dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
3471
share rss forum feed

Roop

join:2003-11-15
Ottawa, ON

exploring the alcatel lucent cellpipe 7130

Click for full size
Click for full size
i decided to crack open a cellpipe today. it was littlerally cracking, these things were not meant to be opened. i was gentle with the PCB and it still works.

You can clearly read all the chips, the main CPU is an IKANOS FUSIV Vx150–IKF6833-1 (ikanos ikf68331-a1-pb1-c) or vx150 for short. Some specs:
»www.ikanos.com/wp-content/upload···_V61.pdf

The cellpipe does has a console port on the back but it's 5 pin mini-din which no one uses. On the board there's a 9 pin what looks like an eTTL pinout (3.3v instead of the RS232 -9/9v)

It looks like this:

I'm mapping the pins this way based on the above diagram:

1 2
3 4
5 6
7 8
9

A quick voltmeter check:
1, 2, 4, 7 = 5v
other pins = 0 or variable 0-0.1v

Maybe I can get some TTL serial out of this? Thoughts, suggestions?


squircle

join:2009-06-23
Oakville, ON
Last I tried, I couldn't get anything from the mini-DIN but I haven't tried the onboard header. Good luck!

Roop

join:2003-11-15
Ottawa, ON

3 edits
reply to Roop
boot code

Net:   voxEmac
 
Type "h" for HELP. Have fun!
 
Hit any key to stop autoboot:  1  0 
Use Partition 2 to boot
length = 4978932, crc32=1b8ae6b5
CRC32 checksum OK!
Use Partition 2 to boot
## Booting image at bf800000 ...
   Image Name:   adi_kernel_2.6
   Created:      2011-09-14   2:06:05 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    1189550 Bytes =  1.1 MB
   Load Address: 80010000
   Entry Point:  802af000
   Verifying Checksum ... OK
   Uncompressing Kernel Image ... OK
 
Starting kernel ...
 
Linux version 2.6.18.2 (xxxxx@CompilerServer2.gemtek.com.tw) (gcc version 3.4.3) #1193 PREEMPT Wed Sep 14 10:05:59 CST 2011
CPU revision is: 6833c400
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Initial ramdisk at: 0x80000000 (0 bytes)
Built 1 zonelists.  Total pages: 8192
Kernel command line: root=/dev/mtdblock2 rw rootfstype=jffs2 myfs_start=0xbf940000 rootfstype=cramfs root=/dev/mtdblock5 
***** INFO: saved_root_name is /dev/mtdblock2 
****************************************myfs_start is 0xbf940000 
***** INFO: saved_root_name is /dev/mtdblock5 
Primary instruction cache 16kB, linesize 32 bytes.
Primary data cache 8kB, linesize 32 bytes.
Fusiv LX4189 CACHES 
Synthesized TLB refill handler (17 instructions).
Synthesized TLB load handler fastpath (31 instructions).
Synthesized TLB store handler fastpath (31 instructions).
Synthesized TLB modify handler fastpath (25 instructions).
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28900k/32768k available (2256k kernel code, 3852k reserved, 423k data, 164k init, 0k highmem)
Mount-cache hash table entries: 512
Checking for 'wait' instruction...  unavailable.
checking if image is initramfs... it is
Freeing initrd memory: 0k freed
NET: Registered protocol family 16
Fusiv PCI: starting...
NET: Registered protocol family 2
IP route cache hash table entries: 256 (order: -2, 1024 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (C) 2001-2006 Red Hat, Inc.
Initializing Cryptographic API
io scheduler noop registered (default)
Serial: 8250/16550 driver $Revision: 1.3 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0xb9020000 (irq = 6) is a 16450
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
PPP generic driver version 2.4.2
NET: Registered protocol family 24
*****************************************In init_mb tmp is 0x1f940000
On Board flash device: 0x1000000 at 0x1f000000
ADI flash: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
  Silicon revision: 6
  Address sensitive unlock: Not required
  Erase Suspend: Read/write
  Block protection: 1 sectors per group
  Temporary block unprotect: Not supported
  Block protect/unprotect scheme: 8
  Number of simultaneous operations: 0
  Burst mode: Not supported
  Page mode: 8 word page
  Vpp Supply Minimum Program/Erase Voltage: 11.5 V
  Vpp Supply Maximum Program/Erase Voltage: 12.5 V
  Top/Bottom Boot Block: Uniform, Bottom WP
ADI flash: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 6 MTD partitions on "ADI flash":
0x00000000-0x00060000 : "ADI uBOOT Partition"
0x00060000-0x001a0000 : "ADI Flash OS Partition"
0x001a0000-0x00800000 : "ADI Flash FS Partition"
0x00800000-0x00940000 : "ADI Flash OS-2 Partition"
0x00940000-0x00f60000 : "ADI Flash FS-2 Partition"
0x00f60000-0x01000000 : "ADI Config JFFS2 Partition"
ip_conntrack version 2.4 (256 buckets, 2048 max) - 268 bytes per conntrack
ip_conntrack_rtsp v0.6.21 loading
ip_nat_rtsp v0.6.21 loading
ip_conntrack_pptp version 3.1 loaded
ip_nat_pptp version 3.0 loaded
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP bic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
NET: Registered protocol family 8
NET: Registered protocol family 20
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 164k freed
bmedrv: module license 'proprietary' taints kernel.
***** VDSL BME driver registered with Major number: 254 *****
fusiv library initializing...
 
fusiv library initialized SUCCESSFULLY... 
Timers are getting initalized
 
Timers are initilized SUCCESSFULLY...
periApDriverInit: doneSlave Mem Alloc: Req size 16   Ptr2Block 0x191f0000
 
 *******LOAD firmware to AP:PERI_ID result:0Load into PERI_AP APU Successful !!!
 
 Added AP PREROUTE Hook 
 Added AP POSTROUTE Hook 
 Buffer Manager is initializing...
Slave Mem Alloc: Req size 16   Ptr2Block 0x191f0010
Load into BM APU Successful !!!
 
** Switch driver installed successfully - v.6.9.4 5th Nov, 2008 **
Slave Mem Alloc: Req size 16   Ptr2Block 0x191f0020
Slave Mem Alloc: Req size 16   Ptr2Block 0x191f0030
 
Ethernet Driver is initialized SUCCESSFULLY
***** PPP over Ethernet Relay driver registered with Major number: 253 *****
IGMP Snoop Module inserted successfully- v6.6 on 2007.09.26
Ikanos Fusiv Watchdog  is registered as char device Major No 0
Set Switch as Power Down Mode
nvram_init: INFO=>nvram conf initialized successfully!
nvram_init: INFO=> RAM CONF successful created!
nvram_init: INFO=>nvram MAC initialized successfully!
nvram_init: INFO=>nvram TR069 initialized successfully!
nvram_init: INFO=> RC.CONF successful created!
 
ipos system initialized 
CreateTimer15Mins(): success 
IPOS:Unable to run the API.  BME is idle.
start autoRestart from UI Task
 
BME 1 is coming up
Fusiv oampBmeStart() ../
 
b1p0  iposBmeStartBlk cmdtag 0 status: IN PROGRESS 
cpe> 
INI RESETHello 2 
 
Downloading BME 1 software..... klogd started: BusyBox v1.00 (2011.07.08-04:35+0000)
killall: syslogd: no process killed
IPOS:Unable to run the API.  BME is idle.
IPOS:Unable to run the API.  BME is idle.
IPOS:Unable to run the API.  BME is idle.
cat: /etc/config/Panic_Log_10: No such file or directory
Sat Nov 26 04:10:00 UTC 2011
IPOS:Unable to run the API.  BME is idle.
IPOS:Unable to run the API.  BME is idle.
/usr/shell/lan.sh start ok
IPOS:Unable to run the API.  BME is idle.
/usr/shell/hostname.sh config ok
Use RT2880 WLAN Module!!
IPOS:Unable to run the API.  BME is idle.
RT2880 iNIC: 802.11n WLAN PCI driver v2.0.0.0 (Jan. 15, 2009)
RT2880 iNIC: pci dev 0000:00:01.0 (id 1814:0801 rev 00)
PCI: Enabling device 0000:00:01.0 (0000 -> 0002)
rt->regs = ba100000
===> Get MAC from iNIC
============= Init Thread ===================
RacfgTaskThread pid = 236
RacfgBacklogThread pid = 237
ra0: Ralink iNIC at 0xba100000, 00:43:0c:00:00:00, IRQ 25
IPOS:Unable to run the API.  BME is idle.
failed to query MAC address (stat=54)
IPOS:Unable to run the API.  BME is idle.
IPOS:Unable to run the API.  BME is idle.
IPOS:Unable to run the API.  BME is idle.
IPOS:Unable to run the API.  BME is idle.
IPOS:Unable to run the API.  BME is idle.
 
Bme 1 software code downloaded successfully
b1p0  iposBmeStartBlk cmdtag 0 status: COMPLETE 
cpe> 
 alm freq 20
 status freq 30
b1p0  iposPeriodicReportEnable cmdtag 99 status: IN PROGRESS 
cpe> 
 alm freq 20
 status freq 30
b1p0  iposPeriodicReportEnable cmdtag 99 status: IN PROGRESS 
cpe> 
b1p0  iposPeriodicReportEnable cmdtag 99 status: COMPLETE 
cpe> rm: cannot remove `/tmp/oldrc.conf.bridge': No such file or directory
device eth0 entered promiscuous mode
b0: port 1(eth0) entering learning state
Server: Unknown InterfaceFailed to set parameters for server interface
pppoe-relay can't be enbaled: No server interface is configured
/usr/shell/bridge.sh start error
/usr/shell/udhcpd.sh config_boot ok
 
***** udhcpd start ver 1000 *****
info, udhcpd (v0.9.9-pre) started
error, max_leases value (254) not sane, setting to 245 instead
server_config.max_leases_ratio : 183
error, Unable to open /etc/config/gt_old_lease for reading
gt_lease_check: -1
error, Unable to open /tmp/gt_old_lease for reading
[in background ]DebugMessage: 0 
/usr/shell/udhcpd.sh start ok
Set Switch as Normal Operation
 
Please execute 'vdsl 900' in 15 seconds to enter into Supervisor mode
_nvram_get: ERROR=> nvram_get() the wrong field[wl_enable]
Enter main
Enter getFromNV
Enter SetupMultiCast
IPAddr=192.168.2.1
MultiCastGroup=239.255.255.239
start easyconf and mac writer
link not up yet!!: No such file or directory
Ikanos watchdog: Enable Watch Dog !
 
Enable Watch Dog!!
AC:81:12:xx:xx:xx
Use RT2880 WLAN AC Module!!
module wlan_ac installed!!
[wlan_ac] wireless default interface ra0
[wlan_ac] ra0 mac addr : 00 43 0C 00 00 00 
BC::Bridge Filter 
b0 mac=AC:81:12:xx:xx:xx  
b0gwlan_client_info.alg=2
 maclistgwlan_client_info.mode=0
 isgwlan_client_info.broadcastMac=ff:ff:ff:ff:ff:ff
 empgwlan_client_info.bridgeMac=ac:81:12:xx:xx:xx
ty.gwlan_client_info.num=0
.
gwlan_client_info.eth_type=0000
Have done mass production
Group added successfully
 
Group added successfully
 

Roop

join:2003-11-15
Ottawa, ON
reply to Roop
Click for full size
the contraption in the picture allowed me to dump the serial console boot sequence. here's how i did it. i'm hoping this allows others to make similar (hopefully better less complicated setups). maybe from their we can do more interesting things like enable telnet and dump firmwares or what have you.

so the serial port on the back of my cellpipe works fine, at least for reading. i haven't tried writing yet.

the picture is the cellpipe PCB on the right. connected are the black wire (ground) and red wire to the serial transmit. there's no need to dissamble it btw.

in the middle is an arduino 2009/duemillenova USB which i'm using as my 3.3v TTL to seral to USB converter. The red wire from the cellpipe connects to yellow, then white to the arduino. SPECIAL NOTE: leaving the arduino connected at boot time prevents any output. right after turn on the cell pipe, you plug the white wire in and get output. the black wire from the cell pipe which turns into white is the ground. i plug this into arduino's ground to ensure the same reference.

on the far left is my crappy oscilloscope. i was able to measure a single bit width with it of approximately 10.6 microseconds which allowed me to approximate that to 57600 baud, (8N1 was guessed). here's the basic arduino code i used. note the lack of writing if anyone can fix that.

last note in this: the arduino is 5v TTL, the cellpipe is 3.3v TTL. this makes me a bit hesitant to simply wire the arduino's TX to the cellpipe's RX just yet.

void setup()  
{
  Serial.begin(57600);
}
 
void loop()                     // run over and over again
{
 
  if(Serial.available()) {
    char bytes = Serial.read();
    Serial.print(bytes);
    
    //Serial.println(Serial.read());
  }
 
}
 


creed3020
Premium
join:2006-04-26
Kitchener, ON
kudos:2
reply to Roop
The slot of the back of the PCB reminds me of a SO-DIMM slot.

Great work so far, I'm sure Teddy Boom and mlord will find this interesting.


TSI Gabe
Router of Packets
Premium,VIP
join:2007-01-03
Gatineau, QC
kudos:7
that's weird looking oscilloscope, what is that? I thought it was a cell phone at first.


HiVolt
Premium
join:2000-12-28
Toronto, ON
kudos:21
Reviews:
·TekSavvy DSL
·TekSavvy Cable
reply to creed3020
said by creed3020:

The slot of the back of the PCB reminds me of a SO-DIMM slot.

That's Mini-PCI, used for the wireless portion of the Cellpipe... Looks by the RA logo, the wireless chipset is RALink. It's crap.
--
F**K THE NHL. Go Blue Jays 2013!!!


TSI Gabe
Router of Packets
Premium,VIP
join:2007-01-03
Gatineau, QC
kudos:7
the IC to the right is where I'd focus my attention. M29W128GL

128MB NOR Flash. That's likely where the firmware is sitting.


creed3020
Premium
join:2006-04-26
Kitchener, ON
kudos:2
Reviews:
·TekSavvy Cable
reply to HiVolt
I've never seen a Mini-PCI slot I guess then, perhaps without anything in the photo for scale it's hard to see actually how wide it is.

The spring clips on the side are also the same for SODIMM though, but they do look like they are soldered to the board. Hard to make this out without an oblique shot. I see the RA Link chip within that area. I looked at this photo and realized I have Mini-PCI confused with Mini-PCIE »en.wikipedia.org/wiki/File:MiniP···ards.jpg


TSI Gabe
Router of Packets
Premium,VIP
join:2007-01-03
Gatineau, QC
kudos:7
reply to HiVolt
looks like Mini-PCI to me as well.

Roop

join:2003-11-15
Ottawa, ON
reply to Roop
It is a mini-pci card. For scale you can consider that coaxial cable connector in the pictures at about 1cm. It's a Ralink chipset, however the good wireless in the sagemcom is also brought to you by ralink. the sagemcom has 3 anteans for proper 802.11n/mimo where the cellpipe only has two.

the oscilloscope i use is a mini-dso

»www.youtube.com/watch?v=iRcGYPU70To
it's pretty basic, not very fast, but it's cheap, small and battery powered.


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
reply to Roop
Hmm, Linux and busybox. Those are GPL'd applications. This means that Bell is distributing the binaries of GPL'd software. If Bell does not include a copy of the GPL and offer of source with the CellPipe modems, then Bell's distribution of the CellPipe modems represents an act of commercial (criminal) copyright infringement.

I'd be curious to see what Bell's response would be if their legal department was contacted with a demand for the GPL'd source in the modem.

Of note is that it doesn't matter that Bell doesn't make the modems or write the firmware. It doesn't matter if they don't have the source. They are not allowed to distribute GPL'd binaries without either including the source or an offer of the source.
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org

Roop

join:2003-11-15
Ottawa, ON
Yeah, if there's some legal type person who wouldn't mind chasing after bell with this, it could be awesome... or put it on DSLR's front page to get their attention . I devised a crude method to send information at 3.3v rather than 5.0v (use a big diode, 2kv diodes have voltage drops of 2+ volts), I'll implement and test tonight and hit up that 'supervisor mode' prompt.

Once I'm done here, I'll do the same with my sagemcom, hopefully more carefully as I actual care about that one. There are already pictures of the insides of those but no boot logs.

pjlahaie

join:2009-03-14
Ottawa, ON
reply to Guspaz
said by Guspaz:

Hmm, Linux and busybox. Those are GPL'd applications. This means that Bell is distributing the binaries of GPL'd software. If Bell does not include a copy of the GPL and offer of source with the CellPipe modems, then Bell's distribution of the CellPipe modems represents an act of commercial (criminal) copyright infringement.

Does renting constitute distribution? I thought Bell still owned the modems, so are you even allowed to flash them?


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
said by pjlahaie:

Does renting constitute distribution? I thought Bell still owned the modems, so are you even allowed to flash them?

The consensus by GPL experts is that rental versus purchase is irrelevant, because the GPL doesn't care about the form of the financial transaction. Possession and ownership are different things, and all you have to do to have distributed something is to put it into my possession.

EDIT: Explained from another angle, you can't rent or sell a piece of code (or binary) without the permission from the copyright holder of that code, and the GPL does not authorize rental, only distribution. So Bell owns the modem, but they do not own the GPL'd code they put on the modem. The distribution of the GPL'd code therefore falls under the GPL license, rather than Bell's rental license; Bell can't relicense that code under their rental contract.
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org

morisato

join:2008-03-16
Oshawa, ON
the connection hub also has gpled code right?

TechNut2

join:2010-05-17
canada
reply to Guspaz
said by Guspaz:

said by pjlahaie:

Does renting constitute distribution? I thought Bell still owned the modems, so are you even allowed to flash them?

The consensus by GPL experts is that rental versus purchase is irrelevant, because the GPL doesn't care about the form of the financial transaction. Possession and ownership are different things, and all you have to do to have distributed something is to put it into my possession.

EDIT: Explained from another angle, you can't rent or sell a piece of code (or binary) without the permission from the copyright holder of that code, and the GPL does not authorize rental, only distribution. So Bell owns the modem, but they do not own the GPL'd code they put on the modem. The distribution of the GPL'd code therefore falls under the GPL license, rather than Bell's rental license; Bell can't relicense that code under their rental contract.

Bell would be indemnified by the manufacturer. Aka, Bell does not "produce" the product, they simply resell it. Under commercial terms, Sagemcom would cover them.

it's moot anyway. If you can use google, "sagemcom gpl" would have taken you to this link,

»opensource.sagemcom.com/

Roop

join:2003-11-15
Ottawa, ON

3 edits
reply to Roop
ok so i ditched the ardunio in favor of a maxim3232cpe serial to 3.3v TTL convert. I simply connected the ground, tx and rx pin and voila! 3.3v TTL to interface with the console port. here's the help menu at bootup:

CPU: IKANOS Fusiv 150 Family
DRAM:  32 MB
Flash: 16 MB
In:    serial
Out:   serial
Err:   serial
Net:   voxEmac
 
Type "h" for HELP. Have fun!
 
Hit any key to stop autoboot:  0 
> h
?       - alias for 'help'
askenv  - get environment variables from stdin
autoscr - run script from memory
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootelf - Boot from an ELF image in memory
bootm   - boot application image from memory
bootp- boot image via network using BootP/TFTP protocol
bootvx  - Boot vxWorks from an ELF image
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dhcp- invoke DHCP client to obtain IP/boot params
echo    - echo args to console
erase   - erase FLASH memory
flinfo  - print FLASH memory information
go      - start application at address 'addr'
help    - print online help
itest- return true/false on integer compare
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loop    - infinite loop on address range
md      - memory display
mm      - memory modify (auto-incrementing)
mtest   - simple RAM test
mw      - memory write (fill)
nm      - memory modify (constant address)
pci     - list and access PCI Configuration Space
ping- send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv  - set environment variables
sleep   - delay execution for some time
tftpboot- boot image via network using TFTP protocol
version - print monitor version
 

command printenv

> printenv
&#65533;&#65533;:eauthor=Leo@analog devices
bootdelay=1
baudrate=57600
preboot=echo;echo Type "h" for HELP.  Have fun!;echo
netboot=dhcp;tftp;run netargs; bootm
nfsargs=setenv bootargs root=/dev/nfs ip=dhcp
localargs=setenv bootargs root=/dev/mtdblock2 ip=dhcp
addmisc=setenv bootargs $(bootargs) console=ttyS0,$(baudrate) read-only=readonly
netargs=run nfsargs addmisc
flash_nfs=run nfsargs addmisc;bootm $(kernel_addr)
flash_local=run localargs addmisc;bootm $(kernel_addr)
netboot_initrd=dhcp;tftp;tftp 80600000 initrd;setenv bootargs root=/dev/ram ramdisk_size=8192 ip=dhcp;run addmisc;bootm 80400000 80600000
rootpath=/export/miniroot-mipsel
autoload=no
myfs_start=0xbfd40000
kernel_addr=BFC60000
ramdisk_addr=B0100000
u-boot=u-boot.bin
bootfile=kernel.img
load=dhcp;tftp 80400000 $(u-boot)
load_kernel=dhcp;tftp 80400000 $(bootfile)
ethaddr=00:00:00:01:02:05
bootcmd=bootm 0xbf060000
bootargs=myfs_start=0xbf1a0000 rootfstype=cramfs root=/dev/mtdblock3
boot_partition=2
firmware_upgrade=0
boot_successfully=1
fw_length=1048576
fw_crc=ffffffff
console_enable=0
u-boot-ver=1.1.4b
ipaddr=192.168.1.2
upgrade_uboot=tftp $(u-boot);protect off all;erase bf000000 bf05ffff;cp.b 0x80400000 bf000000 60000
initenv=protect off all;erase bf020000 bf03ffff
stdin=serial
stdout=serial
stderr=serial
ethact=voxEmac
 
Environment size: 1293/131068 bytes
 

JMJimmy

join:2008-07-23
Reviews:
·TekSavvy DSL
reply to TechNut2
said by TechNut2:

Bell would be indemnified by the manufacturer. Aka, Bell does not "produce" the product, they simply resell it. Under commercial terms, Sagemcom would cover them.

it's moot anyway. If you can use google, "sagemcom gpl" would have taken you to this link,

»opensource.sagemcom.com/

I thought it was the Cellpipe....

Roop

join:2003-11-15
Ottawa, ON
yeah it is a cellpipe... would someone be able to get the source from alcatel then?

JMJimmy

join:2008-07-23
Alcatel has a form buried on their website but overall Bell, Telus, and Alcatel are in violation of GPL in multiple ways.


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
reply to TechNut2
said by TechNut2:

Bell would be indemnified by the manufacturer. Aka, Bell does not "produce" the product, they simply resell it. Under commercial terms, Sagemcom would cover them.

it's moot anyway. If you can use google, "sagemcom gpl" would have taken you to this link,

»opensource.sagemcom.com/

You're confusing patent law and copyright law. You can't be indemnified against a crimimal act. Sagemcom does not own the software they're distributing, and neither does Bell. It doesn't matter where Bell got the software, Bell is the one distributing it to you.

Also, googling for "manufacturer name gpl" is irrelevant, since it has no bearing on the GPL. The GPL says the binaries must come with either the source or an offer of the source. Having to google for the source is a violation of the GPL, and as such, copyright infringement.
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org

Roop

join:2003-11-15
Ottawa, ON

1 edit
reply to Roop
downloadraw.01.strings.bz2 609,950 bytes
I originally added this to the other post but i'm breaking this into it's own so things don't get too long.

the boot manager 'bdinfo' command shows the flash memory's mapping. the first several blocks are the read only boot loader (there is an option to change that to read-write). the next section is the read write area where the actual kernel image is. i used the command 'md' to dump this onto the serial (0xBF000000 through to 0xC0000000). unfortunately it's not binary, it's HEX + ASCII. the command xxd can convert this back to binary.

> bdinfo
boot_params = 0x81F53FB0
memstart    = 0x80000000
memsize     = 0x02000000
flashstart  = 0xBF000000
flashsize   = 0x01000000
flashoffset = 0x0005FFB8
ethaddr     = 00:00:00:01:02:05
ip_addr     = 192.168.1.2
baudrate    = 57600 bps
> md 0xBF000000
bf000000: 100000ff 00000000 100000fd 00000000    ................
....
f05ea80: 62696e00 626f6f74 66696c65 3d6b6572    bin.bootfile=ker
....
bf100f90: 9af2b9a2 5121fb0c ce43e021 9149f39b    ....Q!...C.!.I..
bf100fa0: b55fabd4 511b96dd f881e755 1768bbb0    ._..Q......U.h..
bf100fb0: 900fea25 d573e045 d0fb7b12 d71e973c    ...%.s.E..{....<
bf100fc0: 5007a1df 7067131c 8c711d7f 2773faa1    P...pg...q..'s..
 

I have this complete hex dump. i have it in three formats, 24mb of what you see on the screen (hex dumped), 3.0GB binary image and 854kb text strings dumps. If you want them, PM me.

raw.01.log = raw hex dump with ascii from the md command - 24mb compressed
raw.01.bin = the file above converted to pure binary (command xxd -r raw.01.log raw.01.bin) 3.0GB
raw.01.strings = the command strings run on raw.01.bin (strings raw.01.bin > raw.01.strings) this file is attached. it's just text, you can search through for things of interest but not much else.

i found the string adi_kernel_2.6, that actual found me some actual fusiv source on google:
»test.ninux.org/~claudyus/alice_a···Makefile

ok, i think that's all for me. i'll let some other folks run with some of the intial work i've done. i'll be super optomistic and hope that one day this leads to some awesome firmware on the cellpipe.

as for my production cellpipe, TSI Martin noted he'll replace it with a sagemcom since it will not get the new firmware, it's stuck on R3... i do have another bell supplied sagemcom i use for wireless.. maybe i can dump it's firmware :)

TechNut2

join:2010-05-17
canada
reply to Guspaz
said by Guspaz:

said by TechNut2:

Bell would be indemnified by the manufacturer. Aka, Bell does not "produce" the product, they simply resell it. Under commercial terms, Sagemcom would cover them.

it's moot anyway. If you can use google, "sagemcom gpl" would have taken you to this link,

»opensource.sagemcom.com/

You're confusing patent law and copyright law. You can't be indemnified against a crimimal act. Sagemcom does not own the software they're distributing, and neither does Bell. It doesn't matter where Bell got the software, Bell is the one distributing it to you.

Also, googling for "manufacturer name gpl" is irrelevant, since it has no bearing on the GPL. The GPL says the binaries must come with either the source or an offer of the source. Having to google for the source is a violation of the GPL, and as such, copyright infringement.

I have worked on these kinds of agreements before. It's covered by the manufacturer. Bell is not technically distributing the software. A derivative work, is changing the GPL'd software itself. Changing the logos or web interface developed by ALU, would not be a derivative work for the GPL. As we have seen by reading these forums on the Voltage issue, users on this forum are not legal experts by any means. Take it from someone who deals with corporate agreements of this kind, your theory is not right. The GPL itself is very clear, if you modify the software, the source needs to be available, otherwise, you are "Free to use" as you see fit if you do not modify it.

Under your logic Guspaz, the guy who sells a Android phone at a cell phone hut in the mall is "distributing" GPL software too. That's not the case. If the guy in the hut in the mall, modifies the linux kernel, and sells the phone, he would need to publish the code. If all he is doing is reselling without modification, then, no need. In this case, ALU is responsible for being compliant with the license. I know (after working with them years ago), that they have a strong FOSS program in place. Trust me, all of the telco hardware providers worry about open source. In Canada, its a major concern. China and others, well, that's where attention should be focused. Indemnity agreements DO cover patent and copyright issues. The only way Bell is on the hook, is if they modify the source code themselves. That's not something that Bell typically does, as they like to procure product, not do R&D on it.


Guspaz
Guspaz
Premium,MVM
join:2001-11-05
Montreal, QC
kudos:23
You're incorrect. Bell is distributing the binaries, stripping those binaries of the appropriate notices is a violation.

Modification is irrelevant. Section 3 of the GPL merely says you may copy and distribute binaries if you do one of the things (accompany with source, or an offer of the source either from you or that you got with it).

If a guy in the phone hut is selling a retail boxed Android phone, that phone will have the GPL offer of source somewhere in it (often in the legal fine print in the manual). If he's selling a bare phone, he's guilty of copyright infringement.
--
Developer: Tomato/MLPPP, Linux/MLPPP, etc »fixppp.org

JMJimmy

join:2008-07-23
reply to TechNut2
Also, Bhell would have had to modify it to work with it's stingers wouldn't they?

TechNut2

join:2010-05-17
canada
reply to Guspaz
said by Guspaz:

You're incorrect. Bell is distributing the binaries, stripping those binaries of the appropriate notices is a violation.

Modification is irrelevant. Section 3 of the GPL merely says you may copy and distribute binaries if you do one of the things (accompany with source, or an offer of the source either from you or that you got with it).

If a guy in the phone hut is selling a retail boxed Android phone, that phone will have the GPL offer of source somewhere in it (often in the legal fine print in the manual). If he's selling a bare phone, he's guilty of copyright infringement.

Seriously, did you actually read what you typed? That makes no sense whatsoever Guspaz. You are confusing distribution of software with distribution of product to a end user. End user to ALU and from the license perspective is Bell, unless Bell makes any modification to GPL related code. "selling a bare phone, he's guilty of copyright infringement", you make yourself seem silly. End users are generally exempted from license issues, by indemnity or other legal vehicles, because they USE the product, they do not produce it. Bell USES the product, they do not produce it. An end user selling a phone, is not breaking any law, unless they do not have the rights to sell it. You are twisting some wording to meet your intent, but that does not make you right. The license in and of itself needs to be interpreted in greater commercial terms and common-law terms. Maybe it is different in QC, but in the rest of Canada, your argument is a false theory. No judge in Canada would find a end user who sold a phone guilty of any infringement whatsoever for simply using and buying/selling the device without a manual.

BTW, Roop, it's awesome you have been able to get into the device, that's very cool stuff! Didn't mean to hijack your thread, just when people pipe up with conspiracy crap, that's just plain wrong, it makes everyone on these forums look bad.

TechNut2

join:2010-05-17
canada
reply to JMJimmy
said by JMJimmy:

Also, Bhell would have had to modify it to work with it's stingers wouldn't they?

No, The Stingers are owned by ALU. So, they would be modifying there own code to do it. That code, as long as it is not based on a FOSS license, would not need to be published/released.

Remember, code running on a Linux system that is developed by you, is not considered a derivative work (Linus has this in the kernel modified GPL license file). Even binary blobs or other closed drivers are not considered derivatives, BUT, that has not been testing court to my knowledge.

The only modification Bell will do is modify the HTML interface for their customers (if that). That's not a derivative work, and is not under the GPL. So, no need to release it to anyone.

Hilton

join:2013-01-26

1 edit
reply to Roop
Hi Roop, good work.

Can you share the u-boot dump in hex format?

Thank you.

Hilton

join:2013-01-26
reply to Roop
Please delete this post.