SX541 WLAN dsl

[SX541 backside]

Tech Specs:


I was quite sure the SX541 runs Linux. Because of this...

$ unzip -p sx541-b-fw1_56_6.bin | strings | grep -i 'linux.........'
warning [sx541-b-fw1_56_6.bin]:  197632 extra bytes at beginning or within zipfile
  (attempting to process anyway)
Linux WLAN AP user mode driver starting...
Linux WLAN AP user mode driver exits !
 1. Telnet or RS232 terminal type : VT100, Win 95/98, Linux with arrow key
  Please send a copy of this message to <>
if (checkIt('linux')) browserDetectOS = "Linux";
if (checkIt('linux')) browserDetectOS = "Linux";

If i do know how to costumize the firmware or hack the device i'll post it here.

It seems this unit has some in common with the SMC 7804WBRA. Read more about it here.

You could extract the filesystem and the kernel image like this:

$ perl -e '$h="PK\x03\x04"; undef $/; (undef, @f)=split($h,<>); for(@f){ $i++; open F, ">fw$";
print F "$h$_" }' sx541-b-fw1_56_6.bin
$ unzip
$ unzip
The files of interest are now:
pfs.img     978080 byte ramdisk image of the www folder
soho.bin   3785472 byte kernel image?
both with date 26 Nov 12:21 
The pfs image could be accessed with PFSEditor.exe from IronCodeds site. (also look at this japanese page where you can find what seems to be the source code of PFSEditor).

Or extract it with this litle c program and this commandlines:

$ ./a.out pfs.img|sed 1d|sed -n -e '/ .*\/.*$/p'|awk '{print $4}'|sed -e 's/\/[^/]*$//'|sort -u|xargs mkdir -p 
$ ./a.out pfs.img >pfs.txt
$ ./a.out pfs.img|sed 1d|sed -n -e '/ .*\/.*$/p'|awk '{print $4}'|sed -e 's/\/[^/]*$//'|sort -u|xargs chmod -R =Xr
The filesystem contains no executables. Just webpages and images. There is a cgi-bin directory whith a lot of zero sized files in it. I assume this is one executable hardlinked to many names.

Now soho.bin needs further investigation.

But now I think it's RTOS (Supertask!) that drives this box.

Jocky Wilson (alias JOCKYW2001) has discribed how to get a serial console on the SX541 and how to run your own code on this little box.

And he has posted the bootlog.

TI ADSL AR7300 Loader 0.67.3 build Sep 15 2004 17:03:49 
Broad Net Technology, INC. 
Flash not found 

Copying boot params.....DONE 

Press any key to enter command mode ... 
Flash Checking Passed. 

Unzipping web at 0x94f30000 ... done 
Unzipping code at 0x94000000 ... done 
In C_Entry() function ... 
sys_irq_init() ... 
Reset USB and VP140 module ... 
##### _ftext = 0x94000000 
##### _fdata = 0x94345120 
##### __bss_start = 0x9439C300 
##### end = 0x9545847C 
##### Backup Data from 0x94345120 to 0x9547847C~0x954CF65C len 356832 
[INIT] System Log Pool startup ... 
[INIT] MTinitialize .. 
userclk_init() ... 
Runtime code version: 1.56 
System startup... 
[INIT] Memory COLOR 0, 1500000 bytes .. 
[INIT] Memory COLOR 1, 600000 bytes .. 
[INIT] Memory COLOR 2, 1900000 bytes .. 

manu_id=004A chip_id=2249 
ES29LV160D bottom boot 16-bit mode found 
Set flash memory layout to Boot Parameters found !!! 
Bootcode version: 0.67.3 
Serial number: A448012289 
Hardware version: 01 
sizeof(struct III_Config_t) is 82376 

manu_id=004A chip_id=2249 
ES29LV160D bottom boot 16-bit mode found 
!!! Invalid wireless channel range 0 ~ 0 
!!! Use default value 1 ~ 13 
default route: 
NUM_OF_B0=0 NUM_OF_B1=1200 
BUF_POOL0_SZ=0 BUF_POOL1_SZ=2304000 
*BUF0=0x94c7506c *BUF1=0x94a4285c 
Altgn *BUF0=0x94c75070 *BUF1=0x94a42860 
End at BUF0:0x94c75070, BUF1:0x94c75060 

BUF0[0]=0x94c75070 BUF1[0]=0x94a42860 

buffer0 pointer init OK! 
buffer1 pointer init OK! 
[qm_lnk_init] CLOCKHZ=1000 ... 
time = 08/01/2003, 00:00:00 
TRAP(linkUp) : send ok! 
Interface 0 ip = 

MAC Address: 00:01:e3:50:98:dd 
Memory request 2072 left 297928 ptr 9443F074 
Call tn7sar_malloc_dma_xfer() addr:B443F074 size:2072 
MAC1 [RX=128 TX=1]: TI External PHY 
time = 08/01/2003, 00:00:00 
TRAP(linkUp) : send ok! 
Interface 1 ip = 

ruleCheck()> Group: 0, Error: Useless rule index will be truncated 
ruleCheck()> Group: 1, Error: Useless rule index will be truncated 
ruleCheck()> Group: 2, Error: Useless rule index will be truncated 
CBAC rule format check succeed !! 
reqCBACBuf()> init match pool, Have: 1000 
Memory Address: 0x950c31e8 ~ 0x950c9f64 
reqCBACBuf()> init timeGap pool, Have: 10000 
Memory Address: 0x950c9f64 ~ 0x950facb8 
reqCBACBuf()> init sameHost pool, Have: 2000 
Memory Address: 0x950facb8 ~ 0x9510a6d8 
CBAC rule pool initialized !! 
[initClsfy] clsfy_local_if_mask=0xf00007 
[initClsfy] clsfy_localorVPN_if_mask=0xf00007 
Init NAT data structure 
RUNTASK id=2 if_task if0... 
RUNTASK id=3 if_task if1... 
RUNTASK id=4 timer_task...
RUNTASK id=5 conn_mgr...
RUNTASK id=6 main_8021x...
RUNTASK id=7 UsbSysInitTask ...
RUNTASK id=8 period_task...

========== ADSL Modem initialization OK ! ======

RUNTASK id=9 telnetd_main...
Unzipping from B0040000 to 95EF0000 ... done
Uncompressed size = 978080
drive start addr[0]=95ef0000, [1]=95fdeca0
[HTTPD] flash_init: failed!!
httpd: listen at
RUNTASK httpd...
RUNTASK id=12 dnsproxy...
RUNTASK id=13 snmp_task...
RUNTASK id=14 rip...
RUNTASK id=15 ripout...
UPnP is enabled
UPNP Device initialize success! slot=16
Starting Multitask...
I did an nmap run against the box.
$ NMAPDIR=. sudo ./nmap -v -O

Starting nmap 3.81 ( ) at 2005-05-01 17:40 CEST
Initiating SYN Stealth Scan against  ( [1663 ports] at 17:40
Discovered open port 80/tcp on
Discovered open port 139/tcp on
Discovered open port 8081/tcp on
Discovered open port 515/tcp on
The SYN Stealth Scan took 4.51s to scan 1663 total ports.
For OSScan assuming port 80 is open, 1 is closed, and neither are firewalled
Host  ( appears to be up ... good.
Interesting ports on  (
(The 1659 ports scanned but not shown below are in state: closed)
80/tcp   open  http
139/tcp  open  netbios-ssn
515/tcp  open  printer
8081/tcp open  blackice-icecap
MAC Address: 00:01:E3:50:72:D1 (Siemens AG)
Device type: WAP
Running: SMC embedded
OS details: SMC Barricade DSL Router/Modem/Wireless AP
TCP Sequence Prediction: Class=trivial time dependency
                         Difficulty=4 (Trivial joke)
IPID Sequence Generation: Incremental

Nmap finished: 1 IP address (1 host up) scanned in 8.255 seconds
               Raw packets sent: 1683 (67.6KB) | Rcvd: 1677 (67.1KB)
Michael Fuckner (molli123) has found out that you can configure the SX541 via telneting to port 8081 (Username: root, Password: is your router password).

The telnet interface looks like this:

$ telnet 8081
Connected to .
Escape character is '^]'.

User Name : root
User Password : ****************

 Telnet Manager Version 1.63

Type ? for Command-Sensitive Help, TAB match command

ROOT :> ?

  system <more...>      Generic system parameter configuration
  interface <more...>   Interface parameter configuration
  wLAN <more...>        Wireless LAN configuration
  bridge <more...>      Transparent bridging parameter configuration
  vc <1~8> <more...>    ATM virtual circuit parameter configuration
  ppp <more...>         PPP parameter configuration
  dial <1~20> <more...> Dial-out parameter configuration
  ip_share <more...>    NAT parameter configuration
  firewall-func <more...>
                        Enable disable firewall functions
  access-list <more...> Access list rules manager
  inspect <more...>     Inspection threshold and rules manager
  route <more...>       Routing parameter configuration
  dhcp <more...>        DHCP parameter configuration
  dns <more...>         DNS proxy parameter configuration
  snmp <more...>        SNMP parameter configuration
  tftp <ip> <file>      Default TFTP parameter configuration
  mail <more...>        Mail parameter configuration
  chuser <more...>      Configuration parameters and user access control
  upnp <Disable|Enable> Enable or disable Universal Plug and Play
  voip_sip <more...>    Configure VoIP_SIP parameter
  show <more...>        Showing system configuration
  monitor <more...>     Monitor system running status
  upgrade <more...>     Upgrade system firmware to new version
  backup <more...>      Backup system configuration file
  passwd [username] [old_pass] [new_pass]
                        Change user password
  default_reset <CR>    Reset system configuration to default status
  write [reboot|exit]   Write configuration and restart system
  reboot <CR>           Restart system and activate new system configuration
  enable <CR>           Enable configuration mode
  su <password>         Change to super user(root) mode
  ping <ip|domain> [1~65534|-t] [1~1999]
                        Ping test
  tracert <ip|domain> [option1] [option2]
                        Trace route utility
  exit <CR>             Disable privilege command or disconnect

GO GET IT HERE! - sorry nur mit DSL Vertrag bei Freenet.