Samsung SMT-G3210

From GPLdevWiki

Contents 1 Overview 1.1 Featurematrix 2 Hardware 2.1 User Interface 2.2 Connectors 2.3 Disassembly notes 2.4 Major components 2.4.1 mainboard 2.4.2 stacked PCB 2.4.3 miniPCI slot 2.5 Serial Console 2.5.1 Log of serial console while booting 2.6 Root access 2.7 JTAG 2.8 PCB Photographs 3 Firmware 3.1 Original Firmware 3.1.1 Firmware Images 3.1.2 Sourcecode 3.2 Firmware Structure 3.2.1 Image Format 3.2.2 Flash Layout 3.3 Build Tools 3.3.1 MIPS Toolchain 3.3.2 Firmware Tools 3.3.3 Firmware modding 3.4 Modified Firmware 4 Software Reference 4.1 Packages 4.1.1 Core system 4.1.2 Configuration 4.1.3 Routing 4.1.4 Connectivity 4.1.5 Services 4.1.6 Wireless 4.1.7 Telephony 4.1.8 USB-Host 5 Links

Overview

FIXME: Although filed under SMT-G3210, this document (soon) covers the entire SMT 3000 series.

The Samsung SMT-G3210 is a ADSL2+ CPE featuring USB 2.0 Host, 802.11b/g WiFi, 4-port switch and 3 analogue and 1 S0 phone lines.

It is part of the Integrated Access gateway Devices IAD SMT-G3000 model family from Samsung.

Featurematrix

Model              SMT     SMT      SMT    SMT   SMT     SMT
                -G3000  -G3200   -G3010 -G3020 -G3210 -G3220
Modem Router        Y       Y        Y      Y      Y      Y
LAN Ports           1       2        4      4      4      4
WLAN                -       Y        -      -      Y      Y
USB                 -       -        Y      Y      Y      Y
Trunk (PSTN or ISDN)-       -        -      Y      -      Y
VoIP                -       -        Y      Y      Y      Y
S0                  -       -        Y      Y      Y      Y

From: Samsung IAD SMT-G3000 series (109 kB, pdf)

Hardware

The hardware seems to be centered around Infineons reference design for an xDSL gateway. See page 9 of Infineon VoIP solutions for Seamless Communication (1.2 MB, pdf).

User Interface

• 5 x LED: Power / DSL / Phone / LAN / Info
• 1 x LED: WLAN (WLAN models only)

Connectors

• 1 x RJ-45 DSL/Tel in (1:Dsl a, 2:Dsl b, 3: ISDN 2a, 4: ISDN 1a, 5: ISDN 1b, 6: ISDN 2b, 7: analog 1a, 8: analog 1b)
• 1 x RJ-45 Internal S0 bus
• 3 x TAE analog phone (front side)
• 4 x RJ-45 LAN 1-4
• 1 x USB 2.0 host
• 1 x Power supply connector (12V, 1.5A)
• 1 x WLAN antenna (WLAN models only)

Disassembly notes

There are four clearly visible screws on the backside of the device. Once they are removed, the two halves of the case can be taken apart easily.

The WiFi antenna is connected via a standard U.FL connector. Simply unplug it.

On the inside, there is one stacked SLIC PCB which is fixed with one further screw. If you remove it, you can remove the stacked PCB. Removal is quite hard, since the connectors fit very tightly. Make sure to notice there are two stacking connectors!

The miniPCI card is glued into the socket, and also glued with an adhesive pad to the PCB below. With a bit of force, it can be removed from the adhesive pad.

Major components

mainboard

• Infineon PSB50505
  • AMAZON Family highly integrated single-chip solution for ADSL2/2+ Modems
  • 32-bit MIPS 4KEc RISC processor running at 235 MHz
  • no public documentation, see Infineon XWAY™ AMAZON Family
• 2x Infineon PEB 3332 HT V2.1
  • VINETIC-CPE Voice over IP Processor for CPE
  • RTP packetization
  • Voice compression G.711, G.732.1, G.726, G.729, iLBC
  • T.38 Fax Relay support
  • DTMF + Caller-ID rx/tx
  • Line-Echo-Cancellation up to 128ms
  • Parallel and SPI interface to host
  • 2-channel CODEC with voice processing DSP
  • SLIC interface
  • See Infineon XWAY™ VINETIC-1/-2PLUS - VoIP CPE Processor with integrated SLIC (1 MB, pdf)
• VIA VT6212L
  • 4-port USB2.0 host controller
  • See Via VT6212 / VT6212L PCI USB2.0 Controller (448 kB, pdf)
• Infineon ADM6996I
  • 6port 10/100Mb/s single chip ethernet switch controller
  • See Infineon Samurai-6I/IX (7.2 MB, pdf)
• Delta LFE8731
  • magnetics for ethernet
  • See Delta LFE8731 (612 kb, pdf)
• 2x Hynix HY57V561620FTP-H
  • 4 banks x 4M x 16Bit SDRAM
  • See Hynix HY57V561620(L)T (51 kB, pdf)
• 2x Infineon PEB3086F ISAC-SX V1.4
  • ISDN subscriber access controller
  • See Infineon ISAC-SX ISDN Subscriber Access Controller (2.7 MB, pdf)
• Xilinx XC9536XL
  • See Xilinx XC9536XL High Performance CPLD (197 kB, pdf)

stacked PCB

• 3x Infineon PEF4268 T V1.2
  • advanced ringing SLIC with DC/DC converter

miniPCI slot

• Atheros AR2414A-001
  • 802.11b/g chipset

Serial Console

At connector P1, running at 3.3 Volt, 115200 Baud, 8N1:

 1   2   3   4
3V3 TxD RxD GND

The system starts an U-Boot console allowing to break the boot process by hitting Return key in the right moment after powerup (only in version 1 of the firmware, in version 2 and 3 access is disabled). From there the low level environment may be changed (default IP address and boot options) or TFTP network boot may be initiated.

Due to its pretty huge (16 MB) flash chip the Samsung router allows for two same sized rootfs partitions, each one sized 6.5 MB. That's the secret why this router can flash itself while being online (it just flashes 'the other partition' and marks the new one valid for next boot).

Log of serial console while booting

FIXME - TODO

Root access

The default IP of this router is 192.168.220.1 netmask 255.255.255.0, which can be changed. In case of forgotten IP a hardcoded backup IP 196.168.220.250 netmask 255.255.255.252 exists, allowing (port 80 only) access from a computer with IP 196.168.220.249 and same netmask.

By default firmware versions 1 and 2 allow telnet access to the router on port 30023. The root password for version 1 is "admin", for version 2 and 3 it is unknown. In version 3 of the firmware telnet is disabled by default and can only be activated "from the inside" by "touch /configs/etc/enable_telnet" (hen and egg principle). See Modified Firmware below to get root access to this router anyway.

JTAG

On the bottom of the PCB, there are testpads close to P1. The test pads are labelled TDI TDO TMS and TCK. TRST is pin1 of P1

PCB Photographs

See http://laforge.gnumonks.org/photoalbum/devices/samsung_smt-g3210/

Firmware

Original Firmware

Firmware Images

Although promoted on Samsung's homepage this device is only available from the german ISP Freenet, which is the only source of firmware images. Version 1 and 2 of the firmware are branded Freenet only, version 3 allows to use some features with third party ISPs. However, this still doesn't work well since many hardcoded Freenet references as well as fallback servers exist in the firmware.

There's no unbranded firmware available so far, so use with care.

• Freenet FTP for currently supported Samsung SMT-G3xx0 routers
  • V1.02: SMT-G3210_V1.02_130407.tar
  • V2.03: SMT-G3210_V2.03_250208.tar
  • V3.01: SMT-G3210_V3.01_210708.tar
  • V3.02: SMT-G3210_V3.02_040309.tar

The firmware can be flashed through the Web interface, directly with these (unpacked) TAR images.

Sourcecode

The source code is availlable from Samsung's homepage, it's pretty developer friendly for the Open Source part of the router, each package is in a separate folder, with build.sh in each - showing the intention and build options of the manufacturer.

However, some parts of the source are missing (thttpd, php, libmysql, tc, disktype, bcrypt, ...) and some are provided in other versions than the ones on the device (br2684ctl), some are binaries only (pppd, rp-pppoe.so, pppoatm.so, libupnp.so, libixml.so, libthreadutil.so).

• See Samsung SMT-G3210_opensrc.tbz

The firmware image creation and decompression tools are included as binaries (mkimage, mksquashfs-lzma, unsquashfs-lzma).

Firmware Structure

Image Format

The firmware image is an uncompressed TAR archive which contains:

• u-boot.img (bootloader: U-Boot 2.6.0-M1664 Flash:N Amazon Version 1.0.0)
• uImage (kernel: MIPS Linux-2.4.20-AMAZON-3.1.5-M)
• rootfs.img (root filesystem, mounted as /)
• firmware.img (Amazon firmware, mounted as /firmware)
• versionInfo.status (contains version and checksums of above parts)

The files rootfs.img and firmware.img contain an U-Boot header and are big endian LZMA compressed squashfs images with byte swapped signature. The file uImage has an U-Boot header too and is a LZMA compressed kernel image.

The checksums in versionInfo.status are 5-digit zero padded results of the Linux 'sum' command.

Flash Layout

The 16 MB flash chip is divided in 7 partitions:

• mtd0: U-Boot bootloader (128 kB)
• mtd1: Amazon firmware (256 kB, squashfs, mounted as /firmware)
• mtd2: Linux kernel (1 MB)
• mtd3: Root filesytem A (6.5 MB, squashfs, ro-mounted as /)
• mtd4: Root filesytem B (6.5 MB, squashfs, ro-mounted as /)
• mtd5: System configs (1.5 MB, jffs2, rw-mounted as /configs)
• mtd6: U-Boot environment (128 kB)

The G3000 and G3200 only have an 8 MB flash chip with 6 partitions. They store only one rootfs, resulting in System configs being on mtd4 and the U-boot environment on mtd5.

Build Tools

MIPS Toolchain

Originally the MIPS toolchain required to cross compile code for this router was available from Samsung's source code section. However, they removed it.

There are Amazon chipset driven routers from Sphairon (way more crippled) sold by another bunch of german ISPs. Sphairon offers the GPL parts of the system together with a uClibc MIPS toolchain on their site:

• Sphairon uclibc_mips_toolchain_tar.bz2

Firmware Tools

To compose your own firmware or unpack existing one three executables are required:

• mksquashfs-lzma (part of Firmware Mod Tools)
• unsquashfs-lzma (part of Firmware Mod Tools)
• mkimage (part of U-Boot package)

You can either use the binaries from the source code above or you can compile them yourself:

• Get the Firmware Mod Tools

Note that mksquashfs-lzma and unsquashfs-lzma are special, they use a byte swapped magic cookie of a normal lzma compressed squashed root filesystem.

You have to modify two lines in src/squashfs-2.1-r2/squashfs_fs.h to:

#define SQUASHFS_MAGIC			0x73716C7A
#define SQUASHFS_MAGIC_SWAP		0x7A6C7173

Then compile it and you'll have working mksquashfs-lzma and unsquashfs-lzma executables.

Now comes mkimage, so:

• Get the latest U-Boot Package

You neen't compile the entire big package, so best only compile the two object files to get mkimage:

cd lib_generic && gcc crc32.c -I../include -c -DUSE_HOSTCC
cd tools && gcc mkimage.c ../lib_generic/crc32.o -I../include -o mkimage

Now you should have a working mkimage executable.

Firmware modding

Unfortunately you can only compile parts of an image from the above source, due to quite some closed source parts of the firmware (see Software Reference below) so rolling own firmware requires a mixed open/closed source compilation from a recent firmware. Unpack the latest firmware and replace or add own stuff then compress and tar it again.

To unpack an existing firmware do:

tar xfv the_latest_firmware.tar
dd if=rootfs.img of=rootfs bs=64 skip=1
unsquashfs-lzma -dest squashfs rootfs

Now you find the root filesystem unpacked in the folder squashfs and you can do your modifications. Make sure you preserve file ownership and permissions.

To recreate an image from your modifications do:

mksquashfs-lzma squashfs rootfs -be -noappend
mkimage -A mips -O linux -T standalone -C lzma -n "Amazon rootfs" -d rootfs rootfs.img
mv versionInfo.status versionInfo.status.old
sed -e "s/ROOTFS_CHECKSUM=.*/ROOTFS_CHECKSUM=`sum rootfs.img  | sed 's|\s.*||g'`/g" versionInfo.status.old >versionInfo.status
tar cfv the_new_firmware.tar u-boot.img firmware.img rootfs.img uImage versionInfo.status

The resulting TAR image now can be flashed through the web interface. If the image size is too large (rootfs > 6.5 MB) the router will reject it.

Modified Firmware

To enable telnet access for firmware version 3.x you need a modified firmware image, which can be obtained from these URLs:

• http://rapidshare.com/files/227978343/SMT-G3210_V3.02_010509mod.tar
• http://rapidshare.com/files/227983983/SMT-G3210_V3.01_080908mod.tar

(Images for the SMT-G3010 and SMT-G3220 routers can be found here:

• http://rapidshare.com/files/227983984/SMT-G3220_V3.00_100908mod.tar
• http://rapidshare.com/files/227983985/SMT-G3010_V3.01_110908mod.tar)

The TAR images from there can be directly flashed through the web interface. Make sure you have flashed the latest original firmware first, and if you migrated to another major version before a factory reset makes sense. Note that using modified images will void your warranty, so use at your own risk. Debricking of this router is no easy task, and for most people just impossible. (Some German language troubleshooting hints are available here: http://bitflip.de/samsung/troubleshooting.html)

After successfull flashing you can access the device via telnet on port 30023, the default root password is 'banana'. If login fails a factory reset may help.

Software Reference

Packages

Here an overview of all installed software packages and support executables. Closed source application information has been gathered using Linux 'strings' on the named files.

Core system

• U-Boot bootloader

• Linux kernel 2.4.20

• uClibc : ld-uClibc-0.9.27.so, libcrypt-0.9.27.so, libdl-0.9.27.so, libm-0.9.27.so, libnsl-0.9.27.so, libpthread-0.9.27.so, libresolv-0.9.27.so, librt-0.9.27.so, libuClibc-0.9.27.so, libutil-0.9.27.so

• Amazon and peripheral daemons (closed source) : amazon_autoboot_daemon, amazon_codeswap_daemon, miscellany, swreset, upgrade_led

• Amazon and peripheral tools (scripts or closed source) : amazon_debugread, amazon_dsl_disconnect, amazon_show_firmware_date, tcpmessages, translate, cmvread, cmvwrite, file_r_sorting, ifx_util, ipc_sender, lan_switch_reset, led_blink, led_off, led_on, led_test, mem, mknod_util, setflag

• Busybox 1.0 (modified) : [, ash, basename, busybox, cat, chmod, chown, chroot, cp, crond, crontab, cut, date, dd, df, dmesg, du, dumpleases, echo, egrep, env, expr, false, fdisk, fgrep, find, free, getopt, getty, grep, gunzip, gzip, head, hostname, httpd, ifconfig, inetd, init, insmod, kill, killall, klogd, ln, logger, login, logread, ls, lsmod, md5sum, mkdir, mknod, modprobe, more, mount, msh, mv, netstat, passwd, ps, pwd, rdate, reboot, rm, rmdir, rmmod, route, sed, seq, sh, sha1sum, sleep, sysctl, syslogd, tail, tar, telnetd, test, tftp, top, touch, tr, true, tty, udhcpc, udhcpd, udhcpr, umount, uname, uptime, usleep, vi, wc, wget, xargs, zcat

• psmisc : fuser

• OpenSSL : libcrypto.so.0.9.7, libssl.so.0.9.7

Configuration

• bcrypt (used for config export encryption, missing source) : bcrypt

• stunnel (TCP SSL wrapper, used for TR-069) : stunnel

• helper daemons (closed source) : dmanager, tr69d, upgrade_checker

• helper tools (scripts or closed source) : conf_swap, data_sem_init, data_util, db_conversion, env_cmd, iad_status_oper, informer, read_img, status_oper, upgrade, upgrade_downloader, upgrade_redirector, restore_default, upgrade_sw, ver_boot, ver_fw, verify_default

Routing

• iproute2 (IP routing) : ip

• bridge-utils (Bridging) : brctl

• iptables (IP filtering + forwarding) : iptables, iptables-restore, iptables-save

• ebtables (Ether filtering) : unused in V3.

• zebra (RIP routing) : unused in V3.

• tc (Traffic Control, missing source) : tc

• helper tools (scripts or closed source) : addpolicy, delpolicy, naptcfg, nfappcfg

Connectivity

• br2684ctl (RFC1483/2684 Bridge Daemon, modified) : br2684ctl

• linux-atm (ATM on Linux) : atmaddr, atmarp, atmarpd

• ppp (Point-to-Point Protocol, modified) : pppd

• rp-pppoe (PPP-over-Ethernet redirector) : pppoe, pppoe-relay

• helper daemons (closed source) : init_daily_reconnection, oamd, observer, wan_miscellany

• helper tools (scripts or closed source) : adsl_cmd, atm_autosearch, get_adsl_rate, get_atmqos_name, get_dev_info, get_if_index, get_ip, iad_ppp_logger, macr, make_ifcfg, next_macaddr, oamctl, ppp_idle_timeout, ppp_rc_api

• ping (missing source) : ping

Services

• thttpd (Web server, includes PHP 4.3.4 and libmysql, missing source) : thttpd

• proftpd (FTP server) : proftpd

• dnrd (DNS relay) : dnrd

• linux-igd, libupnp (UPnP daemon, modified) : upnpd

• ntpclient (NTP client) : ntpclient

• ez-ipupdate (DynDNS client) : ez-ipupdate

• helper daemons (closed source) : redirector

• helper tools (closed source) : mail_checker

Wireless

• Mad Wifi? (closed or missing source?) : 80211debug, 80211stats, athdebug, athstats, wlanconfig, wlandebug, wlanstats

• Wireless Tools : iwconfig, iwevent, iwgetid, iwlist, iwpriv, iwspy

• hostapd : hostapd

• Atheros WSC drivers (Wi-Fi Simple Config, closed source) : wsccmd, wsc_cfg

• helper tools (closed source) : gen_wpakey, macw, wlan_mac_search

Telephony

• SIP+ISDN+FXO phone (closed source) : main, isdn, sp

• faxagent (T38 SIP FAX User Agent, closed source) : faxagent

• helper tools (closed source) : aft, emer_stopper

USB-Host

• murasaki (HotPlug support) : hotplug.murasaki, murasaki.generic, murasaki.pci, murasaki.usb, murasaki_init.pci, murasaki_init.usb

• disktype (format detection, missing source) : disktype

• sg3_utils (SCSI utilities) : sg_map

• mtools (FAT/FAT32 tools) : mtools, mlabel

• lockfile (from procmail, used by usb-mount) : lockfile

• gawk (needed for murasaki) : gawk

• helper daemons (closed source) : watch_usb, ip9100

• helper tools (closed source) : dummy

• misc usb tools (scripts or missing source) : usb-mount, usb-umount, usb_id_test, usb_printerid

Links

• Samsung product homepage - Specs, manuals and sourcecode, but no firmware.
• Freenet product support page - Specs, howtos, manuals, german language only.