Feb 18 2013

Unlocking the ECI B-FOCuS V-2FUb/r Rev. B VDSL modem

BT ships a variety of modems for its VDSL/Infinity product. There are ongoing discussions regarding the merits of each, but what all do have in common is that they are locked-down and inaccessible. The Huawei HG612 is theoretically the easiest to root, as described – but this does require loading a custom firmware. Additionally, mine re-locked itself and I’ve been unable to get into firmware-recovery mode since 🙁

The ECI B-FOCuS V-2FUb/I Rev. 1B can be unlocked via a serial connection without any need to replace the stock firmware – details here.

What I didn’t realise is there there are two version of the ECI modem – the one I’ve just acquired exposing fewer features when unlocked. It also has a different PCB layout, and seems more problematic to get into. I was, however, able to free all of the internal clips by removing the screws beneath the two rubber feet and then prising the case apart, starting with the rear corners and then moving to the smallest clip – above the ethernet ports. That made freeing the sides easier, and then the remainder of the lid could be released.

The pin-out mentioned at the above link appear correct: pin 2 is TXD, pin is 3 RXD and (unlabelled) pin 4 is GND. The TXD pin on the PCB must connect to the RXD pin on the UART/USB adapter, and the RXD pin on the PCB must connect to the TXD pin on the adapter.

With that, the boot-sequence can be logged:

ROM VER: 1.
ROM VER: 1.0.5
CFG 01
DDR autotuning Rev 0.3c
DDR size from 0xa0000000 - 0xa3ffffff
DDR check ok... start booting...

VG3503J 1-A-DC BootLoader v2.00.01 (May 25 2012 - 13:44:42)

CLOCK CPU 333M RAM 166M
DRAM:  32 MiB
Flash: 8 MiB
In:    serial
Out:   serial
Err:   serial
Net:   Internal phy(GE) firmware version: 0x8400
vr9 Switch

Hit any key to stop autoboot:  0 

## Checking CFG Image at b07c0000 ...

## Check Primary System Image ...

## Primary System Image Checksum OK ##

## Select Primary System Image to Execute  ...

## Booting image at b0021000 ...
## Booting kernel from Legacy Image at b0021000 ...
   Image Name:   MIPS IFXCPE Linux-2.6.20.19
   Created:      2012-06-14   8:07:15 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    942624 Bytes = 920.5 KiB
   Load Address: 80002000
   Entry Point:  802c4000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

Infineon xDSL CPE VR9
mips_hpt_frequency = 166666666, counter_resolution = 2
Linux version 2.6.20.19
 (morgan@ARCADYAN) (gcc version 3.4.6 (OpenWrt-2.0)) #72 Thu Jun 14 16:07:11 CST 2012
Found: The value of commit_img=  (1)
phym = 02000000, mem = 01f00000, max_pfn = 00001f00
Reserving memory for CP1 @0xa1f00000, size 0x00100000
CPU revision is: 00019555
Determined physical RAM map:
User-defined physical RAM map:
 memory: 01f00000 @ 00000000 (usable)
Initrd not found or empty - disabling initrd
Built 1 zonelists.  Total pages: 7874
Kernel command line: root=/dev/mtdblock8 ro rootfstype=squashfs ip=192.168.2.1:192.168.2.100::::eth0:on console=ttyS0,115200 ethaddr=84:9C:A6:xx:xx:xx phym=32M mem=31M panic=1 mtdparts=ifx_nor0:128k@0(uboot),3648k@128k(pri_image),3648k@3776k(sec_image),512k@7424k(btagent),64k@7936k(pri_bfocus_cfg),64k@8000k(sec_bfocus_cfg),64k@8064k(sysconfig),64k@8128k(misc_cfg),2624k@1152k(pri_rootfs),2624k@4800k(sec_rootfs),8192k@0(all_flash) init=/etc/preinit vpe1_load_addr=0x81f00000 vpe1_mem=1M ethwan= commit_img=1 LD_LIB
1 MIPSR2 register sets available
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
Lantiq ICU driver, version 3.0.1, (c) 2001-2010 Lantiq Deutschland GmbH
PID hash table entries: 128 (order: 7, 512 bytes)
Using 166.667 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28112k/31744k available (2314k kernel code, 3632k reserved, 505k data, 160k init, 0k highmem)
Security Framework v1.0.0 initialized
Mount-cache hash table entries: 512
NET: Registered protocol family 16
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
gptu: totally 6 16-bit timers/counters
gptu: misc_register on minor 63
gptu: succeeded to request irq 118
gptu: succeeded to request irq 119
gptu: succeeded to request irq 120
gptu: succeeded to request irq 121
gptu: succeeded to request irq 122
gptu: succeeded to request irq 123
IFX DMA driver, version ifxmips_dma_core.c:v1.0.9
,(c)2009 Infineon Technologies AG
Lantiq CGU driver, version 1.0.9, (c) 2001-2010 Lantiq Deutschland GmbH
Wired TLB entries for Linux read_c0_wired() = 0
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) (SUMMARY)  (C) 2001-2006 Red Hat, Inc.
io scheduler noop registered (default)
ifx_pmu_init: Major 252
Lantiq PMU driver, version 1.1.4, (c) 2001-2010 Lantiq Deutschland GmbH
Lantiq GPIO driver, version 1.2.12, (c) 2001-2010 Lantiq Deutschland GmbH
Infineon Technologies RCU driver version 1.0.6
Lantiq LED Controller driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland GmbH
MEI CPE Driver, Version 1.0.2
&amp;amp;amp;amp;amp;amp;amp;amp;lt;6&amp;amp;amp;amp;amp;amp;amp;amp;gt;(c) Copyright 2009, Infineon Technologies AG
&amp;amp;amp;amp;amp;amp;amp;amp;lt;6&amp;amp;amp;amp;amp;amp;amp;amp;gt;### MEI CPE - MEI CPE - MEI CPE - MEI CPE ###
&amp;amp;amp;amp;amp;amp;amp;amp;lt;6&amp;amp;amp;amp;amp;amp;amp;amp;gt;ttyS0 at MMIO 0xbe100c00 (irq = 105) is a IFX_ASC
Lantiq ASC (UART) driver, version 1.0.5, (c) 2001-2010 Lantiq Deutschland GmbH
RAMDISK driver initialized: 1 RAM disks of 6144K size 1024 blocksize
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
IFX SWITCH API, Version 1.1.7.2
SWAPI: Registered character device [switch_api] with major no [81]
Switch API: PCE MicroCode loaded !!
Switch Auto Polling value = 0
GPHY FW load for A1x !!
GPHY FIRMWARE LOAD SUCCESSFULLY AT ADDR : 300000
IFX GPHY driver GE Mode, version ifxmips_vr9_gphy: V0.9 - Firmware: 8304
ifx_nor0: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
11 cmdlinepart partitions found on MTD device ifx_nor0
ifx_mtd_init flash0: Using dynamic image partition
Creating 11 MTD partitions on "ifx_nor0":
0x00000000-0x00020000 : "uboot"
0x00020000-0x003b0000 : "pri_image"
0x003b0000-0x00740000 : "sec_image"
0x00740000-0x007c0000 : "btagent"
0x007c0000-0x007d0000 : "pri_bfocus_cfg"
0x007d0000-0x007e0000 : "sec_bfocus_cfg"
0x007e0000-0x007f0000 : "sysconfig"
0x007f0000-0x00800000 : "misc_cfg"
0x00120000-0x003b0000 : "pri_rootfs"
0x004b0000-0x00740000 : "sec_rootfs"
0x00000000-0x00800000 : "all_flash"
Lantiq MTD NOR driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland GmbH

======= ifx_gpio_register(3) =======
Lantiq SSC driver, version 2.2.0, (c) 2001-2010 Lantiq Deutschland GmbH

======= ifx_gpio_register(21) =======
Lantiq SPI EERPOM driver, version 1.1.1, (c) 2001-2010 Lantiq Deutschland GmbH
Lantiq LED driver, version 1.0.15, (c) 2001-2010 Lantiq Deutschland GmbH
nf_conntrack version 0.5.0 (248 buckets, 1984 max)
nf_ct_ftp: registering helper for pf: 2 port: 21
nf_ct_ftp: registering helper for pf: 10 port: 21
ip_conntrack_rtsp v0.6.21 loading
GRE over IPv4 tunneling driver
ip_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_time loading
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 8
atmpvc_init() failed with -17
lec.c: May 25 2012 11:44:27 initialized
mpc.c: May 25 2012 11:44:25 initialized
802.1Q VLAN Support v1.8 Ben Greear &amp;amp;amp;amp;amp;amp;amp;amp;lt;greearb@candelatech.com&amp;amp;amp;amp;amp;amp;amp;amp;gt;
All bugs added by David S. Miller &amp;amp;amp;amp;amp;amp;amp;amp;lt;davem@redhat.com&amp;amp;amp;amp;amp;amp;amp;amp;gt;
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 160k freed
Time: MIPS clocksource has been installed.
Warning: unable to open an initial console.
Algorithmics/MIPS FPU Emulator v1.5
SIOCSIFADDR: No such device
SIOCGIFFLAGS: No such device
SIOCSIFADDR: No such device
SIOCGIFFLAGS: No such device
arc_oshal: module license 'Propritary' taints kernel.
OSHAL: Shared Wrapper Library

HKR DRV: Created Successfully

 ETH LoopBack DRV: Created Successfully !! 

Board Name         : BFocusV2FubR
Bloader Version    : v2.00.01
MAC Address        : 84:9C:A6:xx:xx:xx
Serial Number      : J250179246
Active Image No    : 1

Image Version      : v2.02.01
BuildDate          : 2012/06/14 16:07:18

[system_info_getSystemImageHeaderInfo] can not find signature !!!

SYSINFO DRV: Created Successfully
SYSTEM MAC = 84:9C:A6:xx:xx:xx
IFXOS, Version 1.5.11
&amp;amp;amp;amp;amp;amp;amp;amp;lt;6&amp;amp;amp;amp;amp;amp;amp;amp;gt;(c) Copyright 2007, Infineon Technologies AG
&amp;amp;amp;amp;amp;amp;amp;amp;lt;6&amp;amp;amp;amp;amp;amp;amp;amp;gt;### IFXOS - IFXOS - IFXOS - IFXOS ###

 [ppa_do_ioctl_cmd] : open PPA device (/dev/ifx_ppa) failed. (errno=6)

 [ppa_do_ioctl_cmd] : open PPA device (/dev/ifx_ppa) failed. (errno=6)

 [ppa_do_ioctl_cmd] : open PPA device (/dev/ifx_ppa) failed. (errno=6)
xDSL_MODE_VRX=vdsl
xDSL_MODE_VRX=vdsl
[: 13600: unknown operand

Lantiq CPE API Driver version: DSL CPE API V4.6.3.5-pd3

Predefined debug level: 4
05_01_04_00_04_01_00_07
IFXOS - User Thread Startup &amp;amp;amp;amp;amp;amp;amp;amp;lt;evnthnd&amp;amp;amp;amp;amp;amp;amp;amp;gt;, TID 1026 (PID 1332) - ENTER

VDSL Firmware Ver=5.4.8.6.1.6
IFXOS - User Thread Startup &amp;amp;amp;amp;amp;amp;amp;amp;lt;tPipe_0&amp;amp;amp;amp;amp;amp;amp;amp;gt;, TID 2051 (PID 1337) - ENTER
IFXOS - User Thread Startup &amp;amp;amp;amp;amp;amp;amp;amp;lt;tPipe_1&amp;amp;amp;amp;amp;amp;amp;amp;gt;, TID 3076 (PID 1338) - ENTER
ENTER - Kernel Thread Startup &amp;amp;amp;amp;amp;amp;amp;amp;lt;autbtex&amp;amp;amp;amp;amp;amp;amp;amp;gt;
&amp;amp;amp;amp;amp;amp;amp;amp;lt;7&amp;amp;amp;amp;amp;amp;amp;amp;gt;ENTER - Kernel Thread Startup &amp;amp;amp;amp;amp;amp;amp;amp;lt;pmex_ne&amp;amp;amp;amp;amp;amp;amp;amp;gt;
&amp;amp;amp;amp;amp;amp;amp;amp;lt;7&amp;amp;amp;amp;amp;amp;amp;amp;gt;ENTER - Kernel Thread Startup &amp;amp;amp;amp;amp;amp;amp;amp;lt;pmex_fe&amp;amp;amp;amp;amp;amp;amp;amp;gt;
nReturn=0 

#&amp;amp;amp;amp;amp;amp;amp;amp;lt;&amp;amp;amp;amp;amp;amp;amp;amp;lt; xDSL_MODE_VRX
xDSL_MODE_VRX=vdsl
#&amp;amp;amp;amp;amp;amp;amp;amp;gt;&amp;amp;amp;amp;amp;amp;amp;amp;gt; xDSL_MODE_VRX
cp: `/flash/rc.conf' and `/flash/rc.conf' are the same file
For img_addr 0xb07e0000, nextStartAddr 0xb07f0000 and preEndAddr 0xb07e0000

Writing to Flash...
#
flash writing finished!
For img_addr 0xb07e0000, nextStartAddr 0xb07f0000 and preEndAddr 0xb07e0000

Writing to Flash...
#
flash writing finished!
/ramdisk/flash/BSP-Test-VR9
Setting in flash is VDSL mode
switch init settings...
PPA E5 mode init...
Loading E5 (MII0/1) driver ...... 

Read mac address from U-Boot: 84:9C:A6:xx:xx:xx

Succeeded!
PPE datapath driver info:
  Version ID: 128.3.3.1.0.0.1
  Family    : N/A
  DR Type   : Normal Data Path | Indirect-Fast Path
  Interface : MII0 | MII1
  Mode      : Routing
  Release   : 0.0.1
PPE 0 firmware info:
  Version ID: 7.1.5.1.0.33
  Family    : VR9
  FW Type   : Standard
  Interface : MII0/1 + PTM
  Mode      : reserved - 1
  Release   : 0.33
PPE 1 firmware info:
  Version ID: 7.2.1.6.1.12
  Family    : VR9
  FW Type   : Acceleration
  Interface : MII0 + MII1
  Mode      : Bridging + IPv4 Routing
  Release   : 1.12
PPA API --- init successfully
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
ifx_ppa_init - init succeeded
ptm0      Link encap:Ethernet  HWaddr 84:9C:A6:xx:xx:xx
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

nReturn=0 

nReturn=0 

device br0 already exists; can't create bridge with the same name
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
exec dsl_cpe_pipe.sh dms 0x5048 0000 0001 0001
nReturn=0 nData="5048 0000 0001 "

 File Length            : 00000231
 Commit Image  No       : 00000001
 Reserved               : 00000000
 CRC32                  : 5BD75EE2
 Calculate CRC32    : 5BD75EE2
 MAGIC number      : 1F 8b

 File Length            : 00000231
 Commit Image  No       : 00000001
 Reserved               : 00000000
 CRC32                  : 5BD75EE2
 Calculate CRC32    : 5BD75EE2
 MAGIC number      : 1F 8b

 gz file content  : 1F 8B
./nvram
./nvram/bfocus.xml
[dsl_monitor] get /dev/dsl_cpe_api/0 fd = 4
UPS Monitor fd = 5

 UPS status changed to :  -- Without UPS --
device ptm0 entered promiscuous mode
br0: port 2(ptm0) entering learning state
Delay running DHCPC until DSL link is up ..
cpu_mac = 84:9C:A6:xx:xx:xx
VID0_REMOVE mode is enabled ..
ifx_ppa_init - init succeeded

VID 0 remove is enabled

br0: topology change detected, propagating
br0: port 2(ptm0) entering forwarding state
Disable Debug Mode ..
LAN1 MAXBITRATE=AUTO DUPLEX_MODE=AUTO
LAN2 MAXBITRATE=AUTO DUPLEX_MODE=AUTO
&amp;amp;amp;amp;amp;amp;amp;amp;lt;gphy_proc_power_write&amp;amp;amp;amp;amp;amp;amp;amp;gt; gphy 1, count 2, len 2, buf 1

[gphy_proc_power_write] POWER UP
[gphy_proc_power_write] pdata:0x1000
&amp;amp;amp;amp;amp;amp;amp;amp;lt;gphy_proc_power_write&amp;amp;amp;amp;amp;amp;amp;amp;gt; gphy 0, count 2, len 2, buf 0

[gphy_proc_power_write] POWER DOWN
[gphy_proc_power_write] pdata:0x1800

CFM Device Driver: Created Successfully
VLAN Table size:64:
==========================================================
vlan id:0000 PortMember:0000
vlan id:0040 PortMember:005f
vlan id:0050 PortMember:0c7f
vlan id:0010 PortMember:0860
vlan id:0020 PortMember:0440
vlan id:0101 PortMember:0810
vlan id:0102 PortMember:0804
vlan id:0006 PortMember:0040
vlan id:0011 PortMember:0800
vlan id:0301 PortMember:0840
vlan id:0000 PortMember:0000
vlan id:0000 PortMember:0000
vlan id:0000 PortMember:0000
vlan id:0000 PortMember:0000
vlan id:0000 PortMember:0000
vlan id:0000 PortMember:0000
==========================================================
LAN1 Link Status:0
LAN2 Link Status:0
WAN Link Status:0
LAN1 PVID:101
LAN2 PVID:102
WAN PVID:11
cfm_register_callback_handle_packets enter...
cfm_register_callback_handle_packets succeed...
arcCfmLlStateMachineLIT
arcCfmLlStateMachineLI, event=0
arcCfmLlStateMachineLIT
arcCfmLlStateMachineLI, event=0
arcCfmLlStateMachineLIT
arcCfmLlStateMachineLI, event=0
arcCfmLlStateMachineLIT
arcCfmLlStateMachineLI, event=0
 wdt_ioctl:enable watch dog timer!
The timeout was set to 90 seconds
check bfocus.xml succeed...
BTAgent config finish!!!
BTA: Starting BT Agent
src/plugin.c: Library_load: start plugin_source/libbtagent.so
src/plugin.c: Library_load: success
src/main.c: Agent Plugin: File Path is ../RW/btagent.conf
src/main.c: Agent Plugin: RW config file exists
src/main.c: Agent Plugin: Versions match
src/plugin.c: Library_load: start plugin_source/libbtagent_api.so
src/plugin.c: Library_load: success
src/plugin.c: Library_load: start plugin_source/libfwm.so
src/plugin.c: Library_load: success
src/firmware_manager.c: The data model is not ready1
src/plugin.c: Library_load: start plugin_source/liblogger.so
src/plugin.c: Library_load: success
src/plugin.c: Library_load: start plugin_source/libprobe.so
src/plugin.c: Library_load: success
src/main.c: Loaded source plugins
src/plugin.c: Library_load: start plugin_transport/libsec.so
src/plugin.c: Library_load: success
src/main.c: Loaded transport plugins
src/plugin.c: Library_load: start plugin_parse/libxml.so
src/plugin.c: Library_load: success
src/main.c: Loaded parse plugins

IFX CPE login:
src/firmware_manager.c: J250179246, 2.02.01, BFocusV2FubR, Arcadyan Technology Corp
src/firmware_manager.c: serialNumber atoi is 0
src/firmware_manager.c: connection attempt: 1
src/firmware_manager.c: sleep for 35

… unfortunately this isn’t helpful since, even when presented with a “login” prompt, typed characters aren’t echoed and the system does not seem responsive to (serial) input. This problem seems to have struck another user on the forum linked above, but no resolution was ever reported… perhaps I’ve just got a dodgy USB adapter?

More as I work it out…

By Stuart • Hardware 8

8 Comments

Stuart
18th February 2013 @ 11:36 pm

Update:
No – I’d mis-seated the TXD/RXD pin on pad 2. D’oh!

Random filesystem contents:


# mount
/dev/mtdblock8 on / type squashfs (ro)
proc on /proc type proc (rw)
none on /sys type sysfs (rw)
/dev/ram on /ramdisk type ramfs (rw)
/dev/ram on /dev type ramfs (rw)
/dev/mtdblock3 on /BT/BTAgent/RW type jffs2 (rw)

# find / -xdev -type f
/BT/BTAgent/RO/RWPath
/BT/BTAgent/RO/bfocus.xml
/BT/BTAgent/RO/btagent
/BT/BTAgent/RO/btagent.conf
/BT/BTAgent/RO/btagentstart.sh
/BT/BTAgent/RO/libparseplugins.so
/BT/BTAgent/RO/libplugin.so
/BT/BTAgent/RO/libplugins.so
/BT/BTAgent/RO/libsourceplugins.so
/BT/BTAgent/RO/libtcp.so
/BT/BTAgent/RO/libtransportplugins.so
/BT/BTAgent/RO/plugin_parse/libxml.so
/BT/BTAgent/RO/plugin_source/libbtagent.so
/BT/BTAgent/RO/plugin_source/libbtagent_api.so
/BT/BTAgent/RO/plugin_source/libfwm.so
/BT/BTAgent/RO/plugin_source/liblogger.so
/BT/BTAgent/RO/plugin_source/libprobe.so
/BT/BTAgent/RO/plugin_transport/libsec.so
/BT/BTAgent/RO/publickeys.dat
/BT/BTAgent/RO/publickeys.dat.mms
/BT/BTAgent/RO/publickeys.dat.production
/BT/BTAgent/RO/timestamp.log
/BT/BTAgent/RO/use_mms_publickeys.bat
/BT/BTAgent/RO/use_production_publickeys.bat
/bin/busybox
/bin/busybox2
/etc/banner
/etc/cmv_batch
/etc/codeclist
/etc/config.sh
/etc/device_table.txt
/etc/diag.sh
/etc/fstab
/etc/group
/etc/host.conf
/etc/igmpproxy.conf
/etc/init.d/PPA.sh
/etc/init.d/adm6996.sh
/etc/init.d/adsl_bringup.sh
/etc/init.d/adsl_link_status_update
/etc/init.d/algs
/etc/init.d/algs_bringup.sh
/etc/init.d/algs_start
/etc/init.d/algs_stop
/etc/init.d/boot
/etc/init.d/cli
/etc/init.d/create_ppp_cfg
/etc/init.d/create_rip_config
/etc/init.d/ddns
/etc/init.d/ddns_start
/etc/init.d/ddns_stop
/etc/init.d/demo_setup
/etc/init.d/disable_voip
/etc/init.d/dnrd.sh
/etc/init.d/dns_relay
/etc/init.d/dns_relay_start
/etc/init.d/dns_relay_stop
/etc/init.d/enable_fax
/etc/init.d/enable_voip
/etc/init.d/ftpd
/etc/init.d/get_min
/etc/init.d/httpd
/etc/init.d/ifx_cpe_control_init.sh
/etc/init.d/ifx_load_cpe_mei_drv.sh
/etc/init.d/ifx_load_dsl_cpe_api.sh
/etc/init.d/ifx_load_ifxos_drv.sh
/etc/init.d/ifx_show_version.sh
/etc/init.d/igmp
/etc/init.d/igmp_start
/etc/init.d/igmp_stop
/etc/init.d/igmpd
/etc/init.d/inetd
/etc/init.d/inetd_start
/etc/init.d/init_ipqos.sh
/etc/init.d/ipv6.sh
/etc/init.d/kill_ppp_proc
/etc/init.d/lan_services_bringup.sh
/etc/init.d/lo_ipfwd_hosts.sh
/etc/init.d/nfext.sh
/etc/init.d/node_gpio.sh
/etc/init.d/ntpc
/etc/init.d/ntpc_start
/etc/init.d/ntpc_stop
/etc/init.d/oam
/etc/init.d/oam_apply_setting
/etc/init.d/oam_start
/etc/init.d/oam_stop
/etc/init.d/opt_rt_conn.sh
/etc/init.d/passwd.sh
/etc/init.d/pif
/etc/init.d/pif_start
/etc/init.d/pif_stop
/etc/init.d/pmcu.sh
/etc/init.d/policy_routing
/etc/init.d/policy_routing_start
/etc/init.d/policy_routing_stop
/etc/init.d/port_trigger.sh
/etc/init.d/port_trigger_add
/etc/init.d/port_trigger_delete
/etc/init.d/port_trigger_init
/etc/init.d/postinit
/etc/init.d/ppp_demand.sh
/etc/init.d/pppoa
/etc/init.d/pppoa_start
/etc/init.d/pppoa_stop
/etc/init.d/pppoe
/etc/init.d/pppoe_start
/etc/init.d/pppoe_stop
/etc/init.d/qos
/etc/init.d/qos_apply_priority
/etc/init.d/qos_downstream_start
/etc/init.d/qos_init
/etc/init.d/qos_rate_update
/etc/init.d/qos_start
/etc/init.d/qos_start_lan
/etc/init.d/qos_start_wan
/etc/init.d/qos_stop
/etc/init.d/qos_stop_lan
/etc/init.d/qos_stop_wan
/etc/init.d/qos_upstream_start
/etc/init.d/rcS
/etc/init.d/rcS.bsp
/etc/init.d/rcS.device
/etc/init.d/rcS.router
/etc/init.d/resolv.sh
/etc/init.d/ripd
/etc/init.d/ripd_start
/etc/init.d/ripd_stop
/etc/init.d/sip_alg
/etc/init.d/sip_alg_start
/etc/init.d/sip_alg_stop
/etc/init.d/snmp.sh
/etc/init.d/source_modelconfig.sh
/etc/init.d/sshd
/etc/init.d/sshd_start
/etc/init.d/sshd_stop
/etc/init.d/switch_api.sh
/etc/init.d/syslogd.sh
/etc/init.d/tc.sh
/etc/init.d/telnetd
/etc/init.d/tftpd
/etc/init.d/udhcpc
/etc/init.d/udhcpd
/etc/init.d/udhcpd_pool_conf
/etc/init.d/udhcpd_start
/etc/init.d/usb_host_device.sh
/etc/init.d/version.sh
/etc/init.d/vlan
/etc/init.d/vlan.sh
/etc/init.d/vlan_common.sh
/etc/init.d/vlan_membership_apply
/etc/init.d/vlan_start
/etc/init.d/vlan_stop
/etc/init.d/voip_ports_cfg
/etc/init.d/wan_bringup.sh
/etc/init.d/wlan_bringup.sh
/etc/init.d/xdsl_esh.sh
/etc/init.d/xdslrc.sh
/etc/init_a5.script
/etc/init_a5_2.script
/etc/init_d5.script
/etc/init_d5_2.script
/etc/inittab
/etc/ipsec1-3des.conf
/etc/ipsec1-aes.conf
/etc/ipsec1-des.conf
/etc/ipsec2-3des.conf
/etc/ipsec2-aes.conf
/etc/ipsec2-des.conf
/etc/modules.conf
/etc/modules.d/40-ipt-core
/etc/ppp/dhcp-ipv6
/etc/ppp/ip-down
/etc/ppp/ip-up
/etc/preinit
/etc/rc.common
/etc/rc.conf.gz
/etc/rc.d/adsl_down
/etc/rc.d/adsl_up
/etc/rc.d/ath_wlan_start
/etc/rc.d/ath_wlan_stop
/etc/rc.d/backup
/etc/rc.d/backup_voip
/etc/rc.d/bringup_dnsmasq
/etc/rc.d/bringup_wan_dhcp6c
/etc/rc.d/checkpid
/etc/rc.d/create_and_run_dhcp6c_cfg
/etc/rc.d/create_clip_if
/etc/rc.d/create_eth_if
/etc/rc.d/create_mpoa_if
/etc/rc.d/create_ptm_if
/etc/rc.d/del_line
/etc/rc.d/delete_clip_if
/etc/rc.d/delete_eth_if
/etc/rc.d/delete_mpoa_if
/etc/rc.d/delete_ptm_if
/etc/rc.d/dhcp-ipv6
/etc/rc.d/free_memory.sh
/etc/rc.d/get_default_wan_config
/etc/rc.d/get_lan_if
/etc/rc.d/get_wan_if
/etc/rc.d/get_wlan_stats
/etc/rc.d/install_mps_devices.sh
/etc/rc.d/invoke_upgrade.sh
/etc/rc.d/ipqos_class_add
/etc/rc.d/ipqos_class_delete
/etc/rc.d/ipqos_class_skip
/etc/rc.d/ipqos_disable
/etc/rc.d/ipqos_init
/etc/rc.d/ipqos_mgmt
/etc/rc.d/ipqos_mgmt_traffic_config
/etc/rc.d/ipqos_q_mgmt
/etc/rc.d/ipqos_rate_update
/etc/rc.d/ipv6-dns-update
/etc/rc.d/killproc
/etc/rc.d/lan_wan_isolation.sh
/etc/rc.d/mgmt.sh
/etc/rc.d/model_config.sh
/etc/rc.d/port_drill
/etc/rc.d/ppa_config.sh
/etc/rc.d/ppa_up_config
/etc/rc.d/ppe_ipqos_disable
/etc/rc.d/ppe_ipqos_init
/etc/rc.d/ppe_ipqos_main
/etc/rc.d/ppe_ipqos_mii0cfg
/etc/rc.d/ppe_ipqos_q_init
/etc/rc.d/ppe_ipqos_q_mgmt
/etc/rc.d/ppe_ipqos_start
/etc/rc.d/rc.bringup_adsl
/etc/rc.d/rc.bringup_adsl_start
/etc/rc.d/rc.bringup_adsl_stop
/etc/rc.d/rc.bringup_lan
/etc/rc.d/rc.bringup_lan_start
/etc/rc.d/rc.bringup_lan_stop
/etc/rc.d/rc.bringup_services
/etc/rc.d/rc.bringup_services_start
/etc/rc.d/rc.bringup_services_stop
/etc/rc.d/rc.bringup_staticRoutes
/etc/rc.d/rc.bringup_voip_start
/etc/rc.d/rc.bringup_voip_stop
/etc/rc.d/rc.bringup_wan
/etc/rc.d/rc.bringup_wan_services
/etc/rc.d/rc.bringup_wan_services_start
/etc/rc.d/rc.bringup_wan_services_stop
/etc/rc.d/rc.bringup_wan_start
/etc/rc.d/rc.bringup_wan_stop
/etc/rc.d/rc.bringup_wireless
/etc/rc.d/rc.bringup_wireless_start
/etc/rc.d/rc.bringup_wireless_stop
/etc/rc.d/rc.bringup_wlan
/etc/rc.d/rc.firewall
/etc/rc.d/rc.firewall_app_filter
/etc/rc.d/rc.firewall_app_filter_start
/etc/rc.d/rc.firewall_app_filter_stop
/etc/rc.d/rc.firewall_dos
/etc/rc.d/rc.firewall_dos_start
/etc/rc.d/rc.firewall_start
/etc/rc.d/rc.getBridgeIfs
/etc/rc.d/rc.getBridgeStats
/etc/rc.d/rc.getIfStats
/etc/rc.d/rc.staticRoutes
/etc/rc.d/rebootcpe.sh
/etc/rc.d/restore_tr69_defaults
/etc/rc.d/rt_media.sh
/etc/rc.d/save_calibrate
/etc/rc.d/save_fwdiag
/etc/rc.d/sip.sh
/etc/rc.d/tsc_wlan_start
/etc/rc.d/tsc_wlan_stop
/etc/rc.d/udhcpc.script
/etc/rc.d/udhcpc_lan.script
/etc/rc.d/voip_port.sh
/etc/rc.d/wave_wlan_sec_capability
/etc/rc.d/wlan_ap_start
/etc/rc.d/wlan_ap_stop
/etc/rc.d/wlan_capability
/etc/rc.d/wlan_get_ap_dyn_info
/etc/rc.d/wlan_get_assoc
/etc/rc.d/wlan_get_radio_dyn_info
/etc/rc.d/wlan_get_stats
/etc/rc.d/wlan_get_wps_dyn_info
/etc/rc.d/wlan_get_wps_regs_dyn_info
/etc/rc.d/wlan_init
/etc/rc.d/wlan_mac_ctrl_modify
/etc/rc.d/wlan_remove_vap
/etc/rc.d/wlan_sec_modify
/etc/rc.d/wlan_wps_get_profile
/etc/services
/etc/shells
/etc/snmpd.conf
/etc/sys.conf
/etc/sys.conf.device
/etc/timestamp
/etc/version
/etc/voip.conf.tgz
/lib/firmware/2.6.20.19/dsl_vr9_firmware_xdsl-05.04.08.06.01.06_05.04.04.04.00.01.bin
/lib/ld-uClibc-0.9.30.1.so
/lib/libIFXAPIs.so
/lib/libatm.so.1.0.0
/lib/libbtagent_api.so.1
/lib/libcrypt-0.9.30.1.so
/lib/libdl-0.9.30.1.so
/lib/libgcc_s.so.1
/lib/libifx_common.so
/lib/libifx_osa.so
/lib/libm-0.9.30.1.so
/lib/libnsl-0.9.30.1.so
/lib/libpthread-0.9.30.1.so
/lib/libresolv-0.9.30.1.so
/lib/librt-0.9.30.1.so
/lib/libuClibc-0.9.30.1.so
/lib/libutil-0.9.30.1.so
/lib/modules/2.6.20.19/arc_oshal.ko
/lib/modules/2.6.20.19/cfm-8021ag.ko
/lib/modules/2.6.20.19/eth_loopback_core.ko
/lib/modules/2.6.20.19/hkr_core.ko
/lib/modules/2.6.20.19/ifx_nfext_core.ko
/lib/modules/2.6.20.19/ifx_nfext_ppp.ko
/lib/modules/2.6.20.19/ifx_ppa_api.ko
/lib/modules/2.6.20.19/ifx_ppa_api_proc.ko
/lib/modules/2.6.20.19/ifxmips_ppa_datapath_vr9_a5.ko
/lib/modules/2.6.20.19/ifxmips_ppa_datapath_vr9_e5.ko
/lib/modules/2.6.20.19/ifxmips_ppa_hal_vr9_a5.ko
/lib/modules/2.6.20.19/ifxmips_ppa_hal_vr9_e5.ko
/lib/modules/2.6.20.19/power_saving_driver.ko
/lib/modules/2.6.20.19/sysinfo_core.ko
/lib/modules/2.6.20.19/xt_comment.ko
/lib/upgrade/platform.sh
/opt/lantiq/bin/adsl.scr
/opt/lantiq/bin/alias_drv_mei_cpe.sh
/opt/lantiq/bin/alias_dsl_cpe.sh
/opt/lantiq/bin/debug_level.cfg
/opt/lantiq/bin/drv_dsl_cpe_api.ko
/opt/lantiq/bin/drv_ifxos.ko
/opt/lantiq/bin/dsl_cpe_control
/opt/lantiq/bin/dsl_cpe_pipe.sh
/opt/lantiq/bin/enable_ARC_JTAG.sh
/opt/lantiq/bin/ifx_mei_cpe_drv_init.sh
/opt/lantiq/bin/inst_driver.sh
/opt/lantiq/bin/inst_drv_cpe_api.sh
/opt/lantiq/bin/inst_drv_mei_cpe.sh
/opt/lantiq/bin/mei_cpe_drv_test
/opt/lantiq/bin/vdsl.scr
/opt/lantiq/bin/what.sh
/opt/lantiq/bin/whatz.sh
/ramdisk_copy/etc/dsl_api/cmv_scripts
/ramdisk_copy/etc/hosts
/ramdisk_copy/etc/ilmid/ilmid.conf
/ramdisk_copy/etc/inetd.conf
/ramdisk_copy/etc/passwd
/ramdisk_copy/etc/ppp/resolv.conf
/ramdisk_copy/etc/ripd.conf
/ramdisk_copy/etc/snmp/snmpd.conf
/ramdisk_copy/etc/udhcpd.conf
/ramdisk_copy/flash/BSP-Test/bringup_bridge_multipvc.sh
/ramdisk_copy/flash/BSP-Test/bringup_dhcp_mii0.sh
/ramdisk_copy/flash/BSP-Test/bringup_dhcp_wanatm.sh
/ramdisk_copy/flash/BSP-Test/bringup_dhcp_wanatm_ppa.sh
/ramdisk_copy/flash/BSP-Test/bringup_dhcp_waneth.sh
/ramdisk_copy/flash/BSP-Test/bringup_dhcp_waneth_ppa.sh
/ramdisk_copy/flash/BSP-Test/bringup_pppoatm.sh
/ramdisk_copy/flash/BSP-Test/bringup_pppoatm_ppa.sh
/ramdisk_copy/flash/BSP-Test/bringup_pppoe_mii0.sh
/ramdisk_copy/flash/BSP-Test/bringup_pppoe_wanatm.sh
/ramdisk_copy/flash/BSP-Test/bringup_pppoe_wanatm_ppa.sh
/ramdisk_copy/flash/BSP-Test/bringup_pppoe_waneth.sh
/ramdisk_copy/flash/BSP-Test/bringup_pppoe_waneth_ppa.sh
/ramdisk_copy/flash/BSP-Test/bringup_staticip_mii0.sh
/ramdisk_copy/flash/BSP-Test/bringup_staticip_wanatm.sh
/ramdisk_copy/flash/BSP-Test/bringup_staticip_wanatm_ppa.sh
/ramdisk_copy/flash/BSP-Test/bringup_staticip_waneth.sh
/ramdisk_copy/flash/BSP-Test/bringup_staticip_waneth_ppa.sh
/ramdisk_copy/flash/BSP-Test/bringup_tapidemo.sh
/ramdisk_copy/flash/BSP-Test-VR9/PPA_A5_hwbridge_switch_conf.sh
/ramdisk_copy/flash/BSP-Test-VR9/PPA_A5_routing_switch_conf.sh
/ramdisk_copy/flash/BSP-Test-VR9/PPA_E5_hwbridge_switch_conf.sh
/ramdisk_copy/flash/BSP-Test-VR9/PPA_E5_routing_switch_conf.sh
/ramdisk_copy/flash/BSP-Test-VR9/PPA_integrated_script.sh
/ramdisk_copy/flash/BSP-Test-VR9/bringup_lan_wan_ethernet.sh
/ramdisk_copy/flash/BSP-Test-VR9/bringup_usb_device.sh
/ramdisk_copy/flash/BSP-Test-VR9/bringup_usb_host.sh
/ramdisk_copy/flash/BSP-Test-VR9/bringup_wan_nat.sh
/ramdisk_copy/flash/BSP-Test-VR9/bringup_wan_pppoe.sh
/ramdisk_copy/flash/BSP-Test-VR9/bringup_wan_pvc.sh
/ramdisk_copy/flash/BSP-Test-VR9/bringup_xdsl_mode.sh
/ramdisk_copy/flash/BSP-Test-VR9/change_xdsl_mode.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_ppe.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_switch.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_switch_atm.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_switch_atm_novlan.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_switch_loopback.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_switch_loopback_bcast_block.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_switch_loopback_bcast_block_disable.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_switch_loopback_disable.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_switch_loopback_mcast_block.sh
/ramdisk_copy/flash/BSP-Test-VR9/cusb_modem_switch_loopback_mcast_block_disable.sh
/ramdisk_copy/flash/BSP-Test-VR9/rc.conf.gz
/ramdisk_copy/flash/BSP-Test-VR9/reset_to_bsp_default.sh
/ramdisk_copy/flash/BSP-Test-VR9/reset_too_default.sh
/ramdisk_copy/flash/env.sh
/ramdisk_copy/flash/lock.txt
/ramdisk_copy/flash/print_debug_info.sh
/ramdisk_copy/tmp/system_status
/ramdisk_copy/var/lib/misc/udhcpd.leases
/sbin/flash_eraseall
/sbin/flash_upgrade
/sbin/modprobe.sh
/sbin/ppacmd
/usr/bin/oamctl
/usr/bin/oamd
/usr/bin/switch_utility
/usr/bin/wget
/usr/lib/libltdl.so.3.1.5
/usr/lib/libmatrixssl.so
/usr/lib/liboamapi.so
/usr/lib/libpcap.so.0.9.8
/usr/lib/opkg/info/8021ag.list
/usr/lib/opkg/info/atm-tools.list
/usr/lib/opkg/info/base-files-ifxcpe.list
/usr/lib/opkg/info/base-files-vr9-bsp.list
/usr/lib/opkg/info/board.list
/usr/lib/opkg/info/br2684ctl.list
/usr/lib/opkg/info/bridge-utils.list
/usr/lib/opkg/info/btagent.list
/usr/lib/opkg/info/busybox.list
/usr/lib/opkg/info/cfg.list
/usr/lib/opkg/info/gpio.list
/usr/lib/opkg/info/hkr.list
/usr/lib/opkg/info/ifx-IFXAPIs.list
/usr/lib/opkg/info/ifx-base-files-common.list
/usr/lib/opkg/info/ifx-config.list
/usr/lib/opkg/info/ifx-dsl-cpe-api-vrx.list
/usr/lib/opkg/info/ifx-dsl-cpe-control-vrx.list
/usr/lib/opkg/info/ifx-dsl-cpe-mei-vrx.list
/usr/lib/opkg/info/ifx-dsl-vr9-firmware-xdsl.list
/usr/lib/opkg/info/ifx-ethsw.list
/usr/lib/opkg/info/ifx-oam.list
/usr/lib/opkg/info/ifx-os.list
/usr/lib/opkg/info/ifx-utilities.list
/usr/lib/opkg/info/image-tools.list
/usr/lib/opkg/info/kernel.list
/usr/lib/opkg/info/kmod-arc.list
/usr/lib/opkg/info/kmod-cfm-8021ag.list
/usr/lib/opkg/info/kmod-eth.list
/usr/lib/opkg/info/kmod-hkr.list
/usr/lib/opkg/info/kmod-ifx-nfext.list
/usr/lib/opkg/info/kmod-ifxcpe.list
/usr/lib/opkg/info/kmod-ipt-core.list
/usr/lib/opkg/info/kmod-power.list
/usr/lib/opkg/info/kmod-sysinfo.list
/usr/lib/opkg/info/libgcc.list
/usr/lib/opkg/info/libmatrixssl-nothread.list
/usr/lib/opkg/info/libpcap.list
/usr/lib/opkg/info/libpthread.list
/usr/lib/opkg/info/libtool.list
/usr/lib/opkg/info/linux-atm.list
/usr/lib/opkg/info/mtd.list
/usr/lib/opkg/info/open.list
/usr/lib/opkg/info/power.list
/usr/lib/opkg/info/tcpdump-mini.list
/usr/lib/opkg/info/uclibc.list
/usr/lib/opkg/info/wget-gpl-v2-matrixssl.list
/usr/lib/opkg/status
/usr/sbin/br2684ctl
/usr/sbin/br2684ctld
/usr/sbin/brctl
/usr/sbin/bringup_adsl.sh
/usr/sbin/bringup_igmpproxy.sh
/usr/sbin/bringup_ipsec1.sh
/usr/sbin/bringup_ipsec1_nonat.sh
/usr/sbin/bringup_ipsec2.sh
/usr/sbin/bringup_ipsec2_nonat.sh
/usr/sbin/bringup_qos_demo.sh
/usr/sbin/bringup_qos_demo2.sh
/usr/sbin/bringup_single_mii_1.sh
/usr/sbin/bringup_single_mii_2.sh
/usr/sbin/bringup_tapidemo.sh
/usr/sbin/bringup_vdsl.sh
/usr/sbin/btagent_arc_version
/usr/sbin/char_dev_node_create.sh
/usr/sbin/check_dsl_status.sh
/usr/sbin/dhcpc_monitor.sh
/usr/sbin/factorycfg.sh
/usr/sbin/free_dma
/usr/sbin/ifx_util
/usr/sbin/init_power_saving.sh
/usr/sbin/mkfs_mtd.sh
/usr/sbin/mknod_util
/usr/sbin/nas_create.sh
/usr/sbin/next_macaddr
/usr/sbin/patches_list.sh
/usr/sbin/power_saving
/usr/sbin/restore_dsl_settings.sh
/usr/sbin/save_dsl_setting.sh
/usr/sbin/save_dsl_settings.sh
/usr/sbin/savecfg.sh
/usr/sbin/status_oper
/usr/sbin/swreset
/usr/sbin/t.sh
/usr/sbin/tcpdump
/usr/sbin/upgrade
/usr/sbin/util_8021ag
/usr/sbin/util_binfo
/usr/sbin/util_cfg_xml
/usr/sbin/util_gpio
/usr/sbin/util_hkr_mgr
/usr/sbin/util_hkr_mgrd
/usr/sbin/util_hkr_xdsld
/usr/sbin/version.sh
/usr/sbin/vg3503j_bloader_upgrade.sh
/usr/sbin/vg3503j_bringup_xdsl_mode.sh
/usr/sbin/vg3503j_bt_xml_modify.sh
/usr/sbin/vg3503j_cfg_store.sh
/usr/sbin/vg3503j_cfm_cfg.sh
/usr/sbin/vg3503j_change_xdsl_mode.sh
/usr/sbin/vg3503j_config_coc.sh
/usr/sbin/vg3503j_config_debug_mode.sh
/usr/sbin/vg3503j_config_development_mode.sh
/usr/sbin/vg3503j_create_virtual_interface.sh
/usr/sbin/vg3503j_detect_btagent.sh
/usr/sbin/vg3503j_gphy_led.sh
/usr/sbin/vg3503j_ifconfig_set.sh
/usr/sbin/vg3503j_img_download.sh
/usr/sbin/vg3503j_img_upgrade.sh
/usr/sbin/vg3503j_lan_cfg.sh
/usr/sbin/vg3503j_ledtest.sh
/usr/sbin/vg3503j_restart_dhcpc.sh
/usr/sbin/vg3503j_set_debug_mode.sh
/usr/sbin/vg3503j_switch_dsl_mode.sh
/usr/sbin/vg3503j_switch_vlan_mode.sh
/usr/sbin/vg3503j_vlan_test.sh
/usr/sbin/vg3503j_wan_cfg.sh
/usr/sbin/vg3503j_wan_if_cfg.sh
/usr/sbin/vlan_internal_info_dump.sh
/usr/sbin/vlanctl
/usr/sbin/wan_info_clear.sh
/usr/sbin/wan_info_dump.sh
/usr/sbin/wan_monitor_start.sh
/usr/sbin/wan_monitor_stop.sh
/usr/share/udhcpc/default.script

# find /BT/BTAgent/RW/ -xdev -type f
/BT/BTAgent/RW/btagent.conf
# cat /BT/BTAgent/RW/btagent.conf 
|BTAgent.ForceReboot||1|ForceReboot
|BTAgent.Restart||1|Restart
|BTAgent.Version|1.21|4|
|BTAgent.FirmwareInformServerIP|firmware.mms.bt.com|6|
|BTAgent.FirmwareInformServerPort|80|6|
|BTAgent.FirmwareInformRequest|GET /%s.txt?modelName=%s&manufacturer=%s&serialnumber=%s&firmwareversion=%s%s HTTP/1.1|6|
|BTAgent.FirmwareInformPeriod|86400|6|
|BTAgent.Default.FirmwareInformPeriod|86400|4|
|BTAgent.Default.FirmwarePullEnable|0|4|
|BTAgent.FirmwarePullEnable|0|6|
|BTAgent.FirmwarePullDelay|0|6|
|BTAgent.FirmwareSupported||6|
|BTAgent.FirmwareAdditional1||6|
|BTAgent.FirmwareAdditional2||6|
|BTAgent.MaxAttempts|10|6|
|BTAgent.ConnectTimeout|60|6|
|BTAgent.TimeoutMultiple|2|6|

# ls /ramdisk/
etc          flash        nvram        tftp_upload  tmp          var
# find /ramdisk -xdev -type f
/ramdisk/nvram/bfocus.xml
/ramdisk/var/log/messages
/ramdisk/var/lib/misc/udhcpd.leases
/ramdisk/tmp/bfocus.conf
/ramdisk/tmp/adsl_status
/ramdisk/tmp/vdsl
/ramdisk/tmp/macaddress
/ramdisk/tmp/system_status
/ramdisk/flash/passwd
/ramdisk/flash/rc.conf
/ramdisk/flash/print_debug_info.sh
/ramdisk/flash/lock.txt
/ramdisk/flash/env.sh
/ramdisk/flash/BSP-Test-VR9/reset_too_default.sh
/ramdisk/flash/BSP-Test-VR9/reset_to_bsp_default.sh
/ramdisk/flash/BSP-Test-VR9/rc.conf.gz
/ramdisk/flash/BSP-Test-VR9/cusb_modem_switch_loopback_mcast_block_disable.sh
/ramdisk/flash/BSP-Test-VR9/cusb_modem_switch_loopback_mcast_block.sh
/ramdisk/flash/BSP-Test-VR9/cusb_modem_switch_loopback_disable.sh
/ramdisk/flash/BSP-Test-VR9/cusb_modem_switch_loopback_bcast_block_disable.sh
/ramdisk/flash/BSP-Test-VR9/cusb_modem_switch_loopback_bcast_block.sh
/ramdisk/flash/BSP-Test-VR9/cusb_modem_switch_loopback.sh
/ramdisk/flash/BSP-Test-VR9/cusb_modem_switch_atm_novlan.sh
/ramdisk/flash/BSP-Test-VR9/cusb_modem_switch_atm.sh
/ramdisk/flash/BSP-Test-VR9/cusb_modem_switch.sh
/ramdisk/flash/BSP-Test-VR9/cusb_modem_ppe.sh
/ramdisk/flash/BSP-Test-VR9/change_xdsl_mode.sh
/ramdisk/flash/BSP-Test-VR9/bringup_xdsl_mode.sh
/ramdisk/flash/BSP-Test-VR9/bringup_wan_pvc.sh
/ramdisk/flash/BSP-Test-VR9/bringup_wan_pppoe.sh
/ramdisk/flash/BSP-Test-VR9/bringup_wan_nat.sh
/ramdisk/flash/BSP-Test-VR9/bringup_usb_host.sh
/ramdisk/flash/BSP-Test-VR9/bringup_usb_device.sh
/ramdisk/flash/BSP-Test-VR9/bringup_lan_wan_ethernet.sh
/ramdisk/flash/BSP-Test-VR9/PPA_integrated_script.sh
/ramdisk/flash/BSP-Test-VR9/PPA_E5_routing_switch_conf.sh
/ramdisk/flash/BSP-Test-VR9/PPA_E5_hwbridge_switch_conf.sh
/ramdisk/flash/BSP-Test-VR9/PPA_A5_routing_switch_conf.sh
/ramdisk/flash/BSP-Test-VR9/PPA_A5_hwbridge_switch_conf.sh
/ramdisk/flash/BSP-Test/bringup_tapidemo.sh
/ramdisk/flash/BSP-Test/bringup_staticip_waneth_ppa.sh
/ramdisk/flash/BSP-Test/bringup_staticip_waneth.sh
/ramdisk/flash/BSP-Test/bringup_staticip_wanatm_ppa.sh
/ramdisk/flash/BSP-Test/bringup_staticip_wanatm.sh
/ramdisk/flash/BSP-Test/bringup_staticip_mii0.sh
/ramdisk/flash/BSP-Test/bringup_pppoe_waneth_ppa.sh
/ramdisk/flash/BSP-Test/bringup_pppoe_waneth.sh
/ramdisk/flash/BSP-Test/bringup_pppoe_wanatm_ppa.sh
/ramdisk/flash/BSP-Test/bringup_pppoe_wanatm.sh
/ramdisk/flash/BSP-Test/bringup_pppoe_mii0.sh
/ramdisk/flash/BSP-Test/bringup_pppoatm_ppa.sh
/ramdisk/flash/BSP-Test/bringup_pppoatm.sh
/ramdisk/flash/BSP-Test/bringup_dhcp_waneth_ppa.sh
/ramdisk/flash/BSP-Test/bringup_dhcp_waneth.sh
/ramdisk/flash/BSP-Test/bringup_dhcp_wanatm_ppa.sh
/ramdisk/flash/BSP-Test/bringup_dhcp_wanatm.sh
/ramdisk/flash/BSP-Test/bringup_dhcp_mii0.sh
/ramdisk/flash/BSP-Test/bringup_bridge_multipvc.sh
/ramdisk/etc/udhcpd.conf
/ramdisk/etc/snmp/snmpd.conf
/ramdisk/etc/ripd.conf
/ramdisk/etc/ppp/resolv.conf
/ramdisk/etc/passwd
/ramdisk/etc/inetd.conf
/ramdisk/etc/ilmid/ilmid.conf
/ramdisk/etc/hosts
/ramdisk/etc/dsl_api/cmv_scripts

Stuart
18th February 2013 @ 11:45 pm

Default settings:

# /usr/sbin/vg3503j_bt_xml_modify.sh
Usage:  
        <group name> <entry name> <entry value> 

Current XML Config:

<WAN_CFG_GROUP_T_00>
<media_type>VDSL</media_type> <!-- VDSL | ADSL -->
<ip_cfg_option>DHCP</ip_cfg_option> <!-- DHCP | STATIC -->
<ipv4_address>192.168.1.1</ipv4_address>
<ipv4_mask>255.255.255.0</ipv4_mask>
<ipv4_default_gw>192.168.1.254</ipv4_default_gw>
<ipv4_primary_dns>0.0.0.0</ipv4_primary_dns>
<ipv4_secondary_dns>0.0.0.0</ipv4_secondary_dns>
<development_phase>DISABLE</development_phase>
<lan1_mgm_fixed_ip>192.168.168.168</lan1_mgm_fixed_ip>
<untag_mgm_fixed_ip>192.168.2.1</untag_mgm_fixed_ip>
<lan_mgm_admin>DISABLE</lan_mgm_admin>
<lan1_port_admin>ENABLE</lan1_port_admin>
<lan2_port_admin>DISABLE</lan2_port_admin>
<lan1_maxbitrate>Auto</lan1_maxbitrate>
<lan2_maxbitrate>Auto</lan2_maxbitrate>
<lan1_duplex_mode>Auto</lan1_duplex_mode>
<lan2_duplex_mode>Auto</lan2_duplex_mode>
<vlan_mode>VID0_REMOVE</vlan_mode> <!-- TRANSPARENT | VID0_REMOVE -->
</WAN_CFG_GROUP_T_00>

<ATM_BR2684_CFG_GROUP_T_00>
<enable>ON</enable>
<nas_if_num>0</nas_if_num>
<vpi_num>0</vpi_num>
<vci_num>33</vci_num>
<qos_type>UBR</qos_type>
</ATM_BR2684_CFG_GROUP_T_00>

Stuart
18th February 2013 @ 11:52 pm

Default running processes (no external connections):


# ps -ef
  PID  Uid     VmSize Stat Command
    1 root        440 S   init       
    2 root            RWN [ksoftirqd/0]
    3 root            SW  [watchdog/0]
    4 root            SW< [events/0]
    5 root            SW< [khelper]
    6 root            SW< [kthread]
   26 root            SW< [kblockd/0]
   39 root            SW  [pdflush]
   40 root            SW  [pdflush]
   41 root            SW< [kswapd0]
   42 root            SW< [aio/0]
   76 root            SW  [mtdblockd]
 1329 root        564 S   /opt/lantiq/bin/dsl_cpe_control -i05_01_04_00_04_01_0
 1331 root        564 S   /opt/lantiq/bin/dsl_cpe_control -i05_01_04_00_04_01_0
 1332 root        564 S   /opt/lantiq/bin/dsl_cpe_control -i05_01_04_00_04_01_0
 1337 root        564 S   /opt/lantiq/bin/dsl_cpe_control -i05_01_04_00_04_01_0
 1338 root        564 S   /opt/lantiq/bin/dsl_cpe_control -i05_01_04_00_04_01_0
 1364 root            SW  [autbtex]
 1365 root            SW  [pmex_ne]
 1366 root            SW  [pmex_fe]
 2098 root        364 S   /sbin/syslogd -s 8 -b 2 -l 8 
 3190 root        348 S   /usr/sbin/util_hkr_mgrd 
 3452 root            SW< [cfmEntry]
 3453 root            SW< [cfmT]
 3454 root            SW< [cfmC]
 3455 root            SW< [cfmL]
 3456 root            SW< [cfmP]
 3485 root        328 S   /sbin/watchdog -t 90 /dev/ifx_wdt 
 3490 root            SWN [jffs2_gcd_mtd3]
 3492 root        452 S   /bin/sh /BT/BTAgent/RO/btagentstart.sh 
 3495 root        544 S   -sh 
 3497 root        728 S   ./btagent 
 3498 root        728 S   ./btagent 
 3499 root        728 S   ./btagent 
 3500 root        728 S   ./btagent 
 3801 root        448 R   ps -ef

David Shelton
29th April 2013 @ 3:32 pm

Hello Stuart,

Im David Shelton, no relation I think! im trying to understand what exactly is locked on these, I want to use one with edpnet in belgium for their VDSL service.

Cheers

David

Reply
Stuart
1st May 2013 @ 11:00 am

Hi David,

The main reason for unlocking these devices (other than, hey, because we can 😉 is to re-enable the admin interfaces and to get enhanced statistics which the devices gather but which aren’t accessible by default.

I suspect that you’d be fine using one outside of the UK – although you might want to ensure that the ‘btagent’ process is removed. I suspect that this is reporting and connect-out only – but given that the source isn’t available, one can only guess…

Hope this helps,

Stuart

Reply
- ben
  27th May 2014 @ 3:48 pm
  
  Did you proceed from terminal access to unlocking? Was it just a matter of editing the config shell script…?
  
  Reply
- Syst3mSh0ck
  27th December 2014 @ 11:51 am
  
  Hi Stuart, thanks for the useful information you’ve put on here. I’m just wondering if you’ve managed to locate a modified firmware image for the updated ECI “R” revision or if you have managed to modify it yourself?
  
  Cheers.
  
  Reply
bcm
21st March 2015 @ 10:04 am

How about df? I’m curious what free space there is on the stock firmware for hacking in?

Reply

Unlocking the ECI B-FOCuS V-2FUb/r Rev. B VDSL modem

Like this:

Related

8 Comments

Leave a ReplyCancel reply

Archives

Categories

Subscribe to Blog via Email

Unlocking the ECI B-FOCuS V-2FUb/r Rev. B VDSL modem

Share this:

Like this:

Related

8 Comments

Leave a ReplyCancel reply

Archives

Categories

Subscribe to Blog via Email