Support for GPON SFP FGS202

Is the firmware and bootloader the same for both 144 and 947 version?
Sercomm Boot Version 2.0.2.0
image#0 version: SCOMFGS202112

Yes, my UART printouts is exactly like what you've posted, I've compared every version number, even tried to flash other people's flash dump but it still doesn't work on my ER-X-SFP

13 Sep 2019, 11:49 pm by mail@forum.openwrt.org:

Your post inspired me to try different flash dumps.

First I tried an older version SCOMFGS202110. Its length is 0x1b77a0 and checksum 0x82bda605

ROM: V1.1.4
ROM: CFG 0x00000006
ROM: SFLASH-4
hw fuse format 1


U-Boot 2011.12-lantiq-gpon-1.2.20.1-svn20 (Aug 10 2015 - 13:49:58), Build: falcon_sfp

Board: SFP
DRAM:  internal: 1 MiB
Now running in RAM - U-Boot at: 9f2c4000
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
Chip:  FALCON-SR (A22)
Bootmode: 0x06
Reset cause: Power-On Reset
CPU Clock: 400 MHz
Done!
Net:   SGMII, SERDES [PRIME]

Type run flash_nfs to mount root filesystem over NFS

SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
active_img 0, committed_img 1
pid_addr 0x2b77a0
dbSign Addr: 0x9f200208
imgNum: 1
img 0: start addr: 0x100000, length: 0x1b77a0
checksum: 0x82bda605
crc32 result: 0x82bda605
check sum OK
name c_img
value 1
name activate_image
value 0
Erasing SPI flash...Writing to SPI flash...done
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB

***************************************************
    Sercomm Boot Version 2.0.2.0

***************************************************
No sc dl flag.
gpio_id:8 no found
Entering Firmware : Everything is OK.
No sc dl flag.
## Starting application at 0x10000000 ...
Overall used memory: 199488
Available packet buffer: 704448 (llt min 7425, llt max 18432)
Init flash support
M25PXX : Init device 'Macronix 64 Mbit' with JEDEC ID 0xC22017/0x0000.
Found flash at 0x00000000-0x007fffff
Flash bank with 128 sectors, sector size is 65536 bytes
Find valid uboot environment in env_off and env_end_off
Machine: Falcon SFP Stick (SFP)
Set image#0 version: SCOMFGS202110
Set image#1 version: SCOMFGS202110
Successfully stored environment to 0x7f0000
Successfully stored environment to 0x60000
Image start address: 0xb0100000
Image 0: 0xB0100000 - valid

Image 1: 0xB0480000 - valid
ONT Boot up #1 image
FALC(tm) ON Optic Driver, version 7.4.0.0 (c) Copyright 2015, Lantiq Beteiligungs-GmbH & Co. KG
FALC(tm) ON Base Driver, Version 7.3.3.0 (c) Copyright 2015, Lantiq Beteiligungs-GmbH & Co. KG

next, I tried the "virgin" dump. My setup don't have ethernet connected thus the output is not complete.

ROM: V1.1.4
ROM: CFG 0x00000006
ROM: SFLASH-4
hw fuse format 1


U-Boot 2011.12-lantiq-gpon-1.2.20.1-svn20 (Aug 10 2015 - 13:49:58), Build: falcon_sfp

Board: SFP
DRAM:  internal: 1 MiB
Now running in RAM - U-Boot at: 9f2c4000
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
Chip:  FALCON-SR (A22)
Bootmode: 0x06
Reset cause: Power-On Reset
CPU Clock: 400 MHz
Done!
Net:   SGMII, SERDES [PRIME]

Type run flash_nfs to mount root filesystem over NFS

SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
active_img 0, committed_img 1
pid_addr 0x2a0ce8
dbSign Addr: 0x9f200208
imgNum: 1
img 0: start addr: 0x100000, length: 0x1a0ce8
checksum: 0xa39a73eb
crc32 result: 0x856d1025
check sum error
try run another image.
pid_addr 0x620ce8
dbSign Addr: 0x9f200208
imgNum: 1
img 0: start addr: 0x480000, length: 0x1a0ce8
checksum: 0xa39a73eb
crc32 result: 0xd7cc6721
check sum error
Enter download mode, two image all error
DEBUG_INF:===================================================
DEBUG_INF:Sercomm Upgrade(Module Ver 2.14.02.24) Start!
DEBUG_INF:===================================================
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB

0x0000: 00  c0  02  12  35  88
Error: SGMII TBI not in sync!
Error: SGMII TBI not in sync!
Error: SGMII TBI not in sync!
Error: SGMII TBI not in sync!
Error: SGMII TBI not in sync!
Error: SGMII TBI not in sync!

Lastly, the regular Orange dump from the top of this page. My module serial number has changed. Opened the image in the editor to modify serial number, MAC address, date code at the offset 0x50000. Reflashed the module. It did not take my changes. Values defaulted to: sn: SCOM00000118 MAC: 00:CO:02:12:35:89 date: 150707

When I replace the whole 74 bytes at offset 0x50000 from another file, the serial number does change. It appears first 4 bytes compose the checksum. Can't figure out how it is computed. Any advice anyone?
Full images are in the first post

taken from Used Image

00000000  6e be 7c 02 01 66 74 5f  66 6c 61 67 3d 30 00 64  |n.|..ft_flag=0.d|
00000010  61 74 65 5f 63 6f 64 65  3d 31 37 30 31 30 39 00  |ate_code=170109.|
00000020  70 63 62 61 73 6e 3d 52  2e 42 4e 4e 36 43 54 32  |pcbasn=R.BNN6CT2|
00000030  36 42 39 00 6e 53 65 72  69 61 6c 3d 53 43 4f 4d  |6B9.nSerial=SCOM|
00000040  32 31 30 34 32 32 39 30  00 65 74 68 61 64 64 72  |21042290.ethaddr|
00000050  3d 37 38 3a 39 34 3a 42  34 3a 32 44 3a 42 38 3a  |=78:94:B4:2D:B8:|
00000060  32 41 00 62 6f 73 61 5f  74 79 70 65 3d 30 30 30  |2A.bosa_type=000|
00000070  30 30 30 00                                       |000.|
00000074

6EBE7C020166745F666C61673D3000646174655F636F64653D3137303130390070636261736E3D522E424E4E36435432364239006E53657269616C3D53434F4D323130343232393000657468616464723D37383A39343A42343A32443A42383A324100626F73615F747970653D30303030303000

taken from Virgin Image

00000000  cf 47 84 29 01 66 74 5f  66 6c 61 67 3d 30 00 64  |.G.).ft_flag=0.d|
00000010  61 74 65 5f 63 6f 64 65  3d 31 36 31 30 31 31 00  |ate_code=161011.|
00000020  70 63 62 61 73 6e 3d 52  2e 42 4e 4e 36 39 55 32  |pcbasn=R.BNN69U2|
00000030  32 35 38 00 6e 53 65 72  69 61 6c 3d 53 43 4f 4d  |258.nSerial=SCOM|
00000040  32 31 30 31 43 38 43 33  00 65 74 68 61 64 64 72  |2101C8C3.ethaddr|
00000050  3d 42 34 3a 41 35 3a 45  46 3a 39 46 3a 32 43 3a  |=B4:A5:EF:9F:2C:|
00000060  39 30 00 62 6f 73 61 5f  74 79 70 65 3d 30 30 30  |90.bosa_type=000|
00000070  30 30 30 00                                       |000.|
00000074

CF4784290166745F666C61673D3000646174655F636F64653D3136313031310070636261736E3D522E424E4E36395532323538006E53657269616C3D53434F4D323130314338433300657468616464723D42343A41353A45463A39463A32433A393000626F73615F747970653D30303030303000

Hi centaur,

I played also around a bit with this module (changed the serial number).
Unfortunately I don't have a GPON ISP to test it at the moment, so I am happy to hear if it works for you.

To calculate the CRC (I use HxD)

  • Copy the the whole page 0x50000 to 0x5FFFF. (64kByte) to a new file
  • Remove the first 5!!!!!! bytes.
  • Change your serial Number.
  • Calculate CRC-32 file checksum https://emn178.github.io/online-tools/crc32_checksum.html
  • Insert the 4 Bytes of the CRC AND the 5th byte (always 0x01?) again.
  • Modify the 0x50000-0x5FFFF section with your new file.
1 Like

rixo this is amazing!
I copied the 50005-5FFFF block in HxD to a new file. Replaced the MAC and serial number with new values, calculated checksum (used internal HxD calculator). Paste it back and filled in 4 bytes (0x50000) with calculated CRC.
Checked firtst with the EEPROM reader. All good.
My ISP allows me to use any compliant GPON ONT. The new MAC and SN is now present on the status page and ONT is registered.
Thank you.

Hi Centaur,
Great that it works for you. :wink:
Are you connected to a Huawei OLT from your provider?

Unfortunately I am unable to Ping the device at 192.168.2.200.

My setup:
FGS202 in the TP-LINK MC220. Pin 6 connected to USB to UART adapter
No Optical Cable plugged in (Not available at this location).

The Status page you mentioned is that from the FGS202 itself (@192.168.2.200?), or from your provider?
Does this also work without Optical cable?

You programmed it with an external flash programmer, or did you find out how to use the bootloader?

he used an external flash programmer to flash it, I think it should be reachable from both LAN/WAN side, are you located on the same subnet as 192.168.2.200? Idk what kind of mask it would use but I think /24 will work if it does listen there

Maybe do a port scan throughout your subnet to discover it?

@rixo
Hi Rixo,

My previous ONT was HG8010H so I assume it must be connected to a Huawei OLT?

I'm afraid, the LAN interface at 192.168.2.200 will expose itself only when the end router requests and gets its own IP. In 1 or 2 cases SFP was pingable with only optical link connected. I'm not sure what's the mechanism behind that.

My "Status Page" is a part of customer portal where I can review my bills, view data usage/see assigned IP addresses/edit and add new GPON device.

I use an external programmer. The flash is connected by tiny wires to the SFP board. When doing in-circuit programming I only disconnect the wire #8(VCC) from the board.

Preliminary flash map

Offset hex----------Offset decimal --extra info
0x000000-0x03FFFF  0000000-0262143  #U-Boot/ magic number=0xFFDD0022
0x040000-0x04FFFF  0262144-0327679  #uboot_env
0x050000-0x05FFFF  0327680-0393215  #Manufact info/ at 0x50000 CRC32 for (0x050005-0x05FFFF)
0x060000-0x06FFFF  0393216-0458751  #env storage  / at 0x60000 CRC32 for (0x060005-0x06FFFF)
0x070000-0x07FFFF  0458752-0524287  #syslog storage
0x080000-0x08FFFF  0524288-0589823  #uboot_env(redund) /at 0x80000 CRC32 for (0x080005-0x08FFFF)
0x0FFF00-0x0FFFFF  1048320-1048575  #256 bytes image0 header/CRC32 at 0x0FFF18(reversed) for(0x100000-0x2A0CE7)
0x100000-0x2A0CE7  1048576-2755815  #Image0/magic number=0x2100FF03
0x47FF00-0x47FFFF  4718336-4718591  #256 bytes image1 header/CRC32 at 0x47FF18(reversed) for(0x480000-0x620CE7)
0x480000-0x620CE7  4718592-6425831  #Image1/magic number=0x2100FF03
0x7D0000-0x7DFFFF  8192000-8257535  #syslog storage(redund)
0x7F0000-0x7FFFFF  8323072-8388607  #env storage  / at 0x7F0000 CRC32 for (0x7F0005-0x7FFFFF)

image0 pid_addr 0x2a0ce8
image1 pid_addr 0x620ce8
64 bytes long encrypted gpon password at 0x7F0168

I went through cycles of gpon password changes. Always arriving with the same results for the flash dump called "used" from post #1
It is not my area of expertise. If someone is up for a challenge... here you go.
gpon pass=0000000000 (10 decimal characters)
encrypt_data=6a35842c290882b9397d259e2d77843ce6f8c796fcfd952362b1232b88bf4a04 (64 hex)

gpon pass=1111111111 (10 decimal characters)
encrypt_data=3c2546dce8cde2aa07687b58c3036ddf2d563d6f2157a7cc37c441e13c2267fc (64 hex)

I'm pretty much finished with this module. It is working pretty well. I'm still open for any future testing
if members of this forum come up with some new ideas.

1 Like

Your ISP allows you to use custom ONT? I have a no name chinese ONT that act as a GPON to Ethernet converter (will not do routing or PPPoE but passing L2 data straight to the Ethernet), I've dumped the firmware and changed the SLID, GPON S/N, MAC address to mimic my ISP provided ONT but it still don't want to work with my ISP's GPON network, I don't think my ISP allow customer to use custom ONT so I don't bother to ask them about it.

What I'm curious about is on your customer portal page, does it show anything related to the GPON ONT hardware? Firmware version/model/...? Because I think their OLT is using something else to authenticate the ONT but I still don't know exactly....

It is small ISP. Before I had Internet with them over radio waves, then they migrated to fiber optics. Just to be clear, I stopped by their office and asked politely if I can use my own ONT. On the ONT portal page basic information like S/N GPON password/MAC/model number/registration status are displayed. In the edit/add ONT mode a dropped down menu gives choice of several ONT profiles.
At what stage of authentication your connection is failing? First goal is to receive O5 ONT operation state before setting PPPoE over VLAN. Most of ISP don't bother but I read about one or two using RADIUS to check if ONT responds with correct firmware version.

no idea about authentication stage.... all I know is that I cannot do PPPoE dialing from my PC (worked just fine with the ISP-provided ONT when set to L2 bridge) with that custom ONT, the thing seems to be able to detect the fiber plugged in because it has TX RX power meter but other than that then I have no idea, it doesn't tell me anything else, looks like it's running a stripped down Huawei firmware or something...

Thank you for all this great information.

I found out that when you isolate pin 10 with some tape the SFP module stays in the integrated bootloader even before u-boot.
I am able to upload the same u-boot (0x000000 - 0x0333F4) (PIN3 is indeed the uart rx pin) with tera term.
Maybe somebody knows how to change the u-boot image such that we can read and write the flash.

For now I also soldered small wires to the flash chip and placed a diode in the VCC line so that when the SFP module not powered I can read the flash chip in-circuit without changing something.

I compared my flash dump with your sfporange1.bin. You can find mine here: https://ufile.io/gzmn03sz
I don't have an encrypt_data string.

How do you change the this GPON password?

Where is this "mib_file=HWTC" from post 3# coming from?

1 Like

Rixo,

Thank you for this valuable post. I would never guessed isolating pin #10 brings this ROM prompt!

ROM: V1.1.4
ROM: CFG 0x00000007
ROM: XMODEM
CCCC
ROM: CFG 0x00000007

Using XMODEM transfer I was able to upload the u-boot. Also I tried with bigger file to see how far it will go. Transfer stopped at 0x33480

After hitting random keys I noticed it responds to Ctrl-D
Subsequently, hitting it repeatedly produced another prompt. It expects values in uppercase.

CROM: Boot? (0-9A-F<CR>) 6


ROM: CFG 0x00000006
ROM: SFLASH-4
hw fuse format 1

U-Boot 2011.12-lantiq-gpon-1.2.20.1-svn20 (Aug 10 2015 - 13:49:58), Build: falcon_sfp

Board: SFP
DRAM:  internal: 1 MiB
Now running in RAM - U-Boot at: 9f2c4000
SF: Detected MX25L6405D with page size 64 KiB, total 8 MiB
Chip:  FALCON-SR (A22)
Bootmode: 0x06
Reset cause: Power-On Reset
CPU Clock: 400 MHz
Done!

Some other values I tried

ROM: CFG 0x00000001
ROM: NOR
ROM: CFG 0x00000002
ROM: NAND8, no ECC
ROM: CFG 0x00000003
ROM: NAND8, with ECC
ROM: CFG 0x00000004
ROM: SFLASH
ROM: CFG 0x00000005
ROM: SFLASH-2
ROM: CFG 0x00000006
ROM: SFLASH-4
CROM: CFG 0x00000007
ROM: XMODEM
ROM: CFG 0x00000008
ROM  �����?8�����
ROM: CFG 0x00000009
ROM: RGMII_A0
ROM: CFG 0x0000000A
ROM: RGMII_A1
ROM: CFG 0x0000000B
ROM: RGMII_A2
ROM: CFG 0x0000000C
ROM: RGMII_A3
ROM: CFG 0x0000000D
ROM: RGMII_B0
ROM: CFG 0x0000000E
ROM: RGMII_B1
ROM: CFG 0x0000000F
ROM: RGMII_B2
ROM: CFG 0x00000010
ROM: RGMII_B3
ROM: CFG 0x00000011
ROM: GMII_PHY
ROM: CFG 0x00000012
ROM: GMII_MAC
ROM: CFG 0x00000013
ROM: MII_PHY
ROM: CFG 0x00000014
ROM: MII_MAC
ROM: CFG 0x00000015
ROM: GPHY_0
ROM: CFG 0x00000016
ROM: GPHY_1
ROM: CFG 0x00000017
ROM: SGMII
ROM: CFG 0x00000018
ROM: SGMII-MAC ANEG
ROM: CFG 0x00000019
ROM: SGMII-PHY ANEG

Where is this "mib_file=HWTC" from post 3# coming from?

Content of first couple posts is not entirely mine. I mixed info copied from several forums.
mib_file string must have come from another flash dump.
https://www.dropbox.com/s/9n1sd8ckoaqgd7t/20190315_144612_MX25L6435.bin?dl=0

How do you change the this GPON password?

One of the ONT profiles on my portal displays (MGMT IP) when set. Telnet to that IP gives me access to the SFP menu.

Hello,

Interresting topic, I get same GPON Module, I have also find the TX pin but no RX (on test point)

After putting the module in a Livebox I can setup the SLID with the hidden page "sav-sfp" but the module did'nt work with my provider.

I can see RX/TX signal in my switch, Link is UP after disable auto negociation but I can"t reach the gateway.

I believe I should change the S/N number of the module,

Is the only way is to de solder memory chip ?

I have try to ping 192.168.2.200 or 192.168.100.X from LAN side , nothing answer.

Hi Louis42
I have my flash chip removed. In-circuit testing clips on the market are generally for SOP packages. Our flash chip uses WSON package. That makes difficult to attach a SOP clip without some modifications. The best is probably to solder tiny wires with in-series diode to the chip's pin #8, the same way Rixo did.

I compared my flash dump with your sfporange1.bin. You can find mine here: https://ufile.io/gzmn03sz
I don't have an encrypt_data string.

I had flashed your bin into my SFP module. After setting up the 1111111111 password, the encrypt_data string appeared.

00000000  30 30 30 30 30 32 00 69  6d 61 67 65 30 5f 69 73  |000002.image0_is|
00000010  5f 76 61 6c 69 64 3d 31  00 69 6d 61 67 65 31 5f  |_valid=1.image1_|
00000020  69 73 5f 76 61 6c 69 64  3d 31 00 65 6e 63 72 79  |is_valid=1.encry|
00000030  70 74 5f 64 61 74 61 3d  61 64 31 64 39 38 38 33  |pt_data=ad1d9883|
00000040  31 61 62 32 30 33 31 66  33 38 33 36 61 63 38 38  |1ab2031f3836ac88|
00000050  62 33 66 39 31 31 30 31  34 63 37 31 36 65 36 33  |b3f911014c716e63|
00000060  30 37 39 62 63 35 30 63  34 39 65 65 36 64 30 66  |079bc50c49ee6d0f|
00000070  35 37 66 63 38 30 36 36  00 ff ff ff ff ff ff ff  |57fc8066........|

Something else, I also spotted the password in A2h table (0x51) of the EEPROM

00000000  50 00 fb 00 4b 00 00 00  8c a0 75 30 87 8c 7a 44  |P...K.....u0..zD|
00000010  88 b8 00 00 75 30 00 00  9b 82 22 d0 7b 86 2b d4  |....u0....".{.+.|
00000020  07 cb 00 0c 06 30 00 0f  00 00 00 00 00 00 00 00  |.....0..........|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 3f 80 00 00  00 00 00 00 01 00 00 00  |....?...........|
00000050  01 00 00 00 01 00 00 00  01 00 00 00 00 00 00 12  |................|
00000060  17 d9 80 e8 16 52 00 00  00 00 00 00 00 00 02 00  |.....R..........|
00000070  01 40 00 00 01 40 00 00  00 00 00 00 00 00 00 00  |.@...@..........|
00000080  00 00 01 00 46 47 53 32  30 32 20 20 20 20 20 20  |....FGS202      |
00000090  20 20 20 20 20 20 20 20  53 43 4f 4d 46 47 53 32  |        SCOMFGS2|
000000a0  30 32 76 31 20 20 01 00  00 00 00 00 17 d9 00 00  |02v1  ..........|
000000b0  00 00 00 00 00 00 00 00  31 31 31 31 31 31 31 31  |........11111111|
000000c0  31 31 00 52 52 41 4e 47  45 53 43 4f 4d 46 47 53  |11.RRANGESCOMFGS|
000000d0  32 30 32 31 31 32 00 00  53 43 4f 4d 46 47 53 32  |202112..SCOMFGS2|
000000e0  30 32 31 31 32 00 03 00  00 00 10 00 01 00 00 00  |02112...........|
000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 20  |............... |

The range 0xB8-0xC1 is not write protected. Any I2C programmer should write these bytes without any problem.
Word of advice. It may be difficult to get any I2C readings from FGS202 unless SFP pin #6 is connected to ground and pin#7 held high (4.7k to Vcc)
If using RaspberryPi as a programmer. Install i2c-tools and connect
#1 3.3V
#3 SDA
#5 SCL
#6 GND

on SFP module
#1 GND
#4 SDA
#5 SCL
#6 GND
#7 4.7k to 3.3V
#15 3.3v

Hi Centaur

Thanks for your answer,

If I am not wrong I need to :

  • Desolder the flash from the SFP.
  • Solder tiny wire from SFP to the flash and put a diode on PIN 8 (For avoid issue for read flash without unplug it I believe ? )
  • Read / write flash with a clip

Hi Louis42

Option 1:
Remove the chip completely. Attach soft wires to all pins. Read/Write. Solder back.

Option 2.
If I understand correctly Rixo does in-circuit reading without the chip being removed. Pin #8 (VCC) needs to be lifted/separated to prevent current from flowing back into pcb.

Option 3.
Same like option 2, except use self-made clip for the WSON package.
Something like on the picture #5 or better https://imgur.com/a/ox4Ey