Successfully got access from the serial console #27

Open
rikka0w0 opened this issue Jun 9, 2022 · 8 comments

rikka0w0 commented Jun 9, 2022

Update: The latest updates will be available at https://github.com/rikka0w0/fast3864op-hacks

I disassembled a Sagemcom F@st 3864OP and soldered 4-pin headers to the PCB board, then hooked it up to a USB-UART 3.3V dongle. On my PC, I started a serial monitor (the baud rate is 115200) and got an interactive console. I was able to log in with the following credentials:

user: admin
password: 0ptU%1M5

Although it is not a Linux shell, it supports several commands (listed below), and the sh command will get you a real Linux shell.

 > swversion
8.353.1_F@ST5350_Optus
 > help
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
brctl
cat
virtualserver
ddns
df
loglevel
logdest
dumpcfg
dumpmdm
dm
dumpeid
mdm
meminfo
psp
kill
dumpsysinfo
exitOnIdle
dnsproxy
syslog
echo
ifconfig
ping
ps
pwd
sntp
sysinfo
tftp
voice
dect
wlctl
arp
defaultgateway
dhcpserver
dns
lan
lanhosts
passwd
ppp
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
wan
mcpctl

The following is a demonstration of the Linux shell:

 > sh


BusyBox v1.17.2 (2016-07-23 18:57:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls /bin/*
/bin/acs_cli            /bin/ftl_format         /bin/setmem
/bin/acsd               /bin/gmac               /bin/sh
/bin/adsl               /bin/gmacctl            /bin/sleep
/bin/adslctl            /bin/grep               /bin/smbd
/bin/arl                /bin/gunzip             /bin/smbpasswd
/bin/arlctl             /bin/hotplug            /bin/smd
/bin/ash                /bin/hspotap            /bin/sntp
/bin/bash               /bin/httpd              /bin/spdsvc
/bin/bcm_boot_launcher  /bin/ip                 /bin/spu
/bin/bpm                /bin/ip6tables          /bin/spuctl
/bin/bpmctl             /bin/ippd               /bin/ss
/bin/brctl              /bin/iptables           /bin/ssk
/bin/bsd                /bin/iq                 /bin/stress
/bin/busybox            /bin/iqctl              /bin/stty
/bin/cat                /bin/kill               /bin/swmdk
/bin/chmod              /bin/lld2d              /bin/sync
/bin/consoled           /bin/ln                 /bin/tc
/bin/cp                 /bin/ls                 /bin/telnetd
/bin/dart               /bin/mcp                /bin/tmsctl
/bin/date               /bin/mcpctl             /bin/tr69c
/bin/ddnsd              /bin/mcpd               /bin/true
/bin/dectd              /bin/mdkshell           /bin/ubiattach
/bin/deluser            /bin/mkdir              /bin/ubicrc32
/bin/df                 /bin/mknod              /bin/ubidetach
/bin/dhcp6c             /bin/mount              /bin/ubiformat
/bin/dhcp6s             /bin/mtd_debug          /bin/ubimkvol
/bin/dhcpc              /bin/mtdinfo            /bin/ubinfo
/bin/dhcpd              /bin/nanddump           /bin/ubirename
/bin/diag_ping          /bin/nandtest           /bin/ubirmvol
/bin/dmesg              /bin/nandwrite          /bin/ubirsvol
/bin/dnsproxy           /bin/nas                /bin/ubiupdatevol
/bin/dnsspoof           /bin/nas4not            /bin/udhcpd
/bin/doc_loadbios       /bin/nbtscan            /bin/umount
/bin/dry                /bin/ntfs-3g            /bin/upnp
/bin/dsldiagd           /bin/nvram              /bin/urlfilterd
/bin/dumpmem            /bin/nvramUpdate        /bin/usb_modeswitch
/bin/eapd               /bin/openl2tpd          /bin/vlanctl
/bin/ebtables           /bin/openssl            /bin/vodsl
/bin/echo               /bin/ping               /bin/wl
/bin/epi_ttcp           /bin/ping6              /bin/wl_server
/bin/ethctl             /bin/pppd               /bin/wl_server_socket
/bin/ethswctl           /bin/ps                 /bin/wlctl
/bin/false              /bin/pwd                /bin/wlevt
/bin/fap                /bin/pwr                /bin/wlmngr
/bin/fapctl             /bin/pwrctl             /bin/wps_monitor
/bin/fast               /bin/radvd              /bin/xdslctl
/bin/fc                 /bin/rastatus6          /bin/xtables-multi
/bin/fcctl              /bin/rawSocketTest      /bin/xtm
/bin/flash_erase        /bin/ripd               /bin/xtmctl
/bin/flash_otp_dump     /bin/rm                 /bin/zcat
/bin/flash_otp_info     /bin/scriptDaemon       /bin/zebra
/bin/flashcp            /bin/send_cms_msg
# cat /proc/cpuinfo
system type             : F@ST3864V2
processor               : 0
cpu model               : Broadcom BMIPS4350 V8.0
BogoMIPS                : 397.31
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
kscratch registers      : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

processor               : 1
cpu model               : Broadcom BMIPS4350 V8.0
BogoMIPS                : 403.45
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
kscratch registers      : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

# mount
rootfs on / type rootfs (rw)
mtd:rootfs on / type jffs2 (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime,size=420k)
tmpfs on /mnt type tmpfs (rw,relatime,size=16k)
sysfs on /sys type sysfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mtd:data on /data type jffs2 (rw,relatime)
none on /proc/bus/usb type usbfs (rw,relatime)
# free 
sh: free: not found
# cat /proc/meminfo 
MemTotal:         123396 kB
MemFree:           55004 kB
Buffers:               0 kB
Cached:            20432 kB
SwapCached:            0 kB
Active:             6400 kB
Inactive:          17564 kB
Active(anon):       3532 kB
Inactive(anon):        0 kB
Active(file):       2868 kB
Inactive(file):    17564 kB
Unevictable:           0 kB
Mlocked:               0 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          3520 kB
Mapped:             3660 kB
Shmem:                 0 kB
Slab:              33160 kB
SReclaimable:        624 kB
SUnreclaim:        32536 kB
KernelStack:        1168 kB
PageTables:          396 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       61696 kB
Committed_AS:       8188 kB
VmallocTotal:    1032116 kB
VmallocUsed:       10560 kB
VmallocChunk:    1006836 kB

The ip a command is available, but uname and whoami are missing. The following is a snippet from the boot log:

Base: 4.14_04
CFE version 8.353.1 for BCM963268 (32bit,SP,BE)
Build Date: Sat Jul 23 18:46:20 CST 2016 ([email protected])
Copyright (C) 2005-2011 SAGEM Corporation.

Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000

NAND flash device: , id 0xeff1 block 128KB size 131072KB
External switch id = 53125 
Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host/tftp (f/h/c)  : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Boot image (0=latest, 1=previous) : 0  
Default host ramdisk file name    :   
Default ramdisk store address     :   
Board Id (0-38)                   : F@ST3864V2

I'm going to explore more on this, perhaps dump the entire firmware and share it with you guys.

Update:
I think there is a great chance of running Openwrt on this router, although it is very likely that running the xDSL and Wifi will be problematic:
openwrt/openwrt@ff2c963
https://openwrt.org/toh/sercomm/h500-s
https://github.com/micjo/bbox3
https://gist.github.com/Noltari/fa7561abbcca6acfbc279935a6bbf80c


rikka0w0 commented Jun 26, 2022

Update:
I successfully ran OpenWRT on this modem! Looking at the device database, the CPU is very similar to the one in Sky SR102, hence I built my own OpenWRT image (latest branch) based on the SR102 configuration file (without modifications). The attachment is the ELF binary that ran on the RAM (without having to flash the NAND). To run the image, you need a second network interface (a cheap USB 100M adapter will work) to serve this image over LAN.

openwrt-bcm63xx-generic-sky_sr102-initramfs.elf.zip

Config: static IP address 192.168.1.100, netmask 255.255.255.0, gateway 192.168.1.1
You will also need to run a tftp server on your PC (e.g. tftpd-hpa on Ubuntu)

Once you set up the hardware, attach to the hardware serial console (115200 baud, no parity) and press the SPACE key repeatedly until you see the CFE prompt. Next, execute force to override the board ID check, then type and execute r openwrt-bcm63xx-generic-sky_sr102-initramfs.elf, and you should be able to get an OpenWRT interactive shell.

WARNING: DO NOT FLASH IT TO NAND OR USE IN PRODUCTION, the author will not be responsible for any loss.

Boot log:

HELO
CPUI
L1CI
HELO
CPUI
L1CI
4.1404-1.0.38-117.113
DRAM
----
PHYS
STRF
400H
PHYE
DDR3
SIZ4
SIZ3
SIZ2
DINT
USYN
LSYN
MFAS
LMBE
RACE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
FPS0
BT00
0001
STOP
NAN9
NAN3
RFS1
NAN5

Base: 4.14_04
CFE version 8.353.1 for BCM963268 (32bit,SP,BE)
Build Date: Sat Jul 23 18:46:20 CST 2016 ([email protected])
Copyright (C) 2005-2011 SAGEM Corporation.

Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000

NAND flash device: , id 0xeff1 block 128KB size 131072KB
External switch id = 53125 
Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host/tftp (f/h/c)  : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Boot image (0=latest, 1=previous) : 0  
Default host ramdisk file name    :   
Default ramdisk store address     :   
Board Id (0-38)                   : F@ST3864V2  
Number of MAC Addresses (1-32)    : 11  
Base MAC Address                  : d8:d7:75:13:03:72  
PSI Size (1-64) KBytes            : 40  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Auxillary File System Size Percent: 0  
Main Thread Number [0|1]          : 0  
GPON Serial Number                : "BRCM12345678"  
GPON Password                     : "          "  
Voice Board Configuration (0-0)   : SI32261  

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1
web info: Waiting for connection on socket 0.
CFE> force
*** command status = 0
CFE> r openwrt-bcm63xx-generic-sky_sr102-initramfs.elf
0x80a00000/4416015 Entry at 0x80a00000
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found
Closing DMA Channels
Starting program at 0x80a00000


OpenWrt kernel loader for BCM63XX
Copyright (C) 2011 Gabor Juhos <[email protected]>
Copyright (C) 2014 Jonas Gorski <[email protected]>
Copyright (C) 2020 Alvaro Fernandez Rojas <[email protected]>
Decompressing kernel... done!
blasting from 0x80010000 to 0x00e71217 (0x80010000 - 0x80e81220)
Starting kernel at 80010000...

[    0.000000] Linux version 5.10.120 (rikka@i7-6700) (mips-openwrt-linux-musl-gcc (OpenWrt GCC 11.3.0 r19916-326e109f24) 11.3.0, GNU ld (GNU Binutils) 2.37) #0 Sun Jun 26 14:58:05 2022
[    0.000000] Detected Broadcom 0x63268 CPU revision d0
[    0.000000] CPU frequency is 400 MHz
[    0.000000] 128MB of RAM installed
[    0.000000] board_bcm963xx: Boot address 0xb8000000
[    0.000000] board_bcm963xx: CFE version: unknown
[    0.000000] printk: bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0002a080 (Broadcom BMIPS4350)
[    0.000000] board: board name: BSKYB_63168
[    0.000000] MIPS: machine is SKY SR102
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
[    0.000000] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 113740K/131072K available (5398K kernel code, 630K rwdata, 1180K rodata, 8592K init, 204K bss, 17332K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 256
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 9556302233 ns
[    0.000015] sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 10737418237ns
[    0.008250] Calibrating delay loop... 398.13 BogoMIPS (lpj=1990656)
[    0.074653] pid_max: default: 32768 minimum: 301
[    0.079710] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.087223] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.099339] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[    0.112836] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.122975] futex hash table entries: 256 (order: -1, 3072 bytes, linear)
[    0.130067] pinctrl core: initialized pinctrl subsystem
[    0.137665] NET: Registered protocol family 16
[    0.147352] unsupported NAND flash detected
[    0.389236] registering PCI controller with io_map_base unset
[    0.471527] PCI host bridge to bus 0000:00
[    0.475703] pci_bus 0000:00: root bus resource [mem 0x11000000-0x11efffff]
[    0.482854] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.489785] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.496786] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.504987] pci 0000:00:00.0: [14e4:6326] type 01 class 0x060400
[    0.511221] pci 0000:00:00.0: PME# supported from D0 D3hot
[    0.518283] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[    0.527823] pci_bus 0000:01: busn_res: [bus 01-ff] end is updated to 01
[    0.534585] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 01
[    0.541432] pci 0000:00:00.0: PCI bridge to [bus 01]
[    0.546578] clocksource: Switched to clocksource MIPS
[    0.554014] NET: Registered protocol family 2
[    0.559047] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.567734] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes, linear)
[    0.576378] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.584315] TCP bind hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.591585] TCP: Hash tables configured (established 1024 bind 1024)
[    0.598551] UDP hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.605276] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.612961] NET: Registered protocol family 1
[    0.617530] PCI: CLS 0 bytes, default 16
[    0.901442] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    0.915844] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.921855] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.938015] bcm63268-pinctrl 100000c0.pin-controller: registered at mmio (ptrval)
�[    0.956862] printk: console [ttyS0] enabledx10000180 (irq = 13, base_baud = 1562500) is a bcm63xx_uart
[    0.956862] printk: console [ttyS0] enabled
[    0.965398] printk: bootconsole [early0] disabled
[    0.965398] printk: bootconsole [early0] disabled
[    1.000454] bcm63xx-spi 10000800.spi: at [mem 0x10000800-0x10000f0b flags 0x200] (irq 88, FIFOs size 542)
[    1.015346] spi-nor spi1.0: unrecognized JEDEC id bytes: ff ff ff ff ff ff
[    1.022474] spi-nor: probe of spi1.0 failed with error -2
[    1.091113] b53_common: found switch: BCM63xx, rev 0
[    1.096709] bcm63xx-wdt bcm63xx-wdt:  started, timer margin: 30 sec
[    1.106579] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.113771] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.120964] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.128117] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.135269] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.144027] NET: Registered protocol family 10
[    1.174048] Segment Routing with IPv6
[    1.178003] NET: Registered protocol family 17
[    1.182623] 8021q: 802.1Q VLAN Support v1.8
[    1.279127] Freeing unused kernel memory: 8592K
[    1.283735] This architecture does not have kernel memory protection.
[    1.290425] Run /init as init process
[    1.912318] init: Console is alive
[    1.916475] init: - watchdog -
[    1.956051] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    1.996888] usbcore: registered new interface driver usbfs
[    2.002595] usbcore: registered new interface driver hub
[    2.008201] usbcore: registered new device driver usb
[    2.031229] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    2.040669] ehci-fsl: Freescale EHCI Host controller driver
[    2.051512] ehci-platform: EHCI generic platform driver
[    2.176635] ehci-platform ehci-platform: EHCI Host Controller
[    2.182559] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[    2.191059] ehci-platform ehci-platform: irq 18, io mem 0xb0002500
[    2.226623] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00, overcurrent ignored
[    2.236353] hub 1-0:1.0: USB hub found
[    2.241979] hub 1-0:1.0: 2 ports detected
[    2.261811] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    2.271223] ohci-platform: OHCI generic platform driver
[    2.276801] ohci-platform ohci-platform: Generic Platform OHCI controller
[    2.283793] ohci-platform ohci-platform: new USB bus registered, assigned bus number 2
[    2.292146] ohci-platform ohci-platform: irq 17, io mem 0xb0002600
[    2.372042] hub 2-0:1.0: USB hub found
[    2.377698] hub 2-0:1.0: 2 ports detected
[    2.384753] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    2.402893] init: - preinit -
[    2.861101] random: jshn: uninitialized urandom read (4 bytes read)
[    2.948639] random: jshn: uninitialized urandom read (4 bytes read)
[    3.207859] random: jshn: uninitialized urandom read (4 bytes read)
[    3.706271] IPv6: ADDRCONF(NETDEV_CHANGE): eth0.1: link becomes ready
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    4.767025] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    6.106503] procd: - early -
[    6.110009] procd: - watchdog -
[    6.692572] procd: - watchdog -
[    6.698256] procd: - ubus -
[    6.718728] urandom_read_iter: 3 callbacks suppressed
[    6.718742] random: ubusd: uninitialized urandom read (4 bytes read)
[    6.752701] random: ubusd: uninitialized urandom read (4 bytes read)
[    6.760082] random: ubusd: uninitialized urandom read (4 bytes read)
[    6.771552] procd: - init -
Please press Enter to activate this console.
[    7.858556] urandom_read_iter: 18 callbacks suppressed
[    7.858570] random: jshn: uninitialized urandom read (4 bytes read)
[    7.935032] random: ubusd: uninitialized urandom read (4 bytes read)
[    7.957141] random: ubus: uninitialized urandom read (4 bytes read)
[    8.088936] kmodloader: loading kernel modules from /etc/modules.d/*
[    8.437800] PPP generic driver version 2.4.2
[    8.460227] NET: Registered protocol family 24
[    8.502166] kmodloader: done loading kernel modules from /etc/modules.d/*
[    8.753221] urngd: v1.0.2 started.
[    9.105390] random: crng init done
[    9.108905] random: 1 urandom warning(s) missed due to ratelimiting



BusyBox v1.35.0 (2022-06-26 14:58:05 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r19916-326e109f24
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/# uname -a
Linux OpenWrt 5.10.120 #0 Sun Jun 26 14:58:05 2022 mips GNU/Linux

@mattimustang
Owner

Well done! Was anything functional when it was running OpenWrt, like VDSL?

@rikka0w0
Author

> Well done! Was anything functional when it was running OpenWrt, like VDSL?

The build identified 2 internet adapters. The WAN port works flawlessly and has internet access if connected to my home router. The USB ports work as well.

Most of the other things don't work at all, including LAN ports (I didn't configure the switch correctly), NAND flash (cannot be identified by OpenWRT), the Wifi, and the VDSL.

Fixing the LAN ports and the NAND flash takes priority. Maybe I should set up another repo and share the OpenWRT config?

@rikka0w0
Author

I went back to the stock firmware and got the ROM footprint:

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 03d60000 00020000 "rootfs"
mtd1: 03d60000 00020000 "rootfs_update"
mtd2: 00400000 00020000 "data"
mtd3: 00020000 00020000 "nvram"
mtd4: 03d60000 00020000 "image"
mtd5: 03d60000 00020000 "image_update"

# df
Filesystem           1024-blocks    Used Available Use% Mounted on
mtd:rootfs               62848     22208     40640  35% /
mtd:data                  4096       568      3528  14% /data

It seems that mtd4 and mtd5 are replicates of mtd0 and mtd1, respectively. The sizes of mtd0 to mtd3 add up to the correct NAND Flash capacity. Interestingly, I found that mtd1 is empty, which means we might be able to place the openwrt image there, without having to wipe the entire flash.
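
An added example (not part of the original comment or of the project's code) that checks the partition arithmetic: it parses the /proc/mtd output above and the fixed-partitions lines from the OpenWrt 21.02.3 boot log later in this thread, then reports how much of the 128 MiB chip each layout leaves unassigned. The sample text is copied from the thread; the function names are illustrative.

```python
import re

# Sample input copied from the outputs quoted in this thread.
PROC_MTD = '''\
dev:    size   erasesize  name
mtd0: 03d60000 00020000 "rootfs"
mtd1: 03d60000 00020000 "rootfs_update"
mtd2: 00400000 00020000 "data"
mtd3: 00020000 00020000 "nvram"
mtd4: 03d60000 00020000 "image"
mtd5: 03d60000 00020000 "image_update"
'''

KERNEL_LOG = '''\
[    1.342844] 0x000000000000-0x000000020000 : "cferom"
[    1.350605] 0x000000020000-0x000003d80000 : "rootfs_stock"
[    1.359364] 0x000003d80000-0x000007ae0000 : "rootfs_update"
[    1.368197] 0x000007b00000-0x000007f00000 : "data_stock"
'''

NAND_BYTES = 131072 * 1024  # "size 131072KB" in the CFE banner


def parse_proc_mtd(text):
    """Return [(dev, size, erasesize, name)] from /proc/mtd text (hex fields)."""
    rows = []
    for line in text.splitlines():
        m = re.match(r'(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"', line)
        if m:  # the header line does not match and is skipped
            rows.append((m.group(1), int(m.group(2), 16),
                         int(m.group(3), 16), m.group(4)))
    return rows


def parse_kernel_partitions(text):
    """Return sorted [(start, end, name)] from kernel MTD lines; end is exclusive."""
    parts = []
    for m in re.finditer(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "([^"]+)"', text):
        parts.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3)))
    return sorted(parts)


def uncovered(parts, total):
    """Byte ranges of the chip that no partition covers."""
    gaps, cursor = [], 0
    for start, end, _name in parts:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total:
        gaps.append((cursor, total))
    return gaps


def report():
    rows = parse_proc_mtd(PROC_MTD)
    # mtd4/mtd5 are left out, following the comment's reading that they
    # mirror mtd0/mtd1 rather than occupy additional flash.
    stock = sum(size for dev, size, _e, _n in rows
                if dev in {"mtd0", "mtd1", "mtd2", "mtd3"})
    return {
        "stock_assigned": stock,
        "stock_unassigned": NAND_BYTES - stock,
        # Partitions whose size is not a whole number of erase blocks.
        "unaligned": [dev for dev, size, erase, _n in rows if size % erase],
        "openwrt_gaps": uncovered(parse_kernel_partitions(KERNEL_LOG), NAND_BYTES),
    }


if __name__ == "__main__":
    r = report()
    print("stock mtd0-3 assigned : 0x%08x" % r["stock_assigned"])
    print("stock unassigned      : 0x%08x" % r["stock_unassigned"])
    print("unaligned partitions  :", r["unaligned"] or "none")
    for start, end in r["openwrt_gaps"]:
        print("openwrt gap           : 0x%08x-0x%08x (0x%x bytes)"
              % (start, end, end - start))
```

Both layouts leave 0x120000 bytes (nine 128 KiB erase blocks) outside any named partition; the same boot log reports the bad block table written at 0x7fe0000 and 0x7fc0000, which falls in the tail gap.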


rikka0w0 commented Jun 29, 2022

Base: 4.14_04
CFE version 8.353.1 for BCM963268 (32bit,SP,BE)
Build Date: Sat Jul 23 18:46:20 CST 2016 ([email protected])
Copyright (C) 2005-2011 SAGEM Corporation.

Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000

NAND flash device: , id 0xeff1 block 128KB size 131072KB
External switch id = 53125 
Board IP address                  : 192.168.1.1:ffffff00  
Host IP address                   : 192.168.1.100  
Gateway IP address                :   
Run from flash/host/tftp (f/h/c)  : f  
Default host run file name        : vmlinux  
Default host flash file name      : bcm963xx_fs_kernel  
Boot delay (0-9 seconds)          : 1  
Boot image (0=latest, 1=previous) : 0  
Default host ramdisk file name    :   
Default ramdisk store address     :   
Board Id (0-38)                   : F@ST3864V2  
Number of MAC Addresses (1-32)    : 11  
Base MAC Address                  : d8:d7:75:13:03:72  
PSI Size (1-64) KBytes            : 40  
Enable Backup PSI [0|1]           : 0  
System Log Size (0-256) KBytes    : 0  
Auxillary File System Size Percent: 0  
Main Thread Number [0|1]          : 0  
GPON Serial Number                : "BRCM12345678"  
GPON Password                     : "          "  
Voice Board Configuration (0-0)   : SI32261  

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1
web info: Waiting for connection on socket 0.
CFE> r openwrt-21.02.3-bcm63xx-smp-sagem_fast-3864op-initramfs.elf
0x80a00000/4769770 Entry at 0x80a00000
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found
Closing DMA Channels
Starting program at 0x80a00000


OpenWrt kernel loader for BCM63XX
Copyright (C) 2011 Gabor Juhos <[email protected]>
Copyright (C) 2014 Jonas Gorski <[email protected]>
Copyright (C) 2020 Alvaro Fernandez Rojas <[email protected]>
Decompressing kernel... done!
blasting from 0x80010000 to 0x00f6ced9 (0x80010000 - 0x80f7cee0)
Starting kernel at 80010000...

[    0.000000] Linux version 5.4.188 (builder@buildhost) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 r16554-1d4dea6d4f)) #0 SMP Sat Apr 16 12:59:34 2022
[    0.000000] Detected Broadcom 0x63268 CPU revision d0
[    0.000000] CPU frequency is 400 MHz
[    0.000000] 128MB of RAM installed
[    0.000000] board_bcm963xx: Boot address 0xb8000000
[    0.000000] board_bcm963xx: CFE version: unknown
[    0.000000] printk: bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 0002a080 (Broadcom BMIPS4350)
[    0.000000] board: board name: F@ST 3864OP
[    0.000000] MIPS: machine is Sagemcom F@st 3864OP
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
[    0.000000] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] percpu: Embedded 14 pages/cpu s27216 r8192 d21936 u57344
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: rootfstype=squashfs,ubifs noinitrd console=ttyS0,115200
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 112636K/131072K available (6265K kernel code, 230K rwdata, 780K rodata, 9548K init, 209K bss, 18436K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[    0.000000] rcu: Hierarchical RCU implementation.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[    0.000000] NR_IRQS: 256
[    0.000000] random: get_random_bytes called from 0x8072da30 with crng_init=0
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 9556302233 ns
[    0.000014] sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 10737418237ns
[    0.008148] Calibrating delay loop... 397.82 BogoMIPS (lpj=795648)
[    0.046460] pid_max: default: 32768 minimum: 301
[    0.051547] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.059082] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.071937] rcu: Hierarchical SRCU implementation.
[    0.078093] smp: Bringing up secondary CPUs ...
[    0.084281] SMP: Booting CPU1...
[   13.322683] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
[   13.322700] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
[   13.322978] CPU1 revision is: 0002a080 (Broadcom BMIPS4350)
[    0.119790] Synchronize counters for CPU 1: 
[    0.119807] SMP: CPU1 is running
[    0.119831] done.
[    0.150352] smp: Brought up 1 node, 2 CPUs
[    0.164933] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.174996] futex hash table entries: 512 (order: 3, 32768 bytes, linear)
[    0.182222] pinctrl core: initialized pinctrl subsystem
[    0.189364] NET: Registered protocol family 16
[    0.251236] clocksource: Switched to clocksource MIPS
[    0.258821] thermal_sys: Registered thermal governor 'step_wise'
[    0.260267] NET: Registered protocol family 2
[    0.271460] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.280575] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 6144 bytes, linear)
[    0.289350] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.297379] TCP bind hash table entries: 1024 (order: 1, 8192 bytes, linear)
[    0.304714] TCP: Hash tables configured (established 1024 bind 1024)
[    0.311718] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.318542] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[    0.326182] NET: Registered protocol family 1
[    0.330720] PCI: CLS 0 bytes, default 16
[    0.463223] random: fast init done
[    0.705557] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    0.733109] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.739197] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.753200] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 252)
[    0.766674] bcm63268-pinctrl 100000c0.pin-controller: registered at mmio (ptrval)
[    0.775500] 10000180.serial: ttyS0 at MMIO 0x10000180 (irq = 13, base_baud = 1562500) is a bcm63xx_uart
[    0.785226] printk: console [ttyS0] enabled
[    0.785226] printk: console [ttyS0] enabled
[    0.793802] printk: bootconsole [early0] disabled
[    0.793802] printk: bootconsole [early0] disabled
[    0.812925] nand: device found, Manufacturer ID: 0xef, Chip ID: 0xf1
[    0.819520] nand: Winbond W29N01HV
[    0.822961] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    0.830850] bcm6368_nand 10000200.nand: detected 128MiB total, 128KiB blocks, 2KiB pages, 16B OOB, 8-bit, Hamming ECC
[    0.844707] Bad block table not found for chip 0
[    0.852119] Bad block table not found for chip 0
[    0.856875] Scanning device for bad blocks
[    1.283837] Bad block table written to 0x000007fe0000, version 0x01
[    1.291667] Bad block table written to 0x000007fc0000, version 0x01
[    1.330662] 4 fixed-partitions partitions found on MTD device brcmnand.0
[    1.337577] Creating 4 MTD partitions on "brcmnand.0":
[    1.342844] 0x000000000000-0x000000020000 : "cferom"
[    1.350605] 0x000000020000-0x000003d80000 : "rootfs_stock"
[    1.359364] 0x000003d80000-0x000007ae0000 : "rootfs_update"
[    1.368197] 0x000007b00000-0x000007f00000 : "data_stock"
[    1.379346] bcm63xx-spi 10000800.spi: at [mem 0x10000800-0x10000f0b flags 0x200] (irq 88, FIFOs size 542)
[    1.436621] b53_common: found switch: BCM63xx, rev 0
[    1.442513] bcm63xx-wdt bcm63xx-wdt:  started, timer margin: 30 sec
[    1.449886] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.457091] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.464249] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.471408] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.478572] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[    1.489203] NET: Registered protocol family 10
[    1.496645] Segment Routing with IPv6
[    1.500611] NET: Registered protocol family 17
[    1.505250] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    1.518589] 8021q: 802.1Q VLAN Support v1.8
[    1.649061] Freeing unused kernel memory: 9548K
[    1.653715] This architecture does not have kernel memory protection.
[    1.660325] Run /init as init process
[    2.489922] init: Console is alive
[    2.493836] init: - watchdog -
[    2.530068] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    2.564831] usbcore: registered new interface driver usbfs
[    2.570709] usbcore: registered new interface driver hub
[    2.576385] usbcore: registered new device driver usb
[    2.604418] JFS: nTxBlock = 954, nTxLock = 7636
[    2.623125] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    2.631910] ehci-fsl: Freescale EHCI Host controller driver
[    2.640261] ehci-platform: EHCI generic platform driver
[    2.751254] ehci-platform ehci-platform: EHCI Host Controller
[    2.757210] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[    2.765714] ehci-platform ehci-platform: irq 18, io mem 0xb0002500
[    2.791222] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00, overcurrent ignored
[    2.800931] hub 1-0:1.0: USB hub found
[    2.804897] hub 1-0:1.0: 2 ports detected
[    2.819117] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    2.827553] ohci-platform: OHCI generic platform driver
[    2.833219] ohci-platform ohci-platform: Generic Platform OHCI controller
[    2.840237] ohci-platform ohci-platform: new USB bus registered, assigned bus number 2
[    2.848540] ohci-platform ohci-platform: irq 17, io mem 0xb0002600
[    2.920662] hub 2-0:1.0: USB hub found
[    2.924634] hub 2-0:1.0: 2 ports detected
[    2.930847] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    2.944067] init: - preinit -
[    3.322756] random: jshn: uninitialized urandom read (4 bytes read)
[    3.395685] random: jshn: uninitialized urandom read (4 bytes read)
[    3.610077] random: jshn: uninitialized urandom read (4 bytes read)
[    3.982872] IPv6: ADDRCONF(NETDEV_CHANGE): eth0.1: link becomes ready
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    4.971352] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    8.329798] procd: - early -
[    8.332914] procd: - watchdog -
[    8.897971] procd: - watchdog -
[    8.901750] procd: - ubus -
[    8.920271] urandom_read: 3 callbacks suppressed
[    8.920285] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.956065] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.963333] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.973856] procd: - init -
Please press Enter to activate this console.
[    9.873117] kmodloader: loading kernel modules from /etc/modules.d/*
[    9.944020] xt_time: kernel timezone is -0000
[    9.989481] PPP generic driver version 2.4.2
[    9.996883] NET: Registered protocol family 24
[   10.026048] kmodloader: done loading kernel modules from /etc/modules.d/*
[   10.111027] urngd: v1.0.2 started.
[   10.372419] crng init done
[   10.375141] random: 1 urandom warning(s) missed due to ratelimiting
[   35.431953] br-lan: port 1(eth0.1) entered blocking state
[   35.437624] br-lan: port 1(eth0.1) entered disabled state
[   35.444025] device eth0.1 entered promiscuous mode
[   35.449035] device eth0 entered promiscuous mode
[   35.479679] br-lan: port 1(eth0.1) entered blocking state
[   35.485272] br-lan: port 1(eth0.1) entered forwarding state
[   36.428743] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready



BusyBox v1.33.2 (2022-04-16 12:59:34 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02.3, r16554-1d4dea6d4f
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/#

@Jiaqin-Tan

Jiaqin-Tan commented Jul 10, 2024

Hi, if you've got some spare time, could you tell me what could cause the issue I'm having here?

When I run 'r 192.168.1.100:firm_ware.elf', it returns: '*** command status = -18', please see the attached picture.

Do you know what could possibly cause the error, or what 'status = -18' means? Any help would be good.


@rikka0w0
Author

> When I run 'r 192.168.1.100:firm_ware.elf', it returns: '*** command status = -18', please see attached picture.

Please omit the host IP address from your command.

In addition, check out this:
https://openwrt.org/inbox/toh/sagem/f_st3864op#boot_openwrt_in_ram

Support for this device has been merged into the mainstream OpenWrt repo. I wrote the above wiki page. For now, only development builds are available; check out:
https://downloads.openwrt.org/snapshots/targets/bmips/bcm63268/

You should try to flash the router with the firmware from the above URL. For the first installation, use the one that ends with xxx-cfe.bin. This bin won't support RAM boot.

I would recommend that you do a RAM boot to back up your stock firmware, just in case OpenWrt doesn't work. You will need the xxx-initramfs.bin for the RAM boot and you have to compile the image yourself. Clone the latest OpenWrt source and follow the official build steps.
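
The backup step recommended in the comment above, sketched as an added example (not code from this thread, the OpenWrt wiki or the OpenWrt project): from the RAM-booted OpenWrt shell, dump each MTD partition listed in `/proc/mtd` (in the boot log above: `cferom`, `rootfs_stock`, `rootfs_update`, `data_stock`), check each image against the size the kernel reports, and record SHA-256 sums. The function name `backup_mtd`, the output layout and the USB mount path are hypothetical; it assumes the `/dev/mtdNro` nodes exist and that plain reads of them are adequate.

```shell
#!/bin/sh
# Added example: dump every MTD partition in a /proc/mtd-style table and
# record a SHA-256 per image. Paths are parameters so the function can be
# run against constructed files as well as a live router.
#
# Assumption: plain reads of /dev/mtdNro are good enough. On NAND with bad
# blocks, nanddump from mtd-utils is the usual tool instead of cat.
#
# Usage on the router (mount point is hypothetical):
#   backup_mtd /proc/mtd /dev /mnt/usb/stock-backup

# backup_mtd PROC_MTD DEV_DIR OUT_DIR
#   OUT_DIR should be external storage (e.g. a mounted USB drive); the
#   router's tmpfs is unlikely to hold a full 128 MiB NAND dump.
backup_mtd() {
    proc_mtd=$1
    dev_dir=$2
    out_dir=$3
    mkdir -p "$out_dir" || return 1
    : > "$out_dir/SHA256SUMS"
    # Line format: mtd0: 00020000 00020000 "cferom"   (sizes are hex)
    while read -r dev size erasesize name; do
        case $dev in mtd[0-9]*:) ;; *) continue ;; esac   # skip header line
        dev=${dev%:}
        # Strip the quotes and make the partition name safe as a file name.
        name=$(printf '%s' "$name" | tr -d '"' | tr -c 'A-Za-z0-9_.-' '_')
        img="${dev}_${name}.bin"
        # Read through the read-only node so a slip cannot write to flash.
        cat "$dev_dir/${dev}ro" > "$out_dir/$img" || return 1
        want=$((0x$size))
        got=$(wc -c < "$out_dir/$img")
        if [ "$got" -ne "$want" ]; then
            echo "size mismatch for $img: got $got, want $want" >&2
            return 1
        fi
        (cd "$out_dir" && sha256sum "$img" >> SHA256SUMS) || return 1
    done < "$proc_mtd"
    # Re-read every image and verify it before reporting success.
    (cd "$out_dir" && sha256sum -c SHA256SUMS > /dev/null) || return 1
}
```

Copy the output directory, including `SHA256SUMS`, off the device before flashing anything, and re-run `sha256sum -c SHA256SUMS` on the copy.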

@Jiaqin-Tan

Thank you for taking the time to write such detailed instructions!
