Seguridad Wireless - Wifi

Equipos y materiales => Puntos de acceso, routers, switchs y bridges => Mensaje iniciado por: flipper en 09-05-2016, 22:27 (Lunes)

Título: Movistar FTTH GPT-2541GNAC. Modificar rootfs
Publicado por: flipper en 09-05-2016, 22:27 (Lunes)
Buenas,

Hace un par de meses contraté la fibra de Movistar y me instalaron el nuevo router GPT-2541GNAC. Necesito configurar uno de los puertos del router en modo trunk, y aunque en principio es posible realizarlo desde la web del equipo, saltan errores por todos lados. Sé que podría ponerlo en modo bridge y conectar un router neutro detrás, pero no es una opción. Así que me he puesto a destriparlo. He conseguido extraer el rootfs del router, añadirle un script para que cuando arranque ejecute los scripts que guarde en la partición app, que está montada con jffs2. He conseguido entender como está estructurado el firmware, y creo que podría actualizarlo con una versión propia sin problema. También he parcheado un librería ya que estaba cansado de tener que introducir contraseñas para tener acceso al shell. 

Aunque lo anterior debería de funcionar, me estoy planteando cambiar el sistema de archivos de squashfs a jffs2, de manera que sea más sencillo cambiar la configuración de nuevo. Para ello, tendría convertir el rootfs a jffs2, lo que no debería de ser un problema, y que actualizar el CFE para que le pase el cmdline con los datos correctos al Kernel. Actualmente le está pasando esto: root=31:0 rootfstype=squashfs  irqaffinity=0. Por lo que tendría que modificar el rootfstype a jffs2

Entiendo que el cmdline se lo pasa el bootloader, en mi caso el (CFE version 1.0.41-117.134 for BCM96838 (32bit,SP,BE)), al kernel cuando lo invoca, el problema es que no sé como modificar este dato. Al entrar en el shell del CFE, no existe ningún comando para modificarlo, de hecho está capadísimo, ya que ni da la posibilidad de poder actualizar el firmware o modificar el bootline. He extraido el CFE y lo he examinado, pero no he encontrado donde guarda esta cadena para poder modificarlo.

Como mis conocimientos de Linux son nulos, y es la primera vez que juego con un router de este manera, agradecería vuestra ayuda y opinión sobre si es posible hacer lo que pretendo, la menera de hacerlo o si existe alguna otra opción para conseguir lo mismo.

Adjunto el log del equipo, por si puede ayudar para esto o alguien más en el futuro.

Código: [Seleccionar]
HELO
CPUI
L1CI
HELO
CPUI
L1CI
4.1404Apatch1-1.0.41-117.134
DRAM
----
PHYS
ZQDN
PHYE
DINT
TST1
TST2
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
COMS
COME
SUCC


Base: 4.14_04Apatch1
CFE version 1.0.41-117.134 for BCM96838 (32bit,SP,BE)
Build Date: 09/11/2015 (joggy@DJiaBu)
Copyright (C) 2000-2013 Broadcom Corporation.

Chip ID: BCM68380_B0, MIPS: 600MHz, DDR: 533MHz, Bus: 240MHz
RDP: 800MHz
Main Thread: TP0
Total Memory: 268435456 bytes (256MB)
Boot Address: 0xbfc00000

NAND flash device: MXIC MX30LF1G08AM, id 0xc2f1 block 128KB size 131072KB
Total Flash size: 131072KB with 1024 sectors
Configuring RGMII pinpux
ddr_tm_base_address = 0xa0800000
f_initialize_bbh_dma_sdma_related_arrays:(956) errorenable IH Wan-Wan forwarding...
Initializing port 0
Initializing port 1
Initializing port 2
Initializing port 3
Initializing port 4
oren_data_path_go done!!!
Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host/tftp (f/h/c)  : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Boot image (0=latest, 1=previous) : 0
Default host ramdisk file name    :
Default ramdisk store address     :
Board Id (0-25)                   : GPT-2541GNAC
Number of MAC Addresses (1-32)    : 10
Base MAC Address                  : 98:97:d1:00:fd:2a
PSI Size (1-128) KBytes           : 128
Enable Backup PSI [0|1]           : 1
System Log Size (0-256) KBytes    : 0
Auxillary File System Size Percent: 0
Main Thread Number [0|1]          : 0
GPON Serial Number                : "MSTC23F2CBB1"
GPON Password                     : "          "
MC memory allocation (MB)         : 4
TM memory allocation (MB)         : 20
Voice Board Configuration (0-0)   : LE9541

Creating CPU ring for queue number 0 with 32 packets descriptor=0x8066b5cc
 Done initializing Ring 0 Base=0xa220f710K End=0xa220f910K calculated entries= 32 RDD Base=0x0220f710K descriptor=0x8066b5cc
Open PHY 1 on MAC 0 : link state = Down
Open PHY 2 on MAC 1 : link state = Down
Open PHY 3 on MAC 2 : link state = Down
Open PHY 4 on MAC 3 : link state = Down
Open PHY 31 on MAC 4 : link state = 1000M Full
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Wait for Multiboot Service Packet...  4PHY 1 on MAC 0 : link state = 1000M Full                                                                                                                                                              0
Booting from latest image (0xc2e40000) ...
Correctable ECC Error detected: addr=0x03bb1800, intrCtrl=0x000000B0, accessCtrl=0xF7441010
Code Address: 0x80010000, Entry Address: 0x8034ec30
Linux file system CRC CORRECT
Linux kernel CRC CORRECT
Decompression OK!
Entry at 0x8034ec30
Closing network.
Starting program at 0x8034ec30
Linux version 3.4.11-rt19 (david@DJiaBu) (gcc version 4.6.2 (Buildroot 2011.11) ) #4 SMP PREEMPT Mon Dec 21 15:38:16 CST 2015
GPT-2541GNAC prom init
CPU revision is: 0002a080 (Broadcom BMIPS4350)
Determined physical RAM map:
 memory: 01400000 @ 0ec00000 (reserved)
 memory: 00400000 @ 0e800000 (reserved)
 memory: 0e800000 @ 00000000 (usable)
Zone PFN ranges:
  DMA      0x00000000 -> 0x00001000
  Normal   0x00001000 -> 0x0000e800
Movable zone start PFN for each node
Early memory PFN ranges
    0: 0x00000000 -> 0x0000e800
On node 0 totalpages: 59392
free_area_init_node: node 0, pgdat 80437f50, node_mem_map 81000000
  DMA zone: 32 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 4064 pages, LIFO batch:0
  Normal zone: 432 pages used for memmap
  Normal zone: 54864 pages, LIFO batch:15
PERCPU: Embedded 7 pages/cpu @811d3000 s5088 r8192 d15392 u32768
pcpu-alloc: s5088 r8192 d15392 u32768 alloc=8*4096
pcpu-alloc: [0] 0 [0] 1
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 58928
Kernel command line: root=31:0 rootfstype=squashfs  irqaffinity=0
PID hash table entries: 1024 (order: 0, 4096 bytes)
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
Memory: 230412k/237568k available (3380k kernel code, 7156k reserved, 878k data, 204k init, 0k highmem)
Preemptible hierarchical RCU implementation.
NR_IRQS:256
console [ttyS0] enabled
Allocating memory for DSP module core and initialization code
Allocated DSP module memory - CORE=0x0 SIZE=0, INIT=0x0 SIZE=0
Calibrating delay loop... 598.01 BogoMIPS (lpj=299008)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
--Kernel Config--
  SMP=1
  PREEMPT=1
  DEBUG_SPINLOCK=0
  DEBUG_MUTEXES=0
Broadcom Logger v0.1 Dec 21 2015 14:39:00
CPU revision is: 0002a080 (Broadcom BMIPS4350)
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
Brought up 2 CPUs
NET: Registered protocol family 16
PMC Driver Init... done.


########## 5G reset ###############

registering PCI controller with io_map_base unset
registering PCI controller with io_map_base unset
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
PCI host bridge to bus 0000:00
pci_bus 0000:00: root bus resource [mem 0xeff00000-0xefffffff]
pci_bus 0000:00: root bus resource [io  0xf1000000-0xf100ffff]
PCI host bridge to bus 0000:01
pci_bus 0000:01: root bus resource [mem 0xd0000000-0xdfffffff]
pci_bus 0000:01: root bus resource [??? 0x00000000 flags 0x0]
pci 0000:01:00.0: [14e4:6838] type 01 class 0x060400
pci 0000:01:00.0: PME# supported from D0 D3hot
pci 0000:01:00.0: PCI bridge to [bus 02-02]
PCI host bridge to bus 0000:03
pci_bus 0000:03: root bus resource [mem 0xe0000000-0xefefffff]
pci_bus 0000:03: root bus resource [??? 0x00000000 flags 0x0]
pci 0000:03:00.0: [14e4:6838] type 01 class 0x060400
pci 0000:03:00.0: PME# supported from D0 D3hot
pci 0000:04:00.0: [14e4:a8db] type 00 class 0x028000
pci 0000:04:00.0: reg 10: [mem 0x00000000-0x00007fff 64bit]
pci 0000:04:00.0: supports D1 D2
pci 0000:03:00.0: BAR 8: assigned [mem 0xe0000000-0xe00fffff]
pci 0000:04:00.0: BAR 0: assigned [mem 0xe0000000-0xe0007fff 64bit]
pci 0000:03:00.0: PCI bridge to [bus 04-04]
pci 0000:03:00.0:   bridge window [mem 0xe0000000-0xe00fffff]
PCI: Enabling device 0000:03:00.0 (0000 -> 0002)
bcmhs_spi bcmhs_spi.1: master is unqueued, this is deprecated
skbFreeTask created successfully
BLOG v3.0 Initialized
BLOG Rule v1.0 Initialized
Broadcom IQoS v0.1 Dec 21 2015 14:42:33 initialized
Broadcom GBPM v0.1 Dec 21 2015 14:42:33 initialized
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 4, 65536 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
TCP: reno registered
UDP hash table entries: 128 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 128 (order: 0, 4096 bytes)
NET: Registered protocol family 1
PCI: CLS 0 bytes, default 16
init_bcm_tstamp: unhandled mips_hpt_freq=300000000, adjust constants in bcm_tstamp.c
bcm_tstamp initialized, (hpt_freq=300000000 2us_div=300 2ns_mult=0 2ns_shift=0)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 450
io scheduler noop registered (default)
Broadcom NAND controller (BrcmNand Controller)
mtd->oobsize=0, mtd->eccOobSize=0
NAND_CS_NAND_XOR=00000000
B4: NandSelect=40000001, nandConfig=15142200, chipSelect=0
brcmnand_read_id: CS0: dev_id=c2f18095
After: NandSelect=40000001, nandConfig=15142200
Block size=00020000, erase shift=17
NAND Config: Reg=15142200, chipSize=128 MB, blockSize=128K, erase_shift=11
busWidth=1, pageSize=2048B, page_shift=11, page_mask=000007ff
timing1 not adjusted: 6574845b
timing2 not adjusted: 00001e96
BrcmNAND mfg c2 f1 Macronix MX30LF1G08AM 128MB on CS0

Found NAND on CS0: ACC=f7441010, cfg=15142200, flashId=c2f18095, tim1=6574845b, tim2=00001e96
BrcmNAND version = 0x80000500 128MB @00000000
brcmnand_scan: B4 nand_select = 40000001
brcmnand_scan: After nand_select = 40000001
handle_acc_control: default CORR ERR threshold  1 bits
ACC: 16 OOB bytes per 512B ECC step; from ID probe: 16
page_shift=11, bbt_erase_shift=17, chip_shift=27, phys_erase_shift=17
Brcm NAND controller version = 5.0 NAND flash size 128MB @18000000
ECC layout=brcmnand_oob_bch4_2k
brcmnand_scan:  mtd->oobsize=64
brcmnand_scan: oobavail=35, eccsize=512, writesize=2048
brcmnand_scan, eccsize=512, writesize=2048, eccsteps=4, ecclevel=4, eccbytes=7
Initialiation of nandBlockMap is Done
-->brcmnand_default_bbt
brcmnand_default_bbt: bbt_td = bbt_slc_bch4_main_descr
Bad block table Bbt0 found at page 0000ffc0, version 0x01 for chip on CS0
Bad block table 1tbB found at page 0000ff80, version 0x01 for chip on CS0
brcmnand_reset_corr_threshold: default CORR ERR threshold  1 bits for CS0
brcmnand_reset_corr_threshold: CORR ERR threshold changed to 3 bits for CS0
rescanning ....
----- Contents of BBT -----
----- END Contents of BBT -----
brcmnandCET: Status -> Deferred
create_nandBlockMapK : offset = 0x00020000, size = 0x03220000, ctr = 1, endctr = 402
create_nandBlockMapK : offset = 0x03240000, size = 0x03220000, ctr = 402, endctr = 803
find_filetag_offset : offset = 0x03240000 , size = 0x03220000, block_offset=0
find_filetag_offset : offset = 0x00020000 , size = 0x03220000, block_offset=0
Creating 9 MTD partitions on "brcmnand.0":
0x000003260000-0x000006460000 : "rootfs"
0x000000040000-0x000003240000 : "rootfs_update"
0x000007b00000-0x000007f00000 : "data"
0x000000000000-0x000000020000 : "nvram"
0x000003240000-0x000006460000 : "image"
0x000000020000-0x000003240000 : "image_update"
0x000006260000-0x000007900000 : "app"
0x000007900000-0x000007a00000 : "usrcfg"
0x000007a00000-0x000007b00000 : "cfg_upgrade"
PPP generic driver version 2.4.2
PPP BSD Compression module registered
PPP Deflate Compression module registered
NET: Registered protocol family 24
i2c /dev entries driver
brcmboard: brcm_board_init entry
SES: Button Interrupt 0x1 is enabled
wl1SesBtn_mapIntr: Button Interrupt 0x2 is enabled
SES: LED GPIO 0x8003 is enabled
Serial: BCM63XX driver $Revision: 3.00 $
Magic SysRq with Auxilliary trigger char enabled (type ^ h for list of supported commands)
ttyS0 at MMIO 0xb4e00500 (irq = 9) is a BCM63XX
ttyS1 at MMIO 0xb4e00520 (irq = 10) is a BCM63XX
BPM: tot_mem_size=268435456B (256MB), buf_mem_size <10%> =26843540B (25MB), num of buffers=13315, buf size=2016
Broadcom BPM Module Char Driver v0.1 Dec 21 2015 14:39:17 Registered<244>
Create successful!!!
TCP: cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Initializing MCPD Module
Ebtables v2.0 registered
ebt_time registered
ebt_ftos registered
ebt_wmm_mark registered
8021q: 802.1Q VLAN Support v1.8
VFS: Mounted root (squashfs filesystem) readonly on device 31:0.
Freeing unused kernel memory: 204k freed
init started: BusyBox v1.17.2 (2015-12-21 14:46:51 CST)
starting pid 213, tty '': '/bin/sh -l -c "bcm_boot_launcher start"'
Mounting filesystems...
jffs2: Empty flash at 0x00418fa0 ends at 0x00419000
jffs2: Empty flash at 0x009eb0a4 ends at 0x009eb800
jffs2: jffs2_scan_inode_node(): CRC failed on node at 0x00cacfd4: Read 0xffffffff, calculated 0x8645f6f1
jffs2: Empty flash at 0x00cad01c ends at 0x00cad800
jffs2: Empty flash at 0x01301a44 ends at 0x01302000
jffs2: Empty flash at 0x01307160 ends at 0x01307800
jffs2: Empty flash at 0x01317934 ends at 0x01318000
main, getpid = 229
BOS: Enter bosInit
bosTimerInit
Enter bosAppInit Exit bosAppInit BOS: Exit bosInit
Enter TaskCreate rtpAppRegisterSignal, mm pid = 234
TaskCreate - spawn new task rtpExit TaskCreate Enter TaskCreate rtcpTaskCreate - spawn new task rtcpExit TaskCreate flashIvrRead
strLen:368808
offset:0
flashIvrRead
strLen:155480
offset:368808
jffs2: notice: (220) check_node_data: wrong data CRC in data node at 0x0150c560: read 0x7e39b97d, calculated 0x78a072c0.
Configuring system...
Loading drivers and kernel modules...

gpon_stack: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
LOGGER driver Init Done : 0x8c68be80

[ENTERED]:ICF_ES

INFO: AUTO_SCALE: 1

INFO: MODE_OF_OPERATION: 0

INFO: SIP_COMPACT_HDRS: NO

INFO: NW_TRACE_ENABLED: YES
INFO: ICF_DEF_SIP_SERVER_PORT: 6062
INFO: ICF_DEF_SIP_PROXY_PORT: 6061
INFO: TRANSPORT_MODE: 0
INFO: ICF_SYS_RESOURCE_LIMIT: 1

[ENTERING]:icf_es_init
[ICF_ES]:PORT initalized succesfully
icf_port_open_ipc_channel path = /var/iptk_es.chanl
the open channel succeded
exit from the es init
START GPON SerDes Init script
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
 !!!!   PLL locked !!!!!!     !!!!   RX CDR locked !!!!!!     !!!!   TX CDR locked !!!!!!     mdio_write_c22_register
 mdio_write_c22_register
 mdio_write_c22_register
GPON SerDes Initialization Sequence Done
f_initialize_bbh_dma_sdma_related_arrays:(956) errorenable IH Wan-Wan forwarding...
Initializing port 0
Initializing port 1
Initializing port 2
Initializing port 3
Initializing port 4
oren_data_path_go done!!!
# Created object <system>
RDPA lan init
# Created object <port/index=lan0>
# Created object <port/index=lan1>
# Created object <port/index=lan2>
# Created object <port/index=lan3>
# Created object <port/index=lan4>
# Created object <egress_tm/dir=ds,index=0>
# Created object <egress_tm/dir=ds,index=1>
# Created object <egress_tm/dir=ds,index=2>
# Created object <egress_tm/dir=ds,index=3>
# Created object <egress_tm/dir=ds,index=4>
RDPA lan init end
Creating CPU ring for queue number 0 with 128 packets descriptor=0xc04ba6a0
 Done initializing Ring 0 Base=0xac69d080 End=0xac69d880 calculated entries= 128 RDD Base=0x0c69d080 descriptor=0xc04ba6a0
rdpa filter init start!!
# Created object <filter>
rdpa filter init end
# Created object <iptv>
Bridge fastpath module. compiled Dec 21 2015 , 14:42:13
brcmchipinfo: brcm_chipinfo_init entry
NBUFF v1.0 Initialized
Initialized fcache state
Broadcom Packet Flow Cache  Char Driver v2.2 Dec 21 2015 14:39:51 Registered<242>
Created Proc FS /procfs/fcache
Broadcom Packet Flow Cache registered with netdev chain
Broadcom Packet Flow Cache learning via BLOG enabled.
[FHW]  pktDbgLvl[0xc056c800]=0
[FHW]  fhw_construct:
Initialized Fcache HW accelerator layer state
flwStatsThread created
Constructed Broadcom Packet Flow Cache v2.2 Dec 21 2015 14:39:51
Broadcom Packet Flow Cache HW acceleration enabled.
Broadcom Packet Flow Cache HW acceleration enabled.
i2c i2c-0: Failed to register i2c client gpon_i2c at 0x50 (-16)
i2c i2c-0: Failed to register i2c client gpon_i2c at 0x50 (-16)
i2c i2c-0: Failed to register i2c client gpon_i2c at 0x51 (-16)
i2c i2c-0: Failed to register i2c client gpon_i2c at 0x51 (-16)
Broadcom BCM68380_B0 Ethernet Network Device v0.1 Dec 21 2015 14:42:13
dgasp: kerSysRegisterDyingGaspHandler: bcmsw registered
eth0: MAC Address: 98:97:D1:00:FD:2A
eth1: MAC Address: 98:97:D1:00:FD:2A
eth2: MAC Address: 98:97:D1:00:FD:2A
eth3: MAC Address: 98:97:D1:00:FD:2A
eth4: MAC Address: 98:97:D1:00:FD:2A
Creating CPU ring for queue number 3 with 512 packets descriptor=0xc04ba724
 Done initializing Ring 3 Base=0xaae74080 End=0xaae76080 calculated entries= 512 RDD Base=0x0ae74080 descriptor=0xc04ba724
Trun on 1 Active LED
eth0 Link UP 1000 mbps full duplex
 mdio_write_c22_register
 ethsw_phy_write_reg
ERROR : LAN index (4) wrong!
Trun on 5 Active LED
eth4 Link UP 1000 mbps full duplex
message received before monitor task is initialized kerSysSendtoMonitorTask
cpu Ring 3 has been flushed
Creating CPU ring for queue number 8 with 1024 packets descriptor=0xc04ba800
 Done initializing Ring 8 Base=0xaafe0080 End=0xaafe4080 calculated entries= 1024 RDD Base=0x0afe0080 descriptor=0xc04ba800
 Wifi Forwarding Driver initialized !
timer = 500, threshold = 1024 number_of_packets_to_read = 128 fist pci queue 8 number_of_queues = 1
--SMP support
wl: dsl_tx_pkt_flush_len=338
wl: norm_wmark_tot=8654, pktc_wmark_tot=2048
Initializing WLCSM Module
PCI: Enabling device 0000:04:00.0 (0000 -> 0002)
wl: passivemode=1
wl0: creating kthread wl0-kthrd
wl: napimode=0
Neither SPROM nor OTP has valid image
wl:srom/otp not programmed, using main memory mapped srom info(wombo board)
wl: ID=pci/4/0/
wl: ID=pci/4/0/
wl:loading /etc/wlan/bcm43217_map.bin
srom rev:8
wl0: allocskbmode=1 currallocskbsz=512
wl0: Broadcom BCMa8db 802.11 Wireless Controller 6.37.14.4803.cpe4.14L04Apatch1.0-kdb
dgasp: kerSysRegisterDyingGaspHandler: wl0 registered
Loading PCM shim driver
Endpoint: endpoint_init entry
Endpoint: endpoint_init COMPLETED
Creating CPU ring for queue number 2 with 32 packets descriptor=0xc04ba6f8
 Done initializing Ring 2 Base=0xa8d90c80 End=0xa8d90e80 calculated entries= 32 RDD Base=0x08d90c80 descriptor=0xc04ba6f8
[NTC ploamFsm] printSerialPasswd: SN=4d:53:54:43:23:f2:cb:b1
[NTC ploamFsm] printSerialPasswd: PW=20:20:20:20:20:20:20:20:20:20
dgasp: kerSysRegisterDyingGaspHandler: gpon0 registered
[NTC ploamFsm] bcm_ploamCreate: ploam driver created.
Creating CPU ring for queue number 4 with 64 packets descriptor=0xc04ba750
 Done initializing Ring 4 Base=0xac706080 End=0xac706480 calculated entries= 64 RDD Base=0x0c706080 descriptor=0xc04ba750
Broadcom 802.1Q VLAN Interface, v0.1
PCIe0: No device found - Powering down
chip type: 2

[INF rdpadrv] rdpa_cmd_drv_init: Broadcom Runner Packet Processor Char Driver v0.2 Dec 21 2015 14:42:04 Registered. Device: bcmrdpa Ver:<251>

[INF rdpadrv] rdpa_cmd_drv_init: RDPA driver init: OK
Loading GRE kernel modules...
gre: GRE over IPv4 demultiplexor driver
ip_gre: GRE over IPv4 tunneling driver
Saving kernel bootup messages for dumpsysinfo...
Starting CMS smd...

Un saludo



Título: Re: Movistar FTTH GPT-2541GNAC. Modificar rootfs
Publicado por: kieffer en 15-06-2017, 22:26 (Jueves)
Hola Flipper,

Yo también he estado trasteando para intentar averiguar la contraseña del usuario supervisor pero por putty usando un conversor usb a UART TTL he conseguido leer lo que has expuesto pero no consigo entrar comandos... creo que solo es para monitorizar... Por SSH y con usuario 1234 y el password que nos dan en la pegatina pide un password para hacer el dumpcfg.. Te agradeceria detallases un poco con la parte de:  "extraer el rootfs del router, añadirle un script para que cuando arranque ejecute los scripts que guarde en la partición app, que está montada con jffs2. He conseguido entender como está estructurado el firmware, y creo que podría actualizarlo con una versión propia sin problema. También he parcheado un librería ya que estaba cansado de tener que introducir contraseñas para tener acceso al shell. 

en /etc/smt.cfg he visto que hay definido un password por defecto para el usuario 1234 que es 12345678 pero no tiene sentido porque esa ya viene cambiada de fábrica por la que hay en la pegatina...

Cualquier ayuda será bien recibida, gracias de antemano,
Título: Re: Movistar FTTH GPT-2541GNAC. Modificar rootfs
Publicado por: takezo en 19-05-2018, 13:03 (Sábado)
¿habéis podido avanzar con esto..?
tengo un mistrastar hgu movistar y me interesaria mucho poder acceder al equipo en modo root para itnentar tunearlo