{"id":964,"date":"2016-03-29T21:12:09","date_gmt":"2016-03-29T19:12:09","guid":{"rendered":"https:\/\/bergs.biz\/blog\/?p=964"},"modified":"2016-03-30T20:01:35","modified_gmt":"2016-03-30T18:01:35","slug":"hacking-the-genexis-fibertwist-p2410","status":"publish","type":"post","link":"https:\/\/bergs.biz\/blog\/2016\/03\/29\/hacking-the-genexis-fibertwist-p2410\/","title":{"rendered":"Hacking the Genexis FiberTwist-P2410"},"content":{"rendered":"<p>In my <a href=\"https:\/\/bergs.biz\/blog\/2016\/03\/29\/genexis-fibertwist-p2410-dissected\/\">previous article<\/a> I described the key components the Genexis FiberTwist-P2410 is comprised of. One of these components is the serial console connector, and its presence was so tempting that I simply <em>had<\/em> to play with it&#8230;<\/p>\n<figure id=\"attachment_965\" aria-describedby=\"caption-attachment-965\" style=\"width: 155px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/Serial-Connector.png\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-965 size-medium\" src=\"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/Serial-Connector-155x300.png\" alt=\"Layout of Serial Console Connector\" width=\"155\" height=\"300\" srcset=\"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/Serial-Connector-155x300.png 155w, https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/Serial-Connector-77x150.png 77w, https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/Serial-Connector.png 200w\" sizes=\"auto, (max-width: 155px) 100vw, 155px\" \/><\/a><figcaption id=\"caption-attachment-965\" class=\"wp-caption-text\">Layout of Serial Console Connector<\/figcaption><\/figure>\n<p>So I connected a <a href=\"http:\/\/www.amazon.de\/gp\/product\/B008RF73CS\/ref=as_li_tl?ie=UTF8&amp;camp=1638&amp;creative=19454&amp;creativeASIN=B008RF73CS&amp;linkCode=as2&amp;tag=bergsbiz-21\" target=\"_blank\">UART-to-USB converter<\/a> and watched the console output 
while the device boots&#8230; Communications parameters were easy to guess: 115,200 bps, 8N1, no handshake (neither HW, nor SW)&#8230;<!--more--><\/p>\n<pre>ROM VER: 1.0.0\r\nCFG 06\r\nNAND\r\n\r\nROM VER: 1.0.0\r\nCFG 06\r\nNAND\r\n\r\nbootstrap-polar-2.1.0-R (Dec\u00a0 1 2015 - 15:47:13)\r\n\r\nDDR autotuning Rev 1.0\r\nDDR size from 0xa0000000 - 0xa3ffffff\r\nDQS GATE ECHO DLL Delay Slice0:00000014\r\nDQS GATE ECHO DLL Delay Slice1:00000016\r\nRead DQS Delay Slice0:00000026\r\nRead DQS Delay Slice1:00000026\r\nWrite DQS Delay Slice0:00000025\r\nWrite DQS Delay Slice1:00000025\r\n\r\n\r\nbootloader-polar-2.1.0-R (Dec 01 2015 - 15:46:40)\r\n\r\nCLOCK CPU 600M RAM 300M\r\n16 Bit RAM\r\nDRAM:\u00a0 128 MiB\r\nNAND:\u00a0 NAND device: Manufacturer ID: 0xc8, Chip ID: 0xd1 (Unknown NAND 128MiB 3,3V 8-bit)\r\n128 MiB\r\nBad block table found at page 65472, version 0x01\r\nBad block table found at page 65408, version 0x01\r\n*** Warning - bad CRC or NAND, using default environment\r\n\r\nIn:\u00a0\u00a0\u00a0 serial\r\nOut:\u00a0\u00a0 serial\r\nErr:\u00a0\u00a0 serial\r\nNet:\u00a0\u00a0 internal phy using 25Mhz clock\r\nInternal phy firmware version: 0x8434\r\nar10 Switch\r\n\r\nType \"run flash_nfs\" to mount root filesystem over NFS\r\n\r\nHit any key to stop autoboot:\u00a0 1\u00a0 0 \r\nCreating 1 MTD partitions on \"nand0\":\r\n0x000000280000-0x000007f80000 : \"mtd=4\"\r\nUBI: attaching mtd1 to ubi0\r\nUBI: physical eraseblock size:\u00a0\u00a0 131072 bytes (128 KiB)\r\nUBI: logical eraseblock size:\u00a0\u00a0\u00a0 129024 bytes\r\nUBI: smallest flash I\/O unit:\u00a0\u00a0\u00a0 2048\r\nUBI: sub-page size:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 512\r\nUBI: VID header offset:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 512 (aligned 512)\r\nUBI: data offset:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2048\r\nUBI: attached mtd1 to ubi0\r\nUBI: MTD device 
name:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \"mtd=4\"\r\nUBI: MTD device size:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 125 MiB\r\nUBI: number of good PEBs:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1000\r\nUBI: number of bad PEBs:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\r\nUBI: max. allowed volumes:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 128\r\nUBI: wear-leveling threshold:\u00a0\u00a0\u00a0 4096\r\nUBI: number of internal volumes: 1\r\nUBI: number of user volumes:\u00a0\u00a0\u00a0\u00a0 2\r\nUBI: available PEBs:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0\r\nUBI: total number of reserved PEBs: 1000\r\nUBI: number of PEBs reserved for bad PEB handling: 20\r\nUBI: max\/mean erase counter: 2\/0\r\nUBIFS: mounted UBI device 0, volume 1, name \"data\"\r\nUBIFS: mounted read-only\r\nUBIFS: file system size:\u00a0\u00a0 120250368 bytes (117432 KiB, 114 MiB, 932 LEBs)\r\nUBIFS: journal size:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 9033728 bytes (8822 KiB, 8 MiB, 71 LEBs)\r\nUBIFS: media format:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 w4\/r0 (latest is w4\/r0)\r\nUBIFS: default compressor: LZO\r\nUBIFS: reserved for root:\u00a0 0 bytes (0 KiB)\r\nfeed 'geneos-polar-2.1.0-R.img', ino 82, new f_pos 0x9b0a8e3find file geneos-polar-2.1.0-R.img on position 0Loading file 'fw\/0\/geneos-polar-2.1.0-R.img' to address 0x83000000 (size 0)\r\nLoading file 'fw\/0\/geneos-polar-2.1.0-R.img' to addr 0x83000000 with size 6546932 (0x0063e5f4)...\r\nDone\r\n## Booting kernel from FIT Image at 83000000 ...\r\n\u00a0\u00a0 Using 'conf@1' configuration\r\n\u00a0\u00a0 Trying 'kernel@1' kernel subimage\r\n\u00a0\u00a0\u00a0\u00a0 Description:\u00a0 Generic initramfs\r\n\u00a0\u00a0\u00a0\u00a0 Type:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Kernel Image\r\n\u00a0\u00a0\u00a0\u00a0 Compression:\u00a0 lzma compressed\r\n\u00a0\u00a0\u00a0\u00a0 Data Start:\u00a0\u00a0 0x83000118\r\n\u00a0\u00a0\u00a0\u00a0 
Data Size:\u00a0\u00a0\u00a0 6535067 Bytes = 6.2 MiB\r\n\u00a0\u00a0\u00a0\u00a0 Architecture: MIPS\r\n\u00a0\u00a0\u00a0\u00a0 OS:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Linux\r\n\u00a0\u00a0\u00a0\u00a0 Load Address: 0x80002000\r\n\u00a0\u00a0\u00a0\u00a0 Entry Point:\u00a0 0x80002000\r\n\u00a0\u00a0\u00a0\u00a0 Hash algo:\u00a0\u00a0\u00a0 sha1\r\n\u00a0\u00a0\u00a0\u00a0 Hash value:\u00a0\u00a0 42bd16e172686233005096bde4abefe44bcf566b\r\n\u00a0\u00a0 Verifying Hash Integrity ... sha1+ OK\r\n## Flattened Device Tree from FIT Image at 83000000\r\n\u00a0\u00a0 Using 'conf@1' configuration\r\n\u00a0\u00a0 Trying 'fdt@1' FDT blob subimage\r\n\u00a0\u00a0\u00a0\u00a0 Description:\u00a0 Genexis Polar FDT blob\r\n\u00a0\u00a0\u00a0\u00a0 Type:\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Flat Device Tree\r\n\u00a0\u00a0\u00a0\u00a0 Compression:\u00a0 uncompressed\r\n\u00a0\u00a0\u00a0\u00a0 Data Start:\u00a0\u00a0 0x8363b9a8\r\n\u00a0\u00a0\u00a0\u00a0 Data Size:\u00a0\u00a0\u00a0 10482 Bytes = 10.2 KiB\r\n\u00a0\u00a0\u00a0\u00a0 Architecture: MIPS\r\n\u00a0\u00a0\u00a0\u00a0 Hash algo:\u00a0\u00a0\u00a0 sha1\r\n\u00a0\u00a0\u00a0\u00a0 Hash value:\u00a0\u00a0 5050dde93e7d83b3c5339da2b8e9cdf227f44658\r\n\u00a0\u00a0 Verifying Hash Integrity ... sha1+ OK\r\n\u00a0\u00a0 Booting using the fdt blob at 0x8363b9a8\r\ndata_blob [0x8363b9a8], gpio [15] \r\nFlash system LED \r\n\u00a0\u00a0 Uncompressing Kernel Image ... 
OK\r\n\r\nStarting kernel ...\r\n\r\n[\u00a0\u00a0\u00a0 0.000000] Linux version 3.10.12 (jenkins@jenkins) (gcc version 4.8.3 (OpenWrt\/Linaro GCC 4.8-2014.04 unknown) ) #2 Tue Dec 1 15:53:05 CET 2015\r\n[\u00a0\u00a0\u00a0 0.000000] SoC: xRX330 rev 1.1\r\n[\u00a0\u00a0\u00a0 0.000000] bootconsole [early0] enabled\r\n[\u00a0\u00a0\u00a0 0.000000] CPU0 revision is: 00019556 (MIPS 34Kc)\r\n[\u00a0\u00a0\u00a0 0.000000] adding memory size:133169152 from DT\r\n[\u00a0\u00a0\u00a0 0.000000] Determined physical RAM map:\r\n[\u00a0\u00a0\u00a0 0.000000]\u00a0 memory: 07f00000 @ 00000000 (usable)\r\n[\u00a0\u00a0\u00a0 0.000000] Initrd not found or empty - disabling initrd\r\n[\u00a0\u00a0\u00a0 0.000000] Zone ranges:\r\n[\u00a0\u00a0\u00a0 0.000000]\u00a0\u00a0 Normal\u00a0\u00a0 [mem 0x00000000-0x07efffff]\r\n[\u00a0\u00a0\u00a0 0.000000] Movable zone start for each node\r\n[\u00a0\u00a0\u00a0 0.000000] Early memory node ranges\r\n[\u00a0\u00a0\u00a0 0.000000]\u00a0\u00a0 node\u00a0\u00a0 0: [mem 0x00000000-0x07efffff]\r\n[\u00a0\u00a0\u00a0 0.000000] Primary instruction cache 32kB, 4-way, VIPT, linesize 32 bytes.\r\n[\u00a0\u00a0\u00a0 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes\r\n[\u00a0\u00a0\u00a0 0.000000] Built 1 zonelists in Zone order, mobility grouping on.\u00a0 Total pages: 32258\r\n[\u00a0\u00a0\u00a0 0.000000] Kernel command line: ubi.mtd=system_sw console=ttyLTQ0,115200 init=\/etc\/preinit bootstrap_ver=\"bootstrap-polar-2.1.0-R\" bootloader_ver=\"bootloader-polar-2.1.0-R\" fw_number=0 \r\n[\u00a0\u00a0\u00a0 0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)\r\n[\u00a0\u00a0\u00a0 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)\r\n[\u00a0\u00a0\u00a0 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)\r\n[\u00a0\u00a0\u00a0 0.000000] Writing ErrCtl register=00004100\r\n[\u00a0\u00a0\u00a0 0.000000] Readback ErrCtl register=00004100\r\n[\u00a0\u00a0\u00a0 0.000000] 
Memory: 118548k\/130048k available (4128k kernel code, 11500k reserved, 1070k data, 4776k init, 0k highmem)\r\n[\u00a0\u00a0\u00a0 0.000000] NR_IRQS:256\r\n[\u00a0\u00a0\u00a0 0.000000] Setting up vectored interrupts\r\n[\u00a0\u00a0\u00a0 0.000000] CPU Clock: 600MHz\r\n[\u00a0\u00a0\u00a0 0.000000] Calibrating delay loop... 397.82 BogoMIPS (lpj=795648)\r\n[\u00a0\u00a0\u00a0 0.032000] pid_max: default: 32768 minimum: 301\r\n[\u00a0\u00a0\u00a0 0.036000] Mount-cache hash table entries: 512\r\n[\u00a0\u00a0\u00a0 0.044000] pinctrl core: initialized pinctrl subsystem\r\n[\u00a0\u00a0\u00a0 0.048000] NET: Registered protocol family 16\r\n[\u00a0\u00a0\u00a0 0.060000] dma-xway 1e104100.dma: Init done - hw rev: 8, ports: 5, channels: 24\r\n[\u00a0\u00a0\u00a0 0.068000] pinctrl-xway 1e100b10.pinmux: Init done\r\n[\u00a0\u00a0\u00a0 0.072000] Init done\r\n[\u00a0\u00a0\u00a0 0.072000] gpio-stp-xway 1e100bb0.stp: Reserved = 0x00000000\r\n[\u00a0\u00a0\u00a0 0.076000] gpio-stp-xway 1e100bb0.stp: edge = 67108864, groups = 3, dsl = 0\r\n[\u00a0\u00a0\u00a0 0.080000] gpio-stp-xway 1e100bb0.stp: phy1 = 0, phy2 = 0, phy3 = 0, phy4 = 0\r\n[\u00a0\u00a0\u00a0 0.084000] gpio-stp-xway 1e100bb0.stp: Init done\r\n[\u00a0\u00a0\u00a0 0.088000] gpio-stp-xway 1e100bb0.stp: AR = 0x00000000\r\n[\u00a0\u00a0\u00a0 0.092000] gpio-stp-xway 1e100bb0.stp: CPU0 = 0x000000ff\r\n[\u00a0\u00a0\u00a0 0.096000] gpio-stp-xway 1e100bb0.stp: CPU1 = 0x00000000\r\n[\u00a0\u00a0\u00a0 0.100000] gpio-stp-xway 1e100bb0.stp: CON0 = 0x84008000\r\n[\u00a0\u00a0\u00a0 0.104000] gpio-stp-xway 1e100bb0.stp: C0N1 = 0x81000003\r\n[\u00a0\u00a0\u00a0 0.108000] !!!!!!! 
WAVE400 system registeration on AHB \r\n[\u00a0\u00a0\u00a0 0.112000] MTLK_MEM_BAR1_START is 1a000000\r\n[\u00a0\u00a0\u00a0 0.116000] MTLK_MEM_BAR1_END is 1a7fffff\r\n[\u00a0\u00a0\u00a0 0.120000] MTLK_WIRELESS_IRQ_IN_INDEX is 26\r\n[\u00a0\u00a0\u00a0 0.124000] dcdc-xrx200 1f106a00.dcdc: Core Voltage : 0 mV\r\n[\u00a0\u00a0\u00a0 0.736000] pcie_wait_phy_link_up port 1 timeout\r\n[\u00a0\u00a0\u00a0 1.248000] pcie_wait_phy_link_up port 1 timeout\r\n[\u00a0\u00a0\u00a0 1.760000] pcie_wait_phy_link_up port 1 timeout\r\n[\u00a0\u00a0\u00a0 1.764000] pcie_rc_initialize port 1 link up failed!!!!!\r\n[\u00a0\u00a0\u00a0 1.768000] Lantiq PCIe Root Complex Driver - 2.0.3\r\n[\u00a0\u00a0\u00a0 1.772000] Copyright(c) 2009 - 2013 LANTIQ DEUTSCHLAND GMBH\r\n[\u00a0\u00a0\u00a0 1.796000] bio: create slab &lt;bio-0&gt; at 0\r\n[\u00a0\u00a0\u00a0 1.800000] SCSI subsystem initialized\r\n[\u00a0\u00a0\u00a0 1.804000] usbcore: registered new interface driver usbfs\r\n[\u00a0\u00a0\u00a0 1.808000] usbcore: registered new interface driver hub\r\n[\u00a0\u00a0\u00a0 1.812000] usbcore: registered new device driver usb\r\n[\u00a0\u00a0\u00a0 1.816000] NET: Registered protocol family 8\r\n[\u00a0\u00a0\u00a0 1.820000] NET: Registered protocol family 20\r\n[\u00a0\u00a0\u00a0 1.824000] Switching to clocksource MIPS\r\n[\u00a0\u00a0\u00a0 1.828000] NET: Registered protocol family 2\r\n[\u00a0\u00a0\u00a0 1.836000] TCP established hash table entries: 1024 (order: 1, 8192 bytes)\r\n[\u00a0\u00a0\u00a0 1.840000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)\r\n[\u00a0\u00a0\u00a0 1.848000] TCP: Hash tables configured (established 1024 bind 1024)\r\n[\u00a0\u00a0\u00a0 1.856000] TCP: reno registered\r\n[\u00a0\u00a0\u00a0 1.856000] UDP hash table entries: 256 (order: 0, 4096 bytes)\r\n[\u00a0\u00a0\u00a0 1.864000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)\r\n[\u00a0\u00a0\u00a0 1.872000] NET: Registered protocol family 1\r\n[\u00a0\u00a0\u00a0 6.348000] gptu: totally 
6 16-bit timers\/counters\r\n[\u00a0\u00a0\u00a0 6.352000] gptu: misc_register on minor 63\r\n[\u00a0\u00a0\u00a0 6.356000] gptu: succeeded to request irq 126\r\n[\u00a0\u00a0\u00a0 6.360000] gptu: succeeded to request irq 127\r\n[\u00a0\u00a0\u00a0 6.364000] gptu: succeeded to request irq 128\r\n[\u00a0\u00a0\u00a0 6.368000] gptu: succeeded to request irq 129\r\n[\u00a0\u00a0\u00a0 6.372000] gptu: succeeded to request irq 130\r\n[\u00a0\u00a0\u00a0 6.376000] gptu: succeeded to request irq 131\r\n[\u00a0\u00a0\u00a0 6.384000] vpe1_mem = 0\r\n[\u00a0\u00a0\u00a0 6.388000] Wired TLB entries for Linux read_c0_wired() = 0\r\n[\u00a0\u00a0\u00a0 6.396000] squashfs: version 4.0 (2009\/01\/31) Phillip Lougher\r\n[\u00a0\u00a0\u00a0 6.400000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.\r\n[\u00a0\u00a0\u00a0 6.412000] msgmni has been set to 231\r\n[\u00a0\u00a0\u00a0 6.416000] io scheduler noop registered\r\n[\u00a0\u00a0\u00a0 6.420000] io scheduler deadline registered (default)\r\n[\u00a0\u00a0\u00a0 6.428000] lantiq,asc 1e100c00.serial: pins are not configured from the driver\r\n[\u00a0\u00a0\u00a0 6.436000] 1e100c00.serial: ttyLTQ0 at MMIO 0x1e100c00 (irq = 112) is a lantiq,asc\r\n[\u00a0\u00a0\u00a0 6.452000] console [ttyLTQ0] enabled, bootconsole disabled\r\n[\u00a0\u00a0\u00a0 6.452000] console [ttyLTQ0] enabled, bootconsole disabled\r\n[\u00a0\u00a0\u00a0 6.464000] loop: module loaded\r\n[\u00a0\u00a0\u00a0 6.472000] NAND device: Manufacturer ID: 0xc8, Chip ID: 0xd1 (Unknown NAND 128MiB 3,3V 8-bit), 128MiB, page size: 2048, OOB size: 64\r\n[\u00a0\u00a0\u00a0 6.480000] Scanning device for bad blocks\r\n[\u00a0\u00a0\u00a0 6.524000] 5 ofpart partitions found on MTD device 14000000.nand-parts\r\n[\u00a0\u00a0\u00a0 6.528000] Creating 5 MTD partitions on \"14000000.nand-parts\":\r\n[\u00a0\u00a0\u00a0 6.536000] 0x000000000000-0x000000080000 : \"bootstrap\"\r\n[\u00a0\u00a0\u00a0 6.544000] 
0x000000080000-0x000000180000 : \"bootloader\"\r\n[\u00a0\u00a0\u00a0 6.548000] 0x000000180000-0x000000200000 : \"reserved_1\"\r\n[\u00a0\u00a0\u00a0 6.552000] 0x000000200000-0x000000280000 : \"reserved_2\"\r\n[\u00a0\u00a0\u00a0 6.560000] 0x000000280000-0x000007f80000 : \"system_sw\"\r\n[\u00a0\u00a0\u00a0 6.568000] IMQ driver loaded successfully. (numdevs = 3, numqueues = 1)\r\n[\u00a0\u00a0\u00a0 6.576000] \u00a0\u00a0 \u00a0Hooking IMQ after NAT on PREROUTING.\r\n[\u00a0\u00a0\u00a0 6.580000] \u00a0\u00a0 \u00a0Hooking IMQ after NAT on POSTROUTING.\r\n[\u00a0\u00a0\u00a0 6.588000] Lantiq VRX318 Version 2.0.0 \r\n[\u00a0\u00a0\u00a0 6.588000] LTQ ETH SWITCH API, Version 2.0.1.\r\n[\u00a0\u00a0\u00a0 6.592000] SWAPI: Registered char device [switch_api] with major no [81]\r\n[\u00a0\u00a0\u00a0 6.600000] Switch API: PCE MicroCode loaded !!\r\n[\u00a0\u00a0\u00a0 6.604000] gphy_driver_init: fw_mode:11G-FW, no of phys:4, mode:0\r\n[\u00a0\u00a0\u00a0 6.612000] PPP generic driver version 2.4.2\r\n[\u00a0\u00a0\u00a0 6.616000] PPP MPPE Compression module registered\r\n[\u00a0\u00a0\u00a0 6.620000] NET: Registered protocol family 24\r\n[\u00a0\u00a0\u00a0 6.624000] res = 87908f00\r\n[\u00a0\u00a0\u00a0 6.628000] wdt 1f8803f0.watchdog: Init done\r\n[\u00a0\u00a0\u00a0 6.632000] leds-gpio gpio-leds.13: pins are not configured from the driver\r\n[\u00a0\u00a0\u00a0 6.644000] Lantiq DEU driver version 2.0.0 \r\n[\u00a0\u00a0\u00a0 6.648000] LTQ DEU DES initialized.\r\n[\u00a0\u00a0\u00a0 6.652000] LTQ DEU AES initialized.\r\n[\u00a0\u00a0\u00a0 6.652000] LTQ DEU ARC4 initialized\r\n[\u00a0\u00a0\u00a0 6.656000] LTQ DEU SHA1 initialized\r\n[\u00a0\u00a0\u00a0 6.660000] LTQ DEU MD5 initialized \r\n[\u00a0\u00a0\u00a0 6.664000] LTQ DEU SHA1_HMAC initialized\r\n[\u00a0\u00a0\u00a0 6.668000] LTQ DEU MD5_HMAC initialized\r\n[\u00a0\u00a0\u00a0 6.672000] DEU driver initialization complete!\r\n[\u00a0\u00a0\u00a0 6.676000] u32 classifier\r\n[\u00a0\u00a0\u00a0 
6.680000]\u00a0\u00a0\u00a0\u00a0 input device check on\r\n[\u00a0\u00a0\u00a0 6.684000]\u00a0\u00a0\u00a0\u00a0 Actions configured\r\n[\u00a0\u00a0\u00a0 6.684000] nf_conntrack version 0.5.0 (1852 buckets, 7408 max)\r\n[\u00a0\u00a0\u00a0 6.692000] xt_time: kernel timezone is -0000\r\n[\u00a0\u00a0\u00a0 6.696000] ipip: IPv4 over IPv4 tunneling driver\r\n[\u00a0\u00a0\u00a0 6.704000] ip_tables: (C) 2000-2006 Netfilter Core Team\r\n[\u00a0\u00a0\u00a0 6.708000] TCP: cubic registered\r\n[\u00a0\u00a0\u00a0 6.708000] Initializing XFRM netlink socket\r\n[\u00a0\u00a0\u00a0 6.712000] NET: Registered protocol family 10\r\n[\u00a0\u00a0\u00a0 6.720000] NET: Registered protocol family 17\r\n[\u00a0\u00a0\u00a0 6.724000] NET: Registered protocol family 15\r\n[\u00a0\u00a0\u00a0 6.728000] Bridge firewalling registered\r\n[\u00a0\u00a0\u00a0 6.732000] Ebtables v2.0 registered\r\n[\u00a0\u00a0\u00a0 6.736000] lec:lane_module_init: lec.c: initialized\r\n[\u00a0\u00a0\u00a0 6.740000] mpoa:atm_mpoa_init: mpc.c: initialized\r\n[\u00a0\u00a0\u00a0 6.744000] KOAM is loaded successfully.\r\n[\u00a0\u00a0\u00a0 6.748000] 8021q: 802.1Q VLAN Support v1.8\r\n[\u00a0\u00a0\u00a0 6.756000] UBI: attaching mtd4 to ubi0#\r\n[\u00a0\u00a0\u00a0 6.968000] UBI: scanning is finished\r\n[\u00a0\u00a0\u00a0 6.984000] UBI: attached mtd4 (name \"system_sw\", size 125 MiB) to ubi0\r\n[\u00a0\u00a0\u00a0 6.992000] UBI: PEB size: 131072 bytes (128 KiB), LEB size: 129024 bytes\r\n[\u00a0\u00a0\u00a0 6.996000] UBI: min.\/max. I\/O unit sizes: 2048\/2048, sub-page size 512\r\n[\u00a0\u00a0\u00a0 7.004000] UBI: VID header offset: 512 (aligned 512), data offset: 2048\r\n[\u00a0\u00a0\u00a0 7.012000] UBI: good PEBs: 1000, bad PEBs: 0, corrupted PEBs: 0\r\n[\u00a0\u00a0\u00a0 7.016000] UBI: user volume: 2, internal volumes: 1, max. 
volumes count: 128\r\n[\u00a0\u00a0\u00a0 7.024000] UBI: max\/mean erase counter: 2\/0, WL threshold: 4096, image sequence number: 768042961\r\n[\u00a0\u00a0\u00a0 7.032000] UBI: available PEBs: 0, total reserved PEBs: 1000, PEBs reserved for bad PEB handling: 20\r\n[\u00a0\u00a0\u00a0 7.044000] UBI: background thread \"ubi_bgt0d\" started, PID 326\r\n[\u00a0\u00a0\u00a0 7.076000] Freeing unused kernel memory: 4776K (80516000 - 809c0000)\r\n[\u00a0\u00a0\u00a0 7.104000] input: gpio-keys-polled.10 as \/devices\/gpio-keys-polled.10\/input\/input0\r\n[\u00a0\u00a0\u00a0 7.116000] usbcore: registered new interface driver usb-storage\r\n[\u00a0\u00a0 11.408000] IFXOS, Version 1.5.92 (c) Copyright 2009, Lantiq Deutschland GmbH\r\n[\u00a0\u00a0 11.416000] ip6_tables: (C) 2000-2006 Netfilter Core Team\r\n[\u00a0\u00a0 11.432000] i2c \/dev entries driver\r\n[\u00a0\u00a0 11.436000] i2c-gpio i2c.14: using pins 211 (SDA) and 209 (SCL)\r\n[\u00a0\u00a0 11.444000] switch_module_init(): Module initializing...\r\n[\u00a0\u00a0 11.448000] read_physical_2_logical_lan_ports_mapping(): lan-ports-mapping &lt;2, 4, 1, 3&gt;\r\n[\u00a0\u00a0 11.456000] switch_module_init(): External PHY present!\r\n[\u00a0\u00a0 11.480000] phy_get_identifier(): PHY identifier: 321\r\n[\u00a0\u00a0 11.484000] External PHY present id = 321\r\n[\u00a0\u00a0 11.508000] switch_module_init(): Module initialized...\r\n[\u00a0\u00a0 11.516000] hidraw: raw HID events driver (C) Jiri Kosina\r\n[\u00a0\u00a0 13.176000] Loading D5 (MII0\/1) driver ...... 
\r\n[\u00a0\u00a0 13.180000] \r\n[\u00a0\u00a0 13.180000] Cannot find wlanm\r\n[\u00a0\u00a0 13.204000] CHIPID: 1, chipid address: 0xbf107344\r\n[\u00a0\u00a0 13.208000] Succeeded!\r\n[\u00a0\u00a0 13.212000] PPE datapath driver info:\r\n[\u00a0\u00a0 13.212000]\u00a0\u00a0 Version ID: 128.3.3.1.0.0.3\r\n[\u00a0\u00a0 13.212000]\u00a0\u00a0 Family\u00a0\u00a0\u00a0 : AR10\r\n[\u00a0\u00a0 13.212000]\u00a0\u00a0 DR Type\u00a0\u00a0 : Normal Data Path | Indirect-Fast Path\r\n[\u00a0\u00a0 13.212000]\u00a0\u00a0 Interface : MII0 | MII1\r\n[\u00a0\u00a0 13.212000]\u00a0\u00a0 Mode\u00a0\u00a0\u00a0\u00a0\u00a0 : Routing\r\n[\u00a0\u00a0 13.212000]\u00a0\u00a0 Release\u00a0\u00a0 : 0.0.3\r\n[\u00a0\u00a0 13.236000] PPE firmware info:\r\n[\u00a0\u00a0 13.236000]\u00a0\u00a0 Version ID: 10.5.2.16.1\r\n[\u00a0\u00a0 13.236000]\u00a0\u00a0 Family\u00a0\u00a0\u00a0 : GRX390\r\n[\u00a0\u00a0 13.236000]\u00a0\u00a0 FW Package: D5\r\n[\u00a0\u00a0 13.236000]\u00a0\u00a0 Release\u00a0\u00a0 : 2.16.1\r\n[\u00a0\u00a0 13.236000] PPE firmware feature:\r\n[\u00a0\u00a0 13.236000]\u00a0\u00a0 Packet Acceleration\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Support\r\n[\u00a0\u00a0 13.236000]\u00a0\u00a0 IPv4\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Support\r\n[\u00a0\u00a0 13.236000]\u00a0\u00a0 IPv6\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Support\r\n[\u00a0\u00a0 13.236000]\u00a0\u00a0 6RD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Support\r\n[\u00a0\u00a0 13.236000]\u00a0\u00a0 
DS-Lite\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Support\r\n[\u00a0\u00a0 13.364000] PPA API --- init successfully\r\n[\u00a0\u00a0 14.956000] UBIFS: mounted UBI device 0, volume 1, name \"data\", R\/O mode\r\n[\u00a0\u00a0 14.960000] UBIFS: LEB size: 129024 bytes (126 KiB), min.\/max. I\/O unit sizes: 2048 bytes\/2048 bytes\r\n[\u00a0\u00a0 14.968000] UBIFS: FS size: 120250368 bytes (114 MiB, 932 LEBs), journal size 9033728 bytes (8 MiB, 71 LEBs)\r\n[\u00a0\u00a0 14.980000] UBIFS: reserved for root: 0 bytes (0 KiB)\r\n[\u00a0\u00a0 14.984000] UBIFS: media format: w4\/r0 (latest is w4\/r0), UUID 648017B7-983B-4FE2-9327-15032C0F2A06, small LPT model\r\n[\u00a0\u00a0 15.676000] gphy-fw gphy-fw.8: proc_write_phy_fw:\u00a0\u00a0 Found:VR9 V1.2 GPHY GE\u00a0 FW \r\n[\u00a0\u00a0 15.688000] gphy-fw gphy-fw.8: booting GPHY0 firmware at 5CE0000 for GRX390\r\n[\u00a0\u00a0 15.692000] gphy-fw gphy-fw.8: booting GPHY1 firmware at 5CE0000 for GRX390\r\n[\u00a0\u00a0 15.700000] gphy-fw gphy-fw.8: booting GPHY2 firmware at 5CE0000 for GRX390\r\n[\u00a0\u00a0 15.708000] gphy-fw gphy-fw.8: booting GPHY3 firmware at 5CE0000 for GRX390\r\n[\u00a0\u00a0 15.712000] ltq_gphy_firmware_config: fw_mode:11G-FW, no of phys:4,data_ptr:5CE0000\r\n[\u00a0\u00a0 19.564000] device eth1 entered promiscuous mode<\/pre>\n<p>From this boot loader\/kernel boot log we can gather many more details about the ONT&#8217;s hardware and its boot chain:<\/p>\n<ul>\n<li>SoC: Lantiq xRX330 rev 1.1 (the U-Boot prompt calls it GRX330, the PPE firmware reports family GRX390)<\/li>\n<li>CPU: MIPS 34Kc @ 600 MHz, 397.82 BogoMIPS<\/li>\n<li>RAM: 128 MiB DDR (clocked at 300 MHz, 16-bit wide); the kernel is handed 127 MiB (0x07f00000 bytes) via the device tree<\/li>\n<li>Flash: 128 MiB NAND (manufacturer ID 0xc8, chip ID 0xd1, unknown to the kernel&#8217;s ID table), 2048-byte pages, 64-byte OOB, no bad blocks<\/li>\n<li>Boot chain: <code>bootstrap-polar-2.1.0-R<\/code> &rarr; <code>bootloader-polar-2.1.0-R<\/code> (U-Boot) &rarr; the FIT image <code>fw\/0\/geneos-polar-2.1.0-R.img<\/code>, read from the UBIFS &#8220;data&#8221; volume and loaded to 0x83000000. U-Boot verifies the sha1 hashes of kernel and FDT; no signature is checked<\/li>\n<li>U-Boot environment: none stored in flash (&#8220;bad CRC or NAND, using default environment&#8221;), so the boot loader runs on its compiled-in defaults, and autoboot can be interrupted within one second<\/li>\n<li>Kernel: Linux 3.10.12, built on Dec 1 2015 with OpenWrt\/Linaro GCC 4.8.3; command line <code>ubi.mtd=system_sw console=ttyLTQ0,115200 init=\/etc\/preinit<\/code><\/li>\n<li>Ethernet: Lantiq switch API with four internal GPHYs (11G firmware) plus an external PHY (ID 321); physical-to-logical LAN port mapping &lt;2, 4, 1, 3&gt;<\/li>\n<li>Wireless: a Lantiq WAVE400 WLAN block registered on the AHB; the PCIe root complex finds no link on port 1<\/li>\n<li>Crypto: Lantiq DEU hardware engine (DES, AES, ARC4, SHA1, MD5 and their HMAC variants)<\/li>\n<\/ul>\n<p>The NAND carries the following five MTD partitions:<\/p>\n<pre>Creating 5 MTD partitions on \"14000000.nand-parts\":\r\n0x000000000000-0x000000080000 : \"bootstrap\"\r\n0x000000080000-0x000000180000 : \"bootloader\"\r\n0x000000180000-0x000000200000 : \"reserved_1\"\r\n0x000000200000-0x000000280000 : \"reserved_2\"\r\n0x000000280000-0x000007f80000 : \"system_sw\"<\/pre>\n<p>One of these partitions is attached as a 
UBI partition:<\/p>\n<pre>UBI: attached mtd4 (name \"system_sw\", size 125 MiB) to ubi0<\/pre>\n<p>Then later one volume is mounted:<\/p>\n<pre>UBIFS: mounted UBI device 0, volume 1, name \"data\", R\/O mode<\/pre>\n<p>There was also the following interesting console output:<\/p>\n<pre>Press the [f] key and hit [enter] to enter failsafe mode\r\nPress the [1], [2], [3] or [4] key and hit [enter] to select the debug level\r\n[...]\r\ngeneos login:<\/pre>\n<p>So you can boot into a &#8220;failsafe&#8221; mode (can we exploit that?!), and you can set the debug level.<\/p>\n<p>At the end there is a login prompt&#8230; But how to get in???<\/p>\n<p>Ok, I tried the &#8220;failsafe&#8221; mode, and look what I got:<\/p>\n<pre>f\r\n- failsafe -\r\n\/etc\/preinit: line 1: telnetd: not found\r\n\r\n\r\nBusyBox v1.22.1 (2015-12-01 15:47:20 CET) built-in shell (ash)\r\nEnter 'help' for a list of built-in commands.\r\n\r\nash: can't access tty; job control turned off\r\n\u00a0 _______\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ________\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 __\r\n\u00a0|\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |.-----.-----.-----.|\u00a0 |\u00a0 |\u00a0 |.----.|\u00a0 |_\r\n\u00a0|\u00a0\u00a0 -\u00a0\u00a0 ||\u00a0 _\u00a0 |\u00a0 -__|\u00a0\u00a0\u00a0\u00a0 ||\u00a0 |\u00a0 |\u00a0 ||\u00a0\u00a0 _||\u00a0\u00a0 _|\r\n\u00a0|_______||\u00a0\u00a0 __|_____|__|__||________||__|\u00a0 |____|\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 |__| W I R E L E S S\u00a0\u00a0 F R E E D O M\r\n\u00a0-----------------------------------------------------\r\n\u00a0BARRIER BREAKER (14.07, unknown)\r\n\u00a0-----------------------------------------------------\r\n\u00a0 * 1\/2 oz Galliano\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Pour all ingredients into\r\n\u00a0 * 4 oz cold Coffee\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 an irish coffee mug filled\r\n\u00a0 * 1 1\/2 oz Dark 
Rum\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 with crushed ice. Stir.\r\n\u00a0 * 2 tsp. Creme de Cacao\r\n\u00a0-----------------------------------------------------\r\nroot@(none):\/#<\/pre>\n<p>This looks very familiar&#8230; \ud83d\ude00<\/p>\n<p>So the firmware is very obviously based on OpenWrt 14.07, codenamed &#8220;Barrier Breaker&#8221; (with a device target of &#8220;lantiq\/generic&#8221;)&#8230; I think I need to write the Genexis guys a nice email, asking for the source code&#8230; \ud83d\ude00<\/p>\n<p>Anyway, let&#8217;s continue:<\/p>\n<pre>root@(none):\/# cat \/etc\/passwd \r\nroot:x:0:0:root:\/root:\/bin\/ash\r\noperator:x:0:0:Operator:\/root:\/usr\/bin\/oxsh\r\nadmin:x:25197:25197:End User:\/var:\/bin\/false\r\ndaemon:x:1:1:daemon:\/var:\/bin\/false\r\nftp:x:55:55:ftp:\/home\/ftp:\/bin\/false\r\nnetwork:x:101:101:network:\/var:\/bin\/false\r\nnobody:x:65534:65534:nobody:\/var:\/bin\/false\r\nroot@(none):\/# cat \/etc\/shadow \r\nroot:!:0:0:99999:7:::\r\noperator:$6$FardvCZyI71$Uxu5a\/76M8LMeaubaNqdGb\/3\/oMn7Dmmj2THQrV6bWaysO2tKACck3kRkEJgeTI8rkMn4xUHDxXAoXC2E7L580:0:0:99999:7:::\r\nadmin:!:0:0:99999:7:::\r\ndaemon:*:0:0:99999:7:::\r\nftp:*:0:0:99999:7:::\r\nnetwork:*:0:0:99999:7:::\r\nnobody:*:0:0:99999:7:::<\/pre>\n<p>Ok, so I have to log in as &#8220;operator&#8221;&#8230; Note that <code>operator<\/code> has UID 0 and GID 0 in <code>\/etc\/passwd<\/code>, so it is root under another name, only with <code>\/usr\/bin\/oxsh<\/code> as a restricted login shell instead of <code>\/bin\/ash<\/code>. <code>root<\/code> and <code>admin<\/code> are locked with <code>!<\/code> in <code>\/etc\/shadow<\/code>, the system accounts have <code>*<\/code>, and <code>operator<\/code> is the only account with a usable password hash (SHA-512 crypt, <code>$6$<\/code>). What if I change the password for that user, and try to boot into multi-user mode?<\/p>\n<p>Duh, that didn&#8217;t work out&#8230; Could change the password, but not continue to boot into multi-user mode&#8230; When I rebooted the router the password I chose didn&#8217;t work&#8230; That is what one would expect if the failsafe shell runs from the initramfs embedded in the kernel image (the FIT image describes its kernel as a &#8220;Generic initramfs&#8221;): the edited <code>\/etc\/shadow<\/code> lives only in RAM, and the persistent state is on the UBIFS volume, not in the initramfs.<\/p>\n<p>But wait, often it&#8217;s &#8220;admin&#8221; as the login, and &#8220;admin&#8221; as the password&#8230; Now the login is &#8220;operator&#8221;, so why not try &#8220;operator&#8221; as the password:<\/p>\n<pre>geneos login: operator\r\nPassword: \r\nGenexis Operating System (GeneOS)\r\nCopyright (c) 2014-2015 Genexis B.V. 
All rights reserved.\r\nGeneOS version: geneos-polar-2.1.0-R\r\ngeneos#<\/pre>\n<p>Oh joy, I did it!!! \ud83d\ude00<\/p>\n<p>Naive as I am I expected to have a full-blown OpenWrt&#8230; But not so&#8230; Not even &#8220;help&#8221; worked&#8230; But pressing &#8220;?&#8221; <em>did<\/em> work&#8230; \ud83d\ude42<\/p>\n<pre>geneos# \r\n\u00a0 configure\u00a0\u00a0 Enter configuration mode\r\n\u00a0 copy\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Copy from one file to another\r\n\u00a0 ping\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Send ICMP echo requests\r\n\u00a0 quit\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Exit shell\r\n\u00a0 reload\u00a0\u00a0\u00a0\u00a0\u00a0 Reload system\r\n\u00a0 show\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Show running system information\r\n\u00a0 write\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Write running configuration<\/pre>\n<p>Wait&#8230; This somehow looks familiar&#8230; Like Cisco&#8217;s IOS?!<\/p>\n<pre>geneos# show &lt;press \"?\"&gt;\r\n\u00a0 clock\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Show system clock\r\n\u00a0 cwmp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Show CWMP information\r\n\u00a0 dhcp\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 DHCP information\r\n\u00a0 history\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Show command line history\r\n\u00a0 interface\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Interface information\r\n\u00a0 logging\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Log messages\r\n\u00a0 running-config\u00a0 Show running configuration\r\n\u00a0 tech-support\u00a0\u00a0\u00a0 Show information for Technical Support\r\n\u00a0 version\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Show version info<\/pre>\n<p>Yes, that&#8217;s right. 
So it should be fairly easy to fiddle with this thing&#8230; \ud83d\ude42<\/p>\n<p>Let&#8217;s first try to bring the Ethernet interfaces up, which are administratively down by default:<\/p>\n<pre>geneos# conf term\r\ngeneos(config)#\r\ngeneos(config)# interface lan\/ethernet1\r\ngeneos(config-if-lan-eth)# no shutdown\r\ngeneos(config-if-lan-eth)# exit\r\ngeneos(config)# interface lan\/ethernet2\r\ngeneos(config-if-lan-eth)# no shutdown\r\ngeneos(config-if-lan-eth)# exit\r\ngeneos(config)# interface lan\/ethernet3\r\ngeneos(config-if-lan-eth)# no shutdown\r\ngeneos(config-if-lan-eth)# exit\r\ngeneos(config)# interface lan\/ethernet4\r\ngeneos(config-if-lan-eth)# no shutdown\r\ngeneos(config-if-lan-eth)# exit<\/pre>\n<p>Ok, now let&#8217;s connect a LAN cable from my laptop&#8230; Ok, that looks great:<\/p>\n<figure id=\"attachment_980\" aria-describedby=\"caption-attachment-980\" style=\"width: 670px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/IMG_0678.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-980\" src=\"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/IMG_0678.jpg\" alt=\"Port is now up, &quot;link&quot; LED is lit.\" width=\"670\" height=\"414\" srcset=\"https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/IMG_0678.jpg 670w, https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/IMG_0678-150x93.jpg 150w, https:\/\/bergs.biz\/blog\/wp-content\/uploads\/2016\/03\/IMG_0678-300x185.jpg 300w\" sizes=\"auto, (max-width: 670px) 100vw, 670px\" \/><\/a><figcaption id=\"caption-attachment-980\" class=\"wp-caption-text\">Port is now up, &#8220;link&#8221; LED is lit.<\/figcaption><\/figure>\n<p>From the default config options I can figure out that the WAN interface acts as a DHCP client. 
So my guess that they do port-based security seems to be true&#8230;\u00a0 As I have a dedicated fiber into the PoP this is not a security risk&#8230; Someone would have to physically connect their fiber to my fiber that comes from the PoP in order to impersonate me&#8230; Doesn&#8217;t sound very easy&#8230;<\/p>\n<p>Let&#8217;s continue&#8230;<\/p>\n<pre>geneos# show tech-support\r\n--------------- show logging level debugging ---------------\r\n[...]\r\nDec\u00a0 1 14:50:32 geneos local1.info mgmt-agent[871]: usp.product.prodname = 'FiberTwist-P2410', length = 16\r\n[...]\r\nDec\u00a0 1 14:50:32 geneos local1.info mgmt-agent[871]: [truncated] usp.dropbear.rsakey = 'AAAAB3NzaC1yc2EAAAA...<\/pre>\n<p>Duh&#8230; <em>This<\/em> I don&#8217;t like&#8230; So they can remotely log into my router?! Boooo!!!<\/p>\n<p>Ok, maybe modifying the boot image brings us further&#8230; But how to extract it??? Let&#8217;s boot into failsafe mode again&#8230; After a while of playing around I figured out how to do it:<\/p>\n<pre>## Load the firmware into the VR9 GPHYs so the Ethernet ports come up in failsafe mode\r\n# unlzma -c \/etc\/gphy\/gphy_firmware.img.lzma &gt; \/proc\/driver\/ltq_gphy\/phyfirmware\r\n# cd \/lib\/modules\/3.10.12\/\r\n# modprobe ltqmips_ppe_drv.ko\r\n# ifconfig eth0 192.168.2.43\r\n## Mount the UBIFS \"data\" volume (ubi0, volume 1) that holds the firmware image\r\n# mount -t ubifs \/dev\/ubi0_1 \/mnt\/\r\n# cd \/mnt\/fw\/0\r\n# md5sum -b geneos-polar-2.1.0-R.img\r\n## On the remote side (your PC, 192.168.2.10 here): netcat -l 9999 &gt;geneos-polar-2.1.0-R.img\r\n# cat geneos-polar-2.1.0-R.img | nc 192.168.2.10 9999\r\n## On the remote side, check that the md5sum matches the one printed on the device\r\n# md5sum -b geneos-polar-2.1.0-R.img<\/pre>\n<p>Ok, now we have a copy of the &#8220;Polar&#8221; (which is the platform name) boot image. From the boot log we can tell this is a &#8220;FIT Image.&#8221; But what is that? It&#8217;s the &#8220;<a href=\"http:\/\/www.xilinx.com\/video\/soc\/uboot-fit-images.html\" target=\"_blank\">Flattened Image Tree<\/a>&#8221; for the U-Boot boot loader. 
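Before reaching for the tools, it helps to see what a FIT actually is and what the boot log's "Verifying Hash Integrity ... sha1+ OK" line checks. The block below is an added example, not code from this post or from Genexis: it builds a small FIT with the same node layout the log shows (kernel@1, fdt@1, conf@1), parses it back and verifies each image's sha1 sub-node the way U-Boot does. The node and property names follow U-Boot's FIT layout; the kernel and FDT payload bytes, the description strings and the is_signed helper are constructed for the demo. The point to take away is a security one: a hash node is an integrity check, not an authentication step. Once the kernel bytes are swapped and the sha1 value recomputed, verification passes again, so the check protects against flash corruption but not against anyone who can write the NAND, which is exactly what a U-Boot prompt on the serial header allows. Only a signature node in the configuration, verified against a public key compiled into U-Boot, would close that gap, and the mkimage listing further down shows none.

```python
"""Minimal FIT (U-Boot Flattened Image Tree) writer and verifier.  Added example:
node/property names follow U-Boot's FIT layout, all payload bytes are constructed."""
import hashlib
import struct

FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 4)


def build_fdt(tree: dict) -> bytes:
    """Serialise {name: {prop: bytes, child: {...}}} into a DTB blob."""
    strings, body = bytearray(), bytearray()

    def emit(name: str, node: dict) -> None:
        body.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for key, val in node.items():                 # properties first, then child nodes
            if not isinstance(val, dict):
                body.extend(struct.pack(">III", FDT_PROP, len(val), len(strings)) + _pad4(val))
                strings.extend(key.encode() + b"\0")
        for key, val in node.items():
            if isinstance(val, dict):
                emit(key, val)
        body.extend(struct.pack(">I", FDT_END_NODE))

    emit("", tree)
    body.extend(struct.pack(">I", FDT_END))
    off_struct, rsvmap = 56, struct.pack(">QQ", 0, 0)  # 40-byte header + empty reservation map
    off_strings = off_struct + len(body)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(body))
    return header + rsvmap + bytes(body) + bytes(strings)


def parse_fdt(blob: bytes) -> dict:
    """Parse a DTB blob back into nested dicts (property values are bytes)."""
    hdr = struct.unpack_from(">10I", blob)
    if hdr[0] != FDT_MAGIC or hdr[1] > len(blob):
        raise ValueError("not a flattened device tree")
    pos, off_strings, end = hdr[2], hdr[3], hdr[2] + hdr[9]
    cstr = lambda off: blob[off:blob.index(b"\0", off)].decode()
    stack = [{}]
    while pos < end:
        tok = struct.unpack_from(">I", blob, pos)[0]
        pos += 4
        if tok == FDT_BEGIN_NODE:
            name = cstr(pos)
            pos += (len(name) + 4) & ~3               # name + NUL, padded to 4 bytes
            stack[-1][name] = node = {}
            stack.append(node)
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack_from(">II", blob, pos)
            stack[-1][cstr(off_strings + nameoff)] = blob[pos + 8:pos + 8 + length]
            pos += 8 + ((length + 3) & ~3)
        elif tok == FDT_END_NODE:
            stack.pop()
        elif tok == FDT_END:
            break
        elif tok != FDT_NOP:
            raise ValueError(f"bad FDT token {tok:#x} at {pos - 4:#x}")
    return stack[0][""]


def verify_fit(blob: bytes) -> dict:
    """{image name: True if its hash sub-node matches its data}; this is what 'sha1+ OK' means."""
    result = {}
    for name, node in parse_fdt(blob)["images"].items():
        result[name] = False
        for sub in node.values():
            if isinstance(sub, dict) and "algo" in sub:
                algo = sub["algo"].rstrip(b"\0").decode()
                result[name] = hashlib.new(algo, node["data"]).digest() == sub["value"]
    return result


def is_signed(blob: bytes) -> bool:
    """True only if a configuration has a signature@* sub-node (RSA check against a key in U-Boot)."""
    confs = parse_fdt(blob).get("configurations", {})
    return any(isinstance(c, dict) and any(k.startswith("signature") for k in c) for c in confs.values())


def make_sample_fit(kernel: bytes) -> bytes:
    """Constructed mini FIT with the node layout the boot log shows (kernel@1, fdt@1, conf@1)."""
    def image(desc: bytes, typ: bytes, comp: bytes, data: bytes) -> dict:
        return {"description": desc, "type": typ, "arch": b"mips\0", "compression": comp,
                "data": data, "hash@1": {"algo": b"sha1\0", "value": hashlib.sha1(data).digest()}}
    dtb = b"\xd0\x0d\xfe\xed" + b"\0" * 12            # stand-in FDT payload (constructed)
    return build_fdt({
        "description": b"Image tree for Polar platform products.\0",
        "images": {"kernel@1": image(b"Generic initramfs\0", b"kernel\0", b"lzma\0", kernel),
                   "fdt@1": image(b"Genexis Polar FDT blob\0", b"flat_dt\0", b"none\0", dtb)},
        "configurations": {"default": b"conf@1\0",
                           "conf@1": {"kernel": b"kernel@1\0", "fdt": b"fdt@1\0"}}})


def tamper_and_rehash(blob: bytes, new_kernel: bytes) -> bytes:
    """What anyone with NAND write access can do: swap the kernel and fix up its hash."""
    fit = parse_fdt(blob)
    fit["images"]["kernel@1"]["data"] = new_kernel
    fit["images"]["kernel@1"]["hash@1"]["value"] = hashlib.sha1(new_kernel).digest()
    return build_fdt(fit)
```

The sequence to try is make_sample_fit, verify_fit, then tamper_and_rehash followed by verify_fit again: the second verification reports True for the replaced kernel just as the first did. Because a FIT is nothing but a DTB, parse_fdt and verify_fit should also accept the real geneos-polar-2.1.0-R.img read from disk (assuming it is the unmodified file the boot log describes) and report both images as hash-valid and the whole image as unsigned.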
There&#8217;s a <code>dumpimage<\/code> tool available to unpack these images, so let&#8217;s play with it&#8230;<\/p>\n<pre>$ mkimage -l geneos-polar-2.1.0-R.img \r\nFIT description: Image tree for Polar platform products.\r\nCreated: Tue Dec 1 15:53:16 2015\r\n Image 0 (kernel@1)\r\n Description: Generic initramfs\r\n Created: Tue Dec 1 15:53:16 2015\r\n Type: Kernel Image\r\n Compression: lzma compressed\r\n Data Size: 6535067 Bytes = 6381.90 kB = 6.23 MB\r\n Architecture: MIPS\r\n OS: Linux\r\n Load Address: 0x80002000\r\n Entry Point: 0x80002000\r\n Hash algo: sha1\r\n Hash value: 42bd16e172686233005096bde4abefe44bcf566b\r\n Image 1 (fdt@1)\r\n Description: Genexis Polar FDT blob\r\n Created: Tue Dec 1 15:53:16 2015\r\n Type: Flat Device Tree\r\n Compression: uncompressed\r\n Data Size: 10482 Bytes = 10.24 kB = 0.01 MB\r\n Architecture: MIPS\r\n Hash algo: sha1\r\n Hash value: 5050dde93e7d83b3c5339da2b8e9cdf227f44658\r\n Default Configuration: 'conf@1'\r\n Configuration 0 (conf@1)\r\n Description: Configuration for all Polar variants\r\n Kernel: kernel@1\r\n FDT: fdt@1<\/pre>\n<p>So there are two images in it, plus a common config. Let&#8217;s extract the images&#8230; To do so you must build the U-Boot tools:<\/p>\n<pre>git clone git:\/\/git.denx.de\/u-boot.git\r\ncd u-boot\r\nmake O=sandbox sandbox_config\r\nmake O=sandbox<\/pre>\n<p>Then you have the tool we need in <code>sandbox\/tools\/dumpimage<\/code>.<\/p>\n<p>To extract the two images from the FIT image do the following:<\/p>\n<pre>dumpimage -i geneos-polar-2.1.0-R.img -T flat_dt -p 0 kernel.initramfs.lzma\r\ndumpimage -i geneos-polar-2.1.0-R.img -T flat_dt -p 1 fdt.img<\/pre>\n<p>At this point I&#8217;m stuck. I can un-lzma the initramfs file, but I cannot find out how to unpack the resulting file. Any idea?<\/p>\n<p>As with the FIT image, I transferred the <code>config.db<\/code> file from <code>\/mnt\/config\/<\/code>. 
This is a SQLite3 file that can easily be viewed and edited.<\/p>\n<p>Now back to the boot loader. The boot loader seems to be U-Boot. If you&#8217;re quick and press any key within a second you can interrupt auto boot, and you will be in the boot loader&#8217;s command line:<\/p>\n<pre>GRX330 # \r\nGRX330 # help\r\n?\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 - alias for 'help'\r\nbase\u00a0\u00a0\u00a0 - print or set address offset\r\nbootm\u00a0\u00a0 - boot application image from memory\r\nbootp\u00a0\u00a0 - boot image via network using BOOTP\/TFTP protocol\r\nchpart\u00a0 - change active partition\r\ncmp\u00a0\u00a0\u00a0\u00a0 - memory compare\r\ncp\u00a0\u00a0\u00a0\u00a0\u00a0 - memory copy\r\ncrc32\u00a0\u00a0 - checksum calculation\r\necho\u00a0\u00a0\u00a0 - echo args to console\r\nfdt\u00a0\u00a0\u00a0\u00a0 - flattened device tree utility commands\r\ngo\u00a0\u00a0\u00a0\u00a0\u00a0 - start application at address 'addr'\r\nhelp\u00a0\u00a0\u00a0 - print command description\/usage\r\nloadb\u00a0\u00a0 - load binary file over serial line (kermit mode)\r\nloady\u00a0\u00a0 - load binary file over serial line (ymodem mode)\r\nloop\u00a0\u00a0\u00a0 - infinite loop on address range\r\nmd\u00a0\u00a0\u00a0\u00a0\u00a0 - memory display\r\nmm\u00a0\u00a0\u00a0\u00a0\u00a0 - memory modify (auto-incrementing address)\r\nmtdparts- define flash\/nand partitions\r\nmtest\u00a0\u00a0 - simple RAM read\/write test\r\nmw\u00a0\u00a0\u00a0\u00a0\u00a0 - memory write (fill)\r\nnand\u00a0\u00a0\u00a0 - NAND sub-system\r\nnboot\u00a0\u00a0 - boot from NAND device\r\nnm\u00a0\u00a0\u00a0\u00a0\u00a0 - memory modify (constant address)\r\nping\u00a0\u00a0\u00a0 - send ICMP ECHO_REQUEST to network host\r\nprintenv- print environment variables\r\nrarpboot- boot image via network using RARP\/TFTP protocol\r\nreset\u00a0\u00a0 - Perform RESET of the CPU\r\nrun\u00a0\u00a0\u00a0\u00a0 - run commands in an environment variable\r\nsetenv\u00a0 - set environment variables\r\ntftpboot- 
boot image via network using TFTP protocol\r\nubi\u00a0\u00a0\u00a0\u00a0 - ubi commands\r\nubifs_genload- load file from an UBIFS filesystem\r\nubifsload- load file from an UBIFS filesystem\r\nubifsls - list files in a directory\r\nubifsmount- mount UBIFS volume\r\nupgrade - upgrade - forward\/backward copy memory to pre-defined flash location\r\nversion - print monitor version\r\nGRX330 #<\/pre>\n<p>I think it would be nice to create an image of the current system on an NFS server, modify it, and boot from there&#8230; This way I can&#8217;t brick the device, and still play with it&#8230; \ud83d\ude42<\/p>\n<p>For reference purposes here&#8217;s the output of <code>printenv<\/code>:<\/p>\n<pre>GRX330 # printenv\r\nbootcmd=run flash_flash\r\nbootdelay=1\r\nbaudrate=115200\r\npreboot=echo;echo Type \\\"run flash_nfs\\\" to mount root filesystem over NFS;echo\r\nbootfile=\"uImage\"\r\nmem=118M\r\nphym=128M\r\nwlanm=119M\r\nipaddr=192.168.1.1\r\nserverip=192.168.1.2\r\nethaddr=00:E0:92:XX:XX:XX\r\nnetdev=eth0\r\nconsole=ttyLTQ0\r\ntftppath=\r\nloadaddr=0x83000000\r\nrootpath=\/mnt\/full_fs\r\nrootfsmtd=\/dev\/mtdblock3\r\nnfsargs= setenv bootargs ubi.mtd=system_sw root=\/dev\/nfs rw nfsroot=$(serverip):$(rootpath)\r\nramargs=setenv bootargs root=\/dev\/ram rw\r\naddip=setenv bootargs $(bootargs) ip=$(ipaddr):$(serverip):$(gatewayip):$(netmask):$(hostname):$(netdev):on\r\nflash_nfs=run nfsargs addip addmisc;bootm $(kernel_addr)\r\nnet_nfs=tftp $(loadaddr) $(tftppath)$(bootfile);run nfsargs addip addmisc;bootm\r\nnet_flash=tftp $(loadaddr) $(tftppath)$(bootfile); run flashargs addip addmisc; bootm\r\nnet_ram=tftp $(loadaddr) $(tftppath)$(bootfile); run ramargs addip addmisc; bootm\r\nu-boot=u-boot.ltq\r\nrootfs=rootfs.img\r\nfirmware=firmware.img\r\nfullimage=fullimage.img\r\ntotalimage=totalimage.img\r\nload=tftp $(loadaddr) $(u-boot)\r\nupdate=protect off 1:0-2;era 1:0-2;cp.b $(loadaddr) B0000000 $(filesize)\r\nflashargs=setenv bootargs 
ubi.mtd=system_sw\r\nflash_flash=run flashargs addmisc;ubi part system_sw;ubifsmount data;setenv bootargs $(bootargs) fw_number=0;ubifs_genload $(loadaddr) fw\/0\/;bootm $(loadaddr);setenv bootargs $(bootargs) fw_number=1;ubifs_genload $(loadaddr) fw\/1\/;bootm $(loadaddr)\r\nupdate_nandboot=tftp $(loadaddr) $(tftppath)u-boot-nand.bin;nand erase 0 17FFFF;nand erase 1C0000 31FFFFF;nand write.partial $(loadaddr) 0 $(filesize)\r\nubi_init=setenv kernelA_id 0;setenv rootfsA_id 1;setenv firmwareA_id 2;setenv kernelB_id 3;setenv rootfsB_id 4;setenv firmwareB_id 5;setenv setbank check_image$(update_chk);run $(setbank);ubi part system_sw\r\nupdate_chk=0\r\nswitchbankA=setenv active_bank A;setenv kernel_id $(kernelA_id);setenv rootfs_id $(rootfsA_id);setenv f_kernel_size f_kernel_sizeA;setenv kernel_vol kernelA;setenv rootfs_vol rootfsA;setenv firmware_vol firmwareA;setenv rootfsname rootfsA\r\nswitchbankB=setenv active_bank B;setenv kernel_id $(kernelB_id);setenv rootfs_id $(rootfsB_id);setenv f_kernel_size f_kernel_sizeB;setenv kernel_vol kernelB;setenv rootfs_vol rootfsB;setenv firmware_vol firmwareB;setenv rootfsname rootfsB\r\ncheck_image0=run switchbankA\r\ncheck_image1=run switchbankB;setenv update_chk 0;save\r\ncheck_image2=run switchbankB\r\ncheck_image3=run switchbankA;setenv update_chk 2;save\r\nupdate_uboot=tftp $(loadaddr) $(tftppath)$(u-boot); nand write.partial $(loadaddr) 0x4000 $(filesize);reset\r\nupdate_kernel=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(bootfile);run switchbankB;upgrade $(loadaddr) $(filesize);run switchbankA;set update_chk 0;upgrade $(loadaddr) $(filesize)\r\nupdate_bootloader=update_uboot\r\nupdate_rootfs=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(rootfs);run switchbankB;upgrade $(loadaddr) $(filesize);run switchbankA;set update_chk 0;upgrade $(loadaddr) $(filesize)\r\nupdate_firmware=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(firmware);run switchbankB;upgrade $(loadaddr) $(filesize);run switchbankA;set update_chk 0;upgrade 
$(loadaddr) $(filesize)\r\nupdate_fullimage=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(fullimage);run switchbankB;upgrade $(loadaddr) $(filesize);run switchbankA;set update_chk 0;upgrade $(loadaddr) $(filesize)\r\nupdate_totalimage=run ubi_init;tftpboot $(loadaddr) $(tftppath)$(totalimage);upgrade $(loadaddr) $(filesize)\r\nreset_uboot_config=nand erase $(f_ubootconfig_addr) $(f_ubootconfig_range)\r\nreset_ddr_config=nand write.partial 80400000 $(f_ddrconfig_addr) $(f_ddrconfig_size)\r\nreset_sysconfig=run ubi_init;ubi remove sysconfig;ubi remove sysconfigA;ubi remove sysconfigB\r\nmtdparts=mtdparts=ifx_nand:512k(bootstrap),1m(bootloader),512k(reserved_1),512k(reserved_2),125m(system_sw),-(bbt)\r\npart0_begin=0x00000000\r\npart1_begin=0x00040000\r\npart2_begin=0x000C0000\r\npart3_begin=0x002C0000\r\npart4_begin=0x07000000\r\npart5_begin=0x07040000\r\npart6_begin=0x07080000\r\ntotal_part=7\r\nflash_end=0x07FFFFFF\r\ndata_block0=uboot\r\ndata_block1=firmware\r\ndata_block2=kernel\r\ndata_block3=rootfs\r\ndata_block4=sysconfig\r\ndata_block5=ubootconfig\r\ndata_block6=dectconfig\r\ntotal_db=7\r\nf_uboot_addr=0x00000000\r\nf_uboot_size=0\r\nf_ubootconfig_addr=0x100000\r\nf_ubootconfig_size=0x4000\r\nf_ubootconfig_end=0x07040FFF\r\nf_ubootconfig_range=0x80000\r\nf_gphy_firmware_addr=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_START_ADDR\r\nf_gphy_firmware_size=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_SIZE\r\nf_gphy_firmware_end=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_END_ADDR\r\nf_kernel_addr=0x000C0000\r\nf_kernel_size=0\r\nf_kernel_end=IFX_CFG_FLASH_KERNEL_IMAGE_END_ADDR\r\nf_rootfs_addr=0x002C0000\r\nf_rootfs_size=0\r\nf_rootfs_end=IFX_CFG_FLASH_ROOTFS_IMAGE_END_ADDR\r\nf_firmware_addr=0x00040000\r\nf_firmware_size=0\r\nf_fwdiag_addr=IFX_CFG_FLASH_FIRMWARE_DIAG_START_ADDR\r\nf_fwdiag_size=IFX_CFG_FLASH_FIRMWARE_DIAG_SIZE\r\nf_sysconfig_addr=0x07000000\r\nf_sysconfig_size=0x10000\r\nf_dectconfig_addr=0x07080000\r\nf_dectconfig_size=0x400\r\nf_wlanconfig_addr= 
IFX_CFG_FLASH_WLAN_CFG_START_ADDR\r\nf_wlanconfig_size=IFX_CFG_FLASH_WLAN_CFG_SIZE\r\nf_ddrconfig_addr=0x00003fe0\r\nf_ddrconfig_size=32\r\nf_ddrconfig_end=0x00003fff\r\nstdin=serial\r\nstdout=serial\r\nstderr=serial\r\nver=U-Boot-2010.06-LANTIQ-v-2.3.08\r\nethact=ar10 Switch\r\naddmisc=setenv bootargs $(bootargs) console=$(console),$(baudrate) init=\/etc\/preinit\u00a0 bootstrap_ver=\"bootstrap-polar-2.1.0-R\" bootloader_ver=\"bootloader-polar-2.1.0-R\"\r\nmtdids=nand0=ifx_nand\r\npartition=nand0,0\r\nmtddevnum=0\r\nmtddevname=bootstrap\r\n\r\nEnvironment size: 5407\/16380 bytes<\/pre>\n<p>BTW, there&#8217;s also JP2 with 10 pads, which looks like it could be two USB ports (4 each plus a spare each?). This guess is backed by the fact that the onboard Linux has USB support&#8230; \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Hacking&#8221; the Genexis FiberTwist-P2410 &#8212; for now that just means watching it boot on the serial console, but maybe this is just the first step in accomplishing 
more?!<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58,122],"tags":[224,151,226,222],"class_list":["post-964","post","type-post","status-publish","format-standard","hentry","category-communications","category-english","tag-fiber","tag-glasfaser","tag-hacking","tag-ont"],"_links":{"self":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/comments?post=964"}],"version-history":[{"count":21,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/964\/revisions"}],"predecessor-version":[{"id":989,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/posts\/964\/revisions\/989"}],"wp:attachment":[{"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/media?parent=964"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/categories?post=964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bergs.biz\/blog\/wp-json\/wp\/v2\/tags?post=964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}