Feb 18 2013
Unlocking the ECI B-FOCuS V-2FUb/r Rev. B VDSL modem
BT ships a variety of modems for its VDSL/Infinity product. There are ongoing discussions regarding the merits of each, but what they all have in common is that they are locked down and inaccessible. The Huawei HG612 is theoretically the easiest to root, as described – but this does require loading a custom firmware. Additionally, mine re-locked itself and I’ve been unable to get into firmware-recovery mode since 🙁
The ECI B-FOCuS V-2FUb/I Rev. 1B can be unlocked via a serial connection without any need to replace the stock firmware – details here.
What I didn’t realise is that there are two versions of the ECI modem – the one I’ve just acquired exposing fewer features when unlocked. It also has a different PCB layout, and seems more problematic to get into. I was, however, able to free all of the internal clips by removing the screws beneath the two rubber feet and then prising the case apart, starting with the rear corners and then moving to the smallest clip – above the ethernet ports. That made freeing the sides easier, and then the remainder of the lid could be released.
The pin-out mentioned at the above link appears correct: pin 2 is TXD, pin 3 is RXD and (unlabelled) pin 4 is GND. The TXD pin on the PCB must connect to the RXD pin on the UART/USB adapter, and the RXD pin on the PCB must connect to the TXD pin on the adapter; GND connects to GND. Only those three wires are needed – the board is powered from its own supply, so leave the adapter’s VCC pin unconnected.
With that, the boot sequence can be logged (the kernel command line below shows the console is on ttyS0 at 115200 baud):
    ROM VER: 1.
    ROM VER: 1.0.5
    CFG 01
    DDR autotuning Rev 0.3c
    DDR size from 0xa0000000 - 0xa3ffffff
    DDR check ok...
    start booting...

    VG3503J 1-A-DC BootLoader v2.00.01 (May 25 2012 - 13:44:42)
    CLOCK CPU 333M RAM 166M
    DRAM: 32 MiB
    Flash: 8 MiB
    In: serial
    Out: serial
    Err: serial
    Net: Internal phy(GE) firmware version: 0x8400
    vr9 Switch
    Hit any key to stop autoboot: 0
    ## Checking CFG Image at b07c0000 ...
    ## Check Primary System Image ...
    ## Primary System Image Checksum OK ##
    ## Select Primary System Image to Execute ...
    ## Booting image at b0021000 ...
    ## Booting kernel from Legacy Image at b0021000 ...
       Image Name:   MIPS IFXCPE Linux-2.6.20.19
       Created:      2012-06-14 8:07:15 UTC
       Image Type:   MIPS Linux Kernel Image (lzma compressed)
       Data Size:    942624 Bytes = 920.5 KiB
       Load Address: 80002000
       Entry Point:  802c4000
       Verifying Checksum ... OK
       Uncompressing Kernel Image ... OK
    Starting kernel ...

    Infineon xDSL CPE VR9
    mips_hpt_frequency = 166666666, counter_resolution = 2
    Linux version 2.6.20.19 (morgan@ARCADYAN) (gcc version 3.4.6 (OpenWrt-2.0)) #72 Thu Jun 14 16:07:11 CST 2012
    Found: The value of commit_img= (1)
    phym = 02000000, mem = 01f00000, max_pfn = 00001f00
    Reserving memory for CP1 @0xa1f00000, size 0x00100000
    CPU revision is: 00019555
    Determined physical RAM map:
    User-defined physical RAM map:
     memory: 01f00000 @ 00000000 (usable)
    Initrd not found or empty - disabling initrd
    Built 1 zonelists.  Total pages: 7874
    Kernel command line: root=/dev/mtdblock8 ro rootfstype=squashfs ip=192.168.2.1:192.168.2.100::::eth0:on console=ttyS0,115200 ethaddr=84:9C:A6:xx:xx:xx phym=32M mem=31M panic=1 mtdparts=ifx_nor0:128k@0(uboot),3648k@128k(pri_image),3648k@3776k(sec_image),512k@7424k(btagent),64k@7936k(pri_bfocus_cfg),64k@8000k(sec_bfocus_cfg),64k@8064k(sysconfig),64k@8128k(misc_cfg),2624k@1152k(pri_rootfs),2624k@4800k(sec_rootfs),8192k@0(all_flash) init=/etc/preinit vpe1_load_addr=0x81f00000 vpe1_mem=1M ethwan= commit_img=1 LD_LIB
    1 MIPSR2 register sets available
    Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
    Primary data cache 32kB, 4-way, linesize 32 bytes.
    Synthesized TLB refill handler (20 instructions).
    Synthesized TLB load handler fastpath (32 instructions).
    Synthesized TLB store handler fastpath (32 instructions).
    Synthesized TLB modify handler fastpath (31 instructions).
    Cache parity protection disabled
    Lantiq ICU driver, version 3.0.1, (c) 2001-2010 Lantiq Deutschland GmbH
    PID hash table entries: 128 (order: 7, 512 bytes)
    Using 166.667 MHz high precision timer.
    Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
    Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
    Memory: 28112k/31744k available (2314k kernel code, 3632k reserved, 505k data, 160k init, 0k highmem)
    Security Framework v1.0.0 initialized
    Mount-cache hash table entries: 512
    NET: Registered protocol family 16
    NET: Registered protocol family 8
    NET: Registered protocol family 20
    NET: Registered protocol family 2
    IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
    TCP established hash table entries: 1024 (order: 0, 4096 bytes)
    TCP bind hash table entries: 512 (order: -1, 2048 bytes)
    TCP: Hash tables configured (established 1024 bind 512)
    TCP reno registered
    gptu: totally 6 16-bit timers/counters
    gptu: misc_register on minor 63
    gptu: succeeded to request irq 118
    gptu: succeeded to request irq 119
    gptu: succeeded to request irq 120
    gptu: succeeded to request irq 121
    gptu: succeeded to request irq 122
    gptu: succeeded to request irq 123
    IFX DMA driver, version ifxmips_dma_core.c:v1.0.9 ,(c)2009 Infineon Technologies AG
    Lantiq CGU driver, version 1.0.9, (c) 2001-2010 Lantiq Deutschland GmbH
    Wired TLB entries for Linux read_c0_wired() = 0
    squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
    squashfs: LZMA suppport for slax.org by jro
    JFFS2 version 2.2. (NAND) (SUMMARY) (C) 2001-2006 Red Hat, Inc.
    io scheduler noop registered (default)
    ifx_pmu_init: Major 252
    Lantiq PMU driver, version 1.1.4, (c) 2001-2010 Lantiq Deutschland GmbH
    Lantiq GPIO driver, version 1.2.12, (c) 2001-2010 Lantiq Deutschland GmbH
    Infineon Technologies RCU driver version 1.0.6
    Lantiq LED Controller driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland GmbH
    MEI CPE Driver, Version 1.0.2
    <6>(c) Copyright 2009, Infineon Technologies AG
    <6>### MEI CPE - MEI CPE - MEI CPE - MEI CPE ###
    <6>ttyS0 at MMIO 0xbe100c00 (irq = 105) is a IFX_ASC
    Lantiq ASC (UART) driver, version 1.0.5, (c) 2001-2010 Lantiq Deutschland GmbH
    RAMDISK driver initialized: 1 RAM disks of 6144K size 1024 blocksize
    loop: loaded (max 8 devices)
    PPP generic driver version 2.4.2
    PPP Deflate Compression module registered
    PPP BSD Compression module registered
    PPP MPPE Compression module registered
    NET: Registered protocol family 24
    IFX SWITCH API, Version 1.1.7.2
    SWAPI: Registered character device [switch_api] with major no [81]
    Switch API: PCE MicroCode loaded !!
    Switch Auto Polling value = 0
    GPHY FW load for A1x !!
    GPHY FIRMWARE LOAD SUCCESSFULLY AT ADDR : 300000
    IFX GPHY driver GE Mode, version ifxmips_vr9_gphy: V0.9 - Firmware: 8304
    ifx_nor0: Found 1 x16 devices at 0x0 in 16-bit bank
     Amd/Fujitsu Extended Query Table at 0x0040
    number of CFI chips: 1
    cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
    11 cmdlinepart partitions found on MTD device ifx_nor0
    ifx_mtd_init flash0: Using dynamic image partition
    Creating 11 MTD partitions on "ifx_nor0":
    0x00000000-0x00020000 : "uboot"
    0x00020000-0x003b0000 : "pri_image"
    0x003b0000-0x00740000 : "sec_image"
    0x00740000-0x007c0000 : "btagent"
    0x007c0000-0x007d0000 : "pri_bfocus_cfg"
    0x007d0000-0x007e0000 : "sec_bfocus_cfg"
    0x007e0000-0x007f0000 : "sysconfig"
    0x007f0000-0x00800000 : "misc_cfg"
    0x00120000-0x003b0000 : "pri_rootfs"
    0x004b0000-0x00740000 : "sec_rootfs"
    0x00000000-0x00800000 : "all_flash"
    Lantiq MTD NOR driver, version 1.0.4, (c) 2001-2010 Lantiq Deutschland GmbH
    ======= ifx_gpio_register(3) =======
    Lantiq SSC driver, version 2.2.0, (c) 2001-2010 Lantiq Deutschland GmbH
    ======= ifx_gpio_register(21) =======
    Lantiq SPI EERPOM driver, version 1.1.1, (c) 2001-2010 Lantiq Deutschland GmbH
    Lantiq LED driver, version 1.0.15, (c) 2001-2010 Lantiq Deutschland GmbH
    nf_conntrack version 0.5.0 (248 buckets, 1984 max)
    nf_ct_ftp: registering helper for pf: 2 port: 21
    nf_ct_ftp: registering helper for pf: 10 port: 21
    ip_conntrack_rtsp v0.6.21 loading
    GRE over IPv4 tunneling driver
    ip_nat_rtsp v0.6.21 loading
    ip_tables: (C) 2000-2006 Netfilter Core Team
    ipt_time loading
    TCP cubic registered
    NET: Registered protocol family 1
    NET: Registered protocol family 17
    NET: Registered protocol family 8
    atmpvc_init() failed with -17
    lec.c: May 25 2012 11:44:27 initialized
    mpc.c: May 25 2012 11:44:25 initialized
    802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
    All bugs added by David S. Miller <davem@redhat.com>
    VFS: Mounted root (squashfs filesystem) readonly.
    Freeing unused kernel memory: 160k freed
    Time: MIPS clocksource has been installed.
    Warning: unable to open an initial console.
    Algorithmics/MIPS FPU Emulator v1.5
    SIOCSIFADDR: No such device
    SIOCGIFFLAGS: No such device
    SIOCSIFADDR: No such device
    SIOCGIFFLAGS: No such device
    arc_oshal: module license 'Propritary' taints kernel.
    OSHAL: Shared Wrapper Library
    HKR DRV: Created Successfully
    ETH LoopBack DRV: Created Successfully !!
    Board Name : BFocusV2FubR
    Bloader Version : v2.00.01
    MAC Address : 84:9C:A6:xx:xx:xx
    Serial Number : J250179246
    Active Image No : 1
    Image Version : v2.02.01
    BuildDate : 2012/06/14 16:07:18
    [system_info_getSystemImageHeaderInfo] can not find signature !!!
    SYSINFO DRV: Created Successfully
    SYSTEM MAC = 84:9C:A6:xx:xx:xx
    IFXOS, Version 1.5.11
    <6>(c) Copyright 2007, Infineon Technologies AG
    <6>### IFXOS - IFXOS - IFXOS - IFXOS ###
    [ppa_do_ioctl_cmd] : open PPA device (/dev/ifx_ppa) failed. (errno=6)
    [ppa_do_ioctl_cmd] : open PPA device (/dev/ifx_ppa) failed. (errno=6)
    [ppa_do_ioctl_cmd] : open PPA device (/dev/ifx_ppa) failed. (errno=6)
    xDSL_MODE_VRX=vdsl
    xDSL_MODE_VRX=vdsl
    [: 13600: unknown operand
    Lantiq CPE API Driver version: DSL CPE API V4.6.3.5-pd3
    Predefined debug level: 4
    05_01_04_00_04_01_00_07
    IFXOS - User Thread Startup <evnthnd>, TID 1026 (PID 1332) - ENTER
    VDSL Firmware Ver=5.4.8.6.1.6
    IFXOS - User Thread Startup <tPipe_0>, TID 2051 (PID 1337) - ENTER
    IFXOS - User Thread Startup <tPipe_1>, TID 3076 (PID 1338) - ENTER
    ENTER - Kernel Thread Startup <autbtex>
    <7>ENTER - Kernel Thread Startup <pmex_ne>
    <7>ENTER - Kernel Thread Startup <pmex_fe>
    nReturn=0
    #<< xDSL_MODE_VRX
    xDSL_MODE_VRX=vdsl
    #>> xDSL_MODE_VRX
    cp: `/flash/rc.conf' and `/flash/rc.conf' are the same file
    For img_addr 0xb07e0000, nextStartAddr 0xb07f0000 and preEndAddr 0xb07e0000
    Writing to Flash... # flash writing finished!
    For img_addr 0xb07e0000, nextStartAddr 0xb07f0000 and preEndAddr 0xb07e0000
    Writing to Flash... # flash writing finished!
    /ramdisk/flash/BSP-Test-VR9
    Setting in flash is VDSL mode
    switch init settings...
    PPA E5 mode init...
    Loading E5 (MII0/1) driver ......
    Read mac address from U-Boot: 84:9C:A6:xx:xx:xx Succeeded!
    PPE datapath driver info:
      Version ID: 128.3.3.1.0.0.1
      Family : N/A
      DR Type : Normal Data Path | Indirect-Fast Path
      Interface : MII0 | MII1
      Mode : Routing
      Release : 0.0.1
    PPE 0 firmware info:
      Version ID: 7.1.5.1.0.33
      Family : VR9
      FW Type : Standard
      Interface : MII0/1 + PTM
      Mode : reserved - 1
      Release : 0.33
    PPE 1 firmware info:
      Version ID: 7.2.1.6.1.12
      Family : VR9
      FW Type : Acceleration
      Interface : MII0 + MII1
      Mode : Bridging + IPv4 Routing
      Release : 1.12
    PPA API --- init successfully
    device eth0 entered promiscuous mode
    br0: port 1(eth0) entering learning state
    br0: topology change detected, propagating
    br0: port 1(eth0) entering forwarding state
    ifx_ppa_init - init succeeded
    ptm0      Link encap:Ethernet  HWaddr 84:9C:A6:xx:xx:xx
              BROADCAST MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    nReturn=0
    nReturn=0
    device br0 already exists; can't create bridge with the same name
    device eth0 is already a member of a bridge; can't enslave it to bridge br0.
    exec dsl_cpe_pipe.sh dms 0x5048 0000 0001 0001
    nReturn=0 nData="5048 0000 0001 "
    File Length : 00000231
    Commit Image No : 00000001
    Reserved : 00000000
    CRC32 : 5BD75EE2
    Calculate CRC32 : 5BD75EE2
    MAGIC number : 1F 8b
    File Length : 00000231
    Commit Image No : 00000001
    Reserved : 00000000
    CRC32 : 5BD75EE2
    Calculate CRC32 : 5BD75EE2
    MAGIC number : 1F 8b
    gz file content : 1F 8B
    ./nvram
    ./nvram/bfocus.xml
    [dsl_monitor] get /dev/dsl_cpe_api/0 fd = 4
    UPS Monitor fd = 5
    UPS status changed to : -- Without UPS --
    device ptm0 entered promiscuous mode
    br0: port 2(ptm0) entering learning state
    Delay running DHCPC until DSL link is up ..
    cpu_mac = 84:9C:A6:xx:xx:xx
    VID0_REMOVE mode is enabled ..
    ifx_ppa_init - init succeeded
    VID 0 remove is enabled
    br0: topology change detected, propagating
    br0: port 2(ptm0) entering forwarding state
    Disable Debug Mode ..
    LAN1 MAXBITRATE=AUTO DUPLEX_MODE=AUTO
    LAN2 MAXBITRATE=AUTO DUPLEX_MODE=AUTO
    <gphy_proc_power_write> gphy 1, count 2, len 2, buf 1
    [gphy_proc_power_write] POWER UP
    [gphy_proc_power_write] pdata:0x1000
    <gphy_proc_power_write> gphy 0, count 2, len 2, buf 0
    [gphy_proc_power_write] POWER DOWN
    [gphy_proc_power_write] pdata:0x1800
    CFM Device Driver: Created Successfully
    VLAN Table size:64:
    ==========================================================
    vlan id:0000 PortMember:0000
    vlan id:0040 PortMember:005f
    vlan id:0050 PortMember:0c7f
    vlan id:0010 PortMember:0860
    vlan id:0020 PortMember:0440
    vlan id:0101 PortMember:0810
    vlan id:0102 PortMember:0804
    vlan id:0006 PortMember:0040
    vlan id:0011 PortMember:0800
    vlan id:0301 PortMember:0840
    vlan id:0000 PortMember:0000
    vlan id:0000 PortMember:0000
    vlan id:0000 PortMember:0000
    vlan id:0000 PortMember:0000
    vlan id:0000 PortMember:0000
    vlan id:0000 PortMember:0000
    ==========================================================
    LAN1 Link Status:0
    LAN2 Link Status:0
    WAN Link Status:0
    LAN1 PVID:101
    LAN2 PVID:102
    WAN PVID:11
    cfm_register_callback_handle_packets enter...
    cfm_register_callback_handle_packets succeed...
    arcCfmLlStateMachineLIT arcCfmLlStateMachineLI, event=0
    arcCfmLlStateMachineLIT arcCfmLlStateMachineLI, event=0
    arcCfmLlStateMachineLIT arcCfmLlStateMachineLI, event=0
    arcCfmLlStateMachineLIT arcCfmLlStateMachineLI, event=0
    wdt_ioctl:enable watch dog timer! The timeout was set to 90 seconds
    check bfocus.xml succeed...
    BTAgent config finish!!!
    BTA: Starting BT Agent
    src/plugin.c: Library_load: start plugin_source/libbtagent.so
    src/plugin.c: Library_load: success
    src/main.c: Agent Plugin: File Path is ../RW/btagent.conf
    src/main.c: Agent Plugin: RW config file exists
    src/main.c: Agent Plugin: Versions match
    src/plugin.c: Library_load: start plugin_source/libbtagent_api.so
    src/plugin.c: Library_load: success
    src/plugin.c: Library_load: start plugin_source/libfwm.so
    src/plugin.c: Library_load: success
    src/firmware_manager.c: The data model is not ready1
    src/plugin.c: Library_load: start plugin_source/liblogger.so
    src/plugin.c: Library_load: success
    src/plugin.c: Library_load: start plugin_source/libprobe.so
    src/plugin.c: Library_load: success
    src/main.c: Loaded source plugins
    src/plugin.c: Library_load: start plugin_transport/libsec.so
    src/plugin.c: Library_load: success
    src/main.c: Loaded transport plugins
    src/plugin.c: Library_load: start plugin_parse/libxml.so
    src/plugin.c: Library_load: success
    src/main.c: Loaded parse plugins

    IFX CPE login: src/firmware_manager.c: J250179246, 2.02.01, BFocusV2FubR, Arcadyan Technology Corp
    src/firmware_manager.c: serialNumber atoi is 0
    src/firmware_manager.c: connection attempt: 1
    src/firmware_manager.c: sleep for 35
… unfortunately this isn’t helpful since, even when presented with a “login” prompt, typed characters aren’t echoed and the system does not seem responsive to (serial) input. This problem seems to have struck another user on the forum linked above, but no resolution was ever reported… perhaps I’ve just got a dodgy USB adapter?
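Even without a responsive shell, the boot log already gives away the flash layout, which is what you need before dumping or modifying anything: the kernel command line carries the full mtdparts= map, and the kernel echoes the partitions it actually created. The script below is an added example written for this page (it is not the modem’s own code and was not part of the original post). It expands the mtdparts= string the way Linux’s cmdlinepart driver does, cross-checks the result against the “Creating 11 MTD partitions” lines, resolves root=/dev/mtdblock8 to a partition name, and lists the overlapping ranges (each rootfs deliberately sits inside its image partition, and all_flash spans the chip). The two inputs are copied from the log above, with the command line abridged to the tokens that matter; the handling of implicit offsets and a trailing '-' (rest-of-device) size is a generalisation beyond what this modem’s command line uses.

```python
"""Parse a Linux mtdparts= command-line string and cross-check it against the
partition table the kernel prints at boot.  Added example for this page; it is
not the modem's own code.  Inputs below are copied from the boot log above."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kernel command line from the log (abridged; MAC redacted as in the log).
CMDLINE = (
    "root=/dev/mtdblock8 ro rootfstype=squashfs console=ttyS0,115200 "
    "mtdparts=ifx_nor0:128k@0(uboot),3648k@128k(pri_image),3648k@3776k(sec_image),"
    "512k@7424k(btagent),64k@7936k(pri_bfocus_cfg),64k@8000k(sec_bfocus_cfg),"
    "64k@8064k(sysconfig),64k@8128k(misc_cfg),2624k@1152k(pri_rootfs),"
    "2624k@4800k(sec_rootfs),8192k@0(all_flash) init=/etc/preinit commit_img=1"
)

# The "Creating 11 MTD partitions" block from the same log.
KERNEL_TABLE = """\
Creating 11 MTD partitions on "ifx_nor0":
0x00000000-0x00020000 : "uboot"
0x00020000-0x003b0000 : "pri_image"
0x003b0000-0x00740000 : "sec_image"
0x00740000-0x007c0000 : "btagent"
0x007c0000-0x007d0000 : "pri_bfocus_cfg"
0x007d0000-0x007e0000 : "sec_bfocus_cfg"
0x007e0000-0x007f0000 : "sysconfig"
0x007f0000-0x00800000 : "misc_cfg"
0x00120000-0x003b0000 : "pri_rootfs"
0x004b0000-0x00740000 : "sec_rootfs"
0x00000000-0x00800000 : "all_flash"
"""

# Size/offset suffixes accepted by drivers/mtd/cmdlinepart.c.
_UNITS = {"": 1, "k": 1 << 10, "K": 1 << 10, "m": 1 << 20, "M": 1 << 20,
          "g": 1 << 30, "G": 1 << 30}
# <size>[@<offset>](<name>)[ro][lk]
_PART_RE = re.compile(r"(-|\d+[kKmMgG]?)(?:@(\d+[kKmMgG]?))?\(([^)]*)\)(?:ro)?(?:lk)?")
_TABLE_RE = re.compile(r'0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+) : "([^"]+)"')


@dataclass
class Partition:
    index: int      # becomes /dev/mtdN and /dev/mtdblockN
    name: str
    start: int      # byte offset into the flash device
    end: int        # exclusive

    @property
    def size(self) -> int:
        return self.end - self.start


def _num(tok: str) -> int:
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", tok)
    if not m:
        raise ValueError(f"bad mtdparts number {tok!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_mtdparts(cmdline: str, flash_size: Optional[int] = None) -> List[Partition]:
    """Expand mtdparts=<dev>:<size>[@<off>](<name>),... into absolute ranges.

    A missing @offset means "directly after the previous partition" and a size
    of '-' means "to the end of the device" (needs flash_size).  This modem's
    command line uses neither; that support is a generalisation."""
    m = re.search(r"mtdparts=(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= in command line")
    _dev, _, spec = m.group(1).partition(":")
    parts: List[Partition] = []
    cursor = 0
    for idx, item in enumerate(spec.split(",")):
        pm = _PART_RE.fullmatch(item)
        if not pm:
            raise ValueError(f"bad mtdparts entry {item!r}")
        size_tok, off_tok, name = pm.groups()
        start = _num(off_tok) if off_tok else cursor
        if size_tok == "-":
            if flash_size is None:
                raise ValueError("'-' size requires flash_size")
            end = flash_size
        else:
            end = start + _num(size_tok)
        parts.append(Partition(idx, name, start, end))
        cursor = end
    return parts


def parse_kernel_table(log: str) -> List[Tuple[int, int, str]]:
    """Pull (start, end, name) out of the kernel's printed partition lines."""
    return [(int(a, 16), int(b, 16), n) for a, b, n in _TABLE_RE.findall(log)]


def cross_check(parts: List[Partition], table: List[Tuple[int, int, str]]) -> List[str]:
    """Return a list of mismatches; empty means cmdline and kernel agree."""
    problems = []
    if len(parts) != len(table):
        problems.append(f"partition count {len(parts)} (cmdline) != {len(table)} (kernel)")
    for p, (s, e, n) in zip(parts, table):
        if (p.start, p.end, p.name) != (s, e, n):
            problems.append(f"mtd{p.index}: cmdline {p.name} {p.start:#x}-{p.end:#x} "
                            f"vs kernel {n} {s:#x}-{e:#x}")
    return problems


def root_partition(cmdline: str, parts: List[Partition]) -> Optional[Partition]:
    """Resolve root=/dev/mtdblockN to the partition the kernel mounts as /."""
    m = re.search(r"root=/dev/mtdblock(\d+)", cmdline)
    return parts[int(m.group(1))] if m else None


def overlaps(parts: List[Partition]) -> List[Tuple[str, str]]:
    """Pairs of partitions whose byte ranges intersect.  Overlap is legal in
    mtdparts; here each rootfs lives inside its image partition and all_flash
    covers the whole chip, so these pairs are expected, not an error."""
    return [(a.name, b.name) for a in parts for b in parts
            if a.index < b.index and a.start < b.end and b.start < a.end]


if __name__ == "__main__":
    parts = parse_mtdparts(CMDLINE)
    for p in parts:
        print(f"mtd{p.index:<2} {p.start:#010x}-{p.end:#010x} {p.size // 1024:>5}k {p.name}")
    print("mismatches:", cross_check(parts, parse_kernel_table(KERNEL_TABLE)) or "none")
    print("root:", root_partition(CMDLINE, parts).name)
    print("overlapping pairs:", overlaps(parts))
```

Run stand-alone it prints the eleven partitions with their absolute ranges, reports no mismatches against the kernel’s table, and shows that mtdblock8 is pri_rootfs, which is consistent with “Active Image No : 1” in the log. The same offsets are what you would feed to dd or to a flash programmer when copying pri_image out, and the overlap list is a reminder that pri_rootfs (0x120000–0x3b0000) is a view into pri_image rather than separate storage.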
More as I work it out…
Stuart
18th February 2013 @ 11:36 pm
Update:
No – I’d mis-seated the TXD/RXD pin on pad 2. D’oh!
Random filesystem contents:
Stuart
18th February 2013 @ 11:45 pm
Default settings:
Stuart
18th February 2013 @ 11:52 pm
Default running processes (no external connections):
David Shelton
29th April 2013 @ 3:32 pm
Hello Stuart,
I’m David Shelton, no relation I think! I’m trying to understand what exactly is locked on these. I want to use one with edpnet in Belgium for their VDSL service.
Cheers
David
Stuart
1st May 2013 @ 11:00 am
Hi David,
The main reason for unlocking these devices (other than, hey, because we can 😉) is to re-enable the admin interfaces and to get enhanced statistics which the devices gather but which aren’t accessible by default.
I suspect that you’d be fine using one outside of the UK – although you might want to ensure that the ‘btagent’ process is removed. I suspect that this is reporting and connect-out only – but given that the source isn’t available, one can only guess…
Hope this helps,
Stuart
ben
27th May 2014 @ 3:48 pm
Did you proceed from terminal access to unlocking? Was it just a matter of editing the config shell script…?
Syst3mSh0ck
27th December 2014 @ 11:51 am
Hi Stuart, thanks for the useful information you’ve put on here. I’m just wondering if you’ve managed to locate a modified firmware image for the updated ECI “R” revision or if you have managed to modify it yourself?
Cheers.
bcm
21st March 2015 @ 10:04 am
How about df? I’m curious what free space there is on the stock firmware for hacking in?