Haxorware Forums

Full Version: how to dump firmware from broadcom based modems
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Pages: 1 2
this may be really useful

https://danidelvalle.me/2016/01/21/how-t...le-modems/

[Image: brcm_firmware_dump.gif?w=700]

I wish I knew how to write code in python so I could download the 2mb config from modems. doing it by hand is not working and it's very tiring
you dont need to write python just how to edit it
all i guess you need to do is edit out his validation stuff and make it dump the full 8mb
or for fun you could make it just dump the config/nonvol
I´m really trying to get the nonvol (I even PMed you about that!) but I'm having trouble locating it

I dumped manually, thru diag readmem, the the regions of Permanent NonVol and all the 3 Dynamic ones but got no luck with cmnonvolextractor, just errors

I must be doing something wrong, how can I locate the 2mb CFG inside the flash? what the offset would be?

and how much memory there is inside the modem? because it´s possible to read portions that go beyond the 8mb region
If I manage to dump the full 8mb, how could I extract the certs, since cmnonvol only works with the 2mb cfg?

damn I think I´m so close but I lack the knowledge!
i dont read my pm's unless i know the name, i dont do this stuff anymore so i generally ignore all requests for help
i dont get why you think the cfg should be 2mb as it will only be 32k or 64k, have you opened what ever you dumped with readmem
and looked it in a hex editor? you should be able to see the nonvol area (certs)
i am assuming you have looked at other verifed nonvols and you'll see the same sequence of text showing the start of the nonvol so just copy out 32k
I understand and appreciate your attention, thank you.

Yes, I opened the dumped nonvol in a hex editor but, sadly there's nothing there that looks like a cert.

They came from a svg1202, the nonvol are 64k - but they don't work with cmnonvol - that's why I thought I needed the 2mb cfg.
I tried extracting certs from the nonvol I download from haxorware (32k) but nothing happens. No errors, but no certs either. I wouldn't mind scooping out the certs by hand, using a hex editor, but could not find them

I can see some text in the haxorware nonvol but there's nothing like that in nonvol I dumped.

I used the Flash device information to locate the nonvol sections (see below) Btw, which one is the right one? Permanent or dynamic?

Then I tried dump as much as I could, since I can only read 16384 bytes max at a time, it took me a long time to dump almost all of it. Actually I managed to find what looks like the private key, but it was outside the 8mb region displayed in the flash device information - which got me even more confused.

I don't expect to be spoon fed, any ideas will be much appreciated, thank you.

Code:
Flash Device Information:
      CFI Compliant: no
        Command Set: Generic SPI Flash
   Device/Bus Width: x16
Little Word Endian: no
    Fast Bulk Erase: no
    Multibyte Write: 256 bytes max
  Phys base address: 0xbadf1a5
Uncached Virt addr: 0x1badf1a5
   Cached Virt addr: 0x2badf1a5
   Number of blocks: 129
         Total size: 8388608 bytes, 8 Mbytes
       Current mode: Read Array
        Device Size: 8388608, Write buffer: 256, Busy bit: 
      Size  Device      Device     Region
Block  kB   Address     Offset     Offset   Region Allocation
----- ---- ---------- ----------- --------- -----------------
    0   32 0x1badf1a5           0         0 Bootloader (32768 bytes)
    1   32 0x1bae71a5       32768       ??? {unassigned}
    2   64 0x1baef1a5       65536         0 Permanent NonVol (65536 bytes)
    3   64 0x1baff1a5      131072         0 Image1
    4   64 0x1bb0f1a5      196608     65536 Image1
    5   64 0x1bb1f1a5      262144    131072 Image1
    6   64 0x1bb2f1a5      327680    196608 Image1
    7   64 0x1bb3f1a5      393216    262144 Image1
    8   64 0x1bb4f1a5      458752    327680 Image1
    9   64 0x1bb5f1a5      524288    393216 Image1
   10   64 0x1bb6f1a5      589824    458752 Image1
   11   64 0x1bb7f1a5      655360    524288 Image1
   12   64 0x1bb8f1a5      720896    589824 Image1
   13   64 0x1bb9f1a5      786432    655360 Image1
   14   64 0x1bbaf1a5      851968    720896 Image1
   15   64 0x1bbbf1a5      917504    786432 Image1
   16   64 0x1bbcf1a5      983040    851968 Image1
   17   64 0x1bbdf1a5     1048576    917504 Image1
   18   64 0x1bbef1a5     1114112    983040 Image1
   19   64 0x1bbff1a5     1179648   1048576 Image1
   20   64 0x1bc0f1a5     1245184   1114112 Image1
   21   64 0x1bc1f1a5     1310720   1179648 Image1
   22   64 0x1bc2f1a5     1376256   1245184 Image1
   23   64 0x1bc3f1a5     1441792   1310720 Image1
   24   64 0x1bc4f1a5     1507328   1376256 Image1
   25   64 0x1bc5f1a5     1572864   1441792 Image1
   26   64 0x1bc6f1a5     1638400   1507328 Image1
   27   64 0x1bc7f1a5     1703936   1572864 Image1
   28   64 0x1bc8f1a5     1769472   1638400 Image1
   29   64 0x1bc9f1a5     1835008   1703936 Image1
   30   64 0x1bcaf1a5     1900544   1769472 Image1
   31   64 0x1bcbf1a5     1966080   1835008 Image1
   32   64 0x1bccf1a5     2031616   1900544 Image1
   33   64 0x1bcdf1a5     2097152   1966080 Image1
   34   64 0x1bcef1a5     2162688   2031616 Image1
   35   64 0x1bcff1a5     2228224   2097152 Image1
   36   64 0x1bd0f1a5     2293760   2162688 Image1
   37   64 0x1bd1f1a5     2359296   2228224 Image1
   38   64 0x1bd2f1a5     2424832   2293760 Image1
   39   64 0x1bd3f1a5     2490368   2359296 Image1
   40   64 0x1bd4f1a5     2555904   2424832 Image1
   41   64 0x1bd5f1a5     2621440   2490368 Image1
   42   64 0x1bd6f1a5     2686976   2555904 Image1
   43   64 0x1bd7f1a5     2752512   2621440 Image1
   44   64 0x1bd8f1a5     2818048   2686976 Image1
   45   64 0x1bd9f1a5     2883584   2752512 Image1
   46   64 0x1bdaf1a5     2949120   2818048 Image1
   47   64 0x1bdbf1a5     3014656   2883584 Image1
   48   64 0x1bdcf1a5     3080192   2949120 Image1
   49   64 0x1bddf1a5     3145728   3014656 Image1
   50   64 0x1bdef1a5     3211264   3080192 Image1
   51   64 0x1bdff1a5     3276800   3145728 Image1
   52   64 0x1be0f1a5     3342336   3211264 Image1
   53   64 0x1be1f1a5     3407872   3276800 Image1
   54   64 0x1be2f1a5     3473408   3342336 Image1
   55   64 0x1be3f1a5     3538944   3407872 Image1
   56   64 0x1be4f1a5     3604480   3473408 Image1
   57   64 0x1be5f1a5     3670016   3538944 Image1
   58   64 0x1be6f1a5     3735552   3604480 Image1
   59   64 0x1be7f1a5     3801088   3670016 Image1
   60   64 0x1be8f1a5     3866624   3735552 Image1
   61   64 0x1be9f1a5     3932160   3801088 Image1
   62   64 0x1beaf1a5     3997696   3866624 Image1
   63   64 0x1bebf1a5     4063232   3932160 Image1
   64   64 0x1becf1a5     4128768   3997696 Image1 (4063232 bytes)
   65   64 0x1bedf1a5     4194304         0 Image2
   66   64 0x1beef1a5     4259840     65536 Image2
   67   64 0x1beff1a5     4325376    131072 Image2
   68   64 0x1bf0f1a5     4390912    196608 Image2
   69   64 0x1bf1f1a5     4456448    262144 Image2
   70   64 0x1bf2f1a5     4521984    327680 Image2
   71   64 0x1bf3f1a5     4587520    393216 Image2
   72   64 0x1bf4f1a5     4653056    458752 Image2
   73   64 0x1bf5f1a5     4718592    524288 Image2
   74   64 0x1bf6f1a5     4784128    589824 Image2
   75   64 0x1bf7f1a5     4849664    655360 Image2
   76   64 0x1bf8f1a5     4915200    720896 Image2
   77   64 0x1bf9f1a5     4980736    786432 Image2
   78   64 0x1bfaf1a5     5046272    851968 Image2
   79   64 0x1bfbf1a5     5111808    917504 Image2
   80   64 0x1bfcf1a5     5177344    983040 Image2
   81   64 0x1bfdf1a5     5242880   1048576 Image2
   82   64 0x1bfef1a5     5308416   1114112 Image2
   83   64 0x1bfff1a5     5373952   1179648 Image2
   84   64 0x1c00f1a5     5439488   1245184 Image2
   85   64 0x1c01f1a5     5505024   1310720 Image2
   86   64 0x1c02f1a5     5570560   1376256 Image2
   87   64 0x1c03f1a5     5636096   1441792 Image2
   88   64 0x1c04f1a5     5701632   1507328 Image2
   89   64 0x1c05f1a5     5767168   1572864 Image2
   90   64 0x1c06f1a5     5832704   1638400 Image2
   91   64 0x1c07f1a5     5898240   1703936 Image2
   92   64 0x1c08f1a5     5963776   1769472 Image2
   93   64 0x1c09f1a5     6029312   1835008 Image2
   94   64 0x1c0af1a5     6094848   1900544 Image2
   95   64 0x1c0bf1a5     6160384   1966080 Image2
   96   64 0x1c0cf1a5     6225920   2031616 Image2
   97   64 0x1c0df1a5     6291456   2097152 Image2
   98   64 0x1c0ef1a5     6356992   2162688 Image2
   99   64 0x1c0ff1a5     6422528   2228224 Image2
  100   64 0x1c10f1a5     6488064   2293760 Image2
  101   64 0x1c11f1a5     6553600   2359296 Image2
  102   64 0x1c12f1a5     6619136   2424832 Image2
  103   64 0x1c13f1a5     6684672   2490368 Image2
  104   64 0x1c14f1a5     6750208   2555904 Image2
  105   64 0x1c15f1a5     6815744   2621440 Image2
  106   64 0x1c16f1a5     6881280   2686976 Image2
  107   64 0x1c17f1a5     6946816   2752512 Image2
  108   64 0x1c18f1a5     7012352   2818048 Image2
  109   64 0x1c19f1a5     7077888   2883584 Image2
  110   64 0x1c1af1a5     7143424   2949120 Image2
  111   64 0x1c1bf1a5     7208960   3014656 Image2
  112   64 0x1c1cf1a5     7274496   3080192 Image2
  113   64 0x1c1df1a5     7340032   3145728 Image2
  114   64 0x1c1ef1a5     7405568   3211264 Image2
  115   64 0x1c1ff1a5     7471104   3276800 Image2
  116   64 0x1c20f1a5     7536640   3342336 Image2
  117   64 0x1c21f1a5     7602176   3407872 Image2
  118   64 0x1c22f1a5     7667712   3473408 Image2
  119   64 0x1c23f1a5     7733248   3538944 Image2
  120   64 0x1c24f1a5     7798784   3604480 Image2
  121   64 0x1c25f1a5     7864320   3670016 Image2
  122   64 0x1c26f1a5     7929856   3735552 Image2
  123   64 0x1c27f1a5     7995392   3801088 Image2
  124   64 0x1c28f1a5     8060928   3866624 Image2 (3932160 bytes)
  125   64 0x1c29f1a5     8126464         0 Dynamic NonVol
  126   64 0x1c2af1a5     8192000     65536 Dynamic NonVol
  127   64 0x1c2bf1a5     8257536    131072 Dynamic NonVol
  128   64 0x1c2cf1a5     8323072    196608 Dynamic NonVol (262144 bytes)
if you downloaded the nonvol from hax you shouldnt have any issues extracting files with cmnonvol unless the file is corrupt.
i tried again with different certs and an older version of cmnonvol (cmnonexpv1.1.1.exe). it kinda worked, but all the files were with some extra bytes, e.g. the public key was 141 bytes instead of 140. I opened in hex editor and compared with the original files and could see some extra spaces which were messing up everything. both certs CA an CM were also invalid due to this extra spaces 'D0' bytes.

the 2mb (cmnonexp2mb.exe) version was downloaded from this forum, so I really don't know what's going on.

I tried dumping again a 64k nonvol region using readmem.
I dumped the 3rd dynamic nonvol, offset 8257536, wich gave me 7E0000 in hex, so start woud be at 0x807e0000
the 4th dynamic nonvol starts at 8323072 = 7F0000, so I dumped until I reached 0x807f0000

then I searched for '31 81 89' for the public key in the hex editor, but no candy.
ok, so I tried to modify the original code but it's not working, so if anyone who understands python could give me a hand, I´ll be really grateful

here's the original

Code:
from sys import argv
from math import ceil
from telnetlib import Telnet
from optparse import OptionParser, OptionGroup
from progressbar import ProgressBar
import re

TIMEOUT = 2
BLOCK_SIZE = 8192

class BrcmFirmwareDump:
    
    def __init__(self, ip, user, password, port=23):
        
        # Connect
        self.tn = Telnet(ip,port,TIMEOUT)
        # self.tn.set_debuglevel(1)
        # workarround to avoid the connection getting stuck at option negociation
        self.tn.set_option_negotiation_callback(self.option_negociation)
        
        # Some old broadcom versions need any character
        # being send before prompting for the username
        while True:
            r = self.tn.read_until("ogin: ", TIMEOUT)
            if re.search("ogin:", r):
                break
            # Send a '\n'
            self.tn.write("\n")
        
        # Send the username
        self.tn.write(user+"\n")

        # Send the password
        self.tn.read_until("assword: ")
        self.tn.write(password+"\n")
        
        # Get the first prompt
        r = self.tn.read_until("> ")
        
        # Log in as root if necessary
        if re.search("Console", r):
            self.tn.write("su\n")
            self.tn.read_until("assword:  () []")
            self.tn.write("brcm\n")
            self.tn.read_until("> ")
            self.tn.write("\n")
            self.tn.read_until("> ")
                
        self.tn.write("cd flash\n")
        self.tn.read_until("\r\n\r\nCM/Flash> ")
        
        '''
        self.tn.write("deinit\n")
        self.tn.read_until("\r\n\r\nCM/Flash> ")
        
        self.tn.write("init\n")
        self.tn.read_until("\r\n\r\nCM/Flash> ")
        '''
    
    def log(self, message, image=1):
        print "Image%d> %s" % (image, message)
    
    def option_negociation(self, socket, command, option):
        pass
    
    def read_block(self, image, block):

        # Get a read command valid response
        while True:
            offset = block*BLOCK_SIZE
            command = "read 4 %d %d" % (BLOCK_SIZE,offset)
            self.tn.write(command + "\n")
            e = self.tn.read_until("\r\n\r\nCM/Flash> ")
            lines = e.split("\r\n")

            if len(lines)==7:
                response = lines[4].strip().replace(" ", "")
                until = len(response) / 2
                octecs_as_strings = [ response[2*i:2*i+2] for i in range(0,until)]
                
                if len(octecs_as_strings) != BLOCK_SIZE:
                    # Continue to try again
                    continue
                
                break
                
        return octecs_as_strings
    
    
    def process_block0(self, octecs_as_strings):
        filename = "".join( \
                [ c for c in \
                    map(lambda e: e.decode("hex"), octecs_as_strings[20:83]) \
                    if c != '\x00'])
        payload_size_hex = "".join(octecs_as_strings[13:16])
        payload_size = int(payload_size_hex,16)
        total_size = int(payload_size_hex,16) + int("0x5c",16)
        
        return filename, total_size
        
    def write_block(self, file, octecs_as_strings):
        as_decimals = map(lambda e: int(e,16), octecs_as_strings)
        file.write(bytearray(as_decimals))
        
    def open_image(self, image):
        self.tn.write("open image%d\n" % image)
        self.tn.read_until("\r\n\r\nCM/Flash> ")
    
    def close_image(self):
        self.tn.write("close\n")
        self.tn.read_until("\r\n\r\nCM/Flash> ")
        
    def download_image(self, image=1):
        
        self.log("Downloading first block...", image)
        self.open_image(image)

        # Read block 0
        octecs_as_strings = self.read_block(image, 0)
        filename, total_size = self.process_block0(octecs_as_strings)
        self.log("Detected firmware '%s' (%d bytes)" % (filename, total_size), image)
        
        # Ask the user whether the fw has to be downloaded
        while True:
            download = raw_input('Do you want to download the firmware? (y/n): ')
            if download.lower() == "n":
                self.close_image()
                return
            elif download.lower() == "y":
                break
        
        total_blocks = int(ceil(total_size / float(BLOCK_SIZE)))
        self.log("Reading next %d blocks (%d bytes each)" % (total_blocks-1, BLOCK_SIZE), image)
        
        readed = BLOCK_SIZE

        # Create ouput filen and save first block
        f = open(filename, "wb")
        self.write_block(f, octecs_as_strings)
                        
        # Read the reamaining blocks
        bar = ProgressBar()
        for block in bar(range(1, total_blocks)):
        
            octecs_as_strings = self.read_block(image, block)
            
            # Check if it is the final block
            if (readed + BLOCK_SIZE) > total_size:
                octecs_as_strings = octecs_as_strings[0:total_size-readed]
            
            # Write block to file
            self.write_block(f, octecs_as_strings)
            
            # Update the control counters
            readed += len(octecs_as_strings)
            
        # Close the output file
        f.close()
        
        # Close the flash image zone
        self.close_image()
        
    def close(self):
        self.tn.write("cd ..\n")
        self.tn.read_until("\r\n\r\nCM> ")
        self.tn.write("exit\n")
        self.tn.close()

def parse_cmdline(argv):
    """Parses the command-line."""
    
    parser = OptionParser(description='brcm_firmware_dump - telnet dump of firmware images from Broadcom based cable modems.')
    parser.add_option("-i", "--ip", dest="ip", help="Cable Modem IP Address (required)")
    parser.add_option("-u", "--user", dest="user", help="Telnet username")
    parser.add_option("-p", "--password", dest="password", help="Telnet password")
    
    # Parse the user input          
    (options, args) = parser.parse_args()
    
    # Check required arguments
    if options.ip is None:
        parser.print_help()
        parser.error("Cable modem IP address is required.")
    
    if options.user is None:
        parser.print_help()
        parser.error("Telnet username is required.")
    
    if options.password is None:
        parser.print_help()
        parser.error("Telnet password is required.")
    
    return (options, args)
    
if __name__ == '__main__':
    
    # parse the command line
    options, args = parse_cmdline(argv)
    
    brcm_fw_dump = BrcmFirmwareDump(options.ip, options.user, options.password)
    brcm_fw_dump.download_image(1)
    brcm_fw_dump.download_image(2)
    brcm_fw_dump.close()

and here's the modded version:

Code:
from sys import argv
from math import ceil
from telnetlib import Telnet
from optparse import OptionParser, OptionGroup
from progressbar import ProgressBar
import re

TIMEOUT = 2
BLOCK_SIZE = 16384

class BrcmFirmwareDump:
    
    def __init__(self, ip, user, password, port=23):
        
        # Connect
        self.tn = Telnet(ip,port,TIMEOUT)
        # self.tn.set_debuglevel(1)
        # workarround to avoid the connection getting stuck at option negociation
        self.tn.set_option_negotiation_callback(self.option_negociation)
        
        # Some old broadcom versions need any character
        # being send before prompting for the username
        while True:
            r = self.tn.read_until("ogin: ", TIMEOUT)
            if re.search("ogin:", r):
                break
            # Send a '\n'
            self.tn.write("\n")
        
        # Send the username
        self.tn.write(user+"\n")

        # Send the password
        self.tn.read_until("assword: ")
        self.tn.write(password+"\n")
        
        # Get the first prompt
        r = self.tn.read_until("> ")
        
        # Log in as root if necessary
        if re.search("Console", r):
            self.tn.write("su\n")
            self.tn.read_until("assword:  () []")
            self.tn.write("brcm\n")
            self.tn.read_until("> ")
            self.tn.write("\n")
            self.tn.read_until("> ")
                
        self.tn.write("cd system\n")
        self.tn.read_until("\r\n\r\nConsole/system> ")
        
        '''
        self.tn.write("deinit\n")
        self.tn.read_until("\r\n\r\nConsole/system> ")
        
        self.tn.write("init\n")
        self.tn.read_until("\r\n\r\nConsole/system> ")
        '''
    
    def log(self, message, image=1):
        print "Image%d> %s" % (image, message)
    
    def option_negociation(self, socket, command, option):
        pass
    
    def read_block(self, image, block):

        # Get a read command valid response
        while True:
            offset = hex(block*BLOCK_SIZE)
            command = "diag readmem -s 1 -n %d %d" % (BLOCK_SIZE,offset)
            self.tn.write(command + "\n")
            e = self.tn.read_until("\r\n\r\nConsole/system> ")
            lines = e.split("\r\n")

            if len(lines)==7:
                response = lines[4].strip().replace(" ", "")
                until = len(response) / 2
                octecs_as_strings = [ response[2*i:2*i+2] for i in range(0,until)]
                
                if len(octecs_as_strings) != BLOCK_SIZE:
                    # Continue to try again
                    continue
                
                break
                
        return octecs_as_strings
    
    
    def process_block0(self, octecs_as_strings):
        filename = "".join( \
                [ c for c in \
                    map(lambda e: e.decode("hex"), octecs_as_strings[20:83]) \
                    if c != '\x00'])
        payload_size_hex = "".join(octecs_as_strings[13:16])
        payload_size = int(payload_size_hex,16)
        total_size = int(payload_size_hex,16)
        
        return filename, total_size
        
    def write_block(self, file, octecs_as_strings):
        as_decimals = map(lambda e: int(e,16), octecs_as_strings)
        file.write(bytearray(as_decimals))
        
    #def open_image(self, image):
    #    self.tn.write("open image%d\n" % image)
    #    self.tn.read_until("\r\n\r\nConsole/system> ")
    
    #def close_image(self):
    #    self.tn.write("close\n")
    #    self.tn.read_until("\r\n\r\nConsole/system> ")
        
    def download_image(self, image=1):
        
        self.log("Downloading first block...", image)
        self.open_image(image)

        # Read block 0
        octecs_as_strings = self.read_block(image, 0)
        filename, total_size = self.process_block0(octecs_as_strings)
        self.log("Detected firmware '%s' (%d bytes)" % (filename, total_size), image)
        
        # Ask the user whether the fw has to be downloaded
        while True:
            download = raw_input('Do you want to download the firmware? (y/n): ')
            if download.lower() == "n":
                self.close_image()
                return
            elif download.lower() == "y":
                break
        
        total_blocks = int(ceil(total_size / float(BLOCK_SIZE)))
        self.log("Reading next %d blocks (%d bytes each)" % (total_blocks-1, BLOCK_SIZE), image)
        
        readed = BLOCK_SIZE

        # Create ouput filen and save first block
        f = open(filename, "wb")
        self.write_block(f, octecs_as_strings)
                        
        # Read the reamaining blocks
        bar = ProgressBar()
        for block in bar(range(1, total_blocks)):
        
            octecs_as_strings = self.read_block(image, block)
            
            # Check if it is the final block
            if (readed + BLOCK_SIZE) > total_size:
                octecs_as_strings = octecs_as_strings[0:total_size-readed]
            
            # Write block to file
            self.write_block(f, octecs_as_strings)
            
            # Update the control counters
            readed += len(octecs_as_strings)
            
        # Close the output file
        f.close()
        
        # Close the flash image zone
        #self.close_image()
        
    def close(self):
        self.tn.write("cd ..\n")
        self.tn.read_until("\r\n\r\nConsole> ")
        self.tn.write("exit\n")
        self.tn.close()

def parse_cmdline(argv):
    """Parses the command-line."""
    
    parser = OptionParser(description='brcm_firmware_dump - telnet dump of firmware images from Broadcom based cable modems.')
    parser.add_option("-i", "--ip", dest="ip", help="Cable Modem IP Address (required)")
    parser.add_option("-u", "--user", dest="user", help="Telnet username")
    parser.add_option("-p", "--password", dest="password", help="Telnet password")
    
    # Parse the user input          
    (options, args) = parser.parse_args()
    
    # Check required arguments
    if options.ip is None:
        parser.print_help()
        parser.error("Cable modem IP address is required.")
    
    if options.user is None:
        parser.print_help()
        parser.error("Telnet username is required.")
    
    if options.password is None:
        parser.print_help()
        parser.error("Telnet password is required.")
    
    return (options, args)
    
if __name__ == '__main__':
    
    # parse the command line
    options, args = parse_cmdline(argv)
    
    brcm_fw_dump = BrcmFirmwareDump(options.ip, options.user, options.password)
    brcm_fw_dump.download_image(1)
    brcm_fw_dump.download_image(2)
    brcm_fw_dump.close()

There are some differences in commands syntax and procedure, so I´ll explain:

1. the path in the original is "CM\Flash", needs to be "Console\system" - so I changed that

2. the command in the original was "read 4 64 0"
which means Reading 64 bytes as 4-byte entities, starting at an offset of 0
needs to be: "diag readmem -s 1 -n 16384 0x80000000"
I don't now what the -s 1 does
-n 16384 -> block size
0x800000000 -> offset in hex, so that needs to be changed. I tried, but I don't know if it worked "offset = hex(block*BLOCK_SIZE)"

3. in the original, you have to open the image first with the command "open image" - there's no need for that, so I initally commented out the parts where it appeared but it didn't work, so I removed the # (it didn't work either hehe)

4. the original is meant to download just the firmware, so it has a limiting size feature:
total_size = int(payload_size_hex,16) + int("0x5c",16)
where 0x5c is the starting position and total size is 0x1c0fbc (1,839,036 bytes), tho I could not understand how the total size is calculated and i don't know exactly what I should do to dump the whole thing.

5. since there's an 'open image' command, there's also a 'close image' too and I think this will not be needed.

I know it's logging on to the telnet cause I checked the log of the modem, but it freezes just after I hit enter and does not show any error message, so I don't know exactly what's going on.
post or pm me a link to the crap you have dumped from your modem i wanna look, cant help with the python as i cant write it, when i edit shit like that i do trial and error method with lots of google yet never really understanding wtf is happening
(and is that fails i'd remove all references to modems and what not and post it to somewhere like stackoverflow asking how to change it so it dumps from the nonvol memory address)
pmed you, thank you

mabye I´ll get in touch with the developer...bad idea?
Pages: 1 2