I was able to obtain a NBN FTTP NTD from a building that burnt down to take a look at the internal workings of the device.
Part Number (P/N): 3FE56159AAA
This device takes in a single-mode Fibre optic which connects to the NBN PON network, it has 4x UNI-D (Gigiabit) Ethernet ports and 2x UNI-V POTS Telephone ports.
The unit has one single main board inside.
The main processor (SOC) is a Broadcom BCM683801FSBG (Photo)
Onboard RAM is a Winbond W631GG6KB-15 (Photo)
- SDRAM - DDR3 Memory IC 1Gbit (128Mb) Parallel 667 MHz 20 ns 96-WBGA (9x13)
Main Memory is a Micron MT29F1G08ABAEAWP (Photo)
- TSOP-48 1Gbit (128Mb) parallel NAND flash
GPON Laser (Photo)
- Unsure of the laser. IC Markings is a MINDSPEED 0209G13
There is a UART connector on the side of the board on a 5 pin header. It has a baud rate of 115200
Booting the unit with only Power, the serial output gives the following output
I haven't tried to power it up with Optical connected as of yet
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.10.01 10:57:17 =~=~=~=~=~=~=~=~=~=~=~=
CFEROM --> CFERAM0 --> HERE
************************************************************
* *
* Bootloader For Bcm9638x *
* *
************************************************************
Version : V9.09.19
Buile Date : Sep 26 2014-14:28:04
CPU : Soc(68380_B0) MIPS32(600Mhz) DDR(333Mhz) Bus(240Mhz) RDP(800Mhz)
DRAM : 128 MB
NAND : 128 MB 4Bits Ecc
DEVxID : 0x00980101
Usrinfo : 0x00980101
Hit password to stop autoboot @ 3 2 1 0
### CRAMFS loading 'vmlinux.lz' from imageb to 0x82800000
### CRAMFS load complete: 1143748 bytes loaded to 0x82800000
Decompression OK!
Entry at 0x8026ea90
Closing network.
Starting program at 0x8026ea90
Linux version 3.4.11-rt19+ (junjie@GPONBUSW1) (gcc version 4.6.2 (Buildroot 2011.11) ) #1 SMP PREEMPT Mon May 25 17:59:08 CST 2015
968380FSV_G prom init
CPU revision is: 0002a080 (Broadcom BMIPS4350)
Determined physical RAM map:
memory: 01400000 @ 06c00000 (reserved)
memory: 00400000 @ 06800000 (reserved)
memory: 06800000 @ 00000000 (usable)
Zone PFN ranges:
DMA 0x00000000 -> 0x00001000
Normal 0x00001000 -> 0x00006800
Movable zone start PFN for each node
Early memory PFN ranges
0: 0x00000000 -> 0x00006800
On node 0 totalpages: 26624
free_area_init_node: node 0, pgdat 8031f940, node_mem_map 81000000
DMA zone: 32 pages used for memmap
DMA zone: 0 pages reserved
DMA zone: 4064 pages, LIFO batch:0
Normal zone: 176 pages used for memmap
Normal zone: 22352 pages, LIFO batch:3
PERCPU: Embedded 7 pages/cpu @810d3000 s5088 r8192 d15392 u32768
pcpu-alloc: s5088 r8192 d15392 u32768 alloc=8*4096
pcpu-alloc: [0] 0 [0] 1
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 26416
Kernel command line: ro noinitrd irqaffinity=0
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
Memory: 101864k/106496k available (2460k kernel code, 4632k reserved, 676k data, 176k init, 0k highmem)
Preemptible hierarchical RCU implementation.
NR_IRQS:256
console [ttyS0] enabled
Allocating memory for DSP module core and initialization code
Allocated DSP module memory - CORE=0x0 SIZE=0, INIT=0x0 SIZE=0
Calibrating delay loop... 598.01 BogoMIPS (lpj=299008)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
--Kernel Config--
SMP=1
PREEMPT=1
DEBUG_SPINLOCK=0
DEBUG_MUTEXES=0
Broadcom Logger v0.1 May 25 2015 17:54:22
CPU revision is: 0002a080 (Broadcom BMIPS4350)
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
Brought up 2 CPUs
NET: Registered protocol family 16
PMC Driver Init... done.
bio: create slab <bio-0> at 0
bcmhs_spi bcmhs_spi.1: master is unqueued, this is deprecated
skbFreeTask created successfully
[0;34mBLOG v3.0 Initialized[0m
BLOG Rule v1.0 Initialized
Broadcom IQoS v0.1 May 25 2015 17:57:46 initialized
Switching to clocksource MIPS
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP: reno registered
UDP hash table entries: 128 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 128 (order: 0, 4096 bytes)
NET: Registered protocol family 1
init_bcm_tstamp: unhandled mips_hpt_freq=300000000, adjust constants in bcm_tstamp.c
bcm_tstamp initialized, (hpt_freq=300000000 2us_div=300 2ns_mult=0 2ns_shift=0)
jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
msgmni has been set to 198
io scheduler noop registered (default)
Broadcom NAND controller (BrcmNand Controller)
mtd->oobsize=0, mtd->eccOobSize=0
NAND_CS_NAND_XOR=00000000
B4: NandSelect=40000001, nandConfig=15142200, chipSelect=0
brcmnand_read_id: CS0: dev_id=2cf18095
After: NandSelect=40000001, nandConfig=15142200
Block size=00020000, erase shift=17
NAND Config: Reg=15142200, chipSize=128 MB, blockSize=128K, erase_shift=11
busWidth=1, pageSize=2048B, page_shift=11, page_mask=000007ff
timing1 not adjusted: 6574845b
timing2 not adjusted: 00001e96
BrcmNAND mfg 2c f1 MICRON MT29F1G08ABA 128MB on CS0
Found NAND on CS0: ACC=f7441010, cfg=15142200, flashId=2cf18095, tim1=6574845b, tim2=00001e96
BrcmNAND version = 0x80000500 128MB @00000000
brcmnand_scan: B4 nand_select = 40000001
brcmnand_scan: After nand_select = 40000001
handle_acc_control: default CORR ERR threshold 1 bits
ACC: 16 OOB bytes per 512B ECC step; from ID probe: 16
page_shift=11, bbt_erase_shift=17, chip_shift=27, phys_erase_shift=17
Brcm NAND controller version = 5.0 NAND flash size 128MB @18000000
ECC layout=brcmnand_oob_bch4_2k
brcmnand_scan: mtd->oobsize=64
brcmnand_scan: oobavail=35, eccsize=512, writesize=2048
brcmnand_scan, eccsize=512, writesize=2048, eccsteps=4, ecclevel=4, eccbytes=7
-->brcmnand_default_bbt
brcmnand_default_bbt: bbt_td = bbt_slc_bch4_main_descr
Bad block table Bbt0 found at page 0000ffc0, version 0x01 for chip on CS0
Bad block table 1tbB found at page 0000ff80, version 0x01 for chip on CS0
brcmnand_reset_corr_threshold: default CORR ERR threshold 1 bits for CS0
brcmnand_reset_corr_threshold: CORR ERR threshold changed to 3 bits for CS0
brcmnandCET: Status -> Deferred
Creating 11 MTD partitions on "brcmnand.0":
0x000000000000-0x000000100000 : "boota"
0x000000100000-0x000000200000 : "bootb"
0x000000200000-0x000000400000 : "configa"
0x000000400000-0x000000600000 : "configb"
0x000000600000-0x000002200000 : "imagea"
0x000002200000-0x000003000000 : "imagec0"
0x000003000000-0x000004c00000 : "imageb"
0x000004c00000-0x000005a00000 : "imagec1"
0x000005a00000-0x000005b00000 : "misca"
0x000005b00000-0x000005c00000 : "miscb"
0x000005c00000-0x000008000000 : "reserved"
i2c /dev entries driver
brcmboard: brcm_board_init entry
#### g_product_id=0x00980101 g_flag_5srst=0x00000000####
Alloc watchdog timer 2
Serial: BCM63XX driver $Revision: 3.00 $
[0;33mMagic SysRq with Auxilliary trigger char enabled (type ^ h for list of supported commands)[0m
ttyS0 at MMIO 0xb4e00500 (irq = 9) is a BCM63XX
ttyS1 at MMIO 0xb4e00520 (irq = 10) is a BCM63XX
TCP: cubic registered
NET: Registered protocol family 17
Initializing MCPD Module
Ebtables v2.0 registered
ebt_time registered
ebt_ftos registered
8021q: 802.1Q VLAN Support v1.8
VFS: Mounted root (cramfs filesystem) readonly on device 31:6.
Freeing unused kernel memory: 176k freed
init started: BusyBox v1.9.2 (2014-01-06 10:43:27 CST)
tar: chdir(/dev/shm): No such file or directory
grep: /etc/network/options: No such file or directory
grep: /etc/network/options: No such file or directory
grep: /etc/network/options: No such file or directory
jffs2: Empty flash at 0x00086040 ends at 0x00086800
#mount /dev/mtdblock2 --> /mnt/rwdir ok
# num is 10,nothing need to do
cp: cannot stat '/etc/resolv.conf.rwdir': No such file or directory
cat: can't open '/dev/rgs_logger': No such file or directory
ifconfig: SIOCGIFFLAGS: No such device
# Created object <system>
RDPA lan init
# Created object <port/index=lan0>
# Created object <port/index=lan1>
# Created object <port/index=lan2>
# Created object <port/index=lan3>
# Created object <egress_tm/dir=ds,index=0>
# Created object <egress_tm/dir=ds,index=1>
# Created object <egress_tm/dir=ds,index=2>
# Created object <egress_tm/dir=ds,index=3>
# Created object <bridge/index=0>
RDPA lan init end
rdpa filter init start!!
# Created object <filter>
rdpa filter init end
Writing to memory done
Writing to memory done
ONT>SSP: Set rlimit: S = 0x100000, H = 0x7fffffff
TMR: Set rlimit: S = 0x100000, H = 0x7fffffff
Starting Application: 0x00002000, /bin/TimerMgr................Done. elapsed time:(146)ms
LOG: Set rlimit: S = 0x100000, H = 0x7fffffff
Starting Application: 0x00001000, /bin/LogMgr................Done. elapsed time:(93)ms
Update timer: curTime=00002a95, gTmrTimerMsCounter=00000000
MMR: Set rlimit: S = 0x100000, H = 0x7fffffff
actImage[1], PartId[6], custom[UUAL] sys_cfg[/etc/sys.cfg.alu]
cp: cannot stat '/etc/sys.cfg.alu': No such file or directory
Set OK
Set OK
Starting Application: 0x00007000, /bin/MiscMgr................Done. elapsed time:(967)ms
Mount Backup[/dev/mtdblock4] as cramfs...Success.
major ID[0x98] minor ID[0x1]
PMR: Set rlimit: S = 0x100000, H = 0x7fffffff
Starting Application: 0x00004000, /bin/PonMgr................Done. elapsed time:(250)ms
NET: Set rlimit: S = 0x100000, H = 0x7fffffff
sh: can't open /sbin/ath_wifi.sh
VOS_RegisterEventListener:2718, Init event socket 5
vos_OnKernelEvent:2639, Start receving event on socket 5
Starting Application: 0x00009000, /bin/NetMgr................Done. elapsed time:(295)ms
VMR: Set rlimit: S = 0x100000, H = 0x7fffffff
----VoipLoadVersionInfoInit...
Starting Application: 0x00006000, /bin/VmrMgr................Done. elapsed time:(3463)ms
EMR: Set rlimit: S = 0x100000, H = 0x7fffffff
--->Start Register MIB stub...
Starting Application: 0x00005000, /bin/EthMgr................Done. elapsed time:(453)ms
Starting tr069_0.
TR069_0: Set rlimit: S = 0x100000, H = 0x7fffffff
cd /tmp/cpe3_0
TR069_main 295
Starting Application: 0x0000d000, /bin/tr069Mgr................Done. elapsed time:(2664)ms
Starting tr069_1.
TR069_1: Set rlimit: S = 0x100000, H = 0x7fffffff
cd /tmp/cpe3_1
TR069_main 295
Starting Application: 0x0000f000, /bin/tr069Mgr................
7dd905a5 7dd905a5 7dd905a5
Done. elapsed time:(1443)ms
MEC: Set rlimit: S = 0x100000, H = 0x7fffffff
Starting Application: 0x00003000, /bin/MecMgr................Done. elapsed time:(1625)ms
1944ccf:Exit SSP -->ssp, msg 0x50000,elapsed time:15844 ms
226a31a:Exit MEC -->net, msg 0xc0002,elapsed time:764 ms
2300fc1:Exit MEC -->emr, msg 0xc0002,elapsed time:614 ms
Create do_spin = TRUE;()....init SIP.
BOS: Enter bosInit
bosTimerInit
Enter bosAppInit Exit bosAppInit BOS: Exit bosInit
bcm interface for pil, CIG country = 36, BCM country = 0...
vrgEndptDriverOpen: Endpoint driver open success
Endpoint Event task started with pid 659...
Endpoint Packet task started with pid 660 ...
****bcm init success just go...
InitRTPCb: RTPhandler 0 ...
InitRTPCb: RTPhandler 1 ...
InitRTPCb: RTPhandler 2 ...
InitRTPCb: RTPhandler 3 ...
RTP read thread started with pid 661
RTCP thread started with pid 662
Create RTCP task id = 5126 ...
rtpInit: RTCP task created, taskId = 5126...
27baca3:Exit MEC -->vmr, msg 0xc0002,elapsed time:4950 ms
Powered down
Powered down
Powered down
Powered down
29304d2:Exit MEC -->emr, msg 0xc0004,elapsed time:1271 ms
i/f name: brdg
gem ids:
INFO: ALL APPs are ready.
2948cab:Exit TR069_1 -->mec, msg 0xc0000,elapsed time:8389 ms
start config net connection for WAN[0]
start config net connection for WAN[1]
Putting attention towards the main memory chip now, I did a chip off read using a RT809h programmer/reader.
/mt29f1g08abaeawp@tsop48_flash.bin
md5: 5d1fbf9ead5cc92b9f7f6cacbfcc39fe
/mt29f1g08abaeawp@tsop48_otp.bin
md5: 3d0bd451cbc4e288f18955d37a508c59
Using binwalk on the file gives
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
5652 0x1614 Copyright string: "Copyright 2013, Cambridge Industry Group(CIG), All Rights Reserved."
135196 0x2101C CFE boot loader
592560 0x90AB0 CRC32 polynomial table, big endian
1086996 0x109614 Copyright string: "Copyright 2013, Cambridge Industry Group(CIG), All Rights Reserved."
1216540 0x12901C CFE boot loader
1673904 0x198AB0 CRC32 polynomial table, big endian
2946300 0x2CF4FC Zlib compressed data, compressed
2946920 0x2CF768 JFFS2 filesystem, big endian
6488064 0x630000 CramFS filesystem, big endian, size 11452416, version 2, sorted_dirs, CRC 0x9F210E4B, edition 0, 6692 blocks, 577 files
18296341 0x1172E15 Zlib compressed data, best compression
36765696 0x2310000 CramFS filesystem, big endian, size 11472896, version 2, sorted_dirs, CRC 0x6B12CC69, edition 0, 6696 blocks, 489 files
51904512 0x3180000 CramFS filesystem, big endian, size 11472896, version 2, sorted_dirs, CRC 0x6B12CC69, edition 0, 6696 blocks, 489 files
I did try to extract the filesystems and read but no luck for me.