I’ve updated the relevant post, please let me know if there’s something wrong.

Warning: we are investigating an issue with the ARGO55+ firmware – apparently there’s a configuration problem with the WAN, and clients are unable to reach the outside. Please be aware of that before trying a downgrade on the 55+.

Ok, so we have no way – at this time, at least – to unlock the interface of the Argo with the recent firmware revisions.
By the way, what are these revisions?

These are the firmware versions I am aware of:

1.3.19 (Mar 25 2011) [ARGO95]
1.3.20 (Mar 25 2011) [ARGO55+]
0.4.4 (Nov 20 2011) [ARGO55+/ARGO95]
1.4.4 (Jan 19 2012) [ARGO95]
0.4.52 (Feb 28 2012) [ARGO55+/ARGO95]

As you can see, the version numbering is kind of curious, but release 1.3.19 (for 95) and 1.3.20 (for 55+) are the last one with interface enabled. So, how we can downgrade to that firmware version? Well, here the bootloader of the Argo comes handy.

What you’ll need:

- A serial port connection to the Argo
- A tftp server (i.e. tftp32)
- For ARGO55+: argo55_openrg_1_n.img and argo55_openrg_2_n.img
- For ARGO95: argo95_openrg_1_n.img and argo95_openrg_2_n.img

Assign your computer a fixed ip address on the same network of the router (i.e. 192.168.1.10), connect it to the ethernet port nearest to the power supply port, fire up the tftp server and copy to its root the two *.img files. Connect to the router via serial port, log in and do a

conf download tftp://<tftp_server_ip>/my_conf_backup.conf

then do a dump of your entire flash (if you haven’t done it already) using the instructions posted here.

Finally, type system reboot and press enter.

As soon as the router restarts, you’ll see the message “Press ENTER twice to stop autoboot in 2 seconds”. Quicky press (you guessed it) the enter key two times.
You are now in the U-Boot command prompt: this nice bootloader has a load of useful features (take a look at the help command), but has also the power to render your router unusable. So, pay attention!

Now we have to set a couple of variables: I’m assuming that you used 192.168.1.10 as the ip of your tftp server, remember to adapt the commands to your setup.

Set the router ip address:
setenv ipaddr 192.168.1.1

Set the router netmask:
setenv netmask 255.255.255.0

Set the tftp server ip address:
setenv serverip 192.168.1.10

Now check if you can reach the tftp server machine with
ping 192.168.1.10

If everything is ok, you can now cross your fingers, and start the downgrade.

First downgrade the recovery image:
update_openrg argo55_openrg_1_n.img 1 (if you are downgrading an ARGO55+)
or
update_openrg argo95_openrg_1_n.img 1 (if you are downgrading an ARGO95)

Then the standard image:
update_openrg argo55_openrg_2_n.img 2 (if you are downgrading an ARGO55+)
or
update_openrg argo95_openrg_2_n.img 2 (if you are downgrading an ARGO95)

If you haven’t received any error, you can check that the images are correctly recognized with get_openrg_active 

Make sure that there are two valid partitions, and the active one is the 3/7. Then, exit typing reset and pressing enter.

The Argo should now reboot and start your new-old-firmware. Keep in mind that Fastweb has still access to your router, so probably the best way to avoid an immediate upgrade is to disconnect the WAN cable (fiber or adsl) during the boot, log in to the router (via serial port) and issue a

cwmp session_stop

that should stop the remote configuration service, hopefully. Then reconnect the WAN cable, access to the Argo web interface, and follow the steps in the hardening post, before it’s too late :)

Update (02/04/2012)

Corrected a couple of mistakes (mistyped the update_openrg commands and forgot to mention to connect via ethernet). Thanks D3FenD3r and geogeo!

Update 2 (13/04/2012)

Added files and instructions for ARGO55+. Thanks Arf!

Update 3 (14/04/2012)

Added a missing command line. Thanks D3FenD3r!

Update 4 (16/04/2012)

Added a warning while we investigate problems with the ARGO55+ configuration.

A side-by-side comparison of the pre-update and post-update configurations (including firewall settings fetched with firewall dump), didn’t reveal anything relevant: the firewall, apparently, isn’t the culprit. So, in lack of other informations, we must assume that the interface has been locked out at compile time.

So, how can we regain access to the Argo? Well, in the next post we’ll talk about downgrade :)

I’ve made up a quick’n'dirty script (in php, forgive me, just because the gzinflate function was quicker to use) that you can call from command line with:

php conf_inflate.php <conf_dump> <dest_file>

In <dest_file> you’ll have the configuration in plain text.

You can get the script here.

Usually, those aren’t RS232, but so-called TTL-level serial ports: this means that they use diferent voltage levels (0 – +5v vs. -12 –  +12v), and you need an adapter to connect them to your computer.

So, this nifty little device comes to hand: the USB-BUB II from Modern Device. As you can suppose, it’s at its second incarnation.

The USB-BUB II it’s based around the FT232R chip: it connects to an usb port, and provides a TTL serial, complete with DTR and CTS signals. But the board has a couple of handy – and unusual – features: first of all there’s a polyfuse, to protect the USB line from short circuits. Also, two smd LEDs – one green and one red –  that shows activity on the RX and TX line.

The board can also deliver 3.3v or 5v power – but don’t count too much on that, the maximum current is 50mA. In case you need some power, however, on the back of the board there’s also space to solder an external voltage regulator.

The BUB use is straightforward: drivers are available for Windows, OS X and Windows CE (!), and recent versions of Linux kernel supports it natively. Also, the board is delivered fully mounted, you just need to solder the header, or the wires, and connect the usb. It works pretty well at all the speeds I tried, and it doesn’t suffer too much from interferences, from what I can say.

Overall, a pretty useful device – a bit pricey (€13,50, shipped in the EU, from The JeeLabs Shop), but still a good choice.

First of all, let’s make a dump of the flash.

We said that the router has a telnet access: when we log in, we’re in the command line shell of OpenRG. From there we can control various aspects of the box, but if we type ‘system shell‘ and press enter… voilà! We’re in a busybox shell!

We can put a pendrive in one of the USB ports and mount it:

mount /dev/sda1 /mnt/flash

then use dd to dump the flash:

dd if=/dev/mtdblock0 of=/mnt/flash/flashdump.img bs=1m 

Now we have a 16Mb file, but what there’s inside?

We saw that our router uses U-Boot as its bootloader. This is a good thing: U-Boot is open source, and this version keeps a bunch of useful commands.

With flayout, we have the layout of the flash:

=> flayout
Section 00 Type UNKNOWN Address 0xBF000000 MaxSize 0×00060000
Section 01 Type IMAGE Address 0xBF060000 MaxSize 0x003E0000
Section 02 Type IMAGE Address 0xBF440000 MaxSize 0x00AE0000
Section 03 Type CONF Address 0xBFF20000 MaxSize 0×00060000
Section 04 Type CONF Address 0xBFF80000 MaxSize 0×00060000
Section 05 Type FACTORY Address 0xBFFE0000 MaxSize 0x0001FC00
Section 06 Type LAYOUT Address 0xBFFFFC00 MaxSize 0×00000400

Also, from bdinfo, we know at wich address is the flash start:

flashstart = 0xBF000000

Now, we can split our flash image:

dd if=flashimage.img of=uboot.img ibs=1 count=$((0×00060000))

Here in Europe, the obvious choice seems some low end Weller model, but: a) they are greatly overpriced and b) the non-professional line has received very poor reviews.

After reading a bunch of forum threads and reviews, a company name stood out: Hakko. Everyone loved its products, especially the venerable model 936 (out of production), and its successor, the FX-888. Buy it here it’s not easy: almost nobody sells it online, even on the bay. Hopefully I’ve been able to get it through a local reseller.

Packaging and apparence

The FX-888 comes in a robust yellow cardboard box: opening it we find the manuals (a couple of sheets, actually) and the iron. Under that, there’s the station and the iron holder.

Hakko has made quite a nice job with the look of the soldering station: it’s small (a nice feature when you’ve little space on the desk), it has a solid feel and a modern look. The temperature is written in Celsius and Fahrenheit, and a red led indicates when the temperature is reached. Probably a display with a digital readout of the iron temperature would’ve made a nice addon, but is more a whim than a real need.

Use

The FX-888 is a pleasure to use: the iron is light and comfortable, and the cord is very flexible. It reaches the temperature very quickly, and is extremely accurate. Also, during work, it keeps the temperature very well, something that isn’t found easily in the low-end stations.

The holder is solid and spots three kinds of cleaners: the usual sponge, a cleaning rubber – to clean the iron without water, thus help in keeping the temperature – and a cleaning wire, to remove the oxide while keeping a bit of solder on the tip.

The station is ESD safe (the iron is grounded), thus reducing the risk of electrostatic discharges that can damage your circuits. Also, the control knob can be locked in position, and under the base there’s a little screwdriver that can be used for thermal corrections.

Wrap-up

Of course this cannot be a fair review: I started the piece stating my infatuation for the object in question… but I felt the need to let know everyone looking for a soldering station with a reasonable price (I paid mine about €110), excellent quality and a broad range of tips to choose from, that this can be a good choice.

Also, if you visit Hakko‘s site, you’ll find plenty of information on the station, tips and also a story (in the form of a personal diary) to learn soldering!

This is what I did, feel free to find other methods and add a comment to this post :)

- Activate the firewall, and block – with a specific rule – port 4567 (is used for remote control)

- Delete the firewall rule that allows access – via telnet – from a specific list of networks, but write down those networks (these are the networks from which the provider connects to do remote maintenance)

- Create a static route for every network noted in the previous step, redirecting to a non-existing gateway (ie. 0.0.0.0)

A note on the last point: when you restart the router, it will fail to connect to the ACS (remote configuration) server. This is a nice thing, but because of this the ‘Fastweb’ led will remain red, and the ‘Ethernet’ and ‘WiFi’ leds will remain off. This is just aesthetic: wireless and wired network works perfectly.

Usual disclaimer: these are not general purpose instructions – I cannot guarantee it will work for you. Use them at your own risk.

The interface is available via http or https and telnet, on the external interface - you can access it only from the local network, but you need to use the external ip address of the router.

But how can we find the username / password? Well, when Fastweb started delivering those boxes, they left the default values of admin / admin – guessing that was easy, and everyone was happy :) But the fun didn’t last long – they quickly remotely upgraded the firmware, changing the password and stopping the joy.

So, what can we do? Luckily I found a couple of those things:

They are media converters – the media converter it’s the link between optical fiber and twisted pair. A couple of those, an hub, Wireshark, and we have the perfect setup to do Man In The Middle!

The plan is simple: we start to sniff packets between the router and the Fastweb infrastructure, then we reset the router configuration (keeping pressed the reset pushbutton for about 15 sec), and… yes! We get the configuration file!

Luckily, in OpenRG the password is obfuscated (and not encrypted!), and we can deobfuscate it with Zibri’s OpenRG deobfiscator. Bingo!

Username: lanadmin / Password: lanpasswd

Username: UserName / Password: Password

Yes… they didn’t learn anything.

Argo 95 headers (Click to enlarge)

But what are they for? Well, this is what I found using a logic probe:

1. UART
Vcc   NC    GND   RxD   TxD
o     o     o     o     o
+3,3   0     0    +2,9  +3,2

2. JTAG
Vcc
o     o     o     o     o     o     o

o     o     o     o     o     o     o
Vcc         GND   GND   GND   GND   GND
(Probable pinout: http://www.jtagtest.com/pinouts/ejtag)

3. ?
+3,3   0    +2,9  +3,2  +3,2   0
o     o     o     o     o     o
Vcc   GND               TxD?

I have absolutely no idea of what the port 3 is: there is activity on pin 5, but it isn’t a serial port. Port 1 is what we were looking for: we can connect using a RS232 – TTL adapter and a terminal emulator (115000 baud, 8 bits, no parity, 1 stop bit), and… voilà! The bootlog!

Reading the bootlog, we  learn some useful things: the box runs OpenRG, and the bootloader is U-Boot – and is freely accessible!

These are the available commands:

=> help
? – alias for ‘help’
askenv – get environment variables from stdin
autoscr – run script from memory
base – print or set address offset
bdinfo – print Board Info structure
boot – boot default, i.e., run ‘bootcmd’
boot_openrg – boot Openrg active image
bootd – boot default, i.e., run ‘bootcmd’
bootm – boot application image from memory
bootp – boot image via network using BOOTP/TFTP protocol
cmp – memory compare
coninfo – print console devices and information
cp – memory copy
crc32 – checksum calculation
dhcp – boot image via network using DHCP/TFTP protocol
echo – echo args to console
erase – erase FLASH memory
flayout – print FLASH layout and sections
flinfo – print FLASH memory information
get_openrg_active – print info about Openrg images in flash and indicate what is
the active
go – start application at address ‘addr’
gpio – GPIO management commands
help – print online help
iminfo – print header information for application image
imls – list all images found in flash
imxtract- extract a part of a multi-image
itest – return true/false on integer compare
led – LED management commands
loadb – load binary file over serial line (kermit mode)
loads – load S-Record file over serial line
loady – load binary file over serial line (ymodem mode)
loop – infinite loop on address range
md – memory display
mii – MII utility commands
mm – memory modify (auto-incrementing)
mtest – simple RAM test
mw – memory write (fill)
nfs – boot image via network using NFS protocol
nm – memory modify (constant address)
pci – list and access PCI Configuration Space
ping – send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect – enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset – Perform RESET of the CPU
run – run commands in an environment variable
saveenv – save environment variables to persistent storage
setenv – set environment variables
sleep – delay execution for some time
tftpboot- boot image via network using TFTP protocol
update_openrg – update openrg writing inactive image section
update_openrg_factory – update openrg factory settings
version – print monitor version

Wow, seems a lot of fun, right? :)