Arris TG2492 (VM Super hub 3)
#51
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC


Reply
#52
(03-03-2019, 11:00 PM)danman Wrote:
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC

Wow, thanks for the info. I can just tap those pins of the Phison chip with a pong.
Reply
#53
(03-03-2019, 11:00 PM)danman Wrote:
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC

What about this version with the Phison chip?


Reply
#54
(06-03-2019, 05:42 AM)eltremendo Wrote:
(03-03-2019, 11:00 PM)danman Wrote:
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC

What about this version with the Phison chip?

no idea...
Reply
#55
(06-03-2019, 07:10 PM)danman Wrote:
(06-03-2019, 05:42 AM)eltremendo Wrote:
(03-03-2019, 11:00 PM)danman Wrote:
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC

What about this version with the Phison chip?

no idea...

Hey, what voltage should I feed the VCC with?
Reply
#56
(25-02-2019, 10:49 AM)danman Wrote: Hi guys, I'm working on a very similar device, the CH7465 with NOSH firmware.
I was able to make a full dump and have a convenient way to modify the internal eMMC.
My device doesn't display almost any messages on its console (just a few messages from the bootloader), so no shell access is available.
I was also able to order another device from eBay, and after cloning the eMMC the copy also works OK for accessing my internet connection.

I'd like to enable telnet/ssh access on this device. Did you make any progress with this?

Telnet and ssh can be activated by changing 0 to 1 at addresses 0x2A and 0x203 of /nvram/6/1 for the TG862.
If the nvram DB stays the same, it can work. With a breakout board, take the file /6/1 from the nvram partition, edit it and put it back, and add or replace rules with iptables.

(18-01-2019, 10:32 AM)vmu19 Wrote: Does anyone have the 9.1.116.608 firmware, or a mechanism to log in to this release? I can login to 9.1.116V using the mechanism from the NCC blog and I'm sure there must be other vulnerabilities to allow local login still. I looked at the two UARTs and only get output though someone mentioned the possibility of causing some sort of crash. Also from another site, it seems JTAG is disabled, so not going to try that route.

I got the same problem; bucsay's mechanism no longer works in the new firmware. I'm getting the image of the new firmware from the upgrade server and scraping the file system. I hope to find a way to get access.
Reply
#57
Decrypted 9.1.116 firmware for those interested.

https://mega.nz/#!opVmiILY!xr4En9nFS-6y5...-yJDITiMws
Reply
#58
Now for someone to build firmware.
Reply
#59
Nice, binwalk extracted it successfully!
Reply
#60
Adding to elbarto's post on enabling telnet, you can do the following to bypass the pwod by setting the 'client' password (assuming the client is actually Virgin Media in this case).

In /nvram/6/1, set the following at address 0x1F7:

BC AE 6A 68 38 32 4B 18

This will set the password to 'pwned', giving you access to the higher-privileged shell (still need to work out how to break into BusyBox).
Reply
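As an added example (not code from anyone in this thread), a small Python audit for a dumped /nvram/6/1 image that reports the state of the two flag offsets from #56 and whether the password slot from #60 holds the posted 8-byte value, so a device's state can be checked before and after editing. The thread does not say which of 0x2A and 0x203 is telnet versus ssh, so the flags are reported by offset; the sample image is constructed, not a real dump.

```python
# Added example: audit a dumped /nvram/6/1 for the byte offsets discussed in this thread.
# Offsets 0x2A, 0x203 and 0x1F7 and the 8-byte value come from posts #56 and #60; the
# rest of the file layout is not known here, and the sample image below is constructed.

SHELL_FLAG_OFFSETS = {"flag_0x2A": 0x2A, "flag_0x203": 0x203}
PASSWORD_OFFSET = 0x1F7
# Eight bytes posted in #60 as setting the 'client' password to 'pwned'.
PWNED_PASSWORD_BLOB = bytes.fromhex("BCAE6A6838324B18")


def audit_nvram(data: bytes) -> dict:
    """Report the shell-enable flags and the password slot of a /nvram/6/1 image."""
    needed = max(PASSWORD_OFFSET + len(PWNED_PASSWORD_BLOB),
                 max(SHELL_FLAG_OFFSETS.values()) + 1)
    if len(data) < needed:
        raise ValueError(f"image too short: {len(data)} bytes, need at least {needed}")
    report = {name: data[off] for name, off in SHELL_FLAG_OFFSETS.items()}
    slot = data[PASSWORD_OFFSET:PASSWORD_OFFSET + len(PWNED_PASSWORD_BLOB)]
    report["password_slot"] = slot.hex()
    report["password_is_pwned_blob"] = slot == PWNED_PASSWORD_BLOB
    # The thread describes flipping the byte from 0 to 1; any other value is left for the reader.
    report["remote_shell_enabled"] = any(report[n] == 1 for n in SHELL_FLAG_OFFSETS)
    return report


def make_sample_image(shell_on: bool, pwned: bool, size: int = 0x400) -> bytes:
    """Constructed sample image (not a real dump): zero-filled, with the discussed bytes set."""
    img = bytearray(size)
    if shell_on:
        for off in SHELL_FLAG_OFFSETS.values():
            img[off] = 1
    if pwned:
        img[PASSWORD_OFFSET:PASSWORD_OFFSET + len(PWNED_PASSWORD_BLOB)] = PWNED_PASSWORD_BLOB
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:  # a real dump of /nvram/6/1
            data = f.read()
    else:
        data = make_sample_image(shell_on=True, pwned=True)
    for key, value in audit_nvram(data).items():
        print(f"{key}: {value}")
```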