07-09-2018, 08:32 PM
I've been doing some research on this cable modem in the hope of getting access to the firmware but I've hit a road block so hoping someone here has the knowledge/skills to crack this open.
A decent breakdown of the modem can be found here which includes a mostly complete list of components and UART output:
https://www.mobile-computer-repairs.co.u...ris-TG2492
Having also checked myself I can confirm the console is locked, there's seemingly no way to stop or interrupt the boot script and no input is accepted.
I then proceeded to desolder the nand and attempted to dump it. Unfortunately it would appear the nand is encrypted but for those interested you can get it here:
https://mega.nz/#!qZ5nETaI!QqGD5XRCeLUAtiDTqh3xJ17IwlnWcystaSf--kC4vy8
At this point I'm not sure how to proceed, with the nand being encrypted I tried to get some information on the eMMC chip Phison PS8211-0 but there doesn't appear to be any public information or data sheet. Does anyone know if this is what handles the nand encryption or is it being done at a bootloader level?
The only interesting information I could find was this anonymous pastebin which would appear to be from a fritzbox modem
https://pastebin.com/GZDdJRPs
It doesn't say what fritzbox modem this came from but obtaining a copy of the eMMC firmware would likely be useful in decrypting the nand.
A decent breakdown of the modem can be found here which includes a mostly complete list of components and UART output:
https://www.mobile-computer-repairs.co.u...ris-TG2492
Having also checked myself I can confirm the console is locked, there's seemingly no way to stop or interrupt the boot script and no input is accepted.
I then proceeded to desolder the nand and attempted to dump it. Unfortunately it would appear the nand is encrypted but for those interested you can get it here:
https://mega.nz/#!qZ5nETaI!QqGD5XRCeLUAtiDTqh3xJ17IwlnWcystaSf--kC4vy8
At this point I'm not sure how to proceed, with the nand being encrypted I tried to get some information on the eMMC chip Phison PS8211-0 but there doesn't appear to be any public information or data sheet. Does anyone know if this is what handles the nand encryption or is it being done at a bootloader level?
The only interesting information I could find was this anonymous pastebin which would appear to be from a fritzbox modem
https://pastebin.com/GZDdJRPs
Code:
4 /etc/mmc/PS8211/phison_fw/PS8211_SLC_BFW_A.BIN
4 /etc/mmc/PS8211/phison_fw/PS8211_SLC_BFW_B.BIN
4 /etc/mmc/PS8211/phison_fw/phison.cfg
4 /etc/mmc/PS8211/read_image_version.sh
4 /etc/mmc/PS8211/read_mmc_fw_version.sh
4 /etc/mmc/PS8211/upgrade_mmc_fw.shIt doesn't say what fritzbox modem this came from but obtaining a copy of the eMMC firmware would likely be useful in decrypting the nand.
