Haxorware Forums
Arris TG2492 (VM Super hub 3) - Printable Version



Arris TG2492 (VM Super hub 3) - emantec - 07-09-2018

I've been doing some research on this cable modem in the hope of getting access to the firmware, but I've hit a roadblock, so I'm hoping someone here has the knowledge/skills to crack this open.

A decent breakdown of the modem can be found here which includes a mostly complete list of components and UART output: 
https://www.mobile-computer-repairs.co.uk/blog/topic/29/routers/Arris-TG2492 

Having also checked myself, I can confirm the console is locked; there's seemingly no way to stop or interrupt the boot script, and no input is accepted.

I then proceeded to desolder the NAND and attempted to dump it. Unfortunately it would appear the NAND is encrypted, but for those interested you can get it here:
https://mega.nz/#!qZ5nETaI!QqGD5XRCeLUAtiDTqh3xJ17IwlnWcystaSf--kC4vy8

At this point I'm not sure how to proceed. With the NAND being encrypted, I tried to get some information on the eMMC chip Phison PS8211-0, but there doesn't appear to be any public information or data sheet. Does anyone know if this is what handles the NAND encryption, or is it being done at a bootloader level?

The only interesting information I could find was this anonymous pastebin, which would appear to be from a FRITZ!Box modem:

https://pastebin.com/GZDdJRPs

Code:
4    /etc/mmc/PS8211/phison_fw/PS8211_SLC_BFW_A.BIN
4    /etc/mmc/PS8211/phison_fw/PS8211_SLC_BFW_B.BIN
4    /etc/mmc/PS8211/phison_fw/phison.cfg
4    /etc/mmc/PS8211/read_image_version.sh
4    /etc/mmc/PS8211/read_mmc_fw_version.sh
4    /etc/mmc/PS8211/upgrade_mmc_fw.sh

It doesn't say what FRITZ!Box modem this came from, but obtaining a copy of the eMMC firmware would likely be useful in decrypting the NAND.
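As an added illustration (my own example, not code from emantec or anyone else in this thread) of how one typically backs up the "it would appear the NAND is encrypted" observation: a per-block Shannon entropy scan over a raw flash image. Erased NAND reads as 0xFF, plaintext config or firmware code sits well below 8 bits/byte, and ciphertext approaches 8.0. The sample image below is constructed inline, the 4 KiB block size and 7.5 bits/byte threshold are assumptions, and a high-entropy verdict cannot by itself separate encryption from compression, so it is a screening step, not a proof.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 4096          # analysis granularity (assumption); NAND pages are often 2 KiB or 4 KiB
HIGH_ENTROPY = 7.5         # bits/byte threshold (assumption); uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input or a single repeated value."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(block: bytes) -> str:
    """Label one block as erased flash, structured (plaintext-like) data, or high entropy."""
    if block == b"\xff" * len(block) or block == b"\x00" * len(block):
        return "erased"          # unprogrammed NAND reads 0xFF; 0x00 fill is common padding
    if shannon_entropy(block) >= HIGH_ENTROPY:
        return "high-entropy"    # encrypted OR compressed; entropy alone cannot tell them apart
    return "structured"


def scan_image(image: bytes, block_size: int = BLOCK_SIZE):
    """Walk the image in fixed-size blocks; return (offset, entropy, label) for each."""
    results = []
    for off in range(0, len(image), block_size):
        block = image[off:off + block_size]
        results.append((off, round(shannon_entropy(block), 3), classify_block(block)))
    return results


def summarize(results):
    """Count how many blocks fell into each label, e.g. to see if the whole image is high entropy."""
    return dict(Counter(label for _, _, label in results))


def _pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy filler made by chaining SHA-256 (constructed, not real ciphertext)."""
    out = bytearray()
    state = seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return bytes(out[:n])


# Constructed sample "dump": one erased block, one block of ASCII config-style text,
# one block of ciphertext-like data. Not taken from any real device.
SAMPLE_IMAGE = (
    b"\xff" * BLOCK_SIZE
    + (b"CM-MAC=00:00:00:00:00:00\nSNMP_COMMUNITY=placeholder\n" * 200)[:BLOCK_SIZE]
    + _pseudo_random(BLOCK_SIZE)
)

if __name__ == "__main__":
    for off, ent, label in scan_image(SAMPLE_IMAGE):
        print(f"0x{off:08x}  {ent:5.3f} bits/byte  {label}")
    print(summarize(scan_image(SAMPLE_IMAGE)))
```

On a real dump you would read the file in place of SAMPLE_IMAGE; a bootloader region that shows up as "high-entropy" from the very first block, with no "structured" blocks anywhere, is what one would expect from whole-image encryption, whereas a compressed kernel or filesystem usually leaves plaintext headers and partition tables as structured blocks around it.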


RE: Arris TG2492 (VM Super hub 3) - ricktendo - 08-09-2018

If only the bootloader weren't encrypted it could be possible to mod it to be "noisy" (display output and allow input/interrupt) but it appears the bootloader is also encrypted?


RE: Arris TG2492 (VM Super hub 3) - emantec - 08-09-2018

(08-09-2018, 02:19 PM)ricktendo Wrote: If only the bootloader weren't encrypted it could be possible to mod it to be "noisy" (display output and allow input/interrupt) but it appears the bootloader is also encrypted?

Would assume the bootloader is the first/second page of the nand dump which would appear to be encrypted.


RE: Arris TG2492 (VM Super hub 3) - drewmerc - 09-09-2018

Have you considered crashing the bootloader after U-Boot has loaded? I'd start with connecting read-enable to ground; with luck it'll crash to a U-Boot prompt.


RE: Arris TG2492 (VM Super hub 3) - emantec - 09-09-2018

Was thinking about how to do that (couldn't find any public information), so I'll give that a try!
Need to wait for a replacement to arrive first though; currently disassembling the current one to trace JTAG.


RE: Arris TG2492 (VM Super hub 3) - ricktendo - 09-09-2018

Do you have a JTAGulator or something similar?

If not, how do you go about finding the JTAG pinout without something like it?


RE: Arris TG2492 (VM Super hub 3) - emantec - 09-09-2018

(09-09-2018, 08:20 PM)ricktendo Wrote: Do you have a JTAGulator or something similar?

If not, how do you go about finding the JTAG pinout without something like it?

It's on its way ;)


RE: Arris TG2492 (VM Super hub 3) - blacklisted - 02-11-2018

Update, @emantec?


RE: Arris TG2492 (VM Super hub 3) - emantec - 02-11-2018

JTAGulator didn't work; managed to work out a way to dump unencrypted firmware though, so currently investigating an exploit to allow remote root access.


RE: Arris TG2492 (VM Super hub 3) - andy m - 03-11-2018

Upload the dump. How did you get the dump from the router itself?