D-Link DPN-FX3060V GPON Router
A GPON WiFi Router (All in One) based on Realtek SoC Processor that given by TM for Unifi Ultra Subscriber,
it share same Realtek LUNA SDK as my PON Stick Project. So I quite familiar with the layout.

Official Warranty
1. 1-Year Limited Warranty: Provided by TM, ensuring coverage for manufacturing defects.
2. Free Replacement: Available for customers who are currently under contract with TM.
3. Contractual Implications: For customers not under contract, a replacement will automatically initiate a new 2-year contract with TM.

Avoiding Contract
If you want to avoid committing to a 2-year contract, you can opt for a custom-built GPON Stick or a managed GPON device compatible with TM's OMCI, available for purchase.

Specification
SoC: RTL9607DQ (Cortex A55), 4 Core @ 1GHz, AArch64, ARMv8
RAM: 512MB DDR3L @ 1866MT/s
MEM: 256MB SPI Flash Winbond
OS: Realtek ASDK64, Linux Kernel 5.10.70 (glibc v2.30)
MB: Realtek Taurus ENG Board

A1 (White)
WiFi6: RTL8852CE (2.4GHz & 5GHz)

B1 (Black)
WiFi6: RTL8192XBR (2.4GHz) + RTL8832CR (5GHz)
LAN1: RTL8221B Switch Chip (HiSGMII to 2500Base-T)

Internal
Image of A1 Hardware a gift by chong601
Image of B1 Hardware

Block Diagram
A1 (White)


B1 (Black)


Discovery 10G
I found stock firmware has 10G PON (XGPON, XGSPON). Maybe TM have planning to migrating


Known Issue
1. Prior to B1 Hardware @ V2.0.2 have issue to set bridge mode on certain OLT, temporary fix is by accessing UART at change FwdOp to 0x02
2. Prior to B1 Hardware @ V2.0.2 when in bridge mode, LAN side management such as WebGUI, SSH, Telnet being killed by deep ME 171 (ex: Alcatel-Lucent/Nokia OLT)
3. Both Hardware has so called "Cloud IoT" for D-Link Air, it always running and always watching, other considered this as Backdoor

Vulnerability ⚠️
Two user has been verified there several CVE or more.
If you are concern about security and want to minimise risk of attack, DON'T USE THIS DEVICE

Use of Dumb ONT Bridge to avoid backdoor, can re-use this D-Link as ATA Device, I recommend get own ATA or Desktop SIP Phone

It appear that Firmware V2.0.3 as same vulnerability as previous version

VoIP User Agent


Management Entities Issue
OMCI ME can be very complex and total control of your ONT even without TR069! This mean TM can disallow Bridging and Force creation of PPPoE inside the Router!

Example of Simple OMCI Stack

* based on Alcatel-Lucent/Nokia OLT

ME Point
The RLT9607DQ has HiSGMII which can be paired with RLT8221B for 2.5GbE Access, but it use wrong ME Point, this can be fix by adjusting the OLT or Hack


Nijika Firmware A port form PON Stick Project


I have ported my PON Stick Project to both hardware, In my spare time, I manage to add OLT Info page and bug fix!

OLT Info
ZTEG/5a544547 (ZTE)


ALCL/414c434c (Alcatel-Lucent/Nokia)


ALCL/414c434c (Alcatel-Lucent/Nokia) by jonathanwhm


As you can see, even on same OLT, the way VLAN is being push, set and manage is different, for example my fiber VLAN400 (VoIP) doesn't exist on LAN1 UNI but only exist on VEIP UNI
This discrepancy among OLT's make many user unable to bridge!

OLT Vendor Id

ASCII	HEX
ALCL	414c434c
FHTT	46485454
FHTT	0x00*
HWTC	48575443
UBNT	55424e54
ZTEG	5a544547
-	0x00**

* FHTT send 0x00 to ONT as allowing other ONT work on FHTT OLT
** Sometime TM use off-brand OLT on Kampung/under-develop area

OLT Issue
On my experience during PON Stick deployment, there are many ME 171 to map. Rank from top (most troublesome)

1. Fiberhome (FHTT) (most troublesome)
2. Alcatel-Lucent/Nokia (ALCL)
3. Huawei (HWTC)
4. ZTE (ZTEG) (least troublesome)
If you ask me, FHTT is crap to work with! I hate FHTT Priority Queue so much!

Share OLT Status Page
Please update the firmware to correct Hardware A1 or B1, and share your OLT Info just like screenshot above,
This way we here can know which OLT are you on, either troublesome FHTT or awesome ZTEG

Firmware download can be found on next post

This post has been edited by Anime4000: Oct 27 2024, 03:49 AM

Firmware Download
D-Link DPN-FX3060V, Hardware A1 (White):
DPN-FX3060V_V1.1.2_20231108_rel241118.njk

D-Link DPN-FX3060V, Hardware B1 (Black):
DPN-FX3060V_V2.0.3_20240802_rel241118.njk

WARNING!
By flashing this custom firmware, your device warranty will be invalid!

Change Log


Revert Firmware
To roll back, just enable SSH/Telnet in the WebGUI and do this:



If value return 0:


If value return 1:


This post has been edited by Anime4000: Nov 28 2024, 10:00 AM

I have 3 questions:

1. Does your firmware provide a fix for the issue where bridge mode is unavailable on certain OLTs?
2. Do we have the original firewall configuration to roll back to in case anything happens before the TM team arrives?
3. Could you share the steps or method for updating the firmware, so we avoid any mistakes that might cause issues?

This post has been edited by jiaen0509: May 23 2024, 05:52 PM

1. Not yet, I believe this fixable via changing FwdOp, at least works on me under Nokia OLT

2. The firmware is pulled from the SPI Flash, I only modify to add only OLT Info page, this help to troubleshooting how OLT set your VLAN and TM doesn't care, I show this to them, they liked OLT Info page as this very useful information

3. Just update as usual at Maintenance ▶️ Firmware Upgrade.
To roll back, just enable SSH/Telnet and do this:



If value return 0:


If value return 1:


This Router has two different OS, can set which partition need to boot

I requested TM to switch the ONU model from A1 to B1. The next morning, three technicians from TM came to my house to inspect the ONU. They decided not to make the change because the ONU was still functioning perfectly. They also questioned me about how I obtained Nijiki's firmware over the call. Unfortunately, I wasn't home at that time to answer their questions and paksa them to change the model
P/S: My dad saw them taking a photo of the ONU login screen at that time.

This post has been edited by jonathanwhm: May 25 2024, 03:49 PM

They like to snap snap snap whatever they like. I use my own Asus router also their face like surprised and take my asus router picture😒

Using own router not a problem but custom modding or tampering their service equipment considered breach of ToS already. They can deny you their service or even blacklist you. It also break your ONR warranty. In this case I'm sure they'll dig more about Anime's firmware and I'm not surprised if they disable manual future update and only push updates through TR-069. That's why it's important to roll back any changes you made to the device before any on-site visit or warranty claim. Not just for TM's equipment but all other devices running under custom firmwares. Aways make sure to go back to stock beforehand.

This post has been edited by Ashren: May 25 2024, 09:53 PM

You can just switch Boot Partition back to Stock Partition, first, do this:

Roll Back Previous Boot Partition
Enable SSH/Telnet


Login SSH

Type tmadmin@192.168.0.1 at Windows Console or Linux/Mac Terminal

Enter Busybox

Type "sh" after saw >

Now in Busybox

You will see # when in busybox

Get Current Boot Partition


Set Boot Partition


NOTE:
When return sw_active=1, type this:


When return sw_active=0, type this:


This will switch boot, it's recommend boot into 0 first and let Nijika at 1

before you flash Nijika, make sure check sw_active=0, then you can update firmware, this will flash Nijika at Partition 1 and automatically reboot to Partition 1

This time, you have:
Stock at sw_active=0 Partition 0
Nijika at sw_active=1 Partition 1

This post has been edited by Anime4000: May 25 2024, 10:07 PM

Nice to see some Java. Don’t know why I expected the ont to be running some version of sap hana for account status stuff 💀

This post has been edited by sadlyfalways: May 26 2024, 01:59 AM

Java? It's more like C to me.

I have send mtd14 (ubi_apps) and IoT Module (D-Link Air) to PON Hacking

There is several vulnerabilities:
1. IoT not suppose to run as Root Privilege
2. IoT bind on all Interface (ppp, nas0, nas1, ethX, wlanX) including t-cont





ubi_apps, tr142 and /bin/ccom_linkkit always run as root no matter what, cannot be disable in WebGUI

they found many vulnerability such as common overflow, it can be attack even in Bridge Mode.

I trying to remove from the firmware, it caught on boot loop 😭
It has been suggested that to replace to ability to reply in boot process, this will take time, might more time eradicate any IoT

Today I plugged back the A1 (White) ONR and bridge mode to my ASUS router. Noticed one issue with my speed where my upload was capped around 150mbps.

While full speed on my ZTE ONU

can you flash my custom firmware and screenshot OLT Info

I just got the ONU replaced by TM this evening, from model A1 to B1. I'm running on Bridge Mode and using my Deco BE85 as a router. I managed to get around 2085Mbps DL and 1037Mbps UL.

hi, would like to ask, is it possible for me to setup my old router (dir x1860z) as mesh with my new onr (dpn fx3060z)

i already tried couple of time using wps button, but not successful

is there any method and step to pair it if it possible

replaced ? u request or the white one got prob ? got contract extension for replacement ?

Yes, it has been replaced. There is no contract extension, but an additional RM50 is charged to this month's bill.

I just take a look at the firmware. Can you provide the content of ubi0:ubi_Config (/var/config)?

ubi cannot be disabled because it is used to mount the config partition.

tr142 (kernel module + tr142_app) is loaded via the following path:
insdrv.sh -> rtk_tr142.sh

However I am not sure if it can be easily disabled because it is referenced in the following binary: axel, boa, monitord, omci_app, smuxctl, startup.
You can try nuking it in insdrv.sh and see if the device still boots.

ccom_linkkit is linked inside /bin/startup. Theoretically building a new statically linked ccom_linkkit should work.

Depending if they actually check for error code, you might get away with replacing ccom_linkkit with inert binary like id:


Also looks like iot-auth-global.aliyuncs.com is actually dead. Depending on which server you hit, you get a 302 to different location. I did not have the hardware to test this, but it seems hardcoded to lookup using the following DNS server: 223.5.5.5, 223.6.6.6, 8.8.8.8.

Completely untested, all based on static analysis and non expert understanding.

This post has been edited by kwss: Jul 24 2024, 09:15 AM

I have ARM64 build root, all sus binary replaced with "int main::return 0;" as you mention it, luckily it still boot but usable not tried yet.

all the rucks happen lately, I stop Reverse Engineering on this D-Link DPN series, and remove the firmware download links

I have been told in discord discussion that D-Link DPN-FX3060V has vulnerable, they still didn't tell me how to exploit it, as for this I now didn't care to nuke sus IoT binary out of D-Link, just let them hack the D-Link

This post has been edited by Anime4000: Jul 24 2024, 12:39 PM

I reverse engineer ccom_linkkit.
It is basically built on top of AliOS Things, which can be found here:
https://github.com/alibaba/AliOS-Things

The vulnerabilities seems to be many of the components are old and never updated.
After looking at some of the CVE, potentially exploitable in the real world are:
CVE-2024-2466
CVE-2024-23775
CVE-2024-6197

I am limiting my CVE search to within these 2 years based on the state of AliOS Things repo.
No doubt there are other known CVE but I feel they are a bit "hard" to exploit.
If I am the attacker I would just focus on the above CVEs.

I only check for curl, cjson and mbedtls. I did not go look at the other long list of components.
This is really some intense time consuming work.

As for boa, I let this article do the talking:
https://www.theregister.com/2022/11/23/micr...boa_web_server/

This post has been edited by kwss: Jul 27 2024, 07:38 AM

Your finding is same CVE as other guy found, but he found more apparently.
he said firmware is easily override with infected firmware and can prevent bridging,

so, forcing user to use as router so the device can become zombie/botnet
⬆️ it is possible some user reportingg can't bridge and slow speed? might device already infected

OMG that is scary and diabolical man!

Both my dlinks at different sites have this problem, suddenly speed with throttle down to 300/100. white and black also like that. There seems to be no set schedule when it happens, sometimes, day time, night time/ twice a day, 3 days once......

Black one will replace once i get my media converter, will use with the ODI stick.

This whole speed drop thing is still a mystery.
It might be malware, might be something else, might be a lot of things.

I don't think I will spend that kind of time to finally prove what caused it. Or maybe I get lucky.

I don't even know where to look right now.

Well, not worth of time to clean-up the D-Link or even de-compile ARM64 driver for OpenWRT on D-Link ONR

unlike PON Stick use very specific modified MIPS R3000 SoC, so far no one can compile simple hello beside obtain official Realtek Luna SDK

ARM64? Quite easy to make own binary

I having this same exact issue! It's driving me nuts why suddenly my internet will DC and later internet speed dropped to exactly the speed range you mentioned. (Free upgraded 1Gbps plan, and TM said have to change ONU/router to this). It's running in bridge mode currently.

Not sure if complaining to TM will help.. or if there's any way to resolve the issue/root cause.. reboot seems to fix but it's just the temporary for a few days.

I tried changing all sorts of setting, no point mentioning coz nothing worked.

Since it's a 1 gbps package, I have reverted to to the old huawei onu, it's been two days, speed hasnt' dropped yet. Will wait 1 week and update here (Coz sometimes the speed can tahan 4, 5 days, then suddenly drop again).

My other site is using a 2 gbps package, so using the old onu is not an option. For this site, I'm using an SFP xpon flashed by Anime4000.

Basically, stopped using the dlink ONU's both white and black.

I'm trying to revert to the old Huawei ONU, but for now seems like the PPPoE cannot dial, not sure if the old modem already blacklist or what.. will keep trying.

All the setting still intact, installer didn't reset it so not sure why it's not working.

This post has been edited by MelancholicAnubis: Jul 30 2024, 10:36 PM

You should make a fuss out of it to MCMC. I hope the pressure will stop TM from giving ONR to people.

Same issue I facing before when change DP Fiberhome to DP Nokia.
Their system has bind your ONU/PLOAM Password with S/N (Reason: prevent stolen PLOAM Password)

I believe Huawei HG8240H (and H5 variant) can change S/N in Full Hex,
So, Try this example:


Then, backup your Huawei SN then replace like this 444C4B4934101F1F



It said can put "DLKI34101F1F", try that too

With recent my IPv6 case has been closed, I think TM still giving AIO / ONR for make internet cheaper...

at least TM didn't prevent use of PON Stick,

This post has been edited by Anime4000: Jul 31 2024, 01:03 PM

Joining the DPN-FX3060V Black club. Still in box though.

Welcome, we advice not to use this D-Link because have unpatched CVE

It's has been 1 week, speeds are stable on both sides, one using old ONU, other using the Xpon stick.

This pretty much confirms that the speed throttling issue is only with the black or white D-Link ONR, using bridge mode

I read this thread. Now scared to even look at the DLink.

Later PM you for GPON stick.

feel free to whatsapp me

Also joined the black ONR club.

Is it possible to change the default DNS to Google or Cloudflare on the router?

It isn't as straightforward as the DIR-X3060Z.

can, but Plain DNS, ISP can hijack the query

Understood. Got any pointers on where to change it? Thanks!

via DHCP Server?

Tried changing it. Either I did it wrong or the router is ignoring the settings.

welp, if that didn't work, I suggest you to use own Router with DoH Support

I think ASUS models have the best DoT/DoH support? If i bridge the ONR will it break VoIP?

Technically it shouldn’t although I’ve not tried the VoIP as I no longer use a home phone.

Asus only supports DoT, it seems to come from Asuswrt-Merlin then got implemented back to stock firmware

DoH is not supported, and it seems like Merlin is not a fan of DoH so I don't think he will ever implement it (he does not like that dns traffic gets mixed in with http content)

with that said, there's probably something you can download and install on asuswrt-merlin

When in bridge mode, only bridge what ME 171 told to do, only VLAN500 get passed as tagged traffic and VoIP remain as is

Many reports D-Link speed would drop overtime

This post has been edited by Anime4000: Aug 30 2024, 01:28 PM

Any guesses/speculations why the speed drops overtime when in bridge mode?

This one I not sure, check RAM are fine and no visible memory leak, it appear to be random time at random OLT,
I thought FHTT OLT cause it, also effect on HWTC and ALCL OLT.

This post has been edited by Hikari Natsumi: Aug 30 2024, 01:47 PM

I finally encountered a speed drop issue when my VPN was connected to SG server. Initially, the connection was running at full speed for the first 5-10 minutes after the VPN was established. However, after some time, the speed capped at 320/150. Even after disconnecting the VPN, the speed remained capped at 320/150 until I rebooted the ONU unit.

No speed drop issue so far if I am not using any VPN service after the ONU rebooted. It happened again and again 10 minutes after the VPN was established.

This post has been edited by jonathanwhm: Aug 30 2024, 01:54 PM

Just wondering. Did you torrent or transfer lots of data after you turn on VPN?
If you turn on VPN and do nothing, does the speed still drop?

Yes. The speed is still capped after a certain period, even if I do nothing once the VPN is established. Is it possible to have a capping system that detects the change in the routing and then throttles the speed?

I'm not aware of such thing in D-Link but currently I suspect the 2.5G switch chip is overheating.
In the white D-Link, this external switch chip doesn't exist. All the functionality is provided by the SoC.

Do you happen to put the device in a confined space?

You have experiment and can trigger the speed drop as many times as you want just by connecting to VPN?

What VPN protocol did you use?

The ONU device is placed in an open area, and the ONU temperature is consistently below 20 degrees.

The speed drop only happens when connecting to a VPN (OpenVPN protocol). I tested many times and am pretty sure my line was capped after the VPN was established.

This post has been edited by jonathanwhm: Aug 30 2024, 03:49 PM

Just to be clear. You establish the VPN from your computer and not via the ONR right?
Do you use UDP or TCP for your OpenVPN?

As far as I know, middlebox don't have any special rules for OpenVPN, unlike IKE, GRE or some other protocol.

Does your VPN provider provide more than one SG server? Try to do a traceroute/mtr to the hostname of your current SG VPN server (while not connected to the VPN, obviously) to determine the peering/transit providers. Check with your other SG VPN nodes. Hopefully your provider has a different server on a different rack/datacenter using a different peering path. I’m asking because with certain peering providers, ISPs might perform some sort of load balancing, not to target you specifically, but mainly because they’re cheapskate and won’t pay peering providers for a bigger bandwidth pipe.

This post has been edited by dev/numb: Aug 30 2024, 04:01 PM

I tested both on my computer and on my own router (in bridge mode) using the UDP setting. Both are getting the speed capped too.

With bridge mode most of the control logic are turned off. Either something is happening at the OMCI or my earlier suspicion, the external switch chip.

But none of these know you are using OpenVPN.

Just to rule out the switch chip:
Can you try iperf between the 2.5G port and the other 1G port?
Just blast them with bi-directional data

I tested on 3 different SG servers (all 3 SG servers hosted by different telcos in SG) and got the same result which the speed was capped after some time. It's really strange that it happened only when the VPN was established. All back to normal after I rebooted the ONU without connecting to the VPN.

I recently got upgraded and was given the DPN-FX3060V combo box. Every time I leave the house or disconnect from the home internet, I can’t connect back to the wifi.

I need to restart the router every time in order to make a connection. Restarting the phone doesn’t work. Is there a way to troubleshoot this?

* the combo box come in default settings done by the technician.

Do you happen to use a USB-C dock?
What about other device? Can they reconnect?
What about already connected devices? Do they continue to work?
What if you manually disconnect your phone while you are home? Can it reconnect?
Can you pinpoint it to a single device that cause this issue?

Today I also reporting in.

I am able to connect to the 2.4G without problem but all devices can’t connect to 5G after manually disconnect. Sometimes it also auto disconnect from the 5G

This post has been edited by micwk: Sep 2 2024, 10:58 AM


Attached thumbnail(s)

Welcome, for safety...
There is known vulnerabilities and been proven hacker can override own firmware and turn as zombie/bot net, I suggest not using this D-Link, perhaps use stock ONU

Can you try changing the 5GHz Wi-Fi to non-DFS channel?

Did you have this problem since the day you get the D-Link or only these few days?
Do you have non-Apple device? Do they work?

ive been offered a free upgrade.

my current ONT is some 2 years old i believe. currently i use my own mikrotik router. i hear the new device is some combobox, i desire to use my own mikrotik router still, so what kinda changes are we seeing here?

i really hope to not involve double NAT.

what stock ONU? my current one?

LMAO. F.

It can be bridged, so double NAT can be avoided

problem is there seems to be serious speed issues, a lot of people have it drop to 300Mbps randomly and only a reboot resolves it

so if there's security and performance issues, then can we just use our existing one?

they called me today, say im eligible for a free upgrade. as i asked questions, i learned of this new 'combobox'. i thought it was weird that they need to ask if i want the upgrade, so i asked why wouldn't anyone want it? anything hidden? and thats when i learned that they may not like the router. and so it brought me to this post.

plan would be 800mbps -> 1gbit plan. i am very certain the bottleneck isn't going to be local 99.99% the time. LAN being 1gbit, why would i need 2.5gbit lan port? can we actually purchase our own ONU or ONT wahtever its called?

Well, 1gig Lan port = 940Mbps in the real world
2.5gig Lan port can help you extract that last 60Mbps or so for a true 1gig

But yes, the bottleneck will mostly be in international routing

Own ONU/ONT, not supposed to replace on your own, but the TS of this thread sells their own customized one

o i'd actually be interested. what benefit from custom one?

all own devices, many big company I setup use my GPON stick, as they don't want ISP and Gov spying and/or take control, especially at ONU.

Who knows, now DNS has been hijacked as per MCMC requirement.

Future? all using ONR, ISP can override bridge mode into router mode and prevent user using own Router...
Or SNI intercepted (force using TLS1.2 and detect Domain Name in HTTPS header)
Or even worst ONR do the MITM attack.

Even you disable TR069, ISP can manage your ONU/ONR from OLT.

this what GPON Stick come... Ignore, Override and Reply fake OK to OLT and keep bridge mode.

ISP can say giving ONR is able to reduce cost, but I don't believe it!

Like Huawei EG8010Hv6 is just dumb one LAN port bridge that Allo in Penang using it.

But... One LAN port no longer allow customers use two ISP
TM no longer allow to subscribe multiple ISP for quite some time, EG8010Hv6 + AX3000/6000 router still cost effective and as usual user can use own router,

TM so big, can ask Huawei to make EG8010Hv6 with POTS variant for analogue telephone, and still cheap.

If you want avoid tampering by big boyz, don't use ONR, if you have old ONU, use it, or buy used Huawei ONU like HG8240H, HG8240H5

ill surely reject the dlink, i suppose i insist on keeping my old one then? or must i change

for >= 1Gbps plan, just use old ONU, technician won't take it after upgrade

I just got my upgrade with the Dlink DPN-FX3060V as well...
when raise a case with them...
TM installer called said they can offer the choice of the other 2 model of
Fiberhome AX3000 or skyworth AX3000 CPE that only drawback has only 1G port instead of 2.5G port...

finally finish my FSU upgrade





This post has been edited by syahpian: Sep 6 2024, 12:01 AM

Nice, an ALCL (Nokia) OLT,

are you on Unifi Biz? saw VLAN400 exist on LAN1

nope, me on normal home unifi plan

odd, the way VLAN is provision is not same as me even same OLT, haha

Out of curiosity, who is responsible to patch the known CVEs? Can we report it to somebody?

have told TM and still no answer, I guess they don't care

Fiberhome which they also like to use has a model exactly with those requirements

Fiberhome AN5506-02-B
1 or 2 LAN Port, 1 VOIP Port

https://en.fiberhome.com/TNOTN/20240130/46448.html
https://www.gditechnology.com/manuals/AN550...2%20_Manual.pdf

Maybe can open ticket at cyber security malaysia?

https://www.cybersecurity.my/en/index.html

I try to compile required document, but... only I know, thing some one in Hack GPON group didn't disclose the exploit, so I can't report this as I don't know how to replicate their exploit