 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 11:09 am

The GPON ONU module is based on the Marvell MC-88F6601, and the datasheet for this chip is not available to the general public. I have to sign an NDA before I can get the datasheet.

At the beginning, I attached this module to an STM32 to dump the EEPROM which is connected to the SFP side. The checksum is not correct, which is why the module information is not shown in the ROS SFP info page. After correcting the checksum, the serial number and diagnostic info show without problems in the SFP information page.

Then, I changed the serial number inside the EEPROM, but it looks like it has no effect on the serial number which is used for the GPON handshake.

After that, I desoldered the flash chip and dumped the entire flash. However, there is nothing interesting inside it.
Flash Dump: https://www.lolicon.me/dl/gpon.rom

Here are the high definition photos:
Image
Image
 
anass
just joined
Posts: 9
Joined: Wed Aug 29, 2012 5:49 pm

Re: Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 4:52 pm

Hi,

Generally such features must be provided by MikroTik like other brands do (GPON ONT SN CHANGER).

When you say "I changed the serial number inside EEPROM", do you mean addresses 68-83 in the A0h memory?

I know that there are some reserved addresses in the A2h memory used by some manufacturers for storing extra data. Could you please share the SN that you see on the OLT side?

And also the result of this command: "/interface ethernet monitor sfp1".
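
The A0h checks discussed in the two posts above, as an added example (not code from either poster): under SFF-8472 the vendor serial sits in bytes 68-83 and is covered by CC_EXT at byte 95 (sum of bytes 64-94), while CC_BASE at byte 63 covers bytes 0-62. The sample page and its vendor strings are constructed for the example.

```python
"""Read-only consistency check for an SFP A0h identification page (SFF-8472)."""

# Byte ranges of the A0h page as defined by SFF-8472.
VENDOR_NAME = slice(20, 36)
VENDOR_PN = slice(40, 56)
VENDOR_SN = slice(68, 84)          # bytes 68-83, the range asked about in the thread
CC_BASE, CC_EXT = 63, 95           # positions of the two checksum bytes
BASE_RANGE = slice(0, 63)          # CC_BASE covers bytes 0-62
EXT_RANGE = slice(64, 95)          # CC_EXT covers bytes 64-94 (includes the serial)


def cc(page, covered):
    """Checksum rule: low 8 bits of the sum of the covered bytes."""
    return sum(page[covered]) & 0xFF


def _text(page, field):
    return bytes(page[field]).decode("ascii", errors="replace").rstrip(" \x00")


def inspect_a0(page):
    """Extract identity fields plus (stored, expected) for both checksums."""
    if len(page) < 96:
        raise ValueError(f"A0h page too short: {len(page)} bytes, need at least 96")
    return {
        "vendor": _text(page, VENDOR_NAME),
        "part_number": _text(page, VENDOR_PN),
        "serial": _text(page, VENDOR_SN),
        "cc_base": (page[CC_BASE], cc(page, BASE_RANGE)),
        "cc_ext": (page[CC_EXT], cc(page, EXT_RANGE)),
    }


def find_problems(page):
    """Names of the checks that fail; an empty list means the page is consistent."""
    report = inspect_a0(page)
    issues = []
    if report["cc_base"][0] != report["cc_base"][1]:
        issues.append("CC_BASE")
    if report["cc_ext"][0] != report["cc_ext"][1]:
        issues.append("CC_EXT")
    # The serial field is ASCII padded with spaces; anything else is suspect.
    if any(not 0x20 <= b <= 0x7E for b in page[VENDOR_SN]):
        issues.append("VENDOR_SN")
    return issues


def build_sample_page():
    """Constructed 256-byte A0h page with placeholder identity strings."""
    page = bytearray(256)
    page[0] = 0x03                                   # identifier: SFP
    page[VENDOR_NAME] = b"EXAMPLE VENDOR".ljust(16)  # constructed
    page[VENDOR_PN] = b"EX-ONU-1".ljust(16)          # constructed
    page[VENDOR_SN] = b"SAMPLE0001".ljust(16)        # constructed
    page[CC_BASE] = cc(page, BASE_RANGE)
    page[CC_EXT] = cc(page, EXT_RANGE)
    return bytes(page)


if __name__ == "__main__":
    good = build_sample_page()
    print(inspect_a0(good), find_problems(good))
    # A serial edited without updating byte 95 shows up as a CC_EXT mismatch.
    edited = bytearray(good)
    edited[VENDOR_SN] = b"SAMPLE0002".ljust(16)
    print(find_problems(bytes(edited)))
```

A page that fails either checksum is what the first post describes: the host refuses to display the module information until the stored bytes agree with the computed ones.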
 
anass
just joined
Posts: 9
Joined: Wed Aug 29, 2012 5:49 pm

Re: Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 5:27 pm

Just analysed the rom file that you posted.

It seems like there is another operating system based on Linux inside the SFP module:
U-Boot 2009.08 ( 4
 28 2015 - 16:46:05) Marvell version: 4.1.6_PQ
 """"""
 __   __                      _ _
|  \/  | __ _ _ ____   _____| | |
| |\/| |/ _` | '__\ \ / / _ \ | |
| |  | | (_| | |   \ V /  __/ | |
|_|  |_|\__,_|_|    \_/ \___|_|_|
         _   _     ____              _
        | | | |   | __ )  ___   ___ | |_ 
        | | | |___|  _ \ / _ \ / _ \| __| 
        | |_| |___| |_) | (_) | (_) | |_ 
         \___/    |____/ \___/ \___/ \__| 
 ** LOADER **
 ** MONITOR **
dual_image
Error: dual image isn't supported on flash size=%d KB.
mtdParts
mtdparts=spi_flash:1M@0(uboot),3584K@0x100000(uImg),3M@0x480000(rootFs),512K@0x780000(vars),3584K@0x800000(uImgB),3M@0xB80000(rootFsB),512K@0xE80000(varsB),-(spacer)
env_saved
false
isValidA
isValidB
committedBank
act_test
act_boot_complete
image_address
imgA_mtdblock
imgB_mtdblock
imgA_addr
0x100000
imgB_addr
0x800000
setA
setenv img_mtdblock ${imgA_mtdblock}; setenv img_addr ${imgA_addr}; echo Booting image A;
setB
setenv img_mtdblock ${imgB_mtdblock}; setenv img_addr ${imgB_addr}; echo Booting image B;
get_mtd_list
if test ${isValidA} = true -a ${isValidB} = true; then if test ${committedBank} = A; then setenv mtd_list A B; else setenv mtd_list B A; fi; else if test ${isValidA} = true;then setenv mtd_list A; else if test ${isValidB} = true; then setenv mtd_list B; else setenv mtd_list; fi; fi; fi;
valid_bootcmd
run get_mtd_list; for i in ${mtd_list}; do if test ${i} = A; then run setA; else run setB; fi; run bootcmd_img; done;
bootcmd_img
setenv bootargs ${console} root=/dev/mtdblock${img_mtdblock} rootfstype=squashfs ${mtdParts} ${mvNetConfig} ${mvPhoneConfig}; sf read ${loadaddr} ${img_addr} 0x380000; bootm ${loadaddr};
act_bootcmd
if itest ${act_test} == 1; then if itest ${act_boot_complete} == 0; then setenv act_boot_complete 1; saveenv; echo "Booting Active Image...."; run bootcmd_active;else setenv act_boot_complete 0; setenv act_test 0; saveenv; fi; fi;
bootcmd_active
echo bootcmd_active was not initialized....
save_dual_image_env
if test ${env_saved} = false; then echo "Saving environment for dual image support:"; setenv env_saved true; saveenv; fi;
run act_bootcmd; run save_dual_image_env; run valid_bootcmd; echo "Using default bootcmd...."; run default_bootcmd
console=ttyS0,115200 mv_port1_config=disconnected
console=ttyS0,115200
Last edited by anass on Mon Jan 02, 2017 11:18 pm, edited 1 time in total.
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 6:47 pm

> Just analysed the rom file that you posted.

There is a jffs2 at 0x7D0000, however, it is empty.

> It seems like there is another operating system based on Linux inside the SFP module

Based on the hardware schematic and publicly available information, there is a large chance that the module is more like a Linux computer with two bridged interfaces.

> When you say "I changed the serial number inside EEPROM", do you mean addresses 68-83 in the A0h memory?

Yes.

> I know that there are some reserved addresses in the A2h memory used by some manufacturers for storing extra data.

I didn't find any interesting data inside A2h except for diagnostic information. If you like, I can give you dump files for both A0h and A2h.
I believe they must have some sort of page switch bits inside A2h or A0h.

> console=ttyS0,115200

Looks like there is a serial console on the embedded Linux. It is probably easier if we hack through the serial console. However, we still need to find out the pin for the console.

> Could you please share the SN that you see on the OLT side?

I don't have an OLT in my lab (yet). I cloned the serial number of my GPON modem, and the module didn't register on my existing network.

> And also the result of this command: "/interface ethernet monitor sfp1".

I didn't put the flash back yet. But I can provide you the EEPROM dumps.
A0h (Original): https://www.lolicon.me/dl/onu_256_A0.bin
A0h (Modified 1): https://www.lolicon.me/dl/onu_128.bin
A0h (Modified 2): https://www.lolicon.me/dl/onu_128_2.bin
A2h: https://www.lolicon.me/dl/onu_256_A2.bin
 
anass
just joined
Posts: 9
Joined: Wed Aug 29, 2012 5:49 pm

Re: Research on Changing Serial Number for GPON ONU Module

Mon Jan 02, 2017 7:40 pm

> the module didn't register on my existing network.

Changing only the SN may not end with registration on the telco network due to all the OMCI stuff: http://fr.slideshare.net/wahyunasution1 ... figuration

Yes, it is easier if we hack through the serial console, but I don't see anything for the UART on that board.

It's a Linux computer with Ethernet interfaces, because I see some MAC addresses in the rom file:
mv_net_config=0
mv_net_config=4,(00:50:43:11:11:11,0:1:2:3),mtu=1500
yuk_ethaddr
00:00:00:EE:51:81
rcvrip
169.254.100.100
I see that there is also a recovery mode waiting for DHCP on boot:
enaAutoRecovery
Missing loadaddr environment variable assuming default (%s)!
Aquiring an IP address using DHCP after delay...
Satrt recovery process (Distress Beacon with TFTP server)
I will analyse the attached file and let you know what I can see.
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Tue Jan 03, 2017 3:17 pm

> And also the result of this command: "/interface ethernet monitor sfp1".
Screenshot from 2017-01-03 13-15-41.png
 
anass
just joined
Posts: 9
Joined: Wed Aug 29, 2012 5:49 pm

Re: Research on Changing Serial Number for GPON ONU Module

Tue Jan 03, 2017 5:47 pm

I've searched the flash content and the A0/A2 memory for your original serial 'MKTK0C15...' to see if it's registered somewhere else, but without success.
Based on the flash data the SN is grabbed directly from the EEPROM (DIMM Serial No):
DRAM Controller info:
Total DRAM 
DIMM %d version %d.%d
DRAM CS[%d] 
ECC enabled, 
ECC Disabled, 
Registered DIMM
Non registered DIMM
Configured CAS Latency %d.%d
cas2ps Err. unsupported cycle time.
ERROR: Could not read SPD information!
Manufacturer's JEDEC ID Code:   
Manufacturer's Specific Data:   %s
Module Part Number:             %s
DIMM Serial No.                 %ld (%lx)
Manufactoring Date:             Year 20%d%d/ ww %d%d
Module Revision:                %d.%d
manufac_place:                  %d
Dram Type is:                   SDRAM
Dram Type is:                   SDRAM DDR1
Dram Type is:                   SDRAM DDR2
Dram Type unknown
Module Number of row addresses: %d
Module Number of col addresses: %d
Number of Banks on Mod.:        %d
Module Data Width:              %d bit
Module is               TTL_5V_TOLERANT
Module is               LVTTL
Module is               HSTL_1_5V
Module is               SSTL_3_3V
Module is               SSTL_2_5V
Module is                 SSTL_1_8V
Module is               VOLTAGE_UNKNOWN
Minimum Cycle Time At Max CL:   %d.%d [ns]
Clock To Data Out:              %d.%d [ns]
Error Check Type (0=NONE):      %d
Refresh Rate:                   %x
Sdram Width:                    %d bits
Error Check Data Width:         %d bits
Minimum Clk Delay back to back: %d
Burst Length Supported: 
 Bit 
Number Of Banks On Each Chip:   %d
Suported Cas Latencies: (CL) 

I think that everything is done on your side and that your SFP ONU is using the correct SN.
As you are using Alcatel-Lucent and based on this document http://fr.slideshare.net/wahyunasution1 ... figuration [page 35], on the OLT there is the planned software and the active software for each ONT HW version, and if they mismatch an alarm is triggered and the ONU will not get registered (this is your case).

You will need your telco to register your ONU as an SFP bridge and not as a router to escape the planned/active software story.
 
mbasenin
just joined
Posts: 1
Joined: Sat Feb 11, 2017 6:33 pm

Re: Research on Changing Serial Number for GPON ONU Module

Sat Feb 11, 2017 6:44 pm

Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:
<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>
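
The layout in this post matches the mtdparts string in the U-Boot environment quoted earlier in the thread. As an added example (not code from any poster), the following parses that string, maps a flash address such as the 0x7D0000 JFFS2 location to its partition, and reads the SquashFS superblock at the rootFs offset. The 16 MiB flash size and the sample image are assumptions constructed for the example; the superblock values are the ones reported in the post, with the timestamp read as UTC.

```python
"""Map a raw SPI-flash dump onto the U-Boot mtdparts layout and read the
SquashFS superblock of the root filesystem partition (read-only triage)."""
import calendar
import re
import struct

# mtdparts string from the U-Boot environment quoted in the thread.
MTDPARTS = (
    "mtdparts=spi_flash:1M@0(uboot),3584K@0x100000(uImg),3M@0x480000(rootFs),"
    "512K@0x780000(vars),3584K@0x800000(uImgB),3M@0xB80000(rootFsB),"
    "512K@0xE80000(varsB),-(spacer)"
)
FLASH_SIZE = 16 * 1024 * 1024  # assumption: 16 MiB part; the thread gives no size

UNIT = {"": 1, "K": 1024, "M": 1024 * 1024}
PART_RE = re.compile(r"(-|\d+)([KM]?)(?:@(0x[0-9a-fA-F]+|\d+))?\((\w+)\)")
SQFS_SUPERBLOCK = struct.Struct("<5I6H8Q")  # 96 bytes, SquashFS 4.x, little endian
SQFS_MAGIC = 0x73717368                     # b"hsqs" as stored on flash


def parse_mtdparts(arg, flash_size=FLASH_SIZE):
    """Return [(name, offset, size)]; reject overlapping or oversized entries."""
    if ":" not in arg:
        raise ValueError("expected mtdparts=<device>:<partitions>")
    parts, cursor = [], 0
    for item in arg.split(":", 1)[1].split(","):
        m = PART_RE.fullmatch(item.strip())
        if m is None:
            raise ValueError(f"unparsable partition spec: {item!r}")
        size_s, unit, off_s, name = m.groups()
        offset = int(off_s, 0) if off_s else cursor
        # "-" means "the rest of the device".
        size = flash_size - offset if size_s == "-" else int(size_s) * UNIT[unit]
        if offset < cursor:
            raise ValueError(f"{name} overlaps the previous partition")
        if size <= 0 or offset + size > flash_size:
            raise ValueError(f"{name} does not fit in {flash_size:#x} bytes")
        parts.append((name, offset, size))
        cursor = offset + size
    return parts


def partition_at(parts, address):
    """Name of the partition that contains a flash address, or None."""
    for name, offset, size in parts:
        if offset <= address < offset + size:
            return name
    return None


def read_squashfs_superblock(image, offset, limit):
    """Parse the superblock at `offset`; `limit` is the partition size."""
    if offset + SQFS_SUPERBLOCK.size > len(image):
        raise ValueError("image too short for a superblock at this offset")
    f = SQFS_SUPERBLOCK.unpack_from(image, offset)
    if f[0] != SQFS_MAGIC:
        raise ValueError(f"no little-endian SquashFS magic at {offset:#x}")
    sb = {"inodes": f[1], "mkfs_time": f[2], "block_size": f[3],
          "block_log": f[6], "version": (f[9], f[10]), "bytes_used": f[12]}
    if sb["block_size"] != 1 << sb["block_log"]:
        raise ValueError("block_size and block_log disagree (corrupt superblock)")
    if sb["bytes_used"] > limit:
        raise ValueError("filesystem claims more bytes than its partition holds")
    return sb


def build_sample_image():
    """Constructed image: erased flash (0xFF) plus one superblock, no file data."""
    image = bytearray(b"\xff" * FLASH_SIZE)
    mkfs_time = calendar.timegm((2015, 11, 18, 10, 21, 54))  # read as UTC
    SQFS_SUPERBLOCK.pack_into(
        image, 0x480000,
        SQFS_MAGIC, 470, mkfs_time, 131072, 0,   # magic, inodes, time, block size, fragments
        1, 17, 0, 1, 4, 0,                       # compression id (placeholder), block_log, flags, ids, version 4.0
        0, 2148429, 0, 0, 0, 0, 0, 0,            # root inode, bytes_used, table offsets (unused here)
    )
    return bytes(image)


if __name__ == "__main__":
    parts = parse_mtdparts(MTDPARTS)
    for name, offset, size in parts:
        print(f"{name:8s} {offset:#010x} {size:#010x}")
    print("0x7D0000 is in:", partition_at(parts, 0x7D0000))
    rootfs = next(p for p in parts if p[0] == "rootFs")
    print(read_squashfs_superblock(build_sample_image(), rootfs[1], rootfs[2]))
```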
 
troffasky
Member
Posts: 394
Joined: Wed Mar 26, 2014 4:37 pm

Re: Research on Changing Serial Number for GPON ONU Module

Sun Feb 12, 2017 6:51 pm

> Based on the hardware schematic and publicly available information, there is a large chance that the module is more like a Linux computer with two bridged interfaces.

This is fascinating, and a little bizarre. Surely running an entire OS on SFP is a massive overhead?
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 12:55 pm

How did you dump it?
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 1:33 pm

> Based on the hardware schematic and publicly available information, there is a large chance that the module is more like a Linux computer with two bridged interfaces.

> This is fascinating, and a little bizarre. Surely running an entire OS on SFP is a massive overhead?

After analyzing the embedded Linux, the OS on the module is not forwarding any packets. There is a hardware switch on the SoC actually doing all data forwarding.
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 1:35 pm

How can I dump the embedded Linux? I'm curious.
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 1:37 pm

> How did you dump it?
I removed the flash chip from the board (using hot air), then dumped it with an STM32 flashrom programmer.

Here is the flash: https://www.lolicon.me/mikrotik/flash.bin
Last edited by lty1993 on Thu May 25, 2017 2:16 pm, edited 1 time in total.
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 1:52 pm

is 404 not found.

I'm new to hardware debugging and it sounds very interesting. How did you get hot airflow to remove the chip?

> I removed the flash chip from the board (using hot air), then dumped it with an STM32 flashrom programmer.
>
> Here is the flash: https://cdn.lty.me/mikrotik_gpon_flash.bin
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 2:02 pm

send me pm

I have a Huawei OLT and this module as well. I want to try to change the SN and associate it with my OLT, or my ISP's OLT using the SN of my HG.
That sounds interesting.
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 2:21 pm

@ilinsky

The link has been fixed. And I do not know how to send pm in this forum.
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 2:28 pm

I see

I saw it with binwalk and it is huge. Is it possible to repack it with changes done and flash it back, any idea? I googled about hot air already.

I connected my module to my Huawei 5608 OLT and it does not appear in iManager U2000 auto discovery. I think it has something to do with the interoperability configuration.

 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Thu May 25, 2017 3:33 pm

> I see
>
> I saw it with binwalk and it is huge. Is it possible to repack it with changes done and flash it back, any idea? I googled about hot air already.
>
> I connected my module to my Huawei 5608 OLT and it does not appear in iManager U2000 auto discovery. I think it has something to do with the interoperability configuration.

Yes, you can repack it and flash it back.
 
ilinsky
just joined
Posts: 9
Joined: Sat Jun 28, 2014 9:00 am

Re: Research on Changing Serial Number for GPON ONU Module

Sat May 27, 2017 3:46 am

Which software do you use to actually interact with the STM32 programmer to download the flash?
 
lty1993
just joined
Topic Author
Posts: 13
Joined: Sat May 10, 2014 11:12 am

Re: Research on Changing Serial Number for GPON ONU Module

Sun Jun 11, 2017 5:15 pm

> Which software do you use to actually interact with the STM32 programmer to download the flash?
flashrom
https://www.flashrom.org/Flashrom
 
filiptc
just joined
Posts: 1
Joined: Mon Sep 18, 2017 11:41 am

Re: Research on Changing Serial Number for GPON ONU Module

Mon Sep 18, 2017 11:43 am

Wow, thanks for your research. Is there a way to overwrite the XML with modified values without tinkering with the hardware?
 
dylanger
just joined
Posts: 1
Joined: Tue Jan 02, 2018 11:12 pm

Re: Research on Changing Serial Number for GPON ONU Module

Tue Jan 02, 2018 11:16 pm

For anyone interested, I'm sort of following the research but on Ubiquiti's Nano G OLT, read more here: https://community.ubnt.com/t5/UFiber-GP ... 90379#M773

It looks like the serial may be stored in simple flash instead of EEPROM, at least I'm hoping. There's a kernel driver that allows writing and reading DWORDs over SPI to the transceiver; this may allow changing the serial without needing to mess around with the hardware / chip-off.
 
geduxas
just joined
Posts: 2
Joined: Thu Aug 10, 2017 10:42 am

Re: Research on Changing Serial Number for GPON ONU Module

Fri Jun 22, 2018 4:18 pm

Hi, any news in this adventure? I am in the same boat. I need to change the SN and PON password.
 
CarlitoxxPro
just joined
Posts: 13
Joined: Wed Jan 04, 2017 10:15 am
Location: Spain

Re: Research on Changing Serial Number for GPON ONU Module

Fri Jun 21, 2019 6:33 pm

We fought with this topic some time ago.

To summarize a little bit:

The GPON ONU is a different kind of transceiver that does not have a traditional EEPROM inside. Instead it uses a NOR flash chip (8, 16, 32 mb depending on the manufacturer), and access to it is emulated after the OS has loaded/booted. This kind of transceiver has an embedded Linux inside with the specific ONU/OMCI drivers and all the other features that each manufacturer wants to add, like the MAC.

The GPON ONU comes in two versions:
1- Without MAC: the GPON does not have an accessible network interface through which we can configure it; it comes already preconfigured and can only be provisioned via OMCI from the OLT side.
2- With MAC (Sticks): the GPON has an accessible network interface and a method to use it, like telnet, SSH, or web (Linux services); there you have the possibility to configure/debug it.

The MikroTik ONU is a transceiver from the first group. In its case the basic details (SN and PLOAM password) are preconfigured at the factory, and that information is stored in both places:
1- In the "EEPROM" used by the devices this SFP is connected to, to know what kind of transceiver it is and to persist some changes like SN, PLOAM password and more.
2- In the firmware image itself: inside the configuration files used by the PON and OMCI drivers. In most cases (with a MAC transceiver) this has a default value that is updated at boot time with the value from the "EEPROM".

The problem is that the MikroTik GPON ONU does not update the SN, PLOAM password, etc. in the config files inside the filesystem at boot time, because it was made as a pre-provisioned transceiver. In other words, you cannot change these values from the client side; it can only be configured on the OLT side to be discovered. Take into account that the filesystem is read-only once it is mounted at boot.

The trick here (the most complicated part) is to update the files where the SN and the PLOAM password (SLID) are stored, rebuild the filesystem, recalculate the CRC checksum and rewrite the NOR flash, so that you can complete the authentication process with the OLT. You should update the values in both places, filesystem and EEPROM (remember it is a virtualized EEPROM inside the NOR flash and can only be accessed before the SFP has booted completely, via an I2C EEPROM programmer or via comand_cli if the GPON has this feature available).

This is a very expensive procedure and only people with very good skills in these areas can make this change on their own.

All GPON ONUs (and SFPs in general) have two-wire console access for debugging and configuration using an EVM board (Evaluation Module Board) that provides network access to the GPON (only for Sticks) and serial console access.

We spoke many times with MikroTik about a firmware update to give MAC capabilities to their GPON ONU, but they are not interested in spending resources on making these changes, like many other manufacturers.

For this reason we developed our own GPON ONU Stick with these features and more.
More details here: https://www.facebook.com/CarlitoxxPro/p ... 1173849605 (Spanish language)

I hope that I've clarified this topic a little bit more for some people.

Kindest Regards.
 
Error0x29A
newbie
Posts: 31
Joined: Thu Feb 28, 2019 5:48 pm

Re: Research on Changing Serial Number for GPON ONU Module

Sun Jun 23, 2019 8:08 pm

First of all, thank you CarlitoxxPro for your research and comprehensive post. I find it educational and fascinating. As the market matures, some countries like Italy have passed a law and allow users to register their own GPON SFP. Other countries like France (Orange) and Canada (Bell Canada) make it easy to remove the SFP from the gateway (Orange Livebox4) (Bell Canada HH3000) and plug it into a compatible Mikrotik router.
I would no longer waste time researching the Mikrotik GPON ONU based on the Marvell chip. It has been discontinued and the remaining stock on various sites is quite expensive.
https://mikrotik.com/product/SFPONU

On the other hand, all GPON SFP based on the Lantiq FALC™ON MIPS34Kc chipset are quite popular, to name a few.
Huawei MA5671A
Dasan H650SFP
Zisa OP151S
Sercomm FGS202
Alcatel-Lucent G-010S-P
CarlitoxxPro CPGOS03-0490
D-Link DPN-100
Zyxel PMG3000-D20B

FALC stands for Framer and Line Interface Component

Thanks to the French provider Orange, the European market is flooded with cheap FGS202 GPON sticks. And they support MAC address.
The average image size for the Lantiq chips is around 3.6MB-4MB. Question for people with the right skillset and equipment (hot air, programmer):

Is it possible to use the image from one SFP and flash it to another SFP using a programmer or TFTP server to get the desired features (SN change)?

I could get 2-3 cheap FGS202 sticks from my French colleagues and I volunteer to flash it with a modified image.

Edit:
1. Added more modules with Lantiq chip. Two more GPON Sticks: D-Link and Zyxel
Last edited by Error0x29A on Thu Jun 27, 2019 4:12 am, edited 3 times in total.
 
Error0x29A
newbie
Posts: 31
Joined: Thu Feb 28, 2019 5:48 pm

Re: Research on Changing Serial Number for GPON ONU Module

Tue Jun 25, 2019 7:17 pm

It's worth mentioning that for the majority of GPON sticks we use in our Mikrotik routers, the reference design and SDK are provided by T&W Shenzhen Gongjin Electronics Co., Ltd
Minimum order is 10000 pieces if you want to order directly from the source.
http://twsz.com/en/product/98/451.html TW2362H-CDEH GPON SFP

Firmware images often contain a reference to it, e.g. TW2362H-CDEL-TW-R01B010D35befddf-CN.squashfs.upf
