CPU | Ram | Flash | Network | USB | a/b line (POTS) | ISDN | Serial | JTAG |
---|---|---|---|---|---|---|---|---|
Kolibri P_2001 | ? MiB | ? MiB | 4 x 1 | 1 x USB Typ B | 8x analog Phone | 1x internal 1x external | Yes (but disabled) | Yes (but not tested) |
Serial console is V24. Default settings are: 57100, 8, n, 1
pin | signal |
---|---|
- | 3V3 |
- | TX |
- | RX |
- | GND |
- | - |
- | - |
Linux Kernel 2.0.38.0 |
Vendor: Funkwerk |
Syslogd Messages:
Jan 1 00:00:02 k800 syslogd[24]: [MSG] version 1.4.1 (re)started Jan 1 00:00:02 k800 vmlinux: memory available is 15449KB Jan 1 00:00:02 k800 vmlinux: start_mem is 0x400e1938 Jan 1 00:00:02 k800 vmlinux: virtual_end is 0x40ff8000 Jan 1 00:00:02 k800 vmlinux: before free_area_init Jan 1 00:00:02 k800 vmlinux: free_area_init -> start_mem is 0x400e3938 Jan 1 00:00:02 k800 vmlinux: virtual_end is 0x40ff8000 Jan 1 00:00:02 k800 vmlinux: Calibrating delay loop.. ok - 56.72 BogoMIPS Jan 1 00:00:02 k800 vmlinux: Memory: 13888k/15M available (712k kernel code, 32k reserved, 1720k data) Jan 1 00:00:02 k800 vmlinux: Swansea University Computer Society NET3.035 for Linux 2.0 Jan 1 00:00:02 k800 vmlinux: NET3: Unix domain sockets 0.13 for Linux NET3.035. Jan 1 00:00:02 k800 vmlinux: Swansea University Computer Society TCP/IP for NET3.034 Jan 1 00:00:02 k800 vmlinux: IP Protocols: ICMP, UDP, TCP Jan 1 00:00:02 k800 vmlinux: Linux version 2.0.38.0 (lueck@TE3lnx-1) (gcc version 2.95.4 20010319 (prerelease)) #1 Mi Dez 15 11:22:14 CET 2010 Jan 1 00:00:02 k800 vmlinux: am29: [INF] flashmem_init (simulation=off) Jan 1 00:00:02 k800 vmlinux: am29: [INF] flashid: 0x7f, 0x49 Jan 1 00:00:02 k800 vmlinux: am29: [INF] toggling_bits=0x44 Jan 1 00:00:02 k800 vmlinux: am29: [INF] special_base=0x2000000 special_base2=0x2000000 Jan 1 00:00:02 k800 vmlinux: am29: [INF] special sectors map: Jan 1 00:00:02 k800 vmlinux: am29: [INF] start=0x0 size=0x4000 Jan 1 00:00:02 k800 vmlinux: am29: [INF] start=0x4000 size=0x2000 Jan 1 00:00:02 k800 vmlinux: am29: [INF] start=0x6000 size=0x2000 Jan 1 00:00:02 k800 vmlinux: am29: [INF] start=0x8000 size=0x8000 Jan 1 00:00:02 k800 vmlinux: am29: [INF] total=4 sectors in 1 region(s) Jan 1 00:00:02 k800 vmlinux: am29: [INF] org='BOTTOM' start_index=3 step=-1 Jan 1 00:00:02 k800 vmlinux: mtd: Giving out device 0 to EN29LV160Bottom Jan 1 00:00:02 k800 vmlinux: am29: [INF] flashmem_init (simulation=off) Jan 1 00:00:02 k800 vmlinux: am29: [INF] flashid: 0x3073, 0xfb Jan 1 00:00:02 k800 vmlinux: am29: [INF] toggling_bits=0x44 Jan 1 00:00:02 k800 vmlinux: am29: [ERR] unknown flash Jan 1 00:00:02 k800 vmlinux: am29: [ERR] unable to get flash info Jan 1 00:00:02 k800 vmlinux: Ramdisk driver initialized : 4 ramdisks of 1024K size Jan 1 00:00:02 k800 vmlinux: bmtd: [INF] registered device at major 42 Jan 1 00:00:02 k800 vmlinux: PPP: version 2.3.11 (demand dialling) Jan 1 00:00:02 k800 vmlinux: TCP compression code copyright 1989 Regents of the University of California Jan 1 00:00:02 k800 vmlinux: PPP line discipline registered. Jan 1 00:00:02 k800 vmlinux: ISDN subsystem Rev: 1.5/none/1.19/1.24/none Jan 1 00:00:02 k800 vmlinux: P2001 FIQ & Timer1 Handler Module - $Revision: 1.19 $, (Dec 15 2010, 11:23:24) Jan 1 00:00:02 k800 vmlinux: P2001 USB Remote NDIS Driver Module - $Revision: 1.33 $, (Dec 15 2010, 11:23:29) Jan 1 00:00:02 k800 vmlinux: P2001 HDLC Driver Module ( $Id: lh_hdlc_p2001.c,v 1.5 2002-04-18 12:26:36 haack Exp $, $Name: $ ) Jan 1 00:00:02 k800 vmlinux: P2001 L1 driver module Jan 1 00:00:02 k800 vmlinux: BHDLC driver module installed Jan 1 00:00:02 k800 vmlinux: VFS: Mounted root (romfs filesystem) readonly. Jan 1 00:00:02 k800 vmlinux: Elmeg LED Driver Module - Version 1.3 (Dec 15 2010, 11:26:15) Jan 1 00:00:02 k800 vmlinux: Elmeg 802.1D Ethernet SoftSwitch Module - Version 1.0 (Dec 15 2010, 11:26:21) Jan 1 00:00:03 k800 vmlinux: P2001 MFV Driver Module - $Revision: 1.21 $, (Dec 15 2010, 11:26:04) Jan 1 00:00:03 k800 vmlinux: P2001 CLIP Driver Module - $Revision: 1.10 $, (Dec 15 2010, 11:26:02) Jan 1 00:00:03 k800 vmlinux: P2001 codec Driver Module - $Revision: 1.18 $, (Dec 15 2010, 11:25:59) Jan 1 00:00:03 k800 vmlinux: P2001 analog scannner Driver Module - $Revision: 1.9 $, (Dec 15 2010, 11:26:07) Jan 1 00:00:03 k800 vmlinux: ISDN hardware layer initialized Jan 1 00:00:03 k800 vmlinux: Elmeg UDP Switch Module - Version 1.0 (Dec 15 2010, 11:26:32) Jan 1 00:00:03 k800 sh[25]: [MSG] starting mpsv6xx Jan 1 00:00:06 k800 mpsv6xx[27]: [WRN] FLASH 2 perhabs no present: /dev/mtd1 open failed with -1 Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] ***** Flash 1 phys. paramter: ***** Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] Base. : 0x02000000 Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] Size : 0x00200000 Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] Segments: 35 Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] ***** Flash 2 phys. paramter: ***** Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] Base. : 0x00000000 Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] Size : 0x00000000 Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] Segments: 0 Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] ***** MPS Flash configuration ***** Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] ### GEB_START_SEGMENT at 0x021F0000 ### Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] ### BUCH_START_SEGMENT at 0x021E0000 ### Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] ### LCR_START_SEGMENT at 0x021E0000 ### Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] ### TEL_BOOK_INTER at 0x02006000 ### Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] ### M_HW_FLASH_KFG_ADR at 0x02008000 ### Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] ### M_HW_BACKUP_KFG_ADR at 0x021D0000 ### Jan 1 00:00:06 k800 mpsv6xx[27]: [MSG] Starting HAL_main! Jan 1 00:00:07 k800 sh[28]: [MSG] configuring system Jan 1 00:00:08 k800 cnfd[29]: [MSG] version 1.4 (Dec 15 2010, 11:29:32) started Jan 1 00:00:09 k800 mpsv6xx[27]: [MSG] init mempool Jan 1 00:00:09 k800 mpsv6xx[27]: [MSG] Setting PORT infos... Jan 1 00:00:09 k800 cnfd[29]: [MSG] writing config files ... Jan 1 00:00:09 k800 cnfd[29]: [MSG] terminating with status=Success Jan 1 00:00:09 k800 init[1]: [MSG] entering runlevel '2' Jan 1 00:00:09 k800 init[1]: [MSG] Sending SIGTERM to runlevel '1' processes Jan 1 00:00:09 k800 init[1]: [MSG] Sending SIGKILL to runlevel '1' processes Jan 1 00:00:09 k800 sh[31]: [MSG] killing wan service Jan 1 00:00:10 k800 sh[35]: [MSG] starting cnfd Jan 1 00:00:11 k800 cnfd[37]: [MSG] version 1.4 (Dec 15 2010, 11:29:32) started Jan 1 00:00:12 k800 sh[38]: [MSG] configuring network devices Jan 1 00:00:14 k800 sh[54]: [MSG] configuring network Jan 1 00:00:16 k800 sh[66]: [MSG] configuring routing table Jan 1 00:00:16 k800 syslogd[24]: [MSG] version 1.4.1 (re)started Jan 1 00:00:17 k800 sh[70]: [MSG] starting dhcpd Jan 1 00:00:17 k800 dhcpd[72]: [MSG] version 0.9.7 (Dec 15 2010, 11:28:51) started Jan 1 00:00:17 k800 sh[73]: [MSG] starting dnsd Jan 1 00:00:19 k800 dnsd[75]: [MSG] version 1.0 (Dec 15 2010, 11:28:56) started Jan 1 00:00:19 k800 sh[76]: [MSG] starting bccd Jan 1 00:00:20 k800 bccd[78]: [MSG] version 1.0 (Dec 15 2010, 11:29:26) started Jan 1 00:00:20 k800 bccd[78]: [MSG] connecting to mps Jan 1 00:00:20 k800 sh[79]: [MSG] starting capid Jan 1 00:00:20 k800 bccd[78]: [MSG] connect with mps Jan 1 00:00:21 k800 sh[82]: [MSG] starting tapid Jan 1 00:00:21 k800 capid[81]: [MSG] ACTIVATE_IND To mps Jan 1 00:00:21 k800 capid[81]: [MSG] M_IT_DAE_ACTIVE_CONF from mps CAUSE = 0. Jan 1 00:00:22 k800 tapid[84]: [MSG] ACTIVATE_IND To mps Jan 1 00:00:22 k800 sh[85]: [MSG] starting statd Jan 1 00:00:22 k800 tapid[84]: [MSG] M_IT_DAE_ACTIVE_CONF from mps. Jan 1 00:00:23 k800 statd[87]: [MSG] version 1.6 (k800, Dec 15 2010, 11:30:26) started Jan 1 00:00:23 k800 statd[87]: [MSG] current provider '---' Jan 1 00:00:23 k800 statd[87]: [MSG] connect from mps client 0x3e7 (1/10) Jan 1 00:00:25 k800 statd[87]: [MSG] SIGHUP received Jan 1 00:00:25 k800 statd[87]: [MSG] current provider '---' Jan 1 00:01:22 k800 dhcpd[72]: [MSG] sending OFFER of 192.168.1.50 Jan 1 00:01:22 k800 dhcpd[72]: [MSG] sending ACK to 192.168.1.50 Jan 1 00:13:51 k800 statd[87]: [MSG] connect from client 192.168.1.50 (2/10) <45>connect from client 192.168.1.50 (1/10)
Firmware:
h t t p://hilfe.telekom.de/dlp/eki/downloads/Eumex%20Serie/Eumex_800/fw_Eumex800_1.21_RC01.exeRun this small programm with wine to extract the firmware file: "fw_Eumex800_1.21_RC01.fwr"
After downloading and extracting the firmware gives me "hexdump -C fw_Eumex800_1.21_RC01.fwr":
00000000 31 31 32 33 34 35 36 37 38 39 02 30 37 02 30 33 |1123456789.07.03| 00000010 02 30 34 02 65 28 08 30 30 30 30 30 30 30 30 0b |.04.e(.00000000.| 00000020 44 65 63 20 31 35 20 32 30 31 30 04 31 2e 32 31 |Dec 15 2010.1.21| 00000030 03 52 43 31 05 6c 75 65 63 6b e5 3d 66 00 02 00 |.RC1.lueck.=f...| 00000040 00 00 00 02 00 00 00 00 00 00 f0 2e 00 00 00 00 |................| 00000050 00 00 38 00 00 00 00 02 02 00 00 80 00 40 00 80 |..8..........@..| 00000060 00 40 91 bd 05 00 03 00 00 00 3c 00 00 00 00 02 |.@........<.....| 00000070 02 00 60 11 1a 00 80 e3 13 00 72 6f 6f 74 3d 2f |..`.......root=/| 00000080 64 65 76 2f 62 6d 74 64 30 20 72 6f 20 43 4f 4e |dev/bmtd0 ro CON| 00000090 53 4f 4c 45 3d 2f 64 65 76 2f 6e 75 6c 6c 00 00 |SOLE=/dev/null..| 000000a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................| * 00000420 ff ff ff ff ff ff ff ff ff ff 2d 72 6f 6d 31 66 |..........-rom1f| 00000430 73 2d 00 1a 40 50 0b d5 d2 d9 72 6f 6d 20 34 64 |s-..@P....rom 4d| 00000440 30 38 39 38 63 65 00 00 00 00 00 00 00 49 00 00 |0898ce.......I..| 00000450 00 20 00 00 00 00 d1 ff ff 97 2e 00 00 00 00 00 |. ..............| 00000460 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 |.............`..| 00000470 00 20 00 00 00 00 d1 d1 ff 80 2e 2e 00 00 00 00 |. ..............| 00000480 00 00 00 00 00 00 00 00 00 00 00 12 d6 49 00 00 |.............I..| 00000490 00 80 00 00 00 00 9d 83 bb 37 62 69 6e 00 00 00 |.........7bin...| --- cut ---
We can see the command "root=/dev/bmtd0 ro CONSOLE=/dev/null" Thats the reason why we did not get anything from the serialport.
binwalk fw_Eumex800_1.21_RC01.fwr shows me:
DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------- 1066 0x42A romfs filesystem, version 1 size: 1720400 bytes, named rom 4d0898ce. 1482 0x5CA BFLT executable version 4, code offset: 0x00000050, data segment starts at: 0x00003E10, bss segment starts at: 0x00005090, bss segment ends at: 0x000053E8, stack size: 7800 bytes, relocation records start at: 0x00005090, number of reolcation records: 304, ram gzip 1546 0x60A gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:51 2010, max compression 13786 0x35DA BFLT executable version 4, code offset: 0x00000050, data segment starts at: 0x0000DFD0, bss segment starts at: 0x000100C0, bss segment ends at: 0x00011A88, stack size: 16000 bytes, relocation records start at: 0x000100C0, number of reolcation records: 1440, ram 85354 0x14D6A BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x00005E90, bss segment starts at: 0x000078F0, bss segment ends at: 0x00007DCC, stack size: 7900 bytes, relocation records start at: 0x000078F0, number of reolcation records: 438, ram gzip 85418 0x14DAA gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:30 2010, max compression 103738 0x1953A BFLT executable version 4, code offset: 0x00000050, data segment starts at: 0x00006340, bss segment starts at: 0x00007960, bss segment ends at: 0x00007D38, stack size: 3900 bytes, relocation records start at: 0x00007960, number of reolcation records: 399, ram gzip 103802 0x1957A gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:20 2010, max compression 121818 0x1DBDA BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x00006650, bss segment starts at: 0x00007EB0, bss segment ends at: 0x0000A468, stack size: 16000 bytes, relocation records start at: 0x00007EB0, number of reolcation records: 431, ram gzip 121882 0x1DC1A gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:26 2010, max compression 140730 0x225BA BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x0000B710, bss segment starts at: 0x0000EEC0, bss segment ends at: 0x0000F668, stack size: 16000 bytes, relocation records start at: 0x0000EEC0, number of reolcation records: 980, ram gzip 140794 0x225FA gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:33 2010, max compression 174218 0x2A88A BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x00007E20, bss segment starts at: 0x00009860, bss segment ends at: 0x0000A238, stack size: 8100 bytes, relocation records start at: 0x00009860, number of reolcation records: 552, ram gzip 174282 0x2A8CA gzip compressed data, from Unix, last modified: Wed Dec 15 11:28:56 2010, max compression 196842 0x300EA BFLT executable version 4, code offset: 0x00000050, data segment starts at: 0x000068A0, bss segment starts at: 0x00008500, bss segment ends at: 0x00008A38, stack size: 16000 bytes, relocation records start at: 0x00008500, number of reolcation records: 509, ram gzip 196906 0x3012A gzip compressed data, from Unix, last modified: Wed Dec 15 11:28:22 2010, max compression 216122 0x34C3A BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x0000BB60, bss segment starts at: 0x0000DC70, bss segment ends at: 0x0000F528, stack size: 12000 bytes, relocation records start at: 0x0000DC70, number of reolcation records: 610, ram gzip 216186 0x34C7A gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:44 2010, max compression 247546 0x3C6FA BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x00006F80, bss segment starts at: 0x00008DE0, bss segment ends at: 0x000091F8, stack size: 16000 bytes, relocation records start at: 0x00008DE0, number of reolcation records: 436, ram gzip 247610 0x3C73A gzip compressed data, from Unix, last modified: Wed Dec 15 11:28:51 2010, max compression 268154 0x4177A BFLT executable version 4, code offset: 0x00000050, data segment starts at: 0x000184A0, bss segment starts at: 0x0001CD50, bss segment ends at: 0x0001DEE8, stack size: 5000 bytes, relocation records start at: 0x0001CD50, number of reolcation records: 1926, ram gzip 268218 0x417BA gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:16 2010, max compression 330490 0x50AFA BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x00009970, bss segment starts at: 0x0000B590, bss segment ends at: 0x0000F5D8, stack size: 8000 bytes, relocation records start at: 0x0000B590, number of reolcation records: 1063, ram gzip 330554 0x50B3A gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:57 2010, max compression 357546 0x574AA BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x0000AEC0, bss segment starts at: 0x0000D080, bss segment ends at: 0x0000D91C, stack size: 7900 bytes, relocation records start at: 0x0000D080, number of reolcation records: 848, ram gzip 357610 0x574EA gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:26 2010, max compression 388410 0x5ED3A BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x00004490, bss segment starts at: 0x00005890, bss segment ends at: 0x00005BC8, stack size: 3900 bytes, relocation records start at: 0x00005890, number of reolcation records: 365, ram gzip 388474 0x5ED7A gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:59 2010, max compression 401994 0x6224A BFLT executable version 4, code offset: 0x00000050, data segment starts at: 0x00005490, bss segment starts at: 0x00006870, bss segment ends at: 0x00006BA8, stack size: 15000 bytes, relocation records start at: 0x00006870, number of reolcation records: 477, ram gzip 402058 0x6228A gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:01 2010, max compression 417914 0x6607A BFLT executable version 4, code offset: 0x00000050, data segment starts at: 0x00003C30, bss segment starts at: 0x00004EC0, bss segment ends at: 0x00005198, stack size: 8000 bytes, relocation records start at: 0x00004EC0, number of reolcation records: 305, ram gzip 417978 0x660BA gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:18 2010, max compression 429722 0x68E9A BFLT executable version 4, code offset: 0x00000050, data segment starts at: 0x00007570, bss segment starts at: 0x00008D40, bss segment ends at: 0x00009558, stack size: 7800 bytes, relocation records start at: 0x00008D40, number of reolcation records: 536, ram gzip 429786 0x68EDA gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:36 2010, max compression 450298 0x6DEFA BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x0000A300, bss segment starts at: 0x0000C0A0, bss segment ends at: 0x0000CC6C, stack size: 7900 bytes, relocation records start at: 0x0000C0A0, number of reolcation records: 702, ram gzip 450362 0x6DF3A gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:03 2010, max compression 479002 0x74F1A BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x0010FBB0, bss segment starts at: 0x00122C40, bss segment ends at: 0x00147468, stack size: 3900 bytes, relocation records start at: 0x00122C40, number of reolcation records: 21461, ram gzip 479066 0x74F5A gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:21 2010, max compression 1070970 0x10577A BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x00002650, bss segment starts at: 0x000037E0, bss segment ends at: 0x00003A78, stack size: 3800 bytes, relocation records start at: 0x000037E0, number of reolcation records: 233, ram gzip 1071034 0x1057BA gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:03 2010, max compression 1079338 0x10782A BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x00009BD0, bss segment starts at: 0x0000BD50, bss segment ends at: 0x0000C750, stack size: 8000 bytes, relocation records start at: 0x0000BD50, number of reolcation records: 721, ram 1130730 0x1140EA BFLT executable version 4, code offset: 0x00000044, data segment starts at: 0x00014160, bss segment starts at: 0x00017EE0, bss segment ends at: 0x0001AA7C, stack size: 16000 bytes, relocation records start at: 0x00017EE0, number of reolcation records: 1701, ram 1220087 0x129DF7 LZMA compressed data, properties: 0x80, dictionary size: 1048576 bytes, uncompressed size: 18874368 bytes 1239834 0x12EB1A ELF 32-bit LSB relocatable, ARM, version 1 1252058 0x131ADA ELF 32-bit LSB relocatable, ARM, version 1 1258282 0x13332A ELF 32-bit LSB relocatable, ARM, version 1 1265706 0x13502A ELF 32-bit LSB relocatable, ARM, version 1 1269754 0x135FFA ELF 32-bit LSB relocatable, ARM, version 1 1275658 0x13770A ELF 32-bit LSB relocatable, ARM, version 1 1279114 0x13848A ELF 32-bit LSB relocatable, ARM, version 1 1287346 0x13A4B2 LZMA compressed data, properties: 0xB8, dictionary size: 301989888 bytes, uncompressed size: 1006633216 bytes 1292074 0x13B72A ELF 32-bit LSB relocatable, ARM, version 1 1300242 0x13D712 LZMA compressed data, properties: 0x80, dictionary size: 301989888 bytes, uncompressed size: 754974976 bytes 1304490 0x13E7AA gzip compressed data, was "linux.bin", from Unix, last modified: Wed Dec 15 11:23:45 2010 1701480 0x19F668 LZMA compressed data, properties: 0xD2, dictionary size: 1845493760 bytes, uncompressed size: 16777216 bytes 1703648 0x19FEE0 LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131081 bytes 1703666 0x19FEF2 LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 21 bytes 1703756 0x19FF4C LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131074 bytes 1703774 0x19FF5E LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 23 bytes 1703864 0x19FFB8 LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131074 bytes 1703882 0x19FFCA LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 25 bytes 1703972 0x1A0024 LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131075 bytes 1703990 0x1A0036 LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 27 bytes 1704080 0x1A0090 LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131074 bytes 1704098 0x1A00A2 LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 29 bytes
Mount the romfs with the follow commands:
sudo losetup -o 1066 /dev/loop0 fw_Eumex800_1.21_RC01.fwr sudo mount -t romfs /dev/loop0 fs.src/
tree fs.src/ shows me:
fs.src/ ├── bin │ ├── bccd │ ├── busybox │ ├── capid │ ├── cat -> busybox │ ├── chmod -> busybox │ ├── cnfd │ ├── cp -> busybox │ ├── daemon │ ├── ddu │ ├── dhcpd │ ├── dnsd │ ├── echo -> busybox │ ├── gunzip -> busybox │ ├── init │ ├── ipfwadm │ ├── ipportfw │ ├── ipppd │ ├── ipppd_dialin -> ipppd │ ├── ipupdown │ ├── kill -> busybox │ ├── ln -> busybox │ ├── ls -> busybox │ ├── mkdir -> busybox │ ├── mpsv6xx │ ├── ping -> busybox │ ├── ps -> busybox │ ├── rc │ ├── rm -> busybox │ ├── rmdir -> busybox │ ├── sh │ ├── sswctl │ ├── statd │ ├── syslogd │ ├── tapid │ ├── telnetd │ ├── top -> busybox │ ├── wan │ └── zcat -> busybox ├── bootstage2 ├── dev │ ├── ab_scan │ ├── bhdlc0 │ ├── bhdlc1 │ ├── bhdlc2 │ ├── bhdlc3 │ ├── bhdlc4 │ ├── bhdlc5 │ ├── bhdlc6 │ ├── bhdlc7 │ ├── bhdlcmon │ ├── bmtd0 │ ├── bmtd1 │ ├── clip │ ├── codec │ ├── console │ ├── cua0 │ ├── cui0 │ ├── cui1 │ ├── cui2 │ ├── cui3 │ ├── cui4 │ ├── cui5 │ ├── cui6 │ ├── cui7 │ ├── display │ ├── hdlc1 │ ├── hdlc2 │ ├── hdlc3 │ ├── hdlc4 │ ├── hdlc5 │ ├── hdlc6 │ ├── hdlc7 │ ├── hdlc8 │ ├── ippp0 │ ├── ippp1 │ ├── ippp10 │ ├── ippp11 │ ├── ippp12 │ ├── ippp2 │ ├── ippp3 │ ├── ippp4 │ ├── ippp5 │ ├── ippp6 │ ├── ippp7 │ ├── ippp8 │ ├── ippp9 │ ├── isdn0 │ ├── isdn1 │ ├── isdn2 │ ├── isdn3 │ ├── isdn4 │ ├── isdn5 │ ├── isdn6 │ ├── isdn7 │ ├── isdnctrl │ ├── isdnctrl0 │ ├── isdnctrl1 │ ├── isdnctrl2 │ ├── isdnctrl3 │ ├── isdnctrl4 │ ├── isdnctrl5 │ ├── isdnctrl6 │ ├── isdnctrl7 │ ├── isdninfo │ ├── kf │ ├── kmem │ ├── mem │ ├── mfv │ ├── mps │ ├── mpssio │ ├── mtd0 │ ├── mtd1 │ ├── null │ ├── ptyp0 │ ├── ptyp1 │ ├── ptyp2 │ ├── ptyp3 │ ├── ptyp4 │ ├── ptyp5 │ ├── ptyp6 │ ├── ptyp7 │ ├── ptyp8 │ ├── ptyp9 │ ├── ptypa │ ├── ptypb │ ├── ptypc │ ├── ptypd │ ├── ptype │ ├── ptypf │ ├── ram0 │ ├── s0a │ ├── s0b │ ├── s0mon │ ├── tty │ ├── tty0 │ ├── ttyI0 │ ├── ttyI1 │ ├── ttyI2 │ ├── ttyI3 │ ├── ttyI4 │ ├── ttyI5 │ ├── ttyI6 │ ├── ttyI7 │ ├── ttyp0 │ ├── ttyp1 │ ├── ttyp2 │ ├── ttyp3 │ ├── ttyp4 │ ├── ttyp5 │ ├── ttyp6 │ ├── ttyp7 │ ├── ttyp8 │ ├── ttyp9 │ ├── ttypa │ ├── ttypb │ ├── ttypc │ ├── ttypd │ ├── ttype │ ├── ttypf │ ├── ttyS0 │ ├── usbnet0 │ └── zero ├── etc -> /var/etc ├── etc_ro │ ├── dhcpd.conf │ ├── firewall.lan │ ├── firewall.reset │ ├── group │ ├── hosts │ ├── inittab │ ├── issue │ ├── motd │ ├── passwd │ ├── rc.config │ ├── resolv.conf │ ├── route.conf │ ├── services │ ├── syslog.conf │ └── wantab ├── lib │ └── modules │ ├── ab_scan │ ├── clip │ ├── codec │ ├── ihl │ ├── led_compactdsl │ ├── mfv │ ├── sswmux │ └── usw ├── linux.bin.gz ├── proc ├── ramfs.img ├── sbin │ ├── ifconfig -> ../bin/busybox │ ├── init.d │ │ ├── rc0.d │ │ │ └── 00syslog -> ../rc.syslog │ │ ├── rc1.d │ │ │ ├── 00syslog -> ../rc.syslog │ │ │ ├── 10mps -> ../rc.mps │ │ │ └── 11fcnf -> ../rc.1stcnf │ │ ├── rc.1stcnf │ │ ├── rc2.d │ │ │ ├── 00syslog -> ../rc.syslog │ │ │ ├── 10mps -> ../rc.mps │ │ │ ├── 12cnfd -> ../rc.cnfd │ │ │ ├── 20netdev -> ../rc.netdev │ │ │ ├── 21network -> ../rc.network │ │ │ ├── 22route -> ../rc.route │ │ │ ├── 30dhcpd -> ../rc.dhcpd │ │ │ ├── 30dnsd -> ../rc.dnsd │ │ │ ├── 31bccd -> ../rc.bccd │ │ │ ├── 31capid -> ../rc.capid │ │ │ ├── 31tapid -> ../rc.tapid │ │ │ └── 33statd -> ../rc.statd │ │ ├── rc3.d │ │ │ ├── 00syslog -> ../rc.syslog │ │ │ ├── 10mps -> ../rc.mps │ │ │ ├── 12cnfd -> ../rc.cnfd │ │ │ ├── 20netdev -> ../rc.netdev │ │ │ ├── 21network -> ../rc.network │ │ │ ├── 22route -> ../rc.route │ │ │ ├── 30dhcpd -> ../rc.dhcpd │ │ │ ├── 30dnsd -> ../rc.dnsd │ │ │ ├── 31bccd -> ../rc.bccd │ │ │ ├── 31capid -> ../rc.capid │ │ │ ├── 31tapid -> ../rc.tapid │ │ │ ├── 33statd -> ../rc.statd │ │ │ └── 40ras -> ../rc.ras │ │ ├── rc4.d │ │ │ ├── 00syslog -> ../rc.syslog │ │ │ ├── 10mps -> ../rc.mps │ │ │ ├── 12cnfd -> ../rc.cnfd │ │ │ ├── 20netdev -> ../rc.netdev │ │ │ ├── 21network -> ../rc.network │ │ │ ├── 22route -> ../rc.route │ │ │ ├── 30dhcpd -> ../rc.dhcpd │ │ │ ├── 30dnsd -> ../rc.dnsd │ │ │ ├── 31bccd -> ../rc.bccd │ │ │ ├── 31capid -> ../rc.capid │ │ │ ├── 31tapid -> ../rc.tapid │ │ │ ├── 33statd -> ../rc.statd │ │ │ ├── 40ras -> ../rc.ras │ │ │ └── 40wandemand -> ../rc.wandemand │ │ ├── rc5.d │ │ │ ├── 10mps -> ../rc.mps │ │ │ ├── 20netdev -> ../rc.netdev │ │ │ ├── 21network -> ../rc.network │ │ │ ├── 22route -> ../rc.route │ │ │ └── 31bccd -> ../rc.bccd │ │ ├── rc6.d │ │ │ └── 00syslog -> ../rc.syslog │ │ ├── rc.bccd │ │ ├── rc.boot │ │ ├── rc.capid │ │ ├── rc.cnfd │ │ ├── rc.dhcpd │ │ ├── rc.dnsd │ │ ├── rc.e820test │ │ ├── rc.httpd │ │ ├── rc.mps │ │ ├── rc.netdev │ │ ├── rc.network │ │ ├── rc.ras │ │ ├── rc.rasv2 │ │ ├── rc.route │ │ ├── rcS.d │ │ │ └── 00syslog -> ../rc.syslog │ │ ├── rc.statd │ │ ├── rc.sysinit │ │ ├── rc.syslog │ │ ├── rc.tapid │ │ ├── rc.wan │ │ └── rc.wandemand │ ├── insmod -> ../bin/busybox │ └── route -> ../bin/busybox ├── usr │ └── local └── var 19 directories, 261 filesystem
We can see that in the /bin Folder is a telnetd server. But there is no rc.telnetd script for starting up the telnetd server.
cat fs.src/etc_ro/inittab gives me:
# runlevel to enter id:1:initdefault: # system initialization (done before anything else) si:I:sysinit:/sbin/init.d/rc.sysinit # bootup handling bw::bootwait:/sbin/init.d/rc.boot # runlevel handling k0:01256:wait:/sbin/init.d/rc.wan stop l0:0:wait:/bin/rc 0 l1:1:wait:/bin/rc 1 l2:2:wait:/bin/rc 2 l3:3:wait:/bin/rc 3 l4:4:wait:/bin/rc 4 l5:5:wait:/bin/rc 5 l6:6:wait:/bin/rc 6 # ondemand actions o1:A:ondemand:/sbin/init.d/rc.wan start o2:B:ondemand:/sbin/init.d/rc.wan stop # respawn actions # r2:2345:respawn:/bin/telnetd -l /bin/sh r4:34:respawn:/bin/ipppd_dialin -bufs 14 file /etc/ppp/ioptions.dialin r5:4:respawn:/bin/wan -f /etc/wantab # what to do in single-user mode #ls:S:wait:/bin/rc S # end of inittab
cat fs.src/etc_ro/services gives me:
# # Network services, Internet style # domain 53/udp syslog 514/udp el_config 5000/tcp el_discover 5000/udp el_capi 5001/tcp el_tapi 5002/tcp el_stat 5003/tcp el_syslog 5004/tcp
nmap gives me:
nmap 192.168.1.250 Starting Nmap 5.21 ( http://nmap.org ) at 0000-00-00 00:00 CEST Nmap scan report for k800.home.local (192.168.1.250) Host is up (0.019s latency). Not shown: 995 closed ports PORT STATE SERVICE 5000/tcp open upnp 5001/tcp open commplex-link 5002/tcp open rfe 5003/tcp open filemaker 5004/tcp open unknown