Category Archives: Hardware

Modifying the Sercomm AD1018 for NAND flashing

My previous work has mostly involved SPI-based flash, but more modern devices like the Meraki MR33 have only NAND storage and there are instances where it is necessary to modify the contents of NAND using hardware means (e.g. to downgrade u-boot before flashing OpenWrt).

There are a wide variety of hardware NAND flashers available on the market, however they are often expensive, proprietary, and slow. Hardware flashers like a Teensy++ 2.0 running NANDway or the NANDLite (which are both quite inexpensive options) will work for reading data, they are not at all convenient if you want to modify the data and rewrite it. Every NAND chip is unique and has its own bad blocks which you should take into consideration. The net result using these programmers is that you have a very slow workflow: you must obtain a consistent dump of the NAND through a device which often reads at only 100KB/s, modify the contents (recalculating ECC/OOB), and then write it back to the NAND.

Why bother with all of this when Linux has a very robust and fast mtd subsystem in the kernel?

Enter the Sercomm AD1018.

Sercomm AD1018

The Sercomm AD1018 is a DSL router originally produced for Vodafone España and based on the Broadcom BCM6328. There are two hardware revisions, which are the same apart from the amount of RAM: v1 has 64MB of RAM and v2 has 128MB. It can be found on eBay from Spanish sellers for less than 20€, and is supported by OpenWrt. As a bonus, you can easily modify the hardware to add SPI flash and then boot OpenWrt off of SPI.

With the operating system booted from SPI, you have a free NAND interface to do what you want. What do we want? A cheap, Linux-based NAND dumping and flashing platform!

However, there is a problem. The “NOR” OpenWrt image for the AD1018 doesn’t include support in the kernel for BRCMNAND so although there is support in the device tree for the onboard NAND, it is unusable in Linux. This makes the device significantly less useful as a NAND flashing platform.

This is easy to solve though: copy the kernel configuration for the smp target, which includes NAND, to the generic target:

cp target/linux/bcm63xx/smp/config-default target/linux/bcm63xx/generic/

You can download the binary image to flash from here.

After flashing the NOR release of LEDE as described in the installation instructions, simply flash the new NOR image with BRCMNAND support using sysupgrade:

sysupgrade -n /tmp/openwrt-21.02.1-bcm63xx-generic-sercomm_ad1018-nor-squashfs-cfe.bin

After rebooting you should now be able to access NAND flash from OpenWrt:

[    0.877092] nand: device found, Manufacturer ID: 0x92, Chip ID: 0xf1
[    0.883812] nand: Eon NAND 128MiB 3,3V 8-bit
[    0.888227] nand: 128 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
[    0.896083] bcm6368_nand 10000200.nand: detected 128MiB total, 128KiB blocks, 2KiB pages, 16B OOB, 8-bit, Hamming ECC
[    0.908376] Bad block table found at page 65472, version 0x01
[    0.915264] Bad block table found at page 65408, version 0x01
[    0.923011] 1 fixed-partitions partitions found on MTD device brcmnand.0
[    0.930026] Creating 1 MTD partitions on "brcmnand.0":
[    0.935356] 0x000000000000-0x000008000000 : "storage"

Until now, apart from installing the SPI flash, we have only addressed software issues. The kernel output above is the stock NAND which is soldered to the PCB, not exactly practical for flashing NAND from other devices.

The OpenWrt wiki suggests hand soldering a TSOP48 socket to the PCB. I am here to tell you there is a much easier method.

You can purchase TSOP48 sockets for around $5/piece from distributors (or AliExpress) however I dislike these because I still sometimes have difficulties soldering the 0.5mm pitch of TSOP48, and wrecking a TSOP48 socket while soldering gets expensive quickly. In my opinion, there is a cheaper and easier solution: use a 24 pin 0.5mm pitch FPC connector and a TSOP48 socket for a TL866II.

The TL866II TSOP48 socket can be purchased for under $4 on AliExpress. The FPC to 2.54mm breakout PCB, 24 pin FPC cable, and 24 pin 0.5mm FPC connector can all be purchased for dirt cheap (~$0.10/piece) in lots of 10+ from AliExpress. I feel this provides numerous advantages over a surface mounted TSOP48 socket:

  • FPC connectors are very inexpensive, so if you accidentally destroy it while soldering, no big loss
  • Since the TL866II TSOP48 socket is connected via FPC cables, you can easily bring it between devices while you are iterating the flash contents

Thankfully, the designers of the TL866II TSOP48 socket routed every pin. However, you should be attentive because the pinout of the TL866II TSOP48 socket is not what you might expect:

When mounting the FPC-24P 0.5mm breakout boards, note that the odd-numbered pins are always on the outer row.

All that remains is to desolder the NAND flash and solder the FPC connectors to the AD1018 PCB

Finally, after cutting a small slot the flat flex cables can be routed outside the enclosure and the TSOP48 socket can be securely mounted

Now it is possible to put the TSOP48 NAND from another device into the socket and use tools like nanddump and dd to manipulate the contents. Since it is OpenWrt, you can even mount a remote filesystem using NFS, sshfs or similar to have even more storage.

While I feel the AD1018 is a very good NAND programmer for the price, there are a few important considerations to consider when comparing the AD1018 against commercial NAND programmers:

  • You cannot hot-swap NAND (however, it boots quickly and has a physical power switch)
  • Since brcmnand is built-in to the kernel and not a module, the router won’t boot if NAND is not present
  • Linux attempts to generate a bad block table when one isn’t present, and this may take quite a long time to complete
  • The AD1018 is likely difficult to obtain outside Europe

Fujitsu iRMC S4 on the TX140 S2

Fujitsu servers come with a remote management solution called iRMC S4 (newer models have iRMC S5). iRMC S4 and S5 are like other lights-out remote management solutions from HP (iLO) or Dell (iDRAC) which comprises a baseband management controller firmware along with other software utilities to remotely configure and manage servers. Importantly though, iRMC S4 runs Linux.

Before we get into the hardware of iRMC S4, let us examine the firmware update process. iRMC S4 follows a pretty typical BMC firmware update process: Fujitsu’s support website offers firmware downloads, and the iRMC web management interface allows you to upload the update which is then written to the inactive firmware slot.

As is common for enterprise hardware, there is no rollback protection, so you can downgrade the installed firmware to previous versions. I did not extensively test this functionality though, so there may be limits to how far you can downgrade as the firmware modifies the persistent conf partition (which is not redundant).

Running binwalk against the update file for the TX140 S2, we can immediately see that it is not encrypted:

$ binwalk FTS_TX140S2D3239iRMCKronos4FirmwareUpdatefo_TX140S20960Fsdr0344_1233853.BIN 

148820        0x24554         U-Boot version string, "U-Boot 1.1.6 (Sep 22 2015 - 17:25:45)"
150076        0x24A3C         CRC32 polynomial table, little endian
184888        0x2D238         CRC32 polynomial table, little endian
589824        0x90000         uImage header, header size: 64 bytes, header CRC: 0x2658385F, created: 2020-04-01 11:24:03, image size: 27389952 bytes, Data Address: 0x0, Entry Point: 0x0, data CRC: 0x6B45479A, OS: Linux, CPU: ARM, image type: RAMDisk Image, compression type: none, image name: ""
589888        0x90040         CramFS filesystem, little endian, size: 27389952, version 2, sorted_dirs, CRC 0x6745F599, edition 0, 15794 blocks, 4707 files
27983936      0x1AB0040       uImage header, header size: 64 bytes, header CRC: 0x27056A57, created: 2019-11-04 16:46:29, image size: 3042664 bytes, Data Address: 0x80808000, Entry Point: 0x80808000, data CRC: 0x222093D7, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.14.17-ami"
27984000      0x1AB0080       Linux kernel ARM boot executable zImage (little-endian)
28002116      0x1AB4744       gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
31129600      0x1DB0000       CramFS filesystem, little endian, size: 45056, version 2, sorted_dirs, CRC 0x52551191, edition 0, 31 blocks, 12 files

As far as I have been able to determine, here is the firmware layout of iRMC S4 on the TX140 S2:

00000000:0008ffff uboot1
00090000:01aaf040 root1 # cramfs1
01ab0040:01daffff zImage1
01db0000:01dc0000 platform1 # sdr1
01e24554:01e8ffff uboot2
01e90000:038af040 root2 # cramfs2
038b0040:03baffff zImage2
03bb0000:03bc0000 platform2 # sdr2
03c00000:03ff0000 conf
03ff0000:03ffffff fru

These correspond to the lower and higher firmware slots in iRMC S4, and ensure that the firmware you are updating is not the currently running firmware.

So, could our way into iRMC S4 be as easy as modifying the cramfs from the firmware update?

Unfortunately, no. The update is signed and the signature is checked by /usr/local/bin/flasher against an RSA-1024 public key located on the conf partition prior to overwriting:

-----END PUBLIC KEY-----

Attempting to modify and repack cramfs results in the following output to the UART:

[1533 : 1533 INFO]VerifyImage
Signature Verification Failure
[1533 : 1533 CRITICAL][utils.c:1241]Signature verification failed 
[1533 : 1533 CRITICAL][utils.c:1522]Encrypted hash of Image and the actual contents of rom.ima does not match

With our software-only modification route looking grim, it is time to move on into the realm of the evil maid.

On the TX140 S2 the BMC UART has been routed to pads, located just below PCIe slot 2, which are easily soldered to:

BMC UART connections on a Fujitsu TX140 S2 motherboard
BMC UART on the TX140 S2 (D3239) motherboard

To stop the default boot sequence, press Escape within 2 seconds:

U-Boot 1.1.6 (Jun 20 2013 - 09:09:05)

DRAM:  247 MB
Fast clk is set
Found SPI Chip Macronix MX66L51235F 
Flash: 64 MB
Net:   pilot_eth0, pilot_eth1
Hit Esc key to stop autoboot:  0 
------ Boot Options-------
        0. Normal Boot
        1. Diagnostics
        2. Remote Recovery
        3. Management Console
        4. Raw Console
Select Boot Option:

Despite requesting the GPL source code for iRMC S4 in December 2020, Fujitsu still has not provided the source code. Without the source code for u-boot, it is difficult to determine if there are any routes that could lead to easy exploitation.

Getting a root console is relatively straightforward with soldering or a chip jig. If you use a jig, you will need very steady hands as flashrom requires 20-30 minutes to write and verify the 27MB cramfs region.

512MBit MXIC flash of the TX140 S2 iRMC S4 BMC

Lucky me, Fujitsu engineers considered physical modification of the iRMC S4 firmware out of scope, and there is no secure boot or signature verification of the cramfs on flash.

Since we can manipulate cramfs, we can bypass the stock Fujitsu shell and replace /usr/local/bin/remman with a symlink to /bin/sh and SSH as the admin user. This is not particularly useful though, as the admin user is not root sysadmin, and the busybox that Fujitsu ship is lacking the su applet, so there’s no way to easily escalate your privileges from admin to sysadmin once logged in.

~ $ id
uid=1002(admin) gid=501(ipmi) groups=501(ipmi),504(lanoem),510(serialoem),528(iRMCsettings),529(RemoteStorage),530(UserAccounts),531(VideoRedirection),532(CfgConnectionBlade),535(RemoteManager)

The uid 0 account is not called root, but rather sysadmin with the password superuser:


The sysadmin account is not visible in the iRMC web interface and, as far as I can tell, the password cannot be changed (unless you physically modify the contents of cramfs). I believe the account is leftover from the SDK that iRMC S4 appears to be based on.

All my attempts to login as sysadmin via SSH or uart with the default remman shell were unsuccessful, so it doesn’t appear to be a security risk out of the box.

However, once you have replaced /usr/local/bin/remman with a symlink to /bin/sh it is possible to login as the sysadmin user and enjoy root access to your iRMC S4.

ZyDAS ASM1166 SATA controller

When I was building the Fujitsu TX140 S2, I wanted to purchase a SATA controller to expand the capacity from 6 SATA devices to 12. The ASMedia ASM1166 seemed most interesting as it is a modern design offering six SATA3 6Gbps ports without use of a port multiplier.

Despite what the silk screen on the PCB states, it is not “PCIe 3.0 x4” except in PCIe slot dimensions (since there is no standard for a physical PCIe x2 connector). The ASM1166 has a PCIe 3.0 x2 interface:

So the ASM1166 cannot provide full bandwidth to six SATA3 devices, but it is not as bandwidth limited as other SATA controllers which have only a PCIe x1 host connection. Be aware that the bandwidth will be halved if you install it in a PCIe 2.0 slot, due to the less efficient encoding of PCIe 2.0 (8b/10b) versus PCIe 3.0 (128b/130b).

The board designer did properly route the PCIe x2 connection to the host, as confirmed by lspci:

02:00.0 SATA controller: ASMedia Technology Inc. Device 1166 (rev 02) (prog-if 01 [AHCI 1.0])
        Subsystem: ZyDAS Technology Corp. Device 2116
        Physical Slot: 3
        Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr+ Stepping- SERR+ FastB2B- DisINTx+
        Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 0, Cache Line Size: 64 bytes
        Interrupt: pin A routed to IRQ 26
        Region 0: Memory at f7a82000 (32-bit, non-prefetchable) [size=8K]
        Region 5: Memory at f7a80000 (32-bit, non-prefetchable) [size=8K]
        Expansion ROM at f7a00000 [disabled] [size=512K]
        Capabilities: [40] Power Management version 3
                Flags: PMEClk- DSI+ D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
                Status: D0 NoSoftRst- PME-Enable- DSel=0 DScale=0 PME-
        Capabilities: [50] MSI: Enable+ Count=1/1 Maskable- 64bit+
                Address: 00000000fee00298  Data: 0000
        Capabilities: [80] Express (v2) Endpoint, MSI 00
                DevCap: MaxPayload 512 bytes, PhantFunc 0, Latency L0s <64ns, L1 <1us
                        ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 75.000W
                DevCtl: CorrErr+ NonFatalErr+ FatalErr+ UnsupReq-
                        RlxdOrd- ExtTag+ PhantFunc- AuxPwr- NoSnoop+
                        MaxPayload 128 bytes, MaxReadReq 512 bytes
                DevSta: CorrErr- NonFatalErr- FatalErr- UnsupReq- AuxPwr- TransPend-
                LnkCap: Port #0, Speed 8GT/s, Width x2, ASPM L0s L1, Exit Latency L0s <4us, L1 <64us
                        ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp+
                LnkCtl: ASPM Disabled; RCB 64 bytes Disabled- CommClk+
                        ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
                LnkSta: Speed 8GT/s (ok), Width x2 (ok)
                        TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
                DevCap2: Completion Timeout: Not Supported, TimeoutDis-, NROPrPrP-, LTR-
                         10BitTagComp-, 10BitTagReq-, OBFF Not Supported, ExtFmt-, EETLPPrefix-
                         EmergencyPowerReduction Not Supported, EmergencyPowerReductionInit-
                         FRS-, TPHComp-, ExtTPHComp-
                         AtomicOpsCap: 32bit- 64bit- 128bitCAS-
                DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis-, LTR-, OBFF Disabled
                         AtomicOpsCtl: ReqEn-
                LnkCtl2: Target Link Speed: 8GT/s, EnterCompliance- SpeedDis-
                         Transmit Margin: Normal Operating Range, EnterModifiedCompliance- ComplianceSOS-
                         Compliance De-emphasis: -6dB
                LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete+, EqualizationPhase1+
                         EqualizationPhase2+, EqualizationPhase3+, LinkEqualizationRequest-
        Capabilities: [100 v1] Advanced Error Reporting
                UESta:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq- ACSViol-
                UEMsk:  DLP- SDES- TLP- FCP- CmpltTO- CmpltAbrt- UnxCmplt- RxOF- MalfTLP- ECRC- UnsupReq+ ACSViol-
                UESvrt: DLP+ SDES+ TLP- FCP+ CmpltTO- CmpltAbrt- UnxCmplt- RxOF+ MalfTLP+ ECRC- UnsupReq- ACSViol-
                CESta:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr-
                CEMsk:  RxErr- BadTLP- BadDLLP- Rollover- Timeout- AdvNonFatalErr+
                AERCap: First Error Pointer: 00, ECRCGenCap- ECRCGenEn- ECRCChkCap- ECRCChkEn-
                        MultHdrRecCap- MultHdrRecEn- TLPPfxPres- HdrLogCap-
                HeaderLog: 00000000 00000000 00000000 00000000
        Capabilities: [130 v1] Secondary PCI Express
                LnkCtl3: LnkEquIntrruptEn-, PerformEqu-
                LaneErrStat: 0
        Kernel driver in use: ahci

Power consumption is very good, the card only draws 2.8W idle.

PCIe SATA controllers based on the ASM1166 are comparatively priced to other 5-6 port SATA controllers, but offer more bandwidth than cards using the JMicron JMB585 or Marvell 88SE9125. ASM1166 controllers can be found for around 20€ on AliExpress. There are seemingly some sellers shipping cards with PCIe x1 connectors, so I would advise you to check the reviews of other customers to see which variant the seller sends.

I was unable to find detailed information about the card such as power consumption and lspci output online, which I find very useful when making purchasing decisions, so I thought I should write a short summary. This is not a review or endorsement of any online marketplace or brand.