My OLT (Optical Line Termination) is a VSOL V1600GS-O32. It comes with one GPON port with an attached internal 32 port splitter. Why this one? Honestly, I wasn’t able to find a cheap enough used OLT, so I went for what I think is the cheapest new one. In addition, having the internal splitter saved me from buying one of those. In return it doesn’t allow me to attack the line between OLT and splitter, but I guess I’m far from doing that anyway.
What’s interesting about an OLT?
In current FTTH / GPON / xGPON setups, the passive part of “PON” implies that a single fibre strand goes from the OLT to a passive splitter, where all local customers are connected. With the splitter being fully passive, all customers on the same OLT port, on the same fibre strand, on the same splitter receive exactly the same data. Thus, the downstream communication is encrypted by default and an individual key is stored in every single ONT. While this setup makes sense and is easy to do securely, well, it’s interesting to look at. In addition, the same as with a DSLAM in DSL, the OLT in fibre allows me access to the ONT from the operator side and as such hopefully to management interfaces. A further question to answer is whether a trivial MitM setup is possible, just as in DSL.
One further aspect to look into is the organization of the upstream channel. As every customer on the same splitter also transmits their upstream via the same fibre strand, time division multiplexing is used. This way each ONT has an individual time window in which it may reply. Here the “individual” goes further than just evenly distributing the time slots, as this would waste precious time. Due to each line having a different length (the distance of the houses from the distribution box grows as you move down the street), the signal runtime also varies. Thus the length of the line has to be measured and the time slot for each customer adjusted, to ensure an optimal use of the available capacity. This factor might be interesting for injection (complex), DoS (too easy) and MitM scenarios, where one might need a long line in front of the interception point to stay both synchronized and hidden.
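The ranging just described, as an added illustration (not code from the original post or from VSOL): the OLT measures each ONT's fibre round trip and hands it an equalization delay so that every ONT on the splitter answers as if it sat at the same virtual distance. It goes one step beyond the paragraph by also enforcing the differential reach limit between the nearest and farthest ONT. The fibre group index, the G.984.1 reach limits and counting EqD in whole upstream bits are assumptions; the ONT distances are constructed.

```python
"""GPON upstream ranging: round-trip delay (RTD) and equalization delay (EqD).

Added illustration, not code from the original post or from VSOL.  The OLT
measures each ONT's RTD and assigns an EqD so that RTD + EqD is identical
for every ONT on the splitter; each upstream burst then lands exactly in
the slot the OLT allocated.  Constants marked "assumption" are not from
the post; ONT processing delay is ignored for simplicity.
"""
from typing import Dict

C_M_PER_S = 299_792_458.0
FIBRE_GROUP_INDEX = 1.468           # assumption: standard SMF around 1310 nm
UPSTREAM_BIT_RATE = 1_244_160_000   # GPON upstream 1.244 Gbit/s; EqD counted in bits
MAX_LOGICAL_REACH_M = 60_000        # assumption: G.984.1 maximum logical reach
MAX_DIFFERENTIAL_REACH_M = 20_000   # assumption: G.984.1 max differential fibre distance


def round_trip_delay_s(distance_m: float) -> float:
    """Pure fibre round trip for an ONT distance_m away from the OLT."""
    return 2.0 * distance_m * FIBRE_GROUP_INDEX / C_M_PER_S


def round_trip_bits(distance_m: float) -> int:
    """The same delay in upstream bit times, which is what the OLT measures."""
    return round(round_trip_delay_s(distance_m) * UPSTREAM_BIT_RATE)


# Every ONT must answer as if it were at the maximum logical reach: this is
# the fixed round trip the OLT aims for, whatever the real fibre length.
TARGET_ROUND_TRIP_BITS = round_trip_bits(MAX_LOGICAL_REACH_M)


def equalization_delay_bits(distance_m: float) -> int:
    """EqD the OLT hands to an ONT at distance_m; raises if it cannot be ranged."""
    if distance_m < 0 or distance_m > MAX_LOGICAL_REACH_M:
        raise ValueError(f"{distance_m} m is outside the logical reach")
    return TARGET_ROUND_TRIP_BITS - round_trip_bits(distance_m)


def range_pon(distances_m: Dict[str, float]) -> Dict[str, int]:
    """Range all ONTs on one splitter and enforce the differential reach limit."""
    if not distances_m:
        return {}
    spread = max(distances_m.values()) - min(distances_m.values())
    if spread > MAX_DIFFERENTIAL_REACH_M:
        raise ValueError(f"ONTs spread over {spread:.0f} m exceed the differential reach")
    return {sn: equalization_delay_bits(d) for sn, d in distances_m.items()}


def aligned_arrival_bits(distance_m: float, eqd_bits: int) -> int:
    """When the OLT sees the burst: fibre round trip plus the ONT's EqD wait."""
    return round_trip_bits(distance_m) + eqd_bits


if __name__ == "__main__":
    # Constructed example: four houses down one street on the same splitter.
    street = {"ONT-A": 850.0, "ONT-B": 1_420.0, "ONT-C": 2_975.0, "ONT-D": 4_100.0}
    for sn, eqd in range_pon(street).items():
        print(f"{sn}: RTD {round_trip_bits(street[sn])} bits, EqD {eqd} bits, "
              f"arrives at {aligned_arrival_bits(street[sn], eqd)} bits")
```

Running it shows the farthest ONT receiving the smallest EqD while every burst arrives at the same bit count, which is exactly why a ranging error shows up as a collision with a neighbour's slot.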
The OLT
Seemingly, plugging in the OLT, connecting an ethernet cable and an ONT is all that’s necessary to have a functioning fibre network. The ONT has to be manually added to the known devices and then starts forwarding traffic. I chose to use the SN as the sole authentication property for an easy start.
The first thing I noticed after connecting ONTs was the direct exposure of the SN, SnPW, loid and loidpw. Not surprising, but good to know! This way, in a MitM position, it’s trivial to extract this information. It is also the easiest way to extract the configuration from a random ONT.
Serial Access
The serial console is accessible via a typical Cisco console cable and a USB to serial adapter. Following a Cisco CLI structure, the first command to run is enable, to have access to all commands. start-shell (listed in the CLI help as “start-shell Start UNIX shell”) gives us a full terminal on the OLT.
OMCI
The OLT’s OMCI tools are available via the serial console. omci_app, omci_debug.sh and omcicli are available in $PATH.
Hashes:
33edac5c4722c3e276605a85af4b1074 omci_app
5726c2f7f658f14b3a77746ecd888162 omci_debug.sh
881f0057c5c382e80d19e386fe49e0a0 omcicli
omci_debug.sh
The script can be found in /etc/scripts/omci_debug.sh.
printf "#################### \n"
printf "# DUMP OMCI PROC # \n"
printf "#################### \n"
printf "\n#cat /proc/omci/debugInfo \n"
cat /proc/omci/debugInfo
printf "\n#cat /proc/omci/vgf \n"
cat /proc/omci/vgf
printf "\n#cat /proc/omci/f2dq \n"
cat /proc/omci/f2dq
printf "\n#cat /var/config/omci_custom_opt.conf \n"
cat /var/config/omci_custom_opt.conf
printf "\n#cat /var/config/omci_mib.cfg \n"
cat /var/config/omci_mib.cfg
printf "#################### \n"
printf "# DUMP TR142 # \n"
printf "#################### \n"
printf "\n#cat /proc/rtk_tr142/wan_info \n"
cat /proc/rtk_tr142/wan_info
printf "#################### \n"
printf "# DUMP OMCICLI # \n"
printf "#################### \n"
printf "\n#/bin/omcicli dump avltree \n"
/bin/omcicli dump avltree
printf "\n#/bin/omcicli dump conn \n"
/bin/omcicli dump conn
sleep 2
printf "\n#/bin/omcicli get cflag \n"
/bin/omcicli get cflag
printf "\n#/bin/omcicli debug showregmod \n"
/bin/omcicli debug showregmod
printf "\n#/bin/omcicli mib get 171 \n"
/bin/omcicli mib get 171
printf "\n#/bin/omcicli mib get 84 \n"
/bin/omcicli mib get 84
printf "\n#/bin/omcicli mib get all \n"
/bin/omcicli mib get all
sleep 15
printf "#################### \n"
printf "# DUMP SYS # \n"
printf "#################### \n"
printf "\n#lsmod \n"
lsmod
printf "\n#flash get DUAL_MGMT_MODE \n"
flash get DUAL_MGMT_MODE
printf "\n#flash get DEVICE_TYPE \n"
flash get DEVICE_TYPE
printf "#################### \n"
printf "# DUMP CHIP CFG # \n"
printf "#################### \n"
printf "\n#/bin/diag classf get entry valid \n"
/bin/diag classf get entry valid
printf "\n#/bin/diag debug get version \n"
/bin/diag debug get version
printf "\n#/bin/diag gpon show us-flow \n"
/bin/diag gpon show us-flow
printf "\n#/bin/diag gpon show ds-flow \n"
/bin/diag gpon show ds-flow
printf "#################### \n"
printf "# OMCI LOG # \n"
printf "#################### \n"
printf "\n#cat /tmp/omcilog \n"
cat /tmp/omcilog
sleep 15
printf "\n#cat /tmp/omcilog.par \n"
cat /tmp/omcilog.par
sleep 15
printf "#################### \n"
printf "# OMCI DEBUG END # \n"
printf "#################### \n"
The output is:
# ./omci_debug.sh
####################
# DUMP OMCI PROC #
####################
#cat /proc/omci/debugInfo
cat: can't open '/proc/omci/debugInfo': No such file or directory
#cat /proc/omci/vgf
cat: can't open '/proc/omci/vgf': No such file or directory
#cat /proc/omci/f2dq
cat: can't open '/proc/omci/f2dq': No such file or directory
#cat /var/config/omci_custom_opt.conf
cat: can't open '/var/config/omci_custom_opt.conf': No such file or directory
#cat /var/config/omci_mib.cfg
cat: can't open '/var/config/omci_mib.cfg': No such file or directory
####################
# DUMP TR142 #
####################
#cat /proc/rtk_tr142/wan_info
cat: can't open '/proc/rtk_tr142/wan_info': No such file or directory
####################
# DUMP OMCICLI #
####################
#/bin/omcicli dump avltree
Error send: 2 No such file or directory msgKey:2048
OMCI_SendToMsgQ fail ret:15
#/bin/omcicli dump conn
Error send: 2 No such file or directory msgKey:2048
OMCI_SendToMsgQ fail ret:15
#/bin/omcicli get cflag
Error send: 2 No such file or directory msgKey:2048
OMCI_SendToMsgQ fail ret:15
#/bin/omcicli debug showregmod
Error send: 2 No such file or directory msgKey:2048
OMCI_SendToMsgQ fail ret:15
#/bin/omcicli mib get 171
Error send: 2 No such file or directory msgKey:2048
OMCI_SendToMsgQ fail ret:15
#/bin/omcicli mib get 84
Error send: 2 No such file or directory msgKey:2048
OMCI_SendToMsgQ fail ret:15
#/bin/omcicli mib get all
Error send: 2 No such file or directory msgKey:2048
OMCI_SendToMsgQ fail ret:15
####################
# DUMP SYS #
####################
#lsmod
Tainted: P
nltr 3670 1 - Live 0xffffffbffd410000 (O)
pcie_proxy 190500 2 nltr, Live 0xffffffbffd3d5000 (O)
devmem 3833 3 - Live 0xffffffbffd3d0000 (O)
fld_linux 31313 1 pcie_proxy, Live 0xffffffbffd3bf000 (O)
os_linux 56364 2 pcie_proxy,fld_linux, Live 0xffffffbffd3a7000 (O)
ll_pcie 14741 3 pcie_proxy,devmem,os_linux, Live 0xffffffbffd39d000 (O)
i2c_devs 6973 1 ll_pcie, Live 0xffffffbffd397000 (O)
rtk_igmp_hook 1330741 0 - Live 0xffffffbffd23f000 (O)
fc_mgr 136973 0 - Live 0xffffffbffd1ff000 (PO)
fc_8277c 12042760 1 fc_mgr, Live 0xffffffbffc631000 (PO)
ca_rtk 269141 0 - Live 0xffffffbffc5d0000 (O)
ca_ne 4656149 3 fc_mgr,fc_8277c,ca_rtk, Live 0xffffffbffc062000 (O)
libscfg 60473 2 ca_rtk,ca_ne, Live 0xffffffbffc04e000 (PO)
ca_plat_kernel 72175 3 ca_rtk,ca_ne,libscfg, Live 0xffffffbffc02a000 (O)
smuxdev 116080 0 - Live 0xffffffbffc000000 (O)
#flash get DUAL_MGMT_MODE
DUAL_MGMT_MODE=1
#flash get DEVICE_TYPE
DEVICE_TYPE=1
####################
# DUMP CHIP CFG #
####################
#/bin/diag classf get entry valid
classf get entry valid
RTK.0> command:
#/bin/diag debug get version
debug get version
Diagshell Build Time: Jul 28 2023 08:40:02
Mode: Kernel mode
Platform: SoC -- Normal mode
Chip Support:
Chip probe setting: Auto detect
Chip probe result : Unknown! (ID = 0x8277C000)
unknown chip mode 0x10
RTK.0> command:
#/bin/diag gpon show us-flow
gpon show us-flow
The U/S Flow is not created.
RTK.0> command:
#/bin/diag gpon show ds-flow
gpon show ds-flow
The D/S Flow is not created.
RTK.0> command:####################
# OMCI LOG #
####################
#cat /tmp/omcilog
cat: can't open '/tmp/omcilog': No such file or directory
#cat /tmp/omcilog.par
cat: can't open '/tmp/omcilog.par': No such file or directory
####################
# OMCI DEBUG END #
####################
omcicli
Sadly, most subcommands run into an error message.
#omcicli -h
Usage: omcicli [cmd]
set : set series cmd
get : get series cmd
mib : mib series cmd
dump : dump series cmd
debug : debug series cmd
# omcicli dump
Usage: omcicli dump [cmd]
avltree : dump MAC bridge AVL tree
[avlkeyid]
-list of avl tree key id-
[PPTP Ethernet UNI 0]
[VEIP 1]
[Ext. VLAN OP UNI 3]
[VLAN OP UNI 5]
[VLAN Filter UNI 4]
[MAC bridge port UNI 6]
[MAC bridge service 7]
[MAC bridge port ANI 8]
[VLAN Filter ANI 11]
[VLAN OP ANI 10]
[Ext. VLAN OP ANI 9]
[802.1P mapper 12]
[GEM IWTP 13]
[Mcast GEM IWTP 14]
[GEM Port 15]
qmap : dump tcont queue mapping
conn : dump data path connections
srvflow : dump data path service flow
tasks : dump tasks
# omcicli dump conn
Error send: 2 No such file or directory msgKey:2048
OMCI_SendToMsgQ fail ret:15
# omcicli dump avltree 5
Error send: 2 No such file or directory msgKey:2048
OMCI_SendToMsgQ fail ret:15
diag
The /bin/diag tool also offers OMCI and PLOAM insights. Sadly, a few of the interesting commands result in “Error (0xffffffff): General Error”. This includes gpon get ds-omci, ds-ploam and us-ploam.
RTK.0> gpon get
active-timer - activation timer configuration
aes-framecnt - AES frame counter
alarm-status - current alarm status
auto-boh - auto update BOH configuration
auto-tcont - auto add or delete tcont configuration
bwmap - bwmap
dbru-block-size - dbru block size
ds-bwmap - downstream BWMAP configuration
ds-eth - downstream ethernet configuration
ds-flow - downstream flow configuration
ds-gem - downstream GEM configuration
ds-laser - downstream laser configuration
ds-omci - downstream OMCI configuration
ds-phy - downstream PHY configuration
ds-ploam - downstream PLOAM configuration
eqd-offset - EQD offset configuration
multicast-filter - multicast filter configuration
multicast-filter-entry - multicast filter entry configuration
onu-state - ONU state, O1-O7
password - password configuration
password-hex - password configuration
pps-cnt - PPS cnt information
rdi - RDI configuration
rogue-sd-cnt - rogue ont SD cnt information
serial-number - serial number configuration
serial-number-hex - serial number configuration
serialnumber - serial number configuration
tcont - TCONT configuration
tx - transmit configuration
us-dbr - upstream DBR configuration
us-flow - upstream flow configuration
us-laser - upstream laser configuration
us-phy - upstream PHY configuration
us-ploam - upstream PLOAM configuration
RTK.0> gpon get ds-omci
<enter>
RTK.0> gpon get ds-omci
Error (0xffffffff): General Error
RTK.0> gpon get aes-framecnt
cparser_cmd_gpon_get_aes_framecnt 2668
Links
- https://boxmatrix.info/wiki/Property:omcicli
- https://github.com/Anime4000/RTL960x/blob/main/Docs/OMCI_CLI.md
Notes
- The default credentials are admin and Xpon@Olt9417#
- Config changes are not persistent until stored under System Configuration -> Device Management -> Config file
- The OLT offers a mirror function, also allowing mirroring the PON port to one of the ethernet ports
- With the OLT and ONT on the same switch / layer 2 domain, you have created a loop of death
- Some ONTs simply go directly into transparent mode, just as the OLT, and thus …