Hacking the Siemens SX541

karpe wrote:
Siemens has promised somewhere to make the source code public after a final release. They already gave the source of the SE505 dsl/cable to the public.

Let's hope...........

Klaus
I don't believe Siemens. They don't say anything about the date of a final release. On the other hand they seem to use Apache... it has its own license, but afaik it also requires altered source code to be made public.

I don't have time right now, but it should be possible to find other programs with similar licenses in the firmware using strings.

Micha!



../home/molli123$ telnet sx541 80
Trying 10.1.2.254...
Connected to sx541.***.de.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Server: Apache/0.6.5
Pragma: no-cache
Date: Sun, 01 Jan 2001 00:00:00 GMT
Expires: Sun, 01 Jan 2001 00:00:00 GMT
Cache-Control: max-age=0, must-revalidate
Connection: close
Content-type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 
The OS is an RTOS called Supertask! and that has little to do with Linux. It is likely the http daemon Supertask! uses is based on Apache, and maybe according to the GPL they or Siemens have to provide source code for that, but even if they would, that is of very little use to us.

The right way to go is to run a Linux kernel on the SX541. One possibility is to take the Fritz!box kernel and try to run it. Unfortunately what is missing are the VP140 modules. See if you can rip these from somewhere else ...

/JockyW
 
fw2 is SOHO.BIN, and that's the Supertask! RTOS

/JockyW
 
heini66 wrote:
So far I am, too...
but are you able to open the bin file???
You can view the file in hexedit. You can't mount or do anything else with it.

/JockyW
 
I want to edit the web pages of the firmware, so I extract the files with:

perl -e '$h="PK\x03\x04"; undef $/; (undef, @f)=split($h,<>); for(@f){ $i++; open F, ">fw$i.zip"; print F "$h$_" }' firmware.bin

which gives me:
172032 fw1.zip
1516554 fw2.zip
1688586 firmware.bin

Now I want to do the reverse, merging the 2 zip files into 1 bin file. How can I do this?? ("tar" doesn't do the job)
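The two questions in this thread so far, finding licence strings in the image (Micha's suggestion to use strings) and carving the PK-delimited pieces out of firmware.bin and putting them back together, can be answered with one script. This is an added example written for this thread, not code posted by anyone in it: it splits on the same `PK\x03\x04` signature as the perl one-liner, but also groups the pieces back into whole ZIP archives (a multi-member archive has one local header per member, so splitting on every header over-splits it), checks that concatenation reproduces the original image byte for byte, and scans the unpacked members for licence and copyright strings. The firmware image it works on is constructed in memory so it runs offline.

```python
"""
Carve the PK-delimited pieces out of a firmware image, group them into whole
ZIP archives, reassemble them losslessly, and scan the unpacked members for
licence strings. Added example for this thread, not the poster's code; the
image below is constructed in memory so the script runs offline.
"""
import io
import re
import zipfile

LFH = b"PK\x03\x04"   # local file header: where the perl one-liner splits
EOCD = b"PK\x05\x06"  # end of central directory: where an archive really ends
KEYWORDS = re.compile(rb"(?i)licen[cs]e|copyright|\(c\)|gpl|apache|bsd")


def split_on_headers(blob):
    """Same split as the one-liner, but keep any bytes before the first header."""
    offs = [m.start() for m in re.finditer(re.escape(LFH), blob)]
    if not offs:
        return blob, []
    ends = offs[1:] + [len(blob)]
    return blob[:offs[0]], [blob[a:b] for a, b in zip(offs, ends)]


def carve_archives(blob):
    """Group header-delimited pieces into archives: an archive is complete
    once a piece carries the end-of-central-directory record."""
    preamble, pieces = split_on_headers(blob)
    archives, current = [], b""
    for piece in pieces:
        current += piece
        if EOCD in piece:
            archives.append(current)
            current = b""
    if current:                      # trailing piece without an EOCD
        archives.append(current)
    return preamble, archives


def reassemble(preamble, archives):
    """Inverse of carve_archives: plain concatenation is all that is needed."""
    return preamble + b"".join(archives)


def archives_valid(archives):
    """True when every carved archive opens and all member CRCs check out."""
    for archive in archives:
        try:
            if zipfile.ZipFile(io.BytesIO(archive)).testzip() is not None:
                return False
        except zipfile.BadZipFile:
            return False
    return True


def license_strings(data, minlen=8):
    """strings(1)-style scan: printable runs that mention a licence/copyright."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % minlen, data)
    return sorted({r.decode() for r in runs if KEYWORDS.search(r)})


def scan_archive(archive):
    """Unpack members first: deflated data hides its strings from a raw scan."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            hits = license_strings(zf.read(info.filename))
            if hits:
                found[info.filename] = hits
    return found


def build_sample_image():
    """Constructed stand-in for firmware.bin: two ZIP archives back to back."""
    def make_zip(members, method):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", method) as zf:
            for name, data in members:
                zf.writestr(name, data)
        return buf.getvalue()
    web = make_zip([("index.html", b"<html>constructed web image</html>")],
                   zipfile.ZIP_STORED)
    runtime = make_zip([("COPYING", b"constructed notice: GNU General Public License"),
                        ("README", b"constructed: Portions Copyright (C) Example Corp")],
                       zipfile.ZIP_DEFLATED)
    return web + runtime


def analyse(blob):
    preamble, archives = carve_archives(blob)
    return {
        "pieces": len(split_on_headers(blob)[1]),
        "archives": len(archives),
        "valid": archives_valid(archives),
        "roundtrip_ok": reassemble(preamble, archives) == blob,
        "hits": [scan_archive(a) for a in archives],
    }


if __name__ == "__main__":
    for key, value in analyse(build_sample_image()).items():
        print(key, value)
```

Note that the sizes posted above add up exactly (172032 + 1516554 = 1688586), which is what `reassemble` relies on: the image is nothing but the two pieces back to back, so `cat fw1.zip fw2.zip > firmware.bin` is the reverse of the one-liner. The grouping on the end-of-central-directory record matters as soon as an archive has more than one member; the only way it can mislead is a member whose compressed data happens to contain the four EOCD bytes.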
 
hi michiel

could you extract this firmware?

In this Swiss firmware there is an advanced_usb_web.stm

On this page you can configure the FTP and HTTP server.

That's what I want :)
 
Keep it up!

Guys, you won't believe how happy I am that you are making such progress!
I could jump for joy, and I have respect for your skills!

I find it such a shame that I can't do any of this.

Keep it up, I love you!!!!!

regards
 
Flieger,
I can't extract it, it won't work.
How do you install this firmware on an sx541?? It gives me an error when I try it.
 
me too :(
 
OK, I am trying to get to know the upgrade function of the sx541 a bit better. When I telnet to the sx541 and give the command "upgrade ?" it gives me 5 options:

Code:
ROOT :> upgrade ?

  all <ip|Xmodem> [file]
                        Upgrade firmware image
  kernel <ip|Xmodem> [file]
                        Upgrade kernal run-time code image
  web_image <ip|Xmodem> [file]
                        Upgrade web image file
  conf_file <ip|Xmodem> [file]
                        Upgrade configuration file
  boot_code <ip|Xmodem> [file]
                        Upgrade boot code

You can do these upgrades using a tftp server, so I installed one.
Below is a list of which functions work etc.:

all: doesn't work yet
upgrades all the functions (kernel, web_image, conf_file, boot_code), (I assume), but how???

kernel: doesn't work yet
upgrades the firmware, also known as "Runtime Code Version", (I assume), but how???

web_image: doesn't work yet
upgrades the web files (PFS.IMG), (I assume), but how???

conf_file: works
You can set the settings with this upgrade. The conf file can be generated with the function "backup conf_file <ip|Xmodem>", which generates a script.cfg file that can be edited using a simple text editor.

boot_code: doesn't work yet
Upgrades the boot code (I assume), but how???


Does anyone know how to get the others to work? I get an error with the Header Pattern check
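What the conf_file round trip in the post above does on the wire is two plain RFC 1350 TFTP transfers: "backup conf_file <ip>" makes the device open a write request (WRQ) to the TFTP server and push script.cfg in 512-byte DATA blocks, and "upgrade conf_file <ip> script.cfg" makes it open a read request (RRQ) and pull the edited file back, acknowledging each block. The following is an added example, not firmware code: the device side is a generic octet-mode TFTP client, the server side keeps its files in a dict instead of on disk, and the script.cfg contents (including the "set ..." lines) are constructed, not the SX541's real config syntax. It also handles the edge case a quick implementation tends to miss: a file that is an exact multiple of 512 bytes must be terminated by an empty DATA block.

```python
"""
RFC 1350 TFTP framing plus an in-memory run of the two transfers behind the
SX541 CLI commands: 'backup conf_file <ip>' (device sends WRQ, pushes the
file) and 'upgrade conf_file <ip> <file>' (device sends RRQ, pulls it back).
Added example, not firmware code; file names and contents are constructed.
"""
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # fixed block size, no option negotiation


def build_request(opcode, filename, mode="octet"):
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block):
    return struct.pack("!HH", ACK, block)


def build_error(code, message):
    return struct.pack("!HH", ERROR, code) + message.encode() + b"\0"


def parse(packet):
    """(RRQ/WRQ, filename, mode), (DATA, block, payload), (ACK, block, b'')
    or (ERROR, code, message)."""
    if len(packet) < 4:
        raise ValueError("short packet")
    op = struct.unpack("!H", packet[:2])[0]
    if op in (RRQ, WRQ):
        name, mode = packet[2:].split(b"\0")[:2]
        return op, name.decode(), mode.decode().lower()
    if op in (DATA, ACK):
        return op, struct.unpack("!H", packet[2:4])[0], packet[4:]
    if op == ERROR:
        return op, struct.unpack("!H", packet[2:4])[0], packet[4:].rstrip(b"\0").decode()
    raise ValueError("unknown opcode %d" % op)


class TftpServer:
    """One transfer at a time; on_packet() returns the reply, or None when done."""

    def __init__(self, files):
        self.files = dict(files)
        self.transfer = None          # [opcode, filename] while a transfer runs

    def _block(self, name, n):
        return self.files[name][(n - 1) * BLOCK:n * BLOCK]

    def on_packet(self, packet):
        op, a, b = parse(packet)
        if op == RRQ:
            if b != "octet":
                return build_error(0, "octet mode only")
            if a not in self.files:
                return build_error(1, "File not found")
            self.transfer = [RRQ, a]
            return build_data(1, self._block(a, 1))
        if op == WRQ:
            self.files[a] = b""
            self.transfer = [WRQ, a]
            return build_ack(0)
        if op == ACK and self.transfer and self.transfer[0] == RRQ:
            name = self.transfer[1]
            if len(self._block(name, a)) < BLOCK:   # a short block was acked: done
                self.transfer = None
                return None
            return build_data(a + 1, self._block(name, a + 1))
        if op == DATA and self.transfer and self.transfer[0] == WRQ:
            self.files[self.transfer[1]] += b
            if len(b) < BLOCK:                       # short block ends the write
                self.transfer = None
            return build_ack(a)
        return build_error(4, "Illegal TFTP operation")


def device_get(server, filename):
    """Device pulls a file: RRQ, then ACK every DATA block until a short one."""
    received, data_packets = b"", 0
    reply = server.on_packet(build_request(RRQ, filename))
    while True:
        op, n, payload = parse(reply)
        if op == ERROR:
            raise IOError("server error %d: %s" % (n, payload))
        received += payload
        data_packets += 1
        reply = server.on_packet(build_ack(n))
        if len(payload) < BLOCK:
            return received, data_packets


def device_put(server, filename, data):
    """Device pushes a file: WRQ, then DATA blocks, each waiting for its ACK.
    An exact multiple of 512 bytes is terminated by an empty DATA block."""
    op, n, _ = parse(server.on_packet(build_request(WRQ, filename)))
    if (op, n) != (ACK, 0):
        raise IOError("write refused")
    block = 1
    while True:
        payload = data[(block - 1) * BLOCK:block * BLOCK]
        op, n, _ = parse(server.on_packet(build_data(block, payload)))
        if (op, n) != (ACK, block):
            raise IOError("bad ack for block %d" % block)
        if len(payload) < BLOCK:
            return block                              # DATA packets sent
        block += 1


# Constructed contents; the real script.cfg syntax is not shown in the thread.
SCRIPT_CFG = b"# constructed script.cfg\nset lan ip 10.1.2.254\nset telnet enable\n"


def backup_edit_restore():
    """backup conf_file -> edit on the PC -> upgrade conf_file, end to end."""
    server = TftpServer({})
    device_put(server, "script.cfg", SCRIPT_CFG)
    server.files["script.cfg"] = server.files["script.cfg"].replace(
        b"set telnet enable", b"set telnet disable")
    restored, _ = device_get(server, "script.cfg")
    return restored


if __name__ == "__main__":
    print(backup_edit_restore().decode())
```

The reason only conf_file works is visible in the packets: TFTP itself carries no integrity or authenticity information, so whatever "Header Pattern check" the device applies to kernel, web_image and boot_code images happens after the transfer, on the file contents, and a TFTP server cannot help with it. For the same reason, run the TFTP server only on the isolated LAN segment between the PC and the router; anyone who can reach it can push a configuration.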
 
update:
2.6.19.2 up! :mrgreen:
Code:
[AR7300 Boot]:y

Go to Memory Address: (default:0xB0020000) : 0x94000000
Jump to address 0x94000000 ...

AR7 loader started...
argc = 16384 = 0x4000
argv = 00000010
envp = 80004000
base = 94001f20
argc = 8 = 0x8
argv = 94301e80
envp = 94301c00
base = b4301f30
argv[] = go
argv[] = console=ttyS0,115200
argv[] = debug
argv[] = mtdparts=sinus:64k(boot)ro,-(flash)
argv[] = root=/dev/nfs
argv[] = rw
argv[] = nfsroot=/nfsroot,nolock,rsize=1024,wsize=1024
argv[] = ip=192.168.2.1:192.168.2.2::255.255.255.0:sinus:eth0:off
envp[] = nfsroot="nfs"
envp[] = HWRevision="00"
envp[] = flashsize="0x00200000"
envp[] = memsize="0x01000000"
envp[] = maca="00:04:0E:0A:D0:DF"
envp[] = macb="00:04:0E:0A:D0:DE"
envp[] = modetty0="115200,n,8,1,hw"
Launching kernel decompressor.
data = b4301f30
addr = b4301f30
lzma = 0x0000005d
size (in) = 2797701
size (out) = 2797701
Kernel decompressor was successful ... launching kernel.
loader.c:159, press any key to continue

LINUX running...
ar7_init_cmdline(8,94301e80)
ar7_init_cmdline: cmdline=console=ttyS0,115200 debug mtdparts=sinus:64k(boot)ro,-(flash) root=/dev/nfs rw nfsroot=/nfsroot,nof
ar7_init_env(94301c00)
ar7_init_env: nfsroot
ar7_init_env: HWRevision
ar7_init_env: flashsize
ar7_init_env: memsize
ar7_init_env: maca
ar7_init_env: macb
ar7_init_env: modetty0
prom_getenv(macb)
prom_getenv(maca)
prom_getenv(maca)
prom_getenv(maca)
Linux version 2.6.19.2 (ar7@linux) (gcc version 4.1.2) #45 PREEMPT Thu Mar 29 20:45:18 CEST 2007
CPU revision is: 00018448
Clocks: prediv: 1, postdiv: 25, mul: 8
Clocks: prediv: 1, postdiv: 1, mul: 10
Determined physical RAM map:
 memory: 02000000 @ 14000000 (usable)
On node 0 totalpages: 8192
  DMA zone: 64 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 8128 pages, LIFO batch:0
  Normal zone: 0 pages used for memmap
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS0,115200 debug mtdparts=sinus:64k(boot)ro,-(flash) root=/dev/nfs rw nfsroot=/nfsroot,nolock,f
Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 16kB, 4-way, linesize 16 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
PID hash table entries: 128 (order: 7, 512 bytes)
Using 75.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 29608k/32772k available (2196k kernel code, 316k reserved, 396k data, 140k init)
Calibrating delay loop... 6.42 BogoMIPS (lpj=32128)
Mount-cache hash table entries: 512
Checking for 'wait' instruction...  available.
NET: Registered protocol family 16
vlynq0: regs 0x08611800, irq 29, mem 0x04000000
vlynq1: regs 0x08611c00, irq 33, mem 0x0c000000
PCI over VLYNQ emulation: probe of vlynq0 failed with error -22
PCI over VLYNQ emulation: probe of vlynq1 failed with error -22
Generic PHY: Registered new driver
NET: Registered protocol family 2
IP route cache hash table entries: 256 (order: -2, 1024 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
squashfs: version 3.0 (2006/03/15) Phillip Lougher
io scheduler noop registered
io scheduler deadline registered (default)
ar7_wdt: disabling watchdog timer
ar7_wdt: timer margin 59 seconds (prescale 65535, change 57180, freq 62500000)
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x8610e00 (irq = 15) is a TI-AR7
serial8250: ttyS1 at MMIO 0x8610f00 (irq = 16) is a TI-AR7
Fixed PHY: Registered new driver
device_bind_driver: device fixed@100:1 already bound
cpmac-mii: probed
cpmac: device eth0 (regs: 08612800, irq: 41, phy: fixed@100:1, mac: 00:00:00:12:34:56)
cpmac: device eth1 (regs: 08610000, irq: 27, phy: 0:1f, mac: 00:00:00:12:34:56)
physmap platform flash device: 00400000 at 10000000
physmap-flash.0: Found 1 x16 devices at 0x0 in 16-bit bank
physmap-flash.0: Found an alias at 0x200000 for the chip at 0x0
 Amd/Fujitsu Extended Query Table at 0x0040
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
RedBoot partition parsing not available
ar7part partition parsing not available
mtd: Giving out device 0 to physmap-flash.0
Registered led device: ar7:status
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Time: MIPS clocksource has been installed.
PHY: fixed@100:1 - Link is Up - 10/Half
IP-Config: Complete:
      device=eth0, addr=192.168.2.1, mask=255.255.255.0, gw=255.255.255.255,
     host=sinus, domain=, nis-domain=(none),
     bootserver=192.168.2.2, rootserver=192.168.2.2, rootpath=
Root-NFS: Mounting /nfsroot on server 192.168.2.2 as root
Root-NFS:     rsize = 1024, wsize = 1024, timeo = 0, retrans = 0
Root-NFS:     acreg (min,max) = (3,60), acdir (min,max) = (30,60)
Root-NFS:     nfsd port = -1, mountd port = 0, flags = 00000200
Looking up port of RPC 100003/2 on 192.168.2.2
portmap: server 192.168.2.2 not responding, timed out
Root-NFS: Unable to get nfsd port number from server, using default
Root-NFS: Portmapper on server returned 2049 as nfsd port
Looking up port of RPC 100005/1 on 192.168.2.2
portmap: server 192.168.2.2 not responding, timed out
Root-NFS: Unable to get mountd port number from server, using default
Root-NFS: mountd port is 627
NFS:      nfs_mount(c0a80202:/nfsroot)
mount: server 192.168.2.2 not responding, timed out
Root-NFS: Server returned error -5 while mounting /nfsroot
VFS: Unable to mount root fs via NFS, trying floppy.
VFS: Cannot open root device "nfs" or unknown-block(2,0)
Please append a correct "root=" boot option
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(2,0)
 <0>Rebooting in 3 seconds..Reboot

What is still missing here is the filesystem to be booted next, which this kernel expects on 192.168.2.2, but which I am currently not yet exporting.
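The boot log shows exactly what the host at 192.168.2.2 has to provide: the kernel asks its portmapper for NFS program 100003 version 2 and mount program 100005 version 1, gets no answer ("portmap: server 192.168.2.2 not responding"), and panics. The following host-side configuration is an added example, not from the thread; it assumes the host runs the Linux nfs-kernel-server, and the file names and the client address (taken from the `ip=` argument) are that assumption.

```text
# /etc/exports on 192.168.2.2: the path must match nfsroot=/nfsroot from the
# kernel command line, the client address the ip= argument (192.168.2.1).
# no_root_squash: the target's init runs as root and must be able to write.
/nfsroot 192.168.2.1(rw,sync,no_root_squash,no_subtree_check)

# The log requests NFS v2 (RPC 100003/2) and mount v1 (100005/1), over UDP.
# Current nfs-utils ship with v2 (and on recent versions UDP) switched off,
# so enable both in /etc/nfs.conf before starting the server:
[nfsd]
vers2=y
udp=y
```

After `exportfs -ra` and a restart of the NFS server, `rpcinfo -p 192.168.2.2` run from the host must list program 100003 version 2 and program 100005 version 1; if rpcinfo itself times out, rpcbind is not reachable on UDP port 111 (service down or filtered), which is the failure the log shows, as opposed to a missing export, which would surface only at the later `nfs_mount` step. Newer kernels may not build NFSv2 server support at all, in which case the client kernel has to be rebuilt with a v3-capable nfsroot instead.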
 