T-Com / Telekom Speedport Smart 3

Under Construction!
This page is currently under construction. You can edit the article to help completing it.

bootloader U-Boot
Main Kernel Linux 4.9.59
RFS OS distribution Modified OpenWrt 17.01.3
Boot core OS distribution Modified OpenWrt 15.05_ltq Chaos Calmer

Bootcore and rootfs have different OpenWRT and Linux versions.

Vendor Arcadyan
xDSL VRX518
Flash-Chip Micron MT29F8G08ABACAWP
Flash size 1024 MiB NAND Flash
Ram-Chip
RAM
Internet ADSL/VDSL/VDSL2
USB Yes 1 x 2.0
Serial Yes
JTAG ?
Cores 4
Instruction set Architecture MIPS
System-On-Chip-Family tbd
CPU/Speed InterAptiv 800 MHz
Vendor Lantiq

There are holes for a 2.54 mm pin header near the RJ-45 port for Link. It's labeled “J15”.

pin 1 pin 2 pin 3 pin 4
VCC (3.3V) TX RX GND

Do NOT connect the VCC pin of the PCB to the VCC pin of your serial interface! This can harm both devices.

Configuration: 115200 8N1 LSB first

According to the OEM bootloader, the flash layout is the following:

 #: name                size            offset          mask_flags
 0: uboot               0x200000        0x0             0
 1: ubootconfigA        0x100000        0x200000        0
 2: ubootconfigB        0x100000        0x300000        0
 3: gphyfirmware        0x100000        0x400000        0
 4: calibration         0x200000        0x500000        0
 5: bootcore            0x1000000       0x700000        0
 6: glbcfg              0x200000        0x1700000       0
 7: board_data          0x100000        0x1900000       0
 8: system_sw           0x1e600000      0x1a00000       0
 9: smarthome           0x17400000      0x20000000      0
10: smarthome_cfg       0x3c00000       0x37400000      0
11: repeater_img        0x1900000       0x3b000000      0
12: bridge_img          0xf00000        0x3c900000      0
13: arc_res             0x2600000       0x3d800000      0
14: res                 0x200000        0x3fe00000      0

active partition: nand0,0 - (uboot) 0x200000 @ 0x0

To switch boot mode, there are several unequipped resistors on the PCB. The following table shows the different modes and how they can be achieved. “1” means short circuiting the contacts of the resistor.

R212 R214 R215 R217 boot configuration (as shown in the log gathered from UART) descripition
0 0 1 1 00 fallback to UART
0 1 1 1 01 fallback to UART
0 0 1 0 02 fallback to UART
0 1 1 0 03 fallback to UART
1 0 1 1 04 UART boot mode
1 1 1 1 05 fallback to UART
1 0 1 0 06 fallback to UART; shows additional message “No valid image selected”
0 0 0 1 08 fallback to UART
0 1 0 1 09 boot from flash
0 0 0 0 0a boot from flash; default boot configuration
0 1 0 0 0b fallback to UART
1 0 0 1 0c fallback to UART
1 0 0 0 0e boot from flash
1 1 0 0 0f fallback to UART
1 1 1 0 ? boot loop

The firmware images are encrypted. The decryption seems to be done in the root file system by an executable /usr/bin/arc-fw-extractor. This tool makes use of OpenSSL libssl. RSA-4096, SHA-512 and AES-256-CBC seem to be used. According to the output of the program, there's a HMAC mechanism implemented. This means, that only signed firmware will be accepted in the upgrade process (signed by the manufacturer/vendor). Modified firmware won't be runable.

Output of ubi info l:

GRX500 # ubi info l UBI: volume information dump: UBI: vol_id 0 UBI: reserved_pebs 11 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 7 UBI: usable_leb_size 253952 UBI: used_ebs 11 UBI: used_bytes 2793472 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name kernelA UBI: volume information dump: UBI: vol_id 1 UBI: reserved_pebs 136 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 7 UBI: usable_leb_size 253952 UBI: used_ebs 136 UBI: used_bytes 34537472 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name rootfsA UBI: volume information dump: UBI: vol_id 2 UBI: reserved_pebs 4 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 9 UBI: usable_leb_size 253952 UBI: used_ebs 4 UBI: used_bytes 1015808 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name firmwareA UBI: volume information dump: UBI: vol_id 3 UBI: reserved_pebs 11 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 7 UBI: usable_leb_size 253952 UBI: used_ebs 11 UBI: used_bytes 2793472 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name kernelB UBI: volume information dump: UBI: vol_id 4 UBI: reserved_pebs 135 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 7 UBI: usable_leb_size 253952 UBI: used_ebs 135 UBI: used_bytes 34283520 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name rootfsB UBI: volume information dump: UBI: vol_id 5 UBI: reserved_pebs 4 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 9 UBI: usable_leb_size 253952 UBI: used_ebs 4 UBI: used_bytes 1015808 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name firmwareB UBI: volume information dump: UBI: vol_id 6 UBI: reserved_pebs 8 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 9 UBI: usable_leb_size 253952 UBI: used_ebs 8 UBI: used_bytes 2031616 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name bootcoreA UBI: volume information dump: UBI: vol_id 7 UBI: reserved_pebs 8 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 9 UBI: usable_leb_size 253952 UBI: used_ebs 8 UBI: used_bytes 2031616 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name bootcoreB UBI: volume information dump: UBI: vol_id 8 UBI: reserved_pebs 17 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 7 UBI: usable_leb_size 253952 UBI: used_ebs 17 UBI: used_bytes 4317184 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name glbcfgA UBI: volume information dump: UBI: vol_id 9 UBI: reserved_pebs 17 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 7 UBI: usable_leb_size 253952 UBI: used_ebs 17 UBI: used_bytes 4317184 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name glbcfgB UBI: volume information dump: UBI: vol_id 11 UBI: reserved_pebs 83 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 11 UBI: usable_leb_size 253952 UBI: used_ebs 83 UBI: used_bytes 21078016 UBI: last_eb_bytes 253952 UBI: corrupted 0 UBI: upd_marker 0 UBI: name rootfs_data UBI: volume information dump: UBI: vol_id 2147479551 UBI: reserved_pebs 2 UBI: alignment 1 UBI: data_pad 0 UBI: vol_type 3 UBI: name_len 13 UBI: usable_leb_size 253952 UBI: used_ebs 2 UBI: used_bytes 507904 UBI: last_eb_bytes 2 UBI: corrupted 0 UBI: upd_marker 0 UBI: name layout volume

ROM VER: 2.1.0 CFG 0a B . . . done 1.30.001.0000 (May 02 2018 - 16:20:30) interAptiv cps cpu/ddr run in 800/666 Mhz DRAM: 224 MiB NAND: ONFI flash detected ONFI param page 0 valid NAND device: Manufacturer ID: 0x2c, Chip ID: 0xd3 (Micron MT29F8G08ABACAWP) ECC: BCH_8BITS Page size:4096, OOB size:224 1024 MiB Bad block table found at page 262080, version 0x01 Bad block table found at page 262016, version 0x01 In: serial Out: serial Err: serial Net: multi type Internal phy firmware version: 0x853c GRX500 Switch [Cold Boot] Type "run flash_nfs" to mount root filesystem over NFS Creating 1 MTD partitions on "nand0": 0x000001a00000-0x000020000000 : "mtd=8" UBI: attaching mtd1 to ubi0 UBI: physical eraseblock size: 262144 bytes (256 KiB) UBI: logical eraseblock size: 253952 bytes UBI: smallest flash I/O unit: 4096 UBI: VID header offset: 4096 (aligned 4096) UBI: data offset: 8192 UBI: attached mtd1 to ubi0 UBI: MTD device name: "mtd=8" UBI: MTD device size: 486 MiB UBI: number of good PEBs: 1944 UBI: number of bad PEBs: 0 UBI: max. allowed volumes: 128 UBI: wear-leveling threshold: 4096 UBI: number of internal volumes: 1 UBI: number of user volumes: 11 UBI: available PEBs: 1487 UBI: total number of reserved PEBs: 457 UBI: number of PEBs reserved for bad PEB handling: 19 UBI: max/mean erase counter: 101/11 Volume kernelA found at volume id 0 read 0 bytes from volume 0 to 80800000(buf address) Read [2793472] bytes ======== Firmware version: 010137.3.0.008.1 Firmware Date : Fri Apr 19 15:37:10 2019 CST ======== Hit any key to stop autoboot: 0 Volume bootcoreA found at volume id 6 read 0 bytes from volume 6 to a0400000(buf address) Read [2031616] bytes Volume kernelA found at volume id 0 read 0 bytes from volume 0 to 80800000(buf address) Read [2793472] bytes ## Booting kernel from Legacy Image at 80800000 ... Image Name: MIPS LEDE LTQCPE Linux-4.9 Created: 2017-10-03 3:03:27 UTC Image Type: MIPS Linux Kernel Image (lzma compressed) Data Size: 2625472 Bytes = 2.5 MiB Load Address: a0020000 Entry Point: a0020000 Verifying Checksum ... OK Uncompressing Kernel Image ... OK Starting kernel ...

Ouput of the printenv command:

bootcmd=run flash_flash bootdelay=2 baudrate=115200 preboot=echo;echo Type \"run flash_nfs\" to mount root filesystem over NFS;echo bootfile="uImage" mem=224M phym=224M ipaddr=192.168.2.1 serverip=192.168.2.2 netdev=eth0 console=ttyLTQ0 tftppath= loadaddr=0x80800000 rootpath=/mnt/full_fs rootfsmtd=/dev/mtdblock6 nfsargs= setenv bootargs ubi.mtd=system_sw root=/dev/nfs rw nfsroot=${serverip}:${rootpath} ramargs=setenv bootargs root=/dev/ram rw addip=setenv bootargs ${bootargs} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}:${netdev}:on flash_nfs=run nfsargs addip addmisc;bootm ${kernel_addr} net_nfs=run run_bootcore;tftp ${loadaddr} ${tftppath}${bootfile};run nfsargs addip addmisc;bootm net_flash=run run_bootcore;tftp ${loadaddr} ${tftppath}${bootfile}; run flashargs addip addmisc; bootm net_ram=run run_bootcore;tftp ${loadaddr} ${tftppath}${bootfile}; run ramargs addip addmisc; bootm u-boot=u-boot-nand.bin rootfs=rootfs.img firmware=firmware.img fullimage=fullimage.img totalimage=totalimage.img load=tftp $(loadaddr) $(u-boot) update=protect off 1:0-2;era 1:0-2;cp.b $(loadaddr) B0000000 $(filesize) flashargs=setenv bootargs ubi.mtd=system_sw,${ubi_vid_hdr_offset} rootfsname=${rootfsname} ro rootfstype=squashfs do_overlay ${nandtype} flash_flash=run run_bootcore;ubi read ${loadaddr} ${kernel_vol};run flashargs addmisc;bootm ${loadaddr};httpd PFEU=0 update_nandboot=tftp ${loadaddr} ${tftppath}u-boot-nand.bin;nand erase 0 400000;nand erase 1A00000 1D600000;nand write.partial ${loadaddr} 0 ${filesize} ubi_init=setenv kernelA_id 0;setenv rootfsA_id 1;setenv firmwareA_id 2;setenv kernelB_id 3;setenv rootfsB_id 4;setenv firmwareB_id 5;setenv bootcoreA_id 6; setenv bootcoreB_id 7;setenv setbank check_image${uw switchbankA=setenv active_bank A;setenv kernel_id ${kernelA_id};setenv rootfs_id ${rootfsA_id};setenv f_kernel_size f_kernel_sizeA;setenv kernel_vol kernelA;setenv rootfs_vol rootfsA;setenv firmware_vol firmA switchbankB=setenv active_bank B;setenv kernel_id ${kernelB_id};setenv rootfs_id ${rootfsB_id};setenv f_kernel_size f_kernel_sizeB;setenv kernel_vol kernelB;setenv rootfs_vol rootfsB;setenv firmware_vol firmB check_image0=run switchbankA check_image1=run switchbankB;setenv update_chk 0;save check_image2=run switchbankB check_image3=run switchbankA;setenv update_chk 2;save update_uboot=tftp ${loadaddr} ${tftppath}${u-boot}; nand write.partial ${loadaddr} 0 ${filesize} update_kernel=tftpboot ${loadaddr} ${tftppath}${bootfile};run switchbankB;upgrade ${loadaddr} ${filesize};run switchbankA;set update_chk 0;upgrade ${loadaddr} ${filesize} update_bootloader=update_uboot update_rootfs=tftpboot ${loadaddr} ${tftppath}${rootfs};run switchbankB;upgrade ${loadaddr} ${filesize};run switchbankA;set update_chk 0;upgrade ${loadaddr} ${filesize} update_firmware=tftpboot ${loadaddr} ${tftppath}${firmware};upgrade ${loadaddr} ${filesize} update_fullimage=tftpboot ${loadaddr} ${tftppath}${fullimage};run switchbankB;upgrade ${loadaddr} ${filesize};run switchbankA;set update_chk 0;upgrade ${loadaddr} ${filesize} update_totalimage=tftpboot ${loadaddr} ${tftppath}${totalimage};upgrade ${loadaddr} ${filesize} update_gphyfirmware=tftpboot ${loadaddr} ${tftppath}gphy_firmware.img;nand write.partial ${loadaddr} 0x400000 ${filesize};re gphy_fw_addr=CONFIG_GRX500_EXTERN_GPHY_FW_ADDR update_bootcore=tftpboot ${loadaddr} ${tftppath}${bootcore};run switchbankB;upgrade ${loadaddr} ${filesize};run switchbankA;set update_chk 0;upgrade ${loadaddr} ${filesize} run_bootcore=ubi read 0xA0400000 ${bootcore_vol} ; secboot load_os 0x8E000000 0xA0400000 0x200000 bootcore=uImage_bootcore reset_uboot_config=nand erase ${f_ubootconfig_addr} ${f_ubootconfig_range};nand erase ${f_red_ubootconfig_addr} ${f_ubootconfig_range}; reset_ddr_config=nand write.partial 80400000 ${f_ddrconfig_addr} ${f_ddrconfig_size} reset_sysconfig=run ubi_init;ubi remove sysconfig;ubi remove sysconfigA;ubi remove sysconfigB mtdparts=mtdparts=17c00000.nand-parts:2m(uboot),1m(ubootconfigA),1m(ubootconfigB),1m(gphyfirmware),2m(calibration),16m(bootcore),2m(glbcfg),1m(board_data),486m(system_sw),372m(smarthome),60m(smarthome_cfg),2) part0_begin=0x00000000 part1_begin=0x00040000 part2_begin=0x000C0000 total_part=3 flash_end=0x007FFFFF data_block0=uboot data_block1=firmware data_block2=rootfs data_block3=kernel data_block4=sysconfig data_block5=ubootconfig data_block6=board_data total_db=7 f_uboot_addr=0x00000000 f_uboot_size=0 f_ubootconfig_addr=0x200000 f_ubootconfig_size=0x100000 f_ubootconfig_end=0x007FEFFF f_ubootconfig_range=0x100000 f_red_ubootconfig_addr=0x300000 f_gphy_firmware_addr=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_START_ADDR f_gphy_firmware_size=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_SIZE f_gphy_firmware_end=IFX_CFG_FLASH_GPHY_FIRMWARE_IMAGE_END_ADDR f_kernel_addr=0x007EDFFF f_kernel_end=IFX_CFG_FLASH_KERNEL_IMAGE_END_ADDR f_rootfs_addr=0x000C0000 f_rootfs_size=0 f_rootfs_end=IFX_CFG_FLASH_ROOTFS_IMAGE_END_ADDR f_firmware_addr=0x00040000 f_firmware_size=0 f_fwdiag_addr=IFX_CFG_FLASH_FIRMWARE_DIAG_START_ADDR f_fwdiag_size=IFX_CFG_FLASH_FIRMWARE_DIAG_SIZE f_sysconfig_addr=0x007EE000 f_sysconfig_size=0x10000 f_dectconfig_addr=IFX_CFG_FLASH_DECT_CFG_START_ADDR f_dectconfig_size=IFX_CFG_FLASH_DECT_CFG_SIZE f_wlanconfig_addr= IFX_CFG_FLASH_WLAN_CFG_START_ADDR f_wlanconfig_size=IFX_CFG_FLASH_WLAN_CFG_SIZE f_ddrconfig_addr=0x00003fe8 f_ddrconfig_size=24 f_ddrconfig_end=0x00003fff f_manuf_addr=0x007FF000 f_manuf_size=0x1000 f_manuf_end=0x007FFFFF ethact=GRX500 Switch ethaddr=4C:1B:86:78:E9:BA bl_version=1.30.001.0000 (May 02 2018 - 16:20:30) mtdids=nand0=17c00000.nand-parts f_rootfs_crc=E890D5E2 f_kernel_crc=5C8B7EF9 f_firmware_crc=CCB214AA f_bootcore_crc=3FBABC1F addmisc=setenv bootargs ${bootargs} console=${console},${baudrate} ethaddr=${ethaddr} panic=1 ${mtdparts} init=/etc/preinit active_bank=${active_bank} update_chk=${update_chk} maxcpus=4 pci=pcie_bus_perf eth} update_chk=0 warm_boot=n stdin=serial stdout=serial stderr=serial ver=1.30.001.0000 BootType=Cold kernelA_id=0 rootfsA_id=1 firmwareA_id=2 kernelB_id=3 rootfsB_id=4 firmwareB_id=5 bootcoreA_id=6 bootcoreB_id=7 setbank=check_image0 active_bank=A kernel_id=0 rootfs_id=1 f_kernel_size=f_kernel_sizeA kernel_vol=kernelA rootfs_vol=rootfsA firmware_vol=firmwareA rootfsname=rootfsA bootcore_vol=bootcoreA partition=nand0,0 mtddevnum=0 mtddevname=uboot ubi_vid_hdr_offset=4096 vrx518=1

Add some basic tags, e.g. SoC, RAM, Flash.How to add tags

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2022/01/11 19:23
  • by thehaecker