jclehner / bcm2-utils
Utilities for Broadcom-based cable modems
License: GNU General Public License v3.0
When trying to supply a password, bcm2dump can't connect to the modem, but via PuTTY everything works well:
> bcm2dump -vv dump 192.168.0.1,cable,cable flash image1 image1.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
error: telnet: interface auto-detection failed
context:
<== ' '
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login: '
==> ' '
==> 'Password: '
<== ' '
==> (empty)
==> (empty)
==> 'Invalid login...'
==> (empty)
I set the user and password to blank via SNMP v2c and tried again:
> bcm2dump -vv dump 192.168.0.1,, flash image1 image1.bin
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected non-telnet interface
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
read incomplete chunk 0x80624d90: 0/16; retrying
read incomplete chunk 0x80624d90: 0/16; retrying
read incomplete chunk 0x80624d90: 0/16; retrying
read incomplete chunk 0x80624d90: 0/16; retrying
read incomplete chunk 0x80624d90: 0/16; retrying
error: telnet: read incomplete chunk 0x80624d90: 0/16
context:
<== ' '
==> ' RG> '
==> 'RG_Console> '
<== '/read_memory -s 4 -n 16 0x80624d90'
==> ' RG_Console> /read_memory -s 4 -n 16 0x80624d90'
==> (empty)
==> 'Error - Unknown command: '/read_memory -s 4 -n 16 0x80624d90''
==> (empty)
==> 'RG_Console> '
<== ' '
==> ' RG_Console> '
==> 'RG_Console> '
<== '/read_memory -s 4 -n 16 0x80624d90'
==> ' RG_Console> /read_memory -s 4 -n 16 0x80624d90'
==> (empty)
==> 'Error - Unknown command: '/read_memory -s 4 -n 16 0x80624d90''
==> (empty)
==> 'RG_Console> '
<== ' '
==> ' RG_Console> '
<== '/read_memory -s 4 -n 16 0x80624d90'
==> ' RG_Console> /read_memory -s 4 -n 16 0x80624d90'
==> (empty)
==> 'Error - Unknown command: '/read_memory -s 4 -n 16 0x80624d90''
==> (empty)
==> 'RG_Console> '
<== ' '
==> ' RG_Console> '
<== '/read_memory -s 4 -n 16 0x80624d90'
==> ' RG_Console> /read_memory -s 4 -n 16 0x80624d90'
==> (empty)
==> 'Error - Unknown command: '/read_memory -s 4 -n 16 0x80624d90''
==> (empty)
==> 'RG_Console> '
<== ' '
==> ' RG_Console> '
<== '/read_memory -s 4 -n 16 0x80624d90'
==> ' RG_Console> /read_memory -s 4 -n 16 0x80624d90'
==> (empty)
==> 'Error - Unknown command: '/read_memory -s 4 -n 16 0x80624d90''
==> (empty)
==> 'RG_Console> '
<== ' '
==> ' RG_Console> '
<== '/read_memory -s 4 -n 16 0x80624d90'
==> ' RG_Console> /read_memory -s 4 -n 16 0x80624d90'
==> (empty)
==> 'Error - Unknown command: '/read_memory -s 4 -n 16 0x80624d90''
==> (empty)
==> 'RG_Console> '
This modem has a strange interface: when logging in, we get "rg_console" with a very limited command line interface. To switch, we have to issue the "switchCpuConsole" command, and then we get "CM_Console".
Unfortunately, the password "brcm" for su is not valid. I've tried broadcom, Broadcom, ubee, Ubee, cable etc., but no password is working.
Below are a few command outputs which might be useful:
CM_Console/system> show version
Broadcom Corporation Reference Design
+------------------------------------------------------------------------------------------------+
|
| _/_/ _/_/_/_/ _/_/
|
| _/ _/ _/ _/ _/ Broadband
|
| _/ _/ _/ _/
|
| _/_/ _/_/_/ _/ Foundation
|
| _/ _/ _/ _/
|
| _/ _/ _/ _/ _/ Classes
|
| _/_/_/ _/ _/_/
|
|
|
| Copyright (c) 1999 - 2018 Broadcom Corporation
|
|
|
| Revision: 5.7.1mp4
|
|
|
| Features: BCM93384WVG Console TelnetConsole SshConsole Nonvol Fat HeapManager SNMP Networking
|
| Features: IPv6 (script bcm93384wvg_GENERIC) LinuxOnTP1 TR69 Switch53124
+------------------------------------------------------------------------------------------------+
|
| Standard Embedded Target Support for BFC
|
|
|
| Copyright (c) 2003-2018 Broadcom Corporation
|
|
|
| Revision: 3.0.1
|
|
|
| Features: PID=0x1007 BID=0x0 Bootloader-Rev=1.0.03 Bootloader-Compression-Support=0x11
|
| Features: MANUFACT_BITS=0x9
|
| Features: Dual-band Wifi Bcm80211=Build Apr 11 2017 14:32:54
|
| Features: App Ver 7.14.89.22.571.266
|
| Features: Wl Ver 7.14.89.22.571.266
|
| Features: IopLib-Rev=571.14.1
+------------------------------------------------------------------------------------------------+
|
| eCos BFC Application Layer
|
|
|
| Copyright (c) 1999 - 2018 Broadcom Corporation
|
|
|
| Revision: 3.0.2
|
|
|
| Features: IPv6 Stack Version 1.2.3
|
| Features: eCos Console Cmds, (no Idle Loop Profiler)
+------------------------------------------------------------------------------------------------+
|
| _/_/_/
|
| _/_/ _/ _/ eRouter Dual Stack
|
| _/ _/ _/ _/
|
| _/_/_/_/ _/_/_/
|
| _/ _/ _/
|
| _/ _/ _/
|
| _/_/_/ _/ _/
|
|
|
| Copyright (c) 1999 - 2015 Broadcom Corporation
|
|
|
| Revision: 5.7.1mp4
|
|
|
| Features: eRouter SNMP Customer Extension NATP DS-Lite L2oGRE HomeHotspot
+------------------------------------------------------------------------------------------------+
|
| Broadcom eRouter Customer Extension
|
|
|
| Copyright (c) 1999 - 2018 Broadcom Corporation
|
|
|
| Revision: 3.0.2
|
|
|
| Features: ()
+------------------------------------------------------------------------------------------------+
|
| Build Date : Mar 19 2018
|
| Build Time : 17:26:44 (+0800)
|
| Build By : allan
|
| Build Products :
|
| Build Processors: 3384
|
| Build Parameters: num_sids 16 docsis 20 j 4 mtaipv6 1 wombo1 WIFI_4360MCM5_P120 wombo2
|
| Build Parameters: WIFI_43217 c 45 pid 1007 imagename EVW32C_VECTRA_2.7.1002-NCS outputdir
|
| Build Parameters: GENERIC
|
| Build Targets :
|
| Image Path : /home/allan/D30Euro/ubee571mp2/570mp1_pc15/rbb_cm_src/CmDocsisSystem/ecos/GE
|
| Image Path : NERIC
|
| Image Name : EVW32C_VECTRA_2.7.1002-NCS_sto.bin
|
| Build Command : bcm93384wvg_GENERIC eu nodect linux_on_tp1 nolinux_on_pmc j 4 eu cmvendor
|
| Build Command : emta power litepower nodect nobattery nobattery_fdhdwr vin12v erouter ipv6
|
| Build Command : mtaipv6 1 nandflash spiflash eps novlan noestb_ecm_vlan_connection bcm80211n
|
| Build Command : dual_band_80211n wombo1 WIFI_4360MCM5_P120 wombo2 WIFI_43217 managedswitch
|
| Build Command : switch53124 nointernalusb nousb20 telnet openssh c 45 fap_assist nat_hwaccel
|
| Build Command : linux_partitions nolinux_on_pmc dualflash nolinux_on_zephyr linux_on_tp1 nas
|
| Build Command : nomediaserver monolith turbo_wifi mid_split tr69 homehotspot l2ogre dslite
|
| Build Command : spectrum_analyzer nowifi_spectrum_analyzer vpn dynwebpage legacy_parent
|
| Build Command : grelegacymib grehomehotspot pid 1007 imagename EVW32C_VECTRA_2.7.1002-NCS
|
| Build Command : outputdir GENERIC noslim
|
| Build Options : amdflash cfiflash cmd_help_text nocomcast_video_caching demangle deps
|
| Build Options : dualbuild factorymibs noheapboundscheck noheapleakdebug http intelflash
|
| Build Options : mgmtmibs nocmapp_port_forward nobcm80211n_debug nobonded nocpeportfilter
|
| Build Options : nodasm nodiag nodtp_test nosingleconsole nodualeth noedva noextendedugs
|
| Build Options : noflashserver noflashclient nofn_profile nofonhotspot nofpm nohnap nohttpssl
|
| Build Options : noipsv noitc noiptv nowasu nojedecflash nol2tpv2 nol2tpv3 nolinux_watchdog
|
| Build Options : nolinux_erouter nomap nomultiprocmon nonandboot nootp noperfmonitor
|
| Build Options : nopiggyback pktc nopmip nopopup nopppoe nopptp nortrproxy noserialportoff
|
| Build Options : noshow nosigtls nosip nosipdbg nosipdqos nosipipv6 nosmp nosnmpproxy
|
| Build Options : nosnoopdebug nosplitbootblock nosiliconverify nostress_test nosuperslim
|
| Build Options : notftp_server nousbhost nodualusbhost nouda nousg_web_pages noutp_test
|
| Build Options : novendorhttps useformregistrar nowifihotspot nowifimfg noclwifi nodual_lna
|
| Build Options : openssl quiet nounified warn_error noethwan nopcielowpwr usmac_diag noupnpc
|
| Build Options : noswitchport_1_4 nozephyr_console_uart0 nomoca nomoca20 msc noaprouter
|
| Build Options : noautodetect_tuner2 noautodetect_tuner4 nodocsis20snmp noemtasim noietf
|
| Build Options : nomixed_annex nono_cmts_d3_partial_svc nooms pcie nosingle_ds nosled us
|
| Build Options : nobpi_helper_on_fap noxml_doc nocmtr69 noedge_device noecm normagnum nodsg
|
| Build Options : norswdload noip_rnvol noestb_config nooob noprereg_sets nocdl20 nodsg30
|
| Build Options : noecm_clcerts nopcieep nob2b_rgmii nodavic noext_ephy nohost_bridge
|
| Build Options : nodavic_api nog8davic_api noseb nocustom_vendor_dir use_unimac0
|
| Build Options : nostb_owns_eth2 nodnac nostb_has_lan noecmestbsockif nocablecard_ipproxy
|
| Build Options : nostb_pcie_vlan noexplicit_vlan nolgi_dawn nostb_on_eth2 nolow_gw
|
| Build Options : nostb_include_sidecar d30 noejtag smisb fpm512 newleds cacheopt avs l2vpn eu
|
| Build Options : cmvendor emta power litepower nodect nobattery nobattery_fdhdwr vin12v
|
| Build Options : erouter ipv6 nandflash spiflash eps novlan noestb_ecm_vlan_connection
|
| Build Options : bcm80211n dual_band_80211n managedswitch switch53124 nointernalusb nousb20
|
| Build Options : telnet openssh fap_assist nat_hwaccel linux_partitions nolinux_on_pmc
|
| Build Options : dualflash nolinux_on_zephyr linux_on_tp1 nas nomediaserver monolith
|
| Build Options : turbo_wifi mid_split tr69 homehotspot l2ogre dslite spectrum_analyzer
|
| Build Options : nowifi_spectrum_analyzer vpn dynwebpage legacy_parent grelegacymib
|
| Build Options : grehomehotspot noslim
+------------------------------------------------------------------------------------------------+
CM_Console/system> show flash
Flash Device Information:
CFI Compliant: no
Command Set: Generic SPI Flash
Device/Bus Width: x16
Little Word Endian: no
Fast Bulk Erase: no
Multibyte Write: 256 bytes max
Phys base address: 0xbadf1a5
Uncached Virt addr: 0x1badf1a5
Cached Virt addr: 0x2badf1a5
Number of blocks: 16
Total size: 1048576 bytes, 1 Mbytes
Current mode: Read Array
Device Size: 1 MB, Write buffer: 256, Flags: 0
Size Device Device Region
Block kB Address Offset Offset Region Allocation
----- ---- ---------- ----------- --------- -----------------
0 64 0x1badf1a5 0 0 bootloader (65536 bytes)
1 64 0x1baef1a5 0x10000 0 permnv
2 64 0x1baff1a5 0x20000 0x10000 permnv (131072 bytes)
3 64 0x1bb0f1a5 0x30000 ??? {unassigned}
4 64 0x1bb1f1a5 0x40000 ??? {unassigned}
5 64 0x1bb2f1a5 0x50000 ??? {unassigned}
6 64 0x1bb3f1a5 0x60000 ??? {unassigned}
7 64 0x1bb4f1a5 0x70000 ??? {unassigned}
8 64 0x1bb5f1a5 0x80000 ??? {unassigned}
9 64 0x1bb6f1a5 0x90000 ??? {unassigned}
10 64 0x1bb7f1a5 0xa0000 ??? {unassigned}
11 64 0x1bb8f1a5 0xb0000 ??? {unassigned}
12 64 0x1bb9f1a5 0xc0000 0 dynnv
13 64 0x1bbaf1a5 0xd0000 0x10000 dynnv
14 64 0x1bbbf1a5 0xe0000 0x20000 dynnv
15 64 0x1bbcf1a5 0xf0000 0x30000 dynnv (262144 bytes)
Flash Device Information:
CFI Compliant: no
Command Set: Generic NAND Flash
Device/Bus Width: x16
Little Word Endian: no
Fast Bulk Erase: no
Multibyte Write: 512 bytes max
Phys base address: 0xbadf1a5
Uncached Virt addr: 0x1badf1a5
Cached Virt addr: 0x2badf1a5
Number of blocks: 1024
Total size: 134217728 bytes, 128 Mbytes
Current mode: Read Array
Device Size: 128MB, Block size: 128KB, Page size: 2048
Size Device Device Region
Block kB Address Offset Offset Region Allocation
----- ---- ---------- ----------- --------- -----------------
0 128 0x1badf1a5 0 0 linuxapps
[...]
609 128 0x206ff1a5 0x4c20000 0x4c20000 linuxapps (79953920 bytes)
610 128 0x2071f1a5 0x4c40000 0 image1
[...]
717 128 0x2147f1a5 0x59a0000 0xd60000 image1 (14155776 bytes)
718 128 0x2149f1a5 0x59c0000 0 image2
[...]
825 128 0x221ff1a5 0x6720000 0xd60000 image2 (14155776 bytes)
826 128 0x2221f1a5 0x6740000 0 linux
[...]
861 128 0x2267f1a5 0x6ba0000 0x460000 linux (4718592 bytes)
862 128 0x2269f1a5 0x6bc0000 0 linuxkfs
[...]
1005 128 0x2387f1a5 0x7da0000 0x11e0000 linuxkfs (18874368 bytes)
1006 128 0x2389f1a5 0x7dc0000 0 dhtml
[...]
1023 128 0x23abf1a5 0x7fe0000 0x220000 dhtml (2359296 bytes)
For this device, the /system/diag readmem command seems to be correct:
RG_Console> cd /system
Active Command Table: System Command Table (system)
Console -> system
RG_Console/system> help diag
COMMAND: diag
USAGE: diag [-p] [-c] [-s ParmSValue] [-n ParmNValue] [readmem|writemem|clear_debug_counters|show_debug_counters|set_debug_flow|snmp_reset|contextSwitch|debugStarvedTask|ecos_dbg] [Parm2] [Parm3]
DESCRIPTION:
Executes diag commands of the system
EXAMPLES:
readmem -s 4 -n 64 0x80001234 -- Reads 64 bytes as 32-bit values.
writemem 0x80001234 0x56 -- Write a byte to the address.
clear_debug_counters -- Clear UTP debug counters.
show_debug_counters -- Show debug counters for a selected flow.
set_debug_flow 0 -- Enable debug counters for the selected
flow.
snmp_reset -- Reset sockets for all SNMP agents.
contextSwitch -- Enable/disable context switch log.
debugStarvedTask -- Check for starved task
ecos_dbg -- Set various eCos debug flag
Hi,
I have a Castlenet CBV384Z4-AC1600 modem.
Some features are restricted in the interface, e.g. router and bridge.
I downloaded GatewaySettings.bin.
How can I enable the features using a bootloader dump?
Hi and thank you for making bcm2-utils :) I've recently acquired a Technicolor TC7210 and I've been playing around with it for a bit. I've managed to write a draft device profile for it, but I could use your help finishing it up before submitting a pull request, if you'd be willing to walk me through the next steps.
I've got eCos console access through 192.168.100.1 and Linux console access (it's borked at the moment, but hopefully it'll be fixed soon). I've also made a bcm2-utils AUR package for Arch-based distros, if you want to include that in your README.md :)
Here are the logs from the eCos console:
tc7210_flash_open.txt
tc7210_flash_show.txt
tc7210_version.txt
Is there a database of dumps we can use? It would be useful to look at it and use it to validate against our own ones. Feel free to DM me if you're willing to share!
I have a bricked Netgear CAX80, probably bricked during the infamous OTA pushed by the ISP in 2022.
Only one of the four UARTs (UART_A) gives me any data, and it is the RG terminal. After the BOLT bootloader, which does not get interrupted by pressing any keys, it gets stuck at the RG login.
I would appreciate it if someone could guide me on what I can do to get past that and boot into U-Boot, or revive it in some other way.
Attaching the image of the UARTs and the logs I'm able to get.
CAX80_RG.txt
Hello,
I have an EVW321B (which I assume should work with the EVW32C profile?) and I'm trying bcm2cfg on it. I downloaded the GatewaySettings.bin file and ran bcm2cfg info on it. It fails to parse group 'userif' and group 'firewall'.
Also, when I change a setting to the exact same value, the checksum becomes different, and the modem will not restore that GatewaySettings.bin:
$ ./bcm2cfg info ./GatewaySettings.bin
failed to parse group userif
failed to parse group firewall
./GatewaySettings.bin
type : gwsettings
profile : evw32c
checksum: c1d66210260a6585c4e28c997dfd2d3f (ok)
size : 15573 (ok)
key : 6c3ea0477630ce21a2ce334aa746c2cdc782dc4c098c66cbd9cd27d825682c81
36535256 6SRV 0.1 grp_6srv 1294 b
52472e2e RG.. 0.32 rg 3386 b
4d4c6f67 MLog 0.5 userif 120 b
4344502e CDP. 1.5 dhcp 1500 b
7a6f7267 zorg 0.7 grp_zorg 246 b
416d4468 AmDh 0.1 grp_amdh 118 b
46495245 FIRE 0.8 firewall 110 b
4353502e CSP. 1.4 grp_csp 53 b
50524e54 PRNT 0.5 grp_prnt 123 b
56504e47 VPNG 1.0 grp_vpng 15 b
38303231 8021 0.42 bcmwifi 804 b
38303232 8022 0.42 bcmwifi2 804 b
57694775 WiGu 0.15 guestwifi 3434 b
57694776 WiGv 0.15 guestwifi2 3486 b
$ ./bcm2cfg get ./GatewaySettings.bin rg.syslog_email
failed to parse group userif
failed to parse group firewall
rg.syslog_email = ""
$ ./bcm2cfg set ./GatewaySettings.bin rg.syslog_email ''
failed to parse group userif
failed to parse group firewall
rg.syslog_email = ""
$ ./bcm2cfg info ./GatewaySettings.bin
failed to parse group userif
failed to parse group firewall
./GatewaySettings.bin
type : gwsettings
profile : evw32c
checksum: 3ea68fb27b16c00669effb5abc76a04f (ok)
size : 15573 (ok)
key : 6c3ea0477630ce21a2ce334aa746c2cdc782dc4c098c66cbd9cd27d825682c81
36535256 6SRV 0.1 grp_6srv 1294 b
52472e2e RG.. 0.32 rg 3386 b
4d4c6f67 MLog 0.5 userif 120 b
4344502e CDP. 1.5 dhcp 1500 b
7a6f7267 zorg 0.7 grp_zorg 246 b
416d4468 AmDh 0.1 grp_amdh 118 b
46495245 FIRE 0.8 firewall 110 b
4353502e CSP. 1.4 grp_csp 53 b
50524e54 PRNT 0.5 grp_prnt 123 b
56504e47 VPNG 1.0 grp_vpng 15 b
38303231 8021 0.42 bcmwifi 804 b
38303232 8022 0.42 bcmwifi2 804 b
57694775 WiGu 0.15 guestwifi 3434 b
57694776 WiGv 0.15 guestwifi2 3486 b
On a side note, when I change line nonvoldef.cc:192 from
NV_VAR(nv_u32, "ssh_inactivity_timeout"),
to
NV_VAR(nv_data, "", 1),
the group 'userif' is parsed and I can get and set settings contained in that group. The above behavior does not change however, and the modem will still not restore my GatewaySettings.bin.
Is it possible I have a newer, unsupported firmware? I'm on hardware version 3.12.1 and software version 9.12.8006. Or is the EVW321B not supported at all?
With kind regards,
Jurrie
Hi, Joseph. As a weird weekend project I started fiddling with some Netgear CG3100 cable-modem/router/access-point.
I wanted something neat to do some black-box format reversing with, and I have documented most of the structures as a 010 Editor binary template, which can be found here: https://github.com/Swyter/netgear-cg3100-config-decoder
I have been interested since opening the GatewaySettings.bin and seeing what looked like only half of the bytes being XOR'ed while the rest seemed to be plain text; I could even spot the SSID and password. Adding an extra character to the Wi-Fi password displaced everything in the config file by one byte, revealing the other half in plain text. Decoding it was both easy and hard, because the zero-padded zones made it clear that the byte key was incremental and lined up with the byte offset; what took me a lot of time was figuring out that I had to subtract, not XOR. After that I scratched my head about the output still being garbled, but it was just a matter of swapping the two bytes of each ushort, in what seems like an unintentional artifact of working on 16-bit blocks, I think.
The header seemed to fit the length of an MD5 checksum, but nothing seemed to match. Then I found your program suite and documentation. That gave me the neat 2Pslc;u(egmd0-'x salt and a way of enabling SSH and Telnet.
So, yeah. I've had fun. There are some things I wanted to talk about:
- The FIRE block doesn't seem to get parsed by your bcm2cfg program; I have documented most of it. It may be a Netgear extension. Maybe that helps a bit.
- A 01 or 00 byte at the end of the file when the byte count ends up being odd, breaking bcm2cfg's check-summing. The solution is to only check-sum the real size (i.e. until the end of the struct) as stated in the header at offset 0x4C (or 0x5C with the MD5 hash prefix from normal files).
- (GND/TXD/RXD/3v3 when looking from the back/Ethernet side; leave 3v3 disconnected). I'm interested in dumping the firmware: https://github.com/Swyter/netgear-cg3100-config-decoder/blob/master/netgear-cg3100-boot-cm-serial-log.txt
Let me know what you think. ¯\_(ツ)_/¯
I gained access to the Linux running on the above router using the "admin:broadcom" credentials. From there I can dump mtd0, mtd1 and mtd2; the mtd4 and mtd5 dumps are corrupted, I think because of race conditions between Linux and eCos. I can also dump the complete 128MB RAM image using /dev/mem. It looks like it contains eCos symbols too. I can also export and restore Gatewaysettings.bin from the web UI.
The userif sections are present, but the telnet username and password are empty. That section is completely missing from the Gatewaysettings.bin:
userif = {
http_user = "admin"
http_pass = "admin"
http_admin_user = ""
http_admin_pass = "aDm1n$TR8r"
remote_acc_methods = telnet | ssh
remote_acc_user = ""
remote_acc_pass = ""
telnet_ipstacks = IP1 | IP2 | IP5
ssh_ipstacks = IP1 | IP2 | IP5
remote_acc_timeout = 0
http_ipstacks = IP1 | IP2 | IP3 | IP5
http_adv_ipstacks = IP1 | IP2 | IP3
http_seed = ""
http_acl_hosts =
http_idle_timeout = 60
}
I tried altering mtd2 (dynnv) using bcm2cfg and writing it back using dd and the OpenWrt mtd tool, but Linux doesn't let me write to mtd2. Is there a way around this? Or a way of adding the userif section to Gatewaysettings.bin and restoring it?
An interesting thing to note is that the mtd device is marked in Linux as MTD_BIT_WRITEABLE (flag 0x800). I can share the RAM dump if it would help.
I was able to enable telnet on a SkyWorth router (ISP provided) by using a modified config file and removing the coax cable.
I got into Telnet and got BOMBARDED with some kind of log. Here is the "log":
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008
WARNING: Access allowed by authorized users only.
Login: admin
Password:
CM> word:
Console> Scanning DS Channel at 243000000 Hz...(from scan list)
[00:00:59 01/01/1970] [NonVol Device Async Helper] BcmNonVolDeviceDriverBridge::WriteSync: (NonVol Device) Synchronous write to dynamic nonvol section succeeded
Scanning DS Channel at 237000000 Hz...(from scan list)
Scanning DS Channel at 231000000 Hz...(from scan list)
Scanning (pattern) DS Channel at 747000000 Hz...
Console> Scanning (pattern) DS Channel at 741000000 Hz...
Scanning (pattern) DS Channel at 735000000 Hz...
Scanning (pattern) DS Channel at 729000000 Hz...
Scanning (pattern) DS Channel at 723000000 Hz...
Scanning (pattern) DS Channel at 717000000 Hz...
Scanning (pattern) DS Channel at 711000000 Hz...
Scanning (pattern) DS Channel at 705000000 Hz...
Scanning (pattern) DS Channel at 699000000 Hz...
Scanning (pattern) DS Channel at 693000000 Hz...
Scanning (pattern) DS Channel at 687000000 Hz...
Scanning (pattern) DS Channel at 681000000 Hz...
Scanning (pattern) DS Channel at 675000000 Hz...
Scanning (pattern) DS Channel at 669000000 Hz...
Scanning (pattern) DS Channel at 663000000 Hz...
[00:01:01 01/01/1970] [DHCPv6 Server Thread] BcmDhcpV6ServerIf::ProcessSolicitPacket: (DHCPv6 ServerIf instance 0) ERROR - Failed to create lease! Too many active leases
Scanning DS Channel at 243000000 Hz...(from scan list)
Scanning DS Channel at 237000000 Hz...(from scan list)
Scanning DS Channel at 231000000 Hz...(from scan list)
Scanning (pattern) DS Channel at 523750000 Hz...
Scanning (pattern) DS Channel at 517750000 Hz...
Scanning (pattern) DS Channel at 511750000 Hz...
Scanning (pattern) DS Channel at 505750000 Hz...
Scanning (pattern) DS Channel at 499750000 Hz...
Scanning (pattern) DS Channel at 493750000 Hz...
Scanning (pattern) DS Channel at 487750000 Hz...
Scanning (pattern) DS Channel at 481750000 Hz...
Scanning (pattern) DS Channel at 475750000 Hz...
Scanning (pattern) DS Channel at 469750000 Hz...
Scanning (pattern) DS Channel at 463750000 Hz...
Scanning (pattern) DS Channel at 457750000 Hz...
Scanning (pattern) DS Channel at 451750000 Hz...
Scanning (pattern) DS Channel at 445750000 Hz...
Scanning (pattern) DS Channel at 439750000 Hz...
Scanning (pattern) DS Channel at 433750000 Hz...
Scanning (pattern) DS Channel at 427750000 Hz...
Scanning (pattern) DS Channel at 421750000 Hz...
Scanning (pattern) DS Channel at 415750000 Hz...
Scanning (pattern) DS Channel at 409750000 Hz...
Scanning (pattern) DS Channel at 403750000 Hz...
Scanning (pattern) DS Channel at 397750000 Hz...
Scanning (pattern) DS Channel at 391750000 Hz...
Scanning (pattern) DS Channel at 385750000 Hz...
Scanning (pattern) DS Channel at 379750000 Hz...
Scanning (pattern) DS Channel at 373750000 Hz...
Scanning (pattern) DS Channel at 367750000 Hz...
Scanning (pattern) DS Channel at 361750000 Hz...
Scanning (pattern) DS Channel at 355750000 Hz...
Scanning (pattern) DS Channel at 349750000 Hz...
Scanning (pattern) DS Channel at 343750000 Hz...
Scanning (pattern) DS Channel at 337750000 Hz...
Scanning DS Channel at 261000000 Hz...(from scan list)
Scanning DS Channel at 273000000 Hz...(from scan list)
Scanning DS Channel at 267000000 Hz...(from scan list)
Scanning DS Channel at 255000000 Hz...(from scan list)
Scanning DS Channel at 249000000 Hz...(from scan list)
Scanning DS Channel at 243000000 Hz...(from scan list)
Scanning DS Channel at 237000000 Hz...(from scan list)
Scanning DS Channel at 231000000 Hz...(from scan list)
Scanning (pattern) DS Channel at 331750000 Hz...
Scanning (pattern) DS Channel at 325750000 Hz...
Scanning (pattern) DS Channel at 319750000 Hz...
Scanning (pattern) DS Channel at 313750000 Hz...
Scanning (pattern) DS Channel at 307750000 Hz...
Scanning (pattern) DS Channel at 301750000 Hz...
Scanning (pattern) DS Channel at 295750000 Hz...
Scanning (pattern) DS Channel at 289750000 Hz...
Scanning (last happy) DS Channel at 261000000 Hz...
Scanning (pattern) DS Channel at 283750000 Hz...
Scanning (pattern) DS Channel at 277750000 Hz...
Scanning (pattern) DS Channel at 271750000 Hz...
Scanning (pattern) DS Channel at 265750000 Hz...
Scanning (pattern) DS Channel at 259750000 Hz...
Scanning (pattern) DS Channel at 253750000 Hz...
Scanning (pattern) DS Channel at 247750000 Hz...
Scanning (pattern) DS Channel at 241750000 Hz...
Scanning (pattern) DS Channel at 235750000 Hz...
Scanning (pattern) DS Channel at 229750000 Hz...
Scanning (pattern) DS Channel at 223750000 Hz...
Scanning (pattern) DS Channel at 217750000 Hz...
Scanning (pattern) DS Channel at 211750000 Hz...
Scanning (pattern) DS Channel at 205750000 Hz...
Scanning (pattern) DS Channel at 199750000 Hz...
Scanning (pattern) DS Channel at 193750000 Hz...
Scanning (pattern) DS Channel at 187750000 Hz...
Scanning (pattern) DS Channel at 181750000 Hz...
Scanning (pattern) DS Channel at 175750000 Hz...
Scanning (pattern) DS Channel at 169750000 Hz...
Scanning (pattern) DS Channel at 163750000 Hz...
Scanning (pattern) DS Channel at 157750000 Hz...
Scanning (pattern) DS Channel at 151750000 Hz...
Scanning DS Channel at 261000000 Hz...(from scan list)
Scanning DS Channel at 273000000 Hz...(from scan list)
Scanning DS Channel at 267000000 Hz...(from scan list)
Scanning DS Channel at 255000000 Hz...(from scan list)
Scanning DS Channel at 249000000 Hz...(from scan list)
Scanning DS Channel at 243000000 Hz...(from scan list)
Scanning DS Channel at 237000000 Hz...(from scan list)
Scanning DS Channel at 231000000 Hz...(from scan list)
Scanning (pattern) DS Channel at 145750000 Hz...
Scanning (pattern) DS Channel at 139750000 Hz...
Scanning (pattern) DS Channel at 133750000 Hz...
Scanning (pattern) DS Channel at 127750000 Hz...
Scanning (pattern) DS Channel at 121750000 Hz...
Scanning (pattern) DS Channel at 115750000 Hz...
Scanning (pattern) DS Channel at 109750000 Hz...
Scanning (pattern) DS Channel at 103750000 Hz...
Scanning (pattern) DS Channel at 97750000 Hz...
Scanning (pattern) DS Channel at 91750000 Hz...
[00:01:23 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::GetNextFrequency: (Scan Downstream Thread) Tried all HRC Downstream Frequencies; will start over doing STD...
[00:01:23 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::FullLoop_RFI_N_03_0086: (Scan Downstream Thread) Default scanning algorithm has been 'round the horn' 2 times.
[00:01:23 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ScanStarting: (Scan Downstream Thread) Scanning STD & HRC Annex B channel plan frequencies
Scanning (pattern) DS Channel at 93000000 Hz...
We have been all the way around the scan list.
Scanning (pattern) DS Channel at 999000000 Hz...
Didn't find energy anywhere, publishing event kEventScanFullLoopNoEnergy!
Resetting EnergyDetected to false.
Scanning (pattern) DS Channel at 993000000 Hz...
Scanning (pattern) DS Channel at 987000000 Hz...
Connecting the coax will immediately disable this telnet port I had opened; it is possible to type commands, but most of them just keep showing the help menu (which has most things compiled out).
Then I tried to get a dump using bcm2dump...
The command I used was:
bcm2dump dump 192.168.1.1,admin,changed flash image1 image.bin
and I get an error similar to (I couldn't find the error, but I did remember the command): telnet: Send failed pipe broken
What does this mean? Any way to stop the log from bombarding me?
Interesting stuff! Thanks for your work!
From the README.md:
If the device's bootloader serial console has been disabled, and you do not have access to the firmware console (either via serial connection, or telnet), there are ways to enable them (coming soon).
Would you mind expanding this a bit, maybe a few pointers? Are you talking about vulnerabilities in web GUIs or are there easier ways?
Problem: the setting arris.nvm.serial_console_enabled true, which was set and written to the non-vol, is retained by the device only until the 2nd reboot. It's saved after the first reboot, but after the 2nd reboot it is reset to the default value: Serial Console Enabled = 0. The other changed settings are saved normally. I guess that this value is additionally preset somewhere in the firmware.
On the TM902S, the 'ARRIS' NonVol group has a section called 'Broadcom CM Vendor Extension Dynamic NonVol Settings', which has a subsection called "ARRIS MFG Block":
ARRIS MFG Block:
Functional revision - 6
MFGID - e3
RF Cal Revision - 2
MSN - 298
ISN - 111539420000111
Product Type - 1204
IP ADDR for CERT - 0.0.0.0
Secure Download - 0
Web Password Checking - 1
WAN Http Access Setting - 0
LAN Http Access Setting - 1
WAN Http Access Setting (LEGACY) - 0
LAN Http Access Setting (LEGACY) - 2
Factory Mode - 0
WDT Enable - 1
Serial Console Enable - 0
Dual Mode Discovered Market - A
Op Mode Enable - 0
Telnet Enable - 1
SSH Enable - 1
Sine Ringing Bitmap - 0
Loop Boost Bitmap - 3
DS Channel Bonding
... ... ...
This block has the entry "Serial Console Enable - 0" that seems to have been preset by the manufacturer as a default. Where is this block located, and how can this value be changed to '1'? This seems to be a different entry, not one that can be changed by 'arris.nvm.serial_console_enabled true'.
Also, bcm2cfg does not seem to recognize the nonvol type (dyn/perm) and the device profile properly.
bcm2cfg info dynnv.bin
dynnv.bin
type : dyn
profile : (unknown)
checksum: 403454b3 (ok)
size : 4561 (ok)
bcm2cfg info permnv.bin
failed to parse group bfc
failed to parse group userif
failed to parse group snmp
failed to parse group arris
permnv.bin
type : dyn
profile : (unknown)
checksum: f78c18c9 (ok)
size : 17134 (ok)
Hi,
I have an EVW32C and want to get shell access to it. How do I do it?
I checked the options of removing the coaxial cable and resetting the router - OK, I can get to the web-based settings, but there is no telnet/ssh/ftp access (ports closed in nmap).
Maybe it is a firmware bug like this one (https://firefart.at/post/upc_ubee_fail/) - create a USB stick with a special label and a .auto file?
I checked the labels "EVW3226" and "EVW32C" - no success...
Can someone check whether this bug is in the EVW32C firmware, or publish a firmware dump from this modem to reverse it?
Hello, I have a Ubee cable modem. Who can provide the SNMP MIB file of the Ubee company?
Thanks
I can't compile the latest v0.9.4 release on Ubuntu.
My system: Ubuntu 16.04.6 LTS
gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)
build=x86_64-linux-gnu
bcm2-utils-master$ make
fatal: Not a git repository (or any of the parent directories): .git
g++ -c -Wall -Wno-sign-compare -g -DVERSION=\"\" -std=c++14 -Wnon-virtual-dtor profile.cc -o profile.o
profile.cc: In static member function ‘static void bcm2dump::profile::parse_opt_override(const string&)’:
profile.cc:599:47: sorry, unimplemented: non-trivial designated initializers not supported
bcm2_typed_val val = { .type = BCM2_TYPE_NIL };
^
Makefile:80: recipe for target 'profile.o' failed
make: *** [profile.o] Error 1
I tried to access the serial interface on a Cisco EPC3010 model: the bootloader is locked, and there's no access to the bootloader menu. Console output just stops printing at some point, and further output is hidden from display.
output:
In that case, the only way is to get a full dump from the flash chip?
Hi !
I'm currently working with a Siligence TCG300. The device bootloader is unlocked, but the CM console is not. I worked out the right profile and have read access to both NAND via NandFlashRead and SPI via SpiFlashRead functions from the bootloader, thanks to the awesome interface definition your tool provides 🔥
./bcm2dump -v info /dev/ttyUSB0,115200
detected profile TCG300(bootloader), version 2.5.0beta8
TCG300: Siligence TCG300-D22F
=============================
pssig 0xd22f
blsig 0x0000
ram 0x00000000 RW
------------------------------------------------------
(no partitions defined)
nvram 0x00000000 - 0x000fffff ( 1 MB) RO
------------------------------------------------------
bootloader 0x00000000 - 0x0000ffff ( 64 KB)
permnv 0x00010000 - 0x0002ffff ( 128 KB)
dynnv 0x000c0000 - 0x000fffff ( 256 KB)
flash 0x00000000 - 0x07ffffff ( 128 MB) RO
------------------------------------------------------
linuxapps 0x00100000 - 0x026fffff ( 38 MB)
image1 0x02700000 - 0x036fffff ( 16 MB)
image2 0x03700000 - 0x046fffff ( 16 MB)
linux 0x04700000 - 0x04efffff ( 8 MB)
linuxkfs 0x04f00000 - 0x06efffff ( 32 MB)
I dumped dynnv from nvram, and modified the serial console settings:
./bcm2cfg get /tmp/dynnv.bin bfc
bfc = {
serial_console_mode = disabled
}
./bcm2cfg set /tmp/dynnv.bin bfc.serial_console_mode 3 /tmp/dynnv.modified.bin
bfc.serial_console_mode = factory
What I would like to do now is write the modified dynnv back to nvram using SpiFlashWrite, but I'm getting the following output from bcm2dump:
./bcm2dump -v write /dev/ttyUSB0,115200 nvram dynnv /tmp/dynnv.modified.bin
error: writing to non-ram address space nvram is dangerous; specify -FF to continue
./bcm2dump -FF -v write /dev/ttyUSB0,115200 nvram dynnv /tmp/dynnv.modified.bin
detected profile TCG300(bootloader), version 2.5.0beta8
error: profile TCG300 does not support fast write mode; use -s flag
./bcm2dump -s -FF -v write /dev/ttyUSB0,115200 nvram dynnv /tmp/dynnv.modified.bin
detected profile TCG300(bootloader), version 2.5.0beta8
error: no such rwx: bootloader,nvram,safe
My understanding is that this feature is something that's planned for bcm2util, given the references to .write and .erase in some profiles (Cisco EPC3008 and TC7200). Do you have some information on the subject? Is it something you're working on?
I haven't looked in the code yet but I'll be happy to assist you in implementing that feature if you'd like.
twg870: Thomson TWG870
======================
pssig 0xa81b
blsig 0x3380
ram 0x80000000 - 0x83ffffff ( 64 MB) RW
------------------------------------------------------
image 0x82f00000 - 0x832dffff ( 3968 KB)
bootloader 0x83f80000 - 0x83f8ffff ( 64 KB)
flash 0x00000000 - 0x007fffff ( 8 MB) RO
------------------------------------------------------
bootloader 0x00000000 - 0x00007fff ( 32 KB)
unknown 0x00008000 - 0x0000ffff ( 32 KB)
permnv 0x00010000 - 0x0001ffff ( 64 KB)
image1 0x00020000 - 0x003fffff ( 3968 KB)
image2 0x00400000 - 0x007dffff ( 3968 KB)
dynnv 0x007e0000 - 0x007effff ( 64 KB)
The following command is not dumping anything:
bcm2dump -P twg870 dump COM6 flash bootloader dump.bin
I have a TC7200.20 running "BOOT Revision 2.4.0 SW Revision STDC.01.30" and cannot "decrypt" the GatewaySettings.bin obtained from the web interface. Reading #7, I gather that I could send it to you so you can provide an educated guess on what's going on with it? :)
The error message is: error: key size out of range
I sent you a message on gitter, containing the download-link of my GatewaySettings.bin.
thx+greets from Lower Austria!
Someone from this thread ( https://forums.whirlpool.net.au/thread/9jwqvxm3 ) dumped the SPI flash of a CM8200B cable modem. I compiled ProgramStore and ran it, but the SPI flash doesn't appear to follow this firmware structure. I believe the beginning of the flash is actually ARM executable code -- probably uboot. I was wondering if this rang any bells for you?
➜ ProgramStore git:(master) ✗ xxd ./CM8200B.bin | head
00000000: 0600 00ea 0900 00ea 0800 00ea 0700 00ea ................
00000010: 0600 00ea 0500 00ea 0400 00ea 0300 00ea ................
00000020: 14d0 9fe5 1302 00eb 1502 00eb d301 00ea ................
00000030: feff ffea 0000 0000 5000 0000 0000 e1ff ........P.......
00000040: a08a 0000 00ff ff00 0011 0000 0000 0700 ................
00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
Computed HCS f0d7
stored checksum 0
Header checksum failed.
Signature: 0600
Control: 00ea
Major Rev: 0900
Minor Rev: 00ea
Build Time: 1974/4/3 10:46:02 Z
File Length: -1585267047258914582 bytes
Load Address: ea000003040000ea
Filename: П�
HCS: 0000
CRC: 80000580000
I have a CM2000 and I'm wondering if there is any way to unlock the bootloader to allow dumping of the flash and enabling the console. I have UART consoles on both CM and RG; the CM seems to allow the boot process to be interrupted, but when pressing P the bootloader menu seems to be quite limited. The RG does not seem to allow interrupting the boot process, and SecureBoot is enabled. I have not managed to decrypt the .bin file that can be exported from the web GUI; I am assuming it is GatewaySettings.bin, but they claim it is for Netgear only.
I would like to decode the settings file GatewaySettings.bin of my TWG870ug router. From reading the description of the project, this should in principle be possible using your bcm2cfg utility.
I tried
./bcm2cfg show -i GatewaySettings.bin
and got (decryption failed) as the answer. I guess that is because there is no profile for my router.
Do you by any chance have the required information to decode the file?
Cheers,
David
Hi,
I'm trying to extract the bootloader and the flash from a Castlenet CBV734EW cable modem equipped with a BCM3381 chip.
I have access to the CM> prompt over serial, but every input (ls, cd, ...) only sends back newlines.
So I tried to go with the bootloader menu to dump data. I reboot the modem, press 'p' on the serial terminal to access the menu, then launch bcm2dump like so:
./bcm2dump -L iolog -P generic -v dump /dev/ttyUSB0,115200 ram 0x81f80000,256k bootloader.bin
The dump fails after a few seconds.
Here's the io log:
iolog.log
Regards, Antoine
Hi! I have a Netgear C6300BD-1TLAUS cable modem - the variant is specific to Telstra, an Australian ISP. I don't have a cable connection - I got it off a friend (who also no longer has cable). I've been using it as a wireless access point. It's based on the BCM3384 chip.
I opened it up and got access to the linux console (which isn't helpful, it turns off during boot) and the eCos console. I don't have the username/password for the eCos console but can use the bootloader menu.
Following the instructions here, the issue from someone with a different BCM3384 router, and some extremely dodgy reverse engineering, I made the attached profile and tried to use the bootloader to dump image2+dhtml from flash, and permnv+dynnv from nvram. They all appeared to work, but only downloaded FFFF etc. from flash and 0000 etc. from NVRAM.
So I rebooted it. It seems my dodgy profile wiped the NVRAM. Whooooops! I took a backup of the web console settings before I messed with it, so I can still use it as a wireless access point. But it's lost its default wireless name - it now defaults to Telstra0000 instead of the correct one. Also it flashes most of the lights constantly - before, it only flashed the cable downstream because I have no cable.
Anyway, I guess I've lost the original NVRAM contents, which is a shame. But I'd still like to download the flash and vennv if I can. Attached are my patch, the bootloader, the boot log (post-NVRAM wipe), the partition info, and the bootloader crash log.
bootloader.bin.gz
bootlog.txt
crash.txt
partitions.txt
c6300bd.patch.txt
Hi,
I tried to run bcm2cfg info on a permnv.bin dump from an EPC3008: bcm2cfg fails to parse a lot of groups.
Also, it labeled the file type as 'dyn' - is that correct in this case? How do I decrypt the configuration data in the permanent non-vol?
$ ./bcm2cfg info permnv.bin
failed to parse group bfc
failed to parse group userif
failed to parse group cmlog
failed to parse group rstl
permnv.bin
type : dyn
profile : (unknown)
checksum: 07818402 (ok)
size : 9925 (ok)
434d4170 CMAp 0.1 bfc 9 b
4d4c6f67 MLog 0.2 userif 60 b
f2a1f61f .... 0.21 halif 194 b
46414354 FACT 0.2 grp_fact 44 b
62706920 bpi. 0.1 bpi 3021 b
d0c20100 .... 0.4 grp_d0c20100 130 b
d0c20300 .... 0.1 grp_d0c20300 44 b
434d4556 CMEV 0.1 cmlog 8 b
736e6d70 snmp 0.4 grp_snmp 1263 b
446e5374 DnSt 2.0 grp_dnst 411 b
55705374 UpSt 0.1 grp_upst 631 b
55705331 UpS1 0.1 grp_ups1 631 b
55705332 UpS2 0.1 grp_ups2 631 b
55705333 UpS3 0.1 grp_ups3 631 b
5070616e Ppan 0.1 grp_ppan 10 b
6d46574c mFWL 0.1 grp_mfwl 8 b
5253544c RSTL 0.1 rstl 8 b
53636965 Scie 0.10 grp_scie 2183 b
Thanks a lot.
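The group table printed by `bcm2cfg info` in the two listings above (magic, printable magic, version, name, size) can be reproduced by walking the file, and doing so shows where a "failed to parse group" stop comes from. The script below is an added example, not bcm2cfg's own code. Its layout is inferred from the listings rather than taken from the project: empty groups such as CMEV and RSTL are 8 bytes, and the group sizes in the permnv listing above sum to the reported file size minus 8, so it assumes each group starts with an 8-byte big-endian header (4-byte magic, one major and one minor version byte, a 16-bit size that includes the header) and that the file starts with an 8-byte header holding the total size and a checksum, in that order. The checksum algorithm is not on this page and is not verified, the group-name table covers only magics seen in this thread, and the sample files are constructed.

```python
"""Added example (not part of bcm2cfg): walk the group table of a Broadcom
non-volatile settings file and print it the way 'bcm2cfg info' does."""
import struct

# Layout assumed from the listings in this thread, not taken from bcm2cfg.
FILE_HDR = struct.Struct(">II")      # total size incl. header, checksum (assumed order)
GROUP_HDR = struct.Struct(">4sBBH")  # magic, major, minor, size incl. this header

# Names for magics seen in this thread; unknown magics get grp_<hex>, as in
# the listing above.
GROUP_NAMES = {
    b"CMAp": "bfc",
    b"MLog": "userif",
    b"CMEV": "cmlog",
    b"RSTL": "rstl",
    b"snmp": "grp_snmp",
}


def magic_ascii(magic: bytes) -> str:
    """Printable form of the magic; non-printable bytes become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in magic)


def group_name(magic: bytes) -> str:
    return GROUP_NAMES.get(magic, "grp_" + magic.hex())


def walk_groups(data: bytes):
    """Return (groups, errors). Parsing stops at the first group header that
    does not fit inside the buffer: a truncated or corrupt size field must
    never make the walker read past the end of the file."""
    groups, errors = [], []
    if len(data) < FILE_HDR.size:
        return groups, ["file shorter than its 8-byte header"]
    declared, _checksum = FILE_HDR.unpack_from(data)
    if declared != len(data):
        errors.append(f"header size {declared} != file size {len(data)}")
    off = FILE_HDR.size
    while off < len(data):
        if off + GROUP_HDR.size > len(data):
            errors.append(f"truncated group header at 0x{off:x}")
            break
        magic, major, minor, size = GROUP_HDR.unpack_from(data, off)
        if size < GROUP_HDR.size or off + size > len(data):
            errors.append(f"group {magic_ascii(magic)} at 0x{off:x} has bad size {size}")
            break
        groups.append({
            "magic": magic.hex(),
            "ascii": magic_ascii(magic),
            "version": f"{major}.{minor}",
            "name": group_name(magic),
            "size": size,
            "payload": data[off + GROUP_HDR.size:off + size],
        })
        off += size
    return groups, errors


def format_listing(groups) -> str:
    """Same column layout as the bcm2cfg info output quoted above."""
    return "\n".join(
        f"{g['magic']} {g['ascii']} {g['version']} {g['name']} {g['size']} b"
        for g in groups)


def build_group(magic: bytes, major: int, minor: int, payload: bytes) -> bytes:
    return GROUP_HDR.pack(magic, major, minor, GROUP_HDR.size + len(payload)) + payload


def build_file(groups, checksum=0) -> bytes:
    body = b"".join(groups)
    return FILE_HDR.pack(FILE_HDR.size + len(body), checksum) + body


# Constructed sample modelled on the permnv listing: bfc with one byte of
# payload (serial_console_mode), two empty groups, and a non-ASCII magic.
SAMPLE = build_file([
    build_group(b"CMAp", 0, 1, b"\x00"),
    build_group(b"CMEV", 0, 1, b""),
    build_group(b"RSTL", 0, 1, b""),
    build_group(b"\xd0\xc2\x01\x00", 0, 4, b"\x00" * 4),
])
# Same file cut short, so the last group's size points past the end.
TRUNCATED = SAMPLE[:-2]

if __name__ == "__main__":
    for blob in (SAMPLE, TRUNCATED):
        groups, errors = walk_groups(blob)
        print(format_listing(groups))
        for err in errors:
            print("error:", err)
```

With the sample file the first line of the listing is `434d4170 CMAp 0.1 bfc 9 b`, the same shape as the output above; the truncated copy yields three groups plus two recorded errors instead of an out-of-bounds read.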
Hi,
Thanks to you (#7), I could dump the firmware of my Netmaster modem. However, in the current firmware they also disabled both telnet and the serial console (CM). I tried to dump image1 or image2 with ttyUSB0, but it failed. It says it needs some function address? I forgot the exact message. I dumped the bootloader via the generic profile (using the address in profiledef.c (0x83f80000, 0x020000)), which took almost an hour.
I checked the source code and it seems that, to dump fast, we need the addresses of the flash read functions. I think the profile you added doesn't have the addresses of those functions. Currently, I can stop the boot process by hitting p and then dump any address by using a generic profile. I disassembled the bootloader but couldn't find anything related to flash read. I think the SPI read function is at 0x83f810e4.
Could you help me identify those functions so we can update our profile?
My current candidates for those functions are:
int FUN_83f80e48(byte *param_1,byte param_2,undefined4 param_3)
int FUN_83f810e4(int param_1,undefined4 param_2,int param_3)
void FUN_83f82064(undefined4 param_1,undefined4 param_2,undefined4 param_3)
undefined4 FUN_83f833c8(int param_1,int param_2,undefined4 param_3)
void FUN_83f83800(undefined4 param_1,int param_2,int param_3)
void FUN_83f839c8(undefined4 param_1,undefined4 param_2,undefined4 param_3)
int FUN_83f85ed0(char *param_1,int param_2,int param_3)
void FUN_83f872c0(undefined4 *param_1,undefined4 param_2,undefined4 param_3)
bool FUN_83f87348(undefined4 *param_1,undefined4 param_2,undefined4 param_3)
undefined4 FUN_83f87390(int param_1,int param_2,int param_3)
int FUN_83f881f8(int param_1,undefined4 param_2,int param_3)
int FUN_83f88444(byte *param_1,byte *param_2,char **param_3)
int FUN_83f8883c(undefined4 param_1,int param_2,int param_3)
void FUN_83f890b0(undefined4 param_1,undefined4 param_2,undefined4 param_3)
undefined4 FUN_83f89168(int *param_1,byte *param_2,int param_3)
undefined * FUN_83f89300(undefined *param_1,uint param_2,uint param_3)
undefined * FUN_83f8944c(undefined *param_1,int param_2,int param_3)
void FUN_83f89580(undefined4 param_1,int param_2,int param_3)
int FUN_83f89934(undefined4 param_1,undefined *param_2,int param_3)
undefined4 FUN_83f8162c(undefined4 param_1,uint param_2,int param_3,uint param_4)
void FUN_83f88b48(undefined4 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4)
void FUN_83f81ae0(uint param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4)
undefined4 FUN_83f858c8(int param_1,int param_2,undefined4 param_3,uint param_4)
I am attaching the bootloader that I dumped
bootloader.bin.zip
I changed some permnv.bin settings (CM DOCSIS NonVol Settings) and used bcm2dump to write permnv back.
Then I rebooted the modem and dumped permnv.bin, then I checked the section data that I had modified in the docsis1 and halif groups; the settings had been saved OK ("CM DOCSIS NonVol Settings").
But when I checked those permnv settings from the CLI interface
CM/Console/system> show nonvol
the output shows the old, unchanged settings: so in fact, it turns out that these settings were not applied.
Where are these permnv settings stored?
If the device's bootloader serial console has been disabled, and you do not have access to the firmware console (either via serial connection, or telnet), there are ways to enable them (coming soon).
I would be interested in getting a shell on TC7200 without using the serial interface. Would you be so kind and share the way to do it? Does it involve exploiting a bug?
Hi jclehner, so I am assuming this is some kind of different router image than the ones previously tried (as I have seen in the bcm2dump repository). So apparently when I try to open the telnet port through the config file, the router reboots 2 times and closes down the port after the second reboot. SSH works fine, but there is no flash command in the system subdirectory. The diag command works fine, but only on the ssh RG_Console. My initial idea is to turn on telnet or ftp somehow to transfer all the filesystem data over, or simply use diag through ssh to read the memory, but I am hitting a wall here and would really appreciate the help. Thank you.
Here's some info that might interest you:
(base) josip@josip-G551JW:~/Downloads$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes128-cbc [email protected]
Broadcom Corporation Embedded BFC SSH Server (c) 2000-2012
WARNING: Access allowed by authorized users only.
[email protected]'s password:
RG_Console> ls
! ? REM call cd
dir find_command help history instances
ls man pwd sleep syntax
system_time usage
----
exit reset set show
switchCpuConsole
----
[eRouter] [ethernet] [ftpLite] [pingHelper] [system] [wifi]
RG_Console> switchCpuConsole
Switching console to CM
Wait 500 ms for the telnet server to start on the other CPU
Switch to the other console completed
CM_Console>
CM_Console> show version
[ASCII-art logo]
Broadcom Corporation Reference Design
+------------------------------------------------------------------------------------------------+
| _/_/ _/_/_/_/ _/_/ |
| _/ _/ _/ _/ _/ Broadband |
| _/ _/ _/ _/ |
| _/_/ _/_/_/ _/ Foundation |
| _/ _/ _/ _/ |
| _/ _/ _/ _/ _/ Classes |
| _/_/_/ _/ _/_/ |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 5.7.1mp4 |
| |
| Features: BCM93384WVG Console TelnetConsole SshConsole Nonvol Fat HeapManager SNMP Networking |
| Features: IPv6 (script bcm93384wvg_GENERIC) LinuxOnTP1 TR69 Switch53134 |
+------------------------------------------------------------------------------------------------+
| Standard Embedded Target Support for BFC |
| |
| Copyright (c) 2003-2020 Broadcom Corporation |
| |
| Revision: 3.0.1 |
| |
| Features: PID=0x1007 BID=0x11 Bootloader-Rev=16.12.1 Bootloader-Compression-Support=0x11 |
| Features: MANUFACT_BITS=0x9 |
| Features: IopLib-Rev=571.14.1 |
+------------------------------------------------------------------------------------------------+
| eCos BFC Application Layer |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 3.0.2 |
| |
| Features: IPv6 Stack Version 1.2.3 |
| Features: eCos Console Cmds, (no Idle Loop Profiler) |
+------------------------------------------------------------------------------------------------+
| _/_/ _/ _/ |
| _/ _/ _/_/ _/_/ DOCSIS Cable Modem |
| _/ _/ _/ _/ |
| _/ _/ _/ |
| _/ _/ _/ |
| _/ _/ _/ _/ |
| _/_/ _/ _/ |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 5.7.1mp4 |
| |
| Features: AckCel(tm) DOCSIS 1.0/1.1/2.0/3.0 Propane(tm) CM SNMP w/Factory MIB Support CM |
| Features: Vendor Extension D3.0 Drop Classifiers FAP EURO Production L2VPN Custom UI ECN's |
| Features: current to CW115 |
+------------------------------------------------------------------------------------------------+
| Broadcom Data-Only CM Vendor Extension |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 3.0.2 |
| |
| Features: DHCP Server HTTP Server OSS2-N-03025 Visualization LED Controller |
+------------------------------------------------------------------------------------------------+
| _/ _/ _/ _/_/ |
| _/ _/ _/ _/ _/ Linux |
| _/ _/ _/ _/ |
| _/ _/ _/ Based |
| _/ _/ _/ _/ _/_/_/ |
| _/ _/ _/ _/ _/ Gateway |
| _/_/_/_/ _/ _/ _/_/_/ |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 2.6.30-1.7.1mp4 |
| |
| Features: /home/allan/Linux/LxG171mp4_wifi/targets/3384TP1/bcm3384TP1 |
| Features: #1 Wed Sep 13 09:21:40 CST 2017 |
| Features: allan@allan-Ubuntu14. |
| Features: gcc version 4.2.3 |
| Features: BUILD OPTIONS: PID=1007 PCTYPE=15 PCIMAGE=bv16_ilbc_faxr LIBOPT=n PROFILE=3384TP1 |
| Features: Applications: DLNA, NAS |
+------------------------------------------------------------------------------------------------+
| _/ _/ _/_/_/ _/ |
| _/_/ _/_/ _/ _/_/ Embedded MTA |
| _/ _/ _/ _/ _/ _/ |
| _/ _/ _/ _/ _/ |
| _/ _/ _/ _/_/__/ CableLabs Certified |
| _/ _/ _/ _/ _/ PacketCable Certified |
| _/ _/ _/ _/ _/ |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 2.8.1006-SIP |
| |
| Features: bcm93384wvg_GENERIC eCos |
| Features: SIP SIP-DQoS PacketCable-v1.5 |
| Features: dspApp3384_bv16_ilbc_faxr-output/apm_linux (LDX app) (LOT1) |
| Features: LDX VERSION: 24.1.1 |
| Features: Logging: All |
| Features: (MTA LIB DATE: Dec 7 2020 08:57:41) |
| Features: Build options: |
| Features: |
+------------------------------------------------------------------------------------------------+
| _/ _/ _/ _/_/ _/_/_/ _/_/_/ _/_/_/ |
| _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ Linux |
| _/ _/ _/_/_/_/ _/_/_/ _/_/_/ _/_/ |
| _/ _/ _/ _/ _/ _/ _/ _/ Apps |
| _/_/_/_/ _/ _/ _/ _/ _/ _/ _/_/_/ |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 1.7.1mp4 |
| |
| Features: /home/allan/Linux/LxG171mp4_wifi/targets/3384TP1/apps.bin |
| Features: Wed Sep 13 09:27:19 CST 2017 |
| Features: root@allan-Ubuntu14 |
| Features: gcc version 4.2.3 |
+------------------------------------------------------------------------------------------------+
| Build Date : Dec 7 2020 |
| Build Time : 08:58:58 (+0800) |
| Build By : albert |
| Build Products : |
| Build Processors: 3384 |
| Build Parameters: num_sids 16 docsis 20 j 4 mtaipv6 1 wombo1 WIFI_4360MCM5_P120 wombo2 |
| Build Parameters: WIFI_43217 c 45 pid 1007 imagename EVW32C_VIPNET_2.8.1006-SIP outputdir |
| Build Parameters: GENERIC |
| Build Targets : |
| Image Path : /sg3tb/home/albert/Project/EVW32C/A1/ubee571mp2/570mp1_pc15/rbb_cm_src/CmDoc |
| Image Path : sisSystem/ecos/GENERIC |
| Image Name : EVW32C_VIPNET_2.8.1006-SIP_sto.bin |
| Build Command : bcm93384wvg_GENERIC eu sip sipdqos nodect linux_on_tp1 nolinux_on_pmc j 4 eu |
| Build Command : cmvendor emta power litepower nodect nobattery nobattery_fdhdwr vin12v |
| Build Command : erouter ipv6 mtaipv6 1 nandflash spiflash eps novlan |
| Build Command : noestb_ecm_vlan_connection bcm80211n dual_band_80211n wombo1 |
| Build Command : WIFI_4360MCM5_P120 wombo2 WIFI_43217 managedswitch noswitch53124 |
| Build Command : nointernalusb nousb20 telnet openssh c 45 fap_assist nat_hwaccel |
| Build Command : linux_partitions nolinux_on_pmc dualflash nolinux_on_zephyr linux_on_tp1 nas |
| Build Command : mediaserver monolith turbo_wifi mid_split tr69 homehotspot l2ogre dslite |
| Build Command : spectrum_analyzer wifi_spectrum_analyzer vpn legacy_parent grelegacymib |
| Build Command : grehomehotspot pppoe pid 1007 imagename EVW32C_VIPNET_2.8.1006-SIP outputdir |
| Build Command : GENERIC noslim |
| Build Options : amdflash cfiflash cmd_help_text nocomcast_video_caching demangle deps |
| Build Options : dualbuild nodynwebpage factorymibs noheapboundscheck noheapleakdebug http |
| Build Options : intelflash mgmtmibs nocmapp_port_forward nobcm80211n_debug nobonded |
| Build Options : nocpeportfilter nodasm nodiag nodtp_test nosingleconsole nodualeth noedva |
| Build Options : noextendedugs noflashserver noflashclient nofn_profile nofonhotspot nofpm |
| Build Options : nohnap nohttpssl noipsv noitc noiptv nowasu nojedecflash nol2tpv2 nol2tpv3 |
| Build Options : nolinux_watchdog nolinux_erouter nomap nomultiprocmon nonandboot nootp |
| Build Options : noperfmonitor nopiggyback pktc nopmip nopopup nopptp nortrproxy |
| Build Options : noserialportoff noshow nosigtls nosipdbg nosipipv6 nosmp nosnmpproxy |
| Build Options : nosnoopdebug nosplitbootblock nosiliconverify nostress_test nosuperslim |
| Build Options : notftp_server nousbhost nodualusbhost nouda nousg_web_pages noutp_test |
| Build Options : novendorhttps useformregistrar nowifihotspot nowifimfg noclwifi nodual_lna |
| Build Options : openssl quiet nounified warn_error noethwan nopcielowpwr usmac_diag noupnpc |
| Build Options : noswitchport_1_4 nozephyr_console_uart0 nomoca nomoca20 msc noaprouter |
| Build Options : noautodetect_tuner2 noautodetect_tuner4 nodocsis20snmp noemtasim noietf |
| Build Options : nomixed_annex nono_cmts_d3_partial_svc nooms pcie nosingle_ds nosled us |
| Build Options : nobpi_helper_on_fap noxml_doc nocmtr69 noedge_device noecm normagnum nodsg |
| Build Options : norswdload noip_rnvol noestb_config nooob noprereg_sets nocdl20 nodsg30 |
| Build Options : noecm_clcerts nopcieep nob2b_rgmii nodavic noext_ephy nohost_bridge |
| Build Options : nodavic_api nog8davic_api noseb nocustom_vendor_dir use_unimac0 |
| Build Options : nostb_owns_eth2 nodnac nostb_has_lan noecmestbsockif nocablecard_ipproxy |
| Build Options : nostb_pcie_vlan noexplicit_vlan nolgi_dawn nostb_on_eth2 nolow_gw |
| Build Options : nostb_include_sidecar d30 noejtag smisb fpm512 newleds cacheopt avs l2vpn |
| Build Options : sip sipdqos eu cmvendor emta power litepower nodect nobattery |
| Build Options : nobattery_fdhdwr vin12v erouter ipv6 nandflash spiflash eps novlan |
| Build Options : noestb_ecm_vlan_connection bcm80211n dual_band_80211n managedswitch |
| Build Options : noswitch53124 nointernalusb nousb20 telnet openssh fap_assist nat_hwaccel |
| Build Options : linux_partitions nolinux_on_pmc dualflash nolinux_on_zephyr linux_on_tp1 nas |
| Build Options : mediaserver monolith turbo_wifi mid_split tr69 homehotspot l2ogre dslite |
| Build Options : spectrum_analyzer wifi_spectrum_analyzer vpn legacy_parent grelegacymib |
| Build Options : grehomehotspot pppoe noslim |
+------------------------------------------------------------------------------------------------+
CM_Console>
And here is me trying to dump the firmware in between reboots, even though I know it might take a few hours (whilst the time between reboots is 2 minutes tops):
(base) josip@josip-G551JW:~$ bcm2dump -vv dump 192.168.0.1,ubee,ubee flash image1 image1.bin
bcm2dump v0.9.4-115-gb70bb4b
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
adjusting dump params: 0x81083440,29 -> 0x81083440,32
adjusting dump params: 0x812df0e5,24 -> 0x812df0e4,32
adjusting dump params: 0x83f8f188,10 -> 0x83f8f188,16
adjusting dump params: 0x814e8eac,10 -> 0x814e8eac,16
adjusting dump params: 0x814e953c,10 -> 0x814e953c,16
adjusting dump params: 0x83f8e618,14 -> 0x83f8e618,16
adjusting dump params: 0x85f00014,6 -> 0x85f00014,16
su password is 'ubeecable'
detected profile evw32c(bfc)
reinitializing flash driver
error: failed to open partition image1
context:
<== '/flash/close'
==> (empty)
==> ''flash' is not a valid command table.'
==> (empty)
==> 'Type 'help' for information about valid commands and tables.'
==> (empty)
==> 'RG> [debug][second] create time change to 1623363626'
<== '/flash/deinit'
==> 'RG> /flash/close'
==> (empty)
==> ''flash' is not a valid command table.'
==> (empty)
==> 'Type 'help' for information about valid commands and tables.'
==> (empty)
==> 'RG>'
==> 'RG> /flash/deinit'
==> (empty)
==> ''flash' is not a valid command table.'
==> (empty)
==> 'Type 'help' for information about valid commands and tables.'
==> (empty)
==> 'RG>'
<== '/flash/init'
==> 'RG> /flash/init'
==> (empty)
==> ''flash' is not a valid command table.'
==> (empty)
==> 'Type 'help' for information about valid commands and tables.'
==> (empty)
==> 'RG> Lease with clientId: htype=0, value=0c b9 37 19 eb c6 Ip address: 192.168.0.10 has been offered to client!'
<== '/flash/open image1'
==> (empty)
==> '[debug][second] create time change to 1623363627'
==> 'RG> /flash/open image1'
<== '/flash/close'
==> (empty)
==> ''flash' is not a valid command table.'
==> (empty)
==> 'Type 'help' for information about valid commands and tables.'
==> (empty)
==> 'RG>'
==> 'RG> /flash/close'
==> (empty)
==> ''flash' is not a valid command table.'
==> (empty)
==> 'Type 'help' for information about valid commands and tables.'
==> (empty)
==> 'RG>'
<== '/exit'
==> 'RG> /exit'
Hello! Hope you're doing well. Incredible project! I spent all day trying to figure out how to do this manually, and then stumbled across this.
I've already got my serial console working with an Arduino on /dev/ttyACM0 and I get the error
error: serial: interface auto-detection failed
Here are the commands I tried:
sudo ./bcm2dump -P generic dump /dev/ttyACM0,115200 flash image2 image.bin
sudo ./bcm2dump -P tc7200 dump /dev/ttyACM0,115200 flash image2 image.bin
I figured I would also try the TC7200 profile because it could be close enough.
I saw that you were asking for verbose logs in another thread:
sudo ./bcm2dump -vv -P tc7200 dump /dev/ttyACM0,115200 flash image2 image.bin
error: serial: interface auto-detection failed
context:
<== ''
<== ''
==> 'CMM'
Any ideas?
Hello, first of all: nice project!
Now for the business: I am trying to use the tools to parse the GatewaySettings.bin. My router is a Sagemcom F@ST 3686, a version modded by a local ISP. The output filename of the backup file is actually "backupsettings.conf", if that matters.
Attempted to use bcm2cfg and got this output:
type : gwsettings
profile : (unknown)
checksum: 0000f5ed196f765742431a7a92a5f91d
size : (unknown)
key : (unknown)
I'm guessing the firmware modification included encrypting the GatewaySettings somehow; however, I was not able to get my hands on the firmware of the router to dig further into this...
The steps I have taken:
I would really like any suggestions on how to overcome this gateway device and gain access to the Linux shell.
I have a FAST3890 firmware.
[redacted]
Is there any way to see the telnet "SU" password?
I appreciate your help.
I'm having the same problem mentioned in Issue 7, so I tried to compile the master branch using MSYS2 - http://www.msys2.org/
I also tried 32-bit but got the same errors, just with slightly different function names.
make
g++ -c -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" -std=c++14 -Wnon-virtual-dtor io.cc -o io.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" -std=c++14 -Wnon-virtual-dtor rwx.cc -o rwx.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" -std=c++14 -Wnon-virtual-dtor interface.cc -o interface.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" -std=c++14 -Wnon-virtual-dtor ps.cc -o ps.o
g++ -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" -std=c++14 -Wnon-virtual-dtor -c -o bcm2dump.o bcm2dump.cc
g++ -c -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" -std=c++14 -Wnon-virtual-dtor util.cc -o util.o
cc -c -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" progress.c -o progress.o
cc -c -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" mipsasm.c -o mipsasm.o
g++ -c -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" -std=c++14 -Wnon-virtual-dtor profile.cc -o profile.o
cc -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" -c -o profiledef.o profiledef.c
g++ -Wall -Wno-sign-compare -g -DVERSION="v0.9.2-31-gb6ce13c" -std=c++14 -Wnon-virtual-dtor io.o rwx.o interface.o ps.o bcm2dump.o util.o progress.o mipsasm.o profile.o profiledef.o -o bcm2dump
io.o:D:\bcm2-utils/io.cc:84: undefined reference to `__imp_ioctlsocket'
io.o:D:\bcm2-utils/io.cc:96: undefined reference to `__imp_ioctlsocket'
io.o: In function `recv_dontwait':
D:\bcm2-utils/io.cc:108: undefined reference to `__imp_recv'
io.o: In function `send_nosignal':
D:\bcm2-utils/io.cc:116: undefined reference to `__imp_send'
io.o: In function `connect_nonblock':
D:\bcm2-utils/io.cc:163: undefined reference to `__imp_connect'
io.o: In function `set_port':
D:\bcm2-utils/io.cc:170: undefined reference to `__imp_htons'
D:\bcm2-utils/io.cc:172: undefined reference to `__imp_htons'
io.o: In function `addr_to_string':
D:\bcm2-utils/io.cc:182: undefined reference to `__imp_inet_ntop'
D:\bcm2-utils/io.cc:184: undefined reference to `__imp_inet_ntop'
io.o: In function `pending':
D:\bcm2-utils/io.cc:320: undefined reference to `__imp_select'
D:\bcm2-utils/io.cc:327: undefined reference to `__imp_WSAGetLastError'
io.o:D:\bcm2-utils/io.cc:534: undefined reference to `__imp_getaddrinfo'
io.o:D:\bcm2-utils/io.cc:547: undefined reference to `__imp_WSAGetLastError'
io.o:D:\bcm2-utils/io.cc:557: undefined reference to `__imp_socket'
io.o:D:\bcm2-utils/io.cc:568: undefined reference to `__imp_WSAGetLastError'
io.o:D:\bcm2-utils/io.cc:576: undefined reference to `__imp_WSAGetLastError'
io.o:D:\bcm2-utils/io.cc:582: undefined reference to `__imp_freeaddrinfo'
io.o: In function `read':
D:\bcm2-utils/io.cc:612: undefined reference to `__imp_recv'
rwx.o: In function `unsigned int bcm2dump::ntoh(unsigned int const&)':
D:\bcm2-utils/util.h:219: undefined reference to `__imp_ntohl'
rwx.o: In function `unsigned int bcm2dump::hton(unsigned int const&)':
D:\bcm2-utils/util.h:219: undefined reference to `__imp_htonl'
ps.o: In function `unsigned short bcm2dump::ntoh(unsigned short const&)':
D:\bcm2-utils/util.h:217: undefined reference to `__imp_ntohs'
bcm2dump.o: In function `do_main(int, char**)':
D:\bcm2-utils/bcm2dump.cc:401: undefined reference to `__imp_WSAStartup'
D:\bcm2-utils/bcm2dump.cc:402: undefined reference to `__imp_WSAGetLastError'
mipsasm.o: In function `mipsasm_resolve_labels':
D:\bcm2-utils/mipsasm.c:46: undefined reference to `__imp_ntohl'
D:\bcm2-utils/mipsasm.c:73: undefined reference to `__imp_ntohl'
D:\bcm2-utils/mipsasm.c:116: undefined reference to `__imp_htonl'
collect2.exe: error: ld returned 1 exit status
mingw32-make: *** [Makefile:51: bcm2dump] Error 1
Tried to install win32api, tried to include wsock32 and ws2_32, same errors.
Clean-installed environment - the same.
In rwcode2.c, I saw the comment about using a 5th argument. From what I've seen on the BCM3383 at least, it seems to use EABI, which uses t0-t3 for extra args; that is how everything in the bootloader and eCos is on my device. I tried n32 also but was getting bad instructions. I've had the best results with -march=mips32 and -mabi=eabi.
I have a repo on my profile with some of my RE stuff if you're interested.
Hi,
I am trying to decrypt my modem's GatewaySettings.bin file. I tried different profiles but it doesn't seem to work. When I check the file with a hex editor, I see B2 3E AD 05 34 75 2B 6F over and over again. So I think maybe this file is using a static XOR key. How can I test my theory? I don't have access to the firmware. I hope maybe this file has the username and password for telnet so that I can dump the firmware.
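One way to test the static-key theory, as an added example (not bcm2-utils code; the settings blob it works on is constructed here, not a real GatewaySettings.bin): a repeating XOR key leaves itself in the file wherever the plaintext is zero padding, so the most frequent period-aligned window is the candidate key, and the decoded result can be judged by how much readable text appears. Period 1 covers the single-byte XOR 0x80 case seen on other Sagemcom models on this page.

```python
"""Test the 'static repeating XOR key' hypothesis on a settings dump."""
from collections import Counter

# Bytes that look like settings text: printable ASCII, NUL padding, tab/LF/CR.
PLAUSIBLE = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}

# Constructed sample key: the byte sequence the reporter saw repeating.
SAMPLE_KEY = bytes.fromhex("B2 3E AD 05 34 75 2B 6F")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with key repeated from offset 0 (XOR is its own inverse)."""
    n = len(key)
    return bytes(b ^ key[i % n] for i, b in enumerate(data))


def recover_key(data: bytes, period: int) -> bytes:
    """Most frequent window at offsets that are multiples of `period`.

    Over zero padding the ciphertext equals the key, so when padding dominates
    the file this window is the key.  If the obfuscation did not start at a
    multiple of `period`, a rotation of the key comes back instead; applying a
    rotated key from offset 0 decodes identically, so no phase search is needed.
    """
    if period < 1 or len(data) < period:
        raise ValueError("period must be >= 1 and no longer than the data")
    windows = Counter(data[i:i + period]
                      for i in range(0, len(data) - period + 1, period))
    return windows.most_common(1)[0][0]


def plausible_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or NUL padding."""
    return sum(b in PLAUSIBLE for b in data) / len(data)


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes (like `strings`)."""
    found, run = [], bytearray()
    for b in data + b"\x00":          # trailing sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    return found


def check_xor_hypothesis(data: bytes, period: int) -> dict:
    """Recover a candidate key, decode, and report the evidence for/against."""
    key = recover_key(data, period)
    decoded = xor_repeating(data, key)
    before, after = plausible_ratio(data), plausible_ratio(decoded)
    return {
        "key": key.hex(),
        "plausible_before": before,
        "plausible_after": after,
        # Decoding should make the file look much more like text than before.
        "supported": after >= 0.95 and after - before >= 0.2,
        "strings": ascii_strings(decoded),
    }


def build_sample() -> bytes:
    """Constructed stand-in for an obfuscated settings file (NOT a real dump).

    Length-prefixed strings mimic the gwsettings layout seen in bcm2cfg output;
    the zero runs stand for the padding that leaks the key.
    """
    plain = (b"\x00" * 16
             + b"MLog" + b"\x00\x05"
             + b"\x00\x06admin\x00"
             + b"\x00\x0apassw0rd!\x00"
             + b"\x00" * 120
             + b"\x00\x07telnet\x00"
             + b"\x00" * 40)
    return xor_repeating(plain, SAMPLE_KEY)


if __name__ == "__main__":
    for name, value in check_xor_hypothesis(build_sample(), period=8).items():
        print(f"{name:16} {value}")
```

On a real file, feed the whole dump and the period you observe in the hex editor; a "supported" verdict with recognisable strings in the output is the evidence, a key of all zeros or no strings means the theory is wrong for that file.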
Please add DOCSIS group (grp_d0c20100) in bcm2cfg for permanent non-vol (permnv.bin) settings for cisco EPC3008 modem. Currently this group is not recognized and non-parsable in both permanent and dynamic nonvol.
./bcm2cfg -f dyn get permnv.bin grp_d0c20100
failed to parse group bfc
failed to parse group userif
failed to parse group cmlog
failed to parse group snmp
failed to parse group rstl
failed to parse group sa
grp_d0c20100 = {
}
Hello.
I'm looking for proper kernel, app and rootfs images for the TC7200. When I was trying to flash a new image I put the firmware in the wrong place. Now the device is working, but Linux is not. I tried to compile it myself from the source TC72XX_LxG1.0.10mp5_OpenSrc, but the code seems to be obsolete and I get lots of errors all the time. If you have these files, could you put them somewhere please?
I'm trying to find the login for my router, but with bcm2cfg get GatewaySettings.bin I only found this:
http_pass = "admin"
http_realm = "Technicolor"
I tested the login but it didn't work.
What could the http_realm be? I didn't find an http_user like in your example.
I'm just trying to find the admin login.
My router is FAST3686v2. I'm trying with the coax cable removed, just LAN1 connected to the PC (linux-host).
I logged in to the WWW-GUI and downloaded GatewaySettings.bin
As stated, GatewaySettings.bin from this router is obfuscated with XOR 0x80.
Using bcm2cfg I found:
remote_acc_user = Admin
_unk_1 = { [hex-dump of password]
-> Username and password for telnet (which is open by default).
Now I can access telnet 192.168.100.1
CM_Console> su
Password: () [] $agem001
Proceed with caution!
Type 'exit' to return.
CM> /docsis_ctl/scan_stop
exit #back to normal user
show version
[Broadcom ASCII-art logo]
Broadcom Corporation Reference Design
+------------------------------------------------------------------------------------------------+
| _/_/ _/_/_/_/ _/_/ |
| _/ _/ _/ _/ _/ Broadband |
| _/ _/ _/ _/ |
| _/_/ _/_/_/ _/ Foundation |
| _/ _/ _/ _/ |
| _/ _/ _/ _/ _/ Classes |
| _/_/_/ _/ _/_/ |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 5.7.1mp3 |
| |
| Features: BCM93384WVG Console TelnetConsole SshConsole Nonvol Fat HeapManager SNMP Networking |
| Features: IPv6 (script bcm93384wvg) LinuxOnTP1 TR69 Switch53124 |
+------------------------------------------------------------------------------------------------+
| Standard Embedded Target Support for BFC |
| |
| Copyright (c) 2003-2020 Broadcom Corporation |
| |
| Revision: 3.0.1 |
| |
| Features: PID=0xd06e BID=0x0 Bootloader-Rev=2.5.0beta8 Bootloader-Compression-Support=0x11 |
| Features: MANUFACT_BITS=0x9 |
| Features: Dual-band Wifi Bcm80211=Build Apr 24 2020 16:56:57 |
| Features: App Ver 7.14.89.22.571.258.15 |
| Features: Wl Ver 7.14.89.22.571.258.15 |
| Features: IopLib-Rev=571.14.0 |
+------------------------------------------------------------------------------------------------+
| eCos BFC Application Layer |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 3.0.2 |
| |
| Features: IPv6 Stack Version 1.2.3 |
| Features: eCos Console Cmds, (no Idle Loop Profiler) |
+------------------------------------------------------------------------------------------------+
| _/_/_/ |
| _/_/ _/ _/ eRouter Dual Stack |
| _/ _/ _/ _/ |
| _/_/_/_/ _/_/_/ |
| _/ _/ _/ |
| _/ _/ _/ |
| _/_/_/ _/ _/ |
| |
| Copyright (c) 1999 - 2015 Broadcom Corporation |
| |
| Revision: 5.7.1mp3 |
| |
| Features: eRouter SNMP Customer Extension NATP DS-Lite L2oGRE HomeHotspot |
+------------------------------------------------------------------------------------------------+
| Broadcom eRouter Customer Extension |
| |
| Copyright (c) 1999 - 2020 Broadcom Corporation |
| |
| Revision: 3.0.2 |
| |
| Features: () |
+------------------------------------------------------------------------------------------------+
| Build Date : Apr 29 2020 |
| Build Time : 17:03:54 (+0800) |
| Build By : jenkins |
| Build Svn Revision: 21507 |
| Build Command Line: bcm93384wvg ssc eu nodect sagemcom_modification_on dna linux_on_tp1 nolinux_on_pmc nofxs_web_setting j 8 nohttpssl dslite tr69 xml_doc nolinux_on_pmc l2tpv2 pptp l2ogre httpupgrade mediaserver nobattery power vpn perfmonitor legacy_parent switch53124 l2vpn bcm80211n monolith homehotspot grelegacymib nolinux_on_zephyr linux_on_tp1 linux_partitions dual_band_80211n wombo1 WIFI_4360_5G_HP_P453 wombo2 WIFI_4360MC2_P103 nandflash nodualeth noethwan pppoe nodect mid_split uda nolegacy_parent noemta nohttpssl bfc_upgrade dualeth ethwan domos pid d06e imagename FAST3686_DNA_3.490.0-T3-20200429
| Build Products : |
| Build Processors: 3384 |
| Build Parameters: num_sids 16 docsis 20 c 45 j 8 wombo1 WIFI_4360_5G_HP_P453 wombo2 |
| Build Parameters: WIFI_4360MC2_P103 pid d06e imagename FAST3686_DNA_3.490.0-T3-20200429 |
| Build Targets : |
| Image Path : /home/jenkins/workspace/TRUNK_5.7.1mp3_Maintenance_FAST3686V2_DNA/ProdD30PC1 |
| Image Path : 5_BFC5.7.1_CxC5.7.1.15_RG/rbb_cm_src/CmDocsisSystem/ecos/bcm93384wvg_eu_ipv6 |
| Image Name : FAST3686_DNA_3.490.0-T3-20200429.bin |
| Build Command : bcm93384wvg ssc eu nodect sagemcom_modification_on dna linux_on_tp1 |
| Build Command : nolinux_on_pmc nofxs_web_setting j 8 nohttpssl dslite tr69 xml_doc |
| Build Command : nolinux_on_pmc l2tpv2 pptp l2ogre httpupgrade mediaserver nobattery power |
| Build Command : vpn perfmonitor legacy_parent switch53124 l2vpn bcm80211n monolith |
| Build Command : homehotspot grelegacymib nolinux_on_zephyr linux_on_tp1 linux_partitions |
| Build Command : dual_band_80211n wombo1 WIFI_4360_5G_HP_P453 wombo2 WIFI_4360MC2_P103 |
| Build Command : nandflash nodualeth noethwan pppoe nodect mid_split uda nolegacy_parent |
| Build Command : noemta nohttpssl bfc_upgrade dualeth ethwan domos pid d06e imagename |
| Build Command : FAST3686_DNA_3.490.0-T3-20200429 |
| Build Options : nodhcp_passthrough noethSocketToStb nosagem_stb_support |
| Build Options : nosagemcom_dgci362_support notr069_http_upgrade nopotd amdflash cfiflash |
| Build Options : cmd_help_text nocomcast_video_caching demangle deps dualbuild nodynwebpage |
| Build Options : factorymibs noheapboundscheck noheapleakdebug http intelflash mgmtmibs |
| Build Options : nocmapp_port_forward nobcm80211n_debug nobonded nocpeportfilter nodasm |
| Build Options : nodiag nodtp_test nosingleconsole noedva noextendedugs noflashserver |
| Build Options : noflashclient nofn_profile nofonhotspot nofpm nogrehomehotspot nohnap |
| Build Options : nointernalusb noipsv noitc noiptv nowasu nojedecflash nol2tpv3 |
| Build Options : nolinux_watchdog nolinux_erouter nolitepower nomap nomultiprocmon nonandboot |
| Build Options : nootp nopiggyback pktc nopmip nopopup nortrproxy noserialportoff noshow |
| Build Options : nosigtls nosip nosipdbg nosipdqos nosipipv6 noslim nosmp nosnmpproxy |
| Build Options : nosnoopdebug nosplitbootblock nosiliconverify nostress_test nosuperslim |
| Build Options : notftp_server nousbhost nodualusbhost nousg_web_pages noutp_test |
| Build Options : novendorhttps useformregistrar nowifihotspot nowifimfg noclwifi nodual_lna |
| Build Options : quiet nounified warn_error nopcielowpwr usmac_diag noupnpc noswitchport_1_4 |
| Build Options : nozephyr_console_uart0 nosagemcom_https_filter nopppoeiaagent nodhcpiaagent |
| Build Options : nomoca nomoca20 msc noaprouter noautodetect_tuner2 noautodetect_tuner4 |
| Build Options : nodocsis20snmp noemtasim noietf nomixed_annex nono_cmts_d3_partial_svc nooms |
| Build Options : pcie nosingle_ds nosled us nobpi_helper_on_fap nocmtr69 noedge_device noecm |
| Build Options : normagnum nodsg norswdload noip_rnvol noestb_config nooob noprereg_sets |
| Build Options : nocdl20 nodsg30 noecm_clcerts nopcieep nob2b_rgmii nodavic noext_ephy |
| Build Options : nohost_bridge nodavic_api nog8davic_api noseb nocustom_vendor_dir |
| Build Options : use_unimac0 nostb_owns_eth2 nodnac nostb_has_lan noecmestbsockif |
| Build Options : nocablecard_ipproxy nostb_pcie_vlan noexplicit_vlan nolgi_dawn |
| Build Options : noestb_ecm_vlan_connection nostb_on_eth2 nolow_gw nostb_include_sidecar d30 |
| Build Options : noejtag smisb spectrum_analyzer fpm512 newleds cacheopt dualflash avs |
| Build Options : wifi_spectrum_analyzer cmvendor battery_fdhdwr vin12v erouter ipv6 spiflash |
| Build Options : eps novlan managedswitch nousb20 fap_assist nat_hwaccel nas turbo_wifi |
| Build Options : openssl openssh telnet eu sagemcom_modification_on nofxs_web_setting dslite |
| Build Options : tr69 xml_doc nolinux_on_pmc l2tpv2 pptp l2ogre httpupgrade mediaserver |
| Build Options : nobattery power vpn perfmonitor switch53124 l2vpn bcm80211n monolith |
| Build Options : homehotspot grelegacymib nolinux_on_zephyr linux_on_tp1 linux_partitions |
| Build Options : dual_band_80211n nandflash pppoe nodect mid_split uda nolegacy_parent noemta |
| Build Options : nohttpssl bfc_upgrade dualeth ethwan domos |
+------------------------------------------------------------------------------------------------+
CM_Console> system/show flash
Flash Device Information:
CFI Compliant: no
Command Set: Generic SPI Flash
Device/Bus Width: x16
Little Word Endian: no
Fast Bulk Erase: no
Multibyte Write: 256 bytes max
Phys base address: 0xbadf1a5
Uncached Virt addr: 0x1badf1a5
Cached Virt addr: 0x2badf1a5
Number of blocks: 64
Total size: 4194304 bytes, 4 Mbytes
Current mode: Read Array
Device Size: 4 MB, Write buffer: 256, Flags: 0
Size Device Device Region
Block kB Address Offset Offset Region Allocation
----- ---- ---------- ----------- --------- -----------------
0 64 0x1badf1a5 0 0 bootloader (65536 bytes)
1 64 0x1baef1a5 0x10000 0 permnv
2 64 0x1baff1a5 0x20000 0x10000 permnv (131072 bytes)
3 64 0x1bb0f1a5 0x30000 ??? {unassigned}
59 64 0x1be8f1a5 0x3b0000 ??? {unassigned}
60 64 0x1be9f1a5 0x3c0000 0 dynnv
63 64 0x1becf1a5 0x3f0000 0x30000 dynnv (262144 bytes)
Flash Device Information:
CFI Compliant: no
Command Set: Generic NAND Flash
Device/Bus Width: x16
Little Word Endian: no
Fast Bulk Erase: no
Multibyte Write: 512 bytes max
Phys base address: 0xbadf1a5
Uncached Virt addr: 0x1badf1a5
Cached Virt addr: 0x2badf1a5
Number of blocks: 1024
Total size: 134217728 bytes, 128 Mbytes
Current mode: Read Array
Device Size: 128MB, Block size: 128KB, Page size: 2048
Size Device Device Region
Block kB Address Offset Offset Region Allocation
----- ---- ---------- ----------- --------- -----------------
0 128 0x1badf1a5 0 0 linuxapps
609 128 0x206ff1a5 0x4c20000 0x4c20000 linuxapps (79953920 bytes)
610 128 0x2071f1a5 0x4c40000 0 image1
717 128 0x2147f1a5 0x59a0000 0xd60000 image1 (14155776 bytes)
718 128 0x2149f1a5 0x59c0000 0 image2
825 128 0x221ff1a5 0x6720000 0xd60000 image2 (14155776 bytes)
826 128 0x2221f1a5 0x6740000 0 linux
861 128 0x2267f1a5 0x6ba0000 0x460000 linux (4718592 bytes)
862 128 0x2269f1a5 0x6bc0000 0 linuxkfs
1005 128 0x2387f1a5 0x7da0000 0x11e0000 linuxkfs (18874368 bytes)
1006 128 0x2389f1a5 0x7dc0000 0 dhtml
1023 128 0x23abf1a5 0x7fe0000 0x220000 dhtml (2359296 bytes)
CM_Console> su
Password: () [] $agem001
Proceed with caution!
Type 'exit' to return.
CM> /flash/help open
COMMAND: open
USAGE: open bootloader|image1|image2|image3|image3e|perm|dhtml|dyn
DESCRIPTION:
Opens the flash driver for use by the console (locking out the rest of the
application!) so that you can use the read/write/erase commands. NOTE: If
you do something that would cause the driver to be opened again (write
nonvol, dload an image, etc), then the operation will be blocked until you
run the close command, or it may fail.
EXAMPLES:
open image2 -- Opens the image2 region for read/write/erase
exit #back to the user-mode
exit #quit telnet
'help open' shows router has these regions: bootloader|image1|image2|image3|image3e|perm|dhtml|dyn
'show flash' shows these: bootloader,permnv,dynnv,linuxapps,image1,image2,linux,linuxkfs,dhtml
Checked that bcm2dump works and can use su account:
./bcm2dump run -P fast3686 -vv 192.168.100.1,Admin,PASSWORD ls
bcm2dump v0.9.4-30-gb8610dc
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
ls
! ? REM call cd
dir find_command help history instances
ls man pwd sleep syntax
system_time usage
----
con_high cpuLoad cpuUtilization exit mbufShow
memShow mutex_debug ping read_memory reset
routeShow run_app shell socket_debug stackShow
taskDelete taskInfo taskPrioritySet taskResume taskShow
taskSuspend taskSuspendAll taskTrace usfsShow version
write_memory zone
----
[CmRgMsgPipe] [HeapManager] [HostDqm] [avs] [cm_hal] [docsis_ctl] [dtp]
[embedded_target] [event_log] [fam] [flash] [forwarder] [ftpLite] [ip_hal]
[itc_hal] [msgLog] [non-vol] [pingHelper] [power] [snmp] [snoop]
[spectrum_analyzer]
CM>
Trying to dump
./bcm2dump dump -vvv -P fast3686 192.168.100.1,Admin,PASSWORD flash image1,auto image1.bin
bcm2dump v0.9.4-30-gb8610dc
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () []'
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM>'
adjusting dump params: 0x04c40000,92 -> 0x04c40000,96
<== '/flash/open image1'
==> ''
==> (empty)
==> 'Opening the flash driver...'
==> 'Flash driver opened.'
==> (empty)
==> 'CM>'
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05 00 03 00 00 5e a9 42 fa 00 52 e5 75'
==> '80 00 40 00 46 41 53 54 33 36 38 36 5f 44 4e 41'
==> '5f 33 2e 34 39 30 2e 30 2d 54 33 2d 32 30 32 30'
==> '30 34 32 39 2e 62 69 6e 00 00 00 00 00 00 00 00'
==> '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
==> '00 00 00 00 48 df 00 00 3c c2 31 80 5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'
read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05 00 03 00 00 5e a9 42 fa 00 52 e5 75'
==> '80 00 40 00 46 41 53 54 33 36 38 36 5f 44 4e 41'
==> '5f 33 2e 34 39 30 2e 30 2d 54 33 2d 32 30 32 30'
==> '30 34 32 39 2e 62 69 6e 00 00 00 00 00 00 00 00'
==> '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
==> '00 00 00 00 48 df 00 00 3c c2 31 80 5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'
read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05 00 03 00 00 5e a9 42 fa 00 52 e5 75'
==> '80 00 40 00 46 41 53 54 33 36 38 36 5f 44 4e 41'
==> '5f 33 2e 34 39 30 2e 30 2d 54 33 2d 32 30 32 30'
==> '30 34 32 39 2e 62 69 6e 00 00 00 00 00 00 00 00'
==> '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
==> '00 00 00 00 48 df 00 00 3c c2 31 80 5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'
read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05 00 03 00 00 5e a9 42 fa 00 52 e5 75'
==> '80 00 40 00 46 41 53 54 33 36 38 36 5f 44 4e 41'
==> '5f 33 2e 34 39 30 2e 30 2d 54 33 2d 32 30 32 30'
==> '30 34 32 39 2e 62 69 6e 00 00 00 00 00 00 00 00'
==> '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
==> '00 00 00 00 48 df 00 00 3c c2 31 80 5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'
read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05 00 03 00 00 5e a9 42 fa 00 52 e5 75'
==> '80 00 40 00 46 41 53 54 33 36 38 36 5f 44 4e 41'
==> '5f 33 2e 34 39 30 2e 30 2d 54 33 2d 32 30 32 30'
==> '30 34 32 39 2e 62 69 6e 00 00 00 00 00 00 00 00'
==> '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
==> '00 00 00 00 48 df 00 00 3c c2 31 80 5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'
read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== '/flash/close'
<== '/flash/close'
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05 00 03 00 00 5e a9 42 fa 00 52 e5 75'
==> '80 00 40 00 46 41 53 54 33 36 38 36 5f 44 4e 41'
==> '5f 33 2e 34 39 30 2e 30 2d 54 33 2d 32 30 32 30'
==> '30 34 32 39 2e 62 69 6e 00 00 00 00 00 00 00 00'
==> '00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00'
==> '00 00 00 00 48 df 00 00 3c c2 31 80 5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> (empty)
==> 'Flash driver closed.'
==> (empty)
==> 'CM>'
==> ''
==> (empty)
==> 'Flash driver closed.'
==> (empty)
==> 'CM>'
<== '/exit'
Testing with telnet:
CM> /flash/open image1
Opening the flash driver...
Flash driver opened.
CM> /flash/readDirect 96 0
Reading 96 bytes, starting at an offset of 0 bytes into the region:
d0 6e 00 05 00 03 00 00 5e a9 42 fa 00 52 e5 75
80 00 40 00 46 41 53 54 33 36 38 36 5f 44 4e 41
5f 33 2e 34 39 30 2e 30 2d 54 33 2d 32 30 32 30
30 34 32 39 2e 62 69 6e 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 48 df 00 00 3c c2 31 80 5d 00 00 00
CM> /flash/readDirect 96 96
Reading 96 bytes, starting at an offset of 96 bytes into the region:
01 00 20 20 0e 00 0d 3a 28 ab ef 31 23 33 44 83
db 18 9b 57 12 d9 ed 76 9b d2 8d 4c ad 5b 7f 7a
0f 11 d2 c8 a8 77 99 48 98 fb 58 74 c2 b6 82 6e
74 89 bd 9f fb 21 63 03 40 1b dd 39 8c 00 b7 a5
01 1e bc e2 ce 92 ab 82 1f 4e 4e 11 00 61 f8 32
f0 19 27 0b 3a a3 62 81 c1 29 18 d0 2c 8e ad d0
Seems reading with readDirect works, but bcm2dump doesn't get the data.
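To see what those 96 bytes from /flash/readDirect actually are, here is an added example (not part of bcm2-utils) that decodes them as a Broadcom ProgramStore image header. The field layout is my assumption from public descriptions of that format, checked only against this dump; the image1 region size is taken from the show flash output above, and two fields can be cross-checked against the show version banner (PID=0xd06e and the build time).

```python
"""Decode the image1 header bytes that /flash/readDirect 96 0 returned."""
import struct
from datetime import datetime, timezone

# The six hexdump lines printed by '/flash/readDirect 96 0', copied from the log.
IMAGE1_HEAD = bytes.fromhex(
    "d0 6e 00 05 00 03 00 00 5e a9 42 fa 00 52 e5 75 "
    "80 00 40 00 46 41 53 54 33 36 38 36 5f 44 4e 41 "
    "5f 33 2e 34 39 30 2e 30 2d 54 33 2d 32 30 32 30 "
    "30 34 32 39 2e 62 69 6e 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 48 df 00 00 3c c2 31 80 5d 00 00 00 "
)

# Assumed ProgramStore header layout (big-endian, 92 bytes):
#   signature, control, major, minor, build_time, file_len, load_addr,
#   filename[48], pad[8], comp_len1, comp_len2, hcs, reserved, crc
_HEADER = struct.Struct(">HHHHIII48s8sIIHHI")
HEADER_LEN = _HEADER.size   # 92; bcm2dump rounded its first read up to 96


def parse_programstore_header(buf: bytes) -> dict:
    """Split a ProgramStore header into named fields (plain ints and strings)."""
    if len(buf) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} bytes, got {len(buf)}")
    (sig, control, major, minor, btime, flen, load, name, _pad,
     clen1, clen2, hcs, _res, crc) = _HEADER.unpack_from(buf, 0)
    return {
        "signature": sig,            # product id; matches PID=0xd06e in the banner
        "control": control,          # flag word; 0x0005 here, not decoded
        "version": f"{major}.{minor}",
        "build_time": btime,         # seconds since the Unix epoch
        "build_time_utc": datetime.fromtimestamp(btime, tz=timezone.utc).isoformat(),
        "file_len": flen,            # payload bytes following the header
        "load_addr": load,
        "filename": name.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "comp_len": (clen1, clen2),  # per-part lengths for dual images; zero here
        "hcs": hcs,                  # header checksum as stored (not recomputed)
        "crc": crc,                  # payload CRC as stored (not recomputed)
        "payload_offset": HEADER_LEN,
    }


def fits_region(hdr: dict, region_len: int) -> bool:
    """True when header plus payload fit inside the flash region it was read from."""
    return hdr["payload_offset"] + hdr["file_len"] <= region_len


def describe(buf: bytes, region_len: int) -> str:
    """Human-readable summary of one header, for eyeballing a fresh dump."""
    h = parse_programstore_header(buf)
    return "\n".join([
        f"signature 0x{h['signature']:04x}  control 0x{h['control']:04x}  "
        f"version {h['version']}",
        f"built     {h['build_time_utc']}",
        f"filename  {h['filename']}",
        f"payload   {h['file_len']} bytes at +{h['payload_offset']}, "
        f"load address 0x{h['load_addr']:08x}",
        f"hcs 0x{h['hcs']:04x}  crc 0x{h['crc']:08x}",
        f"fits in {region_len}-byte region: {fits_region(h, region_len)}",
    ])


if __name__ == "__main__":
    # image1 is 14155776 bytes according to 'system/show flash' in the same post.
    print(describe(IMAGE1_HEAD, 14155776))
```

The decoded build time (09:03:54 UTC on Apr 29 2020) is exactly the banner's 17:03:54 (+0800), which is a good sign the layout, and the bytes the console returned, are right; the problem is therefore on the tool side of the exchange, not in the data.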
I happen to have a Sagemcom F@ST 3686v2, and its GatewaySettings.bin is perfectly read by bcm2-utils, except for the firewall section:
C:\Users\agust\Desktop\bcm2utils-v0.9.4-win32>bcm2cfg.exe info GatewaySettings.bin
failed to parse group firewall
GatewaySettings.bin
type : gwsettings
profile : fast3686
checksum: dee176cbe8a0758d284942a330b92a4d (ok)
size : 26317 (ok)
key : 80
38303231 8021 0.44 bcmwifi 819 b
38303232 8022 0.44 bcmwifi2 816 b
57694775 WiGu 0.15 guestwifi 3598 b
57694776 WiGv 0.15 guestwifi2 3598 b
50524e54 PRNT 0.5 grp_prnt 3082 b
36535256 6SRV 0.1 grp_6srv 1354 b
534f4e4f SONO 0.7 grp_sono 2294 b
52472e2e RG.. 0.33 rg 3372 b
4d4c6f67 MLog 0.5 userif 260 b
4344502e CDP. 1.5 dhcp 1709 b
4341502e CAP. 1.3 grp_cap 1726 b
5361676d Sagm 0.34 grp_sagm 3374 b
76366677 v6fw 1.0 grp_v6fw 9 b
46495245 FIRE 0.8 firewall 62 b
4353502e CSP. 1.4 grp_csp 53 b
50505053 PPPS 0.5 grp_ppps 30 b
56504e47 VPNG 1.0 grp_vpng 15 b
4d53432e MSC. 0.1 msc 29 b
4e41532e NAS. 0.2 grp_nas 53 b
I can send my .bin file if it helps.
Thanks and thanks for this tool, I have been able to adjust several parameters of my router that my company blocks us for no apparent reason.
Regards, Agustin
We have access to a DOCSIS 3.0 CG2200 router. After downloading GatewaySettings.bin and enabling telnet access from the web UI, executing bcm2cfg.exe get GatewaySettings.bin userif
does not show me the telnet password. How do we get it? We tried admin:admin, admin:password, etc.
Output of bcm2cfg.exe get GatewaySettings.bin userif:
userif = {
http_user = "admin"
http_pass = "pass"
http_admin_user = "admin"
http_admin_pass = "pass"
remote_acc_methods = 0x00
remote_acc_user = ""
remote_acc_pass = ""
telnet_ipstacks = IP1 | IP4 | IP5 | IP6
ssh_ipstacks = IP5 | IP6
remote_acc_timeout = 1094861636
http_ipstacks = IP1 | IP3 | IP7
http_adv_ipstacks = IP2 | IP3 | IP7
http_seed = ""
http_acl_hosts =
http_idle_timeout = 0
}
In the makefile, the ps2extract rule is named psextract. This naming should be consistent so that make works out of the box.
Hello jclehner,
Sorry to submit a help request in Issues.
I have a TC7200.U from Unitymedia (now Vodafone). A mistake while porting OpenWrt to it bricked it; the MX25L8006 flash is burned out. A new MX25L8006 has now been delivered, but there is no backup of the bootloader image.
Could you share the bootloader?
Thanks a lot.
Qian
@arrobazo provided a nand dump of CGA4233-sto here (nox-x/TG3442DE-Teardown#3 (comment)). I wasn't able to extract the main filesystem (it looks like it uses a custom nand controller), but I was able to extract the spi flash dump, which seems to store the permnv and dynnv.
I can upload the extracted files, but just run binwalk on the smaller file in the archive and it'll dump a bunch of jffs2 filesystems.
Not sure if this is enough to add support, but please take a look when you have some time :)
I have Ubee products: UBC1319 and UBC1322 Broadcom SoC modems.
I want to have the CM eCos su password and the RG Linux root password.
Whoever knows them, could you please provide them?
Thanks
I happen to have a Sagem 3286, and its GatewaySettings.bin is perfectly read by bcm2-utils, except for the userif and firewall sections:
bcm2-utils:master$ ./bcm2cfg info /home/diegoe/Downloads/GatewaySettings.bin
failed to parse group userif
failed to parse group firewall
/home/diegoe/Downloads/GatewaySettings.bin
type : gwsettings
profile : gen2pslc
checksum: c1b7909ce7af6d88d994af488354811e (ok)
size : 19249 (ok)
36535256 6SRV 0.1 grp_6srv 814 b
52472e2e RG.. 0.30 rg 3196 b
4d4c6f67 MLog 0.5 userif 137 b
4344502e CDP. 1.5 dhcp 1629 b
4341502e CAP. 1.3 grp_cap 1726 b
46495245 FIRE 0.8 firewall 86 b
4353502e CSP. 1.4 grp_csp 53 b
50524e54 PRNT 0.5 grp_prnt 1922 b
50505053 PPPS 0.5 grp_ppps 30 b
56504e47 VPNG 1.0 grp_vpng 15 b
38303231 8021 0.38 bcmwifi 726 b
38303232 8022 0.38 bcmwifi2 729 b
57694775 WiGu 0.10 guestwifi 4063 b
57694776 WiGv 0.10 guestwifi2 4063 b
From decrypting the file myself (with XOR - 0x80), I can read my admin username and password:
00000fe0 REDACTED HEX |.............<..|
00000ff0 REDACTED HEX |........MLog....|
00001000 REDACTED HEX |root..REDACTD..r|
00001010 REDACTED HEX |oot..REDACTD..ad|
00001020 REDACTED HEX |min..REDACTD..RE|
00001030 REDACTED HEX |ACTED@REDCTD*..a|
00001040 REDACTED HEX |dmin..REDACTD.te|
00001050 REDACTED HEX |lnet..........te|
(Of course, where it says "REDACTED" is my password / MAC auto password thing)
The header of my decrypted file looks like this:
00000000 c1 b7 90 9c e7 af 6d 88 d9 94 af 48 83 54 81 1e |......m....H.T..|
00000010 46 41 53 54 33 32 38 36 54 4c 46 30 35 36 74 39 |FAST3286TLF056t9|
00000020 70 34 38 6a 70 34 65 65 36 75 39 65 65 36 35 39 |p48jp4ee6u9ee659|
00000030 6a 79 39 65 2d 35 34 65 34 6a 36 72 30 6a 30 36 |jy9e-54e4j6r0j06|
00000040 39 6b 2d 30 35 36 01 02 00 00 4b 31 03 2e 36 53 |9k-056....K1..6S|
00000050 52 56 00 01 00 00 00 00 00 00 00 00 00 00 00 00 |RV..............|
(Seems to be: FAST3286TLF056t9p48jp4ee6u9ee659jy9e-54e4j6r0j06)
I can send my .bin file if it helps.
Thanks for this tool. The code and research is great ⭐
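As an added example (not code from the issue or from bcm2-utils), the decrypted header bytes posted above can be cross-checked against the bcm2cfg info output: undoing the single-byte XOR 0x80 recovers the 16-byte checksum, the device identifier string, the total size and the first group record (magic, version, size), which is why that "encryption" gives the stored credentials no real protection. The field offsets after the identifier string are an assumption inferred from this one dump, and the "encrypted" input is constructed here by re-applying the XOR to the posted bytes.

```python
import struct

# The 0x60 decrypted header bytes from the hexdump in the issue above.
POSTED_HEADER = bytes.fromhex(
    "c1 b7 90 9c e7 af 6d 88 d9 94 af 48 83 54 81 1e"
    "46 41 53 54 33 32 38 36 54 4c 46 30 35 36 74 39"
    "70 34 38 6a 70 34 65 65 36 75 39 65 65 36 35 39"
    "6a 79 39 65 2d 35 34 65 34 6a 36 72 30 6a 30 36"
    "39 6b 2d 30 35 36 01 02 00 00 4b 31 03 2e 36 53"
    "52 56 00 01 00 00 00 00 00 00 00 00 00 00 00 00"
)


def xor_decode(data: bytes, key: int = 0x80) -> bytes:
    """Undo the single-byte XOR; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ key for b in data)


# Constructed stand-in for the on-device file: the posted bytes re-encoded.
CONSTRUCTED_ENCRYPTED = xor_decode(POSTED_HEADER)


def parse_header(plain: bytes) -> dict:
    """Split the decrypted header into the fields visible in the dump.

    Layout (assumed, inferred from the posted dump only):
      0x00  16-byte checksum (matches the bcm2cfg 'checksum:' line)
      0x10  printable device identifier string
      then  4 unknown bytes, 2-byte big-endian total size,
            first group record: 2-byte size, 4-byte magic, major, minor
    """
    checksum = plain[:16].hex()
    end = 16
    while end < len(plain) and 0x20 <= plain[end] < 0x7F:
        end += 1
    ident = plain[16:end].decode("ascii")
    (total_size,) = struct.unpack_from(">H", plain, end + 4)
    grp_size, magic, vmaj, vmin = struct.unpack_from(">H4sBB", plain, end + 6)
    return {
        "checksum": checksum,
        "ident": ident,
        "size": total_size,
        "first_group": (magic.decode("ascii"), f"{vmaj}.{vmin}", grp_size),
    }


if __name__ == "__main__":
    print(parse_header(xor_decode(CONSTRUCTED_ENCRYPTED)))
```

The parsed values should line up with the bcm2cfg info lines in the post: checksum c1b7…811e, size 19249 and the first group 6SRV 0.1 with 814 bytes.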
Hello, I'm trying to use bcm2cfg on a Fast3686 modem but it's a v2 CVA and the only output I'm getting is this:
./bcm2cfg -v info GatewaySettings.bin
failed to remove padding
group size 0 too small to be valid
GatewaySettings.bin
type : gwsettings
profile : fast3686
checksum: d46eca07a67cc93a820af19cdcdae88c (ok)
size : 23632 (ok)
key : 80
Is this because the configuration encryption key is unknown and I should try to get it somehow and use it with the -k parameter? Or is it because the Fast3686 profile is not compatible with my specific hardware version of the modem?
Thank you for the help.
I try to dump the flash of an unsupported device. It's a CH7485E cable modem with Broadcom 3384 soc. It has two serial consoles which I have access to. One is for the linux kernel the other for the bootloader. I don't know the password for the linux console, however.
The device has a nand flash and an spi flash. The latter one seems to store the bootloader, user config stuff and logs. From what I read the device or similar ones use two images. One ecos and a normal linux one. Only the latter one has serial access.
I reset the device but telnet still shows a filtered state even with firewall off.
snmp is enabled but the command for enabling telnet is not supported (object does not support modification)
So unless I try desoldering I'm stuck with dumping via serial from the bootloader prompt.
However, the command listed in the readme does not work for me (bcm2dump -P generic dump dev/ttyUSB0 0x83f60000,256k bootloader.bin) . Neither on the windows/linux release nor on master. Instead it just shows the help. There is a "/" missing but adding it does not help either.
I attached some files from the boot log and snmp (minus mac addresses).
putty_bootlogCH7485E.log
putty_crash+partitionCH7485E.log
snmp_afterreset_re.log
If you have some ideas what to change or if you need more logs, let me know.