Were you able to dump the firmware? #3
Comments
Unfortunately not yet. Didn't find the time in the past months to make some progress. Not searched for vulnerabilities of the network services and software yet. |
I was looking at a firmware with a higher version number (http://cmapp.ark.cablelynx.com/AR01.02.085_102620_711.NCS.10.7.NA.simg); looks like Vodafone hasn't got around to updating to it yet. You can extract it by running binwalk on it. There are code exec vulnerabilities in dnsmasq that are unpatched, but I don't think there is a way to exploit them (https://kb.cert.org/vuls/id/434904). BTW make sure you connect the router to the cable network and get the firmware updated to the latest before desoldering the flash. Looks like they have fixed a bunch of command injection vulnerabilities in the latest firmware (by making some annoying API limitations). |
More firmware files: the ones for the tg3442de begin with ARXX. http://72.240.115.5/ |
Logic converter is some sort of a UART interface, you think?
…On Tue, Jul 6, 2021, 5:37 AM arrobazo ***@***.***> wrote:
hello, in your hw review I miss the SPI BIOS MX25U3235FBAI-10G "12-BALL BGA" (WLCSP). There is another missing component that converts TTL 1.8v to 3.3v for the ATOM core console, it is a 2-bit logic converter "SN74AVC2T245RSWR" (XQFN10)
[image: 3a6b2869ea18894f64a0b360adabd8ce]
<https://user-images.githubusercontent.com/21269675/124538618-56062700-ddf2-11eb-920b-ba49a9eee49c.jpg>
[image: 6d3fd5258e9ebe1499a0529806f318be]
<https://user-images.githubusercontent.com/21269675/124538624-57375400-ddf2-11eb-9cb9-341a56247f7f.png>
[image: 8f908d9849557290a1eaee0f8aaffd66]
<https://user-images.githubusercontent.com/21269675/124538625-57cfea80-ddf2-11eb-8041-a38abffbbdb4.png>
[image: 645907c0fed10f5dca7f2e6c91149a66]
<https://user-images.githubusercontent.com/21269675/124538628-57cfea80-ddf2-11eb-87a9-615292bf6047.png>
@arrobazo didn't notice that you mentioned it's the console, were you able to monitor something on the console? |
@madushan1000 It is only a logic converter, the modems do not come from the factory with it, "I added it and soldered it", its job is to convert the 1.8v of the UART ATOM output of the CPU to 3.3v, but since that IC is not present there is no physical connection to the UART connector (which is also not present, a single row SMT pin header). |
Oh thanks! I was confused, did you manage to get a dump this way? If so I'd appreciate a copy :) |
haha if there are no problems, give me a moment and I upload the backup emmc / bios, and on soldering, mm, it is the smallest package smd201 haha, but it is not difficult, only solder on resistors and capacitors, you would only have to scrape Data0 in a through hole. update: "link backups" |
Thank you very much for the dump! Can you post a hi res picture(s) of your soldering so I can follow it? |
@arrobazo yes, you are right. I missed the SPI BIOS (U17). Got some trouble with identifying those chips. |
I just soldered it at that time and then removed it, I have another modem of these with the mod made but it is different "DiagModem", the notable differences are that it does not have fused cpu, it does not have safe boot and spi is soic8 and nand is tsop48 a difference from vodafone ISP version which are bga, let me upload pictures and draw pinout |
Is the DiagModem the retail tg3442? or is it from a different ISP? would love to get my hands on one of those. Vodafone like to lock things down too much :/ |
@nox-x The SPI does not need a converter, the 1.8v logic connection comes directly from the CPU, you only need a 1.8v SPI programmer to avoid burning your CPU. On the 2-bit UART logic converter IC, this I only soldered for entertainment, there are no active UART outputs, they are disabled from the BIOS by secureboot. |
Oh wow, nice find! BTW I extracted the dump and the firmware version is quite old, but it has the nvram (ext4) partitions so very helpful nevertheless! |
I am not in Germany so that my modem can be updated by vodafone xD, I have the diag version updated as root there are no problems :P |
ha ha, if I can root my router, I'll probably be able to download the latest firmware file from Vodafone. There is a command injection vulnerability (which I cannot find no matter how long I stare at the code :/) somebody found (https://forum.level1techs.com/t/success-command-injection-possible/163881/) but they're waiting for Vodafone to fix the issue before they disclose it. |
emmc accepts 3v but I do not recommend it better to use a sd exploitee low voltage 1.8v, you can also put off r19 (0 ohms) clk and use them to turn the modem with 12v, it will not start the cpu and you will not need to power phison. I recommend using 0.1mm thin enameled wires (only with an emmc isp programmer can you access boot0/1 through a compatible sd reader 1bit does not have access to those partitions ) undefined.mp4 |
Also, thanks for the pictures! Going to be very helpful :) Any chance you looked at the cga4233de (the other Vodafone station, based on a Broadcom DOCSIS 3.1 chip) too? |
nop ...I do not have a vodafone brand, cga4233-STO technicolor which is the same, they are bcm3390 spi and nand bga24 6x4, bga63 4g (512mb) same brand hw vodafone, I think that if you upload some photos I would confirm it but the one that I have the same vodafone cut of pcb I backed him up, a while ago |
I didn't remove the cover yet (pain in the ass to do because it's glued :/). I'll upload some pictures when I do! Thanks for the dump again, you're a godsend :D |
I remember that a friend mentioned to me that both the main operating system (Linux BCM manager) and the CM operating system (eCos) are stored on the NAND |
Interesting! I was able to extract the SPI (they were in a ton of jffs file system volumes for some reason). I'll look into bcmnand, wonder if I can build it as a module for my x86 kernel and use nandsim to extract the files. Thanks for the info. |
Hi. The dump actually contains To convert this to a readable dump, read the file in blocks of |
@jclehner I was able to extract some files this way too, thanks for the help! I guess the ubifs volumes are somewhat corrupted because we don't perform error correction? But I think I have enough to look for a way in :) |
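The two comments above concern the same step: turning a raw NAND dump (page data interleaved with the spare/OOB area) into a plain image that tools like binwalk or ubireader can read, and noticing that skipping ECC leaves UBIFS volumes looking corrupted. The following is an added example, not code from the thread; the page size, spare size and pages-per-block values are assumptions (the real block size is elided in the comment above), as is the bad-block marker convention (spare byte 0 of a block's first page != 0xFF).

```python
# Added example, not from the thread. Geometry values are ASSUMPTIONS:
# take the real page/spare/block sizes from the NAND chip's datasheet.
from typing import Iterator, List, Tuple

PAGE_SIZE = 2048        # assumed data bytes per page
OOB_SIZE = 64           # assumed spare (OOB) bytes per page: ECC, bad-block mark
PAGES_PER_BLOCK = 64    # assumed pages per erase block


def split_pages(raw: bytes, page_size: int = PAGE_SIZE,
                oob_size: int = OOB_SIZE) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (data, spare) for each physical page of a raw page+spare dump."""
    stride = page_size + oob_size
    if len(raw) % stride:
        raise ValueError(f"dump length {len(raw)} is not a multiple of {stride}")
    for off in range(0, len(raw), stride):
        chunk = raw[off:off + stride]
        yield chunk[:page_size], chunk[page_size:]


def strip_oob(raw: bytes, page_size: int = PAGE_SIZE,
              oob_size: int = OOB_SIZE) -> bytes:
    """Concatenate only the data areas: the 'readable dump' to feed to binwalk.
    No ECC is applied, so bit errors in the flash survive into the output."""
    return b"".join(data for data, _ in split_pages(raw, page_size, oob_size))


def bad_blocks(raw: bytes, page_size: int = PAGE_SIZE, oob_size: int = OOB_SIZE,
               pages_per_block: int = PAGES_PER_BLOCK) -> List[int]:
    """Erase blocks whose first page carries a non-0xFF marker in spare byte 0
    (assumed factory bad-block convention); skip these before parsing UBI."""
    bad = []
    for idx, (_, spare) in enumerate(split_pages(raw, page_size, oob_size)):
        if idx % pages_per_block == 0 and spare[0] != 0xFF:
            bad.append(idx // pages_per_block)
    return bad


def build_sample(page_size: int = 16, oob_size: int = 4) -> bytes:
    """Constructed dump: 4 tiny pages, page 2 marked bad in its spare area."""
    out = bytearray()
    for i in range(4):
        spare = bytearray(b"\xff" * oob_size)
        if i == 2:
            spare[0] = 0x00          # constructed bad-block mark
        out += bytes([i]) * page_size + spare
    return bytes(out)


if __name__ == "__main__":
    raw = build_sample()
    print(len(strip_oob(raw, 16, 4)), bad_blocks(raw, 16, 4, pages_per_block=2))
```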
@arrobazo Do you still have the cga4233-STO dump? The Mega link is broken. |
https://www.mediafire.com/file/vhwdgsdmn7w6dy0/CGA4233STO.7z/file |
Mediafire says "The key you provided for file access was invalid" |
I thought you already downloaded it, try again! |
Got it, thanks! |
The |
The link is dead, mega.nz says the file has been removed. Could you re-upload it please? |
@itspngu in the comments is http://72.240.115.5/, there you can find fw AR010X but there is no EU version. About the backup, here goes the link, I don't know why you would need it but here it goes; you can also read your modem via "emmc", check the pinout. https://www.mediafire.com/file/onanhqy4te3itlq/TG3442DE%255BVODAFONE%255D.zip/file |
Guys, has anyone an idea how to unhide the LAN settings in the Vodafone TG3442DE? Unbelievable that Vodafone hides fundamental settings like this from the user. I need to change the IPv4 and IPv6 DNS address in order to use my own DNS server with Pi-hole. Maybe someone can help or has an idea? Thanks a lot! |
Can someone help me - where is the CM MAC address stored? In the SPI BIOS? |
nop, it is located in the partition "nvram atom", /itstore/production.ini |
so no way to get root or change this file? |
I went down this rabbit hole many years ago on the As far as I understand it (this is an assumption, I have put the project on a shelf years ago due to lack of time and have not validated this myself), you should be able to hook up between the CPU and the Phison, it should have an eMMC/SD interface that will expose the memory (after all the fancy wear leveling, etc.) transparently to the CPU as it was not even there. Then you should be able to dump it. Hold the CPU in reset or something, so it doesn't mess with those lines. I am not sure if it performs any kind of authentication before it allows you to access the memory, if it does, then you're perhaps out of luck. But recovering the entire logical structure of the memory is a horrible PITA and you do not want to be doing that, unless you absolutely have to. |
Hello arrobazo, wanted to ask if you still have the dump file for the tg3442s/ce .. the link is not existing anymore. Thank you |
which file do you want? I'll see if I have a backup |
The newest Vodafone-branded firmware if you have that, otherwise the newest non-Vodafone firmware would be good |
Unfortunately I don't have a backup, however there is a torrent linked above that's still alive. |
Couldn't get the torrent to work, do I need a specific tracker? |
@marcohald |
@arrobazo thank you. I do not have root on the router yet. My main goal at the moment is to disable the DHCP server. |
I got a tg3442s/ce off ebay for about 12eur. Before attempting any hardware hacks, I wanted to know if you were able to dump the firmware?