Documenting some findings about the software side of the Sagemcom F@st 2764 GV modem. It appears to be more secure than the F@ST 1704 in terms of who can build and run code on the device. It is also incredibly more annoying just to run a simple "ls"!
First, note that the modem is running the latest firmware version that GVT has pushed remotely so far, v8380, at runlevel 4. Any modification or procedure described here can damage or brick your modem, so it is entirely your own responsibility if you try anything described here!
I noticed that there are already efforts on PortalADSL to "unlock" the modem a bit (this particular thread).
As shown in the teardown, the 2764 GV has a serial port and possibly JTAG. The first step was to check whether the serial port was enabled and what its output (the boot log) looked like, since that gives good information about the software (the log has been "sanitized"):
```text
SAGEM Secure-boot SU2_2_3 fast_2764

CPU: IKANOS Fusiv 180 Family
PCI: 33 MHz
DRAM: 128 MB
Flash: 32 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: emac1

PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1

Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
Searching valid operational firmware
Operational Firmware validated at address be000000
good regular firmware at @0xBE000000 with key @0xBF018411
No bootloader arg
partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000
kernel args update done
Launch regular code from flash
alarmLEDMode(E_FLASH)!
bootm BE000140
## Booting image at be000140 ...
Image Name: FAST2764_v8380.img
Created: 2012-06-08 14:08:37 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 10492534 Bytes = 10 MB
Load Address: 80010000
Entry Point: 802e7000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK

Starting kernel ...

Linux version 2.6.16.26 #1 Fri Jun 8 16:08:23 CEST 2012
argc 9 arg env memsize=128
memsize board_memsize = 128
env memsize=128
env initrd_start=0xA0000000
env initrd_size=0x0
flash_start be000000
env flash_start=0xBE000000
board_flash_size 2000000
env flash_size=0x2000000
arg[1] root=/dev/mtdblock6
arg[2] ro
arg[3] rootfstype=squashfs
arg[4] operational_start=0xbe000000
arg[5] rescue_start=0xbf080000
arg[6] myfs_start=0xbea20000
arg[7] type=operational
arg[8] image_addr=0xBE000000
CPU revision is: 0001964c
Determined physical RAM map:
memory: 07800000 @ 00000000 (usable)
Built 1 zonelists
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 512 (order: 9, 8192 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 108828k/122880k available (2368k kernel code, 13900k reserved, 535k data, 136k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction... available.
NET: Registered protocol family 16
Fusiv PCI: starting...
SCSI subsystem initialized
usbcore: registered new driver usbfs
usbcore: registered new driver hub
Bluetooth: Core ver 2.8
NET: Registered protocol family 31
Bluetooth: HCI device and connection manager initialized
Bluetooth: HCI socket layer initialized
fs/cramfs_block_uncompressed created
NTFS driver 2.1.26 [Flags: R/O].
incomplete dynamic bit lengths treeInitializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered

Random: 0x9c448df9
Serial: 8250/16550 driver $Revision: 1.9.6.1 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO map 0xb9020000 mem 0xb9020000 (irq = 6) is a 16450
serial8250: ttyS1 at MMIO map 0xb90a0000 mem 0xb90a0000 (irq = 29) is a 16450
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: Ikanos On-Chip EHCI Host Controller
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: new USB bus registered, assigned bus number 1
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: irq 35, io mem 0x19230000
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: Ikanos On-Chip OHCI Host Controller
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: new USB bus registered, assigned bus number 2
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: irq 35, io mem 0x19240800
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new driver usblp
/filer1_vol11/dev_projets5/liveboxProV3/dev/diep/Gvt/3.8.0/checkoutdir/openrg/package/rg/os/linux-2.6/drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usbcore: registered new driver usb-storage
USB Mass Storage support registered.
u32 classifier
OLD policer on
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 2, 16384 bytes)
TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
NET: Registered protocol family 1
NET: Registered protocol family 17
Bluetooth: L2CAP ver 2.8
Bluetooth: L2CAP socket layer initialized
Bluetooth: SCO (Voice Link) ver 0.5
Bluetooth: SCO socket layer initialized
Bluetooth: RFCOMM socket layer initialized
Bluetooth: RFCOMM ver 1.7
Bluetooth: BNEP (Ethernet Emulation) ver 1.2
Bluetooth: BNEP filters: protocol multicast
NET: Registered protocol family 8
NET: Registered protocol family 20
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
openrg_flash: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
openrg_flash: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 1 MTD partitions on "openrg_flash":
0x00000000-0x02000000 : "openrg"
openrg_flash: detected at 0x1e000000 size 33554432 bytes
Freeing unused kernel memory: 136k freed
Version: 4.9.4.FAST2764_v8380
Platform: Sagem 2764 Vox180
Compilation Time: 08-Jun-12 13:33:23
Tag: NRD_?bldorg?rg_liveboxPro-V3_0-0-1
Compilation Flags: SOUCHE_DEVICE_DISCOVERY=y CONFIG_TELEFONICA=y CONFIG_VDSL=y CONFIG_ROUTING_WITH_DSPRULES=y CONFIG_37xx_STANDARD=y CONFIG_SAGEM_DLNA=y CONFIG_SIP_UNREGISTER_ON_REBOOT=y CONFIG_DYNAMIC_VLAN_CONFIG=y CONFIG_PPP_NO_DHCP_DISCOVERY=y CONFIG_PPP_NO_NOTIFY=y CONFIG_UPNP_HIDE_INVOQUE_FORCE_TERMINATION=y CONFIG_UPNP_HIDE_INVOQUE_REQUEST_CONNECTION=y CONFIG_UPNP_HIDE_INVOQUE_REQUEST_TERMINATION=y CONFIG_UPNP_IGD_PASSWORD=y CONFIG_UPNP_DEVICE_LAN_MODEL_NAME=Sagem_IGD_LAN CONFIG_UPNP_DEVICE_WAN_CON_MODEL_NAME=Sagem_IGD_WANConnection CONFIG_UPNP_DEVICE_WAN_MODEL_NAME=Sagem_IGD_WAN CONFIG_UPNP_DEVICE_MODEL_NUMBER=000 CONFIG_UPNP_DEVICE_MANUFACTURER_URL=www.gvt.com.br CONFIG_UPNP_DEVICE_MANUFACTURER=Sagem CONFIG_UPNP_IGD_DEVICE_TITLE=Sagem_Internet_Gateway_Device CONFIG_RGCONF_MIGRATION=y CONFIG_SOUCHE_RECONF=y CONFIG_SAGEM_DB_ACCESS=y CONFIG_SAGEM_IPPRINT=y CONFIG_USB_PRINTER=y CONFIG_HFS_FS=y CONFIG_HFSPLUS_FS=y CONFIG_PIN_ACTIVE_WIFI=y CONFIG_SSID2=y CONFIG_MULTI_SSID=y CONFIG_SAGEM_WIFI_MAC_ADDRESS=y CONFIG_SAGEM_WIFI_MODE_11N=y CONFIG_DHCPS_SEND_NO_PADI=y CONFIG_DHCPS_INTERFACES=br0 CONFIG_LIVEBOX_VOIP=y CONFIG_LOG_ENTITIES=0 CONFIG_KALLSYMS=y CONFIG_RG_GDBSERVER=y CONFIG_LIVEBOX_TV=y CONFIG_ETH_PRE_LG=5 CONFIG_MODE_ETHERNET=y CONFIG_SOUCHE_USE_EXTERNAL_OPENSSL=y DIST=SAGEM_376X CONFIG_GVT=y CONFIG_INTERNAL_FIRMWARE_VERSION=8.3.8.0 CONFIG_FIRMWARE_VERSION=FAST2764_v8380 LIC=../../../license/jpkg_ikanos_vx.lic
User Information: G078000@VZX00000 /filer1_vol11/dev_projets5/liveboxProV3/dev/diep/Gvt/3.8.0/checkoutdir/openrg/package/rg
###### rg_conf/network/rg_mac_wifi = 4c:17:eb:xx:xx:xx ######
###### generated_mac_wifi = 4c:17:eb:xx:xx:xx ######
############### Mode_Bridged = 0 ######################
############### xdsl_mode = 1 ######################
###### Kernel Debug mode (rg_conf/kernel/debug) = 0 ######

insmod: add-symbol-file build/debug/hard_watchdog_module.o 0xc0004000 -s .data 0xc0005820 -s .bss 0xc0005960

HardwareWatchdogInitialize : NORMAL BOOT

HardwareWatchdogInitialize :: --- WATCHDOG -- INITIALIZED with ED72 value (i.e. 5999ms)
HardwareWatchdogInitialize :: --- WATCHDOG -- Pacify timer of 2000 ms STARTED

insmod: add-symbol-file build/debug/be_pppoa_mod.o 0xc0007000 -s .data 0xc0008710 -s .bss 0xc0008860

insmod: add-symbol-file build/debug/fusivlib.o 0xc0022000 -s .data 0xc002eb50 -s .bss 0xc0030ee0
fusiv library initializing...
Buffer Copy Through DMA is enabled

fusiv library initialized SUCCESSFULLY...

insmod: add-symbol-file build/debug/bus_arbiter_lkm.o 0xc000a000 -s .data 0xc000b380 -s .bss 0xc000b4e0
vox bus arbiter interrupt handlers registered

insmod: add-symbol-file build/debug/opensrc_lkm.o 0xc0002000 -s .data 0xc00026d0 -s .bss 0xc0002820

insmod: add-symbol-file build/debug/bm.o 0xc0014000 -s .data 0xc0017170 -s .bss 0xc0017340

Buffer Manager is initializing...
BMU GIGE clock
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0000
Load into BM APU Successful !!!

Buffer Manager initialized SUCCESSFULLY...

insmod: add-symbol-file build/debug/sysutil.o 0xc0019000 -s .data 0xc001c240 -s .bss 0xc001c380

insmod: add-symbol-file build/debug/timerlib.o 0xc0010000 -s .data 0xc0010de0 -s .bss 0xc0010f40
Timers are getting initalized
Timers are initilized SUCCESSFULLY...

insmod: add-symbol-file build/debug/ethdriver.o 0xc0044000 -s .data 0xc004bb20 -s .bss 0xc004e900
Module params: eth0_mii=0 eth1_mii=1
eth0: Netpro Sierra Ethernet found at 0xb9110000, irq 14
GIGE 1 clock dev->baseAddr b9110000
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0010
eth0 interface configured in GMII mode
eth1: Netpro Sierra Ethernet found at 0xb9150000, irq 13
GIGE 2 clock dev->baseAddr b9150000
SraPort_initializePort: phyAddr=0x1f: PHY attached
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0020

Ethernet Driver is initialized SUCCESSFULLY

insmod: add-symbol-file build/debug/vdsldriver_lkm.o 0xc003c000 -s .data 0xc003f9e0 -s .bss 0xc0040ec0
VDSL AP and VDSL PHY clocks are enabled
eth2: Netpro VDSL Ethernet found at 0x0, irq 36
>>> bmChangeMacList currNumConfiguredMacAddrs = 0 MAX_NUM_SUPPORTED_MAC_ADDRESSES = 4
0x0:0x1:0x2:0x3:0x4:0x7
User parameters for VDSL AP configured successfully
Slave Mem Alloc: Req size 16 Ptr2Block 0x191f0030
VDSL AP started successfully

VDSL Driver is initialized SUCCESSFULLY

insmod: add-symbol-file build/debug/periap.o 0xc0050000 -s .data 0xc0051c20 -s .bss 0xc0053c60
periApDriverInit: doneSlave Mem Alloc: Req size 16 Ptr2Block 0x191f0040

*******LOAD firmware to AP:PERI_ID result:0Load into PERI_AP APU Successful !!!

insmod: add-symbol-file build/debug/ath_hal.o 0xc00e1000 -s .data 0xc014e5f0 -s .bss 0xc0158f20
ath_hal: 0.9.14.25 (AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, DEBUG, REGOPS_FUNC)

insmod: add-symbol-file build/debug/wlan.o 0xc015c000 -s .data 0xc019ae80 -s .bss 0xc019b740
wlan: 0.8.4.2 (Atheros/multi-bss)

insmod: add-symbol-file build/debug/ath_rate_atheros.o 0xc0066000 -s .data 0xc006b970 -s .bss 0xc0074440
ath_rate_atheros: Version 2.0.1
Copyright (c) 2001-2004 Atheros Communications, Inc, All Rights Reserved

insmod: add-symbol-file build/debug/ath_dfs.o 0xc0076000 -s .data 0xc007ec00 -s .bss 0xc007ed80
ath_dfs: Version 2.0.0
Copyright (c) 2005-2006 Atheros Communications, Inc. All Rights Reserved

insmod: add-symbol-file build/debug/wlan_wep.o 0xc000d000 -s .data 0xc000e830 -s .bss 0xc000e980

insmod: add-symbol-file build/debug/wlan_tkip.o 0xc0055000 -s .data 0xc0058410 -s .bss 0xc0058560

insmod: add-symbol-file build/debug/wlan_ccmp.o 0xc001e000 -s .data 0xc0020250 -s .bss 0xc00203a0

insmod: add-symbol-file build/debug/wlan_xauth.o 0xc0033000 -s .data 0xc0033300 -s .bss 0xc0033440

insmod: add-symbol-file build/debug/wlan_acl.o 0xc0038000 -s .data 0xc0039010 -s .bss 0xc0039160
wlan: mac acl policy registered

insmod: add-symbol-file build/debug/ath_pci.o 0xc019d000 -s .data 0xc01c8e00 -s .bss 0xc01c99e0
ath_pci: 0.9.4.5 (Atheros/multi-bss)
ath_pci: CR-LSDK-1.3.1.110_3-4-9_0-0-9
PCI: Enabling device 0000:00:03.0 (0000 -> 0002)
wifi%d ath_pci_probe Mac Address to configure 4c:17:eb:xx:xx:xx
ar5416InitMacAddr: Eeprom mac address read : 74:b4:92:xx:xx:xx
Chan Freq RegPwr HT CTL CTL_U CTL_L DFS
1 2412n 27 HT20 1 0 1 N
1 2412n 20 HT40 1 0 1 N
2 2417n 20 HT40 1 0 1 N
3 2422n 20 HT40 1 1 1 N
4 2427n 20 HT40 1 1 1 N
5 2432n 20 HT40 1 1 1 N
6 2437n 20 HT40 1 1 1 N
7 2442n 20 HT40 1 1 1 N
8 2447n 20 HT40 1 1 1 N
9 2452n 20 HT40 1 1 1 N
10 2457n 20 HT40 1 1 1 N
11 2462n 20 HT40 1 1 1 N
12 2467n 20 HT40 1 1 0 N
13 2472n 20 HT40 1 1 0 N
dfs_init_radar_filters: dfs->dfs_rinfo.rn_numradars: 0
DFS min filter rssiThresh = 18
DFS max pulse dur = 131 ticks
wifi0: 11ng rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
wifi0: 11ng MCS: 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
wifi0: mac 384.2 phy 15.15 radio 12.0
wifi0: Use hw queue 1 for WME_AC_BE traffic
wifi0: Use hw queue 0 for WME_AC_BK traffic
wifi0: Use hw queue 2 for WME_AC_VI traffic
wifi0: Use hw queue 3 for WME_AC_VO traffic
wifi0: Use hw queue 8 for CAB traffic
wifi0: Use hw queue 9 for beacons
wifi0: Use hw queue 7 for UAPSD
2xMaxPowerLevel: 32 (LEG)
2xMaxPowerLevel: 38 (LEG)

JXU: set the rxBufsize to 3851
wifi0: ath_pci_probe 320 Mac Address configured 4c:17:eb:xx:xx:xx
wifi0: Atheros 9287: mem=0x1a000000, irq=25 hw_base=0xba000000

insmod: add-symbol-file build/debug/one_module.o 0xc0249000 -s .main_flow 0xc02859d0 -s .data 0xc02a4de0 -s .bss 0xc02a6ca0
Loading license fe7cce03ae1ecdf8664e2a9d4237fffffffffffffffffffc702e282dad8703897fb79647f254aad168affffffffffffffffffe320ee12b21d44036dba65548ebd421923317a5e6fd3f30792f5c8c58bffffffffffffffffffffffffff.SAGEM
loading license key: SAGEM
loading license key: SAGEM

insmod: add-symbol-file build/debug/kleds_mod.o 0xc0035000 -s .data 0xc0036430 -s .bss 0xc00365c0

insmod: add-symbol-file build/debug/lb_jffs_mod.o 0xc0042000 -s .data 0xc0042200 -s .bss 0xc0042360
Creating 1 MTD partitions on "openrg_flash":
0x01b00000-0x02000000 : "jffs2"
Press ESC to enter BOOT MENU mode.
dd_openrg_init: registering openrg device discovery entity
MAPS:
00400000-006a9000 r-xp 00000000 00:09 1424660 /mnt/cramfs/bin/openrg
10000000-1005a000 rw-p 002a9000 00:09 1424660 /mnt/cramfs/bin/openrg
1005a000-10198000 rwxp 1005a000 00:00 0 [heap]
2aaa8000-2aaae000 r-xp 00000000 00:09 5828136 /mnt/cramfs/lib/ld-uClibc.so.0
2aaae000-2aaaf000 rw-p 2aaae000 00:00 0
2aab0000-2aab1000 rw-p 2aab0000 00:00 0
2aab2000-2aab3000 rw-s 00000000 00:06 0 /SYSV0000162e (deleted)
2aab4000-2aab5000 rw-s 00000000 00:06 32769 /SYSV0000162d (deleted)
2aaed000-2aaee000 rw-p 00005000 00:09 5828136 /mnt/cramfs/lib/ld-uClibc.so.0
2aaee000-2ab03000 r-xp 00000000 00:09 6887428 /mnt/cramfs/lib/libopenrg.so
2ab03000-2ab43000 ---p 2ab03000 00:00 0
2ab43000-2ab44000 rw-p 00015000 00:09 6887428 /mnt/cramfs/lib/libopenrg.so
2ab44000-2ab82000 r-xp 00000000 00:09 6604724 /mnt/cramfs/lib/libjutil.so
2ab82000-2abc1000 ---p 2ab82000 00:00 0
2abc1000-2abc6000 rw-p 0003d000 00:09 6604
insmod: add-symbol-file build/debug/wlan_scan_ap.o 0xc0060000 -s .data 0xc0063a80 -s .bss 0xc0063bc0
724 /mnt/cramfs/lib/libjutil.so
2abc6000-2abcc000 rw-p 2abc6000 00:00 0
2abcc000-2ac0a000 r-xp 00000000 00:09 6972316 /mnt/cramfs/lib/libssl.so.0.9.8
2ac0a000-2ac49000 ---p 2ac0a000 00:00 0
2ac49000-2ac4d000 rw-p 0003d000 00:09 6972316 /mnt/cramfs/lib/libssl.so.0.9.8
2ac4d000-2ad8d000 r-xp 00000000 00:09 6068352 /mnt/cramfs/lib/libcrypto.so.0.9.8
2ad8d000-2ada2000 rw-p 00140000 00:09 6068352 /mnt/cramfs/lib/libcrypto.so.0.9.8
2ada2000-2ada6000 rw-p 2ada2000 00:00 0
2ada6000-2ada8000 r-xp 00000000 00:09 6536492 /mnt/cramfs/lib/libdl.so.0
2ada8000-2ade7000 ---p 2ada8000 00:00 0
2ade7000-2ade8000 rw-p 00001000 00:09 6536492 /mnt/cramfs/lib/libdl.so.0
2ade8000-2adff000 r-xp 00000000 00:09 6942384 /mnt/cramfs/lib/librg_config.so
2adff000-2ae3e000 ---p 2adff000 00:00 0
2ae3e000-2ae40000 rw-p 00016000 00:09 6942384 /mnt/cramfs/lib/librg_config.so
2ae40000-2ae41000 rw-p 2ae40000 00:00 0
2ae41000-2ae5d000 r-xp 00000000 00:09 6691100 /mnt/cramfs/lib/libm.so.0
2ae5d000-2ae9d000 ---p 2ae5d000 00:00 0
2ae9d000-2ae9e000 rw-p 0001c000 00:09 6691100 /mnt/cramfs/lib/libm.so.0
2ae9e000-2aea0000
insmod: add-symbol-file build/debug/hw_qos_ikanos_mod.o 0xc0080000 -s .data 0xc0080900 -s .bss 0xc0080a80
r-xp 00000000 00:09 7139092 /mnt/cramfs/lib/libutil.so.0
2aea0000-2aedf000 ---p 2aea0000 00:00 0
2aedf000-2aee0000 rw-p 00001000 00:09 7139092 /mnt/cramfs/lib/libutil.so.0
2aee0000-2af1f000 r-xp 00000000 00:09 5864944 /mnt/cramfs/lib/libSwitch.so
2af1f000-2af5f000 ---p 2af1f000 00:00 0
2af5f000-2af60000 rw-p 0003f000 00:09 5864944 /mnt/cramfs/lib/libSwitch.so
2af60000-2af63000 r-xp 00000000 00:09 6062484 /mnt/cramfs/lib/libcrypt.so.0
2af63000-2afa2000 ---p 2af63000 00:00 0
2afa2000-2afa3000 rw-p 00002000 00:09 6062484 /mnt/cramfs/lib/libchw_qos_init:183 init module
rypt.so.0
2afa3000-2afb4000 rw-p 2afa3000 00:00 0
2afb4000-2afbe000 r-xp 00000000 00:09 6719784 /mnt/cramfs/lib/libmsg-api.so
2afbe000-2affd000 ---p 2afbe000 00:00 0
2affd000-2affe000 rw-p 00009000 00:09 6719784 /mnt/cramfs/lib/libmsg-api.so
2affe000-2b00b000 rw-p 2affe000 00:00 0
2b00b000-2b01a000 r-xp 00000000 00:09 6926012 /mnt/cramfs/lib/libpthread.so.0
2b01a000-2b059000 ---p 2b01a000 00:00 0
2b059000-2b05e000 rw-p 0000e000 00:09 6926012 /mnt/cramfs/lib/libpthread.so.0
2b05e000-2b060000 rw-p 2b05e000 00:00 0
2b060000-2b063000 r-xp 00000000 00:09 7130072 /mnt/cramfs/lib/libtr69If.so
2b063000-2b0a2000 ---p 2b063000 00:00 0
2b0a2000-2b0a3000 rw-p 00002000 00:09 7130072 /mnt/cramfs/lib/libtr69If.so
2b0a3000-2b104000 r-xp 00000000 00:09 5933304 /mnt/cramfs/lib/libc.so.0
2b104000-2b144000 ---p 2b104000 00:00 0
2b144000-2b146000 rw-p 00061000 00:09 5933304 /mnt/cramfs/lib/libc.so.0
2b146000-2b14a000 rw-p 2b146000 00:00 0
7fa38000-7fa4d000 rwxp 7fa38000 00:00 0 [stack]

insmod: add-symbol-file build/debug/igmp_proxy_mod.o 0xc008d000 -s .data 0xc0094190 -s .bss 0xc00942e0

insmod: add-symbol-file build/debug/rg_usfs.o 0xc0086000 -s .data 0xc0087510 -s .bss 0xc0087680

insmod: add-symbol-file build/debug/tcp_mss.o 0xc0000000 -s .data 0xc0000a00 -s .bss 0xc0000b80

insmod: add-symbol-file build/debug/rg_dhcp_pktfil.o 0xc0089000 -s .data 0xc008a440 -s .bss 0xc008a5c0

insmod: add-symbol-file build/debug/rg_ipv4.o 0xc0084000 -s .data 0xc0084440 -s .bss 0xc00845c0
IPV4 device driver registered

insmod: add-symbol-file build/debug/pppoe_relay.o 0xc009c000 -s .data 0xc009f800 -s .bss 0xc009f940

insmod: add-symbol-file build/debug/rg_pppoe_relay.o 0xc0082000 -s .data 0xc0082db0 -s .bss 0xc0082f20

insmod: add-symbol-file build/debug/ife6DriverLoad_mod.o 0xc0098000 -s .data 0xc0098440 -s .bss 0xc00985c0
Initializing IFE6 Driver Load module

insmod: add-symbol-file build/debug/watchdog_mod.o 0xc0096000 -s .data 0xc00969f0 -s .bss 0xc0096b60
Initializing Watchdog module
Initializing Watchdog module1
Initializing Watchdog module2

insmod: add-symbol-file build/debug/btn.o 0xc009a000 -s .data 0xc009ac40 -s .bss 0xc009ade0

insmod: add-symbol-file build/debug/qos_ingress.o 0xc00b7000 -s .data 0xc00b81b0 -s .bss 0xc00b8340

insmod: add-symbol-file build/debug/bmedrv.o 0xc00ba000 -s .data 0xc00bade0 -s .bss 0xc00bafa0
bmedrv_init: Region 0x07800000 - 0x07ffffff allocated successfully
BME Driver has been loaded SUCCESSFULLY

insmod: add-symbol-file build/debug/switch.o 0xc00bc000 -s .data 0xc00bd000 -s .bss 0xc00bd1c0
m88e6x6x switch driver for vx180 loaded

insmod: add-symbol-file build/debug/dspvoice.o 0xc02e0000 -s .data 0xc0318bc0 -s .bss 0xc031cd00

##################################################
# DSP Voice Module Part 1 Loading ...

Register /sys/sagem/voice SysCtl ... OK
Using: Software Voicedriver orig_2-1-17_3-6-1 : 2008

# DSP Voice Module Part 1 Loading Ok
##################################################

##################################################
# DSP Voice Module Part 2 Loading ...

Could not find DSP configuration file, setting to defaults
Save and reboot the system to effect the Codec Mode : 2
Total words found in /dsp/dsp218x_1ch_faxonly.dsp Image 31948
Total words found in /dsp/dsp218x_1ch_g729only.dsp Image 31948
Opening of DSP Image [/dsp/dsp218x_1ch_g711vad2only.dsp] failed! Error: 2

Registering Call Back Handlers

DSP TIME SLOT Assigned:260
DSP CLock Assigned:27
DSP Codec Type Assigned:2
DSP SPORT Control Reg Assigned:c30f
ADSP218x DOWNLOAD DONE !!!!

DSP Ver No:1.1

DSP TIME SLOT Assigned:40
DSP CLock Assigned:27
DSP Codec Type Assigned:2
DSP SPORT Control Reg Assigned:820f
ADSP218x DOWNLOAD DONE !!!!

DSP Ver No:1.1
Initialization SLIC system
Initializing Voice
slic GPIO is 12
Initializing SPI Module
SAGEM SLIC card as SILABS
Initializing SLICs
Country use for SLIC BRAZIL
port 0 is Si32176
LOAD Si3217 PATCH for Rev B
No verif
Si3217 patch version 0X09292009
Patch loaded successfully
PATCH Ret=0
MDAC Calibration for channel
other Calibration
ZCAL Calibration
Activate SLICs => 0
BRAZIL Initialization
osAssignInterrupt: Enable IRQ(17) for DSP

Enable IRQ for DSP
osAssignInterrupt: Enable IRQ(21) for DSP

Enable IRQ for DSP

# DSP Voice Module Part 2 Loading Ok
##################################################

insmod: add-symbol-file build/debug/rtp.o 0xc00d1000 -s .data 0xc00dbce0 -s .bss 0xc00dc7c0

##################################################
# RTP Stack Module Loading ...

Register /dev/rtp Device ...Register /sys/sagem/rtp SysCtl ...insmod: cannot open module `/lib/modules/relay.o': No such file or directory
Permanent Parameters were stored in Rgconf RAM
sg_gvt_entity_runlevel.c : action = 0, xdsl_mode = 1
Main process create child
wifi_init: Atheros Wifi card: device AR5416_DEVID_AR9287_PCI (Kiwi).
Atheros Wifi card found: killall: twonkymediaserver: no process killed
ath0
ath1
mt_ma_open : entering in -------------------
mt_ma_start_process : entering in -------------------
opening reconfentity Entity

MAIN AUTOM ID IS 345 killall: twonkymediaserver: no process killed
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled

To activate ar5xxx Debug traces set entry dev/wifi0/dev_ar5xxx_debug in rg_conf

To activate ar5xxx Debug traces set entry dev/wifi0/dev_ar5xxx_debug in rg_conf
device eth0 entered promiscuous mode
OS: VDSL daemon already running
Access: Failed to open bme module
2xMaxPowerLevel: 38 (LEG)
2xMaxPowerLevel: 38 (LEG)

JXU: set the rxBufsize to 3851
ath_newstate: ath0: INIT -> SCAN
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 10080, PF 0

JXU: set the rxBufsize to 3851
device ath0 entered promiscuous mode

To activate hostapd main Debug traces set entry dev/wifi0/hostapd_main_debug in rg_conf
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
eth2.600: Setting MAC address to 4c 17 eb xx xx xx.
VLAN (eth2.600): Underlying device (eth2) has same MAC, not checking promiscious mode.
eth2.602: Setting MAC address to 4c 17 eb xx xx xx.
VLAN (eth2.602): Underlying device (eth2) has same MAC, not checking promiscious mode.
eth2.4000: Setting MAC address to 4c 17 eb xx xx xx.
VLAN (eth2.4000): Underlying device (eth2) has same MAC, not checking promiscious mode.
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 2 - (2417), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 3 - (2422), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 4 - (2427), Flags 30080, PF 0

JXU: set the rxBufsize to 3851

__BEI:load_rgconf_switch_config called__

__BEI:sg_switch_check_config called__

__BEI:sg_switch_write_config_files called__

__BEI:sg_switch_parse_config called__

__BEI:sg_switch_set_mode called__

__BEI:sg_switch_run_config called__
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 5 - (2432), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 6 - (2437), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
killall: twonkymediaserver: no process killed
ath_newstate: ath0: SCAN -> INIT
2xMaxPowerLevel: 38 (LEG)

JXU: set the rxBufsize to 3851
ath_newstate: ath0: INIT -> SCAN
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 10080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 1 - (2412), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 2 - (2417), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 3 - (2422), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 4 - (2427), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 5 - (2432), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 6 - (2437), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 7 - (2442), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 8 - (2447), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 9 - (2452), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 10 - (2457), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 11 - (2462), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 12 - (2467), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 13 - (2472), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
******* channel 1 average rssi 0 noise floor 8364 final average rssi 16728
******* channel 1 average rssi 0 noise floor 8364 final average rssi 16728
******* channel 6 average rssi 6 noise floor 0 final average rssi 6
******* channel 11 average rssi 6 noise floor 1 final average rssi 8
find_best_11ng_centerchan: found best center chan: 6
ath_newstate: ath0: SCAN -> JOIN
2xMaxPowerLevel: 38 (LEG)
ath_chan_set: Changing to channel - 6 - (2437), Flags 30080, PF 0

JXU: set the rxBufsize to 3851
ath_newstate: ath0: JOIN -> RUN

__BEI:sgconfigure_spq_scheduler:134 enable SPQ on AP:1 link speed:1000000000
_switch_free_switch_config called__
Main process create child
Main process create child
ls: /sys/devices/platform/*/*/[0-9]*-*/*/usb:lp*: No such file or directory
ls: /sys/devices/platform/*/*/[0-9]*-*/*/*/usb:lp*: No such file or directory
initprocess to launch : /etc/initprocess.sh 4

xdsl autodetect mode actif

CPE start address is a7800000

ipos system initialized
TwonkyMedia Version 4.4.18

BME 1 is coming up
LOG_SYSTEM: reading ini file: "/usr/local/mediaserver/twonkyvision-mediaserver.ini".

Transfer to SDRAM Successful

BmeHw: Downloading BME 1 software .....!

BmeHw: Bme 1 software code downloaded successfully

The feature bit has been successfully modified for eth0 eth1 PERI VDSL APs...

******sysutil apfeature all vlanbridge enable******

alm freq 20
status freq 30
/tmp/dslSavedConfig.conf file not found

configuration file /etc/vdsl.conf:start______

configuration file /etc/vdsl.conf:start0______

OamOptionMask Set to 3
_____________________BEI:fpvdslconfigfile == NULL__________________
taskUi: profileNum = 2 Sizeof ipos_port_profile=144

Please execute 'vdsl' in 3 seconds to enter into Supervisor mode
2
1
0

Changing port profile #2 BAND_PLAN=0x1 PTM MODE=0x0
OamoptionMask 3
optionMask 8ath_tx_reset Started tx reset
ath_tx_reset Completed tx reset
ath_bstuck_tasklet: stuck beacon; resetting (bmiss count 36)
2xMaxPowerLevel: 38 (LEG)
```
</tr>
Linux version 2.6.16.26… Sources, where? 😉 We can also see u-boot in use as the bootloader. The “Secure-boot” and “use DSA signature” bits are intimidating.
OK, a lot of interesting things can already be pulled from this log, but let's take it one step at a time. Getting access through the serial port/shell would be a good start. That was not the case, though. As mentioned on the PortalADSL forum, after a certain firmware version, access via ttyS0 was disabled: it no longer responds to user input. Heck!
We have no firmware images available, there is no page for updating it, (…) maybe find another flaw in the web server that lets us get into the device (as was the case with “index2.cgi”).
Note that u-boot detects 2 “potential” images in flash. Once the checksum is verified, the “operational” image is executed, which is exactly v8380. So the second image must be a recovery/fail-safe. If we could make u-boot fail, we might drop into a recovery prompt, or else the supposed recovery image would be booted.
How to do that? Glitch the flash! (don't try this!). While the kernel is being loaded from flash into RAM, we could cause noise/faults on the flash data bus; the data would be corrupted and the CRC would fail. That would not be permanent, which gives us some safety. Here is the result:
<td>
<div class="text codecolorer">
SAGEM Secure-boot SU2_2_3 fast_2764

CPU: IKANOS Fusiv 180 Family
PCI: 33 MHz
DRAM: 128 MB
Flash: 32 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: emac1

PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1

Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
Searching valid operational firmware
Operational Firmware validated at address be000000
good regular firmware at @0xBE000000 with key @0xBF018411
No bootloader arg
partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000
kernel args update done
Launch regular code from flash
alarmLEDMode(E_FLASH)!
bootm BE000140
## Booting image at be000140 ...
Image Name: FAST2764_v8380.img
Created: 2012-06-08 14:08:37 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 10492534 Bytes = 10 MB
Load Address: 80010000
Entry Point: 802e7000
Verifying Checksum ... Bad Data CRC
alarmLEDMode(E_FLASH_RESCUE)!
Searching valid rescue firmware
Rescue Firmware validated at address bf080000
alarmLEDMode(E_BOOT_FLASH_RESCUE)!
recovery firmware at @0xBF080000 with key @0xBF0185A5 is OK
No bootloader arg
partition not moved
updating kernel args
bootargs root=/dev/mtdblock5 ro rootfstype=squashfs rescue_start=0xbf080000 myfs_start=0xbfa20000 myfs_size=0x00000000 type=rescue image_addr=0xBF080000
kernel args update done
Launch recovery code from flash
bootm bf080130
## Booting image at bf080130 ...
Image Name: FAST2764_v82B0.img
Created: 2011-07-28 16:06:09 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 10020917 Bytes = 9.6 MB
Load Address: 80010000
Entry Point: 802e7000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK

Starting kernel ...

Linux version 2.6.16.26 #1 Thu Jul 28 18:05:57 CEST 2011
argc 9 arg <NULL> env memsize=128
memsize board_memsize = 128
env memsize=128
env initrd_start=0xA0000000
env initrd_size=0x0
...
</div>
</td>
</tr>
It works! And look, the recovery image is v82B0, known to still have index2.cgi. Note also that the arguments passed to the kernel are different, such as the root MTD device, and the type is now called “rescue”. The modem boots and works normally (syncs, authenticates) with this image. It is somewhat prone to crashes in this mode, due to incompatibilities between the old kernel and the new (8380) rootfs. But it works (…).
Now the serial port works:
<td>
<div class="text codecolorer">
Username:
Password:

HomeGateway> 
HomeGateway> help
help Show help for commands within this menu

Usage:
help all - show all available commands in the current level
help [category]... <category> - show commands in a certain category
help [category]... <command> - show detailed help for a specific command
help -s <string> - search for categories/commands containing the string

Availble help Categories
help pvc - show help about PVC scan related commands
help conf - show help about Read and write HomeGateway configuration data
help FT commands - show help about FT commands
help FT atm commands - show help about FT atm commands
help FT sndcp commands - show help about FT sndcp commands
help vdsl - show help about VDSL commands
help upnp - show help about UPnP commands
help qos - show help about Control and display QoS data
help bridge - show help about API for managing ethernet bridge
help gvt - show help about Gvt configuration and control
help firewall - show help about Control and display Firewall and NAT data
help connection - show help about API for managing connections
help inet_connection - show help about API for managing internet connections
help wireless - show help about Wireless commands
help misc - show help about API for HomeGateway miscellaneous tasks
help firmware_update - show help about Firmware update commands
help log - show help about Controls HomeGateway logging behavior
help dev - show help about Device related commands
help kernel - show help about Kernel related commands
help system - show help about Commands to control HomeGateway execution
help flash - show help about Flash and loader related commands
help net - show help about Network related commands
help leds - show help about Leds control commands
help cmd - show help about Commands related to the Command module

Returned 0
HomeGateway> help all

Command Category pvc - PVC scan related commands
scan Scan predefined vpi.vci to determine PPP protocol
scan_restart Restart PVC scan
scan_status Display PVC scan status
exit Exit sub menu
help Show help for commands within this menu

Command Category conf - Read and write HomeGateway configuration data
factory Factory related commands
print Print HomeGateway configuration
set Set HomeGateway configuration path to value
set_obscure Set HomeGateway configuration path to an obscured value
del Delete subtree from HomeGateway configuration
ram_set Set HomeGateway dynamic configuration
ram_print Print HomeGateway dynamic configuration
reconf Reconfigure the system according to the current HomeGateway 
configuration
exit Exit sub menu
help Show help for commands within this menu

Command Category FT commands - FT commands
save Save configurating to flash
flash_chksum Display all flash sections checksums
atm atm
sndcp sndcp
vdsl VDSL commands
upnp UPnP commands
qos Control and display QoS data
bridge API for managing ethernet bridge
gvt Gvt configuration and control
firewall Control and display Firewall and NAT data
connection API for managing connections
inet_connection API for managing internet connections
wireless Wireless commands
misc API for HomeGateway miscellaneous tasks
firmware_update Firmware update commands
log Controls HomeGateway logging behavior
dev Device related commands
kernel Kernel related commands
system Commands to control HomeGateway execution
flash Flash and loader related commands
net Network related commands
leds Leds control commands
exit Exit from the current CLI session
help Show help for commands within this menu

Command Category FT atm commands - FT atm commands
atm atm
sndcp sndcp
vdsl VDSL commands
upnp UPnP commands
qos Control and display QoS data
bridge API for managing ethernet bridge
gvt Gvt configuration and control
firewall Control and display Firewall and NAT data
connection API for managing connections
inet_connection API for managing internet connections
wireless Wireless commands
misc API for HomeGateway miscellaneous tasks
firmware_update Firmware update commands
log Controls HomeGateway logging behavior
dev Device related commands
kernel Kernel related commands
system Commands to control HomeGateway execution
flash Flash and loader related commands
net Network related commands
leds Leds control commands
exit Exit from the current CLI session
help Show help for commands within this menu

Command Category FT sndcp commands - FT sndcp commands
sndcp sndcp
vdsl VDSL commands
upnp UPnP commands
qos Control and display QoS data
bridge API for managing ethernet bridge
gvt Gvt configuration and control
firewall Control and display Firewall and NAT data
connection API for managing connections
inet_connection API for managing internet connections
wireless Wireless commands
misc API for HomeGateway miscellaneous tasks
firmware_update Firmware update commands
log Controls HomeGateway logging behavior
dev Device related commands
kernel Kernel related commands
system Commands to control HomeGateway execution
flash Flash and loader related commands
net Network related commands
leds Leds control commands
exit Exit from the current CLI session
help Show help for commands within this menu

Command Category vdsl - VDSL commands
status Get VDSL line status
BmeFirmVer Get BME Firmware versions
NeSnrAttn Get Near End SNR Margin and Attenuation
displayAllPmCounters Display All Performance Counters
displayUsInfos Display Far-end informations
exit Exit sub menu
help Show help for commands within this menu

Command Category upnp - UPnP commands
igd IGD commands
status Display UPnP status
exit Exit sub menu
help Show help for commands within this menu

Command Category qos - Control and display QoS data
utilization Connection utilization information
exit Exit sub menu
help Show help for commands within this menu

Command Category bridge - API for managing ethernet bridge
connection connect separate network interfaces to form one seamless LAN
config Configure bridge
info Print bridge information
exit Exit sub menu
help Show help for commands within this menu

Command Category gvt - Gvt configuration and control
set Configure the gvt runlevel
conf Display the gvt conf
exit Exit sub menu
help Show help for commands within this menu

Command Category firewall - Control and display Firewall and NAT data
restart Stop and start Firewall & NAT
start Start Firewall & NAT
stop Stop Firewall & NAT
filter Turn Firewall packet inspection on/off
mac_cache_dump Dump MAC cache data
dump Display Firewall data
variable Display variables of the firewall rules
trace Trace packet traversal via the Firewall ruleset
fastpath Turns firewall fastpath feature on/off (default is on)
set_tr69_rule Creates policy rules for TR69
exit Exit sub menu
help Show help for commands within this menu

Command Category connection - API for managing connections
pppoe Configure pppoe interface
l2tp_vpn Configure l2tpc interface
pptp_vpn Configure pptpc interface
pppoa Configure pppoa interface
vlan Configure vlan interface
exit Exit sub menu
help Show help for commands within this menu

Command Category inet_connection - API for managing internet connections
pppoe Configure pppoe internet connection
l2tp Configure l2tpc internet connection
pptp Configure pptpc internet connection
pppoa Configure pppoa internet connection
ether Configure ethernet internet connection
exit Exit sub menu
help Show help for commands within this menu

Command Category wireless - Wireless commands
captive Wireless captive commands
exit Exit sub menu
help Show help for commands within this menu

Command Category misc - API for HomeGateway miscellaneous tasks
pppos_start Start PPPoS connection
pppos_close Close PPPoS connection
print_ram print ram consumption for each process
vlan_add Add VLAN interface
top Profiling over event loop and estream
wbm_debug_set Stop and start WBM debug mode
wbm_border_set Stop and start WBM border mode
wbm_session_release_all Release all existing WBM sessions
knet_hooks_dump Dump to console which knet_hooks run on each device
exit Exit sub menu
help Show help for commands within this menu

Command Category firmware_update - Firmware update commands
start Remotely upgrade HomeGateway
cancel Kill running remote upgrade
exit Exit sub menu
help Show help for commands within this menu

Command Category log - Controls HomeGateway logging behavior
filter Controls the CLI session logging behavior
exit Exit sub menu
help Show help for commands within this menu

Command Category dev - Device related commands
mii_reg_get Get Ethernet MII register value
mii_reg_set Set Ethernet MII register value
mii_phy_reg_get Get Ethernet MII register value
mii_phy_reg_set Set Ethernet MII register value
exit Exit sub menu
help Show help for commands within this menu

Command Category kernel - Kernel related commands
sys_ioctl issue openrg ioctl
meminfo Print memory information
top Print HomeGateway's processes memory usage
cpu_load_on Periodically shows cpu usage.
cpu_load_off Stop showing cpu usage (triggered by cpu_load_on).
cpu_load_avg Shows average cpu usage of last 1, 5 and 15 minutes. 
exit Exit sub menu
help Show help for commands within this menu

Command Category system - Commands to control HomeGateway execution
die Exit from HomeGateway and return ret
ps Print HomeGateway's tasks
entity_close Close an entity
etask_list_dump Dump back trace of all etasks
restore_factory_settings Restore factory configuration
reboot Reboot the system
ver Display version information
print_config Print compilation configuration. Search for option 
if specified
exec Execute program
cat Print file contents to console
shell Spawn busybox shell in foreground
date Print the current UTC and local time
echo Echo arguments to console
autoip_lan_mode Configure the lan interface using Auto-IP
igd_lan_mode Configure the lan interface for normal IGD use
exit Exit sub menu
help Show help for commands within this menu

Command Category flash - Flash and loader related commands
commit Save HomeGateway configuration to flash
erase Erase a given section in the flash
load Load and burn image
boot Boot the system
bset Configure bootloader
layout Print the flash layout and content
dump Dump the flash content
lock Lock mtd region
unlock Unlock mtd region
exit Exit sub menu
help Show help for commands within this menu

Command Category net - Network related commands
dns_route Dyncamic Routing according to DNS replies
igmp IGMP Proxy related commands
host Resolve host by name
ifconfig Configure network interface
ping Test network connectivity
rg_ifconfig List HomeGateway Network Devices
route Print route table
main_wan Print the name of the current main wan device
intercept_state Print interception state
exit Exit sub menu
help Show help for commands within this menu

Command Category leds - Leds control commands
led_power_set Set POWER led
led_wifi_set Set WIRELESS led
control_all_leds Set ALL led
led_secwifi_set Set WIRELESS SECURITY led
led_intnet_set Set INTENRET led
led_ftth_set Set FTTH led
led_dsl_set Set DSL led
led_tel1_set Set PHONE1 led
led_tel2_set Set PHONE2 led
led_rep1_set Set REPONDEUR1 led
led_rep2_set Set REPONDEUR2 led
led_usb1_set Set USB1 led
led_usb2_set Set USB2 led
relay_set Set RELAY
led_hpna_set Set HPNA led
exit Exit sub menu
help Show help for commands within this menu

Command Category cmd - Commands related to the Command module
exit Exit from the current CLI session
help Show help for commands within this menu

Returned 0
</div>
</td>
</tr>
OK, without further ado:
<td>
<div class="text codecolorer">
HomeGateway> system shell

Temporary setting log_level off

BusyBox v1.01 (2005.09.07-07:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

# help

Built-in commands:
-------------------
. : break cd chdir continue eval exec exit export false hash
help let local pwd read readonly return set shift times trap
true type ulimit umask unset wait

# ls
bin etc home mnt sbin tmp var
dev fstab lib proc sys usr
</div>
</td>
</tr>
I will put a “dump” in the link pool soon. Dumps of v82B0 and v8380 are in the pool.
However, none of this is permanent. One reboot and we are back to square one. What if we could downgrade? But how: there is no flashing interface except via TR69, driven by GVT. And where would the images be for us to use? Well, for the second question, they are in the link pool: all the images I could get from GVT's servers, the same ones the modem fetches to update itself. 😉
Let's go back to the OpenRG menu, before BusyBox. There is a sub-menu called “flash”:
<td>
<div class="text codecolorer">
Command Category flash - Flash and loader related commands

commit Save HomeGateway configuration to flash
erase Erase a given section in the flash
load Load and burn image
boot Boot the system
bset Configure bootloader
layout Print the flash layout and content
dump Dump the flash content
lock Lock mtd region
unlock Unlock mtd region
exit Exit sub menu
help Show help for commands within this menu
</div>
</td>
</tr>
Let's look at the layout:
<td>
<div class="text codecolorer">
HomeGateway> flash layout
Flash layout:

Section 00 Type BOOT Range 0x01000000-0x01020000 MaxSize 0x00020000
No more information.

Section 01 Type FACTORY Range 0x00000000-0x00000000 MaxSize 0xFFFFFF6C
Uninitialized.

Section 02 Type CONF Range 0x01040000-0x01060000 MaxSize 0x0001FF6C
Size 0x00004EE9 Name 'rg_conf'
Checksum 0x0027C298 Counter 0x00000033 Start Offset 0x00000000

Section 03 Type CONF Range 0x01060000-0x01080000 MaxSize 0x0001FF6C
Size 0x00004F99 Name 'rg_conf'
Checksum 0x0027E1C4 Counter 0x00000032 Start Offset 0x00000000

Section 04 Type RECOVERY Range 0x01080000-0x01B00000 MaxSize 0x00A80000
No more information.

Section 05 Type JFFS Range 0x01B00000-0x02000000 MaxSize 0x00500000
No more information.

Section 06 Type IMAGE Range 0x00000000-0x01000000 MaxSize 0x01000000
No more information.

Total 7 sections found.

Returned 0
</div>
</td>
</tr>
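The layout listing and the addresses u-boot prints during boot describe the same 32 MB of flash, so they can be tied together. The Python below is an added example (not code from the post, from OpenRG or from Sagemcom): it parses the `flash layout` text above, converts the CPU addresses from the boot log (the bootargs `*_start`/`image_addr` values and the two `with key @...` addresses) into flash offsets, names the section each one lands in, and lists the ranges no section claims. The flash base address 0xbe000000 is an assumption, inferred from `operational_start=0xbe000000` matching the IMAGE section at offset 0 and `rescue_start=0xbf080000` matching RECOVERY at 0x01080000; `carve()` is a plain slice for use on a raw mtdblock0 dump.

```python
import re

# `flash layout` output of the 2764 GV as shown in the post, copied as-is
LAYOUT_TEXT = """\
Section 00 Type BOOT Range 0x01000000-0x01020000 MaxSize 0x00020000
No more information.

Section 01 Type FACTORY Range 0x00000000-0x00000000 MaxSize 0xFFFFFF6C
Uninitialized.

Section 02 Type CONF Range 0x01040000-0x01060000 MaxSize 0x0001FF6C
Size 0x00004EE9 Name 'rg_conf'
Checksum 0x0027C298 Counter 0x00000033 Start Offset 0x00000000

Section 03 Type CONF Range 0x01060000-0x01080000 MaxSize 0x0001FF6C
Size 0x00004F99 Name 'rg_conf'
Checksum 0x0027E1C4 Counter 0x00000032 Start Offset 0x00000000

Section 04 Type RECOVERY Range 0x01080000-0x01B00000 MaxSize 0x00A80000
No more information.

Section 05 Type JFFS Range 0x01B00000-0x02000000 MaxSize 0x00500000
No more information.

Section 06 Type IMAGE Range 0x00000000-0x01000000 MaxSize 0x01000000
No more information.
"""

# Kernel command lines printed by u-boot in the post (operational boot and rescue fallback)
OPERATIONAL_BOOTARGS = ("root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 "
                        "rescue_start=0xbf080000 myfs_start=0xbea20000 type=operational image_addr=0xBE000000")
RESCUE_BOOTARGS = ("root=/dev/mtdblock5 ro rootfstype=squashfs rescue_start=0xbf080000 "
                   "myfs_start=0xbfa20000 myfs_size=0x00000000 type=rescue image_addr=0xBF080000")

FLASH_SIZE = 32 * 1024 * 1024   # "Flash: 32 MB" in the boot log
# ASSUMPTION: CPU address of flash offset 0, inferred from operational_start <-> IMAGE@0
# and rescue_start <-> RECOVERY@0x01080000 in the post's own output.
FLASH_BASE = 0xBE000000

SECTION_RE = re.compile(
    r"Section (\d+) Type (\w+) Range 0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+) MaxSize 0x([0-9A-Fa-f]+)")


def parse_layout(text):
    """Turn the CLI listing into section dicts; zero-length ranges are kept but flagged."""
    sections = []
    for m in SECTION_RE.finditer(text):
        idx, typ, start, end, maxsize = m.groups()
        start, end = int(start, 16), int(end, 16)
        sections.append({"index": int(idx), "type": typ, "start": start, "end": end,
                         "maxsize": int(maxsize, 16), "empty": end <= start})
    return sections


def locate(sections, cpu_addr):
    """Map a CPU address printed by u-boot to (flash offset, section type or None)."""
    off = cpu_addr - FLASH_BASE
    if not 0 <= off < FLASH_SIZE:
        return off, None
    for s in sections:
        if not s["empty"] and s["start"] <= off < s["end"]:
            return off, s["type"]
    return off, None


def parse_bootargs(args):
    return dict(tok.split("=", 1) for tok in args.split() if "=" in tok)


def map_bootargs(sections, args):
    """For every *_start / image_addr value, report which flash section it points into."""
    return {k: locate(sections, int(v, 16)) for k, v in parse_bootargs(args).items()
            if k.endswith("_start") or k == "image_addr"}


def unmapped_gaps(sections):
    """Flash ranges no section claims: worth a look when carving a raw dump."""
    live = sorted((s for s in sections if not s["empty"]), key=lambda s: s["start"])
    gaps, cursor = [], 0
    for s in live:
        if s["start"] > cursor:
            gaps.append((cursor, s["start"]))
        cursor = max(cursor, s["end"])
    if cursor < FLASH_SIZE:
        gaps.append((cursor, FLASH_SIZE))
    return gaps


def carve(dump, sections, typ):
    """Slice the first section of type `typ` out of a raw 32 MB flash dump (mtdblock0)."""
    for s in sections:
        if s["type"] == typ and not s["empty"]:
            return dump[s["start"]:s["end"]]
    raise KeyError(typ)


if __name__ == "__main__":
    secs = parse_layout(LAYOUT_TEXT)
    for k, (off, typ) in map_bootargs(secs, OPERATIONAL_BOOTARGS).items():
        print("%-18s -> flash offset 0x%08x (%s)" % (k, off, typ))
    for addr in (0xBF018411, 0xBF0185A5):   # the "with key @..." addresses from the boot log
        print("key @0x%08X      -> flash offset 0x%08x (%s)" % ((addr,) + locate(secs, addr)))
    print("unmapped:", ["0x%08x-0x%08x" % g for g in unmapped_gaps(secs)])
```

Running it shows both key addresses landing inside the BOOT section, which is consistent with the post's reading that the public key used for the DSA check lives with the bootloader, and a 128 KB hole between BOOT and the first CONF copy that the listing does not account for.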
Useful information! And the command we are interested in for now is “load” (I will try to put the output of the other commands in a separate file).
<td>
<div class="text codecolorer">
flash> load
URL has not been specified and default URL is not set
Usage: load -u <url> [-s <section> | -r <address>]

Returned 1
</div>
</td>
</tr>
Apparently the “load” command fetches the image directly from a URL and writes it to section <section> or to address <address>. Well, if we want to update the 2764 GV firmware, we should write an operational image to section 6. Let's try with the oldest image currently obtainable from GVT (the image is already in this project's file vault, and since the modem is working it can be fetched from there, but it could come from a local HTTP server, for example):
<td>
<div class="text codecolorer">
flash> load -u http://tripleoxygen.net/files/router_hacking/sagemcom/f2764gv/firmware/stock/FAST2764_v82P6.img.secure -s 6
</div>
</td>
</tr>
Wait a few minutes… and:
<td>
<div class="text codecolorer">
Download completed successfully

Returned 0
</div>
</td>
</tr>
The new image can be checked with the “dump” command:
<td>
<div class="text codecolorer">
flash> dump -s 6

00000000: 60 4c 51 ea 2c 3b f3 1e e1 70 78 a1 61 2b 9b e0 |`LQ.,;...px.a+..|
00000010: 70 e3 b2 7b a9 26 e3 d1 43 c1 53 a2 5d 0a 60 79 |p..{.&..C.S.].`y|
00000020: 5d 9c 49 73 63 55 d6 e3 45 03 8c ab 8b 48 1e 74 |].IscU..E....H.t|
00000030: 00 03 00 00 00 00 00 00 46 41 53 54 32 37 36 34 |........FAST2764|
00000040: 5f 76 38 32 50 36 2e 69 6d 67 ff ff 00 00 00 00 |_v82P6.img......|
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070: 00 00 00 00 00 00 00 00 00 94 00 00 00 00 00 ac |................|
00000080: 00 00 00 00 00 00 00 00 00 00 00 ac 00 00 00 86 |................|
00000090: 00 00 00 00 00 00 01 40 00 92 f7 e3 00 00 00 00 |.......@........|
000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 72 6f 6f 74 |............root|
000000b0: 3d 2f 64 65 76 2f 6d 74 64 62 6c 6f 63 6b 36 20 |=/dev/mtdblock6 |
000000c0: 72 6f 20 72 6f 6f 74 66 73 74 79 70 65 3d 73 71 |ro rootfstype=sq|
000000d0: 75 61 73 68 66 73 20 6f 70 65 72 61 74 69 6f 6e |uashfs operation|
000000e0: 61 6c 5f 73 74 61 72 74 3d 30 78 62 65 30 30 30 |al_start=0xbe000|
000000f0: 30 30 30 20 72 65 73 63 75 65 5f 73 74 61 72 74 |000 rescue_start|
</div>
</td>
</tr>
Reboot the modem: downgrade done! Obviously this is not very useful for the average user, but since we now have the serial port always active, research is easier. Note that it is not possible to get the v82B0 image from GVT (they removed it). What is possible is extracting it from flash after a full dump. However, it is of the rescue type, and flashing it as operational may not be a good idea.
OK, but flash glitches are risky. Another way, which I found out later, is the LAN_RESCUE mode the 2764 GV has:
- Unplug the modem from the mains;
- Hold the reset button;
- Apply power and keep holding reset for a few seconds.
The LEDs will blink in a different pattern and at that point the modem will try to boot via BOOTP over the network. Set up DHCP & BOOTP on your PC (TFTPD32 on Windows, for example); the 2764 GV will try to load /tftpboot/kernel.img.
<td>
<div class="text codecolorer">
SAGEM Secure-boot SU2_2_3 fast_2764

CPU: IKANOS Fusiv 180 Family
PCI: 33 MHz
DRAM: 128 MB
Flash: 32 MB
Using default environment

In: serial
Out: serial
Err: serial
Net: emac1

PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1

Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
force recovery bootp tftp
alarmLEDMode(E_LAN_RESCUE)!
BOOTP broadcast 1
*** Unhandled DHCP Option in OFFER/ACK: 7
*** Unhandled DHCP Option in OFFER/ACK: 44
DHCP client bound to address 192.168.1.101
Using emac1 device
TFTP from server 192.168.153.1; our IP address is 192.168.1.101; sending through gateway 192.168.1.2
Filename '/tftpboot/kernel.img'.
Load address: 0x80800000
Loading: *checksum bad
checksum bad
checksum bad
checksum bad
T T T T T T T T T T
Retry count exceeded; starting again
BOOTP broadcast 1
*** Unhandled DHCP Option in OFFER/ACK: 7
*** Unhandled DHCP Option in OFFER/ACK: 44
DHCP client bound to address 192.168.1.101
Using emac1 device
TFTP from server 192.168.1.2; our IP address is 192.168.1.101
Filename '/tftpboot/kernel.img'.
Load address: 0x80800000
Loading: *################################################################
#################################################################
...
#################################################################

##########
done
Bytes transferred = 9699328 (940000 hex)
Launch recovery code from ram
alarmLEDMode(E_RAM_RESCUE)!
No bootloader arg
partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbe940000 type=operational image_addr=0x80800000
kernel args update done
bootm 80800140
## Booting image at 80800140 ...
Image Name: FAST2764_v82P6.img
Created: 2012-01-13 10:36:20 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 9631651 Bytes = 9.2 MB
Load Address: 80010000
Entry Point: 802e7000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK

Starting kernel ...

Linux version 2.6.16.26 #1 Fri Jan 13 11:36:08 CET 2012
argc 9 arg <NULL> env memsize=128
memsize board_memsize = 128
...
</div>
</td>
</tr>
Despite the “kernel.img” name, the official images work perfectly, so just rename the version you want to send and that's it. The kernel is loaded into RAM (so there is no risk in sending the wrong thing/version; just reset the modem) and booted. By sending an old version you gain access to the serial port and can then “play around” or downgrade. And who knows, telnet?
Enabling the telnet daemon for research
Apparently only v82B0 was built with telnet support. If you want access this way to study the device (much better than serial, and there is no need to take the modem apart), the following can be done:
- Put the modem into LAN_RESCUE mode (boot via BOOTP);
- Send the v82B0 image available in the vault (see the link pool);
- Access the configuration file through the index2.cgi maintenance link (System > Maintenance);
- Download the tar with the HomeGateway.conf file (Download Configuration File);
- Open HomeGateway.conf, look for “(telnets(ports))” and replace it with “(telnets(ports(0(port(23)))))”;
- Update the tar with this modified HomeGateway.conf;
- Upload the tar through the same maintenance page with “Upload Configuration File”;
- Confirm.
The modem will reboot, so it will come back on the new firmware version, not v82B0. Load v82B0 via BOOTP again. Telnet will be enabled. Hack away!
Remember that the HomeGateway.conf change can also be made the way known on the PortalADSL forum, since the file is persistent. Also keep in mind that this v82B0 image is a rescue image and was extracted from a raw flash dump, so flashing it to the device is risky. Use it only via BOOTP!
I believe the modem's runlevel can be changed over the serial port through the “gvt” sub-menu, “set” option, followed by “flash commit”. I have not tested this yet.
Firmware image format
I have researched the format only a little, but the “secure” extension on the official images tells us something… judging by the information in u-boot, the images may be signed with the DSA algorithm. Being asymmetric, the device would hold the public key and GVT the private one. Therefore only GVT could generate valid images for the 2764 GV. Of course, if we could replace the public key inside the modem with one whose private key we hold, bingo!
A quick look at the “libFU_TR69.so” library reveals interesting symbols:
<td>
<div class="text codecolorer">
DSA_SIG_free extern 000490FC 00000004 R . . . . . .
DSA_SIG_new extern 00049104 00000004 R . . . . . .
DSA_do_verify extern 0004913C 00000004 R . . . . . .
DSA_free extern 00049148 00000004 R . . . . . .
DSA_new extern 00049158 00000004 R . . . . . .
...
SHA1_Final extern 0004915C 00000004 R . . . . . .
SHA1_Init extern 00049180 00000004 R . . . . . .
SHA1_Update extern 00049160 00000004 R . . . . . .
...
TR69FU_check_CRC_validity .text 00002450 0000015C R . . . . . .
TR69FU_check_download_request .text 00004FA8 000003E0 R . . . . . .
TR69FU_check_dsa_authencity .text 00002708 00000468 R . . . . . .
TR69FU_check_flash_fw_dsa_validity .text 00002B70 000004E8 R . . . . . .
TR69FU_check_flash_section_integrity .text 00002124 00000040 R . . . . . .
TR69FU_check_fw_compatibility .text 000023CC 00000084 R . . . . . .
...
TR69FU_normal_partion_is_valid .text 0000585C 000000AC R . . . . . .
TR69FU_rescue_partion_is_valid .text 00005908 000000AC R . . . . . .
TR69FU_verify_image_checksum .text 00002164 00000018 R . . . . . .
...
rg_close_flash_section extern 00049198 00000004 R . . . . . .
rg_ftell_flash_section extern 00049168 00000004 R . . . . . .
rg_get_flash_section_size extern 00049190 00000004 R . . . . . .
rg_lseek_flash_section extern 00049150 00000004 R . . . . . .
rg_open_flash_section extern 0004912C 00000004 R . . . . . .
rg_read_flash_section extern 000491A4 00000004 R . . . . . .
rg_write_flash_section_chunk extern 000490CC 00000004 R . . . . . .
update_sw_vers_from_rgconf_flash .text 00004A6C 00000138 R . . . . . .
verify_checksum .text 0000217C 00000058 R . . . . . .
</div>
</td>
</tr>
The original firmware file contains, at offset 0x140, a uImage header, typical for u-boot. The following script can be used for extraction (“cut” off the first 0x140 bytes first!). The result is a gzip-compressed file, which can be decompressed with:
<td>
<div class="text codecolorer">
cat Image | gzip -d > Image.dec
</div>
</td>
</tr>
This decompressed image contains the kernel + a CRAMFS filesystem (search for “Compressed ROMFS”).
I have a copy of mtdblock0, which corresponds to the exact 32 MB of flash. It also contains u-boot, which will help in studying the image signing. Using the address/layout information it exposes itself and what is passed to the kernel, we can “dissect” the “raw” flash image in more detail.
… that's for part 2!
Thanks to the folks who started the research on the 2764 GV and shared their findings!
Link pool
F@ST 2764 GV File vault (if anyone knows of versions other than those listed, please let me know)
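The cut-and-gunzip step above can be done with the uImage header itself instead of a fixed offset, which also explains what u-boot's "Verifying Checksum ... OK / Bad Data CRC" line actually checks. The Python below is an added example (not the post's script and not a Sagemcom or U-Boot tool): it parses the 64-byte legacy uImage header, verifies the header CRC and the data CRC exactly as U-Boot does (CRC32 with the header CRC field zeroed), gunzips the payload, and can locate the header by its magic so the wrapper length is not hard-coded (the log shows the rescue image booted from offset 0x130 and the operational one from 0x140). The sample image, the `FAST2764_vTEST.img` name and the 0xff filler standing in for the 0x140-byte vendor wrapper are constructed for the example; note that a byte flipped in that wrapper leaves both CRCs valid, which is why the vendor's separate DSA check over the wrapper matters.

```python
import gzip
import struct
import time
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_HDR_FMT = ">IIIIIIIBBBB32s"     # big-endian legacy uImage header, 64 bytes
UIMAGE_HDR_LEN = struct.calcsize(UIMAGE_HDR_FMT)
SECURE_HDR_LEN = 0x140                 # vendor wrapper size reported in the post

# Subset of U-Boot's image tables, enough to decode the fields printed at boot
IH_OS = {5: "linux"}
IH_ARCH = {5: "mips"}
IH_TYPE = {2: "kernel", 3: "ramdisk", 4: "multi", 5: "firmware"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}


def parse_uimage(blob, offset=0):
    """Parse the uImage header at `offset`; raise ValueError (U-Boot wording) on failure."""
    hdr = blob[offset:offset + UIMAGE_HDR_LEN]
    if len(hdr) != UIMAGE_HDR_LEN:
        raise ValueError("truncated uImage header")
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(UIMAGE_HDR_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic 0x%08x" % magic)
    # Header CRC: CRC32 over the header with the hcrc field itself zeroed
    if zlib.crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) & 0xFFFFFFFF != hcrc:
        raise ValueError("header CRC mismatch")
    data = blob[offset + UIMAGE_HDR_LEN:offset + UIMAGE_HDR_LEN + size]
    if len(data) != size:
        raise ValueError("truncated image data")
    # Data CRC: CRC32 over the payload; this is the check the flash glitch made fail
    if zlib.crc32(data) & 0xFFFFFFFF != dcrc:
        raise ValueError("Bad Data CRC")
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"),
            "created": time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(ts)),
            "size": size, "load": load, "entry": ep,
            "os": IH_OS.get(os_, os_), "arch": IH_ARCH.get(arch, arch),
            "type": IH_TYPE.get(typ, typ), "comp": IH_COMP.get(comp, comp),
            "data": data}


def find_uimage(blob):
    """Offset of the first header whose magic and both CRCs validate, or None."""
    magic = struct.pack(">I", UIMAGE_MAGIC)
    pos = blob.find(magic)
    while pos != -1:
        try:
            parse_uimage(blob, pos)
            return pos
        except ValueError:
            pos = blob.find(magic, pos + 1)
    return None


def extract_kernel(secure_image, offset=SECURE_HDR_LEN):
    """Skip the vendor wrapper, parse the uImage and gunzip the payload."""
    info = parse_uimage(secure_image, offset)
    if info["comp"] != "gzip":
        raise ValueError("unexpected compression %r" % (info["comp"],))
    return info, gzip.decompress(info["data"])


def verify_status(secure_image, offset=SECURE_HDR_LEN):
    """'OK' or the failure reason, like U-Boot's 'Verifying Checksum ...' line."""
    try:
        parse_uimage(secure_image, offset)
        return "OK"
    except ValueError as exc:
        return str(exc)


def flip_byte(blob, index):
    """Copy of `blob` with one byte inverted (models a corrupted flash read)."""
    out = bytearray(blob)
    out[index] ^= 0xFF
    return bytes(out)


def build_uimage(payload, name, load, entry, ts=0):
    """Assemble a uImage header for the constructed sample below (not a vendor tool)."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = struct.pack(UIMAGE_HDR_FMT, UIMAGE_MAGIC, 0, ts, len(payload),
                      load, entry, dcrc, 5, 5, 2, 1, name.encode())
    return hdr[:4] + struct.pack(">I", zlib.crc32(hdr) & 0xFFFFFFFF) + hdr[8:]


# Constructed sample: fake kernel bytes carrying the CRAMFS marker, gzip-compressed and
# laid out as the post describes (0x140 bytes of wrapper, uImage header, payload).
SAMPLE_KERNEL = b"fake MIPS kernel\0" + b"Compressed ROMFS" + bytes(64)
_PAYLOAD = gzip.compress(SAMPLE_KERNEL, mtime=0)
SAMPLE_IMAGE = (b"\xff" * SECURE_HDR_LEN
                + build_uimage(_PAYLOAD, "FAST2764_vTEST.img", 0x80010000, 0x802E7000)
                + _PAYLOAD)

if __name__ == "__main__":
    info, kernel = extract_kernel(SAMPLE_IMAGE, find_uimage(SAMPLE_IMAGE))
    print("Image Name: %s  Load: %08x  Entry: %08x" % (info["name"], info["load"], info["entry"]))
    print("Verifying Checksum ...", verify_status(SAMPLE_IMAGE))
    print("bit flip in payload  ->", verify_status(flip_byte(SAMPLE_IMAGE, len(SAMPLE_IMAGE) - 1)))
    print("bit flip in wrapper  ->", verify_status(flip_byte(SAMPLE_IMAGE, 0)))
```

On a real `.img.secure` file, `find_uimage()` returns the wrapper length for that image and `extract_kernel()` yields the same bytes as the `gzip -d` step, ready for a "Compressed ROMFS" search.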