Anime4000 / RTL960x

Hacking V2801F, TWCGPON657 & DFP-34X-2C2 GPON ONU SFP Stick to suit your ISP Fiber
The Unlicense

Nokia G-010S-Q #52

Open moriel5 opened 2 years ago

moriel5 commented 2 years ago

I have just received the G.PON transceiver from our Internet infrastructure provider (we pay them directly for Internet access, and because of their monopoly over DSL, until recently they were not allowed to be an ISP, only to provide their direct customers with a choice of ISPs, while directly supporting them), and while initially I had expected to receive a Nokia G-010S-A (with the Intel/Lantiq FALCON chipset), instead I was told (and subsequently, that is what we had received) that it would be a G-010S-Q.

I have just torn it down, and it appears to have a Realtek 9601C1 chipset, and 16MiB (128Mb) of CMOS storage by means of the Macronix MX25L12835F (not sure about RAM yet).

tdmadam commented 2 years ago

When you get a chance please post pictures of the board.

Does this SFP module have exposed UART pads?

moriel5 commented 2 years ago

No problem, I have already taken pictures, however I hadn't had time to upload them yet, except to a friend's and a local Telegram group.

I'm not 100% sure, however there are 3 pads which I believe are probably UART.

moriel5 commented 2 years ago

~Since the IBin website appears to be broken (pictures are only getting uploaded via API, and I cannot create an account to get my own API token, due to only Twitter login being supported, but cannot even connect), I have uploaded the pictures to Teknik (unfortunately, that means that the links will expire tomorrow)~ Never mind, I see I can upload directly to GitHub, even above 5MB:

Top part removed: ~https://u.teknik.io/dP4Ct.jpg~ IMG_20220713_093853

Chipset on bottom of PCB revealed: ~https://u.teknik.io/zyaE6.jpg~ IMG_20220713_094742

moriel5 commented 2 years ago

I see now that the second picture turned out very blurry, I'll try again when I have the chance, although it was not easy to hold it open like that in one hand (it kept trying to break down in my hand).

Anime4000 commented 2 years ago

Nokia started using Realtek now? RTL9601CI or RTL9601D?

moriel5 commented 2 years ago

@Anime4000 I too was surprised.

It's the RTL6901C1

Anime4000 commented 2 years ago

@moriel5 nice, RTL9601CI

You can start by backing up the original Nokia firmware with a full bin dump, then try flashing the V2801F firmware to it; make sure VS_AUTH_KEY is set.

moriel5 commented 2 years ago

Thanks, I'll think about it (although I personally prefer the OpenWrt LuCI GUI, since I have been using it for the past few years on all of our routers); however, I cannot replace the firmware before the serial gets added to the ISP's system, since they actually verify what firmware it is running while doing so, and if the firmware isn't in the whitelist, they will refuse to add the serial number, thereby not letting us connect at all.

Anime4000 commented 2 years ago

Most RTL960x can change the serial number; most OMCI info can be changed.

Does this Nokia have proper SFP info reporting, including RX/TX readings through the router?

stich86 commented 2 years ago

If it's RTL9601CI, I don't see the TX/RX UART pinout exposed (but the second photo is very blurry). If you can upload another one...

thx :)

moriel5 commented 2 years ago

I believe the contact pads at the top left of the board (when looking at the second picture), one above the top right corner of and two below the bottom center and bottom left corner of the small chip to be the UART pinout pads.

I'll try to take a better picture when I have the time.

stich86 commented 2 years ago

> I believe the contact pads at the top left of the board (when looking at the second picture), one above the top right corner of and two below the bottom center and bottom left corner of the small chip to be the UART pinout pads.
>
> I'll try to take a better picture when I have the time.

We know the exact pinout for UART. If you have a multimeter, you can check whether those pads are correct.

On the gits there is the pinout from @tdmadam of RTL9601CI

moriel5 commented 2 years ago

No problem.

When I have time to open it up again, in addition to attempting to take a clearer image, I'll also check the pinout (that is why I always have a multimeter at the desk).

moriel5 commented 2 years ago

I haven't yet had the time to test anything, however my sister helped me take a better picture (with her phone, since it also has superior photo processing due to Samsung's efforts: Galaxy S20 FE 4G Qualcomm, vs my Razer Phone 2), so here it is.

20220808_203829

I shall now commence with testing the contact pads.

moriel5 commented 2 years ago

This is odd, I cannot seem to get continuity with any of the pads.

Update: I cannot seem to get continuity with anything on the board, including the pins of the chips. I have continuity when touching both probes together or to the same metal piece (as should be), however nothing with the module, and the module works without any issue.

moriel5 commented 2 years ago

Bad news, my G-010S-Q is no longer detected by my SFP NICs, at all.

Which is weird, since all I did was continuity testing, without running any dangerous amount of voltage (especially not AC).

Update: Right after posting this, it was suddenly picked up, so it is still alive.

Update 2: Something is certainly wrong now, since the SFP module is trying to draw too much power, causing the entire system to hang. Right now the system just rebooted on its own as a result.

moriel5 commented 2 years ago

Thankfully, the issues above are mysteriously gone, however I only have a short time before my SFP NICs refuse to see the module until a reboot (it would appear as though the G-010S-A's issues are also found with the G-010S-Q), whereas I had much more time before, but with the same issues.

Update: It appears that there are overheating issues due to the thermal pad having broken down sufficiently from all the times I had disassembled and reassembled the module.

moriel5 commented 2 years ago

And @stich86, my Chinese Intel i210 (i210AS, to be precise) is working just as well as my Dell Y40PH (followup from the G-010S-A thread).

192.168.100.1 is also inaccessible, though.

itfan1 commented 2 years ago

I recently obtained a Nokia G-010S-Q module (from Bezeq in Israel; the same source as @moriel5). In terms of LAN-side IP-based access/management, it seems to be similar to many Nokia G-010G-P/Q bridge ONTs, that is:

The IP address is 192.168.100.1

It has an http interface (on port 80) and a telnet interface (on port 23); the user/password is admin/1234 for both. A port-scan up to 11000 didn't find any additional open ports.

Both interfaces are very minimal and let you do just one thing: change the PLOAM Password. The http interface also has a read-only page with some minimal system information (serial number, firmware version, etc.).

Both interfaces are accessible when the fiber is disconnected. Once the fiber is connected, the http interface goes down (and the module needs to be power-cycled with disconnected fiber to get it back). The telnet interface remains active with or without a connected fiber. Note that I never used the device in an authenticated (O5) state (because I couldn't change the serial number), so what I write about the behavior with a connected fiber relates to an unregistered module that cannot achieve authentication. I have no idea what happens with an authenticated module.

The module provides DDM information (notably, tx/rx power and temperature) that is accessible when it is installed in a MikroTik router/switch.

Here are some images of the management interfaces:

G010SQ_web1

G010SQ_web2

G010SQ_telnet
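The DDM values mentioned above (tx/rx power, temperature) come from the SFP's SFF-8472 A2h diagnostics page, which is what a router like the MikroTik decodes for you. The following is an added example (not code from the RTL960x project or from any commenter here) that parses that page and flags out-of-threshold readings, which is also a handy way to spot the overheating reported earlier in this thread. The A2h offsets follow the SFF-8472 layout; the sample page is constructed in the script, not captured from a G-010S-Q.

```python
"""Decode SFF-8472 digital diagnostic monitoring (DDM) values from an SFP.

Added example for this thread; it is not code from the RTL960x project or
from any commenter. The byte offsets follow the SFF-8472 A2h page layout
(real-time values at bytes 96-105, alarm thresholds at bytes 0-39). The
sample page below is constructed for the example, not read from a G-010S-Q.
"""
import math
import struct


def uw_to_dbm(microwatts: float) -> float:
    """Convert optical power in microwatts to dBm (-inf for zero power)."""
    if microwatts <= 0:
        return -math.inf
    return 10.0 * math.log10(microwatts / 1000.0)


def parse_ddm(a2h: bytes) -> dict:
    """Decode real-time diagnostics plus the two alarm thresholds we check.

    SFF-8472 A2h offsets:
      0-1     temperature high alarm, signed 16-bit, 1/256 degC per LSB
      34-35   RX power low alarm, unsigned 16-bit, 0.1 uW per LSB
      96-97   temperature, signed 16-bit, 1/256 degC per LSB
      98-99   supply voltage, unsigned 16-bit, 100 uV per LSB
      100-101 TX bias current, unsigned 16-bit, 2 uA per LSB
      102-103 TX optical power, unsigned 16-bit, 0.1 uW per LSB
      104-105 RX optical power, unsigned 16-bit, 0.1 uW per LSB
    """
    if len(a2h) < 106:
        raise ValueError("A2h page too short: need at least 106 bytes")
    (temp_hi_alarm,) = struct.unpack_from(">h", a2h, 0)
    (rx_lo_alarm,) = struct.unpack_from(">H", a2h, 34)
    temp, vcc, bias, tx, rx = struct.unpack_from(">hHHHH", a2h, 96)
    return {
        "temperature_c": temp / 256.0,
        "vcc_v": vcc * 100e-6,
        "tx_bias_ma": bias * 2 / 1000.0,
        "tx_power_dbm": uw_to_dbm(tx * 0.1),
        "rx_power_dbm": uw_to_dbm(rx * 0.1),
        "temp_high_alarm_c": temp_hi_alarm / 256.0,
        "rx_low_alarm_dbm": uw_to_dbm(rx_lo_alarm * 0.1),
    }


def alarms(ddm: dict) -> list:
    """Return human-readable alarms for values outside the module's thresholds."""
    out = []
    if ddm["temperature_c"] >= ddm["temp_high_alarm_c"]:
        out.append("temperature high: %.1f C" % ddm["temperature_c"])
    if ddm["rx_power_dbm"] <= ddm["rx_low_alarm_dbm"]:
        out.append("rx power low: %.2f dBm" % ddm["rx_power_dbm"])
    return out


def sample_a2h(temperature_c: float = 45.5) -> bytes:
    """Build a constructed A2h page (NOT captured from hardware)."""
    page = bytearray(256)
    struct.pack_into(">h", page, 0, int(90 * 256))   # temp high alarm: 90 C
    struct.pack_into(">H", page, 34, 50)             # rx low alarm: 5 uW (about -23 dBm)
    struct.pack_into(">h", page, 96, int(temperature_c * 256))
    struct.pack_into(">H", page, 98, 33000)          # 3.30 V
    struct.pack_into(">H", page, 100, 6000)          # 12.0 mA
    struct.pack_into(">H", page, 102, 10000)         # 1 mW = 0 dBm
    struct.pack_into(">H", page, 104, 100)           # 10 uW = -20 dBm
    return bytes(page)


if __name__ == "__main__":
    for temp in (45.5, 95.0):
        d = parse_ddm(sample_a2h(temp))
        print(d, alarms(d) or "no alarms")
```

On a real module you would feed `parse_ddm()` the 256 bytes read from I2C address 0x51 (the A2h page) instead of `sample_a2h()`; the thresholds are read from the same page, so the alarm logic needs no per-vendor constants.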

Anime4000 commented 2 years ago

if you can dump G-010S-Q SPI Flash, we can check if they still use same realtek sdk, see if can load V2801F

itfan1 commented 2 years ago

> if you can dump G-010S-Q SPI Flash, we can check if they still use same realtek sdk, see if can load V2801F

I don't know how to do that without shell access to the device (which I don't know how to obtain at this time; as far as I can tell, the telnet interface doesn't allow such access). Do you have any ideas how one may be able to obtain shell access?

Anime4000 commented 2 years ago

this need hack that stick at hardware level, you need CH341a programmer and read stick SPI Flash, if we can modify the firmware or use V2801F firmware would be nice
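Whatever programmer is used to read the chip, the dump is only useful as a backup if it is complete and consistent. The following is an added example (not code from the RTL960x project or from any commenter) of the checks worth running on a dump before trusting it: correct size for the 16 MiB MX25L12835F named earlier in the thread, not an all-0xFF/all-0x00 read (the usual sign of a clip that is not making contact), and no differences between two successive reads. The sample images in `demo()` are constructed in memory, not read from hardware.

```python
"""Sanity checks for an SPI flash dump taken as a backup before any modification.

Added example for this thread; not code from the RTL960x project or any
commenter. It assumes the dump came from an external programmer (e.g. a
CH341A with flashrom, as suggested above) and that the chip is the 16 MiB
MX25L12835F named earlier in the thread; the sample dumps in demo() are
constructed in memory, not read from hardware.
"""
import hashlib
import sys

MX25L12835F_SIZE = 16 * 1024 * 1024  # 128 Mbit = 16 MiB
SECTOR = 4096                        # smallest erase unit on this chip family


def check_dump(data: bytes, expected_size: int = MX25L12835F_SIZE) -> dict:
    """Report size, hash and the two classic bad-read signatures (all 0xFF / all 0x00).

    An all-0xFF or all-0x00 image of the right size is what a programmer
    returns when the clip is not making contact or the chip is not powered,
    so such a file must never be treated as a valid backup.
    """
    n = len(data)
    all_ff = n > 0 and data.count(0xFF) == n
    all_00 = n > 0 and data.count(0x00) == n
    return {
        "size": n,
        "size_ok": n == expected_size,
        "sha256": hashlib.sha256(data).hexdigest(),
        "all_ff": all_ff,
        "all_00": all_00,
        "looks_valid": n == expected_size and not (all_ff or all_00),
    }


def first_difference(a: bytes, b: bytes):
    """Offset of the first byte where two reads disagree, or None if identical.

    Reading the chip twice and comparing is the usual way to catch a flaky
    clip connection before trusting the image.
    """
    if a == b:
        return None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n  # one image is a prefix of the other


def erased_fraction(data: bytes, sector: int = SECTOR) -> float:
    """Fraction of sectors that are entirely 0xFF (never programmed)."""
    sectors = [data[i:i + sector] for i in range(0, len(data), sector)]
    if not sectors:
        return 0.0
    blank = sum(1 for s in sectors if s.count(0xFF) == len(s))
    return blank / len(sectors)


def demo() -> dict:
    """Constructed images: a good read, a repeat read with one flipped byte, a blank read."""
    size = 64 * SECTOR  # small stand-in for the 16 MiB chip
    good = bytearray(b"\xff" * size)
    good[:SECTOR * 8] = bytes(range(256)) * (SECTOR * 8 // 256)  # "programmed" region
    flaky = bytearray(good)
    flaky[1234] ^= 0x01  # single-bit read error in the second read
    blank = b"\xff" * size
    return {
        "good": check_dump(bytes(good), size),
        "blank": check_dump(blank, size),
        "diff": first_difference(bytes(good), bytes(flaky)),
        "erased": erased_fraction(bytes(good)),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # compare two real reads: python <this script> read1.bin read2.bin
        a, b = (open(p, "rb").read() for p in sys.argv[1:3])
        print(check_dump(a), check_dump(b), "first difference:", first_difference(a, b))
    else:
        print(demo())
```

Keep the SHA-256 of the verified image next to the file: once a modified firmware is written, that hash is the only thing that tells you whether the backup you later restore is the one you actually read.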

itfan1 commented 2 years ago

> this need hack that stick at hardware level, you need CH341a programmer and read stick SPI Flash,

Unfortunately, I don't have the hardware (or experience) to do such things.

> if we can modify the firmware or use V2801F firmware would be nice

It will definitely be good to have more access to the module and to be able to change more things than just the PLOAM password. However, I fail to see why one should want to completely replace the firmware with that of a different module. This Nokia G-010S-Q isn't particularly cheap or easy to obtain. A much more configurable ODI DFP-34X-2C2 costs about 15% less than what Bezeq charges for it.

moriel5 commented 2 years ago

@Anime4000 When I have the time, I'll do so with my unit.

I have a CH341b (pretty much the same thing as the CH341a) ready, as well as the clips, with the only thing missing (apparently I had lost it, it should be somewhere on my desk) being simply the adapter board to connect the clips to the programmer.

xzVice commented 2 years ago

@moriel5 could you please send us the serial number? we might be able to give you an unlocked shell, but we are not sure

moriel5 commented 2 years ago

Sure, however the firmware version will have to remain the same, otherwise the network provider will refuse to activate it.

S/N: ALCLF99181D6 Firmware version: 3FE49494AOCK21

moriel5 commented 2 years ago

@itfan1 What Bezeq charges is relatively cheap for the specific models that they sell (which only goes to show how ridiculously overpriced G.PON equipment is in general).

I have seen these start at roughly $68 2nd hand, and start at roughly $86.5 first hand.

xzVice commented 2 years ago

> Sure, however the firmware version will have to remain the same, otherwise the network provider will refuse to activate it.
>
> S/N: ALCLF99181D6 Firmware version: 3FE49494AOCK21

username: ONTUSER password: mhXyTySz2LuDGQG9

Can you try this via telnet?

moriel5 commented 2 years ago

@arianaglande I'll try it when I have the time, currently I'm trying to diagnose why my desktop keeps on hanging at random.

And @Anime4000, unfortunately, my clips don't match the chip (my clips are SOIC-8 clips, and the chip is a WSON-8 chip, the largest option at 8x6mm according to Macronix's datasheet). Any other ideas how to do this, since I was unable to identify the contact pads on my unit?

Anime4000 commented 2 years ago

@moriel5 you can use a flying probe like this: flyprobe19

If the pads are not visible, you need to desolder it.

tdmadam commented 2 years ago

> I'll try it when I have the time...

If telnet works and gives you an admin shell then it should be easy to dump the firmware.

moriel5 commented 2 years ago

@Anime4000 Thanks, I understand that I'll need to order one off AliExpress then, so that will have to wait a few weeks, until I do so and it arrives.

moriel5 commented 2 years ago

@tdmadam That is certainly true, although I am pretty used to doing so with the CH340, so I have no idea how to go about it (unless you mean with mtd).

jason-akw commented 2 years ago

> I recently obtained a Nokia G-010S-Q module (from Bezeq in Israel; the same source as @moriel5). In terms of LAN-side IP-based access/management, it seems to be similar to many Nokia G-010G-P/Q bridge ONTs, that is:
>
> The IP address is 192.168.100.1
>
> It has an http interface (on port 80) and a telnet interface (on port 23); the user/password is admin/1234 for both. A port-scan up to 11000 didn't find any additional open ports.
>
> Both interfaces are very minimal and let you do just one thing: change the PLOAM Password. The http interface also has a read-only page with some minimal system information (serial number, firmware version, etc.).
>
> Both interfaces are accessible when the fiber is disconnected. Once the fiber is connected, the http interface goes down (and the module needs to be power-cycled with disconnected fiber to get it back). The telnet interface remains active with or without a connected fiber. Note that I never used the device in an authenticated (O5) state (because I couldn't change the serial number), so what I write about the behavior with a connected fiber relates to an unregistered module that cannot achieve authentication. I have no idea what happens with an authenticated module.
>
> The module provides DDM information (notably, tx/rx power and temperature) that is accessible when it is installed in a MikroTik router/switch.
>
> Here are some images of the management interfaces:
>
> G010SQ_web1
>
> G010SQ_web2
>
> G010SQ_telnet

I think this model is an ODM by CIG. As far as I know, this UI is only used on CIG ODM models.

For CIG SKUs, every unit's password is different.

xzVice commented 2 years ago

> I recently obtained a Nokia G-010S-Q module (from Bezeq in Israel; the same source as @moriel5). In terms of LAN-side IP-based access/management, it seems to be similar to many Nokia G-010G-P/Q bridge ONTs, that is:
>
> The IP address is 192.168.100.1
>
> It has an http interface (on port 80) and a telnet interface (on port 23); the user/password is admin/1234 for both. A port-scan up to 11000 didn't find any additional open ports.
>
> Both interfaces are very minimal and let you do just one thing: change the PLOAM Password. The http interface also has a read-only page with some minimal system information (serial number, firmware version, etc.).
>
> Both interfaces are accessible when the fiber is disconnected. Once the fiber is connected, the http interface goes down (and the module needs to be power-cycled with disconnected fiber to get it back). The telnet interface remains active with or without a connected fiber. Note that I never used the device in an authenticated (O5) state (because I couldn't change the serial number), so what I write about the behavior with a connected fiber relates to an unregistered module that cannot achieve authentication. I have no idea what happens with an authenticated module.
>
> The module provides DDM information (notably, tx/rx power and temperature) that is accessible when it is installed in a MikroTik router/switch.
>
> Here are some images of the management interfaces: G010SQ_web1 G010SQ_web2 G010SQ_telnet
>
> I think this model is ODM by CIG. As I know, this UI only use on CIG ODM models.
>
> For CIG skus, every unit's password is different.

Could you please send your serial number? I need you to try the credentials I will generate for you.

itfan1 commented 2 years ago

> could you please send your serial number? i need you to try the credentials i will generate for you

@arianaglande - I don't want to post my serial number on the open internet. I'll be happy to send it to you in a private message, if you can provide some way for me to do so.

moriel5 commented 2 years ago

@itfan1 I certainly understand your concern.

The only reason I was fine with publishing mine is because I was assured by Bezeq's representative that I could register multiple transceivers to the same account (I forget the correct term in English), as well as be allowed to purchase multiple transceivers, and in any case I intend to mainly be connected with either the G-010S-A (after modding it), or (if my budget allows for it, and/or I find it for cheaper) the Huawei MA5671A (after modding its firmware to "convert" it to a Nokia G-010S-A).

The benefit of this, is that I can switch transceiver at will between those I activate, and test things if needed (as well as have backups).

xzVice commented 2 years ago

> could you please send your serial number? i need you to try the credentials i will generate for you
>
> @arianaglande - I don't want to post my serial number on the open internet. I'll be happy to send it to you in a private message, if you can provide some way for me to do so.

sure, you can message me on telegram: https://t.me/arianaglandee

itfan1 commented 2 years ago

@arianaglande generated a password from my serial number. I'm sorry to report that it doesn't work.

moriel5 commented 2 years ago

@itfan1 Hmm... Then I guess we need to wait until either I, or someone else, backs up the firmware directly from the chip.

I should be able to once I have the necessary tools (I'm currently leaning more towards getting WSON-8 clips, since they should be cheaper and cleaner; however I am in a tight spot financially, so even that is getting delayed, let alone additional transceivers, let alone running fiber in the conduit in the immediate future).

The best I can do is run CAT.5e (I already have a 100M solid core roll) to improve the stability of the DSL line, and switch ISP over to 019 to get on the 200/20Mbps plan for cheaper than we are currently paying for 100/5 (our current wired modem-router, despite only having a 100Mbps RJ-45, does support profile 30a, perhaps even 35b (I forget; however 30a is sufficient for up to 230/100Mbps), so we will at least be able to get higher upload speeds).

moriel5 commented 1 year ago

Unfortunately, no updates regarding firmware dumping, due to real-life circumstances; however I have ordered some PCM thermal pads and thermal putty, so after they arrive, at the very least I should be able to replace the stock thermal pad, which should theoretically allow me to get connected to my unit.

bequiet11 commented 1 year ago

Hi, I would be able to help with getting the dump from the SPI: tools, clips, probes, etc. Are you on htmag also?

itfan1 commented 1 year ago

> Hi I would be able to help with getting the dump from the SPI, tools, clips probes etc.

That will be nice.

> Are you on htmag also?

I'm itfan on htmag. @moriel5 may also be there. Since htmag is an Israeli site, I doubt if it's relevant for anyone else who participated in the discussion here.

bequiet11 commented 1 year ago

We will keep the discussion about this subject here; I just wanted to make sure it is still relevant.

shuher21 commented 10 months ago

I have a very similar ONT stick, CIG G-97S/Nokia G-010S-Q, Google Fiber GFLT210, also with chip RTL9601CI, but without WebUI enabled (using UART, I was able to enable telnet).

Later I flashed my G-010S-Q with the full dump "C00R657V2801F_V1.9.0-220404.bin" from a working stick (post "https://github.com/Anime4000/RTL960x/issues/155"), but after flashing I got a brick.

I also created a full dump from my G-010S-Q and have a boot log.

@Anime4000 Nokia_G-010S-Q_boot.log could you please help with working V2801F firmware for G-010S-Q?

BittorB commented 5 months ago

Hello

In my repo I have uploaded a full dump from this module with version 3FE49494AOCK21. How can I generate an ONTUSER password?

Thanks