
Hacking ECI B-FOCuS V-2FUb/I Rev.B

Modifying the XML database nodes (to unlock modem)

Documented below are the commands to permanently re-enable the telnet server and the web GUI
on the ECI VDSL2 modem:

Alpha # xmldbc -h
Usage: xmldbc version 2 [OPTIONS]
-h show this help message.
-H show version number.
-v verbose mode.
-a dump database include runtime and tmp.
-i ignore external function (like runtime).
-g {node path} get value from {node path}.
-s {node path} {value} set {value} in {node path}.
-d {node path} delete {node path}.
-l {XML file} reload XML file to database.
-f {XML file} set XML file to database.
-D {XML file} dump database to XML file.
-S {unix socket} specify unix socket name, default is /var/run/xmldb_sock
-A {ephp file} embeded php parse.
-V {name=value} variable for ephp.
-x {command} set extended get/set command.
-t {tag:sec:command} schedule a timer.
-k {tag} kill timers by tag.

Alpha # xmldbc -g /switch/lan_access_cpe_enable
0

Alpha # xmldbc -s /switch/lan_access_cpe_enable 1

Alpha # xmldbc -g /switch/lan_access_cpe_enable
1

Alpha # Alpha # xmldbc -g /switch/port:2/activate
0

Alpha # xmldbc -s /switch/port:2/activate 1

Alpha # xmldbc -g /switch/port:2/activate
1

The database now needs to be written to NVRAM. NVRAM is a 64kByte partition of the flash, from offset 0x40000 to 0x4ffff. The partition is mapped to /dev/mtdblock/3, which is a symlink to /dev/mtdblock3.

For reading and programming NVRAM, there is a tool /usr/sbin/rgcfg (symlinked to multi-call binary
/usr/sbin/rgbin):

Alpha # /usr/sbin/rgcfg -h
rgcfg version 3 (block size: 0x10000)
Usage: rgcfg {operation} {OPTIONS}
operation -
dump show nvram information.
upgrade upgrade the nvram to the latest format.
get get config from nvram.
save save config to nvram.
getmac get MAC address.
setmac set MAC address.

setenv set env. variable.
getenv get the value of env. var.
delenv delete env. varialbes.
dumpenv dump env. variables.

options -
-h show this help message.
-v verbose mode.
-n {nvram} nvram (mtd block) device.
-c {config file} configuration file.
-i {index} index. (zero based)
-s {message} message to set.
-e {var=val} environment variable.
-m {mode} 0 -> 00:80:c8:ab:cd:ef (lower case, colon seperated)
1 -> 00:80:C8:AB:CD:EF (upper case, colon seperated)
2 -> 00.80.c8.ab.cd.ef (lower case, dot seperated)
3 -> 00.80.C8.AB.CD.ED (upper case, dot seperated)
-f calculate & set flash programming speed. (@ setenv only)

BlockOffset=0(0x0), MaxSize=65536(0x10000)
Alpha #

The NVRAM type is listed, and the NVRAM contents are dumped to a file as follows:

Alpha # /usr/sbin/rgcfg dump -n /dev/mtdblock/3


version : 2
size : 0x8a4 (2212)
checksum : 0x43c62 (277602)
offset : 0x126 (294)

Alpha # /usr/sbin/rgcfg dumpenv -n /dev/mtdblock/3
=1b65a7227deeea1f7cc1d3d124b61b9d
flashspeed=620
wanmac=00:E0:92:00:01:40
lanmac=5C:33:8E:84:89:DB
wlanmac=5C:33:8E:84:89:DB
hwrev=A1
countrycode=840
activeregion=2

With the XML database nodes modified, the NVRAM is re-written as follows. It is a multi-stage
process:

Alpha # xmldbc -D /var/tmp/rgdb.xml



Alpha # cat /var/tmp/rgdb.xml | more
<lantiq_vr9_generic_asl56026>
<check>
<is_factory>factory</is_factory>
</check>
<vdsl2>
<infineon>
<fw_variant>VA</fw_variant>


<annex>A</annex>
<adsl_encaps>1</adsl_encaps>
<default_vpi_vci>1</default_vpi_vci>
<line_config>
<filter>0</filter>
<hw_hybrid>2</hw_hybrid>
<line_mode>102</line_mode>
</line_config>
</infineon>
</vdsl2>
<switch>
<bypass_mode>0</bypass_mode>
<lan_access_cpe_enable>1</lan_access_cpe_enable>
<discard_specific_pkt>1</discard_specific_pkt>
<igmp_queue>3</igmp_queue>
....

Note, above, that the value of XML node lan_access_cpe_enable is now 1.


Now re-compress the rgdb.xml file:

Alpha # gzip /var/tmp/rgdb.xml

The modified config file is now flashed to NVRAM.



Alpha # rgcfg save -v -n /dev/mtdblock/3 -c /var/tmp/rgdb.xml.gz


2213 bytes read from config file (checksum:0x45c4f)!
header in nvram is version 2
config size = 0x8a5 (2213)
config checksum = 0x45c4f (285775)
config offset = 0x126 (294)
Signature = RGCFG1
env size = 166 (0xa6)
config size = 2213 (0x8a5)
config checksum = 0x45c4f
Burning 2507 bytes to nvram (offset:0x0) !
header size : 128
config offset : 294
config size : 2213
config checksum : 0x45c4f
burn done !!!
rgcfg exit with code 0

Alpha #

The tool rgcfg is used to confirm that the flash programming actually took place:

Alpha # rgcfg get -n /dev/mtdblock/3 -c /var/tmp/newreadrgdb.xml.gz



Alpha # gunzip newreadrgdb.xml.gz

Alpha # cat newreadrgdb.xml | more
<lantiq_vr9_generic_asl56026>
<check>
<is_factory>factory</is_factory>
</check>
<vdsl2>
<infineon>
<fw_variant>VA</fw_variant>
<annex>A</annex>
<adsl_encaps>1</adsl_encaps>
<default_vpi_vci>1</default_vpi_vci>
<line_config>
<filter>0</filter>
<hw_hybrid>2</hw_hybrid>
<line_mode>102</line_mode>
</line_config>


</infineon>
</vdsl2>
<switch>
<bypass_mode>0</bypass_mode>
<lan_access_cpe_enable>1</lan_access_cpe_enable>
<discard_specific_pkt>1</discard_specific_pkt>
<igmp_queue>3</igmp_queue>
Alpha #

The XML node value of lan_access_cpe_enable is now 1.

Success!
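As an added example (not code from the original post), the manual cat | more comparison above can be automated: the script below flattens the pre-flash dump and the read-back dump into xmldbc-style node paths and reports every node that differs, so an unintended change would show up next to the expected one. The sample XML is constructed from the page's output, the read-back file is gzip'd in memory to stand in for the rgcfg get output, and xmldbc's tag:N index syntax (as in /switch/port:2) is not modelled because the page does not show its XML form.

```python
import gzip
import xml.etree.ElementTree as ET

# Constructed sample dumps modelled on the page's output, not the real files.
# BEFORE_XML is what xmldbc -D would have written before the change;
# AFTER_XML is what rgcfg get reads back after flashing.
BEFORE_XML = b"""<lantiq_vr9_generic_asl56026>
<check><is_factory>factory</is_factory></check>
<switch>
<bypass_mode>0</bypass_mode>
<lan_access_cpe_enable>0</lan_access_cpe_enable>
<discard_specific_pkt>1</discard_specific_pkt>
<igmp_queue>3</igmp_queue>
</switch>
</lantiq_vr9_generic_asl56026>
"""
AFTER_XML = BEFORE_XML.replace(
    b"<lan_access_cpe_enable>0<", b"<lan_access_cpe_enable>1<")
# rgcfg get produces a gzip file (newreadrgdb.xml.gz); emulate that here.
AFTER_GZ = gzip.compress(AFTER_XML)


def flatten(xml_bytes):
    """Map every leaf element to an xmldbc-style path, e.g.
    /switch/lan_access_cpe_enable. The root element is omitted so the
    paths match what xmldbc -g takes. Repeated siblings are not indexed."""
    root = ET.fromstring(xml_bytes)
    leaves = {}

    def walk(elem, prefix):
        children = list(elem)
        if not children:
            leaves[prefix] = (elem.text or "").strip()
        for child in children:
            walk(child, prefix + "/" + child.tag)

    for child in root:
        walk(child, "/" + child.tag)
    return leaves


def diff_dumps(before_xml, after_gz):
    """Return {path: (old, new)} for every node that differs between the
    pre-flash XML and the gzip'd read-back; empty dict means identical."""
    before = flatten(before_xml)
    after = flatten(gzip.decompress(after_gz))
    return {p: (before.get(p), after.get(p))
            for p in before.keys() | after.keys()
            if before.get(p) != after.get(p)}


def verify_unlock(after_gz, expected):
    """Confirm each expected node holds its expected value in the read-back."""
    after = flatten(gzip.decompress(after_gz))
    return {p: after.get(p) == v for p, v in expected.items()}
```

Running diff_dumps on the real rgdb.xml and newreadrgdb.xml.gz should list only the nodes you set with xmldbc -s; anything else means the NVRAM write did not contain what you expected.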

The above information is thanks to a lucky find at http://lyuts.net. Alex documents the parameter types used by xmldbc with an Asus NAS. [1]

EDIT: Thanks to ben1066 for pointing out a missing stage. [2]

[1] http://lyuts.net/blog/2012/03/fan-problem-asus-nas-m-25
[2] http://forum.kitz.co.uk/index.php/topic,10635.msg214795.html#msg214795
This entry was posted on April 9, 2012, in Uncategorized. Bookmark the permalink.

About ECI V-2FUb/I Rev.B

The ECI V-2FUb/I Rev.B is the second type of VDSL2 modem supplied by BT Openreach for its FTTC service. (The other modem is the Huawei HG612).
This blog documents the unlocking of the ECI to obtain the statistics from the xDSL layer.
Much credit goes to uklad who obtained a UART connection on the PCB, dumped the flash contents, and supplied a specimen for target practice!

Licensing

Hacking ECI B-FoCuS V-2Fub Rev.B, Hacking BT Business Hub and Hacking The 2Wire by asbokid are licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
