Thread Rating:
  • 5 Vote(s) - 4 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Arris TG2492 (VM Super hub 3)
#21
Something like this:
$ mkdir /tmp/mmc;chmod 777 /tmp/mmc
$ sudo in.tftpd -cls /tmp/mmc
$ ssh root2@192.168.0.1 /bin/bash -i
root2@192.168.0.1's password:
/bin/bash: can't access tty; job control turned off
# cd /dev
# for p in mmc*;do tftp -p -l $p 192.168.0.100;done
Reply
#22
But would you be able to extract the certs this way?
Reply
#23
I imagine so. However the modem I'm using hasn't been used to connect to the ISP. I think this is the cert stuff here, but not sure:
# find /nvram/1/security
/nvram/1/security
/nvram/1/security/cm_key_prv.bin
/nvram/1/security/root_pub_key.bin
/nvram/1/security/mfg_cert.cer
/nvram/1/security/download
/nvram/1/security/download/40_0d_10_af_cb_f3_ED_EncCertFile.bin
/nvram/1/security/download/TI_NA_Cert_400d10afcbf3.key
/nvram/1/security/download/40_0d_10_af_cb_f3_ND_EncCertFile.bin
/nvram/1/security/download/TI_EU_Cert_400d10afcbf3.key
/nvram/1/security/download/TI_NA_Cert_400d10afcbf3.cer
/nvram/1/security/download/TI_EU_Cert_400d10afcbf3.cer
/nvram/1/security/cm_cert.cer
/nvram/1/security/mfg_key_pub.bin
Reply
#24
Hi guys, I'm working on very similar device CH7465 with NOSH firmware.
I was able to make a full dump and have convenient way to modify the internal eMMC.
My device doesn't display almost any messages on its console (just a few messages from bootloader) so no shell access is available.
I was also able to order another device from ebay and after clonning eMMC also the copy works Ok for accessing my internet connection.

I'd like to enable telnet/ssh access on this device. Did you make any progress with this?
Reply
#25
[Image: wikAHI2.jpg]
Reply
#26
@vmu19 : can you share your flash dump?
Reply
#27
I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract, e.g. via dd:


Code:
dd if=/dev/sdc of=dump.dd bs=1M
Reply
#28
(20-01-2019, 10:12 AM)vmu19 Wrote: Something like this:
$ mkdir /tmp/mmc;chmod 777 /tmp/mmc
$ sudo in.tftpd -cls /tmp/mmc
$ ssh root2@192.168.0.1 /bin/bash -i
root2@192.168.0.1's password:
/bin/bash: can't access tty; job control turned off
# cd /dev
# for p in mmc*;do tftp -p -l $p 192.168.0.100;done

(02-03-2019, 12:06 PM)danman Wrote: I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract.

Can i pm you?
Reply
#29
(02-03-2019, 02:10 PM)eltremendo Wrote:
(20-01-2019, 10:12 AM)vmu19 Wrote: Something like this:
$ mkdir /tmp/mmc;chmod 777 /tmp/mmc
$ sudo in.tftpd -cls /tmp/mmc
$ ssh root2@192.168.0.1 /bin/bash -i
root2@192.168.0.1's password:
/bin/bash: can't access tty; job control turned off
# cd /dev
# for p in mmc*;do tftp -p -l $p 192.168.0.100;done

(02-03-2019, 12:06 PM)danman Wrote: I'm getting PMs about how did I extract the FW. It's easy, you need a "better" SD card reader, in my case Transcend TS-RDF5K, SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer

and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg

Then you just insert the breakout board, connect pins to your board and you can extract.

Can i pm you?
Why not ask here?
Reply
#30
i have another board, from a 1602A arris . how can i trace or find the corresponding pins ?
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)