OpenWrt Forum Archive

Topic: Easybox 904 LTE open source code to be provide soon

The content of this topic has been archived between 1 Apr 2018 and 5 May 2018. Unfortunately there are posts – most likely complete pages – missing.

I have made some pictures of the internals.

Back of the Box
http://www0.xup.in/exec/ximg.php?fid=67275328


Front of the box
http://www0.xup.in/exec/ximg.php?fid=18832776

My question is how I can enable the UART mode, so that I can boot a U-Boot in RAM.
Maybe somebody here knows. The processor is a "XRX288 Ver A 14".
I'm writing a wiki entry for that device at the moment: http://wiki.openwrt.org/toh/arcadyan/easybox_904_lte
The bootloader needs a password to enter the menu. If somebody has an idea, please post it.

Best regards
middey

(Last edited by middey on 2 Aug 2013, 12:53)

I have now figured out how to get a recovery image.
I just extracted the original update with binwalk
and used the script MACverify.sh in /usr/sbin.
I called it as "./MACverify.sh fullUEN vodafone_update", then I renamed vodafone_update to fullimage.img and moved it to the tftpd root directory.
After that I started the tftpd server and set the IP to 192.168.2.100.
Then I held the reset button down and powered up the device. I released the reset button when the LCD showed a red screen with info on the recovery procedure.
Then the box flashes the image. In my case it took 2 minutes.
But to be safe you should wait 5-10 minutes.
Then you need to power-cycle the box.

If anyone is interested in the firmware image, just write a post here and I will try to explain what I know about it.

Best regards

Do you mean VRX288? This would be a Lantiq SoC. There is some documentation on Lantiq SoCs. "Image Name: MIPS LTQCPE Linux-2.6.32.32" => LTQ could stand for Lantiq.

AFAIK Lantiq SoCs have an integrated Ethernet switch, and Lantiq has no IP for 802.11 WNICs. Now what about the LTE chip?

In German: http://www.lte-anbieter.info/technik/ka … hp#tabelle

(Last edited by kirschwasser on 1 Jul 2013, 19:22)

Yeah, it is Lantiq-based I think. I can't say anything about the hardware yet because I have no shell access at all.
It already runs a modified OpenWrt, but Arcadyan never released the GPL code of _ANY_ router.
The recovery image is very special: the images get checked by a public key and have a signature file in them.
But the firmware check script has a security vulnerability: it doesn't check if the public key is on the system (it's in the bash script but commented out :) ).
mrkiko has mailed GPL Violations and somebody has contact with a lawyer from Vodafone.
The Vodafone men said that they will publish a GPL tarball, but I don't believe that till I see it.
If you are interested in this device, we can maybe build a firmware with telnet for the device to get more information about it.

I'm looking forward to hearing from you
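
The weakness described in this post (a signature check that never confirms the verifying key is one the device already trusts), shown beside a hardened form. This is an added example, not code from MACverify.sh or the vendor firmware; the file names payload.bin, payload.sig, pubkey.pem and device_pub.pem are assumptions, and all keys and payloads are constructed at run time.

```shell
#!/bin/sh
# Added example. Hypothetical update layout: payload.bin, payload.sig, pubkey.pem.

# Weak check: the trust anchor is the public key shipped inside the update,
# so whoever builds an update also supplies the key that "verifies" it.
verify_weak() {                     # $1 = unpacked update directory
    openssl dgst -sha256 -verify "$1/pubkey.pem" \
        -signature "$1/payload.sig" "$1/payload.bin" >/dev/null 2>&1
}

# Hardened check: the bundled key must be identical to a key already stored
# on the device, and the signature is verified against that stored key.
verify_pinned() {                   # $1 = update directory, $2 = key on device
    [ -r "$2" ] || return 2
    cmp -s "$1/pubkey.pem" "$2" || return 3
    openssl dgst -sha256 -verify "$2" \
        -signature "$1/payload.sig" "$1/payload.bin" >/dev/null 2>&1
}

# Build a constructed update signed with the private key in $2.
make_update() {                     # $1 = output dir, $2 = private key, $3 = payload text
    mkdir -p "$1"
    printf '%s\n' "$3" > "$1/payload.bin"
    openssl rsa -in "$2" -pubout -out "$1/pubkey.pem" 2>/dev/null
    openssl dgst -sha256 -sign "$2" -out "$1/payload.sig" "$1/payload.bin"
}

# Turn a check's exit status into a word.
verdict() { if "$@"; then echo accept; else echo reject; fi; }

# Constructed scenario: one update signed by the vendor key (whose public half
# is installed on the device) and one signed by an unrelated key.
demo() {
    w=$(mktemp -d) || return 1
    openssl genrsa -out "$w/vendor.key" 2048 2>/dev/null
    openssl genrsa -out "$w/other.key" 2048 2>/dev/null
    openssl rsa -in "$w/vendor.key" -pubout -out "$w/device_pub.pem" 2>/dev/null
    make_update "$w/good" "$w/vendor.key" "vendor firmware"
    make_update "$w/bad"  "$w/other.key"  "foreign firmware"
    echo "weak:   good=$(verdict verify_weak "$w/good") bad=$(verdict verify_weak "$w/bad")"
    echo "pinned: good=$(verdict verify_pinned "$w/good" "$w/device_pub.pem")" \
         "bad=$(verdict verify_pinned "$w/bad" "$w/device_pub.pem")"
    rm -rf "$w"
}

demo
```

The weak check accepts both updates because each one carries the key that matches its own signature; the pinned check accepts only the update whose key is already on the device.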

Hmkay, then GPL Violations is the way to go!

Personally I am not interested in this router. We have good wire-based broadband available and no money for the hardware nor for the LTE carrier. At the moment. This could change and we could want or need LTE ;-)

I am interested in an overview of the available silicon intellectual property regarding the "last mile" out there, and of course the available FOSS Linux support for these solutions. There does not seem to be really much competition and even less Linux support :-(

Have a look here: SoCs.

AFAIK Intel acquired SIP for DOCSIS from Texas Instruments but I don't see any products.

Broadcom definitely has its own SIP on DSL and DOCSIS; for both there is no FOSS support. Don't know about LTE or any older cellular standards (like UMTS, EDGE, CDMA2000). Broadcom also designed their own MIPS-based CPUs, which produced some problems. There was also a problem with a driver for some of their Ethernet IP that was not GPL'ed, and so on.

If you look at Openmoko, it is quite expensive. It seems to be a solid mobile phone, and I do not require any of the android-apps out there. But it is expensive. Biggest problem is (I think) the Linux support for the cellular SIP and of course the numbers of sold units. :-(((

If you read a bit around in the Internet, it also seems to be, that very old (ancient) solutions from 1980 get a patent in 2005. This kills possible competition right away.

I got a similar device, an easybox 904 xDSL. It would be great if I could use it with another provider, but it's impossible to change the account data or get access to the config files which have to be somewhere on the device. I found that it is possible to telnet to port 2001; there's some kind of configuration option but I have no idea how to use it.

A few days ago there was a new firmware released for the 904 xDSL, so it's possible to extract the squashfs from the firmware. Would it be possible to activate dropbox somehow and access the box via ssh? I've seen that the binaries are included and the whole system is a modified openwrt already. Here's the link: http://hilfe.vodafone.de/system/selfser … TOPIC_ID=0

any ideas?

Hi toyboy,
that's interesting. Google said that port 2001 is used by a telnet server or trojans; I think it should be a telnet server.
Some people from gpl-violations.org have managed to get the source code of the Easybox 904 LTE.
But it's not officially released; it's more like an alpha in which we should check if all GPL-licensed software is included.
I can't actually try if port 2001 is also open on the Easybox 904 LTE because I made a mistake while soldering and now I'm waiting for a desoldering iron.

The LTE firmware is locked down as much as possible. You cannot even enter the U-Boot without a password. The password is checked against a sha1 hash.
The console output is disabled right after starting the kernel.
Maybe you can join the IRC so that we can talk about it better.

PS: You should also go the way over gpl-violations.org, because Nils Faerber already has contact to Vodafone. http://lists.gpl-violations.org/piperma … 00278.html

Best regards

does anyone feel like donating a unit to openwrt so i can help port openwrt to this unit ?

hey middey, I opened my box now and found the 4-pin connector, I think that's the serial port? It's also visible in the pictures earlier in this thread. I will buy a serial to USB converter to access it; hopefully this will give access to a console session? Could you point me towards more information on how to access u-boot on such devices like the easybox 904 lte (and hopefully xDSL as well)? At the moment I can't even use the box because it's ISP locked, no way to enter new login information.

@ blogic: sorry, but I can't spare too much money at the moment... I got mine for what I think was a fair price... 50 euros on ebay. The xDSL is a neat device; if it was possible to run openwrt on it, it would serve all my home-LAN needs :)

hi toyboy, I have no good messages for you. I have connected the 4-pin connector (yes, it is a TTL port) but you have no access to the U-Boot.
If you interrupt the boot process you get asked for a password. In the source file of the U-Boot I found the passage in which the password is checked.
But it gets hashed with sha1 and compared with the sha1 hash hardcoded in the U-Boot. I think it is not possible to crack this sha1 hash.
I think you cannot even change the ISP in the config file. I think the ISP is hardcoded in a binary and till now you don't have the source code.
And if you get it, it's not sure if this binary code is included.
But maybe I have another possibility to gain access to the box. Update to the newest firmware. (I have looked a bit into it and as far as I can see they haven't deactivated the failsafe mode.)
So while booting you should press the reset button many times. But wait a little bit before you start, because when you press it too early the box will boot into a tftp mode.
PS: Can you make some photos of your device too?
@blogic my device is actually bricked because I made a mistake while soldering. I'm waiting for the tool that I have ordered, and hope I can remove the solder bridge on the flash.

Best regards

(Last edited by middey on 26 Jul 2013, 07:59)

Here are two pics of the easybox 904 xDSL:

also i connected the serial converter, put the baud rate to 115200 and saw this:

CONNECTING WITH 'Easybox 904 xDSL' =->

Connected.

ROM VER: 1.1.4
CFG 06
NAND
NAND Read OK

ROM VER: 1.1.4
CFG 06
NAND
NAND Read OK
nand_read_page - 00000008
DDR autotuning Rev 0.3c
DDR size from 0xa0000000 - 0xa7ffffff
DDR check ok... start booting...



U-Boot 2010.06-Lv2.0.40-A0.5 (Nov 22 2012 - 15:40:12)

CLOCK CPU 500M RAM 250M
DRAM:  128 MiB
NAND:  NAND device: Manufacturer ID: 0xec, Chip ID: 0xdc (Samsung NAND 512MiB 3,3V 8-bit)
512 MiB
Bad block table found at page 262080, version 0x01
Bad block table found at page 262016, version 0x01
nand_read_bbt: Bad block at 0x0000077e0000
nand_read_bbt: Bad block at 0x00000daa0000
In:    serial
Out:   serial
Err:   serial
Net:   Internal phy(GE) firmware version: 0x040b
vr9 Switch

Type "run flash_nfs" to mount root filesystem over NFS

Hit any key to stop autoboot:  0 
Uncompressing LCD bootup images ............... 
NAND read: device 0 offset 0x0000000004700000, size 0x0000000000300000
 0x300000 bytes read: OK
1. bootid : 2, bootnum : 2
Erasing at 0x4560000 -- 100% complete.
done
2. bootid : 2, bootnum : 3

NAND read: device 0 offset 0x000000001fa00000, size 0x0000000000500000
 0x500000 bytes read: OK
## Booting kernel from Legacy Image at 80800000 ...
   Image Name:   MIPS LTQCPE Linux-2.6.32.32
   Created:      2013-05-03   3:21:27 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1572800 Bytes = 1.5 MiB
   Load Address: 80002000
   Entry Point:  800061b0
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

Lantiq xDSL CPE VR9
mips_hpt_frequency = 250000000, counter_resolution = 2

when i hit a key while the message asks me to i can enter a password, it would be great to have that password...

CONNECTING WITH 'Easybox 904 xDSL' =->

Connected.

ROM VER: 1.1.4
CFG 06
NAND
NAND Read OK

ROM VER: 1.1.4
CFG 06
NAND
NAND Read OK
nand_read_page - 00000008
DDR autotuning Rev 0.3c
DDR size from 0xa0000000 - 0xa7ffffff
DDR check ok... start booting...



U-Boot 2010.06-Lv2.0.40-A0.5 (Nov 22 2012 - 15:40:12)

CLOCK CPU 500M RAM 250M
DRAM:  128 MiB
NAND:  NAND device: Manufacturer ID: 0xec, Chip ID: 0xdc (Samsung NAND 512MiB 3,3V 8-bit)
512 MiB
Bad block table found at page 262080, version 0x01
Bad block table found at page 262016, version 0x01
nand_read_bbt: Bad block at 0x0000077e0000
nand_read_bbt: Bad block at 0x00000daa0000
In:    serial
Out:   serial
Err:   serial
Net:   Internal phy(GE) firmware version: 0x040b
vr9 Switch

Type "run flash_nfs" to mount root filesystem over NFS

Hit any key to stop autoboot:  0 


please input password : 

wrong password, rebooting ... 0
ROM VER: 1.1.4
CFG 06
NAND
NAND Read OK
nand_read_page - 00000008
DDR autotuning Rev 0.3c
DDR size from 0xa0000000 - 0xa7ffffff
DDR check ok... start booting...



U-Boot 2010.06-Lv2.0.40-A0.5 (Nov 22 2012 - 15:40:12)

CLOCK CPU 500M RAM 250M
DRAM:  128 MiB
NAND:  NAND device: Manufacturer ID: 0xec, Chip ID: 0xdc (Samsung NAND 512MiB 3,3V 8-bit)
512 MiB
Bad block table found at page 262080, version 0x01
Bad block table found at page 262016, version 0x01
nand_read_bbt: Bad block at 0x0000077e0000
nand_read_bbt: Bad block at 0x00000daa0000
In:    serial
Out:   serial
Err:   serial
Net:   Internal phy(GE) firmware version: 0x040b
vr9 Switch

Type "run flash_nfs" to mount root filesystem over NFS

Hit any key to stop autoboot:  0 
Uncompressing LCD bootup images ............... 
NAND read: device 0 offset 0x0000000004700000, size 0x0000000000300000
 0x300000 bytes read: OK
1. bootid : 2, bootnum : 0
Erasing at 0x4560000 -- 100% complete.
done
2. bootid : 2, bootnum : 1

NAND read: device 0 offset 0x000000001fa00000, size 0x0000000000500000
 0x500000 bytes read: OK
## Booting kernel from Legacy Image at 80800000 ...
   Image Name:   MIPS LTQCPE Linux-2.6.32.32
   Created:      2013-05-03   3:21:27 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1572800 Bytes = 1.5 MiB
   Load Address: 80002000
   Entry Point:  800061b0
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

Lantiq xDSL CPE VR9
mips_hpt_frequency = 250000000, counter_resolution = 2

unfortunately this doesn't get me any further, like you already said before hmm
the method with pushing the reset button many times doesn't do anything for this box.

cheers

Hm ok,
Yesterday I unbricked my box and tried to build the new firmware with the GPL source code of it (thanks to GPL-Violations.org).
But while booting it freezes; my laptop didn't recognize the LAN port. And on the serial interface there was still no more output than before.
After that I edited include/image.mk so that it uses my dir to build a squashfs file from it. I extracted the Vodafone firmware into that dir and made my changes so that I now have telnet and serial enabled.
Now I'm dumping the flash of the device, and after that I will try flashing the GPL image on it and look at the debug output to see what happened.
I still don't know the password for the bootloader. I have the source files of the U-Boot, and in them the password is a sha1 hashed string.
I think it is impossible to crack the hash.
I will ask on IRC later what the best way to go is. Blogic and the other users on IRC helped me very much, so I'd like to say thank you to all.

@ toyboy if you want you can join the IRC channel #openwrt on irc.freenode.org. Then we can talk about it and don't spam the forums :)

Best regards

What about the hardware?
What 802.11 and what LTE chip is on the PCB?

Are the LTE drivers free or at least compiled for a current kernel?
Could they be used for mobile phones?

kirschwasser: I'm really new to Linux and so I don't know what's the best way to find out the answers to the questions above.
I haven't looked at the LTE driver because my SIM slot here is broken and I haven't yet booted an image built from the GPL sources.
I will edit the wiki later with a full bootlog.

EDIT:
I think it should use the RT3883iNIC as WiFi chip.

Best regards

(Last edited by middey on 2 Aug 2013, 14:44)

Some pictures of the Chips soldered to the PCB would suffice ;-)

I think the interesting parts are covered by the silver metal and the black thing on the SoC.
I will write down here the chips that I have found and googled.
1 VIA VT6212L 4-Port PCI USB Host http://www.via.com.tw/en/products/perip … sb/vt6212/
2 HN4842CG    near the LAN ports
1 Lantiq Xway Slic 120 for the telephone lines http://webcache.googleusercontent.com/s … ent=ubuntu
2 Lantiq PEF7071 http://gadgetcat.wordpress.com/tag/pef7071/
1 Lantiq PSB 21150 F V1.4 ISDN S/T/U HDLC Interface 1-Line 192Kbps 3.3V http://www.arrow.com/item/detail/lantiq/psb21150fv1.4

Best regards

(Last edited by middey on 3 Aug 2013, 08:35)

I'd like to have a second stage bootloader without a password.
But my skills are not good enough to make it by myself.
I discovered the file with the password check in the GPL sources; it is
./package/infineon-utilities/feeds/ifx_feeds_uboot/open_uboot/src.904lte/common/main.c
The checking routine "verify_password" is in
./package/infineon-utilities/feeds/ifx_feeds_uboot/open_uboot/src.904lte/board/vr9/sha1dgst.c
I changed the check from "verify_password(console_buffer) != 0" to "verify_password(console_buffer) == 0".
Then I built the complete buildroot, added a uImage header to the U-Boot and flashed it at the kernel position.
But after a reboot my device was in a boot loop. So I had to reflash the original firmware.

Maybe someone with more skills than mine can help me with this.
The download to the GPL Sources is http://dl.hald.pw/904lte-01.07.tar.gz

Best regards
middey

Did you try 123456 as requested password while booting up?

Broadcom firmwares use 123456 as default password for root user. It's a common practice in GPL firms from Comtrend.

Regards,
Alex

(Last edited by asmartin on 5 Oct 2013, 13:13)

For the password prompt on the serial console, please try "u50J09KaVO".

I tried these passwords on the Easybox 904 LTE, but they didn't work.
Astoria has now released the source code.

Best regards

That's weird.
What I posted is the decrypted sha1-hash the input is compared against. (From said sources. v1.07)
Of course, they could've changed the hash before releasing the sources or it changes once the box goes through the initial setup.

I do have a 904 myself, but it's in use almost 24/7 (and not only by me), so testing is a little hard.

What hash have you cracked? Can you post it here?
Do you also have the LTE version of the Easybox?
If you want, I can dump the bootloader and upload it for you.
But my skills are not good enough for me to find the hash in it.

Best regards

char dgst[20]={0x23,0xa4,0x0c,0x2a,0x45,0x49,0xea,0xe5,0x88,0xdc,0xa4,0x78,0x87,0xbb,0x5d,0x7c,0x55,0x90,0x44,0xf2};

equals; 23a40c2a4549eae588dca47887bb5d7c559044f2 - sha1.

I used the 1.07 package from www.astorianetworks.com/astoria/Easybox 904 LTE.html, as well as the package you linked above. Both have the same hash, so it doesn't really matter though the packages *are* different.

So if that doesn't work... well, step through the code I guess. If there's really nothing else going on, I'd either say they changed the pass or it gets changed somewhere in the initial setup procedure.

Take what I'm saying with a grain of salt though, I'm not *that* experienced myself. Just bored. smile

I don't know what I'm doing wrong.
When I generate the sha1 hash of u50J09KaVO I get b3c794d349137311f07422926a09092e3395ecec
The password must be wrong or I made a big mistake.
@shodan If you are in the IRC chat, can you write me your name?

Best regards