
feat(epon): F-MDCONU3A — add CLI permission bypass, full command reference, firmware flash protocol #443

Merged
simonebortolin merged 2 commits into hack-gpon:main from abeljouve:feat/epon-f-mdconu3a-enrichment
Apr 8, 2026

Conversation

@abeljouve
Contributor

Adds extensive reverse-engineering findings for the Free/Iliad F-MDCONU3A
(BCM55030 10G-EPON ONU):

  • CLI permission system: the pl built-in command bypasses all
    permission checks. pl omega gives full manufacturing access (level 2)
    from the default UART shell, no password required.
  • Complete CLI command tree at all 3 permission levels with inline
    descriptions (~60 level 0 + ~20 level 1 + ~25 level 2 commands).
  • Full CLI command reference: syntax, arguments, and descriptions for
    every command organized by category (system, EPON, MPCP, memory, stats,
    firmware, FDS, debug, multicast, SerDes, MACsec).
  • PON speed mode encoding table (1G/1G, 2G/1G, 10G/1G, 10G/10G).
  • Firmware flash protocol (load/rx): raw binary transfer over UART
    at 57600 baud, TKF container format with trailing CRC32.
  • Hardware architecture details: Harvard ARC (ICCM/DCCM), firmware
    structure, FDS personality records.
  • Expanded flash memory map with all 5 regions.
  • Corrected mcast/ subtree: domains/groups/sources/reporters
    do not exist in the v3.2.9 binary (only igmpinfo and igmpsources).

All findings are from static analysis of the v3.2.9 firmware binary in
Ghidra (2697 functions fully named). No proprietary documentation was used.

…, firmware flash protocol

Adds extensive reverse-engineering findings for the Free/Iliad F-MDCONU3A
(BCM55030 10G-EPON ONU) from static analysis of the v3.2.9 firmware binary:

- CLI permission system: pl built-in command bypasses all permission checks,
  pl omega gives full manufacturing access (level 2) from default UART shell
- Complete CLI command tree at all 3 permission levels
  (level 0: ~60 cmds, level 1: +20, level 2: +25)
- Firmware flash protocol (load/rx): raw binary transfer over UART at
  57600 baud, TKF container format with trailing CRC32
- Hardware architecture details: Harvard ARC (ICCM/DCCM), firmware structure,
  FDS personality records
- Expanded flash memory map with all 5 regions including FDS/Config
- Filled in missing hardware specs (bootloader, system, load addr, RAM, chipset rev)

All findings from Ghidra static analysis (2697 functions named).
No proprietary documentation was used.
…rence, firmware flash protocol

Adds extensive reverse-engineering findings for the Free/Iliad F-MDCONU3A
(BCM55030 10G-EPON ONU) from static analysis of the v3.2.9 firmware binary:

- CLI permission system: pl built-in command bypasses all permission checks,
  pl omega gives full manufacturing access (level 2) from default UART shell
- Complete CLI command tree at all 3 permission levels with inline descriptions
  (level 0: ~60 cmds, level 1: +20, level 2: +25)
- Full CLI command reference: syntax, arguments, and descriptions for every
  command, organized by category (system, EPON/MAC, MPCP, memory, stats,
  firmware/flash, FDS, alarms/debug, multicast, SerDes, MACsec)
- PON speed mode encoding table (1G/1G, 2G/1G, 10G/1G, 10G/10G)
- Firmware flash protocol (load/rx): raw binary transfer over UART at
  57600 baud, TKF container format with trailing CRC32
- Hardware architecture details: Harvard ARC (ICCM/DCCM), firmware structure,
  FDS personality records
- Expanded flash memory map with all 5 regions including FDS/Config
- Filled in missing hardware specs (bootloader, system, load addr, RAM, chipset)
- Corrected mcast/ command tree (domains/groups/sources/reporters don't exist
  in the v3.2.9 binary — only igmpinfo and igmpsources are confirmed)
- Added serdesTestInit and serdesRx to level 0 serdes/ tree

All findings from Ghidra static analysis (2697 functions named).
No proprietary documentation was used.
@simonebortolin simonebortolin merged commit b8712ee into hack-gpon:main Apr 8, 2026
3 checks passed
@github-actions

github-actions bot commented Apr 8, 2026

Preview of the website obtained from the PR: https://b206c9e8.hack-gpon-preview.pages.dev

@abeljouve
Contributor Author

Thanks for the review and merge @simonebortolin! Great project.
Since this PR, I've been going deeper into the BCM55030 firmware RE, mainly using Claude Opus 4.6, which turned out to be surprisingly effective in RE.
The goal is to understand the firmware well enough to use the Free/Iliad ONU standalone, bypassing the Freebox router entirely. Longer term, if a compatible 10G-EPON transceiver surfaces, this RE work could enable running a custom firmware on generic hardware.
To get there, I've been building an ARC700 emulator that can boot the real bootloader binary, and am making progress on the app2 init sequence. This is showing a lot of new details about EPON MAC registers, SerDes init, and FDS internals that I'll document in a follow-up PR.
Stay tuned!
