 | reply to parallel_jay
Re: Alcatel Cellpipe 7130 TJ3-65-014E modified TELUS firmware
said by parallel_jay: Is the user/pass combo the same as used on the Actiontec?
Apparently we are no longer permitted to post passwords on DSLReports. I don't know if TELUS employees are telling DSLReports moderators to remove the passwords; if this is the case, TELUS should probably contact me via the forums and I will be happy to remove the passwords.
If we could get an official response from TELUS regarding this issue it would be appreciated. I am a reasonable person and if they do not want this information posted I don't think anyone would disagree with them. The whole shadow-in-the-wall approach and not having official representation on DSLReports unlike Shaw is rather tiring. |
|
|
|
 Patman023 Ex-TELUS employee, Ubuntu Lover join:2009-03-01 Edmonton, AB | it's a liability issue regarding trade secrets. State (our mod) posted about it recently... |
|
 | said by Patman023: it's a liability issue regarding trade secrets. State (our mod) posted about it recently...
I feel like they have done a 360 regarding this issue; it feels to me like TELUS has contacted them but not bothered to contact me regarding these posts. I think if we could get an official response out of TELUS to clarify if we can continue to modify the firmware on the devices that would be the best.
I am just a fan of the TELUS HSIA product, and like that the enthusiast community can continue to thrive on DSLR like they have with Shaw. We aren't doing any harm, why does it matter? |
|
 Patman023 Ex-TELUS employee, Ubuntu Lover join:2009-03-01 Edmonton, AB | you would be surprised at how protective the big T is of their brand. in any case, this removal policy was in place back when the 2Wire MDC panel came to be public knowledge, and maybe even before... |
|
 parallel_jay Former TELUS employee, current P.I.T.A. join:2006-02-08 Edmonton, AB | reply to TelusFW
That's ok, I wasn't asking you to post it. I know of the board policy. I'm just curious if it uses the same user/pass combo. |
|
 | reply to TelusFW
said by TelusFW: I am just a fan of the TELUS HSIA product, and like that the enthusiast community can continue to thrive on DSLR like they have with Shaw. We aren't doing any harm, why does it matter?
Instead of posting the user/pass, perhaps you would post the method used of obtaining it (in case you are hit by a bus, ...or abducted by telus)? Do you download the firmware from the modem itself to extract it? How is that done?
- Enthusiast supporting openness, transparency and education... |
|
 TheMGPremium join:2007-09-04 Canada kudos:2 | My guess would be that he's using JTAG or something similar to extract the firmware from the EEPROM/flash memory in the unit. Once the code is extracted, it's only a matter of digging through it until the desired information is located and decoded if necessary.
There's really not much Telus can do to stop people from modifying the firmware in a device they have physical access to.
However, not everyone has the skills, knowledge, and resources to be able to go down to the hardware level. |
|
 | reply to kpopper
said by kpopper: Instead of posting the user/pass, perhaps you would post the method used of obtaining it (in case you are hit by a bus, ...or abducted by telus)? Do you download the firmware from the modem itself to extract it? How is that done?
- Enthusiast supporting openness, transparency and education...
I guess he was abducted. Sad. Describing the entire process would have helped everyone continue on. Telus likes to keep things hidden, but tinkering enthusiasts do too.
How do you update the .img file? (Is there any spyware in this one?) A step-by-step guide written on a wiki would have been nice. |
|
 | reply to kpopper
The Cellpipe 7130 is based on the Broadcom 6368 System-on-Chip (SoC). This is a dual VIPER MIPS32 core processor.
The bootloader for the 63xx series of CPUs is Broadcom's Common Firmware Environment (CFE) bootloader.
The CFE bootloader has a primitive console that can be accessed via a UART serial interface on the router's PCB.
Most 63xx routers have a set of header pins or solder pads where the UART (and JTAG) connection can be made.
The UART interface is usually running at 3.3 V TTL levels. As such, it is not compatible with the voltages found in RS232 connections. A voltage level converter is needed. Since RS232 ports are becoming increasingly rare on modern PCs, it is more convenient to use a USB-UART bridge controller.
The clone Nokia DKU5 cellphone data cable has an integral USB-UART bridge controller (the Prolific Logic PL2303 IC). These data cables can be bought for just a dollar or two. One end of the cable has a standard USB-A plug. The other end has a proprietary Nokia phone plug. This plug is cut off, exposing a handful of wires. These are traced to the two serial lines (TXD and RXD) and GND.
These three wires are attached to the appropriate points on the board of the router.
Serial terminal software, such as minicom, is run on the PC.
The router is booted and the CFE bootloader dumps its output to the UART interface which is monitored on the PC.
The CFE bootloader usually allows the boot to be interrupted by pressing a key in the terminal console.
The CFE bootloader then presents a simple menu. One of the options is to hexdump the flash contents.
It can take quite a while to hexdump the entire flash image over the serial interface. Maybe 30 minutes for an 8 MByte flash device.
Once the hexdump is complete, it is reversed back into a binary image. Standard tools can now be used to unsquash the contents of the flash file system in that image. The flash filesystem of the router is now completely open.
At this point, if you're comfortable using Linux, it's child's play to discover usernames and passwords for the web interface, or telnet server, etc. |
|
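The step of reversing the hexdump back into a binary image, as an added example that is not part of the original thread. The capture line layout (8-digit address, colon, 16 byte pairs, ASCII column) and the sample text are assumptions; compare them with your own console log. The address check reports lines lost on the slow serial link, since a silently shortened image will not unpack correctly.

```python
import re

# Assumed capture layout (constructed; check it against your own console log):
# "<8-hex address>: <up to 16 space-separated byte pairs>  <ASCII column>"
LINE_RE = re.compile(
    r'^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})(?:\s{2}|\s*$)')

def rebuild_image(capture):
    """Return (image, base_address, problems) from a serial hexdump log."""
    image, base, problems = bytearray(), None, []
    for n, line in enumerate(capture.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # banner, menu text, prompts
        addr, data = int(m.group(1), 16), bytes.fromhex(m.group(2))
        if base is None:
            base = addr                   # first dumped address
        expected = base + len(image)
        if addr < expected:               # repeated or out-of-order line
            problems.append((n, expected, addr))
            continue
        if addr > expected:               # lines lost on the serial link
            problems.append((n, expected, addr))
            image += b'\xff' * (addr - expected)  # pad so offsets stay aligned
        image += data
    return bytes(image), base, problems

def find_squashfs(image):
    """Offsets of SquashFS superblock magics (little- and big-endian)."""
    return sorted(m.start() for m in re.finditer(rb'hsqs|sqsh', image))

# Constructed sample, not real device output; the line for b8000020 is
# deliberately missing to show the gap report.
SAMPLE = """\
CFE> (constructed sample, not real device output)
b8000000: 43 46 45 31 43 46 45 31 00 00 00 00 00 00 00 00  CFE1CFE1........
b8000010: 68 73 71 73 01 02 03 04 05 06 07 08 09 0a 0b 0c  hsqs............
b8000030: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
"""

if __name__ == "__main__":
    img, base, problems = rebuild_image(SAMPLE)
    print(f"base=0x{base:08x} size={len(img)} squashfs at {find_squashfs(img)}")
    for n, want, got in problems:
        print(f"line {n}: expected 0x{want:08x}, got 0x{got:08x}; re-dump this range")
```

Any entry in `problems` means the padded region holds filler bytes rather than flash contents, so that address range should be dumped again before the image is unpacked.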