User Tools

Site Tools


doc:appunti:hardware:technicolor_tg789vac_v2

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
doc:appunti:hardware:technicolor_tg789vac_v2 [2020/03/12 12:41] – [Credits and Web References] niccolodoc:appunti:hardware:technicolor_tg789vac_v2 [2020/03/23 18:52] (current) – [Router Bricked] niccolo
Line 77: Line 77:
 passwd -l tiscali passwd -l tiscali
 </code> </code>
 +
 +===== Router Bricked =====
 +
 +I succeeded in bricking this router, may be after I installed the **openvpn** package, which required the **kmod-tun** one. I mixed packages from different architectures and sources, so probably I got some unworkable mix. It is probable that my customization went into the overlay partition and the boot partition is still good, but unfortunately I don't know any method to clean or format the overlay.
 +
 +I tried some recovery procedures, wihtout success.
 +
 +=== Flash a new firmare via TFTP ===
 +
 +**Power-off**, keep the **reset switch pressed** and **power-on**. This method can be used to start the **bootp** procedure, which indeed can load and flash the stock firmware from a TFTP server. I did that: it seems that the firmware is loaded because the TFTP server logs the activity and I can see the network traffic. But the router did not revive; I think that the overlay partition is still messed and the router cannot boot properly.
 +
 +=== Factory reset ===
 +
 +With the router powered-on and fully booted, **press the reset switch** for 7 seconds or more (someone says 20). The router should erase custom data and restart. Unfortunately this does not work for me, may be because the router is so messed-up, that the reset procedure does not even start.
 +
 +=== Accessing the serial line ===
 +
 +I connected a serial adapter (3.3 v) to the **J5** tag soldering three wires to it. **TX** and **RX** lines correspond to **R327** and **R328** resistors. I connected the three pins to a serial-to-USB adapter using Minicom at **115200 8N1**. The serial console is displayed, but it is in read-only mode, no input is accepted.
 +
 +<code>
 +Technicolor Gateway
 +(c) 2015, All rights reserved
 +
 +Decompressing Bootloader................................
 +Gateway initialization sequence started
 +Boot Loader Version : 2.0.85
 +CPU                 : BCM63168-D0
 +RAM                 : 256MB
 +Flash               : 128MB NAND, blocksize=128KB, pagesize=2048B
 +Board Mnemonic      : VANT-6
 +Market ID           : FFFCExternal switch id = 53125
 +
 +Booting             : Bank 1
 +Magic packet        : 
 +SW Version          : 0.0.0.0.0
 +Starting the Linux kernel
 +
 +[    0.000000] Initializing cgroup subsys cpu
 +[    0.000000] Linux version 3.4.11-rt19 (repowrt-builder@d0b3de64c70c)
 +               (gcc version 4.6.4 (OpenWrt/Linaro GCC 4.6-2013.05 r49389) )
 +               #1 SMP PREEMPT Thu Mar 9 02:28:17 UTC 2017
 +[    0.000000] VANT-6 prom init
 +[    0.000000] CPU revision is: 0002a080 (Broadcom BMIPS4350)
 +</code>
 +
 +=== Forcing a bank switch ===
 +
 +Someone says that this Technicolor router has **two memory banks** to store (flash) the firmware.
 +
 +  * In normal condition, the router boot from bank_1.
 +  * Flashing via **TFTP** will write to **bank_1** only. It will do so even if the active bank is currently bank_2. It will never set bank_1 as active.
 +  * You can see what is the **active bank** by reading **/proc/banktable/active** or by reading **serial console** output during bootstrap.
 +  * Whenever the Gateway **fails to load the firmware image three times** in a row from the active bank, the bootloader will enter Bootfail mode and will try booting from the inactive/passive bank, without setting it as active.
 +  * To **force the switchover** from one bank to the other, you have to run a command like **echo bank_1 > /proc/banktable/active** as root.
 +
 +So I immagine at least two methods to force the router to boot from the other bank:
 +
 +  - Load a bad image via TFTP flashing (e.g. by disconnecting the cable during the upload, or powering the router off during the flash. I did not tried it.
 +  - Force some **memory read errors** during bootstrap. This can be accomplished by connecting the **RE#** line (pin 8) of the TSOP chip to ground for some short times during bootstrap. This was **[[https://www.ilpuntotecnico.com/forum/index.php/topic,77981.msg238958.html#msg238958|reported to work by some users]]**.
 +
 +{{tg789vac_v2_tsop-pinout.jpg?200|TSOP pinout}}
 ===== Credits and Web References ===== ===== Credits and Web References =====
  
Line 82: Line 143:
   * **[[https://alastair.d-silva.org/technicolor-tg789vac-v2-root-access|Technicolor TG789vac V2 Root Access]]**   * **[[https://alastair.d-silva.org/technicolor-tg789vac-v2-root-access|Technicolor TG789vac V2 Root Access]]**
   * **[[https://pietrotti97.com/pagine/router/mod-fw/2018/08/05/AGTOT-FW.html|Firmware per TG789Vac-v2]]**   * **[[https://pietrotti97.com/pagine/router/mod-fw/2018/08/05/AGTOT-FW.html|Firmware per TG789Vac-v2]]**
 +  * **[[https://hack-technicolor.readthedocs.io/en/stable/Repository/|Firmware Repository]]**
 +  * **[[https://hack-technicolor.readthedocs.io/en/stable/Recovery/|Hacking Technicolor Gateways]]**
 +  * **[[https://www.crc.id.au/hacking-the-technicolor-tg799vac-and-unlocking-features/|Hacking the Technicolor TG799vac]]**
 +  * **[[https://www.ilpuntotecnico.com/forum/index.php/topic,77981.msg238958.html#msg238958|TG789vac v2 iiNET/UNO Flash, Sblocco e Modding]]**
doc/appunti/hardware/technicolor_tg789vac_v2.1584013286.txt.gz · Last modified: 2020/03/12 12:41 by niccolo