Hacking the Siemens SX541

[JOCKYW2001]

After extensive investigation I now have a good picture of the hard- and software. Together with some special bootloader features we will now be able to hack the SX541 wide open

Hardware

The microcontroller is a Texas Instruments AR7300 (MIPS). Product info can be found here:TI AR7
This cpu is used in many other networking products such as: NetgearDG834G, Dlink DslG604t and ... the AVM FRITZ!Box Fon.

The codecs are implemented in hardware, the SX541 uses a Voicepump VP140 DSP. If proper programmed the codec quality should be very good. Unfortunately the programming skills of Siemens' Taiwanese ODM partner leave a large space for improvement

The rest of the hardware is described by Birger: 2MB flash (Fritz!box uses 4MB), 32MB ram, etc.

Software

Unfortunately there is no Linux running on the SX541. The OS is a RTOS called Supertask! which is now sold by Micro Digital Inc.. The TCPIP stack, Router and VoIP software is developed by the Institute for Information Industry in Taiwan and is called III TTF TCPIP Protocol Stack (for Router). The bootloader is developed by Broad Net Inc. from Taiwan. The bootloader can be accessed via the serial console as I described here. For your convenience I will copy the content of that post below. But first the most important discovery I made which will help us running our own code on the SX541: the bootloader has a "administrator mode" which can be accessed by entering a "!". The administrator menu shows:

======================
[u] Upload to Flash
[E] Erase Flash
[G] Run Runtime Code
[M] Upload to Memory
[R] Read from Memory
[W] Write to Memory
[T] Memory Test
[Y] Go to Memory
[A] Set MAC Address
[#] Set Serial Number
[V] Set Board Version
[H] Set Options
[P] Print Boot Params
======================


The additional menuitems are:

[M] Upload to Memory
[R] Read from Memory
[W] Write to Memory
[T] Memory Test
[Y] Go to Memory

With 'M', by using Tftp or Xmodem, code can be uploaded to RAM and then be executed. Execution can also be initiated with 'Y'. There seem to be a few conditions which need to be fulfilled by the binary code. I haven't found these out yet, but using the 'R' command I managed to read the bootloader code which I will further analyze in IDA.

Okay enough for now, below you find a copy of the info I posted earlier about serial console and telnet access.

Have fun and let's get a linux kernel running on the sx541 asap,
JockyW

===================================

as I wrote before, simply telnet into the sx541 (user: admin, pass: empty). You don't need a serial cable for that.

you'll see this menu:
>> system Generic system parameter configuration
interface Interface parameter configuration
wLAN Wireless LAN configuration
bridge Transparent bridging parameter configuration
vc ATM virtual circuit parameter configuration
ppp PPP parameter configuration
dial Dial-out parameter configuration
ip_share NAT parameter configuration
firewall-func Enable disable firewall functions
access-list Access list rules manager
inspect Inspection threshold and rules manager
route Routing parameter configuration
dhcp DHCP parameter configuration
dns DNS proxy parameter configuration
snmp SNMP parameter conguration
tftp Default TFTP paramng parameter configuration
mail Mail parameter cont parameter configuration
chuser Configuration paraiguration
upnp Enable or disable configuration
show Showing system coniguration
monitor Monitor system runewall functions
upgrade Upgrade system firmanager
backup Backup system confld and rules manager
passwd Change user passwoconfiguration
default_reset Reset system configuration to default status
write Write configuration and restart system
reboot Restart system and activate new system configuration
enable Enable configuration mode
su Change to super user(root) mode
ping Ping test
tracert Trace route utility
exit Disable privilege command or disconnect

The submenu "chuser" has these items:
>> max_user Maximum allow telnet access user number
telnet_port Telnet TCP port config (default 8081)
user_profile Legal user profile
address_control Legal client address
login_timeout Login timeout (minutes)
remote_login Remote management function disable or enable
=======

If you connect a Siemens datacable (I bought one at CONRAD for €17,95, a "goobay" datenkabel, passend für SIEMENS 25-/35-/45-/50-serie, Best.-Nr.:760217) to the 10-pin header inside the SX541 you can in addition trace the bootlog, enter the bootmonitor for recovery, set debugmode, and telnet via serial cable.

Strip the gsm phoneplug off, you see 3 wires: black, blue & white. Open the sx541 and look at the at the pin header from the top.
--5---4---3---2---1
+---+---+---+---+---+
| o | o | o | o | o |
+ + + + + +
| o | o | o | o | o |
+---+---+---+---+---+
-10---9---8---7---6
---------- front side ---------------

Connect the 3 wires as follows:
3:TX : blue
2:RX : white
5:GND : black

Connect the 9-pin d-sub to the serial port of your PC. Open hyperterminal and set to 115200-8-N-1-No flow control.

If you switch on the SX541 you'll see following bootlog:
================================================== =========
TI ADSL AR7300 Loader 0.67.3 build Sep 15 2004 17:03:49
Broad Net Technology, INC.
================================================== =========
Flash not found

Copying boot params.....DONE

Press any key to enter command mode ...
Flash Checking Passed.

Unzipping web at 0x94f30000 ... done
Unzipping code at 0x94000000 ... done
In C_Entry() function ...
install_exception
sys_irq_init() ...
Set GPIO
Reset USB and VP140 module ...
##### _ftext = 0x94000000
##### _fdata = 0x94345120
##### __bss_start = 0x9439C300
##### end = 0x9545847C
##### Backup Data from 0x94345120 to 0x9547847C~0x954CF65C len 356832
[INIT] System Log Pool startup ...
[INIT] MTinitialize ..
userclk_init() ...
Runtime code version: 1.56
System startup...
[INIT] Memory COLOR 0, 1500000 bytes ..
[INIT] Memory COLOR 1, 600000 bytes ..
[INIT] Memory COLOR 2, 1900000 bytes ..

manu_id=004A chip_id=2249
ES29LV160D bottom boot 16-bit mode found
Set flash memory layout to Boot Parameters found !!!
Bootcode version: 0.67.3
Serial number: A448012289
Hardware version: 01
sizeof(struct III_Config_t) is 82376

manu_id=004A chip_id=2249
ES29LV160D bottom boot 16-bit mode found
!!! Invalid wireless channel range 0 ~ 0
!!! Use default value 1 ~ 13
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=48 BUF_ALIGN_SZ=8 BUFFER_OFFSET=112
BUF_BUFSZ0=384 BUF_BUFSZ1=1872
NUM_OF_B0=0 NUM_OF_B1=1200
BUF_POOL0_SZ=0 BUF_POOL1_SZ=2304000
sizeof(BUFFER0)=432,sizeof(BUFFER1)=1920
*BUF0=0x94c7506c *BUF1=0x94a4285c
Altgn *BUF0=0x94c75070 *BUF1=0x94a42860
End at BUF0:0x94c75070, BUF1:0x94c75060

BUF0[0]=0x94c75070 BUF1[0]=0x94a42860

buffer0 pointer init OK!
buffer1 pointer init OK!
[qm_lnk_init] CLOCKHZ=1000 ...
CLOCKHZ=1000
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 0 ip = 127.0.0.1

MAC Address: 00:01:e3:50:98:dd
Memory request 2072 left 297928 ptr 9443F074
Call tn7sar_malloc_dma_xfer() addr:B443F074 size:2072
MAC1 [RX=128 TX=1]: TI External PHY
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 1 ip = 192.168.1.100

ruleCheck()> Group: 0, Error: Useless rule index will be truncated
ruleCheck()> Group: 1, Error: Useless rule index will be truncated
ruleCheck()> Group: 2, Error: Useless rule index will be truncated
CBAC rule format check succeed !!
reqCBACBuf()> init match pool, Have: 1000
Memory Address: 0x950c31e8 ~ 0x950c9f64
reqCBACBuf()> init timeGap pool, Have: 10000
Memory Address: 0x950c9f64 ~ 0x950facb8
reqCBACBuf()> init sameHost pool, Have: 2000
Memory Address: 0x950facb8 ~ 0x9510a6d8
CBAC rule pool initialized !!
[initClsfy] clsfy_local_if_mask=0xf00007
[initClsfy] clsfy_localorVPN_if_mask=0xf00007
Init NAT data structure
RUNTASK id=2 if_task if0...
RUNTASK id=3 if_task if1...
RUNTASK id=4 timer_task...
RUNTASK id=5 conn_mgr...
RUNTASK id=6 main_8021x...
RUNTASK id=7 UsbSysInitTask ...
RUNTASK id=8 period_task...

========== ADSL Modem initialization OK ! ======

RUNTASK id=9 telnetd_main...
Unzipping from B0040000 to 95EF0000 ... done
Uncompressed size = 978080
drive start addr[0]=95ef0000, [1]=95fdeca0
[HTTPD] flash_init: failed!!
httpd: listen at 192.168.1.100:80
HTTPD TIMER_RESOURCE:5, FS_RESOURCE:6
RUNTASK httpd...
RUNTASK id=12 dnsproxy...
RUNTASK id=13 snmp_task...
RUNTASK id=14 rip...
RUNTASK id=15 ripout...
UPnP is enabled
UPNP Device initialize success! slot=16
Starting Multitask...
------------------------------------------------------
You can now press:
shift-0: to enable debug
shift-9: to enable config
shift-8:to start telnet console
ENTER : show this help


Looking at this bootlog I'd say it is some kind of RTOS, but not a Linux kernel


If you press any key directly after switching on the sx541 you get into the bootmonitor console:

======================
[u] Upload to Flash
[E] Erase Flash
[G] Run Runtime Code
[A] Set MAC Address
[#] Set Serial Number
[V] Set Board Version
[H] Set Options
[P] Print Boot Params
======================

[AR7300 Boot]


MAC address : 00-01-E3-xx-xx-xx
Serial number : A4xxxxxxxxx
Hardware version: 01
Options : 00-00-00-00-00-00

[AR7300 Boot]:g

Unzipping web at 0x94f30000 ... done
Unzipping code at 0x94000000 ... done
In C_Entry() function ...
install_exception
sys_irq_init() ...
Set GPIO
Reset USB and VP140 module ...
......
-------------------------------

I think it should now be possible to get the VoIP stuff working if the sx541 sits behind another router.

[Christoph]

I'm highly impressed!

But to be honest:

I am not sure wether i should thank you for this guideline or rather delete it - i am afraid this could cause us trouble with Siemens as we experienced before with AVM a longer time ago (we had to delete a part of the download section because of hacks but anyway could solve the matter in a very friendly way with AVM).

The point is, if people crash their router because of this guideline, there will be no warranty i assume.

Everybody should be aware of this matter before trying to use this guideline!

But in case of upcoming trouble with Siemens it might be deleted someday.

[rob]

Hi Jockyw2001,

thank you for that information. You really did a very very good job.
I think Christoph should change your status from "Neuling" to "Expert" immediately .

I think it is very important to have very precise information about systems you are working with just for debugging purposes and understanding.
I also understand concerns of Christoph; it should be clear for everybody that no warrenty will be given if these guidelines are followed.

Greetings,

rob

[Christoph]

Zitat:

Zitat von rob

I think Christoph should change your status from "Neuling" to "Expert" immediately .

I think so, too.

If i can make you happy with some kind of a special rank, please just let me know your wish.

[JOCKYW2001]

@Christoph: I'm only sharing my own reverse engineering findings in this forum. This is not forbidden by law (at least in Germany). Those findings were obtained by 1. turning 2 screws to open the SX541, 2. studying the firmware in a hexviewer, 3. a lot of googling, 4. connecting a datacable to the serial console.

I did not receive or disclose any confidential information from Siemens nor from anyone else, and also I will not make any Siemens code available in this forum. Afaik that was the nature of the problem with AVM.

My contribution is directed to people who like to do a bit more with their SX541 than just "using" it Perhaps in the future Siemens or their ODM can benefit from our results By no means it is intended to mainstream users, who surely make up the majority of forum readers here.

If Siemens complains about this thread just nuke it. I will then post it somewhere else, e.g in the Hardware Recycling Initiative

Cheers, JockyW

[Christoph]

@ JOCKYW2001:

I am thankfull for your guideline although i'm no owner of a SX-541. I highly appreciate your effort regarding the guideline and also regarding the additional explanations you gave with your last posting.

I guess, this will bring Siemens parties a better point of view before claiming.

[karpe]

[quote="JOCKYW2001
I did not receive or disclose any confidential information from Siemens nor from anyone else, and also I will not make any Siemens code available in this forum. Afaik that was the nature of the problem with AVM.

[/quote]

Siemens has promised somewhere to make the source code public after a final release. They already gave the source of the SE505 dsl/cable to publich.

Let's hope...........

Klaus

[JOCKYW2001]

Zitat:

Zitat von karpe

Siemens has promised somewhere to make the source code public after a final release. They already gave the source of the SE505 dsl/cable to publich.

Let's hope...........

Klaus

Yes, when I called the Siemens helpdesk some weeks ago they said that they might publish the sourcecode some time later here.

However, they only publish sourcecode when it is under GPL and unfortunately, contrary to what I believed earlier, they don't use GPL sources. So you can hope, but they won't publish anything

/JockyW

[Pürzel]

Zitat:

My contribution is directed to people who like to do a bit more with their SX541 than just "using" it Perhaps in the future Siemens or their ODM can benefit from our results;) By no means it is intended to mainstream users, who surely make up the majority of forum readers here.

Die Anerkennung Deiner Arbeit ist Dir von den Mainstream usern gewiss und ich glaube auch bei allgemeiner Unkenntnis der meisten Forenuser in tiefergehender Technik, lesen viele hier Deine Berichte interessiert mit.

Die Frage ,die hier sicher viele wegen Deiner grossen Kenntnis, an Dich richten würden ist:

Hältst Du das SX541 aus rein technischer Sicht für geeignet in Zukunft alle Aufgaben in zufriedener Qualität zu verrichten?

Egal ob nun mit Linux oder Originalsoft

Gruss Thomas

[JOCKYW2001]

Zitat:

Zitat von Pürzel

Hältst Du das SX541 aus rein technischer Sicht für geeignet in Zukunft alle Aufgaben in zufriedener Qualität zu verrichten?

Egal ob nun mit Linux oder Originalsoft

From the hardware point of view I like it better than the Fritz. The Voicepump chip implements the codecs in hardware and therefore the main cpu is not so much under stress and can be used for other tasks. From the software point of view the Fritz is currently better. So yes, the SX541 can do a perfect job in the future, but it seems Siemens needs a very long time. They should employ more programmers, that way they can reduce the helpdesk soon. Good for the customer and good for Siemens

ciao, JockyW

[Pürzel]

Danke, Jockeyw

Deine Antwort gibt allen Verzweifelten Zuversicht, dass es mit dem Sx541 noch ein gutes Ende nimmt.

Die Leistungsvielfalt hat mich bei diesem Gerät von Anfang an begeistert, wäre schade gewesen, wenn es zu Elektronikschrott werden würde.

Vielleicht solltest Du Dich mal bei Siemens als Programmer bewerben. Die Unterstützung einer breiten, SX541 geschädigten Kundschaft wäre Dir gewiss.

Vielen Dank nochmals

Thomas

[@rc0r]

Hmm... sorry dass ich sonen alten Thread nochmal hochhole.

Könnt mir jemand sagen, ob ich den SX541 als WLAN-AP nutzen kann hinter einem Router (ZYxel 660HW67)?
Wie es scheint ist die WLAN-Funktion meines 660HW67 defekt, sodass ich nun den SX541 dahinter hängen möchte (erstmal um mit noch ein paar mehr Rechnern ins Netz zu kommen und die LAN-Verkabelung zu belassen).
Wie müsste die Verkabelung sein?
Vom LAN-Port des Zyxel muss ich direkt an den WAN-Port des SX541 gehen oder an einen LAN-Port des SX541?

Im Zyxel habe ich der MAC des SX541 eine feste IP zugewiesen.
Welche Einstellungen muss ich vornehmen im SX541?
Ich denke mir das so... leider funktioniert es leider so nicht:
- 1483 Routing
- IP: wie im Zyxel eingetragen für den sx541 (zb 192.168.0.3)
- Subnetzmaske 255.255.255.0
- defaultgateway Zyxelrouteradresse (192.168.0.1)
- vpi/vci 1/32
- verkapselung llc
- qos-klasse ubr
- pcr/scr/mbs 4000/4000/10
- dhcpclient ja(an).

ist das so okay oder sind diese einstellungen falsch (lan-port des zyxel ist an den wan-port des sx541 mit einem normalen kabel verbunden und die ip des routers wurde auf die zyxel-sx541-ip geändert, dns ist zyxelip).

Danke im voraus für Eure Hinweise.

@rc0r

[Flieger]

der wan port ist für DSL sonst geht da nix. wenn du Glück hast, kann das die SMC Firmware. Frag hier ma nach: http://www.ip-phone-forum.de/forum/v...ic.php?t=30696

Was spricht gegen: "nur das SX " verwenden?

[karpe]

Jockyw hat soweit ich erinnere eine Lösung dafür gefunden. Vielleicht schaus du dir einfach mal seine threads an. Soweit ich erinnere muss man dazu über Telnet das Routing ausschalten und in den Bridging Mode umschalten.

[lgirus]

Hi guys, is there a hidden option somewhere to make the web interface of this router english? Tried looking via telnet already but found nothing in the config yet.

[heini66]

@igirus:

flash firmware from:
http://www.sipsurf.de/Firmware-SMC.shtml
and you will have an english web-interface, not from siemens but working in same "stable" conditions on the sx541.

heini

[michiel]

Hello,

I'm trying to connect a serial cable to my modem, I use a Cisco console cable.
But I have some trouble with this. Can somebody give the pin-layout of the db9 connector? where does the GR, TX and RX go?

Thanks!!

[Flieger]

look at this site:
http://michael.fuckner.net/me/blog/i...ens-SX541.html

[michiel]

That site does not describe the layout of the pins at the db9 connector side, it only describe the layout on the modem side.

[Waverider40]

hallo michiel,

try this Side

Edit: use URL Tags pls., rollo


waverider