how to dump firmware from broadcom based modems - jofre - 26-07-2017
this may be really useful
https://danidelvalle.me/2016/01/21/how-to-dump-firmware-images-from-broadcom-based-cable-modems/
I wish I knew how to write code in python so I could download the 2mb config from modems. doing it by hand is not working and it's very tiring
RE: how to dump firmware from broadcom based modems - drewmerc - 26-07-2017
you dont need to write python just how to edit it
all i guess you need to do is edit out his validation stuff and make it dump the full 8mb
or for fun you could make it just dump the config/nonvol
RE: how to dump firmware from broadcom based modems - jofre - 26-07-2017
I´m really trying to get the nonvol (I even PMed you about that!) but I'm having trouble locating it
I dumped manually, thru diag readmem, the the regions of Permanent NonVol and all the 3 Dynamic ones but got no luck with cmnonvolextractor, just errors
I must be doing something wrong, how can I locate the 2mb CFG inside the flash? what the offset would be?
and how much memory there is inside the modem? because it´s possible to read portions that go beyond the 8mb region
If I manage to dump the full 8mb, how could I extract the certs, since cmnonvol only works with the 2mb cfg?
damn I think I´m so close but I lack the knowledge!
RE: how to dump firmware from broadcom based modems - drewmerc - 26-07-2017
i dont read my pm's unless i know the name, i dont do this stuff anymore so i generally ignore all requests for help
i dont get why you think the cfg should be 2mb as it will only be 32k or 64k, have you opened what ever you dumped with readmem
and looked it in a hex editor? you should be able to see the nonvol area (certs)
i am assuming you have looked at other verifed nonvols and you'll see the same sequence of text showing the start of the nonvol so just copy out 32k
RE: how to dump firmware from broadcom based modems - jofre - 26-07-2017
I understand and appreciate your attention, thank you.
Yes, I opened the dumped nonvol in a hex editor but, sadly there's nothing there that looks like a cert.
They came from a svg1202, the nonvol are 64k - but they don't work with cmnonvol - that's why I thought I needed the 2mb cfg.
I tried extracting certs from the nonvol I download from haxorware (32k) but nothing happens. No errors, but no certs either. I wouldn't mind scooping out the certs by hand, using a hex editor, but could not find them
I can see some text in the haxorware nonvol but there's nothing like that in nonvol I dumped.
I used the Flash device information to locate the nonvol sections (see below) Btw, which one is the right one? Permanent or dynamic?
Then I tried dump as much as I could, since I can only read 16384 bytes max at a time, it took me a long time to dump almost all of it. Actually I managed to find what looks like the private key, but it was outside the 8mb region displayed in the flash device information - which got me even more confused.
I don't expect to be spoon fed, any ideas will be much appreciated, thank you.
Code: Flash Device Information:
CFI Compliant: no
Command Set: Generic SPI Flash
Device/Bus Width: x16
Little Word Endian: no
Fast Bulk Erase: no
Multibyte Write: 256 bytes max
Phys base address: 0xbadf1a5
Uncached Virt addr: 0x1badf1a5
Cached Virt addr: 0x2badf1a5
Number of blocks: 129
Total size: 8388608 bytes, 8 Mbytes
Current mode: Read Array
Device Size: 8388608, Write buffer: 256, Busy bit:
Size Device Device Region
Block kB Address Offset Offset Region Allocation
----- ---- ---------- ----------- --------- -----------------
0 32 0x1badf1a5 0 0 Bootloader (32768 bytes)
1 32 0x1bae71a5 32768 ??? {unassigned}
2 64 0x1baef1a5 65536 0 Permanent NonVol (65536 bytes)
3 64 0x1baff1a5 131072 0 Image1
4 64 0x1bb0f1a5 196608 65536 Image1
5 64 0x1bb1f1a5 262144 131072 Image1
6 64 0x1bb2f1a5 327680 196608 Image1
7 64 0x1bb3f1a5 393216 262144 Image1
8 64 0x1bb4f1a5 458752 327680 Image1
9 64 0x1bb5f1a5 524288 393216 Image1
10 64 0x1bb6f1a5 589824 458752 Image1
11 64 0x1bb7f1a5 655360 524288 Image1
12 64 0x1bb8f1a5 720896 589824 Image1
13 64 0x1bb9f1a5 786432 655360 Image1
14 64 0x1bbaf1a5 851968 720896 Image1
15 64 0x1bbbf1a5 917504 786432 Image1
16 64 0x1bbcf1a5 983040 851968 Image1
17 64 0x1bbdf1a5 1048576 917504 Image1
18 64 0x1bbef1a5 1114112 983040 Image1
19 64 0x1bbff1a5 1179648 1048576 Image1
20 64 0x1bc0f1a5 1245184 1114112 Image1
21 64 0x1bc1f1a5 1310720 1179648 Image1
22 64 0x1bc2f1a5 1376256 1245184 Image1
23 64 0x1bc3f1a5 1441792 1310720 Image1
24 64 0x1bc4f1a5 1507328 1376256 Image1
25 64 0x1bc5f1a5 1572864 1441792 Image1
26 64 0x1bc6f1a5 1638400 1507328 Image1
27 64 0x1bc7f1a5 1703936 1572864 Image1
28 64 0x1bc8f1a5 1769472 1638400 Image1
29 64 0x1bc9f1a5 1835008 1703936 Image1
30 64 0x1bcaf1a5 1900544 1769472 Image1
31 64 0x1bcbf1a5 1966080 1835008 Image1
32 64 0x1bccf1a5 2031616 1900544 Image1
33 64 0x1bcdf1a5 2097152 1966080 Image1
34 64 0x1bcef1a5 2162688 2031616 Image1
35 64 0x1bcff1a5 2228224 2097152 Image1
36 64 0x1bd0f1a5 2293760 2162688 Image1
37 64 0x1bd1f1a5 2359296 2228224 Image1
38 64 0x1bd2f1a5 2424832 2293760 Image1
39 64 0x1bd3f1a5 2490368 2359296 Image1
40 64 0x1bd4f1a5 2555904 2424832 Image1
41 64 0x1bd5f1a5 2621440 2490368 Image1
42 64 0x1bd6f1a5 2686976 2555904 Image1
43 64 0x1bd7f1a5 2752512 2621440 Image1
44 64 0x1bd8f1a5 2818048 2686976 Image1
45 64 0x1bd9f1a5 2883584 2752512 Image1
46 64 0x1bdaf1a5 2949120 2818048 Image1
47 64 0x1bdbf1a5 3014656 2883584 Image1
48 64 0x1bdcf1a5 3080192 2949120 Image1
49 64 0x1bddf1a5 3145728 3014656 Image1
50 64 0x1bdef1a5 3211264 3080192 Image1
51 64 0x1bdff1a5 3276800 3145728 Image1
52 64 0x1be0f1a5 3342336 3211264 Image1
53 64 0x1be1f1a5 3407872 3276800 Image1
54 64 0x1be2f1a5 3473408 3342336 Image1
55 64 0x1be3f1a5 3538944 3407872 Image1
56 64 0x1be4f1a5 3604480 3473408 Image1
57 64 0x1be5f1a5 3670016 3538944 Image1
58 64 0x1be6f1a5 3735552 3604480 Image1
59 64 0x1be7f1a5 3801088 3670016 Image1
60 64 0x1be8f1a5 3866624 3735552 Image1
61 64 0x1be9f1a5 3932160 3801088 Image1
62 64 0x1beaf1a5 3997696 3866624 Image1
63 64 0x1bebf1a5 4063232 3932160 Image1
64 64 0x1becf1a5 4128768 3997696 Image1 (4063232 bytes)
65 64 0x1bedf1a5 4194304 0 Image2
66 64 0x1beef1a5 4259840 65536 Image2
67 64 0x1beff1a5 4325376 131072 Image2
68 64 0x1bf0f1a5 4390912 196608 Image2
69 64 0x1bf1f1a5 4456448 262144 Image2
70 64 0x1bf2f1a5 4521984 327680 Image2
71 64 0x1bf3f1a5 4587520 393216 Image2
72 64 0x1bf4f1a5 4653056 458752 Image2
73 64 0x1bf5f1a5 4718592 524288 Image2
74 64 0x1bf6f1a5 4784128 589824 Image2
75 64 0x1bf7f1a5 4849664 655360 Image2
76 64 0x1bf8f1a5 4915200 720896 Image2
77 64 0x1bf9f1a5 4980736 786432 Image2
78 64 0x1bfaf1a5 5046272 851968 Image2
79 64 0x1bfbf1a5 5111808 917504 Image2
80 64 0x1bfcf1a5 5177344 983040 Image2
81 64 0x1bfdf1a5 5242880 1048576 Image2
82 64 0x1bfef1a5 5308416 1114112 Image2
83 64 0x1bfff1a5 5373952 1179648 Image2
84 64 0x1c00f1a5 5439488 1245184 Image2
85 64 0x1c01f1a5 5505024 1310720 Image2
86 64 0x1c02f1a5 5570560 1376256 Image2
87 64 0x1c03f1a5 5636096 1441792 Image2
88 64 0x1c04f1a5 5701632 1507328 Image2
89 64 0x1c05f1a5 5767168 1572864 Image2
90 64 0x1c06f1a5 5832704 1638400 Image2
91 64 0x1c07f1a5 5898240 1703936 Image2
92 64 0x1c08f1a5 5963776 1769472 Image2
93 64 0x1c09f1a5 6029312 1835008 Image2
94 64 0x1c0af1a5 6094848 1900544 Image2
95 64 0x1c0bf1a5 6160384 1966080 Image2
96 64 0x1c0cf1a5 6225920 2031616 Image2
97 64 0x1c0df1a5 6291456 2097152 Image2
98 64 0x1c0ef1a5 6356992 2162688 Image2
99 64 0x1c0ff1a5 6422528 2228224 Image2
100 64 0x1c10f1a5 6488064 2293760 Image2
101 64 0x1c11f1a5 6553600 2359296 Image2
102 64 0x1c12f1a5 6619136 2424832 Image2
103 64 0x1c13f1a5 6684672 2490368 Image2
104 64 0x1c14f1a5 6750208 2555904 Image2
105 64 0x1c15f1a5 6815744 2621440 Image2
106 64 0x1c16f1a5 6881280 2686976 Image2
107 64 0x1c17f1a5 6946816 2752512 Image2
108 64 0x1c18f1a5 7012352 2818048 Image2
109 64 0x1c19f1a5 7077888 2883584 Image2
110 64 0x1c1af1a5 7143424 2949120 Image2
111 64 0x1c1bf1a5 7208960 3014656 Image2
112 64 0x1c1cf1a5 7274496 3080192 Image2
113 64 0x1c1df1a5 7340032 3145728 Image2
114 64 0x1c1ef1a5 7405568 3211264 Image2
115 64 0x1c1ff1a5 7471104 3276800 Image2
116 64 0x1c20f1a5 7536640 3342336 Image2
117 64 0x1c21f1a5 7602176 3407872 Image2
118 64 0x1c22f1a5 7667712 3473408 Image2
119 64 0x1c23f1a5 7733248 3538944 Image2
120 64 0x1c24f1a5 7798784 3604480 Image2
121 64 0x1c25f1a5 7864320 3670016 Image2
122 64 0x1c26f1a5 7929856 3735552 Image2
123 64 0x1c27f1a5 7995392 3801088 Image2
124 64 0x1c28f1a5 8060928 3866624 Image2 (3932160 bytes)
125 64 0x1c29f1a5 8126464 0 Dynamic NonVol
126 64 0x1c2af1a5 8192000 65536 Dynamic NonVol
127 64 0x1c2bf1a5 8257536 131072 Dynamic NonVol
128 64 0x1c2cf1a5 8323072 196608 Dynamic NonVol (262144 bytes)
RE: how to dump firmware from broadcom based modems - doctor - 27-07-2017
if you downloaded the nonvol from hax you shouldnt have any issues extracting files with cmnonvol unless the file is corrupt.
RE: how to dump firmware from broadcom based modems - jofre - 27-07-2017
i tried again with different certs and an older version of cmnonvol (cmnonexpv1.1.1.exe). it kinda worked, but all the files were with some extra bytes, e.g. the public key was 141 bytes instead of 140. I opened in hex editor and compared with the original files and could see some extra spaces which were messing up everything. both certs CA an CM were also invalid due to this extra spaces 'D0' bytes.
the 2mb (cmnonexp2mb.exe) version was downloaded from this forum, so I really don't know what's going on.
I tried dumping again a 64k nonvol region using readmem.
I dumped the 3rd dynamic nonvol, offset 8257536, wich gave me 7E0000 in hex, so start woud be at 0x807e0000
the 4th dynamic nonvol starts at 8323072 = 7F0000, so I dumped until I reached 0x807f0000
then I searched for '31 81 89' for the public key in the hex editor, but no candy.
RE: how to dump firmware from broadcom based modems - jofre - 27-07-2017
ok, so I tried to modify the original code but it's not working, so if anyone who understands python could give me a hand, I´ll be really grateful
here's the original
Code: from sys import argv
from math import ceil
from telnetlib import Telnet
from optparse import OptionParser, OptionGroup
from progressbar import ProgressBar
import re
TIMEOUT = 2
BLOCK_SIZE = 8192
class BrcmFirmwareDump:
def __init__(self, ip, user, password, port=23):
# Connect
self.tn = Telnet(ip,port,TIMEOUT)
# self.tn.set_debuglevel(1)
# workarround to avoid the connection getting stuck at option negociation
self.tn.set_option_negotiation_callback(self.option_negociation)
# Some old broadcom versions need any character
# being send before prompting for the username
while True:
r = self.tn.read_until("ogin: ", TIMEOUT)
if re.search("ogin:", r):
break
# Send a '\n'
self.tn.write("\n")
# Send the username
self.tn.write(user+"\n")
# Send the password
self.tn.read_until("assword: ")
self.tn.write(password+"\n")
# Get the first prompt
r = self.tn.read_until("> ")
# Log in as root if necessary
if re.search("Console", r):
self.tn.write("su\n")
self.tn.read_until("assword: () []")
self.tn.write("brcm\n")
self.tn.read_until("> ")
self.tn.write("\n")
self.tn.read_until("> ")
self.tn.write("cd flash\n")
self.tn.read_until("\r\n\r\nCM/Flash> ")
'''
self.tn.write("deinit\n")
self.tn.read_until("\r\n\r\nCM/Flash> ")
self.tn.write("init\n")
self.tn.read_until("\r\n\r\nCM/Flash> ")
'''
def log(self, message, image=1):
print "Image%d> %s" % (image, message)
def option_negociation(self, socket, command, option):
pass
def read_block(self, image, block):
# Get a read command valid response
while True:
offset = block*BLOCK_SIZE
command = "read 4 %d %d" % (BLOCK_SIZE,offset)
self.tn.write(command + "\n")
e = self.tn.read_until("\r\n\r\nCM/Flash> ")
lines = e.split("\r\n")
if len(lines)==7:
response = lines[4].strip().replace(" ", "")
until = len(response) / 2
octecs_as_strings = [ response[2*i:2*i+2] for i in range(0,until)]
if len(octecs_as_strings) != BLOCK_SIZE:
# Continue to try again
continue
break
return octecs_as_strings
def process_block0(self, octecs_as_strings):
filename = "".join( \
[ c for c in \
map(lambda e: e.decode("hex"), octecs_as_strings[20:83]) \
if c != '\x00'])
payload_size_hex = "".join(octecs_as_strings[13:16])
payload_size = int(payload_size_hex,16)
total_size = int(payload_size_hex,16) + int("0x5c",16)
return filename, total_size
def write_block(self, file, octecs_as_strings):
as_decimals = map(lambda e: int(e,16), octecs_as_strings)
file.write(bytearray(as_decimals))
def open_image(self, image):
self.tn.write("open image%d\n" % image)
self.tn.read_until("\r\n\r\nCM/Flash> ")
def close_image(self):
self.tn.write("close\n")
self.tn.read_until("\r\n\r\nCM/Flash> ")
def download_image(self, image=1):
self.log("Downloading first block...", image)
self.open_image(image)
# Read block 0
octecs_as_strings = self.read_block(image, 0)
filename, total_size = self.process_block0(octecs_as_strings)
self.log("Detected firmware '%s' (%d bytes)" % (filename, total_size), image)
# Ask the user whether the fw has to be downloaded
while True:
download = raw_input('Do you want to download the firmware? (y/n): ')
if download.lower() == "n":
self.close_image()
return
elif download.lower() == "y":
break
total_blocks = int(ceil(total_size / float(BLOCK_SIZE)))
self.log("Reading next %d blocks (%d bytes each)" % (total_blocks-1, BLOCK_SIZE), image)
readed = BLOCK_SIZE
# Create ouput filen and save first block
f = open(filename, "wb")
self.write_block(f, octecs_as_strings)
# Read the reamaining blocks
bar = ProgressBar()
for block in bar(range(1, total_blocks)):
octecs_as_strings = self.read_block(image, block)
# Check if it is the final block
if (readed + BLOCK_SIZE) > total_size:
octecs_as_strings = octecs_as_strings[0:total_size-readed]
# Write block to file
self.write_block(f, octecs_as_strings)
# Update the control counters
readed += len(octecs_as_strings)
# Close the output file
f.close()
# Close the flash image zone
self.close_image()
def close(self):
self.tn.write("cd ..\n")
self.tn.read_until("\r\n\r\nCM> ")
self.tn.write("exit\n")
self.tn.close()
def parse_cmdline(argv):
"""Parses the command-line."""
parser = OptionParser(description='brcm_firmware_dump - telnet dump of firmware images from Broadcom based cable modems.')
parser.add_option("-i", "--ip", dest="ip", help="Cable Modem IP Address (required)")
parser.add_option("-u", "--user", dest="user", help="Telnet username")
parser.add_option("-p", "--password", dest="password", help="Telnet password")
# Parse the user input
(options, args) = parser.parse_args()
# Check required arguments
if options.ip is None:
parser.print_help()
parser.error("Cable modem IP address is required.")
if options.user is None:
parser.print_help()
parser.error("Telnet username is required.")
if options.password is None:
parser.print_help()
parser.error("Telnet password is required.")
return (options, args)
if __name__ == '__main__':
# parse the command line
options, args = parse_cmdline(argv)
brcm_fw_dump = BrcmFirmwareDump(options.ip, options.user, options.password)
brcm_fw_dump.download_image(1)
brcm_fw_dump.download_image(2)
brcm_fw_dump.close()
and here's the modded version:
Code: from sys import argv
from math import ceil
from telnetlib import Telnet
from optparse import OptionParser, OptionGroup
from progressbar import ProgressBar
import re
TIMEOUT = 2
BLOCK_SIZE = 16384
class BrcmFirmwareDump:
def __init__(self, ip, user, password, port=23):
# Connect
self.tn = Telnet(ip,port,TIMEOUT)
# self.tn.set_debuglevel(1)
# workarround to avoid the connection getting stuck at option negociation
self.tn.set_option_negotiation_callback(self.option_negociation)
# Some old broadcom versions need any character
# being send before prompting for the username
while True:
r = self.tn.read_until("ogin: ", TIMEOUT)
if re.search("ogin:", r):
break
# Send a '\n'
self.tn.write("\n")
# Send the username
self.tn.write(user+"\n")
# Send the password
self.tn.read_until("assword: ")
self.tn.write(password+"\n")
# Get the first prompt
r = self.tn.read_until("> ")
# Log in as root if necessary
if re.search("Console", r):
self.tn.write("su\n")
self.tn.read_until("assword: () []")
self.tn.write("brcm\n")
self.tn.read_until("> ")
self.tn.write("\n")
self.tn.read_until("> ")
self.tn.write("cd system\n")
self.tn.read_until("\r\n\r\nConsole/system> ")
'''
self.tn.write("deinit\n")
self.tn.read_until("\r\n\r\nConsole/system> ")
self.tn.write("init\n")
self.tn.read_until("\r\n\r\nConsole/system> ")
'''
def log(self, message, image=1):
print "Image%d> %s" % (image, message)
def option_negociation(self, socket, command, option):
pass
def read_block(self, image, block):
# Get a read command valid response
while True:
offset = hex(block*BLOCK_SIZE)
command = "diag readmem -s 1 -n %d %d" % (BLOCK_SIZE,offset)
self.tn.write(command + "\n")
e = self.tn.read_until("\r\n\r\nConsole/system> ")
lines = e.split("\r\n")
if len(lines)==7:
response = lines[4].strip().replace(" ", "")
until = len(response) / 2
octecs_as_strings = [ response[2*i:2*i+2] for i in range(0,until)]
if len(octecs_as_strings) != BLOCK_SIZE:
# Continue to try again
continue
break
return octecs_as_strings
def process_block0(self, octecs_as_strings):
filename = "".join( \
[ c for c in \
map(lambda e: e.decode("hex"), octecs_as_strings[20:83]) \
if c != '\x00'])
payload_size_hex = "".join(octecs_as_strings[13:16])
payload_size = int(payload_size_hex,16)
total_size = int(payload_size_hex,16)
return filename, total_size
def write_block(self, file, octecs_as_strings):
as_decimals = map(lambda e: int(e,16), octecs_as_strings)
file.write(bytearray(as_decimals))
#def open_image(self, image):
# self.tn.write("open image%d\n" % image)
# self.tn.read_until("\r\n\r\nConsole/system> ")
#def close_image(self):
# self.tn.write("close\n")
# self.tn.read_until("\r\n\r\nConsole/system> ")
def download_image(self, image=1):
self.log("Downloading first block...", image)
self.open_image(image)
# Read block 0
octecs_as_strings = self.read_block(image, 0)
filename, total_size = self.process_block0(octecs_as_strings)
self.log("Detected firmware '%s' (%d bytes)" % (filename, total_size), image)
# Ask the user whether the fw has to be downloaded
while True:
download = raw_input('Do you want to download the firmware? (y/n): ')
if download.lower() == "n":
self.close_image()
return
elif download.lower() == "y":
break
total_blocks = int(ceil(total_size / float(BLOCK_SIZE)))
self.log("Reading next %d blocks (%d bytes each)" % (total_blocks-1, BLOCK_SIZE), image)
readed = BLOCK_SIZE
# Create ouput filen and save first block
f = open(filename, "wb")
self.write_block(f, octecs_as_strings)
# Read the reamaining blocks
bar = ProgressBar()
for block in bar(range(1, total_blocks)):
octecs_as_strings = self.read_block(image, block)
# Check if it is the final block
if (readed + BLOCK_SIZE) > total_size:
octecs_as_strings = octecs_as_strings[0:total_size-readed]
# Write block to file
self.write_block(f, octecs_as_strings)
# Update the control counters
readed += len(octecs_as_strings)
# Close the output file
f.close()
# Close the flash image zone
#self.close_image()
def close(self):
self.tn.write("cd ..\n")
self.tn.read_until("\r\n\r\nConsole> ")
self.tn.write("exit\n")
self.tn.close()
def parse_cmdline(argv):
"""Parses the command-line."""
parser = OptionParser(description='brcm_firmware_dump - telnet dump of firmware images from Broadcom based cable modems.')
parser.add_option("-i", "--ip", dest="ip", help="Cable Modem IP Address (required)")
parser.add_option("-u", "--user", dest="user", help="Telnet username")
parser.add_option("-p", "--password", dest="password", help="Telnet password")
# Parse the user input
(options, args) = parser.parse_args()
# Check required arguments
if options.ip is None:
parser.print_help()
parser.error("Cable modem IP address is required.")
if options.user is None:
parser.print_help()
parser.error("Telnet username is required.")
if options.password is None:
parser.print_help()
parser.error("Telnet password is required.")
return (options, args)
if __name__ == '__main__':
# parse the command line
options, args = parse_cmdline(argv)
brcm_fw_dump = BrcmFirmwareDump(options.ip, options.user, options.password)
brcm_fw_dump.download_image(1)
brcm_fw_dump.download_image(2)
brcm_fw_dump.close()
There are some differences in commands syntax and procedure, so I´ll explain:
1. the path in the original is "CM\Flash", needs to be "Console\system" - so I changed that
2. the command in the original was "read 4 64 0"
which means Reading 64 bytes as 4-byte entities, starting at an offset of 0
needs to be: "diag readmem -s 1 -n 16384 0x80000000"
I don't now what the -s 1 does
-n 16384 -> block size
0x800000000 -> offset in hex, so that needs to be changed. I tried, but I don't know if it worked "offset = hex(block*BLOCK_SIZE)"
3. in the original, you have to open the image first with the command "open image" - there's no need for that, so I initally commented out the parts where it appeared but it didn't work, so I removed the # (it didn't work either hehe)
4. the original is meant to download just the firmware, so it has a limiting size feature:
total_size = int(payload_size_hex,16) + int("0x5c",16)
where 0x5c is the starting position and total size is 0x1c0fbc (1,839,036 bytes), tho I could not understand how the total size is calculated and i don't know exactly what I should do to dump the whole thing.
5. since there's an 'open image' command, there's also a 'close image' too and I think this will not be needed.
I know it's logging on to the telnet cause I checked the log of the modem, but it freezes just after I hit enter and does not show any error message, so I don't know exactly what's going on.
RE: how to dump firmware from broadcom based modems - drewmerc - 27-07-2017
post or pm me a link to the crap you have dumped from your modem i wanna look, cant help with the python as i cant write it, when i edit shit like that i do trial and error method with lots of google yet never really understanding wtf is happening
(and is that fails i'd remove all references to modems and what not and post it to somewhere like stackoverflow asking how to change it so it dumps from the nonvol memory address)
RE: how to dump firmware from broadcom based modems - jofre - 27-07-2017
pmed you, thank you
mabye I´ll get in touch with the developer...bad idea?
|