Hacking Siemens SX541

I have a new toy, a Siemens SX541, and now I want to see what one can do with it. I want a serial console! It has a nice debug interface that I want to play around with tomorrow. Why the pages contained in the binary (such as engineer.stm) cannot be displayed also remains to be clarified.

How to take the firmware binary apart is also explained (there are pictures of the innards there too). What else is one supposed to do when Strato advertises DSL with VoIP but cannot offer the whole package yet ;-)
Tomorrow: pester Siemens about the source code again.

This is what I did
loneranger# nmap sx541

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-03-14 12:27 CET
Interesting ports on sx541.rebootking.de (10.1.2.254):
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
515/tcp open printer
8081/tcp open blackice-icecap
MAC Address: 00:01:E3:4D:B9:77 (Siemens AG)

Nmap finished: 1 IP address (1 host up) scanned in 0.703 seconds

loneranger# telnet sx541 8081

User Name : root
User Password : *****

Telnet Manager Version 1.62


Type ? for Command-Sensitive Help, TAB match command

ROOT :> ?

system Generic system parameter configuration
interface Interface parameter configuration
wLAN Wireless LAN configuration
bridge Transparent bridging parameter configuration
vc <1~8> ATM virtual circuit parameter configuration
ppp PPP parameter configuration
dial <1~20> Dial-out parameter configuration
ip_share NAT parameter configuration
firewall-func
Enable disable firewall functions
access-list Access list rules manager
inspect Inspection threshold and rules manager
route Routing parameter configuration
dhcp DHCP parameter configuration
dns DNS proxy parameter configuration
snmp SNMP parameter configuration
tftp Default TFTP parameter configuration
mail Mail parameter configuration
chuser Configuration parameters and user access control
upnp Enable or disable Universal Plug and Play
voip_sip Configure VoIP_SIP parameter
show Showing system configuration
monitor Monitor system running status
upgrade Upgrade system firmware to new version
backup Backup system configuration file
passwd [username] [old_pass] [new_pass]
Change user password
default_reset Reset system configuration to default status
write [reboot|exit] Write configuration and restart system
reboot Restart system and activate new system configuration
enable Enable configuration mode
su Change to super user(root) mode
ping [1~65534|-t] [1~1999]
Ping test
tracert [option1] [option2]
Trace route utility
exit Disable privilege command or disconnect


Comments


  1. Armin says:

    If you connect a Siemens data cable (I bought one at CONRAD for €17.95, a "goobay" data cable for the SIEMENS 25-/35-/45-/50 series, order no. 760217) to the 10-pin header inside the SX541 you can in addition trace the boot log, enter the boot monitor for recovery, set debug mode, and telnet via the serial cable.

    Strip the GSM phone plug off; you see 3 wires: black, blue & white. Open the SX541 and look at the pin header from the top.
    --5---4---3---2---1
    +---+---+---+---+---+
    | o | o | o | o | o |
    +   +   +   +   +   +
    | o | o | o | o | o |
    +---+---+---+---+---+
    -10---9---8---7---6
    ---------- front side ---------------

    Connect the 3 wires as follows:
    2:TX : blue
    3:RX : white
    5:GND : black

    Connect the 9-pin D-sub to the serial port of your PC. Open HyperTerminal and set it to 115200-8-N-1, no flow control.

    If you switch on the SX541 you'll see the following boot log:
    ===========================================================
    TI ADSL AR7300 Loader 0.67.3 build Sep 15 2004 17:03:49
    Broad Net Technology, INC.
    ===========================================================
    Flash not found

    Copying boot params.....DONE

    Press any key to enter command mode ...
    Flash Checking Passed.

    Unzipping web at 0x94f30000 ... done
    Unzipping code at 0x94000000 ... done
    In C_Entry() function ...
    install_exception
    sys_irq_init() ...
    Set GPIO
    Reset USB and VP140 module ...
    ##### _ftext = 0x94000000
    ##### _fdata = 0x94345120
    ##### __bss_start = 0x9439C300
    ##### end = 0x9545847C
    ##### Backup Data from 0x94345120 to 0x9547847C~0x954CF65C len 356832
    [INIT] System Log Pool startup ...
    [INIT] MTinitialize ..
    userclk_init() ...
    Runtime code version: 1.56
    System startup...
    [INIT] Memory COLOR 0, 1500000 bytes ..
    [INIT] Memory COLOR 1, 600000 bytes ..
    [INIT] Memory COLOR 2, 1900000 bytes ..

    manu_id=004A chip_id=2249
    ES29LV160D bottom boot 16-bit mode found
    Set flash memory layout to Boot Parameters found !!!
    Bootcode version: 0.67.3
    Serial number: A448012289
    Hardware version: 01
    sizeof(struct III_Config_t) is 82376

    manu_id=004A chip_id=2249
    ES29LV160D bottom boot 16-bit mode found
    !!! Invalid wireless channel range 0 ~ 0
    !!! Use default value 1 ~ 13
    default route: 0.0.0.0
    BufferInit:
    BUF_HDR_SZ=48 BUF_ALIGN_SZ=8 BUFFER_OFFSET=112
    BUF_BUFSZ0=384 BUF_BUFSZ1=1872
    NUM_OF_B0=0 NUM_OF_B1=1200
    BUF_POOL0_SZ=0 BUF_POOL1_SZ=2304000
    sizeof(BUFFER0)=432,sizeof(BUFFER1)=1920
    *BUF0=0x94c7506c *BUF1=0x94a4285c
    Altgn *BUF0=0x94c75070 *BUF1=0x94a42860
    End at BUF0:0x94c75070, BUF1:0x94c75060

    BUF0[0]=0x94c75070 BUF1[0]=0x94a42860

    buffer0 pointer init OK!
    buffer1 pointer init OK!
    [qm_lnk_init] CLOCKHZ=1000 ...
    CLOCKHZ=1000
    time = 08/01/2003, 00:00:00
    TRAP(linkUp) : send ok!
    Interface 0 ip = 127.0.0.1

    MAC Address: 00:01:e3:50:98:dd
    Memory request 2072 left 297928 ptr 9443F074
    Call tn7sar_malloc_dma_xfer() addr:B443F074 size:2072
    MAC1 [RX=128 TX=1]: TI External PHY
    time = 08/01/2003, 00:00:00
    TRAP(linkUp) : send ok!
    Interface 1 ip = 192.168.1.100

    ruleCheck()> Group: 0, Error: Useless rule index will be truncated
    ruleCheck()> Group: 1, Error: Useless rule index will be truncated
    ruleCheck()> Group: 2, Error: Useless rule index will be truncated
    CBAC rule format check succeed !!
    reqCBACBuf()> init match pool, Have: 1000
    Memory Address: 0x950c31e8 ~ 0x950c9f64
    reqCBACBuf()> init timeGap pool, Have: 10000
    Memory Address: 0x950c9f64 ~ 0x950facb8
    reqCBACBuf()> init sameHost pool, Have: 2000
    Memory Address: 0x950facb8 ~ 0x9510a6d8
    CBAC rule pool initialized !!
    [initClsfy] clsfy_local_if_mask=0xf00007
    [initClsfy] clsfy_localorVPN_if_mask=0xf00007
    Init NAT data structure
    RUNTASK id=2 if_task if0...
    RUNTASK id=3 if_task if1...
    RUNTASK id=4 timer_task...
    RUNTASK id=5 conn_mgr...
    RUNTASK id=6 main_8021x...
    RUNTASK id=7 UsbSysInitTask ...
    RUNTASK id=8 period_task...

    ========== ADSL Modem initialization OK ! ======

    RUNTASK id=9 telnetd_main...
    Unzipping from B0040000 to 95EF0000 ... done
    Uncompressed size = 978080
    drive start addr[0]=95ef0000, [1]=95fdeca0
    [HTTPD] flash_init: failed!!
    httpd: listen at 192.168.1.100:80
    HTTPD TIMER_RESOURCE:5, FS_RESOURCE:6
    RUNTASK httpd...
    RUNTASK id=12 dnsproxy...
    RUNTASK id=13 snmp_task...
    RUNTASK id=14 rip...
    RUNTASK id=15 ripout...
    UPnP is enabled
    UPNP Device initialize success! slot=16
    Starting Multitask...
    ------------------------------------------------------
    You can now press:
    shift-0: to enable debug
    shift-9: to enable config
    shift-8:to start telnet console
    ENTER : show this help


    Looking at this boot log I'd say it is some kind of RTOS, but not a Linux kernel :-(


    If you press any key directly after switching on the sx541 you get into the bootmonitor console:

    ======================
    [U] Upload to Flash
    [E] Erase Flash
    [G] Run Runtime Code
    [A] Set MAC Address
    [#] Set Serial Number
    [V] Set Board Version
    [H] Set Options
    [P] Print Boot Params
    ======================

    [AR7300 Boot]:p


    MAC address : 00-01-E3-xx-xx-xx
    Serial number : A4xxxxxxxxx
    Hardware version: 01
    Options : 00-00-00-00-00-00

    [AR7300 Boot]:g

    Unzipping web at 0x94f30000 ... done
    Unzipping code at 0x94000000 ... done
    In C_Entry() function ...
    install_exception
    sys_irq_init() ...
    Set GPIO
    Reset USB and VP140 module ...
    ......
    -------------------------------

    Have Phun :-)

  2. elie says:

    hello,

    I'm not writing to you about the hacking of the SX541... but as you seem to know it well I would like to ask you about another problem.

    I have an SX541 and I receive internet via TV cable, so I MUST use their special modem and cannot connect to the SX541 at the ADSL entry. I then connect to the SX541 at the LAN1 entry. I've made some parameter changes proposed on this forum by guidog: http://www.ip-phone-forum.de/forum/viewtopic.php?t=25103

    In my case the IP address of the TV cable modem is 192.168.40.5 (I put this instead of the 192.168.0.1 they use)... I also configured the VoIP settings in the SX541. Well, for internet it's OK, but for VoIP it doesn't work: the VoIP LED blinks and if I try to use VoIP it tries to change to "normal line". Do you have any idea how to make it work? Thanks

  3. JockyW (jockyw2001) says:

    Funny to see the previous reply from Armin which is completely ripped from my reply in the IP phone forum:
    http://www.ip-phone-forum.de/showpost.php?p=338411&postcount=17

    Sad that no source is given and that Armin ends with "Have Phun".... Poor boy

    If you want more specific info about hacking the SX541 then read my thread:
    http://www.ip-phone-forum.de/showthread.php?t=72010

    It shows you how to read out the bootloader and how to run your own code on the SX541. It is possible to run Fritz!Box code on the SX541.

    /JockyW

  4. Edmond739 says:

    Please, I need some help.
    I have a Siemens Gigaset SX541 WLAN Annex A, Swiss model.
    I need bootloader version 0.69.6.
    Can someone help me?
    The router always stays on the Recovering Tools page and the ONLINE and WLAN LEDs keep flashing.
    Is there any bootloader compatible with Annex A?
    Is there a way to reconstruct the original bootloader 0.69.6?
    Thanks very much.

  5. t0m3k says:

    hi,
    If you log in as root instead of admin you get a much more simply laid out menu ;-)
    But I guess you already knew that :-D
    greetz T0m3k

  6. Corrector says:

    Please note that in the posting of "Armin" (which has been more or less copied from "jockyw2001"'s posting on ip-phone-forum.de) RX and TX are mixed up.

    It should say:
    3:TX : blue
    2:RX : white

  7. mac says:

    I don't know anything about the Siemens SX541,
    but by reading the above comments and all those things I'm attracted to it, and I think I should use a Siemens SX541 and try all those things. Thank you.

  8. Dierck says:

    It's unbelievable how easily you can usually help yourself after a little research into other users' experiences. Many thanks for sharing the info. Especially with Siemens devices you quite often have to resort to self-help.

