Posts: 6
Threads: 1
Joined: Sep 2014
Reputation:
0
(23-09-2014, 05:16 AM)sixteen Wrote: If you or talking a bout forceware it self, its not supported. Ok, that's what I wanted to know.
Anyway, I managed to dump the firmware, extract the U-boot Multi File, extract the SquashFS partition (actually, both of them), patch /etc/inittab (replace the silly CLI with /bin/ash), re-pack everything and re-flash it, trace the UART port on the board and get a root shell. I'm getting there 
Now, time to sleep...
If someone's interested, I can document all the steps.
Cheers!
Ciaby
Posts: 8
Threads: 0
Joined: Dec 2011
Reputation:
2
(23-09-2014, 09:45 AM)ciaby Wrote: (23-09-2014, 05:16 AM)sixteen Wrote: If you or talking a bout forceware it self, its not supported. Ok, that's what I wanted to know.
Anyway, I managed to dump the firmware, extract the U-boot Multi File, extract the SquashFS partition (actually, both of them), patch /etc/inittab (replace the silly CLI with /bin/ash), re-pack everything and re-flash it, trace the UART port on the board and get a root shell. I'm getting there
Now, time to sleep...
If someone's interested, I can document all the steps.
Cheers!
Ciaby
Can you explain how you did it?
Posts: 14
Threads: 2
Joined: Sep 2012
Reputation:
0
This arris firmware is a compleate junk. Not to mention they put their custom additions everywhere, theyve also added 2 password sets to protect the modem.
One of them is widely known arris password of the day, the second one is called a cm password.
Arris pwod can be generated using a public tool, but it seems they are now changing password seed, so the password u generate will not be valid. No biggie, all it does is that it gives you access to cm page with some technical info.
The other password is needed for accessing modems cli. Well, theres something to care about, like the ability to change mac address, right? After taking a quick look-the password is generated from modem serial number, then hashed at hmac function, then theres some byte shifting.
Since iam just lazy i just patched them both lol.
Btw, iam looking for some newer firmware revisions, like 2014 ones would be helpful.
Posts: 7
Threads: 2
Joined: Jan 2015
Reputation:
0
(08-01-2015, 11:27 PM)kapec Wrote: This arris firmware is a compleate junk. Not to mention they put their custom additions everywhere, theyve also added 2 password sets to protect the modem.
One of them is widely known arris password of the day, the second one is called a cm password.
Arris pwod can be generated using a public tool, but it seems they are now changing password seed, so the password u generate will not be valid. No biggie, all it does is that it gives you access to cm page with some technical info.
The other password is needed for accessing modems cli. Well, theres something to care about, like the ability to change mac address, right? After taking a quick look-the password is generated from modem serial number, then hashed at hmac function, then theres some byte shifting.
Since iam just lazy i just patched them both lol.
Btw, iam looking for some newer firmware revisions, like 2014 ones would be helpful.
i happen to have cm820a 2013 -2014 fermware just its on modem lol
Posts: 14
Threads: 2
Joined: Sep 2012
Reputation:
0
Thanks,
i need tg862 firmware, the other models wont work well because they dont support integrated ethernet switch :/
Posts: 1
Threads: 0
Joined: Jan 2014
Reputation:
0
(23-09-2014, 05:41 PM)pidiware Wrote: (23-09-2014, 09:45 AM)ciaby Wrote: (23-09-2014, 05:16 AM)sixteen Wrote: If you or talking a bout forceware it self, its not supported. Ok, that's what I wanted to know.
Anyway, I managed to dump the firmware, extract the U-boot Multi File, extract the SquashFS partition (actually, both of them), patch /etc/inittab (replace the silly CLI with /bin/ash), re-pack everything and re-flash it, trace the UART port on the board and get a root shell. I'm getting there
Now, time to sleep...
If someone's interested, I can document all the steps.
Cheers!
Ciaby Can you help us to unpack/repack the modem firmware?
Can you explain how you did it?
Posts: 81
Threads: 16
Joined: Aug 2012
Reputation:
14
18-05-2015, 04:30 AM
(This post was last modified: 18-05-2015, 04:30 AM by christianrodher.)
(22-09-2014, 05:06 PM)ciaby Wrote: Hi there! I'm very new to cable modem hacking. I just made a dump of the SPI flash inside a TG862A. Using binwalk and the firmware-mod-kit, I managed to extract the two filesystems. I also tried to modify /etc/passwd and point the root shell to /bin/sh, but of course it didn't work...
What's the next step? I got the full image, should I upload it somewhere?
Cheers
Ciaby 
can you send me the dumb... i want to extract it and see what i find... trying to find the oid to put them in factory via snmp.
Posts: 6
Threads: 0
Joined: Mar 2009
Reputation:
0
and they tried to put forceware?
Posts: 1
Threads: 0
Joined: May 2016
Reputation:
0
(08-01-2015, 11:27 PM)kapec Wrote: This arris firmware is a compleate junk. Not to mention they put their custom additions everywhere, theyve also added 2 password sets to protect the modem.
One of them is widely known arris password of the day, the second one is called a cm password.
Arris pwod can be generated using a public tool, but it seems they are now changing password seed, so the password u generate will not be valid. No biggie, all it does is that it gives you access to cm page with some technical info.
The other password is needed for accessing modems cli. Well, theres something to care about, like the ability to change mac address, right? After taking a quick look-the password is generated from modem serial number, then hashed at hmac function, then theres some byte shifting.
Since iam just lazy i just patched them both lol.
Btw, iam looking for some newer firmware revisions, like 2014 ones would be helpful.
Hello, i'm trying to get access to the busybox, but i need the password, could you share the chunk of code where is generated the password? (to see the algorithm) so i could generate the password from my modem's serial.
Posts: 25
Threads: 3
Joined: Jun 2015
Reputation:
0
(12-05-2016, 04:34 PM)joepanda Wrote: (08-01-2015, 11:27 PM)kapec Wrote: This arris firmware is a compleate junk. Not to mention they put their custom additions everywhere, theyve also added 2 password sets to protect the modem.
One of them is widely known arris password of the day, the second one is called a cm password.
Arris pwod can be generated using a public tool, but it seems they are now changing password seed, so the password u generate will not be valid. No biggie, all it does is that it gives you access to cm page with some technical info.
The other password is needed for accessing modems cli. Well, theres something to care about, like the ability to change mac address, right? After taking a quick look-the password is generated from modem serial number, then hashed at hmac function, then theres some byte shifting.
Since iam just lazy i just patched them both lol.
Btw, iam looking for some newer firmware revisions, like 2014 ones would be helpful.
Hello, i'm trying to get access to the busybox, but i need the password, could you share the chunk of code where is generated the password? (to see the algorithm) so i could generate the password from my modem's serial. Hi, I don't know the answer to what you're asking but since you were able to make the dump, can I ask you how you opened the modem in the first place? I've unscrewed all the screws I could see holding the modem, two upper corner screws and two screws on the bottom of the modem. I just can't seem to take the outter enclosure apart. I need to get to the internals to try to make a dump. Please provide some detailed guide and pictures do help me alot. Thanks fellow memebers.
|
