1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
|
---
title: Technicolor AFM0002
has_children: false
parent: ONT
---
# Technicolor AFM0002TIM/FWB/WND
## Hardware Specifications
| | |
|-------------|-------------------------------------------------|
| Vendor | Technicolor |
| Model | AFM0002TIM/FWB/WND |
| Alias | |
| Chipset | Realtek RTL9601B |
| Flash | |
| RAM | |
| System | Linux (Luna SDK) |
| HSGMII | NO |
| Optics | |
| IP address | 192.168.2.1 |
| Web Gui | Can be enabled, user `admin`, password `system` |
| SSH | ✅ user `admin`, password `system` |
| Form Factor | miniONT SFP |
## List of software versions
- V1_7_8_181123
- V1_7_8_210928
- V1_7_8_210412
## List of partitions
| dev | size | erasesize | name |
|-------|----------|-----------|-----------------|
| mtd0 | 00040000 | 00001000 | "boot" |
| mtd1 | 00002000 | 00001000 | "env" |
| mtd2 | 00002000 | 00001000 | "env2" |
| mtd3 | 0003c000 | 00001000 | "config" |
| mtd4 | 00300000 | 00001000 | "k0" |
| mtd5 | 004c0000 | 00001000 | "r0" |
| mtd6 | 00300000 | 00001000 | "k1" |
| mtd7 | 004c0000 | 00001000 | "r1" |
| mtd8 | 00001000 | 00001000 | "Partition_008" |
| mtd9 | 00001000 | 00001000 | "Partition_009" |
| mtd10 | 00001000 | 00001000 | "Partition_010" |
| mtd11 | 00001000 | 00001000 | "Partition_011" |
| mtd12 | 00300000 | 00001000 | "linux" |
| mtd13 | 004c0000 | 00001000 | "rootfs" |
This stick supports dual boot.
`k0` and `r0` contains respectively the kernel and firmware of the first image, `k1` and `r1` of the second one
## List of firmware and files
### Useful files
- `/var/config/lastgood.xml` - Contains the user portion of the configuration
- `/var/config/lastgood-hs.xml` - Contains the "hardware" configuration (i.e. that _should_ not be changed)
- `/tmp/omcilog` - OMCI messages logs (must be enabeled, see below)
### Useful binaries
- `/etc/scripts/flash` - Used to manipulate the config files in a samewhat safe manner
- `xmlconfig` - Used to low-level manipulate the XML config files. Called by `flash`
- `nv` - Used to manipulate the nvram storage, including persistent config entries via `nv setenv`/`nv getenv`
- `omcicli` - Used to interact with the running OMCI daemon
- `omci_app` - The OMCI daemon
- `diag` - Used to run low-level diagnostics commands on the stick
## Useful commands
### Enable the Web UI
```sh
# /bin/iptables -D INPUT -p tcp --dport 80 -j DROP
```
### Check the currently active image
```sh
# nv getenv sw_active
sw_activ=1
# nv getenv sw_version0
sw_version0=V1_7_8_210412
# nv getenv sw_version1
sw_version1=V1_7_8_210412
```
### Boot to a different image
```sh
# nv setenv sw_commit 0|1
# reboot
```
### Get/Set the ONT S/N
```sh
# /etc/scripts/bin flash get GPON_SN
GPON_SN=TMBB00000000
# /etc/scripts/bin flash set GPON_SN TMBB0A1B2C3D
```
### Get/Set the ONT PLOAM password
Note: the password is in ASCII format
```sh
# /etc/scripts/bin flash get GPON_PLOAM_PASSWD
GPON_PLOAM_PASSWD=AAAAAAAAAA
# /etc/scripts/bin flash set GPON_PLOAM_PASSWD AAAAAAAAAA
```
### Query a particular OMCI ME
```sh
# omcicli mib get MIB_IDX
```
## Low level modding
Note: this section is based on version `V1_7_8_210412` of the stick
### Trasnfer files from/to the stick
Works with binary files too, just run md5sum on source and destination to make sure you are not corrupting anything...
From the stick to the PC:
```sh
# ssh admin@192.168.2.1 "cat /tmp/omcilog" > omcilog.log
```
From the PC to the stick
```sh
# cat lastgood.xml | ssh admin@192.168.2.1 "cat > /var/config/lastgood.xml"
```
**Note:** on windows replace type with cat and run the commands from cmd (not powershell)
### Extract and repack the rootfs
```sh
# unsquashfs mtd5.bin
# mksquashfs squashfs-root rootfs -b 131072 -comp lzma -no-recovery
```
### Flash a new rootfs
**Note: you can only flash the inactive image**. So mtd4/5 if you are on image1, mtd6/7 if you are on image0.
The follwing examples flashes a new rootfs to image1 and boots to it
```sh
# flash_eraseall /dev/mtd7
# cat /tmp/rootfs.new > /dev/mtd7
# nv setenv sw_commit=1
# reboot
```
### Add support to configurable SW and HW versions, VENDOR ID and much more
We can patch `/etc/scripts/flash` in order to add support for some variables implemented in `omci_app` but removed from `xmlconfig`. The patch is below (change the values to suit your needs)
```patch
--- squashfs-root/etc/scripts/flash 2021-09-28 10:38:52.000000000 +0200
+++ squashfs-root.new/etc/scripts/flash 2022-08-04 00:00:29.769605000 +0200
@@ -62,7 +62,26 @@
if [ `echo $para | egrep $specific_mib_patten` ]; then
/bin/xmlconfig -g $para | sed -r "s/$rename_mib_name+/$2/g" | sed -r "s/,+//g"
else
- /bin/xmlconfig -g $para | sed -r "s/$rename_mib_name+/$2/g"
+ case "$para" in
+ "OMCI_EQID")
+ echo "$para=MY_EQID"
+ ;;
+ "OMCI_VENDOR_ID")
+ echo "$para=MY_VENDOR"
+ ;;
+ "OMCI_SW_VER1")
+ echo "$para=MY_SW_VER1"
+ ;;
+ "OMCI_SW_VER2")
+ echo "$para=MY_SW_VER2"
+ ;;
+ "OMCI_ONT_VER")
+ echo "$para=MY_HW_VER"
+ ;;
+ *)
+ /bin/xmlconfig -g $para | sed -r "s/$rename_mib_name+/$2/g"
+ ;;
+ esac
fi
if [ "$?" = "0" ]; then
exit 0
```
### Increase the length of the software version from 13 to 14 characters
`omci_app` has an hard-coded limit of 13 characters for the software version, which is too low. We can binary patch it to increase it to 14 (or more, if you dare/need)
```
JVhEWjAwNCUAAAAIAAgACAAAAAAAAAAAAAAAAAAAAABvbWNpX2FwcG9tY2lfYXBwH4sIAAAAAAAA
AwMAAAAAAAAAAAAfiwgAAAAAAAADY2BoYGZgYFjh9Uq/aNcZQdXsOh3R5ktr/fd0sTEwcuTnJmfG
JxYUYJVlZGAA0gCHsMK2QQAAAAAAAEQlWERaMDA0JQ==
```
Save it as omci_app.xdelta.b64, then run:
```sh
# base64 -d omci_app.xdelta.base64 > omci_app.xdelta
# xdelta patch omci_app.xdelta bin/omci_app bin/omci_app.new
# mv bin/omci_app.new bin/omci_app
```
For reference, the patch changes the follwing section of the omci_app:
```diff
-00408c24 24 05 00 0e li a1,0xe
+00408c24 24 05 00 0f li a1,0xf
-00408cf0 24 05 00 0f li a1,0xe
+00408cf0 24 05 00 0f li a1,0xf
```
(It's inside the function referecing the string `OMCI_SW_VER1`)
### Enable PLOAM logging
```sh
/etc/scripts/bin flash set OMCI_DBGLVL 1
/etc/scripts/bin flash set OMCI_DBGLOGFILE 1
reboot
/bin/omcicli set logfile 1 ffffffff
```
1. The binary log will be placed inside: `/tmp/omcilog`
2. You can convert it into .pcap using https://github.com/ADeltaX/omcilog2pcap
3. You can then open it into wireshark by installing the OMCI plugin from https://wiki.wireshark.org/Contrib.md
If you want to log everything since the stick boots, you can create a custom rootfs. Place the last command inside `etc/runomci.sh` as the last line of the file
## Miscellaneous Links
|