dslreports logo
 
    All Forums Hot Topics Gallery
spc

spacer

Search Topic:
uniqs
3817
share rss forum feed

Roop

join:2003-11-15
Ottawa, ON

exploring the alcatel lucent cellpipe 7130

Click for full size
Click for full size
i decided to crack open a cellpipe today. it was littlerally cracking, these things were not meant to be opened. i was gentle with the PCB and it still works.

You can clearly read all the chips, the main CPU is an IKANOS FUSIV Vx150–IKF6833-1 (ikanos ikf68331-a1-pb1-c) or vx150 for short. Some specs:
»www.ikanos.com/wp-content/upload ··· _V61.pdf

The cellpipe does has a console port on the back but it's 5 pin mini-din which no one uses. On the board there's a 9 pin what looks like an eTTL pinout (3.3v instead of the RS232 -9/9v)

It looks like this:

I'm mapping the pins this way based on the above diagram:

1 2
3 4
5 6
7 8
9

A quick voltmeter check:
1, 2, 4, 7 = 5v
other pins = 0 or variable 0-0.1v

Maybe I can get some TTL serial out of this? Thoughts, suggestions?


squircle

join:2009-06-23
Oakville, ON
Last I tried, I couldn't get anything from the mini-DIN but I haven't tried the onboard header. Good luck!

Roop

join:2003-11-15
Ottawa, ON

3 edits
reply to Roop
boot code


Roop

join:2003-11-15
Ottawa, ON
reply to Roop
Click for full size
the contraption in the picture allowed me to dump the serial console boot sequence. here's how i did it. i'm hoping this allows others to make similar (hopefully better less complicated setups). maybe from their we can do more interesting things like enable telnet and dump firmwares or what have you.

so the serial port on the back of my cellpipe works fine, at least for reading. i haven't tried writing yet.

the picture is the cellpipe PCB on the right. connected are the black wire (ground) and red wire to the serial transmit. there's no need to dissamble it btw.

in the middle is an arduino 2009/duemillenova USB which i'm using as my 3.3v TTL to seral to USB converter. The red wire from the cellpipe connects to yellow, then white to the arduino. SPECIAL NOTE: leaving the arduino connected at boot time prevents any output. right after turn on the cell pipe, you plug the white wire in and get output. the black wire from the cell pipe which turns into white is the ground. i plug this into arduino's ground to ensure the same reference.

on the far left is my crappy oscilloscope. i was able to measure a single bit width with it of approximately 10.6 microseconds which allowed me to approximate that to 57600 baud, (8N1 was guessed). here's the basic arduino code i used. note the lack of writing if anyone can fix that.

last note in this: the arduino is 5v TTL, the cellpipe is 3.3v TTL. this makes me a bit hesitant to simply wire the arduino's TX to the cellpipe's RX just yet.



creed3020
Premium
join:2006-04-26
Kitchener, ON
kudos:2
reply to Roop
The slot of the back of the PCB reminds me of a SO-DIMM slot.

Great work so far, I'm sure Teddy Boom and mlord will find this interesting.


TSI Gabe
Router of Packets
Premium,VIP
join:2007-01-03
Gatineau, QC
kudos:7
that's weird looking oscilloscope, what is that? I thought it was a cell phone at first.


HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:22
Reviews:
·TekSavvy DSL
reply to creed3020
said by creed3020:

The slot of the back of the PCB reminds me of a SO-DIMM slot.

That's Mini-PCI, used for the wireless portion of the Cellpipe... Looks by the RA logo, the wireless chipset is RALink. It's crap.
--
F**K THE NHL. Go Blue Jays 2013!!!


TSI Gabe
Router of Packets
Premium,VIP
join:2007-01-03
Gatineau, QC
kudos:7
the IC to the right is where I'd focus my attention. M29W128GL

128MB NOR Flash. That's likely where the firmware is sitting.


creed3020
Premium
join:2006-04-26
Kitchener, ON
kudos:2
Reviews:
·TekSavvy Cable
reply to HiVolt
I've never seen a Mini-PCI slot I guess then, perhaps without anything in the photo for scale it's hard to see actually how wide it is.

The spring clips on the side are also the same for SODIMM though, but they do look like they are soldered to the board. Hard to make this out without an oblique shot. I see the RA Link chip within that area. I looked at this photo and realized I have Mini-PCI confused with Mini-PCIE »en.wikipedia.org/wiki/File:MiniP ··· ards.jpg


TSI Gabe
Router of Packets
Premium,VIP
join:2007-01-03
Gatineau, QC
kudos:7
reply to HiVolt
looks like Mini-PCI to me as well.

Roop

join:2003-11-15
Ottawa, ON
reply to Roop
It is a mini-pci card. For scale you can consider that coaxial cable connector in the pictures at about 1cm. It's a Ralink chipset, however the good wireless in the sagemcom is also brought to you by ralink. the sagemcom has 3 anteans for proper 802.11n/mimo where the cellpipe only has two.

the oscilloscope i use is a mini-dso

»www.youtube.com/watch?v=iRcGYPU7 ··· GYPU70To
it's pretty basic, not very fast, but it's cheap, small and battery powered.


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
reply to Roop
Hmm, Linux and busybox. Those are GPL'd applications. This means that Bell is distributing the binaries of GPL'd software. If Bell does not include a copy of the GPL and offer of source with the CellPipe modems, then Bell's distribution of the CellPipe modems represents an act of commercial (criminal) copyright infringement.

I'd be curious to see what Bell's response would be if their legal department was contacted with a demand for the GPL'd source in the modem.

Of note is that it doesn't matter that Bell doesn't make the modems or write the firmware. It doesn't matter if they don't have the source. They are not allowed to distribute GPL'd binaries without either including the source or an offer of the source.
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org

Roop

join:2003-11-15
Ottawa, ON
Yeah, if there's some legal type person who wouldn't mind chasing after bell with this, it could be awesome... or put it on DSLR's front page to get their attention . I devised a crude method to send information at 3.3v rather than 5.0v (use a big diode, 2kv diodes have voltage drops of 2+ volts), I'll implement and test tonight and hit up that 'supervisor mode' prompt.

Once I'm done here, I'll do the same with my sagemcom, hopefully more carefully as I actual care about that one. There are already pictures of the insides of those but no boot logs.

pjlahaie

join:2009-03-14
Ottawa, ON
reply to Guspaz
said by Guspaz:

Hmm, Linux and busybox. Those are GPL'd applications. This means that Bell is distributing the binaries of GPL'd software. If Bell does not include a copy of the GPL and offer of source with the CellPipe modems, then Bell's distribution of the CellPipe modems represents an act of commercial (criminal) copyright infringement.

Does renting constitute distribution? I thought Bell still owned the modems, so are you even allowed to flash them?


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
said by pjlahaie:

Does renting constitute distribution? I thought Bell still owned the modems, so are you even allowed to flash them?

The consensus by GPL experts is that rental versus purchase is irrelevant, because the GPL doesn't care about the form of the financial transaction. Possession and ownership are different things, and all you have to do to have distributed something is to put it into my possession.

EDIT: Explained from another angle, you can't rent or sell a piece of code (or binary) without the permission from the copyright holder of that code, and the GPL does not authorize rental, only distribution. So Bell owns the modem, but they do not own the GPL'd code they put on the modem. The distribution of the GPL'd code therefore falls under the GPL license, rather than Bell's rental license; Bell can't relicense that code under their rental contract.
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org

morisato

join:2008-03-16
Oshawa, ON
kudos:1
the connection hub also has gpled code right?

TechNut2

join:2010-05-17
canada
reply to Guspaz
said by Guspaz:

said by pjlahaie:

Does renting constitute distribution? I thought Bell still owned the modems, so are you even allowed to flash them?

The consensus by GPL experts is that rental versus purchase is irrelevant, because the GPL doesn't care about the form of the financial transaction. Possession and ownership are different things, and all you have to do to have distributed something is to put it into my possession.

EDIT: Explained from another angle, you can't rent or sell a piece of code (or binary) without the permission from the copyright holder of that code, and the GPL does not authorize rental, only distribution. So Bell owns the modem, but they do not own the GPL'd code they put on the modem. The distribution of the GPL'd code therefore falls under the GPL license, rather than Bell's rental license; Bell can't relicense that code under their rental contract.

Bell would be indemnified by the manufacturer. Aka, Bell does not "produce" the product, they simply resell it. Under commercial terms, Sagemcom would cover them.

it's moot anyway. If you can use google, "sagemcom gpl" would have taken you to this link,

»opensource.sagemcom.com/

Roop

join:2003-11-15
Ottawa, ON

3 edits
reply to Roop
ok so i ditched the ardunio in favor of a maxim3232cpe serial to 3.3v TTL convert. I simply connected the ground, tx and rx pin and voila! 3.3v TTL to interface with the console port. here's the help menu at bootup:


command printenv


JMJimmy

join:2008-07-23
Reviews:
·TekSavvy DSL
reply to TechNut2
said by TechNut2:

Bell would be indemnified by the manufacturer. Aka, Bell does not "produce" the product, they simply resell it. Under commercial terms, Sagemcom would cover them.

it's moot anyway. If you can use google, "sagemcom gpl" would have taken you to this link,

»opensource.sagemcom.com/

I thought it was the Cellpipe....

Roop

join:2003-11-15
Ottawa, ON
yeah it is a cellpipe... would someone be able to get the source from alcatel then?

JMJimmy

join:2008-07-23
Alcatel has a form buried on their website but overall Bell, Telus, and Alcatel are in violation of GPL in multiple ways.


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
reply to TechNut2
said by TechNut2:

Bell would be indemnified by the manufacturer. Aka, Bell does not "produce" the product, they simply resell it. Under commercial terms, Sagemcom would cover them.

it's moot anyway. If you can use google, "sagemcom gpl" would have taken you to this link,

»opensource.sagemcom.com/

You're confusing patent law and copyright law. You can't be indemnified against a crimimal act. Sagemcom does not own the software they're distributing, and neither does Bell. It doesn't matter where Bell got the software, Bell is the one distributing it to you.

Also, googling for "manufacturer name gpl" is irrelevant, since it has no bearing on the GPL. The GPL says the binaries must come with either the source or an offer of the source. Having to google for the source is a violation of the GPL, and as such, copyright infringement.
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org

Roop

join:2003-11-15
Ottawa, ON

1 edit
reply to Roop
downloadraw.01.strings.bz2 609,950 bytes
I originally added this to the other post but i'm breaking this into it's own so things don't get too long.

the boot manager 'bdinfo' command shows the flash memory's mapping. the first several blocks are the read only boot loader (there is an option to change that to read-write). the next section is the read write area where the actual kernel image is. i used the command 'md' to dump this onto the serial (0xBF000000 through to 0xC0000000). unfortunately it's not binary, it's HEX + ASCII. the command xxd can convert this back to binary.


I have this complete hex dump. i have it in three formats, 24mb of what you see on the screen (hex dumped), 3.0GB binary image and 854kb text strings dumps. If you want them, PM me.

raw.01.log = raw hex dump with ascii from the md command - 24mb compressed
raw.01.bin = the file above converted to pure binary (command xxd -r raw.01.log raw.01.bin) 3.0GB
raw.01.strings = the command strings run on raw.01.bin (strings raw.01.bin > raw.01.strings) this file is attached. it's just text, you can search through for things of interest but not much else.

i found the string adi_kernel_2.6, that actual found me some actual fusiv source on google:
http://test.ninux.org/~claudyus/alice_agif/linux-2.6.19.2/arch/mips/adi_fusiv/bootimg/Makefile

ok, i think that's all for me. i'll let some other folks run with some of the intial work i've done. i'll be super optomistic and hope that one day this leads to some awesome firmware on the cellpipe.

as for my production cellpipe, TSI Martin noted he'll replace it with a sagemcom since it will not get the new firmware, it's stuck on R3... i do have another bell supplied sagemcom i use for wireless.. maybe i can dump it's firmware :)

TechNut2

join:2010-05-17
canada
reply to Guspaz
said by Guspaz:

said by TechNut2:

Bell would be indemnified by the manufacturer. Aka, Bell does not "produce" the product, they simply resell it. Under commercial terms, Sagemcom would cover them.

it's moot anyway. If you can use google, "sagemcom gpl" would have taken you to this link,

»opensource.sagemcom.com/

You're confusing patent law and copyright law. You can't be indemnified against a crimimal act. Sagemcom does not own the software they're distributing, and neither does Bell. It doesn't matter where Bell got the software, Bell is the one distributing it to you.

Also, googling for "manufacturer name gpl" is irrelevant, since it has no bearing on the GPL. The GPL says the binaries must come with either the source or an offer of the source. Having to google for the source is a violation of the GPL, and as such, copyright infringement.

I have worked on these kinds of agreements before. It's covered by the manufacturer. Bell is not technically distributing the software. A derivative work, is changing the GPL'd software itself. Changing the logos or web interface developed by ALU, would not be a derivative work for the GPL. As we have seen by reading these forums on the Voltage issue, users on this forum are not legal experts by any means. Take it from someone who deals with corporate agreements of this kind, your theory is not right. The GPL itself is very clear, if you modify the software, the source needs to be available, otherwise, you are "Free to use" as you see fit if you do not modify it.

Under your logic Guspaz, the guy who sells a Android phone at a cell phone hut in the mall is "distributing" GPL software too. That's not the case. If the guy in the hut in the mall, modifies the linux kernel, and sells the phone, he would need to publish the code. If all he is doing is reselling without modification, then, no need. In this case, ALU is responsible for being compliant with the license. I know (after working with them years ago), that they have a strong FOSS program in place. Trust me, all of the telco hardware providers worry about open source. In Canada, its a major concern. China and others, well, that's where attention should be focused. Indemnity agreements DO cover patent and copyright issues. The only way Bell is on the hook, is if they modify the source code themselves. That's not something that Bell typically does, as they like to procure product, not do R&D on it.


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
You're incorrect. Bell is distributing the binaries, stripping those binaries of the appropriate notices is a violation.

Modification is irrelevant. Section 3 of the GPL merely says you may copy and distribute binaries if you do one of the things (accompany with source, or an offer of the source either from you or that you got with it).

If a guy in the phone hut is selling a retail boxed Android phone, that phone will have the GPL offer of source somewhere in it (often in the legal fine print in the manual). If he's selling a bare phone, he's guilty of copyright infringement.
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org

JMJimmy

join:2008-07-23
reply to TechNut2
Also, Bhell would have had to modify it to work with it's stingers wouldn't they?

TechNut2

join:2010-05-17
canada
reply to Guspaz
said by Guspaz:

You're incorrect. Bell is distributing the binaries, stripping those binaries of the appropriate notices is a violation.

Modification is irrelevant. Section 3 of the GPL merely says you may copy and distribute binaries if you do one of the things (accompany with source, or an offer of the source either from you or that you got with it).

If a guy in the phone hut is selling a retail boxed Android phone, that phone will have the GPL offer of source somewhere in it (often in the legal fine print in the manual). If he's selling a bare phone, he's guilty of copyright infringement.

Seriously, did you actually read what you typed? That makes no sense whatsoever Guspaz. You are confusing distribution of software with distribution of product to a end user. End user to ALU and from the license perspective is Bell, unless Bell makes any modification to GPL related code. "selling a bare phone, he's guilty of copyright infringement", you make yourself seem silly. End users are generally exempted from license issues, by indemnity or other legal vehicles, because they USE the product, they do not produce it. Bell USES the product, they do not produce it. An end user selling a phone, is not breaking any law, unless they do not have the rights to sell it. You are twisting some wording to meet your intent, but that does not make you right. The license in and of itself needs to be interpreted in greater commercial terms and common-law terms. Maybe it is different in QC, but in the rest of Canada, your argument is a false theory. No judge in Canada would find a end user who sold a phone guilty of any infringement whatsoever for simply using and buying/selling the device without a manual.

BTW, Roop, it's awesome you have been able to get into the device, that's very cool stuff! Didn't mean to hijack your thread, just when people pipe up with conspiracy crap, that's just plain wrong, it makes everyone on these forums look bad.

TechNut2

join:2010-05-17
canada
reply to JMJimmy
said by JMJimmy:

Also, Bhell would have had to modify it to work with it's stingers wouldn't they?

No, The Stingers are owned by ALU. So, they would be modifying there own code to do it. That code, as long as it is not based on a FOSS license, would not need to be published/released.

Remember, code running on a Linux system that is developed by you, is not considered a derivative work (Linus has this in the kernel modified GPL license file). Even binary blobs or other closed drivers are not considered derivatives, BUT, that has not been testing court to my knowledge.

The only modification Bell will do is modify the HTML interface for their customers (if that). That's not a derivative work, and is not under the GPL. So, no need to release it to anyone.

Hilton

join:2013-01-26

1 edit
reply to Roop
Hi Roop, good work.

Can you share the u-boot dump in hex format?

Thank you.

Hilton

join:2013-01-26
reply to Roop
Please delete this post.