Arris TG2492 (VM Super hub 3) - Printable Version

+- Haxorware Forums (http://www.haxorware.com/forums)
+-- Forum: General (http://www.haxorware.com/forums/forumdisplay.php?fid=6)
+--- Forum: Modems (http://www.haxorware.com/forums/forumdisplay.php?fid=7)
+--- Thread: Arris TG2492 (VM Super hub 3) (/showthread.php?tid=6860)
Arris TG2492 (VM Super hub 3) - emantec - 07-09-2018

I've been doing some research on this cable modem in the hope of getting access to the firmware, but I've hit a road block, so I'm hoping someone here has the knowledge/skills to crack this open.

A decent breakdown of the modem can be found here, which includes a mostly complete list of components and UART output: https://www.mobile-computer-repairs.co.uk/blog/topic/29/routers/Arris-TG2492

Having also checked myself, I can confirm the console is locked: there's seemingly no way to stop or interrupt the boot script, and no input is accepted.

I then proceeded to desolder the NAND and attempted to dump it. Unfortunately it would appear the NAND is encrypted, but for those interested you can get it here: https://mega.nz/#!qZ5nETaI!QqGD5XRCeLUAtiDTqh3xJ17IwlnWcystaSf--kC4vy8

At this point I'm not sure how to proceed. With the NAND being encrypted I tried to get some information on the eMMC chip, Phison PS8211-0, but there doesn't appear to be any public information or data sheet. Does anyone know if this is what handles the NAND encryption, or is it being done at a bootloader level?

The only interesting information I could find was this anonymous pastebin, which would appear to be from a fritzbox modem: https://pastebin.com/GZDdJRPs

Code:
4 /etc/mmc/PS8211/phison_fw/PS8211_SLC_BFW_A.BIN

It doesn't say what fritzbox modem this came from, but obtaining a copy of the eMMC firmware would likely be useful in decrypting the NAND.

RE: Arris TG2492 (VM Super hub 3) - ricktendo - 08-09-2018

If only the bootloader weren't encrypted it could be possible to mod it to be "noisy" (display output and allow input/interrupt), but it appears the bootloader is also encrypted?

RE: Arris TG2492 (VM Super hub 3) - emantec - 08-09-2018

(08-09-2018, 02:19 PM) ricktendo Wrote:
    If only the bootloader weren't encrypted it could be possible to mod it to be "noisy" (display output and allow input/interrupt), but it appears the bootloader is also encrypted?

Would assume the bootloader is the first/second page of the NAND dump, which would appear to be encrypted.

RE: Arris TG2492 (VM Super hub 3) - drewmerc - 09-09-2018

Have you considered crashing the bootloader after U-Boot has loaded? I'd start with connecting read-enable to ground; with luck it'll crash to a U-Boot prompt.

RE: Arris TG2492 (VM Super hub 3) - emantec - 09-09-2018

Was thinking about how to do that (couldn't find any public information), so I'll give that a try! Need to wait for a replacement to arrive first though; currently disassembling the current one to trace JTAG.

RE: Arris TG2492 (VM Super hub 3) - ricktendo - 09-09-2018

Do you have a JTAGulator or something similar? If not, how do you go about finding the JTAG pinout without something like it?

RE: Arris TG2492 (VM Super hub 3) - emantec - 09-09-2018

(09-09-2018, 08:20 PM) ricktendo Wrote:
    Do you have a JTAGulator or something similar?

It's on its way.

RE: Arris TG2492 (VM Super hub 3) - blacklisted - 02-11-2018

Update @emantec

RE: Arris TG2492 (VM Super hub 3) - emantec - 02-11-2018

JTAGulator didn't work; managed to work out a way to dump unencrypted firmware though, so currently investigating an exploit to allow remote root access.

RE: Arris TG2492 (VM Super hub 3) - andy m - 03-11-2018

Upload the dump. How did you get the dump from the router itself?
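The check behind "the NAND appears encrypted" in emantec's first post, and the follow-up that the bootloader should sit in the first page or two of the dump, as an added example that is not code from the thread or from any participant: a per-page Shannon entropy scan over a raw dump. Every page is classified as erased (all 0xFF), zeroed, low-entropy (code, strings, headers) or high-entropy (encrypted or compressed). An unencrypted bootloader always leaves at least one low-entropy page of banner strings and headers at the front; an image encrypted end to end shows high entropy on every written page. The page size (2 KiB, spare area already stripped), the 7.5 bits/byte threshold and the two sample images are assumptions constructed for the example, not values taken from the real dump.

```python
"""Per-page entropy scan of a raw NAND/eMMC dump (added example).

Assumptions (not from the thread): 2 KiB data pages with the OOB/spare
area already stripped, and a 7.5 bits/byte cut-off. The scan cannot tell
encryption from compression; what points at a full-image cipher is high
entropy on every written page with no low-entropy header in front of it.
"""
import hashlib
import math
from collections import Counter

PAGE_SIZE = 2048      # assumption: 2 KiB pages, no OOB bytes in the image
HIGH_ENTROPY = 7.5    # bits/byte; random-looking 2 KiB pages score about 7.9


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_page(page: bytes) -> str:
    """erased / zeroed / high / low for one page."""
    if page.count(0xFF) == len(page):
        return "erased"
    if page.count(0x00) == len(page):
        return "zeroed"
    return "high" if shannon_entropy(page) >= HIGH_ENTROPY else "low"


def scan_dump(image: bytes, page_size: int = PAGE_SIZE):
    """Return [(page_index, class, entropy), ...] for every page in the image."""
    result = []
    for off in range(0, len(image), page_size):
        page = image[off:off + page_size]
        result.append((off // page_size, classify_page(page),
                       round(shannon_entropy(page), 2)))
    return result


def looks_encrypted(image: bytes, page_size: int = PAGE_SIZE) -> bool:
    """True when every written (non-erased, non-zeroed) page is high-entropy.

    A plaintext bootloader leaves at least one low-entropy page, so an image
    that passes this test has nothing readable in front of the payload."""
    written = [c for _, c, _ in scan_dump(image, page_size)
               if c not in ("erased", "zeroed")]
    return bool(written) and all(c == "high" for c in written)


def _pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic random-looking bytes (SHA-256 in counter mode) standing in
    for ciphertext. Constructed test data, not bytes from the real dump."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


# Constructed images (assumptions, not the real dump). PLAIN_IMAGE mimics an
# unencrypted bootloader page (ASCII banner plus zero padding) followed by a
# random-looking payload and an erased page; CIPHER_IMAGE is random-looking
# in every written page, which is what a full-image cipher produces.
PLAIN_IMAGE = (b"U-Boot-style banner / version strings\x00".ljust(PAGE_SIZE, b"\x00")
               + _pseudo_random(PAGE_SIZE, b"payload")
               + b"\xff" * PAGE_SIZE)
CIPHER_IMAGE = _pseudo_random(PAGE_SIZE * 2, b"cipher") + b"\xff" * PAGE_SIZE


def print_map(image: bytes) -> None:
    """Print one line per page: index, class, entropy."""
    for idx, cls, ent in scan_dump(image):
        print(f"page {idx:5d}  {cls:7s}  {ent:.2f} bits/byte")


if __name__ == "__main__":
    for name, img in (("plain", PLAIN_IMAGE), ("cipher", CIPHER_IMAGE)):
        print(f"== {name}: looks_encrypted={looks_encrypted(img)}")
        print_map(img)
```

To run it against a real dump, replace the constructed image with the file contents (open("dump.bin", "rb").read()); if the dumper kept the spare area, slice each page_size + oob_size chunk down to its first page_size bytes before scanning. A compressed kernel behind a plaintext U-Boot produces a low-entropy prefix followed by high-entropy pages, which is the pattern PLAIN_IMAGE reproduces and looks_encrypted correctly rejects; only an image with no such prefix supports the "encrypted from page zero" reading.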