Modem-Help

[simonh]

I’ve FTPed the linux out of the box.
linux_appl.exe contains the following text relating to debug commands... some work:


Execute a ’Trace & Debug’ command. For qualified personnel only. dmesg Show the Linux kernel messages. For qualifies personnel only. Quoted ’Trace & Debug’ command string Execute a ’Trace & Debug’ command. For qualified personnel only. Switch to ’Trace & Debug’ prompt. For qualified personnel only. Switch to Linux shell. For qualified personnel only. tasks Show user space tasks. alg vpn ip dt ip lt ip ct ip +t ip -t sea bstats sea istats sea pstats sea clear sea sq eth stats eth bstats eth pstats eth clear eth trace eth tlen sachem get_config sachem get_state sachem activate_performance sachem deactivate_performance sachem get_data sachem do atm otrace atm sxt atm stt atm svt atm tvc atm tlen atml stats atml pstats atml gstats atml istats atml dstats atml clear pptp ctrace pptp dtrace dbg spt dbg rvt dbg fvt dbg spo dbg cpuload err stats edm ctrl edm sit edm situation edm start edm stop edm otherrxf edm getli edm ss edm setstats edm rs edm resetstats edm gs edm getstats edm sa edm setaddr mdap trace mdap search voip trace voip ss vdsp fxooffhook vdsp tracecodec vdsp hci vdsp info voip info vdsp norevlf voip siploglevel voip addfilter voip delfilter usbhost devs usbhost pos wld spool wld ssrom wld wlifdata wld poolinfo wld macevents wld cmacevents aip kru st aqm

(P.S. some go in pairs...)

Post spliced into this thread from De-compiled Firmware uploaded for the Home-Hub.
Agent: Alex Kemp
Date: Sat, 16 May 2009 23:11:16 +0100

[simonh]

The usb connect/disconnect runs /dl/samba.conf if it exists. on v6.2.2.6 you can ftp to /dl/

hence with a /dl/samba.conf containing:

# Configuration for inventel modules import
#
/usr/bin/whoami >/dl/hello4
SAMBA_DEVICE_NAME=SM_7G

I get a file hello4 conatianing ’root’.

Now I need a linux guru on the case to get a true login. What we need to do is to run a shell with input/output from a TCP port?
telnetd does not seem to be present :(

Or maybe we can read/write the CFE flash using this hole?

s

Post spliced into this thread from De-compiled Firmware uploaded for the Home-Hub.
Agent: Alex Kemp
Date: Sat, 16 May 2009 23:14:14 +0100

[simonh]

# Configuration for inventel modules import
#
/bin/cat /dev/mtdblock0 >/dl/hello4
SAMBA_DEVICE_NAME=SM_7G


yields some flash content?? :)

Post spliced into this thread from De-compiled Firmware uploaded for the Home-Hub.
Agent: Alex Kemp
Date: Sat, 16 May 2009 23:14:42 +0100

[Alex Kemp]

http://download.modem-help.co.uk/mfcs-B/BT/Home-Hub/File-Dumps/
BT Home Hub v1.5 r6.2.2.6 file-dump download (108 files)

Thanks to simonh for sending me the zipped-up contents of all files within a r6.2.2.6 firmware Home-Hub v1.5 (the white one).

Simon put some early findings within the de-compiled firmware topic (starting Thu May 14, 2009 10:40 pm); I have moved those into this thread.
_________________
Alex Kemp

[simonh]

It seems that we can pretty much run whatever we want on the HH 1.5

Has anyone got a telnetd which will work on this hardware? (or just any telnetd for ARM, I've tried a couple, but am unsure of the 'endiness').

s

[simonh]

We now have a telnet prompt on 6.2.2.6

Full details and utelnetd binary in a file to be uploaded soon.
Key is to telnet to 192.168.1.253 (not 254) after running utelnetd.


:)

Now investigating flash manipulation in Linux.

2009-05-20 addition by Alex Kemp:
File in the course of uplift right now. :

http://download.modem-help.co.uk/mfcs-B/BT/Home-Hub/File-Dumps/Telnet-To-HH-r6.2.2.6.zip.php

simonh:
download, unzip and read the txt file.
If you leave the USB stick in through boot, utelnetd is re-run every boot.

Watch out if playing with Flash - download the BTHH GPL and examine broadcon-map.c - this has mtd mappings and a 'BT_OFFSET'. Also run dmesg - this contains info about mtd. Still trying to work it all out myself. You can't access the bootloader through mtd, but maybe read through ram or mem?
Help?


s

[simonh]

I'm really struggling with squashfs for the BT filesystem. We should be able to flash the filesystem, maybe not the kernel, but at the moment I can unsquash, but not squash the filesystem, so I can't load a modified onw. anyone with any ideas?

s

[mstombs]

In my experience of using the "Firmware Mod kit" http://www.bitsum.com/firmware_mod_kit.htm for broadcom WRT54GL type Ethernet routers or its ideas for Ti AR7 adsl routers http://www.linksysinfo.org/forums/showthread.php?t=51806 it is necessary to recreate a complete firmware consisting of header+kernel+filesystem+checkbytes. Maybe this is just to load single images via built-in tools? If you are using JTAG to write directly to the flash chip you need to be aware that the filesystem offset may not be aligned with an "erase boundary" typically can only write to 64K blocks. Ti AR7 routers moved from "separate kernel and filesystem images" to "single image" firmwares this needs more ram to buffer the file but makes for more efficient use of flash space.

[Quietlife2k]

Perhaps http://forum.openwrt.org/viewtopic.php?id=17370&p=1 might help,

[simonh]

thanks for the pointers..

found
http://svn.gna.org/svn/openbox4/trunk/tools/nb4-mksquash/

which when built, creates squashfs images which can be mounted on the HH (tested by blowing a raw image to a usb stick - the hh automagically mounts it when you plug in the stick.). Note the lzma implementation is quite different to the std squashfs.

However, when I dd my new image over the original (from linux prompt), the hub always hangs, and when it is rebooted, refuses to boot. up till today, the hh could be recovered using the 'reset with the wireless association button pressed', and 6.2.2.6 could be restored. As of the last flash attempt (where I left it flashing overnight ;) ), the modem can be reflashed, and boots, and you can get superuser access, but you can no longer ftp to the device - ftp crashes if you try to put or even 'ls'. So basically, the router is b*****d. I've tried flashing to a later version and back again, no joy.
Now I wonder if my ability to get ftp access was down to something I did before, and now my router has done a more complete factory reset.

Has anyone got a HH 1.5 to try my procedures on to see if they work for them?

thanks in advance

s

[simonh]

was a windows issue, after a reboot a 2nd homehub worked... then the first worked... so now back to why my squashfs which is mountable using the kernel, is not accepted as a rootfs.

going to look in the flash for checksums...

s

[simonh]

I think the flashing via
dd bs=64k if=mtd1.bin of=/dev/mtdblock1

is broken.
dmesg shows:
"cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness."

I think this may mean it’s not erasing blocks, so effectively ORing in the new data. (today I reflashed, and gpt squashfs errors rather than complete failure).

I guess I’ve got to build raw flashing code.

s

[simonh]

does anyone have a buildable set of linux flash (cfi) tools which don't rely on mtd support? Google's given nothing. I could start with the kernel sources - i think i have unfettered access to all hardware.

s

[simonh]

ok, I've proved I can erase the root filesystem mtd2 quite effectively, but when i try 'cat mtd2.file >/var/mtd2', it flashes some of mtd2, but fails some way in.

I think it fails when it hits a point which corrupts some vital part of the filesystem needed to continue the cat cmd (cp does the same).

How do I use pivot-root to swap the root filesystem to another location so I can free up the current rootfs to flash over it?

s

[Alex Kemp]