Hacking RTL960x

⚠️ WARNING: SERIOUS RISKS WITH CUSTOM GPON SFP ONTs

When using custom GPON SFP ONTs (Small Form-factor Pluggable Optical Network Terminals), it’s important to be aware of potential risks and how they can affect not only your connection but also others on the same network.

Using custom GPON SFP ONTs can cause severe network issues, not just for you but for everyone on the same GPON port. A single faulty or misconfigured ONT can take down an entire GPON network, affecting dozens of users.

🚨 Major Risks

• Network-wide Disruptions
  ^{A rogue ONT can cause signal collisions, disconnecting all users on the same fiber split.}
• ISP Blacklisting & Fines
  ^{ISPs may ban your service or impose penalties for unauthorized modifications.}
• Unstable Connection
  ^{Custom ONTs may fail to connect properly or frequently drop connections.}

⚠ DANGER

A faulty SFP can take down an entire GPON network!

xPON SFP ONU

Join us in enhancing this RTL960x documentation repository to support the xPON community. Every piece of information, no matter how small, can make a significant impact on others. Got spare knowledge about ONU Box functionalities? Share it by dumping the information here! Together, let's make xPON more accessible and straightforward!

RTL960x Family

Stick	SoC	NAND	Mode	4-port EthUni	2.5Gb
VSOL V2801F	RTL9601CI	8MiB	VEIP & PPTP	Forced All	MOD
T&W TWCGPON657	RTL9601CI	16MiB	VEIP & PPTP	V1.9.0-240204	MOD
Ubiquiti UFiber Instant	RTL9601CI	8MiB	PPTP	LAN 1	NO
ODI DFP-34X-2C2 (UPC)	RTL9601D	8MiB	VEIP & PPTP	Selective All	YES
ODI DFP-34X-2C3 (APC)	RTL9601D	8MiB	VEIP & PPTP	Selective All	YES
Nokia G-010S-Q	RTL9601CI	16MiB	PPTP	NO	NO

Non-RTL960x GPON

Device	Mode	SoC	NAND	UNI	4-port EthUni
ODI DFP-34X-2C2	GPON SFP	ZTE	?	PPTP/VEIP	NO, NO OMCI EDIT
Huawei MA5671a	GPON SFP	Lantiq	16MiB	PPTP/VEIP	LAN 1
Nokia G-010S-P	GPON SFP	Lantiq	16MiB	PPTP/VEIP	LAN 1
Nokia G-010S-A	GPON SFP	Lantiq	16MiB	PPTP/VEIP	LAN 1

10G xPON ONU

Stick	Mode	SoC	NAND	Mode	4-port EthUni
Hisense LTF7263-BH+	10GE/XG/XGSPON	Realtek	?	?	?
Hisense LTF7267-BH+	XG/XGSPON	Realtek	?	?	?
PRX126	XG/XGSPON	Maxlinear PRX126	?	VEIP & PPTP	Maybe

Note

For XG/XGS/10GE PON RTL CA series Hacking, checkout @YuukiJapanTech on Hacking CA8271x XGS-PON Stick
For XG/XGS PON MxL PRX series hacking, checkout @up-n-atom on 8311

Guide, Links, Info

1. Backup env, env2 & config partition ^{Guide by @tdmadam}
2. Setup XPON ONU SFP Stick
   • Clone Stock ONU OMCI Info
     • Fiberhome ^{for who using Fiberhome ONT, high chance under Fiberhome OLT Standard, not Fiberhome OLT Universal}
   • ISP specific configuration
   • Troubleshoot
3. flash get, flash set
   • xPON Model Id
   • LAN SDS Mode
   • 2.5GbE Compatibility
   • Making the work on the Intel 82599es ^{Guide by @z411}
4. Health Reporting
   • Telegram ^{Mikrotik script by @smnrock, sending health report via Telegram Bot}
   • Telegram via #!/bin/bash ^{Linux Bash script by @chiragkrishna, sending health report via Telegram Bot}
   • Grafana ^{Grafana script by @Strykar, display PON Stats neatly! Project Repo}
5. Diagnostic
   • Factory Reset
   • Switch/Roll back Firmware
   • O5 no Internet ^{fake ONU Status cause by some OLT}
   • OMCI_TM_OPT ^{stick cause internet speed slow? this look at this, found by @ccy}
   • OMCI MIB INFO ^{check various OMCI, VLAN, OLT}
     • Forward Operation FwdOp ^{discussion about special VLAN (vlan 1) to force bridge}
     • Forward Operation FwdOp ^{fix_vlan.sh script for special ISP}
   • OMCI VLAN ^{list available VLAN that provided by OLT}
   • SFU/HGU feature bits ^{RE done by @rajkosto also define 4-port emulation ignore_conn_uniNode_check UniG on SFU firmware}
   • Wireshark ^{OMCI decoding for Wireshark by @tdmadam}
   • UART
6. TWCGPON657 × V2801F Firmware
7. V2801F Auto Reboot
8. Firmware Emulator
9. Keygen
   • V2801F
   • DFP-34X-2C2
10. SPI/EEPROM Programming
    • SPI Flash & EEPROM
    • SFP EEPROM for 2.5G AutoNeg ^{Linux host need this for 2.5G mode if not hacking kernel}

For those interested in learning more about the inner workings of PON technology, Hack-Gpon.org offers extensive resources, tools, and guides for in-depth study. It’s a great resource if you’re ready to dive into the technical details and explore the complexities of GPON—a true rabbit hole of learning!

Success Story

List of users has successfully ditch stock ONU!

1. @stich86 2.5GbE Internet
2. My journey connecting fiber internet to my router
3. Hinet users in TW
4. @izhamsatria: ~2.5Gbps on TM Unifi ^{before TIME announce 2Gbps plan in Malaysia}
5. Orange Fiber at 2Gbps (MikroTik 10Gbps CCR2004 router & ONT SFP+) ^{In French}
6. MagtiCom Fiber in Georgia
7. T-Mobile Netherlands replacing Huawei ONT ^{English version}
8. SilkNet Fiber in Georgia
9. Bangladesh: Dot-Internet Dhaka

VEIP vs PPTP

Code	Full name	Meaning
PPTP	Physical Path Termination Point	Directly binds to a specific LAN port, with OLT managing VLANs and settings on the ONT.
VEIP	Virtual Ethernet Interface Point	Acts like a virtual interface (e.g., tap0), allowing ONT firmware to assign to LAN ports, router mode, management, or VoIP.

Note

Since a PON SFP Stick has only one interface to the host, its firmware may struggle to manage VLANs from both PPTP and VEIP. Many firmware versions simply bridge all VLANs from both, regardless of configuration, which can lead to issues:

• If the same VLAN ID is used for different services on PPTP and VEIP, the stick’s firmware might bridge them together without distinction, potentially causing issues with DHCP/IPoE.
• Most firmware prioritizes PPTP first, using VEIP only if PPTP is unavailable. A few firmware versions allow manual VLAN selection for bridging, independent of PPTP/VEIP.

Also, note that if your ISP uses ME 148 (which enforces PPPoE and routing on the ONT), you may not be able to bridge directly to your own router. For bridge mode, it's best to contact your ISP for assistance.

4-Port LAN (UNI)

Many ISPs use PPTP to bind specific LAN ports to different service providers, allowing one ONT to support multiple ISPs. For instance, LAN 1 might be configured for ISP 1, LAN 2 for ISP 2, and so forth. This setup is common in areas served by single fiber vendors that host multiple ISPs.

However, this multi-ISP setup can pose issues for PON Sticks, as they might struggle to bridge VLANs on any port other than LAN 1. This limitation occurs because PPTP configurations, along with the Forwarding Operation (FwdOp), are often designed specifically for ONTs and may not be fully recognized by PON sticks. Some advanced setups attempt to resolve this by using an HGU MIB file to "trick" the OLT (Optical Line Terminal) into accepting the ME 84 and ME 171 operations, allowing better compatibility.

Fake O5 State

Some OLTs from manufacturers like Calix and Nokia, which support Universal ONU, may provide a “false O5” state, which can be misleading. A device might reach the O5 state (the operational stage where data transmission typically begins) even with incorrect Serial Number or PLOAM Password. In this scenario, the OLT might allow the connection to reach O5 but won’t actually push any VLAN configurations (typically ME 84 & ME 171).

To resolve this, double-check all configuration parameters, including the serial number and password. If the connection still doesn’t work after verification, the OLT may be requiring Vendor-Specific Managed Entities (ME) (IDs 350-399) which are sometimes mandated by ISPs for authentication or additional configuration.

O2-O5 Loop

A device entering an O2-O5 loop (oscillating between states) could indicate a similar issue as the "Fake O5" scenario. Another common reason for this loop is low optical receive power (RX), where the power level drops below the acceptable threshold (e.g., <= -23 dBm). When this happens, the OLT may refuse to allow a stable O5 state to maintain PON performance.

To address an O2-O5 loop caused by low RX power:

• Inspect and clean the fiber connector to ensure there’s no dirt or damage impacting signal strength.
• Check RX readings after cleaning, as improved optical power might stabilize the connection and help maintain a steady O5 state.

⚠️

Caution

If you have attempted all troubleshooting steps and are still unable to establish a connection, it’s recommended to stop further adjustments. Persistent errors or invalid configurations will be flagged by your ISP, and further experimentation can unintentionally disrupt the entire PON network in your area, affecting other users.

Please remember to use these tools responsibly and respect the shared network environment.

Thank you for your consideration and cooperation.

Repository Scope and Legal Considerations

Please note that this repository does not contain ISP-specific configurations or sensitive information, both for legal reasons and to ensure responsible use. We aim to provide general guidance without supporting any unauthorized activity.

If you’re looking for a reliable GPON Stick solution that is ready to use with minimal setup, consider checking with resellers in your country. Many resellers offer modified PON Sticks pre-configured for local ISPs, including:

• Pre-configured serial numbers (S/N) and PLOAM passwords:
  ^{Some resellers can program these credentials before shipping, making installation seamless and avoiding configuration hassle.}
• Enhanced compatibility:
  ^{In many cases, these units are plug-and-play, tailored for compatibility with specific ISPs.}

Note

By choosing a pre-configured unit from a reputable source, you can save time and ensure stability without needing to adjust settings manually.

Nijika Firmware

Modern, Bootstrap WebGUI, community patches for RTL9601D based is W.I.P. ^{Pixiv Artwork by @しみずけいたろう}

^{Preview of OLT Info on Nijika Firmware}

Community Support

For community support and discussions, consider joining these groups. Please remember to be respectful and mindful that members are helping in their free time. PON settings can be very complex and difficult to understand,