Posted: Thu Feb 21, 2008 5:59 pm Post subject: How to unlock Speedtouch 585 v6 from AOL
Added Oct 2009: a method to unlock was worked out, and the necessary files are available on the Downloads pages. The link is placed here so that all can easily find it (apologies to kanenas3 for hijacking his thread):
I recently bought from Ebay a Speedtouch 585 v6 that is unfortunately locked by AOL. It is possible to change the settings and use it with another ISP, but many of the menus in the Web Interface are missing. Also, upgrading the firmware is prohibited.
I've tried almost every solution I could find but still no luck.
1) Activating Remote Assistance is not possible as the default username/password is not working.
2) Commands like user list & user flush are not working in Telnet.
3) Every single firmware I've tried returns a "Not Compatible" sign.
I've also found inside "dl" a folder named tls and two files in it, pkey0001.pem and cert0001.pem. Both the files and the folder can't be deleted.
Joined: 30 Jun 2004 Posts: 2858 Location: Nottingham, England
Posted: Fri Feb 22, 2008 2:40 am Post subject: Should have solutions for you
It is possible to fix this, but some of the solutions need you to be very brave!
Let's get a minor issue out of the way first:
Quote:
I've also found inside "dl" a folder named tls and two files in it, pkey0001.pem and cert0001.pem. Both the files and the folder can't be deleted.
I've got a ST585v6 also (not locked), and that dir & files were added when I upgraded to the current r6.2.15.5.0 Firmware from the earlier build (previous firmware does not have that dir, although the files exist - are used for https webfiles).
The following are all affected by MLP (also called MLAP) settings:
menus in the Web Interface are missing.
Activating Remote Assistance is not possible.
Commands like user list & user flush are not working in Telnet.
It should (note careful use of that weasel word) be possible to restore your MLP to the default settings. Give me a few moments to find the postings...
OK. First thing: save the files in the `dl' folder via FTP, just in case you ever need to replace them.
Next, if you need to escalate your user privilege, this is how to do it (post #3) (that will probably not fix any problems and, by the sound of what you said, you do not need it).
Next you need to change your MLP settings, and that involves a file called `security.cfg'. Now, I cannot guarantee that this will work for you, because AOL may have prevented you from using the commands to do it. However, if you never try...
If you do not already have security.cfg in the dl directory, that will drop it in there. If that command does not work, then AOL have stopped this method at source.
I suggest that you get that file via FTP now, and store it. A diff between it & a standard security.cfg will tell you what AOL have done to cripple your machine.
Next, upload a bog-standard security.cfg via FTP.
Next, load it in the system:
Quote:
:mlp import
You should (crossed fingers) be able to access all pages, etc..
Of course, you need a standard security.cfg to do this. I shall post one for BUILD 6.2.15.5 after this msg. If your firmware is other than that, then tell me, and I'll get that one for you.
Now, on to the tricky one...
Quote:
3) Every single firmware I've tried returns a "Not Compatible" sign.
It is possible to fix this, but you will need (a friend's?) unlocked router, and some soldering experience, and be brave!
You need to:
Construct a JTAG cable.
Dump the CFE.bin from both routers.
Flash the unlocked-router CFE.bin back over the locked-router.
Posted: Fri Feb 22, 2008 2:47 am Post subject: Get security.cfg
security.cfg for an unlocked bog-standard ST585v6 r6.2.15.5 (r6.2.F.5); this needs saving as a Unix-format file. Use TextPad (txpeng473.exe) or some other suitable editor to do this.
Thanks Alex! That was a really quick answer and what an answer!!! :-)
So far I've tried every solution proposed except the one with the "security.cfg" and the JTAG one. I could try the security.cfg as there isn't such a file inside dl. In fact the only files are the ones I told you about before, inside tls. My firmware version is 6.2.16.3 so I'd be glad if you can send me a copy of the file for this version. If that fails too I'll try the JTAG version!
Posted: Fri Feb 22, 2008 2:04 pm Post subject: Will take a few days
Quote:
... security.cfg as there isn't such a file inside dl
The file appears within `dl' only when you do the :mlp debug export command. You can try that now, and see if AOL have restricted that (hidden) command. If not, that would allow you to do a diff on the two versions, which would highlight the AOL changes. The file format is very straightforward.
Quote:
My firmware version is 6.2.16.3 so I'd be glad if you can send me a copy of the file for this version
Hmm, r6.2.G.3 - only one release version away from what I posted. There were large differences in MLP between r6.1.9 & r6.2.F, but I would expect only minor differences between r6.2.F & r6.2.G - you could use the r6.2.F security.cfg at a pinch. It will take me a few days before I am able to load new firmware & export (I'll certainly do it, but a number of other things take priority).
Quote:
If that fails too I'll try the JTAG version!
Can you locate any AOL Firmware? If so, it is often trivial to change the header bytes in bog-standard firmware to match, which will bypass the wrong-firmware check on ST-reboot. I suspect that you may be forced into a re-flash as a permanent fix, however.
I'll get the r6.2.G.3 security.cfg to you as fast as I can. Check if the MLP commands are available in the meantime.
_________________
Alex Kemp
The :mlp debug export command is not working either :-/
I'll try the security.cfg solution in a little bit.
Can you please check this photo. It is from another 585v6 I bought from ebay. I believe that the previous owner used the JTAG method. It seems he soldered some pins... Maybe this can make it easier for me
Posted: Fri Feb 22, 2008 4:51 pm Post subject: I do not think that MLP will work for you
Quote:
The :mlp debug export command is not working either :-/
I doubt very much that import will work either, then. Oh well, there was a small chance that they may have overlooked it. Looks like it is either Firmware hacking or JTAG flash-overwrite, then.
Quote:
Can you please check this photo.
That's useful! I don't like the look of the size of some of those solder blobs, though - may be short-circuiting.
Assuming that it is OK with you, I shall copy those photos onto this server, and add them to your post (if you have any objection, they will be removed).
PS
This site has no objection whatsoever to URLs being added, as long as they are relevant to the post and to do with modems!!! It's the pr0n posts that get my goat. I'll also add the security.cfg to the downloads site. That will take a little while to be uploaded, though. I'll remove it from the earlier post when I do, and add a link instead.
_________________
Alex Kemp
The main problem with the software solution is that I haven't found a firmware from AOL so as to hack it. I wish I did as I believe there is a CRC check or something like that which is preventing any kind of upgrade.
The photos I posted are from an unlocked 585v6. I'll open the locked one to check if they are the same and I'll post them here. Feel free to use the photos :-)
I have two questions before I begin the JTAG solution
1) In order to put the necessary pins on the router's board do I have to use copper solder or something else?
2) How to construct the cable? I was thinking of using a parallel cable and cut one end. Then use the electrical resistances shown in JTAG schematic. How am I supposed to make the other end of the cable? Should I leave the smaller cables or should I use a ten DIN pin?
Posted: Tue Feb 26, 2008 6:02 pm Post subject: I don't have the experience of this
I'm the wrong guy to ask - no personal experience. I have just the one ST, and cannot afford it to go down. Also, all my time is building this site... and updating a Linux Server at home from Centos 4.5 to 5.1... (and responding to the forum!), so I've never got into that.
However, I know a man who does! I'll ask him if he will respond to your questions.
_________________
Alex Kemp
kanenas3
1) In order to put the necessary pins on the router's board do I have to use copper solder or something else?
Your very nice pics of the hacked one show how they have soldered in a standard header. Actually it is hard to do that properly. And unnecessary.
I just used some component leads, a bit of copper wire, even a fine paper clip, or pull individual pins out from a dead motherboard or something. The metal doesn't matter. You will need to solder it on though, and using a single pin and a pair of tweezers makes it fairly easy. Just heat the hole from the other side of the board. Press gently on the pin until the solder heats the end of the pin and allows the hole to open. If you want to buy a header you can. Most large electronics stores will sell them. But you will need to clean the solder from all the holes before you fit it. Hard work.
Quote:
2) How to construct the cable? I was thinking of using a parallel cable and cut one end. Then use the electrical resistances shown in JTAG schematic. How am I supposed to make the other end of the cable? Should I leave the smaller cables or should I use a ten DIN pin?
You don't need that many pins. A serial cable with 9 or 10 pins is enough. Or a USB extension cable that they use inside a computer case. Some of them have single pins to allow different motherboard sockets to be accommodated. It has 4 pins on each so you can use two or just use one and grab another cable used for the front panel of the computer with a one or 2 pin header on it for ground. Dead computers are thrown out all over the place here. I help myself to useful parts. Like a typical trash man. See what you can find. For the other end I had some 25-pin serial gender changers which have nice PCBs that allow the resistors to be neatly soldered. The main rule is short. 20cm could even be too long.
And for what to actually do, look at the post there by cidi rome and here.
Quote:
The process to unlock ST Routers Explained:
Needed things:
JTAG adapter: cidirome.977mb.com
JTAG application: cidirome.977mb.com
An HEX editor, I use PsPAD
Unlocked Router as source
Locked router to unlock
2. Read the CFE from the unlocked router (ST5x6v6 and ST585v6 are not interchangeable), with this command "STJTAG -backup:CFE /silent" (you have previously had to install the port driver giveio.sys with loaddrv.exe)
3. Rename the file you got ex: CFE.BIN.SAVED_20080101_224329 to CFE.BIN_UNLOCKED_ROUTER
4. Read the CFE from the locked router
5. Rename the file you got ex: CFE.BIN.SAVED_20080101_230105 to CFE.BIN_LOCKED_ROUTER
6. Open both files with the HEX editor
7. Copy from CFE.BIN_LOCKED_ROUTER the contents HEX from address 1FF20 to 1FFFF to the same place of CFE.BIN_UNLOCKED_ROUTER replacing the existing contents. You will be copying and replacing 224 Bytes (448 HEX digits).
8. Save the changed file as CFE.BIN
9. Flash the file to the router with the command "STJTAG -flash:CFE /silent"
10. Now you should be able to upgrade the router's firmware with a generic one.
Notes:
1. Remember that, at least on ST516v6 the JTAG port is under some capacitors and as we have to make the connections on the other side they will be inversed.
2. You should start each backup / flash process seconds after turning it on.
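As an added example (not part of the original posts and not code from the STJTAG tool), this Python sketch carries out the byte copy in step 7 of the quoted procedure and checks the edited image before it is flashed: same size as the source dump, changed only inside 0x1FF20-0x1FFFF, and carrying the locked dump's bytes there. The function names, the 128 KiB dump size and the sample bytes are constructed assumptions.

```python
# Added example; offsets are the ones quoted in step 7 of the procedure above.
REGION_START = 0x1FF20
REGION_END = 0x1FFFF  # inclusive
REGION_LEN = REGION_END - REGION_START + 1  # 224 bytes, as the procedure states


def diff_ranges(a: bytes, b: bytes):
    """Return inclusive (first, last) offset ranges where the two dumps differ."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size: %d vs %d" % (len(a), len(b)))
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, len(a) - 1))
    return ranges


def splice_region(locked: bytes, unlocked: bytes) -> bytes:
    """Step 7: the unlocked image carrying the locked dump's 224-byte block."""
    if len(locked) != len(unlocked) or len(locked) <= REGION_END:
        raise ValueError("dumps must be the same size and cover 0x1FFFF")
    block = locked[REGION_START:REGION_END + 1]
    return unlocked[:REGION_START] + block + unlocked[REGION_END + 1:]


def check_patched(patched: bytes, locked: bytes, unlocked: bytes):
    """Return a list of problems; an empty list means only step 7's range changed."""
    if len(patched) != len(unlocked):
        return ["size changed: bytes were inserted or deleted, not overwritten"]
    problems = []
    for first, last in diff_ranges(patched, unlocked):
        if first < REGION_START or last > REGION_END:
            problems.append("unexpected change at 0x%X-0x%X" % (first, last))
    if patched[REGION_START:REGION_END + 1] != locked[REGION_START:REGION_END + 1]:
        problems.append("block 0x1FF20-0x1FFFF does not match the locked dump")
    return problems


def constructed_dump(fill: int, tag: bytes) -> bytes:
    """Constructed stand-in for a dump (assumed 128 KiB; not real router data)."""
    img = bytearray([fill]) * 0x20000
    img[REGION_START:REGION_START + len(tag)] = tag
    return bytes(img)
```

On real dumps, read both files with `open(path, "rb").read()` and flash only when `check_patched` returns an empty list; a hex editor left in insert mode is caught by the size check.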
Posted: Wed Feb 27, 2008 5:06 am Post subject: Thanks Revs!
Thanks Revs!
You can always tell when someone has actually done the business.
It looks like bog-standard solder should be sufficient. I'm sure that you know this already, but clean any pins that you use beforehand, and put a thin layer of solder+flux on the pin before attempting to solder it in place. That should help prevent those great big blobs of solder that are threatening to short-circuit the JTAG header in the photo.
A little extra from me:
Necessary files & instructions are on the Downloads section of this site. One of the things that nobody has yet is an unlocked CFE.bin to be able to unlock these routers. Perhaps you could provide it...
_________________
Alex Kemp
All times are GMT