Wednesday, September 7, 2011

Hacking Beetle 220BX / 220BXi ADSL2 Modem

Most routers run either VxWorks or Linux as their OS.

Every embedded board has a serial port used to download and configure the bootloader and firmware image, and this router is no exception.

(The Airtel modem contains a Broadcom BCM6338KFB CPU, i.e. a MIPS32 240 MHz processor.)

220BX: contains 8 MB flash

220BXi: contains 16 MB flash

Steps to run your own custom-compiled kernel on the Airtel 220BX or 220BXi ADSL router.

1. Opening the Router

Remove the 4 screws and locate the jumper header J4, as shown in the figure.

[Figure: location of header J4 on the board]

2. Identifying RX, TX, GND and VCC

VCC is easy to locate: it is the J4 pin that is connected to the + side of an LED.

- Put a multimeter in continuity-tester mode (beep), touch one probe to the + of an LED and the other to each pin of J4 in turn; the pin where the meter beeps is VCC.

- Similarly locate the GND pin of J4.

- Finding RX and TX is trickier. Switch the multimeter to voltage measurement, boot the modem, and hold one probe on GND and the other on each of the two remaining pins in turn. The pin that shows some voltage fluctuation (while the boot messages are being sent) is TX; the other is RX.

The VCC, RX, TX and GND pins marked in the figure are the actual pins on the 220BX and 220BXi.

3. Build an RS-232 level-shifter adapter using a MAX232 or a similar chip (search for a schematic) and connect one end to J4 and the other to the serial port of the computer.

4. Open HyperTerminal or Tera Term and set the baud rate and the other settings as shown.

[Figure: terminal emulator serial port settings]

5. Start the modem

You will see a countdown. If you don't press any key, it boots Linux and starts the ADSL router.

[Figure: CFE countdown on the serial console]

Below is the complete boot-up log capture, showing Linux running.

CFE version 1.0.37-0.7 for BCM96338 (32bit,SP,BE)

Build Date: Wed Dec 7 14:11:44 CST 2005 (root@localhost.localdomain)

Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.

Initializing Devices.

Auto-negotiation timed-out

10 MB Half-Duplex (assumed)

CPU type 0x29010: 240MHz

Total memory used by CFE: 0x80401000 - 0x80522A10 (1186320)

Initialized Data: 0x8041ACB0 - 0x8041C3B0 (5888)

BSS Area: 0x8041C3B0 - 0x80420A10 (18016)

Local Heap: 0x80420A10 - 0x80520A10 (1048576)

Stack Area: 0x80520A10 - 0x80522A10 (8192)

Text (code) segment: 0x80401000 - 0x8041ACA8 (105640)

Boot area (physical): 0x00523000 - 0x00563000

Relocation Factor: I:00000000 - D:00000000

Board IP address : 192.168.1.1:ffffff00

Host IP address : 192.168.1.100

Gateway IP address :

Run from flash/host (f/h) : f

Default host run file name : vmlinux

Default host flash file name : bcm963xx_fs_kernel

Boot delay (0-9 seconds) : 1

Board Id Name : 96338L-2M-8M

Psi size in KB : 24

Number of MAC Addresses (1-32) : 11

Base MAC Address : 00:08:5c:8a:9c:50

Ethernet PHY Type : Internal

Memory size in MB : 8

*** Press any key to stop auto run (1 seconds) ***

Auto run second count down: 110

Code Address: 0x80010000, Entry Address: 0x80175018

Decompression OK!

Entry at 0x80175018

Closing network.

Starting program at 0x80175018

Linux version 2.6.8.1 (root@localhost.localdomain) (gcc version 3.4.2) #1 Wed May 17 18:59:51 CST 2006

Total Flash size: 2048K with 35 sectors

96338L-2M-8M prom init

CPU revision is: 00029010

Determined physical RAM map:

memory: 007a0000 @ 00000000 (usable)

On node 0 totalpages: 1952

DMA zone: 1952 pages, LIFO batch:1

Normal zone: 0 pages, LIFO batch:1

HighMem zone: 0 pages, LIFO batch:1

Built 1 zonelists

Kernel command line: root=31:0 ro noinitrd

brcm mips: enabling icache and dcache...

Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.

Primary data cache 8kB 2-way, linesize 16 bytes.

PID hash table entries: 32 (order 5: 256 bytes)

Using 120.000 MHz high precision timer.

Dentry cache hash table entries: 2048 (order: 1, 8192 bytes)

Inode-cache hash table entries: 1024 (order: 0, 4096 bytes)

Memory: 6076k/7808k available (1244k kernel code, 1712k reserved, 179k data, 68k init, 0k highmem)

Calibrating delay loop... 235.52 BogoMIPS

Mount-cache hash table entries: 512 (order: 0, 4096 bytes)

Checking for 'wait' instruction... unavailable.

NET: Registered protocol family 16

Can't analyze prologue code at 80145acc

PPP generic driver version 2.4.2

NET: Registered protocol family 24

Using noop io scheduler

bcm963xx_mtd driver v1.0

brcmboard: brcm_board_init entry

bcm963xx_serial driver v2.0

NET: Registered protocol family 2

IP: routing cache hash table of 512 buckets, 4Kbytes

TCP: Hash tables configured (established 512 bind 1024)

NET: Registered protocol family 1

NET: Registered protocol family 17

Ebtables v2.0 registered

NET: Registered protocol family 8

NET: Registered protocol family 20

VFS: Mounted root (squashfs filesystem) readonly.

Freeing unused kernel memory: 68k freed

init started: BusyBox v1.00 (2006.05.17-11:08+0000) multi-call binary

Algorithmics/MIPS FPU Emulator v1.5

BusyBox v1.00 (2006.05.17-11:08+0000) Built-in shell (msh)

Enter 'help' for a list of built-in commands.

Loading drivers and kernel modules...

atmapi: module license 'Proprietary' taints kernel.

blaadd: blaa_detect entry

adsl: adsl_init entry

Broadcom BCMPROCFS v1.0 initialized

Broadcom BCM6338A2 Ethernet Network Device v0.3 May 17 2006 18:54:09

Config Internal PHY Through MDIO

BCM63xx_ENET: Auto-negotiation timed-out

BCM63xx_ENET: 10 MB Half-Duplex (assumed)

eth0: MAC Address: 00:08:5C:8A:9C:50

Broadcom BCM6338A2 USB Network Device v0.4 May 17 2006 18:54:15

usb0: MAC Address: 00 08 5C 8A 9C 51

usb0: Host MAC Address: 00 08 5C 8A 9C 52

BcmAdsl_Initialize=0xC00551B8, g_pFnNotifyCallback=0xC0067CB4

AdslCoreHwReset: AdslOemDataAddr = 0xA07E504C

ip_tables: (C) 2000-2002 Netfilter core team

ip_conntrack version 2.1 (61 buckets, 0 max) - 368 bytes per conntrack

==> Bcm963xx Software Version: 3.00L.03.A2pB017l.d15h <==

device usb0 entered promiscuous mode

br0: port 1(usb0) entering learning state

br0: topology change detected, propagating

br0: port 1(usb0) entering forwarding state

device eth0 entered promiscuous mode

br0: port 2(eth0) entering learning state

br0: topology change detected, propagating

br0: port 2(eth0) entering forwarding state

pvc2684d: Interface "nas_0_32" created sucessfully

pvc2684d: Communicating over ATM 0.0.32, encapsulation: LLC

br0: port 2(eth0) entering disabled state

br0: port 1(usb0) entering disabled state
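As an added example (not code from the post), the capture above can be reduced to a firmware inventory and cross-checked: the script below parses the CFE banner and kernel lines for board id, flash and RAM sizes, kernel, BusyBox and firmware versions, and flags proprietary modules that taint the kernel. The sample log is a constructed excerpt of the capture above, and reading the board id 96338L-2M-8M as 2 MB flash / 8 MB RAM is an assumption that agrees with this board's own lines.

```python
import re
# Constructed excerpt of the serial capture above: the CFE banner, kernel,
# BusyBox and firmware-version lines with the filler lines dropped.
SAMPLE_LOG = """\
CFE version 1.0.37-0.7 for BCM96338 (32bit,SP,BE)
Board Id Name                       : 96338L-2M-8M
Base MAC Address                    : 00:08:5c:8a:9c:50
Memory size in MB                   : 8
Linux version 2.6.8.1 (root@localhost.localdomain) (gcc version 3.4.2) #1 Wed May 17 18:59:51 CST 2006
Total Flash size: 2048K with 35 sectors
init started: BusyBox v1.00 (2006.05.17-11:08+0000) multi-call binary
atmapi: module license 'Proprietary' taints kernel.
==> Bcm963xx Software Version: 3.00L.03.A2pB017l.d15h <==
"""

# (regex, inventory key, converter) for the single-valued lines of interest
FIELDS = [
    (r"^CFE version (\S+) for", "cfe_version", str),
    (r"^Board Id Name\s*:\s*(\S+)", "board_id", str),
    (r"^Base MAC Address\s*:\s*(\S+)", "base_mac", str.lower),
    (r"^Memory size in MB\s*:\s*(\d+)", "ram_mb", int),
    (r"^Linux version (\S+)", "kernel", str),
    (r"^Total Flash size: (\d+)K", "flash_kb", int),
    (r"BusyBox v(\S+) ", "busybox", str),
    (r"Software Version: (\S+) <==", "fw_version", str),
]

def parse_boot_log(text):
    """Reduce a raw serial capture to an inventory dict; first occurrence wins."""
    info = {"proprietary_modules": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(\w+): module license 'Proprietary' taints kernel", line)
        if m:
            info["proprietary_modules"].append(m.group(1))
            continue
        for pattern, key, conv in FIELDS:
            m = re.search(pattern, line)
            if m and key not in info:
                info[key] = conv(m.group(1))
    return info

def decode_board_id(board_id):
    """Assumption: Broadcom reference board ids such as 96338L-2M-8M carry the
    flash and SDRAM sizes in MB (this agrees with the board's own log lines)."""
    m = re.match(r"^\d+[A-Z]*-(\d+)M-(\d+)M$", board_id or "")
    return {"flash_mb": int(m.group(1)), "ram_mb": int(m.group(2))} if m else None

def audit(info):
    """Cross-check the inventory; returns a list of findings (empty = consistent)."""
    findings = []
    bid = decode_board_id(info.get("board_id"))
    if bid is None:
        findings.append("board id missing or unparsable (CFE board parameters not set)")
    else:
        if "flash_kb" in info and info["flash_kb"] != bid["flash_mb"] * 1024:
            findings.append("flash size disagrees with board id")
        if "ram_mb" in info and info["ram_mb"] != bid["ram_mb"]:
            findings.append("RAM size disagrees with board id")
    if info["proprietary_modules"]:
        findings.append("kernel tainted by proprietary modules: " + ", ".join(info["proprietary_modules"]))
    return findings
```

Feeding it the second (Siemens-kernel) log further down, where CFE prints "Board id is not set", yields the board-id finding instead.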

6. Log in to the shell

Once the modem has completely booted, pressing Enter shows the login prompt.

Use the default username/password (admin/password), or the one you have set.

Login: admin

Password:

Note: If you have problem with Backspace key, please make sure you configure your terminal emulator settings. For instance, from HyperTerminal you would need to use File->Properties->Setting->Back Space key sends.

Main Menu

1. ADSL Link State

2. LAN

3. WAN

4. DNS Server

5. Route Setup

6. NAT

7. Firewall

8. Quality Of Service

9. Management

10. Passwords

11. Reset to Default

12. Save and Reboot

13. Exit

-> 13

Bye bye. Have a nice day!!!

Use sh to get a BusyBox shell, and use "echo *" to list files and directories (the ls command is not present in Airtel's BusyBox build).

Web page directory

Login: admin

Password:

> sh

BusyBox v1.00 (2006.12.06-10:41+0000) Built-in shell (msh)

Enter 'help' for a list of built-in commands.

# cd we echo *

bin dev etc images lib linuxrc mnt proc sbin usr var webs

# cd webs

# echo *

adslcfg.html adslcfg_en.html adslcfgadv.html adslcfgc.html adslcfgtone.html algcfg.html autoscan.html autoscancancel.html autoscanerr.html backupsettings.html berrun.html berstart.html berstop.html certadd.html certcaimport.html certimport.html certloadsigned.html colors.css colors_1.css ddnsadd.html defaultsettings.html dhcpinfo.html diag.html diagbr.html diagipow.html diaglan.html diagmer.html diagpppoa.html diagpppoe.html dnscfg.html dslinfo_en.html enblbridge.html enblservice.html footer.html footer_en.html index.html info.html info_en.html ipoacfg.html ippcfg.html ipsconfig.html ipsec.html lancfg.html lancfg2.html lancfg2_en.html lancfgbr.html languageprocess.html logconfig.html logintro.html logo.html logo_corp.gif logobkg.gif look.html lookme.html main.html menu.html menuBcm.js menuTitle.js menuTree.js menu_en.html my.js natcfg.html natcfg2.html ntwkprtcl.html ntwksum.html ntwksum2.html password.html password_en.html portName.js portmapadd.html portmapedit.html pppautherr.html pppauthinfo.html pppoe.html pvccfg.html pvccfgerr.html pvcindex.html qoscls.html quicksetuperr.html rebootinfo.html resetrouter.html resetrouter_en.html restoreinfo.html routeadd.html routeremove.html rtdefaultcfg.html rtdefaultcfgerr.html scacccntr.html scdmz.html scinflt.html scintro.html scmacflt.html scmacpolicy.html scoutflt.html scprttrg.html scvrtsrv.html snmpconfig.html sntpcfg.html statsadsl.html statsadslerr.html statsadslreset.html statsatm.html statsatmerr.html statsatmreset.html statsifc.html statsifcreset.html statsvdsl.html statsvdslreset.html statswanreset.html stylemain.css todadd.html tr69cfg.html updatesettings.html upload.html uploadinfo.html util.js vpivci.html vpivcierr.html wanadderr.html wancfg.html

Some pages, such as tr69cfg.html, are hidden: the main web page has no link to them, but you can access them by appending the page name directly to the router IP in the browser.

(TR-069 sets the auto-configuration server address so that Airtel staff can access the modem remotely and debug it.)

7. Accessing the bootloader prompt (CFE bootloader)

Start the modem and press any key during the 1-second countdown.

Press Enter and you will get the CFE prompt; type help to get the list of supported commands.

CFE version 1.0.37-0.7 for BCM96338 (32bit,SP,BE)

Build Date: Wed Dec 7 14:11:44 CST 2005 (root@localhost.localdomain)

Copyright (C) 2000,2001,2002,2003 Broadcom Corporation.

Initializing Arena.

Initializing Devices.

Auto-negotiation timed-out

10 MB Half-Duplex (assumed)

CPU type 0x29010: 240MHz

Total memory used by CFE: 0x80401000 - 0x80522A10 (1186320)

Initialized Data: 0x8041ACB0 - 0x8041C3B0 (5888)

BSS Area: 0x8041C3B0 - 0x80420A10 (18016)

Local Heap: 0x80420A10 - 0x80520A10 (1048576)

Stack Area: 0x80520A10 - 0x80522A10 (8192)

Text (code) segment: 0x80401000 - 0x8041ACA8 (105640)

Boot area (physical): 0x00523000 - 0x00563000

Relocation Factor: I:00000000 - D:00000000

Board IP address : 192.168.1.1:ffffff00

Host IP address : 192.168.1.100

Gateway IP address :

Run from flash/host (f/h) : f

Default host run file name : vmlinux

Default host flash file name : bcm963xx_fs_kernel

Boot delay (0-9 seconds) : 1

Board Id Name : 96338L-2M-8M

Psi size in KB : 24

Number of MAC Addresses (1-32) : 11

Base MAC Address : 00:08:5c:8a:9c:50

Ethernet PHY Type : Internal

Memory size in MB : 8

*** Press any key to stop auto run (1 seconds) ***

Auto run second count down: 111

CFE>

CFE> helo

Available commands:

w Write the whole image start from beginning of the flash

e Erase [n]vram or [a]ll flash except bootrom

r Run program from flash image or from host depend on [f/h] flag

p Print boot line and board parameter info

c Change booline parameters

f Write image to the flash

i Erase persistent storage data

b Change board parameters

reset Reset the board

flashimage Flashes a compressed image after the bootloader.

help Obtain help for CFE commands

For more information about a command, enter 'help command-name'

*** command status = 0

CFE> p

Board IP address : 192.168.1.1:ffffff00

Host IP address : 192.168.1.100

Gateway IP address :

Run from flash/host (f/h) : f

Default host run file name : vmlinux

Default host flash file name : bcm963xx_fs_kernel

Boot delay (0-9 seconds) : 1

Board Id Name : 96338L-2M-8M

Psi size in KB : 24

Number of MAC Addresses (1-32) : 11

Base MAC Address : 00:08:5c:8a:9c:50

Ethernet PHY Type : Internal

Memory size in MB : 8

*** command status = 0

CFE>

8. Flashing an image

If you have the right filesystem and kernel image, you can flash it using the flashimage command.

Warning: you might brick the router and render it unusable if the file is wrong, so avoid this.

CFE> flashimage 192.168.0.1:bcm963xx_fs_kernel
Loading 192.168.0.1:bcm963xx_fs_kernel ...
Finished loading 3155261 bytes
...............................................................
 
Finished flashing image.
Resetting board...

9. Compiling your own kernel and running it

Airtel doesn't provide source code for the modem, but the Broadcom BCM6338 chip is used by other vendors such as Siemens and TP-Link, and you can use the source code from their sites (with some issues).

Download

the following toolchain and other sources of the Siemens modem:

http://opensource.albistechnologies.com/ADSL/CL-xxx_SL2-xxx_SLI-5300/GPL_source_CL_SL_SLI_series_consumer_release.tar

or

http://broadband.eip.siemens.ch/public/GPL_source/GPL_source_CL_SL_SLI_series_consumer_release.tar

a) Extract GPL_source_CL_SL_SLI_series_consumer_release.tar.

b) Once extracted you will see the following files:

[Figure: contents of the extracted archive]

c) consumer_install is the script that installs the toolchain and extracts the kernel sources.

Make sure you have around 500 MB of free space.

d) Run the script with sh consumer_install and press 'y' when prompted.

[Figure: consumer_install prompting for confirmation]

e) cd to /opt/bcm963xx_router

[Figure: listing of /opt/bcm963xx_router]

Read the README file.

Now compile the kernel using

make PROFILE=SL2141

[Figure: kernel build output]

It will take some time to compile the kernel. Once it is compiled you can find it at bcm963xx_router/kernel/linux/vmlinux.

Now use this vmlinux kernel to boot the modem; don't flash it, as it doesn't have a filesystem yet.

To run this image:

Access the CFE prompt (see point 7).

Now press c to change the boot parameters. Here:

Host IP is my PC's IP, where the TFTP server (tftpd32) is running.

Board IP is the router's IP, and vmlinux is the image it will run.

Change "f" to "h" to boot from the TFTP server instead of the image in flash.

CFE> c

Press: <enter> to use current value

'-' to go previous parameter

'.' to clear the current value

'x' to exit this command

Board IP address : 192.168.0.150

Host IP address : 192.168.0.100

Gateway IP address : 192.168.0.1

Run from flash/host (f/h) : f h

Default host run file name : vmlinux

Default host flash file name : bcm963xx_fs_kernel

Boot delay (0-9 seconds) : 5

*** command status = 0

CFE> r

0x80010000/1476988 0x8017a000/151686 0x8019f086/71586 Entry at 0x8018e018

Closing network.

Enter "r" to run the vmlinux image.

The following shows the compiled kernel running:

[Figure: serial console output of the custom kernel booting]

[Figure: serial console output of the custom kernel, continued]
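As an added illustration of what happens on the wire in this step (not code from the post, and not tftpd32): with "h" set, CFE's TFTP client sends a read request for vmlinux in octet mode to the Host IP, and the server answers with 512-byte DATA blocks, each acknowledged before the next, until a block shorter than 512 bytes ends the transfer. The minimal RFC 1350 read-only server below shows both sides of that exchange; the file map and the serve() loop are assumptions of this example.

```python
import socket
import struct

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5   # RFC 1350 opcodes
BLOCK = 512                           # fixed TFTP block size

class TftpReadSession:
    """Server side of one read transfer: feed it raw packets, send back what it returns."""
    def __init__(self, files):
        self.files = files            # {name: bytes}, e.g. {"vmlinux": <image bytes>}
        self.data, self.block, self.done = None, 0, False

    def handle(self, pkt):
        (op,) = struct.unpack("!H", pkt[:2])
        if op == RRQ and self.data is None:
            name, mode = (pkt[2:].split(b"\0") + [b"", b""])[:2]   # CFE asks "vmlinux", "octet"
            name = name.decode(errors="replace")
            if mode.lower() != b"octet" or name not in self.files:
                self.done = True
                return struct.pack("!HH", ERROR, 1) + b"file not found\0"
            self.data, self.block = self.files[name], 1
            return self._data_pkt()
        if op == ACK and self.data is not None:
            (acked,) = struct.unpack("!H", pkt[2:4])
            if acked != self.block & 0xFFFF:
                return None                            # stale/duplicate ACK: ignore, never resend
            if len(self.data) < self.block * BLOCK:    # a short (or empty) block was the last one
                self.done = True
                return None
            self.block += 1
            return self._data_pkt()
        self.done = True
        return struct.pack("!HH", ERROR, 4) + b"illegal TFTP operation\0"

    def _data_pkt(self):
        start = (self.block - 1) * BLOCK
        return struct.pack("!HH", DATA, self.block & 0xFFFF) + self.data[start:start + BLOCK]

def serve(files, bind=("0.0.0.0", 69)):
    """Blocking single-client loop; port 69 needs root. No retransmit timer: a lost
    packet ends the transfer after 5 s and the client has to request again."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(bind)
    while True:
        pkt, peer = listener.recvfrom(1500)
        sess = TftpReadSession(files)
        reply = sess.handle(pkt)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:   # fresh port = server TID
            s.settimeout(5)
            while True:
                if reply is not None:
                    s.sendto(reply, peer)
                if sess.done:
                    break
                try:
                    pkt, peer = s.recvfrom(1500)
                except socket.timeout:
                    break
                reply = sess.handle(pkt)

if __name__ == "__main__":
    serve({"vmlinux": open("vmlinux", "rb").read()})   # run from the directory holding vmlinux
```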

Notes:

- OpenWrt doesn't support the 6338; only higher versions are supported.

- Airtel uses a lot of GPL-licensed software (BusyBox, kernel, iptables, etc.) but doesn't provide the source code. If you find this article helpful, please file a complaint against Airtel and inform GPL licensing about the violation.

- Work in progress: getting a full shell with the vi editor and other tools, and porting siproxd to run my small SIP registrar server.

Full log of the kernel running from the Siemens source code:

CFE> web info: Waiting for connection on socket 0.

CFE>

CFE>

CFE> c

Press: <enter> to use current value

'-' to go previous parameter

'.' to clear the current value

'x' to exit this command

Board IP address : 192.168.0.150

Host IP address : 192.168.0.100

Gateway IP address : 192.168.0.1

Run from flash/host (f/h) : f h

Default host run file name : vmlinux

Default host flash file name : bcm963xx_fs_kernel

Boot delay (0-9 seconds) : 5

*** command status = 0

CFE> r

0x80010000/1476988 0x8017a000/151686 0x8019f086/71586 Entry at 0x8018e018

Closing network.

Starting program at 0x8018e018

Linux version 2.6.8.1 (compiled by root) (gcc version 3.4.2) #1 Sun Feb 21 13:23:54 EST 2010

c2/2249 System PLL( MPI clock 0x0)

Flash Config: CS0(1fc00000,4),Base(bfc00000),Size(4MB)

FLASH_BASE bfc00000,blk 0

Total Flash size: 2048K with 35 sectors NVRAM @0 block

***Board id is not set****: Using the default PSI size: 24

Scratch pad is not used for this flash part.

CPU revision is: 00029010

Determined physical RAM map:

memory: 00fa0000 @ 00000000 (usable)

On node 0 totalpages: 4000

DMA zone: 4000 pages, LIFO batch:1

Normal zone: 0 pages, LIFO batch:1

HighMem zone: 0 pages, LIFO batch:1

Built 1 zonelists

Kernel command line: root=31:0 ro noinitrd

brcm mips: enabling icache and dcache...

Primary instruction cache 16kB, physically tagged, 2-way, linesize 16 bytes.

Primary data cache 8kB 2-way, linesize 16 bytes.

PID hash table entries: 64 (order 6: 512 bytes)

Using 16.000 MHz high precision timer.

Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)

Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)

Memory: 14088k/16000k available (1323k kernel code, 1892k reserved, 200k data, 72k init, 0k highmem)

Calibrating delay loop... 31.64 BogoMIPS

Mount-cache hash table entries: 512 (order: 0, 4096 bytes)

Checking for 'wait' instruction... unavailable.

NET: Registered protocol family 16

Can't analyze prologue code at 801597ac

PCI: device 0000:00:00.0 has unknown header type 1b, ignoring.

PCI: device 0000:00:01.0 has unknown header type 1b, ignoring.

PCI: device 0000:00:1a.0 has unknown header type 1b, ignoring.

PCI: device 0000:00:1b.0 has unknown header type 1b, ignoring.

PCI: device 0000:00:1c.0 has unknown header type 1b, ignoring.

PCI: device 0000:00:1d.0 has unknown header type 1b, ignoring.

PCI: device 0000:00:1e.0 has unknown header type 1b, ignoring.

PCI: device 0000:00:1f.0 has unknown header type 1b, ignoring.

1.parse options inodes 1763 block 1763

PPP generic driver version 2.4.2

NET: Registered protocol family 24

Using noop io scheduler

bcm963xx_mtd driver v1.0

rootfs_addr 0bfc10100

No BinFs

brcmboard: brcm_board_init entry

bcm963xx_serial driver v2.0

NET: Registered protocol family 2

Hold Reset button for 21474836 seconds<6>IP: routing cache hash table of 512 buckets, 4Kbytes

TCP: Hash tables configured (established 512 bind 1024)

NET: Registered protocol family 1

NET: Registered protocol family 17

Ebtables v2.0 registered

Hold Reset button for 0 seconds<6>NET: Registered protocol family 8

NET: Registered protocol family 20

802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>

All bugs added by David S. Miller <davem@redhat.com>

Hold Reset button for 0 secondsVFS: Mounted root (squashfs filesystem) readonly.

Freeing unused kernel memory: 72k freed

Hold Reset button for 0 secondsHold Reset button for 1 secondsHold Reset button for 2 secondsHold Reset button for 2 secondsHold Reset button for 3 seconds

Reset to factory default setting...

2 comments:

  1. Awesome post. Though I work on embedded systems, my field is entirely different. But I also like hacking. I have a question: I have the same "Beetel 220BXi" ADSL2 modem from Airtel. Can I hack the modem to enable the out port (SMTP port 25)? My purpose of the hack is to set up a small web server board, which I should be able to access from outside.

    Replies
    1. You don't have to hack your modem for that, simply use the port forwarding or virtual servers option in your modem page (usually 192.168.1.1)... Good luck!
