Perso
nbux
orange
ONT LEOX-GPON-LXT-010H-D
ONU GPON-ONU-34-20BI
ONU XGS-ONU-25-20NI

ONU XGS-ONU-25-20NI

Version 20240610

The real manufacturer of this ONU is CIG XG-99S.
To configure the ONU, you can use directly switch/router SFP port or a fiber media converter like these :

  • X710-DA2 (ONU is only accessible when fiber is plugged in)
  • MC220L (ONU is accessible with/without fiber plugged in)

WARNING1: The ONU is limited to 17 VLANs sent by the OLT while the OLT, in some case sends 22 (pro line), including VLAN 832 (Net), 840 (TV) and 838 (Phone). If you do not have TV subscription you should NOT have any issue, you will encounter the issue because the VLAN 832 will be 19th position (>17). Refer to the Xgspon_mod configuration method in this document.

WARNING2: Directly changing the serial, vendor and hardware version values on the ONU is NOT recommended. Indeed, in the case of RMA, you will need to make a return. Likewise, the ONU has a set of config files that allow these values to be dynamically replaced, without having to change the default values. This method is therefore greatly favoured and recommended. An ONU must have a failsafe which allows you to return to the initial state in the event of a brick or bad configuration. The mod that is used to configure the ONU allows you to perform a factory reset of the ONU via a double power cycle of less than 30 to 120 seconds. This makes it possible to greatly limit unintentional bricks caused by poor handling. This also makes it easy to return the ONU to factory settings (just do a double power cycle of less than 120sec).

Prefer to the Xgspon_mod configuration method in this document

ONU XGS-ONU-25-20NI

Defaults params

IP : 192.168.100.1 (telnet port 23)
telnet only

login/pasword defined as following :

User Password (Enable Password)
ONU GPON Serial Number 8 digit HMAC-MD5 based on Uppercase ONU GPON Serial Number
GPONxxxxxxxx xxxxxxxx

Note1: FS.com Stick XGS-ONU-25-20NI does not have its PON S/N on the label: the S/N field stamped on the label is FS.com’s internal S/N, not the PON S/N. In order to obtain the actual PON S/N, either ask an FS.com sales representative or check the boot log from the UART!

Note2: You can generate password from https://hack-gpon.org/xgs/ont-fs-XGS-ONU-25-20NI/#login-and-enable (section Login and Enable). You WILL NEED to generate the password after changing the serial number (come from the Livebox SN)

 
WARNING: if you change the serial number (to authenticate on the XGS optical tree), the login and password will be modified. Take care of remember the default and the new one. If you forget these, the provider (FS.com) will NOT help.

Configuration

Xgspon_mod method

Use https://github.com/rssor/fs_xgspon_mod
The ONU software uses a hook system. There is therefore a shim (.so) which is called by the ONU each time a mapping rule is made. shim is therefore the only ONU supported and official way of doing this kind of thing. There is no manual command that allows mapping by hand (at least not that I know of).
The mapping priorities are changed on the bridge, which include the rules requested by the OLT to avoid having "one rule = one mapping" but "one mapping = several rules".

  • Requirements :
    You will need to know the ONU serial. The easiest way to do this is to request it directly from fs.com.
    In case you have forgotten, there is a sub-module in the mod which allows you to find this serial in 20 seconds (see: Retrieving the serial)
    Make sure you are on the same network. You will need an address on the 192.168.100.0/24 network. You will also need to have a firewall rule that allows the ONU to access port 8172 on the address you have chosen on the 192.168.100.0/24 network. The ONU is accessible on IP 192.168.100.1

Basically, instead of having several mapping rules for VLAN 838/840/851 the tool will merge our rules and pool the prios. We are also thinking of simply trashing the 851 (telephone) rules, which would leave less than 17 VLAN mapping rules.

GPONXXXXXXXX is the ORIGINAL serial of ONU
SMBSXXXXXXXX is the Livebox(7) serial

  • Initial configuration :

    If you have less than 17 VLANs (no TV option, try this before if not sure)

./fs_xgspon_mod.py install GPONXXXXXXXX orange SMBSXXXXXXXX --vlan_rules ""
reboot

If you have more than 17 VLANs (TV option enabled for example)

./fs_xgspon_mod.py install GPONXXXXXXXX orange SMBSXXXXXXXX
reboot
  • Verification :
    Display serial, vendor and hwver in hexa
./fs_xgspon_mod.py telnet SMBSXXXXXXXX
/s/m/show 256
/s/m/show 257
  • Registration and link status
/traffic/pon/show onu

------------------------- ONU INFO --------------------------    
Onu id 26  
sdThreshold:   0  
sfThreshold:   0  
TO1:   80000  
TO2:   1  
eqd:   XXXXXXXX  
Serial Number(vendor code): SMBS  
Serial Number(sn):          XXXXXXX  
Password:                   XX XX XX XX XX XX XX XX XX XX  
Registration ID:           0xXXXXXXXXXXXXXXXX0000000000000000000000000000000000000000000000000000000000  
------------------------- INFO END --------------------------

/traffic/pon/show link
----------------- LINK STATE -----------------  
 Operation State Machine: OPERATION (O5)  
 ----------------- STATE  END -----------------
  • VLAN status
/system/mib/show 506

EntityID                  = 0x0101  
OuterPriFilter            = 15  
OuterVidFilter            = 4096  
OuterTPIDFilter           = 0  
InnerPriFilter            = 8  
InnerVidFilter            = 832  
InnerTPIDFilter           = 5  
EtherTypeFilter           = 0  
AniBriPortNum             = 2  
RmTagTreat                = 1  
OuterPriTreat             = 15  
OuterVidTreat             = 0  
OuterTPIDTreat            = 0  
InnerPriTreat             = 8  
InnerVidTreat             = 2800  
InnerTPIDTreat            = 2  
  
EntityID                  = 0x0101  
OuterPriFilter            = 15  
OuterVidFilter            = 4096  
OuterTPIDFilter           = 0  
InnerPriFilter            = 8  
InnerVidFilter            = 835  
InnerTPIDFilter           = 5  
EtherTypeFilter           = 0  
AniBriPortNum             = 6  
RmTagTreat                = 1  
OuterPriTreat             = 15  
OuterVidTreat             = 0  
OuterTPIDTreat            = 0  
InnerPriTreat             = 8  
InnerVidTreat             = 835  
InnerTPIDTreat            = 2
  • VLAN mapping
/traffic/eth/show connect all

$$ US BRIDGE 65535 $$  
---------------------------------------------------------------  
< INDEX = 0, SLOT = 1, PORT = 4, VLANFILTER = 832 PRIFILTER = 0x1>  
    VLAN MATCH : MATCH  
    VLAN ACT   : REPLACE  
    OUT  VID   : 2800  
    OUT  PRI   : 0  
    TCI MAPPING:  
                * PRI 0  -> FLOW 1  
                * PRI 1  -> FLOW 0  
                * PRI 2  -> FLOW 0  
                * PRI 3  -> FLOW 0  
                * PRI 4  -> FLOW 0  
                * PRI 5  -> FLOW 0  
                * PRI 6  -> FLOW 0  
                * PRI 7  -> FLOW 0
  • Persistence of modification : ONLY APPLY IF EVERYTHING IS OK
./fs_xgspon_mod.py persist SMBSXXXXXXXX
  • rearm (crontab) : ONLY APPLY IF EVERYTHING IS OK
    Used to auto rearm the ONU in case of failsafe mode switch(double power failure, double successive reboot, ...). You could use crontab to rearm automatically every 5 min...
    Example :
    • reboot after 300s powered-on : rearm not necessary
    • reboot after 10s powered-on : rearm not necessary
    • reboot after 70s powered-on : FAIL-SAFE enabled, ream in required !
      You can enable fail-safe on the ONU is case of bricked with a double successive reboot between 30-120s (reboot, wait 30s, reboot again).
      That's why it is necessary to use ORIGINAL serial number, NOT Orange serail number on the ream command
./fs_xgspon_mod.py rearm GPONXXXXXXXX

in crontab, for example :

*/2 * * * * (echo "" && /bin/date && /opt/onu_fs/fs_xgspon_mod_release-v1.3/fs_xgspon_mod.py rearm GPONXXXXXXXX) >> /opt/onu_fs/rearm.log 2>&1
  • Serial recuperation (brute force via CIG backdoor)
sudo ./fs_xgspon_mod.py discoverserial_cig

[+] Validated target reachable via telnet, check for ARP entries...
[+] Target reachable at MAC xxxxxxxxx from interface enp6s0 with MAC xxxxxxxxxx
[!] Beginning processing chunk of 1000 serials (next: GPON24100000)
[!] Beginning processing chunk of 1000 serials (next: GPON23b000e8)
...
[+] Telnet credentials: GPONXXXXXXXX / YYYYYYYY
  • Telnet brute force
    This is able to test around one password every 3 seconds or so. Should be able to tell you your serial if you run it overnight. As of Jan 2024 it needs to test up to 7200 serials.
./fs_xgspon_mod.py discoverserial
[!] Attempting GPON24100000
...
[+] Telnet credentials: GPONXXXXXXXX / YYYYYYYY

Manual method

WARNING: Do not forget that the ONU allows you to perform a factory reset of the ONU via a double power cycle of less than 30 to 120 seconds. This makes it possible to greatly limit unintentional bricks caused by poor handling. This also makes it easy to return the ONU to factory settings (just do a double power cycle of less than 120sec). In these case, the ONU will lost all your modifications and you will have to apply them again...

  1. Plug the SFP+ ONU XGS-PON inside the switch (use a bridge if required)

  2. Configure the PC to be able to telnet to 192.168.100.1:23 (must be in the same network than ONU)

  3. Authenticate and configure

  4. Remember the default configuration settings 

#ONT/system/misc>eqsn get  
eqsn: GPONxxxxxxxx  
#ONT/system/misc>vendor get  
vendor: GPON  
#ONT/system/misc>eqvid get  
eqvid: XG-99S
  1. Apply the new config (SN, Vendor, VendorID)
eqsn set "SMBSxxxxxxxx" (Serial Number from Livebox7 info page)  
vendor set "SMBS"  
eqvid set "SMBSXLB7400"  (Livebox7 is the only XGPON box currently)

Note: VendorID for Livebox7 is SMBSXLB7400, Vendor is SMBS
For example, here are some correct ONT Hardware Versions (section 9.9 on Livebox web interface):

Version Hardware
Livebox7 SMBS SMBSXLB7400
Livebox6 SMBS SMBSSGLB6107
Livebox5 SCOM SMBSSGLBF121
Huawei HG8010H HWTC HWTCA240FA
Huawei HG8010H HWTC HWTCA2B5B

Note: If you encounter some DHCP issues and everything seems right, try to change the HWVER without modifying SERIAL number. For example, Huawei ONT serial number with a Livebox6 HWVER.

  1. Set the tips from Snide2242 (https://lafibre.info) for ethernet bridge correction
echo ETH10GESLOT=1 > /mnt/rwdir/sys.cfg    
reboot
  1. Verify after reboot
ONT>enable  
#ONT>system  
#ONT/system>misc  
#ONT/system/misc>eqsn get  
eqsn: SMBSxxxxxxxx (Serial Number de la page d'info de la Livebox 7)  
#ONT/system/misc>vendor get  
vendor: SMBS  
#ONT/system/misc>eqvid get  
eqvid: SMBSXLB7400  
#ONT/system/misc>
#ONT/system/shell>cat /mnt/rwdir/sys.cfg  
ETH10GESLOT=1
  1. Plug the SFP inside your router and enjoy

Note: There is no need to add 2 bytes padding \0\0 on HW Version like on GPON stick
WARNING: Take care of remembering the original and the new SN/login/password !

Setting management IP

To change the management IP, set it with the misc CLI option and the admin_ip set <ip> command. For example, if the desired management IP is 192.168.1.1:

#ONT/system/misc> admin_ip set 192.168.1.1

To change the management IP netmask, set it with the misc CLI option and the admin_mask set <netmask> command. For example, if the desired management IP mask is 255.255.255.0:

#ONT/system/misc> admin_mask set 255.255.255.0

Check Status

Operational

#ONT> traffic/pon/show onu
------------------------- ONU INFO --------------------------

Onu id 65535
sdThreshold:   0
sfThreshold:   0
TO1:   80000
TO2:   1
eqd:   0
Serial Number(vendor code): GPON
Serial Number(sn):          abcd1234
Password:                   30 31 32 33 34 353 36 37 38 39
Registration ID:           0x44454641554c540000000000000000000000000000000000000000000000000000000000
------------------------- INFO END --------------------------

#ONT>traffic/pon/show link
 ----------------- LINK STATE -----------------
 Operation State Machine: INIT (O1)
 ----------------- STATE  END -----------------

MIB 131

#ONT>system/mib/show 131
Table Oltg, Olt-g, total 1 instances

EntityID                  = 0x0000
VendorId                  = ""
EquipmentId               = ""
Version                   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00
TimeOfDay                 = 00 00 00 00 00 00 00 00 00 00 00 00 00 00

LAN Speed

#ONT>traffic/eth/show pack
build time Apr 26 2023: 06:23:15

-------------------- Line Pack -- PWR 0X0      --
Line Slot 10, NumOfPorts 1, type 49, subtype 75, state 2
-------------------- Configuration -------------------
port | enable | loop | Mode | RL Type | RL Us Rate| RL Ds Rate|
1       Yes     No      Auto            0       0       0

-------------------- Status -------------------
1) link state: Up, link mode: 2.5G Full

-------------------- Bridge Pack -------------------
Type:       75
State:      2
MAC Table:  0
MAC Aging:  0
MTU:        0
-------------------- Chip Data -------------------
eth Fd:         7
port Mask:      0x0018
type            28

********** DEBUG INFO **********
                 EmrLogId  : 5
               EmrAdminEn  : 0
              EmrbeInited  : 1
              EmrDumpConn  : 0
             EmrPwrShedEn  : 0x0
           EmrConnItemNum  : 0
         EmrUsDsReverseEn  : 1
       EmrConnAllVidCheck  : 0
      EmrMcastGemVlanOpEn  : 1
       gEmrSaveConnItemEn  : 1
      gEmrMcastCrossVlanEn : 1
    EmrUniExtractPriMatch  : 1
 EMR_DRV_PACK_DUMP_ITEM_EN : 0
********************************
Table Of Contents
ONU XGS-ONU-25-20NI
ONU XGS-ONU-25-20NI
Defaults params
Configuration
Xgspon_mod method
Manual method
Setting management IP
Check Status
Operational
Link
MIB 131
LAN Speed