Haxorware Forums General Modems v
Arris TG1672G - NAND chip swap

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Threaded Mode
Arris TG1672G - NAND chip swap
Eugene@ Offline
Junior Member
**
Posts: 5
Threads: 2
Joined: Mar 2021
Reputation: 0
#1
14-03-2021, 09:33 PM
Hi guys,

My old Arris TG1672G has an undocumented feature: it gives me two public IP addresses. Newer modem that I can get from my ISP give me only one IP address.
Unfortunately my old Arris TG1672G is almost dead, it reboots and freezes all the time.

How can I transplant the identity of my current modem to a different motherboard that I got from ebay ?

I swapped NAND chip, but it doesn't work.
Where is the NAND encryption key stored ?
What else do I need to swap besides NAND chip ?

If the encryption key is stored in CPU (like in xbox 360 for example), that's a bummer...
Find
Reply
BTC Offline
Junior Member
**
Posts: 19
Threads: 1
Joined: Aug 2018
Reputation: 3
#2
15-03-2021, 12:58 AM
(14-03-2021, 09:33 PM)Eugene@ Wrote: Hi guys,

My old Arris TG1672G has an undocumented feature: it gives me two public IP addresses. Newer modem that I can get from my ISP give me only one IP address.
Unfortunately my old Arris TG1672G is almost dead, it reboots and freezes all the time.

How can I transplant the identity of my current modem to a different motherboard that I got from ebay ?

I swapped NAND chip, but it doesn't work.
Where is the NAND encryption key stored ?
What else do I need to swap besides NAND chip ?

If the encryption key is stored in CPU (like in xbox 360 for example), that's a bummer...

1672 nand is not encrypted.
NAND swap should work fine.
you fucked up the swap, probably.
Find
Reply
Eugene@ Offline
Junior Member
**
Posts: 5
Threads: 2
Joined: Mar 2021
Reputation: 0
#3
15-03-2021, 01:43 AM
(15-03-2021, 12:58 AM)BTC Wrote:
(14-03-2021, 09:33 PM)Eugene@ Wrote: If the encryption key is stored in CPU (like in xbox 360 for example), that's a bummer...

1672 nand is not encrypted.
NAND swap should work fine.
you fucked up the swap, probably.

It could be that I screwed up, I have some experience soldering TSOP 48 though.

Are there any security features preventing TG1672G from cloning ?


How do I copy NAND to a new chip ? Every time I read NAND content it doesn't match the previous dump. Random errors here and there.
Data only dump: 128MB (131,072 KB)
Full dump: 132MB (135,168 KB)

Is it possible to correct those errors manually by dumping multiple times ? There are not too many of them, about 20...30

NAND chips are different
Spansion: s34ml01g200tfi00

I soldered it to the board replacing
Macronix: mx30lf1g18ac-ti

but they should be compatible and swappable.
Find
Reply
BTC Offline
Junior Member
**
Posts: 19
Threads: 1
Joined: Aug 2018
Reputation: 3
#4
21-03-2021, 07:10 PM (This post was last modified: 21-03-2021, 07:12 PM by BTC.)
(15-03-2021, 01:43 AM)Eugene@ Wrote:
(15-03-2021, 12:58 AM)BTC Wrote:
(14-03-2021, 09:33 PM)Eugene@ Wrote: If the encryption key is stored in CPU (like in xbox 360 for example), that's a bummer...

1672 nand is not encrypted.
NAND swap should work fine.
you fucked up the swap, probably.

It could be that I screwed up, I have some experience soldering TSOP 48 though.

Are there any security features preventing TG1672G from cloning ?


How do I copy NAND to a new chip ? Every time I read NAND content it doesn't match the previous dump. Random errors here and there.
Data only dump: 128MB (131,072 KB)
Full dump: 132MB (135,168 KB)

Is it possible to correct those errors manually by dumping multiple times ? There are not too many of them, about 20...30

NAND chips are different
Spansion: s34ml01g200tfi00

I soldered it to the board replacing
Macronix: mx30lf1g18ac-ti

but they should be compatible and swappable.

"Are there any security features preventing TG1672G from cloning ?"
no, there is none.

"NAND chips are different"
you cannot do a cross-MFG NAND clone. the NAND must be identical
the Phison manages different NANDs differently, they are not compatible.


"Random errors here and there."
random errors are normal for NANDs, it has no problems correcting these as long as your NAND is compatible
Find
Reply
bx8055 Offline
Haxorware Enthusiast
***
Posts: 32
Threads: 0
Joined: Apr 2017
Reputation: 2
#5
29-07-2021, 01:41 AM
anyone share tg1672g full dump for me . thank you !
Find
Reply
Eugene@ Offline
Junior Member
**
Posts: 5
Threads: 2
Joined: Mar 2021
Reputation: 0
#6
28-12-2024, 09:35 AM (This post was last modified: 30-12-2024, 09:38 AM by Eugene@.)
   
(15-03-2021, 12:58 AM)BTC Wrote: 1672 nand is not encrypted.
NAND swap should work fine.
you fucked up the swap, probably.

No, I didn't fuck up. It turned out there are at least two versions of NAND dumps that are not compatible. As per my observations BOOTR or Bootcode Version must match. So far I've seen 2.2.0.27 and 2.2.0.45  You can't swap NAND from 27 to 45 and vice versa. From what I can tell looking at spare area (OOB) patterns those two have different ECC algorithms.
Now the question is where this bootcode is stored? I was always thinking that ECC algorithm is implemented on NAND controller. I see Phison chip there, either ps7000-0 or ps8211-0. I see people in the other threads of this forum connected to Phison controller and got a clean dump. So maybe I didn't have to mess with NAND directly.

summary:
1. Different Phision uses different ECC algorithm
2. If modem's web ui reports BOOTR: 2.2.0.27 then Phison ps7000-0 is used, if 2.2.0.45 then ps8211-0
3. NAND mfg doesn't matter, I tested s34ml01g200tfi00, mx30lf1g18ac-ti and tc58nvg0s3hta00, only Phision and bootcode matters, it should be the same, then you can swap NAND without any problem
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)