D-Link DSL-6850U
The D-LINK 6850U is a VDSL modem + router given by Israeli telecom provider Bezeq to customers of their high-speed VDSL plans (so-called Next Generation Network - NGN). The device seems to be custom made by D-Link specifically for Bezeq, and it arrives flashed with custom Bezeq firmware that includes many “features” such as open-by-default remote management ports (with default usernames and passwords!) and remote “management” backdoors that are very hard to shut off.
Note on TR-069
The modem/router has TR-069 enabled by default, the hidden URL to manage it is: http://10.0.0.138/_@tr69cfg.html
(Where 10.0.0.138 is the default modem IP address).
There is not explicit “disable” button there but changing the “ACS URL” (Bezeq server) to some internal IP address like 10.0.0.199 should do it.
Hardware
Info
Instruction set | MIPS |
---|---|
Vendor | Broadcom |
bootloader | cfe |
Board ID | 963168XN5 |
System-On-Chip | Broadcom BCM63168 |
CPU @Frq | BMIPS4350 v8.0 @400 MHz BMIPS Dual Core |
Flash-Chip | NAND |
Flash size | 128 MiB |
RAM | 128 MiB |
Wireless | Dual band N wireless (2.4GHz / 5GHz) |
Antenna | 2x |
switch | integrated 4x 10/100 |
USB | Yes |
Power adapter | |
Serial | Yes |
JTAG | ? |
Image
Serial
The board has a header pin serial interface named JP1 with pinout as follows:
1 | 2 | 3 | 4 | 5 |
---|---|---|---|---|
RX | ? | GND | TX |
Usual serial params are used: 115200 baud, 8N1.
Bootlogs
OEM bootlog
HELO CPUI L1CI HELO CPUI L1CI DRAM ---- PHYS STRF 400H PHYE DDR3 SIZ4 SIZ3 SIZ2 DINT USYN LSYN MFAS LMBE RACE PASS ---- ZBSS CODE DATA L12F MAIN FPS0 BT00 0001 BT00 0492 NAN3 RFS2 NAN5 CFE version 1.0.38-114.185 for BCM963268 (32bit,SP,BE) Build Date: Thu Aug 29 18:11:14 CST 2013 (looking@bb4compile) Copyright (C) 2000-2011 Broadcom Corporation. NAND flash device: name ESMT, id 0x92f1 block 128KB size 131072KB Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz Main Thread: TP0 Memory Test Passed Total Memory: 134217728 bytes (128MB) Boot Address: 0xb8000000 Board IP address : 192.168.1.1:ffffff00 Host IP address : 192.168.1.100 Gateway IP address : Run from flash/host (f/h) : f Default host run file name : vmlinux Default host flash file name : bcm963xx_fs_kernel Boot delay (0-9 seconds) : 1 Boot image (0=latest, 1=previous) : 0 Board Id (0-26) : 963168XN5 Number of MAC Addresses (1-32) : 11 Base MAC Address : c4:a8:1d:aa:bb:cc PSI Size (1-64) KBytes : 64 Enable Backup PSI [0|1] : 0 System Log Size (0-256) KBytes : 0 Auxillary File System Size Percent: 0 Main Thread Number [0|1] : 0 *** Press any key to stop auto run (1 seconds) *** Auto run second count down: 110 Booting from latest image (0xb8020000) ... Decompression OK! Entry at 0x803aaf20 Closing network. Disabling Switch ports. Flushing Receive Buffers... 0 buffers found. Closing DMA Channels. Starting program at 0x803aaf20 Linux version 2.6.30 (looking@bb4compile) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #1 SMP PREEMPT Thu Aug 29 18:16:50 CST 2013 BCM Flash API. Flash device is not found. 963168XN5 prom init CPU revision is: 0002a080 (Broadcom4350) DSL SDRAM reserved: 0x132000 Determined physical RAM map: memory: 07ece000 @ 00000000 (usable) Zone PFN ranges: DMA 0x00000000 -> 0x00001000 Normal 0x00001000 -> 0x00007ece Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000000 -> 0x00007ece On node 0 totalpages: 32462 free_area_init_node: node 0, pgdat 804b19c0, node_mem_map 81000000 DMA zone: 32 pages used for memmap DMA zone: 0 pages reserved DMA zone: 4064 pages, LIFO batch:0 Normal zone: 222 pages used for memmap Normal zone: 28144 pages, LIFO batch:7 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 32208 Kernel command line: root=mtd:rootfs ro rootfstype=jffs2 console=ttyS0,115200 wait instruction: enabled Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes. Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes NR_IRQS:128 PID hash table entries: 512 (order: 9, 2048 bytes) console [ttyS0] enabled Dentry cache hash table entries: 16384 (order: 4, 65536 bytes) Inode-cache hash table entries: 8192 (order: 3, 32768 bytes) Memory: 123296k/129848k available (3724k kernel code, 6380k reserved, 1037k data, 156k init, 0k highmem) Calibrating delay loop... 399.36 BogoMIPS (lpj=199680) Mount-cache hash table entries: 512 --Kernel Config-- SMP=1 PREEMPT=1 DEBUG_SPINLOCK=0 DEBUG_MUTEXES=0 Broadcom Logger v0.1 Aug 29 2013 18:12:04 CPU revision is: 0002a080 (Broadcom4350) Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes. Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes Calibrating delay loop... 402.43 BogoMIPS (lpj=201216) Brought up 2 CPUs net_namespace: 1140 bytes NET: Registered protocol family 16 Total Flash size: 0K with -1 sectors Internal 1P2 VREG will be shutdown if unused...Unused, turn it off (000092a2-00009297=11<300) registering PCI controller with io_map_base unset registering PCI controller with io_map_base unset bio: create slab <bio-0> at 0 SCSI subsystem initialized usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb pci 0000:00:00.0: reg 10 32bit mmio: [0x10004000-0x10005fff] pci 0000:00:00.0: supports D1 D2 pci 0000:00:00.0: PME# supported from D0 D3hot D3cold pci 0000:00:00.0: PME# disabled pci 0000:00:09.0: reg 10 32bit mmio: [0x10002600-0x100026ff] pci 0000:00:0a.0: reg 10 32bit mmio: [0x10002500-0x100025ff] pci 0000:01:00.0: PME# supported from D0 D3hot pci 0000:01:00.0: PME# disabled pci 0000:02:00.0: reg 10 64bit mmio: [0x000000-0x007fff] pci 0000:02:00.0: supports D1 D2 pci 0000:01:00.0: PCI bridge, secondary bus 0000:02 pci 0000:01:00.0: IO window: disabled pci 0000:01:00.0: MEM window: 0x11000000-0x110fffff pci 0000:01:00.0: PREFETCH window: disabled PCI: Enabling device 0000:01:00.0 (0000 -> 0002) PCI: Setting latency timer of device 0000:01:00.0 to 64 skbFreeTask created successfully [0;34mBLOG v3.0 Initialized[0m BLOG Rule v1.0 Initialized Broadcom IQoS v0.1 Aug 29 2013 18:15:30 initialized Broadcom GBPM v0.1 Aug 29 2013 18:15:30 initialized NET: Registered protocol family 8 NET: Registered protocol family 20 NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 4096 (order: 3, 32768 bytes) TCP bind hash table entries: 4096 (order: 3, 32768 bytes) TCP: Hash tables configured (established 4096 bind 4096) TCP reno registered NET: Registered protocol family 1 NTFS driver 2.1.29 [Flags: R/W]. JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc. fuse init (API version 7.11) msgmni has been set to 241 io scheduler noop registered (default) PCI: Setting latency timer of device 0000:01:00.0 to 64 Driver 'sd' needs updating - please use bus_type methods PPP generic driver version 2.4.2 PPP Deflate Compression module registered PPP BSD Compression module registered NET: Registered protocol family 24 bcm963xx_mtd driver v2.0 Failed to read image tag from flash Broadcom DSL NAND controller (BrcmNand Controller) -->brcmnand_scan: CS=0, numchips=1, csi=0 mtd->oobsize=0, mtd->eccOobSize=0 NAND_CS_NAND_XOR=00000000 Disabling XOR on CS#0 brcmnand_scan: Calling brcmnand_probe for CS=0 B4: NandSelect=40000001, nandConfig=15142200, chipSelect=0 brcmnand_read_id: CS0: dev_id=92f18095 After: NandSelect=40000001, nandConfig=15142200 DevId 92f18095 may not be supported. Will use config info Spare Area Size = 16B/512B Block size=00020000, erase shift=17 NAND Config: Reg=15142200, chipSize=128 MB, blockSize=128K, erase_shift=11 busWidth=1, pageSize=2048B, page_shift=11, page_mask=000007ff timing1 not adjusted: 6574845b timing2 not adjusted: 00001e96 brcmnand_adjust_acccontrol: gAccControl[CS=0]=00000000, ACC=f7ff1010 ECC level changed to 15 OOB size changed to 16 BrcmNAND mfg 0 0 UNSUPPORTED NAND CHIP 128MB on CS0 Found NAND on CS0: ACC=f7ff1010, cfg=15142200, flashId=92f18095, tim1=6574845b, tim2=00001e96 BrcmNAND version = 0x0400 128MB @00000000 brcmnand_scan: Done brcmnand_probe brcmnand_scan: B4 nand_select = 40000001 brcmnand_scan: After nand_select = 40000001 100 CS=0, chip->ctrl->CS[0]=0 ECC level 15, threshold at 1 bits reqEccLevel=0, eccLevel=15 190 eccLevel=15, chip->ecclevel=15, acc=f7ff1010 brcmnand_scan 10 200 CS=0, chip->ctrl->CS[0]=0 200 chip->ecclevel=15, acc=f7ff1010 page_shift=11, bbt_erase_shift=17, chip_shift=27, phys_erase_shift=17 brcmnand_scan 220 Brcm NAND controller version = 4.0 NAND flash size 128MB @18000000 brcmnand_scan 230 brcmnand_scan 40, mtd->oobsize=64, chip->ecclayout=00000000 brcmnand_scan 42, mtd->oobsize=64, chip->ecclevel=15, isMLC=0, chip->cellinfo=0 ECC layout=brcmnand_oob_bch4_4k brcmnand_scan: mtd->oobsize=64 brcmnand_scan: oobavail=50, eccsize=512, writesize=2048 brcmnand_scan, eccsize=512, writesize=2048, eccsteps=4, ecclevel=15, eccbytes=3 300 CS=0, chip->ctrl->CS[0]=0 500 chip=87a61d90, CS=0, chip->ctrl->CS[0]=0 -->brcmnand_default_bbt brcmnand_default_bbt: bbt_td = bbt_main_descr Bad block table Bbt0 found at page 0000ffc0, version 0x01 for chip on CS0 Bad block table 1tbB found at page 0000ff80, version 0x01 for chip on CS0 nand_read_bbt: Bad block at 0x052c0000 brcmnandCET: Status -> Deferred brcmnand_scan 99 Creating 4 MTD partitions on "brcmnand.0": 0x000000020000-0x000003d80000 : "rootfs" 0x000003d80000-0x000007ae0000 : "rootfs_update" 0x000007b00000-0x000007f00000 : "data" 0x000000000000-0x000000020000 : "nvram" ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver PCI: Enabling device 0000:00:0a.0 (0000 -> 0002) PCI: Setting latency timer of device 0000:00:0a.0 to 64 ehci_hcd 0000:00:0a.0: EHCI Host Controller ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1 ehci_hcd 0000:00:0a.0: Enabling legacy PCI PM ehci_hcd 0000:00:0a.0: irq 18, io mem 0x10002500 ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00 usb usb1: configuration #1 chosen from 1 choice hub 1-0:1.0: USB hub found hub 1-0:1.0: 2 ports detected ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver PCI: Enabling device 0000:00:09.0 (0000 -> 0002) PCI: Setting latency timer of device 0000:00:09.0 to 64 ohci_hcd 0000:00:09.0: OHCI Host Controller ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2 ohci_hcd 0000:00:09.0: irq 17, io mem 0x10002600 usb usb2: configuration #1 chosen from 1 choice hub 2-0:1.0: USB hub found hub 2-0:1.0: 2 ports detected usbcore: registered new interface driver usblp Initializing USB Mass Storage driver... usbcore: registered new interface driver usb-storage USB Mass Storage support registered. usbcore: registered new interface driver usbserial USB Serial support registered for generic usbcore: registered new interface driver usbserial_generic usbserial: USB Serial Driver core USB Serial support registered for GSM modem (1-port) usbcore: registered new interface driver option option: v0.7.2:USB Driver for GSM modems brcmboard: brcm_board_init entry brcm_board_init: isShared=0, rstToDflt_irq=0 Serial: BCM63XX driver $Revision: 3.00 $ [0;33mMagic SysRq enabled (type ^ h for list of supported commands)[0m ttyS0 at MMIO 0xb0000180 (irq = 13) is a BCM63XX ttyS1 at MMIO 0xb00001a0 (irq = 42) is a BCM63XX Total # RxBds=1448 bcmPktDmaBds_init: Broadcom Packet DMA BDs initialized bcmPktDma_init: Broadcom Packet DMA Library initialized bcmxtmrt: Broadcom BCM3168D0 ATM/PTM Network Device v0.4 Aug 29 2013 18:14:52 IPSEC SPU: SUCCEEDED GACT probability NOT on Mirror/redirect action on u32 classifier input device check on Actions configured TCP cubic registered Initializing XFRM netlink socket NET: Registered protocol family 10 IPv6 over IPv4 tunneling driver NET: Registered protocol family 17 NET: Registered protocol family 15 Initializing MCPD Module Ebtables v2.0 registered ebt_time registered ebt_ftos registered ebt_wmm_mark registered 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> All bugs added by David S. Miller <davem@redhat.com> jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x01020000: 0xd869 instead jffs2_scan_eraseblock(): Magic bitmask 0x1985 not found at 0x01020008: 0x0006 instead VFS: Mounted root (jffs2 filesystem) readonly on device 31:0. Freeing unused kernel memory: 156k freed ^@init started: BusyBox v1.17.2 (2013-08-29 18:44:43 CST) starting pid 230, tty '': '/etc/init.d/rcS' starting pid 234, tty '': '-/bin/sh' BusyBox v1.17.2 (2013-08-29 18:44:43 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. Loading drivers and kernel modules... chipinfo: module license 'proprietary' taints kernel. Disabling lock debugging due to kernel taint brcmchipinfo: brcm_chipinfo_init entry Broadcom Ingress QoS Module Char Driver v0.1 Aug 29 2013 18:14:15 Registered<243>[0m Broadcom Ingress QoS ver 0.1 initialized BPM: tot_mem_size=134217728B (128MB), buf_mem_size=20132655B (19MB), num of buffers=9460, buf size=2128 Broadcom BPM Module Char Driver v0.1 Aug 29 2013 18:14:04 Registered<244>[0m [0;34m[NTC bpm] bpm_set_status: BPM status : enabled [0m NBUFF v1.0 Initialized [0;36;44mInitialized fcache state[0m [0;36;44mBroadcom Packet Flow Cache Char Driver v2.2 Aug 29 2013 18:14:16 Registered<242>[0m Created Proc FS /procfs/fcache [0;36;44mBroadcom Packet Flow Cache registered with netdev chain[0m [0;36;44mBroadcom Packet Flow Cache learning via BLOG enabled.[0m [0;36;44mConstructed Broadcom Packet Flow Cache v2.2 Aug 29 2013 18:14:16[0m chipId 0x631680D0 Broadcom Forwarding Assist Processor (FAP) Char Driver v0.1 Aug 29 2013 18:14:06 Registered <241> Enabling SMISBUS PHYS_FAP_BASE[0] is 0x10c01000 FAP Soft Reset Done 4ke Reset Done Enabling SMISBUS PHYS_FAP_BASE[1] is 0x10c01000 FAP Soft Reset Done 4ke Reset Done FAP Debug values at 0xa5d9c590 0xa5e1c590 Allocated FAP0 GSO Buffers (0xA5DAA618) : 1048576 bytes @ 0xA5F00000 Allocated FAP1 GSO Buffers (0xA5E2A618) : 1048576 bytes @ 0xA5800000 Allocated FAP0 TM SDRAM Queue Storage (a5daa61c) : 341376 bytes @ a5e80000 Allocated FAP1 TM SDRAM Queue Storage (a5e2a61c) : 341376 bytes @ a5900000 [0;34m[NTC fapProto] fapReset : Reset FAP Protocol layer[0m [FAP0] DSPRAM : stack <0x80000000><1536>, global <0x80000600><3968>, free <2688>, total<8192> [FAP1] DSPRAM : stack <0x80000000><1536>, global <0x80000600><3968>, free <2688>, total<8192> [FAP0] PSM : addr<0x80002000>, used <23292>, free <1284>, total <24576> [FAP1] PSM : addr<0x80002000>, used <23292>, free <1284>, total <24576> [FAP0] DQM : availableMemory 14652 bytes, nextByteAddress 0xE0004948 [FAP1] DQM : availableMemory 14652 bytes, nextByteAddress 0xE0004948 [FAP0] GSO Buffer set to 0xA5F00000 [FAP1] GSO Buffer set to 0xA5800000 [FAP0] FAP BPM Initialized. [FAP1] FAP BPM Initialized. fapDrv_construct: FAP0: pManagedMemory=b0820650. wastage 8 bytes fapDrv_construct: FAP1: pManagedMemory=b0a20650. wastage 8 bytes bcmPktDma_bind: FAP Driver binding successfull [FAP0] FAP TM: ON [FAP1] FAP TM: ON bcmxtmcfg: bcmxtmcfg_init entry adsl: adsl_init entry Broadcom BCM63168D0 Ethernet Network Device v0.1 Aug 29 2013 18:14:40 Broadcom GMAC Char Driver v0.1 Aug 29 2013 18:14:48 Registered<249>[0m Broadcom GMAC Driver v0.1 Aug 29 2013 18:14:48 Initialized fapDrv_psmAlloc: fapIdx=1, size: 4800, offset=b0a20650 bytes remaining 7000 ETH Init: Ch:0 - 200 tx BDs at 0xb0a20650 fapDrv_psmAlloc: fapIdx=0, size: 4800, offset=b0820650 bytes remaining 7000 ETH Init: Ch:1 - 200 tx BDs at 0xb0820650 fapDrv_psmAlloc: wastage 8 bytes fapDrv_psmAlloc: fapIdx=0, size: 4808, offset=b0821910 bytes remaining 2184 ETH Init: Ch:0 - 600 rx BDs at 0xb0821910 fapDrv_psmAlloc: wastage 8 bytes fapDrv_psmAlloc: fapIdx=1, size: 4808, offset=b0a21910 bytes remaining 2184 ETH Init: Ch:1 - 600 rx BDs at 0xb0a21910 dgasp: kerSysRegisterDyingGaspHandler: bcmsw registered dev name:eth1 eth1: MAC Address: C4:A8:1D:AA:BB:CC dev name:eth2 eth2: MAC Address: C4:A8:1D:AA:BB:CC dev name:eth3 eth3: MAC Address: C4:A8:1D:AA:BB:CC dev name:eth0 eth0: MAC Address: C4:A8:1D:AA:BB:CC NComm TMS V6.80 Kernel Module loaded. Broadcom BCM3168D0 USB Network Device v0.4a Aug 29 2013 18:14:25 usb0: MAC Address: C4 A8 1D AA BB CC usb0: Host MAC Address: C4 A8 1D AA BB CC hub 1-0:1.0: over-current change on port 2 USBD Initialization done status 0 USB Link DOWN. message received before monitor task is initialized kerSysSendtoMonitorTask [0;34m[NTC arl] arlEnable : Enabled ARL binding to FAP[0m Broadcom Address Resolution Logic Processor (ARL) Char Driver v0.1 Aug 29 2013 18:14:04 Registered <245> --SMP support wl: dsl_tx_pkt_flush_len=338 wl: high_wmark_tot=6149 PCI: Setting latency timer of device 0000:00:00.0 to 64 wl: passivemode=1 wl: napimode=0 wl1: allocskbmode=1 currallocskbsz=3500 Neither SPROM nor OTP has valid image wl:srom/otp not programmed, using main memory mapped srom info(wombo board) wl:loading /etc/wlan/bcm6362_map.bin srom rev:8 wl: reading /etc/wlan/bcmcmn_nvramvars.bin, file size=16 wl1: Broadcom BCM435f 802.11 Wireless Controller 6.30.102.7.cpe4.12L08.0 dgasp: kerSysRegisterDyingGaspHandler: wl1 registered PCI: Enabling device 0000:02:00.0 (0000 -> 0002) PCI: Setting latency timer of device 0000:02:00.0 to 64 wl: passivemode=1 wl: napimode=0 wl0: allocskbmode=1 currallocskbsz=512 Neither SPROM nor OTP has valid image wl:srom/otp not programmed, using main memory mapped srom info(wombo board) wl:loading /etc/wlan/bcm43217_map.bin srom rev:8 wl: reading /etc/wlan/bcmcmn_nvramvars.bin, file size=16 wl0: Broadcom BCMa8db 802.11 Wireless Controller 6.30.102.7.cpe4.12L08.0 dgasp: kerSysRegisterDyingGaspHandler: wl0 registered p8021ag: p8021ag_init entry Broadcom 802.1Q VLAN Interface, v0.1 ===== Release Version 4.12L.08 (build timestamp 130829_1841) ===== Host MIPS Clock divider pwrsaving is enabled DDR Self Refresh pwrsaving is enabled ifconfig: br0: error fetching interface information: Device not found ifconfig: br0: error fetching interface information: Device not found ifconfig: br0: error fetching interface information: Device not found ifconfig: br0: error fetching interface information: Device not found ip_tables: (C) 2000-2006 Netfilter Core Team nf_conntrack version 0.5.0 (2028 buckets, 8112 max) ip6_tables: (C) 2000-2006 Netfilter Core Team ifconfig: br0: error fetching interface information: Device not found status = disable netBiosName=bezeq directoryName =bezeq utf8DirName=bezeq charset=utf8 samba disable,don't start samba killall: imspector: no process killed hotspotCfg->externalCaptivePortal=[pwcaptive.bezeq.co.il], hotspotCfg->sessionExpirationTime=[1800], hotspotCfg->accessLimitation=[5] Netfilter messages via NETLINK v0.30. Bad chain. Chain ARP_POLICY doesn't exist. iptables: No chain/target/match by that name device eth0 entered promiscuous mode ADDRCONF(NETDEV_UP): eth0: link is not ready device eth1 entered promiscuous mode ADDRCONF(NETDEV_UP): eth1: link is not ready device eth2 entered promiscuous mode ADDRCONF(NETDEV_UP): eth2: link is not ready device eth3 entered promiscuous mode ADDRCONF(NETDEV_UP): eth3: link is not ready device wl0 entered promiscuous mode WLmngr Daemon is running optarg=0 shmId=0 br0: port 5(wl0) entering forwarding state wlevt is ready for new msg... device wl1 entered promiscuous mode br0: port 6(wl1) entering forwarding state tr69c:error:31.697:initLoggingFromConfig:276:failed to get lock, ret=9809 status = disable netBiosName=bezeq directoryName =bezeq utf8DirName=bezeq charset=utf8 samba disable,don't start samba I am open &async_queue = 0xc0c20e70wlButtonInit open<0> gpio_fasync success kill_fasync: bad magic number in fasync_struct! Pasync_queue->magic = 0x4601 hotspotCfg->externalCaptivePortal=[pwcaptive.bezeq.co.il], hotspotCfg->sessionExpirationTime=[1800], hotspotCfg->accessLimitation=[5] wlmngr_initCfg:dataSync:2 Bad chain. Chain ARP_POLICY doesn't exist. Chain ARP_POLICY doesn't exist. Chain ARP_POLICY doesn't exist. iptables: No chain/target/match by that name BcmAdsl_Initialize=0xC026FC00, g_pFnNotifyCallback=0xC02B02C4 lmemhdr[2]=0x100CE000, pAdslLMem[2]=0x100CE000 pSdramPHY=0xA7FFFFF8, 0xFFFFFFFF 0xFFFFFFFF *** XfaceOffset: 0x5FF90 => 0x5FF90 *** *** PhySdramSize got adjusted: 0xE6890 => 0x11D0C0 *** AdslCoreSharedMemInit: shareMemSize=85789(85792) AdslCoreHwReset: pLocSbSta=83950000 bkupThreshold=3072 AdslCoreHwReset: AdslOemDataAddr = 0xA7FA59F8 ***BcmDiagsMgrRegisterClient: 0 *** dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered fapDrv_psmAlloc: fapIdx=1, size: 1600, offset=b0a22be0 bytes remaining 584 XTM Init: Ch:0 - 200 rx BDs at 0xb0a22be0 fapDrv_psmAlloc: fapIdx=1, size: 128, offset=b0a23220 bytes remaining 456 XTM Init: Ch:1 - 16 rx BDs at 0xb0a23220 bcmxtmrt: PTM/ATM Non-Bonding Mode configured in system dnsprobe: Can not open /etc/resolv.conf Line 0: xDSL G.994 training message received before monitor task is initialized kerSysSendtoMonitorTask tr69c:error:37.759:updateTr69cCfgInfo:519:Could not get lock, ret=9809 iptables: Chain already exists iptables: Chain already exists tr69c:error:43.760:setDefaultActiveNotification:1607:could not get lock iptables: Chain already exists dnsprobe: Can not open /etc/resolv.conf message received before monitor task is initialized kerSysSendtoMonitorTask monitor task is initialized pid= 343 tr143EchoCfgServer:notice:48.781:main:322:calling cmsMdm_init with shmId=0 tr143EchoCfgServer:notice:48.782:cmsMdm_init:191:entered, eid=112(tr143EchoCfgServer) shmid=0 tr143EchoCfgServer:notice:48.782:oalShm_init:135:attaching to existing shmId=0 tr143EchoCfgServer:notice:48.782:oalLck_init:114:attach existing done, semid=0 tr143EchoCfgServer:notice:48.782:cmsMem_initSharedMemPointer:134:shm pool: 0x58815e1c-0x58888000 tr143EchoCfgServer:error:48.866:main:332:setupConfig error ret=-1 tr143EchoCfgServer:notice:48.866:cmsMdm_cleanup:367:entered tr143EchoCfgServer:notice:48.867:cmsMdm_cleanup:375:done Ori sn XXXXXXXXXXXXX Line 0: VDSL G.993 started Note: Loading 6300 MDK (default) driver for 63168 chip Switch MDK: num_switches = 1 Switch MDK: unit = 0; phy_pbmp = 0xf; config_pbmp = 0xf Switch MDK link poll thread: unit=0; phypbmp=0xf br0: port 5(wl0) entering disabled state device wl0 left promiscuous mode br0: port 5(wl0) entering disabled state ssk:error:50.060:lck_checkBeforeEntry:225:lock required during cmsObj_getNextInSubTreeFlags ssk:error:50.061:lck_checkBeforeEntry:225:lock required during cmsObj_getNextInSubTreeFlags device wl0 entered promiscuous mode br0: port 5(wl0) entering forwarding state br0: port 5(wl0) entering disabled state Setting SSID: "HELLO" Setting SSID: "Bezeq Free 003333" Setting SSID: "wl0_Guest2" Setting SSID: "wl0_Guest3" wlctl: Unsupported device wl0 left promiscuous mode br0: port 5(wl0) entering disabled state ssk:error:51.872:lck_checkBeforeEntry:225:lock required during cmsObj_getNextInSubTreeFlags ssk:error:51.873:lck_checkBeforeEntry:225:lock required during cmsObj_getNextInSubTreeFlags device wl0 entered promiscuous mode br0: port 5(wl0) entering forwarding state ssk:error:52.252:hijack_init:1786:fail to get br2's ip address acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... dnsprobe: Can not open /etc/resolv.conf acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: selected channel spec: 0x1001 wl1: WLC_GET_VAR(bw_cap): Invalid argument ACSD >>acs_get_rs_info(778): failed to get bw_capret code: -1 acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: selected channel spec: 0x1001 Line 0: VDSL2 link up, Bearer 0, us=5023, ds=54072 bcmxtmcfg: XTM Link Information, port = 0, State = UP, Service Support = PTM bcmxtmcfg: ReconfigureSAR port 0 traffictype 2 bcmxtmcfg: Normal(XTM/PTM) Mode enabled TxLineRateTimer=6371 iptables: Chain already exists (ssk) xDSL link up, Connection Type: PTM bcmxtmrt: MAC address: c4 a8 1d aa bb cc [DoCreateDeviceReq.3087]: register_netdev [DoCreateDeviceReq.3089]: register_netdev done [FAP0] xtmCreateDevice : devId 0, encapType 0, headerLen 0 bcmxtmcfg: Reserve PTM vcid=0 ptmPri=1 port=0 bondingPort=4 bcmxtmcfg: Reserve PTM vcid=1 ptmPri=2 port=0 bondingPort=4 bcmxtmcfg: Reserve TxQueueIdx=0 for vcid 0 bcmxtmcfg: Reserve MP group=0 priority=0 weight=1 XTM Init: Ch:0 - 400 tx BDs at 0xa5d74000 bcmxtmcfg: Connection UP, LinkActiveStatus=0x1, US=5023000, DS=54072000 [FAP1] xtmCreateDevice : devId 0, encapType 0, headerLen 0 [FAP0] xtmLinkUp : devId 0, matchId 0 [FAP1] xtmLinkUp : devId 0, matchId 0 [FAP0] xtmLinkUp : devId 0, matchId 1 [FAP1] xtmLinkUp : devId 0, matchId 1 dnsprobe: Can not open /etc/resolv.conf ptm0.2 MAC address set to C4:A8:1D:AA:BB:CC netdev path : ptm0.2 -> ptm0 BCMVLAN : ptm0 mode was set to RG Created new Tag Rule: dev=ptm0, dir=1, tags=0, id=0 Created new Tag Rule: dev=ptm0, dir=0, tags=1, id=0 Created new Tag Rule: dev=ptm0, dir=0, tags=2, id=0 Created new Tag Rule: dev=ptm0, dir=0, tags=0, id=0 device ptm0 entered promiscuous mode ptm0.1 MAC address set to C4:A8:1D:AA:BB:CC netdev path : ptm0.1 -> ptm0 BCMVLAN : ptm0 mode was set to RG Created new Tag Rule: dev=ptm0, dir=1, tags=0, id=1 Created new Tag Rule: dev=ptm0, dir=0, tags=1, id=1 Created new Tag Rule: dev=ptm0, dir=0, tags=2, id=1 Created new Tag Rule: dev=ptm0, dir=0, tags=0, id=1 recovered previous ppp session info ppp1.1(0030881bde0d/6e36) wlctl: wl driver adapter not found wlctl: wl driver adapter not found wlctl: wl driver adapter not found PPP: ppp1.1 Start to connect ... saving ppp session info ppp1.1(0030881bde0d/6438) netdev path : ppp1.1 -> ptm0.1 -> ptm0 br0: port 6(wl1) entering disabled state device wl1 left promiscuous mode br0: port 6(wl1) entering disabled state sh: can't create /var/3g/wanup: nonexistent directory PPP: ppp1.1 Connection Up. device wl1 entered promiscuous mode br0: port 6(wl1) entering forwarding state wlctl: Not Permitted wlctl: Undefined error wlmngr_init:dataSync:2 wlmngr_initCfg:dataSync:2 br0: port 6(wl1) entering disabled state Setting SSID: "HELLO-5Ghz" Setting SSID: "wl1_Guest1" Setting SSID: "wl1_Guest2" Setting SSID: "wl1_Guest3" wlctl: Unsupported Primary DNS server = 1.2.3.4 Secondary DNS server = 5.6.7.8 iptables: No chain/target/match by that name iptables: No chain/target/match by that name iptables: No chain/target/match by that name iptables: Chain already exists ptm0.2: no IPv6 routers present ptm0.1: no IPv6 routers present request successful All services associated with ppp1.1 is activated. device wl1 left promiscuous mode br0: port 6(wl1) entering disabled state device wl1 entered promiscuous mode br0: port 6(wl1) entering forwarding state acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: selected channel spec: 0x1001 acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: scan in progress ... acsd: selected channel spec: 0xd93e !!!!!!!! read(fd=7) error=131 tr69c:error:88.495:postComplete:1195:Post to ACS failed, Status = 3 error: illegal http response or read failure tr69c:error:88.496:cancelPeriodicInform:1608:request failed, ret=9003 tr69c:error:88.496:acsDisconnect:344:ACS Disconnect with error 3 tr69c:error:88.496:retrySessionConnection:222:ACS connect failed, retryCount = 1, backOffTime = 8000ms yyyCyy!!!!!!!! read(fd=7) error=131 tr69c:error:102.556:postComplete:1195:Post to ACS failed, Status = 3 error: illegal http response or read failure tr69c:error:102.557:cancelPeriodicInform:1608:request failed, ret=9003 tr69c:error:102.557:acsDisconnect:344:ACS Disconnect with error 3 tr69c:error:102.557:retrySessionConnection:222:ACS connect failed, retryCount = 2, backOffTime = 15000ms !!!!!!!! read(fd=7) error=131 tr69c:error:119.050:postComplete:1195:Post to ACS failed, Status = 3 error: illegal http response or read failure tr69c:error:119.050:cancelPeriodicInform:1608:request failed, ret=9003 tr69c:error:119.050:acsDisconnect:344:ACS Disconnect with error 3 tr69c:error:119.050:retrySessionConnection:222:ACS connect failed, retryCount = 3, backOffTime = 31000ms !!!!!!!! read(fd=7) error=131 tr69c:error:156.104:postComplete:1195:Post to ACS failed, Status = 3 error: illegal http response or read failure tr69c:error:156.104:cancelPeriodicInform:1608:request failed, ret=9003 tr69c:error:156.105:acsDisconnect:344:ACS Disconnect with error 3 tr69c:error:156.105:retrySessionConnection:222:ACS connect failed, retryCount = 4, backOffTime = 73000ms yyyy ^C ^C ^C
Shell access
After the device boot you will get a limited shell access, to obtain proper shell access run “sh -c sh” (Should work with telnet too).
GPL Code
Part of the gpl code was released.
https://dlink-gpl.s3.amazonaws.com/GPL1400342/DSL6850UA1_GPL10008BZ.tar.gz