Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Extracted firmware of my SBG901 from MX Flash , now how can I extract CERTS?
#1
Hi guys I could finally manage to make the LPT cable work to dump my firmware on the MX memory MX25L6445E, it was sort of complicated cause I had to solder all the cables to each of the legs of the MX flash , and outputs and inputs, but I finally got the flash dump.
total size it's 8,388,608 I'm suspecting it flashed the whole entire MX memory not the firmware area only I don't know if that's right or wrong ,maybe I should have dumped a specific area of the MX flash .
Anyways I'm not that savvy regarding firmware manipulation,and about memory locations .So question is I would like to learn how can I extract the Certificate from the firmware dump I have. Maybe enabling factory mode enabling some hex bit .
thanks.
Reply
#2
wow, well how ever you did that i have no idea
tho i'd be interested in how what and why you did it that way

you can upload the dump to mediafire or some other filehost and PM me the link i'll have a look at it and see if the certs are even in there
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#3
(08-07-2011, 07:30 AM)drewmerc Wrote: wow, well how ever you did that i have no idea
tho i'd be interested in how what and why you did it that way

you can upload the dump to mediafire or some other filehost and PM me the link i'll have a look at it and see if the certs are even in there

Sure I'm gonna make a tutorial explaining how I did manage to get the dump of the flash chip , it's not complicated at all it was a matter of finding some cheap way of emulating SPI signals over LPT port. I'm going to upload the firmware to mediafire, now big problem the entire dump I have it's 8 megs 8,388,608 bytes in size , by some reason I downloaded another firmware from an sbg901 (SBG901-2.1.3.0-GA-00-256-NOSH-NNDMN.p7) and it's 1,991,313 bytes , so I'm suspecting I just dumped the entire MX flash memory from the fist memory position to the last one.
Anyways , I tried using cmnonexp2mbwin32 which supposedly extracts certificates from BCM3348/BCM3349 chipsets, problem is this modem has a BCM3361 chipset, I ran that app which supposedly rips certificates from 2Mb firmware, but I did find lot's of stuff I'm not quite sure it ripped properly the certs. I'm suspecting that the non-vol memory address location it's in the first 2048Mb of the flash memory so I will try to make a dump of only the first 2048Mb and see if cmnonexp works better. I saw there's another version which it's not limited to 2Mb only bins.. maybe I'm gonna check that one.


cmp NonVol Settings found!
0x14A14:cmp Size:0x0289 (649)
0x14A16:cmp Magic:0x636D702E ('cmp.')

CHEV NonVol Settings found!
0x14C9D:CHEV Size:0x0008 (8)
0x14C9F:CHEV Magic:0x43484556 ('CHEV')

CQP2 NonVol Settings found!
0x14CA5:CQP2 Size:0x0008 (8)
0x14CA7:CQP2 Magic:0x43515032 ('CQP2')

FIRE NonVol Settings found!
0x14CAD:FIRE Size:0x0008 (8)
0x14CAF:FIRE Magic:0x46495245 ('FIRE')

VPNG NonVol Settings found!
0x14CB5:VPNG Size:0x0009 (9)
0x14CB7:VPNG Magic:0x56504E47 ('VPNG')

ERROR: address: 14CC0; size: 0x0009 (9); unknow magic: 0x50505053 ('PPPS')

ERROR: address: 14CC9; size: 0x0008 (8); unknow magic: 0x57694775 ('WiGu')

0x1561ESad87582) ---> Start new non-volatile nonvol <---
0x15620:Length:0x4C05 (19461)
0x15622:CRC32-Motorola:0x7359C833 (1935263795)
Non-volatile nonvol length: 0x4C05 (19461) at offset: 0x1561E
Calculate CRC: 0x7359C833
CRC OK!!!

CM Application NonVol Settings found!
0x15626:CMAp Size:0x0009 (9)
0x15628:CMAp Magic:0x434D4170 ('CMAp')

Message Logging NonVol Settings found!
0x1562F:MLog Size:0x003C (60)
0x15631:MLog Magic:0x4D4C6F67 ('MLog')

HalIf NonVol Settings found!
0x1566B:HalIf Size:0x00C7 (199)
0x1566D:HalIf Magic:0xF2A1F61F (' ')
0x15677:MAC address for IP Stack 1:74:56:12:CABig Grin3:B
0x1567D:MAC address for IP Stack 2:74:56:12:35:CE:0
0x15683:MAC address for IP Stack 3:2C:9E:5F:CF:ECBig Grin
0x15689:MAC address for IP Stack 4:74:56:12:35:CE:0

8021 NonVol Settings found!
0x15732:8021 Size:0x0083 (131)
0x15734:8021 Magic:0x38303231 ('8021')

ERROR: address: 157B7; size: 0x008C (140); unknow magic: 0x38303253 ('802S')

Factory NonVol Settings found!
0x15841:FACT Size:0x0023 (35)
0x15843:FACT Magic:0x46414354 ('FACT')

RSTL NonVol Settings found!
0x15864:RSTL Size:0x0008 (8)
0x15866:RSTL Magic:0x5253544C ('RSTL')

PRNT NonVol Settings found!
0x1586CTongueRNT Size:0x0008 (8)
0x1586ETongueRNT Magic:0x50524E54 ('PRNT')

CM BPI NonVol Settings found!
0x15874:bpi Size:0x16C7 (5831)
0x15876:bpi Magic:0x62706920 ('bpi ')

Cert number 1 found!
0x1587C:Cert Size:0x008C (140)
0x1587E:Cert class 1:0x3081 (12417)
Writing to file non02_1_public.key 140 bytes

WARNING: address: 1590C; size: 0x02A0 (672); unknow cert type: 0x1CF3
Writing to file non02_2_private.key 672 bytes

Cert number 3 found!
0x15BAC:Cert Size:0x010E (270)
0x15BAE:Cert class 2:0x3082 (12418)
Writing to file non02_3_root.key 270 bytes

Cert number 4 found!
0x15CBC:Cert Size:0x0327 (807)
0x15CBE:Cert class 2:0x3082 (12418)
Writing to file non02_4_cm_cert.cer 807 bytes

Cert number 5 found!
0x15FE5:Cert Size:0x0404 (1028)
0x15FE7:Cert class 2:0x3082 (12418)
Writing to file non02_5_ca_cert.cer 1028 bytes

Cert number 6 found!
0x163EB:Cert Size:0x008C (140)
0x163ED:Cert class 1:0x3081 (12417)
Writing to file non02_unknow06.key 140 bytes

WARNING: address: 1647B; size: 0x02A0 (672); unknow cert type: 0x457F
Writing to file non02_unknow07.key 672 bytes

Cert number 8 found!
0x1671B:Cert Size:0x010E (270)
0x1671D:Cert class 2:0x3082 (12418)
Writing to file non02_unknow08.key 270 bytes

Cert number 9 found!
0x1682B:Cert Size:0x032C (812)
0x1682D:Cert class 2:0x3082 (12418)
Writing to file non02_unknow09.key 812 bytes

Cert number 10 found!
0x16B59:Cert Size:0x03E0 (992)
0x16B5B:Cert class 2:0x3082 (12418)
Writing to file non02_unknow10.key 992 bytes

CM DOCSIS NonVol Settings found!
0x16F3BBig Grinocsis Size:0x0082 (130)
0x16F3DBig Grinocsis Magic:0xD0C20100 (' ')

ERROR: address: 16FBF; size: 0x002C (44); unknow magic: 0xD0C20300 (' ')

CableModem EventLog NonVol Settings found!
0x16FE9:CMEV Size:0x0008 (8)
0x16FEB:CMEV Magic:0x434D4556 ('CMEV')

SNMP NonVol Settings found!
0x16FF1Confusednmp Size:0x04EF (1263)
0x16FF3Confusednmp Magic:0x736E6D70 ('snmp')
0x16FF7:Version:0x0004 (4)
0x16FF9Sad94201) Factory mode NOT enabled
0x16FFASad94202) Vendor name: Motorola Corporation
0x1701ASad94234) System Description: <<HW_REV: 1; VENDOR: Motorola Corporation; B
OOTR: 2200; SW_REV: SBG901-2.1.5.0-GA-00-357-NOSH; MODEL: SBG901>>
0x1709ASad94362) System ObjectID: 1.3.6.1.4.1.1166.901.1.0.1.5.0.0
0x1711ASad94490) System ObjectID value 1:
0x1719ASad94618) System ObjectID value 2: SBG901
0x1721ASad94746) System ObjectID value 3:
0x1729ASad94874) sysORID.1: UUUOUUUUUWuUUUUUWWUUUUUUUUuUUUUUUUUUUUuWUUUuUUUUUUUUU
UuUUWUUUUUWUQUOUUUUUUuUUuWWUUUUUUUUUUUUUUUUUUWUUWUUUuWUUWUUUUUUUUWUUUUUUUWUWUUUU
UUUUUUUUUUWUUUU§UUuUUUUUUUUUUUUUU§UUUUUUUUUUUUUUUUUUUUUUUuUUUUuUUUuUUUUUWUUuUUUU
UUWUUUWUUUQUUUUUUUUUUUUUUUUUuUUUuUUUUUUuUUUUUUUUuUUUUUUUUU§UUWQUOuUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUWUUUUUUUUUUUoUUUOuUUUUUUUUUUUUUuUUqUU§UUUWWUUUUUUUUU]UuUuUu
UUUUUUUUUUuU318158103001762601014010
0x1731ASad95002) sysORID.1 description: WUUUUUUUUUUUUUUWUUUU§UUuUUUUUUUUUUUUUU§UU
UUUUUUUUUUUUUUUUUUUUUuUUUUuUUUuUUUUUWUUuUUUUUUWUUUWUUUQUUUUUUUUUUUUUUUUUuUUUuUUU
UUUuUUUUUUUUuUUUUUUUUU§UUWQUOuUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUWUUUUUUUUUUUoUU
UOuUUUUUUUUUUUUUuUUqUU§UUUWWUUUUUUUUU]UuUuUuUUUUUUUUUUuU318158103001762601014010

0x1739ASad95130) Services: 0x55
0x1739BSad95131) Device Software Current Version: UUUUuUUUUUUUUU§UUWQUOuUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUWUUUUUUUUUUUoUUUOuUUUUUUUUUUUUUuUUqUU§UUUWWUUUUUUUUU]U
uUuUuUUUUUUUUUUuU318158103001762601014010
0x1783FSad96319) Device Serial Number: 318158803801762608014010
0x1745BSad95323) Max Download Tries: 0x4

DOCSIS CM Downstream Calibration NonVol Settings found!
0x174E0Big GrinnSt Size:0x0181 (385)
0x174E2Big GrinnSt Magic:0x446E5374 ('DnSt')

DOCSIS CM Upstream Calibration NonVol Settings found!
0x17661:UpSt Size:0x0249 (585)
0x17663:UpSt Magic:0x55705374 ('UpSt')

CM Propane NonVol Settings found!
0x178AATonguepan Size:0x000A (10)
0x178ACTonguepan Magic:0x5070616E ('Ppan')

CM Vendor Motorola NonVol Settings found!
0x178B4:MOTO Size:0x191F (6431)
0x178B6:MOTO Magic:0x4D4F544F ('MOTO')

ERROR: address: 191D5; size: 0x0008 (8); unknow magic: 0x504C5547 ('PLUG')

ERROR: address: 191DD; size: 0x0008 (8); unknow magic: 0x52656777 ('Regw')

FMib NonVol Settings found!
0x191E3:FMib Size:0x0008 (8)
0x191E5:FMib Magic:0x464D6962 ('FMib')

PSV NonVol Settings found!
0x191EBTongueSV Size:0x000F (15)
0x191EDTongueSV Magic:0x50530D56 ('PS V')

CAP NonVol Settings found!
0x191FA:CAP Size:0x0008 (8)
0x191FC:CAP Magic:0x4341502E ('CAP.')

CDP NonVol Settings found!
0x19202:CDP Size:0x0008 (8)
0x19204:CDP Magic:0x4344502E ('CDP.')

CSP found!
0x1920A:CSP Size:0x0D55 (3413)
0x1920C:CSP Magic:0x4353502E ('CSP.')

Cert number 11 found!
0x19212:Cert Size:0x0366 (870)
0x19214:Cert class 2:0x3082 (12418)
Writing to file non02_unknow11.key 870 bytes

Cert number 12 found!
0x1957A:Cert Size:0x03DB (987)
0x1957C:Cert class 2:0x3082 (12418)
Writing to file non02_unknow12.key 987 bytes

Cert number 13 found!
0x19957:Cert Size:0x0364 (868)
0x19959:Cert class 2:0x3082 (12418)
Writing to file non02_unknow13.key 868 bytes

WARNING: address: 19CBF; size: 0x02A0 (672); unknow cert type: 0x6DFC
Writing to file non02_unknow14.key 672 bytes

RG NonVol Settings found!
0x19F5F:RG Size:0x0009 (9)
0x19F61:RG Magic:0x52472E2E ('RG..')

cmp NonVol Settings found!
0x19F68:cmp Size:0x0289 (649)
0x19F6A:cmp Magic:0x636D702E ('cmp.')

CHEV NonVol Settings found!
0x1A1F1:CHEV Size:0x0008 (8)
0x1A1F3:CHEV Magic:0x43484556 ('CHEV')

CQP2 NonVol Settings found!
0x1A1F9:CQP2 Size:0x0008 (8)
0x1A1FB:CQP2 Magic:0x43515032 ('CQP2')

FIRE NonVol Settings found!
0x1A201:FIRE Size:0x0008 (8)
0x1A203:FIRE Magic:0x46495245 ('FIRE')

VPNG NonVol Settings found!
0x1A209:VPNG Size:0x0009 (9)
0x1A20B:VPNG Magic:0x56504E47 ('VPNG')

ERROR: address: 1A214; size: 0x0009 (9); unknow magic: 0x50505053 ('PPPS')

ERROR: address: 1A21D; size: 0x0008 (8); unknow magic: 0x57694775 ('WiGu')

0x1FFF8Sad131064) ---> Start new non-volatile nonvol <---
0x1FFFA:Length:0x5554 (21844)
0x1FFFC:CRC32-Motorola:0xFFFFFFFC (-4)
Non-volatile nonvol length: 0x5554 (21844) at offset: 0x1FFF8
Calculate CRC: 0x991568FF
---> CRC failed!!! FFFFFFFC <> 991568FF

ERROR: address: 20002; size: 0xC035 (49205); unknow magic: 0x00050003 (' ')

0x2554CSad152908) ---> Start new non-volatile nonvol <---
0x2554E:Length:0xA988 (43400)
0x25550:CRC32-Motorola:0x1F155194 (521490836)
Non-volatile nonvol length: 0xA988 (43400) at offset: 0x2554C
Calculate CRC: 0xA8059A12
---> CRC failed!!! 1F155194 <> A8059A12

ERROR: address: 25556; size: 0x8553 (34131); unknow magic: 0x6235915D ('b5 ]')

ERROR: address: 2DAA9; size: 0x2775 (10101); unknow magic: 0xC16DBEF1 (' m ')

0x2FED4Sad196308) ---> Start new non-volatile nonvol <---
0x2FED6:Length:0x33D7 (13271)
0x2FED8:CRC32-Motorola:0x9F02DE51 (-1627201967)
Non-volatile nonvol length: 0x33D7 (13271) at offset: 0x2FED4
Calculate CRC: 0x6EAB15B0
---> CRC failed!!! 9F02DE51 <> 6EAB15B0

ERROR: address: 2FEDE; size: 0x2F71 (12145); unknow magic: 0x56F2AA68 ('V h')

ERROR: address: 32E4F; size: 0xADDD (44509); unknow magic: 0xC0AA7E9A (' ')

0x332ABSad209579) ---> Start new non-volatile nonvol <---
0x332AD:Length:0x61DF (25055)
0x332AF:CRC32-Motorola:0xB14062E4 (-1321180444)
Non-volatile nonvol length: 0x61DF (25055) at offset: 0x332AB
Calculate CRC: 0xFF4214FD
---> CRC failed!!! B14062E4 <> FF4214FD

ERROR: address: 332B5; size: 0xB2B7 (45751); unknow magic: 0x534AB97A ('SJ z')

0x3948ASad234634) ---> Start new non-volatile nonvol <---
0x3948C:Length:0x4776 (18294)
0x3948E:CRC32-Motorola:0xFC6A827D (-60128643)
Non-volatile nonvol length: 0x4776 (18294) at offset: 0x3948A
Calculate CRC: 0x2D52A3BE
---> CRC failed!!! FC6A827D <> 2D52A3BE

ERROR: address: 39494; size: 0x51D3 (20947); unknow magic: 0x77C2377A ('w 7z')

0x3DC00Sad252928) ---> Start new non-volatile nonvol <---
0x3DC02:Length:0xB0C1 (45249)
0x3DC04:CRC32-Motorola:0xDE694DED (-563524115)
Non-volatile nonvol length: 0xB0C1 (45249) at offset: 0x3DC00
Calculate CRC: 0x510DBB21
---> CRC failed!!! DE694DED <> 510DBB21

ERROR: address: 3DC0A; size: 0xF475 (62581); unknow magic: 0xAF79A76B (' y k')

Reply
#4
you should try this http://www.haxorware.com/forums/thread-8...ml#pid4250
ok you'd be loading an 8mb dump but i dont see any difference as the jtag software can cope with the entire memory anyways (no you dont need a usbjtag to use the software)
plus looking at the nonvol explorer log above all the certs have been extracted so you should be good to go

also 8mb is not big it should take no more than a minute to upload unless your on dialup not that it matters as you have the certs
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#5
(08-07-2011, 09:24 AM)drewmerc Wrote: you should try this http://www.haxorware.com/forums/thread-8...ml#pid4250
ok you'd be loading an 8mb dump but i dont see any difference as the jtag software can cope with the entire memory anyways (no you dont need a usbjtag to use the software)
plus looking at the nonvol explorer log above all the certs have been extracted so you should be good to go

also 8mb is not big it should take no more than a minute to upload unless your on dialup not that it matters as you have the certs

Well I did try USBJTAG NT , and wrote this commands. I chose SBG900 modem at startup on config.

ldram 9fc00000 <<< does this command grab the portion of the dump file from 9fc00000 position?

(pick 2mb dump)
save cfg

it created supposedly the portion of the memory dump which corresponds to non-vol , but there's nothing inside, when I read it with cmnonexp. I'm suspecting the memory locations are not accordingly cause this modem has a broadcom BCM3361 chipset.

Check your PM I sent you the mediafire link to my firm. Let me know how you did manage to get the certs. The app I used was cmnonexp2mbwin32 which is a compiled version to support 2mb flash
By the way can you send me the log output of the command line you get when you extract the certs Smile , this is the schematic I used to build the LPT , after you build the cable you need this app to read the flash

[Image: flashg.png]


http://www.mediafire.com/?envw9p8ss4s0644]

SPIPGM Emulates SPI over LPT port it's better to be run natively under plain dos it works much faster.

type the following commands

CWSDPMI
SPIPGM /i << identifies flash
SPIPGM /d << dumps entire flash




This was the research I made myself.

[Image: sb901main.jpg]

[Image: imagenpins.jpg]


This is is the setup

[img][Image: img0045oe.jpg] Uploaded with ImageShack.us[/img]

[Image: img0046ct.jpg]Uploaded with ImageShack.us





Reply
#6
feel the need to reply before i even look at the dump just to say that is fucking beautiful
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#7
Thanks Wink was hard but I finally did it.

Reply
#8
just wait till you end up with a computer without a printer port, you end up with a choice of buying a usbjtag or building your own, i built my own damn it was hard but fun (tho now i'd say buy a bus blaster greatest usb jtag/spi thing out there)
anyways why i'm a writing and now working on your dump i'm having my 3rd smoke and a brew (i smoke alot when thinking)
as i dont beleave usbjtag will extract the cfg i tryed will a proper dump as well and the cfg showed up as blank
but looking at the hex i'm sure it's there so after my smoke i'll try ripping it manually
yep it's there, in ghex(sorry linux user) is your dump and in usbjtag(nonvol tab) is a 5101 2mb dump
so i look for a key part of the dump that exists in all nonvols "CMAp" and if you scroll down you'll see "FACT" then scroll some more and you'll see the first config
working out how to extract the config means looking at a 5101 dump and counting up from CMAp to the start then doing the same in you dump and cutting it out to the same size (that sounds a lot more complicated than what it is)
[Image: 9Cwy5.png]

so now i know it's possible to extract the config and extract the certs (but you already have them) as for activating factory mode you could extract the config flash to an haxor modem and activate factory mode dump it and copy paste it back (no idea about this bit)

anyways i got to go to work running late now cause i was having fun (also i think theres more than 1 nonvol in your dump)
i dont want to go to work i want to play
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#9
(08-07-2011, 11:03 AM)drewmerc Wrote: just wait till you end up with a computer without a printer port, you end up with a choice of buying a usbjtag or building your own, i built my own damn it was hard but fun (tho now i'd say buy a bus blaster greatest usb jtag/spi thing out there)
anyways why i'm a writing and now working on your dump i'm having my 3rd smoke and a brew (i smoke alot when thinking)
as i dont beleave usbjtag will extract the cfg i tryed will a proper dump as well and the cfg showed up as blank
but looking at the hex i'm sure it's there so after my smoke i'll try ripping it manually
yep it's there, in ghex(sorry linux user) is your dump and in usbjtag(nonvol tab) is a 5101 2mb dump
so i look for a key part of the dump that exists in all nonvols "CMAp" and if you scroll down you'll see "FACT" then scroll some more and you'll see the first config
working out how to extract the config means looking at a 5101 dump and counting up from CMAp to the start then doing the same in you dump and cutting it out to the same size (that sounds a lot more complicated than what it is)
[Image: 9Cwy5.png]

so now i know it's possible to extract the config and extract the certs (but you already have them) as for activating factory mode you could extract the config flash to an haxor modem and activate factory mode dump it and copy paste it back (no idea about this bit)

anyways i got to go to work running late now cause i was having fun (also i think theres more than 1 nonvol in your dump)
dont want to go to work i want to play

Thanks so much, you know I checked over at surfboard hack forum ,and some guy said he dumped the entire flash memory on a 5101 about 8Mb and people where saying this to him ..

Quote: On a 5101 the 8m is the RAM of the modem, not the flash. Once the modem is powered up the CPU will first read the bootloader from the flash memory then it uncompresses the firmware from the 2m flash into the 8meg ram area of the modem and starts working with it. This is dynamic memory so as soon as the modem is powered off it is "erased"

So needless to say if you took the 8meg dump from one modem and them put it to the next modem as soon as you power cycle the modem poof it's gone! So anyone that is telling you that the 8meg dump from the ram of a modem is useful for flashing to another modem is on crack.

Most "bricks" are caused by a corrupted/wrong bootloader on the flash chip the modem CPU reads bad info and then "crashes" and then the Jtag commands don't work on the CPU to read and write to the flash chip.

So there's something I don't quite get is the firmware stored in this MX SPI flash chip? cause I saw near the BCM there's another memory chip but it's only RAM DDR from winbond.

thanks for the hexdumpand stuff, I still don't get what should I do to get the non-vol extract it I mean.. cause the app to extract the certs like you saw extracted something.. but dropped lot's of errors.. we'll keep in touch when you come back.. ll8rz
Reply
#10
ok this is how i extract that nonvold
1.set and open a 2mb 5101 dump in usbjtag and save the cfg (cfg and nonvol are the same thing)
[Image: UdxMJ.png]

2.in winhex open your fulldump.bin and the cfg.bin that usbjtag saved
[Image: ZlsA2.png]

3.in the picture above you can see the cfg.bin so you have to find a similler thing in your fulldump.bin (i search the text for CMAp)
[Image: BcSq0.png]

4.now both dumps look the same when switching tabs in winhex we need to cut out the nonvol from the full dump, i do this by counting how many times i press the page down button on my keyboard (67 times) so i right click the matching first block in the fulldump.bin select beginning of block and press the page bown button 70 times (70 cause i like to make sure) right click and select end of block, then paste to a new file (gif's why did i not do all this as a gif, then maybe the last picture would be the right one!!!!)
[Image: g1Yvd.gif]

5.trim off the excess is easy as you know the last line of the 5101 cfg is 00007ff0 so you just cut everything after that in you the one you just cut
[Image: 4SMA1.png]

now thats it's done i'll pm you what i extracted as to if it'll work i do not know maybe the nonvol is 64k as some are, but it's friday and beer food and a good smoke await me
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)