Support MA5671A SFP GPON

For Developers
1

Hello
My location was recently switched to integrated receiver(part of the deal).Now I have a leftover module - MA5671A. This SFP module is based on lantiq chip PEB/PEF 98035

The module runs OpenWRT version 14.07, 64MB RAM, 16MB Flash Winbond W25Q128FV

Access to the full shell is restricted after login ssh root@192.168.1.10. Limited number of minishell commands are available:
lanpsg gtop otop show_version.sh display_version Configuration Version, reboot Status dmesg

How can I adapt it to install extra applications like speedtest-cli or iperf3?

dmesg(sanitized)

# dmesg
[    0.000000] Linux version 3.10.49 (gingis@Lantiq-DEV) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 14.07_ltq) ) #1 Wed May 17 22:32:19 CST 2018
[    0.000000] SoC: Falcon rev A22
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019556 (MIPS 34Kc)
[    0.000000] MIPS: machine is SFP - Lantiq Falcon SFP Stick
[    0.000000] e=memsize=64
[    0.000000] e=initrd_start=0xA0000000
[    0.000000] e=initrd_size=0x0
[    0.000000] e=flash_start=0xB0000000
[    0.000000] e=flash_size=0x36E4DC49
[    0.000000] e=ethaddr=48:57:09:11:de:ff
[    0.000000] MEMSIZE = 67108864
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] debug: ignoring loglevel setting.
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 03f00000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x03efffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x03efffff]
[    0.000000] On node 0 totalpages: 16128
[    0.000000] free_area_init_node: node 0, pgdat 80312610, node_mem_map 81003ec0
[    0.000000]   Normal zone: 126 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 16128 pages, LIFO batch:3
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0 
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16002
[    0.000000] Kernel command line: rootfstype=squashfs,jffs2 ip=192.168.1.10:192.168.1.100:192.168.2.0:255.255.255.0:::off ethaddr=48:57:02:42:7f:ff machtype=SFP ignore_loglevel vpe1_load_addr=0x83f00000 vpe1_mem=1M mem=63M mtdparts=sflash:256k(uboot)ro,512k(uboot_env),7424k(image0),8192k(linux) console= console=ttyLTQ0,115200 init=/etc/preinit
[    0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Writing ErrCtl register=0005420d
[    0.000000] Readback ErrCtl register=0005420d
[    0.000000] Memory: 60204k/64512k available (2587k kernel code, 4308k reserved, 664k data, 192k init, 0k highmem)
[    0.000000] NR_IRQS:328
[    0.000000] Setting up vectored interrupts
[    0.000000] CPU Clock: 400MHz
[    0.032000] Calibrating delay loop... 265.98 BogoMIPS (lpj=531968)
[    0.036000] pid_max: default: 32768 minimum: 301
[    0.040000] Mount-cache hash table entries: 512
[    0.048000] pinctrl core: initialized pinctrl subsystem
[    0.052000] NET: Registered protocol family 16
[    0.072000] pinctrl-falcon pinctrl.4: Init done
[    0.092000] bio: create slab <bio-0> at 0
[    0.096000] FALC(tm) ON GPIO Driver, (C) 2012 Lantiq Deutschland Gmbh
[    0.104000] Switching to clocksource MIPS
[    0.112000] NET: Registered protocol family 2
[    0.116000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[    0.124000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[    0.128000] TCP: Hash tables configured (established 512 bind 512)
[    0.136000] TCP: reno registered
[    0.140000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.144000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.152000] NET: Registered protocol family 1
[    0.156000] RPC: Registered named UNIX socket transport module.
[    0.160000] RPC: Registered udp transport module.
[    0.168000] RPC: Registered tcp transport module.
[    0.172000] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    0.180000] EASY98000 LED driver, Version 1.0.1 (c) Copyright 2013, Lantiq Deutschland GmbH
[    0.188000] Wired TLB entries for Linux read_c0_wired() = 0
[    0.196000] config3 0x2425 MT 1
[    0.196000] MVPControl 0x2, STLB 0 VPC 1 EVP 0
[    0.196000] mvpconf0 0xb8008403, PVPE 1 PTC 3 M 1
[    0.208000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.216000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.224000] msgmni has been set to 117
[    0.232000] io scheduler noop registered
[    0.232000] io scheduler deadline registered (default)
[    0.240000] 1e100c00.serial: ttyLTQ0 at MMIO 0x1e100c00 (irq = 104) is a lantiq,asc
[    0.248000] console [ttyLTQ0] enabled, bootconsole disabled
[    0.268000] m25p80 spi0.0: found w25q128, expected s25fl129p0
[    0.272000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[    0.276000] 4 cmdlinepart partitions found on MTD device sflash
[    0.280000] Creating 4 MTD partitions on "sflash":
[    0.284000] 0x000000000000-0x000000040000 : "uboot"
[    0.292000] 0x000000040000-0x0000000c0000 : "uboot_env"
[    0.300000] 0x0000000c0000-0x000000800000 : "image0"
[    0.304000] 0x000000800000-0x000001000000 : "linux"
[    0.312000] 0x000000926e57-0x000001000000 : "rootfs"
[    0.316000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.328000] mtd: device 4 (rootfs) set to be root filesystem
[    0.332000] mtd: partition "rootfs_data" created automatically, ofs=0xb40000, len=0x4c0000
[    0.340000] 0x000000b40000-0x000001000000 : "rootfs_data"
[    0.352000] wdt 1f8803f0.watchdog: Init done
[    0.356000] TCP: cubic registered
[    0.356000] NET: Registered protocol family 17
[    0.360000] 8021q: 802.1Q VLAN Support v1.8
[   12.424000] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[   12.428000] Freeing unused kernel memory: 192K (80330000 - 80360000)
[   15.128000] pps_core: LinuxPPS API ver. 1 registered
[   15.132000] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[   15.144000] PTP clock support registered
[   19.192000] jffs2: notice: (274) jffs2_build_xattr_subsystem: complete building xattr subsystem, 1 of xdatum (0 unchecked, 0 orphan) and 23 of xref (0 dead, 2 orphan) found.
[   21.584000] IFXOS, Version 1.6.6 (c) Copyright 2009, Lantiq Deutschland GmbH
[   21.660000] NET: Registered protocol family 10
[   21.680000] GPON SFP I2C Slave Driver, Version 2.2.1 (c) Copyright 2015, Lantiq Beteiligungs-GmbH & Co. KG
[   21.696000] [sfp_i2c] vpe code <sfp_i2c_vpe.bin> with size <4236 bytes> loaded!
[   21.704000] VPE loader: VPE1 running successfully
[   21.796000] FALC(tm) ON Optic Driver, version 7.5.1.0 (c) Copyright 2015, Lantiq Beteiligungs-GmbH & Co. KG
[   22.240000] FALC(tm) ON Base Driver, Version 7.5.1.0 (c) Copyright 2017, Intel Corporation - Testpatch GPONSW-3406 v H05
[   22.260000] [onu] GPIO5 stuck detected : PPS/LOS/NTR8K features are not available
[   22.280000] FALC(tm) ON Ethernet Driver, Version 7.5.1.0 (c) Copyright 2017, Intel Corporation - Testpatch GPONSW-3406 v H05
[   22.308000] mod_f24s: Unknown symbol skb_complete_tx_timestamp (err 0)
[   22.320000] mod_f24s: Unknown symbol skb_complete_tx_timestamp (err 0)
[   29.088000] i2c /dev entries driver
[   29.112000] Custom GPIO-based I2C driver version 0.1.1
[   29.128000] i2c-gpio i2c-gpio.0: using pins 37 (SDA) and 38 (SCL)
[   33.772000] [onu] serial number: HWTC8757beef
[   34.096000] [onu] password: 
[   34.132000] [onu] GPHY Firmware loaded into RAM (phy11g.bin)
[   34.388000] [onu] PE[255] firmware loaded v9.90.6.1
[   36.044000] libphy: Falcon MDIO: probed
[   36.068000] IPv6: ADDRCONF(NETDEV_UP): host: link is not ready
[   36.112000] IPv6: ADDRCONF(NETDEV_UP): lct0: link is not ready
[   38.444000] IPv6: ADDRCONF(NETDEV_UP): lct0: link is not ready
[   44.500000] IPv6: ADDRCONF(NETDEV_UP): host: link is not ready
[   45.404000] device exc entered promiscuous mode
[   53.176000] IPv6: ADDRCONF(NETDEV_CHANGE): lct0: link becomes ready
#
2

Port current OpenWrt to it as the best approach (that's a 2014 release).

If the packages you want to install don't require any kernel modules, there's a chance that the ones archived at http://archive.openwrt.org/barrier_breaker/14.07/ may be useful. If the OEM modified the build system from "official" Barrier Breaker, they may not work for you.

3

In the archive I find iperf and nice choice of interesting packages. If I could only escape the "walled garden" I tried every command I could think of.
Does anyone know how to obtain a fully interactive shell?

4

After "bombarding" the minishell with various commands for two days I decided to give up. My old roommate has this equipment to remove integrated circuits. I treat it as a failure because it is impractical and requires chip removal.
Next weekend we will attempt to retrieve data from the chip.

ma2
ma2.jpg1200×510 218 KB

5

This is a Lantiq GPON SFP, the company made this chip has defunct and merged with Intel, the source code for the GPON driver part is nowhere to be found so the chance of having a fully working, newer version Openwrt is very slim, your PCB shot looks exactly the one I have as "Alcatel Lucent" brand, you could dump the NAND flash with CH341A SPI reader from Chinese or with a RPI because the chip is SPI, I have my own NAND dump at my repo here: https://github.com/minhng99/alcatel_lucent-lantiq_falcon

my ALCL stick does allow access to the full linux shell... currently I couldn't make it work with my ISP yet, could you give me your NAND dump when you've pulled it out?

6

Finally, a full interactive shell. I changed one line in /etc/passwd from /opt/lantiq/bin/minishell to /bin/ash

root:x:0:0:root:/home/ONTUSER:/opt/lantiq/bin/minishell

Flash mtd layout

root@SFP:~# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 00040000 00010000 "uboot"
mtd1: 00080000 00010000 "uboot_env"
mtd2: 00740000 00010000 "linux"
mtd3: 006191d8 00010000 "rootfs"
mtd4: 00400000 00010000 "rootfs_data"
mtd5: 00800000 00010000 "image1"

command syntax used to compress squash file system.

squashfs-4.2-official/mksquashfs SQFS/ sqsh.bin -all-root -b 262144 -comp xz

// sqsh.bin padded with FF's to match original squashfs size=2200024 (from mtd2) / /

I'm little dissapointed, no uhttpd.

1 Like
7

@minhng99
I like the CH341A flash reader, just placed the order for myself. Thanks.

link to modified mtd2 image0 (full shell))

Full Image dump - uboot+uboot_env+image0+image1

The full image has uboot_env sanitized(serial number and MAC) image0 and image1 are original(restricted minishell)

Not only PCB are identical
md5 sums of mtd0=992b31a67c644aa68cf7f9caf956b1f9 for my Huawei and your Alcatel
U-Boot 2011.12-lantiq-gpon-1.2.24 (Nov 03 2014 - 22:46:28)

1 Like
8

Wow, so Huawei just rebrand the Alcatel-Lucent and install their OS then? Very interesting...

20191101-181249.jpg600×800

I wanted to try to flash your image because my OS don't forwarding PPPoE frames while my GPON state is authenticated (O5)

9

Yours have one more electronic part next to the flash.

A fix for Mikrotik users. Same Alcatel SFP
https://forum.mikrotik.com/viewtopic.php?f=3&t=116364#p758700

OMCID_BIN=/opt/lantiq/bin/omcid
#OMCI_MGR_BIN=/opt/lantiq/bin/omciLibMgr
#OMCI_PARSER_BIN=/opt/lantiq/bin/omciLibParser

${OMCID_BIN} -d3 ${uni2lan} -p $mib_file -o$omcc_version > /dev/console 2> /dev/console &
# ${OMCI_MGR_BIN} > /dev/console 2> /dev/console &
# sleep 5
# ${OMCI_PARSER_BIN} > /dev/console 2> /dev/console &
1 Like
10

Wow, thank you very much, it's worked, PPPoE dialing successfully!!! That guy also have the same stick G-010S-P as me, it's somewhere middle between Nokia and Alcatel-Lucent

that thread also have how to enable UART also which is very nice, I've probed every pins and haven't be able to find a working UART pin, you know there's no "factory reset" button on these thing so once I messed it up I have to pull the flash out and reflash it which is very frustrating.

11

Positive confirmation for UART on MA5671A. Pin 2 and Pin 7. With restricted minishell only Pin 2, fast scrolling display without ability to abort autoboot.

12

It apparently this stick doesn't forward IGMP, my IPTV doesn't work with this stick but works with another "more dumb" lantiq-based stick (Sercomm FGS202) which doesn't use Openwrt

13

Did you try to flash my image? I have no clue about IPTV.

14

no, it's my stock image with the OCMI modded... I don't really want to flash random images because they might hardware damage the thing by pulling the wrong I/O pin

the openwrt just doesn't forward IGMP traffic, normally they have igmpproxy package for that but it require a clear LAN/WAN interface meanwhile the GPON stick doesn't really expose the L2 WAN interface to the openwrt OS so I have no idea how to make it work

15

with the flash chip removed I get similar output like in fgs202 thread

ROM: V1.1.4
ROM: CFG 0x00000006
ROM: SFLASH-4
ROM: CFG 0x00000006
ROM: SFLASH-4
ROM: CFG 0x00000006
ROM: SFLASH-4
ROM: Boot? (0-9A-F<CR>) 7
ROM: CFG 0x00000007
ROM: XMODEM
CCCCCCCCCCCCCCC

With the flash chip back I've tried to tape over SFP ground pins 1,9,10. No effect.

edit:
Good people from allaboutcircuits forum suggested shorting DO and GND flash pins. That did not work.
Instead I shorted momentarilly flash pin 4(GND) and pin 5 (Data In) while powering up the sfp. Got the ROM prompt. From there: xmodem, transfer modified uboot, change env, load image and enjoy full shell access.

16

thanks for the trick, also be able to get into ROM here after I've nuked uboot accidentally...

I've put together a uboot code here that is supposedly for this device, last time I flashed it bindly it doesn't boot (I don't know how to make UART access back then so idk if it actually executed or not) but now I'm gonna try again.

17

It takes time but it's also possible to load the whole image and restore bricked SFP module without removing flash.

For Windows users this excellent software has support for xmodem and Kermit transfer protocols.

XMODEM - to transfer U-Boot(extract FFDD0022-1020BF from mtd0)

At uboot prompt 'loadb' command will use Kermit protocol to transfer mtd1/mtd2 into memory. It takes around 25 minutes for 7.6MB file. Step 2, 'sf' to write from memory to flash.
I will post exact commands and offsets next week.

Edit:

The modified mtd0 (1224ABORT.bin) will ignore the locked mtd1 (uboot_env).

1224ABORT.bin md5sum: 10e94a4b4acdc82dec20c7904b69e5c0
The name comes from U-Boot version 1.22.4 in case someone is wondering.

Use it with XMODEM after shorting pins 4 and 5 on the Windbond flash to return to the default unlocked environment.

After getting access to uboot_env on flash let's set permament access to the module. UART connected to pin#2 and pin#7 is required for this step.

FALCON => setenv bootdelay 5
FALCON => setenv asc0 0
FALCON => setenv preboot "gpio input 105;gpio input 106;gpio input 107;gpio input 108;gpio set 3;gpio set 109;gpio set 110;gpio clear 423; gpio clear 422; gpio clear 325; gpio clear402; gpio clear 424"
FALCON => saveenv

Recovery of bricked module. Confirmed working for MA5671A and G-010S-P modules.

#verify memstart and flashstart addresses
FALCON => bdinfo
boot_params = 0x83F37F98
memstart    = 0x80000000
memsize     = 0x04000000
flashstart  = 0xB0000000
flashsize   = 0x8A40A5C0
flashoffset = 0x00000000

#transfer desired file by Kermit into memory
FALCON => loadb
## Ready for binary (kermit) download to 0x80800000 at 115200 bps...

## Total Size      = 0x00040000 = 262144 Bytes
## Start Addr      = 0x80800000

#general syntax
#sf write "from memory address" "to flash offset" "length"

#to write mtd0(uboot)
sf probe 0
sf erase 0 40000
sf write 80800000 0 40000				 

#to write mtd1(uboot_env)
sf probe 0
sf erase 40000 80000
sf write 80800000 40000 80000 

#to write mtd2(image0)
sf probe 0
sf erase C0000 740000
sf write 80800000 C0000 740000

#to write mtd5(image1)
sf probe 0
sf erase 800000 740000
sf write 80800000 800000 740000

#example of writing mtd0(uboot)
FALCON => sf probe 0
SF: Detected W25Q128BV with page size 256 Bytes, erase size 4 KiB, total 16 MiB
FALCON => sf erase 0 40000
SF: 262144 bytes @ 0x0 Erased: OK
FALCON => sf write 80800000 0 40000
SF: 262144 bytes @ 0x0 Written: OK
FALCON =>

#display memory or flash content
md 80800000
md B0000000 (flash uboot)
md B0040000 (flash uboot_env)
md B00C0000 (flash image0)
18

Would you mind sharing short instructions how to compile uboot using your code. Tried make menuconfig. MAKEALL complains about missing ppc_8xx-gcc.

This is supposedly the most up to date branch, however I could't find any references to SFP
https://github.com/danielschwierzeck/u-boot-lantiq/tree/openwrt/v2014.07

Many SFP hits here.

Could not locate the source archive yet for OpenWrt 12.09 Attitude Adjustment. At least .config (config.lantiq_falcon) is posted. That's a good start.
xhttp://archive.openwrt.org/attitude_adjustment/12.09/lantiq/falcon/

From what I understand, lantiq uboot for SFP modules must be compiled for MIPS32 revision 2, board Falcon, cpu 34kc

19

None of the code I've found on the internet have any reference to the FALC ON board... I've managed to find a bunch of diff patch file somewhere that I don't remember but I've put together that repo and it's build-able
You need an old MIPS32 gcc here: https://github.com/minhng99/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2
And here's the commands to compile it:

export CROSS_COMPILE='/home/user/toolchain-mips_r2_gcc-4.6-linaro_uClibc-0.9.33.2/bin/mips-openwrt-linux-uclibc-'
export ARCH=mips
make easy980x0_norflash

make

There seems to be multiple board config variant for this device, you can check the list here:

EDIT: It's alive!!! my uboot code works!

Screenshot%20from%202019-12-05%2000-47-09
Screenshot%20from%202019-12-05%2000-47-09917×688 53.2 KB

But there's no SPI Flash code for the config I've built... the "sf" command isn't exist, it might need some extra work to make it fully functional, maybe it's supposed to be easy980x0_serialflash?

Screenshot%20from%202019-12-05%2003-10-56
Screenshot%20from%202019-12-05%2003-10-56832×638 70.3 KB

with the serialflash config, it found the SPI flash and even attempted to boot the kernel image, nice!

Looks like it have a SGMII driver, we may even be able to do netconsole with this

1 Like
20

Thank you. Incredible! With the "make easy980x0_serialflash" I have working u-boot. The compiled binary was named u-boot.bri.
I replaced original u-boot with this one. I am able to fully boot, ping and login@192.168.1.10 to my module. Will test some more, later after work.

1 Like