I’ve made up a quick’n'dirty script (in php, forgive me, just because the gzinflate function was quicker to use) that you can call from command line with:

php conf_inflate.php <conf_dump> <dest_file>

In <dest_file> you’ll have the configuration in plain text.

You can get the script here.

Usually, those aren’t RS232, but so-called TTL-level serial ports: this means that they use diferent voltage levels (0 – +5v vs. -12 –  +12v), and you need an adapter to connect them to your computer.

So, this nifty little device comes to hand: the USB-BUB II from Modern Device. As you can suppose, it’s at its second incarnation.

The USB-BUB II it’s based around the FT232R chip: it connects to an usb port, and provides a TTL serial, complete with DTR and CTS signals. But the board has a couple of handy – and unusual – features: first of all there’s a polyfuse, to protect the USB line from short circuits. Also, two smd LEDs – one green and one red –  that shows activity on the RX and TX line.

The board can also deliver 3.3v or 5v power – but don’t count too much on that, the maximum current is 50mA. In case you need some power, however, on the back of the board there’s also space to solder an external voltage regulator.

The BUB use is straightforward: drivers are available for Windows, OS X and Windows CE (!), and recent versions of Linux kernel supports it natively. Also, the board is delivered fully mounted, you just need to solder the header, or the wires, and connect the usb. It works pretty well at all the speeds I tried, and it doesn’t suffer too much from interferences, from what I can say.

Overall, a pretty useful device – a bit pricey (€13,50, shipped in the EU, from The JeeLabs Shop), but still a good choice.

First of all, let’s make a dump of the flash.

We said that the router has a telnet access: when we log in, we’re in the command line shell of OpenRG. From there we can control various aspects of the box, but if we type ‘system shell‘ and press enter… voilà! We’re in a busybox shell!

We can put a pendrive in one of the USB ports and mount it:

mount /dev/sda1 /mnt/flash

then use dd to dump the flash:

dd if=/dev/mtdblock0 of=/mnt/flash/flashdump.img bs=1m 

Now we have a 16Mb file, but what there’s inside?

We saw that our router uses U-Boot as its bootloader. This is a good thing: U-Boot is open source, and this version keeps a bunch of useful commands.

With flayout, we have the layout of the flash:

=> flayout
Section 00 Type UNKNOWN Address 0xBF000000 MaxSize 0×00060000
Section 01 Type IMAGE Address 0xBF060000 MaxSize 0x003E0000
Section 02 Type IMAGE Address 0xBF440000 MaxSize 0x00AE0000
Section 03 Type CONF Address 0xBFF20000 MaxSize 0×00060000
Section 04 Type CONF Address 0xBFF80000 MaxSize 0×00060000
Section 05 Type FACTORY Address 0xBFFE0000 MaxSize 0x0001FC00
Section 06 Type LAYOUT Address 0xBFFFFC00 MaxSize 0×00000400

Also, from bdinfo, we know at wich address is the flash start:

flashstart = 0xBF000000

Now, we can split our flash image:

dd if=flashimage.img of=uboot.img ibs=1 count=$((0×00060000))

Here in Europe, the obvious choice seems some low end Weller model, but: a) they are greatly overpriced and b) the non-professional line has received very poor reviews.

After reading a bunch of forum threads and reviews, a company name stood out: Hakko. Everyone loved its products, especially the venerable model 936 (out of production), and its successor, the FX-888. Buy it here it’s not easy: almost nobody sells it online, even on the bay. Hopefully I’ve been able to get it through a local reseller.

Packaging and apparence

The FX-888 comes in a robust yellow cardboard box: opening it we find the manuals (a couple of sheets, actually) and the iron. Under that, there’s the station and the iron holder.

Hakko has made quite a nice job with the look of the soldering station: it’s small (a nice feature when you’ve little space on the desk), it has a solid feel and a modern look. The temperature is written in Celsius and Fahrenheit, and a red led indicates when the temperature is reached. Probably a display with a digital readout of the iron temperature would’ve made a nice addon, but is more a whim than a real need.

Use

The FX-888 is a pleasure to use: the iron is light and comfortable, and the cord is very flexible. It reaches the temperature very quickly, and is extremely accurate. Also, during work, it keeps the temperature very well, something that isn’t found easily in the low-end stations.

The holder is solid and spots three kinds of cleaners: the usual sponge, a cleaning rubber – to clean the iron without water, thus help in keeping the temperature – and a cleaning wire, to remove the oxide while keeping a bit of solder on the tip.

The station is ESD safe (the iron is grounded), thus reducing the risk of electrostatic discharges that can damage your circuits. Also, the control knob can be locked in position, and under the base there’s a little screwdriver that can be used for thermal corrections.

Wrap-up

Of course this cannot be a fair review: I started the piece stating my infatuation for the object in question… but I felt the need to let know everyone looking for a soldering station with a reasonable price (I paid mine about €110), excellent quality and a broad range of tips to choose from, that this can be a good choice.

Also, if you visit Hakko‘s site, you’ll find plenty of information on the station, tips and also a story (in the form of a personal diary) to learn soldering!

This is what I did, feel free to find other methods and add a comment to this post :)

- Activate the firewall, and block – with a specific rule – port 4567 (is used for remote control)

- Delete the firewall rule that allows access – via telnet – from a specific list of networks, but write down those networks (these are the networks from which the provider connects to do remote maintenance)

- Create a static route for every network noted in the previous step, redirecting to a non-existing gateway (ie. 0.0.0.0)

A note on the last point: when you restart the router, it will fail to connect to the ACS (remote configuration) server. This is a nice thing, but because of this the ‘Fastweb’ led will remain red, and the ‘Ethernet’ and ‘WiFi’ leds will remain off. This is just aesthetic: wireless and wired network works perfectly.

Usual disclaimer: these are not general purpose instructions – I cannot guarantee it will work for you. Use them at your own risk.

The interface is available via http or https and telnet, on the external interface - you can access it only from the local network, but you need to use the external ip address of the router.

But how can we find the username / password? Well, when Fastweb started delivering those boxes, they left the default values of admin / admin – guessing that was easy, and everyone was happy :) But the fun didn’t last long – they quickly remotely upgraded the firmware, changing the password and stopping the joy.

So, what can we do? Luckily I found a couple of those things:

They are media converters – the media converter it’s the link between optical fiber and twisted pair. A couple of those, an hub, Wireshark, and we have the perfect setup to do Man In The Middle!

The plan is simple: we start to sniff packets between the router and the Fastweb infrastructure, then we reset the router configuration (keeping pressed the reset pushbutton for about 15 sec), and… yes! We get the configuration file!

Luckily, in OpenRG the password is obfuscated (and not encrypted!), and we can deobfuscate it with Zibri’s OpenRG deobfiscator. Bingo!

Username: lanadmin / Password: lanpasswd

Username: UserName / Password: Password

Yes… they didn’t learn anything.

Argo 95 headers (Click to enlarge)

But what are they for? Well, this is what I found using a logic probe:

1. UART
Vcc   NC    GND   RxD   TxD
o     o     o     o     o
+3,3   0     0    +2,9  +3,2

2. JTAG
Vcc
o     o     o     o     o     o     o

o     o     o     o     o     o     o
Vcc         GND   GND   GND   GND   GND
(Probable pinout: http://www.jtagtest.com/pinouts/ejtag)

3. ?
+3,3   0    +2,9  +3,2  +3,2   0
o     o     o     o     o     o
Vcc   GND               TxD?

I have absolutely no idea of what the port 3 is: there is activity on pin 5, but it isn’t a serial port. Port 1 is what we were looking for: we can connect using a RS232 – TTL adapter and a terminal emulator (115000 baud, 8 bits, no parity, 1 stop bit), and… voilà! The bootlog!

Reading the bootlog, we  learn some useful things: the box runs OpenRG, and the bootloader is U-Boot – and is freely accessible!

These are the available commands:

=> help
? – alias for ‘help’
askenv – get environment variables from stdin
autoscr – run script from memory
base – print or set address offset
bdinfo – print Board Info structure
boot – boot default, i.e., run ‘bootcmd’
boot_openrg – boot Openrg active image
bootd – boot default, i.e., run ‘bootcmd’
bootm – boot application image from memory
bootp – boot image via network using BOOTP/TFTP protocol
cmp – memory compare
coninfo – print console devices and information
cp – memory copy
crc32 – checksum calculation
dhcp – boot image via network using DHCP/TFTP protocol
echo – echo args to console
erase – erase FLASH memory
flayout – print FLASH layout and sections
flinfo – print FLASH memory information
get_openrg_active – print info about Openrg images in flash and indicate what is
the active
go – start application at address ‘addr’
gpio – GPIO management commands
help – print online help
iminfo – print header information for application image
imls – list all images found in flash
imxtract- extract a part of a multi-image
itest – return true/false on integer compare
led – LED management commands
loadb – load binary file over serial line (kermit mode)
loads – load S-Record file over serial line
loady – load binary file over serial line (ymodem mode)
loop – infinite loop on address range
md – memory display
mii – MII utility commands
mm – memory modify (auto-incrementing)
mtest – simple RAM test
mw – memory write (fill)
nfs – boot image via network using NFS protocol
nm – memory modify (constant address)
pci – list and access PCI Configuration Space
ping – send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect – enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset – Perform RESET of the CPU
run – run commands in an environment variable
saveenv – save environment variables to persistent storage
setenv – set environment variables
sleep – delay execution for some time
tftpboot- boot image via network using TFTP protocol
update_openrg – update openrg writing inactive image section
update_openrg_factory – update openrg factory settings
version – print monitor version

Wow, seems a lot of fun, right? :)

First a notice: Argo 55 is the model delivered with ADSL contracts, while Argo 95 is the FTTH variant – from what I can tell, the hardware is more or less identical, the only difference being the presence of an ADSL modem in the 55, which becomes a media converter in he 95. Said that, these articles will use the Argo 95 – the one I have at home – as a basis.

So let’s take a peek at the inner guts of the thing:

Argo 95 innards (click to enlarge)

Nice, huh? From left to right we have the power supply section, the media converter, the switch (and, in the lower section, the SoC) and the ATA. In the lower right corner there’s the wireless miniPCI card (an Atheros AR5700G).

These are the main chips on the board (in yellow):

1. SoC: ikanos IKF6836 (http://www.algasystems.net/pub/ARGO95/soc.pdf)
2. RAM: SAMSUNG   K4H511638G-LCCC (http://www.algasystems.net/pub/ARGO95/ram.pdf)
3. Flash: SPANSION S29GL128P11TFI1 (http://www.algasystems.net/pub/ARGO95/flash.pdf)
4. Media converter: IC+ IP113S LF (http://www.algasystems.net/pub/ARGO95/mediaconv.pdf)
5. Switch: Marvell 88E6063-RCJ1 (http://www.algasystems.net/pub/ARGO95/switch.pdf)
6. ATA: ZARLINK Le88266DLC (http://www.algasystems.net/pub/ARGO95/ata.pdf)

So, our router architecture is similar to Belgacom BBox2 (aming others), 16Mb of flash and 64Mb of RAM.

Ok, neat piece of hardware. In the next post, we’ll se what those tasty headers are there for :)