D-Link DPN-FX3060V GPON Router
A GPON WiFi Router (All in One) based on Realtek SoC Processor that given by TM for Unifi Ultra Subscriber,
it share same Realtek LUNA SDK as my PON Stick Project. So I quite familiar with the layout.

Official Warranty
1. 1-Year Limited Warranty: Provided by TM, ensuring coverage for manufacturing defects.
2. Free Replacement: Available for customers who are currently under contract with TM.
3. Contractual Implications: For customers not under contract, a replacement will automatically initiate a new 2-year contract with TM.

Avoiding Contract
If you want to avoid committing to a 2-year contract, you can opt for a custom-built GPON Stick or a managed GPON device compatible with TM's OMCI, available for purchase.

Specification
SoC: RTL9607DQ (Cortex A55), 4 Core @ 1GHz, AArch64, ARMv8
RAM: 512MB DDR3L @ 1866MT/s
MEM: 256MB SPI Flash Winbond
OS: Realtek ASDK64, Linux Kernel 5.10.70 (glibc v2.30)
MB: Realtek Taurus ENG Board

A1 (White)
WiFi6: RTL8852CE (2.4GHz & 5GHz)

B1 (Black)
WiFi6: RTL8192XBR (2.4GHz) + RTL8832CR (5GHz)
LAN1: RTL8221B Switch Chip (HiSGMII to 2500Base-T)

Internal
Image of A1 Hardware a gift by chong601
Image of B1 Hardware

Block Diagram
A1 (White)


B1 (Black)


Discovery 10G
I found stock firmware has 10G PON (XGPON, XGSPON). Maybe TM have planning to migrating


Known Issue
1. Prior to B1 Hardware @ V2.0.2 have issue to set bridge mode on certain OLT, temporary fix is by accessing UART at change FwdOp to 0x02
2. Prior to B1 Hardware @ V2.0.2 when in bridge mode, LAN side management such as WebGUI, SSH, Telnet being killed by deep ME 171 (ex: Alcatel-Lucent/Nokia OLT)
3. Both Hardware has so called "Cloud IoT" for D-Link Air, it always running and always watching, other considered this as Backdoor

Vulnerability ⚠️
Two user has been verified there several CVE or more.
If you are concern about security and want to minimise risk of attack, DON'T USE THIS DEVICE

Use of Dumb ONT Bridge to avoid backdoor, can re-use this D-Link as ATA Device, I recommend get own ATA or Desktop SIP Phone

It appear that Firmware V2.0.3 as same vulnerability as previous version

VoIP User Agent


Management Entities Issue
OMCI ME can be very complex and total control of your ONT even without TR069! This mean TM can disallow Bridging and Force creation of PPPoE inside the Router!

Example of Simple OMCI Stack

* based on Alcatel-Lucent/Nokia OLT

ME Point
The RLT9607DQ has HiSGMII which can be paired with RLT8221B for 2.5GbE Access, but it use wrong ME Point, this can be fix by adjusting the OLT or Hack


Nijika Firmware A port form PON Stick Project


I have ported my PON Stick Project to both hardware, In my spare time, I manage to add OLT Info page and bug fix!

OLT Info
ZTEG/5a544547 (ZTE)


ALCL/414c434c (Alcatel-Lucent/Nokia)


ALCL/414c434c (Alcatel-Lucent/Nokia) by jonathanwhm


As you can see, even on same OLT, the way VLAN is being push, set and manage is different, for example my fiber VLAN400 (VoIP) doesn't exist on LAN1 UNI but only exist on VEIP UNI
This discrepancy among OLT's make many user unable to bridge!

OLT Vendor Id

ASCII	HEX
ALCL	414c434c
FHTT	46485454
FHTT	0x00*
HWTC	48575443
UBNT	55424e54
ZTEG	5a544547
-	0x00**

* FHTT send 0x00 to ONT as allowing other ONT work on FHTT OLT
** Sometime TM use off-brand OLT on Kampung/under-develop area

OLT Issue
On my experience during PON Stick deployment, there are many ME 171 to map. Rank from top (most troublesome)

1. Fiberhome (FHTT) (most troublesome)
2. Alcatel-Lucent/Nokia (ALCL)
3. Huawei (HWTC)
4. ZTE (ZTEG) (least troublesome)
If you ask me, FHTT is crap to work with! I hate FHTT Priority Queue so much!

Share OLT Status Page
Please update the firmware to correct Hardware A1 or B1, and share your OLT Info just like screenshot above,
This way we here can know which OLT are you on, either troublesome FHTT or awesome ZTEG

Firmware download can be found on next post

This post has been edited by Anime4000: Oct 27 2024, 03:49 AM

Firmware Download
D-Link DPN-FX3060V, Hardware A1 (White):
DPN-FX3060V_V1.1.2_20231108_rel241118.njk

D-Link DPN-FX3060V, Hardware B1 (Black):
DPN-FX3060V_V2.0.3_20240802_rel241118.njk

WARNING!
By flashing this custom firmware, your device warranty will be invalid!

Change Log


Revert Firmware
To roll back, just enable SSH/Telnet in the WebGUI and do this:



If value return 0:


If value return 1:


This post has been edited by Anime4000: Nov 28 2024, 10:00 AM

I have 3 questions:

1. Does your firmware provide a fix for the issue where bridge mode is unavailable on certain OLTs?
2. Do we have the original firewall configuration to roll back to in case anything happens before the TM team arrives?
3. Could you share the steps or method for updating the firmware, so we avoid any mistakes that might cause issues?

This post has been edited by jiaen0509: May 23 2024, 05:52 PM

1. Not yet, I believe this fixable via changing FwdOp, at least works on me under Nokia OLT

2. The firmware is pulled from the SPI Flash, I only modify to add only OLT Info page, this help to troubleshooting how OLT set your VLAN and TM doesn't care, I show this to them, they liked OLT Info page as this very useful information

3. Just update as usual at Maintenance ▶️ Firmware Upgrade.
To roll back, just enable SSH/Telnet and do this:



If value return 0:


If value return 1:


This Router has two different OS, can set which partition need to boot

I requested TM to switch the ONU model from A1 to B1. The next morning, three technicians from TM came to my house to inspect the ONU. They decided not to make the change because the ONU was still functioning perfectly. They also questioned me about how I obtained Nijiki's firmware over the call. Unfortunately, I wasn't home at that time to answer their questions and paksa them to change the model
P/S: My dad saw them taking a photo of the ONU login screen at that time.

This post has been edited by jonathanwhm: May 25 2024, 03:49 PM

They like to snap snap snap whatever they like. I use my own Asus router also their face like surprised and take my asus router picture😒

Using own router not a problem but custom modding or tampering their service equipment considered breach of ToS already. They can deny you their service or even blacklist you. It also break your ONR warranty. In this case I'm sure they'll dig more about Anime's firmware and I'm not surprised if they disable manual future update and only push updates through TR-069. That's why it's important to roll back any changes you made to the device before any on-site visit or warranty claim. Not just for TM's equipment but all other devices running under custom firmwares. Aways make sure to go back to stock beforehand.

This post has been edited by Ashren: May 25 2024, 09:53 PM

You can just switch Boot Partition back to Stock Partition, first, do this:

Roll Back Previous Boot Partition
Enable SSH/Telnet


Login SSH

Type tmadmin@192.168.0.1 at Windows Console or Linux/Mac Terminal

Enter Busybox

Type "sh" after saw >

Now in Busybox

You will see # when in busybox

Get Current Boot Partition


Set Boot Partition


NOTE:
When return sw_active=1, type this:


When return sw_active=0, type this:


This will switch boot, it's recommend boot into 0 first and let Nijika at 1

before you flash Nijika, make sure check sw_active=0, then you can update firmware, this will flash Nijika at Partition 1 and automatically reboot to Partition 1

This time, you have:
Stock at sw_active=0 Partition 0
Nijika at sw_active=1 Partition 1

This post has been edited by Anime4000: May 25 2024, 10:07 PM

Nice to see some Java. Don’t know why I expected the ont to be running some version of sap hana for account status stuff 💀

This post has been edited by sadlyfalways: May 26 2024, 01:59 AM

Java? It's more like C to me.

I have send mtd14 (ubi_apps) and IoT Module (D-Link Air) to PON Hacking

There is several vulnerabilities:
1. IoT not suppose to run as Root Privilege
2. IoT bind on all Interface (ppp, nas0, nas1, ethX, wlanX) including t-cont





ubi_apps, tr142 and /bin/ccom_linkkit always run as root no matter what, cannot be disable in WebGUI

they found many vulnerability such as common overflow, it can be attack even in Bridge Mode.

I trying to remove from the firmware, it caught on boot loop 😭
It has been suggested that to replace to ability to reply in boot process, this will take time, might more time eradicate any IoT

Today I plugged back the A1 (White) ONR and bridge mode to my ASUS router. Noticed one issue with my speed where my upload was capped around 150mbps.

While full speed on my ZTE ONU

can you flash my custom firmware and screenshot OLT Info

I just got the ONU replaced by TM this evening, from model A1 to B1. I'm running on Bridge Mode and using my Deco BE85 as a router. I managed to get around 2085Mbps DL and 1037Mbps UL.

hi, would like to ask, is it possible for me to setup my old router (dir x1860z) as mesh with my new onr (dpn fx3060z)

i already tried couple of time using wps button, but not successful

is there any method and step to pair it if it possible

replaced ? u request or the white one got prob ? got contract extension for replacement ?

Yes, it has been replaced. There is no contract extension, but an additional RM50 is charged to this month's bill.

I just take a look at the firmware. Can you provide the content of ubi0:ubi_Config (/var/config)?

ubi cannot be disabled because it is used to mount the config partition.

tr142 (kernel module + tr142_app) is loaded via the following path:
insdrv.sh -> rtk_tr142.sh

However I am not sure if it can be easily disabled because it is referenced in the following binary: axel, boa, monitord, omci_app, smuxctl, startup.
You can try nuking it in insdrv.sh and see if the device still boots.

ccom_linkkit is linked inside /bin/startup. Theoretically building a new statically linked ccom_linkkit should work.

Depending if they actually check for error code, you might get away with replacing ccom_linkkit with inert binary like id:


Also looks like iot-auth-global.aliyuncs.com is actually dead. Depending on which server you hit, you get a 302 to different location. I did not have the hardware to test this, but it seems hardcoded to lookup using the following DNS server: 223.5.5.5, 223.6.6.6, 8.8.8.8.

Completely untested, all based on static analysis and non expert understanding.

This post has been edited by kwss: Jul 24 2024, 09:15 AM

I have ARM64 build root, all sus binary replaced with "int main::return 0;" as you mention it, luckily it still boot but usable not tried yet.

all the rucks happen lately, I stop Reverse Engineering on this D-Link DPN series, and remove the firmware download links

I have been told in discord discussion that D-Link DPN-FX3060V has vulnerable, they still didn't tell me how to exploit it, as for this I now didn't care to nuke sus IoT binary out of D-Link, just let them hack the D-Link

This post has been edited by Anime4000: Jul 24 2024, 12:39 PM