Posts: 17
Threads: 2
Joined: Apr 2014
Reputation: 0
Thank you...
Now everything is getting clearer... So if I get the MAC and certs from the 5100 and upload them to the 6120, everything should work fine. But as I understood, the ISP can see that I'm using forceware, so it's better to use the original firmware and upload the cert there and change the MAC and serial. Bad that I don't have serial in my modem (new board release), so I can't connect to the original firmware and upload certs and change the MAC. As I know there is also an alpha 1.1 firmware with SSH enabled; can I use that one to change the MAC and upload certs? A new modem from the ISP costs $100. I want to make the one I have work, and I also have the serial and MAC of the 5100 registered on the ISP side; they charge for changing this info. They can't know by cert and MAC what model I'm using, 5100 DC1.0 or 6120 DC3.0?
The ISP can only see what I'm using by name? They have no access to the modem? I upload certs, change MAC and serial, wait till the ISP tries to push firmware, use that name and that's all?
Is there any easier software way to grab certs from the 5100, or can I do it only by unsoldering the flash, taking a full dump and extracting them from there with sbtools, or by using JTAG?
I will try it today... Thanks for the help... Regarding Firmware Alpha 1.1, did you ever use it? Is it the original with some modifications?
08-07-2015, 01:26 AM
(This post was last modified: 08-07-2015, 01:34 AM by -=xXx=-.)
I checked: I have a 5101 modem and its flash isn't SPI x25, so I can't back it up with the programmer that I have. Is there any possibility to dump the flash without using JTAG or a programmer?
Thanks.
Posts: 386
Threads: 21
Joined: May 2015
(07-07-2015, 02:53 PM)-=xXx=- Wrote: Thank you...
Now everything is getting clearer... So if I get the MAC and certs from the 5100 and upload them to the 6120, everything should work fine. But as I understood, the ISP can see that I'm using forceware, so it's better to use the original firmware and upload the cert there and change the MAC and serial. Bad that I don't have serial in my modem (new board release), so I can't connect to the original firmware and upload certs and change the MAC. As I know there is also an alpha 1.1 firmware with SSH enabled; can I use that one to change the MAC and upload certs? A new modem from the ISP costs $100. I want to make the one I have work, and I also have the serial and MAC of the 5100 registered on the ISP side; they charge for changing this info. They can't know by cert and MAC what model I'm using, 5100 DC1.0 or 6120 DC3.0?
Depends what the cert is from. They definitely know which modem you are using, as in hardware, despite the spoof; it's the equipment that has no brain. Yes, you can use SSH-enabled firmware. All you really need to do with the 6120 is load a bootloader that can drop you to a shell (SSH) and away you go. It's a steep learning curve, but worth it.
I tried to create noise on the serial interface, but the maximum I could get was:
pppppppCurrent time is 01/01/1970 00:00:00
Current free space on the heap is 3428176
I can't get any further... Maybe there is another way to grab certs from the 5101...
08-07-2015, 11:31 PM
(This post was last modified: 08-07-2015, 11:41 PM by Canis-Major.)
I know of at least 10 specific ways to grab certs from any modem. Personally, I even went as far as inputting each digit by hand in the BPI section years ago, before any of the apps came out; now that's hardcore.
I'll post a quick how-to for ya; best learn the longest way first, pmsl.
/non-vol/bpi/change_key public <- BPI Public Key
/non-vol/bpi/change_key private <- BPI Private Key
/non-vol/bpi/change_key root <- BPI+ Root Public Key
/non-vol/bpi/change_key cm_cert <- BPI+ CM Certificate
/non-vol/bpi/change_key ca_cert <- BPI+ CA Certificate (this is the manufacturer's CVC found in the downloaded config file!!)
/non-vol/bpi/code_access 30 30 30 31 30 31 30 30 30 30 30 30 | 000101000000 <- hax defaults (why half of you can't get on!!)
/non-vol/bpi/cvc_access 30 30 30 31 30 31 30 30 30 30 30 30 | 000101000000 <- hax defaults (why half of you can't get on!!)
Vermin configs have: 30 31 30 39 32 35 30 30 30 30 30 30 | 010925000000 <from d11 10/10
31 33 30 39 32 34 32 33 35 39 35 39 | 130924235959 <from d11 10/10
Latest Moto Ca_Cert has 30 31 30 37 31 31 30 30 30 30 30 30 | 010711000000
32 31 30 37 31 30 32 33 35 39 35 39 | 210710235959
Note: these numbers are NOT found in 76-byte configs.
As an example:
Code Access Start[0] [0 (0x0)] 0x30 Return
Code Access Start[1] [0 (0x0)] 0x31
Code Access Start[2] [0 (0x0)] 0x30
Code Access Start[3] [0 (0x0)] 0x37
Code Access Start[4] [0 (0x0)] 0x31
Code Access Start[5] [0 (0x0)] 0x31
Code Access Start[6] [0 (0x0)] 0x30
Code Access Start[7] [0 (0x0)] 0x30
Code Access Start[8] [0 (0x0)] 0x30
Code Access Start[9] [0 (0x0)] 0x30
Code Access Start[10] [0 (0x0)] 0x30
Code Access Start[11] [0 (0x0)] 0x30
The above is the same way to manually insert certs in the BPI section.
Who needs a shitty app... I do, after doing that by hand..
PS, if ya need more volume..
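The code_access / cvc_access values and the ca_cert validity bytes listed in the post above are just ASCII digits written out as hex bytes. The script below is an added example (not from the poster or any tool named in the thread) that decodes both the "30 30 30 31 ..." hex form and the "Code Access Start[i] [0 (0x0)] 0xNN" dump form back into the 12-digit string, interprets it as a YYMMDDHHMMSS timestamp (the two-digit-year cutoff of 50 is an assumption borrowed from X.509 UTCTime), and checks whether a given date falls inside a start/end window. The sample values are copied from the post; the "Code Access Start" dump block is constructed to match the post's layout.

```python
"""Decode BPI code_access / cvc_access timestamps from the two
listing formats shown in the post, and check validity windows.
Added example; not code from the original post."""
import re
from datetime import datetime, timezone

# Samples copied from the post (hex-byte form, space separated).
CODE_ACCESS_HAX = "30 30 30 31 30 31 30 30 30 30 30 30"   # 000101000000
VERMIN_START = "30 31 30 39 32 35 30 30 30 30 30 30"      # 010925000000
VERMIN_END = "31 33 30 39 32 34 32 33 35 39 35 39"        # 130924235959
MOTO_CA_START = "30 31 30 37 31 31 30 30 30 30 30 30"     # 010711000000
MOTO_CA_END = "32 31 30 37 31 30 32 33 35 39 35 39"       # 210710235959

# Constructed sample in the per-byte dump layout the post uses.
DUMP_SAMPLE = """\
Code Access Start[0] [0 (0x0)] 0x30 Return
Code Access Start[1] [0 (0x0)] 0x31
Code Access Start[2] [0 (0x0)] 0x30
Code Access Start[3] [0 (0x0)] 0x37
Code Access Start[4] [0 (0x0)] 0x31
Code Access Start[5] [0 (0x0)] 0x31
Code Access Start[6] [0 (0x0)] 0x30
Code Access Start[7] [0 (0x0)] 0x30
Code Access Start[8] [0 (0x0)] 0x30
Code Access Start[9] [0 (0x0)] 0x30
Code Access Start[10] [0 (0x0)] 0x30
Code Access Start[11] [0 (0x0)] 0x30
"""

# "<name>[<idx>] [<old value>] 0x<new byte>", trailing text ignored.
_DUMP_LINE = re.compile(
    r"^\s*([A-Za-z_ ]+?)\[(\d+)\]\s+\[[^\]]*\]\s+0x([0-9A-Fa-f]{2})")


def hex_bytes_to_ascii(listing: str) -> str:
    """'30 30 30 31 ...' -> '0001...' (each hex byte is one ASCII digit)."""
    return bytes.fromhex(listing.replace(" ", "")).decode("ascii")


def parse_dump(text: str) -> dict:
    """Collect per-index bytes for each field name in a dump and
    rebuild the ASCII string; indices must be contiguous from 0."""
    fields: dict = {}
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        name, idx, val = m.group(1).strip(), int(m.group(2)), int(m.group(3), 16)
        fields.setdefault(name, {})[idx] = val
    out = {}
    for name, by_idx in fields.items():
        if sorted(by_idx) != list(range(len(by_idx))):
            raise ValueError(f"{name}: missing or duplicate indices")
        out[name] = bytes(by_idx[i] for i in range(len(by_idx))).decode("ascii")
    return out


def parse_utctime(digits: str) -> datetime:
    """YYMMDDHHMMSS -> aware UTC datetime. Assumption: years < 50 are 20xx,
    otherwise 19xx (the X.509 UTCTime convention)."""
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError(f"expected 12 ASCII digits, got {digits!r}")
    yy = int(digits[0:2])
    year = 2000 + yy if yy < 50 else 1900 + yy
    return datetime(year, int(digits[2:4]), int(digits[4:6]),
                    int(digits[6:8]), int(digits[8:10]), int(digits[10:12]),
                    tzinfo=timezone.utc)


def window_from_hex(start_hex: str, end_hex: str):
    """Decode a (start, end) pair given in the post's hex-byte form."""
    start = parse_utctime(hex_bytes_to_ascii(start_hex))
    end = parse_utctime(hex_bytes_to_ascii(end_hex))
    if end < start:
        raise ValueError("window end precedes start")
    return start, end


def in_window(start: datetime, end: datetime, when: datetime) -> bool:
    return start <= when <= end


if __name__ == "__main__":
    for label, pair in {"Vermin": (VERMIN_START, VERMIN_END),
                        "Moto CA": (MOTO_CA_START, MOTO_CA_END)}.items():
        s, e = window_from_hex(*pair)
        print(f"{label}: {s.isoformat()} .. {e.isoformat()}")
    print("dump:", parse_dump(DUMP_SAMPLE))
```

Run stand-alone it prints both windows and the decoded dump. Decoded this way, the "Vermin" window ends on 2013-09-24 and the Moto CA window runs 2001-07-11 to 2021-07-10, which is why a modem carrying the 000101000000 defaults and one carrying a CA-derived start value behave differently when a config is pushed, as the post points out.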
You showed a way to grab certs when you have a dump of the cfg, a full backup or the non-vol. In my case I don't have this, so my question was whether there is any way to grab them without having JTAG.
Yesterday I found an old IBM with LPT in my storage and made an LPT cable with 100 Ohm resistors, but I couldn't make JtagUtility_v1.3 connect to it; it simply doesn't see the device. As I understood, I need to solder pins to the JTAG interface, plug power into the modem and execute detect, and that's all... Are there any extra settings that need to be done?
Thanks.
I found another old machine and could get the certificates from the 5101; I will try them today on the 6120.