Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
SB6190 Uncapping in process. Suggestions?
#11
Due to the presence of IPsec encryption I believe I have magically discovered a DHCP offer vulnerability to destroy the CM's ARP table. That allows ARP poisoning and easy config forcing, among other things. I should be able to push custom firmware and make it look like it's coming from the CMTS, avoiding physical flashing. I'll keep you all posted!
HeartAngel
-C. Colin Applegate
NSA Director GSA35,0
CEO Comcast Cable
CEO Applegate Consulting LLC
AUTHORIZED BY THE PRESIDENT
Reply
#12
(02-10-2016, 07:53 PM)joejoe402012 Wrote:
(02-10-2016, 07:33 PM)snowden Wrote:
(02-10-2016, 04:39 PM)colin669 Wrote:
(02-10-2016, 04:24 PM)Ictvtec Wrote: U got a pic of the back of the modem?? I don't see the flash chip anywhere in the front.

here's the pic you're asking for.
it looked like a tssop nand flash
where is spi flash then ?

there is no longer a SPI Flash,all the new modems are nand flash only. and they have Bad blocks to prevent it from being copied so far.
ok i got it
i saw also some modems had them in bga format
however the badblock isnt a problem
i didnt saw sb6190 but cpu could use otp key from nand memory for prevent copying it
Reply
#13
(03-10-2016, 06:40 PM)snowden Wrote:
(02-10-2016, 07:53 PM)joejoe402012 Wrote:
(02-10-2016, 07:33 PM)snowden Wrote:
(02-10-2016, 04:39 PM)colin669 Wrote:
(02-10-2016, 04:24 PM)Ictvtec Wrote: U got a pic of the back of the modem?? I don't see the flash chip anywhere in the front.

here's the pic you're asking for.
it looked like a tssop nand flash
where is spi flash then ?

there is no longer a SPI Flash,all the new modems are nand flash only. and they have Bad blocks to prevent it from being copied so far.
ok i got it
i saw also some modems had them in bga format
however the badblock isnt a problem
i didnt saw sb6190 but cpu could use otp key from nand memory for prevent copying it
really? bga been around forever man, wtf. must be good. I'll look into it. thx!!
yeah, snowden, I totally agree.
who cares about the uncrackable code snowden, the sb6190 firmware is open source. fuck copying it. plus I don't believe that it's uncrackable, give the code a cheeseburger, seriously, it'll let you right in. I know you understand.
HeartAngel
-C. Colin Applegate
NSA Director GSA35,0
CEO Comcast Cable
CEO Applegate Consulting LLC
AUTHORIZED BY THE PRESIDENT
Reply
#14
(03-10-2016, 02:14 AM)colin669 Wrote:
(02-10-2016, 10:33 PM)markoco Wrote:
(02-10-2016, 04:39 PM)colin669 Wrote:
(02-10-2016, 04:24 PM)Ictvtec Wrote: U got a pic of the back of the modem?? I don't see the flash chip anywhere in the front.

here's the pic you're asking for.

Can you tell me the numbers of the 48 pin SMT chip on the back of the board
and can you take a clearer picture of the front and back of the board in high resolution so it can be blown up with clarity and post them to a Dropbox and give me the link i will tell you what you will need to read the chip

(02-10-2016, 07:57 PM)colin669 Wrote:
(02-10-2016, 07:53 PM)joejoe402012 Wrote:
(02-10-2016, 07:33 PM)snowden Wrote: it looked like a tssop nand flash
where is spi flash then ?

there is no longer a SPI Flash,all the new modems are nand flash only. and they have Bad blocks to prevent it from being copied so far.

I don't need to copy the firmware, only flash to the NAND. How do I do that? I can compile the firmware from ARRIS, they released it! It's open source, documented link in My first post. Smile

I'm looking into modding & compiling the firmware now. I have an SoC(Jetson TK1) if needed. I should be able to flash to NAND, skipping bad blocks, and the modem will run the My custom firmware just fine. Sounds perfect to Me. Smile

We need some one with coding experience to write a piece of software that can handle the remapping of the bad blocks so we can read the nand correctly just like the guys did for the XBOX so there is hope out there

Experienced coders would be great, but I can write the code Myself, it'll just take more time. That's a guarantee! I will get you a higher res photo set ASAP.

Numbers:
Spansion
S34ML01G200TF100541BB337 A
©12 Spansion

to read this chip correctly you need to use ECC Error correction code
there are many ways to handle this.
Now im wondering if you can see any references to this in the source code in the firmware because the ECC code was written by the manufacturer for that device .
otherwise you will get bite flip every time you read the chip

Each chip has its own bad block or blocks direct from the factory, and bad block occur on the chip after the code is written to it so the code on the chip has to know how to handle the remapping of the chip otherwise you would be trowing these modems into the trash every time it developed a bad block


Attached Files
.pdf   002-00499_S34ML01G2_S34ML02G2_S34ML04G2_1_Gb_2_Gb_4_Gb_3_V_4-bit_ECC_SLC_NAND_Flash_Memory_for_Embedded.pdf (Size: 7.19 MB / Downloads: 126)
Reply
#15
(06-10-2016, 06:19 AM)markoco Wrote:
(03-10-2016, 02:14 AM)colin669 Wrote:
(02-10-2016, 10:33 PM)markoco Wrote:
(02-10-2016, 04:39 PM)colin669 Wrote:
(02-10-2016, 04:24 PM)Ictvtec Wrote: U got a pic of the back of the modem?? I don't see the flash chip anywhere in the front.

here's the pic you're asking for.

Can you tell me the numbers of the 48 pin SMT chip on the back of the board
and can you take a clearer picture of the front and back of the board in high resolution so it can be blown up with clarity and post them to a Dropbox and give me the link i will tell you what you will need to read the chip

(02-10-2016, 07:57 PM)colin669 Wrote:
(02-10-2016, 07:53 PM)joejoe402012 Wrote: there is no longer a SPI Flash,all the new modems are nand flash only. and they have Bad blocks to prevent it from being copied so far.

I don't need to copy the firmware, only flash to the NAND. How do I do that? I can compile the firmware from ARRIS, they released it! It's open source, documented link in My first post. Smile

I'm looking into modding & compiling the firmware now. I have an SoC(Jetson TK1) if needed. I should be able to flash to NAND, skipping bad blocks, and the modem will run the My custom firmware just fine. Sounds perfect to Me. Smile

We need some one with coding experience to write a piece of software that can handle the remapping of the bad blocks so we can read the nand correctly just like the guys did for the XBOX so there is hope out there

Experienced coders would be great, but I can write the code Myself, it'll just take more time. That's a guarantee! I will get you a higher res photo set ASAP.

Numbers:
Spansion
S34ML01G200TF100541BB337 A
©12 Spansion

to read this chip correctly you need to use ECC Error correction code
there are many ways to handle this.
Now im wondering if you can see any references to this in the source code in the firmware because the ECC code was written by the manufacturer for that device .
otherwise you will get bite flip every time you read the chip

Each chip has its own bad block or blocks direct from the factory, and bad block occur on the chip after the code is written to it so the code on the chip has to know how to handle the remapping of the chip otherwise you would be trowing these modems into the trash every time it developed a bad block

I'll comb through the firmware but from what I see, BGA uses a limit algorithm and when the limit is satisfied the algorithm restarts causing a remap generating a new memory location and cycles through the NAND that way.
HeartAngel
-C. Colin Applegate
NSA Director GSA35,0
CEO Comcast Cable
CEO Applegate Consulting LLC
AUTHORIZED BY THE PRESIDENT
Reply
#16
(06-10-2016, 01:49 AM)colin669 Wrote:
(03-10-2016, 06:40 PM)snowden Wrote:
(02-10-2016, 07:53 PM)joejoe402012 Wrote:
(02-10-2016, 07:33 PM)snowden Wrote:
(02-10-2016, 04:39 PM)colin669 Wrote: here's the pic you're asking for.
it looked like a tssop nand flash
where is spi flash then ?

there is no longer a SPI Flash,all the new modems are nand flash only. and they have Bad blocks to prevent it from being copied so far.
ok i got it
i saw also some modems had them in bga format
however the badblock isnt a problem
i didnt saw sb6190 but cpu could use otp key from nand memory for prevent copying it
really? bga been around forever man, wtf. must be good. I'll look into it. thx!!
yeah, snowden, I totally agree.
who cares about the uncrackable code snowden, the sb6190 firmware is open source. fuck copying it. plus I don't believe that it's uncrackable, give the code a cheeseburger, seriously, it'll let you right in. I know you understand.
sure
i even doubt i can see sb6190e version in future
at last there are only sb6120e and sb6180e
sb6180 in datasheet is noticed as E version also but i dont saw it in market yet
and available speeds there maximum 120mb for now
take second sb6190 and swap nand flash beetwen them
just desolder it with hotair gun 330c deegress clean the pins and solder again
if modem will start then there are no any otp keys in use or cpu signatures
later then you can think about ecc correction fix
some of expensiv commerciall programmers have some setups for ecc like elnec but the client devices on market usually have its own customised ecc
have there one up&up up828 but support is crap and propably over for now i pay alot of money for it and its adapters in past
also there are other ways to try snmp factory keys cli etc. so nothing end on soldering things
Reply
#17
(07-10-2016, 11:40 AM)snowden Wrote:
(06-10-2016, 01:49 AM)colin669 Wrote:
(03-10-2016, 06:40 PM)snowden Wrote:
(02-10-2016, 07:53 PM)joejoe402012 Wrote:
(02-10-2016, 07:33 PM)snowden Wrote: it looked like a tssop nand flash
where is spi flash then ?

there is no longer a SPI Flash,all the new modems are nand flash only. and they have Bad blocks to prevent it from being copied so far.
ok i got it
i saw also some modems had them in bga format
however the badblock isnt a problem
i didnt saw sb6190 but cpu could use otp key from nand memory for prevent copying it
really? bga been around forever man, wtf. must be good. I'll look into it. thx!!
yeah, snowden, I totally agree.
who cares about the uncrackable code snowden, the sb6190 firmware is open source. fuck copying it. plus I don't believe that it's uncrackable, give the code a cheeseburger, seriously, it'll let you right in. I know you understand.
sure
i even doubt i can see sb6190e version in future
at last there are only sb6120e and sb6180e
sb6180 in datasheet is noticed as E version also but i dont saw it in market yet
and available speeds there maximum 120mb for now
take second sb6190 and swap nand flash beetwen them
just desolder it with hotair gun 330c deegress clean the pins and solder again
if modem will start then there are no any otp keys in use or cpu signatures
later then you can think about ecc correction fix
some of expensiv commerciall programmers have some setups for ecc like elnec but the client devices on market usually have its own customised ecc
have there one up&up up828 but support is crap and propably over for now i pay alot of money for it and its adapters in past
also there are other ways to try snmp factory keys cli etc. so nothing end on soldering things

Holy shit! You are clearly the REAL EDWARD SNOWDEN. Thanks for the reply!!!!!!!! BRILLIANT. I'm on it. wtf you hacked My haxorware forum account? I'm using a secure password now.
HeartAngel
-C. Colin Applegate
NSA Director GSA35,0
CEO Comcast Cable
CEO Applegate Consulting LLC
AUTHORIZED BY THE PRESIDENT
Reply
#18
Yeah...mine too. He's the real deal......!
Reply
#19
(07-10-2016, 11:40 AM)snowden Wrote:
(06-10-2016, 01:49 AM)colin669 Wrote:
(03-10-2016, 06:40 PM)snowden Wrote:
(02-10-2016, 07:53 PM)joejoe402012 Wrote:
(02-10-2016, 07:33 PM)snowden Wrote: it looked like a tssop nand flash
where is spi flash then ?

there is no longer a SPI Flash,all the new modems are nand flash only. and they have Bad blocks to prevent it from being copied so far.
ok i got it
i saw also some modems had them in bga format
however the badblock isnt a problem
i didnt saw sb6190 but cpu could use otp key from nand memory for prevent copying it
really? bga been around forever man, wtf. must be good. I'll look into it. thx!!
yeah, snowden, I totally agree.
who cares about the uncrackable code snowden, the sb6190 firmware is open source. fuck copying it. plus I don't believe that it's uncrackable, give the code a cheeseburger, seriously, it'll let you right in. I know you understand.
sure
i even doubt i can see sb6190e version in future
at last there are only sb6120e and sb6180e
sb6180 in datasheet is noticed as E version also but i dont saw it in market yet
and available speeds there maximum 120mb for now
take second sb6190 and swap nand flash beetwen them
just desolder it with hotair gun 330c deegress clean the pins and solder again
if modem will start then there are no any otp keys in use or cpu signatures
later then you can think about ecc correction fix
some of expensiv commerciall programmers have some setups for ecc like elnec but the client devices on market usually have its own customised ecc
have there one up&up up828 but support is crap and propably over for now i pay alot of money for it and its adapters in past
also there are other ways to try snmp factory keys cli etc. so nothing end on soldering things

I have tried copying a 48 pin nand with a Xeltek 6100 i get bite flip
talked to Zeltek about the ECC , they can write a custom software to Handel the remapping for about 350.00 but we would need to find out what algorithm they use
Reply
#20
(08-10-2016, 04:13 AM)markoco Wrote:
(07-10-2016, 11:40 AM)snowden Wrote:
(06-10-2016, 01:49 AM)colin669 Wrote:
(03-10-2016, 06:40 PM)snowden Wrote:
(02-10-2016, 07:53 PM)joejoe402012 Wrote: there is no longer a SPI Flash,all the new modems are nand flash only. and they have Bad blocks to prevent it from being copied so far.
ok i got it
i saw also some modems had them in bga format
however the badblock isnt a problem
i didnt saw sb6190 but cpu could use otp key from nand memory for prevent copying it
really? bga been around forever man, wtf. must be good. I'll look into it. thx!!
yeah, snowden, I totally agree.
who cares about the uncrackable code snowden, the sb6190 firmware is open source. fuck copying it. plus I don't believe that it's uncrackable, give the code a cheeseburger, seriously, it'll let you right in. I know you understand.
sure
i even doubt i can see sb6190e version in future
at last there are only sb6120e and sb6180e
sb6180 in datasheet is noticed as E version also but i dont saw it in market yet
and available speeds there maximum 120mb for now
take second sb6190 and swap nand flash beetwen them
just desolder it with hotair gun 330c deegress clean the pins and solder again
if modem will start then there are no any otp keys in use or cpu signatures
later then you can think about ecc correction fix
some of expensiv commerciall programmers have some setups for ecc like elnec but the client devices on market usually have its own customised ecc
have there one up&up up828 but support is crap and propably over for now i pay alot of money for it and its adapters in past
also there are other ways to try snmp factory keys cli etc. so nothing end on soldering things

I have tried copying a 48 pin nand with a Xeltek 6100 i get bite flip
talked to Zeltek about the ECC , they can write a custom software to Handel the remapping for about 350.00 but we would need to find out what algorithm they use
can i see the dump ?
Reply


Forum Jump:


Users browsing this thread: 123 Guest(s)