Research on Changing Serial Number for GPON ONU Module

lty1993 · Mon Jan 02, 2017 11:09 am

The GPON ONU module is based on Marvell MC-88F6601, and the datasheet for this chip is not available for general public. I have to sign the NDA before I can get the datasheet.

At beginning, I attach this module to a STM32 to dump the EEPROM which connected to SFP side. The checksun is not correct, that is why the module information is not shown in the ROS SFP info page. After correct the checksun, the serial number and diagnostic info shows no problem inside sfp information page.

Then, I changed the serial number inside EEPROM, but it looks like no affect on the serial number which used for GPON handshake.

After that, I desoldered the flash chip, and dump the entire flash. However, nothing interesting inside it.
Flash Dump: https://www.lolicon.me/dl/gpon.rom

Here is the high defination photos:

anass · Mon Jan 02, 2017 4:52 pm

Hi,

Generally such features must be provided by MikroTik like other brand do (GPON ONT SN CHANGER).

when you say "I changed the serial number inside EEPROM" you mean by that address 68-83 on the A0h memory ?

I know that there is some reserved address on the A2h memory used by some manufacturer for storing extra data . could you please share the SN that u see on the OLT side ?

and also the result of this command "/interface ethernet monitor sfp1" .

anass · Mon Jan 02, 2017 5:27 pm

Just analysed the rom file that you posted.

it seem like there is another operating system based on linux inside the SFP module :

U-Boot 2009.08 ( 4
 28 2015 - 16:46:05) Marvell version: 4.1.6_PQ
 """"""
 __   __                      _ _
|  \/  | __ _ _ ____   _____| | |
| |\/| |/ _` | '__\ \ / / _ \ | |
| |  | | (_| | |   \ V /  __/ | |
|_|  |_|\__,_|_|    \_/ \___|_|_|
         _   _     ____              _
        | | | |   | __ )  ___   ___ | |_ 
        | | | |___|  _ \ / _ \ / _ \| __| 
        | |_| |___| |_) | (_) | (_) | |_ 
         \___/    |____/ \___/ \___/ \__| 
 ** LOADER **
 ** MONITOR **
dual_image
Error: dual image isn't supported on flash size=%d KB.
mtdParts
mtdparts=spi_flash:1M@0(uboot),3584K@0x100000(uImg),3M@0x480000(rootFs),512K@0x780000(vars),3584K@0x800000(uImgB),3M@0xB80000(rootFsB),512K@0xE80000(varsB),-(spacer)
env_saved
false
isValidA
isValidB
committedBank
act_test
act_boot_complete
image_address
imgA_mtdblock
imgB_mtdblock
imgA_addr
0x100000
imgB_addr
0x800000
setA
setenv img_mtdblock ${imgA_mtdblock}; setenv img_addr ${imgA_addr}; echo Booting image A;
setB
setenv img_mtdblock ${imgB_mtdblock}; setenv img_addr ${imgB_addr}; echo Booting image B;
get_mtd_list
if test ${isValidA} = true -a ${isValidB} = true; then if test ${committedBank} = A; then setenv mtd_list A B; else setenv mtd_list B A; fi; else if test ${isValidA} = true;then setenv mtd_list A; else if test ${isValidB} = true; then setenv mtd_list B; else setenv mtd_list; fi; fi; fi;
valid_bootcmd
run get_mtd_list; for i in ${mtd_list}; do if test ${i} = A; then run setA; else run setB; fi; run bootcmd_img; done;
bootcmd_img
setenv bootargs ${console} root=/dev/mtdblock${img_mtdblock} rootfstype=squashfs ${mtdParts} ${mvNetConfig} ${mvPhoneConfig}; sf read ${loadaddr} ${img_addr} 0x380000; bootm ${loadaddr};
act_bootcmd
if itest ${act_test} == 1; then if itest ${act_boot_complete} == 0; then setenv act_boot_complete 1; saveenv; echo "Booting Active Image...."; run bootcmd_active;else setenv act_boot_complete 0; setenv act_test 0; saveenv; fi; fi;
bootcmd_active
echo bootcmd_active was not initialized....
save_dual_image_env
if test ${env_saved} = false; then echo "Saving environment for dual image support:"; setenv env_saved true; saveenv; fi;
run act_bootcmd; run save_dual_image_env; run valid_bootcmd; echo "Using default bootcmd...."; run default_bootcmd
console=ttyS0,115200 mv_port1_config=disconnected
console=ttyS0,115200

lty1993 · Mon Jan 02, 2017 6:47 pm

Just analyses the rom file that you posted.

There is a jffs2 at 0x7D0000, however, it is empty.

it seem like there is another operating system based on linux inside the SFP module

Based on the hardware schematic and public available information, there is large chance that the module is more like a linux computer with two bridged interfaces.

when you say "I changed the serial number inside EEPROM" you mean by that address 68-83 on the A0h memory ?

Yes.

I know that there is some reserved address on the A2h memory used by some manufacturer for storing extra data.

I didn't find any interesting data inside A2h except for diagnostic information. If you like, I can give you dump files for both A0h and A2h.
I believe they must have some sort of page switch bits inside A2h or A0h.

console=ttyS0,115200

Looks like there is a serial console on the embedded Linux, It is probabily easier if we hack through the serial console. However, we still need to find out the pin for the console.

could you please share the SN that u see on the OLT side

I don't have an OLT in my lab (yet). I cloned the serial number of my GPON modem, and the module didn't register on my existing network.

and also the result of this command "/interface ethernet monitor sfp1" .

I didn't put the flash back yet. But I can provide you the EEPROM dumps.
A0h (Original): https://www.lolicon.me/dl/onu_256_A0.bin
A0h (Modified 1): https://www.lolicon.me/dl/onu_128.bin
A0h (Modified 2): https://www.lolicon.me/dl/onu_128_2.bin
A2h: https://www.lolicon.me/dl/onu_256_A2.bin

anass · Mon Jan 02, 2017 7:40 pm

the module didn't register on my existing network.

changing only the sn may not end with the registration on the telco network due to all OMCI stuff : http://fr.slideshare.net/wahyunasution1 ... figuration

yes It is easier if we hack through the serial console but i don't see anything for the UART on that board.

it's a linux computer with ethernet interfaces because i see some mac address on the rom file :

mv_net_config=0
mv_net_config=4,(00:50:43:11:11:11,0:1:2:3),mtu=1500
yuk_ethaddr
00:00:00:EE:51:81
rcvrip
169.254.100.100

i see that there is also a recovery mode waiting for a dhcp on boot :

enaAutoRecovery
Missing loadaddr environment variable assuming default (%s)!
Aquiring an IP address using DHCP after delay...
Satrt recovery process (Distress Beacon with TFTP server)

i will analyse the attached file and let you know what i can see

lty1993 · Tue Jan 03, 2017 3:17 pm

and also the result of this command "/interface ethernet monitor sfp1" .

Screenshot from 2017-01-03 13-15-41.png

anass · Tue Jan 03, 2017 5:47 pm

I ve searched on the Flash content and on A0/A2 memory for your original SERIAL 'MKTK0C15...' to see if it's registered somewhere else but without success .
based on the Flash data the sn is grabbed directlly from the eeprom (DIMM Serial No)

DRAM Controller info:
Total DRAM 
DIMM %d version %d.%d
DRAM CS[%d] 
ECC enabled, 
ECC Disabled, 
Registered DIMM
Non registered DIMM
Configured CAS Latency %d.%d
cas2ps Err. unsupported cycle time.
ERROR: Could not read SPD information!
Manufacturer's JEDEC ID Code:   
Manufacturer's Specific Data:   %s
Module Part Number:             %s
DIMM Serial No.                 %ld (%lx)
Manufactoring Date:             Year 20%d%d/ ww %d%d
Module Revision:                %d.%d
manufac_place:                  %d
Dram Type is:                   SDRAM
Dram Type is:                   SDRAM DDR1
Dram Type is:                   SDRAM DDR2
Dram Type unknown
Module Number of row addresses: %d
Module Number of col addresses: %d
Number of Banks on Mod.:        %d
Module Data Width:              %d bit
Module is               TTL_5V_TOLERANT
Module is               LVTTL
Module is               HSTL_1_5V
Module is               SSTL_3_3V
Module is               SSTL_2_5V
Module is                 SSTL_1_8V
Module is               VOLTAGE_UNKNOWN
Minimum Cycle Time At Max CL:   %d.%d [ns]
Clock To Data Out:              %d.%d [ns]
Error Check Type (0=NONE):      %d
Refresh Rate:                   %x
Sdram Width:                    %d bits
Error Check Data Width:         %d bits
Minimum Clk Delay back to back: %d
Burst Length Supported: 
 Bit 
Number Of Banks On Each Chip:   %d
Suported Cas Latencies: (CL)

i think that every thing is done on your side and that your SFP ONU is using the correct SN.
As you are using Alcatel-Lucent and based on this document http://fr.slideshare.net/wahyunasution1 ... figuration [page 35], on the OLT there is the planned software and the active software for each ONT HW version and if they mismatch an alarm is triggered and the ONU will not get registered (this is your case).

You will need that your telco register your ONU as a SFP bridge and not as a router to escape to the planned/active software story

mbasenin · Sat Feb 11, 2017 6:44 pm

Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:

<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>

troffasky · Sun Feb 12, 2017 6:51 pm

Based on the hardware schematic and public available information, there is large chance that the module is more like a linux computer with two bridged interfaces.

This is fascinating, and a little bizarre. Surely running an entire OS on SFP is a massive overhead?

ilinsky · Thu May 25, 2017 12:55 pm

How did you dump it?

Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:

<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>

lty1993 · Thu May 25, 2017 1:33 pm

Based on the hardware schematic and public available information, there is large chance that the module is more like a linux computer with two bridged interfaces.
This is fascinating, and a little bizarre. Surely running an entire OS on SFP is a massive overhead?

After analyzing the embedded linux, the OS on the module is not forwarding any packets. There is a hardware switch on the SoC actually doing all data forwarding,

ilinsky · Thu May 25, 2017 1:35 pm

Based on the hardware schematic and public available information, there is large chance that the module is more like a linux computer with two bridged interfaces.
This is fascinating, and a little bizarre. Surely running an entire OS on SFP is a massive overhead?
After analyzing the embedded linux, the OS on the module is not forwarding any packets. There is a hardware switch on the SoC actually doing all data forwarding,

How can I dump embedded linux? im curious

lty1993 · Thu May 25, 2017 1:37 pm

How did you dump it?

Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:

<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>

I removed the flash chip from board (using hot air), then dumped it by a stm32 flashrom programmer.

Here is the flash: https://www.lolicon.me/mikrotik/flash.bin

ilinsky · Thu May 25, 2017 1:52 pm

is 404 not found.

Im new in hardware debugging and it sounds very interesting, how did you get hot airflow to remove chip?

How did you dump it?

Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:

<?xml version="1.0"?>
<cnfg>
    <PON>
        <!--  PON serial number - up to 8 symbols   -->
        <PON_serial_num>MKTK00010203</PON_serial_num>
        <!--  PON serial source: 0 - xml, 1 - digit part is taken from MAC lower 4 bytes-->
        <PON_serial_src>1</PON_serial_src>
        <!--  PON password - up to 10 symbols   -->
        <PON_passwd>1234567890</PON_passwd>
        <!--  PON SN disabled: 0 = FALSE, 1 = TRUE    -->
        <PON_dis_sn>0</PON_dis_sn>
        <!--  gem reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_gem_reset>0</PON_gem_reset>
        <!--  tcont reset on fiber disconnect: 0 = FALSE, 1 = TRUE    -->
        <PON_tcont_reset>1</PON_tcont_reset>
        <!--  PON Dying Gasp polarity: 0 = low, 1 = high    -->
        <PON_DG_polarity>1</PON_DG_polarity>
        <!--  PON XVR Burst Enable Polarity: 0 - high; 1 - low    -->
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        <!--  PON XVR Polarity: 0 - high; 1 - low    -->
        <PON_XVR_polarity>1</PON_XVR_polarity>
        <!--  P2P XVR burst enable polarity: 0 - high; 1 - low    -->
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        <!--  P2P XVR Polarity: 0 - high; 1 - low    -->
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        <!--  gem ports restore after return from State 7: 0 = FALSE, 1 = TRUE -->
        <PON_gem_restore>1</PON_gem_restore>
        <!--  Psa FEC Ind Bit Hyst: number of fram 1-4 -->
        <PON_fec_hyst>1</PON_fec_hyst>
        <!--  Coupling Mode: 0 = DC, 1 = AC -->
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>

I removed the flash chip from board (using hot air), then dumped it by a stm32 flashrom programmer.

Here is the flash: https://cdn.lty.me/mikrotik_gpon_flash.bin

ilinsky · Thu May 25, 2017 2:02 pm

send me pm

I have Huawei OLT and this module as well, I want to try to change SN and associate it with my OLT / or my ISP olt using SN of my HG
That sounds interesting

is 404 not found.

Im new in hardware debugging and it sounds very interesting, how did you get hot airflow to remove chip?
How did you dump it?
Dumped my sfp flash today:

SPI flash structure:

1M@0(uboot),
3584K@0x100000(uImg),
3M@0x480000(rootFs),
512K@0x780000(vars),
3584K@0x800000(uImgB),
3M@0xB80000(rootFsB),
512K@0xE80000(varsB),

There is a Squashfs filesystem, little endian, version 4.0, 2148429 bytes, 470 inodes, blocksize: 131072 bytes, created: Wed Nov 18 10:21:54 2015 at 0x480000, which contains
/etc/xml_params/gpon_xml_cfg_file.xml:
Code: Select all
<?xml version="1.0"?>
<cnfg>
    <PON>
        
        <PON_serial_num>MKTK00010203</PON_serial_num>
        
        <PON_serial_src>1</PON_serial_src>
        
        <PON_passwd>1234567890</PON_passwd>
        
        <PON_dis_sn>0</PON_dis_sn>
        
        <PON_gem_reset>0</PON_gem_reset>
        
        <PON_tcont_reset>1</PON_tcont_reset>
        
        <PON_DG_polarity>1</PON_DG_polarity>
        
        <PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>
        
        <PON_XVR_polarity>1</PON_XVR_polarity>
        
        <P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>
        
        <P2P_XVR_polarity>0</P2P_XVR_polarity>
        
        <PON_gem_restore>1</PON_gem_restore>
        
        <PON_fec_hyst>1</PON_fec_hyst>
        
        <PON_coupling_mode>1</PON_coupling_mode>
    </PON>


</cnfg>
I removed the flash chip from board (using hot air), then dumped it by a stm32 flashrom programmer.

Here is the flash: https://cdn.lty.me/mikrotik_gpon_flash.bin

lty1993 · Thu May 25, 2017 2:21 pm

@ilinsky

The link has been fixed. And I do not know how to send pm in this forum.

ilinsky · Thu May 25, 2017 2:28 pm

I see

I saw it with binwalk and is huge, is it possible to repack it with canes done and flash back, any idea ? I google about hot air already

I connected my module to my hawed 5608 OLT and it does not appear in iManager U2000 auto discovery, I think it has something to do with interoperability configuration

@ilinsky

The link has been fixed. And I do not know how to send pm in this forum.

lty1993 · Thu May 25, 2017 3:33 pm

I see

I saw it with binwalk and is huge, is it possible to repack it with canes done and flash back, any idea ? I google about hot air already

I connected my module to my hawed 5608 OLT and it does not appear in iManager U2000 auto discovery, I think it has something to do with interoperability configuration

Yes, you can repack it and flash it back.

ilinsky · Sat May 27, 2017 3:46 am

which software do you use to actually interact with stm32 programer to download the flash ?

lty1993 · Sun Jun 11, 2017 5:15 pm

which software do you use to actually interact with stm32 programer to download the flash ?

flashrom
https://www.flashrom.org/Flashrom

filiptc · Mon Sep 18, 2017 11:43 am

Wow, thanks for you research. Is there a way to overwrite the XML with modified values without tinkering with the hardware?

dylanger · Tue Jan 02, 2018 11:16 pm

For anyone interested, I'm sort of following the research but on Ubiquiti's Nano G OLT, read more here: https://community.ubnt.com/t5/UFiber-GP ... 90379#M773

It looks like the serial may be store in simple flash instead of EEPROM, at least I'm hoping, there's a kernel driver that allows writing and read DWORDs over SPI to the Transceiver, this may allow changing of the serial without needing to mess around with the hardware / chip-off

geduxas · Fri Jun 22, 2018 4:18 pm

Hi, any news in this adventure? i am in same boat. Need to change SN and PON password.

CarlitoxxPro · Fri Jun 21, 2019 6:33 pm

We fight with this topic some time ago,

to resume a little bit:

The GPON ONU is a different kind of transceiver than no have a traditional eeprom inside, instead uses a nor flash chip (8, 16, 32 mb depending on the manufacturer) and is emulated their access after the OS was loaded/booted, this kind of transceivers have a embedded linux inside with the specific onu/omci drivers and all other features than each manufacturer want to add it, like the MAC.

the GPON ONU have two versions:
1- without MAC, that means than the gpon no have a accessible network interface configured to we can configure it, comes already preconfigured and only can be provisioned via omci from OLT side.
2- with MAC (Sticks), that means than the gpon have an accessible network interface and a method to do that, like telnet, ssh, or web (linux services), there you have the possibility to configure/debug it.

in the case of Mikrotik ONU is a kind of transceiver from the first group, in their case have pre configured the basic details (SN and PLOAM Password) from factory, and that information is stored on both sites:
1- In the "EEPROM" used by the other devices where is connected this SFP for know what kind of transceiver is and for persist some changes like sn, ploam password and more
2- in the same firmware img: inside of the configuration files used by the PON, OMCI drivers. in the most of cases (with MAC transceiver) this have a default value than is updated on boot time getting the value from "EEPROM".

the problem is than the GPON ONU of mikrotik no updates the sn, ploam password, etc in the config files inside of filesystem at boot time, because was made as a pre-provisioned transceiver, in other words, you can not change this values from client side, only can be configured in the OLT side to be discovered. take in count than the filesystem is readonly when was mounted in boot.

the trick here is (the most complicated part), update the files where is stored the SN and the PLOAM Passwd (SLID), rebuild the filesystem, recalculate the CRC Checksum and rewrite the nor flash. to you can be able to complete the authentication process with the OLT. you should be update the values in both sides filesystem and EEPROM (remember is a virtualized EEPROM inside of nor Flash and only can be accessed before the SFP boot completely vía IC2 eeprom programmer or via comand_cli if the gpon have this feature available).

this is a very expensive procedure and only the peoples with a very good skill on this areas can make this change for their own.

all GPON ONU (and in general SFP) have a two wire console access to debug and configure using an EVM Board (Evaluation Module Board) than provide network access to the GPON (only for Sticks) and Serial Console access.

we speak a lot of times with mikrotik to perform a firmware update and give the MAC capabilities to their GPON ONU, but they are no interested on spend resources on make this changes, as many other manufacturers.

for this reason we develop our own GPON ONU Stick with this features and more.
more details here: https://www.facebook.com/CarlitoxxPro/p ... 1173849605 (Spanish language)

I hope than i've clarify a little bit more this topic for some people.

Kindest Regards.

Error0x29A · Sun Jun 23, 2019 8:08 pm

We fight with this topic some time ago,

to resume a little bit:

The GPON ONU is a different kind of transceiver than no have a traditional eeprom inside, instead uses a nor flash chip (8, 16, 32 mb depending on the manufacturer) and is emulated their access after the OS was loaded/booted, this kind of transceivers have a embedded linux inside with the specific onu/omci drivers and all other features than each manufacturer want to add it, like the MAC.

the GPON ONU have two versions:
1- without MAC, that means than the gpon no have a accessible network interface configured to we can configure it, comes already preconfigured and only can be provisioned via omci from OLT side.
2- with MAC (Sticks), that means than the gpon have an accessible network interface and a method to do that, like telnet, ssh, or web (linux services), there you have the possibility to configure/debug it.

in the case of Mikrotik ONU is a kind of transceiver from the first group, in their case have pre configured the basic details (SN and PLOAM Password) from factory, and that information is stored on both sites:
1- In the "EEPROM" used by the other devices where is connected this SFP for know what kind of transceiver is and for persist some changes like sn, ploam password and more
2- in the same firmware img: inside of the configuration files used by the PON, OMCI drivers. in the most of cases (with MAC transceiver) this have a default value than is updated on boot time getting the value from "EEPROM".

the problem is than the GPON ONU of mikrotik no updates the sn, ploam password, etc in the config files inside of filesystem at boot time, because was made as a pre-provisioned transceiver, in other words, you can not change this values from client side, only can be configured in the OLT side to be discovered. take in count than the filesystem is readonly when was mounted in boot.

the trick here is (the most complicated part), update the files where is stored the SN and the PLOAM Passwd (SLID), rebuild the filesystem, recalculate the CRC Checksum and rewrite the nor flash. to you can be able to complete the authentication process with the OLT. you should be update the values in both sides filesystem and EEPROM (remember is a virtualized EEPROM inside of nor Flash and only can be accessed before the SFP boot completely vía IC2 eeprom programmer or via comand_cli if the gpon have this feature available).

this is a very expensive procedure and only the peoples with a very good skill on this areas can make this change for their own.

all GPON ONU (and in general SFP) have a two wire console access to debug and configure using an EVM Board (Evaluation Module Board) than provide network access to the GPON (only for Sticks) and Serial Console access.

we speak a lot of times with mikrotik to perform a firmware update and give the MAC capabilities to their GPON ONU, but they are no interested on spend resources on make this changes, as many other manufacturers.

for this reason we develop our own GPON ONU Stick with this features and more.
more details here: https://www.facebook.com/CarlitoxxPro/p ... 1173849605 (Spanish language)

I hope than i've clarify a little bit more this topic for some people.

Kindest Regards.

First of all, thank you CarlitoxxPro for your research and comprehensive post. I find it educational and fascinating. As the market matures some countries like Italy passed the law and allow users to register their own GPON SFP. Other countries like France(Orange) and Canada(Bell Canada) make it easy to remove SFP from the gateway (Orange Livebox4) (Bell Canada HH3000) and plug it into compatible Mikrotik router.
I would no longer waste time researching Mikrotik GPON ONU based on the Marvell chip. It has been discontinued and remaining stock on various sites is quite expensive.
https://mikrotik.com/product/SFPONU

On the other hand, all GPON SFP based on the Lantiq FALC™ON MIPS34Kc chipset are quite popular, to name a few.
Huawei MA5671A
Dasan H650SFP
Zisa OP151S
Sercomm FGS202
Alcatel-Lucent G-010S-P
CarlitoxxPro CPGOS03-0490
D-Link DPN-100
Zyxel PMG3000-D20B

FALC stands for Framer and Line Interface Component

Thanks to the French provider Orange, European market is flooded with cheap FGS202 GPON sticks. And they support MAC address.
Average image size for the Lantiq chips is around 3.6MB-4MB. Question for people with the right skillset and equipment(hot air, programmer).

Is it possible to use image from one SFP and flash it to another SFP using programmer or TFTP server to get desired features(SN change)?

I could get 2-3 cheap FGS202 sticks from my French colleagues and I volunteer to flash it with a modified image.

Edit:
1. Added more modules with Lantiq chip. Two more GPON Sticks: D-Link and Zyxel

Error0x29A · Tue Jun 25, 2019 7:17 pm

It's worth mentioning that for majority of GPON sticks we use in our Mikrotik routers, Reference Design and SDK is provided by T&W Shenzhen Gongjin Electronics Co., Ltd
Minimum order is 10000 pieces if you want to order directly from the source.
http://twsz.com/en/product/98/451.html TW2362H-CDEH GPON SFP

Firmwares often contain reference to it e.g. TW2362H-CDEL-TW-R01B010D35befddf-CN.squashfs.upf

CarlitoxxPro · Wed Aug 14, 2019 5:52 pm

hi @Error0x29A,

From the day than we dive into this adventure, we tested dozens of models (brands) of GPON ONUs SFP (with/out MAC feature), but none of them accomplish with this prime features:

1- SN and Pon Password (SLID) be configurable in ASCII and HEX mode
NOTE: the major number of them are only configurable in ASCII only.

2- The interoperability with the most popular OLT brands like ZTE, HUAWEI, Alcatel.
NOTE: this is the more complex part, the most part of manufacturers only support a few of them and with specific software version.

3- The configurability of their settings
NOTE: none of them permits to modify more than a few parameters like Pon SN, Pon Password, network settings (lan), except (CPGOS03-0490 rev 1.0 Currently Out of Stock)

4- SW tweaks, customizations.
NOTE: none manufacturer provide support for individuals than acquire samples, their target is the big companies than will acquire thousands of units. they no will spend resources to customize or fix issues from individuals.

Related to the GPON SoC, the manufacturers like Intel (lantiq), Realtek, Microsemi, Marvel, Hisilicon, Broadcom, Qualcomm, etc, jealously guard their designs and SDKs, for that reason you can't find any documentation or references on internet, even some of them keep like a secret, not including the product on their websites as example Realtek, Lantiq, etc. The SoC manufacturer signs NDA with the hardware manufacturers to keep their market and products safe of the competitors

in other aspects, many GPON ONU SFP manufacturers uses the same hardware with small sw customizations, they only make a rebranding of the same hardware, as example: Zyxel and Zisa have the same HW & SW provided by T&W Shenzhen Gongjin Electronics Co. Ltd

from all the sticks than you mention before, they not are fully compatible with mikrotik routers/switches, this is depending in the most of cases by the architecture MIPSBE / ARM / TILE, sometimes the stick is detected but no displays the eeprom information (Vendor, Part #, SN, Voltage and DDM details).

answering to your question (Is it possible to use image from one SFP and flash it to another SFP using programmer or TFTP server to get desired features(SN change)?): yes if the hardware is exactly the same (same PCB, chipset, SoC, etc), that requires to extract the SPI chip from both SFP and copy the content from one to the another and re-weld again. but you need the skill and hardware to do that and stay very sure than the hardware revision is the same in both sticks.

sometimes require to recalibrate some parameters in the sw to the optics be fully functional. As may you know, each optical laser head have small differences.

Currently we are working on our second revision of our GPON ONU Stick (CPGOS03-0490), but is a little hard to find a balance between interoperability and configuration flexibility.

Kindest Regards

blizzard · Sun Oct 13, 2019 10:18 pm

Hello! Can you share the SPI Flash dump?

diablonet · Sun Sep 06, 2020 2:30 pm

I own this SFP module, I already removed the chip and dumped the firmware, I got the squashfs partition and also I am able to change the XML parameters, but I dont know how to use them:

<?xml version="1.0"?>
<cnfg>
<PON>

<PON_serial_num>MKTK00010203</PON_serial_num>

<PON_serial_src>1</PON_serial_src>

<PON_passwd>1234567890</PON_passwd>

<PON_dis_sn>0</PON_dis_sn>

<PON_gem_reset>0</PON_gem_reset>

<PON_tcont_reset>1</PON_tcont_reset>

<PON_DG_polarity>0</PON_DG_polarity>

<PON_XVR_burst_enable_polarity>0</PON_XVR_burst_enable_polarity>

<PON_XVR_polarity>1</PON_XVR_polarity>

<P2P_XVR_burst_enable_polarity>1</P2P_XVR_burst_enable_polarity>

<P2P_XVR_polarity>0</P2P_XVR_polarity>

<PON_gem_restore>1</PON_gem_restore>

<PON_fec_hyst>1</PON_fec_hyst>

<PON_coupling_mode>1</PON_coupling_mode>
</PON>
</cnfg>

On <PON_serial_num>MKTK00010203</PON_serial_num>, XML says up to 8 symbols, but there are 12!
I am assuming that <PON_serial_src>0</PON_serial_src> must be 0 because the serial source is XML.
Is this in ascii? <PON_passwd>1234567890</PON_passwd>
since I am writing my own password: should this be 0 or 1? <PON_dis_sn>0</PON_dis_sn>

thank you

diablonet · Sun Sep 06, 2020 2:31 pm

Hello! Can you share the SPI Flash dump?

I can share my dump

Newdjeen · Sat Sep 19, 2020 12:42 am

I can share my dump

share, please, or send to newdjeen[at]gmail.com

Research on Changing Serial Number for GPON ONU Module

Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Re: Research on Changing Serial Number for GPON ONU Module

Who is online