optus-sagemcom-fast-3864-hacks
Successfully got access from the serial console
Update: The latest updates will be available at https://github.com/rikka0w0/fast3864op-hacks
I disassembled a Sagemcom F@st 3864OP and soldered 4-pin headers to the PCB board, then hooked it up to a USB-UART 3.3V dongle. On my PC, I started a serial monitor (the baud rate is 115200) and got an interactive console. I was able to log in with the following credentials:
user: admin
password: 0ptU%1M5
Although it is not a Linux shell, it supports several commands (listed below), and the sh command will get you a real Linux shell.
> swversion
8.353.1_F@ST5350_Optus
> help
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
brctl
cat
virtualserver
ddns
df
loglevel
logdest
dumpcfg
dumpmdm
dm
dumpeid
mdm
meminfo
psp
kill
dumpsysinfo
exitOnIdle
dnsproxy
syslog
echo
ifconfig
ping
ps
pwd
sntp
sysinfo
tftp
voice
dect
wlctl
arp
defaultgateway
dhcpserver
dns
lan
lanhosts
passwd
ppp
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
wan
mcpctl
The following is a demonstration of the Linux shell:
> sh
BusyBox v1.17.2 (2016-07-23 18:57:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# ls /bin/*
/bin/acs_cli /bin/ftl_format /bin/setmem
/bin/acsd /bin/gmac /bin/sh
/bin/adsl /bin/gmacctl /bin/sleep
/bin/adslctl /bin/grep /bin/smbd
/bin/arl /bin/gunzip /bin/smbpasswd
/bin/arlctl /bin/hotplug /bin/smd
/bin/ash /bin/hspotap /bin/sntp
/bin/bash /bin/httpd /bin/spdsvc
/bin/bcm_boot_launcher /bin/ip /bin/spu
/bin/bpm /bin/ip6tables /bin/spuctl
/bin/bpmctl /bin/ippd /bin/ss
/bin/brctl /bin/iptables /bin/ssk
/bin/bsd /bin/iq /bin/stress
/bin/busybox /bin/iqctl /bin/stty
/bin/cat /bin/kill /bin/swmdk
/bin/chmod /bin/lld2d /bin/sync
/bin/consoled /bin/ln /bin/tc
/bin/cp /bin/ls /bin/telnetd
/bin/dart /bin/mcp /bin/tmsctl
/bin/date /bin/mcpctl /bin/tr69c
/bin/ddnsd /bin/mcpd /bin/true
/bin/dectd /bin/mdkshell /bin/ubiattach
/bin/deluser /bin/mkdir /bin/ubicrc32
/bin/df /bin/mknod /bin/ubidetach
/bin/dhcp6c /bin/mount /bin/ubiformat
/bin/dhcp6s /bin/mtd_debug /bin/ubimkvol
/bin/dhcpc /bin/mtdinfo /bin/ubinfo
/bin/dhcpd /bin/nanddump /bin/ubirename
/bin/diag_ping /bin/nandtest /bin/ubirmvol
/bin/dmesg /bin/nandwrite /bin/ubirsvol
/bin/dnsproxy /bin/nas /bin/ubiupdatevol
/bin/dnsspoof /bin/nas4not /bin/udhcpd
/bin/doc_loadbios /bin/nbtscan /bin/umount
/bin/dry /bin/ntfs-3g /bin/upnp
/bin/dsldiagd /bin/nvram /bin/urlfilterd
/bin/dumpmem /bin/nvramUpdate /bin/usb_modeswitch
/bin/eapd /bin/openl2tpd /bin/vlanctl
/bin/ebtables /bin/openssl /bin/vodsl
/bin/echo /bin/ping /bin/wl
/bin/epi_ttcp /bin/ping6 /bin/wl_server
/bin/ethctl /bin/pppd /bin/wl_server_socket
/bin/ethswctl /bin/ps /bin/wlctl
/bin/false /bin/pwd /bin/wlevt
/bin/fap /bin/pwr /bin/wlmngr
/bin/fapctl /bin/pwrctl /bin/wps_monitor
/bin/fast /bin/radvd /bin/xdslctl
/bin/fc /bin/rastatus6 /bin/xtables-multi
/bin/fcctl /bin/rawSocketTest /bin/xtm
/bin/flash_erase /bin/ripd /bin/xtmctl
/bin/flash_otp_dump /bin/rm /bin/zcat
/bin/flash_otp_info /bin/scriptDaemon /bin/zebra
/bin/flashcp /bin/send_cms_msg
# cat /proc/cpuinfo
system type : F@ST3864V2
processor : 0
cpu model : Broadcom BMIPS4350 V8.0
BogoMIPS : 397.31
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
ASEs implemented :
shadow register sets : 1
kscratch registers : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available
processor : 1
cpu model : Broadcom BMIPS4350 V8.0
BogoMIPS : 403.45
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
ASEs implemented :
shadow register sets : 1
kscratch registers : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available
# mount
rootfs on / type rootfs (rw)
mtd:rootfs on / type jffs2 (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime,size=420k)
tmpfs on /mnt type tmpfs (rw,relatime,size=16k)
sysfs on /sys type sysfs (rw,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,relatime)
mtd:data on /data type jffs2 (rw,relatime)
none on /proc/bus/usb type usbfs (rw,relatime)
# free
sh: free: not found
# cat /proc/meminfo
MemTotal: 123396 kB
MemFree: 55004 kB
Buffers: 0 kB
Cached: 20432 kB
SwapCached: 0 kB
Active: 6400 kB
Inactive: 17564 kB
Active(anon): 3532 kB
Inactive(anon): 0 kB
Active(file): 2868 kB
Inactive(file): 17564 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 3520 kB
Mapped: 3660 kB
Shmem: 0 kB
Slab: 33160 kB
SReclaimable: 624 kB
SUnreclaim: 32536 kB
KernelStack: 1168 kB
PageTables: 396 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 61696 kB
Committed_AS: 8188 kB
VmallocTotal: 1032116 kB
VmallocUsed: 10560 kB
VmallocChunk: 1006836 kB
The ip a command is available, but uname and whoami are missing. The following is a snippet from the boot log:
Base: 4.14_04
CFE version 8.353.1 for BCM963268 (32bit,SP,BE)
Build Date: Sat Jul 23 18:46:20 CST 2016 ([email protected])
Copyright (C) 2005-2011 SAGEM Corporation.
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000
NAND flash device: , id 0xeff1 block 128KB size 131072KB
External switch id = 53125
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host/tftp (f/h/c) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Boot image (0=latest, 1=previous) : 0
Default host ramdisk file name :
Default ramdisk store address :
Board Id (0-38) : F@ST3864V2
I'm going to explore more on this, perhaps dump the entire firmware and share it with you guys.
Update: I think there is a great chance of running Openwrt on this router, although it is very likely that running the xDSL and Wifi will be problematic: https://github.com/openwrt/openwrt/commit/ff2c96333f418c0c06ebf0bd947b449f579dda7c https://openwrt.org/toh/sercomm/h500-s https://github.com/micjo/bbox3 https://gist.github.com/Noltari/fa7561abbcca6acfbc279935a6bbf80c
Update: I successfully ran OpenWRT on this modem! Looking at the device database, the CPU is very similar to the one in Sky SR102, hence I built my own OpenWRT image (latest branch) based on the SR102 configuration file (without modifications). The attachment is the ELF binary that ran from RAM (without having to flash the NAND). To run the image, you need a second network interface (a cheap USB 100M adapter will work) to serve this image over LAN.
openwrt-bcm63xx-generic-sky_sr102-initramfs.elf.zip
Config: static IP address 192.168.1.100, netmask 255.255.255.0, gateway 192.168.1.1
You will also need to run a tftp server on your PC (e.g. tftpd-hpa on Ubuntu)
Once you set up the hardware, attach to the hardware serial console (115200 baud, no parity) and press the SPACE key repeatedly until you see the CFE prompt. Next, execute force to override the board ID check, then type and execute r openwrt-bcm63xx-generic-sky_sr102-initramfs.elf and you should be able to get an OpenWRT interactive shell.
WARNING: DO NOT FLASH IT TO NAND OR USE IN PRODUCTION, the author will not be responsible for any loss.
Boot log:
HELO
CPUI
L1CI
HELO
CPUI
L1CI
4.1404-1.0.38-117.113
DRAM
----
PHYS
STRF
400H
PHYE
DDR3
SIZ4
SIZ3
SIZ2
DINT
USYN
LSYN
MFAS
LMBE
RACE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
FPS0
BT00
0001
STOP
NAN9
NAN3
RFS1
NAN5
Base: 4.14_04
CFE version 8.353.1 for BCM963268 (32bit,SP,BE)
Build Date: Sat Jul 23 18:46:20 CST 2016 ([email protected])
Copyright (C) 2005-2011 SAGEM Corporation.
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000
NAND flash device: , id 0xeff1 block 128KB size 131072KB
External switch id = 53125
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host/tftp (f/h/c) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Boot image (0=latest, 1=previous) : 0
Default host ramdisk file name :
Default ramdisk store address :
Board Id (0-38) : F@ST3864V2
Number of MAC Addresses (1-32) : 11
Base MAC Address : d8:d7:75:13:03:72
PSI Size (1-64) KBytes : 40
Enable Backup PSI [0|1] : 0
System Log Size (0-256) KBytes : 0
Auxillary File System Size Percent: 0
Main Thread Number [0|1] : 0
GPON Serial Number : "BRCM12345678"
GPON Password : " "
Voice Board Configuration (0-0) : SI32261
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1
web info: Waiting for connection on socket 0.
CFE> force
*** command status = 0
CFE> r openwrt-bcm63xx-generic-sky_sr102-initramfs.elf
0x80a00000/4416015 Entry at 0x80a00000
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found
Closing DMA Channels
Starting program at 0x80a00000
OpenWrt kernel loader for BCM63XX
Copyright (C) 2011 Gabor Juhos <[email protected]>
Copyright (C) 2014 Jonas Gorski <[email protected]>
Copyright (C) 2020 Alvaro Fernandez Rojas <[email protected]>
Decompressing kernel... done!
blasting from 0x80010000 to 0x00e71217 (0x80010000 - 0x80e81220)
Starting kernel at 80010000...
[ 0.000000] Linux version 5.10.120 (rikka@i7-6700) (mips-openwrt-linux-musl-gcc (OpenWrt GCC 11.3.0 r19916-326e109f24) 11.3.0, GNU ld (GNU Binutils) 2.37) #0 Sun Jun 26 14:58:05 2022
[ 0.000000] Detected Broadcom 0x63268 CPU revision d0
[ 0.000000] CPU frequency is 400 MHz
[ 0.000000] 128MB of RAM installed
[ 0.000000] board_bcm963xx: Boot address 0xb8000000
[ 0.000000] board_bcm963xx: CFE version: unknown
[ 0.000000] printk: bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0002a080 (Broadcom BMIPS4350)
[ 0.000000] board: board name: BSKYB_63168
[ 0.000000] MIPS: machine is SKY SR102
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
[ 0.000000] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32480
[ 0.000000] Kernel command line: rootfstype=squashfs,jffs2 noinitrd console=ttyS0,115200
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.000000] Memory: 113740K/131072K available (5398K kernel code, 630K rwdata, 1180K rodata, 8592K init, 204K bss, 17332K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS: 256
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 9556302233 ns
[ 0.000015] sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 10737418237ns
[ 0.008250] Calibrating delay loop... 398.13 BogoMIPS (lpj=1990656)
[ 0.074653] pid_max: default: 32768 minimum: 301
[ 0.079710] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.087223] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.099339] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[ 0.112836] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.122975] futex hash table entries: 256 (order: -1, 3072 bytes, linear)
[ 0.130067] pinctrl core: initialized pinctrl subsystem
[ 0.137665] NET: Registered protocol family 16
[ 0.147352] unsupported NAND flash detected
[ 0.389236] registering PCI controller with io_map_base unset
[ 0.471527] PCI host bridge to bus 0000:00
[ 0.475703] pci_bus 0000:00: root bus resource [mem 0x11000000-0x11efffff]
[ 0.482854] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[ 0.489785] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[ 0.496786] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 0.504987] pci 0000:00:00.0: [14e4:6326] type 01 class 0x060400
[ 0.511221] pci 0000:00:00.0: PME# supported from D0 D3hot
[ 0.518283] pci 0000:00:00.0: bridge configuration invalid ([bus 00-00]), reconfiguring
[ 0.527823] pci_bus 0000:01: busn_res: [bus 01-ff] end is updated to 01
[ 0.534585] pci_bus 0000:00: busn_res: [bus 00-ff] end is updated to 01
[ 0.541432] pci 0000:00:00.0: PCI bridge to [bus 01]
[ 0.546578] clocksource: Switched to clocksource MIPS
[ 0.554014] NET: Registered protocol family 2
[ 0.559047] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.567734] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes, linear)
[ 0.576378] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.584315] TCP bind hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.591585] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.598551] UDP hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.605276] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.612961] NET: Registered protocol family 1
[ 0.617530] PCI: CLS 0 bytes, default 16
[ 0.901442] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[ 0.915844] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.921855] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.938015] bcm63268-pinctrl 100000c0.pin-controller: registered at mmio (ptrval)
�[ 0.956862] printk: console [ttyS0] enabledx10000180 (irq = 13, base_baud = 1562500) is a bcm63xx_uart
[ 0.956862] printk: console [ttyS0] enabled
[ 0.965398] printk: bootconsole [early0] disabled
[ 0.965398] printk: bootconsole [early0] disabled
[ 1.000454] bcm63xx-spi 10000800.spi: at [mem 0x10000800-0x10000f0b flags 0x200] (irq 88, FIFOs size 542)
[ 1.015346] spi-nor spi1.0: unrecognized JEDEC id bytes: ff ff ff ff ff ff
[ 1.022474] spi-nor: probe of spi1.0 failed with error -2
[ 1.091113] b53_common: found switch: BCM63xx, rev 0
[ 1.096709] bcm63xx-wdt bcm63xx-wdt: started, timer margin: 30 sec
[ 1.106579] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.113771] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.120964] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.128117] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.135269] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.144027] NET: Registered protocol family 10
[ 1.174048] Segment Routing with IPv6
[ 1.178003] NET: Registered protocol family 17
[ 1.182623] 8021q: 802.1Q VLAN Support v1.8
[ 1.279127] Freeing unused kernel memory: 8592K
[ 1.283735] This architecture does not have kernel memory protection.
[ 1.290425] Run /init as init process
[ 1.912318] init: Console is alive
[ 1.916475] init: - watchdog -
[ 1.956051] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 1.996888] usbcore: registered new interface driver usbfs
[ 2.002595] usbcore: registered new interface driver hub
[ 2.008201] usbcore: registered new device driver usb
[ 2.031229] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 2.040669] ehci-fsl: Freescale EHCI Host controller driver
[ 2.051512] ehci-platform: EHCI generic platform driver
[ 2.176635] ehci-platform ehci-platform: EHCI Host Controller
[ 2.182559] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[ 2.191059] ehci-platform ehci-platform: irq 18, io mem 0xb0002500
[ 2.226623] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00, overcurrent ignored
[ 2.236353] hub 1-0:1.0: USB hub found
[ 2.241979] hub 1-0:1.0: 2 ports detected
[ 2.261811] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 2.271223] ohci-platform: OHCI generic platform driver
[ 2.276801] ohci-platform ohci-platform: Generic Platform OHCI controller
[ 2.283793] ohci-platform ohci-platform: new USB bus registered, assigned bus number 2
[ 2.292146] ohci-platform ohci-platform: irq 17, io mem 0xb0002600
[ 2.372042] hub 2-0:1.0: USB hub found
[ 2.377698] hub 2-0:1.0: 2 ports detected
[ 2.384753] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 2.402893] init: - preinit -
[ 2.861101] random: jshn: uninitialized urandom read (4 bytes read)
[ 2.948639] random: jshn: uninitialized urandom read (4 bytes read)
[ 3.207859] random: jshn: uninitialized urandom read (4 bytes read)
[ 3.706271] IPv6: ADDRCONF(NETDEV_CHANGE): eth0.1: link becomes ready
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[ 4.767025] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 6.106503] procd: - early -
[ 6.110009] procd: - watchdog -
[ 6.692572] procd: - watchdog -
[ 6.698256] procd: - ubus -
[ 6.718728] urandom_read_iter: 3 callbacks suppressed
[ 6.718742] random: ubusd: uninitialized urandom read (4 bytes read)
[ 6.752701] random: ubusd: uninitialized urandom read (4 bytes read)
[ 6.760082] random: ubusd: uninitialized urandom read (4 bytes read)
[ 6.771552] procd: - init -
Please press Enter to activate this console.
[ 7.858556] urandom_read_iter: 18 callbacks suppressed
[ 7.858570] random: jshn: uninitialized urandom read (4 bytes read)
[ 7.935032] random: ubusd: uninitialized urandom read (4 bytes read)
[ 7.957141] random: ubus: uninitialized urandom read (4 bytes read)
[ 8.088936] kmodloader: loading kernel modules from /etc/modules.d/*
[ 8.437800] PPP generic driver version 2.4.2
[ 8.460227] NET: Registered protocol family 24
[ 8.502166] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 8.753221] urngd: v1.0.2 started.
[ 9.105390] random: crng init done
[ 9.108905] random: 1 urandom warning(s) missed due to ratelimiting
BusyBox v1.35.0 (2022-06-26 14:58:05 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt SNAPSHOT, r19916-326e109f24
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/# uname -a
Linux OpenWrt 5.10.120 #0 Sun Jun 26 14:58:05 2022 mips GNU/Linux
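The image loaded with r in the CFE session above runs straight from RAM, so a pre-flight check on the host catches a truncated or wrong-target file before it reaches the bootloader. This is an added example, not code from the thread or from OpenWrt: it checks an ELF against the values CFE prints on this page, and the function names and the assumption that RAM is addressed through the MIPS KSEG0 window at 0x80000000 are the example's own.

```python
import struct
import sys

# Values read from the CFE output quoted on this page.
EXPECTED_ENTRY = 0x80A00000   # "Entry at 0x80a00000"
RAM_BYTES = 134217728         # "Total Memory: 134217728 bytes (128MB)"
KSEG0 = 0x80000000            # assumption: MIPS32 unmapped, cached view of RAM
EM_MIPS = 8                   # e_machine value for MIPS
PT_LOAD = 1                   # loadable program segment


def check_elf(blob, expected_entry=EXPECTED_ENTRY):
    """Return a list of problems; an empty list means the image fits the board."""
    if len(blob) < 52 or blob[:4] != b"\x7fELF":
        return ["not an ELF file"]
    # EI_CLASS must be ELFCLASS32 (1) and EI_DATA big-endian (2).
    if blob[4] != 1 or blob[5] != 2:
        return ["not a 32-bit big-endian ELF (CFE reports 32bit, BE)"]
    (_type, machine, _version, entry, phoff, _shoff, _flags, _ehsize,
     phentsize, phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(
        ">HHIIIIIHHHHHH", blob, 16)
    problems = []
    if machine != EM_MIPS:
        problems.append("e_machine is %d, expected EM_MIPS (8)" % machine)
    if entry != expected_entry:
        problems.append("entry 0x%08x differs from expected 0x%08x"
                        % (entry, expected_entry))
    if phnum and phentsize < 32:
        return problems + ["program header entries are too small"]
    entry_mapped = False
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 32 > len(blob):
            problems.append("program header %d lies outside the file" % i)
            break
        (p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz,
         _pflags, _align) = struct.unpack_from(">8I", blob, off)
        if p_type != PT_LOAD:
            continue
        # A short download shows up as segment data running past end of file.
        if p_offset + p_filesz > len(blob):
            problems.append("segment %d is truncated in the file" % i)
        if p_vaddr < KSEG0 or p_vaddr + p_memsz > KSEG0 + RAM_BYTES:
            problems.append("segment %d falls outside RAM" % i)
        if p_vaddr <= entry < p_vaddr + p_memsz:
            entry_mapped = True
    if not entry_mapped:
        problems.append("entry point is not inside any PT_LOAD segment")
    return problems


def build_sample(entry=EXPECTED_ENTRY, vaddr=EXPECTED_ENTRY, memsz=0x1000):
    """Constructed minimal ELF32/MIPS/BE image, used only to exercise check_elf."""
    data = bytes(16)
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    ehdr = struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, entry, 52, 0, 0,
                       52, 32, 1, 0, 0, 0)
    phdr = struct.pack(">8I", PT_LOAD, 84, vaddr, vaddr, len(data), memsz,
                       5, 0x1000)
    return ident + ehdr + phdr + data


if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for line in check_elf(blob) or ["image matches the board"]:
        print(line)
```

Run it with the path of the initramfs ELF as the only argument; with no argument it checks the constructed sample.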
Well done! was anything functional when it was running OpenWrt? like VDSL?
The build identified 2 internet adapters. The WAN port works flawlessly and has internet access if connected to my home router. The USB ports work as well.
Most of the other things don't work at all, including LAN ports (I didn't configure the switch correctly), NAND flash (cannot be identified by OpenWRT), the Wifi, and the VDSL.
Fixing the LAN ports and the NAND flash takes priority. Maybe I should set up another repo and share the OpenWRT config?
I went back to the stock firmware and got the ROM footprint:
# cat /proc/mtd
dev: size erasesize name
mtd0: 03d60000 00020000 "rootfs"
mtd1: 03d60000 00020000 "rootfs_update"
mtd2: 00400000 00020000 "data"
mtd3: 00020000 00020000 "nvram"
mtd4: 03d60000 00020000 "image"
mtd5: 03d60000 00020000 "image_update"
# df
Filesystem 1024-blocks Used Available Use% Mounted on
mtd:rootfs 62848 22208 40640 35% /
mtd:data 4096 568 3528 14% /data
It seems that mtd4 and mtd5 are replicates of mtd0 and mtd1, respectively. The sizes of mtd0 to mtd3 add up to the correct NAND Flash capacity. Interestingly, I found that mtd1 is empty, which means we might be able to place the openwrt image there, without having to wipe the entire flash.
Base: 4.14_04
CFE version 8.353.1 for BCM963268 (32bit,SP,BE)
Build Date: Sat Jul 23 18:46:20 CST 2016 ([email protected])
Copyright (C) 2005-2011 SAGEM Corporation.
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000
NAND flash device: , id 0xeff1 block 128KB size 131072KB
External switch id = 53125
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host/tftp (f/h/c) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Boot image (0=latest, 1=previous) : 0
Default host ramdisk file name :
Default ramdisk store address :
Board Id (0-38) : F@ST3864V2
Number of MAC Addresses (1-32) : 11
Base MAC Address : d8:d7:75:13:03:72
PSI Size (1-64) KBytes : 40
Enable Backup PSI [0|1] : 0
System Log Size (0-256) KBytes : 0
Auxillary File System Size Percent: 0
Main Thread Number [0|1] : 0
GPON Serial Number : "BRCM12345678"
GPON Password : " "
Voice Board Configuration (0-0) : SI32261
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1
web info: Waiting for connection on socket 0.
CFE> r openwrt-21.02.3-bcm63xx-smp-sagem_fast-3864op-initramfs.elf
0x80a00000/4769770 Entry at 0x80a00000
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found
Closing DMA Channels
Starting program at 0x80a00000
OpenWrt kernel loader for BCM63XX
Copyright (C) 2011 Gabor Juhos <[email protected]>
Copyright (C) 2014 Jonas Gorski <[email protected]>
Copyright (C) 2020 Alvaro Fernandez Rojas <[email protected]>
Decompressing kernel... done!
blasting from 0x80010000 to 0x00f6ced9 (0x80010000 - 0x80f7cee0)
Starting kernel at 80010000...
[ 0.000000] Linux version 5.4.188 (builder@buildhost) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 r16554-1d4dea6d4f)) #0 SMP Sat Apr 16 12:59:34 2022
[ 0.000000] Detected Broadcom 0x63268 CPU revision d0
[ 0.000000] CPU frequency is 400 MHz
[ 0.000000] 128MB of RAM installed
[ 0.000000] board_bcm963xx: Boot address 0xb8000000
[ 0.000000] board_bcm963xx: CFE version: unknown
[ 0.000000] printk: bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 0002a080 (Broadcom BMIPS4350)
[ 0.000000] board: board name: F@ST 3864OP
[ 0.000000] MIPS: machine is Sagemcom F@st 3864OP
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
[ 0.000000] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] percpu: Embedded 14 pages/cpu s27216 r8192 d21936 u57344
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32480
[ 0.000000] Kernel command line: rootfstype=squashfs,ubifs noinitrd console=ttyS0,115200
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[ 0.000000] Memory: 112636K/131072K available (6265K kernel code, 230K rwdata, 780K rodata, 9548K init, 209K bss, 18436K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=1
[ 0.000000] rcu: Hierarchical RCU implementation.
[ 0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 25 jiffies.
[ 0.000000] NR_IRQS: 256
[ 0.000000] random: get_random_bytes called from 0x8072da30 with crng_init=0
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 9556302233 ns
[ 0.000014] sched_clock: 32 bits at 200MHz, resolution 5ns, wraps every 10737418237ns
[ 0.008148] Calibrating delay loop... 397.82 BogoMIPS (lpj=795648)
[ 0.046460] pid_max: default: 32768 minimum: 301
[ 0.051547] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.059082] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.071937] rcu: Hierarchical SRCU implementation.
[ 0.078093] smp: Bringing up secondary CPUs ...
[ 0.084281] SMP: Booting CPU1...
[ 13.322683] Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
[ 13.322700] Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
[ 13.322978] CPU1 revision is: 0002a080 (Broadcom BMIPS4350)
[ 0.119790] Synchronize counters for CPU 1:
[ 0.119807] SMP: CPU1 is running
[ 0.119831] done.
[ 0.150352] smp: Brought up 1 node, 2 CPUs
[ 0.164933] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[ 0.174996] futex hash table entries: 512 (order: 3, 32768 bytes, linear)
[ 0.182222] pinctrl core: initialized pinctrl subsystem
[ 0.189364] NET: Registered protocol family 16
[ 0.251236] clocksource: Switched to clocksource MIPS
[ 0.258821] thermal_sys: Registered thermal governor 'step_wise'
[ 0.260267] NET: Registered protocol family 2
[ 0.271460] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[ 0.280575] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 6144 bytes, linear)
[ 0.289350] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[ 0.297379] TCP bind hash table entries: 1024 (order: 1, 8192 bytes, linear)
[ 0.304714] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.311718] UDP hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.318542] UDP-Lite hash table entries: 256 (order: 1, 8192 bytes, linear)
[ 0.326182] NET: Registered protocol family 1
[ 0.330720] PCI: CLS 0 bytes, default 16
[ 0.463223] random: fast init done
[ 0.705557] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[ 0.733109] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.739197] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.753200] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 252)
[ 0.766674] bcm63268-pinctrl 100000c0.pin-controller: registered at mmio (ptrval)
[ 0.775500] 10000180.serial: ttyS0 at MMIO 0x10000180 (irq = 13, base_baud = 1562500) is a bcm63xx_uart
[ 0.785226] printk: console [ttyS0] enabled
[ 0.785226] printk: console [ttyS0] enabled
[ 0.793802] printk: bootconsole [early0] disabled
[ 0.793802] printk: bootconsole [early0] disabled
[ 0.812925] nand: device found, Manufacturer ID: 0xef, Chip ID: 0xf1
[ 0.819520] nand: Winbond W29N01HV
[ 0.822961] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[ 0.830850] bcm6368_nand 10000200.nand: detected 128MiB total, 128KiB blocks, 2KiB pages, 16B OOB, 8-bit, Hamming ECC
[ 0.844707] Bad block table not found for chip 0
[ 0.852119] Bad block table not found for chip 0
[ 0.856875] Scanning device for bad blocks
[ 1.283837] Bad block table written to 0x000007fe0000, version 0x01
[ 1.291667] Bad block table written to 0x000007fc0000, version 0x01
[ 1.330662] 4 fixed-partitions partitions found on MTD device brcmnand.0
[ 1.337577] Creating 4 MTD partitions on "brcmnand.0":
[ 1.342844] 0x000000000000-0x000000020000 : "cferom"
[ 1.350605] 0x000000020000-0x000003d80000 : "rootfs_stock"
[ 1.359364] 0x000003d80000-0x000007ae0000 : "rootfs_update"
[ 1.368197] 0x000007b00000-0x000007f00000 : "data_stock"
[ 1.379346] bcm63xx-spi 10000800.spi: at [mem 0x10000800-0x10000f0b flags 0x200] (irq 88, FIFOs size 542)
[ 1.436621] b53_common: found switch: BCM63xx, rev 0
[ 1.442513] bcm63xx-wdt bcm63xx-wdt: started, timer margin: 30 sec
[ 1.449886] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.457091] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.464249] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.471408] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.478572] leds-gpio leds-gpio.0: Skipping unavailable LED gpio 0 ((null))
[ 1.489203] NET: Registered protocol family 10
[ 1.496645] Segment Routing with IPv6
[ 1.500611] NET: Registered protocol family 17
[ 1.505250] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[ 1.518589] 8021q: 802.1Q VLAN Support v1.8
[ 1.649061] Freeing unused kernel memory: 9548K
[ 1.653715] This architecture does not have kernel memory protection.
[ 1.660325] Run /init as init process
[ 2.489922] init: Console is alive
[ 2.493836] init: - watchdog -
[ 2.530068] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 2.564831] usbcore: registered new interface driver usbfs
[ 2.570709] usbcore: registered new interface driver hub
[ 2.576385] usbcore: registered new device driver usb
[ 2.604418] JFS: nTxBlock = 954, nTxLock = 7636
[ 2.623125] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 2.631910] ehci-fsl: Freescale EHCI Host controller driver
[ 2.640261] ehci-platform: EHCI generic platform driver
[ 2.751254] ehci-platform ehci-platform: EHCI Host Controller
[ 2.757210] ehci-platform ehci-platform: new USB bus registered, assigned bus number 1
[ 2.765714] ehci-platform ehci-platform: irq 18, io mem 0xb0002500
[ 2.791222] ehci-platform ehci-platform: USB 2.0 started, EHCI 1.00, overcurrent ignored
[ 2.800931] hub 1-0:1.0: USB hub found
[ 2.804897] hub 1-0:1.0: 2 ports detected
[ 2.819117] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 2.827553] ohci-platform: OHCI generic platform driver
[ 2.833219] ohci-platform ohci-platform: Generic Platform OHCI controller
[ 2.840237] ohci-platform ohci-platform: new USB bus registered, assigned bus number 2
[ 2.848540] ohci-platform ohci-platform: irq 17, io mem 0xb0002600
[ 2.920662] hub 2-0:1.0: USB hub found
[ 2.924634] hub 2-0:1.0: 2 ports detected
[ 2.930847] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 2.944067] init: - preinit -
[ 3.322756] random: jshn: uninitialized urandom read (4 bytes read)
[ 3.395685] random: jshn: uninitialized urandom read (4 bytes read)
[ 3.610077] random: jshn: uninitialized urandom read (4 bytes read)
[ 3.982872] IPv6: ADDRCONF(NETDEV_CHANGE): eth0.1: link becomes ready
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[ 4.971352] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 8.329798] procd: - early -
[ 8.332914] procd: - watchdog -
[ 8.897971] procd: - watchdog -
[ 8.901750] procd: - ubus -
[ 8.920271] urandom_read: 3 callbacks suppressed
[ 8.920285] random: ubusd: uninitialized urandom read (4 bytes read)
[ 8.956065] random: ubusd: uninitialized urandom read (4 bytes read)
[ 8.963333] random: ubusd: uninitialized urandom read (4 bytes read)
[ 8.973856] procd: - init -
Please press Enter to activate this console.
[ 9.873117] kmodloader: loading kernel modules from /etc/modules.d/*
[ 9.944020] xt_time: kernel timezone is -0000
[ 9.989481] PPP generic driver version 2.4.2
[ 9.996883] NET: Registered protocol family 24
[ 10.026048] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 10.111027] urngd: v1.0.2 started.
[ 10.372419] crng init done
[ 10.375141] random: 1 urandom warning(s) missed due to ratelimiting
[ 35.431953] br-lan: port 1(eth0.1) entered blocking state
[ 35.437624] br-lan: port 1(eth0.1) entered disabled state
[ 35.444025] device eth0.1 entered promiscuous mode
[ 35.449035] device eth0 entered promiscuous mode
[ 35.479679] br-lan: port 1(eth0.1) entered blocking state
[ 35.485272] br-lan: port 1(eth0.1) entered forwarding state
[ 36.428743] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
BusyBox v1.33.2 (2022-04-16 12:59:34 UTC) built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt 21.02.3, r16554-1d4dea6d4f
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/#
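The partition map the 21.02.3 kernel prints above can be reconciled with the stock /proc/mtd table to see exactly which NAND range rootfs_update occupies and which ranges no partition claims, including where the bad block table sits. This is an added example, not part of the thread or of OpenWrt: its input is lines copied from this page, and the function names and the rule that a `_stock` suffix maps to the stock partition name are assumptions of the example.

```python
import re

# Constructed input: lines copied from the console output quoted on this page.
STOCK_PROC_MTD = '''\
dev: size erasesize name
mtd0: 03d60000 00020000 "rootfs"
mtd1: 03d60000 00020000 "rootfs_update"
mtd2: 00400000 00020000 "data"
mtd3: 00020000 00020000 "nvram"
mtd4: 03d60000 00020000 "image"
mtd5: 03d60000 00020000 "image_update"
'''
OPENWRT_DMESG = '''\
[ 1.283837] Bad block table written to 0x000007fe0000, version 0x01
[ 1.291667] Bad block table written to 0x000007fc0000, version 0x01
[ 1.342844] 0x000000000000-0x000000020000 : "cferom"
[ 1.350605] 0x000000020000-0x000003d80000 : "rootfs_stock"
[ 1.359364] 0x000003d80000-0x000007ae0000 : "rootfs_update"
[ 1.368197] 0x000007b00000-0x000007f00000 : "data_stock"
'''
NAND_BYTES = 131072 * 1024  # CFE: "block 128KB size 131072KB"


def parse_proc_mtd(text):
    """Map stock partition name -> (size, erasesize) in bytes."""
    rows = re.findall(r'^mtd\d+:\s+([0-9a-f]+)\s+([0-9a-f]+)\s+"([^"]*)"',
                      text, re.M | re.I)
    return {name: (int(size, 16), int(erase, 16)) for size, erase, name in rows}


def parse_kernel_map(text):
    """Return (sorted [(start, end, name)], sorted bad-block-table offsets)."""
    parts = sorted((int(a, 16), int(b, 16), name) for a, b, name in
                   re.findall(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]*)"', text, re.I))
    bbt = sorted(int(x, 16) for x in
                 re.findall(r'Bad block table written to 0x([0-9a-f]+)', text, re.I))
    return parts, bbt


def _row(name, start, end, bbt, erase, stock_entry, overlaps=False):
    return {
        "name": name, "start": start, "end": end,
        "blocks": (end - start) // erase,
        "aligned": start % erase == 0 and end % erase == 0,
        "overlaps": overlaps,
        "bbt": [o for o in bbt if start <= o < end],
        # None: no stock partition of that name; else whether the sizes agree.
        "matches_stock": None if stock_entry is None
        else stock_entry[0] == end - start,
    }


def layout(parts, bbt, stock, total=NAND_BYTES):
    """Walk the NAND address space and describe every range, holes included."""
    erase = max(e for _, e in stock.values())
    rows, cursor = [], 0
    for start, end, name in parts + [(total, total, None)]:
        if start > cursor:  # range that no partition claims
            rows.append(_row("(unmapped)", cursor, start, bbt, erase, None))
        if name is not None:
            # Assumption: "rootfs_stock" corresponds to stock "rootfs", etc.
            stock_name = name[:-6] if name.endswith("_stock") else name
            rows.append(_row(name, start, end, bbt, erase,
                             stock.get(stock_name), overlaps=start < cursor))
        cursor = max(cursor, end)
    return rows


def check_target(rows, name):
    """Return (start, end, erase_blocks) for `name`; raise if writing is unsafe."""
    row = next((r for r in rows if r["name"] == name), None)
    if row is None:
        raise ValueError("no partition named %r" % name)
    if not row["aligned"] or row["overlaps"]:
        raise ValueError("%s is misaligned or overlaps a neighbour" % name)
    if row["bbt"]:
        raise ValueError("%s contains a bad block table" % name)
    if row["matches_stock"] is False:
        raise ValueError("%s differs in size from the stock partition" % name)
    return row["start"], row["end"], row["blocks"]


if __name__ == "__main__":
    parts, bbt = parse_kernel_map(OPENWRT_DMESG)
    for r in layout(parts, bbt, parse_proc_mtd(STOCK_PROC_MTD)):
        print("0x%08x-0x%08x %-14s blocks=%-4d bbt=%s stock_size_ok=%s" % (
            r["start"], r["end"], r["name"], r["blocks"],
            [hex(o) for o in r["bbt"]], r["matches_stock"]))
```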