
Hacking the Siemens SX541

This topic in the "Gigaset" forum was created by JOCKYW2001, 19 March 2005.

  1. JOCKYW2001

    JOCKYW2001 New User
    Joined: 10 Feb. 2005 | Posts: 188 | Likes: 0 | Trophy points: 16
    #1 JOCKYW2001, 19 March 2005
    Last edited: 11 Nov. 2006
    After extensive investigation I now have a good picture of the hardware and software. Together with some special bootloader features, we will now be able to hack the SX541 wide open :lol:

    Hardware

    The microcontroller is a Texas Instruments AR7300 (MIPS). Product info can be found here: TI AR7
    This CPU is used in many other networking products such as the Netgear DG834G, the D-Link DSL-G604T and ... the AVM FRITZ!Box Fon.

    The codecs are implemented in hardware; the SX541 uses a Voicepump VP140 DSP. If properly programmed, the codec quality should be very good. Unfortunately the programming skills of Siemens' Taiwanese ODM partner leave a lot of room for improvement :lol:

    The rest of the hardware is described by Birger: 2 MB flash (the Fritz!Box uses 4 MB), 32 MB RAM, etc.

    Software

    Unfortunately there is no Linux running on the SX541. The OS is an RTOS called Supertask!, which is now sold by Micro Digital Inc. The TCP/IP stack, router and VoIP software is developed by the Institute for Information Industry in Taiwan and is called III TTF TCPIP Protocol Stack (for Router). The bootloader is developed by Broad Net Inc. from Taiwan. The bootloader can be accessed via the serial console, as I described here. For your convenience I will copy the content of that post below. But first, the most important discovery I made, which will help us run our own code on the SX541: the bootloader has an "administrator mode" which can be accessed by entering "!". The administrator menu shows:

    ======================
    Upload to Flash
    [E] Erase Flash
    [G] Run Runtime Code
    [M] Upload to Memory
    [R] Read from Memory
    [W] Write to Memory
    [T] Memory Test
    [Y] Go to Memory
    [A] Set MAC Address
    [#] Set Serial Number
    [V] Set Board Version
    [H] Set Options
    [P] Print Boot Params
    ======================


    The additional menu items are:

    [M] Upload to Memory
    [R] Read from Memory
    [W] Write to Memory
    [T] Memory Test
    [Y] Go to Memory

    With 'M', code can be uploaded to RAM via TFTP or Xmodem and then executed. Execution can also be initiated with 'Y'. There seem to be a few conditions which the binary code needs to fulfil. I haven't found these out yet, but using the 'R' command I managed to read the bootloader code, which I will analyze further in IDA.

    Okay enough for now, below you find a copy of the info I posted earlier about serial console and telnet access.

    Have fun, and let's get a Linux kernel running on the SX541 ASAP,
    JockyW

    ===================================

    As I wrote before, simply telnet into the SX541 (user: admin, password: empty). You don't need a serial cable for that.

    You'll see this menu:
    >> system Generic system parameter configuration
    interface Interface parameter configuration
    wLAN Wireless LAN configuration
    bridge Transparent bridging parameter configuration
    vc ATM virtual circuit parameter configuration
    ppp PPP parameter configuration
    dial Dial-out parameter configuration
    ip_share NAT parameter configuration
    firewall-func Enable disable firewall functions
    access-list Access list rules manager
    inspect Inspection threshold and rules manager
    route Routing parameter configuration
    dhcp DHCP parameter configuration
    dns DNS proxy parameter configuration
    snmp SNMP parameter configuration
    tftp Default TFTP parameter configuration
    mail Mail parameter configuration
    chuser Configuration parameters
    upnp Enable or disable UPnP
    show Showing system configuration
    monitor Monitor system runtime
    upgrade Upgrade system firmware
    backup Backup system configuration
    passwd Change user password
    default_reset Reset system configuration to default status
    write Write configuration and restart system
    reboot Restart system and activate new system configuration
    enable Enable configuration mode
    su Change to super user(root) mode
    ping Ping test
    tracert Trace route utility
    exit Disable privilege command or disconnect

    The submenu "chuser" has these items:
    >> max_user Maximum allow telnet access user number
    telnet_port Telnet TCP port config (default 8081)
    user_profile Legal user profile
    address_control Legal client address
    login_timeout Login timeout (minutes)
    remote_login Remote management function disable or enable
    =======

    If you connect a Siemens data cable (I bought one at CONRAD for €17.95, a "goobay" data cable, "passend für SIEMENS 25-/35-/45-/50-serie", order no. 760217) to the 10-pin header inside the SX541, you can in addition trace the bootlog, enter the boot monitor for recovery, set debug mode, and telnet via the serial cable.

    Strip the GSM phone plug off; you see 3 wires: black, blue & white. Open the SX541 and look at the pin header from the top.
    --5---4---3---2---1
    +---+---+---+---+---+
    | o | o | o | o | o |
    +   +   +   +   +   +
    | o | o | o | o | o |
    +---+---+---+---+---+
    -10---9---8---7---6
    ---------- front side ---------------

    Connect the 3 wires as follows:
    3:TX : blue
    2:RX : white
    5:GND : black

    Connect the 9-pin D-sub to the serial port of your PC. Open HyperTerminal and set it to 115200-8-N-1, no flow control.

    If you switch on the SX541 you'll see the following bootlog:
    ===========================================================
    TI ADSL AR7300 Loader 0.67.3 build Sep 15 2004 17:03:49
    Broad Net Technology, INC.
    ===========================================================
    Flash not found

    Copying boot params.....DONE

    Press any key to enter command mode ...
    Flash Checking Passed.

    Unzipping web at 0x94f30000 ... done
    Unzipping code at 0x94000000 ... done
    In C_Entry() function ...
    install_exception
    sys_irq_init() ...
    Set GPIO
    Reset USB and VP140 module ...
    ##### _ftext = 0x94000000
    ##### _fdata = 0x94345120
    ##### __bss_start = 0x9439C300
    ##### end = 0x9545847C
    ##### Backup Data from 0x94345120 to 0x9547847C~0x954CF65C len 356832
    [INIT] System Log Pool startup ...
    [INIT] MTinitialize ..
    userclk_init() ...
    Runtime code version: 1.56
    System startup...
    [INIT] Memory COLOR 0, 1500000 bytes ..
    [INIT] Memory COLOR 1, 600000 bytes ..
    [INIT] Memory COLOR 2, 1900000 bytes ..

    manu_id=004A chip_id=2249
    ES29LV160D bottom boot 16-bit mode found
    Set flash memory layout to Boot Parameters found !!!
    Bootcode version: 0.67.3
    Serial number: A448012289
    Hardware version: 01
    sizeof(struct III_Config_t) is 82376

    manu_id=004A chip_id=2249
    ES29LV160D bottom boot 16-bit mode found
    !!! Invalid wireless channel range 0 ~ 0
    !!! Use default value 1 ~ 13
    default route: 0.0.0.0
    BufferInit:
    BUF_HDR_SZ=48 BUF_ALIGN_SZ=8 BUFFER_OFFSET=112
    BUF_BUFSZ0=384 BUF_BUFSZ1=1872
    NUM_OF_B0=0 NUM_OF_B1=1200
    BUF_POOL0_SZ=0 BUF_POOL1_SZ=2304000
    sizeof(BUFFER0)=432,sizeof(BUFFER1)=1920
    *BUF0=0x94c7506c *BUF1=0x94a4285c
    Altgn *BUF0=0x94c75070 *BUF1=0x94a42860
    End at BUF0:0x94c75070, BUF1:0x94c75060

    BUF0[0]=0x94c75070 BUF1[0]=0x94a42860

    buffer0 pointer init OK!
    buffer1 pointer init OK!
    [qm_lnk_init] CLOCKHZ=1000 ...
    CLOCKHZ=1000
    time = 08/01/2003, 00:00:00
    TRAP(linkUp) : send ok!
    Interface 0 ip = 127.0.0.1

    MAC Address: 00:01:e3:50:98:dd
    Memory request 2072 left 297928 ptr 9443F074
    Call tn7sar_malloc_dma_xfer() addr:B443F074 size:2072
    MAC1 [RX=128 TX=1]: TI External PHY
    time = 08/01/2003, 00:00:00
    TRAP(linkUp) : send ok!
    Interface 1 ip = 192.168.1.100

    ruleCheck()> Group: 0, Error: Useless rule index will be truncated
    ruleCheck()> Group: 1, Error: Useless rule index will be truncated
    ruleCheck()> Group: 2, Error: Useless rule index will be truncated
    CBAC rule format check succeed !!
    reqCBACBuf()> init match pool, Have: 1000
    Memory Address: 0x950c31e8 ~ 0x950c9f64
    reqCBACBuf()> init timeGap pool, Have: 10000
    Memory Address: 0x950c9f64 ~ 0x950facb8
    reqCBACBuf()> init sameHost pool, Have: 2000
    Memory Address: 0x950facb8 ~ 0x9510a6d8
    CBAC rule pool initialized !!
    [initClsfy] clsfy_local_if_mask=0xf00007
    [initClsfy] clsfy_localorVPN_if_mask=0xf00007
    Init NAT data structure
    RUNTASK id=2 if_task if0...
    RUNTASK id=3 if_task if1...
    RUNTASK id=4 timer_task...
    RUNTASK id=5 conn_mgr...
    RUNTASK id=6 main_8021x...
    RUNTASK id=7 UsbSysInitTask ...
    RUNTASK id=8 period_task...

    ========== ADSL Modem initialization OK ! ======

    RUNTASK id=9 telnetd_main...
    Unzipping from B0040000 to 95EF0000 ... done
    Uncompressed size = 978080
    drive start addr[0]=95ef0000, [1]=95fdeca0
    [HTTPD] flash_init: failed!!
    httpd: listen at 192.168.1.100:80
    HTTPD TIMER_RESOURCE:5, FS_RESOURCE:6
    RUNTASK httpd...
    RUNTASK id=12 dnsproxy...
    RUNTASK id=13 snmp_task...
    RUNTASK id=14 rip...
    RUNTASK id=15 ripout...
    UPnP is enabled
    UPNP Device initialize success! slot=16
    Starting Multitask...
    ------------------------------------------------------
    You can now press:
    shift-0: to enable debug
    shift-9: to enable config
    shift-8:to start telnet console
    ENTER : show this help


    Looking at this bootlog, I'd say it is some kind of RTOS, but not a Linux kernel :(


    If you press any key directly after switching on the SX541 you get into the boot monitor console:

    ======================
    Upload to Flash
    [E] Erase Flash
    [G] Run Runtime Code
    [A] Set MAC Address
    [#] Set Serial Number
    [V] Set Board Version
    [H] Set Options
    [P] Print Boot Params
    ======================

    [AR7300 Boot]:p


    MAC address : 00-01-E3-xx-xx-xx
    Serial number : A4xxxxxxxxx
    Hardware version: 01
    Options : 00-00-00-00-00-00

    [AR7300 Boot]:g

    Unzipping web at 0x94f30000 ... done
    Unzipping code at 0x94000000 ... done
    In C_Entry() function ...
    install_exception
    sys_irq_init() ...
    Set GPIO
    Reset USB and VP140 module ...
    ......
    -------------------------------

    I think it should now be possible to get the VoIP stuff working if the SX541 sits behind another router.
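The boot log in the post above prints the loader's link-map symbols (_ftext, _fdata, __bss_start, end), the backup copy of .data, and the addresses it unzips the code and web images to. As an added example (not code from the original post or from the Broad Net loader), the Python below parses exactly those lines and cross-checks them against the TI AR7 memory map: SDRAM sits at physical 0x14000000 (KSEG0 cached alias 0x94000000) and flash at physical 0x10000000 (KSEG1 uncached alias 0xB0000000); the 32 MB RAM and 2 MB flash sizes are the ones Birger reported in the thread. The sample lines are copied from the boot log; the check names are my own.

```python
"""Parse the SX541 boot log for load addresses and check them against the AR7 memory map.

Added example, not code from the original post. The sample lines below are
copied from the boot log in the post. Memory-map constants are the standard
TI AR7 layout (SDRAM at physical 0x14000000, flash at 0x10000000; KSEG0 0x8/0x9
is the cached alias, KSEG1 0xA/0xB the uncached one); the 32 MB RAM and 2 MB
flash sizes are the ones reported in the thread.
"""
import re

SDRAM_BASE, SDRAM_SIZE = 0x14000000, 32 * 1024 * 1024
FLASH_BASE, FLASH_SIZE = 0x10000000, 2 * 1024 * 1024

# Constructed sample input: lines taken from the boot log in the first post.
BOOTLOG = """\
Unzipping web at 0x94f30000 ... done
Unzipping code at 0x94000000 ... done
##### _ftext = 0x94000000
##### _fdata = 0x94345120
##### __bss_start = 0x9439C300
##### end = 0x9545847C
##### Backup Data from 0x94345120 to 0x9547847C~0x954CF65C len 356832
Unzipping from B0040000 to 95EF0000 ... done
Uncompressed size = 978080
"""


def to_physical(vaddr):
    """Drop the MIPS32 KSEG0/KSEG1 segment bits; both alias the low 512 MB of physical space."""
    if 0x80000000 <= vaddr < 0xC0000000:
        return vaddr & 0x1FFFFFFF
    raise ValueError("not a KSEG0/KSEG1 address: 0x%08X" % vaddr)


def region_of(vaddr):
    """Name the device backing a virtual address: 'sdram', 'flash' or 'unmapped'."""
    phys = to_physical(vaddr)
    if SDRAM_BASE <= phys < SDRAM_BASE + SDRAM_SIZE:
        return "sdram"
    if FLASH_BASE <= phys < FLASH_BASE + FLASH_SIZE:
        return "flash"
    return "unmapped"


def parse_bootlog(text):
    """Collect the addresses the loader prints into a dict keyed by symbol or role name."""
    patterns = [
        (r"##### Backup Data from 0x(\w+) to 0x(\w+)~0x(\w+) len (\d+)",
         lambda m: {"backup_src": int(m.group(1), 16), "backup_dst": int(m.group(2), 16),
                    "backup_end": int(m.group(3), 16), "backup_len": int(m.group(4))}),
        (r"##### (\w+) = 0x([0-9A-Fa-f]+)", lambda m: {m.group(1): int(m.group(2), 16)}),
        (r"Unzipping (web|code) at 0x([0-9A-Fa-f]+)",
         lambda m: {"unzip_" + m.group(1): int(m.group(2), 16)}),
        (r"Unzipping from ([0-9A-Fa-f]+) to ([0-9A-Fa-f]+)",
         lambda m: {"unzip_src": int(m.group(1), 16), "unzip_dst": int(m.group(2), 16)}),
        (r"Uncompressed size = (\d+)", lambda m: {"unzip_len": int(m.group(1))}),
    ]
    syms = {}
    for line in text.splitlines():
        for pat, extract in patterns:
            m = re.match(pat, line)
            if m:
                syms.update(extract(m))
                break
    return syms


def check_layout(syms):
    """Cross-check the printed values against each other and against the memory map."""
    data_len = syms["__bss_start"] - syms["_fdata"]  # size of .data per the link map
    return {
        # everything the loader links or unpacks must land in SDRAM ...
        "runtime_in_sdram": all(region_of(syms[k]) == "sdram"
                                for k in ("_ftext", "_fdata", "__bss_start", "end",
                                          "unzip_web", "unzip_code", "unzip_dst")),
        # ... and the compressed web image must be read out of the flash window
        "web_image_from_flash": region_of(syms["unzip_src"]) == "flash",
        "web_image_flash_offset": to_physical(syms["unzip_src"]) - FLASH_BASE,
        # the unpacked web image must not run past the end of the 32 MB
        "web_image_fits_ram": to_physical(syms["unzip_dst"]) + syms["unzip_len"]
                              <= SDRAM_BASE + SDRAM_SIZE,
        # the runtime copies .data aside; source and length must agree with the link map
        "backup_is_dot_data": syms["backup_src"] == syms["_fdata"]
                              and syms["backup_len"] == data_len
                              == syms["backup_end"] - syms["backup_dst"],
    }


if __name__ == "__main__":
    for name, value in check_layout(parse_bootlog(BOOTLOG)).items():
        print("%-24s %s" % (name, value))
```

On the log above every check passes: the backup length 356832 equals __bss_start minus _fdata, so the runtime really does stash a pristine copy of .data; and the web image is unzipped from flash offset 0x40000, which is where the compressed web filesystem begins if you dump the 2 MB flash.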
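The 'M' command in the administrator menu takes the image over TFTP or Xmodem. As an added example (not from the post or from the Broad Net loader), here is a minimal XMODEM sender in Python plus an in-memory receiver that stands in for the boot monitor, so the code can be exercised offline. It frames 128-byte blocks, pads the last one with SUB (0x1A) as the protocol requires, and honours whichever variant the receiver asks for with its first byte: 'C' for 16-bit CRC, NAK for the 8-bit checksum. Whether this loader expects CRC or checksum mode, and what it prints before it starts polling, is not shown in the post; that is why the sender takes any object with read()/write() (a pyserial port would do) and leaves the prompt handling to the caller.

```python
"""Minimal XMODEM sender plus an in-memory receiver used to test it.

Added example; not code from the original post or from the Broad Net loader.
Framing (SOH, seq, ~seq, 128 payload bytes, check field), SUB padding and the
'C'/NAK start byte are the classic XMODEM definitions. Which mode the SX541
loader actually wants is unknown here and is left to the receiver's choice.
"""
SOH, EOT, ACK, NAK, CAN, SUB = b"\x01", b"\x04", b"\x06", b"\x15", b"\x18", b"\x1a"
CRC_REQ = b"C"
BLOCK = 128


def crc16_xmodem(data):
    """CRC-16/XMODEM: polynomial 0x1021, init 0x0000, no reflection, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_packet(seq, payload, use_crc):
    """Frame one block; a short payload is padded to 128 bytes with SUB."""
    payload = payload.ljust(BLOCK, SUB)
    pkt = SOH + bytes([seq & 0xFF, 0xFF - (seq & 0xFF)]) + payload
    if use_crc:
        return pkt + crc16_xmodem(payload).to_bytes(2, "big")
    return pkt + bytes([sum(payload) & 0xFF])


def xmodem_send(port, image, max_retries=10):
    """Push `image` through `port` (anything with read(n)/write(bytes)).

    Waits for the receiver's start byte, resends a block on NAK until it is
    ACKed, then sends EOT. Returns the number of blocks transmitted."""
    start = port.read(1)
    if start not in (CRC_REQ, NAK):
        raise IOError("receiver did not request a transfer: %r" % start)
    use_crc = start == CRC_REQ
    seq = 1
    for off in range(0, len(image), BLOCK):
        pkt = build_packet(seq, image[off:off + BLOCK], use_crc)
        for _ in range(max_retries):
            port.write(pkt)
            resp = port.read(1)
            if resp == ACK:
                break
            if resp == CAN:
                raise IOError("receiver cancelled the transfer")
            # NAK (or line noise): loop around and resend the same block
        else:
            raise IOError("block %d never acknowledged" % seq)
        seq = (seq + 1) & 0xFF
    port.write(EOT)
    if port.read(1) != ACK:
        raise IOError("EOT not acknowledged")
    return (len(image) + BLOCK - 1) // BLOCK


class LoopbackReceiver:
    """Test double for the boot monitor: verifies each frame, answers ACK/NAK,
    and collects the payload bytes as the real side would place them in RAM."""

    def __init__(self, use_crc=True):
        self.use_crc = use_crc
        self.replies = bytearray(CRC_REQ if use_crc else NAK)  # start byte
        self.inbox = bytearray()
        self.received = bytearray()
        self.expect = 1

    def read(self, n):
        out, self.replies = bytes(self.replies[:n]), self.replies[n:]
        return out

    def write(self, data):
        self.inbox += data
        if self.inbox[:1] == EOT:
            self.inbox = self.inbox[1:]
            self.replies += ACK
            return
        plen = 3 + BLOCK + (2 if self.use_crc else 1)
        while len(self.inbox) >= plen:
            pkt, self.inbox = bytes(self.inbox[:plen]), self.inbox[plen:]
            payload = pkt[3:3 + BLOCK]
            ok = pkt[0] == 0x01 and pkt[1] == self.expect & 0xFF and (pkt[1] ^ pkt[2]) == 0xFF
            if self.use_crc:
                ok = ok and int.from_bytes(pkt[-2:], "big") == crc16_xmodem(payload)
            else:
                ok = ok and pkt[-1] == sum(payload) & 0xFF
            if ok:
                self.received += payload
                self.expect += 1
                self.replies += ACK
            else:
                self.replies += NAK
```

One practical consequence of the padding: whatever lands in RAM is rounded up to a multiple of 128 bytes and the tail is filled with 0x1A, so if the loader or your own code later checks a length or checksum over the uploaded region, compute it over the padded size.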
     
  2. Christoph

    Christoph IPPF-Promi
    Joined: 20 Feb. 2004 | Posts: 6,229 | Likes: 5 | Trophy points: 38 | Location: Düsseldorf
    I'm highly impressed! :shock:

    But to be honest:

    I am not sure whether I should thank you for this guideline or rather delete it; I am afraid this could cause us trouble with Siemens, as we experienced before with AVM a long time ago (we had to delete a part of the download section because of hacks, but were nevertheless able to solve the matter in a very friendly way with AVM).

    The point is, if people crash their router because of this guideline, there will be no warranty, I assume.

    Everybody should be aware of this matter before trying to use this guideline!

    But in case of upcoming trouble with Siemens it might be deleted someday. :roll:
     
  3. rob

    rob Member
    Joined: 15 Feb. 2005 | Posts: 399 | Likes: 0 | Trophy points: 0
    Hi Jockyw2001,

    thank you for that information. You really did a very very good job.
    I think Christoph should change your status from "Neuling" to "Expert" immediately ;-) ;-) ;-).

    I think it is very important to have very precise information about systems you are working with just for debugging purposes and understanding.
    I also understand Christoph's concerns; it should be clear to everybody that no warranty will be given if these guidelines are followed.

    Greetings,

    rob
     
  4. Christoph

    Christoph IPPF-Promi
    Joined: 20 Feb. 2004 | Posts: 6,229 | Likes: 5 | Trophy points: 38 | Location: Düsseldorf
    I think so, too.

    If I can make you happy with some kind of special rank, please just let me know your wish. :)
     
  5. JOCKYW2001

    JOCKYW2001 New User
    Joined: 10 Feb. 2005 | Posts: 188 | Likes: 0 | Trophy points: 16
    @Christoph: I'm only sharing my own reverse engineering findings in this forum. This is not forbidden by law (at least in Germany). Those findings were obtained by 1. turning 2 screws to open the SX541, 2. studying the firmware in a hex viewer, 3. a lot of googling, 4. connecting a data cable to the serial console.

    I did not receive or disclose any confidential information from Siemens nor from anyone else, and also I will not make any Siemens code available in this forum. Afaik that was the nature of the problem with AVM.

    My contribution is directed to people who like to do a bit more with their SX541 than just "using" it :) Perhaps in the future Siemens or their ODM can benefit from our results ;) By no means is it intended for mainstream users, who surely make up the majority of forum readers here.

    If Siemens complains about this thread, just nuke it. I will then post it somewhere else, e.g. in the Hardware Recycling Initiative

    Cheers, JockyW
     
  6. Christoph

    Christoph IPPF-Promi
    Joined: 20 Feb. 2004 | Posts: 6,229 | Likes: 5 | Trophy points: 38 | Location: Düsseldorf
    @ JOCKYW2001:

    I am thankful for your guideline although I'm not an owner of an SX-541. I highly appreciate your effort regarding the guideline and also regarding the additional explanations you gave in your last posting.

    I guess this will give the Siemens parties a better point of view before claiming. ;-)
     
  7. karpe

    karpe Member
    Joined: 22 Dec. 2004 | Posts: 578 | Likes: 1 | Trophy points: 18 | Occupation: Dipl.-Ing., specialty computer networks | Location: Hamburg
    [quote="JOCKYW2001"]I did not receive or disclose any confidential information from Siemens nor from anyone else, and also I will not make any Siemens code available in this forum. Afaik that was the nature of the problem with AVM.[/quote]

    Siemens has promised somewhere to make the source code public after a final release. They have already released the source of the SE505 DSL/cable to the public.

    Let's hope...........

    Klaus
     
  8. JOCKYW2001

    JOCKYW2001 New User
    Joined: 10 Feb. 2005 | Posts: 188 | Likes: 0 | Trophy points: 16
    Yes, when I called the Siemens helpdesk some weeks ago they said that they might publish the source code some time later here.

    However, they only publish source code when it is under the GPL, and unfortunately, contrary to what I believed earlier, they don't use GPL sources. So you can hope, but they won't publish anything :(

    /JockyW
     
  9. Pürzel

    Pürzel New User
    Joined: 13 Dec. 2004 | Posts: 73 | Likes: 0 | Trophy points: 0
    The mainstream users surely appreciate your work, and I believe that even though most forum users lack knowledge of the deeper technology, many here read your reports with interest.

    The question that many here would surely put to you, given your great expertise, is:

    Do you consider the SX541, from a purely technical point of view, suitable for performing all its tasks in satisfactory quality in the future?

    Regardless of whether with Linux or the original software

    Regards, Thomas
     
  10. JOCKYW2001

    JOCKYW2001 New User
    Joined: 10 Feb. 2005 | Posts: 188 | Likes: 0 | Trophy points: 16
    From the hardware point of view I like it better than the Fritz. The Voicepump chip implements the codecs in hardware, and therefore the main CPU is not under so much stress and can be used for other tasks. From the software point of view the Fritz is currently better. So yes, the SX541 can do a perfect job in the future, but it seems Siemens needs a very long time. They should employ more programmers; that way they can reduce the helpdesk soon. Good for the customer and good for Siemens :)

    ciao, JockyW
     
  11. Pürzel

    Pürzel New User
    Joined: 13 Dec. 2004 | Posts: 73 | Likes: 0 | Trophy points: 0
    Thanks, Jockeyw

    Your answer gives all the desperate ones confidence that things will still turn out well with the SX541.

    The range of features of this device fascinated me from the start; it would have been a pity if it had turned into electronic scrap.

    Maybe you should apply to Siemens as a programmer. You would surely have the support of a broad customer base of SX541 victims.

    Many thanks again

    Thomas
     
  12. @rc0r

    @rc0r New User
    Joined: 4 Nov. 2004 | Posts: 27 | Likes: 0 | Trophy points: 0
    SX541 as a WLAN AP behind a ZyXEL 660HW67

    Hmm... sorry for digging up such an old thread again.

    Could someone tell me whether I can use the SX541 as a WLAN access point behind a router (ZyXEL 660HW67)?
    It seems the WLAN function of my 660HW67 is broken, so I now want to hang the SX541 behind it (for now to get a few more computers onto the network and to leave the LAN cabling as it is).
    How should the cabling be?
    Do I go directly from a LAN port of the ZyXEL to the WAN port of the SX541, or to a LAN port of the SX541?

    In the ZyXEL I have assigned a fixed IP to the MAC of the SX541.
    Which settings do I have to make in the SX541?
    I imagine it like this... unfortunately it does not work this way:
    - 1483 routing
    - IP: as entered in the ZyXEL for the SX541 (e.g. 192.168.0.3)
    - subnet mask 255.255.255.0
    - default gateway: ZyXEL router address (192.168.0.1)
    - VPI/VCI 1/32
    - encapsulation LLC
    - QoS class UBR
    - PCR/SCR/MBS 4000/4000/10
    - DHCP client yes (on).

    Is that okay, or are these settings wrong? (The LAN port of the ZyXEL is connected to the WAN port of the SX541 with a normal cable, the IP of the router was changed to the ZyXEL-SX541 IP, and DNS is the ZyXEL IP.)

    Thanks in advance for your hints.

    @rc0r
     
  13. Flieger

    Flieger Member
    Joined: 4 May 2005 | Posts: 332 | Likes: 0 | Trophy points: 16
  14. karpe

    karpe Member
    Joined: 22 Dec. 2004 | Posts: 578 | Likes: 1 | Trophy points: 18 | Occupation: Dipl.-Ing., specialty computer networks | Location: Hamburg
    As far as I remember, Jockyw found a solution for that. Maybe just have a look at his threads. As far as I recall, you have to switch off routing via telnet and switch to bridging mode.
     
  15. lgirus

    lgirus New User
    Joined: 14 Dec. 2005 | Posts: 1 | Likes: 0 | Trophy points: 0
    Hi guys, is there a hidden option somewhere to make the web interface of this router english? Tried looking via telnet already but found nothing in the config yet.
     
  16. michiel

    michiel New User
    Joined: 1 Dec. 2005 | Posts: 14 | Likes: 0 | Trophy points: 0
    Hello,

    I'm trying to connect a serial cable to my modem, I use a Cisco console cable.
    But I have some trouble with this. Can somebody give the pin-layout of the db9 connector? where does the GR, TX and RX go?

    Thanks!!
     
  17. Flieger

    Flieger Member
    Joined: 4 May 2005 | Posts: 332 | Likes: 0 | Trophy points: 16
  18. michiel

    michiel New User
    Joined: 1 Dec. 2005 | Posts: 14 | Likes: 0 | Trophy points: 0
    That site does not describe the layout of the pins on the DB9 connector side; it only describes the layout on the modem side.
     
  19. Waverider40

    Waverider40 Member
    Joined: 11 Jan. 2005 | Posts: 384 | Likes: 0 | Trophy points: 16 | Location: Nordwürttemberg