Thread Rating:
  • 1 Vote(s) - 1 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Just dumped a Arris TG862A, what next?
#11
(23-09-2014, 05:16 AM)sixteen Wrote: If you or talking a bout forceware it self, its not supported.
Ok, that's what I wanted to know.
Anyway, I managed to dump the firmware, extract the U-boot Multi File, extract the SquashFS partition (actually, both of them), patch /etc/inittab (replace the silly CLI with /bin/ash), re-pack everything and re-flash it, trace the UART port on the board and get a root shell. I'm getting there Smile
Now, time to sleep...
If someone's interested, I can document all the steps.
Cheers!

Ciaby
Reply
#12
(23-09-2014, 09:45 AM)ciaby Wrote:
(23-09-2014, 05:16 AM)sixteen Wrote: If you or talking a bout forceware it self, its not supported.
Ok, that's what I wanted to know.
Anyway, I managed to dump the firmware, extract the U-boot Multi File, extract the SquashFS partition (actually, both of them), patch /etc/inittab (replace the silly CLI with /bin/ash), re-pack everything and re-flash it, trace the UART port on the board and get a root shell. I'm getting there Smile
Now, time to sleep...
If someone's interested, I can document all the steps.
Cheers!

Ciaby

Can you explain how you did it?
Reply
#13
This arris firmware is a compleate junk. Not to mention they put their custom additions everywhere, theyve also added 2 password sets to protect the modem.
One of them is widely known arris password of the day, the second one is called a cm password.
Arris pwod can be generated using a public tool, but it seems they are now changing password seed, so the password u generate will not be valid. No biggie, all it does is that it gives you access to cm page with some technical info.
The other password is needed for accessing modems cli. Well, theres something to care about, like the ability to change mac address, right? After taking a quick look-the password is generated from modem serial number, then hashed at hmac function, then theres some byte shifting.
Since iam just lazy i just patched them both lol.

Btw, iam looking for some newer firmware revisions, like 2014 ones would be helpful.
Reply
#14
(08-01-2015, 11:27 PM)kapec Wrote: This arris firmware is a compleate junk. Not to mention they put their custom additions everywhere, theyve also added 2 password sets to protect the modem.
One of them is widely known arris password of the day, the second one is called a cm password.
Arris pwod can be generated using a public tool, but it seems they are now changing password seed, so the password u generate will not be valid. No biggie, all it does is that it gives you access to cm page with some technical info.
The other password is needed for accessing modems cli. Well, theres something to care about, like the ability to change mac address, right? After taking a quick look-the password is generated from modem serial number, then hashed at hmac function, then theres some byte shifting.
Since iam just lazy i just patched them both lol.

Btw, iam looking for some newer firmware revisions, like 2014 ones would be helpful.

i happen to have cm820a 2013 -2014 fermware just its on modem lol
Reply
#15
Thanks,
i need tg862 firmware, the other models wont work well because they dont support integrated ethernet switch :/
Reply
#16
(23-09-2014, 05:41 PM)pidiware Wrote:
(23-09-2014, 09:45 AM)ciaby Wrote:
(23-09-2014, 05:16 AM)sixteen Wrote: If you or talking a bout forceware it self, its not supported.
Ok, that's what I wanted to know.
Anyway, I managed to dump the firmware, extract the U-boot Multi File, extract the SquashFS partition (actually, both of them), patch /etc/inittab (replace the silly CLI with /bin/ash), re-pack everything and re-flash it, trace the UART port on the board and get a root shell. I'm getting there Smile
Now, time to sleep...
If someone's interested, I can document all the steps.
Cheers!

Ciaby
Can you help us to unpack/repack the modem firmware?
Can you explain how you did it?
Reply
#17
(22-09-2014, 05:06 PM)ciaby Wrote: Hi there! I'm very new to cable modem hacking. I just made a dump of the SPI flash inside a TG862A. Using binwalk and the firmware-mod-kit, I managed to extract the two filesystems. I also tried to modify /etc/passwd and point the root shell to /bin/sh, but of course it didn't work...
What's the next step? I got the full image, should I upload it somewhere?
Cheers

Ciaby Big Grin

can you send me the dumb... i want to extract it and see what i find... trying to find the oid to put them in factory via snmp.
Reply
#18
and they tried to put forceware?
Reply
#19
(08-01-2015, 11:27 PM)kapec Wrote: This arris firmware is a compleate junk. Not to mention they put their custom additions everywhere, theyve also added 2 password sets to protect the modem.
One of them is widely known arris password of the day, the second one is called a cm password.
Arris pwod can be generated using a public tool, but it seems they are now changing password seed, so the password u generate will not be valid. No biggie, all it does is that it gives you access to cm page with some technical info.
The other password is needed for accessing modems cli. Well, theres something to care about, like the ability to change mac address, right? After taking a quick look-the password is generated from modem serial number, then hashed at hmac function, then theres some byte shifting.
Since iam just lazy i just patched them both lol.

Btw, iam looking for some newer firmware revisions, like 2014 ones would be helpful.

Hello, i'm trying to get access to the busybox, but i need the password, could you share the chunk of code where is generated the password? (to see the algorithm) so i could generate the password from my modem's serial.
Reply
#20
(12-05-2016, 04:34 PM)joepanda Wrote:
(08-01-2015, 11:27 PM)kapec Wrote: This arris firmware is a compleate junk. Not to mention they put their custom additions everywhere, theyve also added 2 password sets to protect the modem.
One of them is widely known arris password of the day, the second one is called a cm password.
Arris pwod can be generated using a public tool, but it seems they are now changing password seed, so the password u generate will not be valid. No biggie, all it does is that it gives you access to cm page with some technical info.
The other password is needed for accessing modems cli. Well, theres something to care about, like the ability to change mac address, right? After taking a quick look-the password is generated from modem serial number, then hashed at hmac function, then theres some byte shifting.
Since iam just lazy i just patched them both lol.

Btw, iam looking for some newer firmware revisions, like 2014 ones would be helpful.

Hello, i'm trying to get access to the busybox, but i need the password, could you share the chunk of code where is generated the password? (to see the algorithm) so i could generate the password from my modem's serial.
Hi, I don't know the answer to what you're asking but since you were able to make the dump, can I ask you how you opened the modem in the first place? I've unscrewed all the screws I could see holding the modem, two upper corner screws and two screws on the bottom of the modem. I just can't seem to take the outter enclosure apart. I need to get to the internals to try to make a dump. Please provide some detailed guide and pictures do help me alot. Thanks fellow memebers.
Reply


Forum Jump:


Users browsing this thread: 16 Guest(s)