OpenWrt Forum Archive

Topic: Sagem Fast 5655

The content of this topic has been archived on 23 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm trying to use this device (which is branded by the telecom), and it doesn't allow setting anything when not connected to their fiber network.

I've managed to get UART - there are two of them, and two Linuxes running there - one on an ARC processor (guessing that's the GPON) and one on the BCM96838 (that one interests me).

The issue is that CFE and U-Boot don't allow interrupting the boot process (I tried Ctrl+C, which prints "Abort" and booting continues).

Does anybody have any idea how to get into the Linux running on the BCM?

Here's the bootlog:

BTL1
HELO
CPUI
L1CI
CPUI
L1CI
ZBSS
CODE
DATA
L12F
MAIN
OTP?
OTPP
ROTB
SCBT
NAND
IMG?
IMGL
HDR?
HDRP
MCV?
KEY?
KEYA
MID?
MIDP
MCVA
SBI?
SBIA
PASS
----
HELO
CPUI
L1CI
PLLI
PMCB
4.1603-1.0.38-116.174
DRAM
----
PHYS
ZQDN
PHYE
DINT
TST1
TST2
PASS
----
ZBSS
L12F
MAIN
Version cfe-rom: 7.31.6.7
FPS0
SVOL
NGEO
FVLY
FVLY
RVOL
KEY1
RVOL
BTL?
BTLA
PASS
J2EP


Base: 4.16_03
CFE version 1.0.38-116.174 for BCM96838 (32bit,SP,BE)
Build Date: Wed Oct  5 10:30:52 CEST 2016 (g110680@rmm-p1303265fl)
Copyright (C) 2000-2013 Broadcom Corporation.
Version cfe-ram: 7.31.6.7

Boot Strap Register:  0x800078ff
Chip ID: BCM68380_B0, MIPS: 600MHz, DDR: 533MHz, Bus: 240MHz
RDP: 800MHz
Main Thread: TP0
Total Memory: 268435456 bytes (256MB)
Boot Address: 0xbfc00000

NextLevelBoot U-boot @ 0x8fe00000

NAND ECC BCH-4, page size 0x800 bytes, spare size used 64 bytes
NAND flash device: Micron MT29F1G08AAC, id 0x2cf1 block 128KB size 131072KB
Configuring RGMII pinpux
Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host/tftp (f/h/c)  : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Default host ramdisk file name    :   
Default ramdisk store address     :   
Board Id (0-45)                   : F@ST5656OPL  
Number of MAC Addresses (1-32)    : 11  
Base MAC Address                  : xx:xx:xx:xx:xx:xx  
PSI Size (1-64) KBytes            : 40  
Enable Backup PSI [0|1]           : 1  
System Log Size (0-256) KBytes    : 0  
Auxillary File System Size Percent: 0  
Main Thread Number [0|1]          : 0  
GPON Serial Number                : "SMBXXXXXXXX"  
GPON Password                     : "1234567890"  
MC memory allocation (MB)         : 4  
TM memory allocation (MB)         : 20  
WLan Feature                      : 0x00  
Voice Board Configuration (0-3)   : SI32260_1FXS_1  

enable IH Wan-Wan forwarding...
data_path_go Done!!
Set EMAC4 as RGMII
Set EMAC4 as RGMII
Creating CPU ring for queue number 0 with 32 packets descriptor=0x8068b8c4
 Done initializing Ring 0 Base=0xa2214220K End=0xa2214420K calculated entries= 32 RDD Base=0x02214220K descriptor=0x8068b8c4
Open PHY 1 on MAC 0 : link state = Down
Open PHY 2 on MAC 1 : link state = Down
Open PHY 3 on MAC 2 : link state = Down
Open PHY 4 on MAC 3 : link state = Down
Open PHY 0 on MAC 4 : link state = Down
Initializing UBI to launch u-boot!
Running UbiScan...

Found 547 UBI logical blocks on NAND
UBI Layout volume is on logical block 3d7
initialize_ubi...cferam reading uboot  ======================= !!!
UBI volume uboot has id 2
Correctable ECC Error detected: addr=0x002b4200, intrCtrl=0x00000090, accessCtrl=0xE3441010
read 1076992 bytes from UBI volume 2
We got aes_key1
UBI volume aes_key2 has id 6
We got aes_key2 enc
read 64 bytes from UBI volume 6
Ubi U-Boot Entry at 0x8fe00000
Closing network.
Starting program at 0x8fe00000

U-Boot 2011.12
Version: 7.31.6.7-full (Oct 05 2016 - 10:30:29) 
Copyright (C) 2011 - 2013 Sagemcom All rights reserved
Board: Sagemcom fast
CPU: Broadcom BCM68380 (Chip1 Rev4)
DRAM:  256 MiB
NAND:  128 MiB
Using default environment

Creating 1 MTD partitions on "nand0":
0x0000000c0000-0x000007b00000 : "mtd=2"
UBI: attaching mtd1 to ubi0
UBI: physical eraseblock size:   131072 bytes (128 KiB)
UBI: logical eraseblock size:    126976 bytes
UBI: smallest flash I/O unit:    2048
UBI: VID header offset:          2048 (aligned 2048)
UBI: data offset:                4096
UBI: attached mtd1 to ubi0
UBI: MTD device name:            "mtd=2"
UBI: MTD device size:            122 MiB
UBI: number of good PEBs:        978
UBI: number of bad PEBs:         0
UBI: max. allowed volumes:       128
UBI: wear-leveling threshold:    256
UBI: number of internal volumes: 1
UBI: number of user volumes:     12
UBI: available PEBs:             108
UBI: total number of reserved PEBs: 870
UBI: number of PEBs reserved for bad PEB handling: 9
UBI: max/mean erase counter: 10/1
Read 6632 bytes from volume permanent_param to 8de25420
Unable to retrive mac_addr from lanBaseMacAddr
mac_addr set according to wanBaseMacAddr
NVRAM MAC addr:xxxxxxxx
NVRAM GSN:xxxxxxxx
No need to update NVRAM mac addr/gsn
Net:   enable IH Wan-Wan forwarding...
data_path_go Done!!
Set EMAC4 as RGMII
Set EMAC4 as RGMII
Creating CPU ring for queue number 0 with 32 packets descriptor=0x8ff07108
 Done initializing Ring 0 Base=0xafa05130 End=0xafa05330 calculated entries= 32 RDD Base=0x0fa05130 descriptor=0x8ff07108
BCM63xxx_RUN
sb3: sb3_sagem_init()
sb3: action: 1002
Aes_key2 is available
Read 64 bytes from volume aes_key_operator to 8ddc0238
sb3: sb3_boot( operational )
sb3: top available addr 0x8dcc0000, ram available = 0xd8c0000 
sb3: read image operational size=1d4e000 to address=8bf70000
sb3_load_ubivol: max_load_size=227278848
Read 30728192 bytes from volume operational to 8bf70000
sb3: image operational has gsdf format
sb3: image operational signature OK
sb3: No pre-boot commands
sb3: setting kernel args
bootm 8BF8F000 
## Booting kernel from Legacy Image at 8bf8f000 ...
   Image Name:   FTPL_02.01.23
   Created:      2016-11-21  10:29:01 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    2752512 Bytes = 2.6 MiB
   Load Address: 80010000
   Entry Point:  804431d0
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

ramoops: The memory size and the record size must be non-zero
ramoops: The memory size and the record size must be non-zero
ramoops: The memory size and the record size must be non-zero
mtd: bad character after partition (-)
init started: BusyBox v1.13.3 (2016-11-21 11:08:15 CET)
starting pid 404, tty '': '/etc/init.d/sysinit'

SYSINIT

SoftAtHome HGW version: FTPLSF02.01.23#17
Compiled on sahwbld04.be.softathome.com, Mon, 21 Nov 2016 11:27:26 +0100

Mounting proc filesystem ...
Mounting sys filesystem ...
Mounting tmpfs filesystem (/dev) ...
Mounting tmpfs filesystem (/var) ...
Mounting tmpfs filesystem (/var/log) ...
Mounting tmpfs filesystem (/tmp) ...
Mounting usbfs filesystem (/proc/bus/usb) ...
Mounting pstore filesystem (/mnt/pstore) ...
Mounting cgroup filesystem (/sys/fs/cgroup/)
> NORMAL BOOT <


> BOOT SYSTEM <

=======> Bootloader requests a soft reset!! <=======

Executing soft reset.
Run reset scripts
killall: dms: no process killed
killall: dlna_monitor: no process killed
Jan  1 01:00:10 pcb_cli:         - [x]Could not connect to pcb://ipc:{/var/run/pcb_sys} - (logerr@env.c:98)
Jan  1 01:00:10 pcb_cli:         - [x]Could not connect to pcb://ipc:{/var/run/pcb_sys} - (logerr@env.c:98)
Jan  1 01:00:10 pcb_cli:         - [x]Could not connect to pcb://ipc:{/var/run/pcb_sys} - (logerr@env.c:98)
Jan  1 01:00:11 pcb_cli:         - [x]Could not connect to pcb://ipc:{/var/run/pcb_sys} - (logerr@env.c:98)
Jan  1 01:00:12 pcb_cli:         - [x]Could not connect to pcb://ipc:{/var/run/pcb_sys} - (logerr@env.c:98)
Jan  1 01:00:12 pcb_cli:         - [x]Could not connect to pcb://ipc:{/var/run/pcb_sys} - (logerr@env.c:98)
Jan  1 01:00:13 pcb_cli:         - [x]Could not connect to pcb://ipc:{/var/run/pcb_sys} - (logerr@env.c:98)
Jan  1 01:00:13 pcb_cli:         - [x]Could not connect to pcb://ipc:{/var/run/pcb_sys} - (logerr@env.c:98)
Jan  1 01:00:13 pcb_cli:         - [x]Could not connect to pcb://ipc:{/var/run/pcb_sys} - (logerr@env.c:98)

*********************** Populating /cfg/system


*********************** /cfg/system Populated

cp: cannot stat '/usr/lib/dropbear/.ssh/*': No such file or directory
 start rc.sysinit
Mounting other filesystems ...
Switching to RUNLEVEL 1 ...
start combining scripts: 13.95 14.31
stop combining scripts: 14.09 14.35
removing abort trigger
*********************** Starting script /etc/rc1.d/S00apparmor at: 14.11 14.38
*********************** Starting script /etc/rc1.d/S00faultmonitor at: 30.29 30.19
*********************** Starting script /etc/rc1.d/S00syslogd at: 30.32 30.21
*********************** Starting script /etc/rc1.d/S01EnableRebootOnCrash at: 30.37 30.25
panic_on_page_allocation_failure flag is not present in this kernel release...
*********************** Starting script /etc/rc1.d/S01EnableRebootOnOOM at: 30.45 30.25
*********************** Starting script /etc/rc1.d/S01sysbus at: 30.47 30.27
*********************** Starting script /etc/rc1.d/S01sysctl at: 30.76 30.40
*********************** Starting script /etc/rc1.d/S02hardware at: 30.79 30.44
grep: /etc/config/hgwcfg.*: No such file or directory
eth4 Link UP 1000 mbps full duplex
modprobe: Module pwrmngtd not found.
Board not populated with PMD 
mknod: /dev/bpm: File exists
ret code = 0.
ret code = 0.
ret code = 0.
ret code = 0.
ret code = 0.
*********************** Starting script /etc/rc1.d/S03wanconf at: 40.23 37.66
Starting wanconf...
*********************** Starting script /etc/rc1.d/S03wlan_quantenna at: 40.30 37.69
*********************** Starting script /etc/rc1.d/S05hgwcfg_init at: 40.35 37.69
*********************** Starting script /etc/rc1.d/S05nbr_cancel at: 41.98 38.55
*********************** Starting script /etc/rc1.d/S07ebttcpmss at: 42.00 38.56
*********************** Starting script /etc/rc1.d/S07l2dhcprelay at: 42.14 38.68
*********************** Starting script /etc/rc1.d/S10netmodeconfig1 at: 42.24 38.77
1024+0 records in
1024+0 records out
1024 bytes (1024 B) copied, 0 s, 34.133333 kB/s





*********************** Starting script /etc/rc1.d/S10usermngt at: 50.35 46.34
*********************** Starting script /etc/rc1.d/S17faultmonitorplugin at: 50.88 46.73
*********************** Starting script /etc/rc1.d/S17led_plugin at: 50.98 46.82
*********************** Starting script /etc/rc1.d/S20nemo-core at: 51.20 47.00
/etc/nemo-defaults.odl:12: error: failed to create instance for Intf
/etc/nemo-defaults.odl:164: error: failed to create instance for Intf
Error loading object definition file
*********************** Starting script /etc/rc1.d/S20network at: 51.92 47.65
*********************** Starting script /etc/rc1.d/S20pppd at: 51.97 47.69
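
Two different checks appear in the log above: "sb3: image operational signature OK" (Sagemcom's signed-image check) and U-Boot's own "Verifying Checksum ... OK" for the legacy image at 8bf8f000. The following is an added example, not code from the poster, Sagemcom or OpenWrt, that parses and verifies a U-Boot legacy ("uImage") header the way that second step does. The header layout and constants come from U-Boot's include/image.h; the sample image is constructed inline using only the name, load address, entry point and creation time shown in the log, and `build_uimage`, `SAMPLE_TIME` and `is_valid_uimage` are helpers written for this example. The point it shows is that the CRC check detects corruption but not substitution: rebuilding a modified payload with fresh CRCs verifies just as well, which is why the signature step, not the checksum, is what stands between the bootloader and a replaced kernel.

```python
"""Parse and verify a U-Boot legacy ("uImage") header of the kind the log's
"## Booting kernel from Legacy Image" step prints.  Added example; the sample
image built below is constructed, not the router's real kernel."""
import calendar
import struct
import time
import zlib

IH_MAGIC = 0x27051956             # uImage magic from U-Boot include/image.h
IH_NMLEN = 32                     # length of the image-name field
HEADER_FMT = ">IIIIIIIBBBB32s"    # every field is big-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 64 bytes

# Subset of the enum values U-Boot prints; enough for a MIPS Linux kernel.
IH_OS = {5: "Linux"}
IH_ARCH = {5: "MIPS"}
IH_TYPE = {2: "Kernel Image"}
IH_COMP = {0: "uncompressed", 1: "gzip compressed"}

# Constructed: the timestamp shown in the log ("Created: 2016-11-21 10:29:01 UTC").
SAMPLE_TIME = calendar.timegm((2016, 11, 21, 10, 29, 1, 0, 0, 0))


def parse_uimage(blob):
    """Return the header fields plus header_crc_ok / data_crc_ok flags.
    Raises ValueError for a short buffer or wrong magic."""
    if len(blob) < HEADER_LEN:
        raise ValueError("buffer shorter than a uImage header")
    (magic, hcrc, created, size, load, ep, dcrc,
     os_, arch, type_, comp, name) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    # ih_hcrc is the CRC32 of the header with the ih_hcrc field itself zeroed.
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HEADER_LEN]
    header_crc_ok = (zlib.crc32(zeroed) & 0xFFFFFFFF) == hcrc
    # ih_dcrc covers exactly ih_size bytes of payload following the header.
    payload = blob[HEADER_LEN:HEADER_LEN + size]
    data_crc_ok = len(payload) == size and (zlib.crc32(payload) & 0xFFFFFFFF) == dcrc
    return {
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "created": time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(created)),
        "type": "%s %s %s (%s)" % (IH_ARCH.get(arch, "arch%d" % arch),
                                   IH_OS.get(os_, "os%d" % os_),
                                   IH_TYPE.get(type_, "type%d" % type_),
                                   IH_COMP.get(comp, "comp%d" % comp)),
        "size": size, "load": load, "ep": ep,
        "header_crc_ok": header_crc_ok, "data_crc_ok": data_crc_ok,
    }


def is_valid_uimage(blob):
    """True only when magic, header CRC and data CRC all check out."""
    try:
        info = parse_uimage(blob)
    except ValueError:
        return False
    return info["header_crc_ok"] and info["data_crc_ok"]


def build_uimage(payload, name, load, ep, created=SAMPLE_TIME,
                 os_=5, arch=5, type_=2, comp=1):
    """Wrap payload in a legacy header with correct CRCs, as mkimage does.
    Helper for constructing test images in this example."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = struct.pack(HEADER_FMT, IH_MAGIC, 0, created, len(payload), load, ep,
                      dcrc, os_, arch, type_, comp, name.encode("ascii"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


if __name__ == "__main__":
    # Constructed image using the name, load and entry addresses from the log.
    img = build_uimage(b"\x1f\x8b" + b"\x00" * 30, "FTPL_02.01.23",
                       0x80010000, 0x804431d0)
    print(parse_uimage(img))
    # A flipped payload byte fails the data CRC ...
    tampered = img[:-1] + bytes([img[-1] ^ 0xFF])
    print("tampered verifies:", is_valid_uimage(tampered))
    # ... but the same tampered payload re-wrapped with fresh CRCs verifies,
    # so the checksum proves integrity of the copy, not who produced it.
    rebuilt = build_uimage(tampered[HEADER_LEN:], "FTPL_02.01.23",
                           0x80010000, 0x804431d0)
    print("rebuilt verifies:", is_valid_uimage(rebuilt))
```

Run it as a script to see the parsed fields ("MIPS Linux Kernel Image (gzip compressed)", the load and entry addresses) and the two verification results; on a real dump, feed `parse_uimage` the bytes starting at the image offset the bootloader reports.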

Hello,

First, this may interest you [0]; it is a different router, but most of these seem to run similar stuff. The summary is that later firmware versions lock people out from UART.

However, I have a few thoughts (sorry if they are silly, I don't have much knowledge of hardware things).

- The method the vendor/OEM chose to lock people out from UART could be bootdelaykey [1]. If this is the case it might just be a matter of spamming keyboard IO until you find a match; a python script could be useful here.
- When I boot a 5355 (running 4.1603-1.0.38-116.141, cfe-rom: 7.28.13), I get an interesting line well after U-Boot that says 'Magic SysRq with Auxilliary trigger char enabled (type ^ h for list of supported commands)'; this could potentially be used for something?
- I wonder if perhaps there is some header on the board that can be jumpered to stop autoboot? I find it unlikely a manufacturer would not leave a backdoor.
- Failing the above, there are a few 'maintenance' utilities on the web interface for this router, such as ping/dns/ntp; I would check those out for command injection, because that might be another way to gain access.
- Finally, I want to run a DHCP server on a PC, plug into the WAN port, and sniff everything. I am suspicious of this device at the software level, and there may be some way to enable debugging through some configuration.

Edit: Also, reading hxxps://wiki.openwrt.org/doc/techref/bootloader/cfe, it suggests a procedure to escape the CFE boot process (even though it says it is for accessing the web interface); perhaps this might be useful to try?

[0] hxxps://forums.whirlpool.net.au/archive/2547693
[1] hxxps://github.com/lentinj/u-boot/blob/master/doc/README.autoboot#L129

(Last edited by asldjlajhdwat on 12 Sep 2017, 11:32)

The discussion might have continued from here.