Sphairon Turbolink IAD
From GPLdevWiki
Overview
The Sphairon Turbolink IAD is technically a full-featured VoIP router built around the Infineon Amazon chipset. In practice it is a completely undocumented and unmanageable VoIP-capable VLAN router which, seen from the LAN side, behaves like a plain modem.
It is provided by the German ISPs Hansenet and Alice as a WLAN or NOWLAN version, and it remains the property of these ISPs. Contracts bound to this unit typically cover a single VoIP number and a single-PC PPPoE licence, with an optional IPTV VLAN channel. Many people run a second router behind this one because of its crippled nature.
Initial setup is done by a voice guide that asks for a PIN (specific to the contract) to be entered on an attached phone; this PIN appears to be the provisioning code for the initial TR-069 session. Apart from that there is no way to change anything except, on the WLAN model, the WLAN settings. Although owned by the ISP, these routers turn up in the garbage these days, since they are plain unusable otherwise, of course with all of their configuration still on them.
All further configuration is done by the ISP using TR-069, firmware updates are done by a TR-069-initiated HTTP fetch, and SSH is open to the ISP side only (ouch).
Warning #1: You are not allowed to modify other people's property!
Warning #2: This unit has 230V AC on the mainboard!
There are a number of versions of this modem; only the WLAN and NOWLAN versions are obviously named. Both exist in a DSL-only version or in one with external FXO and ISDN inputs. Besides that there is the option that LAN4 is intended for IPTV use and is then labelled 'Home TV'. This document attempts to cover all versions. The test unit was a NOWLAN one without external FXO and ISDN but with Home TV on LAN4, carrying firmware versions 1.17 and 1.18 in its two bootimages.
Hardware
The hardware appears to be based on Infineon's reference design for an xDSL gateway. See page 9 of Infineon VoIP solutions for Seamless Communication (1.2 MB, pdf).
User Interface
- 5 x LED: Power / DSL / Internet / Phone / Info
- 4 x LED: Ethernet 1-4
- 1 x LED: WLAN (WLAN model only)
- Reset switch hole (backside, short = reboot, 4sec++ = factory reset)
- WLAN switch (WLAN model only)
Connectors
- 1 x RJ-45 DSL in
- 1 x RJ-XX FXO in (external FXO version only, otherwise not mounted)
- 2 x RJ-45 ISDN S0 Bus used as:
- 1 x external + 1 x internal S0 (external S0 version only)
- 2 x internal S0 bus (non external S0 version only)
- 3 x TAE Analog Phone (front, 2 x TAE-F, 1 x TAE-N, connected to 2 lines)
- 2 x RJ-XX Analog Phone (not mounted)
- 4 x RJ-45 Ethernet (Ethernet 4 optionally named Home TV)
A part of the front cover can be removed, showing:
- 1 x External S0 4-pin connector block (external S0 version only, otherwise not mounted)
- 1 x Internal S0 4-pin connector block
- 1 x External FXO 4-pin connector block (external FXO version only, otherwise not mounted)
- 1 x Analog Phone 4-pin connector block (2 lines)
- 2 x DIP switches for 100 Ohm S0 line termination
- 1 x DIP switch labeled 'Bus' (Bus Power?)
Major Components
Main Board
- Infineon PSB50505 V1.3
- AMAZON Family highly integrated single-chip solution for ADSL2/2+ Modems
- 32-bit MIPS 4KEc RISC processor running at 235 MHz
- no public documentation, see Infineon XWAY™ AMAZON Family
- ISSI IS42S32400B-7TL
- 4Meg x 32 128-Mbit synchronous DRAM (16 MB)
- See ISSI IS42S32400B (822 kB, pdf)
- ST M29W640FB-70NG
- 64 Mbit 3V flash (8 MB)
- See M29W640FB (1.3 MB, pdf)
- Infineon PEB 3322HL V1.4 Vinetic 2VIP
- 2-line VoIP DSP
- See Infineon VINETIC®-2VIP
- Infineon PEB 3086F V1.4 ISAC-SX
- ISDN Subscriber Access Controller
- See Infineon ISAC™-SX - PEB 3086
- See ISAC-SX ISDN Subscriber Access Controller PEB/PEF 3086 Version 1.3 (2.7 MB, pdf)
- 2 x Infineon PEB4264T V1.2
- DuSLIC ringing converter
- See also: DuSLIC ringing modes (1.2 MB, pdf)
- Infineon ADM6996I
- 6port 10/100Mb/s single chip ethernet switch controller
- See Infineon Samurai-6I/IX (7.2 MB, pdf)
MiniPCI Board
The MiniPCI connector on the main board is not mounted in the NOWLAN version.
Serial Console
There is a 4-pin serial interface running at 3.3 V logic level, 115200 baud, 8N1. Use a 3.3 V level converter (USB-TTL adapter); do not connect a PC's RS-232 port directly.
pin   1    2    3    4
      3V3  TxD  RxD  GND
The system starts a U-Boot console which allows breaking the boot process by hitting the Return key at the right moment after power-up. From there the low-level environment may be tweaked, other firmware may be flashed, or a network boot may be initiated.
See Boot Logs section below.
JTAG Interface
FIXME - TODO
Firmware
Original Firmware
Firmware Images
Since this router is only manageable and updatable by the ISP through TR-069, there is no public source for firmware at all. If you know of any or have some, please mail me so this page can cover more firmware versions.
Sourcecode
Sphairon provides the GPLed part of the firmware on their website:
- See also: IAD support page #1 and IAD support page #2
Firmware Structure
Image Format
There is no user-accessible way to update the firmware besides the U-Boot serial console and the JTAG interface. The U-Boot firmware update environment variables refer to these possible firmware parts (offsets in hex, consistent with the flash layout below):
offset         filename               content                    command
--------------------------------------------------------------------------------
000000-3FFFFF  flashimage_ori_4.bin   Full 4 MB flash image      run test_fab_4
000000-3FFFFF  flashimage_ori_8a.bin  Lower half of 8 MB image   run test_fab_8
400000-7FFFFF  flashimage_ori_8b.bin  Upper half of 8 MB image   run test_fab_8
--------------------------------------------------------------------------------
000000-00FEFF  u-boot.img             U-Boot bootloader          run update_uboot
00FF00-00FFFF  typelabel.bin          Typelabel without macaddr  run update_etl
00FF80-00FF90  macaddr.bin            MAC address of typelabel   run update_macaddr
--------------------------------------------------------------------------------
XXXXXX-XXXXXX  firmware.img           Amazon Firmware            run update_firmware
XXXXXX-XXXXXX  rootfs.img             Root Filesystem            run update_rootfs
XXXXXX-XXXXXX  uImage                 Linux Kernel               run update_kernel
FIXME - may be wrong: For the images marked with XXXXXX the update commands are missing from the U-Boot environment. The flash layout below shows that their size and location are variable, so they would have to be created dynamically.
TR-069 Web images:
A transfer log in the config's filetrans folder shows that a firmware upgrade was HTTP fetched from a 10.192.128.xx address at this location:
- /Firmware/TR069/AGSphairon/2.11-2.18_nowlan.webimage
A webimage contains an arbitrary mixture of U-Boot, sysconfig, firmware, rootfs and kernel images, plus some meta information covering vendor id, hardware version and model ident number. Integrity is checked with MD5 hashes only; no signature was observed, so the check guards against transfer corruption, not against a substituted image.
Flash Layout
The flash chip at B3000000 (hex) is either a 4 MB or an 8 MB part:
offset         img1  img2  size        content
-----------------------------------------------------------------------------------------
000000-00FEFF  mtd0  mtd0    63.75 kB  U-Boot Bootloader
00FF00-00FFFF  mtd0  mtd0     0.25 kB  Type Label (see U-Boot log)
010000-01FFFF  mtd1  mtd1    64.00 kB  U-Boot Environment
020000-03FFFF  mtd2  mtd7   128.00 kB  System Config #1 (chunklists of tgz's of /ramdisk/flash)
040000-XXXXXX  mtd3  mtd8   256.00 kB  Amazon Firmware #1 (squashfs, ro-mounted as /firmware)
080000-XXXXXX  mtd4  mtd9  2320.00 kB  Root Filesystem #1 (squashfs, ro-mounted as /)
XXXXXX-3FFFFF  mtd4  mtd9   556.00 kB  Linux Kernel #1
-----------------------------------------------------------------------------------------
400000-40FEFF  mtd5  mtd5    63.75 kB  U-Boot Bootloader BACKUP (unused)
40FF00-40FFFF  mtd5  mtd5     0.25 kB  Type Label BACKUP (unused)
410000-41FFFF  mtd6  mtd6    64.00 kB  U-Boot Environment BACKUP (unused)
420000-43FFFF  mtd7  mtd2   128.00 kB  System Config #2 (chunklists of tgz's of /ramdisk/flash)
440000-XXXXXX  mtd8  mtd3   256.00 kB  Amazon Firmware #2 (squashfs, ro-mounted as /firmware)
480000-XXXXXX  mtd9  mtd4  2320.00 kB  Root Filesystem #2 (squashfs, ro-mounted as /)
XXXXXX-7FFFFF  mtd9  mtd4   556.00 kB  Linux Kernel #2
The root filesystem and kernel sizes are the image sizes of the sample unit; the boundaries marked XXXXXX depend on them. The img1/img2 columns give the mtd numbering as the kernel sees it when booted from bootimage 1 or 2 respectively.
The 8 MB chip allows storing two different firmware instances, from now on called bootimages.
The U-Boot bootloader, type label and U-Boot environment are common to both bootimages. Although two upper backup partitions exist, they are unused. The system config, Amazon firmware, root filesystem and Linux kernel are stored once per bootimage.
Note that the Amazon firmware and the root filesystem grow bottom-up, while the Linux kernel grows top-down. This saves flash space but breaks U-Boot's kernel update functionality and the environment defaults.
Another oddity: the root filesystem and the Linux kernel share the same MTD partition in each bootimage.
Bootimage Selection
The bootimage selection is mainly controlled by a set of U-Boot environment variables. f1_* and f2_* store the dimensions of the partitions for each bootimage. f_i1_ok and f_i2_ok mark the respective bootimage valid. The variables f_aci and kernel_addr select the active bootimage.
variable             default     backup example   | variable             default     backup example
-------------------------------------------------+-------------------------------------------------
f1_uboot_addr        0xB3000000  0xB3000000  ok  | f2_uboot_addr        0xB3000000  0xB3000000  ok
f1_uboot_size        0x0000FF00  0x0000FF00  ok  | f2_uboot_size        0x0000FF00  0x0000FF00  ok
f1_ubootconfig_addr  0xB3010000  0xB3010000  ok  | f2_ubootconfig_addr  0xB3010000  0xB3010000  ok
f1_ubootconfig_size  0x00010000  0x00010000  ok  | f2_ubootconfig_size  0x00010000  0x00010000  ok
f1_sysconfig_addr    0xB3020000  0xB3020000  ok  | f2_sysconfig_addr    0xB3020000  0xB3020000  ok
f1_sysconfig_addr2   0xB3030000  0xB3030000  ok  | f2_sysconfig_addr2   0xB3030000  0xB3030000  ok
f1_sysconfig_size    0x00010000  0x00010000  ok  | f2_sysconfig_size    0x00010000  0x00010000  ok
f1_firmware_addr     0xB3040000  0xb3040000  ok  | f2_firmware_addr     0xB3440000  0xb3440000  ok
f1_firmware_size     0x00040000  0x0002c000  **  | f2_firmware_size     0x00040000  0x0002c000  **
f1_rootfs_addr       0xB3080000  0xb3080000  ok  | f2_rootfs_addr       0xB3480000  0xb3480000  ok
f1_rootfs_end        0xB3080000  0xb32c3fff  **  | f2_rootfs_end        0xB3480000  0xb36c3fff  **
f1_rootfs_size       0           0x00244000  **  | f2_rootfs_size       0           0x00244000  **
f1_kernel_addr       0xB33FFFFF  0xb337513d  **  | f2_kernel_addr       0xB37FFFFF  0xb3775106  **
f1_kernel_size       0           0x0008aec3  **  | f2_kernel_size       0           0x0008aefa  **
-------------------------------------------------+-------------------------------------------------
f1_ubootconfb_addr   0xB3410000  0xB3410000  ok  | f2_ubootconfb_addr   0xB3410000  0xB3410000  ok
f1_ubootconfb_size   0x00010000  0x00010000  ok  | f2_ubootconfb_size   0x00010000  0x00010000  ok
-------------------------------------------------+-------------------------------------------------
f_i1_ok              0           1           **  | f_i2_ok              0           1           **
-------------------------------------------------+-------------------------------------------------
kernel_addr          0xB33FFFFF  0xb337513d  **
f_aci                1           1           ok
Provided both bootimages are valid, switching from bootimage #1 to #2 can be done like this:
AMAZON # setenv flashargs setenv bootargs root=/dev/mtdblock4 bootimage=2
AMAZON # setenv f_aci 2
AMAZON # saveenv
Saving Environment to Flash...
Saving ubootconfig ...
Erasing Flash from B3010000 to B301FFFF ... Done
Writing to Flash to B3010000 from buffer 80AB0008 with length 00010000 ... Done
AMAZON # reset
If the chosen bootimage fails to boot, the selection is automatically toggled and the unit rebooted. If the other one fails too, the procedure repeats 4 times until U-Boot gives up and drops to the serial console.
Repairing the environment:
Once the U-Boot environment is damaged or erased by one of the 'reset_ucfg*' commands, it is loaded with defaults. After that the device does not boot any more, which is why you should keep a backup of the 'printenv' output for later debricking before tweaking anything. All values marked 'ok' above are loaded with correct defaults; all values marked '**' need to be restored from a backup afterwards.
With the above sample backup (bootimage 1 = firmware 1.18, bootimage 2 = firmware 1.17) debricking worked with:
setenv f1_firmware_size 0x0002c000
setenv f1_rootfs_end 0xb32c3fff
setenv f1_rootfs_size 0x00244000
setenv f1_kernel_addr 0xb337513d
setenv f1_kernel_size 0x0008aec3
setenv f_i1_ok 1
setenv f2_firmware_size 0x0002c000
setenv f2_rootfs_end 0xb36c3fff
setenv f2_rootfs_size 0x00244000
setenv f2_kernel_addr 0xb3775106
setenv f2_kernel_size 0x0008aefa
setenv f_i2_ok 1
setenv kernel_addr 0xb337513d
setenv f_aci 1
saveenv
reset
All other values in the U-Boot environment are loaded with correct defaults.
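The following Python script is an added example (not a Sphairon tool and not part of the original page) that regenerates the '**' variables from the three image sizes of a bootimage, so that they can be rebuilt without a printenv backup if the image sizes are known (for instance from the image headers in a flash dump). Its address rules, namely that the firmware and root filesystem grow upwards from the fixed partition starts, that the kernel is placed against the top of its 4 MB bootimage, and that the *_end values are inclusive, are assumptions inferred from the sample backup above; check the output against a backup from your own unit before writing it to flash.

```python
"""Recompute the '**' U-Boot variables of a bootimage from its image sizes.

Added example for this page, not a Sphairon tool.  The address rules are an
assumption inferred from the sample backup (firmware and rootfs grow up from
fixed partition starts, the kernel sits against the top of its 4 MB bootimage,
*_end values are inclusive); verify them against your own printenv backup.
"""

FLASH_BASE = 0xB3000000       # flash chip as mapped for U-Boot
BOOTIMAGE_SIZE = 0x400000     # one bootimage on the 8 MB chip
FIRMWARE_PART = 0x40000       # fixed 256 kB Amazon firmware partition
ROOTFS_OFF = 0x80000          # start of the shared "rootfs,kernel" partition


def bootimage_env(n, firmware_size, rootfs_size, kernel_size):
    """Return the f{n}_* values that the U-Boot defaults do not restore."""
    if n not in (1, 2):
        raise ValueError("bootimage must be 1 or 2")
    if firmware_size > FIRMWARE_PART:
        raise ValueError("firmware image does not fit the 256 kB partition")
    base = FLASH_BASE + (n - 1) * BOOTIMAGE_SIZE
    rootfs_addr = base + ROOTFS_OFF
    rootfs_end = rootfs_addr + rootfs_size - 1          # inclusive, like 0xb32c3fff
    kernel_addr = base + BOOTIMAGE_SIZE - kernel_size   # kernel grows top-down
    if rootfs_end >= kernel_addr:
        raise ValueError("root filesystem and kernel overlap in bootimage %d" % n)
    return {
        "f%d_firmware_size" % n: firmware_size,
        "f%d_rootfs_end" % n: rootfs_end,
        "f%d_rootfs_size" % n: rootfs_size,
        "f%d_kernel_addr" % n: kernel_addr,
        "f%d_kernel_size" % n: kernel_size,
        "f_i%d_ok" % n: 1,
    }


def setenv_script(images, active):
    """Render the setenv lines for the AMAZON # prompt.

    images maps bootimage number -> (firmware_size, rootfs_size, kernel_size)
    in bytes; active is the bootimage to boot (sets f_aci and kernel_addr).
    """
    if active not in images:
        raise ValueError("active bootimage has no image sizes")
    env = {}
    for n in sorted(images):
        env.update(bootimage_env(n, *images[n]))
    env["kernel_addr"] = env["f%d_kernel_addr" % active]
    env["f_aci"] = active
    lines = []
    for name, value in env.items():
        hexa = name.endswith(("_size", "_addr", "_end"))   # addresses and sizes are hex
        lines.append("setenv %s %s" % (name, "0x%08x" % value if hexa else value))
    lines += ["saveenv", "reset"]
    return "\n".join(lines)


if __name__ == "__main__":
    # sizes from the sample backup above: 1 = firmware 1.18, 2 = firmware 1.17
    print(setenv_script({1: (0x2C000, 0x244000, 0x8AEC3),
                         2: (0x2C000, 0x244000, 0x8AEFA)}, active=1))
```

Running it with the sample sizes reproduces the debricking script above line for line; the overlap check is what catches a kernel that has grown into the root filesystem, which U-Boot itself does not verify.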
Typelabel Format
The ETL (Electronic Type Label) stores device-specific settings, the serial number and the MAC address in the last 256 bytes of the U-Boot partition.
offset  size  content               example            bootlog             comment
---------------------------------------------------------------------------------------------
0x00       4  HW Version            2/00               2/00                -
0x04      10  Serial number         0601012345         06/01/012345        yy/mm/nnnnnn
0x0E      10  Date of production    0601012359         06/01/01/23/59      yy/mm/dd/hh/mm
0x18      32  WLAN module           no                 no                  padded with 0x20
0x38      26  Default WLAN WEP key  0xFFFFFF...        ÿÿÿ...              none = filled with 0xFF
0x52      12  Annex mode            Annex-B            Annex-B             padded with 0x20
0x5E       2  LED configuration     0xBCE8             10111100111010      2 x LSB zero or hardware cfg
0x60      32  Product               Turbolink-IAD      Turbolink-IAD       padded with 0x20
0x80      17  MAC address           00:10:20:30:40:50  00:10:20:30:40:50   -
0x91       1  Hardware config       0x08               various             see hardware settings below
0x92       6  Ident number          286204             286204              -
0x98     104  Customer              Hansenet           Hansenet            padded with 0x20
The boot log additionally derives these hardware settings from the label:
FXO: 0
S0 extern: 0
S0 intern: 1
A/B count: 2
Switch IC: 1
Simcard: 0
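As an added example (not Sphairon's etl-tool and not from the original page), here is a Python parser for the label laid out above, together with a constructed sample label built from the example column. It assumes that the 16-bit LED word is big-endian (consistent with the MIPS target and with the 14 bits printed in the boot log) and that string fields are padded only with 0x20, NUL or 0xFF.

```python
"""Parse the 256-byte Sphairon type label (ETL) from a flash or U-Boot dump.

Added example for this page, not Sphairon's etl-tool.  Offsets and lengths
are the ones in the table above; the LED word is assumed big-endian.
sample_etl() is constructed from the example column, not read from a unit.
"""
import re
import struct

ETL_SIZE = 256
ETL_OFFSET_IN_FLASH = 0xFF00        # last 256 bytes of the U-Boot partition
FIELDS = [                           # (name, offset, length) from the table above
    ("hw_version", 0x00, 4), ("serial", 0x04, 10), ("production_date", 0x0E, 10),
    ("wlan_module", 0x18, 32), ("wep_key", 0x38, 26), ("annex_mode", 0x52, 12),
    ("led_config", 0x5E, 2), ("product", 0x60, 32), ("mac", 0x80, 17),
    ("hw_config", 0x91, 1), ("ident", 0x92, 6), ("customer", 0x98, 104),
]
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _text(raw):
    """Strings are padded with 0x20 (sometimes NUL or 0xFF); drop the padding."""
    return raw.rstrip(b" \x00\xff").decode("ascii", "replace")


def parse_etl(blob):
    if len(blob) != ETL_SIZE:
        raise ValueError("type label must be exactly %d bytes" % ETL_SIZE)
    raw = {name: blob[off:off + ln] for name, off, ln in FIELDS}
    etl = {name: _text(v) for name, v in raw.items()}
    serial = etl["serial"]                                     # yymmnnnnnn
    etl["serial"] = "%s/%s/%s" % (serial[0:2], serial[2:4], serial[4:10])
    date = etl["production_date"]                              # yymmddhhmm
    etl["production_date"] = "/".join(date[i:i + 2] for i in range(0, 10, 2))
    wep = raw["wep_key"]
    etl["wep_key"] = None if wep == b"\xff" * len(wep) else wep  # all 0xFF = no key
    led = struct.unpack(">H", raw["led_config"])[0]
    etl["led_config"] = led
    etl["led_bits"] = format(led >> 2, "014b")                 # the 14 bits the boot log prints
    etl["hw_config"] = raw["hw_config"][0]
    if not MAC_RE.match(etl["mac"]):
        raise ValueError("malformed MAC address in type label: %r" % etl["mac"])
    return etl


def etl_from_flash(dump):
    """Cut the label out of a flash dump that starts at flash offset 0."""
    return parse_etl(dump[ETL_OFFSET_IN_FLASH:ETL_OFFSET_IN_FLASH + ETL_SIZE])


def sample_etl():
    """Constructed label matching the example column; not from a real unit."""
    buf = bytearray(b"\xff" * ETL_SIZE)

    def put(off, ln, text):
        buf[off:off + ln] = text.encode("ascii").ljust(ln, b" ")

    put(0x00, 4, "2/00"); put(0x04, 10, "0601012345"); put(0x0E, 10, "0601012359")
    put(0x18, 32, "no"); put(0x52, 12, "Annex-B")
    struct.pack_into(">H", buf, 0x5E, 0xBCE8)
    put(0x60, 32, "Turbolink-IAD"); put(0x80, 17, "00:10:20:30:40:50")
    buf[0x91] = 0x08; put(0x92, 6, "286204"); put(0x98, 104, "Hansenet")
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_etl(sample_etl()).items():
        print("%-16s %r" % (key, value))
```

On a real dump, compare the parsed serial number and MAC address with the U-Boot banner before trusting the rest; a mismatch means the dump is offset or the label has been rewritten with update_etl.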
Build Tools
MIPS Toolchain
Sphairon offers an uClibc MIPS toolchain on their site:
- Sphairon uclibc_mips_toolchain_tar.bz2
- See also: IAD support page #1 and IAD support page #2
Firmware Tools
To compose your own firmware or to unpack an existing one, two executables are required:
- mksquashfs-lzma (part of Firmware Mod Tools)
- unsquashfs-lzma (part of Firmware Mod Tools)
You need to compile them yourself:
- Get the Firmware Mod Tools
Note that the mksquashfs-lzma and unsquashfs-lzma needed here are special: they use a byte-swapped magic cookie compared to a normal lzma-compressed squashfs root filesystem.
You have to modify two lines in src/squashfs-2.1-r2/squashfs_fs.h to:
#define SQUASHFS_MAGIC      0x73716C7A
#define SQUASHFS_MAGIC_SWAP 0x7A6C7173
Then compile it and you'll have working mksquashfs-lzma and unsquashfs-lzma executables.
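Because the firmware, root filesystem and kernel boundaries are variable (the XXXXXX entries in the flash layout), the first job with a flash dump is to find them. The following Python scanner is an added example, not one of Sphairon's tools: it searches a dump at every byte offset for the byte-swapped squashfs magic described above ('sqlz' and 'zlqs'; the standard 'sqsh'/'hsqs' are reported too for other firmware) and for U-Boot legacy image headers (magic 0x27051956, 64-byte header, header and data CRC-32, as documented by U-Boot), validating the CRCs so stray magic bytes are not reported. The image it scans is constructed, not a real dump.

```python
"""Locate the variable-size images in a flash dump of this unit.

Added example for this page, not one of Sphairon's sas_tools.  The uImage
header layout and its constants are U-Boot's; sample_flash() is a constructed
1 MB slice, not a real dump.
"""
import struct
import zlib

UIMAGE_MAGIC = b"\x27\x05\x19\x56"
UIMAGE_HDR = struct.Struct(">7I4B32s")   # magic hcrc time size load ep dcrc os arch type comp name
SQUASHFS_MAGICS = (b"sqlz", b"zlqs", b"sqsh", b"hsqs")
IH_TYPE = {2: "Kernel Image", 5: "Firmware"}
IH_COMP = {0: "uncompressed", 1: "gzip", 2: "bzip2", 3: "lzma"}


def parse_uimage(blob, off):
    """Return header info at off, or None if it is not a CRC-valid uImage header."""
    if off + UIMAGE_HDR.size > len(blob):
        return None
    magic, hcrc, _time, size, load, ep, dcrc, _os, _arch, typ, comp, name = \
        UIMAGE_HDR.unpack_from(blob, off)
    hdr = bytearray(blob[off:off + UIMAGE_HDR.size])
    hdr[4:8] = b"\0\0\0\0"                           # hcrc is computed with its own field zeroed
    if zlib.crc32(bytes(hdr)) != hcrc:
        return None                                   # stray magic bytes, not a header
    data = blob[off + UIMAGE_HDR.size:off + UIMAGE_HDR.size + size]
    return {
        "offset": off, "kind": "uimage",
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "type": IH_TYPE.get(typ, "type %d" % typ), "comp": IH_COMP.get(comp, "comp %d" % comp),
        "load": load, "entry": ep, "size": size,
        "end": off + UIMAGE_HDR.size + size,
        "dcrc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def scan_flash(blob):
    """List squashfs magics and CRC-valid uImage headers, sorted by offset."""
    found = []
    for magic in SQUASHFS_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            found.append({"offset": pos, "kind": "squashfs", "magic": magic.decode()})
            pos = blob.find(magic, pos + 1)
    pos = blob.find(UIMAGE_MAGIC)        # byte-wise search: the kernel header is not word-aligned
    while pos != -1:
        info = parse_uimage(blob, pos)
        if info:
            found.append(info)
        pos = blob.find(UIMAGE_MAGIC, pos + 1)
    return sorted(found, key=lambda f: f["offset"])


def make_uimage(data, name, load, entry, typ=2, comp=3):
    """Build a legacy uImage (os=5 Linux, arch=5 MIPS) for the constructed sample."""
    hdr = bytearray(UIMAGE_HDR.pack(struct.unpack(">I", UIMAGE_MAGIC)[0], 0, 0, len(data),
                                    load, entry, zlib.crc32(data), 5, 5, typ, comp, name.encode()))
    struct.pack_into(">I", hdr, 4, zlib.crc32(bytes(hdr)))
    return bytes(hdr) + data


def sample_flash():
    """Constructed 1 MB slice: two squashfs magics plus an unaligned kernel at the top."""
    img = bytearray(b"\xff" * 0x100000)
    img[0x40000:0x40004] = b"sqlz"                   # Amazon firmware squashfs
    img[0x80000:0x80004] = b"sqlz"                   # root filesystem squashfs
    kernel = bytes(range(256)) * 4                    # stand-in for the lzma kernel
    uimg = make_uimage(kernel, "MIPS Linux-2.4.20-AMAZON-3.0.3", 0x80002000, 0x801B0040)
    off = len(img) - len(uimg) - 3                    # deliberately unaligned, like 0xb337513d
    img[off:off + len(uimg)] = uimg
    return bytes(img), off


if __name__ == "__main__":
    img, _ = sample_flash()
    for f in scan_flash(img):
        print("%08x %s" % (f["offset"], f))
```

On a real 8 MB dump the uImage offset found near the top of a bootimage is the value to put into f1_kernel_addr or f2_kernel_addr, and the gap between the second squashfs magic and that header is the slack the layout section describes.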
Software Reference
Boot Logs
Here are the logs taken from the serial console. For privacy reasons the MAC address, serial number and manufacturing date have been altered.
U-Boot log
Here is the log of the U-Boot part of the boot process up to the serial console prompt. Note that this is the NOWLAN version, which is why the WLAN key is padded with 0xFF (ÿ).
Version 1.0.1
Read EEPROM
Jump to Flash
Version 1.0.1
Read EEPROM
Jump to Flash
Head : Amazon Version 1.0.0
DRAM: 16 MB
Head : relocate_code start
Head: relocate code finish.
   Image Name:   u-boot image
   Image Type:   MIPS Linux Firmware (lzma compressed)
   Data Size:    41569 Bytes = 40.6 kB
   Load Address: 80100000
   Entry Point:  80100000
Disabling all the interrupts
Uncompressing UBoot Image ...
Uncompression completed successfully with destLen 133600.
Head: Jumping to u-boot in the ram at 0x80100000

Infineon Amazon U-Boot 2.0.33-16 (Jun 8 2006 - 12:15:51)

In env_init : env_ptr = 0xb3010000
For enviornment CRC32 is OK
Board: AMAZON Yangtse Version, Chip V1.3, CPU Speed 235 MHz
DRAM: 16 MB
relocate_code start
relocate code finish
Entering flash_init()
Flash: 8 MB
env_relocate[224] malloced ENV at 80ab0008
****************************************************************
* Sphairon type label                                          *
* ------------------------------------------------------------ *
* Product:                : Turbolink-IAD                      *
* HW Version              : 2/00                               *
* Serial number           : YY/MM/NNNNNN                       *
* Date of production:     : YY/MM/DD/HH/MM                     *
* MAC address             : 00:XX:XX:XX:XX:XX                  *
* WLAN module             : no                                 *
* Annex mode              : Annex-B                            *
* Ident number            : 286204                             *
* Default WLAN WEP key    : ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ         *
* Customer                : Hansenet                           *
* FXO                     : 0                                  *
* S0 extern               : 0                                  *
* S0 intern               : 1                                  *
* A/B count               : 2                                  *
* Switch IC               : 1                                  *
* Simcard                 : 0                                  *
* LED configuration       : 10111100111010                     *
****************************************************************
Initialize devices...
In:    serial
Out:   serial
Err:   serial
Net:   reset switch
ADM6996 SMI Mode-Chip ID:71023
AMAZON Switch
****************************************************************
* Bootimage information                                        *
* ------------------------------------------------------------ *
* Active bootimage: 1                                          *
* Bootimage status: Valid                                      *
****************************************************************
Type "run flash_nfs" to mount root filesystem over NFS
Press enter key to stop autoboot:  2 ... 1 ... <ENTER>
AMAZON #
Firmware log
Without user interaction the above log continues autobooting like this:
Press enter key to stop autoboot:  2 ... 1 ... 0
## Booting image at b337513d ...
   Image Name:   MIPS Linux-2.4.20-AMAZON-3.0.3
   Created:      2007-03-30   8:05:35 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    568955 Bytes = 555.6 kB
   Load Address: 80002000
   Entry Point:  801b0040
   Verifying Checksum ... OK
   Uncompressing Kernel Image ...
Uncompression time : 255595/117500000
Uncompression length is 1937408
 OK
Starting kernel ...

Yangtse Version
memsize=16l flash_start=0xb3000000 flash_size=8388608l
CPU revision is: 00019064
Primary instruction cache 8kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 4kB 2-way, linesize 16 bytes.
Linux version 2.4.20-AMAZON-3.0.3 (heinzm@linux-bautzen) (gcc version 3.3.4) #2 Fr Mär 30 10:05:24 CEST 2007
Can't analyze prologue code at 800236d4
Determined physical RAM map:
User-defined physical RAM map:
 memory: 01000000 @ 00000000 (usable)
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock4 bootimage=1 ip=192.168.100.1:192.168.100.100::::eth1:off console=ttyS0,115200 ethaddr=00:XX:XX:XX:XX:XX mem=16M panic=1
mips_counter_frequency:117500000
r4k_offset: 0011edd8(1175000)
Calibrating delay loop... 233.47 BogoMIPS
MIPS CPU counter frequency is fixed at 117500000 Hz
Memory: 14160k/16384k available (1695k kernel code, 2224k reserved, 92 k data, 68k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer-cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction.............................[OK]
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Initializing RT netlink socket
LSP Revision 1
Starting kswapd
Disabling the Out Of Memory Killer
Squashfs 2.2 (released 2005/07/03) (C) 2002-2004, 2005 Phillip Lougher
i2c-core.o: i2c core module version 2.6.2 (20011118)
i2c-dev.o: i2c /dev entries driver module version 2.6.2 (20011118)
i2c-algo-bit.o: i2c bit algorithm module version 2.6.2 (20011118)
pty: 256 Unix98 ptys configured
Infineon Technologies Synchronous Serial Controller (SSC) driver version 0.2.1-sas - built Mar 30 2007 10:02:37
Starting mib_poll...
Inside mib poll loop ...
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
ttyS%d0 at MEM 0xb0100400 (irq = 144) is a AMAZONASC
oamk: init_module() called.
Opening oam kernel socket
oamk: init_module() returned.
MTD partition layout for 8 MB FLASH bootimage 1
init_amazon_mtd: start_scan_addr: b3000000
init_amazon_mtd: chip probing count 0
Amazon: probing address:b3000000
 Amd/Fujitsu Extended Query Table v1.3 at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling fast programming due to code brokenness.
init_amazon_mtd: bank1, name:Amazon Bank 0, size:8388608 bytes
AMAZON flash0: Using static image partition definition
AMAZON flash0: Partition count is 10
Creating 10 MTD partitions on "Amazon Bank 0":
0x00000000-0x00010000 : "uboot"
0x00010000-0x00020000 : "ubootconfig"
0x00020000-0x00040000 : "sysconfig"
0x00040000-0x00080000 : "active_firmware"
0x00080000-0x00400000 : "active_rootfs,kernel"
0x00400000-0x00410000 : "backup_uboot"
0x00410000-0x00420000 : "backup_ubootconfig"
0x00420000-0x00440000 : "backup_sysconfig"
0x00440000-0x00480000 : "second_firmware"
0x00480000-0x00800000 : "second_rootfs,kernel"
Tracer: Initialization complete
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
Linux IP multicast router 0.06 plus PIM-SM
ip_conntrack version 2.1 (128 buckets, 1024 max) - 352 bytes per conntrack
ip_conntrack_pptp version 1.9 loaded
ip_conntrack_rtsp v0.01 loading
ip_nat_pptp version 1.5 loaded
ip_nat_rtsp v0.01 loading
SUCCESS 100 MAJOR_NUM_RTSP
ip_tables: (C) 2000-2002 Netfilter core team
netfilter PSD loaded - (c) astaro AG
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Ebtables v2.0 registered
NET4: Ethernet Bridge 008 for NET4.0
Bridge firewalling registered
802.1Q VLAN Support v1.7
Amazon Port Initialization
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: Pinit started:  BusyBox v1.00 (2007.03.30-08:13+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5
Created character device /dev/amazon_port with major[252] and minor[0]
1+0 records in
1+0 records out
1+0 records in
1+0 records out
rd_dataset() Source /dev/mtd/2 Size 131072 Device block size 65536
rd_dataset() MTD Type:3H Flags:00000005H OOBlk:0H OOBlkSize:0H ECCType:0H ECCSize:0H
rd_dataset() Search OffSect:    0H Hdr:4FFF2596H
rd_dataset() Search OffSect:10000H Hdr:CFFF1B29H
rd_dataset() Search PosHdr:    0H Hdr:CFFF1B29H SizImg:6953
rd_dataset() Search PosHdr: 1B30H Hdr:CFFF1AC2H SizImg:6850
rd_dataset() Search PosHdr: 35F8H Hdr:CFFF1B29H SizImg:6953
rd_dataset() Search PosHdr: 5128H Hdr:CFFF1AC2H SizImg:6850
rd_dataset() Search PosHdr: 6BF0H Hdr:CFFF1B29H SizImg:6953
rd_dataset() Search PosHdr: 8720H Hdr:CFFF1AC2H SizImg:6850
rd_dataset() Search PosHdr: A1E8H Hdr:CFFF1B29H SizImg:6953
rd_dataset() Last Dataset OffSect:10000H PosHdr:A1E8H Hdr:CFFF1B29H SizImg:6953
read_syscfg_main() Target file /tmp/conf.tgz created successfully (6953 from 6953 bytes saved).
Sun Jan  1 00:00:00 MEZ 2006
reading rc.conf version ...
rc.conf version ... "1000"
rc.conf not concerned by partialFactoryReset version=1000
reading database.txt version ...
database.txt version ... "8"
database.txt not concerned by partialFactoryReset version=8
partialFactoryReset() : not concened version -> try normal process
date: 23, month: 3, hour: 14, minute: 4
./translate: not found
Dummy modprobe : ip_nat_rtsp
Dummy modprobe : ip_conntrack_rtsp
Dummy modprobe : ifx_ip_nat_sip
Bringing up syslog
Bringing up klogd
Enable successfull
Using /lib/modules/2.4.20-AMAZON-3.0.3/kernel/drivers/net/admmod.o
Loading ADM6996 driver...
ADM6996 SMI Mode-Chip ID:71023
<6>device eth1 entered promiscuous mode
Success
Not ADM6996LC
br0: port 1(eth1) entering learning state
Enable successfull
Enable successfull
Enable successfull
Enable successfull
Enable successfull
RFC1483/2684 bridge: Interface "nas1" created sucessfully
set_qsb: mbs is too large, mbr:10000 taus:882567
RFC1483/2684 bridge: Communicating over ATM 0.1.35, encapsulation: LLC
RFC1483/2684 bridge: Interface configured
optarg : RT-VBR,aal5:scr=650,mbs=10000,max_pcr=1300,cdv=50
optarg : RT-VBR,aal5:scr=650,mbs=10000,max_pcr=1300,cdv=50
Plugin /usr/lib/pppd/2.4.2/rp-pppoe.so loaded.
RP-PPPoE plugin version 3.3 compiled against pppd 2.4.2
RFC1483/2684 bridge: Interface "nas2" created sucessfully
RFC1483/2684 bridge: Communicating over ATM 0.1.32, encapsulation: LLC
RFC1483/2684 bridge: Interface configured
optarg : UBRdevice nas2 entered promiscuous mode
br0: port 2(nas2) entering learning state
optarg : UBRbr0: port 1(eth1) entering forwarding state
br0: topology change detected, propagating
RFC1483/2684 bridge: Interface "nas3" created sucessfully
set_qsb: <warning> MIN_PCR should not be zero
RFC1483/2684 bridge: Communicating over ATM 0.1.34, encapsulation: LLC
RFC1483/2684 bridge: Interface configured
optarg : NRT-VBR,aal5:scr=9000,mbs=20000,max_pcr=10000
optarg : NRT-VBR,aal5:scr=9000,mbs=20000,max_pcr=10000
device nas3 entered promiscuous mode
br0: port 3(nas3) entering learning state
3.0.3-16.8
add two VLAN interfaces
deactivate bridge
br0: port 3(nas3) entering disabled state
br0: port 2(nas2) entering disabled state
br0: port 1(eth1) entering disabled state
br0: port 1(eth1) entering disabled state
device eth1 left promiscuous mode
br0: port 2(nas2) entering disabled state
device nas2 left promiscuous mode
br0: port 3(nas3) entering disabled state
device nas3 left promiscuous mode
configure br0 for VLAN ID2
device nas2 entered promiscuous mode
br0: port 2(nas2) entering learning state
br0: port 1(eth1.2) entering learning state
configure br1 for VLAN ID3
device nas3 entered promiscuous mode
br1: port 2(nas3) entering learning state
br1: port 1(eth1.3) entering learning state
ADM6996I Registersatz VLAN Konfiguration
(WRITE) addr: 0001, value: 880f
(WRITE) addr: 0003, value: 880f
(WRITE) addr: 0005, value: 880f
(WRITE) addr: 0007, value: 8c0f
(WRITE) addr: 0008, value: 840f
(WRITE) addr: 000a, value: 5906
(WRITE) addr: 0010, value: 0040
(WRITE) addr: 0011, value: a320
(WRITE) addr: 0012, value: 3602
(WRITE) addr: 0020, value: bfd5
(WRITE) addr: 0021, value: ffd5
(WRITE) addr: 0022, value: ffd5
(WRITE) addr: 002a, value: 0000
(WRITE) addr: 0040, value: 0827
(WRITE) addr: 0041, value: 8002
(WRITE) addr: 0042, value: 0828
(WRITE) addr: 0043, value: 8003
(WRITE) addr: 0045, value: 0001
(WRITE) addr: 0047, value: 0001
(WRITE) addr: 0049, value: 0001
(WRITE) addr: 004b, value: 0001
(WRITE) addr: 004d, value: 0001
(WRITE) addr: 004f, value: 0001
(WRITE) addr: 0051, value: 0001
(WRITE) addr: 0053, value: 0001
(WRITE) addr: 0055, value: 0001
(WRITE) addr: 0057, value: 0001
(WRITE) addr: 0059, value: 0001
(WRITE) addr: 005b, value: 0001
(WRITE) addr: 005d, value: 0001
(WRITE) addr: 005f, value: 0001
(WRITE) addr: 002f, value: ffff
Terminating on signal 15.
Image 1 already set as valid bootimage
+--------------------------------------+
| Linux/MIPS on AMAZON by Infineon CPE |
+--------------------------------------+

amazon login: amazon Board Driver, Version 0.0.1.8
<6>(c) Copyright 2004, Infineon Technologies AG
<1>ISAC-SX PEB3086 Driver 3.0 (MMIO mode) loaded
ISAC-SX Base0: 0x14000000, 0, 1, 0, 2
ISAC-SX hardware V1.4 detected.
ISAC-SX at 0xB4000000 in LT-S mode (0x03).
ISAC-SX driver registered with device number: 240
ISAC-SX irq handler registered for irq 0x004F (79).
driver configured 0
br0: port 2(nas2) entering forwarding state
br0: topology change detected, propagating
br0: port 1(eth1.2) entering forwarding state
br0: topology change detected, propagating
br1: port 2(nas3) entering forwarding state
br1: topology change detected, propagating
br1: port 1(eth1.3) entering forwarding state
br1: topology change detected, propagating
ISACSX Device 0 opened.
Board_InitPlatform!
SPI_Init!
Board_InitIrq!
init finished!
drv_amazon:reset deactivated!
driver configured 1
driver configured 2

amazon login:
Packages
Core system
- U-Boot 2.0.33-16-Amazon-1.0.0 (bootloader, missing source)
- MIPS Linux-2.4.20-Amazon-3.0.3 (kernel)
- Infineon Amazon firmware + drivers (closed source)
- uClibc 0.9.27
- Busybox 1.0 (modified, missing source)
- includes: [, basename, busybox, cat, chmod, chroot, cmp, cp, cut, date, dd, dmesg, dumpleases, echo, env, expr, false, fgrep, free, getty, grep, gunzip, gzip, hostname, httpd, ifconfig, inetd, init, insmod, kill, killall, klogd, ln, logger, login, logread, ls, lsmod, mkdir, mknod, modprobe, more, mount, msh, mv, nice, nslookup, od, passwd, pidof, ping, ps, pwd, reboot, renice, rm, rmmod, route, sh, sleep, syslogd, tail, tar, telnetd, test, top, touch, tr, true, tty, udhcpc, udhcpd, udhcpr, umount, uname, uptime, usleep, vconfig, vi, zcat
- mtd (memory device driver)
- OpenSSL (missing source)
Routing
- iproute2 (IP routing)
- bridge-utils (bridging)
- iptables (IP filtering + forwarding)
- ebtables (Ether filtering)
- vlan (VLAN routing)
- zebra (RIP routing)
- tc (Traffic Control, missing source?)
Connectivity
- br2684ctl (RFC1483/2684 Bridge Daemon)
- linux-atm (ATM on Linux)
- ppp (Point-to-Point Protocol)
- rp-pppoe (PPP-over-Ethernet redirector)
- dimclient (Dimark TR-069 embedded client, closed source)
Services
- dhcp (DHCP relay, missing source)
- dnrd (DNS relay)
- net-snmp (SNMP daemon, missing source)
- dropbear (SSH server, missing source)
- linux-ftpd (FTP server, missing source)
- ntpclient (NTP client)
- ez-ipupdate (DynDNS client)
- tftp-hpa 0.40 (TFTP server, missing source, only 0.35 source)
- rtpd (RTP proxy, closed source)
Wireless
- Wireless Tools
Telephony
- eXosip 2.2.2 (SIP protocol stack, missing source)
Misc
- ifx_util (Infineon chip control and Utility, closed source)
- adm6996, cmvread, cmvwrite, flash_timer, get_adsl_rate, get_atmqos_name, get_if_index, mem, naptcfg, mknod_util, next_macaddr, status_oper, swreset, voip_relay
- sas_tools (StandAlone System Tools, flash handling, closed source)
- bootimage, cfg_export, get_env_var, read_syscfg, etl-tool, web_upgrade, write_syscfg
- sasapp (StandAlone System Applications, Status LED and RTP support, closed source)
- adsl-status, led, ledd, rtpd, rtpfilter
Special Files
- voip-phone <database> <daemon> <cfg_socket> (SIP protocol stack)
- watchdogserver <seconds> <syslog> (auto reboot on crash)
System Config
Each firmware instance has one 128 kB configuration storage partition in flash. It is divided into two 64 kB sectors, each of which stores a chunklist of tar.gz archives of the complete configuration in /ramdisk/flash.
Each chunk starts with a 4-byte big-endian header (16-bit active-low chunk flags, 16-bit chunk length; compare the Hdr:CFFF1B29H / SizImg:6953 lines of the boot log), followed by the tar.gz payload, padded with 0xFF to a 32-bit word boundary (IFF-style chunk padding). The unused remainder of the respective sector is also padded with 0xFF.
The chunk flags mainly provide a mechanism to preserve chain integrity during writes in a multitasking environment. First the header is written with flags FFFF and the size, then the flags are overwritten with DFFF to mark the size valid (flash allocated), then the data is appended and the flags are set to CFFF, marking size and data valid. Read as active-low bits this means: 2000 cleared = size valid, 1000 cleared = data valid.
The flag 8000 (turning CFFF into 4FFF) is evidently used to mark the respective sector full; it only occurs in the first chunk of the first sector, when the second sector holds the latest valid config.
The executables responsible for this, read_syscfg and write_syscfg, have a 'backup' option which seems to be an obsolete mechanism, since it then accesses the sysconfig of the other bootimage.
The average config size is 10 kB, so after some time the two sectors keep a backlog of about 12 configs. What happens when both sectors are filled to the end is not known yet. FIXME!
If no valid config can be read at boot time, or if the reset switch is held until the power LED lights up red, the factory defaults from /etc/conf.tgz are appended to the chain as a new valid config. Since nothing is erased, a factory reset by no means clears personal data on this unit: the previous configs, including files such as pin.txt, passwd and callinfodb.txt listed below, stay readable in flash.
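The following Python code is an added example (not Sphairon's read_syscfg and not from the original page) that walks a 128 kB sysconfig partition as described above and returns the newest valid config archive, skipping an interrupted write and honouring the sector-full flag. Its assumptions are stated in the module docstring; the partition it parses is constructed with the same helpers, not dumped from a real unit.

```python
"""Walk a 128 kB sysconfig partition and extract the newest config tar.gz.

Added example for this page, not Sphairon's read_syscfg.  Assumptions: the
flag bits follow the write sequence FFFF -> DFFF -> CFFF described above, a
cleared 0x8000 bit in the first chunk of sector 0 hands the chain over to
sector 1, and when neither sector is marked full sector 0 is tried first.
sample_partition() is a constructed partition, not a real dump.
"""
import io
import struct
import tarfile

SECTOR_SIZE = 0x10000
SIZE_VALID = 0x2000     # bit cleared once the length field is committed (FFFF -> DFFF)
DATA_VALID = 0x1000     # bit cleared once the payload is written       (DFFF -> CFFF)
SECTOR_FULL = 0x8000    # bit cleared to retire a full sector           (CFFF -> 4FFF)
GZIP_MAGIC = b"\x1f\x8b"


def walk_sector(sector):
    """Return (offset, flags, size, payload_or_None) for each allocated chunk."""
    chunks, off = [], 0
    while off + 4 <= len(sector):
        flags, size = struct.unpack_from(">HH", sector, off)
        if flags & SIZE_VALID:                   # erased space or an interrupted allocation
            break
        payload = sector[off + 4:off + 4 + size]
        ok = not (flags & DATA_VALID) and len(payload) == size and payload[:2] == GZIP_MAGIC
        chunks.append((off, flags, size, payload if ok else None))
        off = (off + 4 + size + 3) & ~3          # IFF-style padding to a word boundary
    return chunks


def latest_config(partition):
    """Return (sector, offset, tgz) of the newest valid chunk, or None."""
    if len(partition) != 2 * SECTOR_SIZE:
        raise ValueError("sysconfig partition must be 128 kB")
    walked = [walk_sector(partition[i:i + SECTOR_SIZE]) for i in (0, SECTOR_SIZE)]
    first_flags = walked[0][0][1] if walked[0] else 0xFFFF
    order = (1, 0) if not (first_flags & SECTOR_FULL) else (0, 1)
    for idx in order:
        valid = [c for c in walked[idx] if c[3] is not None]
        if valid:
            off, _flags, _size, tgz = valid[-1]
            return idx, off, tgz
    return None


def read_files(tgz):
    """Unpack a config archive into {path: bytes}."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        return {m.name: tf.extractfile(m).read() for m in tf if m.isfile()}


def make_tgz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def pack_chunk(payload, flags=0xCFFF):
    """Header + payload + 0xFF padding, as write_syscfg lays it out."""
    body = struct.pack(">HH", flags, len(payload)) + payload
    return body + b"\xff" * (-len(body) % 4)


def sample_partition():
    """Constructed partition: sector 0 retired (4FFF), sector 1 with two configs and an aborted write."""
    s0 = pack_chunk(make_tgz({"rc.conf": b"version=999\n"}), flags=0x4FFF)
    s1 = pack_chunk(make_tgz({"rc.conf": b"version=1000\n", "pin.txt": b"1234\n"}))
    s1 += pack_chunk(make_tgz({"rc.conf": b"version=1000\n", "pin.txt": b"5678\n"}))
    s1 += pack_chunk(b"\xff" * 40, flags=0xDFFF)     # length committed, data never written
    return s0.ljust(SECTOR_SIZE, b"\xff") + s1.ljust(SECTOR_SIZE, b"\xff")


if __name__ == "__main__":
    sector, off, tgz = latest_config(sample_partition())
    print("sector %d offset 0x%x: %s" % (sector, off, sorted(read_files(tgz))))
```

Note that every older chunk in the walk is still readable: running read_files over all valid chunks of both sectors recovers the whole backlog, which is exactly why a factory reset leaves personal data on the unit.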
Files present in the default config:
- authorized_keys (rsa public key of the ISP for dropbear, symlinked from /root/.ssh/authorized_keys)
- database.txt (TR-069 database)
- database_tr69.txt (TR-069 database)
- dps_patch (changed TR-069 profile data)
- eventCodeP.dat (status response of last TR-069 session)
- profile (paths, symlinked from /etc/profile)
- rc.conf (system config, symlinked from /etc/rc.conf)
- rsa_key (rsa private key of the router for dropbear)
Additional files added after:
- filetrans/ (logs of recent TR-069 file transfers, named by unix timestamp)
- parameter/ (empty dir)
- callinfodb.txt (recent calls flat-db)
- date.last (datestamp of last valid time, or of 2006/01/01 if none)
- dps.add (added TR-069 profile data)
- fwdiag (empty file)
- passwd (root password, symlinked from /etc/passwd)
- pin.txt (provision code for TR-069)
- tr69_sw_old_version (firmware version string, pre 1.18 fw or post update to other bootimage only)
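The chunk chain described above, worked through as an added example that is not part of this page or of the uboot-utils it links to: a small Python script that rebuilds the sector bytes from a U-Boot md.b terminal log (the kind of dump taken in the Root Access section below), checks the CRC against what the crc32 command prints, walks the chain by its flag states (FFFF / DFFF / CFFF / 4FFF) to find the newest valid config, and unpacks it. The header layout (2-byte big-endian flags, 2-byte big-endian size, then the gzip'd tar data, chunks packed back to back) is an assumption read off the dump shown on this page; the sample sector, its file names and contents are constructed for the example.

```python
"""Rebuild and walk a Turbolink sysconfig sector (added example, not uboot-utils).
Assumed chunk layout, taken from the dump on this page: 2-byte big-endian flags,
2-byte big-endian size, `size` bytes of gzip'd tar, chunks packed back to back."""
import io
import re
import tarfile
import zlib

SECTOR_SIZE = 0x20000        # one 128 kB config sector
FLAG_BLANK = 0xFFFF          # erased flash, or header written with size only
FLAG_SIZE_VALID = 0xDFFF     # size committed, data not yet complete
FLAG_DATA_VALID = 0xCFFF     # size and data committed: a usable config
FLAG_SECTOR_FULL = 0x4FFF    # CFFF with bit 0x8000 cleared: sector is full

# matches "b3020000: cf ff 1b 29 ... ec 5c    ...)...\" -> (address, hex column)
MD_LINE = re.compile(r"^([0-9a-f]{8}):((?: [0-9a-f]{2}){1,16})", re.I)

def parse_md_dump(text):
    """Rebuild bytes from a terminal log of `md.b <addr> <len>` (like uboot2bin)."""
    out = bytearray()
    for line in text.splitlines():
        m = MD_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)

def uboot_crc32(data):
    """CRC as U-Boot's `crc32` prints it: zlib CRC-32, 8 lowercase hex digits."""
    return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)

def walk_chain(sector):
    """Yield (offset, flags, size, data) per chunk header until blank flash."""
    off = 0
    while off + 4 <= len(sector):
        flags = int.from_bytes(sector[off:off + 2], "big")
        size = int.from_bytes(sector[off + 2:off + 4], "big")
        if flags == FLAG_BLANK and size == 0xFFFF:
            break                    # erased flash: end of chain
        yield off, flags, size, sector[off + 4:off + 4 + size]
        off += 4 + size              # interrupted writes are skipped by their size

def _last_valid(sector):
    last = None
    for _, flags, size, data in walk_chain(sector):
        if flags in (FLAG_DATA_VALID, FLAG_SECTOR_FULL) and len(data) == size:
            last = data              # later chunks supersede earlier ones
    return last

def latest_config(sector1, sector2=None):
    """Newest valid chunk; a 4FFF first chunk in sector 1 points to sector 2."""
    first = next(walk_chain(sector1), None)
    if sector2 is not None and first and first[1] == FLAG_SECTOR_FULL:
        return _last_valid(sector2) or _last_valid(sector1)
    return _last_valid(sector1)

def extract_config(blob):
    """Unpack one chunk's gzip'd tar into {path: bytes} (what bin2config writes)."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files

# ---- constructed sample data below, not a real dump ----
def make_tgz(files):
    """Pack {name: bytes} into a gzip'd tar, like /etc/conf.tgz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sector(chunks):
    """Lay out (flags, data) chunks back to back in a blank 0xFF sector."""
    img = bytearray()
    for flags, data in chunks:
        img += flags.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
    return bytes(img) + b"\xff" * (SECTOR_SIZE - len(img))

def format_md(image, base=0xB3020000):
    """Render bytes the way U-Boot `md.b` prints them: 16 per line plus ASCII."""
    lines = []
    for off in range(0, len(image), 16):
        row = image[off:off + 16]
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in row)
        lines.append("%08x: %s    %s" % (base + off, row.hex(" "), asc))
    return "\n".join(lines)

def demo():
    """Log -> bytes -> CRC -> newest config, with one interrupted write in the chain."""
    factory = make_tgz({"rc.conf": b"# factory defaults\n"})
    current = make_tgz({"rc.conf": b"# set by TR-069\n", "pin.txt": b"0000\n"})
    torn = b"\x1f\x8b\x08\x00" + b"\xff" * 36    # DFFF: size set, data never finished
    sector = build_sector([(FLAG_DATA_VALID, factory), (FLAG_SIZE_VALID, torn),
                           (FLAG_DATA_VALID, current)])
    image = parse_md_dump("AMAZON # md.b B3020000 20000\n" + format_md(sector) + "\n")
    return {"intact": image == sector, "crc": uboot_crc32(image),
            "flags": [f for _, f, _, _ in walk_chain(image)],
            "files": extract_config(latest_config(image))}
```

Run demo() to see the three chunk states in order (CFFF, DFFF, CFFF) and that the newest valid chunk, not the interrupted one, is what gets unpacked. Comparing uboot_crc32() of the rebuilt image with the value the crc32 command printed is the cheap way to catch a terminal log that dropped or mangled lines before trusting the reconstruction.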
Root Access
Now that the config mechanism is known, let's gain root access to this black box in white. This involves the U-Boot console to read out the config, TFTP to store an altered config, and ends up with SSH access.
Here is the checklist of requirements:
- A computer with a direct LAN connection to the router (here: 192.168.1.100).
- A serial cable and level converter connected to the router's serial port.
- A terminal emulation program capable of session logging.
- A Linux (or compatible) root shell with Perl and SSH installed.
- A TFTP server.
And here is the step-by-step guide:
U-Boot Console
- Enter the U-Boot console and find out the active bootimage (required for 8 MB models only):
    AMAZON # printenv f_aci
    f_aci=1
    AMAZON # printenv flashargs
    flashargs=setenv bootargs root=/dev/mtdblock4 bootimage=1
- If the above variables end in =1, the config base address is B3020000.
- If the above variables end in =2, the config base address is B3420000.
- Start the logging function of your terminal program, then dump and checksum the config:
    AMAZON # md.b B3020000 20000
    b3020000: cf ff 1b 29 1f 8b 08 00 00 00 00 00 02 03 ec 5c    ...)...........\
    b3020010: 0b 8c 24 c7 59 3e 2b 8e 89 3b 44 b6 13 63 09 29    ..$.Y>+..;D..c.)
    <snip>
    b303ffe0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
    b303fff0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
    AMAZON # crc32 B3020000 20000
    CRC32 for b3020000 ... b303ffff ==> 0646432c
- Stop the logging function of your terminal program and save the (ca. 550 kB) log as sysconfig.txt.
- Fire up a shell, download the uboot utils and extract the configs:
    bash$ wget -q http://url.soon.here/uboot-utils_0.10.tgz
    bash$ tar xfz uboot-utils_0.10.tgz
    bash$ ./uboot2bin sysconfig.txt sysconfig.bin
    bash$ ./bin2config sysconfig.bin sysconfig
- The latest config is now unpacked into the subdir sysconfig.
- Now first remove the LAN side firewalling:
    bash$ echo "(sleep 60 && iptables -F IFX_FW_DENY_LAN_IF_INPUT) &" >>sysconfig/profile
- Make sure you have an RSA keypair installed; if not, create one.
- Now append your RSA public key to the authorized keys:
    bash$ cat ~/.ssh/id_rsa.pub >>sysconfig/authorized_keys
- Now repack the configs into a sector again:
    bash$ ./config2bin sysconfig newconfig.bin
- The resulting file can now be flashed. For this you need a running TFTP server hosting newconfig.bin.
- To simplify further work, we adapt the U-Boot IP to match the router's default IP:
    AMAZON # setenv ipaddr 192.168.1.1
    AMAZON # setenv serverip 192.168.1.100
    AMAZON # saveenv
    Saving Environment to Flash...
    Saving ubootconfig ...
    Erasing Flash from B3010000 to B301FFFF ... Done
    Writing to Flash to B3010000 from buffer 80AB0008 with length 00010000 ... Done
- Now comes the dangerous part: transfer, erase and flash it (typos here are fatal!):
    AMAZON # tftpboot 80400000 newconfig.bin
    ARP broadcast 1
    TFTP from server 192.168.1.100; our IP address is 192.168.1.1
    Filename 'newconfig.bin'.
    Load address: 0x80400000
    Loading: #############
    done
    Bytes transferred = 131072 (20000 hex)
    AMAZON # erase B3020000 B303ffff
    1 Erase Flash from B3020000 to B303FFFF
    AMAZON # cp.b 80400000 B3020000 20000
    Copy to Flash... done
    AMAZON # reset
- Now, after a complete boot, we have:
SSH access
The default IP of this router is 192.168.1.1, netmask 255.255.255.0. If you followed the above procedure you should be able to SSH to the device with RSA key authentication.
Crippleware Alert
This device is a perfect example of anti-developer, GPL-based crippleware: lots of source is missing and many important functions are either missing, broken or messed up:
- On the LAN side, nmap scans show the ftp, ssh and telnet ports in filtered state; only TCP port 8082 is open, and telnetting to it shows that it claims to run a gSOAP/2.7 webserver.
- LAN port filtering is configured by disabling the LAN-related settings in the application_server tag of rc.conf. Opening these ports by changing rc.conf doesn't help, since the boot script rcS verifies these settings and rewrites rc.conf if they changed, before services are launched.
- The /etc/passwd encryption algorithm seems unknown, so replacing the file with something working is difficult, especially because the busybox passwd applet crashes with SIGSEGV. So creating or changing passwords is impossible for now, hence no console or password login for now. Maybe there's some mechanism to make it work; maybe that's why the busybox source is missing.
... and more - WIP.
Links
- Sphairon Turbolink IAD WLAN Intro - Press text Cebit 2005 (pdf, german language)