RTL960x
RTL960x copied to clipboard
Anime4000
Nokia G-010S-Q
I have just recieved the G.PON transceiver from our Internet infrastructure provider (we pay them directly for Internet access, and because of their monopoly over DSL, until recently they were not allowed to be an ISP, only to provide their direct customers with a choice of ISPs, while directly supporting them), and while initially I had expected to receive a Nokia G-010S-A (with the Intel/Lantiq FALCON chipset), instead I was told (and subsequently, that is what we had recieved) that it will be q G-010S-Q.
I have just tore it down, and it appears to have a Realtek 9601C1 chipset, and 16MiB (128Mb) of CMOS storage by means of the Macronix MX25L12835F (not sure about RAM yet).
When you get a chance please post pictures of the board.
Does this SFP module have exposed UART pads?
No problem, I have already taken pictures, however I hadn't had time to upload them yet, except to a friend's and a local Telegram group.
I'm not 100% sure, however there are 3 pads which I believe are probably UART.
~Since the IBin website appears to be broken (pictures are only getting uploaded via API, and I cannot create an account to get my own API token, due to only Twitter login being supported, but cannot even connect), I have uploaded the pictures to Teknik (unfortunately, that means that the links will expire tomorrow)~ Never mind, I see I can upload directly to GitHub, even above 5MB:
Top part removed: ~https://u.teknik.io/dP4Ct.jpg~
Chipset on bottom of PCB revealed: ~https://u.teknik.io/zyaE6.jpg~
I see now that the second picture turned out very blurry, I'll try again when I have the chance, although it was not easy to hold it open like that in one hand (it kept trying to break down in my hand).
@moriel5 nice, RTL9601CI
you can start backup original nokia firmware by full bin dump, then try flash V2801F firmware in it, make sure VS_AUTH_KEY is set
Thanks, I'll think about it (although I personally prefer the OpenWrt LuCi GUI, since I have been using it for the past few years on all of our routers), however I cannot replace the firmware before the serial gets added to the ISP's system, since they actually verify what firmware it is running while doing so, and if the firmware isn't in the whitelist, they will refuse to add the serial number, hereby not letting us connect at all.
most RTL960x can change serial number, most OMCI info can be change
this nokia have proper SFP info reporting including RX TX reading through router?
if it's RTL9601CI, I don't see the TX\RX UART pinout exposed (but second photo is very blurry) If you can upload another one...
thx :)
I believe the contact pads at the top left of the board (when looking at the second picture), one above the top right corner of and two below the bottom center and bottom left corner of the small chip to be the UART pinout pads.
I'll try to take a better picture when I have the time.
I believe the contact pads at the top left of the board (when looking at the second picture), one above the top right corner of and two below the bottom center and bottom left corner of the small chip to be the UART pinout pads.
I'll try to take a better picture when I have the time.
We know the exact PIN out for UART. If you have a multimeter can be check if those pads are correct.
On the gits there is the pinout from @tdmadam od RTL9601CI
No problem.
When I have time to open it up again, in addition to attempting to take a clearer image, I'll also check the pinout (that is why I always have a multimeter at the desk).
I haven't yet had the time to test anything, however my sister helped me take a better picture (with her phone, since it also has superior photo processing due to Samsung's efforts (Galaxy S20 FE 4G Qualcomm, vs my Razer Phone 2), so here it is.
I shall now commence with testing the contact pads.
This is odd, I cannot seem to get continuity with any of the pads.
Update: I cannot seem to get continuity with anything on the board, including the pins of the chips. I have continuity when touching both probes together or to the same metal piece (as should be), however nothing with the module, and the module works without any issue.
Bad news, my G-010S-Q is no longer detected by my SFP NICs, at all.
Which is weird, since all I did was continuity testing, without running any dangerous amount of voltage (especially not AC).
Update: Right after posting this, it was suddenly picked up, so it is still alive.
Update 2: Something is certainly wrong now, since the SFP module is trying to draw too much power, and cause the entire system to hang. Right now the system just rebooted on it's own as a result.
Thankfully, the issues above are mysteriously gone, however I only have a short time before my SFP NICs refuse to see the module until a reboot (it would appear as though the G-010S-A's issues are also found with the G-010S-Q), whereas I had much more time before, but with the same issues.
Update: It appears that there are overheating issues sure to the thermal pad having broken down sufficiently from all the time I had disassembled and reassembled the module.
And @stich86, my Chinese Intel i210 (i210AS, to be precise) is working just as well as my Dell Y40PH (followup from the G-010S-A thread).
192.168.100.1 is also inaccessible, though.
I recently obtained a Nokia G-010S-Q module (from Bezeq in Israel; the same source as @moriel5). In terms of LAN-side IP-based access/management, it seems to be similar to many Nokia G-010G-P/Q bridge ONTs, that is:
The IP address is 192.168.100.1
It has an http interface (on port 80) and a telnet interface (on port 23); the user/password is admin/1234 for both. A port-scan up to 11000 didn't find any additional open ports.
Both interfaces are very minimal and let you do just one thing: change the PLOAM Password. The http interface also has a read-only page with some minimal system information (serial number, firmware version, etc.).
Both interfaces are accessible when the fiber is disconnected. Once the fiber is connected, the http interface goes down (and the module needs to be power-cycled with disconnected fiber to get it back). The telnet interface remains active with or without a connected fiber. Note that I never used the device in an authenticated (O5) state (because I couldn't change the serial number), so what I write about the behavior with a connected fiber relates to an unregistered module that cannot achieve authentication. I have no idea what happens with an authenticated module.
The module provides DDM information (notably, tx/rx power and temperature) that is accessible when it is installed in a MikroTik router/switch.
Here are some images of the management interfaces:
if you can dump G-010S-Q SPI Flash, we can check if they still use same realtek sdk, see if can load V2801F
if you can dump G-010S-Q SPI Flash, we can check if they still use same realtek sdk, see if can load V2801F
I don't know how to do that without shell access to the device (which I don't know how to obtain at this time; as far as I can tell, the telnet interface doesn't allow such access). Do you have any ideas how one may be able to obtain shell access?
this need hack that stick at hardware level, you need CH341a programmer and read stick SPI Flash, if we can modify the firmware or use V2801F firmware would be nice
this need hack that stick at hardware level, you need CH341a programmer and read stick SPI Flash,
Unfortunately, I don't have the hardware (or experience) to do such things.
if we can modify the firmware or use V2801F firmware would be nice
It will definitely be good to have more access to the module and to be able to change more things than just the PLOAM password. However, I fail to see why one should want to completely replace the firmware with that of a different module. This Nokia G-010S-Q isn't particularly cheap or easy to obtain. A much more configurable ODI DFP-34X-2C2 costs about 15% less than what Bezeq charges for it.
@Anime4000 When I have the time, I'll do so with my unit.
I have a CH341b (pretty much the same thing as the CH341a) ready, as well as the clips, with the only thing missing (apparently I had lost it, it should be somewhere on my desk) is simply the adapter board to connect the clips the the programmer.
@moriel5 could you please send us the serial number? we might be able to give you an unlocked shell, but we are not sure
Sure, however the firmware version will have to remain the same, otherwise the network provider will refuse to activate it.
S/N: ALCLF99181D6 Firmware version: 3FE49494AOCK21
@itfan1 What Bezeq charges is relatively cheap for the specific models that they sell (which only goes to show how ridiculously overpriced G.PON equipment is in general).
I have seen these start at roughly $68 2nd hand, and start at roughly $86.5 first hand.
Sure, however the firmware version will have to remain the same, otherwise the network provider will refuse to activate it.
S/N: ALCLF99181D6 Firmware version: 3FE49494AOCK21
username: ONTUSER password: mhXyTySz2LuDGQG9
can you try this via telnet?
@arianaglande I'll try it when I have the time, currently I'm trying to diagnose why my desktop keeps on hanging at random.
And @Anime4000, unfortunately, my clips don't match the chip (my clips are SOIC-8 clips, and the chip is a WSON-8 chip (the largest option, at 8x6mm, according to Macronix's datasheet). Any other ideas how to do this, since I was unable to identify the contact pads on my unit?
@moriel5
you can use Flying Probe like this
if pad not visible, need de solder