Belgacom Box 2 (Bbox2)

What is it?

The Belgacom Box 2 (BBOX2) is a router used by Belgacom, the most popular Internet Service Provider (ISP) in Belgium, to provide access to thousands of subscribers in the country. Statistics say that there are more than 300.000 of those boxes in circulation. It runs a modified version of Linux by default (OpenRG), and has 1 USB2.0 port that allows people to modify it and extend its features.

News

Hardware

  • 1 USB2
  • 2 FXS
  • 1 switch 4 ports
  • 1 serial
  • 1 wifi atheros
  • VDSL2
  • Flash 16MB
  • RAM 64MB
  • 1 JTAG

Pictures

full.jpg
27112009663.jpg

Gallery

Serial port

Put some pictures here showing where to solder a 4-pin header to obtain the serial console.

GND TX NC RX

Put a picture of the pinout here:

bbox2-serial-pinout-usbbub.jpg

Serial messages

Screenlog

$ screen /dev/ttyUSB0 57600 8N1

The output is here (long).

Modules

# cat /proc/modules 
switch_6085 42656 0 - Live 0xc03c1000
bmedrv 7024 0 - Live 0xc0265000
relay_mod 2256 0 - Live 0xc002b000
rtp 62112 2 - Live 0xc03b0000
dspvoice 443584 1 rtp, Live 0xc04d3000
wlan_scan_ap 13792 0 - Live 0xc0270000
clip_mod 13344 0 - Live 0xc026b000
qos_ingress 1216 0 - Live 0xc0042000
watchdog_mod 3392 0 - Live 0xc000d000
ppp 45152 0 - Live 0xc038f000
be_pppoa_mod 6384 1 ppp, Live 0xc0257000
pppoe_relay 96192 0 - Live 0xc0376000
rg_ipv4 1472 0 - Live 0xc0029000
rg_dhcp_pktfil 5136 0 - Live 0xc0250000
jfw 385072 0 - Live 0xc0473000
frag_cache_mod 8768 1 jfw, Live 0xc0245000
tcp_mss 2352 0 - Live 0xc0027000
rg_bridge 56576 1 - Live 0xc0367000
rg_fastpath_bridge 8368 1 rg_bridge, Live 0xc0241000
igmp_proxy_mod 30592 1 - Live 0xc025c000
rg_fastpath 22736 4 pppoe_relay,jfw,rg_fastpath_bridge,igmp_proxy_mod, Live 0xc0249000
log_chardev 10944 7 ppp,pppoe_relay,jfw,frag_cache_mod,rg_bridge,igmp_proxy_mod,rg_fastpath, Live 0xc023d000
wl 498576 0 - Live 0xc03f8000
ath_pktlog 14672 0 - Live 0xc004f000
ath_pci 203216 1 ath_pktlog, Live 0xc027d000
wlan_acl 6624 1 - Live 0xc003f000
wlan_xauth 1088 0 - Live 0xc0025000
wlan_ccmp 9088 0 - Live 0xc003b000
wlan_tkip 14016 0 - Live 0xc0036000
wlan_wep 6528 0 - Live 0xc0000000
ath_dfs 38528 1 ath_pci, Live 0xc0044000
ath_rate_atheros 59376 2 ath_pktlog,ath_pci, Live 0xc022d000
wlan 273104 13 wlan_scan_ap,pppoe_relay,rg_fastpath_bridge,rg_fastpath,ath_pktlog,ath_pci,wlan_acl,wlan_xauth,wlan_ccmp,wlan_tkip,wlan_wep,ath_rate_atheros, Live 0xc0323000
ath_hal 463088 5 ath_pktlog,ath_pci,ath_dfs,ath_rate_atheros, Live 0xc02b0000
btn 3632 0 - Live 0xc0003000
kleds_mod 6880 0 - Live 0xc0022000
kos_lib 83232 27 qos_ingress,watchdog_mod,ppp,pppoe_relay,rg_ipv4,rg_dhcp_pktfil,jfw,frag_cache_mod,tcp_mss,rg_bridge,rg_fastpath_bridge,igmp_proxy_mod,rg_fastpath,log_chardev,btn,kleds_mod, Live 0xc0217000
atmdriver_lkm 1840112 2 rg_fastpath_bridge,rg_fastpath, Live 0xc0054000
ethdriver_lkm 32128 0 - Live 0xc002d000
timers_lkm 6400 1 atmdriver_lkm, Live 0xc001f000
sysutil 7280 0 - Live 0xc001c000
bmdriver_lkm 12032 1 atmdriver_lkm, Live 0xc0009000
peri_ap_lkm 11328 0 - Live 0xc0005000
fusivlib_lkm 47264 10 pppoe_relay,rg_fastpath_bridge,rg_fastpath,btn,kleds_mod,atmdriver_lkm,ethdriver_lkm,sysutil,bmdriver_lkm,peri_ap_lkm, Live 0xc000f000

Dump of the flash

Via a USB key:

# dd if=/dev/mtdblock0 of=mtdblock0

Files:

Re-flash via DD and MTD

A dump of the 16M flash (via dd if=/dev/mtdblock0 of=/tmp/16M) in /tmp allows you to back up the complete flash, but also to reflash the flash chip with the dd command. I tested it on a bbox2, rebooted it, and it works fine.
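Before a dump is trusted as a backup or written back with dd, it is worth checking that it is complete and stable. The script below is an added example, not part of the original page: it assumes two copies of /dev/mtdblock0 were taken one after the other and moved to a workstation, and the file names and the check_dump helper are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. Run on the workstation that
# holds two copies of /dev/mtdblock0 taken one after the other.
# File names and the check_dump helper are hypothetical.

FLASH_SIZE=$((16 * 1024 * 1024))   # "Flash 16MB" from the hardware list

file_size() { wc -c < "$1" | tr -d ' '; }
file_hash() { sha256sum "$1" | cut -d' ' -f1; }

# True when the file is one repeated 0xFF (erased flash) or 0x00 byte;
# a copy like that holds no firmware and must never be written back.
is_blank() {
    [ "$(LC_ALL=C tr -d '\377' < "$1" | wc -c)" -eq 0 ] ||
    [ "$(LC_ALL=C tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# check_dump FIRST SECOND [SIZE]
# Returns 0 and prints "ok <sha256>" when both copies have the expected
# size, are byte-identical and are not blank.
# Returns 1 (wrong size), 2 (copies differ) or 3 (blank image).
check_dump() {
    first=$1; second=$2; want=${3:-$FLASH_SIZE}
    for f in "$first" "$second"; do
        if [ "$(file_size "$f")" != "$want" ]; then
            echo "size of $f is not $want bytes (truncated copy?)" >&2
            return 1
        fi
    done
    # A difference means the flash changed between the two reads or a copy
    # was corrupted in transit; neither file is a stable baseline to write back.
    if ! cmp -s "$first" "$second"; then
        echo "the two reads differ" >&2
        return 2
    fi
    if is_blank "$first"; then
        echo "image is all 0xFF or all 0x00" >&2
        return 3
    fi
    echo "ok $(file_hash "$first")"
}

# Usage: sh check_dump.sh mtdblock0.first mtdblock0.second
if [ "$#" -ge 2 ]; then check_dump "$@"; fi
```

Keep the printed SHA-256 next to the backup so the same file can be re-verified before any later reflash.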

Toolchain

Thomson has a Microsoft Word file (Google HTML copy) where they explain the procedure to get a copy of the toolchain Sources-toolchain-3.2.2.tar:

Free software released under the GNU Lesser General Public License (LGPL) Version 2.1 (available at http://www.gnu.org/licenses/lgpl.txt);

Vlan
Updatedd-1.6
Sources-toolchain-3.2.2.tar

Anyone may obtain from us a copy of the source code for the free software packages listed above. The source packages for these programs are available for download at http://www.thomson.net/open-software. Those individuals without Internet access may request that a CD-ROM or DVD containing the source code be sent to them by mail. To reimburse the expenses incurred by creation, handling and postage, we will charge a €12 fee. To request a CD ROM or DVD of the source code, send an e-mail to ten.nosmoht|terttoc.eivlys#ten.nosmoht|terttoc.eivlys or mail the request, with payment, to Thomson Sylvie Cottret – Open Software Source Code Request, 46 Quai Alphonse Le Gallo 92100 Boulogne-Billancourt, France.

They do not put it online for download:

LV24 sources-toolchain-3.2.2.tar GPL V2 LGPL V2.1 Oversized Available on request

Compile Helloworld.c

  1. Install the toolchain from Jungo -> done
  2. Compile Helloworld.c statically -> done, Hello world works!
  3. Compile a static busybox with the OpenWRT external toolchain option -> does not find some includes…

Compile openwrt packages

It is quite easy to cross-compile packages with the OpenWRT "external toolchain" option if you have previously installed the toolchain:

openwrt-external-toolchain.png

Ninux cross-compiled some packages using this method for the bbox2: http://test.ninux.org/~claudyus/alice_agif/openwrt/ikanos/packages/

Put some static binaries here:

Load software with the TFTP client

The box has a TFTP client which you can use to download some software. I have set up a TFTP server with dnsmasq (my dnsmasq.conf is here) and created a /tftproot directory where I have put the static busybox. Now you can telnet to your bbox2 and download the static busybox (your bbox2 has to be connected to the internet):

zoobab@buzek /home/zoobab/tmp2 [9]$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
login: admin
Password: ********
[admin @ home]$ shell

BusyBox v1.01 (2010.01.26-12:11+0100) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#      
# tftp -g -r busybox -l /tmp/busybox zoobab.dyndns.org
(NOTE: it takes a while before giving you a shell back...)
# ls -lh /tmp/busybox 
-rwxr-xr-x    1 0        0          974.0k Apr  5 18:12 /tmp/busybox

You can create all symlinks to busybox in one command:

/tmp # for i in `./busybox --help | ./busybox grep 'Currently defined functions:' -A30 | ./busybox grep '\s.*,'`; do ln -s busybox `echo $i | ./busybox sed -e 's/,//g'`; done

Kernel sources

There seem to be some kernel sources here:

http://www.livebox-opensource.com/livebox1.2/thomson/src/linux-2.6.12.zip

It contains an adi_fusiv directory:

linux-2.6.12.zip#uzip/linux-2.6/arch/mips/adi_fusiv

There also seems to be an interesting patch here:

http://freetz.mhampicke.de/trunk/make/linux/patches/2.6.19.2/7270_04.76/120-remove_fusiv.patch

Trying to find the sources to which the patch relates…

FXS interface

The VillageTelco project seems to use the same kind of FXS chip (Si3215 instead of the Si3216 inside the bbox2):

ProSLIC module is Si3215
Start manual calibration
Module 0: Installed -- AUTO FXS
Registered mp char driver on major 34

Some interesting code about the Si Labs 3215 chipset:

/*
   mp.c
   David Rowe 17 May 2009

   Mesh Potato kernel mode driver for the Si Labs 3215 FXS chipset.  A
   bit bashed SPI interface is constructed using the Atheros AR2317
   (aka AR5315) SoC GPIO pins.  The SPI port is used for
   initialisation and signalling of the FXS port, the TDM speech data
   is transferred through the SoC RS232 port (via a hacked version of
   8250.c driver).

   Credits: lots of SPI code and Si labs init code borrowed from
   Zaptel wcfxs.c driver (Wildcard TDM400P TDM FXS/FXO Interface
   Driver) written by Mark Spencer and Matthew Fredrickson.
*/

JTAG

bbox2-jtag-soldering-01.jpg
bbox2-jtag-soldering-02.jpg

Pinout

This is the pinout of a Philips MIPS 2x10-pin header:

TRST 1 2 GND
TDI 3 4 GND
TDO 5 6 GND
TMS 7 8 GND
TCK 9 10 GND
SRESET 11 12 GND
NC 13 14 GND
NC 15 16 GND
NC 17 18 GND
NC 19 20 GND

UrJTAG

UrJTAG 0.10 #1864
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

jtag.c:518 main() Warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable JTAGkey
Connected to libftdi driver.
jtag> detect
discovery.c:117 urj_tap_detect_register_size() Warning: TDO seems to be stuck at 0
Error: parse.c:208 urj_parse_file() no error: Cannot open file '/home/zoobab/.jtag/rc' to parse
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00000010011111010011000111001011 (0x027D31CB)
  Manufacturer: Analog Devices, Inc. (0x1CB)
  Unknown part! (0010011111010011) (/usr/local/share/urjtag/analog/PARTS)
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00000010011111010011000111001011 (0x027D31CB)
  Manufacturer: Analog Devices, Inc. (0x1CB)
  Unknown part! (0010011111010011) (/usr/local/share/urjtag/analog/PARTS)
jtag> 

> jtag> discovery
> Detecting IR length ... 5
> Detecting DR length for IR 11111 ... 1
> Detecting DR length for IR 00000 ... 1
> Detecting DR length for IR 00001 ... 671
> Detecting DR length for IR 00010 ... 32
> Detecting DR length for IR 00011 ... 671
> Detecting DR length for IR 00100 ... 1
> Detecting DR length for IR 00101 ... 1
> Detecting DR length for IR 00110 ... 1
> Detecting DR length for IR 00111 ... 306
> Detecting DR length for IR 01000 ... 1
> Detecting DR length for IR 01001 ... 1
> Detecting DR length for IR 01010 ... 1
> Detecting DR length for IR 01011 ... 1
> Detecting DR length for IR 01100 ... 1
> Detecting DR length for IR 01101 ... 1
> Detecting DR length for IR 01110 ... 1
> Detecting DR length for IR 01111 ... 1
> Detecting DR length for IR 10000 ... 1
> Detecting DR length for IR 10001 ... 1
> Detecting DR length for IR 10010 ... 1
> Detecting DR length for IR 10011 ... 1
> Detecting DR length for IR 10100 ... 1
> Detecting DR length for IR 10101 ... 1
> Detecting DR length for IR 10110 ... 1
> Detecting DR length for IR 10111 ... 1
> Detecting DR length for IR 11000 ... 1
> Detecting DR length for IR 11001 ... 1
> Detecting DR length for IR 11010 ... 1
> Detecting DR length for IR 11011 ... 1
> Detecting DR length for IR 11100 ... 1
> Detecting DR length for IR 11101 ... 1
> Detecting DR length for IR 11110 ... 1
> jtag>
> jtag> initbus ejtag_dma
> Initialized bus 1, active bus 0
> jtag> print
>  No. Manufacturer              Part                 Stepping Instruction          Register                        
>    0                                                         (none)               (none)                          
> 
> Active bus:
> *0: EJTAG compatible bus driver via DMA (JTAG part No. 0)
>         start: 0x00000000, length: 0x1E000000, data width: 32 bit, (USEG : User addresses)
>         start: 0x1E000000, length: 0x02000000, data width: 16 bit, (FLASH : Addresses in flash (boot=0x1FC000000))
>         start: 0x20000000, length: 0x60000000, data width: 32 bit, (USEG : User addresses)
>         start: 0x80000000, length: 0x20000000, data width: 32 bit, (KSEG0: Kernel Unmapped Cached)
>         start: 0xA0000000, length: 0x20000000, data width: 32 bit, (KSEG1: Kernel Unmapped Uncached)
>         start: 0xC0000000, length: 0x20000000, data width: 32 bit, (SSEG : Supervisor Mapped)
>         start: 0xE0000000, length: 0x20000000, data width: 32 bit, (KSEG3: Kernel Mapped)
> jtag> readmem 0x1FC000000 0x02000000 out.bin
> address: 0xFFFFFFFC
> length:  0x02000000
> reading:
> chain.c(149) Part 0 without active instruction
> Segmentation fault
> root@buzek /home/zoobab [5]#

USB key speed test

I plugged a vfat-formatted USB key into the USB slot. It seems to be a USB2 port; I get a speed of 2.5 MB/s:

root@buzek /tmp [2]# while true; do wget http://192.168.1.1:631/sda1/10m; done
--2010-03-18 20:10:05--  http://192.168.1.1:631/sda1/10m
Connecting to 192.168.1.1:631... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10485760 (10M) [application/octet-stream]
Saving to: `10m.4'

100%[================================================>] 10,485,760  2.51M/s   in 4.0s    

2010-03-18 20:10:09 (2.50 MB/s) - `10m.4' saved [10485760/10485760]

--2010-03-18 20:10:09--  http://192.168.1.1:631/sda1/10m
Connecting to 192.168.1.1:631... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10485760 (10M) [application/octet-stream]
Saving to: `10m.5'

100%[================================================>] 10,485,760  2.54M/s   in 4.0s    

2010-03-18 20:10:13 (2.53 MB/s) - `10m.5' saved [10485760/10485760]

Files are accessible on the web interface (http://192.168.1.1:631/) at port 631.

Presentation at Hackito Ergo Sum 2010

Slides

http://www.hackitoergosum.org/2010/HES2010-bhenrion-Hacking-the-Belgacom-Box2.pdf

Videos

Links
