
VCM2 Hacking


How to change VCM2 serial number, enter test mode, and get a root shell

I have figured out how to change the serial number of the VCM2 as well as enter test mode, and get a root shell on it. You'll need a microSD card for this to work.

1. Use IDS 86.
2. Recover your VCM2.
a. Describing how to recover is beyond the scope of this post. Search the forums for instructions.
b. After recovery your VCM2 should be at VCM2 FW version 2.1.1.5.
3. Wait about 90 seconds after the VCM2 beeps before proceeding. We are waiting for the SD card to be populated.
4. Unplug the VCM2 and eject the SD card.
5. Mount the SD card with a linux machine.
6. On the SD card open 'apps/vci-diags/hwtest-scripts/self-test.sh' for editing.
7. Add the following line to the file:

touch /etc/vci/config/testmode

8. Cleanly unmount the SD card and insert it back into the VCM2.
9. Plug the VCM2 into the computer and wait 90 seconds past beep before proceeding.
10. Launch IDS.
11. Go to system utilities.

[Image: 2PFx1AVZY7ne]


12. Select 'Launch Monitor Tool' and confirm on the pop up.
13. Select 'Run System Diagnostics' > 'Next' > 'Test a VCM II Module' > 'Next'

 

[Image: 2PFxH5k2xywS]


14. Once the test completes unplug, wait a couple seconds, and then re-plug the VCM2 into the computer.
15. Wait about 15 seconds past when the VCM2 beeps and point your browser to http://192.168.171.2

[Image: 2PFxYZlLtDe6]


You are now in the test mode web server.
a. To set a new serial number, select 'Set New Serial Number' and proceed with setting the serial number.
The default serial number is: 1211-31605352
b. To get a root shell, telnet to 192.168.171.2; you will be dropped to a root shell without being asked for login credentials.
c. To stay in test mode after the next reboot, select 'Set Repair Test Mode'. This has to be done once per boot, or you will have to go through this whole process again to re-enable test mode.
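Seen from the defender's side, the whole procedure rests on one property of the device: a script on unsigned, user-writable removable media (self-test.sh on the SD card) is executed with root privileges when diagnostics run, so a single added line is enough to flip the device into test mode. The following launcher is an added example of the usual mitigation, not code from the VCM2 firmware or from the original post: the on-card script is executed only if its SHA-256 matches an entry in a manifest kept on the device's read-only root filesystem. The paths /etc/vci/hwtest.sha256 and /mnt/sd, and the manifest format (sha256sum output, one "<hash>  <relative path>" line per allowed script), are assumptions made for the example.

```shell
#!/bin/sh
# Added example: gate execution of an SD-card script behind a hash manifest.
# MANIFEST (assumed path) lives on the read-only rootfs; SD_ROOT (assumed)
# is the mount point of the removable card. Both are overridable for testing.
MANIFEST="${MANIFEST:-/etc/vci/hwtest.sha256}"
SD_ROOT="${SD_ROOT:-/mnt/sd}"

# file_sha256 <file>: print the hex SHA-256 of a file, using sha256sum (GNU)
# or shasum (BSD/macOS), whichever is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# expected_hash <relative path>: the manifest entry for that path; empty if
# the path is not allowlisted at all.
expected_hash() {
    awk -v p="$1" '$2 == p {print $1; exit}' "$MANIFEST"
}

# verify_script <relative path>:
#   0 - file on the card matches the manifest
#   1 - path is not in the manifest (never allowed to run)
#   2 - hash differs (file on the card was modified or replaced)
verify_script() {
    rel="$1"
    want=$(expected_hash "$rel")
    [ -n "$want" ] || return 1
    have=$(file_sha256 "$SD_ROOT/$rel")
    [ "$have" = "$want" ] || return 2
    return 0
}

# run_checked <relative path>: execute the on-card script only after it
# verifies; otherwise log the reason and propagate the verification code.
run_checked() {
    if verify_script "$1"; then
        sh "$SD_ROOT/$1"
    else
        rc=$?
        echo "refusing to run $1: verification failed (code $rc)" >&2
        return "$rc"
    fi
}
```

Regenerating the manifest is part of the firmware build, not something the device does at run time; that is what keeps an edit made with the card in a laptop from being honoured by the device. A modified self-test.sh of the kind described above fails with code 2 and is never executed.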


Here Be Dragons:
To those who would go poking around, tread carefully. I accidentally ran cgi-bin/total-reflash and wiped my VCM2.
My bootloader was still intact and available on pins 24 & 25 of the HDL26-PL-B connector.


RS-232 SERIAL ACCESS

The serial console is available on pins 24 (Rx), 25 (Tx), & 26 (Gnd) of the HDL26-PL-B connector. The connection is 38400 8-N-1 at RS-232 levels.
[Image: 2PbgHI6U7pM1]
Make sure to use pin 26 for ground and not the shield. The shield floats and won't produce a usable connection.

U-Boot 1.3.0 (Jan 14 2011 - 17:19:53) ETAS VCI (r68531)

RAM Configuration: on-board
Bank #0: a0000000 64 MB
HW Configuration: (0x1) VCI STD variant 0x1 with SMSC9215I
Flash: 32 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Hit any key to stop autoboot:  0
$ help
?       - alias for 'help'
askenv  - get environment variables from stdin
autoscr - run script from memory
base    - print or set address offset
bdinfo  - print Board Info structure
boot    - boot default, i.e., run 'bootcmd'
bootd   - boot default, i.e., run 'bootcmd'
bootm   - boot application image from memory
bootp   - boot image via network using BootP/TFTP protocol
clock  - display or set processor clock speed
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dhcp    - invoke DHCP client to obtain IP/boot params
dispgd - get info on mmc(sd) card
dmamove     - memory to memory move using DMA
echo    - echo args to console
erase   - erase FLASH memory
exit    - exit script
ext2load- load binary file from a Ext2 filesystem
ext2ls  - list files in a directory (default /)
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
flinfo  - print FLASH memory information
flock  - physical lock of Strataflash
funlock  - physical unlock of Strataflash
go      - start application at address 'addr'
help    - print online help
icrc32  - checksum calculation
iloop   - infinite loop on address range
imd     - i2c memory display
iminfo  - print header information for application image
imls    - list all images found in flash
imm     - i2c memory modify (auto-incrementing)
imw     - memory write (fill)
inm     - memory modify (constant address)
iprobe  - probe to discover valid I2C chip addresses
itest   - return true/false on integer compare
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
macaddr  - display or store MAC address in Strataflash
mapadd - add a memory map item
mapdel - delete a memory map item
mapinfo - display the memory map information
md      - memory display
mm      - memory modify (auto-incrementing)
mmcinfo - get info on mmc(sd) card
mmcinit - init mmc card
mtest   - simple RAM test
mw      - memory write (fill)
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
pinit   - PCMCIA sub-system
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
saveenv - save environment variables to persistent storage
serialnum  - display or store serial number in Strataflash
setenv  - set environment variables
sleep   - delay execution for some time
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor version
$

 

BACKUP SD CARD

dd bs=512 if=/dev/mtd0 of=/mnt/sd/mtd0
dd bs=512 if=/dev/mtd1 of=/mnt/sd/mtd1
dd bs=512 if=/dev/mtd2 of=/mnt/sd/mtd2
dd bs=512 if=/dev/mtd3 of=/mnt/sd/mtd3
dd bs=512 if=/dev/mtd4 of=/mnt/sd/mtd4
dd bs=512 if=/dev/mtd5 of=/mnt/sd/mtd5
dd bs=512 if=/dev/mtd6 of=/mnt/sd/mtd6
dd bs=512 if=/dev/mtd7 of=/mnt/sd/mtd7
dd bs=512 if=/dev/mtd8 of=/mnt/sd/mtd8
dd bs=512 if=/dev/mtd9 of=/mnt/sd/mtd9
dd bs=512 if=/dev/mtd10 of=/mnt/sd/mtd10
dd bs=512 if=/dev/mtd11 of=/mnt/sd/mtd11
dd bs=512 if=/dev/mtd12 of=/mnt/sd/mtd12
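The dd list above is the right idea, but it is written for one fixed partition layout and gives no sign of whether a dump is complete, which matters most once the backup is the only thing standing between you and the total-reflash situation described earlier. The script below is an added example, not from the original post: it reads the partition table from /proc/mtd, dumps every partition, checks each dump's byte count against the size /proc/mtd reports, and writes a SHA256SUMS file so the backup can be re-verified later. PROC_MTD and DEV_DIR are overridable so the functions can be exercised against constructed data; the size check, hex parsing and checksum file are additions beyond the page's commands.

```shell
#!/bin/sh
# Added example: back up every mtd partition listed in /proc/mtd and verify
# each dump. PROC_MTD and DEV_DIR default to the real kernel paths; they are
# variables only so the functions can be run against constructed test data.
PROC_MTD="${PROC_MTD:-/proc/mtd}"
DEV_DIR="${DEV_DIR:-/dev}"

# mtd_list: print "<name> <size in bytes>" per partition, e.g. "mtd0 262144".
# /proc/mtd lines look like:  mtd0: 00040000 00020000 "u-boot"
# The header line ("dev: size erasesize name") does not match mtd[0-9]*.
mtd_list() {
    while IFS=': ' read -r name size erase rest; do
        case "$name" in
            mtd[0-9]*) echo "$name $((0x$size))" ;;
        esac
    done < "$PROC_MTD"
}

# backup_mtd <outdir>: dd each partition into <outdir>/<name>, compare the
# dump size with the size /proc/mtd reports, and append a sha256 line to
# <outdir>/SHA256SUMS. Returns 1 if any dump was short (unreadable blocks,
# wrong device node, or a card that filled up), 0 otherwise.
backup_mtd() {
    out="$1"
    mkdir -p "$out"
    mtd_list | while read -r name size; do
        dd if="$DEV_DIR/$name" of="$out/$name" bs=512 2>/dev/null
        got=$(wc -c < "$out/$name" | tr -d ' ')
        if [ "$got" -ne "$size" ]; then
            echo "$name: short dump ($got of $size bytes)" >&2
            # the loop runs in a subshell, so record the failure on disk
            echo "$name short" >> "$out/PROBLEMS"
        fi
        (cd "$out" && sha256sum "$name" >> SHA256SUMS)
    done
    [ ! -f "$out/PROBLEMS" ]
}

# verify_backup <outdir>: re-check every dump against SHA256SUMS; use this
# before trusting a backup as the source for a restore.
verify_backup() {
    (cd "$1" && sha256sum -c --quiet SHA256SUMS)
}
```

Run it from the root shell on the device as `backup_mtd /mnt/sd/backup-$(date +%s)` with the SD card mounted; a non-zero exit means at least one partition was not dumped completely, and the PROBLEMS file in the output directory names it.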


I was able to restore my VCM2. If you find yourself in the same situation:

1. Download and use ExtraPuTTY (use Ymodem mode for transfers).

2. Download baner's firmware from post #16.

3. Connect to the serial bootloader as detailed in post #5.

4. Run the following commands one group at a time, substituting the corresponding mtd partition for each group (list below). You'll need to follow the on-screen prompts.

Code:

setenv baudrate 115200; funlock; saveenv
mw.b 0xa2000000 FF 0x01400000; loady 0xa2000000; funlock; protect off fpga; erase fpga; cp.b 0xa2000000 fpga 0x000a0000
mw.b 0xa2000000 FF 0x01400000; loady 0xa2000000; funlock; protect off linux2; erase linux2; cp.b 0xa2000000 linux2 0x00180000
mw.b 0xa2000000 FF 0x01400000; loady 0xa2000000; funlock; protect off initrd2; erase initrd2; cp.b 0xa2000000 initrd2 0x00600000
mw.b 0xa2000000 FF 0x01400000; loady 0xa2000000; funlock...
