Netgear 490
#1
To andym, I say, even on sbh, they were completely wrong, just as they were on usbjtag.. believe it or not, you DID make a successful dump. And to show how much they know, ask them about 'layering' firmware images..

See, pin 8 we used to use, and it is here we see where you thought you fucked up.. I believe ubfi1 + 2 are INTENTIONALLY left blank, in order for the pin 7 to load ubfi1 + 2 into the bank at pin 8. If this does not happen, modem will not boot. This is the 'new' netgear security.. modem IS run from pin 8, pin 7 being the source at boot time of what goes into ubfi1+2.

I'll even go as far as say, that it's a puma 5 modem, running ecos. at least in the pin 8 bank.. because I booted using a 280, 480, and ubee, not to mention 6120 and 6141 bootloaders, boot is fine, but no matter what I change, unless I return it to stock, boot is halted, even when crc of either image is fine..

So right now, I have a dedicated worktop with a 485 hooked up awaiting that magic moment when the so called gurus chip in.. or someone throws a working console from mickmc68's post..

What's the bet, in supabooms, is the old netgear bug 'remote server only allows single user access' (if telnet, console, and web gui, are all active at same time) has been set so that if telnet/serial is accessed, gui is switched off, and may even be extended to - if pin 7 bank dont match pin 8 bank.. cant be done, see, pin 8 now only shows u-boot, and env1+2, env1+2 DONT match env1+2 in pin 7 flash..

Now would be a good time for senior devs to look into that mickmc68's file, because you're gonna wanna, knowing that all security from here is spread to the four winds.. Wink

Oh, and there are 3 flash banks, we can only see pin 7 and pin 8, boot log shows another Wink
Reply
#2
Thanks for the info CM if there is another bank but the xml is only show up of so much for the xml to be written
Reply
#3
Yeah, seems the dumb fucks that call themselves experts still think a full dump is 2mb.. it is, and always will be 4 x the size . usbjtagnt.. now why if it can read an 8 meg or 16, can't it do 64, 128? read the log you posted.. mine is different entirely, yet I can tell you flash from pin 8 is one mb in size. I'd go as far as say pin 8 IS the (ecos) bootloader that loads the pin 7 bank, in order for pin 7 to load pin 8 ubfi 1+2 with puma/whateverthefuckinlanguageis.

How to modify a non-vol when it aint been created, until it's got a public ip from isp?

U-Boot 1.2.0 (May 6 2013 - 15:14:41)
PSPU-Boot 1.0.20.1356

DRAM: 128 MB
Spansion S25FL129P flash found
Spansion S25FL129P flash found
Flash: 32 MB
In: serial
Out: serial
Err: serial
*** ACTIMAGE = 2, will try to boot UBFI2 stored @0x4c000000
## Executing script at 4c000000
============== Running script =========
*** Running from UBFI2 partition @0x4c000000
Load address = 0x4c002524 (0x2524)
Kernel address = 0x4c002570 (0x2570)
kernel size = 0x106690
FS address = 0x4c108c00 (0x108c00)
FS size = 0x6a1400
NVRAM offset = 0xfb0000
NVRAM size = 0x50000
*** UBFI2 bootscript executed successfully.
Start booting...
## Booting image at 4c002524 ...
Image Name: Multi Image File
Image Type: ARM Linux Multi-File Image (uncompressed)
Data Size: 8026780 Bytes = 7.7 MB
Load Address: 80a00000
Entry Point: 80a00000
Contents:
Image 0: 1074832 Bytes = 1 MB
Image 1: 6951936 Bytes = 6.6 MB
Verifying Checksum ... Bad Data CRC
*** UBFI2 is corrupted, try UBFI1...
## Executing script at 48040000
Bad magic number
Backup image also corrupted...exit.
=> ?

? - alias for 'help'
autoscr - run script from memory
base - print or set address offset
bdinfo - print Board Info structure
boot - boot default, i.e., run 'bootcmd'
bootd - boot default, i.e., run 'bootcmd'
bootm - boot application image from memory
bootp - boot image via network using BootP/TFTP protocol
cmp - memory compare
coninfo - print console devices and information
cp - memory copy
crc32 - checksum calculation
echo - echo args to console
erase - erase FLASH memory
eval - return addition/subraction
exit - exit script
flinfo - print FLASH memory information
go - start application at address 'addr'
help - print online help
icrc32 - checksum calculation
iloop - infinite loop on address range
imd - i2c memory display
iminfo - print header information for application image
imls - list all images found in flash
imm - i2c memory modify (auto-incrementing)
imw - memory write (fill)
inm - memory modify (constant address)
iprobe - probe to discover valid I2C chip addresses
itest - return true/false on integer compare
loadb - load binary file over serial line (kermit mode)
loads - load S-Record file over serial line
loady - load binary file over serial line (ymodem mode)
loop - infinite loop on address range
md - memory display
mm - memory modify (auto-incrementing)
mtest - simple RAM test
mw - memory write (fill)
nm - memory modify (constant address)
printenv- print environment variables
protect - enable or disable FLASH write protection
rarpboot- boot image via network using RARP/TFTP protocol
reset - Perform RESET of the CPU
run - run commands in an environment variable
saveenv - save environment variables to persistent storage
setenv - set environment variables
sleep - delay execution for some time
test - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
version - print monitor version
=> protect

Usage:
protect - enable or disable FLASH write protection

=> protect disable

Usage:
protect - enable or disable FLASH write protection

=> imls

Image at 4C000000:
Image Name: Boot Script File
Image Type: PowerPC Linux Script (uncompressed)
Data Size: 9444 Bytes = 9.2 kB
Load Address: 00000000
Entry Point: 00000000
Verifying Checksum ... OK
=> coninfo

List of available devices:
serial 80000003 SIO stdin stdout stderr
=>

(03-08-2015, 09:20 PM)andy m Wrote: Thanks for the info CM if there is another bank but the xml is only show up of so much for the xml to be written

Xml is wrong.

They should read the bloody boot script.

Ps, 2 x 32 = 64 x 2 = 128mb chip
Reply
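Editor's added example (not posted by anyone in this thread): a small Python check that the bootscript variables and the multi-image header in the U-Boot log from post #3 agree with each other, which is a quick way to see whether a dump's layout fields are self-consistent. The 64-byte legacy uImage header and the 4-byte-per-entry size table are standard U-Boot image format facts; the function names are made up for this example.

```python
import re
# Values copied from the U-Boot console log in post #3 (not a new capture).
BOOT_LOG = """\
Load address = 0x4c002524 (0x2524)
Kernel address = 0x4c002570 (0x2570)
kernel size = 0x106690
FS address = 0x4c108c00 (0x108c00)
FS size = 0x6a1400
NVRAM offset = 0xfb0000
NVRAM size = 0x50000
Data Size: 8026780 Bytes = 7.7 MB
Image 0: 1074832 Bytes = 1 MB
Image 1: 6951936 Bytes = 6.6 MB
"""
UIMAGE_HEADER = 64   # legacy U-Boot image header length in bytes
HEX = re.compile(r"^\s*([\w ]+?)\s*=\s*0x([0-9a-f]+)(?:\s+\(0x([0-9a-f]+)\))?", re.I)
DEC = re.compile(r"^\s*([\w ]+?):\s*(\d+)\s+Bytes", re.I)

def parse_fields(log):
    """Map lower-cased field name -> int; the partition-relative offset wins if printed."""
    fields = {}
    for line in log.splitlines():
        if m := HEX.match(line):
            fields[m[1].lower()] = int(m[3] or m[2], 16)
        elif m := DEC.match(line):
            fields[m[1].lower()] = int(m[2])
    return fields

def check_layout(f):
    """Cross-check the bootscript variables against the multi-image header."""
    images = [f[k] for k in sorted(f) if k.startswith("image ")]
    table = 4 * (len(images) + 1)   # one 32-bit size per image + zero terminator
    return {
        "kernel follows header and size table":
            f["kernel address"] == f["load address"] + UIMAGE_HEADER + table,
        "kernel size matches image 0": f["kernel size"] == images[0],
        "filesystem follows kernel":
            f["fs address"] == f["kernel address"] + f["kernel size"],
        "fs size matches image 1": f["fs size"] == images[1],
        "data size is table plus images": f["data size"] == table + sum(images),
    }

def image_end(f):
    """Offset of the first byte after the multi-image, relative to the partition."""
    return f["fs address"] + f["fs size"]

if __name__ == "__main__":
    for name, ok in check_layout(parse_fields(BOOT_LOG)).items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
```

All five checks pass for the posted values, so the "Bad Data CRC" in that log is not explained by mismatched offsets or sizes in the bootscript. The image ends at partition offset 0x7aa000, and NVRAM offset plus NVRAM size comes to 0x1000000.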
#4
do ya think you can get telnet on 485 or 490
Reply
#5
Well, as previously mentioned, I aint a programmer, I can flash shit till I'm blue in the face, but without a starting point, or an alternative cg4000 firmware? We need the cg4000 firmware from netgear built.
Reply
#6
you talk an awful lot of shit about developers and don't know what the fuck you're talking about yourself

Spansion S25FL129P flash found
Spansion S25FL129P flash found
Flash: 32 MB

it detects two S25FL129P flashes because it's using a 256MiB single flash chip in compatibility page mode, therefore it looks like two 128mbit flash chips.

it's funny, looking at the 2nd bank's entropy data shows nothing but nvram type data.

since you're not a programmer, what exactly are you, a fluffer?
Reply
#7
A mathematician, who knows the maths equals yours, I guess you just need to get out the fish bowl, live outside that chip.. Wink

Oh, and you stand corrected, I aint said jack shit about developers.. unless I dont know they think they are one of course..

We're all developers..

And still developing..

Let's see, did you know the scientific formula used by EVERYONE today is derived from square root of 8, that being 64?

Did you ever notice that in Britain, we use 240v, which is a higher power than 12v, used to run a car.. all we did was drop the 0 as designated by the Hebrew maths, of course, they dont recognise 0, so where do you stand now on your maths, knowing that at any given moment, at any given angle you can only ever see 37 options, the other 27 you cant, but KNOW they are there, or do you?

I was etching binary dials for amateur radio in the 70's ya fool..

Ps, hands up if you're a dev..?

I'm smart enough to place a 3d maths model in your head, now try same.. like, say, layering images, mirror images, as above so below, so within so with out on earth as it is in heaven, and the truth is it's a 256 chip which is nothing but a quarter of 1024, and at last, we are nearing the 1 meg chip.. lol, you missed the boat, see, the layering has fooled you, cause the 1mb chip is pin 8, so whadyaknow huh? a 1mb bank, which becomes 8 when loaded.

Even better, is when that has happened, you actually have a 16mb bank, but you dont have it all do ya, because even the logs state there is a third, and it IS used.. since the third isn't loaded at that point, that 3rd being the empty space that is filled (6meg). Go on dev, fix it!!

A hint.. 6141, same size? coincidence, I dont think so..
Reply
#8
I can't figure out if you are ingesting, smoking some sort of chemical that makes you so crazy or if you are just another ABMJR operator trying to do as they would call it in the UK, "Online Covert Action".
Reply
#9
Dont blame ya, but in a nutshell, it dont matter how much you divvy up the space in the chip..

For instance..

In 2000, we USED to copy an 8mb FULL flash until some bright spark decided to get the groupies behind the 'we only need 2 of these megabytes..'

Roll on 2015, chips are 256, using only 16 meg?

But we're still only copying 2?

Seems to me everything has upgraded, but the advice given by certain members here, most of these, no longer speak on sbh.. if they do, it's cause the best left there a looong time ago..

As for your covert action, what do you think I have to hide compared to you? NOTHING, because nothing either of us knows, is worth being 'covert' about.. man, some folks here clearly need to get out more..

Allow this covert action:

From now on we'll add an image by adding an extra digit/letter to every digit/letter, of the flash, which will, when loaded into this x amount of blank space, show itself to be the third bank. This third bank will appear to be only two banks at all times, 9 megabytes in total, despite being 64meg, since 32mb is required to load 1x 16meg images. 32 to store, 32 for loading. 32meg being the entire 'dual' flash.

So we still only require 2mb of 8mb, what is it now, 16mb in moto's?

Cough cough.. am in stitches.. all these questions dds, but I've yet to see an actual answer from you that benefits people instead of the usual drag..

(05-08-2015, 12:14 PM)Canis-Major Wrote: Dont blame ya, but in a nutshell, it dont matter how much you divvy up the space in the chip..

A hint.. If I can copy 256mb from what you claim is a 128mb chip, please explain?
Reply
#10
have you got the 490 ac router
Reply