author | Andrea Greco <accounts@andreagre.co> | 2023-10-10 12:13:49 +0200
committer | GitHub <noreply@github.com> | 2023-10-10 12:13:49 +0200
commit | df1edd76f66b33eabe72cc7cbf656fddf7f72bea (patch)
tree | 4ab5ceecf4ee514d75fe19c45bb898499071bfb7 /_ont/ont-sercomm-fg1000b-11.md
parent | hotfix zte router page (#273) (diff)
Diffstat (limited to '_ont/ont-sercomm-fg1000b-11.md')
-rw-r--r-- | _ont/ont-sercomm-fg1000b-11.md | 95 |
1 files changed, 48 insertions, 47 deletions
diff --git a/_ont/ont-sercomm-fg1000b-11.md b/_ont/ont-sercomm-fg1000b-11.md index f96aa01..c9bb9ed 100644 --- a/_ont/ont-sercomm-fg1000b-11.md +++ b/_ont/ont-sercomm-fg1000b-11.md @@ -39,17 +39,17 @@ parent: Sercomm ## Serial -See picture side2 for the pin identification, use 112500 8-N-1 -The ONT seems only to display output of the ROM CFE and flash CFE, but don't allow interupting the boot... +See side2 picture for pin identification, use 112500 8-N-1 +The ONT seems to only display output of the ROM CFE and flash CFE, but doesn't seem to allow interrupting the boot. {% include serial_dump.html file="fg1000b-11_boot_cfe.txt" alt="Sercomm FG1000B.11 CFE boot dump" title="Sercomm FG1000B.11 CFE boot dump" %} ## Root procedure -[See how the enable telnet/ssh section](/ont-sercomm-fg1000b-11/#enable-telnetsshserial) +[See the enable telnet/ssh section](/ont-sercomm-fg1000b-11/#enable-telnetsshserial) ## List of software versions -Current only version seen is: 090144.1.0.001 +Currently the only known version is 090144.1.0.001 ## List of partitions `cat /proc/mtd` 
@@ -82,34 +82,34 @@ Current only version seen is: 090144.1.0.001 # Useful files and binaries -{% include alert.html content="NanD MTD 5 mounted as `/tmp/var_link_dir/ft` contains all serials and mac address of the ONT, please consider backup before any hack, files are: `customer_sn,gpon_sn,hw_version,mac_addr,pcba_sn`" alert="Warning" icon="svg-warning" color="red" %} +{% include alert.html content="NAND MTD5 mounted as `/tmp/var_link_dir/ft` contains all serial numbers and the MAC address of the ONT, please consider backing it up before performing any hack, files are: `customer_sn,gpon_sn,hw_version,mac_addr,pcba_sn`" alert="Warning" icon="svg-warning" color="red" %} {% include alert.html content="Calling the `board_init` binary directly or indirectly (via init script) when the board is already booted will cause NAND mtd 5, 15, 16 & 17 to be erased! -Please backup those before any hacking! Recovery is possible if you hardware reset the device, enable the telnet and recreate the `customer_sn, gpon_sn, hw_version, mac_addr, pcba_sn` file on the `/tmp/var_link_dir/ft` volume which can be remount R/W `mount -o remount,rw /dev/mtdblock5 /tmp/var_link_dir/ft`." alert="Warning" icon="svg-warning" color="red" %} +Please back them up before any hacking! Recovery is possible if you hardware reset the device, enable the telnet and recreate the `customer_sn, gpon_sn, hw_version, mac_addr, pcba_sn` file on the `/tmp/var_link_dir/ft` volume which can be remounted as R/W `mount -o remount,rw /dev/mtdblock5 /tmp/var_link_dir/ft`." 
alert="Warning" icon="svg-warning" color="red" %} ## Useful files -* `/etc/framework_init.sh` - is the main entry for sercomm framework launch by `/etc/rcS` +* `/etc/framework_init.sh` - is the main entry for the launch of the Sercomm framework by `/etc/rcS` ## Useful binaries -* `pb_ap` - monitoring the `reset button`, if pushed more than 10s it reset to factory default, otherwise it reboot the device - Run at startup - no args +* `pb_ap` - monitors the `reset button`. If the button is pushed for longer than 10s it resets the ONT to factory default, otherwise it only reboots the device - Run at startup - no args -* `fw_image_ctl` - allow firmware info, upgrade, switch between `fw0` & `fw1`, replicate between fw, desactivate image etc... - Options listes when called woth no args +* `fw_image_ctl` - allows firmware upgrade, switch between `fw0` & `fw1`,reading firmware info, replicating between fw, deactivating image etc... - Options listed when called with no args -* `cmld_client`- manipulate the configuration 'DB' stored in a /dev/mtd15, output is XML format. The root element is "InternetGatewayDevice" you need to use a final '.' dot to list all sub-element. example to get the full device XML config ```cmld_client get_node InternetGatewayDevice.```. Element with `writable="1"` can be changed with `set` and the node path. Element marked `dynamic="1"` have their value evaluated at the time you specifically call get on the node, `cmld_client get InternetGatewayDevice.WANDevice.1.X_SC_GponInterfaceConfig.Status` - The daemon is run at startup - option list whe called with no args +* `cmld_client`- manipulates the configuration 'DB' stored in /dev/mtd15, its output is in the XML format. The root element is "InternetGatewayDevice". A final '.' dot is needed to list all sub-elements. Example to get the device's full XML config ```cmld_client get_node InternetGatewayDevice.```. Listed elements with `writable="1"` can be changed with `set` and the node path. 
Elements marked as `dynamic="1"` have their value evaluated at the time you specifically call get on that specific node, `cmld_client get InternetGatewayDevice.WANDevice.1.X_SC_GponInterfaceConfig.Status` - The daemon is run at startup - options listed when called with no args -* `cmd_agent` - is a strange daemon launch at startup during `/etc/rcS` that open a `/tmp/cmd_client` sock file that listen to command and execute them. - No args +* `cmd_agent` - strange daemon launched at startup during `/etc/rcS` that opens a `/tmp/cmd_client` sock file that listens to commands and executes them. - No args -* `statd` - is a daemon launch at boot which collect monitoring data from the ONT. - No args +* `statd` - daemon launched at boot which collects monitoring data from the ONT. - No args * `ubusd` - ubusd is used to send message between processes, current ubus services are `cml,network-manager,smd` -* `smd` - is the daemon in charge of launching `/opt/` plugin for each of the ONT service like: `init, gpon, iptv, temperature, account, http, lan, network, syslog, system`. All is done in code which is not helping hacking the device. +* `smd` - daemon in charge of launching the `/opt/` plugin for each of the ONT's service like: `init, gpon, iptv, temperature, account, http, lan, network, syslog, system`. All is done in code which does not help hacking the device. # Usage -## Enable telnet/SSH/serial +## Enabling telnet/SSH/serial -Below code can be pasted in the browser console after loading the `http://192.168.100.1` (default ONT page). This will enable telnet as root with no password on the device (same can be done with `/usr/sbin/sshd` binary). The below hack uses an injection on the `eventlog_applog_download.json` page, command can be injected in the request body `applog_select` parameter and are executed as superadmin (root). +The code below can be pasted in the browser's console after opening `http://192.168.100.1` (default ONT's web UI). 
This will enable telnet as root with no password on the device (same can be done with `/usr/sbin/sshd` binary). The below hack uses an injection on the `eventlog_applog_download.json` page, the commands can be injected in the request body's `applog_select` parameter and they are executed as superadmin (root). ```javascript // Fetch a non csrf protected page to get a csrf token await fetch("http://192.168.100.1/setup.cgi?next_file=statusandsupport/status.html").then(function (response) { 
@@ -140,27 +140,27 @@ fetch('http://192.168.100.1/data/statussupporteventlog_applog_download.json?_=16 .then(console.log) ``` -There is a way to make a script call at boot if you want to have telnet or other service started at boot. It uses a hack from libsl_system.so where there is a `system(...)` call using a String from config, string must be <=12 char, the system call is supposed to set set hostname of the device for storage sharing. -In the example below you would first creat a `/data/up` shell script and ensure it has execute rights (ex: `chmod 755`) +There is a way to make a script call at boot to ensure telnet or other services start at boot if needed. It uses a hack from libsl_system.so where there is a `system(...)` call using a String from config, string must be <=12 char. The system call is supposed to set set hostname of the device for storage sharing. +In the example below, a `/data/up` shell script would be created (ensure it has execute rights, such as: `chmod 755`). ``` -#first we need to add the missing entry +#First we need to add the missing entry /usr/bin/cmld_client add InternetGatewayDevice.Services.StorageService. 1 -#then inject within the 12 character limit the hostname and a call to our script +#Then inject within the 12 character limit the hostname and a call to our script /usr/bin/cmld_client set InternetGatewayDevice.Services.StorageService.1.X_SC_NetbiosName='a;/data/up&' /usr/bin/cmld_client save ``` -## Log configuration -`syslogd` is configure via Config DB config `cmld_client get_node InternetGatewayDevice.X_SC_Management.Syslog.` this config is read from the libsl_syslog.so plugin of smd daemon, which generate the file `/tmp/lxxd/logd.conf` and start the daemon with it as parameter. +## Logging configuration +`syslogd` is configured via Config DB config `cmld_client get_node InternetGatewayDevice.X_SC_Management.Syslog.`. 
This config is read from the libsl_syslog.so plugin of smd daemon, which generates the `/tmp/lxxd/logd.conf` file and starts the daemon with it as parameter. # GPON ONU status -## Get the operational status of the ONU +## Getting the operational status of the ONU ``` /bin/gponctl getState ``` -## Get information of the OLT vendor +## Getting OLT vendor information ``` /usr/sbin/umci_ctl stack get olt_type ``` @@ -178,15 +178,15 @@ or # GPON/OMCI settings -Part of GPON config is done via the misc configuration loaded as first lib by the smd binary, config can be seens here: +Part of GPON config is done via the misc configuration loaded as first lib by the smd binary, the config can be seen here: ``` /usr/bin/cmld_client get_node InternetGatewayDevice.X_SC_MiscCfg.GPON. ``` -Beware the field `OmciManageUniMask`, `PretendFwVersion` are initiated in the binary with respective value `01000000`, `0` +Be aware the fields `OmciManageUniMask`, `PretendFwVersion` are initiated in the binary with respective value `01000000`, `0`. ## Getting/Setting ONU GPON Serial Number Default value: 16 hex chars on the back of the ONT, starts with `53434F4DA`. The default S/N is the Modem-ID on the sticker. -You can test serial and/or ploam combinaison using with below command. Pwd is Hexe only and can be up to 36. +You can test serial and/or ploam combinations using the command provided below. The password is Hex only and can be up to 36 characters long. ``` /bin/gponctl stop /bin/gponctl setSnPwd --pwd 00-00-0X-XX-XX-XX-XX-XX-XX-XX --sn YY-YY-YY-YY-YY-YY-YY-YY 
@@ -198,7 +198,7 @@ You can monitor status by running: /bin/gponctl getstate ``` -To save the serial number you need to re-mount R/W the `/tmp/var_link_dir/ft` and change the `gpon_sn` file (consider backup of the folder before ANY action) +To save the serial number you need to re-mount `/tmp/var_link_dir/ft` as R/W and change the `gpon_sn` file (consider backing up of the folder before ANY action) ``` /bin/mount -o remount,rw /dev/mtdblock5 /tmp/var_link_dir/ft echo "XXXXXXXXXXXXX" > /tmp/var_link_dir/ft/gpon_sn @@ -208,7 +208,8 @@ echo "XXXXXXXXXXXXX" > /tmp/var_link_dir/ft/gpon_sn ## Getting/Setting ONU GPON PLOAM password -PLOAM can be set directly for Text or Hexa (without `0x`) via Web interface if < 10 digit otherwise POST call to URL allow > 10 digits for example 20 digit hex can be setup via (max is 36 digit): +The PLOAM password can be set directly as text or hex (without `0x`) via the Web interface if shorter than 10 digits, otherwise a POST call to the URL provided below allows passwords longer than 10 digits (max is 36 characters). +For example a 20-digit long hex password can be set with these commands: ``` curl -i -s -k -X $'POST' -H $'Content-Type: application/x-www-form-urlencoded' \ 
@@ -217,14 +218,14 @@ curl -i -s -k -X $'POST' -H $'Content-Type: application/x-www-form-urlencoded' \ $'http://192.168.100.1/ONT/client/data/Router.json' ``` -Or via command line with: +Or via the CLI with: ``` /usr/bin/cmld_client set InternetGatewayDevice.WANDevice.1.X_SC_GponInterfaceConfig.X_SC_Password=00000XXXXXXXXXXXXXXX /usr/bin/cmld_client save ``` ## Getting/Setting ONU GPON LOID and LOID password -{% include alert.html content="Not tested but seems used by the misc config at smd init" alert="Warning" icon="svg-warning" color="red" %} +{% include alert.html content="Not tested but seems to be used by the misc config at smd init" alert="Warning" icon="svg-warning" color="red" %} ``` /usr/bin/cmld_client set InternetGatewayDevice.X_SC_MiscCfg.GPON.LoIdPassword= @@ -233,12 +234,12 @@ Or via command line with: ``` ## Getting/Setting OMCI software version (ME 7) -{% include alert.html content="`get` works, `set` is not tested but seems used by the misc config at smd init" alert="Warning" icon="svg-warning" color="red" %} +{% include alert.html content="`get` works, `set` is not tested but seems to be used by the misc config at smd init" alert="Warning" icon="svg-warning" color="red" %} ``` /usr/bin/cmld_client get InternetGatewayDevice.X_SC_MiscCfg.GPON.OmciVersion ``` -or via umci_ctl get/set tool (not tested if config overwrite umci or the other way around) +or via umci_ctl get/set tool (if the config overwrite OMCI or the other way around has not been tested) ``` /usr/sbin/umci_ctl mib get 7 ``` 
@@ -253,45 +254,45 @@ reboot ``` ## Getting/Setting OMCI vendor ID (ME 256) Default value: `53434F4D` -{% include alert.html content="`set` option is available with `Class_id`, `Entity_id`, `Index` and `Value` parameters, not tested." alert="Warning" icon="svg-warning" color="red" %} +{% include alert.html content="The `set` command is available for `Class_id`, `Entity_id`, `Index` and `Value` parameters, but has not been tested." alert="Warning" icon="svg-warning" color="red" %} ``` /usr/sbin/umci_ctl mib get 256 ``` ## Getting/Setting OMCI equipment ID (ME 257) -{% include alert.html content="`set` option is available with `Class_id`, `Entity_id`, `Index` and `Value` parameters, not tested." alert="Warning" icon="svg-warning" color="red" %} +{% include alert.html content=" The `set` command is available for `Class_id`, `Entity_id`, `Index` and `Value` parameters, but has not been tested." alert="Warning" icon="svg-warning" color="red" %} ``` -/usr/sbin/umci_ctl mib get 256 +/usr/sbin/umci_ctl mib get 257 ``` # Advanced settings ## Transferring files to the stick -Since neither `netcat`/`nc` nor `ftp`/`sftp`/`ftps` are available the best option is to use `curl` to download file from a webserver on your network over HTTP only. -Additionaly you can add a arm full version of `busybox` in the /data partition and then use `nc` to pipe data in and out of the device. +Since neither `netcat`/`nc` nor `ftp`/`sftp`/`ftps` are available, the best option is to use `curl` to download files from a webserver on your network over HTTP only. +Additionaly a full version of `busybox` for ARM can be added in the /data partition and then use `nc` to pipe data in and out of the device. 
-## Backup of all partition -You can use `dd` which is available on the device/default busybox to backup the efull nand via `/dev/mtd` +## Backup of all partitions +`dd` can be used, as it is available on the device/default busybox to backup the efull nand via `/dev/mtd` ## Checking the currently active image ``` /usr/sbin/fw_ctl -s ``` -Output information about the firmware including a `current running fw` line +The output includes a `current running fw` line. ## Booting to a different image ``` /usr/sbin/fw_ctl -c X ``` -Where `X` is <0|1|3> set commit image, 3: commit current fw +Where `X` is <0|1|3> and sets commit image; 3 commits current firmware. ## Cloning of image 0 into image 1 ``` /usr/sbin/fw_ctl -r XXXX ``` -Where `XXX` is <fw|lib> copy type <fw|lib> from current fw to backup fw +Where `XXX` is <fw|lib> copy type <fw|lib> from current firmware to backup firmware. ## Setting management MAC ``` @@ -300,7 +301,7 @@ echo "A095XXXXXXXX" > /tmp/var_link_dir/ft/mac_addr /bin/mount -o remount,ro /dev/mtdblock5 /tmp/var_link_dir/ft /sbin/reboot ``` -The format is 12 hex digit without `0x` nor `:` +The format is 12 hex digit without any `0x` or `:` ## Setting management IP ``` 
@@ -309,13 +310,13 @@ The format is 12 hex digit without `0x` nor `:` ``` ## Rebooting the ONU -Either via the public WebUi `http://192.168.100.1/ONT/client/html/content/config/problem_handling.html?lang=en`, `Reboot` boutton -or +Either via the public WebUi `http://192.168.100.1/ONT/client/html/content/config/problem_handling.html?lang=en`, `Reboot` button or + ``` /sbin/reboot ``` # Known Bugs -It seems the `cmld_client get` can't return string values longer than 12 characters even for fields type mentioning string length. A walkaround is to use the `get_node` on the parent element to get proper value ouput. +It seems `cmld_client get` can't return string values longer than 12 characters, even for field types mentioning string length. A walkaround is to use `get_node` on the parent element to get proper value ouput. # Miscellaneous Links @@ -327,5 +328,5 @@ It seems the `cmld_client get` can't return string values longer than 12 charact - Telekom Glasfaser Modem 2 # Credits -This whole documentation here was made possible by reverse engineering, and time investment from @hwti and the rest of the folks from the forum mention in the links section of the page. Thanks a lot! +This whole documentation here was made possible thanks to the time invested into reverse engineering by @hwti and the rest of the folks from the forum mentioned in the links section of this page. Thanks a lot! |
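Review bot: in hunk `@@ -39,17 +39,17 @@` the rewritten line `+See side2 picture for pin identification, use 112500 8-N-1` carries `112500` over from the removed line. 115200 is the standard UART rate and 112500 is not a standard one, so this reads like a transposed digit; if 115200 is what was actually used, fix it here while the line is being touched (the CFE boot dump included just below can confirm). Minor: "use 115200 8-N-1" would read better as its own sentence ("Use 115200 8-N-1").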
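Review bot: in hunk `@@ -82,34 +82,34 @@` the recovery instruction in the `board_init` alert still says "recreate the `customer_sn, gpon_sn, hw_version, mac_addr, pcba_sn` file", but five files are listed, so it should be "files"; since this is the procedure a reader follows after an accidental erase, the plural matters. Smaller points in the same hunk: `+* `fw_image_ctl` - allows firmware upgrade, switch between `fw0` & `fw1`,reading firmware info` is missing a space after the comma; `+* `cmld_client`- manipulates` is missing the space before the hyphen (inherited from the old line); "each of the ONT's service like" should be "services"; and "NAND MTD5" in the first alert versus "NAND mtd 5, 15, 16 & 17" in the second could use one spelling.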
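Review bot: in hunk `@@ -140,27 +140,27 @@` the doubled word survives the rewrite: `+... The system call is supposed to set set hostname of the device for storage sharing.` should be "set the hostname". The new `+In the example below, a `/data/up` shell script would be created (ensure it has execute rights, such as: `chmod 755`).` is less direct than the removed imperative; suggest "First create a `/data/up` shell script and make it executable (`chmod 755 /data/up`)". Style: the block that follows is an untagged fence while the block above it is tagged `javascript`; tagging it (for example `sh`) keeps highlighting consistent.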
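Review bot: in hunk `@@ -178,15 +178,15 @@` the password-length statement and the command below it do not obviously agree: `+You can test serial and/or ploam combinations using the command provided below. The password is Hex only and can be up to 36 characters long.` says up to 36, while `/bin/gponctl setSnPwd --pwd 00-00-0X-XX-XX-XX-XX-XX-XX-XX` shows a 10-byte (20 hex digit) value; it would help to say which field the 36 applies to and how a longer value maps onto the `--pwd` argument. Also "starts with `53434F4DA`" is nine hex digits, whereas the vendor ID later on the page is `53434F4D` (eight); worth checking whether the trailing `A` belongs to the vendor ID or to the per-unit part of the serial. Wording: "are initiated in the binary" should be "are initialised in the binary", and "Be aware the fields" reads better as "Be aware that the fields".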
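Review bot: in hunk `@@ -198,7 +198,7 @@` the new parenthetical `(consider backing up of the folder before ANY action)` should be "consider backing up the folder before ANY action", and the sentence still has no terminal period. "re-mount" here versus "remounted" in the alert earlier on the page could be unified.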
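Review bot: in hunk `@@ -208,7 +208,8 @@` the boundary case is still uncovered: `+The PLOAM password can be set directly as text or hex (without `0x`) via the Web interface if shorter than 10 digits, otherwise a POST call to the URL provided below allows passwords longer than 10 digits (max is 36 characters).` says nothing about a password of exactly 10 digits (the removed line had the same gap with `< 10` and `> 10`); if the web form accepts 10, "10 digits or fewer" / "more than 10" would close it. Minor: "a 20-digit long hex password" should be "a 20-digit hex password".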
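Review bot: in hunk `@@ -217,14 +218,14 @@` the rewrite of the umci_ctl note reads worse than the original: `+or via umci_ctl get/set tool (if the config overwrite OMCI or the other way around has not been tested)` is ungrammatical; suggest "or via the umci_ctl get/set tool (it has not been tested whether the Config DB value overwrites the OMCI MIB or the other way around)".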
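Review bot: in hunk `@@ -253,45 +254,45 @@` the `+/usr/sbin/umci_ctl mib get 257` correction for ME 257 is right, but the matching alert now has a stray leading space inside the string: `+{% include alert.html content=" The `set` command ...`. Typos that survive the rewrite in the same hunk: "Additionaly" (should be "Additionally") and "the efull nand" (presumably "the full NAND"); `+Additionaly a full version of `busybox` for ARM can be added in the /data partition and then use `nc`` also needs "and its `nc` then used". The placeholder count differs between the command and its explanation (`/usr/sbin/fw_ctl -r XXXX` versus "Where `XXX` is"), and `+Where `X` is <0|1|3> and sets commit image; 3 commits current firmware.` still does not say what 0 and 1 select; spelling that out would make the section usable without running `fw_ctl` blind.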
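Review bot: in hunk `@@ -300,7 +301,7 @@` the new line `+The format is 12 hex digit without any `0x` or `:`` should read "12 hex digits" and end with a period.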
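Review bot: in hunk `@@ -309,13 +310,13 @@` two typos survive the Known Bugs rewrite: "walkaround" should be "workaround" and "ouput" should be "output" in `+It seems `cmld_client get` can't return string values longer than 12 characters, even for field types mentioning string length. A walkaround is to use `get_node` on the parent element to get proper value ouput.`. "WebUi" in the reboot line would normally be written "Web UI".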
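Review bot: in hunk `@@ -327,5 +328,5 @@` the phrase "This whole documentation here" in the new Credits line is redundant; "This documentation was made possible ..." is enough.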