Linux for MAMEcabs

No, this isn’t the name of a new specialized GNU/Linux distro :)

Six or seven years ago, I started thinking about putting a PC loaded with MAME in a coin-op arcade – indeed I discovered a very active community discussing the topic, so I joined the bandwagon: found an old cabinet from a local reseller, brought it home (quite a major task, if you ask me), and after some days I had available hundreds of games to be played where they belong to (as you can see in the pictures of The Lab).

During these years, the hardware has been under a couple of major revisions, but the most evolving area has surely been the software: first DOS, then Linux (Slackware), using AdvanceMAME, then SDLmame, then again AdvanceMAME.

Recently the partition containing the OS has corrupted; it had already become somewhat a mess, so I started thinking about starting from ground.
Learning from past experiences, I had some requirements:
– It had to be GNU/Linux
– It had to boot quickly
– It had to boot from a compactflash
– It had to run in framebuffer (to avoid Xorg and his bulkness)
– It had to run in a read-only partition

The last point is essential: call me a freak, but i want to be able to turn it of without needing a shutdown sequence.
I was thinking about a custom Linux with BusyBox, then I found Voyage Linux: it’s a Debian-based distro, targeted at embedded systems. It has a small footprint, and it runs in a read-only partition. Just perfect!
I downloaded the Live CD, and following the instructions, installed it on a 512Mb compactflash. To make it boot quicker, and reduce further the footprint, I removed all the unuseful services (wifi and hotspot related services, software watchdog, etc.).
The kernel needed a bit of trimming, too (on the cab I’ve a Matrox G400, and matroxfb isn’t enabled by default), so here are the instructions to build a custom kernel.
The final touch was to make it boot silently: using the kernel switch console=tty7 I moved the boot output to virtual console 7, but there was still the output from GRUB: hopefully, this article from Refining Linux shows exactly how to patch Grub to make it stealth :)

Written by bano on 2012/07/15 Categories: Retrogaming
No Comments on Linux for MAMEcabs

A bit of joy for the 55+, too!

Big thanks to Arf, that – using a little voodoo – has managed to dump an older firmware from a vanilla ARGO55+!
So we can downgrade the ADSL flavour, too :)

I’ve updated the relevant post, please let me know if there’s something wrong.


Written by bano on 2012/04/12 Categories: Hacking Tags: , , , , , , , , , ,
2 Comments on A bit of joy for the 55+, too!

Amtec (ElsagDatamag) Argo 55/95 – Take 8: Firmware downgrade

Boring, usual disclaimer: the stuff you’ll read in this article can easily render your router a not-so-useful paperweight. Please take the time to read and understand it completely, and keep in mind that I cannot guarantee that it will work on your Argo.
Also, make sure you follow the instructions for the right model of router: ARGO55+ is the ADSL version, while ARGO95 is the optical fiber one.

Warning: we are investigating an issue with the ARGO55+ firmware – apparently there’s a configuration problem with the WAN, and clients are unable to reach the outside. Please be aware of that before trying a downgrade on the 55+.

Ok, so we have no way – at this time, at least – to unlock the interface of the Argo with the recent firmware revisions.
By the way, what are these revisions?

These are the firmware versions I am aware of:

1.3.19 (Mar 25 2011) [ARGO95]
1.3.20 (Mar 25 2011) [ARGO55+]
0.4.4 (Nov 20 2011) [ARGO55+/ARGO95]
1.4.4 (Jan 19 2012) [ARGO95]
0.4.52 (Feb 28 2012) [ARGO55+/ARGO95]

As you can see, the version numbering is kind of curious, but release 1.3.19 (for 95) and 1.3.20 (for 55+) are the last one with interface enabled. So, how we can downgrade to that firmware version? Well, here the bootloader of the Argo comes handy.

What you’ll need:

– A serial port connection to the Argo
– A tftp server (i.e. tftp32)
For ARGO55+: argo55_openrg_1_n.img and argo55_openrg_2_n.img
For ARGO95: argo95_openrg_1_n.img and argo95_openrg_2_n.img

Assign your computer a fixed ip address on the same network of the router (i.e., connect it to the ethernet port nearest to the power supply port, fire up the tftp server and copy to its root the two *.img files. Connect to the router via serial port, log in and do a

conf download tftp://<tftp_server_ip>/my_conf_backup.conf

then do a dump of your entire flash (if you haven’t done it already) using the instructions posted here.

Finally, type system reboot and press enter.

As soon as the router restarts, you’ll see the message “Press ENTER twice to stop autoboot in 2 seconds”. Quicky press (you guessed it) the enter key two times.
You are now in the U-Boot command prompt: this nice bootloader has a load of useful features (take a look at the help command), but has also the power to render your router unusable. So, pay attention!

Now we have to set a couple of variables: I’m assuming that you used as the ip of your tftp server, remember to adapt the commands to your setup.

Set the router ip address:
setenv ipaddr

Set the router netmask:
setenv netmask

Set the tftp server ip address:
setenv serverip

Now check if you can reach the tftp server machine with

If everything is ok, you can now cross your fingers, and start the downgrade.

First downgrade the recovery image:
update_openrg argo55_openrg_1_n.img 1 (if you are downgrading an ARGO55+)
update_openrg argo95_openrg_1_n.img 1 (if you are downgrading an ARGO95)

Then the standard image:
update_openrg argo55_openrg_2_n.img 2 (if you are downgrading an ARGO55+)
update_openrg argo95_openrg_2_n.img 2
(if you are downgrading an ARGO95)

If you haven’t received any error, you can check that the images are correctly recognized with get_openrg_active 

Make sure that there are two valid partitions, and the active one is the 3/7. Then, exit typing reset and pressing enter.

The Argo should now reboot and start your new-old-firmware. Keep in mind that Fastweb has still access to your router, so probably the best way to avoid an immediate upgrade is to disconnect the WAN cable (fiber or adsl) during the boot, log in to the router (via serial port) and issue a

cwmp session_stop

that should stop the remote configuration service, hopefully. Then reconnect the WAN cable, access to the Argo web interface, and follow the steps in the hardening post, before it’s too late :)


Update (02/04/2012)

Corrected a couple of mistakes (mistyped the update_openrg commands and forgot to mention to connect via ethernet). Thanks D3FenD3r and geogeo!

Update 2 (13/04/2012)

Added files and instructions for ARGO55+. Thanks Arf!

Update 3 (14/04/2012)

Added a missing command line. Thanks D3FenD3r!

Update 4 (16/04/2012)

Added a warning while we investigate problems with the ARGO55+ configuration.

Written by bano on 2012/03/22 Categories: Hacking Tags: , , , , , , , , ,
110 Comments on Amtec (ElsagDatamag) Argo 55/95 – Take 8: Firmware downgrade

Amtec (ElsagDatamag) Argo 55/95 – Take 7: Fastweb strikes back

As probably the vast majority out there already noticed, Fastweb in the past weeks has provisioned a firmware update (version 0.4.4 – we’ll came back on this) that locks out users from the interface of the Argo (web, telnet, ssh). Thanks to the user geogeo I’ve had the opportunity to take a look at the new firmware: apparently, ports (22, 23, 80, 443, etc.) are binded, but are refusing any connection (even from the Argo itself!).

A side-by-side comparison of the pre-update and post-update configurations (including firewall settings fetched with firewall dump), didn’t reveal anything relevant: the firewall, apparently, isn’t the culprit. So, in lack of other informations, we must assume that the interface has been locked out at compile time.

So, how can we regain access to the Argo? Well, in the next post we’ll talk about downgrade :)

Written by bano on  Categories: Hacking Tags: , , , , , , ,
1 Comment on Amtec (ElsagDatamag) Argo 55/95 – Take 7: Fastweb strikes back

Amtec (ElsagDatamag) Argo 55/95 – Take 6: Uncompress rg_conf

Just a quick one (thanks to purputy for pointing this out): the two configuration areas of the flash we dumped in the previous post are compressed with the deflate algorithm, and it’s quite easy to extract them.

I’ve made up a quick’n’dirty script (in php, forgive me, just because the gzinflate function was quicker to use) that you can call from command line with:

php conf_inflate.php <conf_dump> <dest_file>

In <dest_file> you’ll have the configuration in plain text.

You can get the script here.

Written by bano on 2012/02/03 Categories: Hacking Tags: , , , , , , , , ,
13 Comments on Amtec (ElsagDatamag) Argo 55/95 – Take 6: Uncompress rg_conf