Research on Changing Serial Number for GPON ONU Module

The GPON ONU module is based on Marvell MC-88F6601, and the datasheet for this chip is not available for general public. I have to sign the NDA before I can get the datasheet.

At beginning, I attach this module to a STM32 to dump the EEPROM which connected to SFP side. The checksun is not correct, that is why the module information is not shown in the ROS SFP info page. After correct the checksun, the serial number and diagnostic info shows no problem inside sfp information page.

Then, I changed the serial number inside EEPROM, but it looks like no affect on the serial number which used for GPON handshake.

After that, I desoldered the flash chip, and dump the entire flash. However, nothing interesting inside it.
Flash Dump: https://www.lolicon.me/dl/gpon.rom

Here is the high defination photos:

Hi,

Generally such features must be provided by MikroTik like other brand do (GPON ONT SN CHANGER).

when you say “I changed the serial number inside EEPROM” you mean by that address 68-83 on the A0h memory ?

I know that there is some reserved address on the A2h memory used by some manufacturer for storing extra data . could you please share the SN that u see on the OLT side ?

and also the result of this command “/interface ethernet monitor sfp1” .

Just analysed the rom file that you posted.

it seem like there is another operating system based on linux inside the SFP module :

U-Boot 2009.08 ( 4
 28 2015 - 16:46:05) Marvell version: 4.1.6_PQ
 """"""
 __   __                      _ _
|  \/  | __ _ _ ____   _____| | |
| |\/| |/ _` | '__\ \ / / _ \ | |
| |  | | (_| | |   \ V /  __/ | |
|_|  |_|\__,_|_|    \_/ \___|_|_|
         _   _     ____              _
        | | | |   | __ )  ___   ___ | |_ 
        | | | |___|  _ \ / _ \ / _ \| __| 
        | |_| |___| |_) | (_) | (_) | |_ 
         \___/    |____/ \___/ \___/ \__| 
 ** LOADER **
 ** MONITOR **
dual_image
Error: dual image isn't supported on flash size=%d KB.
mtdParts
mtdparts=spi_flash:1M@0(uboot),3584K@0x100000(uImg),3M@0x480000(rootFs),512K@0x780000(vars),3584K@0x800000(uImgB),3M@0xB80000(rootFsB),512K@0xE80000(varsB),-(spacer)
env_saved
false
isValidA
isValidB
committedBank
act_test
act_boot_complete
image_address
imgA_mtdblock
imgB_mtdblock
imgA_addr
0x100000
imgB_addr
0x800000
setA
setenv img_mtdblock ${imgA_mtdblock}; setenv img_addr ${imgA_addr}; echo Booting image A;
setB
setenv img_mtdblock ${imgB_mtdblock}; setenv img_addr ${imgB_addr}; echo Booting image B;
get_mtd_list
if test ${isValidA} = true -a ${isValidB} = true; then if test ${committedBank} = A; then setenv mtd_list A B; else setenv mtd_list B A; fi; else if test ${isValidA} = true;then setenv mtd_list A; else if test ${isValidB} = true; then setenv mtd_list B; else setenv mtd_list; fi; fi; fi;
valid_bootcmd
run get_mtd_list; for i in ${mtd_list}; do if test ${i} = A; then run setA; else run setB; fi; run bootcmd_img; done;
bootcmd_img
setenv bootargs ${console} root=/dev/mtdblock${img_mtdblock} rootfstype=squashfs ${mtdParts} ${mvNetConfig} ${mvPhoneConfig}; sf read ${loadaddr} ${img_addr} 0x380000; bootm ${loadaddr};
act_bootcmd
if itest ${act_test} == 1; then if itest ${act_boot_complete} == 0; then setenv act_boot_complete 1; saveenv; echo "Booting Active Image...."; run bootcmd_active;else setenv act_boot_complete 0; setenv act_test 0; saveenv; fi; fi;
bootcmd_active
echo bootcmd_active was not initialized....
save_dual_image_env
if test ${env_saved} = false; then echo "Saving environment for dual image support:"; setenv env_saved true; saveenv; fi;
run act_bootcmd; run save_dual_image_env; run valid_bootcmd; echo "Using default bootcmd...."; run default_bootcmd
console=ttyS0,115200 mv_port1_config=disconnected
console=ttyS0,115200

Just analyses the rom file that you posted.

There is a jffs2 at 0x7D0000, however, it is empty.

it seem like there is another operating system based on linux inside the SFP module

Based on the hardware schematic and public available information, there is large chance that the module is more like a linux computer with two bridged interfaces.

when you say “I changed the serial number inside EEPROM” you mean by that address 68-83 on the A0h memory ?

Yes.

I know that there is some reserved address on the A2h memory used by some manufacturer for storing extra data.

I didn’t find any interesting data inside A2h except for diagnostic information. If you like, I can give you dump files for both A0h and A2h.
I believe they must have some sort of page switch bits inside A2h or A0h.

console=ttyS0,115200

Looks like there is a serial console on the embedded Linux, It is probabily easier if we hack through the serial console. However, we still need to find out the pin for the console.

could you please share the SN that u see on the OLT side

I don’t have an OLT in my lab (yet). I cloned the serial number of my GPON modem, and the module didn’t register on my existing network.

and also the result of this command “/interface ethernet monitor sfp1” .

I didn’t put the flash back yet. But I can provide you the EEPROM dumps.
A0h (Original): https://www.lolicon.me/dl/onu_256_A0.bin
A0h (Modified 1): https://www.lolicon.me/dl/onu_128.bin
A0h (Modified 2): https://www.lolicon.me/dl/onu_128_2.bin
A2h: https://www.lolicon.me/dl/onu_256_A2.bin

the module didn’t register on my existing network.

changing only the sn may not end with the registration on the telco network due to all OMCI stuff : http://fr.slideshare.net/wahyunasution12/alu-7360-5520gponbasicconfiguration

yes It is easier if we hack through the serial console but i don’t see anything for the UART on that board.

it’s a linux computer with ethernet interfaces because i see some mac address on the rom file :

mv_net_config=0
mv_net_config=4,(00:50:43:11:11:11,0:1:2:3),mtu=1500
yuk_ethaddr
00:00:00:EE:51:81
rcvrip
169.254.100.100

i see that there is also a recovery mode waiting for a dhcp on boot :

enaAutoRecovery
Missing loadaddr environment variable assuming default (%s)!
Aquiring an IP address using DHCP after delay...
Satrt recovery process (Distress Beacon with TFTP server)

i will analyse the attached file and let you know what i can see

and also the result of this command “/interface ethernet monitor sfp1” .

I ve searched on the Flash content and on A0/A2 memory for your original SERIAL ‘MKTK0C15…’ to see if it’s registered somewhere else but without success .
based on the Flash data the sn is grabbed directlly from the eeprom (DIMM Serial No)

DRAM Controller info:
Total DRAM 
DIMM %d version %d.%d
DRAM CS[%d] 
ECC enabled, 
ECC Disabled, 
Registered DIMM
Non registered DIMM
Configured CAS Latency %d.%d
cas2ps Err. unsupported cycle time.
ERROR: Could not read SPD information!
Manufacturer's JEDEC ID Code:   
Manufacturer's Specific Data:   %s
Module Part Number:             %s
DIMM Serial No.                 %ld (%lx)
Manufactoring Date:             Year 20%d%d/ ww %d%d
Module Revision:                %d.%d
manufac_place:                  %d
Dram Type is:                   SDRAM
Dram Type is:                   SDRAM DDR1
Dram Type is:                   SDRAM DDR2
Dram Type unknown
Module Number of row addresses: %d
Module Number of col addresses: %d
Number of Banks on Mod.:        %d
Module Data Width:              %d bit
Module is               TTL_5V_TOLERANT
Module is               LVTTL
Module is               HSTL_1_5V
Module is               SSTL_3_3V
Module is               SSTL_2_5V
Module is                 SSTL_1_8V
Module is               VOLTAGE_UNKNOWN
Minimum Cycle Time At Max CL:   %d.%d [ns]
Clock To Data Out:              %d.%d [ns]
Error Check Type (0=NONE):      %d
Refresh Rate:                   %x
Sdram Width:                    %d bits
Error Check Data Width:         %d bits
Minimum Clk Delay back to back: %d
Burst Length Supported: 
 Bit 
Number Of Banks On Each Chip:   %d
Suported Cas Latencies: (CL)

i think that every thing is done on your side and that your SFP ONU is using the correct SN.
As you are using Alcatel-Lucent and based on this document http://fr.slideshare.net/wahyunasution12/alu-7360-5520gponbasicconfiguration [page 35], on the OLT there is the planned software and the active software for each ONT HW version and if they mismatch an alarm is triggered and the ONU will not get registered (this is your case).

You will need that your telco register your ONU as a SFP bridge and not as a router to escape to the planned/active software story

Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:

<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>

This is fascinating, and a little bizarre. Surely running an entire OS on SFP is a massive overhead?

How did you dump it?

After analyzing the embedded linux, the OS on the module is not forwarding any packets. There is a hardware switch on the SoC actually doing all data forwarding,

How can I dump embedded linux? im curious

I removed the flash chip from board (using hot air), then dumped it by a stm32 flashrom programmer.

Here is the flash: https://www.lolicon.me/mikrotik/flash.bin

is 404 not found.

Im new in hardware debugging and it sounds very interesting, how did you get hot airflow to remove chip?

send me pm

I have Huawei OLT and this module as well, I want to try to change SN and associate it with my OLT / or my ISP olt using SN of my HG
That sounds interesting

@ilinsky

The link has been fixed. And I do not know how to send pm in this forum.

I see

I saw it with binwalk and is huge, is it possible to repack it with canes done and flash back, any idea ? I google about hot air already

I connected my module to my hawed 5608 OLT and it does not appear in iManager U2000 auto discovery, I think it has something to do with interoperability configuration

Yes, you can repack it and flash it back.

which software do you use to actually interact with stm32 programer to download the flash ?

flashrom
https://www.flashrom.org/Flashrom