diff options
author | Simone <26844016+simonebortolin@users.noreply.github.com> | 2024-02-18 11:30:52 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-18 11:30:52 +0100 |
commit | eddf563f18fe6283615af62edea91ee6fc13447c (patch) | |
tree | 7cdaef6d0d1bb86cdc59a011e6a98ad5943d4125 /_router_pon | |
parent | Update ont-nokia-xs-010x-q.md with new version (#305) (diff) | |
download | hack-gpon.github.io-eddf563f18fe6283615af62edea91ee6fc13447c.tar hack-gpon.github.io-eddf563f18fe6283615af62edea91ee6fc13447c.tar.gz hack-gpon.github.io-eddf563f18fe6283615af62edea91ee6fc13447c.tar.bz2 hack-gpon.github.io-eddf563f18fe6283615af62edea91ee6fc13447c.tar.lz hack-gpon.github.io-eddf563f18fe6283615af62edea91ee6fc13447c.tar.xz hack-gpon.github.io-eddf563f18fe6283615af62edea91ee6fc13447c.tar.zst hack-gpon.github.io-eddf563f18fe6283615af62edea91ee6fc13447c.zip |
Diffstat (limited to '_router_pon')
-rw-r--r-- | _router_pon/avm.md | 5 | ||||
-rw-r--r-- | _router_pon/avm_fritzbox.md | 25 | ||||
-rw-r--r-- | _router_pon/avm_fritzbox_5530.md | 35 | ||||
-rw-r--r-- | _router_pon/avm_fritzbox_5590.md | 35 | ||||
-rw-r--r-- | _router_pon/free_iliad.md | 13 | ||||
-rw-r--r-- | _router_pon/free_iliad_box_pop.md | 53 | ||||
-rw-r--r-- | _router_pon/ont-zte-f6645p.md | 199 | ||||
-rw-r--r-- | _router_pon/ont-zte.md | 5 |
8 files changed, 370 insertions, 0 deletions
diff --git a/_router_pon/avm.md b/_router_pon/avm.md new file mode 100644 index 0000000..438f856 --- /dev/null +++ b/_router_pon/avm.md @@ -0,0 +1,5 @@ +--- +title: AVM +has_children: true +layout: default +--- diff --git a/_router_pon/avm_fritzbox.md b/_router_pon/avm_fritzbox.md new file mode 100644 index 0000000..261f02b --- /dev/null +++ b/_router_pon/avm_fritzbox.md @@ -0,0 +1,25 @@ +## SFP Whitelist + +- FRITZ!SFP AON (IEEE 802.3ah-2004 1000BASE-BX10, TX 1310 nm, RX 1480 to 1580 nm, LC/APC 8°, 10 km)[^aon] +- FRITZ!SFP AON TV Filter (IEEE 802.3ah-2004 1000BASE-BX10) +- FRITZ!SFP GPON (GPON ITU-T G.984.2/984.5, TX 1310 nm, RX 1490 nm, LC/UPC 8°, 20 km) +- FRITZ!SFP XGS-PON (XGS-PON ITU-T G.9807 TX 1270 nm, RX 1577 nm, è l’unico che usa un SC/UPC, 20 km) + + +# GPON/OMCI settings + +## Setting ONU GPON Serial Number + +It is possible to change the serial numebr by editing it in the http://fritz.box/support.lua, in the ASCII format (ZTEG012345678) + +{% include image.html file="avm/avm_serial.jpg" alt="Serial number form" caption="Serial number form" %} + + +## Setting ONU GPON PLOAM password + +It is possible to change the GPON PLOAM passowrd by editing it in the logon data, in the ASCII format (PLOAM) + +{% include image.html file="avm/avm_ploam.jpg" alt="PLOAM Password form" caption="PLOAM Password form" %} + +-- +[^aon] [EWE AON Anschluss SFP Transceiver](https://www.glasfaserforum.de/forum/thread/984-ewe-aon-anschluss-sfp-transceiver/) diff --git a/_router_pon/avm_fritzbox_5530.md b/_router_pon/avm_fritzbox_5530.md new file mode 100644 index 0000000..38c1093 --- /dev/null +++ b/_router_pon/avm_fritzbox_5530.md @@ -0,0 +1,35 @@ +--- +title: AVM FRITZ!Box 5530 +has_children: false +layout: default +parent: AVM +--- + +# Hardware Specifications + +| | | +| --------------- | ------------------------------------------------------------------------ | +| Vendor/Brand | AVM FRITZ!Box 5530 | +| Model | FRITZ!Box 5530 | +| ODM | ✅ | +| Chipset | MaxLinear Falcon PRX321B1BI-S-LNEV MIPS32 | +| Flash | 128 MB | +| RAM | 1024 MB | +| Chipset | MaxLinear Falcon PRX321B1BI-S-LNEV MIPS32 | +| CPU Clock | 800 MHz | +| Bootloader | | +| System | | +| Load addr | | +| SFP | 1GBASE-BX10 (only FRITZ!SFP AON), PON equivalent symbol GPON and XGS-PON | +| Ethernet | 4 1GbE, 1 2.5GbE LAN/WAN | +| Optics | SC/UPC | +| IP address | 192.168.1.254 | +| Web Gui | ✅ | +| SSH | | +| Telnet | | +| Serial | | +| Serial baud | 115200 | +| Serial encoding | 8-N-1 | +| Form Factor | CPE with SFP w/o MAC support | + +{% include_relative avm_fritzbox.md %} diff --git a/_router_pon/avm_fritzbox_5590.md b/_router_pon/avm_fritzbox_5590.md new file mode 100644 index 0000000..3af6f5d --- /dev/null +++ b/_router_pon/avm_fritzbox_5590.md @@ -0,0 +1,35 @@ +--- +title: AVM FRITZ!Box 5590 +has_children: false +layout: default +parent: AVM +--- + +# Hardware Specifications + +| | | +| --------------- | ------------------------------------------------------------------------ | +| Vendor/Brand | AVM FRITZ!Box 5590 | +| Model | FRITZ!Box 5590 | +| ODM | ✅ | +| Chipset | MaxLinear Falcon PRX321B1BI-S-LNEV MIPS32 | +| Flash | 4 GB | +| RAM | 2048 MB | +| Chipset | MaxLinear Falcon PRX321B1BI-S-LNEV MIPS32 | +| CPU Clock | 800 MHz | +| Bootloader | | +| System | | +| Load addr | | +| SFP | 1GBASE-BX10 (only FRITZ!SFP AON), PON equivalent symbol GPON and XGS-PON | +| Ethernet | 4 1GbE, 1 2.5GbE LAN/WAN | +| Optics | SC/UPC | +| IP address | 192.168.1.254 | +| Web Gui | ✅ | +| SSH | | +| Telnet | | +| Serial | | +| Serial baud | 115200 | +| Serial encoding | 8-N-1 | +| Form Factor | CPE with SFP w/o MAC support | + +{% include_relative avm_fritzbox.md %} diff --git a/_router_pon/free_iliad.md b/_router_pon/free_iliad.md new file mode 100644 index 0000000..39727b8 --- /dev/null +++ b/_router_pon/free_iliad.md @@ -0,0 +1,13 @@ +--- +title: Free/Iliad +has_children: true +layout: default +--- + +# Free/Iliad network + +Iliad's (Italy) PON network is delivered through two types of technology: GPON or EPON where available. The latter is not actually pure 10G-EPON but DPoE (DOCSIS Provisioning over EPON), confirmed by analyzing the physical layer signals. + +Using a Xilinx Kintex 7 FPGA with an integrated logic analyzer, an optical module has been connected to the FPGA's transceiver. The transceiver synchronized successfully and the sync header sequence was the one expected for 10G-EPON: a FEC codeword is a sequence of 31 words. Those words have a sync header binary value of `10` or `01` repeated 27 times corresponding to the original message plus `00, 11, 11, 00` corresponding to the FEC parity information. Discarding the latter part and descrambling the remaining data, the packets have been retrieved. + +As an example, a packet starts with `55 d5 55 1b 3c 07 5f` in hex, which corresponds to a DPoE (10G) preamble (actually it's missing one starting `0x55` byte but the CRC8 at the end is correct nonetheless). diff --git a/_router_pon/free_iliad_box_pop.md b/_router_pon/free_iliad_box_pop.md new file mode 100644 index 0000000..fc48698 --- /dev/null +++ b/_router_pon/free_iliad_box_pop.md @@ -0,0 +1,53 @@ +--- +title: FreeBox Pop/IliadBox +has_children: false +layout: default +parent: Free/Iliad +--- + +# Hardware Specifications + +| | | +| ---------------- | ---------------------------------------------------------------------------------- | +| Vendor/Brand | Free/Iliad | +| Model | | +| ODM | | +| ODM Product Code | | +| Chipset | BCM63153 | +| Flash | 4GB eMMC 5.1 KLM4G1FETE-B041 | +| RAM | 2x 512MB DDR3L-1866 NT5CC128M16JR-EK | +| CPU | | +| CPU Clock | | +| Bootloader | | +| System | | +| Load addr | | +| SFP | 1G-BASEX, 10G-BASESR-LR, HSGMII (only AFM0003ILD), PON equivalent symbol EPON 10/1 | +| Ethernet | 2 1GbE, 1 2.5GbE LAN/WAN | +| Optics | SC/UPC | +| IP address | 192.168.1.254 | +| Web Gui | ✅ | +| SSH | | +| Telnet | | +| Serial | | +| Serial baud | 115200 | +| Serial encoding | 8-N-1 | +| Form Factor | CPE with SFP w/o MAC support | + + + +## Serial + +The serial port is routed through the USB-C port used for power (which is PD compliant, tested with a notebook power supply). The pins are SBU1 and SBU2, reversal is handled using an open drain buffer (SN74LVC2G07) so a pull-up resistor on RX is needed. On the power daughter board TP7 is TX and TP8 is RX. There is also a USB differential pair routed through the USB-C connector but there is no use for it yet. +At the moment nothing more than a boot log is available. [^bcm61650hack] [^freeboxhack] + +## SFP Whitelist +- WTD RTXM166-401-C13 (EPON w/o MAC) +- WTD RTXM166-401-C11 (EPON w/o MAC) +- Hisense LTF7215-BH+ (EPON w/o MAC) +- [Technicolor AFM0003](/ont-technicolor-afm0003) (GPON with MAC) +- SFP Copper 10Gtek (1 and 10 Gbps) + +# Miscellaneous Links + +[^bcm61650hack]: *Pwning the bcm61650* https://blog.xilokar.info/pwning-the-bcm61650.html +[^freeboxhack]: *Firmware key extraction by gaining EL3* https://blog.xilokar.info/firmware-key-extraction-by-gaining-el3.html diff --git a/_router_pon/ont-zte-f6645p.md b/_router_pon/ont-zte-f6645p.md new file mode 100644 index 0000000..9a412fa --- /dev/null +++ b/_router_pon/ont-zte-f6645p.md @@ -0,0 +1,199 @@ +--- +title: ZTE F6645P +has_children: false +layout: default +parent: ZTE +--- + +# Hardware Specifications + +| | | +| ------------ | ----------------------------- | +| Vendor/Brand | ZTE | +| Model | F6645P | +| ODM | ✅ | +| CPU | ZTE | +| CPU Clock | 266 MHz | +| Chipset | ZTE | +| Flash | 130 MB Kioxia TC58BVG0S3HTAI0 | +| RAM | 315 MB | +| System | | +| 2.5GBaseT | Yes | +| Optics | SC/APC or SC/UPC | +| IP address | 192.168.1.1 | +| Web Gui | Random password | +| SSH | | +| Telnet | ✅ [^1] | +| Serial | Only RX | +| Form Factor | ONT | + +## List of partitions + +| dev | size | erasesize | name | +| ---- | -------- | --------- | ---------------- | +| mtd0 | 08000000 | 00020000 | "whole flash" | +| mtd1 | 00200000 | 00020000 | "u-boot" | +| mtd2 | 00400000 | 00020000 | "others" | +| mtd3 | 00400000 | 00020000 | "parameter tags" | +| mtd4 | 00400000 | 00020000 | "wlan" | +| mtd5 | 00800000 | 00020000 | "usercfg" | +| mtd6 | 00400000 | 00020000 | "Plugin" | +| mtd7 | 02a00000 | 00020000 | "kernel1" | +| mtd8 | 02a00000 | 00020000 | "kernel2" | +| mtd9 | 029e0000 | 00020000 | "rootfs" | + + + +This ONT supports dual boot, as visible from the presence of `kernel0` and `kernel1`, which contain the rootfs. +The boot images can be swapped with the following command: + +```sh +upgradetest switchver X +``` + +Where `X` can be `0/1`, based on the image you want to boot from. + + +You can also clone the currently running image into the other slot using this command: + +```sh +syn_version +``` + +# Use + +## Enable Telnet +{% include alert.html content="This is an external script ([ZTE Telnet enabler](https://github.com/douniwan5788/zte_modem_tools)), use at your own risk! Credentials don't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} + +```sh +python3 zte_factroymode.py --user admin --pass admin --ip 192.168.1.1 --port 80 telnet open +``` + +You should get this output and credentials to login over telnet: + +```sh +trying user:"admin" pass:"admin" +reset facTelnetSteps: +reset OK! + +facStep 1: +OK! + +facStep 2: +OK! + +facStep 3: +OK! + +facStep 4: +OK! + +facStep 5: +OK! + +done +Username: 2W3iqFVt +Password: Eqb8X8Qt +``` + +## Enable console redirection + +To see omcidebug messages on telnet, execute this command (just the first time of each connection): + +```sh +redir printf +``` + +# GPON ONU status + +## Getting the operational status of the ONU + +To check the connection status, use the following command: +``` +gpontest -gstate +``` +`[gpontest] gpon state is [O5]` for O5 state + +## Getting OLT vendor information + +```sh +sendcmd 132 omcidebug showmedata 131 +``` + +This command will print the following output: + +```sh +################################## +MIB INFO: + ME CLASS: 131 + DB NAME: olt_g, DBHandle: 32 +################################## + +<-----MeID[ 0x0000,0 ], Addr[ 0x19a2b1]-----> + Vendorid:48 57 54 43 + EquipmentID:00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 + Version:31 30 00 00 00 00 00 00 00 00 + 00 00 00 00 + TimeofDay:00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 +--------------------------------------------------------------------- +``` + +## Querying a particular OMCI ME + +```sh +sendcmd 132 omcidebug showmedata ID_MIB (eg. 7 for Firmware version) +``` + +This command will print the following output: + +```sh + +################################## +MIB INFO: + ME CLASS: 7 + DB NAME: soft_image, DBHandle: 14 +################################## + +<-----MeID[ 0x0000,0 ], Addr[ 0x19a011]-----> + Version:V6.0.10N41 + Is committed:01 + Is active:01 + Is valid:01 + +<-----MeID[ 0x0001,1 ], Addr[ 0x19a031]-----> + Version:V6.0.10N39 + Is committed:00 + Is active:00 + Is valid:01 +--------------------------------------------------------------------- +``` + +# GPON/OMCI settings + +## Setting ONU GPON Serial Number + +{% include alert.html content="Both S/N and VID have to be changed. 2176 is for the VID (first 4 letters of the S/N) and 2177 is for the last 8 digits of the S/N" alert="Note" icon="svg-info" color="blue" %} +```sh +setmac 1 2176 ZTEG +setmac 1 2177 AABBCCDD +``` + +## Setting ONU GPON PLOAM password + +{% include alert.html content="The PLOAM password is stored in the ASCII format." alert="Note" icon="svg-info" color="blue" %} +This can be done easily via the web UI. To do it via the shell use: +```sh +setmac 1 2181 1234567890 +setmac 1 2178 1234567890 +``` + + +# Miscellaneous Links + +- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) + +--- + +[^2]: Credentials are randomly generated by zte_factroymode.py, they are not persistent and will change at reboot.
\ No newline at end of file diff --git a/_router_pon/ont-zte.md b/_router_pon/ont-zte.md new file mode 100644 index 0000000..fff9ccb --- /dev/null +++ b/_router_pon/ont-zte.md @@ -0,0 +1,5 @@ +--- +title: ZTE +has_children: true +layout: default +---
\ No newline at end of file |