Time for PLDT Fiberhome ONU/ONT Replacement

 Today I wanted to share to my reader on how-to retired my PLDT Fiberhome ONU/ONT AN5506-04-FA device, its has been there for couples of years that I wish to get rid of it and replace with SFP module that will work for my project. Googling on the net to find docs and most of all can get the most affordable SFP module that I can substitute for my ONT/ONU.

Not just for the SFP module price is cheaper but also it will works on a budget giga Media Converter, on a giga SC switch, or on the MikroTik Hex but like on a pfSense micro ITX box. After Googling sometime I found ZISA OP151S is the most best that suit for my needs but sadly the SFP module manufacturer is no longer active duplicating the said sfp. ZISA OP151S makes it handy for having a web graphical user interface to interact the device module itself and a command line interface to tune up the settings that you need.

Luckily, after Googling again sometime on the net I found similar SFP module that ZISA OP151S does everything do. The GPON SFP stick is from Usource Technology its DFP-34G-2C2 if you want to try searching on the net. What makes this GPON SFP stick even more better than ZISA OP151S its already a ONT/ONU on a STICK, you can plug it directly to a giga Media Converter, SC Switch with sfp port, to a MikroTik giga Switch or to a running pfSense mini ITX box just add a Chelso PCI card with SFP module port.

The GPON SFP module Stick DFP-34G-2C2 ONT/ONU  is base on a SoC ARM v7 (ZX279125) running at 600Mhz and nearly 1200 bogomips, with 32Mb integrated RAM and a 16Mb of external (SPI?) flash (source) running Linux ZTE flavour 2.6.32 in a SFP form factor. You may like to see the datasheet here.

To be able to configure it there has to be some link in the optical connection, otherwise the SFP interface in your switch/router might not linkup and the SFP internal IP might not be reachable.

The default connection info is as follows:

    IP: 192.168.1.1

    VLAN: 1

    URL: http://192.168.1.1

    User: admin

    Pass: admin

In its web GUI you can configure PON settings and even routing mode. By default, there is no WAN connection (this means there’s no routing mode, only bridge with all vlans through the SFP interface port). You can make the SFP a router to route you house/office traffic by making a WAN connection but I prefer to keep it as bridge.

Once in the web configuration page we can configure LOID, SN and their passwords as per our ISP requirements:

There is also telnet access with the following credentials:

    User: root

    Pass: Pon521

Telnet access is for Linux advanced users and is not recommended to tamper with.

The GPON SFP module stick DFP-34G-2C2 can get purchase online via AliExpress online store.

Read More

Mercusy MW301R Cheap 300Mbps Wireless Router

Mercusy is another subsidiary of TP-Link for budget wireless devices such as wireless access point and router devices.  I seen this Mercusy MW301R 300Mbps cheap plastic case budget router with the price tag of 495Php online its around 10USD if we convert that from Philippine peso. The MW301R is so tiny more or less a clone of TP-Link WR820N v2.0 except that the flash of WR820N v2 is 2Mb whereas SoC and RAM exactly the same including the LAN/WAN ports.

MW301R is equip with MediaTek MT7628KN SoC a single core 570MHz processor, RAM is not expandable it is built-in inside the SoC its 8MB whereas FLASH can be replace with any 8pin chips such 25Q series flash chip.

I buy it for the purpose of its small form factor that I can turn it into OpenWrt IoT, I thought it was just like WR701N and WR703N were you can just desolder the RAM and the FLASH and replace it with higher capacity so OpenWrt will work with full functionality. It was a mistake because during my purchase of this Mercusy devices I can not find any docs on Google.

The only possible thing about this MW301R is upgrade the RAM with 2Mb flash and replace with TP-Link firmware to make it WR820N v2.0 which support the following WISP, AP with smart DHCP, Reapeter or Extenbder. With Mercusys firmware MW301R this device is limited to WAN PPPoE, Dynamic and Static IP only. It has WDS but the range is not that power as such MT7628N SoC like WR840N and WR841N.

Upon testing on the wireless access point I plug my 100Mbps fiber optic connection to the WAN ports it can only gives me around 25Mbps, direct connection on the LAN ports about 39Mbps only. Not bad for the price tag 495Php if you intend to use it at home for limited user for less than ten users only.

Serial port is present on the circuit board its labeled with Tx, Rx and Vcc. USB port can be moded if you wish to have one for some purposes docs is available online.

Read More

ADO PISO WIFI VLAN NO USB LAN, NO NEWIFI3 D2, ANY OPENWRT FW WILL DO

Today I want to share to my readers this over whelming PiSo WiFi Vending machine that majority of Netizens are aiming to build or buy this kind of small business apparatus. I was intrigue by this famous low cost dual band AC1200 wireless router from forum and including on the youtube channels. Lenovo Comfast NEWIFI3 D2 is a 5 port Giga LAN/WAN that competes most well known WAPs such MikroTik, TP-Link, Linksys and others you name it.

I was just curious that I thought it was not equip with RF Amps, good enough the power output is less than 800mWatt its powerful if someone can buil a good 2.4GHz antenna. The 5GHz also can transmit at less than 200mWatt.

My purpose on getting this NEWIFI3 D2 is for my oldys PiSo vendo machine that I wanted to omit the USB LAN that need to be retired. After doing experiment with different firmware I went on sticking with OpenWRT. Now I realize that the NEWIFI3 D2 I buy is now serving only as a L2 managed switch and as a WAP (wireless access point). I did not get TP-Link SG105E and SG108E cause it is a semi managed switch.

I happen to realize again that have a bunch of TP-Link wireless router that can do that task which NEWIFI3 D2 can do except my old wireless router do not have the AC WiFi.

If in your case you are tight budget you can get TP-Link TL-WR740N which is more cheaper and make it as manage switch for Ado Piso WiFi vendo machine.

This will only work if the PiSo WiFi software VLAN is editable, some other vendo wifi developer the VLAN/TAG is fix the end user do not have the permission to edit those value. 

Read More

TP-Link WR940N v4/v5 Brush LEDE OpenWrt

Hold and press RESET button then power ON the wireless router.

Set the PC LAN Ip address to 192.168.0.66


Install Tftpd32 on Windows machine and rename LEDE/Openwrt to wr940nv6_tp_recovery

Read More

OpenWrt L2 Wireless Bridge Client Plus Access Point

My simple way of doing OpenWrt Layer2 Wireless Bridge Client plus Access Point.


root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
option type 'mac80211'
option channel '11'
option hwmode '11g'
option path 'platform/qca953x_wmac'
option htmode 'HT20'
option disabled '0'
option country 'US'
option legacy_rates '1'

config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option encryption 'none'
option ssid 'AP101'
option network 'lan'

config wifi-iface
option ssid 'WR941ND'
option encryption 'psk2'
option device 'radio0'
option mode 'sta'
option bssid '00:23:45:67:89:AB'
option key 'password'
option network 'wwan'

root@OpenWrt:~#



root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
option ula_prefix 'fd53:bbc3:725d::/48'

config interface 'lan'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option ip6assign '60'
option ifname 'eth0'
option delegate '0'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'

config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0 1 2 3 4'

config interface 'wwan'
option proto 'relay'
list network 'lan'

root@OpenWrt:~#


config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'

config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan wwan'

config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'

config forwarding
option src 'lan'
option dest 'wan'

config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

config include
option path '/etc/firewall.user'

root@OpenWrt:~#

Read More

AR9341 Router TTL Line Brush Machine

Recently, I have a batch of OEM PoE routers that do not have a USB interface. It is just used to study the TTL flash machine.

Then connect the USB to TTL. Note here that some boards will be incompatible with garbled characters. You can try to change the baud rate. If not, just change a USB to TTL board.

The computer uses SecureCRT, serial port connection, there is no character on the connection, then power on the router, the screen starts to display UBOOT, press any key to interrupt, some press TPL interrupt or ctrl + c interrupt, I first flash breed

These software will be provided below to download, understand the command of FLASH before brushing

2MB FLASH


Flash programmer firmware: tftp 0x80000000 full.bin
erase 0x9f000000 + 0x200000
cp.b 0x80000000 0x9f000000 0x200000 flash
uboot:
tftp 0x80000000 uboot.bin
erase 0x9f000000 + 0x20000
cp.b 0x80000000 0x9f000000 0x20000 flash
fw:
tftp
0x80x9fwfc.
cp.b 0x80000000 0x9f020000 0x1c0000
brush art:
tftp 0x80000000 art.bin
erase 0x9f1f0000 + 0x10000
cp.b 0x80000000 0x9f1f0000 0x10000


4MB FLASH

Flash programmer firmware: tftp 0x80000000 full.bin

erase 0x9f000000 + 0x400000

cp.b 0x80000000 0x9f000000 0x400000 flash

uboot:

tftp 0x80000000 uboot.bin

erase 0x9f000000 + 0x20000

cp.b 0x80000000 0x9f000000 0x20000 flash

fw: tftp 0x80x9 fw0f0f3

cp.b 0x80000000 0x9f020000 0x3c0000

brush art:

tftp 0x80000000 art.bin

erase 0x9f3f0000 + 0x10000

cp.b 0x80000000 0x9f3f0000 0x10000


8MB FLASH

Flash programmer firmware: tftp 0x80000000 full.bin
erase 0x9f000000 + 0x800000
cp.b 0x80000000 0x9f000000 0x800000 flash
uboot:
tftp 0x80000000 uboot.bin
erase 0x9f000000 + 0x20000
cp.b 0x80000000 0x9f000000 0x20000 flash
fw:
tftp
0x80x9 fw.f02
cp.b 0x80000000 0x9f020000 0x7c0000
brush art:
tftp 0x80000000 art.bin
erase 0x9f7f0000 + 0x10000
cp.b 0x80000000 0x9f7f0000 0x10000


16M FLASH: flash address from 0x000000 ~ 0x0FFFFFF
ttl access flash address from 0x9F000000 ~ 0x9F0FFFFFF


The network cable is connected to the router lan port, the computer configuration is set to 192.168.0.2, the mask is 255.255.255.0, and the gateway is 192.168.0.1

Open tftp in my software package, select the network card connected to the router's network cable, it will normally display the IP 192.168.0.2, click "Show Dir" contains a firmware of breed-ar9341.bin, first flash him, execute the following command

setenv ipaddr 192.168.0.1

setenv serverip 192.168.0.2

tftp 0x80000000 breed-ar9341.bin

When done appears, it means that the brushing is successful, and then execute

erase 0x9f000000 + 0x20000

cp.b 0x80000000 0x9f000000 0x20000

When done appears, flashing in is successful. Unplug the router and plug it in again. SecureCRT displays the Breed boot and press any key terminal. At the same time, you can see that the default lan port address is 192.168.1.1

Connect the computer browser to 192.168.1.1, then you can directly use the Breed Web


Enter 192.168.0.1 in the address bar of the browser and select the firmware upgrade. Here you should save the original firmware under backup. You can configure openwrt after the flashing is completed.

Software download address:

https://pan.baidu.com/s/1Z7PkN8ROxpDITdRZHgw3nQ

Extraction code: be5m

Read More

Tenda G103 ONU works on HUAWEI OLT

Today a friend from India an FTTH subscriber of RailWire ISP share the thoughts of his Tenda G103  ONU (Optical Network Unit) as a replacement to Huawei ONT (Optical Network Terminal).

Looking for serial port pin header very easy to guess just like the other wireless router that has Ground TX RX and VCC.

The good news firmware is base on opensource OpenWrt image_name=openwrt-lantiq-falcon-EASY98020

The Tenda ONU G103 is equip with 400MHz Falcon-D Lantiq Chips, with 64MB DDRAM and 8MB Flash.

Another interesting command line interface

Press SPACE to delay and Ctrl-C to abort autoboot in 5 seconds
FALCON => bdinfo
boot_params = 0x83F2FF98
memstart = 0x80000000
memsize = 0x04000000
flashstart = 0xB0000000
flashsize = 0xFFFF0000
flashoffset = 0x00000000
ethaddr = C8:3A:35:B3:E8:50
ip_addr = 192.168.5.1
baudrate = 115200 bps
FALCON => ?
? - alias for 'help'
asc0_fixup- fix asc0 pins (for silent boot)
askenv - get environment variables from stdin
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BOOTP/TFTP protocol
chipinfo- print chip info
cmp - memory compare
cp - memory copy
crc32 - checksum calculation
ddrlp - config DDR LowPower
ddrstatus- show DDR Controller status
dhcp - boot image via network using DHCP/TFTP protocol
echo - echo args to console
editenv - edit environment variable
eeprom - EEPROM sub-system
env - environment handling commands
exit - exit script
extphy - external PHY enable (clock and reset)
false - do nothing, unsuccessfully
go - start application at address 'addr'
gpio - input/set/clear/toggle gpio pins
help - print command description/usage
httpd - start webserver
i2c - I2C sub-system
iminfo - print header information for application image
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mii - MII utility commands
mm - memory modify (auto-incrementing address)
mmd - MMD utility commands
mtest - simple RAM read/write test
mw - memory write (fill)
nm - memory modify (constant address)
ping - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sf - SPI flash sub-system
sfboot - boot from serial flash device
showvar - print local hushshell variables
sleep - delay execution for some time
sntp - synchronize RTC via network
source - run script from memory
test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tlb - setup TLB (virtual memory) mapping
true - do nothing, successfully
version - print monitor, compiler and linker version
wdoff - switch watchdog off
wdtest - watchdog test (endless loop!)
wdtime - set watchdog timeout

On the printenv

FALCON => printenv
act_img_addr=0xBF20003C
addip=setenv bootargs ${bootargs} ip=${ipaddr}:${serverip}:${gatewayip}:${netmask}:${hostname}:${netdev}:off
addmisc=setenv bootargs ${bootargs} ethaddr=${ethaddr} machtype=${machtype} ignore_loglevel vpe1_load_addr=0x83f00000 vpe1_mem=1M mem=63M ${mtdparts}
addmtdparts0=setenv mtdparts mtdparts=sflash:256k(uboot),128k(uboot_env),3712k(linux),3712k(image1),384k(rootfs_data),8192k@0(all)
addmtdparts1=setenv mtdparts mtdparts=sflash:256k(uboot),128k(uboot_env),3712k(image0),3712k(linux),384k(rootfs_data),8192k@0(all)
baudrate=115200
boot_image=run boot_image${c_img};
boot_image0=run kernel0_from_sf flashargs addip addmtdparts0 addmisc && bootm ${ram_addr}
boot_image1=run kernel1_from_sf flashargs addip addmtdparts1 addmisc && bootm ${ram_addr}
boot_image_err=setenv kernel_offs ${kernel0_offs};httpd && setenv image0_is_valid 1
bootcmd=run flash_flash
bootdelay=5
committed_image=1
data_addr=0xB07a0000
data_offs=0x7a0000
data_size=0x60000
env_offs=0x40000
env_offs_redund=0x50000
ethact=GPHY0
ethaddr=C8:3A:35:edited
ethrotate=no
extphy=1
fileaddr=80F00000
filesize=380004
flash_flash=run select_image boot_image
flashargs=setenv bootargs rootfstype=squashfs,jffs2
goi_config=begin-base64 644 goi_config@H4sIAGrcIVMCA+1XS0/bQBDOtfkVW3HICbOzT7tWD6hAhQoSIhE9RMja2Jtg@1c5atmnpv+84KTgPp1woFWq+i62dz/PamZ21reOj2M2n6exo5tJo+dp7WVCE@lnLxRGw+maS8B4wD5VKB0D0KXDHdI7T3CrivalMS0iudq//Ee07+RtFf7jjB@zSeDWeYmJhv037miTt2cfDJZOilN8z5Kc4uZygsyYBTkIVWHACNQH5gY9NeU@lGY+s9XGYm3zwqKm+9JGtZlkDeHRyqi0UzLglHuBTxVlwm9lN8dXJ9EkiRYU@yTwutJKKyQ1GFZtsyaEeUH/DeBIncWSKZNMn9LTK07q25Q5JVLgfW8LczdPa@la0Hl+jASqaiz4ssYkQt5QR9o9HVBSUDCAKPrktgKWFaiVUR6n2ol6JD6mkp@FOZHK6VbynnuElTw+3vpgZaKYw4Dta0GUA142pdoRigO0KUGScA9wQPFGJdS@boeADCZUVwiNJFC8KwS2sE3B577GCLptI0l7PhqVPAAssm3brLEAXbYbiWRs@TYQ10aYdv/M7pLBD6qbTyj4mH/gOvRix2qm2Q/iktdkLpnZoxVh8Lndo7RA+@aW2yzBe+rhesNRX2XW7n9UrTrbaMZFIGjCktYaVor4fD8whEQBNTfnuk4nnt@A/cpoz5HdLBXFTMRYL1iNQGwDmphSjNxWRov+eD5WJeSYuU1fqwF4fL7jZWJ@q8xKPHg6RWeZmaGadvXCueLSJRZ3eOPraVylLe/zzRDdfYCJll1nR+xK27We@JM3h8KbPf4vzv0lCvBj/Zmb/go1n5j8CmvkvtBBCaobzn2lN9/P/NUB7e/zP@WO//xdUsykxly+ZI9uLq+wv1P945dvY/KNne/ynyQAFT+/5/DRzg/YHMXU3i@u+beTuo7S0Y/C0vSBO8L6TS15fswDPvN2seL4+HpdXR9etasHODMxd+B8Zfb@8Ly+I+P8+DYcnpLx/dej5hVHCRlXt32814faE74OgUpPST+k/X3b7bHHHnv8@c/wCI53hZAAUAAA=@====@
gphy0_phyaddr=0
gphy1_phyaddr=1
image0_addr=0xB0060000
image0_is_valid=1
image0_version=G10xla_v1.0.0.2_cn
image1_addr=0xB0400000
image1_is_valid=1
image1_version=G10xla_v1.0.0.2_cn
image_name=openwrt-lantiq-falcon-EASY98020
ipaddr=192.168.5.1
kernel0_from_sf=sf probe 0;sf read ${ram_addr} ${kernel0_offs} ${max_kernel_size}
kernel0_offs=0x60000
kernel1_from_sf=sf probe 0;sf read ${ram_addr} ${kernel1_offs} ${max_kernel_size}
kernel1_offs=0x400000
lang=en
load_kernel=tftpboot ${ram_addr} ${tftppath}${image_name}-uImage
load_uboot=tftpboot ${ram_addr} ${tftppath}u-boot.img
machtype=EASY98020
magic_addr=0xBF200038
magic_val=0xDEADBEEF
max_kernel_size=0x180000
net_nfs=run load_kernel nfsargs addip addmtdparts0 addmisc;bootm ${ram_addr}
nfsargs=setenv bootargs root=/dev/nfs rw nfsroot=${serverip}:${rootpath},${nfsoptions}
nfsoptions=rsize=1024,wsize=1024
omci_loid=GPONONU15
ponmac=00:A1:B2:edited
preboot=echo;echo Type "run flash_nfs" to mount root filesystem over NFS;echo
ram_addr=0x80F00000
reset_uboot_env=sf probe 0;sf erase 0x40000 0x20000
restore_sta=0
rgmii0_phyaddr=4
rgmii1_phyaddr=5
save_uboot=sf probe 0;sf erase 0 0x40000;sf write ${ram_addr} 0 ${filesize}
select_image=setenv activate_image -1;if itest *${magic_addr} == ${magic_val} ; then if itest *${act_img_addr} == 0 ; then setenv activate_image 0;fi;if itest *${act_img_addr} == 1 ; then setenv activate_image 1;fi;mw ${magic_addr} 0x0;mw ${act_img_addr} 0x0;fi;if test $activate_image = -1 ; then setenv c_img $committed_image;else setenv c_img $activate_image;setenv activate_image -1;fi;if test $c_img = 0 && test $image0_is_valid = 0 ; then setenv c_img 1;fi;if test $c_img = 1 && test $image1_is_valid = 0 ; then setenv c_img 0;fi;if test $image0_is_valid = 0 && test $image1_is_valid = 0 ; then setenv c_img _err;fi;exit 0
serial_number=5444544335edited
serverip=192.168.1.2
sgmii_inv=1
sgmii_phyaddr=6
stderr=serial
stdin=serial
stdout=serial
sw_release_time=Apr 20 2015
sw_ver=V1.0.0.2
uboot_env_svn=144
update_image0=tftpboot ${ram_addr} ${tftppath}${image_name}-squashfs.image;sf probe 0;sf erase ${kernel0_offs} +${filesize};sf write ${ram_addr} ${kernel0_offs} ${filesize}
update_image1=tftpboot ${ram_addr} ${tftppath}${image_name}-squashfs.image;sf probe 0;sf erase ${kernel1_offs} +${filesize};sf write ${ram_addr} ${kernel1_offs} ${filesize}
update_openwrt=run update_image0 && setenv committed_image 0 && setenv image0_is_valid 1 && saveenv && run update_rootfs_data
update_rootfs_data=sf probe 0;sf erase ${data_offs} +${data_size}
update_uboot=run load_uboot && run save_uboot
us_vlan_id=145
us_vlan_mode=0
us_vlan_priority=1
ver=U-Boot 2011.12-lantiq-gpon-1.2.20.1 (Sep 18 2014 - 15:38:45),uboot_svn_id=144
vlan_mode=0
vlan_mode_option=0
Environment size: 5203/65531 bytes
FALCON =>

To be continue will see the command line interface of this Tenda G103, this is absolutely applicable on PLDTHOMEFIBR, we can now replace our HUAWEI ONU/ONT with this device.

Read More

TP-Link WR886N Chinese Third Party Firmware

Here we go after we done moding the FLASH and RAM its time for us to Brush it with the third party firmware. This device WR886N version 3.0 is supported by OpenWrt, SuperWrt, DD-Wrt and Gargoyle Linux opensource firmware. What we need is a USB cheap 25Q FLASH programmer and USB to TTL for the serial console. Next is decide to which boot loader you want to be accustom with.

The first boot loader utility is BREED aka  Boot and Recovery Environment for Embedded Devices is a close source boot loader by hackpascal, its in Simplified Chinese language just use Google translate to let you understand their script. You can download it on Google filename breed-tp9343.bin.

The second boot loader is also a BREED but modified version of the Simplified Chinese language its in English version. Download on the Giant Search engine filename u-boot_tp9343.bin.

The third boot loader is from TP-Link WR940N version 3.0 stock firmware stripped u-boot, filename is u-boot_tp-link_wr940nv3.bin.

The first brushing I did is with the TP-Link stock firmware WR940N version 3.x is also identical to WR941ND version 6.x such SoC. RAM and FLASH. Likewise WR940N version 4.x and 5.x too.

This is TP-Link stock firmware version 4.x if you want to know more about the internal web graphical user interface just visit tp-link.com for the respective wireless router emulator.

Brushing with third party firmware such as OpenWrt is straight forward since you can just upload via web interface if the wireless router is in the TP-Link stock firmware, TFTP is another method on brushing the firmware its usually use for device recovery from bricked devices.

I have more favor on OpenWrt third party firmware because of its plenty packages for the wireless router. Successfully also tested on LEDE both WR940N and WR941ND. On the Chinese forum someone mention that the WR886N ver3.0 can be flashed with TP-Link WR940N version 5.x, ow true is it?

This is TP-Link new web graphical user interface that added some features like Access Point only, Repeater or Range Extender, and WISP unlike the old version this addition function is not supported except for WDS and Wireless router only. The said added features were only exclusive for the TP-Link WA series device not on WR and WDR. The firmware option brushing may depends on the users, what I like on OpenWrt firmware is SoC TP9343 can be fully enhanced to 26dBm or 398mW of power.

If you know other third party Linux firmware that I did not mention let me know I want to brush it with your firmware that you have tried.

Read More

TP-Link WR886N Chinese Version 3 Mod RAM FLASH

First we have to open the clam shell type casing of the TP-Link WR886N chinese version 3.0 it has only two small screw found at the back of the device. Unscrew it, use plastic or metal knife to open the rounded clam upper cover.

Things needed basic electronics skill, hot air gun for desoldering the RAM and the FLASH. I used portable hot air gun in my case, for FLASH at least 400 to 450 C so I can lift it with the tweezers while 500 to 550 C for the RAM.

An old RAM of my Laptop PC3200 with eight chips memory module by 64MB to substitute the TP-Link WR886N 16MB memory.

Let just swap the RAM of the memory module to the router, putting back the memory to the router is sweating it will takes time aligning it and most of the time the memory pins don't sits properly need to clean the pad and the pins before heating it back onto the circuit board.

Once it done the FLASH and the RAM are on its place, testing and power ups so we can proceed to Brushing the third party firmware.

Read More

TP-Link WR886N Chinese V3 Specs

A week before went to online store and look for a second hand wireless router that I can make used of for OpenWrt plus VPN addons or similar cheap router that support it. So here I found a used  TP-Link WR886N Chinese version 3.0 it looks like the device is good and very cheap and the specs is near to average for consumer.

Less than ten days the parcel arrived, a postmen came to deliver to the house and paid for the COD.
I ordered two pieces for me the price is reasonable it only cost 354.00 Php each while the shipping is 100 Php for the two devices.

Looking at the physical appearance it has three 5dBi flat circuit omni directional antenna, fronting single system/power  LED.

At the rear face are the power input jack it has no ON/OFF switch, pin hole RESET button, single WAN port 100Mbps and four 100Mbps LAN ports.

The FLASH is 25Q16 series this mean that the chips is 16M-bit Serial Flash or in other words its only a 2Mbytes of flash storage.

The RAM is from Zentel its A3S28D40JTP-50, further specs of the memory its a 128M Double Data Rate Synchronous DRAM. It has only a capacity of 16MB of RAM.

The TP-Link WR886N Chinese version 3.0 is equip with Qualcomm Atheros TP9343-AL3A from Taiwan. The SoC has 750 Mhz processor of speed.

The internal circuitry of the TP-Link WR886N Chinese version 3.0 seems to be have many clones but different name model.  According to Wikidevi which now Deviwiki this wireless router device known similar are TP-LINK TL-WA901ND v4.x and v5.x, TL-WR882N v1.x, TL-WR886N v1.x, TL-WR940N v3.x/v4.x/v5.x, WR941ND v6.x and TL-WR941HP v1.x.

The mention above TP-Link wireless routers are identical to WR886N version 3.0  same SoC but some others vary on RAM and FLASH have more such 4MB and 32MB. For this device it will not qualify to Brush it with third party firmware wireless router such as  OpenWrt, SuperWrt, DD-Wrt or Gargoyle. The remedy for this device WR886N ver3.0 is to modify the RAM and FLASH to make it fully functional third party opensource wireless router firmware.

Read More

Overwrite A5-V11 Qualcomm OEM Firmware With OpenWrt Image

Here are few steps to overwrite OEM firmware of a5-v11 router with openwrt.

1) Prepare a FAT formatted USB-Flash-Drive and unzip this a5-v11-openwrt.zip to USB-Flash-Drive. (Important: do not just copy a5-v11-openwrt.zip to flash-drive, unzip this file to USB-Flash-Drive, this folder contains openwrt-factory.bin with needed boot-loader and update scripts)

2) Prepare this setup as shown in the picture below.

3) After applying +5v power to a5-v11, RED-LED on this router stays ON for few seconds, and then BLUE-LED starts blinking (from power-ON to blinking-blue-led-state, it takes about 1minute)

4) By this time, your PC would get the ip in the range of 192.168.100.x from the a5-v11's dhcp server.

5) Ensure that your a5-v11 has qualcomm firmware by looking at the web-UI of this router.

NOTE: Do not continue incase if your router's web-page is different than the one shown above(Qualcomm), you might have received another variant having chinese firmware, Instructions for overwriting the chinese firmware are given in my other blog.

6) telnet to the a5-v11 using putty.exe(or telnet command) as shown below.

6) Run the following commands as shown in the picture below

7) After rebooot, wait for a minute, this time, openwrt firmware would boot on a5-v11, and your PC would get the ip in the range of 192.168.1.x

8)If everything goes well, your browser would show the following webUI of openwrt

9) As shown above, follow step-1 and 2 to login with default root user.

10) After login you will see following page

11) you can overwrite openwrt firmware with your own openwrt-variant by clicking on menu system=>Backup/Flash Firmware as shown in the picture above.Have Fun hacking your a5-v11 with opensource firmware!!!

Read More

Hack TX Power QCA9533 to 30dbm

Hack TX power family of QCA9533 chipset to 30dbm real TX power 23-24dbm

or around 200mW.

Can be applied to TL-841ND v10 / v11, TL-WR840N v2 and TL-WR740N v6 (but only tested on TL-WR841ND v10):

Step 1 :

I assume the router is installed fw ddwrt, enable the ssh feature on the router in the service and administration tab, save, then apply settings, then reboot

Step 2 :

download the partition art that is on this link:

http://www.mediafire.com/file/8sc11lv5l36k49i/artHACKED+%281%29.bin

Then rename it to "art.bin" without quote

Step 3 :

With the WinSCP Utility send (export) to the folder / tmp router that we downloaded and renamed earlier. make sure art.bin is in the / tmp folder by checking via putty demgan command:

ls /tmp

Step 4 :

Execute files already in the router via putty with the command:

mtd -r write /tmp/art.bin board_config

Step 5 :

Login to ddwrt, then tunning so that what we do works well, in the wireless tab, change country to "Canada", then change the TX power to 30dbm, then save, apply settings and finally reboot.

NB: channels are only 1-11, do not support super channel and only work well with country code "Canada"

Read More

Getting the PPP Username and Password for CenturyLink Zyxel C1000Z Modem

My first DSL modem in 1999 required Telnetting in via serial port to USB. I had to call a network technician at Qwest, and followed by typing in what seemed like arcane commands. I had no idea what I was doing. Things have changed for the better, but most DSL modems still have the ability to log into them directly through command line interfaces. The C1000Z runs BusyBox Linux which comes loaded with your usual base Linux utilities, so if you can wield Bash, you can hack your modem.

Grabbing your PPP username

I was looking to enabled the Transparent Bridge mode for my new Netgear R6050 after a friend managed to break the internal antenna on my Zyxel C1000Z, I wasn’t home so I don’t know the physics involved. Rather than pay $99 to CenturyLink for a new modem/router I decided to buy a new WAP/Router.

Having a little network administration under my belt, I figured I could grab the PPP Password.

The following guide was indispensable and got me 95% of the way there so I suggest checking it out first and/or following it along with my more “For Dummies” guide:

How to Find Your CenturyLink PPP Password on a Zyxel C1000Z Modem

You’ll want a basic understanding of SSH and/or Telnet. OS X regardless of version come with SSH and Telnet as does (almost) every flavor of Linux. Windows users will need Putty.

You’ll want a basic understanding of SSH and/or Telnet. OS X regardless of version come with SSH and Telnet as does (almost) every flavor of Linux. Windows users will need Putty.

Step 1:

First you’ll need to enable telnet in your Router, and you’ll need PPPoe enabled (Under WAN settings), these can easily be done through the Modem’s GUI

Step 2:

Fire up your terminal (Windows users will have to use Putty, and translate the instruction) and type:

telnet YOUR-IP-ADRRESS

In this example, my router’s IP address is 192.168.0.1, this is the default address so I would type:

telnet 192.168.0.1

It make take a moment for the router to respond, once it does, respond something like “BCM963268 Broadband Router” and it should ask for your username, type in the username you entered hit return and it should then ask for your password, enter the password you typed in, hit return.

Step 3:

Using the terminal we can call all the active tasks running on the modem, to do so type:

ps

Geek stuff: Users can use sh to access the BusyBox linux Bash shell and run task monitoring software like top. If you’re feeling adventurous, type sh and poke around using commands like ls and top. You can grab the process ID using top just like we do in step 4.

Step 4:

You should see a long list of responses, that read:

PID USER       VSZ STAT COMMAND  
1 admin     1556 S    init  
2 admin        0 SW<  [kthreadd]    3
 admin        0 SW<  [migration/0]  
4 admin        0 SW   [sirq-high/0]
and so on... We’re only interested in one entry, the one that’s running the pppd (or ppp*) command. it’ll probably be at the bottom. It should read something like:
3494 admin     1808 S    pppd -c ppp0.1 -i ptm0.1 -u myusername@qwest.net -p **

The myusername@qwest.net is your username.

Step 5:

cat proc/3494/cmdline 

Next you’ll need to analyze the process ID further, take special note of the preceding number, in this example its 3494. Type in the console:

pppd-cppp0.1-iptm0.1-umyusername@qwest.net-pjlFrVNtRMtU=-f0-D0-n1-L0-X120 >

The password portion of this is encoded, the tricky part here is identifying it. We know the that this is a concatenated line by gauging from the previous line. The password portion should be between -p  and -.  In this example, the encoded password is:

jlFrVNtRMtU=

Step 6:

This password is encoded in base64, thanks to the leg work Make a new tab or new terminal window, and type:

echo "jlFrVNtRMtU=" | base64 --decode

It should spit back something like:

ac7gkDnUmac-pro:~ user$

The ac7gkDnU will be your PPP password. Congrats! You’re now ready to enable transparent bridge mode on your router.

Article posted by blog@greggant.com

Read More

PLDT Fibr ONU AN5506-04-FA Backdoor Exploit

In the late year of 2016 there was a house to house PLDT agent promoting and advertising for the PLDT Home Fibr in our town particularly on my sister area, I was in my sister's resident that time and the PLDT Home Fibr promoter belling the gate of my sister house while I were there.  I open up the gate, the PLDT Home Fibr advertiser introduces me their Fiber Internet broadband product that they are having the limited promo  for FREE installation including the WiFi once you switch from other ISP's or waived the installation fees plus the device if your are a new subscriber on the monthly billing. I recommend and encourages my sister to get the offer of the PLDT Home Fibr as it is very late  this kind of stuff for my motherland whereas in other developed countries like Singapore or Malaysia they are far from us when it comes to technology.

I noticed the PLDT Home Fibr whenever your monthly internet bills overdue they will automatically disallow you from accessing the internet totally, your PLDT Fiber ONU is blocked and you can never ever enjoy surfing the net unless you have to pay your outstanding fees. Unlike Globe and Smart wireless internet broadband even if you device is banned from accessing the net still you can trick it with the vpn apps. I was thinking perhaps the PLDT Home Fibr is just like the old legacy SmartBro Canopy wireless internet that I have enjoyed the FREE internet for a very very long period time untill the WiMAX replace it.

I have stayed in my sister house during the weekends and the internet connection was interrupted due to late monthly bills payment. So i try to tweak with the old ways like the wireless internet SmartBro Canopy  and it works and my sister said how come you have the internet and we do not have? I said this is just temporary internet connection while your PLDT account is blocked.

While I was inside the PLDT Home Fibr ONU $hell I tour around and see what I have to see looking for stuffs that is interesting while hopping by hops into some other PLDT subscriber's ONU $hell. I find it very interesting, just imagine you can get into the PLDT ONU fiber device and hops by hops from one onto the other ONU device and can copy paste the inside or wipe out the entire filesystem of the ONU's.

The backdoor of PLDT Home Fibr ONU devices such as Fiberhome AN5506-04-F, AN5506-04-FA/T is very special that I do not want to disclosed on this blog. These three Fiberhome AN5506-04-XX series of the PLDT Home Fibr ONU device is until now widely open as of the time I am writing I have tested and proven and not have been yet close for sure the PLDT Tech team will not close the backdoor where they used to enter.

I write this issue because I want to differ the comment on kbeflo's gist.github by chudyvf that.

for those still have rp2627, change iptables directly.

iptables -R INPUT 1 -p TCP --dport 7547 -j REJECT --reject-with tcp-reset
iptables -I INPUT 2 -i lo -p TCP --dport 443 -j ACCEPT
iptables -I INPUT 3 -i br0 -p TCP --dport 23 -j ACCEPT
iptables -I INPUT 4 ! -i br0 -p TCP --dport 443 -j REJECT --reject-with tcp-reset
iptables -I INPUT 5 ! -i br0 -p TCP --dport 23 -j REJECT --reject-with tcp-reset

He commented or suggested, that the PLDT Home Fibr ONU devices aka Fiberhome AN5506-04-FA/T and AN5506-04-F to be safe from the PLDT ONU firmware updates RP2631, it is highly recommended that the above mentioned iptables command is a must for us to redo the iptables. On my own opinion as I have written and commented on kbeflo's gist.github the PLDT ONU firmware updates can not and will not be prevented from patching the firmware updates regardless of what ports you closed  or iptables you redo. The PLDT can still enter your ONU deivices using the so called BACKDOOR, whether  your are connected to the internet or NOT for as long as you are hook to the PLDT Fiberhome OLT you are bound for the firmware updates patching. As I have said I have been thru that backdoor!

My ultimate recommendation or solution to all the PLDT Home Fibr subscribers that are having or using the Fiberhome ONU devices such as AN5506-04-FA/T and AN5506-04-F is on the hardware side from being forcibly firmware updates to RP2631. But you have to be an electronics hobby, this thing needs basic soldering skill. The solution is to pull up the write-protect pinouts of the NAND flash from the circuit so that whenever there is an updates your ONU devices is protected unless you switch ON the write-protect of the NAND flash pinouts.

Your thoughts and comments are welcome, to be true I don't trust the PLDT Home Fibr ONU's better give me a fiber media converter I will provide my own wireless router access point, I rather have favor on OpenWRT, DD-Wrt or Tomato.

Read More

PLDT Fibr ONU AN5506-04-FA RP2631 Super Admin

Oh Well!!! Today when I woke up something strange happen to my PLDT Fibr Optical Network Unit (ONU) AN5506-04-FA as I have been expecting the so called RP2631 firmware update will be enforce and will be force to whether I like it or you don't, it will and will really be patched including YOURS and MINE.

What is new to the PLDT Fibr ONU firmware update RP2631? The Giant Telco ISP likes and wants their AN5506-04-FA/T ONU will serve just like a sitting duck as much as possible it would be a media converter only, why because 171 is fed up already about your calls you are so annoying!!!

Here's the quick and simple summary that PLDT wants to their all-in-one device aka the Fiberhome AN5506-04-FA/T Optical Network Unit and likewise a wireless access point (WAP) router built with two WiFi frequency such as 2.4GHz and 5GHz, it is also equip with two FXS for POTS but in addition you can insert your USB media device too. SAMBA and FTP server is great on this ONU device if were not restricted on the custom PLDT Fibr firmware.

Let see on the Graphical User Interface (GUI), the AN5506-04-FA/T RP2627 firmware downward you can login on the insecure port 80 via HTTP but not here in RP2631 HTTPS is being enforce while port 443 is use.

Next let see if the http://192.168.1.1/info.asp is still vulnerable without using any credential to login to the Fiberhome AN5506-04-FA/T ONU device.

Good patching the firmware already updated, its no longer accessible unlike before you can see the details without going to login to the PLDT Fibr ONU device. Thanks for that effort!

Now the exciting one, lets login to the PLDT Fibr AN5506-04-FA/T firmware RP2631. The username "admin" with the password "1234" for ordinary user account is no longer accepted its now being omitted. So what about the account for the username "adminpldt" with the password "6GFJdY4aAuUKJjdtSn7dC2x" will it be still accessible? And another thing is what happen to the Super Admin Account the username "fiberhomesuperadmin" with the password "sfuhgu" will it still work here on the new firmware updates.

As I have tested and verified all three previous username and password for PLDT Fibr ONU device AN5506-04-FA/T is no longer valid such as username "admin" password "1234", username "adminpldt" password "6GFJdY4aAuUKJjdtSn7dC2x" and username "fiberhomesuperadmin" password "sfuhgu" after the updates. Forget about your custom username and password that you have saved its totally gone.

When I dive and go into the shell I see two account credentials is allowed to get in,  only the Administrator account and the Super Admin account that the PLDT Fibr ONU is giving the permission to do login into the device nothing else can access the Graphical User Interface as for moment in time for my ONU. 

To access the PLDT AN5506-04-FA/T RP2631 firmware GUI Administrator account you have to point your web browser to https:/192.168.1.1/fh but you have to login first as Super Admin and enable the Web Admin Switch from the Management>> Device Mangement>> Debug Switch. Once enabled the Web Admin Switch logout and login again as Administrator account you can now again enjoy the privilege that have been enjoyed before of your ONU PLDT device.

Seen the above screenshot? Yes, that is the new PLDT Fibr ONU AN5506-04-FA/T RP2631 firmware update for the Super Admin account username "f~i!b@e#r$h%o^m*esuperadmin" its a 27 character so be careful on typo error its case sensitive. For Administrator account username still its "adminpldt" the password is no longer "1234567890" nor "0123456789" and certainly not "6GFJdY4aAuUKJjdtSn7dC2x" they changed it already. I am still planning to make a tutorial for the firmware downgrade from RP2631 to RP2627 will follow it soon to write.

Read More

PLDT HOME Fibr Multi-WAN

In February 2007 it was my very first time going out the country to work abroad for operation and maintenance in one of the International Airport in the  Kingdom of Saudi Arabia, I left my previous work in one of the famous University in my hometown. During that time the only fastest Internet broadband connection that you can get for residential was the twin copper wire that carries two carrier in a single physical line,  one for voice such as home phone and the other is data for the Internet. In contrast to my beloved Philippines the Digital Subscriber Loop (DSL) at that time is very expensive, I remember I have three (3)  Internet Cafe whom I work for part time job in 2001 till 2005 and one of the NetCafe only afford a dial-up Internet connection, but during those period of time Netscape is the fave browser and mIrc is the best messenger among all who we used to hang on the net everyday from morning until midnight.

So I experimented my company dial-up internet account whenever I am on the NetCafe during night time to see how it works, so there it goes, it works that credentials. From that moment in time every night time  I hang on my NetCafe I have a free dial-up internet connection. I did the same thing in Saudi Telecom but this time its a Asynchronous Digital Subscriber Line during my three years work period contract and it works because the technology infrastructure used by DSL is same as the dial-up connection the Plain Old Telephone Service (POTS), whereas DSL uses Public Telephone Switch Network (PTSN) is just an upgrade version of POTS using same carrier twin copper wire single physical line.

In the mid of 2009 I got an offered to pursue my MS degree in Electronic and Communications Engineering in Kuala Lumpur to one of the well known International University of that Asia Tiger States, so I did grabbed the opportunity and started new series of being a university student again. The mud city just started their Fiber Optic roll out over the busy town, and my Kondominium were I reside don't offer the Fiber Optic service because its a high rise building and we are on the 11th floor. That's how they pronounce it Kondominium not Condominium, this tall building is equip with xDSL communication infra own by the government the Telekom Malaysia. The good things about Very High Speed Digital Subscriber Line (VDSL) it offers a triple play, you have the voice internet and the video just like the Fiber To The Home (FTTH) the physical connection is twin copper wire of the PTSN whereas FTTH a Passive Optical Network (PON).

I am really eager on experimenting such things like this and I proved that it works as what I have done and mention on my previous case study. In this experiment on Telekom Malaysia xDSL its not only a single connection but multiple logical internet connections. I have a TP-Link WR-TL740N v1.2 reflashed it with OpenWRT firmware Attitude Adjustment 12.09 loaded it with Multi-WAN package and it works I tested up to twelve (12) WANs.

If it works on Saudi Telecom and Telekom Malaysia I thing it would be impossible if it will not work on PLDT or neither to GLOBE Telecom Infrastructure. But this time we are on the PON infra, whether or not the Philippines Giant Telco will of course not right away garbage their vintage SmartBro Canopy equipment  that they still keep on using the authentication technique for P1 wireless CPE an upgrade of SmartBro family brand whom we all know the long term MacDo free internet connection that GLOBE Telco also rival it.

On this case study I am still using my legacy Wireless Access Point (WAP) router WR-TL740N v1.2 it has one WAN port and four LAN ports no modem built but with WiFi BNG 150N Lite. The Processor is 350Mhz MIPS with 4MBit flash and 32MBit of RAM, reflashed with the third party Linux embedded firmware OpenWRT Attitude Adjustment 12.09 and of course the Multi-WAN package.

My final test proves that there is no difference whether the Telecommunication Infrastructure between POTS, PTSN and PON are same regardless to whatever the authentication technique are being implemented they will behave in the same passion, this is just on my observation. I was very unfortunate my dear Professor in that university is a Shifu in Fiberless Optical Communication which is opposite to my field of interest during that time of my study. This case study still unknown issue to the academe, perhaps already known but not yet been publish, not a threat but widely vulnerable.

Read More

PLDT Fiberhome AN5506-04 Slowing After Bridge

I have been satisfied with my PLDT Fibehome internet fiber broadband connection for several months with my download speed of up to 1.2Mbits per second per download. I have no complain about my subscription plan because it is a just and fair with my monthly billing. When the PLDT Fiberhome Technical Team installed my fiber connection my ONU/ONT Fiberhome AN5506-04-FA came with older software version RP2610, the PLDT Manila NOC (Network Operation Center) advice me not to power off the 3in1 device for software updates to RP2616. Yes the AN5506-04-FA is a three in one equipment, it is an ONU/ONT bundled with digital Modem (Modulator De-modulator) similar to media converter likewise a Router for routing, and at same time a WAP (Wireless Access Point) with two Bands, one is 2.4GHz and the other is 5GHz frequency, also a four LAN port and two POTS ports for wired PCs and Telephone.

It has been long time ago that my PLDT Fiberhome internet fiber connection from the time being installed I got no worry about even though the web GUI (Graphical User Interface) has only limited settings,with the helps of those Gurus out the in gist.github.com I able to fully access and navigate the rest of the ONU/ONT web GUI Menu and settings. Early on the month of April the tricks to navigate the rest of the Menus and settings with admin username and password 1234 are unavaible already. After checking the software version, oh! RP2616 is no longer on the Status Device Information but rather an update being done now its RP2621 already. The gist.github.com and symbianize.com altering 1.xml to 2.xml will log you out and prompt you the return2login.html. In other words me and the rest of the Netizen who use the same agenda will now have to end the enjoyable downloading that we have on the previous tricks and settings.

So I make a call and dialed 171, I speak to the CSR and made a request for Bridge Mode of my lousy PLDT Fiberhome ONU/ONT AN5506-04-FA software version RP2621 hoping that from Routing Mode to Bridging will solved my problem. This is purchasing a new wireless router to served for my said purposes. One day after PLDT Technical guy calls up and talk to me and ask me what is my concerned, I said, I just need to be Bridge my ONU/ONT AN5506-04-FA I will just provide another wireless router for me needs.

He told me just to hang the phone for a while and after three (3) minutes he told me to unplug the power adaptor and plug again then power it up. Yes so quick, after he told me to verify if its already in the Bridge Mode and I said yes. I was so happy on that day that my PLDT Fiberhome AN5506-04-FA ONU/ONT is now on Bridge mode.

So finally my goal on Bridging the ONU/ONT is now done worry not because my new TP-Link WR841N can handle it, this kind of router is cheap with fair price and it is also a well know brand in data communication. So from that day I didn't check my speedtest if there is improvement or worst than before. A month have pass I notice it when I download files that my downstream now is on 50Kbits, I keep on downloading until I come to the conclusion that there is something wrong with my speed. Even for YouTube video streaming it took sometime to load the video to play. When I read on the other thread some Netizen also facing this kind problem after changing their ONU/ONT AN5506-04-FA from Router mode to Bridge mode the speed of the downstream get worsen that what they are to expected.

Reading upon research from other thread online about ONU/ONT and OLT, I came to the conclusion that on the side of Optical Network Unit or Optical Network Terminal it won't serve the purpose, you are limited and can be locked, on my observations all the supervision and management are on the side of the Optical Line Terminal (OLT). The OLT can restrict your upload and download, it has also the authority even to null your ONU/ONT LAN ports to a single PC only. Of course there is a remedy for this, remember there is no secured system made by human being there is always a way in that is why they won't stop and always keep on patching from time to time because they know its INSECURED.

Read More

How To Change MAC Address on Embeded System

I have just purchased an ONU/ONT Fiberhome AN5506-01-A at AliExpress a well known online store in Asia region. I decided to buy it because of my Fiber Internet Service Provider is locking down all their Optical Network Unit aka Optical Network Terminal which only allow their subscriber to a limited privileges to the CPE device settings and configurations. My ISP are updating their device remotely via OMCI and not through TR069, the updates or the ONU firmware upgrade is done without your knowing to whether it is online or offline it can be done. Exactly the updates upon updates is done prior without noticed the so called firmware!

My problem is that the ONU AN5506-01-A came in to me is with the Software Version RP0521 and the Hardware Version is HX-2.134.318A9G, this stock firmware also has a limited basic configuration settings. Meaning some of the Menus and sub-menus are being omitted, you can not set the WAN to Bridge Mode on the web Graphical User Interface (GUI) its explicitly as Router mode only. Another thing is that the LAN menu or the setting is missing from the GUI, you can not modify your desired IP configuration, enabling and disabling DHCP server and relay are out of the context. Most of all its NOT a plug and play electronics equipment.

Why do I need to change the MAC Addresses?

Unlike xDSL internet connection, your ISP will just ask you what username and password you wish or they just provide you the username and the password for you such as yourname@isp and your password, most often you can even choose your desired password as you wish for it. Then choosing and buying your own personal wireless modem router from low to mid or high class residential gateway is just on your finger nail because the device is a plug and play after you input the given username and password given by your ISP its now connected to the internet.

Now here we go, I took the fiber patch cord from my ONU/ONT ISP and then plug it to my new Fiberhome AN5506-01-A the LOS LED turns off from blinking Red, and the PON LED now don't stop from blinking Yellow. Obviously the PON LED means that the ONU is not connected to the network or to the OLT it needs an authentication, once the ONU is connected the PON LED lit will be steady in yellow color.

To get the AN5506-01-A to be connected to the OLT of my ISP we need to copy first the PON MAC address of the ONU/ONT and Serial Number of it that was provided by the ISP and replicate to the new ONU/ONT AN5506-01-A.

How do we change the PON MAC Address of the Fiberhome AN5506-01-A?

The ONU/ONT Fiberhome An5506-01-A is a ARM Linux Embeded system, going to the web GUI there is no way of changing the PON MAC Address. The chances of spoofing the Passive Optical Network MAC address is in the Linux environment, we can log in via Telnet and we can get access to its Command Line Interface (CLI), after reviewing the commands it is very reluctant to clone the MAC address. Another option is thru Serial communication port, this is a terminal also a CLI were we can get help from Busybox.

To change the PON MAC Address of AN5506-01-A heres the command.

First find the physical MAC address of your ONU/ONT device by running this following command :

# ifconfig -a | grep HWaddr
pie0  Link encap:Ethernet HWaddr 00:1A:2B:3C:4D:5E

The hexadecimal numbers in blue denote my AN5506-01-A ONU/ONT PON MAC address.

Next, type this following commands.

# ifconfig pie0 down
# ifconfig pie0 hw ether 00:A1:B2:C3:D4:E5
# ifconfig pie0 up
# ifconfig pie0 |grep HWaddr

To check again if the PON MAC Address have been change already just repeat this following command.

# ifconfig -a | grep HWaddr
pie0  Link encap:Ethernet HWaddr 00:A1:B2:C3:D4:E5

This is just a temporary solution, once the machine is being rebooting it will just go back to its original MAC address.

The final option we can do is still via Serial port but now it would be thru U-Boot Linux environment. Power ON the ONU/ONT
then you will see U-Boot started you must be quick in 3 seconds it will continue to boot to the second level of booting. You have to hit any key in 3 seconds.

U-Boot 2010.03-svn462977 (Mar 09 2016 - 17:03:30)

DRAM:  16 MB
Boot From SPI Flash
CHIP ID = 51161110
NAND:  SFC ID: 0x0
SFC : cs0 unrecognized JEDEC id 00000000, extended id 00000000
SFC ID: 0xef4018
SFC: cs1 W25Q128BV (16384 Kbytes)
SFC: Detected W25Q128BV with page size 65536, total 16777216 bytes
SFC: sfc_read flash offset 0x40000, len 0x20000, memory buf 0x81560008
In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  2

Here's the following command in U-boot.

# setenv ponmac 00:A1:B2:C3:D4:E5

# saveenv

saveenv command means saving the environment variables. This will save permanently to the SPI FLASH storage.

Saving Environment to SPI Flash...
Erasing SPI flash...SFC: erase offset 0x40000, len 0x20000
erase cs 1
Writing to SPI flash...SFC: sfc_write flash to 0x40000, len 0x20000, memory buf 0x81560008
Erasing SPI flash...SFC: erase offset 0x60000, len 0x20000
erase cs 1
Writing to SPI flash...SFC: sfc_write flash to 0x60000, len 0x20000, memory buf 0x81560008
done

You must see something like this log messages.

Finally you can now use your ONU/ONT AN5506-01-A, just input the Serial Number of your device the OLT of your ISP provider will now give the authority to be connected to the system.

Read More