Haxorware Forums
EPC2203 - Printable Version


EPC2203 - Zoro - 12-05-2016

Newbie here. I don't know if this is a stupid question, but please understand that I don't have any experience in this field. I have owned an EPC2203 since 2009; a new modem is arriving soon, so I've decided to experiment with this old one. I've bought a cheap USB-to-TTL cable and hooked it up to my modem. After I access the terminal I get this:

Code:
b00
BCM3368A1 TP1
1
Asymmetric VCDL shmoo:
DDR1 DDR2 DDR3 DDR4 VCDL
0000 0000 0424 0008 0D0D
Reduced DDR drive strength
PI sync init:1
346890
MemSize: .........................32M
Flash detected @0xbf000000

Signature: a010


SA BootLoader Version: 2.1.6l_R7 Release Gnu
Build Date: Aug  7 2006
Build Time: 21:16:19


(A). Image 2 Program Header:
    Location: 0xbf200000
   Signature: a010
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2011/5/20 09:51:20 Z
File Length: 2005312 bytes
Load Address: 80004000
    Filename: epc2203-ESIP-16-v202r1262-110520s.bin
         HCS: 0c7d
         CRC: 163af4b2

(B). Image 1 Program Header:
    Location: 0xbf010000
   Signature: a010
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2007/11/20 05:43:42 Z
File Length: 2030952 bytes
Load Address: 80010000
    Filename: epc2203-ESIP-13-v202r1262-071120.bin
         HCS: 5485
         CRC: 412a9f90

. .

Performing CRC on location (A)...
CRC time = 97397859
Detected LZMA compressed image... decompressing...
Target Address: 0x80004000
..................................Elapsed time 1053369552

Decompressed length: 8913900

Executing Image (A)...


eCos - hal_diag_init
Init device '/dev/BrcmTelnetIoDriver'
Init device '/dev/ttydiag'
Init tty channel: 8085e628
Init device '/dev/tty0'
Init tty channel: 8085e648
Init device '/dev/haldiag'
HAL/diag SERIAL init
Init device '/dev/ser0'
BCM 33XX SERIAL init - dev: 0.2
Set output buffer - buf: 0x8090c7b0 len: 2048
Set input buffer - buf: 0x8090cfb0 len: 2048
BCM 33XX SERIAL config
BcmEmtaBlindDataNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
ERROR: Unable to get GetCountry blind data. (BcmEmtaBlindDataNonVolSettings = NULL)
WARNING: ResetDefaultBlindEmtaData() -Resetting EMTA non-vol data section to default

Is it possible that this modem has a locked bootloader or something, as it seems that there is no available console? Any ideas how to unlock it? I just want to dump the whole firmware and analyse it.
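
An added example, not part of the original thread: a Python parser for the two bootloader program-header blocks in the log above, which reports which image was executed and checks that the flash regions do not overlap. The function names are this example's own, and it assumes File Length counts the bytes stored starting at Location.

```python
import re

# Excerpt of the boot log from the post above (fields not used here are omitted).
BOOT_LOG = """\
(A). Image 2 Program Header:
    Location: 0xbf200000
  Build Time: 2011/5/20 09:51:20 Z
File Length: 2005312 bytes
Load Address: 80004000
    Filename: epc2203-ESIP-16-v202r1262-110520s.bin
         CRC: 163af4b2

(B). Image 1 Program Header:
    Location: 0xbf010000
  Build Time: 2007/11/20 05:43:42 Z
File Length: 2030952 bytes
Load Address: 80010000
    Filename: epc2203-ESIP-13-v202r1262-071120.bin
         CRC: 412a9f90

Executing Image (A)...
"""

HEADER = re.compile(r"^\((\w)\)\. Image (\d+) Program Header:")
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")
BOOTED = re.compile(r"^Executing Image \((\w)\)")

def parse_boot_log(text):
    """Return ({slot: {field: value}}, booted_slot) from a captured serial log."""
    images, current, booted = {}, None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = images.setdefault(m[1], {"Image": m[2]})
        elif m := BOOTED.match(line):
            booted, current = m[1], None
        elif not line.strip():
            current = None                      # blank line closes a header block
        elif current is not None and (m := FIELD.match(line)):
            current[m[1]] = m[2]
    return images, booted

def flash_ranges(images):
    """Assumption: File Length counts the bytes stored starting at Location."""
    return {s: (int(h["Location"], 16), int(h["Location"], 16) + int(h["File Length"].split()[0]))
            for s, h in images.items()}

def overlapping(ranges):
    """Pairs of slots whose flash ranges collide (a corrupt or misparsed header)."""
    spans = sorted(ranges.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, ra), (b, rb) in zip(spans, spans[1:]) if ra[1] > rb[0]]
```

Under that assumption, image (B) ends at 0xbf1ffd68, just below the start of image (A) at 0xbf200000, and the log shows the bootloader executing (A), the 2011 build.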


RE: EPC2203 - Sandy - 12-05-2016

(12-05-2016, 02:10 PM)Zoro Wrote: Newbie here. I don't know if this is a stupid question, but please understand that I don't have any experience in this field. I have owned an EPC2203 since 2009; a new modem is arriving soon, so I've decided to experiment with this old one. I've bought a cheap USB-to-TTL cable and hooked it up to my modem. After I access the terminal I get this:

Is it possible that this modem has a locked bootloader or something, as it seems that there is no available console? Any ideas how to unlock it? I just want to dump the whole firmware and analyse it.

Hey bernardo, throw that thing away and don't lose your time with such an old device.