Arris TG2492 (VM Super hub 3)
vmu19 Offline
#21
RE: Arris TG2492 (VM Super hub 3)
Something like this:
$ mkdir /tmp/mmc;chmod 777 /tmp/mmc
$ sudo in.tftpd -cls /tmp/mmc
$ ssh root2@192.168.0.1 /bin/bash -i
root2@192.168.0.1's password:
/bin/bash: can't access tty; job control turned off
# cd /dev
# for p in mmc*;do tftp -p -l $p 192.168.0.100;done
20-01-2019, 10:12 AM
eltremendo Offline
#22
RE: Arris TG2492 (VM Super hub 3)
But would you be able to extract the certs this way?
20-01-2019, 03:48 PM
vmu19 Offline
#23
RE: Arris TG2492 (VM Super hub 3)
I imagine so. However, the modem I'm using hasn't been used to connect to the ISP. I think this is the cert stuff here, but I'm not sure:
# find /nvram/1/security
/nvram/1/security
/nvram/1/security/cm_key_prv.bin
/nvram/1/security/root_pub_key.bin
/nvram/1/security/mfg_cert.cer
/nvram/1/security/download
/nvram/1/security/download/40_0d_10_af_cb_f3_ED_EncCertFile.bin
/nvram/1/security/download/TI_NA_Cert_400d10afcbf3.key
/nvram/1/security/download/40_0d_10_af_cb_f3_ND_EncCertFile.bin
/nvram/1/security/download/TI_EU_Cert_400d10afcbf3.key
/nvram/1/security/download/TI_NA_Cert_400d10afcbf3.cer
/nvram/1/security/download/TI_EU_Cert_400d10afcbf3.cer
/nvram/1/security/cm_cert.cer
/nvram/1/security/mfg_key_pub.bin
20-01-2019, 04:50 PM
danman Offline
#24
RE: Arris TG2492 (VM Super hub 3)
Hi guys, I'm working on a very similar device, the CH7465 with NOSH firmware.
I was able to make a full dump and have a convenient way to modify the internal eMMC.
My device displays almost no messages on its console (just a few messages from the bootloader), so no shell access is available.
I was also able to order another device from eBay, and after cloning the eMMC the copy also works OK for accessing my internet connection.

I'd like to enable telnet/ssh access on this device. Did you make any progress with this?
25-02-2019, 10:49 AM
danman Offline
#25
RE: Arris TG2492 (VM Super hub 3)
[Image: wikAHI2.jpg]
(This post was last modified: 25-02-2019, 10:55 AM by danman.)
25-02-2019, 10:53 AM
danman Offline
#26
RE: Arris TG2492 (VM Super hub 3)
@vmu19: can you share your flash dump?
25-02-2019, 11:46 AM
danman Offline
#27
RE: Arris TG2492 (VM Super hub 3)
I'm getting PMs about how I extracted the FW. It's easy, you need a "better" SD card reader, in my case a Transcend TS-RDF5K, and an SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract, e.g. via dd:


Code:
dd if=/dev/sdc of=dump.dd bs=1M
(This post was last modified: 02-03-2019, 05:23 PM by danman.)
02-03-2019, 12:06 PM
eltremendo Offline
#28
RE: Arris TG2492 (VM Super hub 3)
(20-01-2019, 10:12 AM)vmu19 Wrote: Something like this:
$ mkdir /tmp/mmc;chmod 777 /tmp/mmc
$ sudo in.tftpd -cls /tmp/mmc
$ ssh root2@192.168.0.1 /bin/bash -i
root2@192.168.0.1's password:
/bin/bash: can't access tty; job control turned off
# cd /dev
# for p in mmc*;do tftp -p -l $p 192.168.0.100;done

(02-03-2019, 12:06 PM)danman Wrote: I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract.

Can I PM you?
02-03-2019, 02:10 PM
danman Offline
#29
RE: Arris TG2492 (VM Super hub 3)
(02-03-2019, 02:10 PM)eltremendo Wrote:
(20-01-2019, 10:12 AM)vmu19 Wrote: Something like this:
$ mkdir /tmp/mmc;chmod 777 /tmp/mmc
$ sudo in.tftpd -cls /tmp/mmc
$ ssh root2@192.168.0.1 /bin/bash -i
root2@192.168.0.1's password:
/bin/bash: can't access tty; job control turned off
# cd /dev
# for p in mmc*;do tftp -p -l $p 192.168.0.100;done

(02-03-2019, 12:06 PM)danman Wrote: I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract.

Can I PM you?
Why not ask here?
02-03-2019, 05:24 PM
eltremendo Offline
#30
RE: Arris TG2492 (VM Super hub 3)
I have another board, from an Arris 1602A. How can I trace or find the corresponding pins?
02-03-2019, 11:29 PM