ryanc

join:2011-10-17
kudos:1

Success bypassing the 3800HGV-B with a 3rd party VDSL2 modem

Continuing from where things left off in this thread, »Using a 3rd party VDSL modem

I've got my U-Verse working directly without routing through the 3800HGV-B using one of the Zhone 6610-A1 modems. I think, but have not verified, that any VDSL2 profile 8d modem will work for this.

I've got a Linux box with the 3800HGV-B's broadband ethernet interface connected to one port and the Zhone modem connected to another. I've got the two ports bridged together using a patched bridge module that passes EAPOL traffic.

See these slides for details: »media.defcon.org/dc-19/presentat···-Far.pdf

I imagine the setup would be substantially easier if you have static IPs on U-Verse; I'm dynamic. I've so far manually configured my IP address, but I'm planning to write something that'll sniff the DHCP exchange and use that information to configure everything.

I also found that my 3800HGV-B seems to send some sort of 'kill' packets that cause the DSLAM to shut down the link - these need to be filtered on the linux bridge with ebtables. Filtering outbound packets to the mac address aa:bb:cc:dd:ee:ff fixes the problem.

Both the 2wire gateway and my linux box are able to access the internet directly.

Kill packet:
Frame 3: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Arrival Time: XXXXXXXXXXXXXX
    Epoch Time: XXXXXXXXXXXXXXX
    [Time delta from previous captured frame: XXXXXXXXXXX seconds]
    [Time delta from previous displayed frame: XXXXXXXXX seconds]
    [Time since reference or first frame: XXXXXXXXXXXX seconds]
    Frame Number: 3
    Frame Length: 60 bytes (480 bits)
    Capture Length: 60 bytes (480 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:data]
Ethernet II, Src: 2wire_XX:XX:XX (00:26:50:XX:XX:XX), Dst: aa:bb:cc:dd:ee:ff (aa:bb:cc:dd:ee:ff)
    Destination: aa:bb:cc:dd:ee:ff (aa:bb:cc:dd:ee:ff)
        Address: aa:bb:cc:dd:ee:ff (aa:bb:cc:dd:ee:ff)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: 2wire_XX:XX:XX (00:26:50:XX:XX:XX)
        Address: 2wire_XX:XX:XX (00:26:50:XX:XX:XX)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
    Trailer: 00000000000000000000
Internet Protocol, Src: 192.168.1.16 (192.168.1.16), Dst: 192.168.1.1 (192.168.1.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 36
    Identification: 0x0000 (0)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 0
        [Expert Info (Note/Sequence): "Time To Live" only 0]
            [Message: "Time To Live" only 0]
            [Severity level: Note]
            [Group: Sequence]
    Protocol: UDP (17)
    Header checksum: 0xXXXX [correct]
        [Good: True]
        [Bad: False]
    Source: 192.168.1.16 (192.168.1.16)
    Destination: 192.168.1.1 (192.168.1.1)
User Datagram Protocol, Src Port: x11 (6001), Dst Port: commplex-link (5001)
    Source port: x11 (6001)
    Destination port: commplex-link (5001)
    Length: 16
    Checksum: 0xXXXX [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Data (8 bytes)
 
0000  03 22 00 00 20 00 01 04                           .".. ...
    Data: 0322000020000104
    [Length: 8]
 

The certificate used for 802.1x on my gateway was issued by '2Wire Device Intermediate CA - V6', which in turn was issued by 'Certification Authority - G1/emailAddress=cms-ops@2wire.com'. My certificate has the MAC address and serial number of the 2wire gateway in it, so these are clearly device specific. I've been offered a chance to check out another gateway - maybe they use different certs but the same key?
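As an added illustration (not ryanc's code or any 2Wire tooling), this Python script rebuilds the 60-byte frame from the dissection above and decodes the fields a bridge filter keys on, including the IG/LG address bits Wireshark shows. The post redacts the low three octets of the 2Wire source MAC, so those are constructed here.

```python
import struct

# Values from the dissection in the post; the 2Wire source MAC is redacted
# there (00:26:50:XX:XX:XX), so its low three octets are constructed.
KILL_DST_MAC = bytes.fromhex("aabbccddeeff")
SRC_MAC = bytes.fromhex("002650000000")
KILL_PAYLOAD = bytes.fromhex("0322000020000104")

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header (0 when already correct)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_kill_frame() -> bytes:
    """Reconstruct the 60-byte frame from the dissected fields (constructed sample)."""
    udp = struct.pack("!HHHH", 6001, 5001, 8 + len(KILL_PAYLOAD), 0) + KILL_PAYLOAD
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 0, 17, 0,
                     bytes([192, 168, 1, 16]), bytes([192, 168, 1, 1]))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]   # TTL stays 0, as captured
    frame = KILL_DST_MAC + SRC_MAC + b"\x08\x00" + ip + udp
    return frame + b"\x00" * (60 - len(frame))   # Ethernet minimum-size padding (the trailer)

def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP headers plus the address-type bits Wireshark displays."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return {"ethertype": ethertype}
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    udp = frame[14 + ihl:14 + total_len]
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    return {
        "dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
        "dst_locally_administered": bool(dst[0] & 0x02),   # LG bit, as in the dissection
        "dst_multicast": bool(dst[0] & 0x01),              # IG bit (0 = unicast)
        "ttl": ttl, "proto": proto, "src_ip": ".".join(map(str, sip)),
        "dst_ip": ".".join(map(str, dip)), "sport": sport, "dport": dport,
        "payload": udp[8:ulen],
    }

def is_kill_packet(frame: bytes) -> bool:
    # Match the full signature of the frame the post says drops the DSL link.
    p = parse_frame(frame)
    return (p.get("dst_mac") == KILL_DST_MAC.hex(":") and p.get("proto") == 17
            and p.get("sport") == 6001 and p.get("dport") == 5001
            and p.get("payload") == KILL_PAYLOAD)
```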


maartena
Elmo
Premium
join:2002-05-10
Orange, CA
kudos:3
Looks like quite a hassle to go through, just to get your own modem.

What would be the advantage?
--
"I reject your reality and substitute my own!"

ryanc

join:2011-10-17
kudos:1
See this rant: »www.ka9q.net/Uverse/static-ip.html
and this thread: »AT&T U-verse 2Wire Router - Increase session table limit?

The short version is that these shenanigans are the only way to not be subject to the limits of the 3800HGV-B's stateful firewall, which has a maximum session limit that is too low for some users. Mostly, I did this because I want more control at my end, and I can.

I also suspect that on a static IP configuration, this would allow me to use 2-3 additional IP addresses that would otherwise be wasted (I plan to try this).


joako
Premium
join:2000-09-07
/dev/null
kudos:6
reply to ryanc
What about JTAG'ing the RG and extracting the certificates? It's standard 802.1x, no?
--
PRescott7-2097

ryanc

join:2011-10-17
kudos:1
said by joako:

What about JTAG'ing the RG and extracting the certificates? It's standard 802.1x, no?

It's standard EAP-TLS from what I can tell. I have the certificates, but what I really need is the key. I haven't been able to locate information on how to make a jtag cable and dump the flash. If you know how to do that, I'm all ears.

I am considering attempting to dump the flash chip directly like this:

»www.uchobby.com/index.php/2007/0···h-chips/

It looks like the chip I want to dump is the Samsung K9F5608U0D-PCB0

It also appears that it should be possible to bridge the internal VDSL2 modem to one of the switch ports by reconfiguring the vlans on the internal switch (an Infineon ADM6996M). Going to muck with that when I get my bus pirate replaced.

StLCardsFan

join:2011-06-06
Lafayette, LA
reply to ryanc
This is interesting! I'll be watching your thread with great attention. I'd love the ability to dump ATT mandated dinosaur equipment.


joako
Premium
join:2000-09-07
/dev/null
kudos:6
reply to ryanc
I wonder what J42 near the CPU is: »farm5.static.flickr.com/4114/539···4f_o.jpg
--
PRescott7-2097

ryanc

join:2011-10-17
kudos:1

1 edit
The JTAG is probably on J1. P1 is the serial console for the modem that's embedded in the gateway. J51 (the other four pin header) looks like it's another serial port. J42 does look interesting. It's not populated on mine, but I can solder it. I don't suppose you know where I can get the parts for that and J51?

My prior research pointed to J1 (the edgecard connector thing) as probably being the JTAG.

Edit: Oh, the photo is from the teardown set that mentions getting a serial console which now seems to have vanished from the internet.


joako
Premium
join:2000-09-07
/dev/null
kudos:6

2 edits
I found that picture as one of the first search results for 3800HGV PCB. Honestly lately Google is utter rubbish. When I search for 2Wire 3800HGV I get so many unrelated results.

»www.flickr.com/photos/40925843@N···ostream/

How similar is the 2701? There seems to be plenty of discussion on that one.

Bridge mode, VLAN bridged to WLAN, unlock SIP for 3rd party provider. If that all could be done the 2Wire could be upgraded from crap to one of the better devices.

Lots of info here: »hackingbtbusinesshub.wordpress.com/

--
PRescott7-2097

ryanc

join:2011-10-17
kudos:1
reply to ryanc
Parts for the headers on the board from Digikey:

TSM-104-02-T-SV-ND (4 pin, single row)
TSM-105-02-T-DV-ND (10 pin, dual row)


dahan

join:2000-10-25
Leander, TX
reply to joako
said by joako:

unlock SIP for 3rd party provider.

I'm fine with using AT&T's SIP service; if I want to use a 3rd party provider, I can use my own phones/ATAs/etc... what I'd be interested in is using AT&T's SIP with a 3rd party device. I've occasionally seen the SIP registration server mentioned in the 2wire logs, but a server name on its own isn't very useful without the authentication credentials. Anyone have any insights on that?

ryanc

join:2011-10-17
kudos:1
I would expect doing a MitM on the gateway with an external modem to sniff the SIP server creds to work.

ryanc

join:2011-10-17
kudos:1
reply to ryanc
In the other thread from bclbob, it was mentioned that the modem posts to »cwmp.c01.sbcglobal.net/cwmp/services/CWMP on a regular basis. This is AT&T's TR-069 system. »en.wikipedia.org/wiki/TR-069 It looks like the hostname will point to a regional server via a DNS CNAME.

maglito

join:2011-11-21

1 edit
reply to ryanc

will try this weekend

I have static IPs, the new moto NVG510 and a DLink DSL-520B, and want to try and set this up this weekend (Uverse Internet only, SW Chicago suburbs). I was thinking a mikrotik routerboard might be easier to create the bridge port with (not sure if it can be configured to pass EAPOL), but am willing to build the Linux box and recompile the patched kernel if necessary. I'll post up any questions as I dig in, any tips?

To your knowledge did bob or any of the other Chicago area guys in the original thread also have any success? I'd love to stop out and see a working configuration.

P.S. Perhaps this solution (inspired by the defcon method) is more refined/straightforward?
»www.gremwell.com/marvin-mitm-tap···1x-links


houkouonchi

join:2002-07-22
Ontario, CA
reply to ryanc


Nice work ryanc!

I am curious if latency is at all better with direct access via the modem bypassing the 2wire?
--
150/75 mbit Verizon FiOS connection FTW!

asbokid

join:2011-09-12
n/a

2 edits
We've established the pinout for the card edge connector found on the 2Wire/Pace series, including the 1800, 2700, 3600, 3800 and 3801.




And there is now some open source JTAG software to dump (and soon to program) the NAND flash ICs on the 2Wire boards.

Public appeal here to anyone experienced in flash translation layers, particularly the FTL from the m-Systems TrueFFS flash file system.

cheers, a

»hackingbtbusinesshub.wordpress.com


houkouonchi

join:2002-07-22
Ontario, CA
Wow, nice. Makes me wonder with the way the uverse system works if hacking the modem could actually allow you to get internet speed that is the full speed of the sync rate (IE 32/5).
--
150/75 mbit Verizon FiOS connection FTW!


joako
Premium
join:2000-09-07
/dev/null
kudos:6
No, that is controlled at the network.
--
PRescott7-2097

asbokid

join:2011-09-12
n/a

4 edits
reply to asbokid
There is some JTAG software for the Trimedia-based routers (1800, 2700, 2701, 3600, 3800 and 3801) for accessing the firmware in the NAND flash memory.

We could really do with some help from those experienced in flash translation layers (FTLs).

The 2Wire routers are using an FTL where the logical-to-physical mapping is stored in the 16-byte out-of-band (OOB) spare area of each NAND flash page.

That mapping is used for wear-levelling, garbage collection and error recovery.

Now we need to understand how that mapping is implemented. This is an exciting reverse-engineering project.

This is what the mapping data looks like: Each row contains the 16-bytes of OOB data for one NAND flash page of 512 bytes.

$ xxd -g4 2701HGV-C_6.3.9.41_nand_full_oob_dump_2.img | cut -c10-44 | ./parsehex
[...]
0199200: c0cf 3c55 24ff 69a5 00ff ff96 0600 ff99  ..<U$.i.........
0199400: 003f fcc0 24ff cc30 00ff ff96 0600 ff99  .?..$..0........
0199600: c3cc 0c3f 24ff c0c0 00ff ff96 0600 ff99  ...?$...........
0199800: a699 693f 24ff cf3c 00ff ff96 0600 ff99  ..i?$..<........
0199a00: 0030 0cfc 24ff c33c 00ff ff96 0600 ff99  .0..$..<........
0199c00: a966 99a6 24ff 9955 00ff ff96 0600 ff99  .f..$..U........
0199e00: 3ff0 0000 24ff f000 00ff ff96 0600 ff99  ?...$...........
019a000: 66a9 9956 24ff a559 00ff ff96 0600 ff99  f..V$..Y........
019a200: 33ff ccc0 24ff cfcc 00ff ff96 0600 ff99  3...$...........
019a400: fc00 f0c3 24ff 3c3c 00ff ff96 0600 ff99  ....$.<<........
019a600: fc00 cc33 24ff ccc0 00ff ff96 0600 ff99  ...3$...........
019a800: 5a6a 993f 24ff cf00 00ff ff96 0600 ff99  Zj.?$...........
019aa00: 995a a50c 24ff 0ffc 00ff ff96 0600 ff99  .Z..$...........
019ac00: 5669 953f 24ff 3f3c 00ff ff96 0600 ff99  Vi.?$.?<........
019ae00: 33c0 fc0c 24ff 3ccc 00ff ff96 0600 ff99  3...$.<.........
019b000: 0f3f ccff 24ff 3330 00ff ff96 0600 ff99  .?..$.30........
019b200: a9a5 9566 24ff 5a55 00ff ff96 0600 ff99  ...f$.ZU........
019b400: 9aa5 55f0 24ff fffc 00ff ff96 0600 ff99  ..U.$...........
019b600: a5aa 69f3 24ff f3cc 00ff ff96 0600 ff99  ..i.$...........
019b800: f0cc fc3c 24ff f3cc 00ff ff96 0600 ff99  ...<$...........
019ba00: 9a9a 5959 24ff a965 00ff ff96 0600 ff99  ..YY$..e........
019bc00: 99a6 a930 24ff 3c0c 00ff ff96 0600 ff99  ...0$.<.........
019be00: aa95 a9c0 24ff fc00 00ff ff96 0600 ff99  ....$...........
019c000: a95a 5995 24ff 6695 00ff ff96 0600 ff99  .ZY.$.f.........
019c200: cc0c f033 24ff 3000 00ff ffb9 0400 ffba  ...3$.0.........
019c400: fff3 3055 24ff 66a9 00ff ffb9 0400 ffba  ..0U$.f.........
019c600: f330 303f 24ff 3ccc 00ff ffb9 0400 ffba  .00?$.<.........
019c800: f330 0ca9 24ff a655 00ff ffb9 0400 ffba  .0..$..U........
019ca00: 5aaa 65c3 24ff 30cc 00ff ffb9 0400 ffba  Z.e.$.0.........
019cc00: 5995 95c3 24ff fc00 00ff ffb9 0400 ffba  Y...$...........
019ce00: 3030 f0ff 24ff fff0 00ff ffb9 0400 ffba  00..$...........
019d000: 6599 5965 24ff 5a95 00ff ffb9 0400 ffba  e.Ye$.Z.........
019d200: 956a 6965 24ff 6669 00ff ffb9 0400 ffba  .jie$.fi........
019d400: cc03 ccfc 24ff c330 00ff ffb9 0400 ffba  ....$..0........
[...]
 

It appears that the FTL used by the flash device in the 2Wire routers is either block-based or a hybrid of block- and sector-based mapping.

It was hoped that the mapping algorithm would be based on ANAND/FMAX, the M-Systems flash translation layer algorithms from TrueFFS. Many years ago, 2Wire did use M-Systems DoC flash devices. However, close examination of the OOB data used in today's routers has shown that the FTL algorithm appears to be unique to 2Wire.

There is a growing collection of academic papers on flash mapping algorithms for anyone who wants to get a feel for what this is about.

Any offers to collaborate gratefully received :-)

cheers,
asbokid

»hackingbtbusinesshub.wordpress.com/
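As an added example (not asbokid's parsehex tool or any 2Wire code), this Python script takes a subset of the OOB rows quoted above and profiles each of the 16 spare-area byte offsets by how often it changes from one page to the next. The classification is an assumption for the reverse-engineering discussion, not a documented 2Wire format: bytes that never change are treated as fixed markers, bytes that change on nearly every page as per-page ECC-like data, and bytes that change only at run boundaries as candidate block-level mapping fields.

```python
# Subset of the OOB rows quoted in the post: one 16-byte spare area per 512-byte page.
OOB_ROWS = """\
0199200: c0cf 3c55 24ff 69a5 00ff ff96 0600 ff99
0199400: 003f fcc0 24ff cc30 00ff ff96 0600 ff99
0199600: c3cc 0c3f 24ff c0c0 00ff ff96 0600 ff99
019c000: a95a 5995 24ff 6695 00ff ff96 0600 ff99
019c200: cc0c f033 24ff 3000 00ff ffb9 0400 ffba
019c400: fff3 3055 24ff 66a9 00ff ffb9 0400 ffba
019c600: f330 303f 24ff 3ccc 00ff ffb9 0400 ffba
019d400: cc03 ccfc 24ff c330 00ff ffb9 0400 ffba
"""

def parse_rows(text):
    """Turn 'offset: hex words' lines into (page offset, 16 OOB bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        offset, words = line.split(":", 1)
        rows.append((int(offset, 16), bytes.fromhex(words.replace(" ", ""))))
    return rows

def change_counts(rows):
    """Per OOB byte offset, count the page-to-page transitions where that byte changes."""
    counts = [0] * 16
    for (_, a), (_, b) in zip(rows, rows[1:]):
        for i in range(16):
            if a[i] != b[i]:
                counts[i] += 1
    return counts

def classify_offsets(rows):
    """Heuristic (assumption): constant = fixed marker, fast = per-page data such as ECC,
    slow = changes only at run boundaries, i.e. candidate block-level mapping fields."""
    transitions = len(rows) - 1
    counts = change_counts(rows)
    constant = [i for i in range(16) if counts[i] == 0]
    slow = [i for i in range(16) if 0 < counts[i] <= transitions // 2]
    fast = [i for i in range(16) if counts[i] > transitions // 2]
    return constant, slow, fast

def find_runs(rows, offsets):
    """Group consecutive pages whose bytes at `offsets` agree: (first_off, last_off, key)."""
    runs = []
    for offset, oob in rows:
        key = bytes(oob[i] for i in offsets).hex()
        if runs and runs[-1][2] == key:
            runs[-1][1] = offset          # extend the current run
        else:
            runs.append([offset, offset, key])
    return [tuple(r) for r in runs]
```

On the rows above the slow offsets come out as 11, 12 and 15, and splitting on them reproduces the two groups visible in the dump.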