Haxorware Forums
Arris TG2492 (VM Super hub 3) - Printable Version

+- Haxorware Forums (http://www.haxorware.com/forums)
+-- Forum: General (http://www.haxorware.com/forums/forumdisplay.php?fid=6)
+--- Forum: Modems (http://www.haxorware.com/forums/forumdisplay.php?fid=7)
+--- Thread: Arris TG2492 (VM Super hub 3) (/showthread.php?tid=6860)

Pages: 1 2 3 4 5 6 7 8 9 10 11


RE: Arris TG2492 (VM Super hub 3) - blacklisted - 19-04-2019

@emantec or elbarto Please confirm

does your sh script get put into folder nvram/0/ ? if so please explain does this path auto run any files in this folder.

and where would i put vmtool binary.

if i put VMTOOL and sh script into path /etc/scripts/ then how is you sh script run?

i asked for understanding. and i noticed that /nvarm/0/ has file that runs script sys_startup.sh are you asking we edit this file?

Please can you answer this and how your script would run what invokes it ?

Thank you


RE: Arris TG2492 (VM Super hub 3) - emantec - 19-04-2019

(19-04-2019, 10:16 AM)blacklisted Wrote: @emantec or elbarto Please confirm

does your sh script get put into folder nvram/0/ ? if so please explain does this path auto run any files in this folder.

and where would i put vmtool binary.

if i put VMTOOL and sh script into path /etc/scripts/ then how is you sh script run?

i asked for understanding. and i noticed that /nvarm/0/ has file that runs script sys_startup.sh are you asking we edit this file?

Please can you answer this and how your script would run what invokes it ?

Thank you

As I said 

"On boot it checks for the script /nvram/0/sys_setup.sh and runs if it exists" 

If that script already exists then I assume you're not using a virgin media modem and your provider has modified the firmware further. In that case just compare the scripts and merge them.

If you read the script it's pretty obvious where the tool should go. 
With that said if your firmware is different your nvram values may also be different.


RE: Arris TG2492 (VM Super hub 3) - blacklisted - 19-04-2019

its VM same SH 3

all i request is should i put your script and vmtool in the scripts dir? i have put /etc/scripts/ there must be something

thas why i would like to confim if i am correct.

its sys_startup.sh that exists not sys_setup


Thanx


I am leaving this here for the moment as others can read who may ask similer question.

i will come and report back and edit once i get going


RE: Arris TG2492 (VM Super hub 3) - guti - 19-04-2019

(02-03-2019, 12:06 PM)danman Wrote: I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/uploads/2019/03/router-upc-pinout-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract, e.g. via dd:


Code:
dd if=/dev/sdc of=dump.dd bs=1M


Hello, with the transcend TS-RDF5K, SD or microSD breakout board is it possible to extract the complete dump?


RE: Arris TG2492 (VM Super hub 3) - blacklisted - 19-04-2019

yes


RE: Arris TG2492 (VM Super hub 3) - blacklisted - 20-04-2019

(19-04-2019, 10:44 AM)blacklisted Wrote: its VM same SH 3

all i request is should i put your script and vmtool in the scripts dir? i have put /etc/scripts/ there must be something

thas why i would like to confim if i am correct.

its sys_startup.sh that exists not sys_setup


Thanx


I am leaving this here for the moment as others can read who may ask similer question.

i will come and report back and edit once i get going

ok this has worked perfect need to have modem connected and mount nvram from that


RE: Arris TG2492 (VM Super hub 3) - blacklisted - 21-04-2019

(12-04-2019, 07:27 PM)emantec Wrote: Adding to elbarto's post on enabling telnet you can do the following to bypass the pwod by setting the 'client' password (assuming the client is actually Virgin Media in this case).

In /nvram/6/1 set the following at address 0x1F7

BC AE 6A 68 38 32 4B 18

This will set the password to 'pwned' giving you access to the higher privileged shell (still need to work out how to break into busybox).

(16-04-2019, 12:07 PM)emantec Wrote: Upon some further research it seems their shell is very locked down and there's no way to break out of it. With that said I did find a extremely easy command injection exploit.
Although it was helpful it's not actually needed to unlock the system, you can do that simply from the NVRAM.

On boot it checks for the script /nvram/0/sys_setup.sh and runs if it exists, I put together a script that runs some code I compiled to enable telnet on every boot, set the client password and set the permissions to the maximum level so you can access all the restricted commands from the restricted shell. You can access pretty much everything from there, even the Intel cpu:

   
Code:
[  6] Atom> help
help

Directory Commands ->

      manuf : <DIR> Manuf
     status : Show Modem Status
     !reset : Reset Modem
     system : Run shell command
       help : Display commands
    !logout : Disconnect telnet/SSH
       quit : Quit the Atom CLI

Type '<cmd> ?' for available help.

Return Status: 0

[  7] Atom> manuf
manuf
[  8] Manuf> help
help

Directory Commands ->

     ccTest : Dummy Cable Card Test
boottimeout : Set CEFDK boot timeout
     macset : Set Atom MAC address
loadFromUSB : Load Inactive Bank from USB
 sectorInfo : Show sector info
     status : Show Modem Status
     !reset : Reset Modem
     system : Run shell command
       help : Display commands
    !logout : Disconnect telnet/SSH
       quit : Quit the Atom CLI

Type '<cmd> ?' for available help.

Return Status: 0

[  9] Manuf>


I've uploaded my script, source and binary here if people want to use it, enjoy.

https://mega.nz/#!g8lTiSbD!mC4J8cFBo38VvIDDbnHcM4Cxo-tCPpNZRwaLrq6s-
can you please confirm that the pass word is "pwned" as i have tryed but not letting me in.  the script working as i see the following in serial console at boot

Code:
vm_printf("********** Initializing Telnet **********\n");
    
    vm_printf("******* Disabling Telnet timeout ********\n");
    

    vm_printf("******* Setting Client Password ********\n");
     clientpass[8] = { 0xBC, 0xAE, 0x6A, 0x68, 0x38, 0x32, 0x4B, 0x18 };
    

    
        
            vm_printf("******* Setting Max Priviledges ********\n");
password is as u hve set . what is wrong is the script writting to this area


RE: Arris TG2492 (VM Super hub 3) - emantec - 21-04-2019

[quote pid='36556' dateline='1555826524']

can you please confirm that the pass word is "pwned" as i have tryed but not letting me in.  the script working as i see the following in serial console at boot
[/quote]
If it's not working for you then try rebooting, if it still doesn't work then something else is wrong. 
If you're seeing the output in the console then maybe your database is different and your password is stored elsewhere. You'll need to dump your firmware and check arris_password.


RE: Arris TG2492 (VM Super hub 3) - elbarto - 21-04-2019

(16-04-2019, 12:07 PM)emantec Wrote: With that said I did find a extremely easy command injection exploit.

Could you please share any tip about it?


RE: Arris TG2492 (VM Super hub 3) - blacklisted - 22-04-2019

(21-04-2019, 12:59 PM)emantec Wrote: [quote pid='36556' dateline='1555826524']

can you please confirm that the pass word is "pwned" as i have tryed but not letting me in.  the script working as i see the following in serial console at boot
If it's not working for you then try rebooting, if it still doesn't work then something else is wrong. 
If you're seeing the output in the console then maybe your database is different and your password is stored elsewhere. You'll need to dump your firmware and check arris_password.
[/quote]

i have flashed your firmware and tryed with that.

can you give where the arris pawword would be stored. nvram 6/1

or?