Motorola NVG510
Availability: AT&T UVerse, possibly others
FCC approval date: 22 April 2011
Country of manuf.: Thailand
Type: wireless router, dsl modem, analog phone gateway
FCC ID: GZ5NVG510
IC ID: 2525B-NVG510
Power: 12 VDC, 2 A
Connector type: barrel
CPU1: Broadcom BCM6362 (210 MHz)
FLA1: 16 MiB (Winbond W25Q128BVFG)
RAM1: 64 MiB (Winbond W9751G6JB-25)
Expansion IFs: none specified
Serial: yes, (57600,8,N,1)
WI1 chip1: Broadcom BCM6362
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: none
ETH chip1: Broadcom BCM6362
Switch: Broadcom BCM6362
LAN speed: 100M
LAN ports: 4
Stock FW OS: Linux 2.6.30.10
Flags: ADSL2+, boot log
Default SSID: ATTXXX (2 addl. devices)
Default IP address: 192.168.1.254
The IP 192.168.1.254 is used by 158 additional devices, of which 1 is a Motorola device.
802dot11 OUI: 20:E5:64, E4:83:99 (1 E, 1 W), 7C:BF:B1
Ethernet OUI: 20:E5:64, E4:83:99 (1 E, 1 W), 7C:BF:B1
For a list of all currently documented Broadcom chipsets with specifications, see Broadcom.
Use
Sold by AT&T for use with UVerse, in areas where UVerse TV is not available. This device supports internet and VoIP use, but not TV.
Specs
- ADSL2+ modem/wap/router
- Uses BCM6362 SoC - CFE describes it as BCM6362, and the output also mentions DECT. (Some chips described as 6362 are actually BCM6361s; that is unlikely in this case because the 6361 lacks DECT.)
- CPU is capable of 400MHz but is clocked at 210MHz
- 16M flash, 64M RAM
- Linux 2.6.30.10
Images
These two images are sized and aligned for use with [dePCB] ([latest source]), a board reversing tool. The bottom image needs to be flipped, but is not.
Code
Reconfigure without screwdriver or soldering iron
Enabling Telnet
There is a remote vulnerability that allows telnet to be enabled. Once telnet is enabled, it is trivial to reach the root shell with just two commands at the telnet prompt.
Grabbing Files
NOTE: /media is a ramdisk, and the system has limited memory! Do not grab files in /dev unless you know exactly what they are - some are infinite in length!
Get busybox
cd /media
wget http://busybox.net/downloads/binaries/1.19.0/busybox-mips
chmod +x busybox-mips
Set up symlinks
ln -s busybox-mips tar
ln -s busybox-mips nc
ln -s busybox-mips lsusb
ln -s busybox-mips lspci
ln -s busybox-mips lsmod
ln -s busybox-mips uname
ln -s busybox-mips dmesg
ln -s busybox-mips less
Grab an mtd image
- on nvg510: cat /dev/mtdblock0|./nc -l -p 555
- Then, on the pc: nc 192.168.1.254 555 >mtdblock0
Grab the filesystem, except for /dev and /proc
- on nvg510: ./tar cf - /bin /boot /etc /lib /sbin /tftpboot /tmp /usr /var /www |./nc -l -p 555
- Then, on the pc: nc 192.168.1.254 555 >root.tar
Alternatively, there is also a tftp client on the modem. This can be used to transfer files on and off of the modem, if you set up a tftp server on your local network.
MTD Layout
/*
 * MTD Partitioning scheme for Motopia systems:
 *
 * +---------------------+
 * |        Boot         |
 * +---------+-----------+
 * |  Image  |  Kernel   |
 * |         +-----------+
 * |         |  Rootfs   |
 * +---------+-----------+
 * |       Motopia       | <- motopia_mtd
 * +---------------------+
 */

# cd /dev
# wc -c mtdblock*
   131072 mtdblock0
   953344 mtdblock1
  8409088 mtdblock2
 16384000 mtdblock3
   262144 mtdblock4
 26139648 total
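An added example (not part of the original page) that cross-checks the partition offsets printed in the serial boot log further down against the `wc -c` sizes above, and cuts a partition out of an Image (mtdblock3) dump at its exact byte range. It assumes mtdblock devices expose whole 512-byte sectors, which is consistent with the mtdblock1 dump being shorter than the Kernel partition; the function names are illustrative.

```python
import re

# Partition lines copied from the serial boot log on this page.
BOOT_LOG = '''
0x000000000000-0x000000020000 : "Boot"
0x000000020118-0x000000108d65 : "Kernel"
0x000000108d65-0x00000090dd65 : "Rootfs"
0x000000020000-0x000000fc0000 : "Image"
0x000000fc0000-0x000001000000 : "Motopia"
'''
# `wc -c mtdblock*` output from this page, mtdblock0..mtdblock4.
WC_SIZES = [131072, 953344, 8409088, 16384000, 262144]
SECTOR = 512  # assumption: mtdblock devices expose whole 512-byte sectors

PART_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "(\w+)"')


def parse_partitions(log):
    """Return {name: (start, end)} in the order the kernel listed them."""
    return {m[3]: (int(m[1], 16), int(m[2], 16)) for m in PART_RE.finditer(log)}


def lost_bytes(parts, sizes):
    """Bytes of each partition that are missing from its mtdblock dump."""
    lost = {}
    for (name, (start, end)), size in zip(parts.items(), sizes):
        raw = end - start
        # Anything other than "rounded down to a sector" means a short transfer.
        if size != raw // SECTOR * SECTOR:
            raise ValueError(f"{name}: dump is {size} bytes, log says {raw}")
        lost[name] = raw - size
    return lost


def carve_from_image(image, parts, name):
    """Cut `name` out of an "Image" dump (mtdblock3) at its exact byte range."""
    base, image_end = parts["Image"]
    start, end = parts[name]
    if not (base <= start and end <= image_end and end - base <= len(image)):
        raise ValueError(f"{name} is not fully inside the Image dump")
    return image[start - base:end - base]


if __name__ == "__main__":
    parts = parse_partitions(BOOT_LOG)
    print(lost_bytes(parts, WC_SIZES))  # Kernel is the only unaligned partition
    print(f"Kernel starts {parts['Kernel'][0] - parts['Image'][0]:#x} into Image")
```

Kernel and Rootfs both lie inside Image, so a complete mtdblock3 dump already contains them, including the tail of the Kernel partition that the mtdblock1 dump leaves out.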
PCI and USB bus
./lsusb -vv
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub

./lspci -vv
00:00.0 Class 0280: 14e4:435f (this class code is for "network device: other")
00:09.0 Class 0c03: 14e4:6300
00:0a.0 Class 0c03: 14e4:6300
Pinouts
- J10 is a 3.3V serial port - 57600 8N1
Pin    | 1   | 2    | 3  | 4
Signal | GND | 3.3V | Rx | Tx
- J11 is a 14-pin unpopulated connector that probably includes JTAG. Based upon /www/residential/cgi-bin/usb_disk.ha, this probably also contains USB signals.
Serial output from boot sequence
- No phone line attached
- Some possibly-identifying values have been replaced
- Light starts blinking red when DoDyingGaspCommand is printed
HELO
CPUI
L1CI
HELO
CPUI
L1CI
DRAM
ZQDN
PHYE
DINT
LASY
USYN
MSYN
LMBE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
CFE version 3.0.0 for BCM6362 (32bit,SP,BE,MIPS)
Copyright (C) 2000,2001,2002,2003,2004,2005 Broadcom Corporation.
Initializing Arena.
Initializing Devices.
HS Serial flash device: name ID_W25X128, id 0xef17 size 16384KB
Total Flash size: 16384K with 256 sectors
Partition information:
#00 00000000 -> 0001FFFF (131072)
#01 00020000 -> 00FFFFFF (16646144)
CPU type 0x2A070: 210MHz
CPU running TP1
Total memory: 0x4000000 bytes (64MB)
Total memory used by CFE: 0x82D00000 - 0x82F3B480 (2339968)
Initialized Data: 0x82D2C670 - 0x82D2E128 (6840)
BSS Area: 0x82D2E140 - 0x82D39480 (45888)
Local Heap: 0x82D39480 - 0x82F39480 (2097152)
Stack Area: 0x82F39480 - 0x82F3B480 (8192)
Text (code) segment: 0x82D00000 - 0x00027D20 (2100460832)
Boot area (physical): 0x83000000 - 0x84000000
Relocation Factor: I:00000000 - D:00000000
Reading the image .....
Loading POST ....
Running POST.....
POST version 1.0.1
Total POST tests: 3
Test: Memory........Pass
Test: MII........Pass
Test: Slic........Pass
Updating the POST results......Done
Completed POST.....
Linux version 2.6.30.10-motopia (fwbuild@ninex) (gcc version 4.2.3) #1 Thu Sep 22 17:25:01 EDT 2011
Broadcom BCM63xx prom init
Boot loader is : CFE
console [early0] enabled
CPU revision is: 0002a070 (Broadcom BCM6362)
Determined physical RAM map:
memory: 03f00000 @ 00000000 (usable)
Zone PFN ranges:
DMA 0x00000000 -> 0x00001000
Normal 0x00001000 -> 0x00003f00
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
0: 0x00000000 -> 0x00003f00
Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16002
Kernel command line: root=/dev/mtdblock2 console=ttyMTD5 console=ttyS0
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
NR_IRQS:128
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Allocating memory for DSP module core and initialization code
Allocated DSP module memory - CORE=0x8108c740 SIZE=1690032, INIT=0x812290f0 SIZE=44
Memory: 59020k/64512k available (2582k kernel code, 5472k reserved, 387k data, 128k init, 0k highmem)
Calibrating delay loop... 399.36 BogoMIPS (lpj=199680)
Mount-cache hash table entries: 512
net_namespace: 980 bytes
NET: Registered protocol family 16
registering PCI controller with io_map_base unset
Skipping PCI bus scan due to resource conflict
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pci 0000:00:00.0: PME# supported from D0 D3hot D3cold
pci 0000:00:00.0: PME# disabled
BLOG v3.0 Initialized
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
squashfs: version 3.4 (2008/08/26) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
msgmni has been set to 115
io scheduler noop registered
io scheduler cfq registered (default)
Serial: Motopia BCM63XX driver $Revision: 1.4 $
ttyS0 at MMIO 0xb0000100 (irq = 11) is a BCM63XX
ttyS1 at MMIO 0xb0000120 (irq = 12) is a BCM63XX
Driver 'sd' needs updating - please use bus_type methods
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Parallel flash not supported on this CPU
Detected SPI Flash
Probing for SPI flash
5 motopiapart partitions found on MTD device bcm_HSSpiDev0
Creating 5 MTD partitions on "bcm_HSSpiDev0":
0x000000000000-0x000000020000 : "Boot"
0x000000020118-0x000000108d65 : "Kernel"
0x000000108d65-0x00000090dd65 : "Rootfs"
0x000000020000-0x000000fc0000 : "Image"
0x000000fc0000-0x000001000000 : "Motopia"
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
PCI: Enabling device 0000:00:0a.0 (0000 -> 0002)
ehci_hcd 0000:00:0a.0: EHCI Host Controller
ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:0a.0: Enabling legacy PCI PM
ehci_hcd 0000:00:0a.0: irq 18, io mem 0x10002500
ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
PCI: Enabling device 0000:00:09.0 (0000 -> 0002)
ohci_hcd 0000:00:09.0: OHCI Host Controller
ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2
ohci_hcd 0000:00:09.0: irq 17, io mem 0x10002600
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
GACT probability NOT on
u32 classifier
Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1008 buckets, 4032 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
Bridge firewalling registered
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 128k freed
Initiating system startup...
Algorithmics/MIPS FPU Emulator v1.5
mount: mounting procfs on /proc failed: Device or resource busy
Starting UDEV...
cannot open /dev/null
Complete!
motopia: module license 'Motorola Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
Motopia driver loading
console [MotCrashDump-1] enabled
crashdump_init done, registered console driver successfully
Motopia event ready
Reset button ready
Push button ready
LEDs ready: Power Dsl Internet SimpleConfig LAN WIFI VOIP1 VOIP2
pfs: Continuing in background
sdb: detaching to run in the background.
Hit the enter key to continue...arp_tables: (C) 2002 David S. Miller
ip6_tables: (C) 2000-2006 Netfilter Core Team
Broadcom BCM6362B0 Ethernet Network Device v0.1 Sep 22 2011 17:20:37
eth0: MAC Address: 00:00:00:00:00:00
eth1: MAC Address: 00:00:00:00:00:00
eth2: MAC Address: 00:00:00:00:00:00
eth3: MAC Address: 00:00:00:00:00:00
ethsw_init_config
ethsw_init_config: multiple queues and SP scheduling enabled
wl: passivemode=0
wl: napimode=1
wl: allocskbmode=1
wl:srom strapped
wl:(srom strapped) probe/present=0
wl: Read SROM/WLCAL from mfg info, sig:0x5372, rev 8, clk_offset 0 - SUCCESS
wl[435f]:Core revision: 16,D11CONF: 65c51800
wl0: MAC Address: 40:b7:f3:21:12:90
wl0: Beacon padding set to 512
NET: Registered protocol family 8
NET: Registered protocol family 20
PPP generic driver version 2.4.2
bcmxtmrt: Broadcom BCM6362B0 ATM/PTM Network Device v0.3 Sep 22 2011 17:18:59
bcmxtmcfg: bcmxtmcfg_init entry
adsl: adsl_init entry
DSP Driver: DSP init stub
Endpoint: endpoint_init entry
Endpoint: endpoint_init COMPLETED
ADDRCONF(NETDEV_UP): eth0: link is not ready
ADDRCONF(NETDEV_UP): eth1: link is not ready
ADDRCONF(NETDEV_UP): eth2: link is not ready
ADDRCONF(NETDEV_UP): eth3: link is not ready
NET: Registered protocol family 24
ADDRCONF(NETDEV_UP): eth0: link is not ready
ADDRCONF(NETDEV_UP): eth1: link is not ready
ADDRCONF(NETDEV_UP): eth2: link is not ready
ADDRCONF(NETDEV_UP): eth3: link is not ready
BcmAdsl_Initialize=0xC0B01B70, g_pFnNotifyCallback=0xC0BAB8F4
*** demodCapabilities=0x008040fa
*** subChannelInfop5 = 0x00d00000, adslDemodCap2Value = 0x00d00000
pSdramPHY=0xA3FFFFF8, 0xD092 0x0
*** PhySdramSize got adjusted: 0x82CDC => 0x98878
*** AdslCoreSharedMemInit: shareMemAvailable=423776
AdslCoreHwReset: AdslOemDataAddr = 0xA3F77D28
MOTOPIA AFEID 0x000hex00
Set PTM TPS_TC
Set PTM TPS_TC
*** demodCapabilities=0x009044fa
*** subChannelInfop5 = 0x00d00000, adslDemodCap2Value = 0x00d00000
***DoDyingGaspCommand: Dying Gasp command received ***
***DoDyingGaspCommand: Value is 0 ***
bcmxtmrt: MAC address: 42 b7 f3 21 12 9f
[DoCreateDeviceReq.2576]: register_netdev
[DoCreateDeviceReq.2578]: register_netdev done
device ptm0.0 entered promiscuous mode
device ptm0 entered promiscuous mode
br2: port 1(ptm0.0) entering forwarding state
device eth0.16 entered promiscuous mode
device eth0 entered promiscuous mode
br1: port 1(eth0.16) entering forwarding state
device eth1.16 entered promiscuous mode
device eth1 entered promiscuous mode
br1: port 2(eth1.16) entering forwarding state
device eth2.16 entered promiscuous mode
device eth2 entered promiscuous mode
br1: port 3(eth2.16) entering forwarding state
device eth3.16 entered promiscuous mode
device eth3 entered promiscuous mode
br1: port 4(eth3.16) entering forwarding state
device wl0 entered promiscuous mode
device wl0.1 entered promiscuous mode
device wl0.2 entered promiscuous mode
device wl0.3 entered promiscuous mode
Initialized fcache state
Broadcom Packet Flow Cache Char Driver v2.2 Sep 24 2010 19:06:36 Registered<242>
Created Proc FS /procfs/fcache
Broadcom Packet Flow Cache registered with netdev chain
Broadcom Packet Flow Cache learning via BLOG enabled.
Constructed Broadcom Packet Flow Cache v2.2 Sep 24 2010 19:06:36
endpt 0 deviceId 0 indexCount 0
deviceChannelMap[0].txTimeslot = 0
endpt 1 deviceId 0 indexCount 0
deviceChannelMap[1].txTimeslot = 2
BOS: Enter bosInit
Enter bosAppInit
Exit bosAppInit
BOS: Exit bosInit
endpoint_open COMPLETED
Enter bosStartApp
AppResetRootTask() - Is it morning already?
Spawning app task...
AppResetDetectionEnable() - Enabled reset detection.
Exit bosStartApp
***** bhiPrepareChannelTimeslotMap 1025 chanTsMap[0].chan = 0
***** bhiPrepareChannelTimeslotMap 1026 chanTsMap[0].txTimeslot = 0
***** bhiPrepareChannelTimeslotMap 1027 chanTsMap[0].rxTimeslot = 0
***** bhiPrepareChannelTimeslotMap 1025 chanTsMap[1].chan = 1
***** bhiPrepareChannelTimeslotMap 1026 chanTsMap[1].txTimeslot = 1
***** bhiPrepareChannelTimeslotMap 1027 chanTsMap[1].rxTimeslot = 1
Enter TaskCreate CMT_EXCEPTION_IST
TaskCreate - spawn new task CMT_EXCEPTION_IST
Exit TaskCreate
Enter TaskCreate HTSK
TaskCreate - spawn new task HTSK
Exit TaskCreate
boardHalInit completed
Enter TaskCreate HRTBEAT
TaskCreate - spawn new task HRTBEAT
Exit TaskCreate
Enter TaskCreate VRGEVPR
TaskCreate - spawn new task VRGEVPR
Exit TaskCreate
Enter TaskCreate HCAS
TaskCreate - spawn new task HCAS
Exit TaskCreate
******* DSP: Found BCM96362 *******
******* DSP: In PCM Mode *******
******* DSP: PCM running in 16 bit mode *******
gInterruptCounter = 0x8114C4E4
gInterruptErrors = 0x8114C4E8
gNextRxDesc = 0x8114C4C4
gNextTxDesc = 0x8114C4C0
gDectTestMode = 0x8114c48c
gDectBuffStart = 0x8114c490
32 ms ECAN tail-length
*** gStartRxDesc[0] = 0xA0C16000
*** gBufferSizeBytes = 640
*** gStartTxDesc[0] = 0xA0C33000
halPcmInit 341 nextTxDesc = 0xA0C33000
halPcmInit 341 nextTxDesc = 0xA0C33008
halPcmInit 345 Ownership for TX desc not set. Use this buffer.
DSP MAIN: Date=Jun 13 2011, Time=15:52:59
DSP: Interrupt Masks
---------------
IrqMask = 0x00003B03
IrqMask1 = 0x00000010
DSP: Interrupt Status
-----------------
IrqStatus = 0x00000000
IrqStatus1 = 0x00000000
EndpointInit completed
Other Resources
Broadcom BCM63xx on the OpenWRT wiki
Broadcom SOCs on the Linux-MIPS wiki
The BCM6362 may also be used in the Linksys X3000, the Boblite (nay, BCM6361), and the SKY FAST2504n.
The French Neufbox_6 uses the very similar BCM6361.