Kabel Deutschland TR-069 Auto-Configuration on a FritzBox 7390

The cable provider Vodafone (Kabel Deutschland) does not officially support VoIP connections from routers other than the ones they have issued, in my case a FRITZ!Box 7270. They do not hand out the VoIP credentials; their boxes are auto-configured via the TR-069 protocol. Having a FRITZ!Box 7390, I investigated how to enable this full auto-configuration on boxes other than the 7270.

This is a follow-up to my previous post on how to clone CWMP settings between FritzBox 7270s.

I started with a freshly recovered FritzBox 7390, i.e. all previous configuration settings were erased. Also I did not connect any devices to the FritzBox. The Power/DSL LED is blinking.

The following changes were made via the UART interface on the PCB. I have not tested them via the FritzBox Telnet connection. It might be possible to write and trigger them as a shell script (as the network connection is shut down in the process); I have not tested that either.

FritzBox 7390 UART Connection

Start with a shell on the FritzBox and shut down the network and DSL daemons:

cd /etc/init.d/

./rc.net stop
    [...takes some time...]

./rc.dsl.sh stop
    [...takes some time...]

Then reconfigure the environment settings. I’ve used the urlader / boot loader (EVA) to set the tr069 credentials (as described in the cloning post below). I’m not sure whether they can also be defined later from the running system, but if so, it should look something like this:

echo "tr069_passphrase XXXXXXXXXXXX" >> /proc/sys/urlader/environment
echo "tr069_serial 00040E-XXXXXXXXXXXX" >> /proc/sys/urlader/environment

You might also want to check the MAC addresses: maca, macb, macwlan, macwlan2, macdsl, usb_board_mac, usb_rndis_mac.
If the default addresses are set, the FritzBox might completely fail to establish an internet connection. In that case set them to (pseudo)random values.

The following settings have to be adapted temporarily to simulate a FritzBox 7270. These environment variables are reset on the next reboot (unlike the changes made in the urlader, by the way). Besides the tr069 credentials defined above, the remote TR-069 server (the provider’s ACS) checks the product name and the software version before it hands out the configuration.

export CONFIG_PRODUKT_NAME="FRITZ!Box Fon WLAN 7270 v2"

export CONFIG_PRODUKT="Fritz_Box_7270_16"

export CONFIG_VERSION="06.05"

export CONFIG_SUBVERSION=""

export CONFIG_VERSION_MAJOR="54"

export EXTERNAL_BOX_PARAMS="hardware=${HWRevision}&oem=${OEM}&language=${Language}&country=&version=${CONFIG_VERSION_MAJOR}.${CONFIG_VERSION}&subversion=${CONFIG_SUBVERSION##*-}"

After that, restart the network daemon:

./rc.net start
    [...wait 10-20 seconds...]

Connect the FritzBox to the cable modem (via LAN1). After a while the FritzBox should fetch the CWMP/TR-069 settings, including the telephone settings. This can be checked with:

cat /var/flash/tr069.cfg
    [...should list tr069 settings...]

cat /var/flash/voip.cfg
    [...should list telephone settings...]

P.S. I recommend disabling the TR-069 auto-configuration if it is not needed: it gives the provider’s auto-configuration server remote management access to the router, which is a rather large hole in its security.

Cloning FritzBox 7270 CWMP Settings

I own an over five-year-old AVM FritzBox 7270 router which, after all that time, is becoming slightly unstable. (The capacitors might be wearing out.) The router uses the CWMP (TR-069) protocol to authenticate itself to my cable provider Vodafone (Kabel Deutschland). As these settings are tied to the box, and the FritzBox 7270 is neither sold nor supported anymore, I bought two cheap 7270_v2 boxes (identical hardware, different branding) on eBay and successfully transferred the authentication credentials from my old box onto the two new ones.

Warning: please keep in mind that the following steps worked for me, but I am not responsible if you brick your FritzBox by trying them yourself. I tested this on two spare routers I had explicitly bought for this purpose.

0. Debranding & serial connection

Opening the cases of the routers gave direct access to the serial interfaces on the PCBs. This might not be necessary, as all of the following steps, or at least the debranding (here: “1und1” to “AVM”), can probably be done without access to the serial interface. I have not tested that. The serial interface, however, allowed the “deepest” access to the routers’ system.

I will not describe how to set up a terminal connection or how USB to RS232 adapters work; this is sufficiently covered by other tutorials. It is also not necessary to solder pins onto the serial interface pads on the PCB. For me it worked perfectly to just stick a few pin headers into the pads, as seen in the following two images. (It’s best not to touch the cable during the process though.)

FritzBox 7270 RS-232 Connection (two images)

1. Test: Directly connecting the two new boxes to the cable modem

After a factory reset (“Werkseinstellungen”) via the web interface, I first connected the two boxes to the cable modem. As expected they were able to fetch the general provider settings but not the VoIP (telephone) settings.

Comment: the VoIP settings can be extracted by hand from a fully authenticated FritzBox, but I wanted the boxes to do that for me.

2. Backups: Storing the environment settings and MTDs

It is always a good idea to make backups of the devices you are going to hack. I attached a USB stick to the box and changed into a newly created directory on it. You will need to back up the following file on all of your FritzBox routers. (Adapt the destination filename as necessary.)

cp /proc/sys/urlader/environment environment-source-fritzbox.txt

It’s also a good idea to make backups of the block devices, just in case. The FritzBox 7270 should have six MTD partitions, mtd0 to mtd5; cat /proc/mtd lists them. Back up each one:

for i in 0 1 2 3 4 5; do dd if=/dev/mtd$i of=mtd$i.bin; done

3. Cloning the CWMP settings

I once again ran a factory reset while having the serial interface connected to the box. I halted the boot process directly after the reset, when the bootloader (“urlader” / Eva_AVM) appeared. The bootloader shows a prompt for 5 seconds, and the boot process can be interrupted by entering a command, e.g. “h<enter>” for help.

[...]
system is going down ..
The system is going down NOW!
Sent SIGTERM to all processes
Requesting system reboot

(AVM) EVA Revision: 1.455 Version: 1455
(C) Copyright 2005 AVM Date: Apr 1 2008 Time: 13:07:03 (1) 2 0x0-0x41D

[FLASH:] ST Uniform-MirrorBit-Flash 16MB 64 Bytes WriteBuffer
[FLASH:](Eraseregion [0] 128 sectors a 128kB) 
[SYSTEM:] UR8 on 360MHz/120MHz syncron

 Commands  Description
 --------  -----------
 help      help
 dm        dump mem <addr> <range>
 cm        change mem <addr> <value>
 erase     Erase Flash <mtd>
 printenv  print Env. Variables
 restart   reboot Device
 setenv    set Env. variable <var> <value>
 unsetenv  unset Env. variable <var>
 go        load & start kernel from mtd1
 setmac    set mac addresses <addr> (like 12:23:40)
 memtest   test memory

To really erase all settings from the FritzBox 7270 I’ve used the “Erase Flash” option. The settings are stored in two TFFS blocks: mtd3 and mtd4.

Warning: stay away from mtd2 (the bootloader)! Erasing this block device will brick your router.

Eva_AVM >erase mtd3
erase from 0x90F80000 to 0x90FC0000

Eva_AVM >..
Eva_AVM >erase mtd4
erase from 0x90FC0000 to 0x91000000

Eva_AVM >..
Eva_AVM >restart
<create new TFFS>

[...break here! ...]

After the restart the TFFS partitions are recreated from the settings hard-coded in the bootloader. Again interrupt the boot process directly after the TFFS blocks have been restored. Now look into the previously stored environment settings from the original FritzBox and add (or overwrite) the CWMP settings in the destination box. It might be necessary to also set the MAC addresses, as they might have been reset to default values. (The default MAC addresses possibly won’t let you connect at all; I had that problem with one of my boxes.)

Eva_AVM >setenv tr069_passphrase XPASSPHRASEX

Eva_AVM >setenv tr069_serial 00040E-XXXSERIALXXX

Eva_AVM >restart

Comment: you can check with the “printenv” command whether the settings were applied and whether the default environment (MAC) settings were set.

Eva_AVM >printenv

In my case that was all I had to do. I then let the router boot as normal and connected it to the cable modem. After a minute or so it fetched all necessary settings (including the VoIP settings) and pre-configured the FritzBox.
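As an added example (not code from the posts), the following Python script does the bookkeeping for steps 2 and 3 above and for the MAC-address check in the 7390 post: it parses a backup of /proc/sys/urlader/environment, pulls out tr069_passphrase and tr069_serial, flags MAC addresses that are missing, malformed, all-zero or on a list of known defaults, and prints either the setenv lines for the Eva_AVM> prompt or the echo lines for a running box. The sample environment in it is constructed, the list of default MAC addresses is a placeholder assumption (fill it with what printenv shows after the TFFS re-create), and the helper names are mine, not AVM’s.

```python
"""
Extract the TR-069 credentials from a backup of /proc/sys/urlader/environment,
flag MAC addresses a destination box must not keep (missing, malformed,
all-zero or in a list of known defaults) and emit the commands to replay
them: `setenv` lines for the Eva_AVM> prompt, or `echo ... >>
/proc/sys/urlader/environment` lines for a running box.

Added example, not code from the original posts. SAMPLE_ENV is constructed,
and KNOWN_DEFAULT_MACS is a placeholder assumption.
"""
import re
import secrets

TR069_KEYS = ("tr069_passphrase", "tr069_serial")
MAC_KEYS = ("maca", "macb", "macwlan", "macwlan2", "macdsl",
            "usb_board_mac", "usb_rndis_mac")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
KNOWN_DEFAULT_MACS = ("00:04:0E:00:00:00",)   # assumption, see docstring

# Constructed sample of an environment backup (key<TAB>value per line);
# the credentials are placeholders, not real ones.
SAMPLE_ENV = """\
HWRevision\t139
ProductID\tFritz_Box_7270_16
maca\t00:04:0E:12:34:56
macb\t00:04:0E:12:34:57
macwlan\t00:04:0E:00:00:00
macdsl\t00:00:00:00:00:00
tr069_passphrase\tXPASSPHRASEX
tr069_serial\t00040E-XXXSERIALXXX
"""


def parse_env(text):
    """Map key -> value for every non-empty line of an urlader environment dump."""
    env = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts:
            env[parts[0]] = parts[1].strip() if len(parts) == 2 else ""
    return env


def tr069_credentials(env):
    """The two values the provider's ACS uses to recognise the box."""
    missing = [k for k in TR069_KEYS if not env.get(k)]
    if missing:
        raise KeyError("source environment lacks: " + ", ".join(missing))
    return {k: env[k] for k in TR069_KEYS}


def check_macs(env, known_defaults=KNOWN_DEFAULT_MACS):
    """Return {key: reason} for every MAC the destination box should not keep."""
    defaults = {d.upper() for d in known_defaults}
    problems = {}
    for key in MAC_KEYS:
        value = env.get(key)
        if value is None:
            problems[key] = "missing"
        elif not MAC_RE.match(value):
            problems[key] = "malformed: " + value
        elif value.upper() == "00:00:00:00:00:00":
            problems[key] = "all-zero"
        elif value.upper() in defaults:
            problems[key] = "known default: " + value
    return problems


def random_mac(prefix=None):
    """Pseudo-random unicast MAC. Without a prefix the locally-administered
    bit is set so the address cannot collide with a vendor-assigned one;
    with a prefix (e.g. "00:04:0E") only the last three octets are random."""
    if prefix:
        tail = secrets.token_bytes(3)
        return prefix.upper() + ":" + ":".join("%02X" % b for b in tail)
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] & 0xFE) | 0x02
    return ":".join("%02X" % b for b in octets)


def replay_commands(env, style="eva", known_defaults=KNOWN_DEFAULT_MACS,
                    mac_prefix=None):
    """Commands that carry the credentials (and fresh MACs where needed)
    onto the destination box. style="eva": Eva_AVM> prompt;
    style="proc": running box via /proc/sys/urlader/environment."""
    settings = dict(tr069_credentials(env))
    for key in check_macs(env, known_defaults):
        settings[key] = random_mac(mac_prefix)
    templates = {
        "eva": "setenv {k} {v}",
        "proc": 'echo "{k} {v}" >> /proc/sys/urlader/environment',
    }
    if style not in templates:
        raise ValueError("unknown style: " + style)
    return [templates[style].format(k=k, v=v) for k, v in settings.items()]


if __name__ == "__main__":
    sample = parse_env(SAMPLE_ENV)
    for key, why in check_macs(sample).items():
        print("# %-14s %s" % (key, why))
    print("\n".join(replay_commands(sample)))
```

Run it against your own environment-source-fritzbox.txt (read the file and pass its contents to parse_env) and paste the output at the Eva_AVM> prompt; use style="proc" for the echo form used in the 7390 post. The credential values are printed in clear, so treat the output like the backup itself.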

Surprisingly, it was not necessary to transfer the MAC addresses or any other settings from the original FritzBox to the other two boxes. (Something I had expected based on various forum posts.)

I later also tried the same steps on a FritzBox 7390 but failed to receive the VoIP settings: the ProductID (FritzBox 7270) and the software version are transmitted along with the TR-069 credentials. In a second post (above) I provide a possible solution for achieving auto-configuration via TR-069 on other FritzBoxes.

Dissecting an EasyBox 602

Some time ago I got hold of a Vodafone EasyBox 602 router (16 € incl. shipping) and thought about playing around a bit with the hardware and trying to get OpenWrt running on it.

EasyBox 602 - Complete Package

Opening the case is a bit tricky but can be done with a set of plectra. (They are perfect for this task.)

EasyBox 602 - Non-destructive Opening

I’ve added two photos of the PCB inside the case and the position of the plastic hinges.

EasyBox 602 - Case 1, EasyBox 602 - Case 2

Inside you will find an already assembled connector for the serial interface. I played around a bit and identified the RxD and TxD pins. I attached wires to them and for convenience added an external access to the pins.

EasyBox 602 Serial Interface, EasyBox 602 External Serial Interface

I’m still playing around with the installed boot loader and firmware, but so far I can confirm the following layout of the ROM image (the regions are contiguous and add up exactly to the 8192K flash image):

Area             Address     Length
Boot             0xB0000000  128K
Configuration    0xB0020000  256K
None             0xB0060000  64K
Special Area     0xB0070000  64K
Primary Setting  0xB0080000  64K
Code Image 0     0xB0090000  3776K
Code Image 1     0xB0440000  3776K
Boot Params      0xB07F0000  64K
Flash Image      0xB0000000  8192K
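As an added example (not code from the post), the following Python turns the table into data and does the arithmetic a practitioner wants before touching a dump: it checks that the regions tile the 8 MiB chip without gaps or overlaps, maps the memory-mapped addresses the boot loader prints (0xB0000000 base) onto offsets in a raw dump, names the region an address falls into, and carves one region out of a dump. The dump it builds is constructed marker bytes, not an EasyBox image, and the function names are mine.

```python
"""
The EasyBox 602 flash layout as data: verify it, translate between the
memory-mapped addresses the boot loader prints and offsets in a raw dump,
and carve a single region out of a full-chip dump.

Added example, not from the original post. build_sample_dump() produces a
constructed stand-in (each region filled with a marker byte), not a real
EasyBox image; the region names are the post's own.
"""
FLASH_BASE = 0xB0000000
FLASH_SIZE = 8192 * 1024
K = 1024

# (name, start address, length). "Flash Image" (the whole chip) is
# represented by FLASH_BASE/FLASH_SIZE instead of a row.
LAYOUT = (
    ("Boot",            0xB0000000,  128 * K),
    ("Configuration",   0xB0020000,  256 * K),
    ("None",            0xB0060000,   64 * K),
    ("Special Area",    0xB0070000,   64 * K),
    ("Primary Setting", 0xB0080000,   64 * K),
    ("Code Image 0",    0xB0090000, 3776 * K),
    ("Code Image 1",    0xB0440000, 3776 * K),
    ("Boot Params",     0xB07F0000,   64 * K),
)


def to_offset(addr, base=FLASH_BASE, size=FLASH_SIZE):
    """Memory-mapped flash address -> byte offset into a raw dump."""
    if not base <= addr < base + size:
        raise ValueError("0x%08X is not inside the flash window" % addr)
    return addr - base


def check_layout(layout=LAYOUT, base=FLASH_BASE, size=FLASH_SIZE):
    """True if the regions are contiguous from `base` and end exactly at base+size."""
    cursor = base
    for _, addr, length in layout:
        if addr != cursor or length <= 0:
            return False
        cursor = addr + length
    return cursor == base + size


def region_at(addr, layout=LAYOUT):
    """Name of the region containing `addr` (e.g. an address from a boot loader message)."""
    for name, start, length in layout:
        if start <= addr < start + length:
            return name
    raise ValueError("0x%08X is not in any region" % addr)


def region_bounds(name, layout=LAYOUT):
    """(start address, length) of the named region."""
    for n, start, length in layout:
        if n == name:
            return start, length
    raise KeyError(name)


def carve(dump, name, layout=LAYOUT):
    """Return the bytes of one region from a raw full-chip dump."""
    if len(dump) != FLASH_SIZE:
        raise ValueError("expected a %d-byte full-chip dump, got %d" % (FLASH_SIZE, len(dump)))
    start, length = region_bounds(name, layout)
    off = to_offset(start)
    return dump[off:off + length]


def build_sample_dump(layout=LAYOUT):
    """Constructed stand-in for a dump: region i is filled with byte i+1."""
    buf = bytearray(FLASH_SIZE)
    for i, (_, start, length) in enumerate(layout):
        off = to_offset(start)
        buf[off:off + length] = bytes([i + 1]) * length
    return bytes(buf)


def layout_table(layout=LAYOUT):
    """Render the layout with end addresses, which the post's table lacks."""
    rows = ["%-16s %-10s %-10s %s" % ("Area", "Start", "End", "Length")]
    for name, start, length in layout:
        rows.append("%-16s 0x%08X 0x%08X %5dK" % (name, start, start + length - 1, length // K))
    return rows


if __name__ == "__main__":
    assert check_layout()
    print("\n".join(layout_table()))
    dump = build_sample_dump()
    print("Boot Params: %d bytes, marker 0x%02X" % (len(carve(dump, "Boot Params")), carve(dump, "Boot Params")[0]))
```

With a real dump, read the file into bytes and call carve(dump, "Code Image 0") to get one image slot for further analysis; to_offset is what you need when converting an address printed by the boot loader into a dd skip offset.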

I’m soon going to add some links to (discontinued) analyses of this router by others. So far it looks like OpenWrt (as an example of an alternative firmware) cannot be installed, but let’s see…

Exposing a Chip on Board (COB)

In a previous post I described my efforts to build (or should I say extract) a DCF77 clock radio receiver from an old radio clock. The remaining part of the board has undergone another surgery to take a look at the chip-on-board (COB) technology (German Wikipedia entry). Removing the covering epoxy resin with a scalpel was rather destructive, but I did not want to use aggressive chemicals. As a result, the bonding wires (between the silicon die and the conductor tracks) were destroyed.

The following video shows the process of removing the epoxy resin using a scalpel and a heat gun (heated to 200 °C). The whole process took about 10 minutes. The last minute of the video also shows some close-ups taken with a cheap webcam modified for magnification.

I also added some close-up pictures of the exposed silicon die, taken with my DSLR and a reverse-mounted lens.

Homemade DCF77 receiver [FAIL]

A few weeks ago our old clock radio broke. Out of curiosity I disassembled it: I wanted to remove the DCF77 clock radio signal receiver. Unfortunately, the clock contained a single board, but the receiver part was clearly distinguishable from the rest.

The circuit board of my broken clock radio. The radio signal receiver is marked with a yellow frame.

For fun, I cut out the relevant part of the board and replaced/refreshed the solder joints. I also added four connections, for the 1.5 V power supply, the clock signal and a power-on line. (At least I think that’s what the last two lines are.)

My low cost self made DCF77 clock signal receiver.

I have not yet managed to get a stable time signal. On my digital storage oscilloscope I get occasional spikes one second apart (what you would expect), but only a few of them and then nothing… The problem is probably the correct initialization of the chip under the black blob (a so-called chip-on-board, by the way). Maybe I also damaged a part of the receiver while cutting out the board, or when resoldering the two joints on the 77.5 kHz antenna.

Update: well, after playing a bit more with the receiver I’m pretty sure I damaged it while cutting it out. I used common initialization sequences and did not manage to get it working. Too bad…

Dissecting a PICO-C USB flash drive

The Super Talent PICO-C is a really tiny USB flash drive. Ever since I bought mine about a year ago I have wondered how it might look inside the neat metal housing.

About a month ago the drive was not accessible anymore. A short Google search showed that in many cases a bug in the firmware rendered the flash memory inaccessible. There are tools available to revive faulty firmware, especially for this kind of stick, as long as the controller is still recognized, which was not the case for me. Nevertheless, I tried the tools. As expected, they did not work. Luckily, nothing important was stored on the drive…

Not being that expensive, I did not exchange it (despite still having warranty). Instead, I dissected it. 🙂 Removing the front cover with a screwdriver was not complicated.

I first tried to also remove the metal back with a screwdriver, but it was firmly glued together. I only managed to break off a piece of the black epoxy (?) housing. Ouch… The solution was to use a hot air gun to melt the glue; the black interior fell out by itself after 10-15 seconds.

Sadly, the black block containing all the logic is rather unspectacular. It does carry a label which was only readable after some photoshopping:

BXB08GMBH54UD or BXBO8GMBH54UD
4010 C024L0WAA or CO24LOWAA
MADE IN KOREA

At this point I gave up. Without any further possibilities to dissect the part and without any clues from the label I put the remains aside. I thought about dissolving it in acetone or a similar solvent, but I suspect it would not work.

By the way: I bought the same drive again. I hope the new one lasts longer… 😉

Update: I’ve found a nice blog post about the build process of these USB sticks (bunnie’s blog): Where USB Memory Sticks are Born

D-Link DI-614+ Router – Firmware modding

This is a summary of the firmware modifications I made some years ago. The router is no longer produced and the modifications are no longer maintained, but some people still seem to be interested in the old postings…

Warning: all modifications to your router may void your warranty. I do not claim any responsibility for any damage that may result from the use of the modified firmware. These firmwares only work with the DI-614+ Rev. A router (two antennas).

Second warning: increasing the output power also results in a higher processor temperature. Additional cooling by adding a heat sink and/or fan to the router might be necessary. I mean it! I think I blew my router that way…

[2004-11-11] a new modded firmware version is available: di614_fw233k1.zip (and untested: di614_fw233k2.zip)

This modified firmware is based on the original firmware v2.33 which is available on the D-Link website. The DDNS problems are now fixed in the official release; the modified version has the following additional changes:

Powerhack (19dBm)
Wireless LAN channel 1-14 support
Increased log readability

[2004-05-05] modified firmware di614_fw230k1d.zip

Just a minor fix compared to the other changes. I modified the ‘Status->Log’ tab a bit: now all entries are displayed in a grid, which increases the readability of the log.

[2004-04-30] modified firmware di614_fw230k1c.zip

I was told that the DDNS firmware settings were still not working, although they were saved now. Comparing the older firmware version (v2.20) to the newer one, I found out that D-Link used different names for the fields of the DDNS entries. I exchanged the new field names with the ones from the older firmware, et voilà, I get a wonderful ‘DDNS: good .xxx.yyy.xxx.zzz’ in my logs now.

[2004-04-29] modified firmware di614_fw230k1b.zip

I have just added another feature to the 2.30 firmware, the so-called ‘power hack’. As I was told this seems to be something others are waiting for, so I looked at an interesting page about a software hack on the DWL-900AP. Thanks to that hacked firmware I was able to modify the DI-614+ firmware as well. The option ‘Max. 19dBm’ is now available. I have not validated the power gain yet, but will do so as soon as possible.

[2004-04-28] modified firmware di614_fw230k1a.zip

Shortly after repairing the DDNS form yesterday I noticed that another feature I liked was missing in the original v2.30 firmware: the wireless LAN channels 12, 13 and 14 (I never had 14 before ;-)). I found out that these channels are not deactivated in the router, they are just hidden from the user. So I modified the firmware once again and added the missing channels to the user interface. I have successfully tested the channels up to 13 using NetStumbler; channel 14 was not found (well, it’s not that widespread anyway).

Known side effects:
  • Sometimes the channels 12 and 13 appear twice in the drop-down list. You can select either; this has no effect on the router’s functionality.
  • After enabling the wireless LAN with channel 12 or 13 for the first time the router jumps back to channel 6. Reselecting channel 12 or 13 fixes this. (Verify the channel by selecting ‘status’ in the router configuration.)
  • Channels 12 and 13 are not permitted in every regulatory domain, and channel 14 is only allowed in Japan (and only for 802.11b); check the rules where you operate the router before enabling them.

[2004-04-27] modified firmware di614_fw230k1.zip

I have modified the firmware version 2.30 from D-Link and corrected the malfunctioning dynamic DNS form. Although I am currently running it on my own router and it seems to work fine, I do not guarantee for anything.

You can use the flash binary converter tool arj2bin.tar.gz to create valid firmware files on your own.

If something goes seriously wrong…
…the D-Link DI-614+ factory default reflash procedure:

The DI-614+ has a tiny flash program stored in the boot sector of the flash that cannot be overwritten. You can restore your flash EEPROM by doing the following:

  • Get an original firmware from the D-Link website
  • Power off the router and remove all but the network cable to your computer
  • Give your computer the static IP address 192.168.0.100
    (It might be necessary to remove all other settings, e.g. gateway, DNS, …)
  • Push and hold the reset button down with a paper clip or something similar
  • While holding the reset button down plug the router back in and keep holding the reset button down for 10 seconds
  • Open a browser and go to http://192.168.0.1

You should see a simple web page with an edit box, a browse button and a send button. Use it to flash your router with the D-Link firmware and all should be well again.