OpenWrt Forum Archive

Topic: Technicolor TD5130 revA1 Hacking - First Steps

The content of this topic has been archived on 18 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,
I am interested in porting OpenWrt to the Technicolor TD5130 router.
Well, I am a SW developer. I don't have good expertise in HW subjects, but I hope I can contribute to the project, since I have been making embedded SW for a company for many years without such expertise ^^
I read many pages of the documentation and of the wiki but I still have some questions...

1) How to get the HW information using the shell after boot? I looked into the "Remote Access Management" page of the router and I have just the telnet option to enable. There is no ssh and the telnet session is very limited; I can't execute commands like "cat /proc/cpuinfo". The only commands I can execute seem equivalent to the same commands available in the web interface. So I guess this access I have is not the shell, right?

2) I disassembled the router and it seems it has both serial and JTAG access (I'm at the very beginning of the study and I haven't soldered anything yet to confirm). So, do I really need this shell access after boot? Or can I skip this step and go straight to serial or JTAG?

3) I didn't understand very well if I will need to replace the bootloader. I guess I will need that if the OEM added some kind of blocking or checking that prevents other SW from being flashed, correct?

Nice weekend for everybody ^^

1) Indeed, that's not a shell.  Sometimes you can 'break out' of this kind of wrapper by executing 'shell' or '/bin/sh' or something like that. It can help if you can extract a firmware file, to find the wrapper. Executing 'strings' on it can reveal 'hidden' commands.
2) Depends. Sometimes you'll have a shell on serial, in that case you don't need a shell on network. (Although it's more convenient). But sometimes you only have a login prompt, with unknown credentials.
3) Correct. Although there might be other reasons to replace the bootloader. If it is that stripped down that you can't upload new firmware to the bootloader, it might also be necessary to replace it.

Hi all,
I managed to get access to the shell without the interference of the wrapper uhull cool
Well, now I'm in doubt about the next steps... Should I make a backup of the entire flash now (how to??)? Or should I concentrate on getting the information below (from the wiki)?

Certain information on router ABCD needs to be collected before it can be worked on. The device template has been created so that all of this information (and more) can be recorded in a consistent fashion.
The desirable information includes
    the type of CPU
    available GNU/Linux drivers for that hardware
    the type of Flash memory chip
    quality photograph of the PCB
    OEM boot log
    the type of bootloader
    the precise flash layout

(Last edited by thiagaopp on 3 Jul 2015, 17:10)

You only need to back up the flash if you plan to flash something else. The way that should be done depends on the hardware. When the box has NOR flash, maybe you can just copy the /dev/mtd* with dd. In case of NAND flash you need software like mtddump, flashdump, readflash, ... Cannot remember the exact name now. Have a look in /sbin or /usr/sbin on your router.
Both ways can have the problem that the firmware kernel doesn't 'see' all of the flash. If you can dump using the bootloader it's better.

Much of the 'desirable information' can be found in /proc.

Hi, any news about this Router?

Hi,

I have one of these sitting unused in my house, and today I tried to understand how it works... I opened it and attached some wires to make a serial console (sorry, no pics now; if anyone would like to know, I will post the details. I use an RS-232 to USB dongle).
Well, if you try to access the device over the Ethernet cable or Wi-Fi, you will find just a CLI to configure your router, nothing like a Linux shell, but with a serial console you can see the entire process from kernel boot.
They run some kind of Linux with kernel 2.6, so I bet it is possible to port OpenWrt to this machine.
If you press <ESC> before it loads the kernel, you can enter a console to flash the memory and change the system; it's very good for development.
If anyone wants to exchange experiences and join me in porting OpenWrt, please let me know.
The board has a place to put one USB header. I soldered one and tried plugging in a pendrive, but nothing happens. Checking the files, I wonder if it uses the missing USB port to share a USB printer, but I didn't find it on the system.
Here is a lot of text grabbed from serial (I fitted a fixed serial interface to make it easy to access the console again).

The first one, where I typed <ESC> before the kernel loading process...

Booting
Press 'ESC' to enter BOOT console...
Using Int. PHY
ip=192.168.1.1
mac=00:18:e7:9f:46:f4
(c)Copyright Realtek, Inc. 2009
Project RTL867X LOADER (LZMA)
Version 00.00.13g-led-cdp-133M-uartE-8MFWSPT (Aug 22 2012 14:05:09)

<RTL867X>elp
<RTL867X>help
help
info
reboot
run [app addr] [entry addr]
r [addr]
w [addr] [val]
d [addr] <len>
resetcfg
mac ["clear"/"osk"/mac address]
bootline
entry [address]
load [address]
xmodem [address]
tftp [ip] [server ip] [file name]
web
multicast
flashsize [256(k)/128(k)/1(M)/2(M)/4(M)/8(M)/16(M)]
memsize ROW[2k/4k/8k/16k] COL[256/512/1k/2k/4k] BANK[2/4]
<RTL867X>info
(c)Copyright Realtek, Inc. 2009
Project RTL867X LOADER (LZMA)
Version 00.00.13g-led-cdp-133M-uartE-8MFWSPT (Aug 22 2012 14:05:09)

<RTL867X>BootLine: file
MAC Address [0]: 00:18:E7:9F:46:F4
Entry Point: 0x80000000
Load Address: 0x80000000
Application Address: 0xBD010000
Flash Size: 16M
Memory Configuration: ROW:8K COL:512 Bank:4Banks
MII Selection: 0 (0: Int. PHY  1: Ext. PHY)

<RTL867X>

Normal boot process and some commands to show the hardware.

Booting
Press 'ESC' to enter BOOT console...
Using Int. PHY
ip=192.168.1.1
mac=00:18:e7:9f:46:f4
Decompress file... ok!
Linux version 2.6.19 (rain@dayan) (gcc version 3.4.6-1.3.6) #1 Mon Jul 28 19:52:01 CST 2014
CPU revision is: 0000ff00
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
User-defined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS0,115200 mem=32M root=31:1 panic=60
root_dev_setup 222 line:31:1
Primary instruction cache 16kB, linesize 16 bytes.
Primary data cache 8kB, linesize 16 bytes.
Synthesized TLB refill handler (17 instructions).
Synthesized TLB load handler fastpath (31 instructions).
Synthesized TLB store handler fastpath (31 instructions).
Synthesized TLB modify handler fastpath (25 instructions).
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 23620k/32768k available (3648k kernel code, 9148k reserved, 532k data, 136k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction...  disabled.
IMEM section size = 0x8558
NET: Registered protocol family 16
SCSI subsystem initialized
Sangoma WANPIPE Router v1.1 (c) 1995-2000 Sangoma Technologies Inc.
NET: Registered protocol family 2
IP route cache hash table entries: 256 (order: -2, 1024 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
Realtek GPIO Driver for Flash Reload Default
NET: Registered protocol family 21
squashfs: version 3.2 (2007/01/02) Phillip Lougher
io scheduler noop registered
io scheduler anticipatory registered
io scheduler deadline registered
io scheduler cfq registered (default)
memmap_pid load
sarbridge_dump load
leddump load
memrw load
fqdn MODULE loaded
Serial: 8250/16550 driver $Revision: 1.4 $ 1 ports, IRQ sharing disabled
netlog start
serial8250: ttyS0 at MMIO 0x0 (irq = 12) is a 16550A
PPP generic driver version 2.4.2
NET: Registered protocol family 24
8139cp Ethernet driver v0.0.7 (Feb 27, 2002)
eth0: RTL-8139C+ at 0xb8018000, 00:00:00:01:00:02, IRQ 26
RTL8672 NIC100 Probing..
eth0_sw0: RTL-8305 at port 0
eth0_sw1: RTL-8305 at port 1
eth0_sw2: RTL-8305 at port 2
eth0_sw3: RTL-8305 at port 3
init MLD Snooping...done
eth phy patch done!
phy 1 10M EEE disabled 100M EEE disabled
phy 2 10M EEE disabled 100M EEE disabled
phy 3 10M EEE disabled 100M EEE disabled
phy 4 10M EEE disabled 100M EEE disabled
phy 0 10M EEE disabled 100M EEE disabled
RTL8192C/RTL8188C driver version 1.1 (2010-03-31/2011-10-04)
=====>>INSIDE rtl8192cd_init_one <<=====
vendor_deivce_id=819110ec
val=5
val=c6
tx_power_tracking Thread create successfully!
_
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
=====>>EXIT rtl8192cd_init_one <<=====
=====>>INSIDE rtl8192cd_init_one <<=====
=====>>EXIT rtl8192cd_init_one <<=====
flash device: 0x1000000 at 0xbd000000
SFCR:0xb8001200 SFCSR:0xb8001208 SFDR:0xb800120c
can not get SPI chip driver!

MXIC matched!!get SPI chip driver!
Physically mapped flash: Found an alies 0x800000 for the chip at 0x0, mxic device detect.
use auto flash: 0x00800000
Creating 4 MTD partitions on "Physically mapped flash":
0x00000000-0x00010000 : "boot"
0x00010000-0x007c0000 : "rootfs"
0x007c0000-0x007e0000 : "data_store"
0x007e0000-0x00800000 : "data_store_bk"
u32 classifier
    input device check on
ip_conntrack version 2.4 (256 buckets, 2048 max) - 216 bytes per conntrack
ip_conntrack_pptp version 3.1 loaded
ip_conntrack_ipsec loaded
ip_conntrack_rtsp v0.6.21 loading
ip_conntrack_l2tp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
ip_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_time loading
/proc/DoS created
TCP cubic registered
Realtek SD2-FastPath v1.00beta_2.4.26-uc0
/proc/FastPath created
NET: Registered protocol family 1
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
Mobile IPv6
ip6_tables: (C) 2000-2006 Netfilter Core Team
/proc/DoS6 created
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Bridge firewalling registered
Ebtables v2.0 registered
NET: Registered protocol family 8
NET: Registered protocol family 20
ATM OAM F5 initialized.
ATM OAM F4 initialized.
Enable 8671G 1 function
Enable 8671 0 function
Enable 8672 function
ratm: RTL8670 SAR v0.0.2 (Jun 17, 2003)
/proc/AUTO_PVC_SEARCH created
SQUASHFS v2.0: patch superblock-inode-number from 0x17 to 0x110b9c
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 136k freed
init started: BusyBox v1.7.0 (Mon Jun  1 10:24:33 2009)
starting pid 84, tty '/dev/ttyS0': '/etc/init.d/rcS'

Bring up DSL-SkyHopper
Linux (none) 2.6.19 #1 Mon Jul 28 19:52:01 CST 2014 mips unknown
Starting system...
Mounting /proc: done.
mount: mounting none on /proc/bus/usb/ failed: No such file or directory
mount: mounting none on /sys/ failed: No such device
Brining up loopback interface: done.
Mounting /tmp: done.
Prepare for Samba
done.
Mounting /var: done.
Setting Hostname: done.
Insert modules: done
get content from flash to '/tmp/nvram.tmp'.
header fine, try part-load
is new part-conf
conf file size: 69110
Bring up bridge done
Brining up eth(LAN) interfaceeth0: Promiscuous mode enabled.
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
 done
Initial iptables default chains:done
Initial ip6tables default chains:done
Initial ebtables default chains:done
datastore started.
ADSL2PlusRouter login: mallinfo:
*mi.fordblks = f08
*mi.uordblks = f8
*mi.arena = 1000
mi.smblks = 0
mi.ordblks = 1
mi.hblks = 0
mi.hblkhd = 0
mi.fsmblks = 0
mi.keepcost = f08
mi.usmblks = 1000
PVC Number = 1. Set Desc number per VC = 62
fixme atm_find_ci in sar_open!
ratm(itf 0): open 0.35
create: ch0 (0/35) 6000,0
sar_close
ATM OAM F5 initialized.
ATM OAM F4 initialized.
Enable 8671G 1 function
Enable 8671 0 function
Enable 8672 function
create: ch0 (0/35) 6000,0
applying workaround...done

InitAdslMode....

InitAdsl
Oct  3 17:54:07 [DHCPserver]: DHCP server up

ip_conntrack_rtsp v0.6.21 loading
set dos:0x0
block time:300
v6addr->s6_addr32[0]: 00000000
v6addr->s6_addr32[1]: 00000000
v6addr->s6_addr32[2]: 00000000
v6addr->s6_addr32[3]: 00000000
set dos:0x0
block time:300
ip_conntrack_ipsec loaded
ip_conntrack_pptp version 3.1 unloaded
ip_conntrack_pptp version 3.1 loaded
ip_conntrack_pptp version 3.1 unloaded
ip_conntrack_l2tp version 3.1 loaded

ADSL2PlusRouter login: admin

# cd /proc

# cat cpuinfo
system type             : RTL8672
processor               : 0
cpu model               : R3000 V0.0
BogoMIPS                : 398.95
wait instruction        : no
microsecond timers      : no
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
VCED exceptions         : not available
VCEI exceptions         : not available

#


# cat meminfo
MemTotal:        23756 kB
MemFree:          4496 kB
Buffers:          1736 kB
Cached:           8148 kB
SwapCached:          0 kB
Active:           7060 kB
Inactive:         6032 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:               0 kB
Writeback:           0 kB
AnonPages:        3224 kB
Mapped:           2908 kB
Slab:             4856 kB
SReclaimable:      424 kB
SUnreclaim:       4432 kB
PageTables:        468 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:     11876 kB
Committed_AS:     7204 kB
VmallocTotal:  1048404 kB
VmallocUsed:      1188 kB
VmallocChunk:  1047140 kB
#

# uname -a
Linux ADSL2PlusRouter 2.6.19 #1 Mon Jul 28 19:52:01 CST 2014 mips unknown
#



# cat cmdline
console=ttyS0,115200 mem=32M root=31:1 panic=60
#


# cat diskstats
  31    0 mtdblock0 0 0 0 0 0 0 0 0 0 0 0
  31    1 mtdblock1 151 1549 3400 1080 0 0 0 0 0 1080 1080
  31    2 mtdblock2 0 0 0 0 0 0 0 0 0 0 0
  31    3 mtdblock3 0 0 0 0 0 0 0 0 0 0 0
#

# cat mtd
dev:    size   erasesize  name
mtd0: 00010000 00001000 "boot"
mtd1: 007b0000 00001000 "rootfs"
mtd2: 00020000 00001000 "data_store"
mtd3: 00020000 00001000 "data_store_bk"
#


# cat filesystems
nodev   rootfs
nodev   bdev
nodev   proc
nodev   sockfs
nodev   pipefs
nodev   tmpfs
nodev   devpts
        squashfs
nodev   ramfs
nodev   mqueue
#

# cat partitions
major minor  #blocks  name

  31     0         64 mtdblock0
  31     1       7872 mtdblock1
  31     2        128 mtdblock2
  31     3        128 mtdblock3
#

# cat iomem
00000000-01ffffff : System RAM
  00000000-0038ffff : Kernel code
  00390000-004150bf : Kernel data
#

(Last edited by domingos.paraiso on 8 Aug 2017, 21:38)
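
Added example (not part of the original posts): a host-side Python check over the serial capture above, tied to the earlier caveat that the firmware kernel may not see all of the flash. It cross-checks the kernel's MTD ranges against /proc/mtd, gives the byte count each /dev/mtdN dump should have, and flags that the loader reports 16M while the kernel maps 0x800000; the function names and the trimmed sample text are assumptions made here.

```python
import re

# Constructed sample: loader "Flash Size" line and kernel MTD ranges copied from the log above.
BOOT_LOG = '''\
Flash Size: 16M
0x00000000-0x00010000 : "boot"
0x00010000-0x007c0000 : "rootfs"
0x007c0000-0x007e0000 : "data_store"
0x007e0000-0x00800000 : "data_store_bk"
'''
# Constructed sample: the "cat mtd" output from the post above.
PROC_MTD = '''\
dev:    size   erasesize  name
mtd0: 00010000 00001000 "boot"
mtd1: 007b0000 00001000 "rootfs"
mtd2: 00020000 00001000 "data_store"
mtd3: 00020000 00001000 "data_store_bk"
'''

def parse_proc_mtd(text):
    """Return [(dev, size_bytes, name)] from /proc/mtd text."""
    pat = re.compile(r'^(mtd\d+):\s+([0-9a-f]+)\s+[0-9a-f]+\s+"([^"]*)"', re.M | re.I)
    return [(d, int(s, 16), n) for d, s, n in pat.findall(text)]

def parse_boot_ranges(text):
    """Return [(start, end, name)] from the kernel's MTD partition lines."""
    pat = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]*)"', re.M | re.I)
    return [(int(a, 16), int(b, 16), n) for a, b, n in pat.findall(text)]

def audit(boot_log, proc_mtd):
    """Cross-check both views; report what must be resolved before trusting a dump."""
    ranges, parts = parse_boot_ranges(boot_log), parse_proc_mtd(proc_mtd)
    findings = []
    if len(ranges) != len(parts):
        findings.append("partition count differs between boot log and /proc/mtd")
    for (start, end, rname), (dev, size, pname) in zip(ranges, parts):
        if rname != pname or end - start != size:
            findings.append(f"{dev}: /proc/mtd disagrees with boot log")
    pos = 0  # end of the previous partition; detects holes the kernel does not expose
    for start, end, name in ranges:
        if start != pos:
            findings.append(f"gap 0x{pos:08x}-0x{start:08x} before {name}")
        pos = end
    m = re.search(r'^Flash Size: (\d+)M', boot_log, re.M)
    loader = int(m.group(1)) << 20 if m else None
    if loader is not None and loader != pos:
        findings.append(f"loader reports 0x{loader:x} bytes, kernel maps 0x{pos:x}")
    sizes = {dev: size for dev, size, _ in parts}
    return {"mapped": pos, "expected_dump_sizes": sizes, "findings": findings}
```

Compare the size of each dumped file against expected_dump_sizes before relying on the backup.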

The discussion might have continued from here.