Try to brick "Trend MC2+" unsuccessful, get working router


Post by TheRaph » Sat Apr 12, 2014 4:00 am

Hello, this should be a report, not a question (maybe someone will find it helpful).

First things first, I'm not a native English speaker, so please excuse my bad enunciation.

The report is for "TRENDcommunication MC2+"
Link: http://www.idealindustries.de/product/1 ... _mc2_.html


History:

I was working for a telecommunication provider, as service technician, two years ago (I'm still working for that company, but now I'm sorting paper and email in an office ;) ).

If you are a technician and know the right people you're able to speed up your line a little bit. I think I don't need to explain what I did ;). But for every "good" there's an "evil" - and my speedup causes some instability on my line.
To handle this instability it's better to have a "very good modem" - I had one and it worked fine until it crashed.

So I lived some time with my instabilities and the "bad provider modem" and spent some time searching for a new "very good modem". Some months ago I got this MC2+ thingy and it worked PERFECTLY ... until yesterday. Then I was reading an article in a computer magazine about security holes in routers. So I did some tests with my MC2+ and realized that this thing was completely open. The complete menu was accessible from the world wide web! Without a password!

So I switched back to my "bad provider modem" and tried to get some better firmware for my "MC2+".

By some research on the internet I realized that it is very similar to the "Solwise SAR-600E" or "Aztech DSL 600ER" ... Some time later I landed on this forum.

I started to read the readme sites, some forum pages and so on. But there are no texts about the "MC2+".

With the knowledge in mind that there are some more of these MC2+ in the garbage box at work, I intended to start a brick contest ... How fast to brick a "MC2+" ... :D


The work:

So I started the download of the "1 port adam2" file ... (the wrong one ... explained later) and read the instructions ...

At first I was reading "1. Run the RouterTech Router Upgrade Checker (RUC), and save all the files that it generates in a secure place. You may need them later. If the program does not tell you that your router is supported, then stop right away. DO NOT SKIP THIS STEP UNDER ANY CIRCUMSTANCES."

So I decided to start RUC and got nothing. No idea how to set username and password ... some research later :idea: (readme.html) ... username: root password: Admin

In this readme file I found another interesting piece of information ... login per telnet, command: cat /proc/ticfg/env and watch the code ...

Code:

# cat /proc/ticfg/env
bootloaderVersion       1.2.5.9
IPA     192.168.1.1
MEMSZ   0x00800000
FLASHSZ 0x00200000
MODETTY0        9600,n,8,1,hw
MODETTY1        9600,n,8,1,hw
CPUFREQ 150000000
SYSFREQ 125000000
PROMPT  (psbl)
mtd2    0x90000000,0x90010000
mtd3    0x90010000,0x90020000
MAC_PORT        0
mtd4    0x90020000,0x90200000
mtd1    0x90020090,0x90097000
mtd0    0x90097000,0x90200000
vcc_encaps0     0.0
vcc_encaps1     0.0
vcc_encaps2     0.0
vcc_encaps3     0.0
vcc_encaps4     0.0
vcc_encaps5     0.0
vcc_encaps6     0.0
vcc_encaps7     0.0
usb_vid 0x0451
usb_pid 0x6060
BOOTCFG m:f:"mtd1"
modulation      MMODE
HWA_0   00:13:64:2A:81:C2
HWA_2   00:13:64:2A:81:C3
HWA_3   00:13:64:2A:81:C3
HWA_RNDIS       00:13:64:2A:81:C4
HWA_HRNDIS      00:13:64:2A:81:C5
ProductID       ADSL2/2+ Router
HWRevision      9308-1
SerialNumber    20060402
connection1     0x6d97

#

As you can see there is no adam2-bootloader ... ooooops ...

So I got back to the internet and downloaded the correct image (psbl) ...


The next start of RUC logs as follows:

Code:

00:00:000 Running script
00:00:000 Opening connection
00:00:233 ÿýÿý!ÿûÿû
BusyBox on (none) login:
00:00:435 Password:
00:00:435 Delay for 3 second(s)
00:03:435 BusyBox v0.61.pre (2006.06.27-06:38+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

#
00:03:637 shell: No such file or directory
#
00:03:838 cm_cli_tty: No such file or directory
#
00:03:842 End of script
00:03:842 ps: No such file or directory
#
00:03:842 Closed connection.
00:03:842 Closed connection.
Previous HTTP daemon process number is invalid.

Ok, this tells me "It won't work", but this can't hold me back. I'm a scientist and I'm determined to go where no man has gone before ... (and determined to brick this thingy).

The next step was "Backup" ... an original image is not available (but some more boxes ;) ), and ftp doesn't work ... so I decided to "cat" the files (env and led) and copy-paste them from telnet into a text editor ... env is seen above and led is here:

Code:

# cat /etc/led.conf
#################################################################
# Configuration File for AR7RD board
##################################################################
##################################################################
# The GPIO numbers 0 to 31  ==> correspond to GPIO pins  #########
# The GPIO numbers 32,33 are mapped to ADSL (LED) pins ###########
##################################################################


module = adsl    # module = {adsl,usb,pppoe}
##################################################################
# Note: state 0 for adsl is dummy state and is present only for ##
#       compatibility with the new LED driver                   ##
##################################################################
state   = 0     # 0=dummy, 1=idle, 2=training, 3=sync, 4=activity
gpio    = 33    # gpio number
mode    = 0     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash

state   = 1     # 0=dummy, 1=idle, 2=training, 3=sync, 4=activity
gpio    = 33    # gpio number
mode    = 0     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash

state   = 2     # 0=dummy, 1=idle, 2=training, 3=sync, 4=activity
gpio    = 33    # gpio number
mode    = 4     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash
param1  = 200   # flash on duration in ms
param2  = 200   # flash off duration in ms

state   = 3     # 0=dummy, 1=idle, 2=training, 3=sync, 4=activity
gpio    = 33    # gpio number
mode    = 1     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash

state   = 4     # 0=dummy, 1=idle, 2=training, 3=sync, 4=activity
gpio    = 33    # gpio number
mode    = 2     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash
param1  = 25    # blink/flash rate in ms
######################################################################
module = cpmac    # module = {adsl,usb,pppoe,wlan}

state   = 0     # 0 = link down, 1 = link up, 2 = pkt rcv, 3 = pkt xmit
gpio    = 15    # gpio number
mode    = 0     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash


state   = 1     # 0 = link down, 1 = link up, 2 = pkt rcv, 3 = pkt xmit
gpio    = 15    # gpio number
mode    = 1     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash

state   = 2     # 0 = link down, 1 = link up, 7 = pkt rcv, 6 = pkt xmit
gpio    = 15    # gpio number
mode    = 2     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash
param1  = 100   # blink/flash rate in ms

state   = 3     # 0 = link down, 1 = link up, 7 = pkt rcv, 6= pkt xmit
gpio    = 15    # gpio number
mode    = 2     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash
param1  = 100   # blink/flash rate in ms

######################################################################
module = usb    # module = {adsl,usb,pppoe}

state   = 0     # 0 = link down, 1 = link up, 2 = pkt rcv, 3 = pkt xmit
gpio    = 12    # gpio number
mode    = 0     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash


state   = 1     # 0 = link down, 1 = link up, 2 = pkt rcv, 3 = pkt xmit
gpio    = 12    # gpio number
mode    = 1     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash

state   = 2     # 0 = link down, 1 = link up, 2 = pkt rcv, 3 = pkt xmit
gpio    = 12    # gpio number
mode    = 2     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash
param1  = 100   # blink/flash rate in ms

state   = 3     # 0 = link down, 1 = link up, 2 = pkt rcv, 3 = pkt xmit
gpio    = 12    # gpio number
mode    = 2     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash
param1  = 100   # blink/flash rate in ms

######################################################################
module = pppoe    # module = {adsl,usb,pppoe}

state   = 0     # 0 = pppoe down, 1 = pppoe active
gpio    = 13    # gpio number
mode    = 0     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash

state   = 1     # 0 = pppoe down, 1 = pppoe active
gpio    = 13    # gpio number
mode    = 1     # 0 = off,1 = on,2 = blinkoff,3 = blinkon, 4 = Flash

I skipped Step 4 due to no WLAN.

The next step was to read more files (readme, faq etc.), I really enjoyed that.

Steps 5 and 6 I was not able to perform, so I skipped them too.

Step 7 is factory default ... and then starts the hot phase ...

I tried to load the img file into the router ... it didn't work ... 5 tries, no success!

The user manual of this MC2+ thingy helped me out ... the file name has to be "nsp.annexB.firmware.upgrade.img"

So I had to rename the file ...

After that, it works ... no more problems ... the LED works properly, no need to set up any configs.

I just had to put in my provider data and get online ... wheeew.


I tried to turn my "MC2+" into an expensive brick and failed. I got a phenomenal working router instead ...

So on ...


Raph
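
The check done by eye on the env dump in the post above (which bootloader is present, and where the flash partitions sit) can be scripted before choosing a firmware image. This is an added example, not part of the original post and not RouterTech's RUC tool; it assumes that the PROMPT value names the bootloader and that the lowest mtd start address is the flash base, and its function names are made up for illustration.

```python
import re

# Constructed sample: a subset of the env dump posted above.
SAMPLE_ENV = """\
# cat /proc/ticfg/env
bootloaderVersion       1.2.5.9
FLASHSZ 0x00200000
PROMPT  (psbl)
mtd2    0x90000000,0x90010000
mtd3    0x90010000,0x90020000
mtd4    0x90020000,0x90200000
mtd1    0x90020090,0x90097000
mtd0    0x90097000,0x90200000
BOOTCFG m:f:"mtd1"
"""

def parse_env(text):
    """Turn 'key<whitespace>value' lines into a dict; skip shell prompts."""
    env = {}
    for line in text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) == 2 and fields[0] != "#":
            env[fields[0]] = fields[1].strip()
    return env

def bootloader_type(env):
    """Assumption: the PROMPT value names the bootloader, as in the post."""
    prompt = env.get("PROMPT", "").lower()
    return next((n for n in ("psbl", "adam2") if n in prompt), "unknown")

def partitions(env):
    """Return {mtdN: (start, end)} for every 'mtdN start,end' entry."""
    parts = {}
    for key, value in env.items():
        m = re.fullmatch(r"(0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)", value)
        if m and re.fullmatch(r"mtd\d+", key):
            parts[key] = (int(m.group(1), 16), int(m.group(2), 16))
    return parts

def layout_problems(env):
    """List partitions that are empty/inverted or extend past FLASHSZ."""
    parts = partitions(env)
    if not parts or "FLASHSZ" not in env:
        return ["env has no mtd entries or no FLASHSZ"]
    base = min(start for start, _ in parts.values())  # assumed flash base
    limit = base + int(env["FLASHSZ"], 16)
    problems = []
    for name, (start, end) in sorted(parts.items()):
        if start >= end:
            problems.append(f"{name}: start is not below end")
        elif end > limit:
            problems.append(f"{name}: ends past flash limit {limit:#x}")
    return problems
```

Paste the saved telnet output into `parse_env()`; a `bootloader_type()` other than the one the image was built for, or a non-empty `layout_problems()` list, is a reason to stop before flashing.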
Post by thechief » Sat Apr 12, 2014 7:04 am

Well done! :-)