Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Netgear test thread
#1
Just a thread where I can hopefully either find or kick start someone else into figuring out whatever need's sussed.. for instance:

When I wrote that crap on cw, it was as good as two years ago.. but worked. Lateley, I have noticed some cause and effect of what I wrote, like how suddenly modem revert's to default/manufacturer setting's.. no it dont, but it revert's to something.. So on a 480, I loaded the netbeer version of netgear firmware, and I have another two netgear firmware, 1 from sbh, and 1 from foro.. also in virgin firmware, the following is now aparent.

These modem's now seem to reset whenever 'kicked', and I dont just mean a reset, or reset to factory, but they defo reset, ALL setting's, and if you say load a foro negear firmware onto a virgin, the foro becomes the default even after re-flashing a virgin. When you test a mac in the virgin and it is kicked, modem revert's to foro setting's, and here's the kicker, vice versa!!!!

What was your factory key changed to by whatever setting's bin you used from cw, as changed by those who never told you that you should NOT change these factory key password's? Why not? Because now when you test many other firmware's and their upgraded setting's.cfg/.bin..??

You most likely dont have the origional key to change the default settings in perm. So when the reset kicks in, you'll know why suddenly the wifi security has bits greyed out, the plan, ie US/EU wifi settings also unchangable..

When the number is kicked, EVERYTHING in non-vol is reset to what appear's to be default setting's, as this survive's across reset's, reboot's, and even re-flashing 8mb dumps.

Which bring's me to finalise with this: Back in the old days on sbh, people disagreed with me when I asked for the entire chip to be copied, not just the 2mb of the 8mb flash.. today, these chip's are hitting 256mb, yet we're still only copying 2 of 8mb.. most wont know the new security is built the same as the uefi bios's, ie 2 bios's, one hardcoded, and I believe this is what the extra space is in these netgears, a hardcopy of the origional modem's ISP setting's, we can change them, but after every mac fail, these WILL be reset, even if it's not hit you yet.

With regard's to newer 485's, and 490's, I highly suspect there is a hardcoded copy of firmware, which would explain why andy m could change mac's but not get it to stick.. ah, that magic mirror.. again..

Please feel free to chip in with any diagnosis as opposed to can I do this or that, what can we come up with?
Reply
#2
hehe, wait until you see the secure boot on some modems, I posted a fw for a modem that supports secure boot via atom/uefi, that will be REAL fun. thankfully they left the modems open to the net and you can even make the SNMP queries on their stupid fucking web 5.0 fucking bullshit interface.

have you decompiled the firmware image and looked at the uboot startup script? lots of fuckery goes on in there (disabling serial output, firmware checking etc), as some run this firmware called OpenRG, where your modem actually downloads the firmware and runs it to ram.

Could you shoot me a PM with the firmware images you have of Puma5 RG/Modems, esp the newer 480s', I believe they are the same as a netgear/smc 8x4 hardware wise? I'll take a look and see whats going on when i have time.
hehe, wait until you see the secure boot on some modems, I posted a fw for a modem that supports secure boot via atom/uefi, that will be REAL fun. thankfully they left the modems open to the net and you can even make the SNMP queries on their stupid fucking web 5.0 fucking bullshit interface.

EX: "Start download image from Scorpion...*** Running from RAM partition @0x87000000"
EX: "checking section 3... ok: 'Image downloaded from: https://213.60.177.100:550/firmwares/ope..._32.rms?ua"

but no one will post images of the firmwares, its not possible without seeing puma5 firmware images whats going on really.. and a good debugger.

as for the settings reverting, its because many reasons. nvram offsets and shit that goes on when you mix and match firmwares, sometimes you gotta zero the ENTIRE Flash chip, and reload your bin. example: i've put a 6141 firmware on a ubee modem, and when i booted into the ubee firmware, changed macs, and such it was fine, then booted into the 6141 firmware and it had stock macs and all, so i cleared that, then it fucked up the ubee image and the ubee image detected this and set it to boot back into the 6141 image and all sorts of fuckery.

Could you shoot me a PM with the firmware images you have of Puma5 RG/Modems, esp the newer 480s', I believe they are the same as a netgear/smc 8x4 hardware wise? I'll take a look and see whats going on.

for example: take this uboot sourcecode:
https://github.com/duyunfu/U-boot/blob/m....2.0/notes
Code:
LINUX boot related stuff
           -------------------------
           - When CONFIG_SILENT_CONSOLE is defined, all console messages (by
             U-Boot and Linux!) can be silenced with the "silent" environment
             variable.  See doc/README.silent for more information.
they silenced the output, but were too dumb too silence the input... so you can either dump the nvram and hexedit silent out, some also skip the uboot boot to cmd line sequence all together, then you gotta modify the uboot or figure out how to glitch it into a shell.. there are also variables for skipping the option to drop to console but still outputting uboot serial console.


ps; i am bad at forums, somehow my post got edited and doubled its self and did all sorts of wacky shit.
Reply
#3
Looks like some real fuckery is going on in your post....
Reply
#4
For netgear firmware's, just type netbeer, or go to sbh, there are a couple there, I wont release my own compiled firmware (my first compiling test) as I dunno if it's my firmware, or the isp's messing with it, but until I know, I'll keep mine close to my chest.. I believe adz1100 also posted a version on sbh/cable-wizard's, and since I'm now gladly about to attempt some ubee work.. netgears are taking a back seat, not to say I'm dumping netgear's, though I wish I could, pity folks wont tell virgin before signing up that they want normal fuckin modems, not these shitty excuse's for crap box's.. not everyone wants wifi..
Reply
#5
nice post CM
Reply
#6
Thanks andy, pray tell me auld chap, dya happen to know of the isp pin for ubee e08c015t02 (VMNG300v2, model edm3582)? Thanks in advance Smile
Reply
#7
VMNG 300 V2 there isnt an isp had to use pin 2 to 3.3 or 5v power the chip up done this fews years ago
Reply
#8
(22-06-2015, 08:45 PM)andy m Wrote: VMNG 300 V2 there isnt an isp had to use pin 2 to 3.3 or 5v power the chip up done this fews years ago

I was just hookin up a 5v power supply, after testing the 3.3 Smile Thank's though

As for dadviddds, re:atom/uefi, I have succesfully done the speedracer hack on a dell 6430u bios, using a script that can be found online to decode the uefi bios, I'm sure with modification, it could decode these supposed secure firmware's of ours.. after all, isnt a bios update, just firmware itself? I'll search my files for the decoder, it auto search's offset's etc to find correct decompression to decompile, since I have only wifi hacking skills etc from backtrack, I aint a computer language programmer, am all hardwire Wink
Reply
#9
whta exactly are ya doing on a vmng 300 lol a want in on info aswell
Reply
#10
lol, well, quite simply I intend to test the script I posted, race you to it?
Reply


Forum Jump:


Users browsing this thread: 5 Guest(s)