Hello, I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset. I was amazed when I got a U-Boot console after command at+cfun=1,1 and sending several random characters. I assume it's not news for seasoned wolves who hunt here. As a modem rookie I did not find a relevant link to this topic during Google's fast search.
My questions. Is this behavior generally known? Can this be a one-piece property (I have only one piece)? Could it be useful for interesting research? Is there anyone who cares about it?
I will try to extract parts of the memory using U-boot.
Below you find pieces of the listing.
Best, Elias
# help help
? - alias for 'help'
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootfw - Load and boot FW from ELF image in memory
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
bootvx - Boot vxWorks from an ELF image
chpart - change active partition
clocks - print clock configuration
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
create_bdinfo- Create Board info
dhcp - boot image via network using DHCP/TFTP protocol
dip - show the Boot mode configuration options
echo - echo args to console
editenv - edit environment variable
env - environment handling commands
exit - exit script
false - do nothing, unsuccessfully
fdt - flattened device tree utility commands
fsinfo - print information about filesystems
fsload - load binary file from a filesystem image
fsloadbsp- load bsp binary files from a filesystem image
fstest - testing filesystems
go - start application at address '[*]addr' (possibly be indirect address)
gpio - input/set/clear/toggle gpio pins
help - print command description/usage
i2c - I2C sub-system
iminfo - print header information for application image
imxtract- extract a part of a multi-image
initfw - Init FW PLLs
itest - return true/false on integer compare
kermit_stat- Show statistics of the last Kermit session
kermit_stat_print- print kermit statistics at the end of session
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
loopw - infinite write loop on address range
ls - list files in a directory (default /)
md - memory display
md5sum - compute MD5 message digest
mdc - memory display cyclic
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mtdparts- define flash/nand partitions
mtest - simple RAM read/write test
mw - memory write (fill)
mwc - memory write cyclic
nand - NAND sub-system
nandotp - NAND OTP sub-system
nboot - boot from NAND device
nfs - boot image via network using NFS protocol
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
rarpboot- boot image via network using RARP/TFTP protocol
reginfo - print register information
reset - Perform RESET of the CPU
reset_cause- print reset cause
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
show_bdinfo- Show board info
showvar - print local hushshell variables
sleep - delay execution for some time
source - run script from memory
test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
true - do nothing, successfully
unlzo - decopress a lzo memory region
unzip - unzip a memory region
version - print monitor, compiler and linker version

U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3
GNU ld (GNU Binutils) 2.21
# baudrate=115200
boot_default=run flash_boot
boot_nand_mtd=run nand_choose_rootfs; run flash_set_bootargs; nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size}; bootm ${loadaddr} - ${dtb_addr}
boot_nand_ramfs=run ram_set_bootargs; nboot kernel${boot_number}; bootm
boot_number=2
boot_option=boot_default
boot_tftp_ramfs=run ram_set_bootargs; ${tftpbootcmd} vmlinux.uboot; bootm ${loadaddr}
bootcmd=if itest.b 0 == *a00d001b; then run ${boot_option}; else echo 'GUESS MODE - NO BOOT ALLOWED !!!'; fi
bootdelay=6
bootm_low=0x82100000
bootm_size=0x6000000
cdc_connect_timeout=10
consoledev=ttyS0
dtb_addr=0x84000000
dtb_file=alt3802.dtb
dtb_size=0x4000
env_check=if test ${env_saved} = 0; then setenv env_saved 1; saveenv; fi
env_configured_size=0x4000
env_saved=1
erase_env_nand=nand erase.part env; nand erase.part backup_env
eth_phy_mode=rmii
ethact=usb_ether
ethaddr=00:E0:0C:00:11:A0
fastboot=setenv loadaddr ${fastboot_loadaddr};run loadfw; if test $? -eq 0; then bootfw ${unziped_fwaddr} 1; fi; run loadotp; if run loadbsp;then run process_fw; fi;
fastboot_loadaddr=0x82800000
fdt_high=0x83000000
fdtdbg=no
flash_boot=run nand_choose_rootfs; run flash_set_bootargs; run fastboot; nboot kernel${boot_number}; nand read ${dtb_addr} dtb${boot_number} ${dtb_size}; bootm ${loadaddr} - ${dtb_addr}
flash_set_bootargs=setenv bootargs $ip root=${root} rw rootfstype=jffs2 console=$consoledev,$kernel_baudrate $othbootargs $kernellog
gatewayip=0.0.0.0
hostname=alt3800
initrd_high=0x83000000
ipaddr=10.0.0.1
kernel_baudrate=115200
kernel_file=uImage
kernellog=quiet
load_fw=run load_phy_fw; run load_lte_fw
load_lte_fw=${tftpbootcmd} $lte_fw; setenv fw_type LTE; bootelf
load_phy_fw=${tftpbootcmd} $phy_fw; setenv fw_type PHY; bootelf
loadaddr=0x80100000
loadbsp=chpart nvm; fsloadbsp 1 ${ramFilesShAddr} band_list bandbp file_list bspfilesbp
loadfw= nand read.jffs2 ${loadaddr} modem_fw${boot_number}; unlzo ${loadaddr} ${unziped_fwaddr};
loadotp=nandotp read ${ramOtpShAddr} spl 20
lte_fw=PS100_RealPHY.elf
mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage)
nand128_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),-(tstorage)
nand128_scheme2_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),53m(rootfs1),4m(kernel2),256k(dtb2),53m(rootfs2),4m(modem_fw1),4m(modem_fw2)
nand256_mtdparts=mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),256k(backup_env),3m(nvm),4m(kernel1),256k(dtb1),40m(rootfs1),4m(kernel2),256k(dtb2),40m(rootfs2),4m(modem_fw1),4m(modem_fw2),10m(ua),-(tstorage)
nand_choose_rootfs=if test 1 = ${boot_number}; then setenv root /dev/mtdblock8;else setenv root /dev/mtdblock11; fi
nand_erasesize=20000
nand_oobsize=40
nand_uboot_file=u-boot.bin
nand_uboot_spl_file=u-boot-spl.bin.alt3800
nand_writesize=800
nc=run nchelp; setenv stdin nc;setenv stdout nc;setenv stderr nc
nchelp=echo On the host side run the script: ./netconsole $ipaddr $ncinport
ncinport=6665
ncip=10.0.0.10
ncmux=run nchelp; setenv stdout ${stdout},nc; setenv stdin ${stdin},nc; setenv stderr ${stderr},nc
ncoutport=6665
netdev=eth0
netmask=255.255.0.0
nvm_file=nvm.jffs2.img
phy_dbgstreamer=0
phy_fw=Lte.out
phy_sniffer=0
preboot=run env_check; if test -n $prebootcmd; then echo; echo Running pre-boot command; run prebootcmd;fi;
process_fw=initfw; bootfw ${unziped_fwaddr} 0
ramFilesShAddr=0xA030004c
ramOtpShAddr=0xA0300000
ram_set_bootargs=setenv bootargs $ip root=/dev/ram rw console=$consoledev,$kernel_baudrate $othbootargs $kernellog
rootfs_file=rootfs.jffs2.img
ser=setenv stdin serial;setenv stdout serial;setenv stderr serial
serverip=10.0.0.10
set_ip=setenv ip ip=$ipaddr:$serverip:$gatewayip:$netmask:$hostname:$netdev:off
stderr=serial,usbtty
stdin=serial,usbtty
stdout=serial,usbtty
testdramaddress=no
testdramcache=yes
testdramcount=1
testdramdata=no
testdramsize=0x08000000
testdramstart=0x80100000
testdramwalk=no
tftpbootcmd=tftpboot
toggle_boot_number=if test 1 = ${boot_number}; then set boot_number 2; else set boot_number 1; fi; saveenv
unziped_fwaddr=0x83000000
update_all=run update_all_nand
update_all_nand=run update_kernel_nand update_dtb_nand update_rootfs_nand
update_dtb=run update_dtb_nand
update_dtb_nand=if ${tftpbootcmd} ${dtb_file}; then nand erase.part dtb${boot_number}; nand write ${loadaddr} dtb${boot_number} ${filesize}; fi
update_kernel=run update_kernel_nand
update_kernel_nand=if ${tftpbootcmd} ${kernel_file}; then nand erase.part kernel${boot_number}; nand write ${loadaddr} kernel${boot_number} ${filesize}; fi
update_linux=${tftpbootcmd} uImage
update_multi_img=run update_multi_img_nand
update_multi_img_nand=setenv kernel_file vmlinux.uboot; run update_kernel_nand
update_nvm=run update_nvm_nand
update_nvm_nand=if ${tftpbootcmd} ${nvm_file}; then nand erase.part nvm; nand write ${loadaddr} nvm ${filesize}; fi
update_ramdisk=${tftpbootcmd} $ramdiskaddr ramdisk.gz.uboot
update_rootfs=run update_rootfs_nand
update_rootfs_nand=if ${tftpbootcmd} ${rootfs_file}; then nand erase.part rootfs${boot_number}; nand write ${loadaddr} rootfs${boot_number} ${filesize}; fi
update_uboot=run update_uboot_nand
update_uboot_nand=run update_uboot_nand_spl update_uboot_nand_non_spl erase_env_nand
update_uboot_nand_non_spl=if ${tftpbootcmd} ${nand_uboot_file}; then nand erase.part uboot1; nand write ${loadaddr} uboot1 ${filesize}; nand erase.part uboot2; nand write ${loadaddr} uboot2 ${filesize}; fi
update_uboot_nand_spl=if ${tftpbootcmd} ${nand_uboot_spl_file}; then nand erase.part spl; nand write ${loadaddr} spl ${filesize}; fi
usbphymode=0
usbtty=cdc_acm
ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
Environment size: 6184/16379 bytes
mtdparts
device nand0 <alt3800_nfc>, # parts = 15
 #: name         size        offset      mask_flags
 0: spl          0x00080000  0x00000000  0
 1: uboot1       0x000c0000  0x00080000  0
 2: uboot2       0x000c0000  0x00140000  0
 3: env          0x00040000  0x00200000  0
 4: backup_env   0x00040000  0x00240000  0
 5: nvm          0x00300000  0x00280000  0
 6: kernel1      0x00300000  0x00580000  0
 7: dtb1         0x00040000  0x00880000  0
 8: rootfs1      0x02500000  0x008c0000  0
 9: kernel2      0x00300000  0x02dc0000  0
10: dtb2         0x00040000  0x030c0000  0
11: rootfs2      0x02500000  0x03100000  0
12: modem_fw1    0x00400000  0x05600000  0
13: modem_fw2    0x00400000  0x05a00000  0
14: tstorage     0x02200000  0x05e00000  0
active partition: nand0,0 - (spl) 0x00080000 @ 0x00000000
defaults:
mtdids : nand0=alt3800_nfc
mtdparts: uninitialized
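The mtdparts variable and the table printed by the mtdparts command describe the same flash layout, so expanding one and comparing it with the other is a useful consistency check before a dump is split into partitions. The following is an added example, not part of the original post: parse_mtdparts, table_mismatches and the 128 MiB device size (inferred from the end of the last table row) are assumptions of this example.

```python
import re
from collections import namedtuple

Part = namedtuple("Part", "index name size offset")

# Value of the "mtdparts" variable, copied from the printenv listing above.
MTDPARTS = (
    "mtdparts=alt3800_nfc:512k(spl),768k(uboot1),768k(uboot2),256k(env),"
    "256k(backup_env),3m(nvm),3m(kernel1),256k(dtb1),37m(rootfs1),"
    "3m(kernel2),256k(dtb2),37m(rootfs2),4m(modem_fw1),4m(modem_fw2),"
    "-(tstorage)"
)

# Rows of the "mtdparts" command output, copied from the listing above.
TABLE = """\
 0: spl        0x00080000 0x00000000 0
 1: uboot1     0x000c0000 0x00080000 0
 2: uboot2     0x000c0000 0x00140000 0
 3: env        0x00040000 0x00200000 0
 4: backup_env 0x00040000 0x00240000 0
 5: nvm        0x00300000 0x00280000 0
 6: kernel1    0x00300000 0x00580000 0
 7: dtb1       0x00040000 0x00880000 0
 8: rootfs1    0x02500000 0x008c0000 0
 9: kernel2    0x00300000 0x02dc0000 0
10: dtb2       0x00040000 0x030c0000 0
11: rootfs2    0x02500000 0x03100000 0
12: modem_fw1  0x00400000 0x05600000 0
13: modem_fw2  0x00400000 0x05a00000 0
14: tstorage   0x02200000 0x05e00000 0
"""

# Assumption: 128 MiB device, taken from the end of the last table row
# (0x05e00000 + 0x02200000); the page does not state the chip size directly.
NAND_SIZE = 0x08000000

UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
SPEC_RE = re.compile(
    r"^(-|0x[0-9a-f]+|\d+)([kmg]?)"          # size, or "-" for the remainder
    r"(?:@(0x[0-9a-f]+|\d+)([kmg]?))?"       # optional explicit offset
    r"\(([^)]+)\)(?:ro|lk)*$",               # name, optional flags
    re.IGNORECASE,
)
ROW_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", re.I | re.M)


def _bytes(number, unit):
    base = 16 if number.lower().startswith("0x") else 10
    return int(number, base) * UNITS[unit.lower()]


def parse_mtdparts(value, device_size):
    """Expand one device's mtdparts string into absolute sizes and offsets."""
    value = value.split("=", 1)[1] if value.startswith("mtdparts=") else value
    if ";" in value:
        raise ValueError("more than one MTD device in the string")
    mtd_id, _, spec = value.partition(":")
    parts, cursor = [], 0
    for index, item in enumerate(spec.split(",")):
        m = SPEC_RE.match(item.strip())
        if m is None:
            raise ValueError("unparsable partition spec: %r" % item)
        size_txt, size_unit, off_txt, off_unit, name = m.groups()
        offset = _bytes(off_txt, off_unit) if off_txt else cursor
        size = device_size - offset if size_txt == "-" else _bytes(size_txt, size_unit)
        if size <= 0 or offset + size > device_size:
            raise ValueError("partition %s does not fit the device" % name)
        parts.append(Part(index, name, size, offset))
        cursor = offset + size
    return mtd_id, parts


def table_mismatches(parts, table_text):
    """Indexes where the computed layout and the printed rows disagree."""
    printed = {int(i): (n, int(s, 16), int(o, 16))
               for i, n, s, o in ROW_RE.findall(table_text)}
    computed = {p.index: (p.name, p.size, p.offset) for p in parts}
    return sorted(k for k in printed.keys() | computed.keys()
                  if printed.get(k) != computed.get(k))


if __name__ == "__main__":
    mtd_id, parts = parse_mtdparts(MTDPARTS, NAND_SIZE)
    for p in parts:
        print("%2d %-10s size=0x%08x offset=0x%08x" % p)
    print("mismatching rows:", table_mismatches(parts, TABLE))
```

Partitions 8 and 11 come out as rootfs1 and rootfs2, which agrees with the /dev/mtdblock8 and /dev/mtdblock11 choices in nand_choose_rootfs.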
Hello, This is a python script to download flash memory content.
import serial
import time
import re

dev_name = '/dev/ttyACM0'
scoop_size = 0x80  # number of 32-bit words requested per md.l call


def xmit(data, xtimeout=0.1):
    # Open the port, send one command and collect everything that comes back.
    response = b''
    try:
        with serial.Serial(dev_name, timeout=xtimeout) as ser:
            ser.write(data.encode())
            while True:
                response_tmp = ser.read(1024)
                response += response_tmp
                if not len(response_tmp) == 1024:
                    break
    except (OSError, FileNotFoundError, serial.serialutil.SerialException) as e:
        # The port can be unavailable, e.g. while the modem resets.
        print('IO exception')
        time.sleep(2)
    # Do not raise on bytes that are not valid UTF-8.
    return response.decode('utf-8', errors='replace')


def send_at(at_cmd):
    at_cmd += '\r'
    return xmit(at_cmd, xtimeout=1.0)


def get_mtd_table():
    # Parse the partition table printed by U-Boot into a list of dicts.
    response = xmit('mtd\r')
    start = response.find('#:')
    if start < 0:
        return []
    line_idx = 0
    output = []
    for line in response[start:].split('\n\r'):
        if len(line) < 2:
            break
        if line.find('#') >= 0:
            continue  # header line
        rows = line.split()
        row_idx = 0
        row_dict = {}
        row_names = ["idx", "name", "size", "offset", "flags"]
        for row in rows:
            if row_idx == 0:
                row = re.sub(':$', '', row)
            row_dict[row_names[row_idx]] = row
            row_idx += 1
        output.append(row_dict)
        line_idx += 1
    return output


def dump_part(record):
    # Read one partition into RAM, then page through it with md.l and
    # write the displayed words to a file named after the partition.
    part_size = int(record['size'], 16)
    name = record['name']
    with open(name, 'wb') as fd:
        response = xmit('nand read ${loadaddr} ' + name + '\r')
        print(response)
        response = xmit('md.l ${loadaddr} ' + hex(scoop_size) + '\r')
        start_part_addr = -1
        start_line_addr = 0
        linear_addr = 0
        run = True
        while run:
            for line in response.split('\n\r'):
                if not run:
                    break
                if line.find(':') < 0:
                    continue
                rows = line.split()
                start_line_addr = int(re.sub(':$', '', rows[0]), 16)
                if start_part_addr < 0:
                    start_part_addr = start_line_addr
                if start_line_addr != linear_addr + start_part_addr:
                    print('error: linear_addr {} != start_line_addr {}'.format(linear_addr + start_part_addr, start_line_addr))
                for i in range(1, 5):
                    fd.write(int(rows[i], 16).to_bytes(4, byteorder='big', signed=False))
                    linear_addr += 4
                    if linear_addr >= part_size:
                        run = False
                        break
            print('linear_addr {}, part_size {}'.format(linear_addr, part_size))
            if linear_addr >= part_size:
                run = False
                break
            else:
                # An empty line repeats md.l from the next address.
                response = xmit('\r')
    xmit(' \r')


for n in range(4):
    response = send_at('AT')
    if len(response) > 0:
        break
    else:
        time.sleep(4)
send_at('AT')
response = send_at('AT+CFUN?')
if response.find('+CFUN:') >= 0:
    print('in AT mode')
    send_at('AT+CFUN=1,1')
    time.sleep(1)
response = xmit(' \r')
while response.find('#') < 0:
    time.sleep(1)
    response = xmit(' \r')
if response.find('#') >= 0:
    print('in U-Boot')
    xmit(' \r')
    mtd_table = get_mtd_table()
    for record in mtd_table:
        dump_part(record)
    print('switching back into AT mode')
    xmit('run boot_default\r')
else:
    print('error: switching into U-Boot failed')
On Wed, 29 Jan 2020 at 00:28, Elias Devoldere eldevoldere@gmail.com wrote:
Hi Elias,
On Mon, Feb 03, 2020 at 01:04:10PM +0100, Elias Devoldere wrote:
> This is a python script to download flash memory content.
Thanks. Unfortunately it looks like your e-mail client has completely upset the indenting, which in python is fatal.
Hi Elias,
thanks for reaching out.
On Wed, Jan 29, 2020 at 12:28:37AM +0100, Elias Devoldere wrote:
> I was playing with LTE modem R11e-4G based on ALT3800-B0 chipset.
I've read about Altair (now part of Sony) based modems, but never had any actual contact with them.
It seems that one HL78 NB-IoT modem from Sierra Wireless as well as the L866 from Telit seem to be based on Altair, but I wasn't aware that Mikrotik is also using Altair.
> I was amazed when I got a U-Boot console after command at+cfun=1,1 and sending several random characters. I assume it's not news for seasoned wolves who hunt here.
This is highly unexpected, of course.
> Is this behavior generally known?
I've never heard of it, certainly it was not a topic in Osmocom so far.
> Can this be a one-piece property (I have only one piece)?
possibly, but more likely it relates to the specific firmware build.
> Could it be useful for interesting research?
of course.
> Is there anyone who cares about it?
I do.
> I will try to extract parts of the memory using U-boot.
good luck!
> U-Boot 2012.10 (Aug 09 2018 - 10:17:38) mips-fourgee3100-linux-uclibc-gcc (0.1) 4.5.3
ok, so we know it's a MIPS architecture, and we know it's the fourgee3100 (Altair 3100) for which it was originally written. The 3800 is likely backwards compatible then.
> 'GUESS MODE - NO BOOT ALLOWED !!!'; fi
whatever a GUESS MODE is
> dtb_file=alt3802.dtb
3802 is even a more specific part number
> lte_fw=PS100_RealPHY.elf
also interesting that the PHY firmware comes as ELF file, would be interesting to see what ELF architecture it is for.
> ver=U-Boot 2012.10 (Aug 09 2018 - 10:17:38)
always surprising what kind of stone age versions are in use :)
Please do keep us posted. I ordered one of those modems myself, too.
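The environment quoted in this thread can be checked mechanically for settings that fit the reported behaviour (a U-Boot prompt reachable from the USB port after a reset). The following is an added example, not part of any post: the rule names and the functions parse_printenv and audit are made up here, and it assumes standard U-Boot semantics, where bootdelay is the autoboot countdown that console input can interrupt and stdin lists the devices accepted as console input.

```python
import re

# Constructed sample: a few variables copied from the printenv listing in this thread.
PRINTENV = """\
baudrate=115200
bootcmd=if itest.b 0 == *a00d001b; then run ${boot_option}; else echo 'GUESS MODE - NO BOOT ALLOWED !!!'; fi
bootdelay=6
nc=run nchelp; setenv stdin nc;setenv stdout nc;setenv stderr nc
stderr=serial,usbtty
stdin=serial,usbtty
stdout=serial,usbtty
update_uboot_nand_spl=if ${tftpbootcmd} ${nand_uboot_spl_file}; then nand erase.part spl; nand write ${loadaddr} spl ${filesize}; fi
usbtty=cdc_acm

Environment size: 6184/16379 bytes
"""

# A leading "# " is tolerated because the prompt is fused to the first line above.
NAME_VALUE = re.compile(r"^(?:#\s*)?([A-Za-z0-9_.]+)=(.*)$")


def parse_printenv(text):
    """Turn the 'name=value' lines of printenv output into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip("\r ")
        if not line or line.startswith("Environment size:"):
            continue
        m = NAME_VALUE.match(line)
        if m:
            env[m.group(1)] = m.group(2)
    return env


def audit(env):
    """Return (rule, variable, detail) findings for a parsed environment."""
    findings = []
    delay = env.get("bootdelay")
    if delay is not None and re.fullmatch(r"-?\d+", delay):
        if int(delay) > 0:
            findings.append(("autoboot-window", "bootdelay",
                             "autoboot waits %s s for console input" % delay))
        elif int(delay) == -1:
            findings.append(("autoboot-disabled", "bootdelay",
                             "boot stops at the prompt"))
    for dev in env.get("stdin", "").split(","):
        if dev and dev != "serial":
            findings.append(("extra-console-input", "stdin",
                             "console input accepted from %s" % dev))
    for name in sorted(env):
        value = env[name]
        if re.search(r"\bnand\s+(write|erase)", value):
            findings.append(("flash-write-script", name, "rewrites NAND when run"))
        if re.search(r"setenv\s+stdin\s+\S*\bnc\b", value):
            findings.append(("netconsole-switch", name,
                             "moves console input to the network"))
    return findings


if __name__ == "__main__":
    for rule, variable, detail in audit(parse_printenv(PRINTENV)):
        print("%-20s %-24s %s" % (rule, variable, detail))
```

A vendor build that is meant to keep the bootloader closed can run the same check against its default environment as a release gate; an empty result only means none of these four patterns matched.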
Hi all,
I didn't know that MikroTik is also doing LTE these days, and seems that there are more interesting products from them.
They also have additional modems:
* R11e-LTE: https://mikrotik.com/product/r11e_lte
* R11e-LTE-US: https://mikrotik.com/product/r11e_lte_us
* R11e-LTE6: https://mikrotik.com/product/r11e_lte6
According to internal photos for FCC ID [1], R11e-LTE6 seems to have... ASR Micro LTE modems. Never heard about that company before, but seems that they have acquired Marvell's baseband business and their chipset is used in mobile routers. R11e-LTE-US [2] and probably also R11e-LTE seem to use Qualcomm MDM9207, nothing seems so special here.
[1] https://fcc.report/FCC-ID/TV711ELTE6/4191387
[2] https://fccid.io/TV7R11ELTE/Internal-Photos/Internal-Photos-3591471
Best regards, Shinjo
On Wednesday, 5 February 2020 at 1:43:17 PM CET, Harald Welte wrote:
On Thu, Feb 06, 2020 at 10:43:48AM +0100, Shinjo Park wrote:
> I didn't know that MikroTik is also doing LTE these days,
They are actually selling LTE eNB these days, not sure if you noticed that, too?
The products are called "InterCell"
Unfortunately only in rather weird bands so far.
Hi Elias and community,
I created a redmine project on osmocom.org and added some initial information at https://osmocom.org/projects/altair-lte-modems/wiki/Mikrotik_R11e-4G
As can be seen, it's easy to get access to a serial console if you know the pin-out and have one of our Osmocom mPCIe breakout boards.
Happy hacking!
qc-linux-modems@lists.osmocom.org