Amtec (ElsagDatamag) Argo 55/95 – Take 5: Dump the flash

Now that we have gained access to the box, let's start gathering some info – this is the very first step if we want to try to build a custom firmware.

First of all, let’s make a dump of the flash.

We said that the router has telnet access: when we log in, we're in the command line shell of OpenRG. From there we can control various aspects of the box, but if we type 'system shell' and press enter… voilà! We're in a busybox shell!

We can put a pendrive in one of the USB ports and mount it:

mount /dev/sda1 /mnt/flash

then use dd to dump the flash:

dd if=/dev/mtdblock0 of=/mnt/flash/flashdump.img bs=1m 

Now we have a 16Mb file, but what's inside?

We saw that our router uses U-Boot as its bootloader. This is a good thing: U-Boot is open source, and this version keeps a bunch of useful commands.

With flayout, we have the layout of the flash:

=> flayout
Section 00 Type UNKNOWN Address 0xBF000000 MaxSize 0x00060000
Section 01 Type IMAGE Address 0xBF060000 MaxSize 0x003E0000
Section 02 Type IMAGE Address 0xBF440000 MaxSize 0x00AE0000
Section 03 Type CONF Address 0xBFF20000 MaxSize 0x00060000
Section 04 Type CONF Address 0xBFF80000 MaxSize 0x00060000
Section 05 Type FACTORY Address 0xBFFE0000 MaxSize 0x0001FC00
Section 06 Type LAYOUT Address 0xBFFFFC00 MaxSize 0x00000400

Also, from bdinfo, we know the address at which the flash starts:

flashstart = 0xBF000000

Now, we can split our flash image:

dd if=flashimage.img of=uboot.img ibs=1 count=$((0x00060000))

dd if=flashimage.img of=openrg_1.img ibs=1 skip=$((0x00060000)) count=$((0x003E0000))

dd if=flashimage.img of=openrg_2.img ibs=1 skip=$((0x00440000)) count=$((0x00AE0000))

dd if=flashimage.img of=conf_1.img ibs=1 skip=$((0x00F20000)) count=$((0x00060000))

dd if=flashimage.img of=conf_2.img ibs=1 skip=$((0x00F80000)) count=$((0x00060000))

dd if=flashimage.img of=conf_factory.img ibs=1 skip=$((0x00FE0000)) count=$((0x0001FC00))

dd if=flashimage.img of=layout.img ibs=1 skip=$((0x00FFFC00)) count=$((0x00000400))

Ok, time to fire up a hex editor :)
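As an added example (not code from the post), here is a small Python script that parses the flayout output above, checks that the sections are contiguous and exactly cover the 16 MiB dump before carving anything, and prints the equivalent dd commands; the function and file names are my own.

```python
import re

# flayout output and flash start (from bdinfo) as printed by this router's U-Boot.
FLAYOUT = """\
Section 00 Type UNKNOWN Address 0xBF000000 MaxSize 0x00060000
Section 01 Type IMAGE Address 0xBF060000 MaxSize 0x003E0000
Section 02 Type IMAGE Address 0xBF440000 MaxSize 0x00AE0000
Section 03 Type CONF Address 0xBFF20000 MaxSize 0x00060000
Section 04 Type CONF Address 0xBFF80000 MaxSize 0x00060000
Section 05 Type FACTORY Address 0xBFFE0000 MaxSize 0x0001FC00
Section 06 Type LAYOUT Address 0xBFFFFC00 MaxSize 0x00000400
"""
FLASH_START = 0xBF000000
SECTION_RE = re.compile(
    r"Section\s+(\d+)\s+Type\s+(\w+)\s+Address\s+(0x[0-9A-Fa-f]+)\s+MaxSize\s+(0x[0-9A-Fa-f]+)")

def parse_flayout(text, flash_start=FLASH_START):
    """Return (index, type, offset, size) tuples, offsets relative to the flash start."""
    sections = []
    for m in SECTION_RE.finditer(text):
        idx, typ, addr, size = m.groups()
        sections.append((int(idx), typ, int(addr, 16) - flash_start, int(size, 16)))
    return sorted(sections, key=lambda s: s[2])

def check_layout(sections, flash_size):
    """Sections must be contiguous and cover the whole dump; a gap or overlap means a
    wrong flash_start or a mis-copied offset, so refuse to carve rather than carve garbage."""
    expected = 0
    for idx, _, off, size in sections:
        if off != expected:
            raise ValueError(f"section {idx:02d} at {off:#x}, expected {expected:#x}")
        expected += size
    if expected != flash_size:
        raise ValueError(f"sections cover {expected:#x} bytes, dump is {flash_size:#x}")
    return True

def carve(image, sections):
    """Split the dump bytes into one blob per section, keyed like '01_image'."""
    return {f"{i:02d}_{t.lower()}": image[off:off + size] for i, t, off, size in sections}

def dd_commands(sections, dump="flashdump.img", bs=1024):
    """Equivalent dd invocations: every offset here is 1 KiB aligned, so bs=1024 carves
    exactly the same ranges as ibs=1 but without copying one byte at a time."""
    cmds = []
    for i, t, off, size in sections:
        assert off % bs == 0 and size % bs == 0, "block size must divide offset and size"
        cmds.append(f"dd if={dump} of={i:02d}_{t.lower()}.img bs={bs} skip={off // bs} count={size // bs}")
    return cmds
```

Writing each blob returned by carve() to its own file, or running the dd lines from dd_commands(), gives the same seven section images as the commands above.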


Written by bano on 2012/01/21 Categories: Hacking

Review: Hakko FX-888 soldering station

Every now and then we fall in love with an appliance, a tool, a piece of equipment. This time, it was a soldering station… but let's start from the beginning. Being in need of a soldering station, I started to look for something relatively affordable, but of good quality.

Here in Europe, the obvious choice seems to be some low-end Weller model, but: a) they are greatly overpriced and b) the non-professional line has received very poor reviews.

After reading a bunch of forum threads and reviews, a company name stood out: Hakko. Everyone loved its products, especially the venerable model 936 (out of production), and its successor, the FX-888. Buying it here isn't easy: almost nobody sells it online, even on the bay. Fortunately I've been able to get it through a local reseller.

Packaging and appearance

Hakko FX-888 packaging (open)

The FX-888 comes in a robust yellow cardboard box: opening it we find the manuals (a couple of sheets, actually) and the iron. Under that, there’s the station and the iron holder.

FX-888

Hakko has done quite a nice job with the look of the soldering station: it's small (a nice feature when you've little space on the desk), it has a solid feel and a modern look. The temperature is written in Celsius and Fahrenheit, and a red led indicates when the temperature is reached. Probably a display with a digital readout of the iron temperature would've made a nice addon, but it's more a whim than a real need.

Use

The FX-888 is a pleasure to use: the iron is light and comfortable, and the cord is very flexible. It reaches the temperature very quickly, and is extremely accurate. Also, during work, it keeps the temperature very well, something that isn't easily found in low-end stations.

The holder is solid and sports three kinds of cleaners: the usual sponge, a cleaning rubber – to clean the iron without water, thus helping to keep the temperature – and a cleaning wire, to remove the oxide while keeping a bit of solder on the tip.


The station is ESD safe (the iron is grounded), thus reducing the risk of electrostatic discharges that can damage your circuits. Also, the control knob can be locked in position, and under the base there’s a little screwdriver that can be used for thermal corrections.

Wrap-up

Of course this cannot be a fair review: I started the piece stating my infatuation for the object in question… but I felt the need to let everyone looking for a soldering station with a reasonable price (I paid mine about €110), excellent quality and a broad range of tips to choose from know that this can be a good choice.

Also, if you visit Hakko's site, you'll find plenty of information on the station, tips and also a story (in the form of a personal diary) to learn soldering!

Written by bano Categories: Electronics

Amtec (ElsagDatamag) Argo 55/95 – Take 4: Hardening

Since we now have access (again) to the router, it seems like a good idea to do our best to lock out the provider, and avoid further remote configurations / upgrades.

This is what I did, feel free to find other methods and add a comment to this post :)

- Activate the firewall, and block – with a specific rule – port 4567 (it is used for remote control)

- Delete the firewall rule that allows access – via telnet – from a specific list of networks, but write down those networks (these are the networks from which the provider connects to do remote maintenance)

- Create a static route for every network noted in the previous step, redirecting to a non-existing gateway (i.e. 0.0.0.0)

A note on the last point: when you restart the router, it will fail to connect to the ACS (remote configuration) server. This is a nice thing, but because of this the 'Fastweb' led will remain red, and the 'Ethernet' and 'WiFi' leds will remain off. This is purely cosmetic: wireless and wired networks work perfectly.

Usual disclaimer: these are not general purpose instructions – I cannot guarantee it will work for you. Use them at your own risk.

Written by bano on 2012/01/18 Categories: Hacking

Amtec (ElsagDatamag) Argo 55/95 – Take 3: Sniffing the password!

Even if we learned some useful things about our router (and in the next posts, we will continue to explore it), we still need to find the credentials to access the interface.

The interface is available via HTTP or HTTPS and telnet, on the external interface: you can access it only from the local network, but you need to use the external IP address of the router.

But how can we find the username / password? Well, when Fastweb started delivering those boxes, they left the default values of admin / admin – guessing that was easy, and everyone was happy :) But the fun didn’t last long – they quickly remotely upgraded the firmware, changing the password and stopping the joy.

So, what can we do? Luckily I found a couple of those things:

Media converters


They are media converters – a media converter is the link between the optical fiber and the twisted pair. A couple of those, a hub, Wireshark, and we have the perfect setup for a Man In The Middle!

The plan is simple: we start sniffing packets between the router and the Fastweb infrastructure, then we reset the router configuration (keeping the reset pushbutton pressed for about 15 sec), and… yes! We get the configuration file!

Luckily, in OpenRG the password is obfuscated (and not encrypted!), and we can deobfuscate it with Zibri's OpenRG deobfuscator. Bingo!

Username: lanadmin / Password: lanpasswd

Username: UserName / Password: Password

Yes… they didn’t learn anything.


Written by bano on 2012/01/17 Categories: Hacking

Amtec (ElsagDatamag) Argo 55/95 – Take 2: Serial access

In the previous post, we saw that the board sports three interesting headers (in red):

Argo 95 headers

But what are they for? Well, this is what I found using a logic probe:

1. UART
Vcc   NC    GND   RxD   TxD
o     o     o     o     o
+3,3   0     0    +2,9  +3,2

2. JTAG
Vcc
o     o     o     o     o     o     o

o     o     o     o     o     o     o
Vcc         GND   GND   GND   GND   GND
(Probable pinout: http://www.jtagtest.com/pinouts/ejtag)

3. ?
+3,3   0    +2,9  +3,2  +3,2   0
o     o     o     o     o     o
Vcc   GND               TxD?

I have absolutely no idea what port 3 is: there is activity on pin 5, but it isn't a serial port. Port 1 is what we were looking for: we can connect using an RS232-TTL adapter and a terminal emulator (115000 baud, 8 bits, no parity, 1 stop bit), and… voilà! The bootlog!

Reading the bootlog, we learn some useful things: the box runs OpenRG, and the bootloader is U-Boot – and it is freely accessible!

These are the available commands:

=> help
? - alias for 'help'
askenv - get environment variables from stdin
autoscr - run script from memory
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
boot_openrg - boot Openrg active image
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
dhcp - boot image via network using DHCP/TFTP protocol
echo - echo args to console
erase - erase FLASH memory
flayout - print FLASH layout and sections
flinfo - print FLASH memory information
get_openrg_active - print info about Openrg images in flash and indicate what is the active
go - start application at address 'addr'
gpio - GPIO management commands
help - print online help
iminfo - print header information for application image
imls - list all images found in flash
imxtract - extract a part of a multi-image
itest - return true/false on integer compare
led - LED management commands
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
pci - list and access PCI Configuration Space
ping - send ICMP ECHO_REQUEST to network host
printenv - print environment variables
protect - enable or disable FLASH write protection
rarpboot - boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sleep - delay execution for some time
tftpboot - boot image via network using TFTP protocol
update_openrg - update openrg writing inactive image section
update_openrg_factory - update openrg factory settings
version - print monitor version

Wow, seems a lot of fun, right? :)


Written by bano on 2012/01/16 Categories: Hacking

Amtec (ElsagDatamag) Argo 55/95 – Take 1: The innards

Since the first weeks of 2011, the Italian provider Fastweb has been delivering this router to new customers. Since it's a full-featured router, with a full-featured web interface (but inaccessible to the user), it seemed quite a nice idea to study the box a bit.

First a notice: Argo 55 is the model delivered with ADSL contracts, while Argo 95 is the FTTH variant – from what I can tell, the hardware is more or less identical, the only difference being the presence of an ADSL modem in the 55, which becomes a media converter in the 95. That said, these articles will use the Argo 95 – the one I have at home – as a basis.

So let’s take a peek at the inner guts of the thing:

Argo 95 innards

Nice, huh? From left to right we have the power supply section, the media converter, the switch (and, in the lower section, the SoC) and the ATA. In the lower right corner there’s the wireless miniPCI card (an Atheros AR5700G).

These are the main chips on the board (in yellow):

1. SoC: ikanos IKF6836 (http://www.algasystems.net/pub/ARGO95/soc.pdf)
2. RAM: SAMSUNG K4H511638G-LCCC (http://www.algasystems.net/pub/ARGO95/ram.pdf)
3. Flash: SPANSION S29GL128P11TFI1 (http://www.algasystems.net/pub/ARGO95/flash.pdf)
4. Media converter: IC+ IP113S LF (http://www.algasystems.net/pub/ARGO95/mediaconv.pdf)
5. Switch: Marvell 88E6063-RCJ1 (http://www.algasystems.net/pub/ARGO95/switch.pdf)
6. ATA: ZARLINK Le88266DLC (http://www.algasystems.net/pub/ARGO95/ata.pdf)

So, our router's architecture is similar to the Belgacom BBox2 (among others), with 16Mb of flash and 64Mb of RAM.

Ok, neat piece of hardware. In the next post, we'll see what those tasty headers are there for :)

Written by bano on 2012/01/15 Categories: Hacking