ECI Telecom Hi-FOCuS ATU-R memory-dumps (jjaf.de)

ECI Telecom Hi-FOCuS ATU-R memory-dumps

2002-11-10: flash-dump seperated

Tobias Diedrich took up the challenge on the flash-memory-dump and found it to be 3 zlib-compressed images: booter and 2 application files of different versions – for backup purposes.

Some surprise it was to find two new versions this way never seen in action: 4.14 from jjaf- and 3.11 from td-image. And the first brakeup of hardware/software-versioning by the active 4.19 in an AC218bu (having to lead to a new presentation-layout).

2002-09-01: what about the ethertypes?

Wondering about PPPoE-ethertype-identification for forwarding, i noticed only one single location with both close to each other. Try hex-search for 4086000C 8864.

2002-04-20: new memory found!

A new dump is available showing memory-location 0x800000/0x9FE000 of version 4.19, probably the flash- as opposed to the SDRAM-memory of all the other dumps.

This is probably the location where to permanently update the firmware!

before …: analyzing the dumps

Have a preliminary look at the tasks running on two different versions, automatically read out by a developed analyzing application.

intro

To produce a memory dump you will need the WindRiver Tornado^® Prototyper Plus (which was available for information-cost, but is not any more.) and jjaf.de ECI-ATU-memory-readout script-package that builds upon that. This package is in minor parts for Windows only.

Alternativly to Tornado, you can use vxgdb.

usage

warning

Because this procedure reads out raw memory-contents, there is a high probability that some remnants of production-data (real internet-traffic incl. security-codes) is found in that dump! So at minimum use the following procedure:

Disconnect all other stations from the device other than the dumping server.
Reset the device.

This will ensure that clean dumps will be produced that do not have distracting, unimportant information in them.

procedure

Disconnect all other stations from the device other than the dumping server.

Disconnect DSL-line from the device.

Reset the device to no-sync-state.

Execute $WIND_BASE\host\x86-win32\bin\eci\eci-read.bat and follow the instructions.

Shutdown wtx-registry and target.

Rename produced dump-suffix to -nosync.raw", but leave the rest intact. It's the processor-#, OS-ID and -version.

Connect the DSL-line to the device.

Reset the device to sync-state.

Execute $WIND_BASE\host\x86-win32\bin\eci\eci-read.bat

Rename produced dump-suffix to -sync.raw", but leave the rest intact.

communicate these dumps and problems with the script (not WindRiver Tornado^® Prototyper Plus).

known issues

tgtsvr is giving out error-message Error: Error performing target core file checksum. Warning: Core file checksums do not match.

This message is normal, just proceed.

Since lacking the original core-image the script uses a hacked dummy named dummy-ppc860.out with the correct ELF-PPC860 format to allow to start tgtsvr up.

A notice has been included in the script in version 1.0.2

The script stops at some early point, probably after starting registry

This issue is fixed in version 1.0.4 thx to Pierre-Alain Jauze, if not: please continue reading.

Some operatings-systems like Microsoft Windows XP do not process a batch-file like eci-read.bat in parallel. They wait for the termination of the called applications instead.

In this case you either have to fix the problem and send in the solution for inclusion into the script or manually enter the batch-commands for yourself in a console-window.

A notice has been included in the script in version 1.0.3

download existing dumps for inspection

architecture	BSP	version	RAM-image (000000-3FFFFF)	flash-image (800000-9FFFFF)
PPC860	Hi-FOCuS AneT board - 850 SAR	4.19	jjaf	jjaf	jjaf	ac220bu 5.2 (2001-03-13T10:02:00)	ac220bu 4.19
frw	frw
frw (initial init on new location)	frw (initial init on new location)
4.18	leo	no IP
4.13	paj	paj
Karim	no IP
Hi-FOCuS SU board - PowerPC 860 SAR	3.12	Tonio²K	Tonio²K
BeRT	BeRT
02.24i	jjaf
02.24	Edo	Edo
xtof	xtof

architecture

BSP

version

RAM-image (000000-3FFFFF)

flash-image (800000-9FFFFF)

nosync

sync

full dump

booter

app

PPC860

Hi-FOCuS AneT board - 850 SAR

4.19

jjaf

ac220bu 5.2 (2001-03-13T10:02:00)

ac220bu 4.19

frw

frw (initial init on new location)

no IP

no IP

Hi-FOCuS SU board - PowerPC 860 SAR

E2PROM-structure

description	length [bytes]
Version	5
Serial Number	20
Discrete Flags `FIELD, BSP, ADS, HF, SU, RESERVED`	2
Ethernet IP Address
Ethernet IP Sub-Network Mask
Ethernet Default Gateway
MAC Address
Alarm Mask & Severity	40
ALARM (2*i+1)
ALARM (2*i)
M&E RES SEVERITY
1483 Encapsulation - Routing Table `ENTRY#, BYTE#, ISP(i-1), IP Address, MASK, VPI, VCI`
Customer Unit ID	20
Customer Unit Name	14
Customer Unit Description	20
First Installation Date	8
EEProm Not Empty (`0xba`)	1
CRC - 12 Rsult [sic!]	2

description

length [bytes]

Version

Serial Number

Discrete Flags
FIELD, BSP, ADS, HF, SU, RESERVED

Ethernet IP Address

Ethernet IP Sub-Network Mask

Ethernet Default Gateway

MAC Address

Alarm Mask & Severity

ALARM (2*i+1)

ALARM (2*i)

M&E RES SEVERITY

1483 Encapsulation - Routing Table
ENTRY#, BYTE#, ISP(i-1), IP Address, MASK, VPI, VCI

Customer Unit ID

Customer Unit Name

Customer Unit Description

First Installation Date

EEProm Not Empty (0xba)

CRC - 12 Rsult [sic!]