Huawei HG630B. Connecting to the UART

In my previous post I guessed that a five pad header on the rear of the PCB could be a UART of some type.

I quickly soldered a header to the pads, connected my Saleae logic analyzer up, switched on the router and started my snooping.

After a few attempts at finding a suitable ground pin, it wasn’t long before I had data that looked like this.

There's definitely some data there — There’s definitely some data there

My old friend 8 bit ASCII. These logic analyzers are very good for the price - the software has decoded some of the data stream as 'found\r\n' — My old friend 8 bit ASCII. These logic analyzers are very good for the price – the software has decoded some of the data stream as ‘found\r\n’

The data is sent at 115.2 kbit/s with standard 8,N,1 settings. It took a little bit longer to find the RxD pin. Here is the HG630B serial port pinout.

The wire colors in the image are the standard colors for a TTL-232R USB to Serial adapter.

There are two pads which I have not labelled. One of them seems to be +Vcc while the other is just N/C. Either way, they are not required for serial communication.

Here is a full transcript of the serial port while the device boots:

HELO
CPUI
L1CI
HELO
CPUI
L1CI
DRAM
----
PHYS
STRF
400H
PHYE
DDR2
SIZ4
SIZ3
SIZ2
SIZ1
DINT
USYN
LSYN
MFAS
LMBE
RACE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
 
 
CFE version 1.0.38-114.174 for BCM963268 (32bit,SP,BE)
Build Date: Wed Apr  2 11:24:49 CST 2014 (sunhongyong@X3755-vhg)
Copyright (C) 2000-2011 Broadcom Corporation.
 
NAND flash device: name <not identified>, id 0x98d1 block 128KB size 131072KB
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000
 
Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Boot image (0=latest, 1=previous) : 0
Board Id (0-1)                    : 963268_hg630b
Number of MAC Addresses (1-32)    : 10
Base MAC Address                  : 02:10:18:01:00:01
PSI Size (1-64) KBytes            : 0
Enable Backup PSI [0|1]           : 0
System Log Size (0-256) KBytes    : 0
Main Thread Number [0|1]          : 0
 
 
 Boot :e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_ker                      nel d=1 p=0
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Boot from slave system!
SIGN CHK ALWAYLYS.
get bootflag = 2
 check tag at block 6 crc ok
Check Image Crc Success
I have find vmlinux.lz at block 291
I have get vmlinux.lz size at block 304
Decompression OK!
Entry at 0x800146c0
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x800146c0
Linux version 2.6.30 (sunhongyong@X3755-vhg) (gcc version 4.4.2 (Buildroot 2010.                      02-git) ) #7 SMP PREEMPT Wed Apr 2 11:25:47 CST 2014
======== nand_flash_init =======
NAND flash device id 98d1 is not supported.
 
Init Flash Error iReturn = -1
63268hg622b prom init
CPU revision is: 0002a080 (Broadcom4350)
DSL SDRAM reserved: 0x132000
Determined physical RAM map:
 memory: 03ece000 @ 00000000 (usable)
Zone PFN ranges:
  DMA      0x00000000 -> 0x00001000
  Normal   0x00001000 -> 0x00003ece
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00003ece
On node 0 totalpages: 16078
free_area_init_node: node 0, pgdat 804b2c70, node_mem_map 81000000
  DMA zone: 32 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 4064 pages, LIFO batch:0
  Normal zone: 94 pages used for memmap
  Normal zone: 11888 pages, LIFO batch:1
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 15952
Kernel command line: root=mtd:rootfs ro rootfstype=jffs2 console=ttyS0,115200
wait instruction: enabled
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
NR_IRQS:128
PID hash table entries: 256 (order: 8, 1024 bytes)
console [ttyS0] enabled
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 58028k/64312k available (3735k kernel code, 6264k reserved, 1030k data,                       168k init, 0k highmem)
Calibrating delay loop... 399.36 BogoMIPS (lpj=199680)
Mount-cache hash table entries: 512
--Kernel Config--
  SMP=1
  PREEMPT=1
  DEBUG_SPINLOCK=0
  DEBUG_MUTEXES=0
Broadcom Logger v0.1 Apr  2 2014 11:00:39
CPU revision is: 0002a080 (Broadcom4350)
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
Calibrating delay loop... 402.43 BogoMIPS (lpj=201216)
Brought up 2 CPUs
net_namespace: 1152 bytes
bhal: bhalInit entry
NET: Registered protocol family 16
Internal 1P2 VREG is forced to remain enabled
registering PCI controller with io_map_base unset
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pci 0000:00:00.0: reg 10 32bit mmio: [0x10004000-0x10013fff]
pci 0000:00:00.0: reg 30 32bit mmio: [0x000000-0x0007ff]
pci 0000:00:00.0: supports D1 D2
pci 0000:00:00.0: PME# supported from D0 D3hot D3cold
pci 0000:00:00.0: PME# disabled
pci 0000:00:09.0: reg 10 32bit mmio: [0x10002600-0x100026ff]
pci 0000:00:0a.0: reg 10 32bit mmio: [0x10002500-0x100025ff]
pci 0000:01:00.0: PME# supported from D0 D3hot
pci 0000:01:00.0: PME# disabled
pci 0000:01:00.0: PCI bridge, secondary bus 0000:02
pci 0000:01:00.0:   IO window: disabled
pci 0000:01:00.0:   MEM window: disabled
pci 0000:01:00.0:   PREFETCH window: disabled
PCI: Setting latency timer of device 0000:01:00.0 to 64
BLOG v3.0 Initialized
BLOG Rule v1.0 Initialized
Broadcom IQoS v0.1 Apr  2 2014 11:06:33 initialized
Broadcom GBPM v0.1 Apr  2 2014 11:06:33 initialized
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.11)
msgmni has been set to 113
io scheduler noop registered (default)
PCI: Setting latency timer of device 0000:01:00.0 to 64
Driver 'sd' needs updating - please use bus_type methods
PPP generic driver version 2.4.2
NET: Registered protocol family 24
IMQ driver loaded successfully.
        Hooking IMQ after NAT on PREROUTING.
        Hooking IMQ before NAT on POSTROUTING.
Broadcom DSL NAND controller (128MB @00000000
brcmnand_scan: Done brcmnand_probe
brcmnand_scan: B4 nand_select = 40000001
brcmnand_scan: After nand_select = 40000001
100 CS=0, chip->ctrl->CS[0]=0
ECC level 15, threshold at 1 bits
reqEccLevel=1, eccLevel=15
190 eccLevel=15, chip->ecclevel=15, acc=f7ff1010
brcmnand_scan 10
200 CS=0, chip->ctrl->CS[0]=0
200 chip->ecclevel=15, acc=f7ff1010
page_shift=11, bbt_erase_shift=17, chip_shift=27, phys_erase_shift=17
brcmnand_scan 220
Brcm NAND controller version = 4.0 NAND flash size 128MB @18000000
brcmnand_scan 230
brcmnand_scan 40, mtd->oobsize=64, chip->ecclayout=00000000
brcmnand_scan 42, mtd->oobsize=64, chip->ecclevel=15, isMLC=0, chip->cellinfo=0
ECC layout=brcmnand_oob_bch4_4k
brcmnand_scan:  mtd->oobsize=64
brcmnand_scan: oobavail=50, eccsize=512, writesize=2048
brcmnand_scan, eccsize=512, writesize=2048, eccsteps=4, ecclevel=15, eccbytes=3
300 CS=0, chip->ctrl->CS[0]=0
500 chip=83a5f190, CS=0, chip->ctrl->CS[0]=0
-->brcmnand_default_bbt
brcmnand_default_bbt: bbt_td = bbt_main_descr
Bad block table Bbt0 found at page 0000ffc0, version 0x01 for chip on CS0
Bad block table 1tbB found at page 0000ff80, version 0x01 for chip on CS0
brcmnandCET: Status -> Deferred
brcmnand_scan 99
Boot from slave system!
iBlkStart 123
 
=======iBlkStart:292=======
Creating 3 MTD partitions on "brcmnand.0":
0x000002460000-0x000004760000 : "rootfs"
0x000000160000-0x000002460000 : "rootfsbak"
0x0000070a0000-0x000007dc0000 : "config"
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
PCI: Enabling device 0000:00:0a.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:0a.0 to 64
ehci_hcd 0000:00:0a.0: EHCI Host Controller
ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:0a.0: Enabling legacy PCI PM
ehci_hcd 0000:00:0a.0: irq 18, io mem 0x10002500
ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
PCI: Enabling device 0000:00:09.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:09.0 to 64
ohci_hcd 0000:00:09.0: OHCI Host Controller
ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2
ohci_hcd 0000:00:09.0: irq 17, io mem 0x10002600
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver usblp
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
usbcore: registered new interface driver usbtest
MoniterInit entry
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xb0000180 (irq = 13) is a BCM63XX
ttyS1 at MMIO 0xb00001a0 (irq = 42) is a BCM63XX
adsl: adsl_init entry
bcmxtmcfg: bcmxtmcfg_init entry
bcmxtmrt: Broadcom BCM3168D0 ATM/PTM Network Device v0.4 Apr  2 2014 11:05:36
bcmPktDma_init: Broadcom Packet DMA Library initialized
Total # RxBds=1448
bcmPktDmaBds_init: Broadcom Packet DMA BDs initialized
 
GACT probability NOT on
Mirror/redirect action on
u32 classifier
    input device check on
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1004 buckets, 4016 max)
xt_time: kernel timezone is -0000
nf_nat_pt: no ports specified
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
ebt_time registered
ebt_ftos registered
ebt_wmm_mark registered
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>
All bugs added by David S. Miller <[email protected]>
VFS: Mounted root (jffs2 filesystem) readonly on device 31:0.
Freeing unused kernel memory: 168k freed
 
=file:drivers/usb/core/hub.c,line:3274,func:hub_events=eventCounts=1=
init started: BusyBox vv1.9.1 (2014-04-02 11:18:48 CST)
starting pid 265, tty '': '/etc/init.d/rcS'
RCS DONE
starting pid 267, tty '': '/bin/sh'
 
 
BusyBox vv1.9.1 (2014-04-02 11:18:48 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
 
-/bin/sh: usbdiagd: not found
Loading drivers and kernel modules...
bcm_ingqos: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
Broadcom Ingress QoS Module  Char Driver v0.1 Apr  2 2014 11:04:45 Registered<243>
 
Broadcom Ingress QoS ver 0.1 initialized
BPM: tot_mem_size=67108864B (64MB), buf_mem_size=6710886B (6MB), num of buffers=3201, buf siz         e=2096
Broadcom BPM Module Char Driver v0.1 Apr  2 2014 11:04:44 Registered<244>
[NTC bpm] bpm_set_status: BPM status : enabled
 
NBUFF v1.0 Initialized
Initialized fcache state
Broadcom Packet Flow Cache  Char Driver v2.2 Apr  2 2014 11:04:43 Registered<242>
Created Proc FS /procfs/fcache
Broadcom Packet Flow Cache registered with netdev chain
Broadcom Packet Flow Cache learning via BLOG enabled.
Constructed Broadcom Packet Flow Cache v2.2 Apr  2 2014 11:04:43
chipId 0x631680D0
Broadcom Forwarding Assist Processor (FAP) Char Driver v0.1 Apr  2 2014 11:04:47 Registered <         241>
FAP Debug values at 0x00000010 0x00000010
Enabling SMISBUS PHYS_FAP_BASE[0] is 0x10c01000
FAP Soft Reset Done
4ke Reset Done
Enabling SMISBUS PHYS_FAP_BASE[1] is 0x10c01000
FAP Soft Reset Done
4ke Reset Done
Allocated FAP0 GSO Buffers (0xA2F1D124) : 1048576 bytes @ 0xA2800000
Allocated FAP1 GSO Buffers (0xA2F9D124) : 1048576 bytes @ 0xA2900000
[NTC fapProto] fapReset  : Reset FAP Protocol layer
[FAP0] DSPRAM : stack <0x80000000><1024>, global <0x80000400><7096>, free <72>, total<8192>
[FAP1] DSPRAM : stack <0x80000000><1024>, global <0x80000400><7096>, free <72>, total<8192>
[FAP0] PSM : addr<0x80002000>, used <24560>, free <16>, total <24576>
[FAP1] PSM : addr<0x80002000>, used <24560>, free <16>, total <24576>
[FAP0] Flows supported: 237 (dsp 60, psm 75, qsm 102)
[FAP1] Flows supported: 237 (dsp 60, psm 75, qsm 102)
[FAP0] DQM : availableMemory 14188 bytes, nextByteAddress 0xE0010894
[FAP1] DQM : availableMemory 14188 bytes, nextByteAddress 0xE0010894
[FAP0] GSO Buffer set to 0xA2800000
[FAP1] GSO Buffer set to 0xA2900000
[FAP0] FAP BPM Initialized.
[FAP1] FAP BPM Initialized.
bcmPktDma_bind: FAP Driver binding successfull
Broadcom BCM63168D0 Ethernet Network Device v0.1 Apr  2 2014 11:04:36
fapDrv_psmAlloc: fapIdx=0, size: 4000, offset=b08206f0 bytes remaining 7008
ETH Init: Ch:0 - 200 tx BDs at 0xb08206f0
fapDrv_psmAlloc: fapIdx=1, size: 4000, offset=b0a206f0 bytes remaining 7008
ETH Init: Ch:1 - 200 tx BDs at 0xb0a206f0
fapDrv_psmAlloc: wastage 8 bytes
fapDrv_psmAlloc: fapIdx=0, size: 4808, offset=b0821690 bytes remaining 2192
ETH Init: Ch:0 - 600 rx BDs at 0xb0821690
fapDrv_psmAlloc: wastage 8 bytes
fapDrv_psmAlloc: fapIdx=1, size: 4808, offset=b0a21690 bytes remaining 2192
ETH Init: Ch:1 - 600 rx BDs at 0xb0a21690
eth0.3: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
eth0.5: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
eth0.4: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
eth0.2: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
nas0: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
 
=file:drivers/usb/core/hub.c,line:3274,func:hub_events=eventCounts=2=
--SMP support
wl: dsl_tx_pkt_flush_len=338
wl: high_wmark_tot=2080
PCI: Setting latency timer of device 0000:00:00.0 to 64
wl: passivemode=1
wl: napimode=0
wl0: allocskbmode=1 currallocskbsz=512
otp_read_pci: bad crc
Neither SPROM nor OTP has valid image
wl:srom/otp not programmed, using main memory mapped srom info(wombo board)
wl:loading /etc/wlan/bcm6362_vars.bin
Failed to open srom image from '/etc/wlan/bcm6362_vars.bin'.
wl:loading /etc/wlan/bcm6362_map.bin
wl0: Broadcom BCM435f 802.11 Wireless Controller 5.100.138.2001.cpe.L.3
p8021ag: p8021ag_init entry
IRQ 8/BCM WATCHDOG: IRQF_DISABLED is not guaranteed on shared IRQs
BCM Hardware Watchdog Timer for BCM96361
USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
option: v0.7.2:USB Driver for GSM modems
Start mic now ...
magic number is 3e 00 65 b0.
Read from flash ok.
 
*****Start cfmUpgradeUpdateCfg()!*****
 
*****No need update config[2]*****
load cfm ok.
start log proc...
ifconfig: SIOCSIFNETMASK: Cannot assign requested address
br0: starting userspace STP failed, starting kernel STP
add group failed: Operation not supported
set group 0 mac learning disable in br0 failed: Operation not supported
BcmAdsl_Initialize=0x80232A70, g_pFnNotifyCallback=0x804A6694
lmemhdr[2]=0x100CE000, pAdslLMem[2]=0x100CE000
pSdramPHY=0xA3FFFFF8, 0x6FECFDAF 0x65BBFE4D
*** XfaceOffset: 0x5FF90 => 0x5FF90 ***
*** PhySdramSize got adjusted: 0xD9E68 => 0x110570 ***
AdslCoreSharedMemInit: shareMemAvailable=137840
AdslCoreHwReset:  pLocSbSta=82b88000 bkupThreshold=3072
AdslCoreHwReset:  AdslOemDataAddr = 0xA3F9AC2C
fapDrv_psmAlloc: fapIdx=1, size: 1600, offset=b0a22960 bytes remaining 592
XTM Init: Ch:0 - 200 rx BDs at 0xb0a22960
fapDrv_psmAlloc: fapIdx=1, size: 128, offset=b0a22fa0 bytes remaining 464
XTM Init: Ch:1 - 16 rx BDs at 0xb0a22fa0
Success
ARL table flush done
Success
Read Prsite on!
atp: cur kernel version:[2.6.30]
device eth0.2 entered promiscuous mode
device eth0.3 entered promiscuous mode
device eth0.4 entered promiscuous mode
device eth0.5 entered promiscuous mode
ADDRCONF(NETDEV_UP): eth0.2: link is not ready
ADDRCONF(NETDEV_UP): eth0.3: link is not ready
ADDRCONF(NETDEV_UP): eth0.4: link is not ready
ADDRCONF(NETDEV_UP): eth0.5: link is not ready
device eth0 is not a slave of br0
arp uses obsolete (PF_INET,SOCK_PACKET)
 
bcmPktDma_init: Broadcom Packet DMA Library initialized
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
 
Login:
The console is prohibited!
 
Login:
The console is prohibited!

HELO CPUI L1CI HELO CPUI L1CI DRAM ---- PHYS STRF 400H PHYE DDR2 SIZ4 SIZ3 SIZ2 SIZ1 DINT USYN LSYN MFAS LMBE RACE PASS ---- ZBSS CODE DATA L12F MAIN CFE version 1.0.38-114.174 for BCM963268 (32bit,SP,BE) Build Date: Wed Apr 2 11:24:49 CST 2014 (sunhongyong@X3755-vhg) Copyright (C) 2000-2011 Broadcom Corporation. NAND flash device: name <not identified>, id 0x98d1 block 128KB size 131072KB Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz Main Thread: TP0 Memory Test Passed Total Memory: 67108864 bytes (64MB) Boot Address: 0xb8000000 Board IP address : 192.168.1.1:ffffff00 Host IP address : 192.168.1.100 Gateway IP address : Run from flash/host (f/h) : f Default host run file name : vmlinux Default host flash file name : bcm963xx_fs_kernel Boot delay (0-9 seconds) : 1 Boot image (0=latest, 1=previous) : 0 Board Id (0-1) : 963268_hg630b Number of MAC Addresses (1-32) : 10 Base MAC Address : 02:10:18:01:00:01 PSI Size (1-64) KBytes : 0 Enable Backup PSI [0|1] : 0 System Log Size (0-256) KBytes : 0 Main Thread Number [0|1] : 0 Boot :e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_ker nel d=1 p=0 *** Press any key to stop auto run (1 seconds) *** Auto run second count down: 0 Boot from slave system! SIGN CHK ALWAYLYS. get bootflag = 2 check tag at block 6 crc ok Check Image Crc Success I have find vmlinux.lz at block 291 I have get vmlinux.lz size at block 304 Decompression OK! Entry at 0x800146c0 Closing network. Disabling Switch ports. Flushing Receive Buffers... 0 buffers found. Closing DMA Channels. Starting program at 0x800146c0 Linux version 2.6.30 (sunhongyong@X3755-vhg) (gcc version 4.4.2 (Buildroot 2010. 02-git) ) #7 SMP PREEMPT Wed Apr 2 11:25:47 CST 2014 ======== nand_flash_init ======= NAND flash device id 98d1 is not supported. Init Flash Error iReturn = -1 63268hg622b prom init CPU revision is: 0002a080 (Broadcom4350) DSL SDRAM reserved: 0x132000 Determined physical RAM map: memory: 03ece000 @ 00000000 (usable) Zone PFN ranges: DMA 0x00000000 -> 0x00001000 Normal 0x00001000 -> 0x00003ece Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000000 -> 0x00003ece On node 0 totalpages: 16078 free_area_init_node: node 0, pgdat 804b2c70, node_mem_map 81000000 DMA zone: 32 pages used for memmap DMA zone: 0 pages reserved DMA zone: 4064 pages, LIFO batch:0 Normal zone: 94 pages used for memmap Normal zone: 11888 pages, LIFO batch:1 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 15952 Kernel command line: root=mtd:rootfs ro rootfstype=jffs2 console=ttyS0,115200 wait instruction: enabled Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes. Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes NR_IRQS:128 PID hash table entries: 256 (order: 8, 1024 bytes) console [ttyS0] enabled Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) Memory: 58028k/64312k available (3735k kernel code, 6264k reserved, 1030k data, 168k init, 0k highmem) Calibrating delay loop... 399.36 BogoMIPS (lpj=199680) Mount-cache hash table entries: 512 --Kernel Config-- SMP=1 PREEMPT=1 DEBUG_SPINLOCK=0 DEBUG_MUTEXES=0 Broadcom Logger v0.1 Apr 2 2014 11:00:39 CPU revision is: 0002a080 (Broadcom4350) Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes. Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes Calibrating delay loop... 402.43 BogoMIPS (lpj=201216) Brought up 2 CPUs net_namespace: 1152 bytes bhal: bhalInit entry NET: Registered protocol family 16 Internal 1P2 VREG is forced to remain enabled registering PCI controller with io_map_base unset registering PCI controller with io_map_base unset bio: create slab <bio-0> at 0 SCSI subsystem initialized usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb pci 0000:00:00.0: reg 10 32bit mmio: [0x10004000-0x10013fff] pci 0000:00:00.0: reg 30 32bit mmio: [0x000000-0x0007ff] pci 0000:00:00.0: supports D1 D2 pci 0000:00:00.0: PME# supported from D0 D3hot D3cold pci 0000:00:00.0: PME# disabled pci 0000:00:09.0: reg 10 32bit mmio: [0x10002600-0x100026ff] pci 0000:00:0a.0: reg 10 32bit mmio: [0x10002500-0x100025ff] pci 0000:01:00.0: PME# supported from D0 D3hot pci 0000:01:00.0: PME# disabled pci 0000:01:00.0: PCI bridge, secondary bus 0000:02 pci 0000:01:00.0: IO window: disabled pci 0000:01:00.0: MEM window: disabled pci 0000:01:00.0: PREFETCH window: disabled PCI: Setting latency timer of device 0000:01:00.0 to 64 BLOG v3.0 Initialized BLOG Rule v1.0 Initialized Broadcom IQoS v0.1 Apr 2 2014 11:06:33 initialized Broadcom GBPM v0.1 Apr 2 2014 11:06:33 initialized NET: Registered protocol family 8 NET: Registered protocol family 20 NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 2048 (order: 2, 16384 bytes) TCP bind hash table entries: 2048 (order: 2, 16384 bytes) TCP: Hash tables configured (established 2048 bind 2048) TCP reno registered NET: Registered protocol family 1 JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc. fuse init (API version 7.11) msgmni has been set to 113 io scheduler noop registered (default) PCI: Setting latency timer of device 0000:01:00.0 to 64 Driver 'sd' needs updating - please use bus_type methods PPP generic driver version 2.4.2 NET: Registered protocol family 24 IMQ driver loaded successfully. Hooking IMQ after NAT on PREROUTING. Hooking IMQ before NAT on POSTROUTING. Broadcom DSL NAND controller (128MB @00000000 brcmnand_scan: Done brcmnand_probe brcmnand_scan: B4 nand_select = 40000001 brcmnand_scan: After nand_select = 40000001 100 CS=0, chip->ctrl->CS[0]=0 ECC level 15, threshold at 1 bits reqEccLevel=1, eccLevel=15 190 eccLevel=15, chip->ecclevel=15, acc=f7ff1010 brcmnand_scan 10 200 CS=0, chip->ctrl->CS[0]=0 200 chip->ecclevel=15, acc=f7ff1010 page_shift=11, bbt_erase_shift=17, chip_shift=27, phys_erase_shift=17 brcmnand_scan 220 Brcm NAND controller version = 4.0 NAND flash size 128MB @18000000 brcmnand_scan 230 brcmnand_scan 40, mtd->oobsize=64, chip->ecclayout=00000000 brcmnand_scan 42, mtd->oobsize=64, chip->ecclevel=15, isMLC=0, chip->cellinfo=0 ECC layout=brcmnand_oob_bch4_4k brcmnand_scan: mtd->oobsize=64 brcmnand_scan: oobavail=50, eccsize=512, writesize=2048 brcmnand_scan, eccsize=512, writesize=2048, eccsteps=4, ecclevel=15, eccbytes=3 300 CS=0, chip->ctrl->CS[0]=0 500 chip=83a5f190, CS=0, chip->ctrl->CS[0]=0 -->brcmnand_default_bbt brcmnand_default_bbt: bbt_td = bbt_main_descr Bad block table Bbt0 found at page 0000ffc0, version 0x01 for chip on CS0 Bad block table 1tbB found at page 0000ff80, version 0x01 for chip on CS0 brcmnandCET: Status -> Deferred brcmnand_scan 99 Boot from slave system! iBlkStart 123 =======iBlkStart:292======= Creating 3 MTD partitions on "brcmnand.0": 0x000002460000-0x000004760000 : "rootfs" 0x000000160000-0x000002460000 : "rootfsbak" 0x0000070a0000-0x000007dc0000 : "config" ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver PCI: Enabling device 0000:00:0a.0 (0000 -> 0002) PCI: Setting latency timer of device 0000:00:0a.0 to 64 ehci_hcd 0000:00:0a.0: EHCI Host Controller ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1 ehci_hcd 0000:00:0a.0: Enabling legacy PCI PM ehci_hcd 0000:00:0a.0: irq 18, io mem 0x10002500 ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00 usb usb1: configuration #1 chosen from 1 choice hub 1-0:1.0: USB hub found hub 1-0:1.0: 2 ports detected ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver PCI: Enabling device 0000:00:09.0 (0000 -> 0002) PCI: Setting latency timer of device 0000:00:09.0 to 64 ohci_hcd 0000:00:09.0: OHCI Host Controller ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2 ohci_hcd 0000:00:09.0: irq 17, io mem 0x10002600 usb usb2: configuration #1 chosen from 1 choice hub 2-0:1.0: USB hub found hub 2-0:1.0: 2 ports detected usbcore: registered new interface driver usblp Initializing USB Mass Storage driver... usbcore: registered new interface driver usb-storage USB Mass Storage support registered. usbcore: registered new interface driver usbserial USB Serial support registered for generic usbcore: registered new interface driver usbserial_generic usbserial: USB Serial Driver core usbcore: registered new interface driver usbtest MoniterInit entry Serial: BCM63XX driver $Revision: 3.00 $ ttyS0 at MMIO 0xb0000180 (irq = 13) is a BCM63XX ttyS1 at MMIO 0xb00001a0 (irq = 42) is a BCM63XX adsl: adsl_init entry bcmxtmcfg: bcmxtmcfg_init entry bcmxtmrt: Broadcom BCM3168D0 ATM/PTM Network Device v0.4 Apr 2 2014 11:05:36 bcmPktDma_init: Broadcom Packet DMA Library initialized Total # RxBds=1448 bcmPktDmaBds_init: Broadcom Packet DMA BDs initialized GACT probability NOT on Mirror/redirect action on u32 classifier input device check on Actions configured Netfilter messages via NETLINK v0.30. nf_conntrack version 0.5.0 (1004 buckets, 4016 max) xt_time: kernel timezone is -0000 nf_nat_pt: no ports specified ip_tables: (C) 2000-2006 Netfilter Core Team TCP cubic registered Initializing XFRM netlink socket NET: Registered protocol family 10 ip6_tables: (C) 2000-2006 Netfilter Core Team IPv6 over IPv4 tunneling driver NET: Registered protocol family 17 NET: Registered protocol family 15 Ebtables v2.0 registered ebt_time registered ebt_ftos registered ebt_wmm_mark registered 802.1Q VLAN Support v1.8 Ben Greear <[email protected]> All bugs added by David S. Miller <[email protected]> VFS: Mounted root (jffs2 filesystem) readonly on device 31:0. Freeing unused kernel memory: 168k freed =file:drivers/usb/core/hub.c,line:3274,func:hub_events=eventCounts=1= init started: BusyBox vv1.9.1 (2014-04-02 11:18:48 CST) starting pid 265, tty '': '/etc/init.d/rcS' RCS DONE starting pid 267, tty '': '/bin/sh' BusyBox vv1.9.1 (2014-04-02 11:18:48 CST) built-in shell (ash) Enter 'help' for a list of built-in commands. -/bin/sh: usbdiagd: not found Loading drivers and kernel modules... bcm_ingqos: module license 'Proprietary' taints kernel. Disabling lock debugging due to kernel taint Broadcom Ingress QoS Module Char Driver v0.1 Apr 2 2014 11:04:45 Registered<243> Broadcom Ingress QoS ver 0.1 initialized BPM: tot_mem_size=67108864B (64MB), buf_mem_size=6710886B (6MB), num of buffers=3201, buf siz e=2096 Broadcom BPM Module Char Driver v0.1 Apr 2 2014 11:04:44 Registered<244> [NTC bpm] bpm_set_status: BPM status : enabled NBUFF v1.0 Initialized Initialized fcache state Broadcom Packet Flow Cache Char Driver v2.2 Apr 2 2014 11:04:43 Registered<242> Created Proc FS /procfs/fcache Broadcom Packet Flow Cache registered with netdev chain Broadcom Packet Flow Cache learning via BLOG enabled. Constructed Broadcom Packet Flow Cache v2.2 Apr 2 2014 11:04:43 chipId 0x631680D0 Broadcom Forwarding Assist Processor (FAP) Char Driver v0.1 Apr 2 2014 11:04:47 Registered < 241> FAP Debug values at 0x00000010 0x00000010 Enabling SMISBUS PHYS_FAP_BASE[0] is 0x10c01000 FAP Soft Reset Done 4ke Reset Done Enabling SMISBUS PHYS_FAP_BASE[1] is 0x10c01000 FAP Soft Reset Done 4ke Reset Done Allocated FAP0 GSO Buffers (0xA2F1D124) : 1048576 bytes @ 0xA2800000 Allocated FAP1 GSO Buffers (0xA2F9D124) : 1048576 bytes @ 0xA2900000 [NTC fapProto] fapReset : Reset FAP Protocol layer [FAP0] DSPRAM : stack <0x80000000><1024>, global <0x80000400><7096>, free <72>, total<8192> [FAP1] DSPRAM : stack <0x80000000><1024>, global <0x80000400><7096>, free <72>, total<8192> [FAP0] PSM : addr<0x80002000>, used <24560>, free <16>, total <24576> [FAP1] PSM : addr<0x80002000>, used <24560>, free <16>, total <24576> [FAP0] Flows supported: 237 (dsp 60, psm 75, qsm 102) [FAP1] Flows supported: 237 (dsp 60, psm 75, qsm 102) [FAP0] DQM : availableMemory 14188 bytes, nextByteAddress 0xE0010894 [FAP1] DQM : availableMemory 14188 bytes, nextByteAddress 0xE0010894 [FAP0] GSO Buffer set to 0xA2800000 [FAP1] GSO Buffer set to 0xA2900000 [FAP0] FAP BPM Initialized. [FAP1] FAP BPM Initialized. bcmPktDma_bind: FAP Driver binding successfull Broadcom BCM63168D0 Ethernet Network Device v0.1 Apr 2 2014 11:04:36 fapDrv_psmAlloc: fapIdx=0, size: 4000, offset=b08206f0 bytes remaining 7008 ETH Init: Ch:0 - 200 tx BDs at 0xb08206f0 fapDrv_psmAlloc: fapIdx=1, size: 4000, offset=b0a206f0 bytes remaining 7008 ETH Init: Ch:1 - 200 tx BDs at 0xb0a206f0 fapDrv_psmAlloc: wastage 8 bytes fapDrv_psmAlloc: fapIdx=0, size: 4808, offset=b0821690 bytes remaining 2192 ETH Init: Ch:0 - 600 rx BDs at 0xb0821690 fapDrv_psmAlloc: wastage 8 bytes fapDrv_psmAlloc: fapIdx=1, size: 4808, offset=b0a21690 bytes remaining 2192 ETH Init: Ch:1 - 600 rx BDs at 0xb0a21690 eth0.3: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent} eth0.5: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent} eth0.4: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent} eth0.2: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent} nas0: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent} =file:drivers/usb/core/hub.c,line:3274,func:hub_events=eventCounts=2= --SMP support wl: dsl_tx_pkt_flush_len=338 wl: high_wmark_tot=2080 PCI: Setting latency timer of device 0000:00:00.0 to 64 wl: passivemode=1 wl: napimode=0 wl0: allocskbmode=1 currallocskbsz=512 otp_read_pci: bad crc Neither SPROM nor OTP has valid image wl:srom/otp not programmed, using main memory mapped srom info(wombo board) wl:loading /etc/wlan/bcm6362_vars.bin Failed to open srom image from '/etc/wlan/bcm6362_vars.bin'. wl:loading /etc/wlan/bcm6362_map.bin wl0: Broadcom BCM435f 802.11 Wireless Controller 5.100.138.2001.cpe.L.3 p8021ag: p8021ag_init entry IRQ 8/BCM WATCHDOG: IRQF_DISABLED is not guaranteed on shared IRQs BCM Hardware Watchdog Timer for BCM96361 USB Serial support registered for GSM modem (1-port) usbcore: registered new interface driver option option: v0.7.2:USB Driver for GSM modems Start mic now ... magic number is 3e 00 65 b0. Read from flash ok. *****Start cfmUpgradeUpdateCfg()!***** *****No need update config[2]***** load cfm ok. start log proc... ifconfig: SIOCSIFNETMASK: Cannot assign requested address br0: starting userspace STP failed, starting kernel STP add group failed: Operation not supported set group 0 mac learning disable in br0 failed: Operation not supported BcmAdsl_Initialize=0x80232A70, g_pFnNotifyCallback=0x804A6694 lmemhdr[2]=0x100CE000, pAdslLMem[2]=0x100CE000 pSdramPHY=0xA3FFFFF8, 0x6FECFDAF 0x65BBFE4D *** XfaceOffset: 0x5FF90 => 0x5FF90 *** *** PhySdramSize got adjusted: 0xD9E68 => 0x110570 *** AdslCoreSharedMemInit: shareMemAvailable=137840 AdslCoreHwReset: pLocSbSta=82b88000 bkupThreshold=3072 AdslCoreHwReset: AdslOemDataAddr = 0xA3F9AC2C fapDrv_psmAlloc: fapIdx=1, size: 1600, offset=b0a22960 bytes remaining 592 XTM Init: Ch:0 - 200 rx BDs at 0xb0a22960 fapDrv_psmAlloc: fapIdx=1, size: 128, offset=b0a22fa0 bytes remaining 464 XTM Init: Ch:1 - 16 rx BDs at 0xb0a22fa0 Success ARL table flush done Success Read Prsite on! atp: cur kernel version:[2.6.30] device eth0.2 entered promiscuous mode device eth0.3 entered promiscuous mode device eth0.4 entered promiscuous mode device eth0.5 entered promiscuous mode ADDRCONF(NETDEV_UP): eth0.2: link is not ready ADDRCONF(NETDEV_UP): eth0.3: link is not ready ADDRCONF(NETDEV_UP): eth0.4: link is not ready ADDRCONF(NETDEV_UP): eth0.5: link is not ready device eth0 is not a slave of br0 arp uses obsolete (PF_INET,SOCK_PACKET) bcmPktDma_init: Broadcom Packet DMA Library initialized ------------------------------- -----Welcome to ATP Cli------ ------------------------------- Login: The console is prohibited! Login: The console is prohibited!

Back in line 62, there is a 1 second countdown to press any key and enter an admin menu. I’m unsure what this does yet, as it looks like it could break things.

Once the router has booted up, any attempt to login results in the message “The console is prohibited!”. Oh well, I’ll need to look into another way to get root privileges on the device.

There are a number of useful pieces of information in the serial log though – Line 103 indicates the serial interface (or another interface is) is ttyS0. This is very useful as it means a blind attack could (potentially) output it’s result to /dev/ttys0

2 Comments

Dermot McDonnell says:

22 July 2014 at 6:52 am

The 1s countdown allows access to the BCM bootloader. Various commands are available.

Abs says:

7 January 2023 at 12:53 am

My router just stops at “Closing DMA channels”, I’m wondering why it hangs here. My guess is that perhaps the newer models have removed a full trace to the TX?
Im still entirely unsure.

john.geek.nz

38911 Basic Bytes Free

Huawei HG630B. Connecting to the UART

About the Author: John

2 Comments

Leave a Reply Cancel reply

You May Also Like

Solar heated Spa Pool (hot tub)

Beer Fridge Repairs

About the Author: John

2 Comments

Leave a Reply Cancel reply