registered

insmod: add-symbol-file build/debug/opensrc_lkm.o 0xc0002000 -s .data 0xc00026d0 -s .bss 0xc0002820

insmod: add-symbol-file build/debug/bm.o 0xc0014000 -s .data 0xc0017170 -s .bss 0xc0017340

Buffer Manager is initializing...
BMU GIGE clock
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0000
Load into BM APU Successful !!!

Buffer Manager initialized SUCCESSFULLY...

insmod: add-symbol-file build/debug/sysutil.o 0xc0019000 -s .data 0xc001c240 -s .bss 0xc001c380

insmod: add-symbol-file build/debug/timerlib.o 0xc0010000 -s .data 0xc0010de0 -s .bss 0xc0010f40
Timers are getting initalized
Timers are initilized SUCCESSFULLY...

insmod: add-symbol-file build/debug/ethdriver.o 0xc0044000 -s .data 0xc004bb20 -s .bss 0xc004e900
Module params: eth0_mii=0 eth1_mii=1
eth0: Netpro Sierra Ethernet found at 0xb9110000, irq 14
GIGE 1 clock dev->baseAddr b9110000
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0010
eth0 interface configured in GMII mode
eth1: Netpro Sierra Ethernet found at 0xb9150000, irq 13
GIGE 2 clock dev->baseAddr b9150000
SraPort_initializePort: phyAddr=0x1f: PHY attached
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0020

Ethernet Driver is initialized SUCCESSFULLY

insmod: add-symbol-file build/debug/vdsldriver_lkm.o 0xc003c000 -s .data 0xc003f9e0 -s .bss 0xc0040ec0
VDSL AP and VDSL PHY clocks are enabled
eth2: Netpro VDSL Ethernet found at 0x0, irq 36
>>> bmChangeMacList currNumConfiguredMacAddrs = 0 MAX_NUM_SUPPORTED_MAC_ADDRESSES = 4
0x0:0x1:0x2:0x3:0x4:0x7
User parameters for VDSL AP configured successfully
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0030
VDSL AP started successfully

VDSL Driver is initialized SUCCESSFULLY

insmod: add-symbol-file build/debug/periap.o 0xc0050000 -s .data 0xc0051c20 -s .bss 0xc0053c60
periApDriverInit: doneSlave Mem Alloc: Req size 16 Ptr2Block 0x191f0040

*******LOAD firmware to AP:PERI_ID result:0Load into PERI_AP APU Successful !!!

insmod: add-symbol-file build/debug/ath_hal.o 0xc00e1000 -s .data 0xc014e5f0 -s .bss 0xc0158f20
ath_hal: 0.9.14.25 (AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, DEBUG, REGOPS_FUNC)

insmod: add-symbol-file build/debug/wlan.o 0xc015c000 -s .data 0xc019ae80 -s .bss 0xc019b740
wlan: 0.8.4.2 (Atheros/multi-bss)

insmod: add-symbol-file build/debug/ath_rate_atheros.o 0xc0066000 -s .data 0xc006b970 -s .bss 0xc0074440
ath_rate_atheros: Version 2.0.1
Copyright (c) 2001-2004 Atheros Communications, Inc, All Rights Reserved

insmod: add-symbol-file build/debug/ath_dfs.o 0xc0076000 -s .data 0xc007ec00 -s .bss 0xc007ed80
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved

insmod: add-symbol-file build/debug/wlan_wep.o 0xc000d000 -s .data 0xc000e830 -s .bss 0xc000e980

insmod: add-symbol-file build/debug/wlan_tkip.o 0xc0055000 -s .data 0xc0058410 -s .bss 0xc0058560

insmod: add-symbol-file build/debug/wlan_ccmp.o 0xc001e000 -s .data 0xc0020250 -s .bss 0xc00203a0

insmod: add-symbol-file build/debug/wlan_xauth.o 0xc0033000 -s .data 0xc0033300 -s .bss 0xc0033440

insmod: add-symbol-file build/debug/wlan_acl.o 0xc0038000 -s .data 0xc0039010 -s .bss 0xc0039160
wlan: mac acl policy registered

insmod: add-symbol-file build/debug/ath_pci.o 0xc019d000 -s .data 0xc01c8e00 -s .bss 0xc01c99e0
ath_pci: 0.9.4.5 (Atheros/multi-bss)
ath_pci: CR-LSDK-1.3.1.110_3-4-9_0-0-9
PCI: Enabling device 0000:00:03.0 (0000 -> 0002)
wifi%d ath_pci_probe Mac Address to configure 4c:17:eb:xx:xx:xx
ar5416InitMacAddr: Eeprom mac address read : 74:b4:92:xx:xx:xx
Chan Freq RegPwr HT CTL CTL_U CTL_L DFS
1 2412n 27 HT20 1 0 1 N
1 2412n 20 HT40 1 0 1 N
2 2417n 20 HT40 1 0 1 N
3 2422n 20 HT40 1 1 1 N
4 2427n 20 HT40 1 1 1 N
5 2432n 20 HT40 1 1 1 N
6 2437n 20 HT40 1 1 1 N
7 2442n 20 HT40 1 1 1 N
8 2447n 20 HT40 1 1 1 N
9 2452n 20 HT40 1 1 1 N
10 2457n 20 HT40 1 1 1 N
11 2462n 20 HT40 1 1 1 N
12 2467n 20 HT40 1 1 0 N
13 2472n 20 HT40 1 1 0 N
dfs_init_radar_filters: dfs->dfs_rinfo.rn_numradars: 0
DFS min filter rssiThresh = 18
DFS max pulse dur = 131 ticks
wifi0: 11ng rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: 11ng MCS: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
wifi0: mac 384.2 phy 15.15 radio 12.0
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wifi0: Use hw queue 7 for UAPSD
2xMaxPowerLevel: 32 (LEG)
2xMaxPowerLevel: 38 (LEG)

JXU: set the rxBufsize to 3851
wifi0: ath_pci_probe 320 Mac Address configured 4c:17:eb:xx:xx:xx
wifi0: Atheros 9287: mem=0x1a000000, irq=25 hw_base=0xba000000

insmod: add-symbol-file build/debug/one_module.o 0xc0249000 -s .main_flow 0xc02859d0 -s .data 0xc02a4de0 -s .bss 0xc02a6ca0
Loading license fe7cce03ae1ecdf8664e2a9d4237fffffffffffffffffffc702e282dad8703897fb79647f254aad168affffffffffffffffffe320ee12b21d44036dba65548ebd421923317a5e6fd3f30792f5c8c58bffffffffffffffffffffffffff.SAGEM
loading license key: SAGEM
loading license key: SAGEM

insmod: add-symbol-file build/debug/kleds_mod.o 0xc0035000 -s .data 0xc0036430 -s .bss 0xc00365c0

insmod: add-symbol-file build/debug/lb_jffs_mod.o 0xc0042000 -s .data 0xc0042200 -s .bss 0xc0042360
Creating 1 MTD partitions on "openrg_flash":
0x01b00000-0x02000000 : "jffs2"
Press ESC to enter BOOT MENU mode.
dd_openrg_init: registering openrg device discovery entity
MAPS:
00400000-006a9000 r-xp 00000000 00:09 1424660 /mnt/cramfs/bin/openrg
10000000-1005a000 rw-p 002a9000 00:09 1424660 /mnt/cramfs/bin/openrg
1005a000-10198000 rwxp 1005a000 00:00 0 [heap]
2aaa8000-2aaae000 r-xp 00000000 00:09 5828136 /mnt/cramfs/lib/ld-uClibc.so.0
2aaae000-2aaaf000 rw-p 2aaae000 00:00 0
2aab0000-2aab1000 rw-p 2aab0000 00:00 0
2aab2000-2aab3000 rw-s 00000000 00:06 0 /SYSV0000162e (deleted)
2aab4000-2aab5000 rw-s 00000000 00:06 32769 /SYSV0000162d (deleted)
2aaed000-2aaee000 rw-p 00005000 00:09 5828136 /mnt/cramfs/lib/ld-uClibc.so.0
2aaee000-2ab03000 r-xp 00000000 00:09 6887428 /mnt/cramfs/lib/libopenrg.so
2ab03000-2ab43000 ---p 2ab03000 00:00 0
2ab43000-2ab44000 rw-p 00015000 00:09 6887428 /mnt/cramfs/lib/libopenrg.so
2ab44000-2ab82000 r-xp 00000000 00:09 6604724 /mnt/cramfs/lib/libjutil.so
2ab82000-2abc1000 ---p 2ab82000 00:00 0
2abc1000-2abc6000 rw-p 0003d000 00:09 6604
insmod: add-symbol-file build/debug/wlan_scan_ap.o 0xc0060000 -s .data 0xc0063a80 -s .bss 0xc0063bc0
724 /mnt/cramfs/lib/libjutil.so
2abc6000-2abcc000 rw-p 2abc6000 00:00 0
2abcc000-2ac0a000 r-xp 00000000 00:09 6972316 /mnt/cramfs/lib/libssl.so.0.9.8
2ac0a000-2ac49000 ---p 2ac0a000 00:00 0
2ac49000-2ac4d000 rw-p 0003d000 00:09 6972316 /mnt/cramfs/lib/libssl.so.0.9.8
2ac4d000-2ad8d000 r-xp 00000000 00:09 6068352 /mnt/cramfs/lib/libcrypto.so.0.9.8
2ad8d000-2ada2000 rw-p 00140000 00:09 6068352 /mnt/cramfs/lib/libcrypto.so.0.9.8
2ada2000-2ada6000 rw-p 2ada2000 00:00 0
2ada6000-2ada8000 r-xp 00000000 00:09 6536492 /mnt/cramfs/lib/libdl.so.0
2ada8000-2ade7000 ---p 2ada8000 00:00 0
2ade7000-2ade8000 rw-p 00001000 00:09 6536492 /mnt/cramfs/lib/libdl.so.0
2ade8000-2adff000 r-xp 00000000 00:09 6942384 /mnt/cramfs/lib/librg_config.so
2adff000-2ae3e000 ---p 2adff000 00:00 0
2ae3e000-2ae40000 rw-p 00016000 00:09 6942384 /mnt/cramfs/lib/librg_config.so
2ae40000-2ae41000 rw-p 2ae40000 00:00 0
2ae41000-2ae5d000 r-xp 00000000 00:09 6691100 /mnt/cramfs/lib/libm.so.0
2ae5d000-2ae9d000 ---p 2ae5d000 00:00 0
2ae9d000-2ae9e000 rw-p 0001c000 00:09 6691100 /mnt/cramfs/lib/libm.so.0
2ae9e000-2aea0000
insmod: add-symbol-file build/debug/hw_qos_ikanos_mod.o 0xc0080000 -s .data 0xc0080900 -s .bss 0xc0080a80
r-xp 00000000 00:09 7139092 /mnt/cramfs/lib/libutil.so.0
2aea0000-2aedf000 ---p 2aea0000 00:00 0
2aedf000-2aee0000 rw-p 00001000 00:09 7139092 /mnt/cramfs/lib/libutil.so.0
2aee0000-2af1f000 r-xp 00000000 00:09 5864944 /mnt/cramfs/lib/libSwitch.so
2af1f000-2af5f000 ---p 2af1f000 00:00 0
2af5f000-2af60000 rw-p 0003f000 00:09 5864944 /mnt/cramfs/lib/libSwitch.so
2af60000-2af63000 r-xp 00000000 00:09 6062484 /mnt/cramfs/lib/libcrypt.so.0
2af63000-2afa2000 ---p 2af63000 00:00 0
2afa2000-2afa3000 rw-p 00002000 00:09 6062484 /mnt/cramfs/lib/libchw_qos_init:183 init module
rypt.so.0
2afa3000-2afb4000 rw-p 2afa3000 00:00 0
2afb4000-2afbe000 r-xp 00000000 00:09 6719784 /mnt/cramfs/lib/libmsg-api.so
2afbe000-2affd000 ---p 2afbe000 00:00 0
2affd000-2affe000 rw-p 00009000 00:09 6719784 /mnt/cramfs/lib/libmsg-api.so
2affe000-2b00b000 rw-p 2affe000 00:00 0
2b00b000-2b01a000 r-xp 00000000 00:09 6926012 /mnt/cramfs/lib/libpthread.so.0
2b01a000-2b059000 ---p 2b01a000 00:00 0
2b059000-2b05e000 rw-p 0000e000 00:09 6926012 /mnt/cramfs/lib/libpthread.so.0
2b05e000-2b060000 rw-p 2b05e000 00:00 0
2b060000-2b063000 r-xp 00000000 00:09 7130072 /mnt/cramfs/lib/libtr69If.so
2b063000-2b0a2000 ---p 2b063000 00:00 0
2b0a2000-2b0a3000 rw-p 00002000 00:09 7130072 /mnt/cramfs/lib/libtr69If.so
2b0a3000-2b104000 r-xp 00000000 00:09 5933304 /mnt/cramfs/lib/libc.so.0
2b104000-2b144000 ---p 2b104000 00:00 0
2b144000-2b146000 rw-p 00061000 00:09 5933304 /mnt/cramfs/lib/libc.so.0
2b146000-2b14a000 rw-p 2b146000 00:00 0
7fa38000-7fa4d000 rwxp 7fa38000 00:00 0 [stack]

insmod: add-symbol-file build/debug/igmp_proxy_mod.o 0xc008d000 -s .data 0xc0094190 -s .bss 0xc00942e0

insmod: add-symbol-file build/debug/rg_usfs.o 0xc0086000 -s .data 0xc0087510 -s .bss 0xc0087680

insmod: add-symbol-file build/debug/tcp_mss.o 0xc0000000 -s .data 0xc0000a00 -s .bss 0xc0000b80

insmod: add-symbol-file build/debug/rg_dhcp_pktfil.o 0xc0089000 -s .data 0xc008a440 -s .bss 0xc008a5c0

insmod: add-symbol-file build/debug/rg_ipv4.o 0xc0084000 -s .data 0xc0084440 -s .bss 0xc00845c0
IPV4 device driver registered

insmod: add-symbol-file build/debug/pppoe_relay.o 0xc009c000 -s .data 0xc009f800 -s .bss 0xc009f940

insmod: add-symbol-file build/debug/rg_pppoe_relay.o 0xc0082000 -s .data 0xc0082db0 -s .bss 0xc0082f20

insmod: add-symbol-file build/debug/ife6DriverLoad_mod.o 0xc0098000 -s .data 0xc0098440 -s .bss 0xc00985c0
Initializing IFE6 Driver Load module

insmod: add-symbol-file build/debug/watchdog_mod.o 0xc0096000 -s .data 0xc00969f0 -s .bss 0xc0096b60
Initializing Watchdog module
Initializing Watchdog module1
Initializing Watchdog module2

insmod: add-symbol-file build/debug/btn.o 0xc009a000 -s .data 0xc009ac40 -s .bss 0xc009ade0

insmod: add-symbol-file build/debug/qos_ingress.o 0xc00b7000 -s .data 0xc00b81b0 -s .bss 0xc00b8340

insmod: add-symbol-file build/debug/bmedrv.o 0xc00ba000 -s .data 0xc00bade0 -s .bss 0xc00bafa0
bmedrv_init: Region 0x07800000 - 0x07ffffff allocated successfully
BME Driver has been loaded SUCCESSFULLY

insmod: add-symbol-file build/debug/switch.o 0xc00bc000 -s .data 0xc00bd000 -s .bss 0xc00bd1c0
m88e6x6x switch driver for vx180 loaded

insmod: add-symbol-file build/debug/dspvoice.o 0xc02e0000 -s .data 0xc0318bc0 -s .bss 0xc031cd00

##################################################
# DSP Voice Module Part 1 Loading ...

Register /sys/sagem/voice SysCtl ... OK
Using: Software Voicedriver orig_2-1-17_3-6-1 : 2008

# DSP Voice Module Part 1 Loading Ok
##################################################

##################################################
# DSP Voice Module Part 2 Loading ...

Could not find DSP configuration file, setting to defaults
Save and reboot the system to effect the Codec Mode : 2
Total words found in /dsp/dsp218x_1ch_faxonly.dsp Image 31948
Total words found in /dsp/dsp218x_1ch_g729only.dsp Image 31948
Opening of DSP Image [/dsp/dsp218x_1ch_g711vad2only.dsp] failed! Error: 2

Registering Call Back Handlers

DSP TIME SLOT Assigned:260
DSP CLock Assigned:27
DSP Codec Type Assigned:2
DSP SPORT Control Reg Assigned:c30f
ADSP218x DOWNLOAD DONE !!!!

DSP Ver No:1.1

DSP TIME SLOT Assigned:40
DSP CLock Assigned:27
DSP Codec Type Assigned:2
DSP SPORT Control Reg Assigned:820f
ADSP218x DOWNLOAD DONE !!!!

DSP Ver No:1.1
Initialization SLIC system
Initializing Voice
slic GPIO is 12
Initializing SPI Module
SAGEM SLIC card as SILABS
Initializing SLICs
Country use for SLIC BRAZIL
port 0 is Si32176
LOAD Si3217 PATCH for Rev B
No verif
Si3217 patch version 0X09292009
Patch loaded successfully
PATCH Ret=0
MDAC Calibration for channel
other Calibration
ZCAL Calibration
Activate SLICs => 0
BRAZIL Initialization
osAssignInterrupt: Enable IRQ(17) for DSP

Enable IRQ for DSP
osAssignInterrupt: Enable IRQ(21) for DSP

Enable IRQ for DSP

# DSP Voice Module Part 2 Loading Ok
##################################################

insmod: add-symbol-file build/debug/rtp.o 0xc00d1000 -s .data 0xc00dbce0 -s .bss 0xc00dc7c0

##################################################
# RTP Stack Module Loading ...

Register /dev/rtp Device ...Register /sys/sagem/rtp SysCtl ...insmod: cannot open module `/lib/modules/relay.o': No such file or directory
Permanent Parameters were stored in Rgconf RAM
sg_gvt_entity_runlevel.c : action = 0, xdsl_mode = 1
Main process create child
wifi_init: Atheros Wifi card: device AR5416_DEVID_AR9287_PCI (Kiwi).
Atheros Wifi card found: killall: twonkymediaserver: no process killed
ath0
ath1
mt_ma_open : entering in -------------------
mt_ma_start_process : entering in -------------------
opening reconfentity Entity

MAIN AUTOM ID IS 345 killall: twonkymediaserver: no process killed
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled

To activate ar5xxx Debug traces set entry dev/wifi0/dev_ar5xxx_debug in rg_conf

To activate ar5xxx Debug traces set entry dev/wifi0/dev_ar5xxx_debug in rg_conf
device eth0 entered promiscuous mode
OS: VDSL daemon already running
Access: Failed to open bme module
2xMaxPowerLevel: 38 (LEG)
2xMaxPowerLevel: 38 (LEG)

JXU: set the rxBufsize to 3851
ath_newstate: ath0: INIT -> SCAN
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 10080, PF 0

JXU: set the rxBufsize to 3851
device ath0 entered promiscuous mode

To activate hostapd main Debug traces set entry dev/wifi0/hostapd_main_debug in rg_conf
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
eth2.600: Setting MAC address to 4c 17 eb xx xx xx.
VLAN (eth2.600): Underlying device (eth2) has same MAC, not checking promiscious mode.
eth2.602: Setting MAC address to 4c 17 eb xx xx xx.
VLAN (eth2.602): Underlying device (eth2) has same MAC, not checking promiscious mode.
eth2.4000: Setting MAC address to 4c 17 eb xx xx xx.
VLAN (eth2.4000): Underlying device (eth2) has same MAC, not checking promiscious mode.
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 2 - (2417), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 3 - (2422), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 4 - (2427), Flags 30080, PF 0

JXU: set the rxBufsize to 3851

__BEI:load_rgconf_switch_config called__

__BEI:sg_switch_check_config called__

__BEI:sg_switch_write_config_files called__

__BEI:sg_switch_parse_config called__

__BEI:sg_switch_set_mode called__

__BEI:sg_switch_run_config called__
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 5 - (2432), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 6 - (2437), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
killall: twonkymediaserver: no process killed
ath_newstate: ath0: SCAN -> INIT
2xMaxPowerLevel: 38 (LEG)

JXU: set the rxBufsize to 3851
ath_newstate: ath0: INIT -> SCAN
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 10080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 2 - (2417), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 3 - (2422), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 4 - (2427), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 5 - (2432), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 6 - (2437), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 7 - (2442), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 8 - (2447), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 9 - (2452), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 10 - (2457), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 11 - (2462), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 12 - (2467), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 13 - (2472), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
******* channel 1 average rssi 0 noise floor 8364 final average rssi 16728
******* channel 1 average rssi 0 noise floor 8364 final average rssi 16728
******* channel 6 average rssi 6 noise floor 0 final average rssi 6
******* channel 11 average rssi 6 noise floor 1 final average rssi 8
find_best_11ng_centerchan: found best center chan: 6
ath_newstate: ath0: SCAN -> JOIN
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 6 - (2437), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
ath_newstate: ath0: JOIN -> RUN

__BEI:sgconfigure_spq_scheduler:134 enable SPQ on AP:1 link speed:1000000000
_switch_free_switch_config called__
Main process create child
Main process create child
ls: /sys/devices/platform/*/*/[0-9]*-*/*/usb:lp*: No such file or directory
ls: /sys/devices/platform/*/*/[0-9]*-*/*/*/usb:lp*: No such file or directory
initprocess to launch : /etc/initprocess.sh 4

xdsl autodetect mode actif

CPE start address is a7800000

ipos system initialized
TwonkyMedia Version 4.4.18

BME 1 is coming up
LOG_SYSTEM: reading ini file: "/usr/local/mediaserver/twonkyvision-mediaserver.ini".

Transfer to SDRAM Successful

BmeHw: Downloading BME 1 software .....!

BmeHw: Bme 1 software code downloaded successfully

The feature bit has been successfully modified for eth0 eth1 PERI VDSL APs...

******sysutil apfeature all vlanbridge enable******

alm freq 20
status freq 30
/tmp/dslSavedConfig.conf file not found

configuration file /etc/vdsl.conf:start______

configuration file /etc/vdsl.conf:start0______

OamOptionMask Set to 3
_____________________BEI:fpvdslconfigfile == NULL__________________
taskUi: profileNum = 2 Sizeof ipos_port_profile=144

Please execute 'vdsl' in 3 seconds to enter into Supervisor mode
2
1
0

Changing port profile #2 BAND_PLAN=0x1 PTM MODE=0x0
OamoptionMask 3
optionMask 8ath_tx_reset Started tx reset
ath_tx_reset Completed tx reset
ath_bstuck_tasklet: stuck beacon; resetting (bmiss count 36)
2xMaxPowerLevel: 38 (LEG)

Linux version 2.6.16.26… Sources, where? ;) We also see u-boot in use as the bootloader. The “Secure-boot” and “use DSA signature” lines are intimidating.

Ok, plenty of interesting things can already be pulled out of this log, but let's take it one step at a time. Getting access through the serial port/shell would be a good start. That was not the case, though. As mentioned on the PortalADSL forum, after a certain firmware version access via ttyS0 was disabled: it no longer responds to user input. Heck!

We have no firmware images available, there is no page for updating it, (…) perhaps find another flaw in the web server that lets us into the device (as was the case with “index2.cgi”).

Note that u-boot detects 2 “potential” images in flash. Once the checksum is verified, the “operational” image is executed, which is exactly v8380. So the second image must be a recovery/fail-safe one. If we could make u-boot fail, we might drop into a recovery prompt, or else the supposed recovery image would be booted.

How to do that? Glitch the flash! (don't try this!). While the kernel is being copied from flash to RAM, we could cause noise/faults on the flash data bus, so the data would be corrupted and the CRC would fail. This would not be permanent, which gives us some safety. Here is the result:

SAGEM Secure-boot SU2_2_3 fast_2764

CPU: IKANOS Fusiv 180 Family
PCI: 33 MHz
DRAM: 128 MB
Flash: 32 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: emac1

PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1

Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
Searching valid operational firmware
Operational Firmware validated at address be000000
good regular firmware at @0xBE000000 with key @0xBF018411
No bootloader arg
partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000
kernel args update done
Launch regular code from flash
alarmLEDMode(E_FLASH)!
bootm BE000140
## Booting image at be000140 ...
Image Name: FAST2764_v8380.img
Created: 2012-06-08 14:08:37 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 10492534 Bytes = 10 MB
Load Address: 80010000
Entry Point: 802e7000
Verifying Checksum ... Bad Data CRC
alarmLEDMode(E_FLASH_RESCUE)!
Searching valid rescue firmware
Rescue Firmware validated at address bf080000
alarmLEDMode(E_BOOT_FLASH_RESCUE)!
recovery firmware at @0xBF080000 with key @0xBF0185A5 is OK
No bootloader arg
partition not moved
updating kernel args
bootargs root=/dev/mtdblock5 ro rootfstype=squashfs rescue_start=0xbf080000 myfs_start=0xbfa20000 myfs_size=0x00000000 type=rescue image_addr=0xBF080000
kernel args update done
Launch recovery code from flash
bootm bf080130
## Booting image at bf080130 ...
Image Name: FAST2764_v82B0.img
Created: 2011-07-28 16:06:09 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 10020917 Bytes = 9.6 MB
Load Address: 80010000
Entry Point: 802e7000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK

Starting kernel ...

Linux version 2.6.16.26 #1 Thu Jul 28 18:05:57 CEST 2011
argc 9 arg <NULL> env memsize=128
memsize board_memsize = 128
env memsize=128
env initrd_start=0xA0000000
env initrd_size=0x0
...

It works! And look, the recovery image is v82B0, known to still have index2.cgi. Note also that the arguments passed to the kernel are different, such as the root MTD device, and it is now called “rescue”. The modem boots and works normally (syncs, authenticates) with this image. It is somewhat prone to crashes in this mode, due to incompatibilities between the old kernel and the new rootfs (8380). But it works (…).

Now the serial port works:

Username:
Password:

HomeGateway>
HomeGateway> help
help   Show help for commands within this menu

Usage:
    help all - show all available commands in the current level
    help [category]... <category> - show commands in a certain category
    help [category]... <command> - show detailed help for a specific command
    help -s <string> - search for categories/commands containing the string

Availble help Categories
help pvc - show help about PVC scan related commands
help conf - show help about Read and write HomeGateway configuration data
help FT commands - show help about FT commands
help FT atm commands - show help about FT atm commands
help FT sndcp commands - show help about FT sndcp commands
help vdsl - show help about VDSL commands
help upnp - show help about UPnP commands
help qos - show help about Control and display QoS data
help bridge - show help about API for managing ethernet bridge
help gvt - show help about Gvt configuration and control
help firewall - show help about Control and display Firewall and NAT data
help connection - show help about API for managing connections
help inet_connection - show help about API for managing internet connections
help wireless - show help about Wireless commands
help misc - show help about API for HomeGateway miscellaneous tasks
help firmware_update - show help about Firmware update commands
help log - show help about Controls HomeGateway logging behavior
help dev - show help about Device related commands
help kernel - show help about Kernel related commands
help system - show help about Commands to control HomeGateway execution
help flash - show help about Flash and loader related commands
help net - show help about Network related commands
help leds - show help about Leds control commands
help cmd - show help about Commands related to the Command module

Returned 0
HomeGateway> help all

Command Category pvc - PVC scan related commands
scan           Scan predefined vpi.vci to determine PPP protocol
scan_restart   Restart PVC scan
scan_status    Display PVC scan status
exit           Exit sub menu
help           Show help for commands within this menu

Command Category conf - Read and write HomeGateway configuration data
factory       Factory related commands
print         Print HomeGateway configuration
set           Set HomeGateway configuration path to value
set_obscure   Set HomeGateway configuration path to an obscured value
del           Delete subtree from HomeGateway configuration
ram_set       Set HomeGateway dynamic configuration
ram_print     Print HomeGateway dynamic configuration
reconf        Reconfigure the system according to the current HomeGateway
              configuration
exit          Exit sub menu
help          Show help for commands within this menu

Command Category FT commands - FT commands
save              Save configurating to flash
flash_chksum      Display all flash sections checksums
atm               atm
sndcp             sndcp
vdsl              VDSL commands
upnp              UPnP commands
qos               Control and display QoS data
bridge            API for managing ethernet bridge
gvt               Gvt configuration and control
firewall          Control and display Firewall and NAT data
connection        API for managing connections
inet_connection   API for managing internet connections
wireless          Wireless commands
misc              API for HomeGateway miscellaneous tasks
firmware_update   Firmware update commands
log               Controls HomeGateway logging behavior
dev               Device related commands
kernel            Kernel related commands
system            Commands to control HomeGateway execution
flash             Flash and loader related commands
net               Network related commands
leds              Leds control commands
exit              Exit from the current CLI session
help              Show help for commands within this menu

Command Category FT atm commands - FT atm commands
atm               atm
sndcp             sndcp
vdsl              VDSL commands
upnp              UPnP commands
qos               Control and display QoS data
bridge            API for managing ethernet bridge
gvt               Gvt configuration and control
firewall          Control and display Firewall and NAT data
connection        API for managing connections
inet_connection   API for managing internet connections
wireless          Wireless commands
misc              API for HomeGateway miscellaneous tasks
firmware_update   Firmware update commands
log               Controls HomeGateway logging behavior
dev               Device related commands
kernel            Kernel related commands
system            Commands to control HomeGateway execution
flash             Flash and loader related commands
net               Network related commands
leds              Leds control commands
exit              Exit from the current CLI session
help              Show help for commands within this menu

Command Category FT sndcp commands - FT sndcp commands
sndcp             sndcp
vdsl              VDSL commands
upnp              UPnP commands
qos               Control and display QoS data
bridge            API for managing ethernet bridge
gvt               Gvt configuration and control
firewall          Control and display Firewall and NAT data
connection        API for managing connections
inet_connection   API for managing internet connections
wireless          Wireless commands
misc              API for HomeGateway miscellaneous tasks
firmware_update   Firmware update commands
log               Controls HomeGateway logging behavior
dev               Device related commands
kernel            Kernel related commands
system            Commands to control HomeGateway execution
flash             Flash and loader related commands
net               Network related commands
leds              Leds control commands
exit              Exit from the current CLI session
help              Show help for commands within this menu

Command Category vdsl - VDSL commands
status                 Get VDSL line status
BmeFirmVer             Get BME Firmware versions
NeSnrAttn              Get Near End SNR Margin and Attenuation
displayAllPmCounters   Display All Performance Counters
displayUsInfos         Display Far-end informations
exit                   Exit sub menu
help                   Show help for commands within this menu

Command Category upnp - UPnP commands
igd      IGD commands
status   Display UPnP status
exit     Exit sub menu
help     Show help for commands within this menu

Command Category qos - Control and display QoS data
utilization   Connection utilization information
exit          Exit sub menu
help          Show help for commands within this menu

Command Category bridge - API for managing ethernet bridge
connection   connect separate network interfaces to form one seamless LAN
config       Configure bridge
info         Print bridge information
exit         Exit sub menu
help         Show help for commands within this menu

Command Category gvt - Gvt configuration and control
set    Configure the gvt runlevel
conf   Display the gvt conf
exit   Exit sub menu
help   Show help for commands within this menu

Command Category firewall - Control and display Firewall and NAT data
restart          Stop and start Firewall & NAT
start            Start Firewall & NAT
stop             Stop Firewall & NAT
filter           Turn Firewall packet inspection on/off
mac_cache_dump   Dump MAC cache data
dump             Display Firewall data
variable         Display variables of the firewall rules
trace            Trace packet traversal via the Firewall ruleset
fastpath         Turns firewall fastpath feature on/off (default is on)
set_tr69_rule    Creates policy rules for TR69
exit             Exit sub menu
help             Show help for commands within this menu

Command Category connection - API for managing connections
pppoe      Configure pppoe interface
l2tp_vpn   Configure l2tpc interface
pptp_vpn   Configure pptpc interface
pppoa      Configure pppoa interface
vlan       Configure vlan interface
exit       Exit sub menu
help       Show help for commands within this menu

Command Category inet_connection - API for managing internet connections
pppoe   Configure pppoe internet connection
l2tp    Configure l2tpc internet connection
pptp    Configure pptpc internet connection
pppoa   Configure pppoa internet connection
ether   Configure ethernet internet connection
exit    Exit sub menu
help    Show help for commands within this menu

Command Category wireless - Wireless commands
captive   Wireless captive commands
exit      Exit sub menu
help      Show help for commands within this menu

Command Category misc - API for HomeGateway miscellaneous tasks
pppos_start               Start PPPoS connection
pppos_close               Close PPPoS connection
print_ram                 print ram consumption for each process
vlan_add                  Add VLAN interface
top                       Profiling over event loop and estream
wbm_debug_set             Stop and start WBM debug mode
wbm_border_set            Stop and start WBM border mode
wbm_session_release_all   Release all existing WBM sessions
knet_hooks_dump           Dump to console which knet_hooks run on each device
exit                      Exit sub menu
help                      Show help for commands within this menu

Command Category firmware_update - Firmware update commands
start    Remotely upgrade HomeGateway
cancel   Kill running remote upgrade
exit     Exit sub menu
help     Show help for commands within this menu

Command Category log - Controls HomeGateway logging behavior
filter   Controls the CLI session logging behavior
exit     Exit sub menu
help     Show help for commands within this menu

Command Category dev - Device related commands
mii_reg_get       Get Ethernet MII register value
mii_reg_set       Set Ethernet MII register value
mii_phy_reg_get   Get Ethernet MII register value
mii_phy_reg_set   Set Ethernet MII register value
exit              Exit sub menu
help              Show help for commands within this menu

Command Category kernel - Kernel related commands
sys_ioctl      issue openrg ioctl
meminfo        Print memory information
top            Print HomeGateway's processes memory usage
cpu_load_on    Periodically shows cpu usage.
cpu_load_off   Stop showing cpu usage (triggered by cpu_load_on).
cpu_load_avg   Shows average cpu usage of last 1, 5 and 15 minutes.
exit           Exit sub menu
help           Show help for commands within this menu

Command Category system - Commands to control HomeGateway execution
die                        Exit from HomeGateway and return ret
ps                         Print HomeGateway's tasks
entity_close               Close an entity
etask_list_dump            Dump back trace of all etasks
restore_factory_settings   Restore factory configuration
reboot                     Reboot the system
ver                        Display version information
print_config               Print compilation configuration. Search for option
                           if specified
exec                       Execute program
cat                        Print file contents to console
shell                      Spawn busybox shell in foreground
date                       Print the current UTC and local time
echo                       Echo arguments to console
autoip_lan_mode            Configure the lan interface using Auto-IP
igd_lan_mode               Configure the lan interface for normal IGD use
exit                       Exit sub menu
help                       Show help for commands within this menu

Command Category flash - Flash and loader related commands
commit   Save HomeGateway configuration to flash
erase    Erase a given section in the flash
load     Load and burn image
boot     Boot the system
bset     Configure bootloader
layout   Print the flash layout and content
dump     Dump the flash content
lock     Lock mtd region
unlock   Unlock mtd region
exit     Exit sub menu
help     Show help for commands within this menu

Command Category net - Network related commands
dns_route         Dyncamic Routing according to DNS replies
igmp              IGMP Proxy related commands
host              Resolve host by name
ifconfig          Configure network interface
ping              Test network connectivity
rg_ifconfig       List HomeGateway Network Devices
route             Print route table
main_wan          Print the name of the current main wan device
intercept_state   Print interception state
exit              Exit sub menu
help              Show help for commands within this menu

Command Category leds - Leds control commands
led_power_set      Set POWER led
led_wifi_set       Set WIRELESS led
control_all_leds   Set ALL led
led_secwifi_set    Set WIRELESS SECURITY led
led_intnet_set     Set INTENRET led
led_ftth_set       Set FTTH led
led_dsl_set        Set DSL led
led_tel1_set       Set PHONE1 led
led_tel2_set       Set PHONE2 led
led_rep1_set       Set REPONDEUR1 led
led_rep2_set       Set REPONDEUR2 led
led_usb1_set       Set USB1 led
led_usb2_set       Set USB2 led
relay_set          Set RELAY
led_hpna_set       Set HPNA led
exit               Exit sub menu
help               Show help for commands within this menu

Command Category cmd - Commands related to the Command module
exit   Exit from the current CLI session
help   Show help for commands within this menu

Returned 0

Ok, without further ado:

HomeGateway> system shell

Temporary setting log_level off

BusyBox v1.01 (2005.09.07-07:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# help

Built-in commands:
-------------------
. : break cd chdir continue eval exec exit export false hash
help let local pwd read readonly return set shift times trap
true type ulimit umask unset wait

# ls
bin etc home mnt sbin tmp var
dev fstab lib proc sys usr

:) I'll leave a “dump” in the link pool shortly. Dumps of v82B0 and v8380 are in the pool.

However, none of this is permanent. One reboot and we are back to square one. What if we could downgrade? But how? There is no flashing interface, except via TR69, driven by GVT. And where would the images to use be? Well, the second question: in the link pool, all the images I managed to get from GVT's servers, the same ones the modem fetches to update itself. ;)

Back to the OpenRG menu, before BusyBox. There is a sub-menu called “flash”:

Command Category flash - Flash and loader related commands

commit   Save HomeGateway configuration to flash
erase    Erase a given section in the flash
load     Load and burn image
boot     Boot the system
bset     Configure bootloader
layout   Print the flash layout and content
dump     Dump the flash content
lock     Lock mtd region
unlock   Unlock mtd region
exit     Exit sub menu
help     Show help for commands within this menu

Let's look at the layout:

HomeGateway> flash layout
Flash layout:

Section 00 Type BOOT       Range 0x01000000-0x01020000 MaxSize 0x00020000
    No more information.

Section 01 Type FACTORY    Range 0x00000000-0x00000000 MaxSize 0xFFFFFF6C
    Uninitialized.

Section 02 Type CONF       Range 0x01040000-0x01060000 MaxSize 0x0001FF6C
    Size 0x00004EE9 Name 'rg_conf'
    Checksum 0x0027C298 Counter 0x00000033 Start Offset 0x00000000

Section 03 Type CONF       Range 0x01060000-0x01080000 MaxSize 0x0001FF6C
    Size 0x00004F99 Name 'rg_conf'
    Checksum 0x0027E1C4 Counter 0x00000032 Start Offset 0x00000000

Section 04 Type RECOVERY   Range 0x01080000-0x01B00000 MaxSize 0x00A80000
    No more information.

Section 05 Type JFFS       Range 0x01B00000-0x02000000 MaxSize 0x00500000
    No more information.

Section 06 Type IMAGE      Range 0x00000000-0x01000000 MaxSize 0x01000000
    No more information.

Total 7 sections found.

Returned 0

Useful information! And the command we care about for now is “load” (I'll try to put the output of the other commands in a separate file).

flash> load
URL has not been specified and default URL is not set
Usage: load -u <url> [-s <section> | -r <address>]

Returned 1

Apparently the “load” command fetches the image directly from a URL and writes it to section <section> or to address <address>. Well, if we want to update the 2764 GV's firmware, we should write an operational image to section 6. Let's try with the oldest image that can currently be obtained from GVT (the image is already in this project's file vault and, since the modem is working, can be fetched from there, but it could also come from a local HTTP server, for example):

flash> load -u http://tripleoxygen.net/files/router_hacking/sagemcom/f2764gv/firmware/stock/FAST2764_v82P6.img.secure -s 6

Wait a few minutes… and:

Download completed successfully

Returned 0

The new image can be checked with the “dump” command:

flash> dump -s 6

00000000: 60 4c 51 ea 2c 3b f3 1e e1 70 78 a1 61 2b 9b e0 |`LQ.,;...px.a+..|
00000010: 70 e3 b2 7b a9 26 e3 d1 43 c1 53 a2 5d 0a 60 79 |p..{.&..C.S.].`y|
00000020: 5d 9c 49 73 63 55 d6 e3 45 03 8c ab 8b 48 1e 74 |].IscU..E....H.t|
00000030: 00 03 00 00 00 00 00 00 46 41 53 54 32 37 36 34 |........FAST2764|
00000040: 5f 76 38 32 50 36 2e 69 6d 67 ff ff 00 00 00 00 |_v82P6.img......|
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070: 00 00 00 00 00 00 00 00 00 94 00 00 00 00 00 ac |................|
00000080: 00 00 00 00 00 00 00 00 00 00 00 ac 00 00 00 86 |................|
00000090: 00 00 00 00 00 00 01 40 00 92 f7 e3 00 00 00 00 |.......@........|
000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 72 6f 6f 74 |............root|
000000b0: 3d 2f 64 65 76 2f 6d 74 64 62 6c 6f 63 6b 36 20 |=/dev/mtdblock6 |
000000c0: 72 6f 20 72 6f 6f 74 66 73 74 79 70 65 3d 73 71 |ro rootfstype=sq|
000000d0: 75 61 73 68 66 73 20 6f 70 65 72 61 74 69 6f 6e |uashfs operation|
000000e0: 61 6c 5f 73 74 61 72 74 3d 30 78 62 65 30 30 30 |al_start=0xbe000|
000000f0: 30 30 30 20 72 65 73 63 75 65 5f 73 74 61 72 74 |000 rescue_start|

Reboot the modem: downgrade done! Obviously this is not very useful for the average user, but since the serial port is now always active, research is easier. Note that it is not possible to obtain the v82B0 image from GVT (they removed it). What is possible is to extract it from flash after a full dump. However, it is a rescue-type image, and flashing it as operational may not be a good idea.

Ok, but flash glitches are risky. Another way, which I found later, is the LAN_RESCUE mode the 2764 GV has:

The LEDs will blink in a different pattern and at that point the modem will try to boot via BOOTP over the network. Set up your DHCP & BOOTP server (such as TFTPD32 on Windows); the 2764 GV will try to load /tftpboot/kernel.img.

SAGEM Secure-boot SU2_2_3 fast_2764

CPU: IKANOS Fusiv 180 Family
PCI: 33 MHz
DRAM: 128 MB
Flash: 32 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: emac1

PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1

Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
force recovery bootp tftp
alarmLEDMode(E_LAN_RESCUE)!
BOOTP broadcast 1
*** Unhandled DHCP Option in OFFER/ACK: 7
*** Unhandled DHCP Option in OFFER/ACK: 44
DHCP client bound to address 192.168.1.101
Using emac1 device
TFTP from server 192.168.153.1; our IP address is 192.168.1.101; sending through gateway 192.168.1.2
Filename '/tftpboot/kernel.img'.
Load address: 0x80800000
Loading: *checksum bad
checksum bad
checksum bad
checksum bad
T T T T T T T T T T
Retry count exceeded; starting again
BOOTP broadcast 1
*** Unhandled DHCP Option in OFFER/ACK: 7
*** Unhandled DHCP Option in OFFER/ACK: 44
DHCP client bound to address 192.168.1.101
Using emac1 device
TFTP from server 192.168.1.2; our IP address is 192.168.1.101
Filename '/tftpboot/kernel.img'.
Load address: 0x80800000
Loading: *################################################################
#################################################################
...
#################################################################

##########
done
Bytes transferred = 9699328 (940000 hex)
Launch recovery code from ram
alarmLEDMode(E_RAM_RESCUE)!
No bootloader arg
partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbe940000 type=operational image_addr=0x80800000
kernel args update done
bootm 80800140
## Booting image at 80800140 ...
Image Name: FAST2764_v82P6.img
Created: 2012-01-13 10:36:20 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 9631651 Bytes = 9.2 MB
Load Address: 80010000
Entry Point: 802e7000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK

Starting kernel ...

Linux version 2.6.16.26 #1 Fri Jan 13 11:36:08 CET 2012
argc 9 arg <NULL> env memsize=128
memsize board_memsize = 128
...

Despite the “kernel.img” name, the official images work perfectly, so just rename the version you want to send and that's it. The kernel is loaded into RAM (hence there is no risk in sending the wrong thing/version, just reset the modem) and booted. By sending an old version you gain access to the serial port and can then “play” or downgrade. And who knows, telnet?

Enabling the telnet daemon for research

Apparently only v82B0 was compiled with telnet support. If you want access this way to study the device (much better than via serial, and no need to take the modem apart), the following can be done:

The modem will be rebooted, so it goes back to the new firmware version, not v82B0. Load the latter via BOOTP again. Telnet will be enabled. Hack away!

Remember that HomeGateway.conf can also be changed in the way known from the PortalADSL forum, since the file is persistent. Also keep in mind that this v82B0 image is a rescue image and was extracted from a raw flash dump, so writing it to the device is risky. Use it only via BOOTP!

I believe the modem's runlevel can be changed over the serial port through the “gvt” sub-menu, “set” option, followed by “flash commit”. I haven't tested it yet.

Firmware image format

I have not researched the format much, but the “secure” extension on the official images tells us something… judging by the information in u-boot, the images may be signed with the DSA algorithm. Being asymmetric, the device would hold the public key and GVT the private one. So only GVT would be able to generate valid images for the 2764 GV. Of course, if it were possible to replace the public key inside the modem with one whose private key we hold, bingo!

A quick analysis of the “libFU_TR69.so” library reveals interesting symbols:

DSA_SIG_free                         extern      000490FC 00000004 R . . . . . .
DSA_SIG_new                          extern      00049104 00000004 R . . . . . .
DSA_do_verify                        extern      0004913C 00000004 R . . . . . .
DSA_free                             extern      00049148 00000004 R . . . . . .
DSA_new                              extern      00049158 00000004 R . . . . . .
...
SHA1_Final                           extern      0004915C 00000004 R . . . . . .
SHA1_Init                            extern      00049180 00000004 R . . . . . .
SHA1_Update                          extern      00049160 00000004 R . . . . . .
...
TR69FU_check_CRC_validity            .text       00002450 0000015C R . . . . . .
TR69FU_check_download_request        .text       00004FA8 000003E0 R . . . . . .
TR69FU_check_dsa_authencity          .text       00002708 00000468 R . . . . . .
TR69FU_check_flash_fw_dsa_validity   .text       00002B70 000004E8 R . . . . . .
TR69FU_check_flash_section_integrity .text       00002124 00000040 R . . . . . .
TR69FU_check_fw_compatibility        .text       000023CC 00000084 R . . . . . .
...
TR69FU_normal_partion_is_valid       .text       0000585C 000000AC R . . . . . .
TR69FU_rescue_partion_is_valid       .text       00005908 000000AC R . . . . . .
TR69FU_verify_image_checksum         .text       00002164 00000018 R . . . . . .
...
rg_close_flash_section               extern      00049198 00000004 R . . . . . .
rg_ftell_flash_section               extern      00049168 00000004 R . . . . . .
rg_get_flash_section_size            extern      00049190 00000004 R . . . . . .
rg_lseek_flash_section               extern      00049150 00000004 R . . . . . .
rg_open_flash_section                extern      0004912C 00000004 R . . . . . .
rg_read_flash_section                extern      000491A4 00000004 R . . . . . .
rg_write_flash_section_chunk         extern      000490CC 00000004 R . . . . . .
update_sw_vers_from_rgconf_flash     .text       00004A6C 00000138 R . . . . . .
verify_checksum                      .text       0000217C 00000058 R . . . . . .

The original firmware file contains, at offset 0x140, a uImage header, typical of u-boot. The following script can be used for extraction (“cut” the first 0x140 bytes first!). The result is a gzip-compressed file, which can be decompressed with:

cat Image | gzip -d > Image.dec

This decompressed image contains the kernel + a CRAMFS filesystem (search for “Compressed ROMFS”).

I have a copy of mtdblock0, which corresponds to the full 32 MB of flash. It also contains u-boot, which will help in studying the image signature. Using the flash address/layout information it exposes itself and the values passed to the kernel, we can “dissect” the raw flash image in more detail.
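As an added worked example (my own code, not the post's extraction script and not Sagemcom/GVT code), here is what the uImage checks and the flash-offset arithmetic from the bootlogs look like in Python. It reproduces the two checks u-boot's bootm runs (header CRC32, then data CRC32, the step that printed “Bad Data CRC” above), gunzips the payload as the `gzip -d` step does, and maps the bootargs addresses onto offsets in a 32 MB mtdblock0 dump. It assumes the flash is memory-mapped at 0xBE000000, which matches operational_start=0xbe000000 and puts rescue_start=0xbf080000 at offset 0x01080000, the RECOVERY section in the layout above; the wrapper sizes (0x140 and 0x130 bytes before the uImage header) come from the `bootm BE000140` and `bootm bf080130` lines. The flash buffer, image names and kernel payloads are constructed in memory. Note that the CRC is an integrity check only, which is why any corruption of the operational image sends the loader to the rescue slot; it is the DSA signature, not the CRC, that ties an image to whoever built it.

```python
import gzip
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
# 64-byte big-endian uImage header: magic, hcrc, time, size, load, ep, dcrc,
# os, arch, type, comp, name[32]
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")
# Codes behind "MIPS Linux Kernel Image (gzip compressed)" in the bootm output
IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, IH_COMP_GZIP = 5, 5, 2, 1

FLASH_BASE = 0xBE000000  # assumption: flash is mapped here (operational_start=0xbe000000)
FLASH_SIZE = 0x2000000   # 32 MB, the size of mtdblock0
WRAPPER_SCAN = 0x200     # the ".secure" wrapper (signature, name, bootargs) sits before the
                         # uImage header: +0x140 (bootm BE000140), +0x130 (bootm bf080130)

def parse_uimage(blob, offset):
    """Unpack the uImage header at `offset`; ValueError if the magic is absent."""
    (magic, hcrc, time_, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = UIMAGE_HDR.unpack_from(blob, offset)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at 0x%x" % offset)
    return {"offset": offset, "hcrc": hcrc, "time": time_, "size": size, "load": load,
            "ep": ep, "dcrc": dcrc, "os": os_, "arch": arch, "type": typ, "comp": comp,
            "name": name.rstrip(b"\0").decode("ascii", "replace")}

def verify_uimage(blob, offset):
    """The two checks bootm runs: header CRC32, then data CRC32 ("Bad Data CRC").
    Returns (header, status). Integrity only: it says nothing about who built the image."""
    hdr = parse_uimage(blob, offset)
    raw = bytearray(blob[offset:offset + UIMAGE_HDR.size])
    raw[4:8] = b"\0\0\0\0"  # ih_hcrc is computed with its own field zeroed
    if zlib.crc32(bytes(raw)) != hdr["hcrc"]:
        return hdr, "Bad Header CRC"
    start = offset + UIMAGE_HDR.size
    data = bytes(blob[start:start + hdr["size"]])
    if len(data) != hdr["size"] or zlib.crc32(data) != hdr["dcrc"]:
        return hdr, "Bad Data CRC"
    return hdr, "OK"

def extract_kernel(blob, offset):
    """Strip the uImage header and gunzip the payload (the `gzip -d` step above)."""
    hdr, status = verify_uimage(blob, offset)
    if status != "OK":
        raise ValueError(status)
    start = offset + UIMAGE_HDR.size
    payload = bytes(blob[start:start + hdr["size"]])
    return gzip.decompress(payload) if hdr["comp"] == IH_COMP_GZIP else payload

def find_uimage(blob, slot_start, window=WRAPPER_SCAN):
    """Offset of the uImage header within the first `window` bytes of an image slot, or None."""
    pos = bytes(blob[slot_start:slot_start + window]).find(struct.pack(">I", UIMAGE_MAGIC))
    return None if pos < 0 else slot_start + pos

def select_boot_image(flash, operational_start=0xBE000000, rescue_start=0xBF080000):
    """Mirror the console's decision: operational first, rescue on any CRC failure.
    The addresses are the bootargs values and are converted to dump offsets here."""
    for kind, addr in (("operational", operational_start), ("rescue", rescue_start)):
        hdr_off = find_uimage(flash, addr - FLASH_BASE)
        if hdr_off is None:
            continue
        hdr, status = verify_uimage(flash, hdr_off)
        if status == "OK":
            return kind, hdr["name"], hdr_off
    return None, None, None

# ---- constructed sample data (not a real dump) ----------------------------------
OP_HDR = 0x0000140      # operational slot (IMAGE section at 0), wrapper 0x140 bytes
RESCUE_HDR = 0x1080130  # rescue slot (RECOVERY section at 0x1080000), wrapper 0x130 bytes

def build_uimage(name, payload, load=0x80010000, ep=0x802E7000):
    """Build a valid gzip uImage the way mkimage does; used only to construct the sample."""
    data = gzip.compress(payload, mtime=0)
    hdr = bytearray(UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(data), load, ep, zlib.crc32(data),
                                    IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, IH_COMP_GZIP,
                                    name.encode("ascii").ljust(32, b"\0")))
    hdr[4:8] = struct.pack(">I", zlib.crc32(bytes(hdr)))
    return bytes(hdr) + data

def build_sample_flash(corrupt_operational=False):
    """32 MB erased-flash buffer with two constructed images at the board's real offsets."""
    flash = bytearray(b"\xff") * FLASH_SIZE
    op = build_uimage("FAST2764_vOPER.img", b"constructed operational kernel")
    rs = build_uimage("FAST2764_vRESC.img", b"constructed rescue kernel")
    flash[OP_HDR - 0x140:OP_HDR] = b"\0" * 0x140  # stand-in for the .secure wrapper
    flash[OP_HDR:OP_HDR + len(op)] = op
    flash[RESCUE_HDR - 0x130:RESCUE_HDR] = b"\0" * 0x130
    flash[RESCUE_HDR:RESCUE_HDR + len(rs)] = rs
    if corrupt_operational:
        flash[OP_HDR + UIMAGE_HDR.size + 5] ^= 0xFF  # one flipped byte inside the kernel data
    return flash

if __name__ == "__main__":
    for corrupt in (False, True):
        kind, name, off = select_boot_image(build_sample_flash(corrupt))
        print("corrupt=%-5s -> boots %s image %s (header at 0x%x)" % (corrupt, kind, name, off))
```

On a real dump, `select_boot_image(open("mtdblock0", "rb").read())` reports which slot u-boot would take and where its uImage header sits, and `extract_kernel` on that offset gives the same gzip-decompressed kernel+CRAMFS blob the post obtains by cutting the wrapper and running `gzip -d`. The `.secure` wrapper itself (the signature bytes, image name and bootargs visible in the `dump -s 6` output) is deliberately not parsed here, since its exact format is not documented on this page.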

… that's for part 2!

Thanks to the folks who started the research on the 2764 GV and shared their findings!

Link pool

F@ST 2764 GV File vault (if anyone knows of versions other than those listed, please let me know)

Posted on August 29, 2012 at 1:35 pm by Triple Oxygen · Permalink
In: Hardware R.E., Software R.E.

35 Responses


  1. Written by Lucas
    on 4 September 2012 at 9:59 pm

    Do you have an estimate of when you will post part 2?

  2. Written by Rodrigo
    on 5 September 2012 at 4:10 pm

    Good afternoon, could you recommend a TTL / USB serial converter? There are several on Mercado Livre, but if you could specify one I would appreciate it.

    • Written by Triple Oxygen
      on 5 September 2012 at 7:34 pm

      Any one that is not based on the PL2303. The FTDI series and the CP2102 are OK. Otherwise they are all the same.

  3. Written by Moacir
    on 6 September 2012 at 1:49 pm

    Good afternoon. Yesterday I was browsing around midnight when the F@st 2764 modem stopped responding. I looked at it and noticed it was rebooting. When it finished, I opened the configuration page and saw that GVT had updated the firmware to version 8388. I also use it in runlevel 4 (unlocked) and my settings remained the same, including the LAN IP, which I had changed to one VERY different from the default.

  4. Written by Eduardo Ellery
    on 6 September 2012 at 9:09 pm

    Dear all,

    Is there a way to enable SNMP on this modem?

    My old one had it by default…

    DynDNS didn't work for me either…

    Cheers!

  5. Written by Renato
    on 17 September 2012 at 9:06 pm

    I would like to enable the device's firewall and manage it through the browser, as on the Thomson TG508.

  6. Written by Bruno
    on 19 September 2012 at 7:13 pm

    Hello Triple Oxygen, congratulations on the content.

    I would like to know whether you managed to do anything more with this modem. Do you think it is possible to adapt the OpenWrt firmware to run on this modem?

  7. Written by Pedro Vanzella
    on 21 September 2012 at 6:33 pm

    I got my PowerBox today and it came with the newest firmware (FAST2764_v8388).

    I booted it via TFTP and it came up with version 82B0 correctly. I downloaded the settings, enabled telnet, and uploaded them again. I connected via telnet and flashed 82B0. I went to access index2.cgi and it rebooted… to 8388.

    I tried again. This time I rebooted the device without TFTP. It came up on 82B0. I tried to access index2.cgi and it rebooted again, to 8388.

    I tried once more. I flashed 82B0. I grabbed the configs, changed the runlevel, disabled TR69, and made sure telnet was enabled. I rebooted without TFTP. It was on 82B0. Since it should be on runlevel 3, I should be able to change the DHCP range, right? I couldn't.
    I telnetted into it and changed the runlevel to 3 again. I exited telnet and it rebooted. To 8388.

    I have no idea what is going on with it; I can't keep it on 82B0. All I want is to change the IP range and turn off QoS and TR69 (so GVT stops poking around in the device).

    • Written by Triple Oxygen
      on 22 September 2012 at 12:39 am

      Look on the hardware.com.br forum.

    • Written by Dennys
      on 12 October 2012 at 11:24 pm

      Dear Pedro, how do I boot it via TFTP?

  8. Written by MSXManiac
    on 23 September 2012 at 1:19 am

  9. Written by fasci
    on 23 September 2012 at 9:30 pm

    Man, I think you made a mistake posting how to do the downgrade before we had ported a version of OpenWrt to it. You not only revealed one precious piece of information, you also revealed another. I don't want to expose them here. How can I get in better contact with you? Can you see my email?
    Cheers

    • Written by Triple Oxygen
      on 23 September 2012 at 11:34 pm

      The purpose of the blog is to publish information, not hide it. The more data, the easier it is for anyone interested to help/research. If GVT takes some step (is that what you fear?), it will be making a mistake.

      The “About” page has the e-mail address.

  10. Written by Gustavo
    on 25 September 2012 at 5:51 pm

    How do I configure tftpd?

    • Written by Gustavo
      on 25 September 2012 at 6:26 pm

      On Windows, tftpd32.

  11. Written by Bruno
    on 27 September 2012 at 11:01 am

    Nice post, Triple Oxygen… I understand Fasci's concern, but I also think that the more people know this information, the more people will be able to help!!

    My modem was installed recently and was already on this 8388 firmware… I have a few questions!!

    My intention is to leave it in bridge mode, and it looks like I will have to do a downgrade…
    But the question I have is whether, in bridge mode, GVT still has the power to poke around and update the device??

    And about the downgrade… I can't boot it via TFTP…. It can't find the modem!

  12. Written by facsi
    on 28 September 2012 at 9:51 pm

    Oxy, did you get my email? The nick is facsi, not fasci; I typed it wrong.

  13. Written by eltondapg
    on 29 September 2012 at 10:03 pm

    set a static IP of 192.168.100.10
    255.255.255………
    192.168.100.1 and open TFTP32, then it finds the modem!!!

  14. Written by Gustavo
    on 1 October 2012 at 2:25 am

    I did it! I have even sent/executed files on the router.

  15. Written by Paulo
    on 1 October 2012 at 6:56 pm

    I need some help. I don't know how to use Tftpd32; I configured it the way I think is correct, but it didn't work. Could anyone help?

  16. Written by "Desbloqueio" do POWERBOX GVT
    on 3 October 2012 at 8:51 pm

    [...] [...]

  17. Written by lima
    on 5 October 2012 at 9:52 am

    elton my friend, is the IP really right, 192.168.100.x? I set that and nothing happened. What is the right IP for the TFTP to work?

  18. Written by lima
    on 5 October 2012 at 1:10 pm

    I did it, moderator; you didn't need to delete my post.

  19. Written by lima
    on 5 October 2012 at 1:29 pm

    oops, I posted in the wrong place, sorry moderator, it was over at portaladsl.

  20. Written by Token47
    on 20 October 2012 at 5:00 pm

    Yeah, I have one too. I found a way to enable bridge mode; I think it's absurd that they don't give the user that option. Onward, OpenWrt on this router will be very good. Eagerly awaiting the progress!

  21. Written by Diego
    on 31 October 2012 at 5:34 am

    The comments about the TFTPD32 settings are somewhat confusing. Could someone clarify, objectively, what the settings should be?

    More specifically:

    - detail the DHCP settings
    - state which services should be started (TFTP and DHCP are clear, but what about DNS?)

    Thanks everyone

  22. Written by diego
    on 15 November 2012 at 12:29 am

    friend, I can't manage to put the modem in tftp mode. I urgently need this unlock; can anyone help me do the downgrade?

  23. Written by Lucas
    on 15 December 2012 at 11:19 am

    Hello, I would like to know whether you have any more news on the powerbox, whether you have discovered anything else.

    • Written by Triple Oxygen
      on 29 December 2012 at 2:44 am

      Not yet, since I haven't researched further. But I intend to return to it soon. There is another person working on it too.

  24. Written by Robson
    on 29 December 2012 at 9:00 pm

    so after it's unlocked, can I update to the new 8388 firmware, or not? And how do I change it via telnet so it always looks for the hacked firmware from this site?

  25. Written by Marco
    on 19 October 2013 at 1:00 am

    does anyone know if it's possible to use load -u, or some other way, to turn HomeGateway.conf into rg_conf and flash it to sectors 2 and 3?
