Resetting.....

Upcoming fresh hacks

Non-Technical Hacks that works - Have Fun! (Status: in progress..)

Hacking network based biometric time-attendance system - Be your own boss! (Status: Done!)
Milestone Xprotect License Bypass hack - Replace a camera without license re-activation (Status: Done!)

Wednesday, June 22, 2011

Zain Wimax: ZyXEL HES-319M serial output log

ZyXEL HES-319M (Outdoor CPE)

Serial Output @ 115200



+Ethernet eth0: MAC address 00:00:00:00:00:00
IP: 192.168.0.8/255.255.255.0, Gateway: 192.168.0.1
Default server: 192.168.0.1

RedBoot(tm) bootstrap and debug environment [ROMRAM]
Non-certified release, version UNKNOWN - built 22:09:57, Aug 24 2010

Platform: MT7119 system (ARM9)
Copyright (C) 2000, 2001, 2002, 2003, 2004 Red Hat, Inc.
Copyright (C) 2003, 2004, 2005, 2006 eCosCentric Limited

RAM: 0x00000000-0x02ffc000, [0x000377e0-0x02ff0000] available
FLASH: 0x60000000 - 0x664c0000, 403 blocks of 0x00040000 bytes each.
RedBoot> cache on
RedBoot> fs setpart -d /dev/flash1 -o 0x40000 -l 0
dev: /dev/flash1, offset: 40000, length: 6480000
RedBoot> fis read -b 0x500000 -f 0x60030000 -l 0x10000
RedBoot> eval 0x500000
[gpio_out 0 47]
[gpio_out 1 46]
[gpio_out 1 34]
[gpio_blink 1 39]
[fs mount -d /dev/flash1 -t jffs2 /flash]
jffs2 cleanmark size=800
<4>Empty flash at 0x00d439cc ends at 0x00d44000
<4>Empty flash at 0x00d4b1cc ends at 0x00d4b800
<4>Empty flash at 0x02ecfd78 ends at 0x02ed0000
<4>Empty flash at 0x02ef2dbc ends at 0x02ef3000
<4>Empty flash at 0x02f26d78 ends at 0x02f27000
<4>Empty flash at 0x02f2e1cc ends at 0x02f2e800
[fs cd /flash]
[load -m file -b 0x800000 -r gym.elf.bin]
Raw file loaded 0x00800000-0x00827b77, assumed entry at 0x00800000
[cache off]
[gym base 0x800000]
[gpio_in 42]
v=1, 44f7
[gym htp_gpio 42 32 33]
htp_gpio 42 32 33
[gpio_blink 0 39]
[gpio_blink 1 34]
[gym htp_test 0]
pin 42: htp jmp detect false
[cache on]
[gpio_blink 0 34]
[gpio_blink 1 39]
[load -m file -b 0x600000 -r zImage]
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x00600000-0x006ee95b, assumed entry at 0x00600000
[load -m file -b 0x1000000 -r initrd]
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
<5>JFFS2 notice: read_dnode: data CRC failed on node at %#08x: read %#08x, calculated %#08x
Raw file loaded 0x01000000-0x01778fff, assumed entry at 0x01000000
[exec -z -b 0x600000]
Decompressing Linux... done, booting the kernel.
Linux version 2.6.26.8-rt16 (agigi@sw1-buildserver225) (gcc version 3.4.4) #1 PREEMPT Mon Jan 24 10:26:31 CST 2011
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
Machine: MT7108
Memory policy: ECC disabled, Data cache writeback
CPU0: D VIVT write-back cache
CPU0: I cache: 32768 bytes, associativity 4, 32 byte lines, 256 sets
CPU0: D cache: 32768 bytes, associativity 4, 32 byte lines, 256 sets
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 13716
Kernel command line: console=ttyS1,115200n1 mem=54M@0M initrd=0x1000000,0x1500000 ramdisk_size=0x1500000 root=/dev/ram
PID hash table entries: 256 (order: 8, 1024 bytes)
console [ttyS1] enabled
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 54MB = 54MB total
Memory: 30592KB available (2380K code, 134K data, 104K init)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
net_namespace: 496 bytes
NET: Registered protocol family 16
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
checking if image is initramfs...it isn't (bad gzip magic numbers); looks like an initrd
Freeing initrd memory: 21504K
NetWinder Floating Point Emulator V0.97 (double precision)
squashfs: version 3.4 (2008/08/26) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 101
io scheduler noop registered
io scheduler cfq registered (default)
Serial: 8250/16550 driver $Revision: 1.90 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at MMIO 0x800b0000 (irq = 8) is a 16550A
serial8250: ttyS1 at MMIO 0x800a0000 (irq = 7) is a 16550A
brd: module loaded
loop: module loaded
oprofile: using arm/armv5_mtk
u32 classifier
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
ctnetlink v0.93: registering with nfnetlink.
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 17
Bridge firewalling registered
802.1Q VLAN Support v1.8 Ben Greear
All bugs added by David S. Miller
RAMDISK: squashfs filesystem found at block 0
RAMDISK: Loading 7650KiB [1 disk] into ram disk... | / - \ | / - \ | / - done.
VFS: Mounted root (squashfs filesystem) readonly.
Freeing init memory: 104K

init started: BusyBox v1.6.1 (2011-01-24 10:30:15 CST) multi-call binary
[Strating] WatchDog ...
6 /sbin/watchdog
[WATCHDOG] check_umac_health=on timeout=31 interval=5 ahb_clk=61666666
[Service ] start
ccif: module license 'Propietary' taints kernel.
register fastpath id=3 net_device=c304e000 name=vth%d if_type=2 hard_header_len=14

total size = 64c0000
page size = 11
erase size = 40000
indirect = 1
program size= 800
etc size = 3e00000

Searching for RedBoot partition table in MTDCCIF at offset 0xc0000
No RedBoot partition table detected in MTDCCIF
use default partition map
Creating 2 MTD partitions on "MTDCCIF":
0x00000000-0x00040000 : "Redboot"
0x00040000-0x03e40000 : "etc_plus"
mtd_partitions add
Empty flash at 0x00d439cc ends at 0x00d44000
Empty flash at 0x00d4b1cc ends at 0x00d4b800
Empty flash at 0x02ecfd78 ends at 0x02ed0000
Empty flash at 0x02ef2dbc ends at 0x02ef3000
Empty flash at 0x02f26d78 ends at 0x02f27000
Empty flash at 0x02f2e1cc ends at 0x02f2e800
mount etc -> mtd1
mount: mounting mtd4 on /usr/local failed
[Service ] /etc/rc.d/S00boot_update
[Service ] /etc/rc.d/S00wimac_update
[Starting] wimac upgrade checking ...
[Service ] /etc/rc.d/S01netmods
[Starting] netmods
JFFS2 notice: (215) check_node_data: wrong data CRC in data node at 0x02f2d188: read 0x1eb09d86, calculated 0xd2f8fcc4.
init mod-syss
init mod-ksocket
******************************************************************
******************************************************************
insmod wimax.ko
register fastpath id=1 net_device=c16f4000 name=wmx0 if_type=1 hard_header_len=14
******************************************************************
******************************************************************
register fastpath id=0 net_device=c2c72000 name=eth%d if_type=0 hard_header_len=14
[Service ] /etc/rc.d/S02sncfgd ffb7f15c
[Starting] sncfgd ... JFFS2 notice: (215) check_node_data: wrong data CRC in data node at 0x02f25d34: read 0x234221da, calculated 0xade04501.
PhysWanIf1=wmx0
JFFS2 notice: (215) check_node_data: wrong data CRC in data node at 0x00d4a188: read 0x245e181c, calculated 0x44d5e000.
JFFS2 notice: (215) check_node_data: wrong data CRC in data node at 0x00d42988: read 0x7e21d53b, calculated 0xca3fdf55.
JFFS2 notice: (215) check_node_data: wrong data CRC in data node at 0x00d5a060: read 0x842534e9, calculated 0x4336ec13.
OK
[Service ] /etc/rc.d/S03ledbutton ffb8edf1
Starting ledbuttongpio_model = 1
ledbutton: PCI is disabled
ledbutton:
wlan(-1) usb(-1) rst(36) wps(-1)
green(32) yellow(33) red(-1) res1(-1)
res2(-1) power(-1) sys1(42) sys2(47)
voip4(-1) voip3(46) voip2(39) voip1(34)
bat0(-1) bat1(-1) bat2(-1) bat3(-1)
bat4(-1) usrin1(-1) usrin2(-1) usrin3(-1)
usrout1(-1) usrout2(-1) usrout3(-1) pwkey(-1)
chgin(-1) chgsta(-1) chgen1(-1) chgen2(-1)
chgen(-1) chgtype(-1) busr1(-1) busr2(-1)
busr3(-1) busr4(-1) lcdreset(-1) lcda0(-1)
lcdfunc1(-1) lcdfunc2(-1) lcdlight1(-1) lcdlight2(-1)
lcdlight3(-1) lcdlight4(-1) n/a(-1) n/a(-1)
n/a(-1) n/a(-1) n/a(-1) n/a(-1)
n/a(-1) n/a(-1) n/a(-1) n/a(-1)
n/a(-1) n/a(-1) n/a(-1) n/a(-1)
n/a(-1) n/a(-1) n/a(-1) n/a(-1)
.
[Service ] /etc/rc.d/S03networking ffb926bc
[Starting] networking
br0: Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature.
device eth0 entered promiscuous mode
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
.
[Service ] /etc/rc.d/S03ozybr0Downsh ffb946c5
br0: port 1(eth0) entering disabled state
[Service ] /etc/rc.d/S03swctl ffb94c29
Starting switch setting --- NAT mode ---.
[Service ] /etc/rc.d/S03swrtc ffb9ccac
Starting SW RTCThu Jun 9 19:42:00 UTC 2011
Thu Jun 9 22:44:00 LST 2011
SW_RTC_TIMESTAMP=060919442011.00
Jun 9 22:44:00 [CFGD]: /etc/sncfg/swrtc.cfg provisioned and translates to settings --- to install system time log (SW RTC)[Translating] crontab ... OK
.
[Service ] /etc/rc.d/S03zyINITsh ffb9eb9b

Already append MAC in anonymous outer id!

[Starting OK
[Service ] /etc/rc.d/S04ebtables ffb9fb2c
[/etc/rc.d/S04ebtables start] Init ebtables
Ebtables v2.0 registered
[/etc/init.d/ebtables_mac reload] update rule
[Service ] /etc/rc.d/S04netfilter ffba644f
[Starting] FW/NAT
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
.
[Service ] /etc/rc.d/S04sysklogd ffbc1ff0
[Strating] syslog and klog daemon ... OK
[Service ] /etc/rc.d/S04telnetd ffbc2bd6
[Starting] telnet server/usr/sbin/telnetd -p 23 ...
***********************************
***********************************
* You can do Test MODE now *
***********************************
***********************************
OK
[Service ] /etc/rc.d/S04wifi ffbc3830
soc_id = MT7117 ...exit
[Service ] /etc/rc.d/S04zyBUZZsh ffbc3d02
[Starting] zyBUZZ ... .... done ....
[Service ] /etc/rc.d/S05dropbear ffbc4860
[Starting] ssh server OK
[Service ] /etc/rc.d/S05mini_httpd ffbc5ced
[Starting] httpd server/bin/mini_httpd.elf /etc/conf/mini_httpd.conf ... .
OK
[Service ] /etc/rc.d/S05mini_httpsd ffbc7535
[Starting] https server/usr/trans/httpsd.trans ... /bin/mini_httpd.elf /etc/conf/mini_httpsd.conf ... .
OK
[Service ] /etc/rc.d/S05miniupnpd ffbcbe6b
Starting miniupnpd.
[Service ] /etc/rc.d/S05musbhdrc ffbd0123
[Starting] musbhdrc
insmod: cannot insert '/lib/modules/2.6.26.8-rt16/kernel/drivers/usb/musbhdrc.ko': No such device (-1): No such device
modprobe: failed to load module musbhdrc
[Service ] /etc/rc.d/S06dhcpd ffbd3e70
[Starting] dhcp server/relay ... /usr/trans/dhcpd.trans ... /usr/sbin/udhcpd /etc/conf/udhcpd.conf ... OK
[Service ] /etc/rc.d/S07networking_wan ffbd85da
[Starting] networking
.
[Service ] /etc/rc.d/S10sroute ffbd8a8e
[Strating] zebra daemon ... /usr/trans/sroute.trans ... /usr/sbin/zebra -d -f /etc/conf/zebra.conf -i /var/run/zebra.pid ... OK
[Service ] /etc/rc.d/S11ripd ffbda98b
[Strating] rip daemon ... rip daemon was configured to be disabled ... FAIL
[Service ] /etc/rc.d/S12l2tpd ffbdb0f6
[Starting] L2TP
l2tp is not enabledsh: 0: unknown operand
FAIL
[Service ] /etc/rc.d/S13sc ffbdb7a2
soc_id = MT7117 exit
[Service ] /etc/rc.d/S13zybr0Upsh ffbdbef3
br0: port 1(eth0) entering learning state
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
[Service ] /etc/rc.d/S14zyRSTsh ffbdcc8f
[Starting] zyRST ... .... done ....
[Service ] /etc/rc.d/S15dhcpd ffbdd6e9
[Starting] dhcp server/relay ... dhcp server is already running ... OK
[Service ] /etc/rc.d/S19cron ffbddecd
[Starting] crond ... OK
[Service ] /etc/rc.d/S19wmxd ffbde5b0
[Starting] wmxd ... OK
[Service ] /etc/rc.d/S19zyLEDsh ffbdea11
[Starting] zyLED ... Aieeeeeeeeeeee ............ recv Signal No 15 : closing program safely -----
.... done ....
[Service ] /etc/rc.d/S29apumac_log ffbe7e5a
[Starting] apumac_logd.
OK
[Service ] /etc/rc.d/S29rcmapid ffbe8f80
[Starting] rcmapid.
OK
[Service ] /etc/rc.d/S30priset ffbe95b1
[Starting ] priset, priority sync
[Service ] /etc/rc.d/S31zyFTPDsh ffbef94a
[Starting] ftpd ... .... done ....
[Service ] /etc/rc.d/S31zySYNCsh ffbf03b9
[Starting] zyRST ... ZySync Disabled mode
.... done ....
[Service ] /etc/rc.d/S34zyMultibootsh ffbf0933
[Starting] zyMultiboot ... Multiboot Rx Start...
.... done ....
[Service ] /etc/rc.d/S35zyHTPsh ffbf1b53
[Starting] zyhtp ... Detecting jumper was false! ...Exit zyHTPsh!

[Service ] end ffbf2896

Model Name: HES-319M
Software Version: 2.00(TPD.2)


Press enter to continue...
Exit zyMultiboot program.
Multiboot Rx Stop...

END!

1 comments:

Luke said...

Hi! Good work!! :)
I have one question for you...maybe you can help me!!? :)
My HES-319M, every 10 seconds, play a bip signal!
Why??
It's properly connected.
How I can remove the "bip"??

Thanks in advance,
luke

Post a Comment