Tobias Diedrich took up the challenge on the flash-memory-dump and found it to be 3 zlib-compressed images: booter and 2 application files of different versions – for backup purposes.
It was something of a surprise to find, this way, two new versions never seen in action: 4.14 from the jjaf image and 3.11 from the td image. It also brought the first breakup of hardware/software versioning, by the active 4.19 in an AC218bu (which has to lead to a new presentation layout).
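One way to locate the zlib-compressed images in a raw flash dump (an added example, not code from the original page or from Tobias Diedrich): it scans for RFC 1950 headers and keeps only streams that decompress completely with a valid checksum. The function names and the sample image are assumptions constructed for illustration.

```python
import zlib

def is_zlib_header(cmf, flg):
    """RFC 1950 header check: deflate method, window <= 32 KiB, FCHECK valid, no preset dictionary."""
    return (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0 and not flg & 0x20

def carve_zlib(dump, min_out=64, max_out=16 * 1024 * 1024):
    """Return [(offset, compressed_length, data)] for each complete zlib stream in dump."""
    view = memoryview(dump)
    found, pos = [], 0
    while pos + 2 <= len(dump):
        if is_zlib_header(dump[pos], dump[pos + 1]):
            d = zlib.decompressobj()
            try:
                # max_out caps the output so a hostile image cannot exhaust memory
                out = d.decompress(view[pos:], max_out)
            except zlib.error:
                out = None  # header-like bytes that are not a real stream
            # d.eof is only set once the trailing Adler-32 checksum has verified
            if out is not None and d.eof and len(out) >= min_out:
                clen = len(dump) - pos - len(d.unused_data)
                found.append((pos, clen, out))
                pos += clen  # continue after the stream, not inside it
                continue
        pos += 1
    return found

def build_sample():
    """Constructed stand-in for a flash image: 0xFF erase padding around three zlib streams."""
    parts = [b"booter code " * 40, b"application, older build " * 40, b"application, newer build " * 40]
    image = b"".join(b"\xff" * 32 + zlib.compress(p) for p in parts) + b"\xff" * 32
    return image, parts

if __name__ == "__main__":
    image, _ = build_sample()
    for offset, clen, data in carve_zlib(image):
        print(f"0x{offset:06x}: {clen} bytes compressed -> {len(data)} bytes, starts {data[:16]!r}")
```

On a real dump, pass the file contents to carve_zlib and write each returned data blob to its own file for further analysis.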
Wondering about PPPoE ethertype identification for forwarding, I noticed only one single location with both close to each other. Try a hex search for 4086000C 8864.
A new dump is available showing memory location 0x800000/0x9FE000 of version 4.19, probably the flash memory as opposed to the SDRAM of all the other dumps.
This is probably the location to write to in order to permanently update the firmware!
Have a preliminary look at the tasks running on two different versions, read out automatically by an analysis application developed for this purpose.
To produce a memory dump you will need the WindRiver Tornado® Prototyper Plus (which was available for information-cost, but is not any more) and the jjaf.de ECI-ATU-memory-readout script package that builds upon it. Minor parts of this package are for Windows only.
Alternatively to Tornado, you can use vxgdb.
Extract the jjaf.de ECI-ATU-memory-readout script package into the $WIND_BASE\host\x86-win32\bin\ directory.
Because this procedure reads out raw memory contents, there is a high probability that some remnants of production data (real internet traffic incl. security codes) are found in that dump! So at minimum use the following procedure:
Disconnect all other stations from the device other than the dumping server.
Reset the device.
This will ensure that clean dumps are produced that do not have distracting, unimportant information in them.
Disconnect all other stations from the device other than the dumping server.
Disconnect DSL-line from the device.
Reset the device to no-sync-state.
Execute $WIND_BASE\host\x86-win32\bin\eci\eci-read.bat and follow the instructions.
Shut down wtx-registry and the target.
Rename the suffix of the produced dump to "-nosync.raw", but leave the rest intact. It is the processor number, OS ID and version.
Connect the DSL-line to the device.
Reset the device to sync-state.
Execute $WIND_BASE\host\x86-win32\bin\eci\eci-read.bat
Rename the suffix of the produced dump to "-sync.raw", but leave the rest intact.
Communicate these dumps and any problems with the script (not with WindRiver Tornado® Prototyper Plus).
tgtsvr is giving out the error message "Error: Error performing target core file checksum. Warning: Core file checksums do not match."
This message is normal, just proceed.
Since the original core image is lacking, the script uses a hacked dummy named dummy-ppc860.out with the correct ELF-PPC860 format to allow tgtsvr to start up.
A notice has been included in the script in version 1.0.2.
This issue is fixed in version 1.0.4 thanks to Pierre-Alain Jauze; if not, please continue reading.
Some operating systems like Microsoft Windows XP do not process a batch file like eci-read.bat in parallel. They wait for the termination of the called applications instead.
In this case you either have to fix the problem and send in the solution for inclusion into the script, or manually enter the batch commands yourself in a console window.
A notice has been included in the script in version 1.0.3.
Among other tools, I found WinHex very useful in analyzing these files. There is a template for the WIND_TCB structure to analyze stack frames.
| architecture | BSP | version | RAM-image (000000-3FFFFF): nosync | RAM-image (000000-3FFFFF): sync | flash-image (800000-9FFFFF): full dump | flash-image (800000-9FFFFF): booter | flash-image (800000-9FFFFF): app |
|---|---|---|---|---|---|---|---|
| PPC860 | Hi-FOCuS AneT board - 850 SAR | | | | | | |
| | | no IP | | | | | |
| | | no IP | | | | | |
| | Hi-FOCuS SU board - PowerPC 860 SAR | | | | | | |
| description | length [bytes] |
|---|---|
| Version | 5 |
| Serial Number | 20 |
| Discrete Flags | 2 |
| Ethernet IP Address | |
| Ethernet IP Sub-Network Mask | |
| Ethernet Default Gateway | |
| MAC Address | |
| Alarm Mask & Severity | 40 |
| ALARM (2*i+1) | |
| ALARM (2*i) | |
| M&E RES SEVERITY | |
| 1483 Encapsulation - Routing Table | |
| Customer Unit ID | 20 |
| Customer Unit Name | 14 |
| Customer Unit Description | 20 |
| First Installation Date | 8 |
| EEProm Not Empty ( | 1 |
| CRC - 12 Rsult [sic!] | 2 |