ECI modem revisions /I and /r – how the MSAN sees them

How the /I revision modem identifies itself to the MSAN in the cabinet:

MA5616>enable
MA5616#config
MA5616(config)#interface vdsl 0/4
MA5616(config-if-vdsl-0/4)#display inventory cpe 0
  ------------------------------------------------------------------------
  G.994.1 vendor ID                : 0xB5004946544E51A6
    G.994.1 country code           : 0xB500
    G.994.1 provider code          : IFTN
    G.994.1 vendor info            : 0x51A6
  System vendor ID                 : 0x58204543494C2020
    System country code            : 0x5820
    System provider code           : ECIL
    System vendor info             : 0x2020
  Version number                   : 5.3.2.6.1.6     
  Vendor serial number             : E5C338EFBFFA4
  Self-test result                 : -
  Transmission mode capability     : 
    G.993.2(Annex A/B/C)          
  ------------------------------------------------------------------------

And here’s how a /r revision modem identifies itself:

MA5616(config-if-vdsl-0/4)#display inventory cpe 1
  ------------------------------------------------------------------------
  G.994.1 vendor ID                : 0xB5004946544E5486
    G.994.1 country code           : 0xB500
    G.994.1 provider code          : IFTN
    G.994.1 vendor info            : 0x5486
  System vendor ID                 : 0x58004543494C0000
    System country code            : 0x5800
    System provider code           : ECIL
    System vendor info             : 0x0000
  Version number                   : 5.4.8.6.1.6
  Vendor serial number             : J245082516
  Self-test result                 : PASS
  Transmission mode capability     : 
    G.993.2(Annex A/B/C)          
  ------------------------------------------------------------------------

How to unlock the ECI VDSL2 modem

The bare info on unlocking the ECI /I VDSL2 CPE modem:

(Please note that this modem has been superseded by the ECI /r model.)

Connect a serial cable to the PCB of the ECI.     See [1] and [2].

Power up the device.

The bootloader should start:

ROM VER: 1.0.5
CFG 01 ...
DDR size from 0xa0000000 - 0xa1ffffff
DDR check ok... start booting...
U-Boot 1.0.4 (Feb 16 2011 - 13:53:56)
CLOCK CPU 333M RAM 166M
DRAM:  32 MB ..
FLASH MANUFACT: c2
FLASH DEVICEID: cb ..

The Linux kernel will auto boot:

Starting kernel ...
Infineon xDSL CPE VR9. ..
Linux version 2.6.20.19 (hyhuang@BSD7.localdomain)
(gcc version 3.4.6 (OpenWrt-2.0)) #1 Tue Aug 9 11:27:46 CST 2011 ..

Arriving finally at a login prompt

Login with username admin and password admin:

login: admin
Password: admin

BusyBox v1.00 (2011.08.09-03:28+0000) Built-in shell (msh) ..

Alpha #

At the Alpha # prompt, enter the six commands below to ‘unlock’ the device:

Alpha # xmldbc -s /switch/lan_access_cpe_enable 1
Alpha # xmldbc -s /switch/port:2/activate 1
Alpha # xmldbc -D /var/tmp/rgdb.xml
Alpha # gzip /var/tmp/rgdb.xml
Alpha # rgcfg save -n /dev/mtdblock/3 -c /var/tmp/rgdb.xml.gz
Alpha # ifconfig br0 192.168.1.55  # adjust this IP address to suit your network #

The unlocked ECI VDSL modem should now be accessible via telnet and web GUI at http://192.168.1.55

N.B. the ECI web interface is too buggy for Firefox. Though Chromium, Internet Exploder and Safari should work okay. [3]

Username and password for telnet and web login are, as above: admin and admin

Finally, the IP address of the ECI must be permanently changed through the web interface to suit your local subnet.

(The ECI’s default IP is 192.168.168.168, as shown below)

[1] http://hackingecibfocusv2fubirevb.wordpress.com/2012/08/13/a-solder-free-uart-connection/

[2] http://hackingecibfocusv2fubirevb.wordpress.com/2012/07/18/pcb-photos-of-eci-b-focus-v-2fubi-rev-b/

[3] http://forum.kitz.co.uk/index.php/topic,11704.msg224443.html#msg224443

PCB Photos of ECI B-Focus V-2FUb/I Rev.B

(Click photos to enlarge)

ECI B-FOCuS V-2FUb/I Rev.B versus Huawei HG612

ECI B-Focus boiler plate

ECI B-Focus PCB (top face)

ECI B-Focus PCB (top face)

ECI B-Focus PCB (bottom face)

ECI B-Focus – Lantiq VRX268 VDSL2/ADSL2+ SOC (PSB 80910)

ECI B-Focus – Lantiq VRX268 VDSL2/ADSL2+ SOC  (PSB80190)

ECI B-Focus – Samsung K4T51163QI – 512Mbit (64MBytes) DDR2-800 SDRAM

ECI B-Focus – Macronix MX29LV640E 64Mbit x8/x16 NOR flash

ECI B-Focus – unpopulated (WIFI transceiver?) solder pads

ECI B-Focus – JTAG/UART thru-holes

ECI B-Focus – JTAG/UART thru-holes

ECI B-Focus – JTAG/UART thru-holes

ECI B-Focus – reinstated JTAG/UART header pins

More photos at [4]

[1] http://www.lantiq.com/uploads/tx_abzlantiqproducts/PB-e-0027-v2_lres.pdf

[2] http://www.macronix.com/QuickPlace/hq/PageLibrary../../MX29LV640ETB..v1.7.pdf

[3] http://www.szyuda88.com/uploadfile/cfile/2011311171825213.pdf

[4] http://forum.kitz.co.uk/index.php/topic,10635.0.html

BT Openreach releases GPL’ed code for ECI VDSL2 modem

Thanks go to Josh Shepherd and Orbixx [1] for drawing attention to the Openreach release of GPL’ed source code for the ECI VDSL2 modem.

Openreach identifies the modem as the ECI Alpha1B VDSL 3048. (slightly less of a mouthful!) [2]

EDIT (18-07-2012): OpenReach has released an updated archive of source code for the ECI (see comments from Burakkucat below).

$ wget http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/super-fastfibreaccess/landrgnu/downloads/code/ECIAlpha1BVDSL3048.zip
--2012-07-19 02:02:41--  http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/super-fastfibreaccess/landrgnu/downloads/code/ECIAlpha1BVDSL3048.zip
Resolving www.openreach.co.uk (www.openreach.co.uk)... 217.140.45.11
Connecting to www.openreach.co.uk (www.openreach.co.uk)|217.140.45.11|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 100461988 (96M) [application/zip]
Saving to: `ECIAlpha1BVDSL3048.zip'

2012-07-19 02:04:04 (1.15 MB/s) - `ECIAlpha1BVDSL3048.zip' saved [100461988/100461988]

$ md5sum ECIAlpha1BVDSL3048.zip 
b43445b59d2afebdd173e523acaa733b  ECIAlpha1BVDSL3048.zip

$ unzip -v ECIAlpha1BVDSL3048.zip 
Archive:  ECIAlpha1BVDSL3048.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
103900963  Defl:N 100461800   3% 2012-07-10 13:42 35bcf25d  ALPHA_VR_sourcecode_3048_Mar_2012.rar
--------          -------  ---                            -------
103900963         100461800   3%                            1 file

$ unzip ECIAlpha1BVDSL3048.zip 
Archive:  ECIAlpha1BVDSL3048.zip
  inflating: ALPHA_VR_sourcecode_3048_Mar_2012.rar  

$ ls -l
total 199580
-rw-r--r-- 1 asbokid asbokid 103900963 Jul 10 13:42 ALPHA_VR_sourcecode_3048_Mar_2012.rar
-rw-r--r-- 1 asbokid asbokid 100461988 Jul 13 08:42 ECIAlpha1BVDSL3048.zip

$ rar x ALPHA_VR_sourcecode_3048_Mar_2012.rar 
RAR 4.00 beta 3   Copyright (c) 1993-2010 Alexander Roshal   17 Dec 2010

Extracting from ALPHA_VR_sourcecode_3048_Mar_2012.rar

Creating    ALPHA_VR_sourcecode_3048_Mar_2012                         OK
Creating    ALPHA_VR_sourcecode_3048_Mar_2012/vr.3048                 OK
Extracting  ALPHA_VR_sourcecode_3048_Mar_2012/vr.3048/Rules.mk        OK 
Creating    ALPHA_VR_sourcecode_3048_Mar_2012/vr.3048/comlib          OK
Creating    ALPHA_VR_sourcecode_3048_Mar_2012/vr.3048/comlib/zlib-1.2.3  OK
Extracting  ALPHA_VR_sourcecode_3048_Mar_2012/vr.3048/comlib/zlib-1.2.3/algorithm

[..snippage..]

Creating    ALPHA_VR_sourcecode_3048_Mar_2012/vr.3048/progs.priv/diap/o  OK
Creating    ALPHA_VR_sourcecode_3048_Mar_2012/vr.3048/progs.priv/alpha_flash_agent/o  OK
Creating    ALPHA_VR_sourcecode_3048_Mar_2012/vr.3048/progs.priv/alpha_flash_agent/src  OK
All OK
$ 

All looks good! Thank you Openreach!

[1] http://forum.kitz.co.uk/index.php/topic,10635.msg214707.html#msg214707
[2] http://www.openreach.co.uk/orpg/home/products/super-fastfibreaccess/superfastfibre.do

The Web GUI of the ECI B-FOCuS V-2FUb/I Rev.B

Authenticating on the ECI (user:pass = admin:admin)

Setup | Wizard

Setup | WAN (connection #1)

Setup | WAN (connection #2) (unused)

 

Setup | LAN

Advanced | DNS

Maintenance | Administration

Maintenance | System Settings

Maintenance | Firmware Update

Maintenance | Diagnostic Test

Maintenance | System Log

Maintenance | CFM (Connectivity Fault Management)

Status | Device Info

Status | System Log Info

Status | Traffic Statistics

Help | Menu

Starting telnetd and thttpd

telnet and the web GUI can be re-enabled via the UART console.

They both are running on the ECI now, and listening for LAN-side connections. The LAN interface of the modem is re-configured with address 192.168.1.55 to match the local subnet.

Reconfiguring the LAN on the ECI B-FOCUS V-2FUB/I REV.B

Now we start the telnet daemon..

Alpha # rgdb -A /etc/templates/telnetd/telnetd_run.php -V generate_start=1 > /var/run/telnet_start.sh

Alpha # sh /var/run/telnet_start.sh

[/var/run/telnet_start.sh] ...
Starting telnetd ...

Now the web server..

Alpha # rgdb -A /etc/templates/httpd/webs_run.php -V generate_start=1 > /var/run/webs_start.sh

Alpha # cat /var/run/webs_start.sh

#!/bin/sh
echo [$0] ... > /dev/console
echo Starting HTTPD ... > /dev/console
/sbin/thttpd -d /www &
echo $! > /var/run/httpd.pid

Alpha # sh /var/run/webs_start.sh
[/var/run/webs_start.sh] ...
Starting HTTPD ...  auto ,en ,dir = /www

We don’t have netstat to check for listening sockets – there’s probably some equivalent info under /proc [EDIT: see below].

But we can easily confirm that telnetd and thttpd are running by checking their process status with ps (see PIDs #3652 and #3967 below):

Alpha # ps auxw
  PID  Uid     VmSize Stat Command
    1 0           172 S   init
    2 0               RWN [ksoftirqd/0]
    3 0               SW  [watchdog/0]
    4 0               SW< [events/0]
    5 0               SW< [khelper]
    6 0               SW< [kthread]
   24 0               SW< [kblockd/0]
   37 0               SW  [pdflush]
   38 0               SW  [pdflush]
   39 0               SW< [kswapd0]
   40 0               SW< [aio/0]
   74 0               SW  [mtdblockd]
  227 0               SWN [jffs2_gcd_mtd6]
  240 0           596 S   xmldb -n lantiq_vr9_generic_asl56026 -t
  505 0           260 S   syslogd -F sysact -F attack -F notice
  508 0           188 S   klogd -l br0
  605 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bin
  608 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bin
  609 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bin
  610 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bin
  612 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bin
  613 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bin
  614 0           664 S   /usr/sbin/dsl_cpe_control -i -f /ifx/vdsl2/xcpe_hw.bin
  693 0           472 S   /usr/sbin/cfm ptm0 eth0
  696 0           472 S   /usr/sbin/cfm ptm0 eth0
  697 0           472 S   /usr/sbin/cfm ptm0 eth0
  698 0           472 S   /usr/sbin/cfm ptm0 eth0
  712 0               SW  [autbtex]
  713 0               SW  [pmex_ne]
  714 0               SW  [pmex_fe]
  757 0           336 S   /bin/alphaLogd
  770 0           432 S   alphaFlashAgent
  774 0           216 S   /bin/sh /BTAgent/ro/start
  779 0           740 S   ./btagent
  781 0           740 S   ./btagent
  782 0           740 S   ./btagent
  783 0           740 S   ./btagent
  805 0           392 S   /bin/alphaHousekeeper
 1015 0           340 S   -sh
 3652 0           256 S   telnetd
 3967 0           596 S   /sbin/thttpd -d /www
 4441 0           196 R   ps auxw

telnetd (and httpd and btagentd) running on the ECI B-FOCuS V-2FUb/I Rev.B

Manually starting telnetd and thttpd is only temporary.  The rgcfg tool is used to modify the rgdb configuration so that the servers start on every boot.

EDIT:

gavinb on stackoverflow gives some clear info on getting network socket details from the /proc file system. Useful for when netstat isn’t available.

See: http://stackoverflow.com/questions/1980355/linux-api-to-determine-sockets-owned-by-a-process