rigacci.org

User Tools

Site Tools

Trace:
doc:appunti:hardware:technicolor_tg789vac_v2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
Last revisionBoth sides next revision
doc:appunti:hardware:technicolor_tg789vac_v2 [2020/03/18 15:58] – [Router Bircked] niccolodoc:appunti:hardware:technicolor_tg789vac_v2 [2020/03/23 18:31] – [Router Bircked] niccolo
Line 78: Line 78:
 </code> </code>
  
-===== Router Bircked =====+===== Router Bricked =====
  
 I succeeded in bricking this router, may be after I installed the **openvpn** package, which required the **kmod-tun** one. I mixed packages from different architectures and sources, so probably I got some unworkable mix. It is probable that my customization went into the overlay partition and the boot partition is still good, but unfortunately I don't know any method to clean or format the overlay. I succeeded in bricking this router, may be after I installed the **openvpn** package, which required the **kmod-tun** one. I mixed packages from different architectures and sources, so probably I got some unworkable mix. It is probable that my customization went into the overlay partition and the boot partition is still good, but unfortunately I don't know any method to clean or format the overlay.
Line 94: Line 94:
 === Accessing the serial line === === Accessing the serial line ===
  
-tried also to connect a serial adapter to the **J5** tagsoldering three wires to it. **TX** and **RX** lines should correspond to **R327** and **R328** resistors, according to some postsBut did not get any serial signal.+connected a serial adapter (3.3 v) to the **J5** tag soldering three wires to it. **TX** and **RX** lines correspond to **R327** and **R328** resistors. I connected the three pins to a serial-to-USB adapter using Minicom at **115200 8N1**. The serial console is displayed, but it is in read-only mode, no input is accepted. 
 + 
 +<code> 
 +Technicolor Gateway 
 +(c) 2015, All rights reserved 
 + 
 +Decompressing Bootloader................................ 
 +Gateway initialization sequence started 
 +Boot Loader Version : 2.0.85 
 +CPU                 : BCM63168-D0 
 +RAM                 : 256MB 
 +Flash               : 128MB NAND, blocksize=128KB, pagesize=2048B 
 +Board Mnemonic      : VANT-6 
 +Market ID           : FFFCExternal switch id = 53125 
 + 
 +Booting             : Bank 1 
 +Magic packet        :  
 +SW Version          : 0.0.0.0.0 
 +Starting the Linux kernel 
 + 
 +[    0.000000] Initializing cgroup subsys cpu 
 +[    0.000000] Linux version 3.4.11-rt19 (repowrt-builder@d0b3de64c70c) 
 +               (gcc version 4.6.4 (OpenWrt/Linaro GCC 4.67 
 +[    0.000000] VANT-6 prom init 
 +[    0.000000] CPU revision is: 0002a080 (Broadcom BMIPS4350) 
 +</code>
  
 === Forcing a bank switch === === Forcing a bank switch ===
 +
 +Someone says that this Technicolor router has **two memory banks** to store (flash) the firmware.
 +
 +  * In normal condition, the router boot from bank_1.
 +  * Flashing via **TFTP** will write to **bank_1** only. It will do so even if the active bank is currently bank_2. It will never set bank_1 as active.
 +  * You can see what is the **active bank** by reading **/proc/banktable/active** or by reading **serial console** output during bootstrap.
 +  * Whenever the Gateway **fails to load the firmware image three times** in a row from the active bank, the bootloader will enter Bootfail mode and will try booting from the inactive/passive bank, without setting it as active.
 +  * To **force the switchover** from one bank to the other, you have to run a command like **echo bank_1 > /proc/banktable/active** as root.
 +
 +So I immagine at least two methods to force the router to boot from the other bank:
 +
 +  - Load a bad image via TFTP flashing (e.g. by disconnecting the cable during the upload, or powering the router off during the flash. I did not tried it.
 +  - Force some **memory read errors** during bootstrap. This can be accomplished by connecting the **RE#** line (pin 8) of the TSOP chip to ground for some short times during bootstrap. This was **[[https://www.ilpuntotecnico.com/forum/index.php/topic,77981.msg238958.html#msg238958|reported to work by some users]]**.
 +
 +{{tg789vac_v2_tsop-pinout.jpg?200|TSOP pinout}}
 ===== Credits and Web References ===== ===== Credits and Web References =====
  
Line 103: Line 143:
   * **[[https://pietrotti97.com/pagine/router/mod-fw/2018/08/05/AGTOT-FW.html|Firmware per TG789Vac-v2]]**   * **[[https://pietrotti97.com/pagine/router/mod-fw/2018/08/05/AGTOT-FW.html|Firmware per TG789Vac-v2]]**
   * **[[https://hack-technicolor.readthedocs.io/en/stable/Repository/|Firmware Repository]]**   * **[[https://hack-technicolor.readthedocs.io/en/stable/Repository/|Firmware Repository]]**
 +  * **[[https://hack-technicolor.readthedocs.io/en/stable/Recovery/|Hacking Technicolor Gateways]]**
   * **[[https://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/|Hacking the Technicolor TG799vac]]**   * **[[https://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/|Hacking the Technicolor TG799vac]]**
 +  * **[[https://www.ilpuntotecnico.com/forum/index.php/topic,77981.msg238958.html#msg238958|TG789vac v2 iiNET/UNO Flash, Sblocco e Modding]]**
doc/appunti/hardware/technicolor_tg789vac_v2.txt · Last modified: 2020/03/23 18:52 by niccolo