T-Home Eumex 800

Hardware Highlights

CPU:              Kolibri P_2001
Ram:              ? MiB
Flash:            ? MiB
Network:          4 x 1
USB:              1 x USB Type B
a/b line (POTS):  8x analog Phone
ISDN:             1x internal, 1x external
Serial:           Yes (but disabled)
JTAG:             Yes (but not tested)

Serial

Serial console is V24. Default settings are: 57100, 8, n, 1

pin signal
- 3V3
- TX
- RX
- GND

JTAG

- -
- -

Deviceinfo

Linux Kernel 2.0.38.0
Vendor: Funkwerk

Syslogd Messages:

Jan  1 00:00:02 k800 syslogd[24]: [MSG] version 1.4.1 (re)started
Jan  1 00:00:02 k800 vmlinux: memory available is 15449KB
Jan  1 00:00:02 k800 vmlinux: start_mem is 0x400e1938
Jan  1 00:00:02 k800 vmlinux: virtual_end is 0x40ff8000
Jan  1 00:00:02 k800 vmlinux: before free_area_init
Jan  1 00:00:02 k800 vmlinux: free_area_init -> start_mem is 0x400e3938
Jan  1 00:00:02 k800 vmlinux: virtual_end is 0x40ff8000
Jan  1 00:00:02 k800 vmlinux: Calibrating delay loop.. ok - 56.72 BogoMIPS
Jan  1 00:00:02 k800 vmlinux: Memory: 13888k/15M available (712k kernel code, 32k reserved, 1720k data)
Jan  1 00:00:02 k800 vmlinux: Swansea University Computer Society NET3.035 for Linux 2.0
Jan  1 00:00:02 k800 vmlinux: NET3: Unix domain sockets 0.13 for Linux NET3.035.
Jan  1 00:00:02 k800 vmlinux: Swansea University Computer Society TCP/IP for NET3.034
Jan  1 00:00:02 k800 vmlinux: IP Protocols: ICMP, UDP, TCP
Jan  1 00:00:02 k800 vmlinux: Linux version 2.0.38.0 (lueck@TE3lnx-1) (gcc version 2.95.4 20010319 (prerelease)) #1 Mi Dez 15 11:22:14 CET 2010
Jan  1 00:00:02 k800 vmlinux: am29: [INF] flashmem_init (simulation=off)
Jan  1 00:00:02 k800 vmlinux: am29: [INF] flashid: 0x7f, 0x49
Jan  1 00:00:02 k800 vmlinux: am29: [INF] toggling_bits=0x44
Jan  1 00:00:02 k800 vmlinux: am29: [INF] special_base=0x2000000 special_base2=0x2000000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] special sectors map:
Jan  1 00:00:02 k800 vmlinux: am29: [INF] start=0x0 size=0x4000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] start=0x4000 size=0x2000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] start=0x6000 size=0x2000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] start=0x8000 size=0x8000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] total=4 sectors in 1 region(s)
Jan  1 00:00:02 k800 vmlinux: am29: [INF] org='BOTTOM' start_index=3 step=-1
Jan  1 00:00:02 k800 vmlinux: mtd: Giving out device 0 to EN29LV160Bottom
Jan  1 00:00:02 k800 vmlinux: am29: [INF] flashmem_init (simulation=off)
Jan  1 00:00:02 k800 vmlinux: am29: [INF] flashid: 0x3073, 0xfb
Jan  1 00:00:02 k800 vmlinux: am29: [INF] toggling_bits=0x44
Jan  1 00:00:02 k800 vmlinux: am29: [ERR] unknown flash
Jan  1 00:00:02 k800 vmlinux: am29: [ERR] unable to get flash info
Jan  1 00:00:02 k800 vmlinux: Ramdisk driver initialized : 4 ramdisks of 1024K size
Jan  1 00:00:02 k800 vmlinux: bmtd: [INF] registered device at major 42
Jan  1 00:00:02 k800 vmlinux: PPP: version 2.3.11 (demand dialling)
Jan  1 00:00:02 k800 vmlinux: TCP compression code copyright 1989 Regents of the University of California
Jan  1 00:00:02 k800 vmlinux: PPP line discipline registered.
Jan  1 00:00:02 k800 vmlinux: ISDN subsystem Rev: 1.5/none/1.19/1.24/none
Jan  1 00:00:02 k800 vmlinux: P2001 FIQ & Timer1 Handler Module - $Revision: 1.19 $, (Dec 15 2010, 11:23:24)
Jan  1 00:00:02 k800 vmlinux: P2001 USB Remote NDIS Driver Module - $Revision: 1.33 $, (Dec 15 2010, 11:23:29)
Jan  1 00:00:02 k800 vmlinux: P2001 HDLC Driver Module ( $Id: lh_hdlc_p2001.c,v 1.5 2002-04-18 12:26:36 haack Exp $, $Name:  $ ) 
Jan  1 00:00:02 k800 vmlinux: P2001 L1 driver module 
Jan  1 00:00:02 k800 vmlinux: BHDLC driver module installed 
Jan  1 00:00:02 k800 vmlinux: VFS: Mounted root (romfs filesystem) readonly.
Jan  1 00:00:02 k800 vmlinux: Elmeg LED Driver Module - Version 1.3 (Dec 15 2010, 11:26:15)
Jan  1 00:00:02 k800 vmlinux: Elmeg 802.1D Ethernet SoftSwitch Module - Version 1.0 (Dec 15 2010, 11:26:21)
Jan  1 00:00:03 k800 vmlinux: P2001 MFV Driver Module - $Revision: 1.21 $, (Dec 15 2010, 11:26:04)
Jan  1 00:00:03 k800 vmlinux: P2001 CLIP Driver Module - $Revision: 1.10 $, (Dec 15 2010, 11:26:02)
Jan  1 00:00:03 k800 vmlinux: P2001 codec Driver Module - $Revision: 1.18 $, (Dec 15 2010, 11:25:59)
Jan  1 00:00:03 k800 vmlinux: P2001 analog scannner Driver Module - $Revision: 1.9 $, (Dec 15 2010, 11:26:07)
Jan  1 00:00:03 k800 vmlinux: ISDN hardware layer initialized
Jan  1 00:00:03 k800 vmlinux: Elmeg UDP Switch Module - Version 1.0 (Dec 15 2010, 11:26:32)
Jan  1 00:00:03 k800 sh[25]: [MSG] starting mpsv6xx
Jan  1 00:00:06 k800 mpsv6xx[27]: [WRN] FLASH 2 perhabs no present: /dev/mtd1 open failed with -1 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ***** Flash 1 phys. paramter: ***** 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Base.   : 0x02000000 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Size    : 0x00200000 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Segments:         35  
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ***** Flash 2 phys. paramter: ***** 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Base.   : 0x00000000 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Size    : 0x00000000 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Segments:         0  
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ***** MPS Flash configuration ***** 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### GEB_START_SEGMENT   at 0x021F0000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### BUCH_START_SEGMENT  at 0x021E0000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### LCR_START_SEGMENT   at 0x021E0000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### TEL_BOOK_INTER      at 0x02006000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### M_HW_FLASH_KFG_ADR  at 0x02008000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### M_HW_BACKUP_KFG_ADR at 0x021D0000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Starting HAL_main! 
Jan  1 00:00:07 k800 sh[28]: [MSG] configuring system
Jan  1 00:00:08 k800 cnfd[29]: [MSG] version 1.4 (Dec 15 2010, 11:29:32) started 
Jan  1 00:00:09 k800 mpsv6xx[27]: [MSG] init mempool 
Jan  1 00:00:09 k800 mpsv6xx[27]: [MSG] Setting PORT infos... 
Jan  1 00:00:09 k800 cnfd[29]: [MSG] writing config files ... 
Jan  1 00:00:09 k800 cnfd[29]: [MSG] terminating with status=Success 
Jan  1 00:00:09 k800 init[1]: [MSG] entering runlevel '2' 
Jan  1 00:00:09 k800 init[1]: [MSG] Sending SIGTERM to runlevel '1' processes 
Jan  1 00:00:09 k800 init[1]: [MSG] Sending SIGKILL to runlevel '1' processes 
Jan  1 00:00:09 k800 sh[31]: [MSG] killing wan service
Jan  1 00:00:10 k800 sh[35]: [MSG] starting cnfd
Jan  1 00:00:11 k800 cnfd[37]: [MSG] version 1.4 (Dec 15 2010, 11:29:32) started 
Jan  1 00:00:12 k800 sh[38]: [MSG] configuring network devices
Jan  1 00:00:14 k800 sh[54]: [MSG] configuring network
Jan  1 00:00:16 k800 sh[66]: [MSG] configuring routing table
Jan  1 00:00:16 k800 syslogd[24]: [MSG] version 1.4.1 (re)started
Jan  1 00:00:17 k800 sh[70]: [MSG] starting dhcpd
Jan  1 00:00:17 k800 dhcpd[72]: [MSG] version 0.9.7 (Dec 15 2010, 11:28:51) started 
Jan  1 00:00:17 k800 sh[73]: [MSG] starting dnsd
Jan  1 00:00:19 k800 dnsd[75]: [MSG] version 1.0 (Dec 15 2010, 11:28:56) started 
Jan  1 00:00:19 k800 sh[76]: [MSG] starting bccd
Jan  1 00:00:20 k800 bccd[78]: [MSG] version 1.0 (Dec 15 2010, 11:29:26) started 
Jan  1 00:00:20 k800 bccd[78]: [MSG] connecting to mps 
Jan  1 00:00:20 k800 sh[79]: [MSG] starting capid
Jan  1 00:00:20 k800 bccd[78]: [MSG] connect with mps 
Jan  1 00:00:21 k800 sh[82]: [MSG] starting tapid
Jan  1 00:00:21 k800 capid[81]: [MSG] ACTIVATE_IND To mps  
Jan  1 00:00:21 k800 capid[81]: [MSG] M_IT_DAE_ACTIVE_CONF from mps CAUSE = 0.  
Jan  1 00:00:22 k800 tapid[84]: [MSG] ACTIVATE_IND To mps  
Jan  1 00:00:22 k800 sh[85]: [MSG] starting statd
Jan  1 00:00:22 k800 tapid[84]: [MSG] M_IT_DAE_ACTIVE_CONF from mps.  
Jan  1 00:00:23 k800 statd[87]: [MSG] version 1.6 (k800, Dec 15 2010, 11:30:26) started 
Jan  1 00:00:23 k800 statd[87]: [MSG] current provider '---' 
Jan  1 00:00:23 k800 statd[87]: [MSG] connect from mps client 0x3e7 (1/10) 
Jan  1 00:00:25 k800 statd[87]: [MSG] SIGHUP received 
Jan  1 00:00:25 k800 statd[87]: [MSG] current provider '---' 
Jan  1 00:01:22 k800 dhcpd[72]: [MSG] sending OFFER of 192.168.1.50 
Jan  1 00:01:22 k800 dhcpd[72]: [MSG] sending ACK to 192.168.1.50 
Jan  1 00:13:51 k800 statd[87]: [MSG] connect from client 192.168.1.50 (2/10) 
<45>connect from client 192.168.1.50 (1/10)

Firmware Analyses

Firmware:

http://hilfe.telekom.de/dlp/eki/downloads/Eumex%20Serie/Eumex_800/fw_Eumex800_1.21_RC01.exe
Run this small program with wine to extract the firmware file: "fw_Eumex800_1.21_RC01.fwr"

After downloading and extracting the firmware, "hexdump -C fw_Eumex800_1.21_RC01.fwr" gives me:

00000000  31 31 32 33 34 35 36 37  38 39 02 30 37 02 30 33  |1123456789.07.03|
00000010  02 30 34 02 65 28 08 30  30 30 30 30 30 30 30 0b  |.04.e(.00000000.|
00000020  44 65 63 20 31 35 20 32  30 31 30 04 31 2e 32 31  |Dec 15 2010.1.21|
00000030  03 52 43 31 05 6c 75 65  63 6b e5 3d 66 00 02 00  |.RC1.lueck.=f...|
00000040  00 00 00 02 00 00 00 00  00 00 f0 2e 00 00 00 00  |................|
00000050  00 00 38 00 00 00 00 02  02 00 00 80 00 40 00 80  |..8..........@..|
00000060  00 40 91 bd 05 00 03 00  00 00 3c 00 00 00 00 02  |.@........<.....|
00000070  02 00 60 11 1a 00 80 e3  13 00 72 6f 6f 74 3d 2f  |..`.......root=/|
00000080  64 65 76 2f 62 6d 74 64  30 20 72 6f 20 43 4f 4e  |dev/bmtd0 ro CON|
00000090  53 4f 4c 45 3d 2f 64 65  76 2f 6e 75 6c 6c 00 00  |SOLE=/dev/null..|
000000a0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000420  ff ff ff ff ff ff ff ff  ff ff 2d 72 6f 6d 31 66  |..........-rom1f|
00000430  73 2d 00 1a 40 50 0b d5  d2 d9 72 6f 6d 20 34 64  |s-..@P....rom 4d|
00000440  30 38 39 38 63 65 00 00  00 00 00 00 00 49 00 00  |0898ce.......I..|
00000450  00 20 00 00 00 00 d1 ff  ff 97 2e 00 00 00 00 00  |. ..............|
00000460  00 00 00 00 00 00 00 00  00 00 00 00 00 60 00 00  |.............`..|
00000470  00 20 00 00 00 00 d1 d1  ff 80 2e 2e 00 00 00 00  |. ..............|
00000480  00 00 00 00 00 00 00 00  00 00 00 12 d6 49 00 00  |.............I..|
00000490  00 80 00 00 00 00 9d 83  bb 37 62 69 6e 00 00 00  |.........7bin...|
--- cut ---

We can see the command line "root=/dev/bmtd0 ro CONSOLE=/dev/null". That is the reason why we did not get anything from the serial port.

binwalk fw_Eumex800_1.21_RC01.fwr shows me:

DECIMAL         HEX             DESCRIPTION
-------------------------------------------------------------------------------------------------------
1066            0x42A           romfs filesystem, version 1 size: 1720400 bytes, named rom 4d0898ce.
1482            0x5CA           BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00003E10,  bss segment starts at: 0x00005090,  bss segment ends at: 0x000053E8,  stack size: 7800 bytes,  relocation records start at: 0x00005090,  number of reolcation records: 304,  ram gzip
1546            0x60A           gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:51 2010, max compression
13786           0x35DA          BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x0000DFD0,  bss segment starts at: 0x000100C0,  bss segment ends at: 0x00011A88,  stack size: 16000 bytes,  relocation records start at: 0x000100C0,  number of reolcation records: 1440,  ram
85354           0x14D6A         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00005E90,  bss segment starts at: 0x000078F0,  bss segment ends at: 0x00007DCC,  stack size: 7900 bytes,  relocation records start at: 0x000078F0,  number of reolcation records: 438,  ram gzip
85418           0x14DAA         gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:30 2010, max compression
103738          0x1953A         BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00006340,  bss segment starts at: 0x00007960,  bss segment ends at: 0x00007D38,  stack size: 3900 bytes,  relocation records start at: 0x00007960,  number of reolcation records: 399,  ram gzip
103802          0x1957A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:20 2010, max compression
121818          0x1DBDA         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00006650,  bss segment starts at: 0x00007EB0,  bss segment ends at: 0x0000A468,  stack size: 16000 bytes,  relocation records start at: 0x00007EB0,  number of reolcation records: 431,  ram gzip
121882          0x1DC1A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:26 2010, max compression
140730          0x225BA         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0000B710,  bss segment starts at: 0x0000EEC0,  bss segment ends at: 0x0000F668,  stack size: 16000 bytes,  relocation records start at: 0x0000EEC0,  number of reolcation records: 980,  ram gzip
140794          0x225FA         gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:33 2010, max compression
174218          0x2A88A         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00007E20,  bss segment starts at: 0x00009860,  bss segment ends at: 0x0000A238,  stack size: 8100 bytes,  relocation records start at: 0x00009860,  number of reolcation records: 552,  ram gzip
174282          0x2A8CA         gzip compressed data, from Unix, last modified: Wed Dec 15 11:28:56 2010, max compression
196842          0x300EA         BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x000068A0,  bss segment starts at: 0x00008500,  bss segment ends at: 0x00008A38,  stack size: 16000 bytes,  relocation records start at: 0x00008500,  number of reolcation records: 509,  ram gzip
196906          0x3012A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:28:22 2010, max compression
216122          0x34C3A         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0000BB60,  bss segment starts at: 0x0000DC70,  bss segment ends at: 0x0000F528,  stack size: 12000 bytes,  relocation records start at: 0x0000DC70,  number of reolcation records: 610,  ram gzip
216186          0x34C7A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:44 2010, max compression
247546          0x3C6FA         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00006F80,  bss segment starts at: 0x00008DE0,  bss segment ends at: 0x000091F8,  stack size: 16000 bytes,  relocation records start at: 0x00008DE0,  number of reolcation records: 436,  ram gzip
247610          0x3C73A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:28:51 2010, max compression
268154          0x4177A         BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x000184A0,  bss segment starts at: 0x0001CD50,  bss segment ends at: 0x0001DEE8,  stack size: 5000 bytes,  relocation records start at: 0x0001CD50,  number of reolcation records: 1926,  ram gzip
268218          0x417BA         gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:16 2010, max compression
330490          0x50AFA         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00009970,  bss segment starts at: 0x0000B590,  bss segment ends at: 0x0000F5D8,  stack size: 8000 bytes,  relocation records start at: 0x0000B590,  number of reolcation records: 1063,  ram gzip
330554          0x50B3A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:57 2010, max compression
357546          0x574AA         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0000AEC0,  bss segment starts at: 0x0000D080,  bss segment ends at: 0x0000D91C,  stack size: 7900 bytes,  relocation records start at: 0x0000D080,  number of reolcation records: 848,  ram gzip
357610          0x574EA         gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:26 2010, max compression
388410          0x5ED3A         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00004490,  bss segment starts at: 0x00005890,  bss segment ends at: 0x00005BC8,  stack size: 3900 bytes,  relocation records start at: 0x00005890,  number of reolcation records: 365,  ram gzip
388474          0x5ED7A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:59 2010, max compression
401994          0x6224A         BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00005490,  bss segment starts at: 0x00006870,  bss segment ends at: 0x00006BA8,  stack size: 15000 bytes,  relocation records start at: 0x00006870,  number of reolcation records: 477,  ram gzip
402058          0x6228A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:01 2010, max compression
417914          0x6607A         BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00003C30,  bss segment starts at: 0x00004EC0,  bss segment ends at: 0x00005198,  stack size: 8000 bytes,  relocation records start at: 0x00004EC0,  number of reolcation records: 305,  ram gzip
417978          0x660BA         gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:18 2010, max compression
429722          0x68E9A         BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00007570,  bss segment starts at: 0x00008D40,  bss segment ends at: 0x00009558,  stack size: 7800 bytes,  relocation records start at: 0x00008D40,  number of reolcation records: 536,  ram gzip
429786          0x68EDA         gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:36 2010, max compression
450298          0x6DEFA         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0000A300,  bss segment starts at: 0x0000C0A0,  bss segment ends at: 0x0000CC6C,  stack size: 7900 bytes,  relocation records start at: 0x0000C0A0,  number of reolcation records: 702,  ram gzip
450362          0x6DF3A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:03 2010, max compression
479002          0x74F1A         BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0010FBB0,  bss segment starts at: 0x00122C40,  bss segment ends at: 0x00147468,  stack size: 3900 bytes,  relocation records start at: 0x00122C40,  number of reolcation records: 21461,  ram gzip
479066          0x74F5A         gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:21 2010, max compression
1070970         0x10577A        BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00002650,  bss segment starts at: 0x000037E0,  bss segment ends at: 0x00003A78,  stack size: 3800 bytes,  relocation records start at: 0x000037E0,  number of reolcation records: 233,  ram gzip
1071034         0x1057BA        gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:03 2010, max compression
1079338         0x10782A        BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00009BD0,  bss segment starts at: 0x0000BD50,  bss segment ends at: 0x0000C750,  stack size: 8000 bytes,  relocation records start at: 0x0000BD50,  number of reolcation records: 721,  ram
1130730         0x1140EA        BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00014160,  bss segment starts at: 0x00017EE0,  bss segment ends at: 0x0001AA7C,  stack size: 16000 bytes,  relocation records start at: 0x00017EE0,  number of reolcation records: 1701,  ram
1220087         0x129DF7        LZMA compressed data, properties: 0x80, dictionary size: 1048576 bytes, uncompressed size: 18874368 bytes
1239834         0x12EB1A        ELF 32-bit LSB relocatable, ARM, version 1
1252058         0x131ADA        ELF 32-bit LSB relocatable, ARM, version 1
1258282         0x13332A        ELF 32-bit LSB relocatable, ARM, version 1
1265706         0x13502A        ELF 32-bit LSB relocatable, ARM, version 1
1269754         0x135FFA        ELF 32-bit LSB relocatable, ARM, version 1
1275658         0x13770A        ELF 32-bit LSB relocatable, ARM, version 1
1279114         0x13848A        ELF 32-bit LSB relocatable, ARM, version 1
1287346         0x13A4B2        LZMA compressed data, properties: 0xB8, dictionary size: 301989888 bytes, uncompressed size: 1006633216 bytes
1292074         0x13B72A        ELF 32-bit LSB relocatable, ARM, version 1
1300242         0x13D712        LZMA compressed data, properties: 0x80, dictionary size: 301989888 bytes, uncompressed size: 754974976 bytes
1304490         0x13E7AA        gzip compressed data, was "linux.bin", from Unix, last modified: Wed Dec 15 11:23:45 2010
1701480         0x19F668        LZMA compressed data, properties: 0xD2, dictionary size: 1845493760 bytes, uncompressed size: 16777216 bytes
1703648         0x19FEE0        LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131081 bytes
1703666         0x19FEF2        LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 21 bytes
1703756         0x19FF4C        LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131074 bytes
1703774         0x19FF5E        LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 23 bytes
1703864         0x19FFB8        LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131074 bytes
1703882         0x19FFCA        LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 25 bytes
1703972         0x1A0024        LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131075 bytes
1703990         0x1A0036        LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 27 bytes
1704080         0x1A0090        LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131074 bytes
1704098         0x1A00A2        LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 29 bytes

Mount the romfs with the following commands:

sudo losetup -o 1066 /dev/loop0 fw_Eumex800_1.21_RC01.fwr 
sudo mount -t romfs /dev/loop0 fs.src/
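
The offset handed to losetup can be cross-checked without root by parsing the romfs superblock directly. This is an added example, not part of the original page: it runs on the bytes shown in the hexdump above, placed behind constructed 0xff filler, and all function names are illustrative.

```python
import struct

ROMFS_MAGIC = b"-rom1fs-"
# The low 3 bits of a file header's "next" word hold the type; bit 3 marks executables.
TYPES = ("hardlink", "dir", "file", "symlink", "blockdev", "chardev", "socket", "fifo")

# Bytes 0x42a-0x49f of fw_Eumex800_1.21_RC01.fwr, copied from the hexdump on this page.
ROMFS_HEAD = bytes.fromhex("""
    2d 72 6f 6d 31 66
    73 2d 00 1a 40 50 0b d5  d2 d9 72 6f 6d 20 34 64
    30 38 39 38 63 65 00 00  00 00 00 00 00 49 00 00
    00 20 00 00 00 00 d1 ff  ff 97 2e 00 00 00 00 00
    00 00 00 00 00 00 00 00  00 00 00 00 00 60 00 00
    00 20 00 00 00 00 d1 d1  ff 80 2e 2e 00 00 00 00
    00 00 00 00 00 00 00 00  00 00 00 12 d6 49 00 00
    00 80 00 00 00 00 9d 83  bb 37 62 69 6e 00 00 00
""")
# Constructed stand-in for the real file: 0xff filler replaces the 1066-byte vendor header.
SAMPLE_IMAGE = b"\xff" * 0x42A + ROMFS_HEAD


def padded_name(buf, off):
    """Read a NUL-terminated name; romfs pads it to a 16-byte boundary."""
    end = buf.find(b"\0", off)
    if end < 0:
        raise ValueError("unterminated name at 0x%x" % off)
    return buf[off:end].decode("ascii", "replace"), off + ((end - off + 16) & ~15)


def parse_superblock(image, base):
    """Decode the 16-byte superblock plus volume name found at `base`."""
    if image[base:base + 8] != ROMFS_MAGIC:
        raise ValueError("no romfs magic at offset %d" % base)
    size, checksum = struct.unpack_from(">II", image, base + 8)
    volume, first = padded_name(image, base + 16)
    return {"offset": base, "size": size, "checksum": checksum,
            "volume": volume, "first_header": first - base}


def checksum_ok(image, base, size):
    """romfs rule: the big-endian words of the first min(size, 512) bytes sum to 0.
    Returns None when the image is too short to decide."""
    n = min(size, 512) & ~3
    block = image[base:base + n]
    if len(block) < n:
        return None
    return sum(struct.unpack(">%dI" % (n // 4), block)) & 0xFFFFFFFF == 0


def list_root(image, sb, limit=256):
    """Walk the root directory's header chain; stop at truncation or a loop."""
    entries, seen, off = [], set(), sb["first_header"]
    while off and off not in seen and len(entries) < limit:
        seen.add(off)
        pos = sb["offset"] + off
        if pos + 16 > len(image):
            break  # header lies beyond the bytes we have
        nxt, spec, size, _ = struct.unpack_from(">IIII", image, pos)
        try:
            name, _ = padded_name(image, pos + 16)
        except ValueError:
            break
        entries.append({"name": name, "type": TYPES[nxt & 7],
                        "exec": bool(nxt & 8), "spec": spec, "size": size})
        off = nxt & ~0xF  # next header offset, relative to the start of the romfs
    return entries


if __name__ == "__main__":
    base = SAMPLE_IMAGE.find(ROMFS_MAGIC)
    sb = parse_superblock(SAMPLE_IMAGE, base)
    print("romfs at %d: %d bytes, volume %r" % (base, sb["size"], sb["volume"]))
    print("checksum:", checksum_ok(SAMPLE_IMAGE, base, sb["size"]))
    for e in list_root(SAMPLE_IMAGE, sb):
        print("  %-4s %-8s spec=0x%x" % (e["name"], e["type"], e["spec"]))
```

On the real file, read fw_Eumex800_1.21_RC01.fwr into memory in place of SAMPLE_IMAGE; with all 512 bytes present the checksum can then be verified before the image is handed to the kernel's romfs driver.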

tree fs.src/ shows me:

fs.src/
├── bin
│   ├── bccd
│   ├── busybox
│   ├── capid
│   ├── cat -> busybox
│   ├── chmod -> busybox
│   ├── cnfd
│   ├── cp -> busybox
│   ├── daemon
│   ├── ddu
│   ├── dhcpd
│   ├── dnsd
│   ├── echo -> busybox
│   ├── gunzip -> busybox
│   ├── init
│   ├── ipfwadm
│   ├── ipportfw
│   ├── ipppd
│   ├── ipppd_dialin -> ipppd
│   ├── ipupdown
│   ├── kill -> busybox
│   ├── ln -> busybox
│   ├── ls -> busybox
│   ├── mkdir -> busybox
│   ├── mpsv6xx
│   ├── ping -> busybox
│   ├── ps -> busybox
│   ├── rc
│   ├── rm -> busybox
│   ├── rmdir -> busybox
│   ├── sh
│   ├── sswctl
│   ├── statd
│   ├── syslogd
│   ├── tapid
│   ├── telnetd
│   ├── top -> busybox
│   ├── wan
│   └── zcat -> busybox
├── bootstage2
├── dev
│   ├── ab_scan
│   ├── bhdlc0
│   ├── bhdlc1
│   ├── bhdlc2
│   ├── bhdlc3
│   ├── bhdlc4
│   ├── bhdlc5
│   ├── bhdlc6
│   ├── bhdlc7
│   ├── bhdlcmon
│   ├── bmtd0
│   ├── bmtd1
│   ├── clip
│   ├── codec
│   ├── console
│   ├── cua0
│   ├── cui0
│   ├── cui1
│   ├── cui2
│   ├── cui3
│   ├── cui4
│   ├── cui5
│   ├── cui6
│   ├── cui7
│   ├── display
│   ├── hdlc1
│   ├── hdlc2
│   ├── hdlc3
│   ├── hdlc4
│   ├── hdlc5
│   ├── hdlc6
│   ├── hdlc7
│   ├── hdlc8
│   ├── ippp0
│   ├── ippp1
│   ├── ippp10
│   ├── ippp11
│   ├── ippp12
│   ├── ippp2
│   ├── ippp3
│   ├── ippp4
│   ├── ippp5
│   ├── ippp6
│   ├── ippp7
│   ├── ippp8
│   ├── ippp9
│   ├── isdn0
│   ├── isdn1
│   ├── isdn2
│   ├── isdn3
│   ├── isdn4
│   ├── isdn5
│   ├── isdn6
│   ├── isdn7
│   ├── isdnctrl
│   ├── isdnctrl0
│   ├── isdnctrl1
│   ├── isdnctrl2
│   ├── isdnctrl3
│   ├── isdnctrl4
│   ├── isdnctrl5
│   ├── isdnctrl6
│   ├── isdnctrl7
│   ├── isdninfo
│   ├── kf
│   ├── kmem
│   ├── mem
│   ├── mfv
│   ├── mps
│   ├── mpssio
│   ├── mtd0
│   ├── mtd1
│   ├── null
│   ├── ptyp0
│   ├── ptyp1
│   ├── ptyp2
│   ├── ptyp3
│   ├── ptyp4
│   ├── ptyp5
│   ├── ptyp6
│   ├── ptyp7
│   ├── ptyp8
│   ├── ptyp9
│   ├── ptypa
│   ├── ptypb
│   ├── ptypc
│   ├── ptypd
│   ├── ptype
│   ├── ptypf
│   ├── ram0
│   ├── s0a
│   ├── s0b
│   ├── s0mon
│   ├── tty
│   ├── tty0
│   ├── ttyI0
│   ├── ttyI1
│   ├── ttyI2
│   ├── ttyI3
│   ├── ttyI4
│   ├── ttyI5
│   ├── ttyI6
│   ├── ttyI7
│   ├── ttyp0
│   ├── ttyp1
│   ├── ttyp2
│   ├── ttyp3
│   ├── ttyp4
│   ├── ttyp5
│   ├── ttyp6
│   ├── ttyp7
│   ├── ttyp8
│   ├── ttyp9
│   ├── ttypa
│   ├── ttypb
│   ├── ttypc
│   ├── ttypd
│   ├── ttype
│   ├── ttypf
│   ├── ttyS0
│   ├── usbnet0
│   └── zero
├── etc -> /var/etc
├── etc_ro
│   ├── dhcpd.conf
│   ├── firewall.lan
│   ├── firewall.reset
│   ├── group
│   ├── hosts
│   ├── inittab
│   ├── issue
│   ├── motd
│   ├── passwd
│   ├── rc.config
│   ├── resolv.conf
│   ├── route.conf
│   ├── services
│   ├── syslog.conf
│   └── wantab
├── lib
│   └── modules
│       ├── ab_scan
│       ├── clip
│       ├── codec
│       ├── ihl
│       ├── led_compactdsl
│       ├── mfv
│       ├── sswmux
│       └── usw
├── linux.bin.gz
├── proc
├── ramfs.img
├── sbin
│   ├── ifconfig -> ../bin/busybox
│   ├── init.d
│   │   ├── rc0.d
│   │   │   └── 00syslog -> ../rc.syslog
│   │   ├── rc1.d
│   │   │   ├── 00syslog -> ../rc.syslog
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   └── 11fcnf -> ../rc.1stcnf
│   │   ├── rc.1stcnf
│   │   ├── rc2.d
│   │   │   ├── 00syslog -> ../rc.syslog
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   ├── 12cnfd -> ../rc.cnfd
│   │   │   ├── 20netdev -> ../rc.netdev
│   │   │   ├── 21network -> ../rc.network
│   │   │   ├── 22route -> ../rc.route
│   │   │   ├── 30dhcpd -> ../rc.dhcpd
│   │   │   ├── 30dnsd -> ../rc.dnsd
│   │   │   ├── 31bccd -> ../rc.bccd
│   │   │   ├── 31capid -> ../rc.capid
│   │   │   ├── 31tapid -> ../rc.tapid
│   │   │   └── 33statd -> ../rc.statd
│   │   ├── rc3.d
│   │   │   ├── 00syslog -> ../rc.syslog
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   ├── 12cnfd -> ../rc.cnfd
│   │   │   ├── 20netdev -> ../rc.netdev
│   │   │   ├── 21network -> ../rc.network
│   │   │   ├── 22route -> ../rc.route
│   │   │   ├── 30dhcpd -> ../rc.dhcpd
│   │   │   ├── 30dnsd -> ../rc.dnsd
│   │   │   ├── 31bccd -> ../rc.bccd
│   │   │   ├── 31capid -> ../rc.capid
│   │   │   ├── 31tapid -> ../rc.tapid
│   │   │   ├── 33statd -> ../rc.statd
│   │   │   └── 40ras -> ../rc.ras
│   │   ├── rc4.d
│   │   │   ├── 00syslog -> ../rc.syslog
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   ├── 12cnfd -> ../rc.cnfd
│   │   │   ├── 20netdev -> ../rc.netdev
│   │   │   ├── 21network -> ../rc.network
│   │   │   ├── 22route -> ../rc.route
│   │   │   ├── 30dhcpd -> ../rc.dhcpd
│   │   │   ├── 30dnsd -> ../rc.dnsd
│   │   │   ├── 31bccd -> ../rc.bccd
│   │   │   ├── 31capid -> ../rc.capid
│   │   │   ├── 31tapid -> ../rc.tapid
│   │   │   ├── 33statd -> ../rc.statd
│   │   │   ├── 40ras -> ../rc.ras
│   │   │   └── 40wandemand -> ../rc.wandemand
│   │   ├── rc5.d
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   ├── 20netdev -> ../rc.netdev
│   │   │   ├── 21network -> ../rc.network
│   │   │   ├── 22route -> ../rc.route
│   │   │   └── 31bccd -> ../rc.bccd
│   │   ├── rc6.d
│   │   │   └── 00syslog -> ../rc.syslog
│   │   ├── rc.bccd
│   │   ├── rc.boot
│   │   ├── rc.capid
│   │   ├── rc.cnfd
│   │   ├── rc.dhcpd
│   │   ├── rc.dnsd
│   │   ├── rc.e820test
│   │   ├── rc.httpd
│   │   ├── rc.mps
│   │   ├── rc.netdev
│   │   ├── rc.network
│   │   ├── rc.ras
│   │   ├── rc.rasv2
│   │   ├── rc.route
│   │   ├── rcS.d
│   │   │   └── 00syslog -> ../rc.syslog
│   │   ├── rc.statd
│   │   ├── rc.sysinit
│   │   ├── rc.syslog
│   │   ├── rc.tapid
│   │   ├── rc.wan
│   │   └── rc.wandemand
│   ├── insmod -> ../bin/busybox
│   └── route -> ../bin/busybox
├── usr
│   └── local
└── var

19 directories, 261 files

We can see that the /bin folder contains a telnetd server, but there is no rc.telnetd script to start it.

cat fs.src/etc_ro/inittab gives me:

# runlevel to enter
id:1:initdefault:

# system initialization (done before anything else)
si:I:sysinit:/sbin/init.d/rc.sysinit

# bootup handling
bw::bootwait:/sbin/init.d/rc.boot

# runlevel handling
k0:01256:wait:/sbin/init.d/rc.wan stop
l0:0:wait:/bin/rc 0
l1:1:wait:/bin/rc 1
l2:2:wait:/bin/rc 2
l3:3:wait:/bin/rc 3
l4:4:wait:/bin/rc 4
l5:5:wait:/bin/rc 5
l6:6:wait:/bin/rc 6

# ondemand actions
o1:A:ondemand:/sbin/init.d/rc.wan start
o2:B:ondemand:/sbin/init.d/rc.wan stop

# respawn actions
# r2:2345:respawn:/bin/telnetd -l /bin/sh
r4:34:respawn:/bin/ipppd_dialin -bufs 14 file /etc/ppp/ioptions.dialin
r5:4:respawn:/bin/wan -f /etc/wantab

# what to do in single-user mode
#ls:S:wait:/bin/rc S

# end of inittab

cat fs.src/etc_ro/services gives me:

#
#       Network services, Internet style
#
domain          53/udp
syslog          514/udp
el_config       5000/tcp
el_discover     5000/udp
el_capi         5001/tcp
el_tapi         5002/tcp
el_stat         5003/tcp
el_syslog       5004/tcp

nmap gives me:

nmap 192.168.1.250

Starting Nmap 5.21 ( http://nmap.org ) at 0000-00-00 00:00 CEST
Nmap scan report for k800.home.local (192.168.1.250)
Host is up (0.019s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
5000/tcp open  upnp
5001/tcp open  commplex-link
5002/tcp open  rfe
5003/tcp open  filemaker
5004/tcp open  unknown
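
The inittab, services and nmap listings above can be cross-checked against each other. This is an added example, not part of the original page: it confirms that the telnetd respawn entry is commented out and replaces nmap's guessed service names with the names from the firmware's own etc_ro/services. The inputs are excerpts copied from the listings above and the function names are illustrative.

```python
import re

# Excerpts copied from the etc_ro/inittab, etc_ro/services and nmap listings on this page.
INITTAB = """\
# runlevel to enter
id:1:initdefault:
l2:2:wait:/bin/rc 2
# respawn actions
# r2:2345:respawn:/bin/telnetd -l /bin/sh
r4:34:respawn:/bin/ipppd_dialin -bufs 14 file /etc/ppp/ioptions.dialin
r5:4:respawn:/bin/wan -f /etc/wantab
#ls:S:wait:/bin/rc S
"""
SERVICES = """\
domain          53/udp
syslog          514/udp
el_config       5000/tcp
el_discover     5000/udp
el_capi         5001/tcp
el_tapi         5002/tcp
el_stat         5003/tcp
el_syslog       5004/tcp
"""
NMAP = """\
PORT     STATE SERVICE
5000/tcp open  upnp
5001/tcp open  commplex-link
5002/tcp open  rfe
5003/tcp open  filemaker
5004/tcp open  unknown
"""

# id:runlevels:action:process, optionally commented out with a leading '#'
ENTRY = re.compile(r"^(#\s*)?([A-Za-z0-9]{1,4}):([^:]*):([a-z]+):(.*)$")


def parse_inittab(text):
    """Return every inittab entry, including commented-out ones (enabled=False)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append({"enabled": m.group(1) is None, "id": m.group(2),
                            "runlevels": m.group(3), "action": m.group(4),
                            "process": m.group(5).strip()})
    return entries


def remote_login_entries(entries, daemons=("telnetd",)):
    """Entries whose command is a remote-login daemon, whether enabled or not."""
    hits = []
    for e in entries:
        argv = e["process"].split()
        if argv and argv[0].rsplit("/", 1)[-1] in daemons:
            hits.append(e)
    return hits


def parse_services(text):
    """Map (port, proto) to the service name declared in an /etc/services file."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(int(port), proto)] = fields[0]
    return table


def reconcile(nmap_text, services_text):
    """Pair each open port with nmap's guess and the firmware's name (None if undeclared)."""
    table = parse_services(services_text)
    rows = []
    for line in nmap_text.splitlines():
        m = re.match(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", line)
        if m:
            key = (int(m.group(1)), m.group(2))
            rows.append(key + (m.group(3), table.get(key)))
    return rows


def undeclared(rows):
    """Open ports that the firmware's services file does not account for."""
    return [r for r in rows if r[3] is None]


if __name__ == "__main__":
    for e in remote_login_entries(parse_inittab(INITTAB)):
        state = "ENABLED" if e["enabled"] else "commented out"
        print("%s (runlevels %s): %s" % (state, e["runlevels"], e["process"]))
    for port, proto, guess, real in reconcile(NMAP, SERVICES):
        print("%d/%s  nmap=%-14s firmware=%s" % (port, proto, guess, real))
```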

toh/t-com/eumex800.txt · Last modified: 2012/10/20 19:44 (external edit)