Hacking Flarion Desktop Modem
This modem is made by Qualcomm Flarion Technologies. It is either the FDM 2087 or the FDM 2210 model.
T-Mobile also provides a firmware upgrade here:
http://www.t-mobile.sk/c1/sluzby_tarify/sunflower/new5/pkg-cust-tmsk.exe
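When extracted (run it in Wine and look in the TEMP directory), the package yields a dtm.tgz file, which contains .dui files (unknown format), an ELF executable for the ARM architecture and a shell script, “install.sh”. The kern.dui file contains the interesting string “vmlinux.bin”.
The update process runs install.sh from the uploaded package, so placing a “telnetd” command in that file and running the firmware “update” starts a telnet server on the modem. You can then connect to the device (the session below shows no login prompt, and every process in the ps listing runs as root):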
$ telnet 172.30.30.128
Trying 172.30.30.128...
Connected to 172.30.30.128.
Escape character is '^]'.
BusyBox v1.00-rc3 (2005.06.29-14:39+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # dmesg
6, size 393216
SDRAM start 8d04f50 end 8d64f50
SYSMEM_ABM_Impl: file emacdmarx.c, line 119, size 48
SDRAM start 8d64f50 end 8d64f80
SYSMEM_ABM_Impl: file LnxTools.c, line 190, size 768
SDRAM start 8d64f80 end 8d65280
SRAM start f0802800 end f0803000
eth0 DmaRxChannel 8d036e8
EMAC Network Driver Cnxt 2004/06/07 00:30:cd:00:02:d4
emac_probe: eth1 is not supported by CX861xx Family BSP
emac_probe: eth1 is not supported by CX861xx Family BSP
emac_probe: eth2 is not supported by CX861xx Family BSP
emac_probe: eth3 is not supported by CX861xx Family BSP
emac_probe: eth4 is not supported by CX861xx Family BSP
emac_probe: eth5 is not supported by CX861xx Family BSP
emac_probe: eth6 is not supported by CX861xx Family BSP
emac_probe: eth7 is not supported by CX861xx Family BSP
CX861xx flash device: 400000 at 4000000 mapped to 900d000
cfi_intelext_setup: map = 0x08151AAC, cfi = 0x081C1CFC
0: offset=0x0,size=0x2000,blocks=8
1: offset=0x10000,size=0x10000,blocks=63
Using word write method
Creating 7 MTD partitions on "CX861xx flash device":
0x00000000-0x00020000 : "Bootloader"
0x00020000-0x00040000 : "TTLV Provisioning"
0x00040000-0x00110000 : "dui image containing compressed Linux Kernel"
0x00110000-0x001e0000 : "dui image containing tgz file for /apps"
0x001e0000-0x002b0000 : "Upgrade scratch area"
0x002b0000-0x00380000 : "dui image containing jffs2 image for /"
0x00380000-0x00400000 : "dui image containing tgz file for DSP images"
CX861xx flash device initialization completed
slram: devname = memmtd
slram: devstart = 0x8E00000
slram: devlength = 0x9000000
slram: devname=memmtd, devstart=0x8e00000, devlength=0x200000
slram: Registered device memmtd from 145408KiB to 147456KiB
slram: Mapped from 0x0940e000 to 0x0960e000
usb.c: registered new driver usbdevfs
usb.c: registered new driver hub
usb-ohci.c: USB OHCI at membase 0xf0606000, IRQ 17
usb.c: new USB bus registered, assigned bus number 1
usb.c: kmalloc IF 081fbc44, numif 1
usb.c: new device strings: Mfr=0, Product=2, SerialNumber=1
usb.c: USB device number 1 default language ID 0x0
Product: USB OHCI Root Hub
SerialNumber: f0606000
hub.c: USB hub found
hub.c: 1 port detected
hub.c: standalone hub
hub.c: ganged power switching
hub.c: no over-current protection
hub.c: Port indicators are not supported
hub.c: power on to power good time: 4ms
hub.c: hub controller current requirement: 0mA
hub.c: port removable status: R
hub.c: local power source is good
hub.c: no over-current condition exists
hub.c: enabling power on all ports
usb.c: hub driver claimed interface 081fbc44
usb.c: call_policy add, num 1 -- no FS yet
USB: CnxtUdcInit - init USB Controler
cnxt_usbd: sysGetUSBCfg
USB: UsbLoadSWDefaults
USB: ProfileInitDescriptorPtrs
cnxt_usbd: sysUSBHwInit
sysTimerDelay 1 start
sysTimerDelay 1 end
cnxt_usbd: taking USB out of reset
sysTimerDelay 3 start
sysTimerDelay 3 end
USB: USBUDCConfigure
USB: set EP2 IN
USB: set EP2 OUT
USB: set EP4 IN
SYSMEM_ABM_Impl: file dmasrv.c, line 813, size 80
SDRAM start 8d65280 end 8d652d0
SYSMEM_ABM_Impl: file dmabuff.c, line 129, size 24
SDRAM start 8d652d0 end 8d652e8
SYSMEM_ABM_Impl: file dmabuff.c, line 135, size 192
SDRAM start 8d652e8 end 8d653a8
SYSMEM_ABM_Impl: file dmabuff.c, line 146, size 512
SDRAM start 8d653b0 end 8d655b0
SYSMEM_ABM_Impl: file LnxTools.c, line 190, size 192
SDRAM start 8d655b0 end 8d65670
SRAM start f0803000 end f0803200
SYSMEM_ABM_Impl: file dmasrv.c, line 813, size 80
SDRAM start 8d65670 end 8d656c0
SYSMEM_ABM_Impl: file dmabuff.c, line 129, size 24
SDRAM start 8d656c0 end 8d656d8
SYSMEM_ABM_Impl: file dmabuff.c, line 135, size 96
SDRAM start 8d656d8 end 8d65738
SYSMEM_ABM_Impl: file dmabuff.c, line 146, size 256
SDRAM start 8d65740 end 8d65840
SYSMEM_ABM_Impl: file LnxTools.c, line 190, size 192
SDRAM start 8d65840 end 8d65900
SRAM start f0804000 end f0804100
USB: USBEth_restart_tx
SYSMEM_ABM_Impl: file dmasrv.c, line 813, size 80
SDRAM start 8d65900 end 8d65950
SYSMEM_ABM_Impl: file dmabuff.c, line 129, size 24
SDRAM start 8d65950 end 8d65968
SYSMEM_ABM_Impl: file dmabuff.c, line 135, size 192
SDRAM start 8d65968 end 8d65a28
SYSMEM_ABM_Impl: file dmabuff.c, line 146, size 512
SDRAM start 8d65a30 end 8d65c30
SYSMEM_ABM_Impl: file LnxTools.c, line 190, size 192
SDRAM start 8d65c30 end 8d65cf0
SRAM start f0805000 end f0805100
SYSMEM_ABM_Impl: file dmasrv.c, line 813, size 80
SDRAM start 8d65cf0 end 8d65d40
SYSMEM_ABM_Impl: file dmabuff.c, line 129, size 24
SDRAM start 8d65d40 end 8d65d58
SYSMEM_ABM_Impl: file dmabuff.c, line 135, size 192
SDRAM start 8d65d58 end 8d65e18
SYSMEM_ABM_Impl: file dmabuff.c, line 146, size 512
SDRAM start 8d65e20 end 8d66020
SYSMEM_ABM_Impl: file LnxTools.c, line 190, size 192
SDRAM start 8d66020 end 8d660e0
SRAM start f0805200 end f0805400
SYSMEM_ABM_Impl: file dmasrv.c, line 813, size 80
SDRAM start 8d660e0 end 8d66130
SYSMEM_ABM_Impl: file dmabuff.c, line 129, size 24
SDRAM start 8d66130 end 8d66148
SYSMEM_ABM_Impl: file dmabuff.c, line 135, size 3072
SDRAM start 8d66148 end 8d66d48
SYSMEM_ABM_Impl: file dmabuff.c, line 146, size 204800
SDRAM start 8d66d50 end 8d98d50
SYSMEM_ABM_Impl: file LnxTools.c, line 190, size 1536
SDRAM start 8d98d50 end 8d99350
SRAM start f0806000 end f0806800
SYSMEM_ABM_Impl: file dmasrv.c, line 813, size 80
SDRAM start 8d99350 end 8d993a0
SYSMEM_ABM_Impl: file dmabuff.c, line 129, size 24
SDRAM start 8d993a0 end 8d993b8
SYSMEM_ABM_Impl: file dmabuff.c, line 135, size 1536
SDRAM start 8d993b8 end 8d999b8
SYSMEM_ABM_Impl: file dmabuff.c, line 146, size 4096
SDRAM start 8d999c0 end 8d9a9c0
SYSMEM_ABM_Impl: file LnxTools.c, line 190, size 768
SDRAM start 8d9a9c0 end 8d9acc0
SRAM start f0806800 end f0807000
SYSMEM_ABM_Impl: file dmasrv.c, line 813, size 80
SDRAM start 8d9acc0 end 8d9ad10
SYSMEM_ABM_Impl: file dmabuff.c, line 129, size 24
SDRAM start 8d9ad10 end 8d9ad28
SYSMEM_ABM_Impl: file dmabuff.c, line 135, size 24
SDRAM start 8d9ad28 end 8d9ad40
SYSMEM_ABM_Impl: file dmabuff.c, line 146, size 64
SDRAM start 8d9ad40 end 8d9ad80
SYSMEM_ABM_Impl: file LnxTools.c, line 190, size 192
SDRAM start 8d9ad80 end 8d9ae40
SRAM start f0807000 end f0807100
SYSMEM_ABM_Impl: file dmasrv.c, line 813, size 80
SDRAM start 8d9ae40 end 8d9ae90
SYSMEM_ABM_Impl: file dmabuff.c, line 129, size 24
SDRAM start 8d9ae90 end 8d9aea8
SYSMEM_ABM_Impl: file dmabuff.c, line 135, size 96
SDRAM start 8d9aea8 end 8d9af08
SYSMEM_ABM_Impl: file dmabuff.c, line 146, size 256
SDRAM start 8d9af10 end 8d9b010
SYSMEM_ABM_Impl: file LnxTools.c, line 190, size 192
SDRAM start 8d9b010 end 8d9b0d0
SRAM start f0807200 end f0807400
SYSMEM_ABM_Impl: file dmasrv.c, line 813, size 80
SDRAM start 8d9b0d0 end 8d9b120
ReleaseMem SDRAM <7>8d9b0d0
USB: USBEth_restart_tx
USB: USBEth_restart_tx
USB: USBEth_restart_tx
USB: USBEth_restart_tx
USB: USBEth_restart_tx
USB: USB device has been properly initilized (&x)
USBEth Network Driver Cnxt 2004/05/10
USBEth_probe: usb0 found.
USB: USBEth_probe, hw_num 0
USB: USBEth_init_rx
Rx DMA Ring 8cb0000
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 512 bind 1024)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
NetWinder Floating Point Emulator V0.95 (c) 1998-1999 Rebel.com
cramfs: wrong magic
VFS: Mounted root (jffs2 filesystem).
Mounted devfs on /dev
Freeing init memory: 52K
usb0 : CNXT set mac address
00 07 35 a2 f6 64.
eth0: (CX861xx EMAC) started!
USBEth_open
usb0: (CX861xx USB) started!
ip_tables: (C) 2000-2002 Netfilter core team
PAD DNS Filter module initializing
ip_conntrack (112 buckets, 896 max)
/ # ps axu
PID  Uid   VmSize Stat Command
1 root     272 S  init
2 root       SW  [keventd]
3 root       SWN [ksoftirqd_CPU0]
4 root       SW  [kswapd]
5 root       SW  [bdflush]
6 root       SW  [kupdated]
7 root       SW  [EMAC1_Task]
8 root       SW  [mtdblockd]
9 root       SW  [khubd]
10 root       SW  [swapper]
12 root       SWN [jffs2_gcd_mtd7]
70 root     272 S  init
71 root     324 S  /bin/sh /etc/init.d/rc 2
86 root       Z  [syslogd]
92 root     276 S  syslogd -m 0 -O /dev/null
148 root     316 S  /sbin/pad_dhcp_proxy eth0 usb0 172.30.30.128 eth1 172.30.30.129 172.30.30.1 255.255.255.0 10
154 root     72 S  /sbin/oam
155 root     144 S  /sbin/watchdog
156 root     236 S  /sbin/dtm_ota_upgrade
157 root     72 S  /sbin/oam
165 root     152 S  /sbin/pad_dns_proxy pad.flarion.local 172.30.30.128
170 root     308 S  /bin/sh /bin/watch_proc.sh
176 root     188 S  webs
182 root     336 S  /bin/sh
1167 root       Z  [tar]
1183 root       Z  [telnetd]
1194 root     248 S  telnetd
1219 root     344 S  /bin/sh
1243 root     192 S  sleep 20
1244 root     256 R  ps axu
/ # uname -a
Linux flarion_pad 2.4.18-rmk8 #303 Sun Jul 8 20:14:30 EDT 2007 armv5EJl unknown
/ # cat /proc/cpuinfo
Processor    : ARM ARM926EJ-Sid(wb) rev 3 (v5EJl)
BogoMIPS     : 99.73
Features     : swp half thumb fastmult
Hardware     : Flarion Lightning Desktop Modem
Revision     : 0000
Serial      : 0000000000000000
/ # free
total     used     free    shared    buffers
Mem:        12620     7540     5080        0       16
Swap:           0        0        0
Total:      12620     7540     5080
/ # df -h
Filesystem         Size    Used Available Use% Mounted on
/dev/mtdblock/7      2.0M    1.1M   956.0k  53% /
/ # cat /proc/mounts
/dev/mtdblock/7 / jffs2 rw 0 0
none /dev devfs rw 0 0
none /apps ramfs rw 0 0
/proc /proc proc rw 0 0
By analyzing the data flow during a firmware upload (using Wireshark), a C implementation of the uploader, called flarion_upload, was created. It allows upgrading the firmware from Linux: upload the dtm_2.6.11.tgz file (extracted from the official Windows upgrade package) to the modem with “flarion_upload dtm_2.6.11.tgz” and wait until it updates and reboots itself. It was tested on Linux only. You can also use it to upload flarion_telnet.tgz so that you can connect using telnet.
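Because the modem runs whatever install.sh the uploaded archive carries, it is worth comparing a candidate dtm.tgz against a known-good copy before flashing it. The following check is an added example, not the author's flarion_upload code or anything from the vendor package; the two sample archives are constructed in memory, and only the member names install.sh and kern.dui come from the page.

```python
import difflib
import io
import tarfile

def make_tgz(files):
    """Build a .tgz in memory from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def read_members(tgz_bytes):
    """Return {name: bytes} for regular files, read in memory (nothing is unpacked to disk)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = tar.extractfile(member).read()
    return out

def compare_packages(reference, candidate):
    """Report members added, removed or changed, and the lines added to changed .sh files."""
    ref, cand = read_members(reference), read_members(candidate)
    report = {"added": sorted(set(cand) - set(ref)),
              "removed": sorted(set(ref) - set(cand)),
              "changed": [], "script_lines_added": {}}
    for name in sorted(set(ref) & set(cand)):
        if ref[name] == cand[name]:
            continue
        report["changed"].append(name)
        if name.endswith(".sh"):
            old = ref[name].decode("utf-8", "replace").splitlines()
            new = cand[name].decode("utf-8", "replace").splitlines()
            report["script_lines_added"][name] = [
                line[2:] for line in difflib.ndiff(old, new) if line.startswith("+ ")]
    return report

# Constructed samples: file contents are invented, not taken from the real firmware.
VENDOR = make_tgz({"install.sh": b"#!/bin/sh\necho upgrading\n",
                   "kern.dui": b"\x00" * 64})
MODIFIED = make_tgz({"install.sh": b"#!/bin/sh\ntelnetd\necho upgrading\n",
                     "kern.dui": b"\x00" * 64})

if __name__ == "__main__":
    print(compare_packages(VENDOR, MODIFIED))
```

Any entry under script_lines_added is a command the modem would execute during the update, so it should be reviewed before the archive is uploaded.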
Flarion inside:
- Conexant CX86111 CPU
- Micron MT48LC8M16A2 SDRAM (16MB)
- Intel JS28F320 Flash ROM (4MB)
