T-Home Eumex 800

Hardware Highlights

CPU	Ram	Flash	Network	USB	a/b line (POTS)	ISDN	Serial	JTAG
Kolibri P_2001	? MiB	? MiB	4 x 1	1 x USB Typ B	8x analog Phone	1x internal 1x external	Yes (but disabled)	Yes (but not tested)

Serial

Serial console is V24. Default settings are: 57100, 8, n, 1

pin	signal
-	3V3
-	TX
-	RX
-	GND

JTAG

-	-
-	-

Deviceinfo

Linux Kernel 2.0.38.0

Vendor: Funkwerk

Syslogd Messages:

Jan  1 00:00:02 k800 syslogd[24]: [MSG] version 1.4.1 (re)started
Jan  1 00:00:02 k800 vmlinux: memory available is 15449KB
Jan  1 00:00:02 k800 vmlinux: start_mem is 0x400e1938
Jan  1 00:00:02 k800 vmlinux: virtual_end is 0x40ff8000
Jan  1 00:00:02 k800 vmlinux: before free_area_init
Jan  1 00:00:02 k800 vmlinux: free_area_init -> start_mem is 0x400e3938
Jan  1 00:00:02 k800 vmlinux: virtual_end is 0x40ff8000
Jan  1 00:00:02 k800 vmlinux: Calibrating delay loop.. ok - 56.72 BogoMIPS
Jan  1 00:00:02 k800 vmlinux: Memory: 13888k/15M available (712k kernel code, 32k reserved, 1720k data)
Jan  1 00:00:02 k800 vmlinux: Swansea University Computer Society NET3.035 for Linux 2.0
Jan  1 00:00:02 k800 vmlinux: NET3: Unix domain sockets 0.13 for Linux NET3.035.
Jan  1 00:00:02 k800 vmlinux: Swansea University Computer Society TCP/IP for NET3.034
Jan  1 00:00:02 k800 vmlinux: IP Protocols: ICMP, UDP, TCP
Jan  1 00:00:02 k800 vmlinux: Linux version 2.0.38.0 (lueck@TE3lnx-1) (gcc version 2.95.4 20010319 (prerelease)) #1 Mi Dez 15 11:22:14 CET 2010
Jan  1 00:00:02 k800 vmlinux: am29: [INF] flashmem_init (simulation=off)
Jan  1 00:00:02 k800 vmlinux: am29: [INF] flashid: 0x7f, 0x49
Jan  1 00:00:02 k800 vmlinux: am29: [INF] toggling_bits=0x44
Jan  1 00:00:02 k800 vmlinux: am29: [INF] special_base=0x2000000 special_base2=0x2000000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] special sectors map:
Jan  1 00:00:02 k800 vmlinux: am29: [INF] start=0x0 size=0x4000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] start=0x4000 size=0x2000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] start=0x6000 size=0x2000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] start=0x8000 size=0x8000
Jan  1 00:00:02 k800 vmlinux: am29: [INF] total=4 sectors in 1 region(s)
Jan  1 00:00:02 k800 vmlinux: am29: [INF] org='BOTTOM' start_index=3 step=-1
Jan  1 00:00:02 k800 vmlinux: mtd: Giving out device 0 to EN29LV160Bottom
Jan  1 00:00:02 k800 vmlinux: am29: [INF] flashmem_init (simulation=off)
Jan  1 00:00:02 k800 vmlinux: am29: [INF] flashid: 0x3073, 0xfb
Jan  1 00:00:02 k800 vmlinux: am29: [INF] toggling_bits=0x44
Jan  1 00:00:02 k800 vmlinux: am29: [ERR] unknown flash
Jan  1 00:00:02 k800 vmlinux: am29: [ERR] unable to get flash info
Jan  1 00:00:02 k800 vmlinux: Ramdisk driver initialized : 4 ramdisks of 1024K size
Jan  1 00:00:02 k800 vmlinux: bmtd: [INF] registered device at major 42
Jan  1 00:00:02 k800 vmlinux: PPP: version 2.3.11 (demand dialling)
Jan  1 00:00:02 k800 vmlinux: TCP compression code copyright 1989 Regents of the University of California
Jan  1 00:00:02 k800 vmlinux: PPP line discipline registered.
Jan  1 00:00:02 k800 vmlinux: ISDN subsystem Rev: 1.5/none/1.19/1.24/none
Jan  1 00:00:02 k800 vmlinux: P2001 FIQ & Timer1 Handler Module - $Revision: 1.19 $, (Dec 15 2010, 11:23:24)
Jan  1 00:00:02 k800 vmlinux: P2001 USB Remote NDIS Driver Module - $Revision: 1.33 $, (Dec 15 2010, 11:23:29)
Jan  1 00:00:02 k800 vmlinux: P2001 HDLC Driver Module ( $Id: lh_hdlc_p2001.c,v 1.5 2002-04-18 12:26:36 haack Exp $, $Name:  $ ) 
Jan  1 00:00:02 k800 vmlinux: P2001 L1 driver module 
Jan  1 00:00:02 k800 vmlinux: BHDLC driver module installed 
Jan  1 00:00:02 k800 vmlinux: VFS: Mounted root (romfs filesystem) readonly.
Jan  1 00:00:02 k800 vmlinux: Elmeg LED Driver Module - Version 1.3 (Dec 15 2010, 11:26:15)
Jan  1 00:00:02 k800 vmlinux: Elmeg 802.1D Ethernet SoftSwitch Module - Version 1.0 (Dec 15 2010, 11:26:21)
Jan  1 00:00:03 k800 vmlinux: P2001 MFV Driver Module - $Revision: 1.21 $, (Dec 15 2010, 11:26:04)
Jan  1 00:00:03 k800 vmlinux: P2001 CLIP Driver Module - $Revision: 1.10 $, (Dec 15 2010, 11:26:02)
Jan  1 00:00:03 k800 vmlinux: P2001 codec Driver Module - $Revision: 1.18 $, (Dec 15 2010, 11:25:59)
Jan  1 00:00:03 k800 vmlinux: P2001 analog scannner Driver Module - $Revision: 1.9 $, (Dec 15 2010, 11:26:07)
Jan  1 00:00:03 k800 vmlinux: ISDN hardware layer initialized
Jan  1 00:00:03 k800 vmlinux: Elmeg UDP Switch Module - Version 1.0 (Dec 15 2010, 11:26:32)
Jan  1 00:00:03 k800 sh[25]: [MSG] starting mpsv6xx
Jan  1 00:00:06 k800 mpsv6xx[27]: [WRN] FLASH 2 perhabs no present: /dev/mtd1 open failed with -1 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ***** Flash 1 phys. paramter: ***** 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Base.   : 0x02000000 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Size    : 0x00200000 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Segments:         35  
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ***** Flash 2 phys. paramter: ***** 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Base.   : 0x00000000 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Size    : 0x00000000 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Segments:         0  
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ***** MPS Flash configuration ***** 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### GEB_START_SEGMENT   at 0x021F0000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### BUCH_START_SEGMENT  at 0x021E0000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### LCR_START_SEGMENT   at 0x021E0000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### TEL_BOOK_INTER      at 0x02006000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### M_HW_FLASH_KFG_ADR  at 0x02008000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] ### M_HW_BACKUP_KFG_ADR at 0x021D0000 ### 
Jan  1 00:00:06 k800 mpsv6xx[27]: [MSG] Starting HAL_main! 
Jan  1 00:00:07 k800 sh[28]: [MSG] configuring system
Jan  1 00:00:08 k800 cnfd[29]: [MSG] version 1.4 (Dec 15 2010, 11:29:32) started 
Jan  1 00:00:09 k800 mpsv6xx[27]: [MSG] init mempool 
Jan  1 00:00:09 k800 mpsv6xx[27]: [MSG] Setting PORT infos... 
Jan  1 00:00:09 k800 cnfd[29]: [MSG] writing config files ... 
Jan  1 00:00:09 k800 cnfd[29]: [MSG] terminating with status=Success 
Jan  1 00:00:09 k800 init[1]: [MSG] entering runlevel '2' 
Jan  1 00:00:09 k800 init[1]: [MSG] Sending SIGTERM to runlevel '1' processes 
Jan  1 00:00:09 k800 init[1]: [MSG] Sending SIGKILL to runlevel '1' processes 
Jan  1 00:00:09 k800 sh[31]: [MSG] killing wan service
Jan  1 00:00:10 k800 sh[35]: [MSG] starting cnfd
Jan  1 00:00:11 k800 cnfd[37]: [MSG] version 1.4 (Dec 15 2010, 11:29:32) started 
Jan  1 00:00:12 k800 sh[38]: [MSG] configuring network devices
Jan  1 00:00:14 k800 sh[54]: [MSG] configuring network
Jan  1 00:00:16 k800 sh[66]: [MSG] configuring routing table
Jan  1 00:00:16 k800 syslogd[24]: [MSG] version 1.4.1 (re)started
Jan  1 00:00:17 k800 sh[70]: [MSG] starting dhcpd
Jan  1 00:00:17 k800 dhcpd[72]: [MSG] version 0.9.7 (Dec 15 2010, 11:28:51) started 
Jan  1 00:00:17 k800 sh[73]: [MSG] starting dnsd
Jan  1 00:00:19 k800 dnsd[75]: [MSG] version 1.0 (Dec 15 2010, 11:28:56) started 
Jan  1 00:00:19 k800 sh[76]: [MSG] starting bccd
Jan  1 00:00:20 k800 bccd[78]: [MSG] version 1.0 (Dec 15 2010, 11:29:26) started 
Jan  1 00:00:20 k800 bccd[78]: [MSG] connecting to mps 
Jan  1 00:00:20 k800 sh[79]: [MSG] starting capid
Jan  1 00:00:20 k800 bccd[78]: [MSG] connect with mps 
Jan  1 00:00:21 k800 sh[82]: [MSG] starting tapid
Jan  1 00:00:21 k800 capid[81]: [MSG] ACTIVATE_IND To mps  
Jan  1 00:00:21 k800 capid[81]: [MSG] M_IT_DAE_ACTIVE_CONF from mps CAUSE = 0.  
Jan  1 00:00:22 k800 tapid[84]: [MSG] ACTIVATE_IND To mps  
Jan  1 00:00:22 k800 sh[85]: [MSG] starting statd
Jan  1 00:00:22 k800 tapid[84]: [MSG] M_IT_DAE_ACTIVE_CONF from mps.  
Jan  1 00:00:23 k800 statd[87]: [MSG] version 1.6 (k800, Dec 15 2010, 11:30:26) started 
Jan  1 00:00:23 k800 statd[87]: [MSG] current provider '---' 
Jan  1 00:00:23 k800 statd[87]: [MSG] connect from mps client 0x3e7 (1/10) 
Jan  1 00:00:25 k800 statd[87]: [MSG] SIGHUP received 
Jan  1 00:00:25 k800 statd[87]: [MSG] current provider '---' 
Jan  1 00:01:22 k800 dhcpd[72]: [MSG] sending OFFER of 192.168.1.50 
Jan  1 00:01:22 k800 dhcpd[72]: [MSG] sending ACK to 192.168.1.50 
Jan  1 00:13:51 k800 statd[87]: [MSG] connect from client 192.168.1.50 (2/10) 
<45>connect from client 192.168.1.50 (1/10)

Firmware Analyses

Firmware:

h t t p://hilfe.telekom.de/dlp/eki/downloads/Eumex%20Serie/Eumex_800/fw_Eumex800_1.21_RC01.exe

Run this small programm with wine to extract the firmware file: "fw_Eumex800_1.21_RC01.fwr"

After downloading and extracting the firmware gives me "hexdump -C fw_Eumex800_1.21_RC01.fwr":

00000000  31 31 32 33 34 35 36 37  38 39 02 30 37 02 30 33  |1123456789.07.03|
00000010  02 30 34 02 65 28 08 30  30 30 30 30 30 30 30 0b  |.04.e(.00000000.|
00000020  44 65 63 20 31 35 20 32  30 31 30 04 31 2e 32 31  |Dec 15 2010.1.21|
00000030  03 52 43 31 05 6c 75 65  63 6b e5 3d 66 00 02 00  |.RC1.lueck.=f...|
00000040  00 00 00 02 00 00 00 00  00 00 f0 2e 00 00 00 00  |................|
00000050  00 00 38 00 00 00 00 02  02 00 00 80 00 40 00 80  |..8..........@..|
00000060  00 40 91 bd 05 00 03 00  00 00 3c 00 00 00 00 02  |.@........<.....|
00000070  02 00 60 11 1a 00 80 e3  13 00 72 6f 6f 74 3d 2f  |..`.......root=/|
00000080  64 65 76 2f 62 6d 74 64  30 20 72 6f 20 43 4f 4e  |dev/bmtd0 ro CON|
00000090  53 4f 4c 45 3d 2f 64 65  76 2f 6e 75 6c 6c 00 00  |SOLE=/dev/null..|
000000a0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00000420  ff ff ff ff ff ff ff ff  ff ff 2d 72 6f 6d 31 66  |..........-rom1f|
00000430  73 2d 00 1a 40 50 0b d5  d2 d9 72 6f 6d 20 34 64  |s-..@P....rom 4d|
00000440  30 38 39 38 63 65 00 00  00 00 00 00 00 49 00 00  |0898ce.......I..|
00000450  00 20 00 00 00 00 d1 ff  ff 97 2e 00 00 00 00 00  |. ..............|
00000460  00 00 00 00 00 00 00 00  00 00 00 00 00 60 00 00  |.............`..|
00000470  00 20 00 00 00 00 d1 d1  ff 80 2e 2e 00 00 00 00  |. ..............|
00000480  00 00 00 00 00 00 00 00  00 00 00 12 d6 49 00 00  |.............I..|
00000490  00 80 00 00 00 00 9d 83  bb 37 62 69 6e 00 00 00  |.........7bin...|
--- cut ---

We can see the command "root=/dev/bmtd0 ro CONSOLE=/dev/null" Thats the reason why we did not get anything from the serialport.

binwalk

DECIMAL ----------------------- 1066            0x42A 1482            0x5CA 1546            0x60A 13786           0x35DA 85354           0x14D6A 85418           0x14DAA 103738          0x1953A 103802          0x1957A 121818          0x1DBDA 121882          0x1DC1A 140730          0x225BA 140794          0x225FA 174218          0x2A88A 174282          0x2A8CA 196842          0x300EA 196906          0x3012A 216122          0x34C3A 216186          0x34C7A 247546          0x3C6FA 247610          0x3C73A 268154          0x4177A 268218          0x417BA 330490          0x50AFA 330554          0x50B3A 357546          0x574AA 357610          0x574EA 388410          0x5ED3A 388474          0x5ED7A 401994          0x6224A 402058          0x6228A 417914          0x6607A 417978          0x660BA 429722          0x68E9A 429786          0x68EDA 450298          0x6DEFA 450362          0x6DF3A 479002          0x74F1A 479066          0x74F5A 1070970         0x10577A 1071034         0x1057BA 1079338         0x10782A 1130730         0x1140EA 1220087         0x129DF7 1239834         0x12EB1A 1252058         0x131ADA 1258282         0x13332A 1265706         0x13502A 1269754         0x135FFA 1275658         0x13770A 1279114         0x13848A 1287346         0x13A4B2 1292074         0x13B72A 1300242         0x13D712 1304490         0x13E7AA 1701480         0x19F668 1703648         0x19FEE0 1703666         0x19FEF2 1703756         0x19FF4C 1703774         0x19FF5E 1703864         0x19FFB8 1703882         0x19FFCA 1703972         0x1A0024 1703990         0x1A0036 1704080         0x1A0090 1704098         0x1A00A2



fw_Eumex800_1.21_RC01.fwr shows me: HEX             DESCRIPTION -------------------------------------------------------------------------------- romfs filesystem, version 1 size: 1720400 bytes, named rom 4d0898ce. BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00003E10,  bss segment starts at: 0x00005090,  bss segment ends at: 0x000053E8,  stack size: 7800 bytes,  relocation records start at: 0x00005090,  number of reolcation records: 304,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:51 2010, max compression BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x0000DFD0,  bss segment starts at: 0x000100C0,  bss segment ends at: 0x00011A88,  stack size: 16000 bytes,  relocation records start at: 0x000100C0,  number of reolcation records: 1440,  ram BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00005E90,  bss segment starts at: 0x000078F0,  bss segment ends at: 0x00007DCC,  stack size: 7900 bytes,  relocation records start at: 0x000078F0,  number of reolcation records: 438,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:30 2010, max compression BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00006340,  bss segment starts at: 0x00007960,  bss segment ends at: 0x00007D38,  stack size: 3900 bytes,  relocation records start at: 0x00007960,  number of reolcation records: 399,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:20 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00006650,  bss segment starts at: 0x00007EB0,  bss segment ends at: 0x0000A468,  stack size: 16000 bytes,  relocation records start at: 0x00007EB0,  number of reolcation records: 431,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:26 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0000B710,  bss segment starts at: 0x0000EEC0,  bss segment ends at: 0x0000F668,  stack size: 16000 bytes,  relocation records start at: 0x0000EEC0,  number of reolcation records: 980,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:33 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00007E20,  bss segment starts at: 0x00009860,  bss segment ends at: 0x0000A238,  stack size: 8100 bytes,  relocation records start at: 0x00009860,  number of reolcation records: 552,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:28:56 2010, max compression BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x000068A0,  bss segment starts at: 0x00008500,  bss segment ends at: 0x00008A38,  stack size: 16000 bytes,  relocation records start at: 0x00008500,  number of reolcation records: 509,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:28:22 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0000BB60,  bss segment starts at: 0x0000DC70,  bss segment ends at: 0x0000F528,  stack size: 12000 bytes,  relocation records start at: 0x0000DC70,  number of reolcation records: 610,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:44 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00006F80,  bss segment starts at: 0x00008DE0,  bss segment ends at: 0x000091F8,  stack size: 16000 bytes,  relocation records start at: 0x00008DE0,  number of reolcation records: 436,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:28:51 2010, max compression BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x000184A0,  bss segment starts at: 0x0001CD50,  bss segment ends at: 0x0001DEE8,  stack size: 5000 bytes,  relocation records start at: 0x0001CD50,  number of reolcation records: 1926,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:16 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00009970,  bss segment starts at: 0x0000B590,  bss segment ends at: 0x0000F5D8,  stack size: 8000 bytes,  relocation records start at: 0x0000B590,  number of reolcation records: 1063,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:57 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0000AEC0,  bss segment starts at: 0x0000D080,  bss segment ends at: 0x0000D91C,  stack size: 7900 bytes,  relocation records start at: 0x0000D080,  number of reolcation records: 848,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:26 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00004490,  bss segment starts at: 0x00005890,  bss segment ends at: 0x00005BC8,  stack size: 3900 bytes,  relocation records start at: 0x00005890,  number of reolcation records: 365,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:59 2010, max compression BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00005490,  bss segment starts at: 0x00006870,  bss segment ends at: 0x00006BA8,  stack size: 15000 bytes,  relocation records start at: 0x00006870,  number of reolcation records: 477,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:01 2010, max compression BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00003C30,  bss segment starts at: 0x00004EC0,  bss segment ends at: 0x00005198,  stack size: 8000 bytes,  relocation records start at: 0x00004EC0,  number of reolcation records: 305,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:18 2010, max compression BFLT executable  version 4,  code offset: 0x00000050,  data segment starts at: 0x00007570,  bss segment starts at: 0x00008D40,  bss segment ends at: 0x00009558,  stack size: 7800 bytes,  relocation records start at: 0x00008D40,  number of reolcation records: 536,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:36 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0000A300,  bss segment starts at: 0x0000C0A0,  bss segment ends at: 0x0000CC6C,  stack size: 7900 bytes,  relocation records start at: 0x0000C0A0,  number of reolcation records: 702,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:30:03 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x0010FBB0,  bss segment starts at: 0x00122C40,  bss segment ends at: 0x00147468,  stack size: 3900 bytes,  relocation records start at: 0x00122C40,  number of reolcation records: 21461,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:21 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00002650,  bss segment starts at: 0x000037E0,  bss segment ends at: 0x00003A78,  stack size: 3800 bytes,  relocation records start at: 0x000037E0,  number of reolcation records: 233,  ram gzip gzip compressed data, from Unix, last modified: Wed Dec 15 11:29:03 2010, max compression BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00009BD0,  bss segment starts at: 0x0000BD50,  bss segment ends at: 0x0000C750,  stack size: 8000 bytes,  relocation records start at: 0x0000BD50,  number of reolcation records: 721,  ram BFLT executable  version 4,  code offset: 0x00000044,  data segment starts at: 0x00014160,  bss segment starts at: 0x00017EE0,  bss segment ends at: 0x0001AA7C,  stack size: 16000 bytes,  relocation records start at: 0x00017EE0,  number of reolcation records: 1701,  ram LZMA compressed data, properties: 0x80, dictionary size: 1048576 bytes, uncompressed size: 18874368 bytes ELF 32-bit LSB relocatable, ARM, version 1 ELF 32-bit LSB relocatable, ARM, version 1 ELF 32-bit LSB relocatable, ARM, version 1 ELF 32-bit LSB relocatable, ARM, version 1 ELF 32-bit LSB relocatable, ARM, version 1 ELF 32-bit LSB relocatable, ARM, version 1 ELF 32-bit LSB relocatable, ARM, version 1 LZMA compressed data, properties: 0xB8, dictionary size: 301989888 bytes, uncompressed size: 1006633216 bytes ELF 32-bit LSB relocatable, ARM, version 1 LZMA compressed data, properties: 0x80, dictionary size: 301989888 bytes, uncompressed size: 754974976 bytes gzip compressed data, was "linux.bin", from Unix, last modified: Wed Dec 15 11:23:45 2010 LZMA compressed data, properties: 0xD2, dictionary size: 1845493760 bytes, uncompressed size: 16777216 bytes LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131081 bytes LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 21 bytes LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131074 bytes LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 23 bytes LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131074 bytes LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 25 bytes LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131075 bytes LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 27 bytes LZMA compressed data, properties: 0x9A, dictionary size: 167772160 bytes, uncompressed size: 131074 bytes LZMA compressed data, properties: 0xA8, dictionary size: 150994944 bytes, uncompressed size: 29 bytes

Mount the romfs with the follow commands:

sudo losetup -o 1066 /dev/loop0 fw_Eumex800_1.21_RC01.fwr 
sudo mount -t romfs /dev/loop0 fs.src/

tree fs.src/ shows me:

fs.src/
├── bin
│   ├── bccd
│   ├── busybox
│   ├── capid
│   ├── cat -> busybox
│   ├── chmod -> busybox
│   ├── cnfd
│   ├── cp -> busybox
│   ├── daemon
│   ├── ddu
│   ├── dhcpd
│   ├── dnsd
│   ├── echo -> busybox
│   ├── gunzip -> busybox
│   ├── init
│   ├── ipfwadm
│   ├── ipportfw
│   ├── ipppd
│   ├── ipppd_dialin -> ipppd
│   ├── ipupdown
│   ├── kill -> busybox
│   ├── ln -> busybox
│   ├── ls -> busybox
│   ├── mkdir -> busybox
│   ├── mpsv6xx
│   ├── ping -> busybox
│   ├── ps -> busybox
│   ├── rc
│   ├── rm -> busybox
│   ├── rmdir -> busybox
│   ├── sh
│   ├── sswctl
│   ├── statd
│   ├── syslogd
│   ├── tapid
│   ├── telnetd
│   ├── top -> busybox
│   ├── wan
│   └── zcat -> busybox
├── bootstage2
├── dev
│   ├── ab_scan
│   ├── bhdlc0
│   ├── bhdlc1
│   ├── bhdlc2
│   ├── bhdlc3
│   ├── bhdlc4
│   ├── bhdlc5
│   ├── bhdlc6
│   ├── bhdlc7
│   ├── bhdlcmon
│   ├── bmtd0
│   ├── bmtd1
│   ├── clip
│   ├── codec
│   ├── console
│   ├── cua0
│   ├── cui0
│   ├── cui1
│   ├── cui2
│   ├── cui3
│   ├── cui4
│   ├── cui5
│   ├── cui6
│   ├── cui7
│   ├── display
│   ├── hdlc1
│   ├── hdlc2
│   ├── hdlc3
│   ├── hdlc4
│   ├── hdlc5
│   ├── hdlc6
│   ├── hdlc7
│   ├── hdlc8
│   ├── ippp0
│   ├── ippp1
│   ├── ippp10
│   ├── ippp11
│   ├── ippp12
│   ├── ippp2
│   ├── ippp3
│   ├── ippp4
│   ├── ippp5
│   ├── ippp6
│   ├── ippp7
│   ├── ippp8
│   ├── ippp9
│   ├── isdn0
│   ├── isdn1
│   ├── isdn2
│   ├── isdn3
│   ├── isdn4
│   ├── isdn5
│   ├── isdn6
│   ├── isdn7
│   ├── isdnctrl
│   ├── isdnctrl0
│   ├── isdnctrl1
│   ├── isdnctrl2
│   ├── isdnctrl3
│   ├── isdnctrl4
│   ├── isdnctrl5
│   ├── isdnctrl6
│   ├── isdnctrl7
│   ├── isdninfo
│   ├── kf
│   ├── kmem
│   ├── mem
│   ├── mfv
│   ├── mps
│   ├── mpssio
│   ├── mtd0
│   ├── mtd1
│   ├── null
│   ├── ptyp0
│   ├── ptyp1
│   ├── ptyp2
│   ├── ptyp3
│   ├── ptyp4
│   ├── ptyp5
│   ├── ptyp6
│   ├── ptyp7
│   ├── ptyp8
│   ├── ptyp9
│   ├── ptypa
│   ├── ptypb
│   ├── ptypc
│   ├── ptypd
│   ├── ptype
│   ├── ptypf
│   ├── ram0
│   ├── s0a
│   ├── s0b
│   ├── s0mon
│   ├── tty
│   ├── tty0
│   ├── ttyI0
│   ├── ttyI1
│   ├── ttyI2
│   ├── ttyI3
│   ├── ttyI4
│   ├── ttyI5
│   ├── ttyI6
│   ├── ttyI7
│   ├── ttyp0
│   ├── ttyp1
│   ├── ttyp2
│   ├── ttyp3
│   ├── ttyp4
│   ├── ttyp5
│   ├── ttyp6
│   ├── ttyp7
│   ├── ttyp8
│   ├── ttyp9
│   ├── ttypa
│   ├── ttypb
│   ├── ttypc
│   ├── ttypd
│   ├── ttype
│   ├── ttypf
│   ├── ttyS0
│   ├── usbnet0
│   └── zero
├── etc -> /var/etc
├── etc_ro
│   ├── dhcpd.conf
│   ├── firewall.lan
│   ├── firewall.reset
│   ├── group
│   ├── hosts
│   ├── inittab
│   ├── issue
│   ├── motd
│   ├── passwd
│   ├── rc.config
│   ├── resolv.conf
│   ├── route.conf
│   ├── services
│   ├── syslog.conf
│   └── wantab
├── lib
│   └── modules
│       ├── ab_scan
│       ├── clip
│       ├── codec
│       ├── ihl
│       ├── led_compactdsl
│       ├── mfv
│       ├── sswmux
│       └── usw
├── linux.bin.gz
├── proc
├── ramfs.img
├── sbin
│   ├── ifconfig -> ../bin/busybox
│   ├── init.d
│   │   ├── rc0.d
│   │   │   └── 00syslog -> ../rc.syslog
│   │   ├── rc1.d
│   │   │   ├── 00syslog -> ../rc.syslog
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   └── 11fcnf -> ../rc.1stcnf
│   │   ├── rc.1stcnf
│   │   ├── rc2.d
│   │   │   ├── 00syslog -> ../rc.syslog
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   ├── 12cnfd -> ../rc.cnfd
│   │   │   ├── 20netdev -> ../rc.netdev
│   │   │   ├── 21network -> ../rc.network
│   │   │   ├── 22route -> ../rc.route
│   │   │   ├── 30dhcpd -> ../rc.dhcpd
│   │   │   ├── 30dnsd -> ../rc.dnsd
│   │   │   ├── 31bccd -> ../rc.bccd
│   │   │   ├── 31capid -> ../rc.capid
│   │   │   ├── 31tapid -> ../rc.tapid
│   │   │   └── 33statd -> ../rc.statd
│   │   ├── rc3.d
│   │   │   ├── 00syslog -> ../rc.syslog
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   ├── 12cnfd -> ../rc.cnfd
│   │   │   ├── 20netdev -> ../rc.netdev
│   │   │   ├── 21network -> ../rc.network
│   │   │   ├── 22route -> ../rc.route
│   │   │   ├── 30dhcpd -> ../rc.dhcpd
│   │   │   ├── 30dnsd -> ../rc.dnsd
│   │   │   ├── 31bccd -> ../rc.bccd
│   │   │   ├── 31capid -> ../rc.capid
│   │   │   ├── 31tapid -> ../rc.tapid
│   │   │   ├── 33statd -> ../rc.statd
│   │   │   └── 40ras -> ../rc.ras
│   │   ├── rc4.d
│   │   │   ├── 00syslog -> ../rc.syslog
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   ├── 12cnfd -> ../rc.cnfd
│   │   │   ├── 20netdev -> ../rc.netdev
│   │   │   ├── 21network -> ../rc.network
│   │   │   ├── 22route -> ../rc.route
│   │   │   ├── 30dhcpd -> ../rc.dhcpd
│   │   │   ├── 30dnsd -> ../rc.dnsd
│   │   │   ├── 31bccd -> ../rc.bccd
│   │   │   ├── 31capid -> ../rc.capid
│   │   │   ├── 31tapid -> ../rc.tapid
│   │   │   ├── 33statd -> ../rc.statd
│   │   │   ├── 40ras -> ../rc.ras
│   │   │   └── 40wandemand -> ../rc.wandemand
│   │   ├── rc5.d
│   │   │   ├── 10mps -> ../rc.mps
│   │   │   ├── 20netdev -> ../rc.netdev
│   │   │   ├── 21network -> ../rc.network
│   │   │   ├── 22route -> ../rc.route
│   │   │   └── 31bccd -> ../rc.bccd
│   │   ├── rc6.d
│   │   │   └── 00syslog -> ../rc.syslog
│   │   ├── rc.bccd
│   │   ├── rc.boot
│   │   ├── rc.capid
│   │   ├── rc.cnfd
│   │   ├── rc.dhcpd
│   │   ├── rc.dnsd
│   │   ├── rc.e820test
│   │   ├── rc.httpd
│   │   ├── rc.mps
│   │   ├── rc.netdev
│   │   ├── rc.network
│   │   ├── rc.ras
│   │   ├── rc.rasv2
│   │   ├── rc.route
│   │   ├── rcS.d
│   │   │   └── 00syslog -> ../rc.syslog
│   │   ├── rc.statd
│   │   ├── rc.sysinit
│   │   ├── rc.syslog
│   │   ├── rc.tapid
│   │   ├── rc.wan
│   │   └── rc.wandemand
│   ├── insmod -> ../bin/busybox
│   └── route -> ../bin/busybox
├── usr
│   └── local
└── var

19 directories, 261 filesystem

We can see that in the /bin Folder is a telnetd server. But there is no rc.telnetd script for starting up the telnetd server.

cat fs.src/etc_ro/inittab gives me:

# runlevel to enter
id:1:initdefault:

# system initialization (done before anything else)
si:I:sysinit:/sbin/init.d/rc.sysinit

# bootup handling
bw::bootwait:/sbin/init.d/rc.boot

# runlevel handling
k0:01256:wait:/sbin/init.d/rc.wan stop
l0:0:wait:/bin/rc 0
l1:1:wait:/bin/rc 1
l2:2:wait:/bin/rc 2
l3:3:wait:/bin/rc 3
l4:4:wait:/bin/rc 4
l5:5:wait:/bin/rc 5
l6:6:wait:/bin/rc 6

# ondemand actions
o1:A:ondemand:/sbin/init.d/rc.wan start
o2:B:ondemand:/sbin/init.d/rc.wan stop

# respawn actions
# r2:2345:respawn:/bin/telnetd -l /bin/sh
r4:34:respawn:/bin/ipppd_dialin -bufs 14 file /etc/ppp/ioptions.dialin
r5:4:respawn:/bin/wan -f /etc/wantab

# what to do in single-user mode
#ls:S:wait:/bin/rc S

# end of inittab

cat fs.src/etc_ro/services gives me:

#
#       Network services, Internet style
#
domain          53/udp
syslog          514/udp
el_config       5000/tcp
el_discover     5000/udp
el_capi         5001/tcp
el_tapi         5002/tcp
el_stat         5003/tcp
el_syslog       5004/tcp

nmap gives me:

nmap 192.168.1.250

Starting Nmap 5.21 ( http://nmap.org ) at 0000-00-00 00:00 CEST
Nmap scan report for k800.home.local (192.168.1.250)
Host is up (0.019s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
5000/tcp open  upnp
5001/tcp open  commplex-link
5002/tcp open  rfe
5003/tcp open  filemaker
5004/tcp open  unknown

OpenWrt Wiki

Table of Contents

T-Home Eumex 800

Hardware Highlights

Serial

JTAG

Deviceinfo

Firmware Analyses

OpenWrt Wiki

User Tools

Site Tools

Table of Contents

T-Home Eumex 800

Hardware Highlights

Serial

JTAG

Deviceinfo

Firmware Analyses

Page Tools