Yes, with a media converter or SFP switch. Or serial console of course.
1 Like
I've added a brief summary of the I2C commands provided by the sfp_i2c daemon.
0x79 - Enable (0/2) / Disable (1) serial console
0xE3 - Set sfp_a2_info environment variable ie. SFF-8472 A2h (Contains Serial Number, MAC Address, LOID Password)
0xE5 - Reboot (Kills PID 1)
0xE6 - Change ToD
0x80 (On Page 0x62) - Enable/Disable VLAN trunking
Examples:
Enable VLAN trunking:
i2cset -y 0 0x51 0x7F 0x62
i2cset -y 0 0x51 0x80 1
Reboot
i2cset -y 0 0x51 0xE5 1
I couldn't get the backdoor 0x79 to work and I don't have the time to investigate.
Essentially once you have serial communication you can break into OpenWRT failsafe mode on boot and run mount_root and modify /etc/passwd to change the root user shell to /bin/ash
2 Likes
Thanks, that's great information. Very promissing. What is the source of these commands? Is it complete?
This reminded me of a presentation from Mikrotik Users Meeting in 2018.
It would be great if soldering could be avoided.
Just a quick static analysis of the /opt/lantiq/bin/sfp_i2c binary. The enablement of VLAN trunking was utilized via script on a ISP CPE router which was the reason to dig deeper.
The code looks like an awful copy/paste hack job added by a beginner or lazy programmer when compared to what I assume is the original used in the Alcatel-Lucent G-010S-P which only has the 0xE3/5/6 command addresses.
Here's the CPE script
#!/bin/sh
#Set the password
i2cset -y 0 0x51 0x7B 0x56
i2cset -y 0 0x51 0x7C 0x4c
i2cset -y 0 0x51 0x7D 0x41
i2cset -y 0 0x51 0x7E 0x4e
#Read back password
i2cget -y 0 0x51 0x7B
i2cget -y 0 0x51 0x7C
i2cget -y 0 0x51 0x7D
i2cget -y 0 0x51 0x7E
#Set the adress A2H 127 to 0x62
i2cset -y 0 0x51 0x7F 0x62
#enable/disable trunking
i2cset -y 0 0x51 0x80 $1
My test rig is similar to that of the presentation
I did not thoroughly look at how to use the 79/E3/E6 commands but from my short test session 79 did not get triggered and judging by the codes loop and a bounds check start of 0x80 it might be a lost cause.
3 Likes
Or run this, also working fine if you are fast enough:
sed -i 's@/opt/lantiq/bin/minishell@/bin/ash@' /etc/passwd && cat /etc/passwd
Term macro:
:start
; Connect to COM3.
;
connect '/C=3'
setbaud 115200
; Set root shell
wait 'Please press Enter to activate this console.'
pause 5
sendln
wait 'root@SFP:/#'
sendln "sed -i 's@/opt/lantiq/bin/minishell@/bin/ash@' /etc/passwd && cat /etc/passwd"
wait '/bin/ash'
sendln
;closett
messagebox 'completed.' 'SSH Setup'
call start
end
Thanks to everyone who has contributed to this thread.
I'm attempting to configure an MA5671A over I2C - I don't have the soldering skills to construct a UART adapter, but am using Reveltronic's SFP adapter and a Raspberry PI to access pins 4+5 (SDA and SCL) and read/write the page A0h and A2h data.
This is mostly working, but the problem I'm having is writing to pages 0x60, 0x61 and 0x62.
Without sending the password (which I noticed spells "VLAN") in the script posted by up-n-atom, I am not able to even read pages 0x60, 0x61 and 0x62 (the content is just 0xaa in bytes 0x80-0xff).
If I send the "VLAN" password, then I am then able to select and read from pages 0x60, 0x61 and 0x62, but it doesn't appear possible to write to those pages - I can write to the VLAN byte (page 0x62, byte 0x80), but not to the MAC address location which I believe to be at offset 0x80 in page 0x61.
I don't have any problems writing to page 0 in A2h - I can change the PLOAM password, and the new value is then visible from the minishell when I reinsert the device back in my router.
Does anyone know if there are perhaps different passwords required for different configuration items?
Thanks.
3 Likes
To answer my own question, I simply needed to use what I've discovered to be the standard default password of 0x00 0x00 0x10 0x11. After writing that, I can read and write to all the A2h pages, including the "vlan" bit.
I haven't been able to test the device yet, but it looks like the important settings (PLOAM password, GPON Serial, GPON MAC) can all be set over i2c, without a need to reflash or gain access to the root filesystem.
5 Likes
I found tons of good information here, which inspired me to attempt to flash the MA5671A;
However, after typing 7 at the prompt, it does not go further; I have tried on several terminals (tera term, picocom, minicom, screen) but the results are the same.
Am I doing something wrong or missing a step here:
I am using the USB TTL as shared by @bmx29, and the only difference is I use the revelprog-IS SFP adapter such as the one also shared by @bmx29.
May anyone know what I could try differently to be able to flash it?
Thank you!
Hi! Ensure that rx, tx and GND are conected to the usb to ttl. GND is important, whitout gnd you receive data but send usually fails.
1 Like
Thanks for replying @markg23
It turned out that the RX connection was not in the proper pin when using the Revelprog-IS SFP adapter;
It has 3 Rx pins, and I was using one that proved to be incorrect.
Below is the picture of the correct assembly when using this adapter:
After that, I could send the 1224Abort.bin, and I am not flashing the Carlitoxx image.
I really appreciate your help.
Thank you!
Hey guys
I have UDM-Pro and two Wan links. My two ISP use Huawei OLTs. A link is linked directly to the UDM-PRO by a Carlitoxxpro. The other link is connected through a Huawei EG8010H ONU.
I have a Huawei SFP MA5671A GPON and after many attempts and reading many forums, I managed to unlock it. My intention with this MA5671 is to replace the EG8010H.
I have curr_state=5 with the command onu ploamsg, the problem is that I can't connect via PPPOE. I tested connecting the SFP to an MC220L and PPPOE media converter via Windows and also to a GL.INET router, without success. Directly on the UDM-PR did not work either.
What I notice differently is that with the command onu gtcsng the serial returned is different from the serial configured in the MA5671.
Any ideas or proposals on how I can move forward?
I bought an already stitched MA5671A, changed the interface settings, lost access to 192.168.1.10. I saved the firmware while it was working, question, can I reset the default settings, or should I firmware it?
I would like to recommend two websites that continue to develop software and work on this module
The latest custom release for the MA5671A was released on 25 August. It is worth noting that one of the original developers provides input on how to improve the firmware
https://www.right.com.cn/forum/thread-8220173-1-1.html.
A group of computer scientists from an Italian university consolidated the information and developed new methods to access this module.
1 Like
I flashed the firmware and it seems to work.
GPON status
| registration status | 1 |
|---|---|
| signal status | false |
| Received optical power | 0.00uW -infdBm |
| Transmitting optical power | 0.79mW -1.04dBm |
| CPU temperature | 72 ℃ |
| Laser temperature | 55 ℃ |
| connection rate | 1000M , Full Duplex |
| Number of restarts | Non-O5: 0 , OMCID: 0 |
| current boot partition | image0 |
| Interoperable version | Final_v2021_12_28_c2 / 2022.08.25 |
Is this temperature normal? It went to 80 without even having fiber connected.
Top usage seems a bit high, can somone post top output?
Mem: 25304K used, 35084K free, 68K shrd, 2428K buff, 7328K cached
CPU: 25% usr 73% sys 0% nic 0% idle 0% io 0% irq 0% sirq
Load average: 2.99 0.95 0.34 4/81 5408
PID PPID USER STAT VSZ %VSZ %CPU COMMAND
1464 1 root S 1544 3% 4% {monitoptic.sh} /bin/sh /opt/lantiq/b
3 2 root SW 0 0% 2% [ksoftirqd/0]
558 2 root SW 0 0% 1% [timer/onu-3]
2449 2174 root R 1520 3% 0% top
1201 1 root S 21004 35% 0% /opt/lantiq/bin/omcid -d 3 -p /etc/mi
1438 1 root S 1548 3% 0% {monitomcid.sh} /bin/sh /opt/lantiq/b
1661 800 root S 1216 2% 0% /usr/sbin/dropbear -F -P /var/run/dro
5405 5404 root R 25696 43% 0% /opt/lantiq/bin/otop -b -g s
1214 1 root S 10032 17% 0% /opt/lantiq/bin/ocal
917 1 root S 3244 5% 0% /opt/lantiq/bin/sfp_i2c -a
1163 1 root S 3204 5% 0% ipwatchd -c /etc/ipwatchd.conf
832 1 root S 2108 3% 0% /usr/sbin/uhttpd -f -h /www -r HUAWEI
1144 1 root S 1596 3% 0% {S68ssb_check.sh} /bin/sh /etc/rc.com
2174 1661 root S 1556 3% 0% -ash
5404 1464 root S 1544 3% 0% {monitoptic.sh} /bin/sh /opt/lantiq/b
711 1 root S 1516 3% 0% /sbin/netifd
1578 1 root S < 1516 3% 0% /usr/sbin/ntpd -n -N -S /usr/sbin/ntp
818 1 root S 1512 3% 0% /usr/sbin/telnetd -F -l /bin/login.sh
5173 1438 root S 1508 2% 0% sleep 10
1146 1144 root S 1508 2% 0% sleep 60
edit: it seems the high temperature and cpu usage is caused by a script monitoptic which polls otop for Signal detect = true all the time. So plugging the fiber actually fixes the cpu usage.
Hi,
Anyone tried MacchiatoBIN DoubleShot + MA5671A? I am using OpenWRT 22.03 and encountered below error. Also tried the Snapshot FW. Same issue.
[ 215.723384] sfp sfp-eth3: please wait, module slow to respond
[ 256.094746] sfp sfp-eth3: module HUAWEI MA5671A rev 0000 sn 485754434B7D9E9E dc 181116
[ 256.134703] hwmon hwmon3: temp1_input not attached to any thermal zone
[ 261.833262] sfp sfp-eth3: module persistently indicates fault, disabling
Hi!
I know this has been a long time since you posted this message, but I am encountering the exact same issue.
How did you solve this?
I'm quite intrigued as I managed to get access to the stick on 192.168.1.10, but after flashing mtd5, I got into this reboot issue.
Thx in advance for any help!
Hello,
I have just obtained a pair of MA5671A and I have a D-Link DGS-1210-10P to put them in.
I have all the info from my current GPON transceiver (password, serial etc.. I think all of it)
And I plan to give this a try to finally ditch my ISP's awful (and rental !) router
However this thread is very long and experimental.
Could someone knowledgeable with the flashing process spell out the process to go from 0 to OpenWRT on these transceivers ?
Reading here, it seems it does work, does it work in a stable manner ?
Hopefully this thread could become the basis for a wiki page for handling this device ?
Thanks !
Hi all. After several hits and misses I was able to get my MA5671A to get to O5 state, running carlitoxx firmware.
I have it in my edgerouter X-SFP. The SFP port is setup to 192.168.1.2 and I've set the ip of the SFP to static on 192.168.1.1.
Based on the WEB interface of the SFP, even after O5 it seems all network interfaces are in router mode and not bridged.
I setup a VLAN interface on the SFP port on my edgerouter as the ISP requires me to pppoe over VLAN 600. The problem is that I'm getting the standard "timeout waiting pado packets", meaning nothing is coming from edgerouter to the SFP and back when it comes to pppoe.
Can somebody share a screenshot of their working MA5671A network interfaces in the WEB or share the network config file please?
Looks like there is no way not to reboot 
I changed PLOAM, got it working and stopped hacking the device. I can get into it via ssh, it works fine with Mikrotik. No reason to hack it more
Good. Can someone tell me which SFP GPON is more complete and customized with webui manager. I found this one on aliexpress. Link
