Community discussions

 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 11:09 am

The GPON ONU module is based on Marvell MC-88F6601, and the datasheet for this chip is not available for general public. I have to sign the NDA before I can get the datasheet.

At beginning, I attach this module to a STM32 to dump the EEPROM which connected to SFP side. The checksun is not correct, that is why the module information is not shown in the ROS SFP info page. After correct the checksun, the serial number and diagnostic info shows no problem inside sfp information page.

Then, I changed the serial number inside EEPROM, but it looks like no affect on the serial number which used for GPON handshake.

After that, I desoldered the flash chip, and dump the entire flash. However, nothing interesting inside it.
Flash Dump: https://www.lolicon.me/dl/gpon.rom

Here is the high defination photos:
Image
Image
 
anass
just joined
Posts: 9
Joined: Wed Aug 29, 2012 5:49 pm

Re: Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 4:52 pm

Hi,

Generally such features must be provided by MikroTik like other brand do (GPON ONT SN CHANGER).

when you say "I changed the serial number inside EEPROM" you mean by that address 68-83 on the A0h memory ?

I know that there is some reserved address on the A2h memory used by some manufacturer for storing extra data . could you please share the SN that u see on the OLT side ?

and also the result of this command "/interface ethernet monitor sfp1" .
 
anass
just joined
Posts: 9
Joined: Wed Aug 29, 2012 5:49 pm

Re: Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 5:27 pm

Just analysed the rom file that you posted.

it seem like there is another operating system based on linux inside the SFP module :
U-Boot 2009.08 ( 4
 28 2015 - 16:46:05) Marvell version: 4.1.6_PQ
 """"""
 __   __                      _ _
|  \/  | __ _ _ ____   _____| | |
| |\/| |/ _` | '__\ \ / / _ \ | |
| |  | | (_| | |   \ V /  __/ | |
|_|  |_|\__,_|_|    \_/ \___|_|_|
         _   _     ____              _
        | | | |   | __ )  ___   ___ | |_ 
        | | | |___|  _ \ / _ \ / _ \| __| 
        | |_| |___| |_) | (_) | (_) | |_ 
         \___/    |____/ \___/ \___/ \__| 
 ** LOADER **
 ** MONITOR **
dual_image
Error: dual image isn't supported on flash size=%d KB.
mtdParts
mtdparts=spi_flash:1M@0(uboot),3584K@0x100000(uImg),3M@0x480000(rootFs),512K@0x780000(vars),3584K@0x800000(uImgB),3M@0xB80000(rootFsB),512K@0xE80000(varsB),-(spacer)
env_saved
false
isValidA
isValidB
committedBank
act_test
act_boot_complete
image_address
imgA_mtdblock
imgB_mtdblock
imgA_addr
0x100000
imgB_addr
0x800000
setA
setenv img_mtdblock ${imgA_mtdblock}; setenv img_addr ${imgA_addr}; echo Booting image A;
setB
setenv img_mtdblock ${imgB_mtdblock}; setenv img_addr ${imgB_addr}; echo Booting image B;
get_mtd_list
if test ${isValidA} = true -a ${isValidB} = true; then if test ${committedBank} = A; then setenv mtd_list A B; else setenv mtd_list B A; fi; else if test ${isValidA} = true;then setenv mtd_list A; else if test ${isValidB} = true; then setenv mtd_list B; else setenv mtd_list; fi; fi; fi;
valid_bootcmd
run get_mtd_list; for i in ${mtd_list}; do if test ${i} = A; then run setA; else run setB; fi; run bootcmd_img; done;
bootcmd_img
setenv bootargs ${console} root=/dev/mtdblock${img_mtdblock} rootfstype=squashfs ${mtdParts} ${mvNetConfig} ${mvPhoneConfig}; sf read ${loadaddr} ${img_addr} 0x380000; bootm ${loadaddr};
act_bootcmd
if itest ${act_test} == 1; then if itest ${act_boot_complete} == 0; then setenv act_boot_complete 1; saveenv; echo "Booting Active Image...."; run bootcmd_active;else setenv act_boot_complete 0; setenv act_test 0; saveenv; fi; fi;
bootcmd_active
echo bootcmd_active was not initialized....
save_dual_image_env
if test ${env_saved} = false; then echo "Saving environment for dual image support:"; setenv env_saved true; saveenv; fi;
run act_bootcmd; run save_dual_image_env; run valid_bootcmd; echo "Using default bootcmd...."; run default_bootcmd
console=ttyS0,115200 mv_port1_config=disconnected
console=ttyS0,115200
Last edited by anass on Mon Jan 02, 2017 11:18 pm, edited 1 time in total.
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 6:47 pm

Just analyses the rom file that you posted.
There is a jffs2 at 0x7D0000, however, it is empty.
it seem like there is another operating system based on linux inside the SFP module
Based on the hardware schematic and public available information, there is large chance that the module is more like a linux computer with two bridged interfaces.
when you say "I changed the serial number inside EEPROM" you mean by that address 68-83 on the A0h memory ?
Yes.
I know that there is some reserved address on the A2h memory used by some manufacturer for storing extra data.
I didn't find any interesting data inside A2h except for diagnostic information. If you like, I can give you dump files for both A0h and A2h.
I believe they must have some sort of page switch bits inside A2h or A0h.
console=ttyS0,115200
Looks like there is a serial console on the embedded Linux, It is probabily easier if we hack through the serial console. However, we still need to find out the pin for the console.
could you please share the SN that u see on the OLT side
I don't have an OLT in my lab (yet). I cloned the serial number of my GPON modem, and the module didn't register on my existing network.
and also the result of this command "/interface ethernet monitor sfp1" .
I didn't put the flash back yet. But I can provide you the EEPROM dumps.
A0h (Original): https://www.lolicon.me/dl/onu_256_A0.bin
A0h (Modified 1): https://www.lolicon.me/dl/onu_128.bin
A0h (Modified 2): https://www.lolicon.me/dl/onu_128_2.bin
A2h: https://www.lolicon.me/dl/onu_256_A2.bin
 
anass
just joined
Posts: 9
Joined: Wed Aug 29, 2012 5:49 pm

Re: Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 7:40 pm

the module didn't register on my existing network.

changing only the sn may not end with the registration on the telco network due to all OMCI stuff : http://fr.slideshare.net/wahyunasution1 ... figuration

yes It is easier if we hack through the serial console but i don't see anything for the UART on that board.

it's a linux computer with ethernet interfaces because i see some mac address on the rom file :
mv_net_config=0
mv_net_config=4,(00:50:43:11:11:11,0:1:2:3),mtu=1500
yuk_ethaddr
00:00:00:EE:51:81
rcvrip
169.254.100.100
i see that there is also a recovery mode waiting for a dhcp on boot :
enaAutoRecovery
Missing loadaddr environment variable assuming default (%s)!
Aquiring an IP address using DHCP after delay...
Satrt recovery process (Distress Beacon with TFTP server)
i will analyse the attached file and let you know what i can see
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Tue Jan 03, 2017 3:17 pm

and also the result of this command "/interface ethernet monitor sfp1" .
Screenshot from 2017-01-03 13-15-41.png
You do not have the required permissions to view the files attached to this post.
 
anass
just joined
Posts: 9
Joined: Wed Aug 29, 2012 5:49 pm

Re: Research on Changing Serial Number for GPON ONU Module

Tue Jan 03, 2017 5:47 pm

I ve searched on the Flash content and on A0/A2 memory for your original SERIAL 'MKTK0C15...' to see if it's registered somewhere else but without success .
based on the Flash data the sn is grabbed directlly from the eeprom (DIMM Serial No)
DRAM Controller info:
Total DRAM 
DIMM %d version %d.%d
DRAM CS[%d] 
ECC enabled, 
ECC Disabled, 
Registered DIMM
Non registered DIMM
Configured CAS Latency %d.%d
cas2ps Err. unsupported cycle time.
ERROR: Could not read SPD information!
Manufacturer's JEDEC ID Code:   
Manufacturer's Specific Data:   %s
Module Part Number:             %s
DIMM Serial No.                 %ld (%lx)
Manufactoring Date:             Year 20%d%d/ ww %d%d
Module Revision:                %d.%d
manufac_place:                  %d
Dram Type is:                   SDRAM
Dram Type is:                   SDRAM DDR1
Dram Type is:                   SDRAM DDR2
Dram Type unknown
Module Number of row addresses: %d
Module Number of col addresses: %d
Number of Banks on Mod.:        %d
Module Data Width:              %d bit
Module is               TTL_5V_TOLERANT
Module is               LVTTL
Module is               HSTL_1_5V
Module is               SSTL_3_3V
Module is               SSTL_2_5V
Module is                 SSTL_1_8V
Module is               VOLTAGE_UNKNOWN
Minimum Cycle Time At Max CL:   %d.%d [ns]
Clock To Data Out:              %d.%d [ns]
Error Check Type (0=NONE):      %d
Refresh Rate:                   %x
Sdram Width:                    %d bits
Error Check Data Width:         %d bits
Minimum Clk Delay back to back: %d
Burst Length Supported: 
 Bit 
Number Of Banks On Each Chip:   %d
Suported Cas Latencies: (CL) 

i think that every thing is done on your side and that your SFP ONU is using the correct SN.
As you are using Alcatel-Lucent and based on this document http://fr.slideshare.net/wahyunasution1 ... figuration [page 35], on the OLT there is the planned software and the active software for each ONT HW version and if they mismatch an alarm is triggered and the ONU will not get registered (this is your case).

You will need that your telco register your ONU as a SFP bridge and not as a router to escape to the planned/active software story
 
mbasenin
just joined
Posts: 1
Joined: Sat Feb 11, 2017 6:33 pm

Re: Research on Changing Serial Number for GPON ONU Module

Sat Feb 11, 2017 6:44 pm

Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:
<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>
 
troffasky
Member
Member
Posts: 394
Joined: Wed Mar 26, 2014 4:37 pm

Re: Research on Changing Serial Number for GPON ONU Module

Sun Feb 12, 2017 6:51 pm

Based on the hardware schematic and public available information, there is large chance that the module is more like a linux computer with two bridged interfaces.
This is fascinating, and a little bizarre. Surely running an entire OS on SFP is a massive overhead?
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 12:55 pm

How did you dump it?
Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:
<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 1:33 pm

Based on the hardware schematic and public available information, there is large chance that the module is more like a linux computer with two bridged interfaces.
This is fascinating, and a little bizarre. Surely running an entire OS on SFP is a massive overhead?
After analyzing the embedded linux, the OS on the module is not forwarding any packets. There is a hardware switch on the SoC actually doing all data forwarding,
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 1:35 pm

Based on the hardware schematic and public available information, there is large chance that the module is more like a linux computer with two bridged interfaces.
This is fascinating, and a little bizarre. Surely running an entire OS on SFP is a massive overhead?
After analyzing the embedded linux, the OS on the module is not forwarding any packets. There is a hardware switch on the SoC actually doing all data forwarding,
How can I dump embedded linux? im curious
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 1:37 pm

How did you dump it?
Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:
<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>
I removed the flash chip from board (using hot air), then dumped it by a stm32 flashrom programmer.

Here is the flash: https://www.lolicon.me/mikrotik/flash.bin
Last edited by lty1993 on Thu May 25, 2017 2:16 pm, edited 1 time in total.
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 1:52 pm

is 404 not found.

Im new in hardware debugging and it sounds very interesting, how did you get hot airflow to remove chip?

How did you dump it?
Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:
<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>
I removed the flash chip from board (using hot air), then dumped it by a stm32 flashrom programmer.

Here is the flash: https://cdn.lty.me/mikrotik_gpon_flash.bin
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 2:02 pm

send me pm

I have Huawei OLT and this module as well, I want to try to change SN and associate it with my OLT / or my ISP olt using SN of my HG
That sounds interesting
is 404 not found.

Im new in hardware debugging and it sounds very interesting, how did you get hot airflow to remove chip?

How did you dump it?
Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:
<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>
I removed the flash chip from board (using hot air), then dumped it by a stm32 flashrom programmer.

Here is the flash: https://cdn.lty.me/mikrotik_gpon_flash.bin
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 2:21 pm

@ilinsky

The link has been fixed. And I do not know how to send pm in this forum.
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 2:28 pm

I see

I saw it with binwalk and is huge, is it possible to repack it with canes done and flash back, any idea ? I google about hot air already

I connected my module to my hawed 5608 OLT and it does not appear in iManager U2000 auto discovery, I think it has something to do with interoperability configuration

@ilinsky

The link has been fixed. And I do not know how to send pm in this forum.
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 3:33 pm

I see

I saw it with binwalk and is huge, is it possible to repack it with canes done and flash back, any idea ? I google about hot air already

I connected my module to my hawed 5608 OLT and it does not appear in iManager U2000 auto discovery, I think it has something to do with interoperability configuration
Yes, you can repack it and flash it back.
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Sat May 27, 2017 3:46 am

which software do you use to actually interact with stm32 programer to download the flash ?
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Sun Jun 11, 2017 5:15 pm

which software do you use to actually interact with stm32 programer to download the flash ?
flashrom
https://www.flashrom.org/Flashrom
 
filiptc
just joined
Posts: 1
Joined: Mon Sep 18, 2017 11:41 am

Re: Research on Changing Serial Number for GPON ONU Module

Mon Sep 18, 2017 11:43 am

Wow, thanks for you research. Is there a way to overwrite the XML with modified values without tinkering with the hardware?
 
dylanger
just joined
Posts: 1
Joined: Tue Jan 02, 2018 11:12 pm

Re: Research on Changing Serial Number for GPON ONU Module

Tue Jan 02, 2018 11:16 pm

For anyone interested, I'm sort of following the research but on Ubiquiti's Nano G OLT, read more here: https://community.ubnt.com/t5/UFiber-GP ... 90379#M773

It looks like the serial may be store in simple flash instead of EEPROM, at least I'm hoping, there's a kernel driver that allows writing and read DWORDs over SPI to the Transceiver, this may allow changing of the serial without needing to mess around with the hardware / chip-off
 
geduxas
just joined
Posts: 2
Joined: Thu Aug 10, 2017 10:42 am

Re: Research on Changing Serial Number for GPON ONU Module

Fri Jun 22, 2018 4:18 pm

Hi, any news in this adventure? i am in same boat. Need to change SN and PON password.

Who is online

Users browsing this forum: No registered users and 5 guests