From fd41b4ea15515a57eab7c19133c9dbda497f07ee Mon Sep 17 00:00:00 2001 From: Simone Bortolin Date: Wed, 7 Sep 2022 11:52:45 +0200 Subject: add new root procedure --- _ont/ont-huawei-ma5671a-root.md | 174 +++++++++++++-------- .../img/new-root-procedure/board-molex-arduino.jpg | Bin 0 -> 102770 bytes assets/img/new-root-procedure/cat.png | Bin 0 -> 49684 bytes .../new-root-procedure/code-after-enter-shell.png | Bin 0 -> 366268 bytes assets/img/new-root-procedure/press-enter.jpg | Bin 0 -> 159349 bytes assets/img/new-root-procedure/vim.png | Bin 0 -> 76520 bytes 6 files changed, 112 insertions(+), 62 deletions(-) create mode 100644 assets/img/new-root-procedure/board-molex-arduino.jpg create mode 100644 assets/img/new-root-procedure/cat.png create mode 100644 assets/img/new-root-procedure/code-after-enter-shell.png create mode 100644 assets/img/new-root-procedure/press-enter.jpg create mode 100644 assets/img/new-root-procedure/vim.png diff --git a/_ont/ont-huawei-ma5671a-root.md b/_ont/ont-huawei-ma5671a-root.md index 60f16b5..f10d1c1 100644 --- a/_ont/ont-huawei-ma5671a-root.md +++ b/_ont/ont-huawei-ma5671a-root.md 
@@ -16,104 +16,154 @@ layout: default {% include alert.html content="Use GND wire as ON/OFF switch, otherwise there will be a slight delay before data is displayed on the console (putty/TeraTerm)." alert="Important" icon="svg-warning" color="yellow" %} +0. Install python and `pyserial` with `pip` +```shell +pip install pyserial +``` +1. make the connections as shown to a TTL adapter except for GND (which remains detached and is used as a switch) + + {% include image.html file="ma5671a-root-1.jpg" alt="Example of how the sfp-ttl connection should look like" caption="Example of how the sfp-ttl connection should look like" %} +{% include image.html file="new-root-procedure\board-molex-arduino.jpg" alt="Example of how the sfp-ttl connection should look like with a custom board" caption="Example of how the sfp-ttl connection should look like with a custom board" %} {% include image.html file="ma5671a-root-2.jpg" alt="Molex SFP" caption="Molex SFP" %} {:style="counter-reset:none"} -2. Disassemble the stick by releasing the metal tabs that hold the cover in place. There are two tabs, one on each side, inside these holes: - -{% include image.html file="ma5671a-root-4.jpg" alt="Metal tabs that hold the cover in place" caption="Metal tabs that hold the cover in place" %} - +2. run this programme and only then connect the GND pin + +```py +import sys +import time + +import serial.tools + +try: + ser = serial.Serial("COM8", 115200, parity=serial.PARITY_NONE, stopbits=serial.STOPBITS_ONE, bytesize=serial.EIGHTBITS) + print('[+] Use serial port device:', ser.name) + print('[+] Waiting for trigger characters...') + while True: + try: + recv = ser.readline().decode() + except Exception as x: + print("Decode errore", x) + continue + if recv.startswith('U-Boot'): + print('[+] Received! 
transfer enable command...') + print('[+] Transfer command sequence 1') + t_end = time.time() + 3 + while time.time() < t_end: + ser.write(chr(3).encode()) + time.sleep(1) + print('[+] Transfer command sequence 2') + ser.write('setenv bootdelay 3\n'.encode()) + time.sleep(1) + print('[+] Transfer command sequence 3') + ser.write('setenv asc0 0\n'.encode()) + time.sleep(1) + print('[+] Transfer command sequence 4') + ser.write( + 'setenv preboot "gpio input 105;gpio input 106;gpio input 107;gpio input 108;gpio set 3;gpio set 109;gpio set 110;gpio clear 423;gpio clear 422;gpio clear 325;gpio clear 402;gpio clear 424"\n'.encode()) + time.sleep(1) + print('[+] Transfer command sequence 5') + ser.write('saveenv\n'.encode()) + time.sleep(3) + print('[+] Transfer command sequence 6') + ser.write('reset\n'.encode()) + print('[+] Enable command transfer complete! rebooting...') + break + else: + print(recv) +except Exception as e: + try: + print('[!] Error:', e) + sys.exit(1) + finally: + e = None + del e + +except (KeyboardInterrupt, SystemExit): + ser.close() + sys.exit(1) +``` {:style="counter-reset:none"} -3. Once you have removed the metal casing, you are left with the half-naked stick (note that the release mechanism also comes off easily and then you don't know how to put it back together, so take a photo and memorise the positioning well). +4. Reboot the stick +5. Open Tera Term (or other serial terminal emulator), after load press `enter` to activate the console -4. Before shorting the stick, connect the previously soldered cables and molex to the USB serial (photo immediately below) and to the stick (the molex, of course) and check that the jumper on the usb key is set to 3.3V +{% include image.html file="new-root-procedure\press-enter.jpg" alt="Press enter for activate the console" caption="Press enter for activate the console" %} -{% include image.html file="ma5671a-root-8.jpg" alt="TTL" caption="TTL" %} -{:style="counter-reset:none"} -5. 
The disassembled stick will appear as in the photo, in which I have highlighted in red the 2 pins to be shorted. Here they use wire, but a pair of tweezers is sufficient (I used those, in fact). Be careful not to make any other contacts by possibly covering everything else with electrical tape. +{% include alert.html content="It is possible that there are still linux kernel init outputs, in which case press enter until they are finished (under no circumstances should vim be started if such scripts are sent to stdout), if you do not press `enter` often enough there may be a kernel panic and a stick reboot." alert="Important" icon="svg-warning" color="yellow" %} -{% include image.html file="ma5671a-root-4.jpg" alt="tweezers" caption="tweezers" %} -{% include image.html file="ma5671a-root-6.jpg" alt="tweezers" caption="tweezers" %} -{% include image.html file="ma5671a-root-5.jpg" alt="tweezers and eletrical tape" caption="tweezers and eletrical tape" %} -{% include image.html file="ma5671a-root-6.jpg" alt="tweezers" caption="tweezers" %} +{% include image.html file="new-root-procedure\code-after-enter-shell.png" alt="Linux kernel init output after enter in console" caption="Linux kernel init output after enter in console" %} {:style="counter-reset:none"} -6. for the moment connect all cables to the usb key except the green (ground) or red (voltage), otherwise the stick will boot before you can do the following (N.B. for those who bought the uart above RX and TX are reversed). Open and configure Teratem for serial connection (select the correct com port, speed 115.200, english language, otherwise in japainise you can't read anything understandable) insert the key in the PC (I take it for granted that it has already been installed, drivers and all), short the 2 pins seen above and keeping the short connected the missing coloured cable +5. With `cat` change the default shell from `/opt/lantiq/bin/minishell` to `/bin/ash` the file `/etc/passwd`: -7. 
if you have done everything correctly, you should see something similar to the picture below (if nothing happens, you have obviously done something wrong with cables, molexes, soldering irons, etc., so you will have to start from the beginning again and work out which step you did wrong): - -{% include image.html file="ma5671a-root-9.png" alt="serial shell" caption="serial shell" %} +```shell +sed -i "s|/opt/lantiq/bin/minishell|/bin/ash|g" /etc/passwd +``` +{% include alert.html content="Do not use `vim`!" alert="Important" icon="svg-warning" color="red" %} -{:style="counter-reset:none"} -8. Remove the short (tweezers or whatever you used), then type 7 and enter. You should see this: +{% include alert.html content="Take attention to kernel panics, they happen often! Be quick, if a kernel panic happens wait for the reboot and try again." alert="Important" icon="svg-warning" color="yellow" %} -{% include image.html file="ma5671a-root-10.png" alt="serial shell 2" caption="serial shell 2" %} -{:style="counter-reset:none"} -9. from the Teraterm menu `FILE` → `TRANSFER` → `XMODEM` → `SEND` → `[1224abort.bin]` (which is the third of the files downloaded earlier): +```shell +[ 34.612000] Kernel panic - not syncing: Fatal exception in interrupt +[ 34.612000] Rebooting in 3 seconds.. +``` -{% include image.html file="ma5671a-root-11.png" alt="1224abort.bin" caption="1224abort.bin" %} +{% include alert.html content="The cause of these kernel panics could be insufficient power supply." alert="Info" icon="svg-info" color="blue" %} {:style="counter-reset:none"} -10. as soon as the file transfer is complete, you have 2 seconds to press `CTRL+C`, if you have not done so, you can return to the step 6. Otherwise, you should see: +6. 
Reboot it this time connected to the router with cage or mediaconverter, with the port set to an IP on the 192.168.1.0/24 subnet (the stick has the IP 192.168.1.10) -{% include image.html file="ma5671a-root-12.png" alt="falcon shell" caption="falcon shell" %} +{% include alert.html content="If your subnet is 192.168.1.0/24 make sure you have no ip conflicts." alert="Note" icon="svg-warning" color="yellow" %} {:style="counter-reset:none"} -11. To permanently unlock the bootloader, without having to repeat the previous steps, you must give the following commands: -``` -FALCON => setenv bootdelay 5 -FALCON => setenv asc0 0 -FALCON => setenv preboot "gpio input 105;gpio input 106;gpio input 107;gpio input 108;gpio set 3;gpio set 109;gpio set 110;gpio clear 423;gpio clear 422;gpio clear 325;gpio clear 402;gpio clear 424" -FALCON => saveenv -``` +7. Run the terminal and login to the stick with ssh -12. if you have done everything correctly you can reboot the stick (actually if you are convinced that everything is ok you could also close it again), disconnecting and reconnecting one of the 2 cables from before (ground or voltage), then again from the terminal you will have 5 seconds to lock the bootloader by doing a simple CTRL+C. Now upload the firmware image of the first mtd2 partition to the stick with the command +```shell +ssh root@192.168.1.10 ``` -FALCON => loadb 0x80800000 -``` -At this point it will appear: -{% include image.html file="ma5671a-root-13.jpg" alt="shell requiring mt2 upload" caption="shell requiring mt2 upload" %} +The password is `admin123`. {:style="counter-reset:none"} -13. From the teratem menu do `FILE` → `TRANSFER` → `KERMIT` → `SEND` → `[mtd2.bin]`. -It will start uploading the file at a speed of about 3-4 KBbs. Now you will have to wait more than half an hour for the upload to complete. - -14. Once finished, the image loaded on the stick must also be saved to the corresponding system partition (the first of the 2) with the commands +9. 
Make a backup of all partitions, an easy way is: +- On the stick run: +```shell +cat /proc/mtd ``` -FALCON => sf probe 0 -FALCON => sf erase C0000 740000 -FALCON => sf write 80800000 C0000 740000 +- For each mtdX run, on computer shell: +```shell +nc -l -p 1234 > mtdX.bin ``` - -15. check that the stick is configured to boot from partition 0 (yes I know mtd2 goes on 0 and mtd5 goes on 1, complain to Laniq) with the command +And in the lantiq shell: +```shell +cat /dev/mtdX | nc 192.168.1.11 1234 ``` -FALCON => printenv committed_image +10. upload the mtd5 image in `/tmp` whit the command ``` -16. if it is 0, fine, otherwise configure partition 0 with the commands, and check if are 0. +scp mtd5.bin root@192.168.1.10:/tmp/ ``` -FALCON => setenv committed_image 0 -FALCON => saveenv -FALCON => printenv committed_image +then write the mtd5 file it into the second partition (the 1) with the command: ``` -17. Reboot it this time connected to the router with cage or mediaconverter, with the port set to an IP on the 192.168.1.0/24 subnet (the stick has the IP 192.168.1.10) - -18. log in via the web, it makes you configure the password when you first log in with a root user. These credentials are the same as those used in ssh - -19. set the password access the sitck in SCP, upload the mtd5 image in `/tmp` whit the command +mtd -e image1 write mtd5.bin image1 ``` -scp mtd5.bin root@192.168.1.10:/tmp/ +11. change the `committed` variabile with ``` -then write it into the second partition (the 1) with the command: +setenv committed_image 1 +saveenv +printenv committed_image ``` -mtd -e image1 write mtd5.bin image1 +12. 
upload the mtd1 image in `/tmp` whit the command ``` - -{% include alert.html content="You could also have done it as a serial, but from here it is much quicker -" alert="Info" icon="svg-info" color="blue" %} +scp mtd2.bin root@192.168.1.10:/tmp/ +``` +then write the mtd2 file it into the second partition (the 0) with the command: +``` +mtd -e image1 write mtd2.bin image1 +``` +{% include alert.html content="You could also have done it as a serial, but from here it is much quicker with SSH" alert="Info" icon="svg-info" color="blue" %} # Miscellaneous Links - [Come avere i 2.5 Gbps su un unico dispositivo senza il Fastgate](https://forum.fibra.click/d/17836-come-avere-i-25-gbps-su-un-unico-dispositivo-senza-il-fastgate) diff --git a/assets/img/new-root-procedure/board-molex-arduino.jpg b/assets/img/new-root-procedure/board-molex-arduino.jpg new file mode 100644 index 0000000..d21db7d Binary files /dev/null and b/assets/img/new-root-procedure/board-molex-arduino.jpg differ diff --git a/assets/img/new-root-procedure/cat.png b/assets/img/new-root-procedure/cat.png new file mode 100644 index 0000000..18b415e Binary files /dev/null and b/assets/img/new-root-procedure/cat.png differ diff --git a/assets/img/new-root-procedure/code-after-enter-shell.png b/assets/img/new-root-procedure/code-after-enter-shell.png new file mode 100644 index 0000000..11ed17b Binary files /dev/null and b/assets/img/new-root-procedure/code-after-enter-shell.png differ diff --git a/assets/img/new-root-procedure/press-enter.jpg b/assets/img/new-root-procedure/press-enter.jpg new file mode 100644 index 0000000..1023f03 Binary files /dev/null and b/assets/img/new-root-procedure/press-enter.jpg differ diff --git a/assets/img/new-root-procedure/vim.png b/assets/img/new-root-procedure/vim.png new file mode 100644 index 0000000..f97100b Binary files /dev/null and b/assets/img/new-root-procedure/vim.png differ -- cgit v1.2.3
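Review bot: the error handling at the end of the step 2 script does not close the serial port on failure. `sys.exit(1)` is called inside `except Exception`, and an exception raised inside a handler is not caught by the sibling `except (KeyboardInterrupt, SystemExit)` clause, so `ser.close()` only runs on Ctrl+C during the read loop. Opening the port with `with serial.Serial(...) as ser:` would cover every exit path. In the same block, `import serial.tools` should be `import serial`, since only `serial.Serial` and the `serial.PARITY_NONE` style constants are used. The port name `"COM8"` is hard-coded and should be a command-line argument or at least be called out in the step text. The `finally: e = None` / `del e` lines do nothing useful and can be dropped. `ser.readline()` has no timeout, so the script blocks forever if the adapter is silent. The script also sets `bootdelay 3` where the removed manual step used `bootdelay 5`; if that is intentional, say so in the text.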
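Review bot: the first step numbered 5 after the console screenshots says "With `cat` change the default shell" but the command given is `sed -i "s|/opt/lantiq/bin/minishell|/bin/ash|g" /etc/passwd`; the text should name `sed`, and `cat.png` is added by this commit without being referenced anywhere in the visible markdown. The numbering in the new list is also inconsistent: it runs 0, 1, 2, 4, 5, 5, 6, 7, 9, 10, 11, 12, so step 5 appears twice and 3 and 8 are missing. The new image includes use a backslash separator (`new-root-procedure\board-molex-arduino.jpg`, `new-root-procedure\press-enter.jpg`, `new-root-procedure\code-after-enter-shell.png`), which will not resolve as a URL path; use `/`.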
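Review bot: steps 10 and 12 both end with a write to `image1` (`mtd -e image1 write mtd5.bin image1` and `mtd -e image1 write mtd2.bin image1`), so as written step 12 overwrites what step 10 just flashed, even though its text says the target is "the 0". The target name for the first partition should be taken from the `cat /proc/mtd` output in step 9 and used in step 12. Step 12 also says "upload the mtd1 image" while the command copies `mtd2.bin`. Both `scp` commands place the file in `/tmp/`, but the `mtd` commands use a relative file name, so the step needs a `cd /tmp` or the full path. Step 11 keeps the `setenv` / `saveenv` / `printenv committed_image` commands that the removed steps ran at the `FALCON =>` prompt, but no longer says where they are to be typed; the text should state whether this is the bootloader console or the SSH shell. Step 11 also sets `committed_image 1` before step 12 flashes the other partition; the ordering and the intended boot partition deserve one sentence of explanation.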
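Review bot: step 7 documents a fixed SSH password (`admin123`) while the removed step 18, which had the user configure the password at first web login, is gone, so the new procedure leaves the stick reachable on 192.168.1.10 with a published root password. Add a step right after the first login that changes it. In step 9, the address `192.168.1.11` in `cat /dev/mtdX | nc 192.168.1.11 1234` is never introduced; state that it is the computer's address and must match the port configured in step 6. Since the dump travels over plain `nc`, the step should also tell the reader to compare each `mtdX.bin` size against the `cat /proc/mtd` output before any write in the later steps.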