====== TP-Link TX-6610 V4 ======

{{description>Information about the TP-Link TX-6610 V4 ONT/ONU. Teardown, hacking, unlocking, firmwares, custom images, recovery, bridge.}}

===== Disclaimer =====

All information, methods, procedures, firmware, applications and material about modifications and configurations posted on this wiki were created by O3 Labs (unless otherwise noted) and have been made available **FREE OF CHARGE** since the day they were produced. Whenever possible, report any attempt to sell this material.

===== Hardware =====

{{:ont:dsc_0289bw.jpg?direct&400 |}} {{ :ont:dsc_0307bw.jpg?direct&400|}}

----

**[[https://photos.app.goo.gl/4AGLwZfzs5t7vZL48|Album with all photos.]]**

^ SoC | Mediatek MT7520ST @ 648 MHz |
^ RAM | Zentel A3R56E40ABF-8E - 256 Mbit (32 MB) DDR2-800 |
^ Flash | GigaDevice 25Q64CSIG - 8 MB SPI Flash |
^ Switch | - |
^ USB | - |
^ Wireless 2.4 GHz | - |
^ Wireless 5 GHz | - |
^ GPON Transceiver / Laser Driver | Econet EN7570N |
^ FXS | - |
^ HPNA | - |
^ Serial | Yes |
^ JTAG | - |

===== Bootlog =====

  DRAMC V2.2.0.2 (0)
  MT751020 at Thu Nov 15 14:20:28 HKT 2018 version 1.1 free bootbase
  Memory size 32MB
  flash base: bc000000
  Found SPI Flash 8MiB GD25Q64 at 0xbc000000
  tcPhyVer_mt7510FE Not found TC Phy
  mtPhyVer_7510Ge Not found TC Phy
  Press any key in 3 secs to enter boot command mode.
  ............................................................
  Invalid Power GPIO, just return and don't turn on Power LED
  act_flag:0, img0[1 1 1], img1[0 0 1]
  erase addr=30000 size=10000
  program from 30000 to 30007
  act_flag:0, img0[1 1 1], img1[0 0 1], after modify
  is_active boot flag = 0
  Decompress to 80002000 free_mem_ptr=80600000 free_mem_ptr_end=80780000
  from main
  Uncompressing [LZMA] ... done.
  Linux version 2.6.36 (root@localhost.localdomain) (gcc version 4.3.4 (GCC) ) #3 SMP Thu Nov 15 14:23:07 HKT 2018
  ISPRAM0: PA=002a8000,Size=00008000,enabled
  DSPRAM0: PA=1dff8000,Size=00001000,enabled
  flash_init: flash_base:bc000000
  flash_init: flash_base:bc000000 memsize:32MB
  Ralink MT751020 SOC prom init
  bootconsole [early0] enabled
  CPU revision is: 00019555 (MIPS 34Kc)
  Determined physical RAM map:
  memory: 01fe0000 @ 00020000 (usable)
  Wasting 1024 bytes for tracking 32 unused pages
  Zone PFN ranges:
  Normal 0x00000020 -> 0x00002000
  Movable zone start PFN for each node
  early_node_map[1] active PFN ranges
  0: 0x00000020 -> 0x00002000
  3 available secondary CPU TC(s)
  PERCPU: Embedded 7 pages/cpu @81043000 s7168 r8192 d13312 u65536
  pcpu-alloc: s7168 r8192 d13312 u65536 alloc=16*4096
  pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3
  Built 1 zonelists in Zone order, mobility grouping on. Total pages: 8096
  Kernel command line: es=1
  PID hash table entries: 128 (order: -3, 512 bytes)
  Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
  Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
  Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
  Primary data cache 64kB, 4-way, VIPT, cache aliases, linesize 32 bytes
  Writing ErrCtl register=00061f7b
  Readback ErrCtl register=00061f7b
  nmi base is 81084200
  Memory: 28612k/32640k available (2744k kernel code, 4028k reserved, 570k data, 216k init, 0k highmem)
  SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
  Hierarchical RCU implementation.
  RCU-based detection of stalled CPUs is disabled.
  Verbose stalled-CPUs detection is disabled.
  NR_IRQS:64
  CPU frequency 648.00 MHz
  Using 266.000 MHz high precision timer.
  console [ttyS0] enabled, bootconsole disabled
  console [ttyS0] enabled, bootconsole disabled
  Calibrating delay loop... 430.89 BogoMIPS (lpj=2154496)
  pid_max: default: 32768 minimum: 301
  Mount-cache hash table entries: 512
  34K sync es set to 1.
  Config7: 0x80080500
  Limit of 4 TCs set
  TLB of 64 entry pairs shared by 2 VPEs
  VPE 0: TC 0 1 2, VPE 1: TC 3
  IPI buffer pool of 16 buffers
  CPU revision is: 00019555 ((null))
  TC 1 going on-line as CPU 1
  CPU revision is: 00019555 ((null))
  TC 2 going on-line as CPU 2
  CPU revision is: 00019555 ((null))
  TC 3 going on-line as CPU 3
  Brought up 4 CPUs
  NET: Registered protocol family 16
  MT7510_pcie_init
  check pcie link up status:
  isRC0_LINKUP=0
  isRC1_LINKUP=0
  PCI-E RC0 & RC1 can not link up
  bio: create slab at 0
  NET: Registered protocol family 8
  NET: Registered protocol family 20
  Switching to clocksource MIPS
  NET: Registered protocol family 2
  IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
  TCP established hash table entries: 1024 (order: 1, 8192 bytes)
  TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
  TCP: Hash tables configured (established 1024 bind 1024)
  TCP reno registered
  UDP hash table entries: 128 (order: 0, 4096 bytes)
  UDP-Lite hash table entries: 128 (order: 0, 4096 bytes)
  NET: Registered protocol family 1
  TC3162 hardware watchdog module loaded.
  squashfs: version 4.0 (2009/01/31) Phillip Lougher
  msgmni has been set to 55
  cryptomgr_test used greatest stack depth: 15632 bytes left
  io scheduler noop registered (default)
  ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
  brd: module loaded
  tc3162 mtd init:
  mt6573_nand_init enter
  MediaTek MT6573 Nand driver init, version v2.0
  tc3162: flash device 0x01000000 at 0x1c000000
  tc3162: Found SPIFLASH 8MiB GD25Q64
  Creating 14 MTD partitions on "tc3162":
  0x000000000000-0x000000800000 : "flash"
  0x000000000000-0x000000020000 : "tcboot"
  0x000000020000-0x000000030000 : "romfile"
  0x000000030000-0x000000040000 : "bootflag"
  0x000000040000-0x000000050000 : "factoryinfo"
  0x000000050000-0x000000060000 : "loid"
  0x000000060000-0x000000070000 : "hwinfo"
  0x000000070000-0x000000090000 : "config"
  0x000000090000-0x0000000a0000 : "iot"
  0x0000000a0000-0x0000001f0000 : "kernelA"
  0x0000001f0000-0x000000400000 : "rootfsA"
  0x000000400000-0x000000550000 : "kernelB"
  0x000000550000-0x000000760000 : "rootfsB"
  0x000000760000-0x000000800000 : "other"
  rootfsA
  PPP generic driver version 2.4.2
  PPP Deflate Compression module registered
  PPP BSD Compression module registered
  NET: Registered protocol family 24
  RT3xxx EHCI/OHCI init.
  Netfilter messages via NETLINK v0.30.
  nf_conntrack version 0.5.0 (447 buckets, 1788 max)
  ctnetlink v0.93: registering with nfnetlink.
  nf_conntrack_rtsp v0.6.21 loading
  nf_nat_rtsp v0.6.21 loading
  ip_tables: (C) 2000-2006 Netfilter Core Team
  TCP cubic registered
  NET: Registered protocol family 10
  IPv6 over IPv4 tunneling driver
  NET: Registered protocol family 17
  802.1Q VLAN Support v1.8 Ben Greear
  All bugs added by David S. Miller
  VFS: Mounted root (squashfs filesystem) readonly on device 31:10.
  Freeing unused kernel memory: 216k freed
  init used greatest stack depth: 15448 bytes left
  busybox init and set aff
  init started: BusyBox v1.00 (2018.10.25-11:13+0000) multi-call binary
  [ used greatest stack depth: 14832 bytes left
  busybox used greatest stack depth: 14320 bytes left
  mtd[readflash]:device=mtd used greatest stack depth: 14240 bytes left
  factoryinfo tclen=160 tcoffset=22
  Unlocking factoryinfo ...
  Reading from factoryinfo to /tmp/7570_bob.conf ...
  00000000h: 00 00 02 20 00 00 03 XX 00 00 00 XX 00 00 01 XX
  00000010h: 00 00 00 06 00 00 00 10 00 00 XX XX 00 00 00 XX
  00000020h: 00 00 00 XX 00 00 00 10 FF FF FF FF 00 00 00 01
  00000030h: 00 00 00 XX 00 00 XX XX FF FF FF FF FF FF FF FF
  00000040h: 00 XX XX XX 00 XX 00 XX FF FF FF FF FF FF FF FF
  00000050h: XX XX XX 00 XX XX XX 00 00 XX XX XX FF FF FF FF
  00000060h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  00000070h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  00000080h: FF FF FF FF 00 00 00 05 FF FF FF FF FF FF FF FF
  00000090h: FF FF FF FF XX XX XX 00 FF FF FF FF FF FF FF FF
  module_sel: module license 'unspecified' taints kernel.
  Disabling lock debugging due to kernel taint
  insmod used greatest stack depth: 13896 bytes left
  tcsmux version: tcsmux V1.1.0.0 (Oct 13 2014-22:25:21).
  insmod used greatest stack depth: 13808 bytes left
  vlantag_drv_init
  TC3162 LED Manager 0.1 init
  tcledctrl version: tcledctrl V1.1.0.0 (Nov 15 2018-14:23:21).
  tccicmd V1.1.0.0 (Nov 15 2018-14:23:23)
  SIFMaster 0.1 init
  Register sifm cmd
  the number of cfg node is 48
  vlantag_init
  autopvc_init
  LanguageSwitch_init
  vendorCfgFile_init
  The number of cache node is 5
  Enter into function:parser_romfile
  mxml: Bad control character 0x0b not allowed by XML standard!
  Romfile format is wrong, we use default romfile to replace current setting romfile!!
  mtd[readflash]:device=reservearea tclen=512 tcoffset=197632
  Unlocking reservearea ...
  Could not open mtd device: reservearea
  Unlocking romfile ...
  Writing from /tmp/var/romfile.cfg to romfile ...
  [ ][e][w][w] iptables used greatest stack depth: 13792 bytes left
  Can't open /etc/Wireless/WLAN_APOn
  lanHost_read: Create node LanHost !
  sh: /usr/bin/ip: not found
  insmod raeth driver
  femac.c:v1.00-NAPI 29.Mar.2011
  MAC from flash_base: 0xbc000000(offset: 0x40000):68 ffffffff 7b 6c ffffff95 58
  eth0: FE MAC Ethernet address: 68:FF:7B:XX:XX:XX
  eth0: starting interface.
  EPhy debug(8): tcPhyVerLookUp() in
  MT7510FE, EPhy debug(8)(15): tcPhyVerLookUp() out
  PhyPart debug: tcPhyInit() in , tcphyver=15, phyaddr=8, eco=0x0
  phyaddr = 8
  EPhy debug(12): tcPhyVerLookUp() in
  MT7510Ge,Internal check flag: fgMT7510Ge_INT=0x0, eco=0x50003
  EPhy debug(12)(16): tcPhyVerLookUp() out
  PhyPart debug: tcPhyInit() in , tcphyver=16, phyaddr=12, eco=0x0
  7510Ge, phyaddr= (12,12)
  debug... ,phyaddr=12 ,eco=0x50003
  insmod used greatest stack depth: 13520 bytes left
  xPON driver initialization
  Alloc data struct memory successful, 34456
  EN7570 found!
  FLASH matrix got
  Internal DDMI Enabled
  TEC Enabled
  RSSI_Vref = 0x216
  RSSI_V = 0x295
  ERC filter set
  MPD Current Offset = 0xea
  Start GPON Tx Calibration
  Rx LOS is set
  CDR disabled
  T0/T1 delay = 0x9a
  T0/T1 delay = 0x47
  RGS_T0C = 0x60
  RGS_T1C = 0x54
  TGEN done
  CDR enabled
  Initial bias/mod current loaded from FLASH
  MPDL/MPDH loaded
  Tx SD set
  APD initialization done
  Rogue ONU clear
  EN7570 Initialization Done!
  PON PHY driver version is 111.86.66
  XPON Mapping Module init OK!
  Ebtables v2.0 registered
  Ralink HW NAT Module Enabled
  IP check use Black List
  device eth0 entered promiscuous mode
  done
  TC3162 hardware watchdog initialized
  no specific node
  four ports
  SIOCGIFFLAGS: No such device
  interface eth0.1 does not exist!
  ERROR: trying to remove VLAN -:eth0.1:- error: No such device
  SIOCGIFFLAGS: No such device
  interface eth0.2 does not exist!
  ERROR: trying to remove VLAN -:eth0.2:- error: No such device
  SIOCGIFFLAGS: No such device
  interface eth0.3 does not exist!
  ERROR: trying to remove VLAN -:eth0.3:- error: No such device
  SIOCGIFFLAGS: No such device
  interface eth0.4 does not exist!
  ERROR: trying to remove VLAN -:eth0.4:- error: No such device
  device eth0 is already a member of a bridge; can't enslave it to bridge br0.
  MT7520S is single port!
  mtd[readflash]:device=reservearea tclen=512 tcoffset=197632
  Unlocking reservearea ..Start omci
  .
  Could not open mtd device: reservearea
  00:00:10 imgr.c [71]: Initial system driver.
  00:00:10 imgr.c [77]: Initial pthread parameters.
  00:00:10 imgr.c [83]: Initial dispatcher.
  00:00:10 dspch_init.c [23]: Create IPC trap message queue
  00:00:10 dspch_init.c [36]: Create IPC trap message queue
  00:00:10 imgr.c [89]: Initial database manager.
  00:00:10 dbmgr_init.c [32]: Create database memory.
  00:00:10 dbmgr_init.c [38]: Create the share database memory successful.
  00:00:10 dbmgr_init.c [41]: The total share database size is 0.
  00:00:10 imgr.c [95]: Initial config manager.
  00:00:10 imgr.c [101]: Initial fault manager.
  00:00:10 imgr.c [107]: Initial performance manager.
  Warning: there is no router interface for voip!!
  iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.
  iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.
  iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.
  iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
  Perhaps iptables or your kernel needs to be upgraded.
  device nas1 entered promiscuous mode
  br0: port 2(nas1) entering forwarding state
  br0: port 2(nas1) entering forwarding state
  br0: port 1(eth0) entering forwarding state
  br0: port 1(eth0) entering forwarding state
  sh: /userfs/bin/dnsmasq: not found
  valid subcommands:
  adsl
  ========================insmod iptable_filter=======================
  chmod: /userfs/profile.cfg: Read-only file system
  valid subcommands:
  adsl
  set olt type: 0
  echo used greatest stack depth: 8680 bytes left
  come into gpon_boot
  activeImage=0, committedImage=0
  Send OAM Update config!
  !sendEponOamCmdMsg open message queue fail!
  Unlocking romfile ...
  Writing from /tmp/var/romfile.cfg to romfile ...
  [ ][e]pon_vlan_init Single Lan port[w]
  initilize xpon igmp module....done!
  [w]
  pon_mac_filter_init Single Lan portCannot open file "/tmp/u
  sendOmciCmdMsg open message queue fail!pload_onu_cardholder_type"
  SIOCSIFMTU: No such device
  SIOCSIFMTU: No such device
  SIOCSIFMTU: No such device
  SIOCSIFMTU: No such device
  got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
  SIOCSIFMTU: No such device
  got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
  *reg=00001640 value:00000000 (ext_switch:0)
  Please press Enter to activate this console.
  sendOmciCmdMsg open message queue fail!got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
  got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
  api_set_pon_ver_info(335): -- not implemented, to do here! --
  api_set_sn_auth_info(300): snIUint32[0] = 0x54504c47, snIUint32[1] = 0xXXXXXXXX, vendor: 0x54504c47
  api_set_sn_auth_info(308): passwd:
  Password:
  api_set_vlan_mode(894): set vlanmode=2 vid=210 pri=0
  get bootflag(0)got mainVer(V3.1.4) standbyVer(V3.1.4)mainSw(V3.1.4), standBySw(V3.1.4)api_set_sn_auth_info(300): snIUint32[0] = 0x54504c47, snIUint32[1] = 0xXXXXXXXX, vendor: 0x54504c47
  sendOmciCmdMsg open message queue fail!
  got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
  got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
  api_renegotiate(546): current mode is not gpon
  api_set_onu_dhcp_status(1103): -- not implemented, to do here! --
  mt7570 detected

===== Serial =====

3.3 V, 115200 baud, 8 bits, no parity, 1 stop bit, idle 1.

===== Custom firmware =====

Based on the original TX-6610_V4_150922 available on the official website. To return to the original firmware, simply update with the official image.

=== Version 2021-08-10 ===

  * Enabled the advanced configuration menus in the web interface.
  * [[https://www.tripleoxygen.net/files/devices/tplink/tx6610/TX-6610V4_O3_2021-08-10.bin|Download (SHA1: 544a532342c77d1d945457e47a488b6e7e59d406)]]

== Acknowledgements ==

People involved in discussions, tips or general chat. List in alphabetical order.