Da Poetry Hacklab.
Thu, 6 Nov 2003 18:07:30 +0000
--eJnRUKwClWJh1Khz
POETRY MINI-HOWTO - SPEEDWEB HACK version 0.2 - nov 6 18:01:27 UTC 2003
COME RESETTARE VIA HARDWARE UN MODEM/ROUTER ADSL IPM DATACOM SPEEDWEB
ADSL ETHERNET, ALTRIMENTI CONOSCIUTO COME SOLWISE SAR-110
(this document is in spaghetti-english language :)
HOW TO HARDWARE RESET A LOCKED/BROKEN IPM DATACOM SPEEDWEB ADSL ETHERNET,=
=20
ALSO KNOWN AS SOLWISE SAR-110
by asbesto of FreakNet MediaLab
asbesto AT freaknet DOT org
http://www.freaknet.org
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
The IPM DATACOM SPEEDWEB ADSL Ethernet it's an ADSL modem/router
normally shipped with Telecom Italia Alice ADSL. I have purchased
one of these, to try as a modem/router for cheap, on Ebay; it's
know as SOLWISE SAR-110, as the one we have here. It's identical :)
This modem is a little delicate - especially when playing with some
console commands. So i did, obtaining a locked modem!!!
I just added a Routing command forwarding packet from LOCAL interface
to itself. As a result, the modem will be UNUSABLE; i obtained ALL
LED ON (PWR, ADSL, PC, TX/RX and DIAG). Connecting to console
will give the modem booting normally, with checksum ok, but the modem
will FROZE ITSELF printing the "***********" of the "Welcome to Titanium"
greeting.
No way to recover ! I wasn't able to reach it by web admin interface,=20
nor via console.=20
SO, i searched the web for a way to hardware-reset my adsl modem/router,
but i find NOTHING but messages of other people searching the same kind
of information.=20
The SOLWISE documentation say clearly:
----------------------------------------------------------------------
Please Note: Incorrect usage of CLI commands can seriously damage the
firmware settings and configuration of your router to the extent where you
might be unable to reset/restore to an operable state.
We reserve the right to charge for any faulty router
returned for repair which has user corrupted firmware or settings.=20
----------------------------------------------------------------------
It seem evident that the only traditional solution to this problem
is to return the device back to Solwise, so they can "restore" it.
That's mean, you have to pay MONEY, MONEY, MONEY.
So, we have another zyxel router; ok, i will try to open the=20
IPM DATACOM/SOLWISE and try to reset by myself.
=2E.. and i was WINNER !!! :))))
Here is the complete procedure for our modem.
----------------------------------------------------------------------
PLEASE NOTE THAT I'M NOT RESPONSIBLE FOR FAULTS, DAMAGES OR ANYTHING
OCCURRING IF YOU FOLLOW THIS PROCEDURE. DON'T DO IT, IT'S A RISK. I WARNED
YOU. PROBABLY, IF YOU OBTAINED YOUR ADSL MODEM FROM YOUR ISP, YOU *CAN'T*
OPEN IT; JUST RETURN IT TO YOUR ISP AND THEY WILL CHANGE IT FOR FREE (ALL
MAJOR ISP CHANGE FOR FREE THE ADSL MODEM THEY GIVE)
----------------------------------------------------------------------
Open the router. On the board, you can see a connector named J1; an ascii=
=20
image will follow; We're particulary interested in pin 2 and 3 of this=20
connector :)))
SEMPLIFIED ASCII IMAGE of the CIRCUIT BOARD:
(i omitted chips and connector. this is the board seen from top,=20
component side)
| 6 . |
| 5 . |
| 4 . |
| 3 . |
| 2 . |
| 1 . |
| j1 |
| o o o o o |
------------------------------------------------------------
pwr adsl pc tx/rx diag
j1: I don't remember if there are 6 or 5 pin, but, who care? we're
interested only in pin 2 and 3. I started numbering pins from the
front of the circuit, so pin 1 it the pin near the led side, and
pin 6 is the led near the back side of the board, where the
connectors are located.
Set your serial port to 38400 bps, 8n1, and connect a cable to the
console port of the router.
NOW, turning on the unit, you have to jumper the 2 and the 3 pin on the
connector EXACTLY when you see "Testing APPCODE Checksum" on the serial
console. This will start the "EMAC Driver" that enable the TFTP upload
of a new firmware, as you can see here:
--------------------------------------------------
Starting POST - V1.9 =
=20
SDRAM ... Passed =
=20
Loader Checksum ... Passed =
=20
Loader (V1.96) Self-Extracting ... Done =
=20
Decompressing UMON (V1.5) ... Done/Activated =
=20
Flash AT45DB161 (Capacity=3D2112K, PageSize=3D528, TotalPages=3D4096) =
=20
Testing FILESYS Checksum ... Passed =
=20
Testing DSLCODE Checksum ... Passed =
=20
Testing APPCODE Checksum ... Failed (expected=3DAF47A286, actual=3DFB8509BD=
) ... =20
EMAC Driver 1.7 (AutoNego...100BT) MAC Address: FF-FF-FF-FF-FF-FF =
=20
TFTP/GMON Server Started ... Load image/code to 192.168.1.1 =20
--------------------------------------------------
the "Failed" will be printed on terminal when you put the jumper
on pin 2 and 3. Some led on the modem/router will start flashing
(i don't remember what, sorry :)
OK - now you can use your favourite TFTP client, to upload the
binary image and give a new life to your router :)
You can find ROM images here: http://ipmethernet4all.tk/
You have to connect an ethernet cable between your computer and the
IPM router; set your ethernet interface to any address different from
192.168.1.1 (for example, set it to 192.168.1.22). Now you can put
the new binary image to the IPM router, with your tftp client:
----example using linux and BSD tftp port---------
asbesto@gemini ipm $ tftp
tftp> connect 192.168.1.1
tftp> bin
tftp> put TEImage.bin
Sent 1799424 bytes in 59.5 seconds
tftp> quit
asbesto@gemini ipm $=20
--------------------------------------------------
after a minute, you will see in the terminal console something like this:
--------------------------------------------------
TFTP Server is loading "TEImage.bin" ... Done.
--------------------------------------------------
When the transfer has finished, the LINK, TX/RX and DIAG led will
flash slowly. Now, turn OFF and ON your router, so it can
restart with the new binary flashed image, as in the example
that follow (in this example, we have flashed the latest Solwise
version dated 17-06-03):
----------------------------------------------------------------
Starting POST - V1.9 =
=20
SDRAM ... Passed =
=20
Loader Checksum ... Passed =
=20
Loader (V1.96) Self-Extracting ... Done =
=20
Decompressing UMON (V1.5) ... Done/Activated =
=20
Flash AT45DB161 (Capacity=3D2112K, PageSize=3D528, TotalPages=3D4096) =
=20
First time boot up, verifying flash device checksums ... =
=20
CFG1: 49632 : Checksum Passed (00000323) ...
CFG2: 49632 : Checksum Passed (000002F8) ...
ALRM: 8448 : Checksum Passed (000002F6) ...
DHCP: 66000 : Checksum Passed (00000356) ...
FACT: 16384 : Checksum Passed (0007F6D5) ...
MANU: 4096 : Checksum Passed (000044D9) ...
BOOT: 4096 : Checksum Passed (E55263D6) ...
LOAD: 76032 : Checksum Passed (02AE3271) ...
FILE: 232848 : Checksum Passed (01BDC7DC) ...
DSLC: 70224 : Checksum Passed (212F4DB2) ... =
=20
APPC: 1145232 : Checksum Passed (8A590054) ... =
=20
PASSED ... =
=20
=
=20
Decompressing "TEAppl.gsz" (1144122->3277768) ... Done =
=20
=
=20
Text Segment Size =3D 3018112 bytes =
=20
Data Segment Size =3D 259656 bytes =
=20
Bss Segment Size =3D 1913000 bytes =
=20
System Stack Size =3D 16536 bytes =
=20
HISR Stack Size =3D 16536 bytes =
=20
NetBuffer Pool Size=3D 710512 bytes =
=20
System Memory Size =3D 2104248 bytes =
=20
Start of DSPText =3D 207aa8d0 bytes =
=20
Decompressing "TEDSL.gsz" (68991->154832) ... Done
UnTar File System
=2E...\..\.\.\..\..\.\....................\..........\......\..=20
=
=20
Config size =3D 94, DHCP size =3D 125 =
=20
Normal Execution Mode =
=20
=
=20
CfgInit: System Coming up from Default Configuration =
=20
******************* =
=20
Welcome to Titanium =
=20
*******************
=
=20
GlobespanVirata Inc., Software Release VIK-1.38.030331e =
=20
Copyright (c) 2001-2002 by GlobespanVirata, Inc. =
=20
=
=20
$ =
=20
Thu Jan 01 00:00:03 1970 : STATUS ALARM : System Up =
=20
$
-----------------------------------------------------------------
THAT'S ALL, FOLKS! :)))
Note: a more complete version of this document, with images and
a mirror of all needed files and PDF manuals, will come shortly.
Check on http://www.freaknet.org/research for it ! :)
Tnx to: r4m / morpheus / google groups / _lobo / freaknet
[ it's a FREAKNET MEDIALAB PRODUCTION! http://www.freaknet.org ]
----- End forwarded message -----
--=20
[asbesto : freaknet medialab : radio#cybernet : GPG key on keyservers]
[ MAIL ATTACH, SPAM, HTML, WORD, and msgs larger than 95K > /dev/null ]
[http://www.freaknet.org/asbesto IW9HGS http://kyuzz.org/radiocybernet]
--eJnRUKwClWJh1Khz
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
iD8DBQE/qo3i6hWaTmE9RNcRAtGcAJ0dCdsEgaq1xnbxjkGGKaIUZGun7wCg2bGy
oPtyKJWGm5QEbSritI6Wes4=
=uxbC
-----END PGP SIGNATURE-----
--eJnRUKwClWJh1Khz--
