D-Link DPN-FX3060V GPON Router
A GPON WiFi Router (All in One) based on Realtek SoC Processor that given by TM for Unifi Ultra Subscriber,
it share same Realtek LUNA SDK as my PON Stick Project. So I quite familiar with the layout.

Official Warranty
1. 1-Year Limited Warranty: Provided by TM, ensuring coverage for manufacturing defects.
2. Free Replacement: Available for customers who are currently under contract with TM.
3. Contractual Implications: For customers not under contract, a replacement will automatically initiate a new 2-year contract with TM.

Avoiding Contract
If you want to avoid committing to a 2-year contract, you can opt for a custom-built GPON Stick or a managed GPON device compatible with TM's OMCI, available for purchase.

Specification
SoC: RTL9607DQ (Cortex A55), 4 Core @ 1GHz, AArch64, ARMv8
RAM: 512MB DDR3L @ 1866MT/s
MEM: 256MB SPI Flash Winbond
OS: Realtek ASDK64, Linux Kernel 5.10.70 (glibc v2.30)
MB: Realtek Taurus ENG Board

A1 (White)
WiFi6: RTL8852CE (2.4GHz & 5GHz)

B1 (Black)
WiFi6: RTL8192XBR (2.4GHz) + RTL8832CR (5GHz)
LAN1: RTL8221B Switch Chip (HiSGMII to 2500Base-T)

Internal
Image of A1 Hardware a gift by chong601
Image of B1 Hardware

Block Diagram
A1 (White)


B1 (Black)


Discovery 10G
I found stock firmware has 10G PON (XGPON, XGSPON). Maybe TM have planning to migrating


Known Issue
1. Prior to B1 Hardware @ V2.0.2 have issue to set bridge mode on certain OLT, temporary fix is by accessing UART at change FwdOp to 0x02
2. Prior to B1 Hardware @ V2.0.2 when in bridge mode, LAN side management such as WebGUI, SSH, Telnet being killed by deep ME 171 (ex: Alcatel-Lucent/Nokia OLT)
3. Both Hardware has so called "Cloud IoT" for D-Link Air, it always running and always watching, other considered this as Backdoor

Vulnerability ⚠️
Two user has been verified there several CVE or more.
If you are concern about security and want to minimise risk of attack, DON'T USE THIS DEVICE

Use of Dumb ONT Bridge to avoid backdoor, can re-use this D-Link as ATA Device, I recommend get own ATA or Desktop SIP Phone

It appear that Firmware V2.0.3 as same vulnerability as previous version

VoIP User Agent


Management Entities Issue
OMCI ME can be very complex and total control of your ONT even without TR069! This mean TM can disallow Bridging and Force creation of PPPoE inside the Router!

Example of Simple OMCI Stack

* based on Alcatel-Lucent/Nokia OLT

ME Point
The RLT9607DQ has HiSGMII which can be paired with RLT8221B for 2.5GbE Access, but it use wrong ME Point, this can be fix by adjusting the OLT or Hack


Nijika Firmware A port form PON Stick Project


I have ported my PON Stick Project to both hardware, In my spare time, I manage to add OLT Info page and bug fix!

OLT Info
ZTEG/5a544547 (ZTE)


ALCL/414c434c (Alcatel-Lucent/Nokia)


ALCL/414c434c (Alcatel-Lucent/Nokia) by jonathanwhm


As you can see, even on same OLT, the way VLAN is being push, set and manage is different, for example my fiber VLAN400 (VoIP) doesn't exist on LAN1 UNI but only exist on VEIP UNI
This discrepancy among OLT's make many user unable to bridge!

OLT Vendor Id

ASCII	HEX
ALCL	414c434c
FHTT	46485454
FHTT	0x00*
HWTC	48575443
UBNT	55424e54
ZTEG	5a544547
-	0x00**

* FHTT send 0x00 to ONT as allowing other ONT work on FHTT OLT
** Sometime TM use off-brand OLT on Kampung/under-develop area

OLT Issue
On my experience during PON Stick deployment, there are many ME 171 to map. Rank from top (most troublesome)

1. Fiberhome (FHTT) (most troublesome)
2. Alcatel-Lucent/Nokia (ALCL)
3. Huawei (HWTC)
4. ZTE (ZTEG) (least troublesome)
If you ask me, FHTT is crap to work with! I hate FHTT Priority Queue so much!

Share OLT Status Page
Please update the firmware to correct Hardware A1 or B1, and share your OLT Info just like screenshot above,
This way we here can know which OLT are you on, either troublesome FHTT or awesome ZTEG

Firmware download can be found on next post

This post has been edited by Anime4000: Oct 27 2024, 03:49 AM

Firmware Download
D-Link DPN-FX3060V, Hardware A1 (White):
DPN-FX3060V_V1.1.2_20231108_rel241118.njk

D-Link DPN-FX3060V, Hardware B1 (Black):
DPN-FX3060V_V2.0.3_20240802_rel241118.njk

WARNING!
By flashing this custom firmware, your device warranty will be invalid!

Change Log


Revert Firmware
To roll back, just enable SSH/Telnet in the WebGUI and do this:



If value return 0:


If value return 1:


This post has been edited by Anime4000: Nov 28 2024, 10:00 AM

1. Not yet, I believe this fixable via changing FwdOp, at least works on me under Nokia OLT

2. The firmware is pulled from the SPI Flash, I only modify to add only OLT Info page, this help to troubleshooting how OLT set your VLAN and TM doesn't care, I show this to them, they liked OLT Info page as this very useful information

3. Just update as usual at Maintenance ▶️ Firmware Upgrade.
To roll back, just enable SSH/Telnet and do this:



If value return 0:


If value return 1:


This Router has two different OS, can set which partition need to boot

You can just switch Boot Partition back to Stock Partition, first, do this:

Roll Back Previous Boot Partition
Enable SSH/Telnet


Login SSH

Type tmadmin@192.168.0.1 at Windows Console or Linux/Mac Terminal

Enter Busybox

Type "sh" after saw >

Now in Busybox

You will see # when in busybox

Get Current Boot Partition


Set Boot Partition


NOTE:
When return sw_active=1, type this:


When return sw_active=0, type this:


This will switch boot, it's recommend boot into 0 first and let Nijika at 1

before you flash Nijika, make sure check sw_active=0, then you can update firmware, this will flash Nijika at Partition 1 and automatically reboot to Partition 1

This time, you have:
Stock at sw_active=0 Partition 0
Nijika at sw_active=1 Partition 1

This post has been edited by Anime4000: May 25 2024, 10:07 PM

I have send mtd14 (ubi_apps) and IoT Module (D-Link Air) to PON Hacking

There is several vulnerabilities:
1. IoT not suppose to run as Root Privilege
2. IoT bind on all Interface (ppp, nas0, nas1, ethX, wlanX) including t-cont





ubi_apps, tr142 and /bin/ccom_linkkit always run as root no matter what, cannot be disable in WebGUI

they found many vulnerability such as common overflow, it can be attack even in Bridge Mode.

I trying to remove from the firmware, it caught on boot loop 😭
It has been suggested that to replace to ability to reply in boot process, this will take time, might more time eradicate any IoT

can you flash my custom firmware and screenshot OLT Info

I have ARM64 build root, all sus binary replaced with "int main::return 0;" as you mention it, luckily it still boot but usable not tried yet.

all the rucks happen lately, I stop Reverse Engineering on this D-Link DPN series, and remove the firmware download links

I have been told in discord discussion that D-Link DPN-FX3060V has vulnerable, they still didn't tell me how to exploit it, as for this I now didn't care to nuke sus IoT binary out of D-Link, just let them hack the D-Link

This post has been edited by Anime4000: Jul 24 2024, 12:39 PM

Your finding is same CVE as other guy found, but he found more apparently.
he said firmware is easily override with infected firmware and can prevent bridging,

so, forcing user to use as router so the device can become zombie/botnet
⬆️ it is possible some user reportingg can't bridge and slow speed? might device already infected

Well, not worth of time to clean-up the D-Link or even de-compile ARM64 driver for OpenWRT on D-Link ONR

unlike PON Stick use very specific modified MIPS R3000 SoC, so far no one can compile simple hello beside obtain official Realtek Luna SDK

ARM64? Quite easy to make own binary

Same issue I facing before when change DP Fiberhome to DP Nokia.
Their system has bind your ONU/PLOAM Password with S/N (Reason: prevent stolen PLOAM Password)

I believe Huawei HG8240H (and H5 variant) can change S/N in Full Hex,
So, Try this example:


Then, backup your Huawei SN then replace like this 444C4B4934101F1F



It said can put "DLKI34101F1F", try that too

With recent my IPv6 case has been closed, I think TM still giving AIO / ONR for make internet cheaper...

at least TM didn't prevent use of PON Stick,

This post has been edited by Anime4000: Jul 31 2024, 01:03 PM

Welcome, we advice not to use this D-Link because have unpatched CVE

feel free to whatsapp me

can, but Plain DNS, ISP can hijack the query

via DHCP Server?

welp, if that didn't work, I suggest you to use own Router with DoH Support

When in bridge mode, only bridge what ME 171 told to do, only VLAN500 get passed as tagged traffic and VoIP remain as is

Many reports D-Link speed would drop overtime

This post has been edited by Anime4000: Aug 30 2024, 01:28 PM

Welcome, for safety...
There is known vulnerabilities and been proven hacker can override own firmware and turn as zombie/bot net, I suggest not using this D-Link, perhaps use stock ONU

all own devices, many big company I setup use my GPON stick, as they don't want ISP and Gov spying and/or take control, especially at ONU.

Who knows, now DNS has been hijacked as per MCMC requirement.

Future? all using ONR, ISP can override bridge mode into router mode and prevent user using own Router...
Or SNI intercepted (force using TLS1.2 and detect Domain Name in HTTPS header)
Or even worst ONR do the MITM attack.

Even you disable TR069, ISP can manage your ONU/ONR from OLT.

this what GPON Stick come... Ignore, Override and Reply fake OK to OLT and keep bridge mode.

ISP can say giving ONR is able to reduce cost, but I don't believe it!

Like Huawei EG8010Hv6 is just dumb one LAN port bridge that Allo in Penang using it.

But... One LAN port no longer allow customers use two ISP
TM no longer allow to subscribe multiple ISP for quite some time, EG8010Hv6 + AX3000/6000 router still cost effective and as usual user can use own router,

TM so big, can ask Huawei to make EG8010Hv6 with POTS variant for analogue telephone, and still cheap.

If you want avoid tampering by big boyz, don't use ONR, if you have old ONU, use it, or buy used Huawei ONU like HG8240H, HG8240H5

for >= 1Gbps plan, just use old ONU, technician won't take it after upgrade

Nice, an ALCL (Nokia) OLT,

are you on Unifi Biz? saw VLAN400 exist on LAN1