
Commit b8712ee

feat(epon): F-MDCONU3A — add CLI permission bypass, full command reference, firmware flash protocol (#443)
* feat(epon): F-MDCONU3A — add CLI permission bypass, full command tree, firmware flash protocol

  Adds extensive reverse-engineering findings for the Free/Iliad F-MDCONU3A (BCM55030 10G-EPON ONU) from static analysis of the v3.2.9 firmware binary:

  - CLI permission system: pl built-in command bypasses all permission checks, pl omega gives full manufacturing access (level 2) from default UART shell
  - Complete CLI command tree at all 3 permission levels (level 0: ~60 cmds, level 1: +20, level 2: +25)
  - Firmware flash protocol (load/rx): raw binary transfer over UART at 57600 baud, TKF container format with trailing CRC32
  - Hardware architecture details: Harvard ARC (ICCM/DCCM), firmware structure, FDS personality records
  - Expanded flash memory map with all 5 regions including FDS/Config
  - Filled in missing hardware specs (bootloader, system, load addr, RAM, chipset rev)

  All findings from Ghidra static analysis (2697 functions named). No proprietary documentation was used.

* feat(epon): F-MDCONU3A — add CLI permission bypass, full command reference, firmware flash protocol

  Adds extensive reverse-engineering findings for the Free/Iliad F-MDCONU3A (BCM55030 10G-EPON ONU) from static analysis of the v3.2.9 firmware binary:

  - CLI permission system: pl built-in command bypasses all permission checks, pl omega gives full manufacturing access (level 2) from default UART shell
  - Complete CLI command tree at all 3 permission levels with inline descriptions (level 0: ~60 cmds, level 1: +20, level 2: +25)
  - Full CLI command reference: syntax, arguments, and descriptions for every command, organized by category (system, EPON/MAC, MPCP, memory, stats, firmware/flash, FDS, alarms/debug, multicast, SerDes, MACsec)
  - PON speed mode encoding table (1G/1G, 2G/1G, 10G/1G, 10G/10G)
  - Firmware flash protocol (load/rx): raw binary transfer over UART at 57600 baud, TKF container format with trailing CRC32
  - Hardware architecture details: Harvard ARC (ICCM/DCCM), firmware structure, FDS personality records
  - Expanded flash memory map with all 5 regions including FDS/Config
  - Filled in missing hardware specs (bootloader, system, load addr, RAM, chipset)
  - Corrected mcast/ command tree (domains/groups/sources/reporters don't exist in the v3.2.9 binary — only igmpinfo and igmpsources are confirmed)
  - Added serdesTestInit and serdesRx to level 0 serdes/ tree

  All findings from Ghidra static analysis (2697 functions named). No proprietary documentation was used.
1 parent 7cbaba4 commit b8712ee

1 file changed

Lines changed: 330 additions & 73 deletions
