08-07-2011, 11:59 AM
(08-07-2011, 11:03 AM)drewmerc Wrote: just wait till you end up with a computer without a printer port, you end up with a choice of buying a usbjtag or building your own, i built my own damn it was hard but fun (tho now i'd say buy a bus blaster greatest usb jtag/spi thing out there)
anyways why i'm a writing and now working on your dump i'm having my 3rd smoke and a brew (i smoke alot when thinking)
as i dont beleave usbjtag will extract the cfg i tryed will a proper dump as well and the cfg showed up as blank
but looking at the hex i'm sure it's there so after my smoke i'll try ripping it manually
yep it's there, in ghex(sorry linux user) is your dump and in usbjtag(nonvol tab) is a 5101 2mb dump
so i look for a key part of the dump that exists in all nonvols "CMAp" and if you scroll down you'll see "FACT" then scroll some more and you'll see the first config
working out how to extract the config means looking at a 5101 dump and counting up from CMAp to the start then doing the same in you dump and cutting it out to the same size (that sounds a lot more complicated than what it is)
so now i know it's possible to extract the config and extract the certs (but you already have them) as for activating factory mode you could extract the config flash to an haxor modem and activate factory mode dump it and copy paste it back (no idea about this bit)
anyways i got to go to work running late now cause i was having fun (also i think theres more than 1 nonvol in your dump)
dont want to go to work i want to play
Thanks so much, you know I checked over at surfboard hack forum ,and some guy said he dumped the entire flash memory on a 5101 about 8Mb and people where saying this to him ..
Quote: On a 5101 the 8m is the RAM of the modem, not the flash. Once the modem is powered up the CPU will first read the bootloader from the flash memory then it uncompresses the firmware from the 2m flash into the 8meg ram area of the modem and starts working with it. This is dynamic memory so as soon as the modem is powered off it is "erased"
So needless to say if you took the 8meg dump from one modem and them put it to the next modem as soon as you power cycle the modem poof it's gone! So anyone that is telling you that the 8meg dump from the ram of a modem is useful for flashing to another modem is on crack.
Most "bricks" are caused by a corrupted/wrong bootloader on the flash chip the modem CPU reads bad info and then "crashes" and then the Jtag commands don't work on the CPU to read and write to the flash chip.
So there's something I don't quite get is the firmware stored in this MX SPI flash chip? cause I saw near the BCM there's another memory chip but it's only RAM DDR from winbond.
thanks for the hexdumpand stuff, I still don't get what should I do to get the non-vol extract it I mean.. cause the app to extract the certs like you saw extracted something.. but dropped lot's of errors.. we'll keep in touch when you come back.. ll8rz