Sagem F@ST1201S CFE Bootloader (III)

Connect the RS232-to-TTL adapter and open minicom in a terminal.
As soon as the router is powered on, the banner of Broadcom's CFE (Common Firmware Environment) bootloader appears.


The bootloader version is 3.9Sla and the boot address is 0xbfc00000.


Sagem CFE version: 3.9Sla                                                  

Broadcom version 1.0.37-6.4 for BCM96338 (32bit,SP,BE)

Build Date: Mon Sep 25 18:39:15 CST 2006 (yangj@svr1.sagemharbournetworks.com)

Copyright (C) 2005-2006 Sagem communication.

Boot Address 0xbfc00000


Press any key to interrupt the boot and enter the bootloader menu.


*** Press any key to stop auto run (1 seconds) ***

web info: Waiting for connection on socket 0.

1

Sagem CLI> 


To list the available commands, type "help".


Sagem CLI> help
Available commands:

d                   Display the content of PSI or Backup, CFE version
w                   Write the whole image start from beginning of the flash
e                   Erase [t]backup [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] flag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash 
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
Sagem CLI> 

Option "d" displays information about the stored contents.


Sagem CLI> d
d[isplay] the content of [p]SI or [b]ackup or the [v]ersion of cfe.  
*** command status = 0
Sagem CLI> 

Option "d p" displays the PSI contents in XML format.
Note the user name "admin" and the encoded password, which are the credentials used by the HTML configuration interface reached at 192.168.0.1.


Sagem CLI> d p
getShareBlks: i=34, sect_size=65536, end_blk=35
PSI content:

<psitree>
<SystemInfo>
<protocol autoScan="enable" igmpSnp ="disable" igmpMode ="disable" macFilterPolicy="forward" encodePassword="enable" enblUsbM2u="disable" >
<sysLog state="enable" displayLevel="ERR" logLevel="DEBUG" option="local" serverIP="0.0.0.0" serverPort="514"/>
<sysUserName value="admin"/>
<sysPassword value="YWRtaW4="/>
<sptPassword value="c3VwcG9ydA=="/>
<usrPassword value="dXNlcg=="/>
<GUIId value="1"/>
<CountryId value="0"/>
<ConfigId value="F@ST1201S_UNI2_1"/>
</SystemInfo>
<AtmCfg>
<initCfg structureId="2" threadPriority="25" freeCellQSize="10" freePktQSize="200" freePktQBufSize="1600" freePktQBufOffset="32" rxCellQSi>
</AtmCfg>
<AtmCfgTd>
<td1 cat="UBR" PCR="0" SCR="0" MBS="0"/>
</AtmCfgTd>
<AtmCfgVcc>
<vccId9999 vpi="0" vci="65534" tdId="0" aalType="AAL2" adminStatus="down" encap="unknown" qos="disable" instanceId="1509949441"/>
<vccId1 vpi="8" vci="35" tdId="1" aalType="AAL5" adminStatus="up" encap="vcMuxRouted" qos="disable" instanceId="1509949441"/>
</AtmCfgVcc>
<SecCfg>
<srvCtrlList ftp="lan" http="lan" icmp="lan" ssh="lan" telnet="lan" tftp="disable"/>
</SecCfg>
<Lan>
<entry9999 address="1.1.1.1" mask="255.255.255.0" dhcpServer="disable" leasedTime="0" startAddr="0.0.0.0" endAddr="0.0.0.0" instanceId="15>
<entry1 address="192.168.0.1" mask="255.255.255.0" dhcpServer="enable" leasedTime="24" startAddr="192.168.0.128" endAddr="192.168.0.254" i>
</Lan>
<pppsrv_8_35>
<ppp_conId1 userName="" password="" serviceName="" idleTimeout="0" ipExt="disable" auth="auto" useStaticIpAddr="0" localIpAddr="0.0.0.0" p>
</pppsrv_8_35>
<wan_8_35>
<entry1 vccId="1" conId="1" name="pppoe_8_35_1" protocol="PPPOE" encap="LLC" firewall="enable" nat="enable" igmp="disable" vlanId="-1" ser>
</wan_8_35>
<ADSL/>
<RouteCfg>
</RouteCfg>
<EngDbgCfg/>
</psitree>

*** command status = 0
Sagem CLI>

Option "d b" displays the contents of the backup copy in XML format.


Sagem CLI> d b
getShareBlks: i=34, sect_size=65536, end_blk=35
Backup content:

<psitree>
<ADSL/>
<AtmCfg>
<initCfg structureId="2" threadPriority="25" freeCellQSize="10" freePktQSize="200" freePktQBufSize="1600" freePktQBufOffset="32" rxCellQSi>
</AtmCfg>
<AtmCfgTd>
<td1 cat="UBR" PCR="0" SCR="0" MBS="0"/>
</AtmCfgTd>
<AtmCfgVcc>
<vccId9999 vpi="0" vci="65534" tdId="0" aalType="AAL2" adminStatus="down" encap="unknown" qos="disable" instanceId="1509949441"/>
<vccId1 vpi="8" vci="35" tdId="1" aalType="AAL5" adminStatus="up" encap="vcMuxRouted" qos="disable" instanceId="1509949441"/>
</AtmCfgVcc>
<SecCfg>
<srvCtrlList ftp="lan" http="lan" icmp="lan" ssh="lan" telnet="lan" tftp="disable"/>
</SecCfg>
<Lan>
<entry9999 address="1.1.1.1" mask="255.255.255.0" dhcpServer="disable" leasedTime="0" startAddr="0.0.0.0" endAddr="0.0.0.0" instanceId="15>
<entry1 address="192.168.0.1" mask="255.255.255.0" dhcpServer="enable" leasedTime="24" startAddr="192.168.0.128" endAddr="192.168.0.254" i>
</Lan>
<SystemInfo>
<sysLog state="enable" displayLevel="ERR" logLevel="DEBUG" option="local" serverIP="0.0.0.0" serverPort="514"/>
<protocol autoScan="enable" igmpSnp ="disable" igmpMode ="disable" macFilterPolicy="forward" encodePassword="enable" enblUsbM2u="disable" >
<sysUserName value="admin"/>
<sysPassword value=""/>
<sptPassword value="c3VwcG9ydA=="/>
<usrPassword value="dXNlcg=="/>
<GUIId value="1"/>
<CountryId value="0"/>
<ConfigId value="F@ST1201S_UNI2_1"/>
</SystemInfo>
<RouteCfg>
</RouteCfg>
<EngDbgCfg/>
<pppsrv_8_35>
<ppp_conId1 userName="" password="" serviceName="" idleTimeout="0" ipExt="disable" auth="auto" useStaticIpAddr="0" localIpAddr="0.0.0.0" p>
</pppsrv_8_35>
<wan_8_35>
<entry1 vccId="1" conId="1" name="pppoe_8_35_1" protocol="PPPOE" encap="LLC" firewall="enable" nat="enable" igmp="disable" vlanId="-1" ser>
</wan_8_35>
</psitree>

*** command status = 0
Sagem CLI> 
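As an added example (not part of the original post), the script below scans lines from the two dumps above and shows that the values stored with encodePassword="enable" are plain base64, so anyone with access to the serial console can read the credentials. The function names are illustrative; the sample lines are copied from the output on this page.

```python
import base64
import re

# Lines copied from the "d p" (PSI) and "d b" (backup) output on this page.
# The console cut long lines at the terminal width and <protocol> is never
# closed, so the dump is not well-formed XML; it is scanned with regexes.
PSI_DUMP = """<SystemInfo>
<protocol autoScan="enable" igmpSnp ="disable" igmpMode ="disable" macFilterPolicy="forward" encodePassword="enable" enblUsbM2u="disable" >
<sysUserName value="admin"/>
<sysPassword value="YWRtaW4="/>
<sptPassword value="c3VwcG9ydA=="/>
<usrPassword value="dXNlcg=="/>
</SystemInfo>
<SecCfg>
<srvCtrlList ftp="lan" http="lan" icmp="lan" ssh="lan" telnet="lan" tftp="disable"/>
</SecCfg>
<entry1 address="192.168.0.1" mask="255.255.255.0" dhcpServer="enable" leasedTime="24" startAddr="192.168.0.128" endAddr="192.168.0.254" i>"""

BACKUP_DUMP = """<SystemInfo>
<sysUserName value="admin"/>
<sysPassword value=""/>
<sptPassword value="c3VwcG9ydA=="/>
<usrPassword value="dXNlcg=="/>
</SystemInfo>"""

FIELD_RE = re.compile(r'<(\w+)\s+value="([^"]*)"\s*/>')  # <name value="..."/>
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')            # attr="..."

def decode_base64_text(raw):
    """Return the decoded text if raw is base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(raw, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text and text.isprintable() else None

def audit_passwords(dump):
    """Classify every *Password field: empty, reversible (base64) or opaque."""
    fields = dict(FIELD_RE.findall(dump))
    user = fields.get("sysUserName", "")
    findings = {}
    for name, raw in fields.items():
        if not name.endswith("Password"):
            continue
        text = decode_base64_text(raw) if raw else None
        if not raw:
            status = "empty"
        elif text is None:
            status = "opaque"
        elif text == user:
            status = "reversible, equals user name"
        else:
            status = "reversible"
        findings[name] = (status, text)
    return findings

def exposed_services(dump):
    """Return the srvCtrlList services that are not set to "disable"."""
    m = re.search(r"<srvCtrlList\b([^>]*)>", dump)
    if not m:
        return {}
    return {k: v for k, v in ATTR_RE.findall(m.group(1)) if v != "disable"}

if __name__ == "__main__":
    for label, dump in (("PSI", PSI_DUMP), ("backup", BACKUP_DUMP)):
        for field, (status, text) in audit_passwords(dump).items():
            print(f"{label:7} {field:12} {status:30} {text!r}")
    print("services reachable:", exposed_services(PSI_DUMP))
```

A field reported as "reversible" should be treated as stored in clear text: changing the factory passwords and restricting physical access to the UART header are the relevant mitigations on a device like this.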

Option "d v" shows the versions of the Sagem and Broadcom bootloaders.


Sagem CLI> d v
Sagem CFE version: 3.9Sla
Broadcom CFE version: 1.0.37
*** command status = 0
Sagem CLI>

Option "w" writes an image from a host, starting at the beginning of the flash.


Sagem CLI> w

     eg. w [hostip:]whole_image_file_name

*** command status = -2
Sagem CLI>

Option "e" erases the contents of the nvram, the persistent storage, or the whole flash except the boot area.


Sagem CLI> e
Erase [n]vram, [p]ersistent storage or [a]ll flash except bootrom
usage: e [n/p/a]
*** command status = 0
Sagem CLI>

Option "r" loads the contents of the flash or an image from the host.


Sagem CLI> r
Code Address: 0x80010000, Entry Address: 0x8017d018
Decompression OK!
Entry at 0x8017d018
Closing network.
Starting program at 0x8017d018
.............. loading .....

Option "p" displays the boot parameters and board information.


Sagem CLI> p
Enter readNvramData(CFE)
Enter kerSysNvRamGet(CFE)
getShareBlks: i=0, sect_size=16384, end_blk=1
kerSysNvRamGet(CFE) Mac address:00:19:4b:20:00:55, BoardId=F@ST1201S 
Enter readNvramData(CFE)
Enter kerSysNvRamGet(CFE)
getShareBlks: i=0, sect_size=16384, end_blk=1
kerSysNvRamGet(CFE) Mac address:00:19:4b:20:00:55, BoardId=F@ST1201S 
Board IP address                  : 192.168.1.1  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id Name                     : F@ST1201S  
Psi size in KB                    : 24
Number of MAC Addresses (1-32)    : 6  
Base MAC Address                  : 00:19:4b:20:00:55  
Ethernet PHY Type                 : Internal
Memory size in MB                 : 8
CMT Thread Number                 : 0

*** command status = 0
Sagem CLI>

Option "c" changes the configuration parameters.


Sagem CLI> c
Enter readNvramData(CFE)
Enter kerSysNvRamGet(CFE)
getShareBlks: i=0, sect_size=16384, end_blk=1
kerSysNvRamGet(CFE) Mac address:00:19:4b:20:00:55, BoardId=F@ST1201S 
Press:   to use current value
        '-' to go previous parameter
        '.' to clear the current value
        'x' to exit this command
Board IP address                  :  192.168.1.1  x
Enter readNvramData(CFE)
Enter kerSysNvRamGet(CFE)
getShareBlks: i=0, sect_size=16384, end_blk=1
kerSysNvRamGet(CFE) Mac address:00:19:4b:20:00:55, BoardId=F@ST1201S 
*** command status = 0
Sagem CLI>

Option "f" writes an image to flash.


Sagem CLI> f
Loading 192.168.1.100:bcm963xx_fs_kernel ...
Loading failed.: CFE error -21
*** command status = -21
Sagem CLI>

Option "i" erases the stored data.


Sagem CLI> i
Erase persisten storage data? (y/n):n
*** command status = -1
Sagem CLI>

Option "b" changes the router identifier.


Sagem CLI> b
Press:   to use current value
        '-' to go previous parameter
        '.' to clear the current value
        'x' to exit this command
Board Id Name (0-7)  
96338SV          -------  0
96338L-2M-8M     -------  1
96338W           -------  2
96338E4          -------  3
F@ST1201         -------  4
F@ST1241         -------  5
F@ST1201S        -------  6
F@ST1241S        -------  7       :  6  x
*** command status = 0
Sagem CLI>

Option "flashimage" writes a compressed image after the bootloader.


Sagem CLI> flashimage

     eg. flashimage [hostip:]compressed_image_file_name

*** command status = -2
Sagem CLI>


Sagem F@ST1201S Connecting to the UART (II)

Connecting to the serial port requires an RS232-to-TTL adapter; in my case I had a board from an RF-to-RS232 transmitter. Without the RF module, it already works as our RS232-to-TTL converter.

[Image: F@ST1201S with RS232-TTL adapter]

The connection between the router and the computer must be made with a DB9 female-to-female null modem cable (DB9H-DB9H); otherwise they will not communicate.

[Image: DB9H-DB9H null modem cable]

If the computer has a serial port, connect the cable directly; otherwise a USB-to-RS232 adapter can be used.

[Image: USB-to-RS232 adapter]

The settings for communication between the router and the computer must be:

Speed: 115200
Data bits: 8
Parity: none
Stop bits: 1
Flow control: none
COM: in my case, USB to RS232 at /dev/ttyUSB0

The application used for communication between the router and the computer is minicom; any other can be used.

Launch minicom from a terminal.

minicom

The welcome screen appears.

Welcome to minicom 2.4

OPCIONES: I18n 
Compilado en Jan 25 2010, 06:49:09.
Port /dev/ttyUSB0

Presione CTRL-A Z para obtener ayuda sobre teclas especiales                         
                                                                                     
                                                                                     
                                                                                     
Sagem CFE version: 3.9Sla                                                            
Broadcom version 1.0.37-6.4 for BCM96338 (32bit,SP,BE)
Build Date: Mon Sep 25 18:39:15 CST 2006 (yangj@svr1.sagemharbournetworks.com)
Copyright (C) 2005-2006 Sagem communication.

Boot Address 0xbfc00000

Initializing Arena.
Initializing Devices.
Parallel flash device: name AM29LV160B, id 0x2249, size 2048KB
totalBlks=35
totalSize=2048K
Enter readNvramData(CFE)
Enter kerSysNvRamGet(CFE)
getShareBlks: i=0, sect_size=16384, end_blk=1
kerSysNvRamGet(CFE) Mac address:00:19:4b:20:00:55, BoardId=F@ST1201S 
Enter readNvramData(CFE)
Enter kerSysNvRamGet(CFE)
getShareBlks: i=0, sect_size=16384, end_blk=1
kerSysNvRamGet(CFE) Mac address:00:19:4b:20:00:55, BoardId=F@ST1201S 
fInfo.flash_nvram_start_blk = 0
fInfo.flash_nvram_blk_offset = 0x580
fInfo.flash_nvram_number_blk = 1
fInfo.flash_nvram_length = 1024

fInfo.flash_backup_start_blk = 34
fInfo.flash_backup_blk_offset = 0x2000
fInfo.flash_backup_number_blk = 1
fInfo.flash_backup_length = 24576

fInfo.flash_scratch_pad_start_blk = 34
fInfo.flash_scratch_pad_number_blk = 1
fInfo.flash_scratch_pad_blk_offset = 0x8000
fInfo.flash_scratch_pad_length = 8192

fInfo.flash_persistent_start_blk = 34
fInfo.flash_persistent_blk_offset = 0xa000
fInfo.flash_persistent_number_blk = 1
fInfo.flash_persistent_length = 24576

psi startAddr = bfdfa000
sp startAddr = bfdf8000
backup startAddr = bfdf2000

fInfo.flash_nvram_start_blk = 0
fInfo.flash_nvram_blk_offset = 0x580
fInfo.flash_nvram_number_blk = 1
psi startAddr = bfdfa000
fInfo.flash_persistent_start_blk = 34
fInfo.flash_persistent_blk_offset = 0xa000
fInfo.flash_persistent_number_blk = 1
getShareBlks: i=34, sect_size=65536, end_blk=35
Backup content:[]
getShareBlks: i=34, sect_size=65536, end_blk=35
PSI content:[]
Auto-negotiation timed-out
10 MB Half-Duplex (assumed)
Enter readNvramData(CFE)
Enter kerSysNvRamGet(CFE)
getShareBlks: i=0, sect_size=16384, end_blk=1
kerSysNvRamGet(CFE) Mac address:00:19:4b:20:00:55, BoardId=F@ST1201S 
CPU type 0x29010: 240MHz
Total memory: 8388608 bytes (8MB)

Total memory used by CFE:  0x80401000 - 0x8052AE60 (1220192)
Initialized Data:          0x8041F660 - 0x804224A0 (11840)
BSS Area:                  0x804224A0 - 0x80428E60 (27072)
Local Heap:                0x80428E60 - 0x80528E60 (1048576)
Stack Area:                0x80528E60 - 0x8052AE60 (8192)
Text (code) segment:       0x80401000 - 0x8041F654 (124500)
Boot area (physical):      0x0052B000 - 0x0056B000
Relocation Factor:         I:00000000 - D:00000000

Enter readNvramData(CFE)
Enter kerSysNvRamGet(CFE)
getShareBlks: i=0, sect_size=16384, end_blk=1
kerSysNvRamGet(CFE) Mac address:00:19:4b:20:00:55, BoardId=F@ST1201S 
Enter readNvramData(CFE)
Enter kerSysNvRamGet(CFE)
getShareBlks: i=0, sect_size=16384, end_blk=1
kerSysNvRamGet(CFE) Mac address:00:19:4b:20:00:55, BoardId=F@ST1201S 
Board IP address                  : 192.168.1.1  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host (f/h)         : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Board Id Name                     : F@ST1201S  
Psi size in KB                    : 24
Number of MAC Addresses (1-32)    : 6  
Base MAC Address                  : 00:19:4b:20:00:55  
Ethernet PHY Type                 : Internal
Memory size in MB                 : 8
CMT Thread Number                 : 0

*** Press any key to stop auto run (1 seconds) ***
web info: Waiting for connection on socket 0.
0
Code Address: 0x80010000, Entry Address: 0x8017d018
Decompression OK!
Entry at 0x8017d018
Closing network.
Starting program at 0x8017d018
Linux version 2.6.8.1 (yangj@svr1.sagemharbournetworks.com) (gcc version 3.4.2) #1 Wed Nov 29 09:56:41 CST 2006
Parallel flash device: name AM29LV160B, id 0x2249, size 2048KB
Total Flash size: 2048K with 35 sectors
fInfo.flash_nvram_start_blk = 0
fInfo.flash_nvram_blk_offset = 0x580
fInfo.flash_nvram_number_blk = 1
fInfo.flash_nvram_length = 1024

fInfo.flash_backup_start_blk = 34
fInfo.flash_backup_blk_offset = 0x2000
fInfo.flash_backup_number_blk = 1
fInfo.flash_backup_length = 24576

fInfo.flash_scratch_pad_start_blk = 34
fInfo.flash_scratch_pad_number_blk = 1
fInfo.flash_scratch_pad_blk_offset = 0x8000
fInfo.flash_scratch_pad_length = 8192

fInfo.flash_persistent_start_blk = 34
fInfo.flash_persistent_blk_offset = 0xa000
fInfo.flash_persistent_number_blk = 1
fInfo.flash_persistent_length = 24576

psi startAddr = bfdfa000
sp startAddr = bfdf8000
backup startAddr = bfdf2000

F@ST1201S prom init
CPU revision is: 00029010
Determined physical RAM map:
 memory: 007a0000 @ 00000000 (usable)
On node 0 totalpages: 1952
  DMA zone: 1952 pages, LIFO batch:1
  Normal zone: 0 pages, LIFO batch:1
  HighMem zone: 0 pages, LIFO batch:1
Built 1 zonelists
Kernel command line: root=31:0 ro noinitrd
brcm mips: enabling icache and dcache...
Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.
Primary data cache 8kB 2-way, linesize 16 bytes.
PID hash table entries: 32 (order 5: 256 bytes)
Using 120.000 MHz high precision timer.
Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)
Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)
Memory: 6040k/7808k available (1270k kernel code, 1748k reserved, 185k data, 64k init, 0k highmem)
Calibrating delay loop... 239.20 BogoMIPS
Mount-cache hash table entries: 512 (order: 0, 4096 bytes)
Checking for 'wait' instruction...  unavailable.
NET: Registered protocol family 16
PPP generic driver version 2.4.2
NET: Registered protocol family 24
Using noop io scheduler
bcm963xx_mtd driver v1.0
brcmboard: brcm_board_init entry
bcm963xx_serial driver v2.0
NET: Registered protocol family 2
IP: routing cache hash table of 512 buckets, 4Kbytes
********* ip_rt_init ************
sizeof(struct rtable)=244
ip_rt_max_size=2048, rt_hash_mask=511, ipv4_dst_ops.gc_thresh=512, 
ip_rt_gc_interval=12000, rt_secret_rebuild=120000
TCP: Hash tables configured (established 512 bind 1024)
NET: Registered protocol family 1
NET: Registered protocol family 17
Ebtables v2.0 registered
NET: Registered protocol family 8
NET: Registered protocol family 20
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 64k freed
init started:  BusyBox v1.00 (2006.11.29-01:58+0000) multi-call binary
Algorithmics/MIPS FPU Emulator v1.5


BusyBox v1.00 (2006.11.29-01:58+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.


Loading drivers and kernel modules... 

atmapi: module license 'Proprietary' taints kernel.
blaadd: blaa_detect entry
adsl: adsl_init entry
Broadcom BCMPROCFS v1.0 initialized
Broadcom BCM6338A2 Ethernet Network Device v0.3 Nov 29 2006 09:55:27
Config Internal PHY Through MDIO
BCM63xx_ENET: Auto-negotiation timed-out
BCM63xx_ENET: 10 MB Half-Duplex (assumed)
eth0: MAC Address: 00:19:4b:20:00:55
Cfm wathcer has been setup!
Broadcom BCM6338A2 USB Network Device v0.4 Nov 29 2006 09:55:29
usb0: MAC Address: 00 19 4B 20 00 55
usb0: Host MAC Address: 00 19 4B 20 00 56
Cfm has been started to initiate!
Enter kerSysPersistentGet: strLen[24576],offset[0],fInfo.flash_persistent_blk_offset=[40960]
usedBlkSize = 65536
getSharedBlks: i = 34, sect_size = 65536, end_blk = 35
psi[1-10]=[]
Enter kerSysPersistentGet: strLen[24576],offset[0],fInfo.flash_persistent_blk_offset=[40960]
usedBlkSize = 65536
getSharedBlks: i = 34, sect_size = 65536, end_blk = 35
psi[1-10]=[]
PSI has been initiated successfully!
BcmAdsl_Initialize=0xC0063228, g_pFnNotifyCallback=0xC0079654
pSdramPHY=0xA07FFFF8, 0xE5FDBFCE 0xFDFEF7EF
AdslCoreHwReset: AdslOemDataAddr = 0xA07F8A54
dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered 
ATM Config Management initiated successfully!
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack version 2.1 (61 buckets, 600 max) - 368 bytes per conntrack
ip_conntrack_pptp version 2.1 loaded
ip_nat_pptp version 2.0 loaded
ip_conntrack_h323: init 
ip_nat_h323: initialize the module!
ip_conntrack_rtsp v0.01 loading
ip_nat_rtsp v0.01 loading
Security configuration management initiated successfully!

==>   Software Version: 3.13Sla_en.  <==

device usb0 entered promiscuous mode
br0: port 1(usb0) entering learning state
br0: topology change detected, propagating
br0: port 1(usb0) entering forwarding state
device eth0 entered promiscuous mode
br0: port 2(eth0) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0) entering forwarding state
pvc2684d: Interface "nas_8_35" created sucessfully

pvc2684d: Communicating over ATM 0.8.35, encapsulation: LLC

device nas_8_35 entered promiscuous mode
br0: port 3(nas_8_35) entering learning state
br0: topology change detected, propagating
br0: port 3(nas_8_35) entering forwarding state
Enter kerSysScratchPadGet
usedBlkSize = 65536
getSharedBlks: i = 34, sect_size = 65536, end_blk = 35
Enter kerSysScratchPadSet
usedBlkSize = 65536
getSharedBlks: i = 34, sect_size = 65536, end_blk = 35
setSharedBlks: i = 34, sect_size = 65536, end_blk = 35
Network initiated successfully!
Web Server initiated successfully!
Enter kerSysScratchPadGet
usedBlkSize = 65536
getSharedBlks: i = 34, sect_size = 65536, end_blk = 35
br0: port 2(eth0) entering disabled state
br0: port 1(usb0) entering disabled state
Cfm initiated successfully!

login:

We can see that the firmware is based on Linux. However, I have not been able to find the kernel source code or any tool for building it. Sagem does have an open source portal, Sagemcom, but there is no trace of the F@ST1201S source code there.

This may be a violation of the GPL license, since the firmware includes:
  • Linux version 2.6.8.1
  • BusyBox v1.00

Sagem F@ST1201S Hardware Hacking (I)

The F@ST1201S is an ADSL router distributed by Orange and manufactured by Sagem.

[Image: Top view]

Features:
  • ADSL/ADSL2/ADSL2+ bridge/router
  • 1 Ethernet 10/100BT port
  • 1 USB 1.1 port (Ethernet)
  • DHCP client/server
  • DNS client/server
  • FTP client/server
  • TFTP client/server
  • HTTP client/server

The front panel has 4 LEDs (Power, ADSL, Internet, LAN).

[Image: Front view]

The connectors and the power input are on the rear panel.

[Image: Rear view]

  1. RJ11 telephone line
  2. USB Type B (Ethernet)
  3. RJ45 Ethernet
  4. REG (reset button)
  5. Power jack
  6. On/Off switch
To open the case, turn the router upside down and remove the two screws.
The screws are TORX type; the bit is a T10.

[Image: Bottom view]

The 4 clips of the case also have to be released: with a flat screwdriver, lever gently outwards until they separate.

[Image: Detail of the clip locations]

Once the screws are removed and the clips released, the two halves of the case can be separated and the router is open.

[Image: PCBA Router F@ST120]

To take the board out of the case, lift it up from the LED side.

[Image: Bottom side of the board]

Analysis of the board by zone.

[Image: Benchmarking F@ST1201S]
Red zone: telephone line or ADSL input; the signal enters through the RJ11 connector and passes through the transformer and the BCM6301 line driver.
Yellow zone: USB Ethernet output, female USB type B connector.
Green zone: ETH Ethernet output, RJ45 connector.
Blue zone: reset, push button to restore the factory configuration.
Violet zone: UART communications, female connector with a serial interface for connecting the router to the PC.
Dark blue zone: power jack, 7.5V@700mA input, signal filtering and voltage conversion to 3.3V.
White zone: EJTAG communications; it could be used to communicate over JTAG and read/write the FLASH memory.
Dark green zone: RAM, 2MB of RAM K4S641632K-UC60.
Pink zone: FLASH memory, 8MB of FLASH memory 29LV160CBTC-90G.
Dark yellow zone: main CPU, MIPS32 CPU BCM6338KFBG.

Hardware.

CPU: BCM6338KFBG
Flash: 29LV160CBTC-90G
RAM: K4S641632K-UC60

UART and EJTAG communications.

[Image: UART and EJTAG connectors]

To connect the UART (J13) to the computer, a serial-port-to-TTL adapter is required.

Connector J7 looks like an EJTAG connection, but the signals are not labelled. The DSL-2640U router also has an 8-pin EJTAG connector, but its pinout appears somewhat different judging by the voltage levels. The voltage levels shown in the image were measured with the router powered on.

Pins 3, 4 and 5 have a 1K pull-up resistor connected to Vcc (3.3V).
Pins 6 and 8 are tied together and have an 870 Ohm pull-up resistor to Vcc (3.3V); in series there is a 100 Ohm resistor that connects to the #RESET pin of the 29LV160 FLASH memory.

F@ST1201S manuals.

F@ST1201S installation manual. Link to Orange (3.8MB)
Quick installation guide. Link to Orange (92KB)
Reference manual. Link to Sagem (7.1MB)