† Wolfgang H. Franke


ECI Telecom Hi-FOCuS ATU-R memory-dumps

2002-11-10: flash-dump separated

Tobias Diedrich took up the challenge on the flash-memory-dump and found it to be 3 zlib-compressed images: booter and 2 application files of different versions – for backup purposes.

It was something of a surprise to find, this way, two new versions never seen in action: 4.14 from the jjaf image and 3.11 from the td image. It also brought the first break-up of the hardware/software versioning, through the active 4.19 in an AC218bu (which will have to lead to a new presentation layout).
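How a flash dump can be split into its zlib streams, as an added example that is not part of the original page or of the tooling used for the analysis described above. The sample flash image, its offsets and the image contents are constructed.

```python
import zlib

def carve_zlib_streams(dump: bytes, min_output: int = 64):
    """Return (offset, compressed_len, decompressed_bytes) for every zlib stream in dump."""
    view = memoryview(dump)
    found, pos = [], 0
    while pos + 2 <= len(dump):
        # RFC 1950 header: CMF 0x78 (deflate, 32 KiB window) followed by FLG,
        # chosen so that the 16-bit value CMF*256+FLG is a multiple of 31.
        if dump[pos] == 0x78 and ((0x78 << 8) | dump[pos + 1]) % 31 == 0:
            d = zlib.decompressobj()
            try:
                out = d.decompress(view[pos:])
            except zlib.error:
                out = None          # header-like bytes that are not a real stream
            # d.eof is only set once the end of the stream (including its
            # Adler-32 trailer) was reached, so truncated matches are rejected.
            if out is not None and d.eof and len(out) >= min_output:
                used = len(dump) - pos - len(d.unused_data)
                found.append((pos, used, out))
                pos += used
                continue
        pos += 1
    return found

def build_sample_flash():
    """Constructed stand-in for a flash dump: 0xFF-erased space plus three images."""
    images = {
        0x0100: b"booter (constructed) " * 40,
        0x1000: b"application, older version (constructed) " * 60,
        0x2800: b"application, newer version (constructed) " * 60,
    }
    flash = bytearray(b"\xff" * 0x4000)
    for offset, image in images.items():
        blob = zlib.compress(image, 9)
        flash[offset:offset + len(blob)] = blob
    return bytes(flash), images

if __name__ == "__main__":
    flash, _ = build_sample_flash()
    for offset, clen, data in carve_zlib_streams(flash):
        print(f"0x{offset:06X}: {clen} bytes compressed -> {len(data)} bytes")
```

On a real dump the decompressed images can then be written to separate files and compared by version string.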

2002-09-01: what about the ethertypes?

Wondering about PPPoE-ethertype-identification for forwarding, I noticed only one single location with both close to each other. Try hex-search for 4086000C 8864.

2002-04-20: new memory found!

A new dump is available showing memory-location 0x800000/0x9FE000 of version 4.19, probably the flash- as opposed to the SDRAM-memory of all the other dumps.

This is probably the location at which to update the firmware permanently!

before …: analyzing the dumps

Have a preliminary look at the tasks running on two different versions, read out automatically by an analysis application developed for this purpose.

intro

To produce a memory dump you will need the WindRiver Tornado® Prototyper Plus (which was available for information-cost, but is not any more) and the jjaf.de ECI-ATU-memory-readout script-package that builds upon it. Minor parts of this package are for Windows only.

Alternatively to Tornado, you can use vxgdb.

installation

Extract the jjaf.de ECI-ATU-memory-readout script-package into the $WIND_BASE\host\x86-win32\bin\ directory.

usage

warning

Because this procedure reads out raw memory contents, there is a high probability that remnants of production data (real internet traffic incl. security codes) are found in the dump! So at minimum use the following procedure:

  1. Disconnect all other stations from the device other than the dumping server.

  2. Reset the device.

This will ensure that clean dumps will be produced that do not have distracting, unimportant information in them.
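A check to run on a dump before passing it on, as an added example that is not part of the jjaf.de script-package: it looks for one kind of remnant the warning describes, PPPoE session frames (ethertype 8864) that carry a cleartext PAP login, and reports only offsets and lengths. It assumes frames sit in memory in wire format; the sample dump and the credentials in it are constructed.

```python
import struct

PPPOE_SESSION = b"\x88\x64"  # ethertype of the PPPoE session stage (RFC 2516)
PPP_PAP = 0xC023             # PPP protocol number of PAP (RFC 1334), cleartext login

def find_pap_remnants(dump: bytes):
    """Return (offset, peer_id_len, password_len) per PAP Authenticate-Request found.

    Only positions and lengths are reported, so the output itself can be shared.
    """
    hits = []
    pos = dump.find(PPPOE_SESSION)
    while pos != -1:
        header = dump[pos + 2:pos + 10]      # 6-byte PPPoE header + 2-byte PPP protocol
        pap = dump[pos + 10:pos + 10 + 516]  # longest possible request
        if len(header) == 8 and len(pap) >= 6:
            ver_type, code, _sid, _plen, proto = struct.unpack(">BBHHH", header)
            # PAP request: code 1, identifier, 16-bit length, then
            # peer-id length, peer-id, password length, password.
            if ver_type == 0x11 and code == 0 and proto == PPP_PAP and pap[0] == 1:
                pap_len = struct.unpack(">H", pap[2:4])[0]
                id_len = pap[4]
                if 5 + id_len < len(pap):
                    pw_len = pap[5 + id_len]
                    # The length field must agree with both strings, which
                    # filters out chance occurrences of the byte pattern.
                    if pap_len == 6 + id_len + pw_len <= len(pap):
                        hits.append((pos, id_len, pw_len))
        pos = dump.find(PPPOE_SESSION, pos + 1)
    return hits

def build_sample_dump():
    """Constructed RAM image: zero fill, one LCP frame, one PAP login frame."""
    user, password = b"user@example.invalid", b"constructed-secret"
    body = bytes([len(user)]) + user + bytes([len(password)]) + password
    pap = struct.pack(">HBBH", PPP_PAP, 1, 1, 4 + len(body)) + body
    lcp = struct.pack(">HBBH", 0xC021, 1, 1, 4)
    macs = bytes.fromhex("020000000001020000000002")
    dump = bytearray(0x2000)
    for offset, ppp in ((0x0400, lcp), (0x1000, pap)):
        frame = macs + PPPOE_SESSION + struct.pack(">BBHH", 0x11, 0, 1, len(ppp)) + ppp
        dump[offset:offset + len(frame)] = frame
    return bytes(dump), len(user), len(password)
```

An empty result only covers this one pattern; a dump taken after the reset described above is still the safer thing to hand out.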

Shielding B-FOCuS AC230bu (AneT-Less)

procedure

  1. Disconnect all other stations from the device other than the dumping server.

  2. Disconnect DSL-line from the device.

  3. Reset the device to no-sync-state.

  4. Execute $WIND_BASE\host\x86-win32\bin\eci\eci-read.bat and follow the instructions.

  5. Shutdown wtx-registry and target.

  6. Rename the suffix of the produced dump to "-nosync.raw", but leave the rest intact. It's the processor-#, OS-ID and -version.

  7. Connect the DSL-line to the device.

  8. Reset the device to sync-state.

  9. Execute $WIND_BASE\host\x86-win32\bin\eci\eci-read.bat

  10. Rename the suffix of the produced dump to "-sync.raw", but leave the rest intact.

  11. Communicate these dumps and problems with the script (not WindRiver Tornado® Prototyper Plus).

known issues

tgtsvr is giving out error-message Error: Error performing target core file checksum. Warning: Core file checksums do not match.

This message is normal, just proceed.

Lacking the original core-image, the script uses a hacked dummy named dummy-ppc860.out with the correct ELF-PPC860 format so that tgtsvr can start up.

A notice has been included in the script in version 1.0.2

The script stops at some early point, probably after starting registry

This issue is fixed in version 1.0.4 thanks to Pierre-Alain Jauze; if not, please continue reading.

Some operating systems like Microsoft Windows XP do not process a batch-file like eci-read.bat in parallel. They wait for the termination of the called applications instead.

In this case you either have to fix the problem and send in the solution for inclusion into the script, or enter the batch-commands manually yourself in a console-window.

A notice has been included in the script in version 1.0.3

download existing dumps for inspection

Among other tools I found WinHex very useful in analyzing these files. There is a template for WIND_TCB-structure to analyze stack-frames.

architecture

BSP

version

RAM-image (000000-3FFFFF)

flash-image (800000-9FFFFF)

nosync

sync

full dump

booter

app

PPC860

Hi-FOCuS AneT board - 850 SAR

4.19

jjaf

jjaf

jjaf

ac220bu 5.2 (2001-03-13T10:02:00)

ac220bu 4.19

frw

frw

frw (initial init on new location)

frw (initial init on new location)

4.18

leo

no IP

4.13

paj

paj

Karim

no IP

Hi-FOCuS SU board - PowerPC 860 SAR

3.12

Tonio²K

Tonio²K

BeRT

BeRT

02.24i

jjaf

02.24

Edo

Edo

xtof

xtof

E2PROM-structure

description                                   length [bytes]

Version                                       5
Serial Number                                 20
Discrete Flags                                2
    FIELD, BSP, ADS, HF, SU, RESERVED
Ethernet IP Address
Ethernet IP Sub-Network Mask
Ethernet Default Gateway
MAC Address
Alarm Mask & Severity                         40
    ALARM (2*i+1)
    ALARM (2*i)
    M&E RES SEVERITY
1483 Encapsulation - Routing Table
    ENTRY#, BYTE#, ISP(i-1), IP Address, MASK, VPI, VCI
Customer Unit ID                              20
Customer Unit Name                            14
Customer Unit Description                     20
First Installation Date                       8
EEProm Not Empty (0xba)                       1
CRC - 12 Rsult [sic!]                         2

This work is licensed under a Creative Commons License.