TP-Link TX-6610 - GPON terminal

Post new topic   Reply to topic    DD-WRT Forum Index -> Ralink SoC based Hardware
Author Message
BizonGod
DD-WRT Novice


Joined: 25 Jan 2011
Posts: 1

PostPosted: Sat Nov 12, 2016 11:28    Post subject: TP-Link TX-6610 - GPON terminal Reply with quote
Hi All!
I would like to describe hardware and some software of GPON terminal TP-Link TX-6610.

1/ Device opening
It is not so intuitive Smile
Under sticker with SN, under device is screw located. This screw need to be removed.
There are also latches on sides of housing. After levering latches housing is opened to
two halves.


2/ Printed Circuit Board, hardware
Inside case PCB is located, and on it we can find:
- CPU MediaTek/EcoNet MT7520ST
- RAM Winbond W9725G6KB-25 -> 32MB DDR2
- Flash Winbond W25Q64FVSIG -> 8MB NOR SPI
- laser amplifier EcoNet EN7570N, something like MAX24003
- DC/DC converter AP3502EM, up to 2A, on PCB max 15V input, output 3,3V
- reverse polarity protection on SK14 diode
- laser BOSA THBD313B3N

3/ UART connector
of course exists Smile -> JP1, pins:
1 - RX
2 - TX
3 - GND
4 - VCC
Speed - 115200

4/ Hardware modifications possibility:
For sure Flash can be upgraded , e .g. to Winbond W25Q128FVSIG -> 16MB.
Looking on PCB we can probability find A13 and BA2 lines, so PCB can accept up to
256MB, e. g. W9725G6KB-25

5/ CPU description
There are likely no information. Datasheet can't be found.

6/ Bootlog over UART
Here are data, that's goes thru UART during booting :
Code:

DRAMC V2.2.0.2 (0)


MT751020 at Tue Sep 22 10:18:19 HKT 2015 version 1.1 free bootbase

Memory size 32MB

flash base: bc000000
Found SPI Flash 8MiB Winbond W25Q64 at 0xbc000000

tcPhyVer_mt7510FE
 Not found TC Phy
mtPhyVer_7510Ge
Not found TC Phy
Press any key in 3 secs to enter boot command mode.
............................................................


Invalid Power GPIO, just return and don't turn on Power LED
act_flag:0, img0[1 1 1], img1[0 0 1]
boot flag = 0
Decompress to 80002000 free_mem_ptr=80600000 free_mem_ptr_end=80780000
from main
Uncompressing [LZMA] ...  done.
Linux version 2.6.36 (root@localhost.localdomain) (gcc version 4.3.4 (GCC) ) #23 SMP Thu Sep 24 04:17:46 HKT 2015
ISPRAM0: PA=002a8000,Size=00008000,enabled
DSPRAM0: PA=1dff8000,Size=00001000,enabled
flash_init: flash_base:bc000000
flash_init: flash_base:bc000000
memsize:32MB
Ralink MT751020 SOC prom init
bootconsole [early0] enabled
CPU revision is: 00019555 (MIPS 34Kc)
Determined physical RAM map:
 memory: 01fe0000 @ 00020000 (usable)
Wasting 1024 bytes for tracking 32 unused pages
Zone PFN ranges:
  Normal   0x00000020 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000020 -> 0x00002000
3 available secondary CPU TC(s)
PERCPU: Embedded 7 pages/cpu @81043000 s7168 r8192 d13312 u65536
pcpu-alloc: s7168 r8192 d13312 u65536 alloc=16*4096
pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8096
Kernel command line:  es=1
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 64kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=0004884a
Readback ErrCtl register=0004884a
nmi base is 81084200
Memory: 28676k/32640k available (2744k kernel code, 3964k reserved, 570k data, 216k init, 0k highmem)
SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
Hierarchical RCU implementation.
        RCU-based detection of stalled CPUs is disabled.
        Verbose stalled-CPUs detection is disabled.
NR_IRQS:64
CPU frequency 648.00 MHz
 Using 266.000 MHz high precision timer.
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
Calibrating delay loop... 430.89 BogoMIPS (lpj=2154496)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
34K sync es set to 1.
Config7: 0x80080500
Limit of 4 TCs set
TLB of 64 entry pairs shared by 2 VPEs
VPE 0: TC 0 1 2, VPE 1: TC 3
IPI buffer pool of 16 buffers
CPU revision is: 00019555 ((null))
TC 1 going on-line as CPU 1
CPU revision is: 00019555 ((null))
TC 2 going on-line as CPU 2
CPU revision is: 00019555 ((null))
TC 3 going on-line as CPU 3
Brought up 4 CPUs
NET: Registered protocol family 16
MT7510_pcie_init
check pcie link up status:
isRC0_LINKUP=0
isRC1_LINKUP=0
PCI-E RC0 & RC1 can not link up
bio: create slab <bio-0> at 0
NET: Registered protocol family 8
NET: Registered protocol family 20
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 128 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 128 (order: 0, 4096 bytes)
NET: Registered protocol family 1
TC3162 hardware watchdog module loaded.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 56
cryptomgr_test used greatest stack depth: 15360 bytes left
cryptomgr_test used greatest stack depth: 15324 bytes left
io scheduler noop registered (default)
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
brd: module loaded
tc3162 mtd init: mt6573_nand_init enter
MediaTek MT6573 Nand driver init, version v2.0
tc3162: flash device 0x01000000 at 0x1c000000
tc3162: Found SPIFLASH 8MiB Winbond W25Q64
Creating 14 MTD partitions on "tc3162":
0x000000000000-0x000000800000 : "flash"
0x000000000000-0x000000020000 : "tcboot"
0x000000020000-0x000000030000 : "romfile"
0x000000030000-0x000000040000 : "bootflag"
0x000000040000-0x000000050000 : "factoryinfo"
0x000000050000-0x000000060000 : "loid"
0x000000060000-0x000000070000 : "hwinfo"
0x000000070000-0x000000090000 : "config"
0x000000090000-0x0000000a0000 : "iot"
0x0000000a0000-0x0000001f0000 : "kernelA"
0x0000001f0000-0x000000400000 : "rootfsA"
0x000000400000-0x000000550000 : "kernelB"
0x000000550000-0x000000760000 : "rootfsB"
0x000000760000-0x000000800000 : "other"
rootfsA
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
NET: Registered protocol family 24
RT3xxx EHCI/OHCI init.
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (448 buckets, 1792 max)
ctnetlink v0.93: registering with nfnetlink.
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:10.
Freeing unused kernel memory: 216k freed
busybox init and set aff
init started:  BusyBox v1.00 (2015.09.17-05:01+0000) multi-call binary
[ used greatest stack depth: 14832 bytes left
[ used greatest stack depth: 14528 bytes left
busybox used greatest stack depth: 14320 bytes left
mtd[readflash]:device=mtd used greatest stack depth: 14240 bytes left
factoryinfo tclen=160 tcoffset=22
Unlocking factoryinfo ...
Reading from factoryinfo to /tmp/7570_bob.conf ...

00000000h: 00 00 02 37 00 00 04 88 00 00 00 F0 00 00 00 B8
00000010h: 00 00 00 06 00 00 00 10 00 00 0E B3 00 00 00 14
00000020h: 00 00 00 1C 00 00 00 10 FF FF FF FF 00 00 00 01
00000030h: 00 00 00 67 00 00 0B B8 FF FF FF FF FF FF FF FF
00000040h: 00 AF 00 F3 00 63 00 E9 FF FF FF FF FF FF FF FF
00000050h: 27 6C 69 00 03 E5 10 C0 00 64 02 48 FF FF FF FF
00000060h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000070h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000080h: FF FF FF FF 00 00 00 05 FF FF FF FF FF FF FF FF
00000090h: FF FF FF FF 07 05 07 00 FF FF FF FF FF FF FF FFmodule_sel: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
insmod used greatest stack depth: 13784 bytes left

tcsmux version: tcsmux V1.1.0.0 (Oct 13 2014-22:25:21).
vlantag_drv_init
TC3162 LED Manager 0.1 init

tcledctrl version: tcledctrl V1.1.0.0 (Sep 20 2015-14:57:19).
tccicmd V1.1.0.0 (Sep 20 2015-14:57:23)

SIFMaster 0.1 init

Register sifm cmd
the number of cfg node is 48
vlantag_init
autopvc_init
LanguageSwitch_init vendorCfgFile_init The number of cache node is 5
Enter into function:parser_romfile
mxml: Bad control character 0x0b not allowed by XML standard!
Romfile format is wrong, we use default romfile to replace current setting romfile!!
mtd[readflash]:device=reservearea tclen=512 tcoffset=197632
Unlocking reservearea ...
Could not open mtd device: reservearea
Unlocking romfile ...
Writing from /tmp/var/romfile.cfg to romfile ...
 [w]
Can't open /etc/Wireless/WLAN_APOn

lanHost_read: Create node LanHost !
sh: /usr/bin/ip: not found
insmod raeth driver
femac.c:v1.00-NAPI 29.Mar.2011
MAC from flash_base: 0xbc000000(offset: 0x40000):ffffffec 08 6b 2e 76 70
eth0: FE MAC Ethernet address: EC:08:6B:2E:76:70
eth0: starting interface.
EPhy debug(8): tcPhyVerLookUp() in
MT7510FE, EPhy debug(8)(15): tcPhyVerLookUp() out
PhyPart debug: tcPhyInit() in , tcphyver=15, phyaddr=8, eco=0x0
phyaddr = 8
EPhy debug(12): tcPhyVerLookUp() in
MT7510Ge,Internal check flag: fgMT7510Ge_INT=0x0, eco=0x50003
EPhy debug(12)(16): tcPhyVerLookUp() out
PhyPart debug: tcPhyInit() in , tcphyver=16, phyaddr=12, eco=0x0

 7510Ge, phyaddr= (12,12)
debug... ,phyaddr=12 ,eco=0x50003
xPON driver initialization
Alloc data struct memory successful, 34456
EN7570 found!
FLASH matrix got
Internal DDMI Enabled
TEC Enabled
RSSI_Vref = 0x215
RSSI_V = 0x29a
ERC filter set
MPD Current Offset = 0xdd
Start GPON Tx Calibration
Rx LOS is set
CDR disabled
T0/T1 delay = 0x9a
T0/T1 delay = 0x47
RGS_T0C = 0x51
RGS_T1C = 0x49
TGEN done
CDR enabled
Initial bias/mod current loaded from FLASH
MPDL/MPDH loaded
Tx SD set
APD initialization done
Rogue ONU clear
EN7570 Initialization Done!
PON PHY driver version is 111.86.66
XPON Mapping Module init OK!
Ebtables v2.0 registered
Ralink HW NAT Module Enabled
IP check use Black List
device eth0 entered promiscuous mode
done
TC3162 hardware watchdog initialized
no specific node
four ports
SIOCGIFFLAGS: No such device
interface eth0.1 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.2 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.3 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.4 does not exist!
sh: vconfig: not found
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
MT7520S is single port!
mtd[readflash]:device=reservearea tclen=512 tcoffset=197632
Unlocking reservearea ..Start omci
.
Could not open mtd device: reservearea
00:00:11 imgr.c [71]: Initial system driver.
00:00:11 imgr.c [77]: Initial pthread parameters.
00:00:11 imgr.c [83]: Initial dispatcher.
00:00:11 dspch_init.c [23]: Create IPC trap message queue
00:00:11 dspch_init.c [36]: Create IPC trap message queue
00:00:11 imgr.c [89]: Initial database manager.
00:00:11 dbmgr_init.c [32]: Create database memory.
00:00:11 dbmgr_init.c [38]: Create the share database memory successful.
00:00:11 dbmgr_init.c [41]: The total share database size is 0.
00:00:11 imgr.c [95]: Initial config manager.
00:00:11 imgr.c [101]: Initial fault manager.
00:00:11 imgr.c [107]: Initial performance manager.
Warning: there is no router interface for voip!!
iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
device nas1 entered promiscuous mode
br0: port 2(nas1) entering forwarding state
br0: port 2(nas1) entering forwarding state
br0: port 1(eth0) entering forwarding state
br0: port 1(eth0) entering forwarding state
sh: /userfs/bin/dnsmasq: not found
valid subcommands:
adsl
========================insmod iptable_filter=======================
chmod: /userfs/profile.cfg: Read-only file system
valid subcommands:
adsl
set olt type: 0
echo used greatest stack depth: 8944 bytes left
come into gpon_boot
activeImage=0, committedImage=0

Send OAM Update config!
!sendEponOamCmdMsg open message queue fail!
Unlocking romfile ...
Writing from /tmp/var/romfile.cfg to romfile ...
 [w]pon_vlan_init

Single Lan p[w]

 initilize xpon igmp module....done!
Cannot open file "/tm
sendOmciCmdMsg open message queue fail!p/upload_onu_cardholder_type"
pon_mac_filter_init

Single Lan portSIOCSIFMTU: No such device
got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
SIOCSIFMTU: No such device
SIOCSIFMTU: No such device
got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
SIOCSIFMTU: No such device
SIOCSIFMTU: No such device
*reg=00001640 value:00000000 (ext_switch:0)

Please press Enter to activate this console. got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
api_set_pon_ver_info(335): -- not implemented, to do here! --
api_set_sn_auth_info(300): snIUint32[0] = 0x54504c47, snIUint32[1] = 0x6b2e7670,
vendor: 0x54504c47
echo used greatest stack depth: 8512 bytes left
api_set_sn_auth_info(308): passwd:
Password:
erase at 0x00050000 with buflen 10000
start erasing memory: 0x50000 with length: 10000
after erasing memory
Write at 0x00050000 +0x00010000 ... with first char: ff
Write end ...
api_set_vlan_mode(853): set vlanmode=0 vid=1 pri=0
api_set_sn_auth_info(300): snIUint32[0] = 0x54504c47, snIUint32[1] = 0x6b2e7670,
vendor: 0x54504c47
got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
Line 778: IOT class 256, inst 0, attr id 1 value: V4.0
Line 778: IOT class 256, inst 0, attr id 0 value: TPLG
Line 778: IOT class 256, inst 0, attr id 2 value: TPLGk.vp
Line 778: IOT class 256, inst 0, attr id 3 value:
Line 778: IOT class 257, inst 0, attr id 0 value: TX-6610
Line 778: IOT class 257, inst 0, attr id 1 value: ▒
Line 778: IOT class 7, inst 0, attr id 0 value: V3.1.4
Line 778: IOT class 7, inst 1, attr id 0 value: V3.1.4
api_renegotiate(546): current mode is not gpon
api_set_onu_dhcp_status(1062): -- not implemented, to do here! --
mt7570 detected


7/ Bootloader menu
There is list of commands available in bootloader:
Code:

bldr> ?

?                                   Print out help messages.
help                                Print out help messages.
reset                               Board reset.
go                                  Booting the linux kernel.
decomp                              Decompress kernel image to ram.
memrl <addr>                        Read a word from addr.
memwl <addr> <value>                Write a word to addr.
memtest <s_addr> <e_addr> <partern> <iteration>Memory test.
bflag get|set <0 1>                 Get or set bootflag.
dump <addr> <len>                   Dump memory content.
jump <addr>                         Jump to addr.
flash <dst> <src> <len>             Write to flash from src to dst.
imginfo                             Show images info.
xmdm <addr> <len>                   Xmodem receive to addr.
miir <phyaddr> <reg>                Read ethernet phy reg.
miiw <phyaddr> <reg> <value>        Write ethernet phy reg.
cpufreq <freq num> / <m> <n>        Set CPU Freq <156~450>(freq has to be multiple of 6)
ipaddr <ip addr>                    Change modem's IP.
httpd                               Start Web Server
ddrdrv <..>                         Change DDR driving length
bldr>


8/ How to break in Smile
I looked into firmware file of this device, available under:
[url]static.tp-link.com/res/down/soft/TX-6610_V4_150922.zip[/url]
Inside can be found Linux image and SquashFS/LZMA file system.
After extraction of files, some where I found passwd .
Inside was login for root i hashed password -> admin / 1234
Using this data I was able to login over UART.

9/ Few outputs
busybox --help
Code:

# busybox --help
BusyBox v1.00 (2015.09.17-05:01+0000) multi-call binary

Usage: busybox [function] [arguments]...
   or: [function] [arguments]...

        BusyBox is a multi-call binary that combines many common Unix
        utilities into a single executable.  Most people will create a
        link to busybox for each function they wish to use, and BusyBox
        will act like whatever it was invoked as.

Currently defined functions:
        [, arp, ash, basename, busybox, cat, chmod, cp, cut, date, dd,
        dirname, dmesg, echo, env, expr, false, free, getty, gunzip, gzip,
        head, hostname, ifconfig, init, insmod, ip, kill, killall, klogd,
        ln, login, ls, mkdir, more, mount, mv, netstat, nslookup, passwd,
        pidof, ping, ping6, ps, pwd, reboot, rm, rmdir, rmmod, route,
        sed, sh, sleep, sysctl, syslogd, tar, taskset, test, tftp, top,
        traceroute, true, udhcpc, udhcpd, umount, uname, uptime, usleep,
        yes, zcat


dmesg
Code:

TC 0 1 2, VPE 1: TC 3
IPI buffer pool of 16 buffers
CPU revision is: 00019555 ((null))
TC 1 going on-line as CPU 1
CPU revision is: 00019555 ((null))
TC 2 going on-line as CPU 2
CPU revision is: 00019555 ((null))
TC 3 going on-line as CPU 3
Brought up 4 CPUs
NET: Registered protocol family 16
FPU Affinity set after 6460 emulations
MT7510_pcie_init
check pcie link up status:
isRC0_LINKUP=0
isRC1_LINKUP=0
PCI-E RC0 & RC1 can not link up
bio: create slab <bio-0> at 0
NET: Registered protocol family 8
NET: Registered protocol family 20
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 128 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 128 (order: 0, 4096 bytes)
NET: Registered protocol family 1
PCI: CLS 0 bytes, default 32
TC3162 hardware watchdog module loaded.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 56
cryptomgr_test used greatest stack depth: 15632 bytes left
io scheduler noop registered (default)
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
brd: module loaded
tc3162 mtd init: mt6573_nand_init enter
MediaTek MT6573 Nand driver init, version v2.0
tc3162: flash device 0x01000000 at 0x1c000000
tc3162: Found SPIFLASH 8MiB Winbond W25Q64
Creating 14 MTD partitions on "tc3162":
0x000000000000-0x000000800000 : "flash"
0x000000000000-0x000000020000 : "tcboot"
0x000000020000-0x000000030000 : "romfile"
0x000000030000-0x000000040000 : "bootflag"
0x000000040000-0x000000050000 : "factoryinfo"
0x000000050000-0x000000060000 : "loid"
0x000000060000-0x000000070000 : "hwinfo"
0x000000070000-0x000000090000 : "config"
0x000000090000-0x0000000a0000 : "iot"
0x0000000a0000-0x0000001f0000 : "kernelA"
0x0000001f0000-0x000000400000 : "rootfsA"
0x000000400000-0x000000550000 : "kernelB"
0x000000550000-0x000000760000 : "rootfsB"
0x000000760000-0x000000800000 : "other"
rootfsA
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
NET: Registered protocol family 24
RT3xxx EHCI/OHCI init.
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (448 buckets, 1792 max)
ctnetlink v0.93: registering with nfnetlink.
nf_conntrack_rtsp v0.6.21 loading
port #0: 554
nf_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:10.
Freeing unused kernel memory: 216k freed
init used greatest stack depth: 15448 bytes left
[ used greatest stack depth: 14832 bytes left
busybox used greatest stack depth: 14320 bytes left
mtd used greatest stack depth: 14240 bytes left
module_sel: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
insmod used greatest stack depth: 13744 bytes left

tcsmux version: tcsmux V1.1.0.0 (Oct 13 2014-22:25:21).
vlantag_drv_init
TC3162 LED Manager 0.1 init

tcledctrl version: tcledctrl V1.1.0.0 (Sep 20 2015-14:57:19).
tccicmd V1.1.0.0 (Sep 20 2015-14:57:23)

SIFMaster 0.1 init

Register sifm cmd
the number of cfg node is 48
vlantag_init
autopvc_init
LanguageSwitch_init vendorCfgFile_init The number of cache node is 5

lanHost_read: Create node LanHost !
femac.c:v1.00-NAPI 29.Mar.2011
MAC from flash_base: 0xbc000000(offset: 0x40000):ffffffec 08 6b 2e 76 70
eth0: FE MAC Ethernet address: EC:08:6B:2E:76:70
eth0: starting interface.
EPhy debug(8): tcPhyVerLookUp() in
MT7510FE, EPhy debug(8)(15): tcPhyVerLookUp() out
PhyPart debug: tcPhyInit() in , tcphyver=15, phyaddr=8, eco=0x0
phyaddr = 8
EPhy debug(12): tcPhyVerLookUp() in
MT7510Ge,Internal check flag: fgMT7510Ge_INT=0x0, eco=0x50003
EPhy debug(12)(16): tcPhyVerLookUp() out
PhyPart debug: tcPhyInit() in , tcphyver=16, phyaddr=12, eco=0x0

 7510Ge, phyaddr= (12,12)
debug... ,phyaddr=12 ,eco=0x50003
xPON driver initialization
Alloc data struct memory successful, 34456
EN7570 found!
FLASH matrix got
Internal DDMI Enabled
TEC Enabled
RSSI_Vref = 0x216
RSSI_V = 0x299
ERC filter set
MPD Current Offset = 0xdd
Start GPON Tx Calibration
Rx LOS is set
CDR disabled
T0/T1 delay = 0x9a
T0/T1 delay = 0x47
RGS_T0C = 0x52
RGS_T1C = 0x4a
TGEN done
CDR enabled
Initial bias/mod current loaded from FLASH
MPDL/MPDH loaded
Tx SD set
APD initialization done
Rogue ONU clear
EN7570 Initialization Done!
PON PHY driver version is 111.86.66
XPON Mapping Module init OK!
Ebtables v2.0 registered
insmod used greatest stack depth: 13736 bytes left
Ralink HW NAT Module Enabled
IP check use Black List
device eth0 entered promiscuous mode
TC3162 hardware watchdog initialized
Start omci
Warning: there is no router interface for voip!!
device nas1 entered promiscuous mode
br0: port 2(nas1) entering forwarding state
br0: port 2(nas1) entering forwarding state
br0: port 1(eth0) entering forwarding state
br0: port 1(eth0) entering forwarding state
valid subcommands:
adsl
========================insmod iptable_filter=======================
insmod used greatest stack depth: 13728 bytes left
set olt type: 0
echo used greatest stack depth: 8944 bytes left
come into gpon_boot
valid subcommands:
adsl
activeImage=0, committedImage=0

Send OAM Update config!
!pon_vlan_init

Single Lan port
 initilize xpon igmp module....done!

sendOmciCmdMsg open message queue fail!pon_mac_filter_init

Single Lan portgot image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
api_set_pon_ver_info(335): -- not implemented, to do here! --
eth0: no IPv6 routers present
api_set_sn_auth_info(300): snIUint32[0] = 0x54504c47, snIUint32[1] = 0x6b2e7670,
vendor: 0x54504c47
omci: no IPv6 routers present
api_set_sn_auth_info(308): passwd:
oam: no IPv6 routers present
Password:
erase at 0x00050000 with buflen 10000
start erasing memory: 0x50000 with length: 10000
after erasing memory
Write at 0x00050000 +0x00010000 ... with first char: ff
Write end ...
api_set_vlan_mode(853): set vlanmode=0 vid=1 pri=0
api_set_sn_auth_info(300): snIUint32[0] = 0x54504c47, snIUint32[1] = 0x6b2e7670,
vendor: 0x54504c47
got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
Line 778: IOT class 256, inst 0, attr id 1 value: V4.0
Line 778: IOT class 256, inst 0, attr id 0 value: TPLG
Line 778: IOT class 256, inst 0, attr id 2 value: TPLGk.vp
Line 778: IOT class 256, inst 0, attr id 3 value:
Line 778: IOT class 257, inst 0, attr id 0 value: TX-6610
Line 778: IOT class 257, inst 0, attr id 1 value: ▒
Line 778: IOT class 7, inst 0, attr id 0 value: V3.1.4
Line 778: IOT class 7, inst 1, attr id 0 value: V3.1.4
api_renegotiate(546): current mode is not gpon
api_set_onu_dhcp_status(1062): -- not implemented, to do here! --
mt7570 detected
pon: no IPv6 routers present
nas1: no IPv6 routers present
br0: no IPv6 routers present


ifconfig -a
Code:

# ifconfig -a
br0       Link encap:Ethernet  HWaddr EC:08:6B:xx:xx:xx
          inet addr:192.168.1.220  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::ee08:6bff:fe2e:7670/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:468 (468.0 B)

eth0      Link encap:Ethernet  HWaddr EC:08:6B:xx:xx:xx
          inet6 addr: fe80::ee08:6bff:fe2e:7670/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:22

ip6tnl0   Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1460  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

nas1      Link encap:Ethernet  HWaddr EC:08:6B:xx:xx:xx
          inet6 addr: fe80::ee08:6bff:fe2e:7670/64 Scope:Link
          UP BROADCAST RUNNING  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1072 (1.0 KiB)

oam       Link encap:Ethernet  HWaddr EC:08:6B:xx:xx:xx
          inet6 addr: fe80::ee08:6bff:fe2e:7670/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

omci      Link encap:Ethernet  HWaddr EC:08:6B:xx:xx:xx
          inet6 addr: fe80::ee08:6bff:fe2e:7670/64 Scope:Link
          UP BROADCAST RUNNING NOARP  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

pon       Link encap:Ethernet  HWaddr EC:08:6B:xx:xx:xx
          inet6 addr: fe80::ee08:6bff:fe2e:7670/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:20 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

sit0      Link encap:UNSPEC  HWaddr 00-00-00-00-CA-30-00-47-00-00-00-00-00-00-00-00
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


mount
Code:

# mount
/dev/mtdblock10 on / type squashfs (ro,relatime)
proc on /proc type proc (rw,relatime)
ramfs on /tmp type ramfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600)


10/ Opened ports

This is list of opened ports:
Code:

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     225    /tmp/tcapi_sock


As we can see, telnet is available Smile

11/ Telnet access

Login over telnet is possible, but using different login and password -> admin / admin .
Code:

---------------------------
Welcome To Use GPON Product
---------------------------
Login:admin
Password:
# ls
bin      etc      linuxrc  proc     tmp      usr      web
dev      lib      modules  sbin     userfs   var
#


As we can see, device is opened to the user Smile

12/ Kernel

Device's firmware is based on Linux, version 2.6.36
Manufacturer gives source code, at least part of it:
[url]static.tp-link.com/resources/gpl/TX-6610V4_GPL.tar.gz[/url]

13/ Flash upgrade
To check if really Flash can be upgraded, I desoldered it. After download of it content I wrote it on fresh
W25Q128 flash using programmer. After solder new flash in place it was discovered correctly Smile
Code:

DRAMC V2.2.0.2 (0)


MT751020 at Tue Sep 22 10:18:19 HKT 2015 version 1.1 free bootbase

Memory size 32MB

flash base: bc000000
Found SPI Flash 16MiB Winbond W25Q128 at 0xbc000000

tcPhyVer_mt7510FE
 Not found TC Phy
mtPhyVer_7510Ge
Not found TC Phy
Press any key in 3 secs to enter boot command mode.
............................................................


Invalid Power GPIO, just return and don't turn on Power LED
act_flag:0, img0[1 1 1], img1[0 0 1]
boot flag = 0
Decompress to 80002000 free_mem_ptr=80600000 free_mem_ptr_end=80780000
from main
Uncompressing [LZMA] ...  done.
Linux version 2.6.36 (root@localhost.localdomain) (gcc version 4.3.4 (GCC) ) #23 SMP Thu Sep 24 04:17:46 HKT 2015
ISPRAM0: PA=002a8000,Size=00008000,enabled
DSPRAM0: PA=1dff8000,Size=00001000,enabled
flash_init: flash_base:bc000000
flash_init: flash_base:bc000000
memsize:32MB
Ralink MT751020 SOC prom init
bootconsole [early0] enabled
CPU revision is: 00019555 (MIPS 34Kc)
Determined physical RAM map:
 memory: 01fe0000 @ 00020000 (usable)
Wasting 1024 bytes for tracking 32 unused pages
Zone PFN ranges:
  Normal   0x00000020 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000020 -> 0x00002000
3 available secondary CPU TC(s)
PERCPU: Embedded 7 pages/cpu @81043000 s7168 r8192 d13312 u65536
pcpu-alloc: s7168 r8192 d13312 u65536 alloc=16*4096
pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8096
Kernel command line:  es=1
PID hash table entries: 128 (order: -3, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 64kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00048840
Readback ErrCtl register=00048840
nmi base is 81084200
Memory: 28676k/32640k available (2744k kernel code, 3964k reserved, 570k data, 216k init, 0k highmem)
SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1
Hierarchical RCU implementation.
        RCU-based detection of stalled CPUs is disabled.
        Verbose stalled-CPUs detection is disabled.
NR_IRQS:64
CPU frequency 648.00 MHz
 Using 266.000 MHz high precision timer.
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
Calibrating delay loop... 430.89 BogoMIPS (lpj=2154496)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
34K sync es set to 1.
Config7: 0x80080500
Limit of 4 TCs set
TLB of 64 entry pairs shared by 2 VPEs
VPE 0: TC 0 1 2, VPE 1: TC 3
IPI buffer pool of 16 buffers
CPU revision is: 00019555 ((null))
TC 1 going on-line as CPU 1
CPU revision is: 00019555 ((null))
TC 2 going on-line as CPU 2
CPU revision is: 00019555 ((null))
TC 3 going on-line as CPU 3
Brought up 4 CPUs
NET: Registered protocol family 16
MT7510_pcie_init
check pcie link up status:
isRC0_LINKUP=0
isRC1_LINKUP=0
PCI-E RC0 & RC1 can not link up
bio: create slab <bio-0> at 0
NET: Registered protocol family 8
NET: Registered protocol family 20
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
UDP hash table entries: 128 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 128 (order: 0, 4096 bytes)
NET: Registered protocol family 1
TC3162 hardware watchdog module loaded.
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 56
cryptomgr_test used greatest stack depth: 15632 bytes left
cryptomgr_test used greatest stack depth: 15464 bytes left
io scheduler noop registered (default)
cryptomgr_test used greatest stack depth: 15320 bytes left
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
brd: module loaded
tc3162 mtd init: mt6573_nand_init enter
MediaTek MT6573 Nand driver init, version v2.0
tc3162: flash device 0x01000000 at 0x1c000000
tc3162: Found SPIFLASH 16MiB Winbond W25Q128
Creating 14 MTD partitions on "tc3162":
0x000000000000-0x000001000000 : "flash"
0x000000000000-0x000000020000 : "tcboot"
0x000000020000-0x000000030000 : "romfile"
0x000000030000-0x000000040000 : "bootflag"
0x000000040000-0x000000050000 : "factoryinfo"
0x000000050000-0x000000060000 : "loid"
0x000000060000-0x000000070000 : "hwinfo"
0x000000070000-0x000000090000 : "config"
0x000000090000-0x0000000a0000 : "iot"
0x0000000a0000-0x0000001f0000 : "kernelA"
0x0000001f0000-0x000000400000 : "rootfsA"
0x000000400000-0x000000550000 : "kernelB"
0x000000550000-0x000000760000 : "rootfsB"
0x000000760000-0x000000800000 : "other"
rootfsA
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
NET: Registered protocol family 24
RT3xxx EHCI/OHCI init.
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (448 buckets, 1792 max)
ctnetlink v0.93: registering with nfnetlink.
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:10.
Freeing unused kernel memory: 216k freed
init used greatest stack depth: 15176 bytes left
busybox init and set aff
init started:  BusyBox v1.00 (2015.09.17-05:01+0000) multi-call binary
[ used greatest stack depth: 14832 bytes left
busybox used greatest stack depth: 14280 bytes left
mtd[readflash]:device=famtd used greatest stack depth: 14240 bytes left
ctoryinfo tclen=160 tcoffseprolinecmd used greatest stack depth: 14176 bytes left
t=22
Unlocking factoryinfo ...
Reading from factoryinfo to /tmp/7570_bob.conf ...

00000000h: 00 00 02 37 00 00 04 88 00 00 00 F0 00 00 00 B8
00000010h: 00 00 00 06 00 00 00 10 00 00 0E B3 00 00 00 14
00000020h: 00 00 00 1C 00 00 00 10 FF FF FF FF 00 00 00 01
00000030h: 00 00 00 67 00 00 0B B8 FF FF FF FF FF FF FF FF
00000040h: 00 AF 00 F3 00 63 00 E9 FF FF FF FF FF FF FF FF
00000050h: 27 6C 69 00 03 E5 10 C0 00 64 02 48 FF FF FF FF
00000060h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000070h: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
00000080h: FF FF FF FF 00 00 00 05 FF FF FF FF FF FF FF FF
00000090h: FF FF FF FF 07 05 07 00 FF FF FF FF FF FF FF FFmodule_sel: module license 'unspecified' taints kernel.
Disabling lock debugging due to kernel taint
insmod used greatest stack depth: 13896 bytes left

tcsmux version: tcsmux V1.1.0.0 (Oct 13 2014-22:25:21).
vlantag_drv_init
TC3162 LED Manager 0.1 init

tcledctrl version: tcledctrl V1.1.0.0 (Sep 20 2015-14:57:19).
tccicmd V1.1.0.0 (Sep 20 2015-14:57:23)

SIFMaster 0.1 init

Register sifm cmd
insmod used greatest stack depth: 13640 bytes left
the number of cfg node is 48
vlantag_init
autopvc_init
LanguageSwitch_init vendorCfgFile_init The number of cache node is 5
Enter into function:parser_romfile
mxml: Bad control character 0x0b not allowed by XML standard!
Romfile format is wrong, we use default romfile to replace current setting romfile!!
mtd[readflash]:device=reservearea tclen=512 tcoffset=197632
Unlocking reservearea ...
Could not open mtd device: reservearea
Unlocking romfile ...
Writing from /tmp/var/romfile.cfg to romfile ...
 [w]
Can't open /etc/Wireless/WLAN_APOn

lanHost_read: Create node LanHost !
sh: /usr/bin/ip: not found
insmod raeth driver
femac.c:v1.00-NAPI 29.Mar.2011
MAC from flash_base: 0xbc000000(offset: 0x40000):ffffffec 08 6b 2e 76 70
eth0: FE MAC Ethernet address: EC:08:6B:2E:76:70
eth0: starting interface.
EPhy debug(8): tcPhyVerLookUp() in
MT7510FE, EPhy debug(8)(15): tcPhyVerLookUp() out
PhyPart debug: tcPhyInit() in , tcphyver=15, phyaddr=8, eco=0x0
phyaddr = 8
EPhy debug(12): tcPhyVerLookUp() in
MT7510Ge,Internal check flag: fgMT7510Ge_INT=0x0, eco=0x50003
EPhy debug(12)(16): tcPhyVerLookUp() out
PhyPart debug: tcPhyInit() in , tcphyver=16, phyaddr=12, eco=0x0

 7510Ge, phyaddr= (12,12)
debug... ,phyaddr=12 ,eco=0x50003
xPON driver initialization
Alloc data struct memory successful, 34456
EN7570 found!
FLASH matrix got
Internal DDMI Enabled
TEC Enabled
RSSI_Vref = 0x216
RSSI_V = 0x298
ERC filter set
MPD Current Offset = 0xdd
Start GPON Tx Calibration
Rx LOS is set
CDR disabled
T0/T1 delay = 0x9a
T0/T1 delay = 0x47
RGS_T0C = 0x52
RGS_T1C = 0x49
TGEN done
CDR enabled
Initial bias/mod current loaded from FLASH
MPDL/MPDH loaded
Tx SD set
APD initialization done
Rogue ONU clear
EN7570 Initialization Done!
PON PHY driver version is 111.86.66
XPON Mapping Module init OK!
Ebtables v2.0 registered
Ralink HW NAT Module Enabled
IP check use Black List
device eth0 entered promiscuous mode
done
no specific node
TC3162 hardware watchdog initialized
four ports
SIOCGIFFLAGS: No such device
interface eth0.1 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.2 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.3 does not exist!
sh: vconfig: not found
SIOCGIFFLAGS: No such device
interface eth0.4 does not exist!
sh: vconfig: not found
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
MT7520S is single port!
mtd[readflash]:device=reservearea tclen=512 tcoffset=197632
Unlocking reservearea Start omci
...
Could not open mtd device: reservearea
00:00:11 imgr.c [71]: Initial system driver.
00:00:11 imgr.c [77]: Initial pthread parameters.
00:00:11 imgr.c [83]: Initial dispatcher.
00:00:11 dspch_init.c [23]: Create IPC trap message queue
00:00:11 dspch_init.c [36]: Create IPC trap message queue
00:00:11 imgr.c [89]: Initial database manager.
00:00:11 dbmgr_init.c [32]: Create database memory.
00:00:11 dbmgr_init.c [38]: Create the share database memory successful.
00:00:11 dbmgr_init.c [41]: The total share database size is 0.
00:00:11 imgr.c [95]: Initial config manager.
00:00:11 imgr.c [101]: Initial fault manager.
00:00:11 imgr.c [107]: Initial performance manager.
Warning: there is no router interface for voip!!
iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.4.10: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
device nas1 entered promiscuous mode
br0: port 2(nas1) entering forwarding state
br0: port 2(nas1) entering forwarding state
br0: port 1(eth0) entering forwarding state
br0: port 1(eth0) entering forwarding state
sh: /userfs/bin/dnsmasq: not found
valid subcommands:
adsl
========================insmod iptable_filter=======================
chmod: /userfs/profile.cfg: Read-only file system
valid subcommands:
adsl
set olt type: 0
echo used greatest stack depth: 8944 bytes left
come into gpon_boot
activeImage=0, committedImage=0

Send OAM Update config!
!sendEponOamCmdMsg open message queue fail!
Unlocking romfile ...
Writing from /tmp/var/romfile.cfg to romfile ...
 [w]
pon_vlan_init

Single Lan port
 initilize xpon igmp module....done!
pon_mac_filter_init

Single Lan portCannot open file "/tmp
sendOmciCmdMsg open message queue fail!/upload_onu_cardholder_type"
SIOCSIFMTU: No such device
SIOCSIFMTU: No such device
SIOCSIFMTU: No such device
got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
SIOCSIFMTU: No such device
got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
SIOCSIFMTU: No such device
*reg=00001640 value:00000000 (ext_switch:0)

Please press Enter to activate this console. got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
api_set_pon_ver_info(335): -- not implemented, to do here! --
api_set_sn_auth_info(300): snIUint32[0] = 0x54504c47, snIUint32[1] = 0x6b2e7670,
vendor: 0x54504c47
api_set_sn_auth_info(308): passwd:
Password:
erase at 0x00050000 with buflen 10000
start erasing memory: 0x50000 with length: 10000
after erasing memory
Write at 0x00050000 +0x00010000 ... with first char: ff
Write end ...
api_set_vlan_mode(853): set vlanmode=0 vid=1 pri=0
api_set_sn_auth_info(300): snIUint32[0] = 0x54504c47, snIUint32[1] = 0x6b2e7670,
vendor: 0x54504c47
got image index(0): V3.1.4instanceId(0), img ver buffer is V3.1.4
got image index(1): V3.1.4instanceId(1), img ver buffer is V3.1.4
Line 778: IOT class 256, inst 0, attr id 1 value: V4.0
Line 778: IOT class 256, inst 0, attr id 0 value: TPLG
Line 778: IOT class 256, inst 0, attr id 2 value: TPLGk.vp
Line 778: IOT class 256, inst 0, attr id 3 value:
Line 778: IOT class 257, inst 0, attr id 0 value: TX-6610
Line 778: IOT class 257, inst 0, attr id 1 value: ▒
Line 778: IOT class 7, inst 0, attr id 0 value: V3.1.4
Line 778: IOT class 7, inst 1, attr id 0 value: V3.1.4
api_renegotiate(546): current mode is not gpon
api_set_onu_dhcp_status(1062): -- not implemented, to do here! --
mt7570 detected




Few photos of PCB in next week.
If someone have more info about this device, especially CPU, please write Smile

Best regards,
BizonGod
Sponsor
alexandernst
DD-WRT Novice


Joined: 09 Jan 2013
Posts: 2

PostPosted: Mon Dec 18, 2017 2:49    Post subject: Firmware debugging Reply with quote
I recently acquired this device and I'm debugging it's firmware in order to tweak it.
I have opened a repo in GitHub, feel free to join me.

http://github.com/alexandernst/TPLink-TX6610-V4-firmware-RE
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Ralink SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum