Hackeando o Sagemcom F@st 2764 da GVT

Question

Alguns desesperados devem ter Googleado sobre o famoso modem capado da GVT, vulgo Power Box modelo F@st da Sagemcom e devem ter vistos em algumas postagens de meados de 2007 um hack (o &uacute;nico descoberto at&eacute; agora) conhecido como &ldquo;index2.cgi&rdquo;.
Fonte: http://www.reclameaqui.com.br/2437341/gvt/modem-sagemcom-f-st-2764-index2-cgi-nao-acessivel/
Consiste em um menu complet&iacute;ssimo com todas as fun&ccedil;&otilde;es avan&ccedil;adas do roteador, inclusive o modo &ldquo;Bridge&rdquo;, atualmente indispon&iacute;vel para n&oacute;s usu&aacute;rios comuns.
Devido esta informa&ccedil;&atilde;o vazada dos pr&oacute;prios funcion&aacute;rios da GVT (segundo a fonte), eles removeram esta brecha do modem nas vers&otilde;es mais novas, e agora, n&atilde;o nos resta nada.
 
Por&eacute;m, curioso como sou, olha o que eu descobri dentro do modem:
http://img15.imageshack.us/img15/3240/modempn.jpg
Pesquisando, descobri que estes pinos s&atilde;o uma interface serial.
Como descobri: Pesquisei por um modem semelhante:
http://wiki.openwrt.org/toh/sagem/fast2404
No final da p&aacute;gina, tem uma foto dele aberto real&ccedil;ando OS MESMOS 4 PINOS. E logo abaixo tem: port.serial
http://wiki.openwrt.org/doc/hardware/port.serial
Realemente, se voc&ecirc; for analisar os logs do modem, se voc&ecirc; pesquisar por &ldquo;ttyS0&rdquo; voc&ecirc; ir&aacute; encontrar alguma coisa....
Para quem n&atilde;o sabe, estes modems/roteadores mais recentes rodam o LINUX dentro dele. N&atilde;o &eacute; diferente com este aqui.
Sobre estes pinos:
1) O padr&atilde;o de voltagem &eacute; o TTL (3.3V)
2) Da esquerda para direita: 3,3V, 2,4V, 3,3V, 0V (ground?)
Se eu conseguir comunica&ccedil;&atilde;o serial com o modem, usando o putty ou outro emulador de terminal, eu consigo ver informa&ccedil;&otilde;es exclusivas do modem, e possivelmente, conseguir rodar programas nele, tipo cliente torrent entre outros. As possibilidades s&atilde;o infinitas.
O grande problema &eacute;: Conseguir transformar estes 3.3V TTL em RS232, que este &uacute;ltimo &eacute; 5V.
Meu irm&atilde;o &eacute; um semi-engenheiro el&eacute;trico e com a ajuda dele conseguirei fazer comunica&ccedil;&atilde;o serial usando um CI chamado MAX232.
Qualquer novidade postarei aqui.

Answer

como assim voc&ecirc; estar descobrindo uma forma de hackear o modem ? ou de libera todos os recursos dele ?At&eacute;+

Answer

Fico com a mesma pergunta do Danilo Dorgam...

Apesar de n&atilde;o possuir este modem, achei isso interessante. De qualquer forma irei acompanhar aqui o andamento dessa aventura.

Answer

Sim! Analisando outros modens e roteadores do mercado que usam um sistema Linux chamado OpenWRT, eles possuem uns terminais de comunica&ccedil;&atilde;o no padr&atilde;o TTL/RS232 (vulgo porta serial).

Estou verificando se atrav&eacute;s desta porta existe um terminal (tipo um ttyS0) onde eu possa manipular o sistema.

At&eacute; o presente momento, s&atilde;o s&oacute; teorias. Ainda fico pensando na tela de login... ser&aacute; que l&aacute; eu j&aacute; estarei logado? Ser&aacute; que l&aacute; s&oacute; ter&aacute; logs? Nesta segunda estarei me reunindo com o meu ir&atilde;o para fazer-mos um circuito na protoboard com o integrado Maxim MAX232, que converte sinal TTL (3.3V) em serial RS232 (5V).

E tem mais uma coisa: Essas portas USB do modem s&atilde;o muito suspeitas... l&aacute; n&atilde;o tem corrente em nenhum dos pinos... ele n&atilde;o reproduz nada... n&atilde;o toca nada, nem sequer &eacute; um Set Top Box pra isso... Ser&aacute; que esse USB funciona como device e n&atilde;o como host ???

T&eacute; +.

Answer

bem interi&ccedil;ante eu tenho esse modem acho que se tudo de certo ai tamb&eacute;m vou aplicar no meu 
At&eacute;+

Answer

Olha, posso estar caindo de p&aacute;ra-quedas, mas eu tenho um D-Link DSL 2640B (e, antes desse, um DSL 500B) e ambos (arriscaria dizer todos os modelos) possuem, al&eacute;m do acesso pelo Browser, um modo de comando via telnet. Por que voc&ecirc; n&atilde;o roda um nmap contra o IP do modem e v&ecirc; quais as portas dele que est&atilde;o abertas? Se as 22 ou 23 estiverem dispon&iacute;veis, voc&ecirc; poder&aacute; acessar a linha de comando desse modem.

Answer

o sistema dele esta em uma eprom ?

se for &eacute; so ver nela o /etc o que ta configurado e comandos ai pelo seu micro mesmo pelo aplicativo do browser capaz de voce conseguir passar parametros que quer pra ele.

[]'s

Answer

As seguintes portas est&atilde;o abertas: 80, 2222, 2555. Essa 2222 parece uma porta SSH alternativa. Testei ela mas n&atilde;o obti resposta alguma.Eu vi uma vez na internet um cara hackeando um servidor usando o BackTrack e ele conseguia ver os cabe&ccedil;alhos do protocolo e a partir dali ele visualizava o que o computador remoto estava requisitando. Algu&eacute;m sabe um caminho pra isso.

Answer

fernando_ccs17 disse: 
 
As seguintes portas est&atilde;o abertas: 80, 2222, 2555. Essa 2222 parece uma porta SSH alternativa.

Todas as portas est&atilde;o abertas. Todas as portas respondem com alg&uacute;m daemom.
 
A porta 2222 mais nos parece um servi&ccedil;o trojano do que um servi&ccedil;o leg&iacute;timo no modem/router.

Answer

Irm&atilde;os, trago-vos boas novas.Apresento-vos o log de inicializa&ccedil;&atilde;o que ele transmite pelos pinos.

SAGEM Secure-boot SU2_2_3 fast_2764
 
CPU: IKANOS Fusiv 180 Family
PCI:   33 MHz
DRAM:  128 MB
Flash: 32 MB
Using default environment
 
In:    serial
Out:   serial
Err:   serial
Net:   emac1

PHY 88e1119r detected at smi@0x1f
switch 88e6171 detected at smi@0x01
emac1
 
Permanent parameters are programmed and activated : use DSA signature
Potential firmware found at address : bf080000
half-flash parsed !
Potential firmware found at address : be000000
Found 2 firmwares !
Searching valid operational firmware
Operational Firmware validated at address be000000
good regular firmware at @0xBE000000 with key @0xBF018411
 
No bootloader arg
partition not moved
updating kernel args
bootargs root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbe940000 type=operational image_addr=0xBE000000 
kernel args update done
Launch regular code from flash
alarmLEDMode(E_FLASH)!
bootm BE000140 
## Booting image at be000140 ...
   Image Name:   FAST2764_v82PE.img
   Created:      2012-05-22  14:35:10 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    9628879 Bytes =  9.2 MB
   Load Address: 80010000
   Entry Point:  802e7000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
 
Starting kernel ...
 
Linux version 2.6.16.26 #1 Tue May 22 16:34:58 CEST 2012
 
argc 9 arg &lt;NULL&gt; env memsize=128 
 
memsize  board_memsize = 128
 
env memsize=128 
 
env initrd_start=0xA0000000

env initrd_size=0x0

flash_start be000000
 
env flash_start=0xBE000000

board_flash_size 2000000

env flash_size=0x2000000 
 
arg[1] root=/dev/mtdblock6 
 
arg[2] ro 
 
arg[3] rootfstype=squashfs 
 
arg[4] operational_start=0xbe000000

arg[5] rescue_start=0xbf080000

arg[6] myfs_start=0xbe940000

arg[7] type=operational

arg[8] image_addr=0xBE000000 
 
CPU revision is: 0001964c

Determined physical RAM map:
 
 memory: 07800000 @ 00000000 (usable)
 
Built 1 zonelists
 
Kernel command line: console=ttyS0,115200 root=/dev/mtdblock6 ro rootfstype=squashfs operational_start=0xbe000000 rescue_start=0xbf080000 myfs_start=0xbe940000 type=operational image_addr=0xBE000000 
 
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
 
Primary data cache 32kB, 4-way, linesize 32 bytes.

Synthesized TLB refill handler (20 instructions).

Synthesized TLB load handler fastpath (32 instructions).
 
Synthesized TLB store handler fastpath (32 instructions).
 
Synthesized TLB modify handler fastpath (31 instructions).
 
Cache parity protection disabled
 
PID hash table entries: 512 (order: 9, 8192 bytes)
 
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
 
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
 
Memory: 109696k/122880k available (2368k kernel code, 13068k reserved, 535k data, 136k init, 0k highmem)
 
Mount-cache hash table entries: 512
 
Checking for 'wait' instruction...  available.

NET: Registered protocol family 16

Fusiv PCI: starting...
 
SCSI subsystem initialized
 
usbcore: registered new driver usbfs

usbcore: registered new driver hub
 
Bluetooth: Core ver 2.8

NET: Registered protocol family 31
 
Bluetooth: HCI device and connection manager initialized
 
Bluetooth: HCI socket layer initialized
 
fs/cramfs_block_uncompressed created

NTFS driver 2.1.26 [Flags: R/O].

incomplete dynamic bit lengths tree&lt;6&gt;Initializing Cryptographic API

io scheduler noop registered
io scheduler anticipatory registered (default)
 
io scheduler deadline registered

io scheduler cfq registered

Random: 0x3c2a8682
 
Serial: 8250/16550 driver $Revision: 1.9.6.1 $ 2 ports, IRQ sharing disabled
 
serial8250: ttyS0 at MMIO map 0xb9020000 mem 0xb9020000 (irq = 6) is a 16450
 
serial8250: ttyS1 at MMIO map 0xb90a0000 mem 0xb90a0000 (irq = 29) is a 16450
 
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: Ikanos On-Chip EHCI Host Controller

ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: new USB bus registered, assigned bus number 1
 
ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: irq 35, io mem 0x19230000

ikf68xx-ehci-hcd ikf68xx-ehci-hcd.0: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004

usb usb1: configuration #1 chosen from 1 choice
 
hub 1-0:1.0: USB hub found
 
hub 1-0:1.0: 2 ports detected

ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: Ikanos On-Chip OHCI Host Controller
 
ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: new USB bus registered, assigned bus number 2

ikf68xx-ohci-hcd ikf68xx-ohci-hcd.0: irq 35, io mem 0x19240800
 
usb usb2: configuration #1 chosen from 1 choice
 
hub 2-0:1.0: USB hub found
 
hub 2-0:1.0: 2 ports detected

usbcore: registered new driver usblp
 
/filer1_vol11/dev_projets5/liveboxProV3/dev/diep/Gvt/2.P.E/checkoutdir/openrg/package/rg/os/linux-2.6/drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver

Initializing USB Mass Storage driver...
 
usbcore: registered new driver usb-storage
 
USB Mass Storage support registered.

u32 classifier
 
    OLD policer on 
 
NET: Registered protocol family 2
 
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
 
TCP established hash table entries: 4096 (order: 2, 16384 bytes)

TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
 
TCP: Hash tables configured (established 4096 bind 4096)
 
TCP reno registered
 
IPv4 over IPv4 tunneling driver
 
GRE over IPv4 tunneling driver

NET: Registered protocol family 1
 
NET: Registered protocol family 17
 
Bluetooth: L2CAP ver 2.8
 
Bluetooth: L2CAP socket layer initialized

Bluetooth: SCO (Voice Link) ver 0.5

Bluetooth: SCO socket layer initialized

Bluetooth: RFCOMM socket layer initialized

Bluetooth: RFCOMM ver 1.7
 
Bluetooth: BNEP (Ethernet Emulation) ver 1.2
 
Bluetooth: BNEP filters: protocol multicast
 
NET: Registered protocol family 8
 
NET: Registered protocol family 20

802.1Q VLAN Support v1.8 Ben Greear &lt;greearb@candelatech.com&gt;

All bugs added by David S. Miller &lt;davem@redhat.com&gt;

openrg_flash: Found 1 x16 devices at 0x0 in 16-bit bank
 
 Amd/Fujitsu Extended Query Table at 0x0040
 
openrg_flash: CFI does not contain boot bank location. Assuming top.
 
number of CFI chips: 1
 
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.

Creating 1 MTD partitions on openrg_flash:
 
0x00000000-0x02000000 : openrg
 
openrg_flash: detected at 0x1e000000 size 33554432 bytes

Freeing unused kernel memory: 136k freed
 
Version: 4.9.4.FAST2764_v82PE
 
Platform: Sagem 2764 Vox180
 
Compilation Time: 22-May-12 14:09:59
 
Tag: NRD_?bldorg?rg_liveboxPro-V3_0-0-1
 
Compilation Flags: SOUCHE_DEVICE_DISCOVERY=y CONFIG_TELEFONICA=y CONFIG_VDSL=y CONFIG_ROUTING_WITH_DSPRULES=y CONFIG_37xx_STANDARD=y CONFIG_SAGEM_DLNA=y CONFIG_DYNAMIC_VLAN_CONFIG=y CONFIG_PPP_NO_DHCP_DISCOVERY=y CONFIG_PPP_NO_NOTIFY=y CONFIG_UPNP_HIDE_INVOQUE_FORCE_TERMINATION=y CONFIG_UPNP_HIDE_INVOQUE_REQUEST_CONNECTION=y CONFIG_UPNP_HIDE_INVOQUE_REQUEST_TERMINATION=y CONFIG_UPNP_DEVICE_LAN_MODEL_NAME=Sagem_IGD_LAN CONFIG_UPNP_DEVICE_WAN_CON_MODEL_NAME=Sagem_IGD_WANConnection CONFIG_UPNP_DEVICE_WAN_MODEL_NAME=Sagem_IGD_WAN CONFIG_UPNP_DEVICE_MODEL_NUMBER=000 CONFIG_UPNP_DEVICE_MANUFACTURER_URL=www.gvt.com.br CONFIG_UPNP_DEVICE_MANUFACTURER=Sagem CONFIG_UPNP_IGD_DEVICE_TITLE=Sagem_Internet_Gateway_Device CONFIG_RGCONF_MIGRATION=y CONFIG_SOUCHE_RECONF=y CONFIG_SAGEM_DB_ACCESS=y CONFIG_SAGEM_IPPRINT=y CONFIG_USB_PRINTER=y CONFIG_HFS_FS=y CONFIG_HFSPLUS_FS=y CONFIG_SSID2=y CONFIG_MULTI_SSID=y CONFIG_SAGEM_WIFI_MAC_ADDRESS=y CONFIG_SAGEM_WIFI_MODE_11N=y CONFIG_DHCPS_SEND_NO_PADI=y CONFIG_DHCPS_INTERFACES=br0 CONFIG_LOG_ENTITIES=0 CONFIG_KALLSYMS=y CONFIG_RG_GDBSERVER=y CONFIG_LIVEBOX_TV=y CONFIG_ETH_PRE_LG=5 CONFIG_MODE_ETHERNET=y CONFIG_SOUCHE_USE_EXTERNAL_OPENSSL=y DIST=SAGEM_376X CONFIG_GVT=y CONFIG_INTERNAL_FIRMWARE_VERSION=8.2.P.E CONFIG_FIRMWARE_VERSION=FAST2764_v82PE LIC=../../../license/jpkg_ikanos_vx.lic
 
User Information: G178194@VZY08001 /filer1_vol11/dev_projets5/liveboxProV3/dev/diep/Gvt/2.P.E/checkoutdir/openrg/package/rg

###### rg_conf/network/rg_mac_wifi = 2c:e4:12:7f:59:45 ######
###### generated_mac_wifi = 2c:e4:12:7f:59:45 ######
############### Mode_Bridged = 0 ######################
############### xdsl_mode = 1 ######################
###### Kernel Debug mode (rg_conf/kernel/debug) = 0 ######

insmod: add-symbol-file build/debug/hard_watchdog_module.o 0xc0004000 -s .data 0xc0005820 -s .bss 0xc0005960

HardwareWatchdogInitialize : NORMAL BOOT

HardwareWatchdogInitialize :: --- WATCHDOG -- INITIALIZED with ED72 value (i.e. 5999ms)

HardwareWatchdogInitialize :: --- WATCHDOG -- Pacify timer of 2000 ms STARTED

insmod: add-symbol-file build/debug/be_pppoa_mod.o 0xc0007000 -s .data 0xc0008710 -s .bss 0xc0008860

insmod: add-symbol-file build/debug/fusivlib.o 0xc0022000 -s .data 0xc002eb50 -s .bss 0xc0030ee0
 
fusiv library initializing...
 
Buffer Copy Through DMA is enabled
   
fusiv library initialized SUCCESSFULLY...

insmod: add-symbol-file build/debug/bus_arbiter_lkm.o 0xc000a000 -s .data 0xc000b380 -s .bss 0xc000b4e0
 
vox bus arbiter interrupt handlers registered

insmod: add-symbol-file build/debug/opensrc_lkm.o 0xc0002000 -s .data 0xc00026d0 -s .bss 0xc0002820

insmod: add-symbol-file build/debug/bm.o 0xc0014000 -s .data 0xc0017170 -s .bss 0xc0017340

Buffer Manager is initializing...

BMU GIGE clock 
 
Slave Mem Alloc: Req size 16   Ptr2Block 0x191f0000
 
Load into BM APU Successful !!!

Buffer Manager initialized SUCCESSFULLY...

insmod: add-symbol-file build/debug/sysutil.o 0xc0019000 -s .data 0xc001c240 -s .bss 0xc001c380

insmod: add-symbol-file build/debug/timerlib.o 0xc0010000 -s .data 0xc0010de0 -s .bss 0xc0010f40

Timers are getting initalized
 
Timers are initilized SUCCESSFULLY...

insmod: add-symbol-file build/debug/ethdriver.o 0xc0044000 -s .data 0xc004bb20 -s .bss 0xc004e900
 
Module params: eth0_mii=0   eth1_mii=1

eth0: Netpro Sierra Ethernet found at 0xb9110000, irq 14

GIGE 1 clock dev-&gt;baseAddr b9110000

Slave Mem Alloc: Req size 16   Ptr2Block 0x191f0010

eth0 interface configured in GMII mode

eth1: Netpro Sierra Ethernet found at 0xb9150000, irq 13
 
GIGE 2 clock dev-&gt;baseAddr b9150000 
 
SraPort_initializePort: phyAddr=0x1f: PHY attached

Slave Mem Alloc: Req size 16   Ptr2Block 0x191f0020
   
Ethernet Driver is initialized SUCCESSFULLY

insmod: add-symbol-file build/debug/vdsldriver_lkm.o 0xc003c000 -s .data 0xc003f9e0 -s .bss 0xc0040ec0
 
VDSL AP and VDSL PHY  clocks are enabled 
 
eth2: Netpro VDSL Ethernet found at 0x0, irq 36

&gt;&gt;&gt; bmChangeMacList currNumConfiguredMacAddrs = 0 MAX_NUM_SUPPORTED_MAC_ADDRESSES = 4 
 
0x0:0x1:0x2:0x3:0x4:0x7
 
User parameters for VDSL AP configured successfully
 
Slave Mem Alloc: Req size 16   Ptr2Block 0x191f0030

VDSL AP started successfully

VDSL Driver is initialized SUCCESSFULLY

insmod: add-symbol-file build/debug/periap.o 0xc0050000 -s .data 0xc0051c20 -s .bss 0xc0053c60
 
periApDriverInit: doneSlave Mem Alloc: Req size 16   Ptr2Block 0x191f0040

*******LOAD firmware to AP:PERI_ID result:0Load into PERI_AP APU Successful !!!

insmod: add-symbol-file build/debug/ath_hal.o 0xc00e1000 -s .data 0xc014e5f0 -s .bss 0xc0158f20

ath_hal: 0.9.14.25 (AR5212, AR5416, RF5111, RF5112, RF2413, RF5413, DEBUG, REGOPS_FUNC)

insmod: add-symbol-file build/debug/wlan.o 0xc015c000 -s .data 0xc019ae80 -s .bss 0xc019b740

wlan: 0.8.4.2 (Atheros/multi-bss)

insmod: add-symbol-file build/debug/ath_rate_atheros.o 0xc0066000 -s .data 0xc006b970 -s .bss 0xc0074440

ath_rate_atheros: Version 2.0.1

insmod: add-symbol-file build/debug/ath_dfs.o 0xc0076000 -s .data 0xc007ec00 -s .bss 0xc007ed80

insmod: add-symbol-file build/debug/wlan_wep.o 0xc000d000 -s .data 0xc000e830 -s .bss 0xc000e980

insmod: add-symbol-file build/debug/wlan_tkip.o 0xc0055000 -s .data 0xc0058410 -s .bss 0xc0058560

insmod: add-symbol-file build/debug/wlan_ccmp.o 0xc001e000 -s .data 0xc0020250 -s .bss 0xc00203a0

insmod: add-symbol-file build/debug/wlan_xauth.o 0xc0033000 -s .data 0xc0033300 -s .bss 0xc0033440

insmod: add-symbol-file build/debug/wlan_acl.o 0xc0038000 -s .data 0xc0039010 -s .bss 0xc0039160
 
wlan: mac acl policy registered

insmod: add-symbol-file build/debug/ath_pci.o 0xc019d000 -s .data 0xc01c8e00 -s .bss 0xc01c99e0

ath_pci: 0.9.4.5 (Atheros/multi-bss)

ath_pci: CR-LSDK-1.3.1.110_3-4-9_0-0-9

PCI: Enabling device 0000:00:03.0 (0000 -&gt; 0002)
 
wifi%d ath_pci_probe Mac Address to configure 2c:e4:12:7f:59:45

ar5416InitMacAddr: Eeprom mac address read : 74:b4:92:9f:df:75
 
Chan  Freq  RegPwr  HT   CTL CTL_U CTL_L DFS

1  2412n     27  HT20  1    0    1     N

1  2412n     20  HT40  1    0    1     N

2  2417n     20  HT40  1    0    1     N

3  2422n     20  HT40  1    1    1     N

4  2427n     20  HT40  1    1    1     N

5  2432n     20  HT40  1    1    1     N

6  2437n     20  HT40  1    1    1     N

7  2442n     20  HT40  1    1    1     N

8  2447n     20  HT40  1    1    1     N

9  2452n     20  HT40  1    1    1     N

10  2457n     20  HT40  1    1    1     N

11  2462n     20  HT40  1    1    1     N

12  2467n     20  HT40  1    1    0     N

13  2472n     20  HT40  1    1    0     N

dfs_init_radar_filters: dfs-&gt;dfs_rinfo.rn_numradars: 0

DFS min filter rssiThresh = 18

DFS max pulse dur = 131 ticks

wifi0: 11ng rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps

wifi0: 11ng MCS:  0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15

wifi0: mac 384.2 phy 15.15 radio 12.0

wifi0: Use hw queue 1 for WME_AC_BE traffic

wifi0: Use hw queue 0 for WME_AC_BK traffic

wifi0: Use hw queue 2 for WME_AC_VI traffic

wifi0: Use hw queue 3 for WME_AC_VO traffic

wifi0: Use hw queue 8 for CAB traffic

wifi0: Use hw queue 9 for beacons

wifi0: Use hw queue 7 for UAPSD

2xMaxPowerLevel: 32 (LEG)

2xMaxPowerLevel: 38 (LEG)

JXU: set the rxBufsize to 3851

wifi0: ath_pci_probe 320 Mac Address configured 2c:e4:12:7f:59:45

wifi0: Atheros 9287: mem=0x1a000000, irq=25 hw_base=0xba000000

insmod: add-symbol-file build/debug/one_module.o 0xc024a000 -s .main_flow 0xc0286a20 -s .data 0xc02a6530 -s .bss 0xc02a83e0

Loading license 2e7cce03ae1ecdf8664e2a9d4237505fb4b92a03b3c702e282dad8703897fb79647f254aad168a000042689d4bbeae320ee12b21d44036dba65548ebd421923317a5e6fd3f30792f5c8c58b63fbb65f614a9b3010287.SAGEM

loading license key: SAGEM

insmod: add-symbol-file build/debug/kleds_mod.o 0xc0035000 -s .data 0xc0036430 -s .bss 0xc00365c0

insmod: add-symbol-file build/debug/lb_jffs_mod.o 0xc0042000 -s .data 0xc0042200 -s .bss 0xc0042360
 
Creating 1 MTD partitions on openrg_flash:
 
0x01b00000-0x02000000 : jffs2

Press ESC to enter BOOT MENU mode.
dd_openrg_init: registering openrg device discovery entity
MAPS: 
00400000-006b8000 r-xp 00000000 00:09 1420624    /mnt/cramfs/bin/openrg
10000000-1005a000 rw-p 002b8000 00:09 1420624    /mnt/cramfs/bin/openrg
1005a000-10185000 rwxp 1005a000 00:00 0          [heap]
2aaa8000-2aaae000 r-xp 00000000 00:09 5085368    /mnt/cramfs/lib/ld-uClibc.so.0
2aaae000-2aaaf000 rw-p 2aaae000 00:00 0 
2aab0000-2aab1000 rw-p 2aab0000 00:00 0 
2aab2000-2aab3000 rw-s 00000000 00:06 0          /SYSV0000162e (deleted)
2aab4000-2aab5000 rw-s 00000000 00:06 32769      /SYSV0000162d (deleted)
2aaed000-2aaee000 rw-p 00005000 00:09 5085368    /mnt/cramfs/lib/ld-uClibc.so.0
2aaee000-2ab03000 r-xp 00000000 00:09 6131348    /mnt/cramfs/lib/libopenrg.so
2ab03000-2ab43000 ---p 2ab03000 00:00 0 
2ab43000-2ab44000 rw-p 00015000 00:09 6131348    /mnt/cramfs/lib/libopenrg.so
2ab44000-2ab82000 r-xp 00000000 00:09 5848512    /mnt/cramfs/lib/libjutil.so
2ab82000-2abc1000 ---p 2ab82000 00:00 0 
2abc1000-2abc6000 rw-p 0003d000 00:09 5

insmod: add-symbol-file build/debug/wlan_scan_ap.o 0xc0060000 -s .data 0xc0063a80 -s .bss 0xc0063bc0

848512    /mnt/cramfs/lib/libjutil.so
2abc6000-2abcc000 rw-p 2abc6000 00:00 0 
2abcc000-2ac0a000 r-xp 00000000 00:09 6216144    /mnt/cramfs/lib/libssl.so.0.9.8
2ac0a000-2ac49000 ---p 2ac0a000 00:00 0 
2ac49000-2ac4d000 rw-p 0003d000 00:09 6216144    /mnt/cramfs/lib/libssl.so.0.9.8
2ac4d000-2ad8d000 r-xp 00000000 00:09 5312136    /mnt/cramfs/lib/libcrypto.so.0.9.8
2ad8d000-2ada2000 rw-p 00140000 00:09 5312136    /mnt/cramfs/lib/libcrypto.so.0.9.8
2ada2000-2ada6000 rw-p 2ada2000 00:00 0 
2ada6000-2ada8000 r-xp 00000000 00:09 5780280    /mnt/cramfs/lib/libdl.so.0
2ada8000-2ade7000 ---p 2ada8000 00:00 0 
2ade7000-2ade8000 rw-p 00001000 00:09 5780280    /mnt/cramfs/lib/libdl.so.0
2ade8000-2adfe000 r-xp 00000000 00:09 6186348    /mnt/cramfs/lib/librg_config.so
2adfe000-2ae3e000 ---p 2adfe000 00:00 0 
2ae3e000-2ae40000 rw-p 00016000 00:09 6186348    /mnt/cramfs/lib/librg_config.so
2ae40000-2ae41000 rw-p 2ae40000 00:00 0 
2ae41000-2ae5d000 r-xp 00000000 00:09 5935020    /mnt/cramfs/lib/libm.so.0
2ae5d000-2ae9d000 ---p 2ae5d000 00:00 0 
2ae9d000-2ae9e000 rw-p 0001c000 00:09 5935020    /mnt/cramfs/lib/libm.so.0
2ae9e000-2aea0000 r-xp 000

insmod: add-symbol-file build/debug/hw_qos_ikanos_mod.o 0xc0080000 -s .data 0xc0080900 -s .bss 0xc0080a80

00000 00:09 6382320    /mnt/cramfs/lib/libutil.so.0
2aea0000-2aedf000 ---p 2aea0000 00:00 0 
2aedf000-2aee0000 rw-p 00001000 00:09 6382320    /mnt/cramfs/lib/libutil.so.0
2aee0000-2af1f000 r-xp 00000000 00:09 5108728    /mnt/cramfs/lib/libSwitch.so
2af1f000-2af5f000 ---p 2af1f000 00:00 0 
2af5f000-2af60000 rw-p 0003f000 00:09 5108728    /mnt/cramfs/lib/libSwitch.so
2af60000-2af63000 r-xp 00000000 00:09 5306268    /mnt/cramfs/lib/libcrypt.so.0
2af63000-2afa2000 ---p 2af63000 0hw_qos_init:183    init module

0:00 0 
2afa2000-2afa3000 rw-p 00002000 00:09 5306268    /mnt/cramfs/lib/libcrypt.so.0
2afa3000-2afb4000 rw-p 2afa3000 00:00 0 
2afb4000-2afbe000 r-xp 00000000 00:09 5963704    /mnt/cramfs/lib/libmsg-api.so
2afbe000-2affd000 ---p 2afbe000 00:00 0 
2affd000-2affe000 rw-p 00009000 00:09 5963704    /mnt/cramfs/lib/libmsg-api.so
2affe000-2b00b000 rw-p 2affe000 00:00 0 
2b00b000-2b01a000 r-xp 00000000 00:09 6169976    /mnt/cramfs/lib/libpthread.so.0
2b01a000-2b059000 ---p 2b01a000 00:00 0 
2b059000-2b05e000 rw-p 0000e000 00:09 6169976    /mnt/cramfs/lib/libpthread.so.0
2b05e000-2b060000 rw-p 2b05e000 00:00 0 
2b060000-2b063000 r-xp 00000000 00:09 6373300    /mnt/cramfs/lib/libtr69If.so
2b063000-2b0a2000 ---p 2b063000 00:00 0 
2b0a2000-2b0a3000 rw-p 00002000 00:09 6373300    /mnt/cramfs/lib/libtr69If.so
2b0a3000-2b104000 r-xp 00000000 00:09 5177088    /mnt/cramfs/lib/libc.so.0
2b104000-2b144000 ---p 2b104000 00:00 0 
2b144000-2b146000 rw-p 00061000 00:09 5177088    /mnt/cramfs/lib/libc.so.0
2b146000-2b14a000 rw-p 2b146000 00:00 0 
7fa35000-7fa4a000 rwxp 7fa35000 00:00 0          [stack]

insmod: add-symbol-file build/debug/igmp_proxy_mod.o 0xc008d000 -s .data 0xc0094170 -s .bss 0xc00942c0

insmod: add-symbol-file build/debug/rg_usfs.o 0xc0086000 -s .data 0xc0087510 -s .bss 0xc0087680

insmod: add-symbol-file build/debug/tcp_mss.o 0xc0000000 -s .data 0xc0000a00 -s .bss 0xc0000b80

insmod: add-symbol-file build/debug/rg_dhcp_pktfil.o 0xc0089000 -s .data 0xc008a440 -s .bss 0xc008a5c0

insmod: add-symbol-file build/debug/rg_ipv4.o 0xc0084000 -s .data 0xc0084440 -s .bss 0xc00845c0

IPV4 device driver registered

insmod: add-symbol-file build/debug/pppoe_relay.o 0xc009c000 -s .data 0xc009f800 -s .bss 0xc009f940

insmod: add-symbol-file build/debug/rg_pppoe_relay.o 0xc0082000 -s .data 0xc0082db0 -s .bss 0xc0082f20

insmod: add-symbol-file build/debug/ife6DriverLoad_mod.o 0xc0098000 -s .data 0xc0098440 -s .bss 0xc00985c0

Initializing IFE6 Driver Load module

insmod: add-symbol-file build/debug/watchdog_mod.o 0xc0096000 -s .data 0xc00969f0 -s .bss 0xc0096b60

Initializing Watchdog module

Initializing Watchdog module1

Initializing Watchdog module2

insmod: add-symbol-file build/debug/btn.o 0xc009a000 -s .data 0xc009ac40 -s .bss 0xc009ade0

insmod: add-symbol-file build/debug/qos_ingress.o 0xc00b7000 -s .data 0xc00b81b0 -s .bss 0xc00b8340

insmod: add-symbol-file build/debug/bmedrv.o 0xc00ba000 -s .data 0xc00bade0 -s .bss 0xc00bafa0

bmedrv_init: Region 0x07800000 - 0x07ffffff allocated successfully

BME Driver has been loaded SUCCESSFULLY

insmod: add-symbol-file build/debug/switch.o 0xc00bc000 -s .data 0xc00bd000 -s .bss 0xc00bd1c0

m88e6x6x switch driver for vx180 loaded

insmod: cannot open module `/lib/modules/dspvoice.o': No such file or directory
insmod: cannot open module `/lib/modules/rtp.o': No such file or directory
insmod: cannot open module `/lib/modules/relay.o': No such file or directory
 Permanent Parameters were stored in Rgconf RAM 
sg_gvt_entity_runlevel.c : action = 0, xdsl_mode = 1
wifi_init: Atheros Wifi card: device AR5416_DEVID_AR9287_PCI (Kiwi).
Atheros Wifi card found: ath0
ath1
mt_ma_open : entering in -------------------
mt_ma_start_process : entering in -------------------
opening reconfentity Entity

MAIN AUTOM ID IS 345 warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled
warning #1 :new rg_conf entry but not signaled

To activate ar5xxx Debug traces set entry dev/wifi0/dev_ar5xxx_debug in rg_conf

To activate ar5xxx Debug traces set entry dev/wifi0/dev_ar5xxx_debug in rg_conf 
device eth0 entered promiscuous mode

OS: VDSL daemon already running
Acceseth2.600: Setting MAC address to s: 2c F e4ai 12le 7fd  59to 42 .

opVLAN (eth2.600):  Underlying device (eth2) has same MAC, not checking promiscious mode.

en bme module
eth2.602: Setting MAC address to  2c e4 12 7f 59 42.

VLAN (eth2.602):  Underlying device (eth2) has same MAC, not checking promiscious mode.

eth2.4000: Setting MAC address to  2c e4 12 7f 59 42.

VLAN (eth2.4000):  Underlying device (eth2) has same MAC, not checking promiscious mode.

__BEI:load_rgconf_switch_config called__

__BEI:sg_switch_check_config called__

__BEI:sg_switch_write_config_files called__

__BEI:sg_switch_parse_config called__

__BEI:sg_switch_set_mode called__

__BEI:sg_switch_run_config called__

__BEI:sconfigure_spq_scheduler:134    enable SPQ on AP:1 link speed:1000000000

g_switch_free_switch_config called__
ls: /sys/devices/platform/*/*/[0-9]*-*/*/usb:lp*: No such file or directory
ls: /sys/devices/platform/*/*/[0-9]*-*/*/*/usb:lp*: No such file or directory
initprocess to launch : /etc/initprocess.sh 2

xdsl autodetect mode actif

CPE start address is a7800000

ipos system initialized

BME 1 is coming up

Transfer to SDRAM Successful

BmeHw: Downloading BME 1 software .....!

BmeHw: Bme 1 software code downloaded successfully

The feature bit has been successfully modified for  eth0 eth1 PERI VDSL APs...

******sysutil apfeature all vlanbridge enable******

alm freq 20
 status freq 30
/tmp/dslSavedConfig.conf file not found

configuration file /etc/vdsl.conf:start______

configuration file /etc/vdsl.conf:start0______

OamOptionMask Set to 3
_____________________BEI:fpvdslconfigfile == NULL__________________

taskUi: profileNum = 2 Sizeof ipos_port_profile=144

Please execute 'vdsl' in 3 seconds to enter into Supervisor mode
2
1
0

Changing port profile #2 BAND_PLAN=0x1 PTM MODE=0x0
OamoptionMask 3
optionMask 8

Quem quiser me ajudar, pode comprar no mercadolivre um conversor TTL / Serial DB9 ou USB.
O baud rate dele &eacute; 115200, 1 bit de parada, sem paridade.
Mas tem uma coisa que me aflinge.
Quando comecei a dar comandos no terminal, qualquer coisa mesmo, ele n&atilde;o respondia de jeito nenhum. Mas segundo o site da OpenWRT, em alguns routers, o baud rate altera depois do boot..

Pois bem.. testei com 9600, 12800, 19200 e nada... at&eacute; que em 38400, ele respondia! Por&eacute;m com caracteres muito doidos.
A explica&ccedil;&atilde;o pra isso &eacute;: O baud rate de recep&ccedil;&atilde;o N&Atilde;O &eacute; o mesmo baud rate de transmiss&atilde;o, o que significa que terei que usar duas portas seriais.

Postarei mais novidades em breve.

Answer

Como disse anteriormente, eu preciso de duas portas seriais para fazer a comunica&ccedil;&atilde;o, pois o baud rate &eacute; diferente para envio e recep&ccedil;&atilde;o.

1) eu consigo entender tudo o que o router diz em 115200 mas n&atilde;o consigo transmitir. Simplesmente ele n&atilde;o responde nada quando transmito.

2) Consigo transmitir em 38400 mas ele n&atilde;o entende o que eu digo, mas pelo menos ele recebe alguma coisa, o que &eacute; bom, porque da&iacute; ele me d&aacute; uma lista de comandos v&aacute;lidos!

isto &eacute; o que ele me responde:
SysRq : HELP : loglevel0-8 reBoot tErm Full kIll showMem Nice showPc Sync showTasks UnmountO grande problema &eacute; encontrar o baud rate correto de ENVIO para que ele entenda os meus caracteres.

Apenas por curiosidade, isso &eacute; o que acontece quando o baud rate est&aacute; incorreto:
 =s:z{pA&Icirc;p &macr;=&sup2;&laquo;e&Iuml;&Ecirc;Q}&ccedil;&uacute;&euml;3]&Igrave;&Agrave;`@&frac12;&ccedil;&Ecirc;&Icirc;&agrave;&sup2;&deg;pA&icirc;&cedil;&ograve;]&Igrave;&aelig;`@&frac12;g&laquo;g&sup2;&Ccedil;Q&Icirc;                            0&sect;]&ordf;&deg;0i*&uacute;&iuml;3&Agrave;sEt&egrave;;0&iuml;qrq&icirc;y&agrave;``d```e:g:;&Atilde;;A&Igrave;&ucirc;ps&raquo;&ordm;+X&egrave;z&uacute;wzy&egrave;&egrave;&uacute;&sup2;&AElig;&Iuml;&Ecirc;&uacute;&euml;3]&Igrave;&Agrave;``Y&Icirc;&agrave;&sup2;&deg;0&sect;]&Igrave;&aelig;`p                            &ordm;&uacute;&euml;30&sect;]&ordf;&deg;0&copy;2&iuml;&Yacute;}s&Ccedil;&Agrave;8`&iuml;&sect;&egrave;&agrave;K&ucirc;&macr;
&deg;&uacute;!2&iuml;29&Agrave;8pe1&sect;y&Agrave;8&laquo;=w2y&Egrave;#z&Atilde;;&Egrave;`&divide;&sup2;3!9&ucirc;&macr; w:r&middot;3&sect;zr3!9&ucirc;&macr; &uacute;&Agrave;&iacute;&Egrave;&Ecirc;&sup2;3&sect;zr3!9&ucirc;&macr; r&Atilde;&Egrave;&Ecirc;&sup2;3&sect;zr3!9&Agrave;&Eacute;                            ]&ecirc;3&macr;&curren;&divide;&sup3;&Ccedil;&agrave;2&Ecirc;&Acirc;:2
p&laquo;9&yuml;z&sup2;0&Igrave;&Ccedil;&agrave;2&Ecirc;&acirc;X&auml;&acirc;&ntilde;&agrave;&laquo;9&yuml;&aelig;&ecirc;9&Agrave;&Euml;&Egrave;&ecirc;2&aacute;&agrave;:2x&acirc;&laquo;9&yuml;q&ograve;&deg;ow`&acirc;&eth;&Atilde;&Ccedil;&Agrave;x&ccedil;&egrave;&Igrave;&Auml;&aacute;b&ocirc;&egrave;&egrave;&Acirc;g&laquo;&agrave;`w:0s;gSz&Ccedil;&Agrave;&Euml;&Egrave;&ecirc;2&aacute;&ucirc;                            &agrave;r&Agrave;}{1u&pound;&Ograve;&laquo;&ntilde;&Ecirc;&Egrave;zs&atilde;#&Ograve;&uacute;&ntilde;&ograve;r&auml;&Ograve;q&cent;&sup2;p&euml;&atilde;&yuml;9&uacute;0&Icirc;&egrave;&agrave;&Ecirc;&Egrave;&Egrave;99&uacute;0&Icirc;&egrave;&agrave;&Ecirc;&Egrave;&Egrave;&ordm;&egrave;&ograve;`:&uacute;p!&laquo;&ntilde;&Ecirc;&Egrave;zs&atilde;#g&ordm;&egrave;&ograve;`&Egrave;&Otilde;;3&sect;&Ecirc;&icirc;2                            ;z&ograve;`&cent;8&Yacute;&euml;&atilde;&yuml;r&ograve;zys2&Agrave;&yuml;ky&Egrave;\pW&sect;&Agrave;&times;&Ograve;&sect;::r&atilde;9
                                  &igrave;32&thorn;&ugrave;&aelig;&Atilde;&iuml;Y&Egrave;s f&egrave;&Egrave;&ograve;&Ecirc;&ntilde;p;&ucirc;pr&laquo;2z&egrave;6z&Euml;K&egrave;&Egrave;&Ecirc;&Igrave;&Agrave;&Ecirc;&eacute;&egrave;&Egrave;]&egrave;&Icirc;&egrave;&eacute;&plusmn;                            &raquo;:&deg;&eacute;}&Atilde;&agrave;&aacute;qad&uacute;&oslash;&Egrave;9&plusmn;q&cedil;8&deg;&uacute;19&agrave;9&yuml;}&Atilde;&Aacute;0&ordm;
&Eacute; mais ou menos isso a&iacute; que o router recebe quando transmito em 38400. Como disse, em 115200 nem isso a&iacute; em cima chega at&eacute; o router.
 Isso vai dar trabalho...

Preciso que algu&eacute;m d&ecirc; uma id&eacute;ia de como eu faria para detectar o baud rate dele. Estava pensando num programa que ficasse enviando a palavra reboot [enter] pela porta serial e ele teria uma velocidade inicial de 9600 e ele iria incrementando este valor at&eacute; passar pela velocidade do router. Saber&iacute;amos quando encontramos a velocidade quando o modem reiniciasse. S&oacute; que eu sou um zero a esquerda em programa&ccedil;&atilde;o...

Answer

Se eu conseguir comunica&ccedil;&atilde;o serial com o modem, usando o putty ou outro  emulador de terminal, eu consigo ver informa&ccedil;&otilde;es exclusivas do modem, e  possivelmente, conseguir rodar programas nele, tipo cliente torrent  entre outros. As possibilidades s&atilde;o infinitas.

Quais possibilidades teria?

Answer

Se voc&ecirc; se refere as possibilidades de conseguir comunica&ccedil;&atilde;o serial com o modem, isso eu j&aacute; fiz. S&oacute; falta encontrar o baud rate correto de transmiss&atilde;o.

Se voc&ecirc; se refere as possibilidades de rodar qualquer coisa no modem, ai &eacute; outra hist&oacute;ria. Falei em cliente torrent, mas nele n&atilde;o tem espa&ccedil;o suficiente em disco.
Update: Mais uma teoria brotou em minha mente... Penso que os caras da GVT n&atilde;o removeram a pagina index2.cgi, mas sim, renomearam para algo menos l&oacute;gico. Estou analisando com meu irm&atilde;o esse problema da transmiss&atilde;o. Um componente que ele chama de porta l&oacute;gica pode resolver nosso problema.

Answer

Pessoal, em um forum tinha como habilitar as fun&ccedil;oes deste modem, eu peguei la. S&oacute; que dai alguem de l&aacute; do portaladsl deve estar ganhando $ dinheiro vendendo a m&aacute;gica no ML, e simplesmente est&atilde;o apagando TODOS os posts que tinham sobre o assunto por l&aacute;. Ent&atilde;o como acho isto uma sacanagem, ai vai a receitinha de bolo para liberar as fun&ccedil;&atilde;oe deste modem. Eu n&atilde;o tenho a TV, e parece que com a TV tem que fazer mais alguma coisa, mas se for para colocar em modo 'bridge' funciona OK
 
Divirtam-se...
 
--------------------------------------------------------------------
 
Modem VDSL2 Sagemcom Fast2764 em modo Bridge 
 
Entre na p&aacute;gina de admin do PB
 
Digite na barra de endere&ccedil;os:
 
192.168.25.1/save_rg_conf.cgi
 
Ele deve enviar um arquivo chamado 'HomeGateway.conf'
salve este arquivo. Se por acaso der algum erro ou falhar,
tente novamente.
 
Edite o arquivo, pode ser com o notepad mesmo, mas &eacute; arquivo tipo unix, sem cr.
Pode se quiser antes para ficar mais bonitinho, converter para crlf.
 
Procure no arquivo a seguinte texto:
runlevel(2)
Substitua o '2' por '4'
 
Salve o arquivo.
 
Baixe um programinha chamado 'curl', que vc pode baixar daqui:
http://www.paehl.com/open_source/?CURL_7.26.0
 
Pode ser a vers&atilde;o mais simples esta Download WITHOUT SSL
&eacute; um aquivo .exe, salve NO DIRETORIO ONDE EST&Auml; o arquivo .conf.
 
A seguir abra o command prompt ou 'uma janela de DOS' no NO MESMO DIRETORIO onde est&aacute; o curl e o .conf e digite:
 
curl -u admin:gvt12345 -F [EMAIL=new_rg_conf=@HomeGateway.conf]new_rg_conf=@HomeGateway.conf[/EMAIL] 192.168.25.1/replace_rg_conf.cgi 
 
Use o 'cut &amp; paste' deste comando, mai&uacute;sculas e minusculas n&atilde;o podem ser trocadas.
 
O modem vai responder com um texto dizendo que foi criado arquivo tempor&aacute;rio, etc.
 
Est&aacute; pronto. Va na tela de configura&ccedil;&atilde;o/modo de opera&ccedil;&atilde;o e a op&ccedil;&atilde;o de colocar em modo 'bridge' deve estar l&aacute;. Outras p&aacute;ginas tamb&eacute;m est&atilde;o diferentes, com mais op&ccedil;&otilde;es, portas USB liberadas, etc. 
 
Boa sorte!
 
--------------------------------------------------------------------

Answer

muito interessante esse assunto, nem sabia esse lance de linux no aparelho. vamos acompanhar e ver o que o amigo consegue.

Ferramentas

Mover Tópico