Tech Specs:
- Texas Instruments AR7300 MIPS CPU in little endian mode (soho.bin loads at 0x94000000) (thanks to Sprejz for mailing me this information)
- 802.11b/g WLAN (Texas Instruments TNETW1130 on miniPCI card)
- Fast Ethernet Switch (Marvell Link Street 88E6060)
- VoIP Chip (Voicepump VP101)
- USB 1.1
- some ADSL solution (which?)
- 2MB FLASH ROM (Excel Semiconductor ES29LV160D)
- 256Mbit (32MB) 133MHz SDRAM (Hynix Semiconductor HY57V561620CT-H); the boot log below places the highest used address (drive start 0x95fdeca0) inside a 32MB window above 0x94000000
Downloads:
- Description: Gigaset SX541 WLAN dsl
- Data sheet (Gigaset_SX541_Steckbrief_V1_1.pdf)
- User manual (A31008-M1025-B110-1-19.pdf)
- Firmware Binary (sx541-b-fw1_56_6.bin, Gigaset_SX541_WLAN_dsl_FW163.exe)
- Internal Photo (front [481k], back [421k])
I was quite sure the SX541 runs Linux, because of this:
$ unzip -p sx541-b-fw1_56_6.bin | strings | grep -i 'linux.........'
warning [sx541-b-fw1_56_6.bin]: 197632 extra bytes at beginning or within zipfile
(attempting to process anyway)
Linux WLAN AP user mode driver starting...
Linux WLAN AP user mode driver exits !
1. Telnet or RS232 terminal type : VT100, Win 95/98, Linux with arrow key
Please send a copy of this message to <linux-usb-devel@lists.sourceforge.net>
if (checkIt('linux')) browserDetectOS = "Linux";
if (checkIt('linux')) browserDetectOS = "Linux";
If I find out how to customize the firmware or hack the device I'll post it here.
It seems this unit has some things in common with the SMC 7804WBRA. Read more about it here.
You can extract the filesystem and the kernel image like this (the one-liner splits at every PK\x03\x04 local file header, so it only yields whole archives when each embedded archive holds a single member, which is the case here):
$ perl -e '$h="PK\x03\x04"; undef $/; (undef, @f)=split($h,<>); for(@f){ $i++; open F, ">fw$i.zip"; print F "$h$_" }' sx541-b-fw1_56_6.bin
$ unzip fw1.zip
$ unzip fw2.zip
The files of interest are now:
- pfs.img  978080 bytes, ramdisk image of the www folder (the boot log below reports "Uncompressed size = 978080" when it unzips the web part, which matches exactly)
- soho.bin  3785472 bytes, kernel image?
both with date 26 Nov 12:21
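The same carving step in Python, as an added example that is not part of the original page and not the perl one-liner above: it locates each embedded archive from its end-of-central-directory record instead of splitting at every PK\x03\x04, so it also works when an archive holds several members, and it reports how many bytes sit in front of each archive (the figure unzip prints as "extra bytes at beginning"). The firmware blob it runs on is constructed inline; the member names soho.bin and www/pfs.img are taken from the page, their contents are made up.

```python
"""Carve the ZIP archives embedded in a firmware image (added example, not the
page's own tooling).  Each archive is found from its end-of-central-directory
(EOCD) record, which stores the size of the central directory and its offset
relative to the archive start; that is also how unzip computes the "N extra
bytes at beginning" it warns about.  The sample blob is constructed here."""
import io
import struct
import sys
import zipfile

CDH_SIG = b"PK\x01\x02"   # central directory file header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record (22 bytes + comment)


def carve_zips(blob):
    """Return [(start, end)] for every complete (non-ZIP64) archive in blob."""
    found = []
    pos = 0
    while (eocd := blob.find(EOCD_SIG, pos)) != -1:
        if eocd + 22 > len(blob):
            break  # truncated record
        _, _, _, _, cd_size, cd_offset, comment_len = struct.unpack_from(
            "<HHHHIIH", blob, eocd + 4)
        cd_start = eocd - cd_size        # where the central directory really is
        start = cd_start - cd_offset     # archive start as the writer saw it
        # The signature can occur inside compressed data; accept the record only
        # if a central directory header really sits where it says.
        if cd_start < 0 or start < 0 or blob[cd_start:cd_start + 4] != CDH_SIG:
            pos = eocd + 4
            continue
        end = eocd + 22 + comment_len
        found.append((start, end))
        pos = end
    return found


def describe_archives(blob):
    """(start, bytes skipped before it, [(name, size)], first bad member) per archive."""
    report = []
    prev_end = 0
    for start, end in carve_zips(blob):
        with zipfile.ZipFile(io.BytesIO(blob[start:end])) as zf:
            members = [(zi.filename, zi.file_size) for zi in zf.infolist()]
            bad = zf.testzip()  # None if every member's CRC checks out
        report.append((start, start - prev_end, members, bad))
        prev_end = end
    return report


def write_archives(blob, prefix="fw"):
    """Write the carved archives as fw1.zip, fw2.zip, ... and return the names."""
    names = []
    for i, (start, end) in enumerate(carve_zips(blob), 1):
        name = f"{prefix}{i}.zip"
        with open(name, "wb") as f:
            f.write(blob[start:end])
        names.append(name)
    return names


def _build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-in for sx541-b-fw1_56_6.bin: 256 bytes of "boot loader"
# in front, two single-member archives back to back, then 64 bytes of padding.
SAMPLE_FIRMWARE = (
    b"BOOT" * 64
    + _build_zip([("soho.bin", b"\x00" * 4096 + b"Linux WLAN AP user mode driver starting...")])
    + _build_zip([("www/pfs.img", b"PFS\x00" + b"www/index.html\x00" * 64)])
    + b"\xff" * 64
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FIRMWARE
    for start, skipped, members, bad in describe_archives(data):
        print(f"archive at 0x{start:08x}, {skipped} bytes skipped before it"
              + (f", CRC error in {bad}" if bad else ""))
        for name, size in members:
            print(f"  {name:20} {size} bytes")
```

Run it on the real image with `python3 carve.py sx541-b-fw1_56_6.bin`; the first archive should report the same 197632 skipped bytes that unzip complained about. The CRC check from testzip() is the cheap way to tell a clean carve from one that cut into compressed data.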
The pfs image can be opened with PFSEditor.exe from IronCoded's site (also look at this Japanese page, where you can find what seems to be the source code of PFSEditor).
Or extract it with this little C program and these command lines:
$ ./a.out pfs.img|sed 1d|sed -n -e '/ .*\/.*$/p'|awk '{print $4}'|sed -e 's/\/[^/]*$//'|sort -u|xargs mkdir -p
$ ./a.out pfs.img >pfs.txt
$ ./a.out pfs.img|sed 1d|sed -n -e '/ .*\/.*$/p'|awk '{print $4}'|sed -e 's/\/[^/]*$//'|sort -u|xargs chmod -R =Xr
The filesystem contains no executables, just web pages and images. There is a cgi-bin directory
with a lot of zero-sized files in it. I assume this is one executable hardlinked to many names.
Now soho.bin needs further investigation.
But by now I think it's an RTOS (SuperTask!) that drives this box.
Jocky Wilson (alias JOCKYW2001) has described how to get a serial console on the SX541 and how to run your own code on this little box. He has also posted the boot log:
===========================================================
TI ADSL AR7300 Loader 0.67.3 build Sep 15 2004 17:03:49
Broad Net Technology, INC.
===========================================================
Flash not found
Copying boot params.....DONE
Press any key to enter command mode ...
Flash Checking Passed.
Unzipping web at 0x94f30000 ... done
Unzipping code at 0x94000000 ... done
In C_Entry() function ...
install_exception
sys_irq_init() ...
Set GPIO Reset USB and VP140 module ...
##### _ftext = 0x94000000
##### _fdata = 0x94345120
##### __bss_start = 0x9439C300
##### end = 0x9545847C
##### Backup Data from 0x94345120 to 0x9547847C~0x954CF65C len 356832
[INIT] System Log Pool startup ...
[INIT] MTinitialize ..
userclk_init() ...
Runtime code version: 1.56
System startup...
[INIT] Memory COLOR 0, 1500000 bytes ..
[INIT] Memory COLOR 1, 600000 bytes ..
[INIT] Memory COLOR 2, 1900000 bytes ..
manu_id=004A chip_id=2249
ES29LV160D bottom boot 16-bit mode found
Set flash memory layout to Boot Parameters found !!!
Bootcode version: 0.67.3
Serial number: A448012289
Hardware version: 01
sizeof(struct III_Config_t) is 82376
manu_id=004A chip_id=2249
ES29LV160D bottom boot 16-bit mode found
!!! Invalid wireless channel range 0 ~ 0 !!! Use default value 1 ~ 13
default route: 0.0.0.0
BufferInit:
BUF_HDR_SZ=48 BUF_ALIGN_SZ=8 BUFFER_OFFSET=112
BUF_BUFSZ0=384 BUF_BUFSZ1=1872
NUM_OF_B0=0 NUM_OF_B1=1200
BUF_POOL0_SZ=0 BUF_POOL1_SZ=2304000
sizeof(BUFFER0)=432,sizeof(BUFFER1)=1920
*BUF0=0x94c7506c *BUF1=0x94a4285c
Altgn *BUF0=0x94c75070 *BUF1=0x94a42860
End at BUF0:0x94c75070, BUF1:0x94c75060
BUF0[0]=0x94c75070 BUF1[0]=0x94a42860
buffer0 pointer init OK!
buffer1 pointer init OK!
[qm_lnk_init] CLOCKHZ=1000 ...
CLOCKHZ=1000
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 0 ip = 127.0.0.1
MAC Address: 00:01:e3:50:98:dd
Memory request 2072 left 297928 ptr 9443F074
Call tn7sar_malloc_dma_xfer() addr:B443F074 size:2072
MAC1 [RX=128 TX=1]: TI External PHY
time = 08/01/2003, 00:00:00
TRAP(linkUp) : send ok!
Interface 1 ip = 192.168.1.100
ruleCheck()> Group: 0, Error: Useless rule index will be truncated
ruleCheck()> Group: 1, Error: Useless rule index will be truncated
ruleCheck()> Group: 2, Error: Useless rule index will be truncated
CBAC rule format check succeed !!
reqCBACBuf()> init match pool, Have: 1000 Memory Address: 0x950c31e8 ~ 0x950c9f64
reqCBACBuf()> init timeGap pool, Have: 10000 Memory Address: 0x950c9f64 ~ 0x950facb8
reqCBACBuf()> init sameHost pool, Have: 2000 Memory Address: 0x950facb8 ~ 0x9510a6d8
CBAC rule pool initialized !!
[initClsfy] clsfy_local_if_mask=0xf00007
[initClsfy] clsfy_localorVPN_if_mask=0xf00007
Init NAT data structure
RUNTASK id=2 if_task if0...
RUNTASK id=3 if_task if1...
RUNTASK id=4 timer_task...
RUNTASK id=5 conn_mgr...
RUNTASK id=6 main_8021x...
RUNTASK id=7 UsbSysInitTask ...
RUNTASK id=8 period_task...
========== ADSL Modem initialization OK ! ======
RUNTASK id=9 telnetd_main...
Unzipping from B0040000 to 95EF0000 ... done
Uncompressed size = 978080
drive start addr[0]=95ef0000, [1]=95fdeca0
[HTTPD] flash_init: failed!!
httpd: listen at 192.168.1.100:80
HTTPD TIMER_RESOURCE:5, FS_RESOURCE:6
RUNTASK httpd...
RUNTASK id=12 dnsproxy...
RUNTASK id=13 snmp_task...
RUNTASK id=14 rip...
RUNTASK id=15 ripout...
UPnP is enabled
UPNP Device initialize success!
slot=16 Starting Multitask...
------------------------------------------------------------
I did an nmap run against the box.
$ NMAPDIR=. sudo ./nmap -v -O 192.168.2.1
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-05-01 17:40 CEST
Initiating SYN Stealth Scan against (192.168.2.1) [1663 ports] at 17:40
Discovered open port 80/tcp on 192.168.2.1
Discovered open port 139/tcp on 192.168.2.1
Discovered open port 8081/tcp on 192.168.2.1
Discovered open port 515/tcp on 192.168.2.1
The SYN Stealth Scan took 4.51s to scan 1663 total ports.
For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
Host (192.168.2.1) appears to be up ... good.
Interesting ports on (192.168.2.1):
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
515/tcp open printer
8081/tcp open blackice-icecap
MAC Address: 00:01:E3:50:72:D1 (Siemens AG)
Device type: WAP
Running: SMC embedded
OS details: SMC Barricade DSL Router/Modem/Wireless AP
TCP Sequence Prediction: Class=trivial time dependency
Difficulty=4 (Trivial joke)
IPID Sequence Generation: Incremental
Nmap finished: 1 IP address (1 host up) scanned in 8.255 seconds
Raw packets sent: 1683 (67.6KB) | Rcvd: 1677 (67.1KB)
Michael Fuckner (molli123) has found out that you can configure the SX541 by telnetting to port 8081 (username: root, password: your router password).
The telnet interface looks like this:
$ telnet 192.168.2.1 8081
Trying 192.168.2.1...
Connected to .
Escape character is '^]'.
User Name : root
User Password : ****************
Telnet Manager Version 1.63
Type ? for Command-Sensitive Help, TAB match command
ROOT :> ?
system <more...> Generic system parameter configuration
interface <more...> Interface parameter configuration
wLAN <more...> Wireless LAN configuration
bridge <more...> Transparent bridging parameter configuration
vc <1~8> <more...> ATM virtual circuit parameter configuration
ppp <more...> PPP parameter configuration
dial <1~20> <more...> Dial-out parameter configuration
ip_share <more...> NAT parameter configuration
firewall-func <more...>
Enable disable firewall functions
access-list <more...> Access list rules manager
inspect <more...> Inspection threshold and rules manager
route <more...> Routing parameter configuration
dhcp <more...> DHCP parameter configuration
dns <more...> DNS proxy parameter configuration
snmp <more...> SNMP parameter configuration
tftp <ip> <file> Default TFTP parameter configuration
mail <more...> Mail parameter configuration
chuser <more...> Configuration parameters and user access control
upnp <Disable|Enable> Enable or disable Universal Plug and Play
voip_sip <more...> Configure VoIP_SIP parameter
show <more...> Showing system configuration
monitor <more...> Monitor system running status
upgrade <more...> Upgrade system firmware to new version
backup <more...> Backup system configuration file
passwd [username] [old_pass] [new_pass]
Change user password
default_reset <CR> Reset system configuration to default status
write [reboot|exit] Write configuration and restart system
reboot <CR> Restart system and activate new system configuration
enable <CR> Enable configuration mode
su <password> Change to super user(root) mode
ping <ip|domain> [1~65534|-t] [1~1999]
Ping test
tracert <ip|domain> [option1] [option2]
Trace route utility
exit <CR> Disable privilege command or disconnect