From eldevoldere at gmail.com Mon Feb 3 12:04:10 2020
From: eldevoldere at gmail.com (Elias Devoldere)
Date: Mon, 3 Feb 2020 13:04:10 +0100
Subject: Platform ALT3800 as good target?
In-Reply-To:
References:
Message-ID:

Hello,

This is a python script to download flash memory content.

import re
import time

import serial

dev_name = '/dev/ttyACM0'   # USB CDC-ACM port; AT commands and the U-Boot console share it
scoop_size = 0x80           # longwords per 'md.l' request (0x80 * 4 = 512 bytes)


def xmit(data, xtimeout=0.1):
    """Write a string to the port and collect the reply until a read returns
    less than a full 1024-byte chunk, i.e. the device has gone quiet."""
    response = b''
    try:
        with serial.Serial(dev_name, timeout=xtimeout) as ser:
            ser.write(data.encode())
            while True:
                response_tmp = ser.read(1024)
                response += response_tmp
                if len(response_tmp) != 1024:
                    break
    except (OSError, serial.SerialException) as e:
        print('IO exception: {}'.format(e))
        time.sleep(2)
    # garbage during the reset is not guaranteed to be valid UTF-8
    return response.decode('utf-8', errors='replace')


def send_at(at_cmd):
    """Send one CR-terminated AT command and return the modem's reply."""
    return xmit(at_cmd + '\r', xtimeout=1.0)


def get_mtd_table():
    """Run 'mtdparts' ('mtd' is accepted as its unique abbreviation) and parse
    the '#: name size offset mask_flags' table into a list of dicts."""
    response = xmit('mtd\r')
    start = response.find('#:')
    if start < 0:
        return []
    output = []
    row_names = ['idx', 'name', 'size', 'offset', 'flags']
    for line in response[start:].split('\n\r'):   # line terminator as seen on this console
        if len(line) < 2:
            break           # blank line ends the table
        if line.find('#') >= 0:
            continue        # header line
        row_dict = {}
        for row_idx, row in enumerate(line.split()):
            if row_idx == 0:
                row = re.sub(r':$', '', row)    # '8:' -> '8'
            row_dict[row_names[row_idx]] = row
        output.append(row_dict)
    return output


def dump_part(record):
    """Copy one NAND partition into RAM with 'nand read', then pull it out
    through the console with repeated 'md.l' and write it to a local file."""
    part_size = int(record['size'], 16)
    name = record['name']
    response = xmit('nand read ${loadaddr} ' + name + '\r')
    print(response)
    # First chunk; every later chunk is fetched by sending a bare CR, which
    # makes U-Boot repeat the last 'md' command from where it left off.
    response = xmit('md.l ${loadaddr} ' + hex(scoop_size) + '\r')
    start_part_addr = -1
    linear_addr = 0
    run = True
    with open(name, 'wb') as fd:
        while run:
            for line in response.split('\n\r'):
                if not run:
                    break
                if line.find(':') < 0:
                    continue            # echoed command, prompt, blank line
                rows = line.split()
                start_line_addr = int(re.sub(r':$', '', rows[0]), 16)
                if start_part_addr < 0:
                    start_part_addr = start_line_addr
                if start_line_addr != linear_addr + start_part_addr:
                    print('error: linear_addr {} != start_line_addr {}'.format(
                        linear_addr + start_part_addr, start_line_addr))
                # four 32-bit words per line, written big-endian to match the
                # mips- (big-endian) toolchain reported in the U-Boot banner
                for i in range(1, 5):
                    fd.write(int(rows[i], 16).to_bytes(4, byteorder='big', signed=False))
                    linear_addr += 4
                    if linear_addr >= part_size:
                        run = False
                        break
                print('linear_addr {}, part_size {}'.format(linear_addr, part_size))
            if linear_addr >= part_size:
                run = False
            else:
                response = xmit('\r')


# Wake the port, then make sure the modem answers AT commands.
xmit(' \r')
for n in range(4):
    response = send_at('AT')
    if len(response) > 0:
        break
    time.sleep(4)

send_at('AT')
response = send_at('AT+CFUN?')
if response.find('+CFUN:') >= 0:
    print('in AT mode')
    # AT+CFUN=1,1 resets the modem; keep poking the console during the
    # bootdelay until the U-Boot '#' prompt shows up.
    send_at('AT+CFUN=1,1')
    time.sleep(1)
    response = xmit(' \r')
    while response.find('#') < 0:
        time.sleep(1)
        response = xmit(' \r')

if response.find('#') >= 0:
    print('in U-Boot')
    xmit(' \r')
    mtd_table = get_mtd_table()
    for record in mtd_table:
        dump_part(record)
    print('switching back into AT mode')
    xmit('run boot_default\r')   # resume the normal boot
else:
    print('error: switching into U-Boot failed')

On Wed, 29 Jan 2020 at 00:28, Elias Devoldere wrote:
> Hello,
> I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset.
> I was amazed when I got a U-Boot console after command at+cfun=1,1 and
> sending several random characters. I assume it's not news for seasoned
> wolves who hunt here.
> As a modem rookie I did not find a relevant link to this topic during
> Google's fast search.
>
> My questions.
> Is this behavior generally known?
> Can this be a one-piece property (I have only one piece)?
> Could it be useful for interesting research?
> Is there anyone who cares about it?
>
> I will try to extract parts of the memory using U-boot.
>
> Below you find pieces of the listing.
>
> Best,
> Elias
>
> # help
> help
> ?       - alias for 'help'
> base    - print or set address offset
> bdinfo  - print Board Info structure
> boot    - boot default, i.e., run 'bootcmd'
> bootd   - boot default, i.e., run 'bootcmd'
> bootelf - Boot from an ELF image in memory
> bootfw  - Load and boot FW from ELF image in memory
> bootm   - boot application image from memory
> bootp   - boot image via network using BOOTP/TFTP protocol
> bootvx  - Boot vxWorks from an ELF image
> chpart  - change active partition
> clocks  - print clock configuration
> cmp     - memory compare
> coninfo - print console devices and information
> cp      - memory copy
> crc32   - checksum calculation
> create_bdinfo- Create Board info
> dhcp    - boot image via network using DHCP/TFTP protocol
> dip     - show the Boot mode configuration options
> echo    - echo args to console
> editenv - edit environment variable
> env     - environment handling commands
> exit    - exit script
> false   - do nothing, unsuccessfully
> fdt     - flattened device tree utility commands
> fsinfo  - print information about filesystems
> fsload  - load binary file from a filesystem image
> fsloadbsp- load bsp binary files from a filesystem image
> fstest  - testing filesystems
> go      - start application at address '[*]addr' (possibly be indirect address)
> gpio    - input/set/clear/toggle gpio pins
> help    - print command description/usage
> i2c     - I2C sub-system
> iminfo  - print header information for application image
> imxtract- extract a part of a multi-image
> initfw  - Init FW PLLs
> itest   - return true/false on integer compare
> kermit_stat- Show statistics of the last Kermit session
> kermit_stat_print- print kermit statistics at the end of session
> loadb   - load binary file over serial line (kermit mode)
> loads   - load S-Record file over serial line
> loady   - load binary file over serial line (ymodem mode)
> loop    - infinite loop on address range
> loopw   - infinite write loop on address range
> ls      - list files in a directory (default /)
> md      - memory display
> md5sum  - compute MD5 message digest
> mdc     - memory display cyclic
> mii     - MII utility commands
> mm      - memory modify (auto-incrementing address)
> mtdparts- define flash/nand partitions
> mtest   - simple RAM read/write test
> mw      - memory write (fill)
> mwc     - memory write cyclic
> nand    - NAND sub-system
> nandotp - NAND OTP sub-system
> nboot   - boot from NAND device
> nfs     - boot image via network using NFS protocol
> nm      - memory modify (constant address)
> ping    - send ICMP ECHO_REQUEST to network host
> printenv- print environment variables
> rarpboot- boot image via network using RARP/TFTP protocol
> reginfo - print register information
> reset   - Perform RESET of the CPU
> reset_cause- print reset cause
> run     - run commands in an environment variable
> saveenv - save environment variables to persistent storage
> setenv  - set environment variables
> show_bdinfo- Show board info
> showvar - print local hushshell variables
> sleep   - delay execution for some time
> source  - run script from memory
> test    - minimal test like /bin/sh
> tftpboot- boot image via network using TFTP protocol
> true    - do nothing, successfully
> unlzo   - decopress a lzo memory region
> unzip   - unzip a memory region
> version - print monitor, compiler and linker version
>
> U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
> mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3
> GNU ld (GNU Binutils) 2.21
>
> #
> baudrate=115200
> boot_default=run flash_boot
> boot_nand_mtd=run nand_choose_rootfs; run flash_set_bootargs; nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size}; bootm ${loadaddr} - ${dtb_addr}
> boot_nand_ramfs=run ram_set_bootargs; nboot kernel${boot_number}; bootm
> boot_number=2
> boot_option=boot_default
> boot_tftp_ramfs=run ram_set_bootargs; ${tftpbootcmd} vmlinux.uboot; bootm ${loadaddr}
> bootcmd=if itest.b 0 == *a00d001b; then run ${boot_option}; else echo 'GUESS MODE - NO BOOT ALLOWED !!!'; fi
> bootdelay=6
> bootm_low=0x82100000
> bootm_size=0x6000000
> cdc_connect_timeout=10
> consoledev=ttyS0
> dtb_addr=0x84000000
> dtb_file=alt3802.dtb
> dtb_size=0x4000
> env_check=if test ${env_saved} = 0; then setenv env_saved 1; saveenv; fi
> env_configured_size=0x4000
> env_saved=1
> erase_env_nand=nand erase.part env; nand erase.part backup_env
> eth_phy_mode=rmii
> ethact=usb_ether
> ethaddr=00:E0:0C:00:11:A0
> fastboot=setenv loadaddr ${fastboot_loadaddr};run loadfw; if test $? -eq 0; then bootfw ${unziped_fwaddr} 1; fi; run loadotp; if run loadbsp;then run process_fw; fi;
> fastboot_loadaddr=0x82800000
> fdt_high=0x83000000
> fdtdbg=no
> flash_boot=run nand_choose_rootfs; run flash_set_bootargs; run fastboot; nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size}; bootm ${loadaddr} - ${dtb_addr}
> flash_set_bootargs=setenv bootargs $ip root=${root} rw rootfstype=jffs2 console=$consoledev,$kernel_baudrate $othbootargs $kernellog
> gatewayip=0.0.0.0
> hostname=alt3800
> initrd_high=0x83000000
> ipaddr=10.0.0.1
> kernel_baudrate=115200
> kernel_file=uImage
> kernellog=quiet
> load_fw=run load_phy_fw; run load_lte_fw
> load_lte_fw=${tftpbootcmd} $lte_fw; setenv fw_type LTE; bootelf
> load_phy_fw=${tftpbootcmd} $phy_fw; setenv fw_type PHY; bootelf
> loadaddr=0x80100000
> loadbsp=chpart nvm; fsloadbsp 1 ${ramFilesShAddr} band_list bandbp file_list bspfilesbp
> loadfw= nand read.jffs2 ${loadaddr} modem_fw${boot_number}; unlzo ${loadaddr} ${unziped_fwaddr};
> loadotp=nandotp read ${ramOtpShAddr} spl 20
> lte_fw=PS100_RealPHY.elf
> mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage)
> nand128_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage)
> nand128_scheme2_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),53m(rootfs1),4m(kernel2),256k(dtb2),53m(rootfs2),4m(modem_fw1),4m(modem_fw2)
> nand256_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),40m(rootfs1),4m(kernel2),256k(dtb2),40m(rootfs2),4m(modem_fw1),4m(modem_fw2),10m(ua),-(tstorage)
> nand_choose_rootfs=if test 1 = ${boot_number}; then setenv root /dev/mtdblock8;else setenv root /dev/mtdblock11; fi
> nand_erasesize=20000
> nand_oobsize=40
> nand_uboot_file=u-boot.bin
> nand_uboot_spl_file=u-boot-spl.bin.alt3800
> nand_writesize=800
> nc=run nchelp; setenv stdin nc;setenv stdout nc;setenv stderr nc
> nchelp=echo On the host side run the script: ./netconsole $ipaddr $ncinport
> ncinport=6665
> ncip=10.0.0.10
> ncmux=run nchelp; setenv stdout ${stdout},nc; setenv stdin ${stdin},nc; setenv stderr ${stderr},nc
> ncoutport=6665
> netdev=eth0
> netmask=255.255.0.0
> nvm_file=nvm.jffs2.img
> phy_dbgstreamer=0
> phy_fw=Lte.out
> phy_sniffer=0
> preboot=run env_check; if test -n $prebootcmd; then echo; echo Running pre-boot command; run prebootcmd;fi;
> process_fw=initfw; bootfw ${unziped_fwaddr} 0
> ramFilesShAddr=0xA030004c
> ramOtpShAddr=0xA0300000
> ram_set_bootargs=setenv bootargs $ip root=/dev/ram rw console=$consoledev,$kernel_baudrate $othbootargs $kernellog
> rootfs_file=rootfs.jffs2.img
> ser=setenv stdin serial;setenv stdout serial;setenv stderr serial
> serverip=10.0.0.10
> set_ip=setenv ip ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev:off
> stderr=serial,usbtty
> stdin=serial,usbtty
> stdout=serial,usbtty
> testdramaddress=no
> testdramcache=yes
> testdramcount=1
> testdramdata=no
> testdramsize=0x08000000
> testdramstart=0x80100000
> testdramwalk=no
> tftpbootcmd=tftpboot
> toggle_boot_number=if test 1 = ${boot_number}; then set boot_number 2; else set boot_number 1; fi;
> saveenv
> unziped_fwaddr=0x83000000
> update_all=run update_all_nand
> update_all_nand=run update_kernel_nand update_dtb_nand update_rootfs_nand
> update_dtb=run update_dtb_nand
> update_dtb_nand=if ${tftpbootcmd} ${dtb_file}; then nand erase.part dtb${boot_number}; nand write ${loadaddr} dtb${boot_number} ${filesize}; fi
> update_kernel=run update_kernel_nand
> update_kernel_nand=if ${tftpbootcmd} ${kernel_file}; then nand erase.part kernel${boot_number}; nand write ${loadaddr} kernel${boot_number} ${filesize}; fi
> update_linux=${tftpbootcmd} uImage
> update_multi_img=run update_multi_img_nand
> update_multi_img_nand=setenv kernel_file vmlinux.uboot; run update_kernel_nand
> update_nvm=run update_nvm_nand
> update_nvm_nand=if ${tftpbootcmd} ${nvm_file}; then nand erase.part nvm; nand write ${loadaddr} nvm ${filesize}; fi
> update_ramdisk=${tftpbootcmd} $ramdiskaddr ramdisk.gz.uboot
> update_rootfs=run update_rootfs_nand
> update_rootfs_nand=if ${tftpbootcmd} ${rootfs_file}; then nand erase.part rootfs${boot_number}; nand write ${loadaddr} rootfs${boot_number} ${filesize}; fi
> update_uboot=run update_uboot_nand
> update_uboot_nand=run update_uboot_nand_spl update_uboot_nand_non_spl erase_env_nand
> update_uboot_nand_non_spl=if ${tftpbootcmd} ${nand_uboot_file}; then nand erase.part uboot1; nand write ${loadaddr} uboot1 ${filesize}; nand erase.part uboot2; nand write ${loadaddr} uboot2 ${filesize}; fi
> update_uboot_nand_spl=if ${tftpbootcmd} ${nand_uboot_spl_file}; then nand erase.part spl; nand write ${loadaddr} spl ${filesize}; fi
> usbphymode=0
> usbtty=cdc_acm
> ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
>
> Environment size: 6184/16379 bytes
>
> mtdparts
>
> device nand0 , # parts = 15
>  #: name                size            offset          mask_flags
>  0: spl                 0x00080000      0x00000000      0
>  1: uboot1              0x000c0000      0x00080000      0
>  2: uboot2              0x000c0000      0x00140000      0
>  3: env                 0x00040000      0x00200000      0
>  4: backup_env          0x00040000      0x00240000      0
>  5: nvm                 0x00300000      0x00280000      0
>  6: kernel1             0x00300000      0x00580000      0
>  7: dtb1                0x00040000      0x00880000      0
>  8: rootfs1             0x02500000      0x008c0000      0
>  9: kernel2             0x00300000      0x02dc0000      0
> 10: dtb2                0x00040000      0x030c0000      0
> 11: rootfs2             0x02500000      0x03100000      0
> 12: modem_fw1           0x00400000      0x05600000      0
> 13: modem_fw2           0x00400000      0x05a00000      0
> 14: tstorage            0x02200000      0x05e00000      0
>
> active partition: nand0,0 - (spl) 0x00080000 @ 0x00000000
>
> defaults:
> mtdids  : nand0=alt3800_nfc
> mtdparts: uninitialized

From laforge at osmocom.org Wed Feb 5 12:43:17 2020
From: laforge at osmocom.org (Harald Welte)
Date: Wed, 5 Feb 2020 13:43:17 +0100
Subject: Platform ALT3800 as good target?
In-Reply-To:
References:
Message-ID: <20200205124317.GD343380@nataraja>

Hi Elias,

thanks for reaching out.

On Wed, Jan 29, 2020 at 12:28:37AM +0100, Elias Devoldere wrote:
> I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset.

I've read about Altair (now part of sony) based modems, but never had any
actual contact with them.

It seems that one HL78 NB-IoT modem from Sierra Wireless as well as the L866
from Telit seem to be based on Altair, but I wasn't aware that Mikrotik is
also using Altair.

> I was amazed when I got a U-Boot console after command at+cfun=1,1 and
> sending several random characters. I assume it's not news for seasoned
> wolves who hunt here.

This is highly unexpected, of course.

> Is this behavior generally known?

I've never heard of it, certainly it was not a topic in Osmocom so far.

> Can this be a one-piece property (I have only one piece)?

possibly, but more likely it relates to the specific firmware build.

> Could it be useful for interesting research?

of course.

> Is there anyone who cares about it?

I do.

> I will try to extract parts of the memory using U-boot.

good luck!
> U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
> mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3

ok, so we know it's a MIPS architecture, and we know it's the fourgee3100
(Altair 3100) for which it was originally written. The 3800 is likely
backwards compatible then.

> 'GUESS MODE - NO BOOT ALLOWED !!!'; fi

whatever a GUESS MODE is

> dtb_file=alt3802.dtb

3802 is even a more specific part number

> lte_fw=PS100_RealPHY.elf

also interesting that the PHY firmware comes as ELF file, would be
interesting to see what ELF architecture it is for.

> ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38)

always surprising what kind of stone age versions are in use :)

Please do keep us posted. I ordered one of those modems myself, too.

-- 
- Harald Welte http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

From laforge at osmocom.org Wed Feb 5 12:45:49 2020
From: laforge at osmocom.org (Harald Welte)
Date: Wed, 5 Feb 2020 13:45:49 +0100
Subject: Platform ALT3800 as good target?
In-Reply-To:
References:
Message-ID: <20200205124549.GF343380@nataraja>

Hi Elias,

On Mon, Feb 03, 2020 at 01:04:10PM +0100, Elias Devoldere wrote:
> This is a python script to download flash memory content.

Thanks. Unfortunately it looks like your e-mail client has completely upset
the indenting, which in python is fatal.

-- 
- Harald Welte http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

From pshinjo at sect.tu-berlin.de Thu Feb 6 09:43:48 2020
From: pshinjo at sect.tu-berlin.de (Shinjo Park)
Date: Thu, 6 Feb 2020 10:43:48 +0100
Subject: Platform ALT3800 as good target?
In-Reply-To: <20200205124317.GD343380@nataraja>
References: <20200205124317.GD343380@nataraja>
Message-ID: <2095807.jaDxuElD7r@brandenburg>

Hi all,

I didn't know that MikroTik is also doing LTE these days, and it seems that
there are more interesting products from them. They also have additional
modems:

* R11e-LTE: https://mikrotik.com/product/r11e_lte
* R11e-LTE-US: https://mikrotik.com/product/r11e_lte_us
* R11e-LTE6: https://mikrotik.com/product/r11e_lte6

According to internal photos for FCC ID [1], R11e-LTE6 seems to have... ASR
Micro LTE modems. Never heard about that company before, but it seems that
they have acquired Marvell's baseband business and their chipset is used in
mobile routers. R11e-LTE-US [2] and probably also R11e-LTE seem to use
Qualcomm MDM9207, nothing seems so special here.

[1] https://fcc.report/FCC-ID/TV711ELTE6/4191387
[2] https://fccid.io/TV7R11ELTE/Internal-Photos/Internal-Photos-3591471

Best regards,
Shinjo

On Wed, 5 Feb 2020 13:43:17 CET, Harald Welte wrote:
> Hi Elias,
>
> thanks for reaching out.
>
> On Wed, Jan 29, 2020 at 12:28:37AM +0100, Elias Devoldere wrote:
> > I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset.
>
> I've read about Altair (now part of sony) based modems, but never had any
> actual contact with them.
>
> It seems that one HL78 NB-IoT modem from Sierra Wireless as well as the L866
> from Telit seem to be based on Altair, but I wasn't aware that Mikrotik is
> also using Altair.
>
> > I was amazed when I got a U-Boot console after command at+cfun=1,1 and
> > sending several random characters. I assume it's not news for seasoned
> > wolves who hunt here.
>
> This is highly unexpected, of course.
>
> > Is this behavior generally known?
>
> I've never heard of it, certainly it was not a topic in Osmocom so far.
>
> > Can this be a one-piece property (I have only one piece)?
>
> possibly, but more likely it relates to the specific firmware build.
>
> > Could it be useful for interesting research?
>
> of course.
>
> > Is there anyone who cares about it?
>
> I do.
>
> > I will try to extract parts of the memory using U-boot.
>
> good luck!
>
> > U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
> > mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3
>
> ok, so we know it's a MIPS architecture, and we know it's the fourgee3100
> (Altair 3100) for which it was originally written. The 3800 is likely
> backwards compatible then.
>
> > 'GUESS MODE - NO BOOT ALLOWED !!!'; fi
>
> whatever a GUESS MODE is
>
> > dtb_file=alt3802.dtb
>
> 3802 is even a more specific part number
>
> > lte_fw=PS100_RealPHY.elf
>
> also interesting that the PHY firmware comes as ELF file, would be
> interesting to see what ELF architecture it is for.
>
> > ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
>
> always surprising what kind of stone age versions are in use :)
>
> Please do keep us posted. I ordered one of those modems myself, too.

-- 
Shinjo Park
Security in Telecommunications
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 16 / D - 10587 Berlin, Germany
Phone: +49 30 8353 58272

From laforge at osmocom.org Thu Feb 6 14:10:27 2020
From: laforge at osmocom.org (Harald Welte)
Date: Thu, 6 Feb 2020 15:10:27 +0100
Subject: Platform ALT3800 as good target?
In-Reply-To: <2095807.jaDxuElD7r@brandenburg>
References: <20200205124317.GD343380@nataraja> <2095807.jaDxuElD7r@brandenburg>
Message-ID: <20200206141027.GM343380@nataraja>

On Thu, Feb 06, 2020 at 10:43:48AM +0100, Shinjo Park wrote:
> I didn't know that MikroTik is also doing LTE these days,

They are actually selling LTE eNB these days, not sure if you noticed that,
too? The products are called "InterCell". Unfortunately only in rather weird
bands so far.

-- 
- Harald Welte http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

From laforge at osmocom.org Fri Feb 7 13:45:04 2020
From: laforge at osmocom.org (Harald Welte)
Date: Fri, 7 Feb 2020 14:45:04 +0100
Subject: Platform ALT3800 as good target?
In-Reply-To:
References:
Message-ID: <20200207134504.GG545067@nataraja>

Hi Elias and community,

I created a redmine project on osmocom.org and added some initial
information at
https://osmocom.org/projects/altair-lte-modems/wiki/Mikrotik_R11e-4G

As can be seen, it's easy to get access to a serial console if you know
the pin-out and have one of our Osmocom mPCIe breakout boards.

Happy hacking!

-- 
- Harald Welte http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
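The two parsing steps Elias's Feb 3 script performs against the console (reading the partition table, and turning 'md.l' lines back into bytes) can be checked without a modem on the bench. What follows is an added example written for this archive, not code from the thread, from Elias or from Osmocom. It runs offline on constructed input: the mtdparts definition quoted from the modem's environment, expanded into the same table the 'mtdparts' command printed, and three md.l lines shaped the way U-Boot prints them. It takes the NAND to be 128 MiB, which is what the quoted listing implies (tstorage, the '-' partition, starts at 0x05e00000 with size 0x02200000, so the device ends at 0x08000000), and the CPU to be big-endian, as the mips- (not mipsel-) toolchain triplet in the U-Boot banner indicates. The continuity check is the part worth having: a dump pulled over a serial console that drops a chunk would otherwise produce a silently shifted image, and the script only prints a warning in that case.

```python
import re

# Constructed inputs (typed in here, not captured from a device): the
# mtdparts string quoted from the modem's U-Boot environment, and three
# md.l lines laid out the way U-Boot prints them ("addr: w0 w1 w2 w3    ascii").
MTDPARTS_ENV = (
    "mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),"
    "256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),"
    "256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage)"
)
# 128 MiB: the listing in the thread ends with tstorage at 0x05e00000 of size
# 0x02200000, i.e. the '-' partition runs out to 0x08000000.
NAND_SIZE = 0x08000000

MD_SAMPLE = (
    "md.l ${loadaddr} 0x80\r\n"
    "80100000: 27051956 12345678 00000000 001ffc00    '..V.4Vx........\r\n"
    "80100010: 80100000 80100000 deadbeef 00020205    ................\r\n"
    "80100020: 6b65726e 656c3100 00000000 00000000    kernel1.........\r\n"
    "# "
)

_UNIT = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
_PART_RE = re.compile(r"^(-|(?:0x[0-9a-f]+|\d+)[kmg]?)\(([^)]+)\)(ro)?$", re.I)
_MD_RE = re.compile(r"^([0-9a-f]{8}):((?: [0-9a-f]{8}){1,4})", re.I)


def parse_size(text):
    """'512k' -> 524288, '3m' -> 3145728, '0x40000' -> 262144."""
    unit = text[-1].lower() if text[-1].lower() in "kmg" else ""
    return int(text[:len(text) - len(unit)], 0) * _UNIT[unit]


def parse_mtdparts(spec, device_size):
    """Expand a mtdparts definition into the table U-Boot's 'mtdparts' prints.

    Returns (device id, [ {idx, name, size, offset, ro}, ... ]).  Offsets are
    cumulative; a single '-' size, allowed only last, takes the rest of the
    device; any partition running past device_size is rejected.
    """
    if spec.startswith("mtdparts="):
        spec = spec[len("mtdparts="):]
    dev_id, _, parts = spec.partition(":")
    entries = parts.split(",")
    table, offset = [], 0
    for idx, entry in enumerate(entries):
        m = _PART_RE.match(entry.strip())
        if not m:
            raise ValueError("unparseable mtdparts entry: %r" % entry)
        size_txt, name, ro = m.groups()
        if size_txt == "-":
            if idx != len(entries) - 1:
                raise ValueError("'-' (fill to end) is only valid for the last partition")
            size = device_size - offset
        else:
            size = parse_size(size_txt)
        if offset + size > device_size:
            raise ValueError("%s overruns the %#x-byte device" % (name, device_size))
        table.append({"idx": idx, "name": name, "size": size, "offset": offset, "ro": bool(ro)})
        offset += size
    return dev_id, table


def parse_md_dump(text, big_endian=True):
    """Turn the lines of a U-Boot 'md.l' dump back into the bytes in memory.

    Each word shown is the 32-bit value the CPU reads at that address, so it is
    re-serialised in the CPU's byte order; big-endian here, as the mips-
    (not mipsel-) toolchain triplet in the U-Boot banner indicates.  Lines that
    are not dump lines (the echoed command, the '#' prompt) are skipped.  A gap
    between lines, which is what a dropped serial chunk looks like, raises
    instead of silently producing a shifted image.  Returns (start address, bytes).
    """
    data = bytearray()
    base = expect = None
    for line in text.splitlines():
        m = _MD_RE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = expect = addr
        elif addr != expect:
            raise ValueError("dump not contiguous: expected %08x, got %08x" % (expect, addr))
        words = [int(w, 16) for w in m.group(2).split()]
        for w in words:
            data += w.to_bytes(4, "big" if big_endian else "little")
        expect = addr + 4 * len(words)
    return base, bytes(data)


if __name__ == "__main__":
    dev_id, table = parse_mtdparts(MTDPARTS_ENV, NAND_SIZE)
    print("device %s, # parts = %d" % (dev_id, len(table)))
    for p in table:
        print("%2d: %-20s0x%08x      0x%08x      %d" % (p["idx"], p["name"], p["size"], p["offset"], p["ro"]))
    base, data = parse_md_dump(MD_SAMPLE)
    print("%d bytes from 0x%08x, first word %s" % (len(data), base, data[:4].hex()))
```

Run as a script it prints the same fifteen rows as the quoted 'mtdparts' output, so a partition layout read from the environment can be cross-checked against the live table before anything is dumped. parse_md_dump accepts any number of words per line and either line terminator ('\r\n' or the '\n\r' the script splits on), and the first sample word, 0x27051956, is the uImage header magic, which is what one would expect at the start of a kernel partition. To use it against a real capture, feed it the concatenated console output of the md.l command and the repeated bare-CR continuations, and compare the returned length with the partition size from the table.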