Dlink DCM-202 has a cert download function Possible to get online?
#1
If you telnet into a Dlink DCM-202 you'll see it has a "production" menu. Under this menu (which is password protected) it has a cert downloader in addition to the ability to change other modem parameters such as Mfg, software/hw version, and MAC address. I assume it would be possible to get this modem online?

Here's a thread with pictures and a copy of a flash dump I made: DCM-202_Thread

The question I have: how to proceed? I can put my subscribed modem's info onto a haxor modem and d/l the nonvol (~32kB file). I can also copy the certs directly from a dump of my subscribed modem... However, the way the firmware is laid out on my sub modem is different than the Motorola (BCM3349) based modems, so I'm not certain what and where to snip from the f/w dump. I know some general info about the layout, such as

0x00000000 -- bootloader
0x00010000 -- first image
0x00100000 -- second image
0x001FA000 -- log

Anyway, attached below is a snip from the f/w of a junk modem (not my subscribed) that shows the layout of the "nonvol". It is the last 64kB of the 2MB image.
DO NOT CLICK ON THE SMILEY!! ~~> [Image: tongue.gif] <~~
#2
ok i downloaded and deleted it from your post (i did not know it was junk, i should read shit first but habits die hard)

anyways an interesting gif (i don't know where i'm going with this)
[Image: J3mTr.gif]

i'd bet if you rename TiZp to lzma you could unpack it (told you i did not know where i was going)
i think i do know where i'm going with that statement ambit256 toolkit, ok the toolkit or the firmware image would need a few mods to work together, like the one about but i guess you could swap nonvols and what not about (ujmodem may extract the certs in 256mode but i can't do shit because it's not activated)
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
#3
Okay, the DCM-202 firmware images (image1 & 2) are zlib compressed. I know this because of the reference to "Mark Adler" in the boot area. It's not lzma. It will not conventionally deflate because it is probably xor'ed, nor'ed or shifted in some such way to mask it from easily decompressing.

The file you downloaded "test_nonvol.bin" was the nonvol from a junk modem I got at a thrift store. It is the same model as my subscribed modem. I posted "test_nonvol.bin" to demonstrate the format or layout of the nonvol region of my subscribed modem's f/w. I'll post some more info in a bit after I do some testing...
#4
my above post was written over about half hour as i was thinking/playing and that is why my theory shifts about
my point is the image layout matches an ambit 256, now a long time ago before the 256 toolkit/haxorware install
i had a text document with the memory locations to manually swap (now long gone) again i'm thinking as i write but
i also know none of this has anything to do with what you asked, so i'll stop thinking and just say extract them
individually using the cert downloader and try to insert them
#5
what about study this model: to extract OID information.. for getting the 5 certs needed. so in future you won't even have to open it physically... they usually come with port 162 open for snmp :-)

then later you could use those certs in any haxor or sigma and eventually force a config file

My Best Regards
#6
Force configs won't happen. The CMTS has the upper hand. Certs are worthless if the ISP re-signs the MFC'ers CVC, which most do now..
Knowledge=Power
#7
i mean using their own signed config... not modified of course.

anyway you will be able to use own cert's speed.. that's how most of us do

isp's are using clone control. but not all of them.. everyone nowadays has to deal with that security

Regards
#8
RadioTubes did you actually get the certs from the production menu?