(19-04-2019, 10:16 AM)blacklisted Wrote: @emantec or elbarto Please confirm

does your sh script get put into folder nvram/0/ ? if so please explain does this path auto run any files in this folder.

and where would i put vmtool binary.

if i put VMTOOL and sh script into path /etc/scripts/ then how is you sh script run?

i asked for understanding. and i noticed that /nvarm/0/ has file that runs script sys_startup.sh are you asking we edit this file?

Please can you answer this and how your script would run what invokes it ?

Thank you

(02-03-2019, 12:06 PM)danman Wrote: I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/uploads/2019/03/router-upc-pinout-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract, e.g. via dd:

Code:

dd if=/dev/sdc of=dump.dd bs=1M

(19-04-2019, 10:44 AM)blacklisted Wrote: its VM same SH 3

all i request is should i put your script and vmtool in the scripts dir? i have put /etc/scripts/ there must be something

thas why i would like to confim if i am correct.

its sys_startup.sh that exists not sys_setup


Thanx


I am leaving this here for the moment as others can read who may ask similer question.

i will come and report back and edit once i get going

(12-04-2019, 07:27 PM)emantec Wrote: Adding to elbarto's post on enabling telnet you can do the following to bypass the pwod by setting the 'client' password (assuming the client is actually Virgin Media in this case).

In /nvram/6/1 set the following at address 0x1F7

BC AE 6A 68 38 32 4B 18

This will set the password to 'pwned' giving you access to the higher privileged shell (still need to work out how to break into busybox).

(16-04-2019, 12:07 PM)emantec Wrote: Upon some further research it seems their shell is very locked down and there's no way to break out of it. With that said I did find a extremely easy command injection exploit.
Although it was helpful it's not actually needed to unlock the system, you can do that simply from the NVRAM.

On boot it checks for the script /nvram/0/sys_setup.sh and runs if it exists, I put together a script that runs some code I compiled to enable telnet on every boot, set the client password and set the permissions to the maximum level so you can access all the restricted commands from the restricted shell. You can access pretty much everything from there, even the Intel cpu:

   

Code:

[  6] Atom> help
help

Directory Commands ->

      manuf : <DIR> Manuf
     status : Show Modem Status
     !reset : Reset Modem
     system : Run shell command
       help : Display commands
    !logout : Disconnect telnet/SSH
       quit : Quit the Atom CLI

Type '<cmd> ?' for available help.

Return Status: 0

[  7] Atom> manuf
manuf
[  8] Manuf> help
help

Directory Commands ->

     ccTest : Dummy Cable Card Test
boottimeout : Set CEFDK boot timeout
     macset : Set Atom MAC address
loadFromUSB : Load Inactive Bank from USB
 sectorInfo : Show sector info
     status : Show Modem Status
     !reset : Reset Modem
     system : Run shell command
       help : Display commands
    !logout : Disconnect telnet/SSH
       quit : Quit the Atom CLI

Type '<cmd> ?' for available help.

Return Status: 0

[  9] Manuf>

I've uploaded my script, source and binary here if people want to use it, enjoy.

https://mega.nz/#!g8lTiSbD!mC4J8cFBo38VvIDDbnHcM4Cxo-tCPpNZRwaLrq6s-

(16-04-2019, 12:07 PM)emantec Wrote: With that said I did find a extremely easy command injection exploit.

(21-04-2019, 12:59 PM)emantec Wrote: [quote pid='36556' dateline='1555826524']

can you please confirm that the pass word is "pwned" as i have tryed but not letting me in.  the script working as i see the following in serial console at boot