- Member since: 10 Feb 2005
- Posts: 188
- Reaction score: 0
- Points: 16
After extensive investigation I now have a good picture of the hardware and software. Together with some special bootloader features we will now be able to hack the SX541 wide open :lol:
Hardware
The microcontroller is a Texas Instruments AR7300 (MIPS). Product info can be found here: TI AR7
This CPU is used in many other networking products such as the Netgear DG834G, the D-Link DSL-G604T and ... the AVM FRITZ!Box Fon.
The codecs are implemented in hardware; the SX541 uses a Voicepump VP140 DSP. If properly programmed, the codec quality should be very good. Unfortunately the programming skills of Siemens' Taiwanese ODM partner leave a lot of room for improvement :lol:
The rest of the hardware is described by Birger: 2MB flash (Fritz!box uses 4MB), 32MB ram, etc.
Software
Unfortunately there is no Linux running on the SX541. The OS is an RTOS called Supertask!, which is now sold by Micro Digital Inc. The TCP/IP stack, router and VoIP software were developed by the Institute for Information Industry in Taiwan and are called III TTF TCPIP Protocol Stack (for Router). The bootloader was developed by Broad Net Inc. from Taiwan. The bootloader can be accessed via the serial console as I described here. For your convenience I will copy the content of that post below. But first the most important discovery I made, which will help us run our own code on the SX541: the bootloader has an "administrator mode" which can be accessed by entering a "!". The administrator menu shows:
======================
Upload to Flash
[E] Erase Flash
[G] Run Runtime Code
[M] Upload to Memory
[R] Read from Memory
[W] Write to Memory
[T] Memory Test
[Y] Go to Memory
[A] Set MAC Address
[#] Set Serial Number
[V] Set Board Version
[H] Set Options
[P] Print Boot Params
======================
The additional menu items are:
[M] Upload to Memory
[R] Read from Memory
[W] Write to Memory
[T] Memory Test
[Y] Go to Memory
With 'M', code can be uploaded to RAM via TFTP or XMODEM and then executed. Execution can also be started with 'Y'. There seem to be a few conditions the binary code needs to fulfil. I haven't found these out yet, but using the 'R' command I managed to read out the bootloader code, which I will further analyze in IDA.
Okay, enough for now; below you find a copy of the info I posted earlier about serial console and telnet access.
Have fun and let's get a linux kernel running on the sx541 asap,
JockyW
===================================
As I wrote before, simply telnet into the SX541 (user: admin, password: empty). You don't need a serial cable for that.
You'll see this menu:
>> system Generic system parameter configuration
interface Interface parameter configuration
wLAN Wireless LAN configuration
bridge Transparent bridging parameter configuration
vc ATM virtual circuit parameter configuration
ppp PPP parameter configuration
dial Dial-out parameter configuration
ip_share NAT parameter configuration
firewall-func Enable disable firewall functions
access-list Access list rules manager
inspect Inspection threshold and rules manager
route Routing parameter configuration
dhcp DHCP parameter configuration
dns DNS proxy parameter configuration
snmp SNMP parameter configuration
tftp Default TFTP parameter configuration
mail Mail parameter configuration
chuser Configuration para...
upnp Enable or disable ...
show Showing system configuration
monitor Monitor system run...
upgrade Upgrade system firmware
backup Backup system configuration
passwd Change user password
default_reset Reset system configuration to default status
write Write configuration and restart system
reboot Restart system and activate new system configuration
enable Enable configuration mode
su Change to super user(root) mode
ping Ping test
tracert Trace route utility
exit Disable privilege command or disconnect
The submenu "chuser" has these items:
>> max_user Maximum allow telnet access user number
telnet_port Telnet TCP port config (default 8081)
user_profile Legal user profile
address_control Legal client address
login_timeout Login timeout (minutes)
remote_login Remote management function disable or enable
=======
If you connect a Siemens data cable (I bought one at CONRAD for €17.95, a "goobay" data cable for the SIEMENS 25/35/45/50 series, order no. 760217) to the 10-pin header inside the SX541 you can in addition trace the boot log, enter the boot monitor for recovery, set debug mode, and telnet via the serial cable.
Strip off the GSM phone plug and you see three wires: black, blue and white. Open the SX541 and look at the pin header from the top.
--5---4---3---2---1
+---+---+---+---+---+
| o | o | o | o | o |
+---+---+---+---+---+
| o | o | o | o | o |
+---+---+---+---+---+
-10---9---8---7---6
---------- front side ---------------
Connect the 3 wires as follows:
3:TX : blue
2:RX : white
5:GND : black
Connect the 9-pin D-sub to the serial port of your PC. Open HyperTerminal and set it to 115200 8-N-1, no flow control.
If you switch on the SX541 you'll see the following boot log:
===========================================================
TI ADSL AR7300 Loader 0.67.3 build Sep 15 2004 17:03:49
Broad Net Technology, INC.
===========================================================
Flash not found
Copying boot params.....DONE
Press any key to enter command mode ...
Flash Checking Passed.
Unzipping web at 0x94f30000 ... done
Unzipping code at 0x94000000 ... done
In C_Entry() function ...
install_exception
sys_irq_init() ...
Set GPIO
Reset USB and VP140 module ...
##### _ftext = 0x94000000
##### _fdata = 0x94345120
##### __bss_start = 0x9439C300
##### end = 0x9545847C
##### Backup Data from 0x94345120 to 0x9547847C~0x954CF65C len 356832
[INIT] System Log Pool startup ...
[INIT] MTinitialize ..
userclk_init() ...
Runtime code version: 1.56
System startup...
[INIT] Memory COLOR 0, 1500000 bytes ..
[INIT] Memory COLOR 1, 600000 bytes ..
[INIT] Memory COLOR 2, 1900000 bytes ..
manu_id=004A chip_id=2249
ES29LV160D bottom boot 16-bit mode found
Set flash memory layout to Boot Parameters found !!!
Bootcode version: 0.67.3
Serial number: A448012289
Hardware version: 01
sizeof(struct III_Config_t) is 82376
manu_id=004A chip_id=2249
ES29LV160D bottom boot 16-bit mode found
!!! Invalid wireless channel range 0 ~ 0
!!! Use default value 1 ~ 13
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=48 BUF_ALIGN_SZ=8 BUFFER_OFFSET=112
BUF_BUFSZ0=384 BUF_BUFSZ1=1872
NUM_OF_B0=0 NUM_OF_B1=1200
BUF_POOL0_SZ=0 BUF_POOL1_SZ=2304000
sizeof(BUFFER0)=432,sizeof(BUFFER1)=1920
*BUF0=0x94c7506c *BUF1=0x94a4285c
Altgn *BUF0=0x94c75070 *BUF1=0x94a42860
End at BUF0:0x94c75070, BUF1:0x94c75060
BUF0[0]=0x94c75070 BUF1[0]=0x94a42860
buffer0 pointer init OK!
buffer1 pointer init OK!
[qm_lnk_init] CLOCKHZ=1000 ...
CLOCKHZ=1000
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 0 ip = 127.0.0.1
MAC Address: 00:01:e3:50:98:dd
Memory request 2072 left 297928 ptr 9443F074
Call tn7sar_malloc_dma_xfer() addr:B443F074 size:2072
MAC1 [RX=128 TX=1]: TI External PHY
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 1 ip = 192.168.1.100
ruleCheck()> Group: 0, Error: Useless rule index will be truncated
ruleCheck()> Group: 1, Error: Useless rule index will be truncated
ruleCheck()> Group: 2, Error: Useless rule index will be truncated
CBAC rule format check succeed !!
reqCBACBuf()> init match pool, Have: 1000
Memory Address: 0x950c31e8 ~ 0x950c9f64
reqCBACBuf()> init timeGap pool, Have: 10000
Memory Address: 0x950c9f64 ~ 0x950facb8
reqCBACBuf()> init sameHost pool, Have: 2000
Memory Address: 0x950facb8 ~ 0x9510a6d8
CBAC rule pool initialized !!
[initClsfy] clsfy_local_if_mask=0xf00007
[initClsfy] clsfy_localorVPN_if_mask=0xf00007
Init NAT data structure
RUNTASK id=2 if_task if0...
RUNTASK id=3 if_task if1...
RUNTASK id=4 timer_task...
RUNTASK id=5 conn_mgr...
RUNTASK id=6 main_8021x...
RUNTASK id=7 UsbSysInitTask ...
RUNTASK id=8 period_task...
========== ADSL Modem initialization OK ! ======
RUNTASK id=9 telnetd_main...
Unzipping from B0040000 to 95EF0000 ... done
Uncompressed size = 978080
drive start addr[0]=95ef0000, [1]=95fdeca0
[HTTPD] flash_init: failed!!
httpd: listen at 192.168.1.100:80
HTTPD TIMER_RESOURCE:5, FS_RESOURCE:6
RUNTASK httpd...
RUNTASK id=12 dnsproxy...
RUNTASK id=13 snmp_task...
RUNTASK id=14 rip...
RUNTASK id=15 ripout...
UPnP is enabled
UPNP Device initialize success! slot=16
Starting Multitask...
------------------------------------------------------
You can now press:
shift-0: to enable debug
shift-9: to enable config
shift-8:to start telnet console
ENTER : show this help
Looking at this boot log I'd say it is some kind of RTOS, but not a Linux kernel.
If you press any key directly after switching on the SX541 you get into the boot monitor console:
======================
Upload to Flash
[E] Erase Flash
[G] Run Runtime Code
[A] Set MAC Address
[#] Set Serial Number
[V] Set Board Version
[H] Set Options
[P] Print Boot Params
======================
[AR7300 Boot]
MAC address : 00-01-E3-xx-xx-xx
Serial number : A4xxxxxxxxx
Hardware version: 01
Options : 00-00-00-00-00-00
[AR7300 Boot]:g
Unzipping web at 0x94f30000 ... done
Unzipping code at 0x94000000 ... done
In C_Entry() function ...
install_exception
sys_irq_init() ...
Set GPIO
Reset USB and VP140 module ...
......
-------------------------------
I think it should now be possible to get the VoIP stuff working if the sx541 sits behind another router.
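Added example (not part of JockyW's post and not SX541 firmware or tooling): a small Python script that pulls the memory map out of the boot log quoted above and sanity-checks it before you load a raw dump into IDA. The BOOTLOG text is a constructed excerpt of the lines quoted in the post; the regexes are written against exactly those line formats, and the only other assumption is the standard MIPS32 address-space layout (KSEG0 = 0x80000000 cached, KSEG1 = 0xA0000000 uncached, both aliasing the same low 512 MiB of physical memory). It shows three things the log only hints at: the runtime's .text/.data/.bss extents from the _ftext/_fdata/__bss_start/end symbols; that the "Backup Data ... len 356832" line copies exactly the .data segment (0x9439C300 - 0x94345120 = 0x571E0 = 356832); and that the "ptr 9443F074" / "addr:B443F074" pair in the SAR DMA setup is one physical buffer (0x1443F074) seen through the cached and the uncached window, which puts the image at 0x94000000 at physical 0x14000000 and the drive image pulled "from B0040000" at physical 0x10040000.

```python
import re

# Constructed excerpt of the boot log quoted in the post: only the lines this
# script consumes, copied verbatim. Paste a full capture here to run it on
# your own log.
BOOTLOG = """\
Unzipping web at 0x94f30000 ... done
Unzipping code at 0x94000000 ... done
##### _ftext = 0x94000000
##### _fdata = 0x94345120
##### __bss_start = 0x9439C300
##### end = 0x9545847C
##### Backup Data from 0x94345120 to 0x9547847C~0x954CF65C len 356832
Memory request 2072 left 297928 ptr 9443F074
Call tn7sar_malloc_dma_xfer() addr:B443F074 size:2072
Unzipping from B0040000 to 95EF0000 ... done
Uncompressed size = 978080
"""

# MIPS32 fixed kernel windows (architectural, not SX541-specific): KSEG0 and
# KSEG1 both map the low 512 MiB of physical memory without the TLB; KSEG0
# accesses go through the cache, KSEG1 accesses bypass it.
KSEG0, KSEG1, KSEG2 = 0x80000000, 0xA0000000, 0xC0000000

HEX = r"(?:0x)?([0-9A-Fa-f]{8})"
SYMBOL_RE = re.compile(r"^##### (\w+) = " + HEX)
UNZIP_AT_RE = re.compile(r"Unzipping (\w+) at " + HEX)
UNZIP_FROM_RE = re.compile(r"Unzipping from " + HEX + " to " + HEX)
BACKUP_RE = re.compile(r"Backup Data from " + HEX + " to " + HEX + "~" + HEX + r" len (\d+)")
CACHED_PTR_RE = re.compile(r"\bptr " + HEX)
DMA_ADDR_RE = re.compile(r"\baddr:" + HEX)


def virt_to_phys(addr):
    """Translate a KSEG0 or KSEG1 virtual address to its physical address."""
    if KSEG0 <= addr < KSEG1:
        return addr - KSEG0
    if KSEG1 <= addr < KSEG2:
        return addr - KSEG1
    raise ValueError(f"0x{addr:08X} is not in KSEG0/KSEG1")


def uncached_alias(addr):
    """KSEG1 view of a KSEG0/KSEG1 address (what a DMA descriptor wants)."""
    return virt_to_phys(addr) + KSEG1


def parse_bootlog(text):
    """Pick the memory-layout facts out of a captured boot log."""
    info = {"symbols": {}, "images": {}, "backup": None, "dma_ptrs": []}
    for line in text.splitlines():
        if m := SYMBOL_RE.match(line):
            info["symbols"][m.group(1)] = int(m.group(2), 16)
        elif m := UNZIP_AT_RE.search(line):
            info["images"][m.group(1)] = int(m.group(2), 16)
        elif m := UNZIP_FROM_RE.search(line):
            # Third image (the 'drive' the next log line mentions): source in
            # flash, destination in RAM.
            info["images"]["drive"] = int(m.group(2), 16)
            info["drive_source"] = int(m.group(1), 16)
        elif m := BACKUP_RE.search(line):
            src, dst, dst_end, length = m.groups()
            info["backup"] = (int(src, 16), int(dst, 16), int(dst_end, 16), int(length))
        elif m := CACHED_PTR_RE.search(line):
            info["dma_ptrs"].append(int(m.group(1), 16))
        elif m := DMA_ADDR_RE.search(line):
            info["dma_ptrs"].append(int(m.group(1), 16))
    return info


def segments(symbols):
    """.text/.data/.bss as (start, length) from the linker symbols the runtime prints."""
    text, data, bss, end = (symbols[k] for k in ("_ftext", "_fdata", "__bss_start", "end"))
    return {".text": (text, data - text), ".data": (data, bss - data), ".bss": (bss, end - bss)}


def backup_is_data_segment(info):
    """The 'Backup Data' copy should start at _fdata and be exactly .data long."""
    src, dst, dst_end, length = info["backup"]
    data_start, data_len = segments(info["symbols"])[".data"]
    return src == data_start and length == data_len and dst_end - dst == length


def dma_ptrs_alias_same_memory(info):
    """The cached 'ptr' and uncached 'addr:' values must be one physical buffer."""
    phys = {virt_to_phys(a) for a in info["dma_ptrs"]}
    return len(info["dma_ptrs"]) >= 2 and len(phys) == 1


def physical_map(info):
    """Physical addresses of everything the loader placed, for IDA notes."""
    phys = {name: virt_to_phys(addr) for name, addr in info["images"].items()}
    phys["drive_source"] = virt_to_phys(info["drive_source"])
    return phys


if __name__ == "__main__":
    info = parse_bootlog(BOOTLOG)
    for name, (start, length) in segments(info["symbols"]).items():
        print(f"{name:6} 0x{start:08X} len 0x{length:06X} ({length} bytes)")
    print("backup == .data:", backup_is_data_segment(info))
    print("DMA ptrs alias one buffer:", dma_ptrs_alias_same_memory(info))
    for name, addr in physical_map(info).items():
        print(f"{name:13} physical 0x{addr:08X}")
```

Run it as-is on the excerpt, or paste a full capture of your own boot log into BOOTLOG. If you later dump the unzipped runtime with the bootloader's 'R' command, loading it in IDA at base 0x94000000 with these segment boundaries keeps the disassembly addresses consistent with the ones the log prints, and the .data/.bss split tells you which part of the dump is initialised data rather than code.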