Getting root access on ZyXEL VMG1312-B30B

Nothing special: just use the undocumented command sh and you are there (I found it by mistake):

danman@silverhorse:~$ nmap 10.0.0.138

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 22:54 CEST
Nmap scan report for 10.0.0.138
Host is up (0.013s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
23/tcp open  telnet
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds
danman@silverhorse:~$ telnet 10.0.0.138
Trying 10.0.0.138...
Connected to 10.0.0.138.
Escape character is '^]'.
ZyXEL VDSL Router
Login: admin
Password: admin
 > help
?
help
logout
exit
quit
reboot
adsl
xdslctl
xtm
brctl
cat
loglevel
logdest
virtualserver
ddns
df
dumpcfg
dumpmdm
meminfo
psp
kill
dumpsysinfo
dnsproxy
syslog
echo
ifconfig
ping
ps
pwd
sntp
snmp
sysinfo
tftp
wlctl
arp
defaultgateway
dhcpserver
dhcpcondserv
dns
lan
lanhosts
passwd
ppp
restoredefault
route
save
swversion
uptime
cfgupdate
swupdate
exitOnIdle
wan
rip
igmp
wlan
telnetd
natp
sysstate
sipalgctl
celld
autoexec
fileShare
igmp
btt
ledctl
 > sh
shell Password: admin
~ # ls
bin         etc         linuxrc     proc        tmp         vmlinux.lz
data        firmware    mnt         sbin        usr         webs
dev         lib         opt         sys         var

~ # cat /proc/cpuinfo 
system type             : 963168VXB
processor               : 0
cpu model               : Broadcom4350 V8.0
BogoMIPS                : 398.33
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned exceptions            : 1399
processor               : 1
cpu model               : Broadcom4350 V8.0
BogoMIPS                : 402.43
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : no
hardware watchpoint     : no
ASEs implemented        :
shadow register sets    : 1
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

unaligned exceptions            : 1399
~ # cat /proc/devices 
Character devices:
  1 mem
  2 pty
  3 ttyp
  4 ttyS
  5 /dev/tty
  5 /dev/console
  5 /dev/ptmx
 10 misc
 90 mtd
108 ppp
128 ptm
136 pts
180 usb
189 usb_device
206 brcmboard
208 adsl
227 p8021ag
228 bcmxtmcfg
233 spu
238 bcmvlan
240 pwrmngt
241 bcmfap
242 fcache
243 ingqos
244 bpm
245 bcmarl
246 chipinfo
254 usb_endpoint

Block devices:
259 blkext
  8 sd
 31 mtdblock
 65 sd
 66 sd
 67 sd
 68 sd
 69 sd
 70 sd
 71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd
~ # lsmod
Module                  Size  Used by    Tainted: P  
nf_nat_tftp             1152  0 
nf_nat_irc              1888  0 
nf_nat_rtsp             4320  0 
nf_nat_h323             6640  0 
nf_nat_ftp              2608  0 
nf_conntrack_tftp       4032  1 nf_nat_tftp
nf_conntrack_irc        5264  1 nf_nat_irc
nf_conntrack_rtsp       9872  1 nf_nat_rtsp
nf_conntrack_ftp        7088  1 nf_nat_ftp
nf_conntrack_h323      47520  1 nf_nat_h323
nf_nat_pptp             2416  0 
nf_conntrack_pptp       5840  1 nf_nat_pptp
nf_nat_proto_gre        1840  1 nf_nat_pptp
nf_conntrack_proto_gre     5104  1 nf_conntrack_pptp
nfnetlink_queue         8864  0 
ipt_REJECT              2960  0 
ipt_LOG                 7520 13 
ipt_REDIRECT            1504  0 
ipt_MASQUERADE          4368  1 
nfnetlink               4080  1 nfnetlink_queue
xt_SKIPLOG              1200  0 
xt_TCPMSS               4224  1 
xt_limit                2112 17 
xt_state                1728 32 
nf_conntrack_ipv6      13568 15 
xt_pkttype              1296  2 
xt_recent               9728  6 
iptable_nat             4896  1 
nf_nat                 16608 10 nf_nat_tftp,nf_nat_irc,nf_nat_rtsp,nf_nat_h323,nf_nat_ftp,nf_nat_pptp,nf_nat_proto_gre,ipt_REDIRECT,ipt_MASQUERADE,iptable_nat
nf_conntrack_ipv4      13360 20 iptable_nat,nf_nat
nf_defrag_ipv4          1536  1 nf_conntrack_ipv4
nf_conntrack           60848 19 nf_nat_tftp,nf_nat_irc,nf_nat_rtsp,nf_nat_h323,nf_nat_ftp,nf_conntrack_tftp,nf_conntrack_irc,nf_conntrack_rtsp,nf_conntrack_ftp,nf_conntrack_h323,nf_nat_pptp,nf_conntrack_pptp,nf_conntrack_proto_gre,ipt_MASQUERADE,xt_state,nf_conntrack_ipv6,iptable_nat,nf_nat,nf_conntrack_ipv4
ip6table_filter         2144  1 
ip6table_mangle         2256  1 
ip6_tables             13184  2 ip6table_filter,ip6table_mangle
iptable_mangle          2304  1 
iptable_filter          2240  1 
ip_tables              12080  3 iptable_nat,iptable_mangle,iptable_filter
xt_multiport            2720  0 
xt_MARK                 1888 25 
xt_mark                 1376 21 
xt_length               1408  0 
xt_mac                  1264  0 
xt_DSCP                 2992  1 
xt_dscp                 2064  0 
pwrmngtd                7216  0 
bcmvlan                99472  0 
wl                   3450288  0 
bcmarl                  7440  0 
bcm_usb                26512  0 
bcm_enet              125584  2 pwrmngtd,wl
adsldd                349600  0 
bcmxtmcfg              78512  1 adsldd
bcmfap                185120  1 bcmarl
pktflow               112464  1 bcmfap
bcm_bpm               208736  0 [permanent]
bcm_ingqos             10560  0 
chipinfo                1712  0 
~ # ifconfig 
bcmsw     Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:30  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Base address:0xda00 

br0       Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:30  
          inet addr:10.0.0.138  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::1/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:477641 errors:2994 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:183 overruns:1293627 carrier:0
          collisions:2473 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br1       Link encap:Ethernet  HWaddr B2:C8:2D:87:EA:13  
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::b0c8:2dff:fe87:ea13/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:1556 carrier:0
          collisions:26 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:30  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:105842 carrier:0
          collisions:493 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          

eth1      Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:30  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          

eth2      Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:30  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth3      Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:30  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          

eth4      Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:30  
          inet6 addr: fe80::1e74:dff:fe04:9f30/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:101428 carrier:0
          collisions:443 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:19586 errors:91 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:19586 carrier:0
          collisions:91 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ppp1.1    Link encap:Point-to-Point Protocol  
          inet addr:85.135.150.207  P-t-P:84.16.59.41  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:859177 errors:1602 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:308035 carrier:0
          collisions:1759 txqueuelen:3 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ptm0      Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:34  
          inet6 addr: fe80::1e74:dff:fe04:9f34/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:902686 errors:1629 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:355872 carrier:0
          collisions:1790 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ptm0.1    Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:35  
          inet6 addr: fe80::1e74:dff:fe04:9f35/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:873364 errors:1629 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:355023 carrier:0
          collisions:1787 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0       Link encap:Ethernet  HWaddr 1C:74:0D:04:9F:33  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:503536 errors:2906 dropped:0 overruns:0 frame:0
          TX packets:2247 errors:0 dropped:204 overruns:1352452 carrier:0
          collisions:2704 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:15 Base address:0x4000 

~ # 
~ # iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DOS_INPUT  all  --  0.0.0.0/0            0.0.0.0/0           
SERVICE_CONTROL  all  --  0.0.0.0/0            0.0.0.0/0           
FrwlInChk  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOS_FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
NAT_FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
DMZ_FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
FrwlForwardInChk  all  --  0.0.0.0/0            0.0.0.0/0           
FrwlForwardInChk  all  --  0.0.0.0/0            0.0.0.0/0           
FrwlForwardInChk  all  --  0.0.0.0/0            0.0.0.0/0           
FrwlForwardInChk  all  --  0.0.0.0/0            0.0.0.0/0           
FrwlForwardInChk  all  --  0.0.0.0/0            0.0.0.0/0           
FrwlForwardInChk  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
FrwlOutChk  all  --  0.0.0.0/0            0.0.0.0/0           

Chain DMZ_FORWARD (1 references)
target     prot opt source               destination         
TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 

Chain DOS_FORWARD (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 30/sec burst 10 
SYN_FLOODING  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
PING_DEATH  icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW 

Chain DOS_INPUT (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 30/sec burst 10 
SYN_FLOODING  tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
PORT_SCAN  udp  --  0.0.0.0/0            0.0.0.0/0           state NEW PKTTYPE != broadcast recent: UPDATE seconds: 120 hit_count: 20 name: port_scan side: source 
           all  --  0.0.0.0/0            0.0.0.0/0           recent: SET name: port_scan side: source 
PING_DEATH  icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 state NEW 

Chain FrwlForwardInChk (6 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
FrwlOutChk  all  --  0.0.0.0/0            0.0.0.0/0           
FrwlOutChk  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FrwlInChk (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7547 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7547 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7547 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7547 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:7547 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 6/hour burst 5 LOG flags 0 level 1 prefix `Intrusion -> ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain FrwlOutChk (3 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain NAT_FORWARD (1 references)
target     prot opt source               destination         

Chain PING_DEATH (2 references)
target     prot opt source               destination         
RETURN     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 10/sec burst 10 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 1 prefix `Ping of Death Attack:' 
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           

Chain PORT_SCAN (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 4 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 1 prefix `Port Scan Attack:' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain SERVICE_CONTROL (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 

Chain SYN_FLOODING (2 references)
target     prot opt source               destination         
RETURN     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 recent: UPDATE seconds: 60 hit_count: 1 name: SYN_FLOOD side: source 
           tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 recent: SET name: SYN_FLOOD side: source 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 LOG flags 0 level 1 prefix `SYN FLOODING Attack:' 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
~ # 
~ # uname -a
Linux (none) 2.6.30 #2 SMP PREEMPT Fri Jan 20 10:19:06 CST 2017 mips GNU/Linux
~ # mount
rootfs on / type rootfs (rw)
mtd:rootfs on / type jffs2 (ro,relatime)
proc on /proc type proc (rw,relatime)
tmpfs on /var type tmpfs (rw,relatime,size=420k)
tmpfs on /mnt type tmpfs (rw,relatime,size=16k)
sysfs on /sys type sysfs (rw,relatime)
/dev/mtdblock1 on /data type jffs2 (rw,relatime)
/dev/mtdblock3 on /firmware type jffs2 (rw,relatime)
usbfs on /proc/bus/usb type usbfs (rw,relatime)
~ # df -h
Filesystem                Size      Used Available Use% Mounted on
mtd:rootfs               18.0M     18.0M         0 100% /
/dev/mtdblock1            4.0M    460.0K      3.6M  11% /data
/dev/mtdblock3           19.6M    844.0K     18.8M   4% /firmware
~ # dmesg
 Deflate Compression module registered
PPP BSD Compression module registered
NET: Registered protocol family 24
Broadcom DSL NAND controller (BrcmNand Controller)
-->brcmnand_scan: CS=0, numchips=1, csi=0
mtd->oobsize=0, mtd->eccOobSize=0
NAND_CS_NAND_XOR=00000000
Disabling XOR on CS#0
brcmnand_scan: Calling brcmnand_probe for CS=0
B4: NandSelect=40000001, nandConfig=14152300, chipSelect=0
brcmnand_read_id: CS0: dev_id=98f00015
After: NandSelect=40000001, nandConfig=14152300
Block size=00020000, erase shift=17
NAND Config: Reg=14152300, chipSize=64 MB, blockSize=128K, erase_shift=11
busWidth=1, pageSize=2048B, page_shift=11, page_mask=000007ff
timing1 not adjusted: 6574845b
timing2 not adjusted: 00001e96
brcmnand_adjust_acccontrol: gAccControl[CS=0]=00000000, ACC=f7ff1010
BrcmNAND mfg 98 f0 TOSHIBA TC58NVM9S3ETA00 64MB on CS0

Found NAND on CS0: ACC=f7ff1010, cfg=14152300, flashId=98f00015, tim1=6574845b, tim2=00001e96
BrcmNAND version = 0x0400 64MB @00000000
brcmnand_scan: Done brcmnand_probe
brcmnand_scan: B4 nand_select = 40000001
brcmnand_scan: After nand_select = 40000001
100 CS=0, chip->ctrl->CS[0]=0
ECC level 15, threshold at 1 bits
reqEccLevel=0, eccLevel=15
190 eccLevel=15, chip->ecclevel=15, acc=f7ff1010
brcmnand_scan 10
200 CS=0, chip->ctrl->CS[0]=0
200 chip->ecclevel=15, acc=f7ff1010
page_shift=11, bbt_erase_shift=17, chip_shift=26, phys_erase_shift=17
brcmnand_scan 220
Brcm NAND controller version = 4.0 NAND flash size 64MB @1c000000
brcmnand_scan 230
brcmnand_scan 40, mtd->oobsize=64, chip->ecclayout=00000000
brcmnand_scan 42, mtd->oobsize=64, chip->ecclevel=15, isMLC=0, chip->cellinfo=0
ECC layout=brcmnand_oob_bch4_4k
brcmnand_scan:  mtd->oobsize=64
brcmnand_scan: oobavail=50, eccsize=512, writesize=2048
brcmnand_scan, eccsize=512, writesize=2048, eccsteps=4, ecclevel=15, eccbytes=3
300 CS=0, chip->ctrl->CS[0]=0
500 chip=83a47990, CS=0, chip->ctrl->CS[0]=0
-->brcmnand_default_bbt
brcmnand_default_bbt: bbt_td = bbt_main_descr
Bad block table Bbt0 not found for chip on CS0
Bad block table 1tbB not found for chip on CS0
File system address: 0xb93e0000
Scanning device for bad blocks, options=00004000
-->brcmnand_isbad_raw(offs=3fe0000
Bad block table written to 0x03fe0000, version 0x01
-->brcmnand_isbad_raw(offs=3fc0000
Bad block table written to 0x03fc0000, version 0x01
rescanning .... 
----- Contents of BBT -----
----- END Contents of BBT -----
brcmnandCET: Did not find CET, recreating
brcmnandCET: Status -> Deferred
brcmnand_scan 99
Root file system size 13a0000
Creating 4 MTD partitions on "brcmnand.0":
0x0000013e0000-0x0000025e0000 : "rootfs"
0x000002760000-0x000002b60000 : "data"
0x000000000000-0x000000020000 : "nvram"
0x000002b60000-0x000003f00000 : "fw"
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
PCI: Enabling device 0000:00:0a.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:0a.0 to 64
ehci_hcd 0000:00:0a.0: EHCI Host Controller
ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:0a.0: Enabling legacy PCI PM
ehci_hcd 0000:00:0a.0: irq 18, io mem 0x10002500
ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
PCI: Enabling device 0000:00:09.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:09.0 to 64
ohci_hcd 0000:00:09.0: OHCI Host Controller
ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2
ohci_hcd 0000:00:09.0: irq 17, io mem 0x10002600
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver usblp
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
Watchdog Timer Init -- kthread
brcmboard: brcm_board_init entry
SES: Button Interrupt 0x1 is enabled
SES: LED GPIO 0x10 is enabled
PCIe: No device found - Powering down
Serial: BCM63XX driver $Revision: 3.00 $
Magic SysRq enabled (type ^ h for list of supported commands)
ttyS0 at MMIO 0xb0000180 (irq = 13) is a BCM63XX
ttyS1 at MMIO 0xb00001a0 (irq = 42) is a BCM63XX
Total # RxBds=1448
bcmPktDmaBds_init: Broadcom Packet DMA BDs initialized

bcmPktDma_init: Broadcom Packet DMA Library initialized
bcmxtmrt: Broadcom BCM3168D0 ATM/PTM Network Device v0.4 Jan 20 2017 09:49:26
p8021ag: p8021ag_init entry
IPSEC SPU: SUCCEEDED 
GACT probability NOT on
Mirror/redirect action on
u32 classifier
    input device check on 
    Actions configured 
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Initializing MCPD Module
Ebtables v2.0 registered
ebt_time registered
ebt_ftos registered
ebt_wmm_mark registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (jffs2 filesystem) readonly on device 31:0.
Freeing unused kernel memory: 152k freed
Empty flash at 0x000031e4 ends at 0x00003800
Empty flash at 0x00123504 ends at 0x00123800
Empty flash at 0x0012cb2c ends at 0x0012d000
Empty flash at 0x00131428 ends at 0x00131800
JFFS2 notice: (225) check_node_data: wrong data CRC in data node at 0x0000666c: read 0x965adb67, calculated 0x2c3d788a.
JFFS2 notice: (225) check_node_data: wrong data CRC in data node at 0x000021a0: read 0x965adb67, calculated 0x7f308400.
JFFS2 notice: (226) check_node_data: wrong data CRC in data node at 0x006f177c: read 0x61258b67, calculated 0xa38181d8.
chipinfo: module license 'proprietary' taints kernel.
Disabling lock debugging due to kernel taint
brcmchipinfo: brcm_chipinfo_init entry
Broadcom Ingress QoS Module  Char Driver v0.1 Jan 20 2017 09:48:05 Registered<243>

Broadcom Ingress QoS ver 0.1 initialized
BPM: tot_mem_size=67108864B (64MB), buf_mem_size=10066320B (9MB), num of buffers=4730, buf size=2128
Broadcom BPM Module Char Driver v0.1 Jan 20 2017 09:47:59 Registered<244>
[NTC bpm] bpm_set_status: BPM status : enabled 

NBUFF v1.0 Initialized
Initialized fcache state
Broadcom Packet Flow Cache  Char Driver v2.2 Jan 20 2017 09:48:06 Registered<242>
Created Proc FS /procfs/fcache
Broadcom Packet Flow Cache registered with netdev chain
Broadcom Packet Flow Cache learning via BLOG enabled.
Constructed Broadcom Packet Flow Cache v2.2 Jan 20 2017 09:48:06
chipId 0x631680D0
Broadcom Forwarding Assist Processor (FAP) Char Driver v0.1 Jan 20 2017 09:48:00 Registered <241>
Enabling SMISBUS PHYS_FAP_BASE[0] is 0x10c01000
FAP Soft Reset Done
4ke Reset Done
Enabling SMISBUS PHYS_FAP_BASE[1] is 0x10c01000
FAP Soft Reset Done
4ke Reset Done
FAP Debug values at 0xa241cf90 0xa249cf90
Allocated FAP0 GSO Buffers (0xA242E018) : 1048576 bytes @ 0xA2500000
Allocated FAP1 GSO Buffers (0xA24AE018) : 1048576 bytes @ 0xA2600000
Allocated FAP0 TM SDRAM Queue Storage (a242e01c) : 341376 bytes @ a2700000
Allocated FAP1 TM SDRAM Queue Storage (a24ae01c) : 341376 bytes @ a2780000
[NTC fapProto] fapReset  : Reset FAP Protocol layer
fapDrv_construct: FAP0: pManagedMemory=b0820650. wastage 8 bytes
fapDrv_construct: FAP1: pManagedMemory=b0a20650. wastage 8 bytes
bcmPktDma_bind: FAP Driver binding successfull
[FAP0] DSPRAM : stack <0x80000000><1536>, global <0x80000600><3960>, free <2696>, total<8192>
[FAP1] DSPRAM : stack <0x80000000><1536>, global <0x80000600><3960>, free <2696>, total<8192>
[FAP0] PSM : addr<0x80002000>, used <23436>, free <1140>, total <24576>
[FAP1] PSM : addr<0x80002000>, used <23436>, free <1140>, total <24576>
[FAP0] DQM : availableMemory 14652 bytes, nextByteAddress 0xE0004948
[FAP1] DQM : availableMemory 14652 bytes, nextByteAddress 0xE0004948
[FAP0] GSO Buffer set to 0xA2500000
[FAP1] GSO Buffer set to 0xA2600000
[FAP0] FAP BPM Initialized.
[FAP1] FAP BPM Initialized.
[FAP0] FAP TM: ON
[FAP1] FAP TM: ON
bcmxtmcfg: bcmxtmcfg_init entry
adsl: adsl_init entry
Broadcom BCM63168D0 Ethernet Network Device v0.1 Jan 20 2017 09:49:21
fapDrv_psmAlloc: fapIdx=0, size: 4800, offset=b0820650 bytes remaining 7000
ETH Init: Ch:0 - 200 tx BDs at 0xb0820650
fapDrv_psmAlloc: fapIdx=1, size: 4800, offset=b0a20650 bytes remaining 7000
ETH Init: Ch:1 - 200 tx BDs at 0xb0a20650
fapDrv_psmAlloc: wastage 8 bytes
fapDrv_psmAlloc: fapIdx=0, size: 4808, offset=b0821910 bytes remaining 2184
ETH Init: Ch:0 - 600 rx BDs at 0xb0821910
fapDrv_psmAlloc: wastage 8 bytes
fapDrv_psmAlloc: fapIdx=1, size: 4808, offset=b0a21910 bytes remaining 2184
ETH Init: Ch:1 - 600 rx BDs at 0xb0a21910
dgasp: kerSysRegisterDyingGaspHandler: bcmsw registered 
eth2: MAC Address: 1C:74:0D:04:9F:30
eth1: MAC Address: 1C:74:0D:04:9F:30
eth0: MAC Address: 1C:74:0D:04:9F:30
eth3: MAC Address: 1C:74:0D:04:9F:30
eth4: MAC Address: 1C:74:0D:04:9F:30
eth0 Link UP 10 mbps full duplex
eth4 Link UP 1000 mbps full duplex
message received before monitor task is initialized kerSysSendtoMonitorTask 
Broadcom BCM3168D0 USB Network Device v0.4a Jan 20 2017 09:48:11
usb0: MAC Address: 1C 74 0D 04 9F 31
usb0: Host MAC Address: 1C 74 0D 04 9F 32
hub 1-0:1.0: over-current change on port 2
USBD Initialization done status 0 
USB Link DOWN.
message received before monitor task is initialized kerSysSendtoMonitorTask 
[NTC arl] arlEnable : Enabled ARL binding to FAP
Broadcom Address Resolution Logic Processor (ARL) Char Driver v0.1 Jan 20 2017 09:47:58 Registered <245>
--SMP support
wl: dsl_tx_pkt_flush_len=338
wl: high_wmark_tot=3074
PCI: Setting latency timer of device 0000:00:00.0 to 64
wl: passivemode=1
wl: napimode=0
wl0: allocskbmode=1 currallocskbsz=256
Neither SPROM nor OTP has valid image
wl:srom/otp not programmed, using main memory mapped srom info(wombo board)
wl:loading /etc/wlan/bcm6362_map.bin
srom rev:8
wl: reading /etc/wlan/bcmcmn_nvramvars.bin, file size=32
wl0: Broadcom BCM435f 802.11 Wireless Controller 6.30.102.7.cpe4.12L08.4
dgasp: kerSysRegisterDyingGaspHandler: wl0 registered 
Broadcom 802.1Q VLAN Interface, v0.1
Host MIPS Clock divider pwrsaving is enabled
DDR Self Refresh pwrsaving is enabled
Energy Efficient Ethernet is disabled
eth0 Link DOWN.
message received before monitor task is initialized kerSysSendtoMonitorTask 
ip_tables: (C) 2000-2006 Netfilter Core Team
eth0 Link UP 10 mbps full duplex
message received before monitor task is initialized kerSysSendtoMonitorTask 
ip6_tables: (C) 2000-2006 Netfilter Core Team
device eth0 entered promiscuous mode
br0: port 1(eth0) entering forwarding state
device eth2 entered promiscuous mode
br0: port 1(eth0) entering disabled state
br0: port 1(eth0) entering forwarding state
ADDRCONF(NETDEV_UP): eth2: link is not ready
device eth3 entered promiscuous mode
br0: port 1(eth0) entering disabled state
br0: port 1(eth0) entering forwarding state
ADDRCONF(NETDEV_UP): eth3: link is not ready
device eth1 entered promiscuous mode
br0: port 1(eth0) entering disabled state
br0: port 1(eth0) entering forwarding state
ADDRCONF(NETDEV_UP): eth1: link is not ready
device wl0 entered promiscuous mode
br0: port 1(eth0) entering disabled state
br0: port 1(eth0) entering forwarding state
br0: port 5(wl0) entering forwarding state
*** dslThread dslPid=1286
BcmAdsl_Initialize=0xC026FB70, g_pFnNotifyCallback=0xC02AC8F4
lmemhdr[2]=0x100CE000, pAdslLMem[2]=0x100CE000
pSdramPHY=0xA3FFFFF8, 0x1B7768 0xDEADBEEF
*** XfaceOffset: 0x5FF90 => 0x5FF90 ***
*** PhySdramSize got adjusted: 0xDACE8 => 0x111500 ***
AdslCoreSharedMemInit: shareMemSize=133853(133856)
AdslCoreHwReset:  pLocSbSta=80d80000 bkupThreshold=3072
AdslCoreHwReset:  AdslOemDataAddr = 0xA3F9A5F4
***BcmDiagsMgrRegisterClient: 0 ***
dgasp: kerSysRegisterDyingGaspHandler: dsl0 registered 
fapDrv_psmAlloc: fapIdx=1, size: 1600, offset=b0a22be0 bytes remaining 584
XTM Init: Ch:0 - 200 rx BDs at 0xb0a22be0
fapDrv_psmAlloc: fapIdx=1, size: 128, offset=b0a23220 bytes remaining 456
XTM Init: Ch:1 - 16 rx BDs at 0xb0a23220
bcmxtmrt: PTM/ATM Non-Bonding Mode configured in system 
Line 0: xDSL G.994 training
message received before monitor task is initialized kerSysSendtoMonitorTask 
device eth4 entered promiscuous mode
br0: port 6(eth4) entering forwarding state
nf_conntrack version 0.5.0 (1024 buckets, 4096 max)
monitor task is initialized pid= 295 
br0: port 5(wl0) entering disabled state
device wl0 left promiscuous mode
br0: port 5(wl0) entering disabled state
Line 0: VDSL G.993 started
device wl0 entered promiscuous mode
br0: port 6(eth4) entering disabled state
br0: port 1(eth0) entering disabled state
br0: port 6(eth4) entering forwarding state
br0: port 1(eth0) entering forwarding state
br0: port 5(wl0) entering forwarding state
br0: port 5(wl0) entering disabled state
device wl0 left promiscuous mode
br0: port 5(wl0) entering disabled state
device wl0 entered promiscuous mode
br0: port 6(eth4) entering disabled state
br0: port 1(eth0) entering disabled state
br0: port 6(eth4) entering forwarding state
br0: port 1(eth0) entering forwarding state
br0: port 5(wl0) entering forwarding state
Line 0: VDSL2 link up, Bearer 0, us=3199, ds=31545
bcmxtmcfg: XTM Link Information, port = 0, State = UP, Service Support = PTM 
bcmxtmcfg: ReconfigureSAR port 0 traffictype 2 
bcmxtmcfg: Normal(XTM/PTM) Mode enabled 
TxLineRateTimer=10003 
bcmxtmrt: MAC address: 1c 74 0d 04 9f 34
[DoCreateDeviceReq.3137]: register_netdev
[DoCreateDeviceReq.3139]: register_netdev done
bcmxtmcfg: Reserve PTM vcid=0 ptmPri=1 port=0 bondingPort=4
bcmxtmcfg: Reserve PTM vcid=1 ptmPri=2 port=0 bondingPort=4
bcmxtmcfg: Reserve TxQueueIdx=0 for vcid 0
bcmxtmcfg: Reserve MP group=0 priority=0 weight=1
XTM Init: Ch:0 - 400 tx BDs at 0xa0810000
bcmxtmcfg: Connection UP, LinkActiveStatus=0x1, US=3199000, DS=31545000 
[FAP0] xtmCreateDevice : devId 0, encapType 0, headerLen 0
[FAP1] xtmCreateDevice : devId 0, encapType 0, headerLen 0
[FAP0] xtmLinkUp : devId 0, matchId 0
[FAP1] xtmLinkUp : devId 0, matchId 0
[FAP0] xtmLinkUp : devId 0, matchId 1
[FAP1] xtmLinkUp : devId 0, matchId 1
ptm0.1 MAC address set to 1C:74:0D:04:9F:35
netdev path : ptm0.1 -> ptm0
BCMVLAN : ptm0 mode was set to RG
device ptm0 entered promiscuous mode
netdev path : ppp1.1 -> ptm0.1 -> ptm0
Netfilter messages via NETLINK v0.30.
bcmxtmcfg: Reserve TxQueueIdx=1 for vcid 0
XTM Init: Ch:1 - 400 tx BDs at 0xa0948000
bcmxtmcfg: Reserve TxQueueIdx=2 for vcid 0
XTM Init: Ch:2 - 400 tx BDs at 0xa096c000
bcmxtmcfg: Reserve TxQueueIdx=3 for vcid 0
XTM Init: Ch:3 - 400 tx BDs at 0xa080c000
usbserial: `0x' invalid for parameter `vendor'
Intrusion -> IN=ppp1.1 OUT= MAC= SRC=191.101.167.235 DST=85.135.150.207 LEN=40 TOS=0x00 PREC=0x00 TTL=249 PROTO=TCP SPT=38685 DPT=8545 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000 
Intrusion -> IN=ppp1.1 OUT= MAC= SRC=77.72.82.92 DST=85.135.150.207 LEN=40 TOS=0x00 PREC=0x00 TTL=249 PROTO=TCP SPT=58529 DPT=12393 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000 
Intrusion -> IN=ppp1.1 OUT= MAC= SRC=77.72.82.80 DST=85.135.150.207 LEN=40 TOS=0x00 PREC=0x00 TTL=249 PROTO=TCP SPT=58011 DPT=8610 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000 
Intrusion -> IN=ppp1.1 OUT= MAC= SRC=77.72.85.17 DST=85.135.150.207 LEN=40 TOS=0x00 PREC=0x00 TTL=250 PROTO=TCP SPT=47589 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000 
~ # 
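
Since the telnet login above leads straight to a root shell, it matters who can reach ports 21, 22, 23 and 80. The following check is an added example, not part of the original post: it reads the SERVICE_CONTROL chain from the session and reports what that listing actually proves for each port. The `HARDENED` listing and all function names are constructed for illustration.

```python
import re

# SERVICE_CONTROL chain as printed by `iptables -L -n` in the session above.
LISTING = """\
Chain SERVICE_CONTROL (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
"""

# Constructed listing (not from the post): telnet and FTP dropped outright,
# SSH and HTTP accepted only from the LAN subnet.
HARDENED = """\
Chain SERVICE_CONTROL (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  10.0.0.0/24          0.0.0.0/0           tcp dpt:80
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  10.0.0.0/24          0.0.0.0/0           tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
"""

# The four TCP services nmap reported open in the session.
MGMT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 80: "http"}
ANY = "0.0.0.0/0"

RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<prot>tcp|udp)\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+.*?dpt:(?P<port>\d+)"
)


def parse_chain(listing, chain):
    """Return the ordered (target, prot, src, dst, port) rules of one chain."""
    rules, in_chain = [], False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if in_chain:
            m = RULE_RE.match(line)
            if m:
                rules.append((m["target"], m["prot"], m["src"],
                              m["dst"], int(m["port"])))
    return rules


def audit(rules, ports=MGMT_PORTS):
    """Say, per management port, what the listing can and cannot prove."""
    report = {}
    for port, name in ports.items():
        matching = [r for r in rules if r[1] == "tcp" and r[4] == port]
        if not matching:
            report[name] = "no rule"
            continue
        first = matching[0]
        # A later rule with the same visible match but a different target is
        # either dead, or differs in a column that -L -n does not print
        # (in/out interface is only shown with -v).
        twins = [r for r in matching[1:]
                 if r[1:] == first[1:] and r[0] != first[0]]
        if first[0] != "ACCEPT":
            report[name] = "blocked"
        elif first[2] != ANY:
            report[name] = "restricted to " + first[2]
        elif twins:
            report[name] = "ambiguous"
        else:
            report[name] = "open to any source"
    return report


if __name__ == "__main__":
    for label, text in (("session", LISTING), ("hardened", HARDENED)):
        print(label, audit(parse_chain(text, "SERVICE_CONTROL")))
```

An "ambiguous" verdict means the listing should be re-run as `iptables -L -n -v` on the device, so the interface columns show which side of the router each ACCEPT applies to.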