Mobile Computer Repairs

Stockport   07846694124

Talk Talk DSL3782 / D-Link Teardown

Gertrude

If I have another call out about this router I will cry. If you own one of these routers smash it to bits crap on it and send it back to Talk Talk with your contract cancellation letter. Don't turn it, smash it to bits. The problems with these routers is that they have no real antenna so unless you are directly in front of it its not gonna work very well, no shielding to save cost, can't handled more than about 4 devices, and just general internet drop out.

Talk Talk suck balls, they can not do anything right and they block Team Viewer.

Below is a teardown of DSL-3782 router with a serial dump and a copy of the extracted firmware.

 

The first thing you need to do to open the router is take a hammer and hit firmly.

Remove the 2 Philips head screws circled in red and the pull apart.

PCB rear. No components.

Front PCB

No.Part NumberDescription
1Mediatek MT7612EN802.11a/b/g/n/ac WI-FI 2T2R Single Chip
2Winbond W9751G6KB-25512MB DDR2 SDRAM
3Mediatek MT7592NRebranded RT5592EP WI-FI a/n
4MediaTek MT7555NxDSL Line Driver
5Mediatek MT7511TRalink MT751020 SOC / Trendchip
6Macronix MX25L12805D16mb serial flash
7U&T UTH20T12Ethernet transformer
8M3TEK IT76620M23V/2A High Efficiency Synchronous Rectified Step-Down DC/DC
9M3TEK IT76620M23V/2A High Efficiency Synchronous Rectified Step-Down DC/DC
10MP111Operational amplifier
11N/AUART

UART Dump

The serial console is none interactive.

MT751020 at 20161201日 星期四 11:12:16 CST free bootbase Memory size 64MB flash base: bc000000 Found SPI Flash 16MiB MX25L12805D at 0xbc000000 BOOTLOADER version 1.2 Search PHY addr and found PHY addr=8 Not found TC Phy Press any key in 3 secs to enter boot command mode. ............................................................ Decompress to 80002000 free_mem_ptr=80600000 free_mem_ptr_end=80780000 75xx: 0x80 Uncompressing [LZMA] ... done. Linux version 2.6.36 (root@localhost.localdomain) (gcc version 4.3.4 (GCC) ) #20 SMP Fri Dec 14 07:47:18 CST 2018 ISPRAM0: PA=00308000,Size=00008000,enabled DSPRAM0: PA=1dff8000,Size=00001000,enabled flash_init: flash_base:bc000000 flash_init: flash_base:bc000000 memsize:64MB Ralink MT751020 SOC prom init bootconsole [early0] enabled CPU revision is: 00019555 (MIPS 34Kc) Determined physical RAM map: memory: 03fe0000 @ 00020000 (usable) Wasting 1024 bytes for tracking 32 unused pages Zone PFN ranges: Normal 0x00000020 -> 0x00004000 Movable zone start PFN for each node early_node_map[1] active PFN ranges 0: 0x00000020 -> 0x00004000 3 available secondary CPU TC(s) PERCPU: Embedded 7 pages/cpu @81083000 s7232 r8192 d13248 u65536 pcpu-alloc: s7232 r8192 d13248 u65536 alloc=16*4096 pcpu-alloc: [0] 0 [0] 1 [0] 2 [0] 3 Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16224 Kernel command line: es=1 PID hash table entries: 256 (order: -2, 1024 bytes) Dentry cache hash table entries: 8192 (order: 3, 32768 bytes) Inode-cache hash table entries: 4096 (order: 2, 16384 bytes) Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes. Primary data cache 64kB, 4-way, VIPT, cache aliases, linesize 32 bytes Writing ErrCtl register=0000470c Readback ErrCtl register=0000470c nmi base is 810c4200 Memory: 60700k/65408k available (3128k kernel code, 4708k reserved, 639k data, 220k init, 0k highmem) SLUB: Genslabs=7, HWalign=32, Order=0-3, MinObjects=0, CPUs=4, Nodes=1 Hierarchical RCU implementation. RCU-based detection of stalled CPUs is disabled. Verbose stalled-CPUs detection is disabled. NR_IRQS:64 CPU frequency 750.00 MHz Using 266.000 MHz high precision timer. console [ttyS0] enabled, bootconsole disabled console [ttyS0] enabled, bootconsole disabled Calibrating delay loop... 498.07 BogoMIPS (lpj=2490368) pid_max: default: 32768 minimum: 301 Mount-cache hash table entries: 512 34K sync es set to 1. Config7: 0x80080500 Limit of 4 TCs set TLB of 64 entry pairs shared by 2 VPEs VPE 0: TC 0 1 2, VPE 1: TC 3 IPI buffer pool of 16 buffers CPU revision is: 00019555 ((null)) TC 1 going on-line as CPU 1 CPU revision is: 00019555 ((null)) TC 2 going on-line as CPU 2 CPU revision is: 00019555 ((null)) TC 3 going on-line as CPU 3 Brought up 4 CPUs NET: Registered protocol family 16 MT7510_pcie_init check pcie link up status: isRC0_LINKUP=1 isRC1_LINKUP=1 CR 0x50012498 value is 0x5 CR 0x50012040 value is 0x80 registering PCI controller with io_map_base unset bio: create slab <bio-0> at 0 pci 0000:00:00.0: BAR 8: assigned [mem 0x20000000-0x200fffff] pci 0000:00:01.0: BAR 8: assigned [mem 0x20100000-0x201fffff] pci 0000:00:01.0: BAR 9: assigned [mem 0x20200000-0x202fffff pref] pci 0000:01:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff] pci 0000:01:00.0: BAR 0: set to [mem 0x20000000-0x200fffff] (PCI address [0x20000000-0x200fffff] pci 0000:00:00.0: PCI bridge to [bus 01-01] pci 0000:00:00.0: bridge window [io disabled] pci 0000:00:00.0: bridge window [mem 0x20000000-0x200fffff] pci 0000:00:00.0: bridge window [mem pref disabled] pci 0000:02:00.0: BAR 0: assigned [mem 0x20100000-0x201fffff 64bit] pci 0000:02:00.0: BAR 0: set to [mem 0x20100000-0x201fffff 64bit] (PCI address [0x20100000-0x201fffff] pci 0000:02:00.0: BAR 6: assigned [mem 0x20200000-0x2020ffff pref] pci 0000:00:01.0: PCI bridge to [bus 02-02] pci 0000:00:01.0: bridge window [io disabled] pci 0000:00:01.0: bridge window [mem 0x20100000-0x201fffff] pci 0000:00:01.0: bridge window [mem 0x20200000-0x202fffff pref] PCI: Enabling device 0000:00:00.0 (0000 -> 0002) PCI: Enabling device 0000:00:01.0 (0000 -> 0002) NET: Registered protocol family 8 NET: Registered protocol family 20 Switching to clocksource MIPS NET: Registered protocol family 2 IP route cache hash table entries: 1024 (order: 0, 4096 bytes) TCP established hash table entries: 2048 (order: 2, 16384 bytes) TCP bind hash table entries: 2048 (order: 2, 16384 bytes) TCP: Hash tables configured (established 2048 bind 2048) TCP reno registered UDP hash table entries: 128 (order: 0, 4096 bytes) UDP-Lite hash table entries: 128 (order: 0, 4096 bytes) NET: Registered protocol family 1 TC3162 hardware watchdog module loaded. squashfs: version 4.0 (2009/01/31) Phillip Lougher msgmni has been set to 118 cryptomgr_test used greatest stack depth: 15216 bytes left io scheduler noop registered (default) ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162 brd: module loaded tc3162 mtd init: mt6573_nand_init enter MediaTek MT6573 Nand driver init, version v2.0 tc3162: flash device 0x01000000 at 0x1c000000 tc3162: Found SPIFLASH 16MiB MX25L12805D Creating 7 MTD partitions on "tc3162": 0x000000000000-0x000000020000 : "bootloader" 0x000000020000-0x000000030000 : "romfile" 0x000000030000-0x00000017a732 : "kernel" mtd: partition "kernel" doesn't end on an erase block -- force read-only 0x00000017a732-0x000000cea732 : "rootfs" mtd: partition "rootfs" doesn't start on an erase block boundary -- force read-only 0x000000030000-0x000000d40000 : "tclinux" 0x000000d40000-0x000000fc0000 : "web" 0x000000fc0000-0x000001000000 : "reservearea" PPP generic driver version 2.4.2 PPP Deflate Compression module registered PPP BSD Compression module registered NET: Registered protocol family 24 RT3xxx EHCI/OHCI init. Netfilter messages via NETLINK v0.30. nf_conntrack version 0.5.0 (948 buckets, 3792 max) ctnetlink v0.93: registering with nfnetlink. nf_conntrack_rtsp v0.6.21 loading xt_time: kernel timezone is -0000 nf_nat_rtsp v0.6.21 loading ip_tables: (C) 2000-2006 Netfilter Core Team TCP cubic registered Initializing XFRM netlink socket NET: Registered protocol family 10 IPv6 over IPv4 tunneling driver NET: Registered protocol family 17 NET: Registered protocol family 15 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com> All bugs added by David S. Miller <davem@redhat.com> VFS: Mounted root (squashfs filesystem) readonly on device 31:3. Freeing unused kernel memory: 220k freed busybox init and set aff init started: BusyBox v1.00 (2018.12.13-23:59+0000) multi-call binary init started: BusyBox v1.00 (2018.12.13-23:59+0000) multi-call binary Starting pid 51, console /dev/ttyS0: '/usr/etc/init.d/rcS' [ used greatest stack depth: 14208 bytes left chmod: /userfs/profile.cfg: Read-only file system busybox used greatest stack depth: 14120 bytes left module_sel: module license 'unspecified' taints kernel. Disabling lock debugging due to kernel taint insmod used greatest stack depth: 13896 bytes left tcsmux version: tcsmux V1.1.0.0 (Jul 19 2013-09:04:45). tcportbind version: tcportbind V1.1.0.0 (Jul 19 2013-09:04:47). vlantag_drv_init /usr/etc/init.d/rcS: 97: cannot create /proc/sys/net/netfilter/nf_conntrack_reserve: Directory nonexistent /usr/etc/init.d/rcS: 97: cannot create /proc/sys/net/netfilter/nf_conntrack_reserve_proto: Directory nonexistent /usr/etc/init.d/rcS: 97: cannot create /proc/sys/net/netfilter/nf_conntrack_reserve_port: Directory nonexistent TCSUPPORT_IPV6 TC3162 LED Manager 0.1 init tcledctrl version: tcledctrl V1.1.0.0 (Dec 14 2018-07:47:59). tccicmd V1.1.0.0 (Dec 14 2018-07:48:04) SIFMaster 0.1 init Register sifm cmd the number of cfg node is 74 wlan_init portbind_init autopvc_init logAccess_init LanguageSwitch_init vendorCfgFile_init The number of cache node is 5 Check romfile pass! mtd[readflash]:device=reservearea tclen=65536 tcoffset=0 Unlocking reservearea ... Reading from reservearea to /tmp/tc_backupromfile ... [BK_ROMFILE_FLAG]/userfs/bin/mtd readflash /tmp/tc_backupromfile 65536 0 reservearea WPSActiveStatus = NULL WPSOOBActive = NULL ReCounterActive = NULL WPSGenPinCode = NULL ###3782TT 2.4G IgmpSnEnable on default!!! ###S:3782TT 2.4G IgmpSnEnable on default!!! ###enter write_wlan_coutry,defcountry=UNITED KINGDOM### mtd[readflash]:device=reservear###enter write_wlan_country,defcountry=UNITED KINGDOM,str=UNITED KINGDOM### ea###enter write_wlan_countryregion=1 tclen=987 tcoffset=198145 Unlocking reservearea ... Reading from reservearea to /tmp/readinf ... ###enter write_wlan_country,str=UNITED KINGDOM### ###enter write_wlan_uptime,uptime=4### ###enter write_wlan_ssid,tmp=TALKTALKAF3EDB### mtd[readflash]:device=reservearea tclen=512 tcoffset=196608 Unlocking reservearea ... Reading from reservearea to /tmp/RT30xxEEPROM.bin ... goto wlan11ac_write!! wlan11ac_write---goto fopen 1 1!! run_ac_wps :WPSActiveStatus = NULL WPSOOBActive = NULL ReCounterActive = NULL WPSGenPinCode = NULL ###enter write_wlan11ac_coutry,defcountry=UNITED KINGDOM### mtd[readflash]:device=reserve###enter readinf,readinf=UNITED KINGDOM ######## a###enter write_wlan11ac_country,defcountry=UNITED KINGDOM,str=UNITED KINGDOM### re###enter write_wlan11ac_countryregion=1### a tclen=987 tcoffset=198145 Unlocking reservearea ... Reading from reservearea to /tmp/readinf ... ###enter write_wlan11ac_country,str=UNITED KINGDOM### ###enter write_wlan11ac_uptime,uptime=5### ###enter write_wlan11ac_ssid,tmp=TALKTALKAF3EDB### xyyou:isfirstwrite...offset=30200 mtd[readflash]:device=reservearea tclen=512 tcoffset=197120 Unlocking reservearea ... Reading from reservearea to /tmp/MT7610EEPROM.binxyyou:the tmp/bin is not empty!!! xyyou:id in the bin=6276 .hoben:tempid1 in the bin=RZPV1I1076 .hoben:tempid2 in the bin=466 .hoben:idcount = 466 mtd[readflash]:device=reservearea tclen=32 tcoffset=198240 Unlocking reservearea ... Reading from reservearea to /tmp/number1 ... ip=0.0.0.0 ip=0.0.0.0 ip=0.0.0.0 ip=0.0.0.0 ip=0.0.0.0 ip=0.0.0.0 ip=0.0.0.0 ip=0.0.0.0 ip=0.0.0.0 ip=0.0.0.0 sslca_write:get Frag Number failed! startsmbfilepwent_internal: file /etc/samba/smbpasswd did not exist. File successfully created. Adapter_Interrupts_Init: Successfully hooked IRQ 29 Adapter_Interrupts_Init: call back registeredAdapter_EIP93_Init: CmdRing_Handle=83eb2ffc Adapter_EIP93_Init: ResRing_Handle=83eb2ff8 Adapter: Successfully initialized EIP93v2 in ARM mode PEC_Init: PRNG is initialized The attribute is not in wifiMACTab lanHost_read: Create node LanHost ! insmod raeth driver femac.c:v1.00-NAPI 29.Mar.2011 eth0: FE MAC Ethernet address: 78:32:1B:AF:3E:DB insmod used greatest stack depth: 13864 bytes left Cannotip used greatest stack depth: 13824 bytes left find device "br0" insmod used greatest stack depth: 13744 bytes left Cannot find device "br0" 7510_debug: dmt_base_addr : bf900000 ADSL DMT initialization starting Begin AdslTaskInit..... End AdslTaskInit Begin to request IRQ 20 DMT:Succeed to request IRQ 20 Initializing ADSL F/W 5.5.1.174 ...... Initializing ADSL F/W ........ done insmod used greatest stack depth: 13720 bytes left TCSUPPORT_WLAN TCSUPPORT_WLAN_MT7592 TCSUPPORT_DUAL_WLAN_MT7612E PCI: Enabling device 0000:02:00.0 (0000 -> 0002) === pAd = c1582000, size = 1011944 === <-- RTMPAllocTxRxRingMemory, Status=0 <-- RTMPAllocAdapterBlock, Status=0 device_id =0x7662 ==>rlt_wlan_chip_onoff(): OnOff:1, Reset= 1, pAd->WlanFunCtrl:0x0, Reg-WlanFunCtrl=0x20a Mirror/redirect action on SIOCGIFFLAGS: No such device Ebtables v2.0 registered eth0: starting interface. MT7510FE, PhyPart debug: tcPhyInit() in MT7510Ge,Internal check flag: fgMT7510Ge_INT=0x0 PhyPart debug: tcPhyInit() in Ralink HW NAT Module Enabled IP check use Black List device eth0 entered promiscuous mode br0: port 1(eth0) entering learning state br0: port 1(eth0) entering learning state [ used greatest stack depth: 13712 bytes left mtd[readflash]:device=bootcfg tclen=25 tcoffset=0 Unlocking bootcfg ... Could not open mtd device: bootcfg TCSUPPORT_WLAN: ifconfig efuse_probe: efuse = 10000002 now bb MainSsid mac 78:32:1b:af:3e:db tssi_1_target_pwr_g_band = 29 jiffies=ffff921d, POLLING_MODE_DETECT_INTV=300 ifconfig used greatest stack depth: 13416 bytes left device ra0 entered promiscuous mode br0: port 2(ra0) entering forwarding state br0: port 2(ra0) entering forwarding state TCSUPPORT_WLAN_WDS build time = 20140408060640a rom patch for E3 IC platform = ALPS hw/sw version = ▒▒ patch version = FW Version:0.0.00 Build:1 Build Time:201411280941____ fw for E3 IC RX[0] DESC a1eca000 size = 8192 RX[1] DESC a1ecc000 size = 8192 cfg_mode=14 cfg_mode=14 wmode_band_equal(): Band Not Equal! RtmpChipOpsEepromHook::e2p_type=4, inf_Type=5 NVM is BIN mode 1. Phy Mode = 49 Country Region from e2p = ffff 2. Phy Mode = 49 3. Phy Mode = 49 andes_pci_fw_init 0x1300 = 00073200 AntCfgInit: primary/secondary ant 0/1 andes_load_cr:cr_type(2) ChipStructAssign(): MT76x2 hook ! MCS Set = ff ff 00 00 01 TX0 power compensation = 0x38 TX1 power compensation = 0x38 mt76x2_bbp_adjust():rf_bw=2, ext_ch=1, PrimCh=36, HT-CentCh=38, VHT-CentCh=42 APStartUp(): AP Set CentralFreq at 42(Prim=36, HT-CentCh=38, VHT-CentCh=42, BBP_BW=2) mt76x2_calibration(channel = 42) Main bssid = 7a:32:1b:a3:3e:eb mt76x2_reinit_agc_gain:original agc_vga0 = 0x5c, agc_vga1 = 0x5c mt76x2_reinit_agc_gain:updated agc_vga0 = 0x5c, agc_vga1 = 0x5c mt76x2_reinit_hi_lna_gain:original hi_lna0 = 0x27, hi_lna1 = 0x27 mt76x2_reinit_hi_lna_gain:updated hi_lna0 = 0x27, hi_lna1 = 0x27 original vga value(chain0) = 5c original vga value(chain1) = 5c <==== rt28xx_init, Status=0 RT28xx_Monitor_Init: 611 !!!!####!!!!!! RTMPDrvOpen(1):Check if PDMA is idle! RTMPDrvOpen(2):Check if PDMA is idle! jiffies=ffff9486, POLLING_MODE_DETECT_INTV=300 ifconfig used greatest stack depth: 12800 bytes left device rai0 entered promiscuous mode br0: port 3(rai0) entering forwarding state br0: port 3(rai0) entering forwarding state telnetd: starting port: 23; login program: /bin/login TC3162 hardware watchdog initialized SSH Ethernet Media-Type Support SQUASHFS error: Can't find a SQUASHFS superblock on mtdblock5 s_magic err failed_mount err=8 mount: Mounting /dev/mtdblock5 on /var/boaroot failed: Invalid argument four ports can't open proc_automount_pid SIOCGIFFLAGS: No such device interface eth0.1 does not exist! sh: vconfig: not found [01/Jan/1970:00:00:25 +0000] boa: server version Boa/0.94.13 [01/Jan/1970:00:00:25 +0000] boa: server built Dec 14 2018 at 08:03:13. [01/Jan/1970:00:00:25 +0000] boa: starting server pid=334, port 80 SIOCGIFFLAGS: No such device interface eth0.2 does not exist! sh: vconfig: not found SIOCGIFFLAGS: No such device interface eth0.3 does not exist! sh: vconfig: not found SIOCGIFFLAGS: No such device interface eth0.4 does not exist! sh: vconfig: not found SIOCGIFFLAGS: No such device interface eth0.5 does not exist! sh: vconfig: not found SIOCGIFFLAGS: No such device interface eth0.6 does not exist! sh: vconfig: not found device eth0 is already a member of a bridge; can't enslave it to bridge br0. Added VLAN with VID == 1 to IF -:eth0:- WARNING: VLAN 1 does not work with many switches, consider another number if you have problems. device eth0.1 entered promiscuous mode br0: port 4(eth0.1) entering forwarding state br0: port 4(eth0.1) entering forwarding state Added VLAN with VID == 2 to IF -:eth0:- device eth0.2 entered promiscuous mode br0: port 5(eth0.2) entering forwarding state br0: port 5(eth0.2) entering forwarding state Added VLAN with VID == 3 to IF -:eth0:- device eth0.3 entered promiscuous mode br0: port 6(eth0.3) entering forwarding state br0: port 6(eth0.3) entering forwarding state Added VLAN with VID == 4 to IF -:eth0:- device eth0.4 entered promiscuous mode br0: port 7(eth0.4) entering forwarding state br0: port 7(eth0.4) entering forwarding state br0: port 1(eth0) entering learning state ========FirmVer DSL-3782 FTTxv1.10t ========FirmVer DSL-3782 FTTxv1.10t ========================insmod iptable_filter======================= chmod: /userfs/profile.cfg: Read-only file system iptables: Chain already exists. iptables: Chain already exists. /etc/isp0.conf Plugin libpppoatm.so loaded. PPPoATM plugin_init PPPoATM setdevname_pppoatm - SUCCESS:0.38 Options file - /etc/ppp/options.0.38. Using interface ppp0 local IP address 10.64.64.64 remote IP address 10.112.112.112 no valid pvc Cannot find device "nas0" killall: oam_eci: no process killed Cannot find device "imq0" bad action parsing parse_action: bad value (5:mirred)! Illegal fw "action" killall: cfm: no process killed CFM interface is nas0 Open CFM debug message *reg=00001fe0 value:20087864 (ext_switch:0) /etc/isp1.conf RFC1483/2684 bridge: Interface "nas1" could not be created, reason: No such device RFC1483/2684 bridge: Communicating over ATM 0.0.65, encapsulation: LLC qos.txtp.traffic_class = 1 RFC1483/2684 bridge: Fatal: failed to connect on socket Cannot find device "nas1" Cannot find device "imq0" bad action parsing parse_action: bad value (5:mirred)! Illegal fw "action" no valid pvc CFM interface is nas1 Open CFM debug message *reg=00001fe0 value:20087864 (ext_switch:0) /etc/isp2.conf /etc/isp3.conf /etc/isp4.conf /etc/isp5.conf /etc/isp6.conf /etc/isp7.conf /etc/isp8_0.conf ==>Error, socket or ioctl error for mulifctl info, udhcpc (v0.9.9-pre) started error, SIOCGIFINDEX failed!: No such device Cannot find device "nas8_0" Cannot find device "imq0" bad action parsing parse_action: bad value (5:mirred)! Illegal fw "action" no valid pvc CFM interface is nas8 Open CFM debug message *reg=00001fe0 value:20087864 (ext_switch:0) /etc/isp8_1.conf /etc/isp8_2.conf /etc/isp8_3.conf /etc/isp8_4.conf /etc/isp8_5.conf /etc/isp8_6.conf /etc/isp8_7.conf /etc/isp9_0.conf /etc/isp9_1.conf /etc/isp9_2.conf /etc/isp9_3.conf /etc/isp9_4.conf /etc/isp9_5.conf /etc/isp9_6.conf /etc/isp9_7.conf /etc/isp10_0.conf /etc/isp10_1.conf /etc/isp10_2.conf /etc/isp10_3.conf /etc/isp10_4.conf /etc/isp10_5.conf /etc/isp10_6.conf /etc/isp10_7.conf /usr/bin/wan tcif set gv on! G.VECTOR on /usr/bin/wan tcif set aelem on! AELEM on TCSUPPORT_USBHOST SCSI subsystem initialized insmod: cannot open module `/lib/modules/usbhost/nls_base.ko': No such file or directory insmod: cannot open module `/lib/modules/usbhost/fat.ko': No such file or directory insmod: cannot open module `/lib/modules/usbhost/vfat.ko': No such file or directory usbcore: registered new interface driver usbfs usbcore: registered new interface driver hub usbcore: registered new device driver usb ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 1 rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x1fba0000 hub 1-0:1.0: USB hub found hub 1-0:1.0: 2 ports detected VendorId 6b1d ProductID 100 ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver Warning! ehci_hcd should always be loaded before uhci_hcd and ohci_hcd, not after rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 2 rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x1fbb0000 rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00 hub 2-0:1.0: USB hub found hub 2-0:1.0: 2 ports detected VendorId 6b1d ProductID 200 Initializing USB Mass Storage driver... usbcore: registered new interface driver usb-storage USB Mass Storage support registered. fuse init (API version 7.15) usbcore: registered new interface driver usbserial USB Serial support registered for generic usbcore: registered new interface driver usbserial_generic usbserial: USB Serial Driver core USB Serial support registered for GSM modem (1-port) usbcore: registered new interface driver option option: v0.7.2:USB Driver for GSM modems insmod: cannot open module `/kernel/lib/crc-ccitt.ko': No such file or directory usbcore: registered new interface driver usblp Radvd is disabled dhcp6s is disabled! killall: dropbear: no process killed info, udhcpd (v0.9.9-pre) started error, Unable to open /etc/udhcpd.leases for reading sh: /userfs/bin/dproxy: not found read WLAN driver from rt_device failed,set with default value! killall: wscd: no process killed killall: wscd_ac: no process killed killall: rtdot1xd: no process killed Ralink DOT1X daemonStart wireless_auto_channel_period!!! , version = '2.5.0.0' stat the description template(/etc/xml//WFADeviceDesc.xml) failed!(errmsg=No such file or directory) Create Device Description xml buffer failed! Starting link sh: /sbin/modprobe: not found qos.rxtp.traffic_class = 1 qos.txtp.pcr = qos.rxtp.pcr = 0 connect(0.38): No such device connect[radius]: Network is unreachable [DOT1X] Radius_client_init : no any auth RADIUS socket ready [DOT1X] RADIUS client initialization failed. ra1 no private ioctls. ra2 no private ioctls. ra3 no private ioctls. read WLAN driver from rt_device failed,set with default value! killall: rtacdot1xd: no process killed =======rartdot1xd rStart wireless_auto_channel_period!!! ai Ralink DOT1X daemon, version = '2.5.0.0' connect[radius]: Network is unreachable [DOT1X] Radius_client_init : no any auth RADIUS socket ready [DOT1X] RADIUS client initialization failed. iptables: Bad rule (does a matching rule exist in that chain?). iptables: Bad rule (does a matching rule exist in that chain?). ANNEXAIJLM Enter cwmp boot, we will start tr69 Process USB already insert iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. iptables: No chain/target/match by that name. === alpha_syslog_execute in === killall: syslogd: no process killed /usr/script/alpha_syslogd.sh sn done killall: klogd: no process killed ftp switch turn on sip switch turn on h323 switch turn on rtsp switch turn on l2tp switch turn on,sw_state= iptables: Bad rule (does a matching rule exist in that chain?). ipsec switch turn on,sw_state= iptables: Bad rule (does a matching rule exist in that chain?). pptp switch turn on Cannot find device "6rd" Cannot find device "6rd" ioctl: No such devicParental Control: parental_execute() Enter. e iptables v1.4.10: Couldn't find target `parental_chain' Try `iptables -h' or 'iptables --help' for more information. USB already insert RTS debug message OFF! log cicmd 0 (wan dmt2 set largeD 2 ) route: SIOC[ADD|DEL]RT: File exists AutoChannelPeriod 3600 CurrTime 53 StartTime 49 TimeFlag 3596 AutoChannelPeriod 3600 CurrTime 53 StartTime 48 ==>getMacEntryByIndex(): no sta existance ==>getMacEntryByIndex(): no sta existance TimeFlag 3595 Daemon Successfully forked (pid: 2954) Sun Jan 1 00:00:00 UTC 2012 mount: Mounting usbfs on /proc/bus/usb failed: Device or resource busy /usr/etc/init.d/rcS: 1058: /sbin/udevd: not found /usr/etc/init.d/rcS: 1058: /usr/bin/udevstart: not found mtd[readflash]:device=reservearea tclen=1 tcoffset=199131 Unlocking reservearea ... Reading from reservearea to /tmp/telnet_flag ... The flag is error usb eyes pattern!!!!!\n iptables: Chain already exists. <Address> <Value> 0xbfaf1f10 0x00000101 <Address> <Value> 0xbfaf1f0c 0x0000008c <Address> <Value> 0xbfaf1f10 0x00000100 <Address> <Value> 0xbfaf1f0c 0x00000000 system_sirial_no_eoc[0]=52 system_sirial_no_eoc[1]=5a system_sirial_no_eoc[2]=50 system_sirial_no_eoc[3]=56 system_sirial_no_eoc[4]=31 system_sirial_no_eoc[5]=49 system_sirial_no_eoc[6]=31 system_sirial_no_eoc[7]=30 system_sirial_no_eoc[8]=37 system_sirial_no_eoc[9]=36 system_sirial_no_eoc[10]=34 system_sirial_no_eoc[11]=36 system_sirial_no_eoc[12]=36 serial_len=13 The test lab:32 Please press Enter to activate this console. ThreadedTimerCheck: get last for first time mt76x2_bbp_adjust():rf_bw=2, ext_ch=3, PrimCh=40, HT-CentCh=38, VHT-CentCh=42 APStartUp(): AP Set CentralFreq at 42(Prim=40, HT-CentCh=38, VHT-CentCh=42, BBP_BW=2) mt76x2_calibration(channel = 42)

Firmware

The dumped firmware can be found here

https://drive.google.com/open?id=1vqFk2715CZPJEd7f...

or

http://www.mediafire.com/file/iof0jgnqvt2t29h/dsl3...

 

To extract the firmware you should remove the flash chip using a rework station. It maybe possible to read the chip without removing it but I did not try it. Once you have removed the chip it can be read with an EEPROM reader such as CH341A.

Runing Binwalk returned false positives.

65536         0x10000         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 106944 bytes
151216        0x24EB0         Unix path: /I/J/L/M"
196864        0x30100         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 4086848 bytes
1550130       0x17A732        Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 11933319 bytes, 1620 inodes, blocksize: 131072 bytes, created: 2018-12-14 00:12:38
16535216      0xFC4EB0        Unix path: /I/J/L/M"

I resorted to a HEX editor, which was fruitful. I was able to extract the main OS in Squashfs. Viewing the dump in a HEX editor left some questions unanswered so I took a look of the UART dump and found the exact locations of the different partitions / files. The partitions are referenced in the dump under "Creating 7 MTD partitions on "tc3162":" Partitions 4 and 5 overlap and I'm unsure whats going on there, but they open in 7zip with out error.

In Linux run the following commands on the extracted bin file.

dd if=dsl3782.bin of=bootloader.bin bs=1 count=131072 skip=0

dd if=dsl3782.bin of=romfile.bin bs=1 count=196608 skip=131072

dd if=dsl3782.bin of=kernel.bin bs=1 count=1550130 skip=196608

dd if=dsl3782.bin of=rootfs.squashfs bs=1 count=13543218 skip=1550130

dd if=dsl3782.bin of=tclinux.squashfs bs=1 count=13893632 skip=196608

dd if=dsl3782.bin of=web.bin bs=1 count=16515072 skip=13893632

dd if=dsl3782.bin of=reservearea.bin bs=1 count=16777216 skip=16515072

Further reading

The links below are not for this router but I believe they share the same or similar re-branded chip and may be of some use.

https://github.com/vasvir/tcrevenge

https://vasvir.wordpress.com/2015/03/08/reverse-engineering-trendchip-firmware-zte-h108ns-part-i/