Arris TG2492 (VM Super hub 3)

[vmu19]

Something like this:
$ mkdir /tmp/mmc;chmod 777 /tmp/mmc
$ sudo in.tftpd -cls /tmp/mmc
$ ssh root2@192.168.0.1 /bin/bash -i
root2@192.168.0.1's password:
/bin/bash: can't access tty; job control turned off
# cd /dev
# for p in mmc*;do tftp -p -l $p 192.168.0.100;done

[eltremendo]

But would you be able to extract the certs this way?

[vmu19]

I imagine so. However the modem I'm using hasn't been used to connect to the ISP. I think this is the cert stuff here, but not sure:
# find /nvram/1/security
/nvram/1/security
/nvram/1/security/cm_key_prv.bin
/nvram/1/security/root_pub_key.bin
/nvram/1/security/mfg_cert.cer
/nvram/1/security/download
/nvram/1/security/download/40_0d_10_af_cb_f3_ED_EncCertFile.bin
/nvram/1/security/download/TI_NA_Cert_400d10afcbf3.key
/nvram/1/security/download/40_0d_10_af_cb_f3_ND_EncCertFile.bin
/nvram/1/security/download/TI_EU_Cert_400d10afcbf3.key
/nvram/1/security/download/TI_NA_Cert_400d10afcbf3.cer
/nvram/1/security/download/TI_EU_Cert_400d10afcbf3.cer
/nvram/1/security/cm_cert.cer
/nvram/1/security/mfg_key_pub.bin

[danman]

Hi guys, I'm working on very similar device CH7465 with NOSH firmware.
I was able to make a full dump and have convenient way to modify the internal eMMC.
My device doesn't display almost any messages on its console (just a few messages from bootloader) so no shell access is available.
I was also able to order another device from ebay and after clonning eMMC also the copy works Ok for accessing my internet connection.

I'd like to enable telnet/ssh access on this device. Did you make any progress with this?

[danman]

[danman]

@vmu19 : can you share your flash dump?

[danman]

I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract, e.g. via dd:

Code:

dd if=/dev/sdc of=dump.dd bs=1M

[eltremendo]

Something like this:
$ mkdir /tmp/mmc;chmod 777 /tmp/mmc
$ sudo in.tftpd -cls /tmp/mmc
$ ssh root2@192.168.0.1 /bin/bash -i
root2@192.168.0.1's password:
/bin/bash: can't access tty; job control turned off
# cd /dev
# for p in mmc*;do tftp -p -l $p 192.168.0.100;done

I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract.

Can i pm you?

[danman]

Something like this:
$ mkdir /tmp/mmc;chmod 777 /tmp/mmc
$ sudo in.tftpd -cls /tmp/mmc
$ ssh root2@192.168.0.1 /bin/bash -i
root2@192.168.0.1's password:
/bin/bash: can't access tty; job control turned off
# cd /dev
# for p in mmc*;do tftp -p -l $p 192.168.0.100;done

I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract.

Can i pm you?

Why not ask here?

[eltremendo]

i have another board, from a 1602A arris . how can i trace or find the corresponding pins ?