Pages: 1 2 3 4 5 6 7 8 9 10 11
@emantec or elbarto, please confirm:
Does your sh script get put into the folder nvram/0/? If so, please explain: does this path auto-run any files in this folder?
And where would I put the vmtool binary?
If I put VMTOOL and the sh script into the path /etc/scripts/, then how is your sh script run?
I asked for understanding, and I noticed that /nvram/0/ has a file that runs the script sys_startup.sh. Are you asking us to edit this file?
Please can you answer this, and how your script would run: what invokes it?
Thank you
(19-04-2019, 10:16 AM)blacklisted Wrote: [ -> ]@emantec or elbarto, please confirm:
Does your sh script get put into the folder nvram/0/? If so, please explain: does this path auto-run any files in this folder?
And where would I put the vmtool binary?
If I put VMTOOL and the sh script into the path /etc/scripts/, then how is your sh script run?
I asked for understanding, and I noticed that /nvram/0/ has a file that runs the script sys_startup.sh. Are you asking us to edit this file?
Please can you answer this, and how your script would run: what invokes it?
Thank you
As I said: "On boot it checks for the script /nvram/0/sys_setup.sh and runs it if it exists."
If that script already exists, then I assume you're not using a Virgin Media modem and your provider has modified the firmware further. In that case, just compare the scripts and merge them.
If you read the script, it's pretty obvious where the tool should go.
With that said, if your firmware is different, your nvram values may also be different.
It's VM, same SH 3.
All I request is: should I put your script and vmtool in the scripts dir? I have put them in /etc/scripts/; there must be something.
That's why I would like to confirm if I am correct.
It's sys_startup.sh that exists, not sys_setup.
Thanks
I am leaving this here for the moment, as others who may ask a similar question can read it.
I will come and report back and edit once I get going.
(02-03-2019, 12:06 PM)danman Wrote: [ -> ]I'm getting PMs about how I extracted the FW. It's easy: you need a "better" SD card reader (in my case a Transcend TS-RDF5K) and an SD or microSD breakout board:
https://github.com/danielkucera/MicroSD_Sniffer
and connect corresponding pins on the board:
https://blog.danman.eu/wp-content/upload...t-desc.jpg
Then you just insert the breakout board, connect pins to your board and you can extract, e.g. via dd:
Code:
dd if=/dev/sdc of=dump.dd bs=1M
Hello, with the Transcend TS-RDF5K and an SD or microSD breakout board, is it possible to extract the complete dump?
(19-04-2019, 10:44 AM)blacklisted Wrote: [ -> ]It's VM, same SH 3.
All I request is: should I put your script and vmtool in the scripts dir? I have put them in /etc/scripts/; there must be something.
That's why I would like to confirm if I am correct.
It's sys_startup.sh that exists, not sys_setup.
Thanks
I am leaving this here for the moment, as others who may ask a similar question can read it.
I will come and report back and edit once I get going.
OK, this has worked perfectly. You need to have the modem connected and mount nvram from that.
(12-04-2019, 07:27 PM)emantec Wrote: [ -> ]Adding to elbarto's post on enabling telnet, you can do the following to bypass the pwod by setting the 'client' password (assuming the client is actually Virgin Media in this case).
In /nvram/6/1, set the following at address 0x1F7:
BC AE 6A 68 38 32 4B 18
This will set the password to 'pwned', giving you access to the higher-privileged shell (I still need to work out how to break into BusyBox).
(16-04-2019, 12:07 PM)emantec Wrote: [ -> ]Upon some further research, it seems their shell is very locked down and there's no way to break out of it. With that said, I did find an extremely easy command injection exploit.
Although it was helpful, it's not actually needed to unlock the system; you can do that simply from the NVRAM.
On boot it checks for the script /nvram/0/sys_setup.sh and runs it if it exists. I put together a script that runs some code I compiled to enable telnet on every boot, set the client password and set the permissions to the maximum level, so you can access all the restricted commands from the restricted shell. You can access pretty much everything from there, even the Intel CPU:
Code:
[ 6] Atom> help
help
Directory Commands ->
manuf : <DIR> Manuf
status : Show Modem Status
!reset : Reset Modem
system : Run shell command
help : Display commands
!logout : Disconnect telnet/SSH
quit : Quit the Atom CLI
Type '<cmd> ?' for available help.
Return Status: 0
[ 7] Atom> manuf
manuf
[ 8] Manuf> help
help
Directory Commands ->
ccTest : Dummy Cable Card Test
boottimeout : Set CEFDK boot timeout
macset : Set Atom MAC address
loadFromUSB : Load Inactive Bank from USB
sectorInfo : Show sector info
status : Show Modem Status
!reset : Reset Modem
system : Run shell command
help : Display commands
!logout : Disconnect telnet/SSH
quit : Quit the Atom CLI
Type '<cmd> ?' for available help.
Return Status: 0
[ 9] Manuf>
I've uploaded my script, source and binary here if people want to use it. Enjoy.
https://mega.nz/#!g8lTiSbD!mC4J8cFBo38Vv...NZRwaLrq6s-
Can you please confirm that the password is "pwned"? I have tried, but it's not letting me in. The script is working, as I see the following in the serial console at boot:
Code:
vm_printf("********** Initializing Telnet **********\n");
vm_printf("******* Disabling Telnet timeout ********\n");
vm_printf("******* Setting Client Password ********\n");
clientpass[8] = { 0xBC, 0xAE, 0x6A, 0x68, 0x38, 0x32, 0x4B, 0x18 };
vm_printf("******* Setting Max Priviledges ********\n");
The password is as you have set. What is wrong? Is the script writing to this area?
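The NVRAM change quoted above from emantec's post (eight bytes written at address 0x1F7 of /nvram/6/1) comes down to an offset write into a binary file. The script below is an added example for this page, not emantec's script or the vmtool binary: it backs the file up, writes the eight bytes with dd using conv=notrunc so nothing else in the file is touched, and reads the bytes back before and after so you can see exactly what changed at that offset. The file name argument, the helper names and the 1 KiB zero-filled sample blob are constructed for the demo; on a unit whose NVRAM database layout differs, the offset will differ too, and the "before" read is there precisely so you can stop if the bytes you see are not what you expected.

```shell
#!/bin/sh
# Added example (not the thread's script): write the 8 password bytes quoted
# in the thread at offset 0x1F7 of a copy of /nvram/6/1, with backup and a
# before/after check. Helper names and the sample blob are constructed.
set -eu

OFFSET=$((0x1F7))
# BC AE 6A 68 38 32 4B 18 as octal escapes so printf emits the raw bytes.
PATCH='\274\256\152\150\070\062\113\030'

# Print the 8 bytes at $OFFSET of file $1 as upper-case hex, space separated.
read_at() {
    dd if="$1" bs=1 skip="$OFFSET" count=8 2>/dev/null \
        | od -An -tx1 -v \
        | tr -s ' \n' ' ' \
        | sed 's/^ //; s/ $//' \
        | tr 'a-f' 'A-F'
}

# Back up $1, write PATCH at $OFFSET in place (conv=notrunc keeps the rest of
# the file and its length), then return the bytes now at that offset.
patch_password() {
    cp "$1" "$1.bak"
    printf "$PATCH" | dd of="$1" bs=1 seek="$OFFSET" conv=notrunc 2>/dev/null
    read_at "$1"
}

# Constructed stand-in for /nvram/6/1: a 1 KiB zero-filled file at path $1.
make_sample() {
    dd if=/dev/zero of="$1" bs=1024 count=1 2>/dev/null
}

# Usage: sh patch_nvram_pw.sh /path/to/copy-of-nvram-6-1
if [ "$#" -eq 1 ]; then
    echo "before: $(read_at "$1")"
    echo "after:  $(patch_password "$1")"
fi
```

Run it against a copy of the file pulled from the modem or from a full dump, never the only copy, and compare the "before" line with what you expect at that address; if it already holds something other than the old password field, the layout is different and writing there is the wrong move.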
[quote pid='36556' dateline='1555826524']
Can you please confirm that the password is "pwned"? I have tried, but it's not letting me in. The script is working, as I see the following in the serial console at boot:
[/quote]
If it's not working for you, then try rebooting; if it still doesn't work, then something else is wrong.
If you're seeing the output in the console, then maybe your database is different and your password is stored elsewhere. You'll need to dump your firmware and check arris_password.
(16-04-2019, 12:07 PM)emantec Wrote: [ -> ]With that said I did find a extremely easy command injection exploit.
Could you please share any tips about it?
(21-04-2019, 12:59 PM)emantec Wrote: [ -> ][quote pid='36556' dateline='1555826524']
Can you please confirm that the password is "pwned"? I have tried, but it's not letting me in. The script is working, as I see the following in the serial console at boot:
[/quote]
If it's not working for you, then try rebooting; if it still doesn't work, then something else is wrong.
If you're seeing the output in the console, then maybe your database is different and your password is stored elsewhere. You'll need to dump your firmware and check arris_password.
I have flashed your firmware and tried with that.
Can you say where the arris password would be stored? nvram 6/1,
or?