Open AxisRay opened 2 years ago
I only saw the not allow to modify it.
On the 3FE46398BGCB22 firmware, setting OperatorID to 0000 (or 9999) should bypass the check.
For the LOID, I see code to read LOID and LOIDPassword from ri/scfg in libdataModel.so, which is called by parser and omciMgr, but the driver doesn't have them in its list (this is a binary format in the "ri" mtd).
So the code seems to be present, but with no way to give it the values (unless patching either libdataModel.so or scfg.ko, but it wouldn't be easy).
I can see it trying to get LOID from scfg:
no LOID value in scfg
[01-01 10:00:15][OMCI]get loid failed
[01-01 10:00:15][OMCI]getLoidAuthInfo() exit @ 600m:15s:216ms, :
[01-01 10:00:15][OMCI] - create_instance_auto() act_plugInUnitType = 48
[01-01 10:00:15][OMCI] - create_instance_auto() act_plugInUnitType = 47
unless patching either libdataModel.so or scfg.ko
Or we can modify the scfg in ri? It seems easier, but we should know the format details first.
Where is the function scfg_get
It seems that we can use ritool to set the scfg:
ONTUSER@SFP:/sbin# ls -lt /sbin/ritool
lrwxrwxrwx 1 ONTUSER root 17 Jan 25 2021 /sbin/ritool -> /usr/exe/scfgtool
ONTUSER@SFP:/sbin# ritool set LOID 7554196032
Set scfg descrip=LOID value=7554196032 failed.
Unfortunately, it failed. I am trying to figure it out.
update:
I found some error messages in dmesg:
[ 1527.488000] [K_SCFG] scfg_drv_ioctl: set scfg[LOID] from userspace
[ 1527.488000] item not exist, please check your input LOID
I didn't find where scfgGroup is defined. Maybe it is hardcoded?
I have used a hex editor to modify scfg.ko:
rename SSID-1Name to LOID
rename SSID-1Password to LOIDPassword
and rebuilt the firmware.
ONTUSER@SFP:~# ritool set LOID 12312312
ONTUSER@SFP:~# dmesg | tail
[ 666.188000] [K_SCFG] scfg_drv_ioctl: set scfg[LOID] from userspace
[ 666.768000] [K_SCFG] : set scfg success
There seems to be no error message.
last_flow_me_recv_at = 0, last_igmp_channel_me_recv_at = 0, last_igmp_acl_me_recv_at = 0
[01-01 00:06:10][OMCI]>>>>on_omci_start_io()
[01-01 00:06:10][OMCI]getLoidAuthInfo() exit @ 6m:10s:111ms, 12312312:00000000
[01-01 00:06:10][OMCI]getLoidAuthInfo() exit @ 6m:10s:206ms, 12312312:00000000
It works!
scfg_get is in libscfg.so, and it does an ioctl on /dev/scfg exposed by scfg.ko.
scfg_get and scfg_set take a field name as parameter, which is handled by scfg.ko: scfgGroup seems to be some kind of table, which defines what kind of values are accepted, and where to store them in the mtd partition.
scfg_dump is used for the oflt ri get command (which wants a parameter, but just dumps all values in the kernel log).
There are also APIs which manipulate a binary dump:
scfg_read: used in liboflt.so (oflt_show_ri, not used) and for the ritool dumpbin command
scfg_write: used for the ritool initbin command
The scfgtool binary also has code for an nvram_tool symlink (in addition to ritool), where these binary commands use a different offset (but this is probably for other devices).
So by modifying the SSID-1Name and SSID-1Password field names in scfg.ko, you can store the values, but:
There might be padding issues, and handling of nul bytes if it's allowed by the spec (since it doesn't seem the values are meant to be stored in hex). Did it work with the OLT? What format did you use for the two values, and what are the lengths?
You would need to do the same changes in scfgtool to have the new names for ritool dump (which calls scfg_read in a loop).
You are right, the length of SSID-1Password is not enough.
[ 1081.284000] [K_SCFG] scfg_drv_ioctl: set scfg[LOIDPassword] from userspace
[ 1081.284000] your contents is too long
[ 1081.284000] scfg_drv_set_internal failed
Here are my LOID and LOIDPassword (got from the ISP):
<Loid>545331303030303035313131313131000000000000000000</Loid>
TS1000005111111
<Password>545331303030303035313131</Password>
TS1000005111
scfgGroup seems to be some kind of table, which defines what kind of values are accepted, and where to store it in the mtd partition.
I think we can modify the definition to solve the "padding issues" and "length limit"? But I didn't find where it is defined. I'm a total noob in reverse engineering. 😥
I have modified scfg.ko and extended LOID to 24 bytes, LOIDPassword to 16 bytes:
ONTUSER@SFP:~# ritool set LOID TS1000005111111
ONTUSER@SFP:~# ritool set LOIDPassword TS1000005111
ONTUSER@SFP:~# ritool get LOID
the LOID: TS1000005111111
ONTUSER@SFP:~# ritool get LOIDPassword
the LOIDPassword:TS1000005111
ONTUSER@SFP:~# ritool get SSID-2Name
the SSID-2Name:0000
ONTUSER@SFP:~#
ritool works well.
the UserName: usradmin
the UserPassword: 12345
the MgntUserName: adminadmin
the MgntUserPassword: ALC#FGU
the LOID: TS1000005111111
the LOIDPassword: TS1000005111
the SSID-2Name:0000
the SSID-2Password:0000
the OperatorID:0000
the SLID:30303030303030303030303030303030
the CountryID:01
the GroupID:30303030
the Checksum1:63e5
the Spare6:3030
the RollbackFlag:0000
omciMgr seems abnormal
[01-01 00:04:41][OMCI]OMCI_LIB: Success to create OMCI mib upload share memory, pointer 0x76588000
ds_sec=-1
Inside GatewayUniSupp_1Itf::GatewayUniSupp_1Itf constructor
[01-01 00:04:41][OMCI]getLoidAuthInfo() exit @ 4m:41s:305ms, TS1000005111111 TS100000: TS100000
[01-01 00:04:41][OMCI] - create_instance_auto() act_plugInUnitType = 48
[01-01 00:04:41][OMCI] - create_instance_auto() act_plugInUnitType = 47
EthManageItf::getInstance: without switch.
[01-01 00:04:41][OMCI]checkPonLEDStatus:Fiber disconnected
create auto instanmce gateway uni ME succesful
[01-01 00:04:41][OMCI]getLoidAuthInfo() exit @ 4m:41s:394ms, TS1000005111111 TS100000r�v�r�0000: TS100000r�v�r�0000
AnigSupp_1 creat
I haven't tested with the OLT.
update: tested, not working (full log)
@AxisRay upgrade custom firmware is here to help you change loid https://github.com/hwti/G-010S-A/issues/1#issuecomment-1066288848
I know it. The custom firmware was uploaded by me.
I am trying to modify the original firmware just for research.
oh, "padding issues"
[01-01 00:11:41]logical_id.value = 20 20 20 20 20 20 20 20 20 53 5a 31 30 30 30 30 30 35 39 34 35 32 37 39
[01-01 00:11:41]password.value = 20 20 20 20 53 5a 31 30 30 30 30 30
oh, "padding issues"
[01-01 00:11:41]logical_id.value = 20 20 20 20 20 20 20 20 20 53 5a 31 30 30 30 30 30 35 39 34 35 32 37 39
[01-01 00:11:41]password.value = 20 20 20 20 53 5a 31 30 30 30 30 30
1, Password: it means LOID password, right? (20 characters), but normally it is maximum 12 characters
2, SLID: 32 characters, not the same as the SLID on the web, normally it is maximum 20 characters (10 ASCII or 20 HEX)
1, Password: it means LOID password, right? (20 characters), but normally it is maximum 12 characters
No, you can find why here: Where is the function scfg_get
TEST PASS!!!
ONTUSER@SFP:~# onu ploamsg
errorcode=0 curr_state=5 previous_state=4 elapsed_msec=146852
I modified the ri mtd directly, fixed the "padding issues", and recalculated the checksum.
UPDATE:
We can set type to 0001 to enable hex format setting, so we can prevent the "padding issues".
ONTUSER@SFP:~# ritool set LOID 535a31303030303035393435323739000000000000000000
ONTUSER@SFP:~# ritool get LOID
the LOID:SZ1000005945279
ONTUSER@SFP:~# ritool set LOIDPassword 535a31303030303035393435
ONTUSER@SFP:~# ritool get LOIDPassword
the LOIDPassword:SZ1000005945
ONTUSER@SFP:~#
Here is the firmware, which is based on 3FE46398BGCB22: new-firmware.zip
@AxisRay
I have 2 cases with OLT Huawei.
With ISP1: only checks the GPON serial number, it's OK to get O5.
With ISP2: checks the GPON serial number and SLID ==> can't get O5, it's O2, O3 (even when using all versions of the original fw or custom fw from China).
It doesn't seem to be getting the SLID on the web, but getting the SLID in "ri", and the SLID in "ri" is in an incorrect format.
@vuducdong What is the format of your SLID?
You can set the SLID with ritool set SLID xxxxxxxx
@vuducdong
ONTUSER@SFP:~# ritool set SLID 30303535393132323700000000000000
ONTUSER@SFP:~# ritool get SLID
the SLID:30303535393132323700000000000000
@vuducdong
ONTUSER@SFP:~# ritool set SLID 30303535393132323700000000000000
ONTUSER@SFP:~# ritool get SLID
the SLID:30303535393132323700000000000000
ok, I'll try it. Thanks!
We can set type to 0001 to enable hex format setting. So we can prevent "padding issues".
But then you need much more space, unless it's stored as binary (it's strange to have HEX for set, but to get a string for get).
Even 16 + 12 would overwrite SSID2-Name / SSID2-Password (we probably don't care), but also OperatorID (unless changing all offsets).
The omciMgr log suggests there is a string termination issue too (maybe just in the trace code).
The SLID issues are different, I didn't check on all firmwares, but I remember:
unless changing all offsets
I have changed.
@vuducdong
ONTUSER@SFP:~# ritool set SLID 30303535393132323700000000000000
ONTUSER@SFP:~# ritool get SLID
the SLID:30303535393132323700000000000000
Still unable to authenticate O5.
unless changing all offsets
I have changed.
This would cause issues when switching between firmwares.
It doesn't seem the offsets can be increased, unless removing other entries to make the space.
On init, it seems only 256 bytes are read from the mtd (so maybe RollbackFlag is only in memory), and I don't see any other locations which would read it (except ri_read_byte, which doesn't seem to be used).
scfgGroupRi has a field with the size: 256.
ritool dumpbin reads 256 bytes too.
But there are functions like ri_write which support up to 512 (but will only write the first 256 bytes to the mtd), which is strange.
@AxisRay if OperatorID is set to 0000, XXXX, 9999, it shows LOID and LOIDPassword, but when setting LOID and getting LOID it is null. On the other hand, if OperatorID is set to 0001, LOID and LOIDPassword disappear and are not allowed to be modified.
On the 3FE46398BGCB22 firmware, if OperatorID is not 0000 or 9999:
scfg_set will refuse to set anything (so ritool set ... will fail), except OperatorID
ritool dump and ritool get will not display all values (there is a boolean for each value, to tell if it's visible with any OperatorID)
Note that it shouldn't prevent omciMgr from reading the hidden values.
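The table behaviour described in this thread (scfgGroup entries with a fixed size, a type flag that switches ritool set between string and hex input, the per-field visibility boolean gated by OperatorID, the "your contents is too long" length check, and the 0x20 left-padding visible in the omciMgr trace), modelled as an added Python example. This is not code from the G-010S-A project or from scfg.ko: the field names are the thread's, but the offsets, sizes, type codes and the hex_get flag are constructed assumptions, and the error strings are quoted from the dmesg/ritool lines posted above. check_layout() is added to show why enlarging LOID without moving the following offsets clobbers its neighbours (the "unless changing all offsets" point).

```python
# Added example, not code from the G-010S-A project or from scfg.ko.
# Models the fixed-width "ri" config table (scfgGroup) as described in the
# thread. Field names are the thread's; offsets, sizes, type codes and the
# hex_get flag are CONSTRUCTED assumptions. Error strings are quoted from the
# kernel-log / ritool lines posted in the thread.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOB_SIZE = 256          # thread: only 256 bytes of the "ri" mtd are read on init
TYPE_STRING = "0000"     # assumption: default type, ritool set takes an ASCII string
TYPE_HEX = "0001"        # thread: type 0001 makes ritool set accept a hex string
UNLOCKED_OPERATOR_IDS = ("0000", "9999")   # thread: writes allowed only with these


@dataclass(frozen=True)
class Field:
    offset: int
    size: int
    type_: str = TYPE_STRING
    visible_any_operator: bool = True   # thread: per-field boolean gating get/dump
    hex_get: bool = False               # assumption: SLID is returned as hex by get


# Constructed layout (assumption): real offsets come from the device's scfg.ko.
SCFG_GROUP: Dict[str, Field] = {
    "OperatorID":   Field(0x00, 4),
    "LOID":         Field(0x04, 24, visible_any_operator=False),
    "LOIDPassword": Field(0x1C, 12, visible_any_operator=False),
    "SSID-2Name":   Field(0x28, 16),
    "SLID":         Field(0x38, 16, TYPE_HEX, hex_get=True),
}


class ScfgError(Exception):
    """Failure with the wording the scfg driver prints in dmesg."""


def check_layout(group: Dict[str, Field]) -> List[Tuple[str, str]]:
    """Return pairs of fields whose byte ranges overlap: resizing LOID without
    moving the following offsets would clobber LOIDPassword, SSID-2Name, ..."""
    items = sorted(group.items(), key=lambda kv: kv[1].offset)
    clashes = []
    for (name_a, fa), (name_b, fb) in zip(items, items[1:]):
        if fa.offset + fa.size > fb.offset:
            clashes.append((name_a, name_b))
    return clashes


class Scfg:
    def __init__(self, blob: Optional[bytes] = None, group: Dict[str, Field] = SCFG_GROUP):
        if check_layout(group):
            raise ValueError(f"overlapping fields: {check_layout(group)}")
        self.group = group
        self.blob = bytearray(blob) if blob is not None else bytearray(BLOB_SIZE)

    def _raw(self, f: Field) -> bytes:
        return bytes(self.blob[f.offset:f.offset + f.size])

    def operator_id(self) -> str:
        return self._raw(self.group["OperatorID"]).decode("ascii", "replace")

    def unlocked(self) -> bool:
        return self.operator_id() in UNLOCKED_OPERATOR_IDS

    def set(self, name: str, value: str) -> None:
        """ritool set NAME VALUE: name lookup, OperatorID gate, length check, padding."""
        if name not in self.group:
            raise ScfgError(f"item not exist, please check your input {name}")
        if name != "OperatorID" and not self.unlocked():
            raise ScfgError(f"Set scfg descrip={name} value={value} failed.")
        f = self.group[name]
        raw = bytes.fromhex(value) if f.type_ == TYPE_HEX else value.encode("ascii")
        if len(raw) > f.size:
            raise ScfgError("your contents is too long")
        if f.type_ == TYPE_HEX:
            raw = raw.ljust(f.size, b"\x00")   # hex mode: caller supplies the exact bytes
        else:
            raw = raw.rjust(f.size, b" ")      # string mode: left-pad with 0x20 (omciMgr trace)
        self.blob[f.offset:f.offset + f.size] = raw

    def get(self, name: str) -> Optional[str]:
        """ritool get NAME: None when the field is hidden for this OperatorID."""
        f = self.group[name]
        if not f.visible_any_operator and not self.unlocked():
            return None          # hidden from ritool, though omciMgr can still read it
        raw = self._raw(f)
        return raw.hex() if f.hex_get else raw.strip(b" \x00").decode("ascii", "replace")

    def dump(self) -> Dict[str, Optional[str]]:
        return {name: self.get(name) for name in self.group}


def try_set(scfg: Scfg, name: str, value: str) -> str:
    """Return '' on success, else the driver-style message (keeps callers to plain checks)."""
    try:
        scfg.set(name, value)
        return ""
    except ScfgError as exc:
        return str(exc)


if __name__ == "__main__":
    s = Scfg()
    s.set("OperatorID", "0000")                          # unlock writes first
    s.set("LOID", "SZ1000005945279")                     # string mode: 9 bytes of 0x20 padding
    s.set("SLID", "30303535393132323700000000000000")    # hex mode: exact bytes, no padding
    print(s.blob[0x04:0x1C])
    print(s.dump())
    print(try_set(s, "LOIDPassword", "SZ1000005945X"))   # one byte over the 12-byte field
```

With the constructed layout, a LOID set in string mode lands in the blob as nine spaces followed by the 15 characters, exactly the shape of the logical_id.value trace earlier in the thread, while a hex-mode SLID is stored byte for byte; switching OperatorID to 0001 makes get() return None for the two LOID fields and makes every set() except OperatorID fail, matching the driver behaviour summarised above.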
unless removing other entries to make the space.
Right, I have resized the SSID-2Name and SSID-2Password.
I also modified the libdataModel.so, limited the size of LOIDPassword to 12 bytes instead of 16 bytes.
unless removing other entries to make the space.
Right, I have resized the SSID-2Name and SSID-2Password.
What do you mean? Even 16 + 12 would use the whole SSID-2Name and SSID-2Password space (I don't know if the code allows to set the size to 0, it doesn't look like it's what you did).
I also modified the libdataModel.so, limited the size of LOIDPassword to 12 bytes instead of 16 bytes.
This shouldn't be necessary, as the stack buffer is big enough (and this could even lead to an unterminated string when using the maximum size, at least for omciMgr traces, even if this isn't a new problem).
What do you mean? Even 16 + 12 would use the whole SSID-2Name and SSID-2Password space (I don't know if the code allows to set the size to 0, it doesn't look like it's what you did).
The ri mtd is defined in scfg.ko.
I moved the start position as well.
In fact, there is no need to modify SSID-2Password, if the LOIDPassword only has 12 bytes.
Ignore it.
This would cause issues when switching between firmwares.
It should be safe when switching firmwares.
As I mentioned above, the modification has no effect on other fields, and I guess those fields are not used in the firmware, such as SSID1-Name, SSID1-Password, SSID-2Name, SSID-2Password.
Well, I thought there was only 0x20 for the 4 values, not 0x30 🤦♂️
I will check the different possibilities for the flags in the driver (which you changed to input hex, but still store as binary I think). Maybe there is a way to be in string mode (since the GPON spec specifies them as strings), but without the padding.
But just in case, there is a possibility to modify on the ritool side to output as hex for consistency.
right?
And I cannot change the S/N.
update: following https://github.com/hwti/G-010S-A/issues/7#issuecomment-957071776, we should set OperatorID 0000 first.