Need SBG6580 Firmware backup

[ABMJR]

NOSH=NO SHELL

i had telnet access but while testing don't know what happen.. for some reason it locked me from my machine to logging..

[Rickz]

NOSH=NO SHELL

i had telnet access but while testing don't know what happen.. for some reason it locked me from my machine to logging..

i wish to have a backup for this to gain more experience checking the telnet feature..i mean made a full flash with jtagnt before locked.. but i don't have it and that will be my next project..

keep in mind NOSH never have or give any time telnet access so far i know.. i was logged in this one. i believe the protection it has..after been logged for a while then some key was changed.

Regards

[ABMJR]

TELNET after registration is closed

[Rickz]

Stack Sta
ck Stack
TaskId TaskName Priority State Size Use
d Margin
---------- -------------------------------- -------- -------- -------- -----
--- --------
0x80d81dd8 Network alarm support 6 SLEEP 5328 151
2 3816
0x80d204b0 Network support 7 SLEEP 8192 199
2 6200
0x80d86590 pthread.00000800 15 EXIT 7812 161
6 6196
0x80ce7720 tStartup 18 SLEEP 12288 692
8 5360
0x83fb8650 NonVol Device Async Helper 25 SLEEP 3072 118
8 1884
0x83f96c00 LED Controller Thread 23 SLEEP 4096 47
6 3620
0x83f95504BRCM Reset/Standby Switch Thread 23 SLEEP 8192 87
6 7316
0x83f92d50 Motorola Vendor Ctl Thread 23 SLEEP 4096 48
4 3612
0x83f916c8 CableHome Ping Thread 29 SLEEP 6144 39
6 5748
0x83fb9e14 WDOG 17 RUN 5120 512
0 0 OVERFLOW
0x83f2fb14 BFC Ping Thread 29 SLEEP 6144 187
6 4268
0x83f2f704 ConsoleThread 27 SUSP 24576 682
8 17748
0x83f01968 Telnet Thread 23 RUN 4096 262
4 1472
0x83f4eab8 SSH Thread 23 SLEEP 32768 166
4 31104
0x80d1d768 Idle Thread 31 RUN 2048 105
6 992
0x83f12994 Time Of Day Thread 23 SLEEP 6144 164
0 4504
0x83f12ea0 CmDocsisIpThread 23 SLEEP 8192 230
0 5892
0x83f835ac CmBpiManagerThd 23 SLEEP 8192 272
8 5464
0x83f7fd18 CmDsxHelper 23 SLEEP 8192 119
6 6996
0x83f18f44 CmDocsisCtlThread 21 SLEEP 8192 594
0 2252
0x82d31718 Scan Downstream Thread 23 SLEEP 4096 174
8 2348
0x83f729fc RateShaping Thread 23 SLEEP 4096 152
8 2568
0x83fb9f34 DocsisCmHalDataForwardingThread 23 SLEEP 6500 250
0 4000
0x83fba054 DocsisCmHalControlThread 22 SLEEP 4500 148
4 3016
0x83fba174 UtpRxMsgDqmThread 22 SLEEP 4500 41
2 4088
0x83fba294 AsyncDs_0 23 SLEEP 4500 36
8 4132
0x83fba3b4 AsyncDs_1 23 SLEEP 4500 121
6 3284
0x83fba4d4 AsyncDs_2 23 SLEEP 4500 104
8 3452
0x83fba5f4 AsyncDs_3 23 SLEEP 4500 91
2 3588
0x83fba714 AsyncDs_4 23 SLEEP 4500 36
8 4132
0x83fba834 AsyncDs_5 23 SLEEP 4500 36
8 4132
0x83fba954 AsyncDs_6 23 SLEEP 4500 36
8 4132
0x83fbaa74 AsyncDs_7 23 SLEEP 4500 36
8 4132
0x83fbab94 ENRX 23 SLEEP 8192 190
4 6288
0x83fbacb4 MSELNK 23 SLEEP 4500 101
2 3488
0x83fbadd4 USBCT 21 SLEEP 4500 46
8 4032
0x83fbaef4 UBCRX 23 SLEEP 4500 37
2 4128
0x83fbb014 USBRX 23 SLEEP 8192 38
8 7804
0x83fbb134 WL_TMR_scantimer 23 SLEEP 4500 34
0 4160
0x83fbb254 WL_TMR_phycal 23 SLEEP 4500 154
4 2956
0x83fbb374 WL_TMR_dfs 23 SLEEP 4500 34
0 4160
0x83fbb494 WL_TMR_resp 23 SLEEP 4500 218
4 2316
0x83fbb5b4 WL_TMR_eventq 23 SLEEP 4500 162
8 2872
0x83fbb6d4 WL_TMR_watchdog 23 SLEEP 4500 224
4 2256
0x83fbb7f4 WL_TMR_radio 23 SLEEP 4500 34
0 4160
0x83fbb914 WL_TMR_csa 23 SLEEP 4500 34
0 4160
0x83fbba34 RFMT 23 SLEEP 8596 472
8 3868
0x83fbbb54 RFNK 23 SLEEP 4500 73
6 3764
0x83fbbc74 RFBK 23 SLEEP 4500 108
8 3412
0x83fbbd94 ThreadDeleteTask 23 SLEEP 4096 42
0 3676
0x83fbbeb4 nas_wksp 23 SLEEP 12288 333
2 8956
0x83fbbfd4 EAPD 23 SLEEP 12288 217
6 10112
0x83fbc0f4 WPAT0 23 RUN 6548 79
6 5752
0x83fbc214 WifiSecureEzSetupThread 23 SLEEP 12288 229
2 9996
0x83fbc334 GuiCommandTask 23 SLEEP 16384 33
6 16048
0x83fbc454 WPSM 24 SLEEP 16384 438
0 12004
0x82c9a1e0 DHCP Client Thread 23 SLEEP 12288 270
0 9588
0x82c96bc4 DHCPv6 Client Thread 23 SLEEP 8192 47
2 7720
0x83fbc574 IpHalIst 23 SLEEP 9000 240
8 6592
0x82c88780 Forward Assist Manager 23 SLEEP 10240 314
4 7096
0x83fbc694 WPAT1 23 SLEEP 6548 306
4 3484
0x82c79578 ParentalCtlThread 23 SLEEP 40000 47
6 39524
0x82c64644 CmPropaneCtlThread 23 SLEEP 8192 160
8 6584
0x82c617a0 IGMP Thread 23 SLEEP 4096 202
4 2072
0x82c5872c CfgVB Thread 23 SLEEP 12288 295
6 9332
0x82c55154 DHCM 25 SLEEP 16384 47
2 15912
0x82c4fabc NetToMedia Thread 23 SLEEP 4096 223
6 1860
0x82c4e068 Trap Thread 23 SLEEP 16384 47
6 15908
0x82c5897c SNMP Thread 23 SLEEP 20480 566
8 14812
0x82b2c518 Event Log Thread 25 SLEEP 8192 267
2 5520
0x82ae9f84FTP Lite Client Thread for IP Stack1 23 SLEEP 8192
1008 7184
0x82ae4f4c WPA-NAS 23 SLEEP 8192 189
6 6296
0x82ae290c WiFi 80211 Configure Thread 23 RUN 8192 96
8 7224
0x82ae0624 WiFi 80211 Led Control Thread 23 RUN 8192 225
6 5936
0x82ade418 WiFi 80211 Control Thread 23 SLEEP 8192 162
8 6564
0x82adc22c HOME-PLUG 23 SLEEP 4096 139
2 2704
0x82adaad4 ND Thread for IP Stack1 23 SLEEP 6144 92
4 5220
0x82ad77a0 DHCP Server Thread 23 SLEEP 8192 321
6 4976
0x82ad4c2c Rip Client Thread 23 SLEEP 8192 84
4 7348
0x82acb914 CableHomeCtlThread 23 SLEEP 8192 573
2 2460
0x82ac8c04 Firewall Thread 29 SLEEP 8192 47
2 7720
0x82ac5d2c ArpPacketManagerThread 23 SLEEP 8192 156
4 6628
0x82aa97b0 eRouterCtlThread 23 SLEEP 8192 47
6 7716
0x82aa6ab0 BcmCspSecFwPolicyFileThread 23 SLEEP 8192 65
2 7540
0x82a9a97c Nat Timer Thread 23 SLEEP 4096 84
0 3256
0x82a96e00 RG SMTP Thread 23 SLEEP 8192 38
4 7808
0x829effb4 erouter IGMP Thread 23 SLEEP 4096 276
4 1332
0x829edff8Neighbor Discovery Thread for IP Stack3 23 SLEEP 6144
920 5224
0x829eb9a4Neighbor Discovery Thread for IP Stack5 23 SLEEP 6144
1204 4940
0x829e879c DHCPv6 Server Thread 23 SLEEP 8192 47
2 7720
0x829e5e94 DNS Server Thread 23 SLEEP 8192 89
6 7296
0x82976754 UpnpThread 23 SLEEP 8192 47
6 7716
0x829abc48 CableHomePingTool Thread 29 SLEEP 4096 348
4 612
0x829acd78 Ping Maintenance Thread 29 SLEEP 6144 40
0 5744
0x82965680 CableHomeConnSpeedTool Thread 29 SLEEP 4096 38
8 3708
0x8293ffc0 BcmStSessionTrackThread 23 SLEEP 8192 126
0 6932
0x8293d95c NAT Session Manager Thread 23 SLEEP 8192 152
4 6668
0x83fbc7b4 NATP NO-MATCH RX 23 SLEEP 8192 233
6 5856
0x83fbc8d4 NATP WIFI RX 23 SLEEP 8192 38
8 7804
0x8292a6d0 Traceroute Thread 29 SLEEP 8192 41
2 7780
0x82925390 IkeThread 23 SLEEP 8192 37
2 7820
0x829229c0 L2tp Thread 23 SLEEP 8192 48
0 7712
0x8291f884 Dynamic DNS Client Thread 23 SLEEP 8192 203
6 6156
0x8291cb30 HttpServerThread 23 SLEEP 12288 449
6 7792
0x828e5130 SLED Packet Generator Thread 23 SLEEP 8192 48
0 7712


Dear ABMJR

in the node where i connect there are more modems with telnet still open..most of them has been online for days/month

[maximus64]

Ok. I have successfully recover the modem back then. But now I wanted to extract the Certs to used on my other SB6120 modem ( I have to do all this BS because TWC isn't allow that specific modem to be online and I don't want to buy another modem ). I Extract it with cmnonexp 1.1.1 but there is some error complaining about the cert format. I try to load it in to the SB6120 anyway but doesn't work. It just can't parse the CM private key file, but everything else seem ok and was able to get my config from CMTS.

The warning are:
WARNING: address: 033F; size: 0x02A0 (672); unknow cert type: 0xE14B
Writing to file non01_2_private.key 672 bytes

Clearly cmnonexp didn't parse the CFG correctly :/

cmnonexp ouput:

Code:

cmnonexp (CableModem non-volatile explorer for BCM3348/BCM3349)
Version: 1.1.1 (Nov 16 2014 23:20:39)
         (c)2008-2009 under GPLv3 by qingpu & raikol

Read 65536 bytes from file mycfg.bin

0x00CA:(202) ---> Start new non-volatile nonvol <---
0x00CC:Length:0x541F (21535)
0x00CE:CRC32-Motorola:0xFFFFFFFFADB8E409 (-1380391927)
Non-volatile nonvol length: 0x541F (21535) at offset: 0x00CA
Calculate CRC: 0xADB8E409
CRC OK!!!

CM Application NonVol Settings found!
0x00D2:CMAp Size:0x0009 (9)
0x00D4:CMAp Magic:0x434D4170 ('CMAp')

Message Logging NonVol Settings found!
0x00DB:MLog Size:0x003C (60)
0x00DD:MLog Magic:0x4D4C6F67 ('MLog')

ERROR: address: 0119; size: 0x00C9 (201); unknow magic: 0xFFFFFFFFF2A1F61F ('    ')

8021 NonVol Settings found!
0x01E0:8021 Size:0x0010 (16)
0x01E2:8021 Magic:0x38303231 ('8021')

ERROR: address: 01F2; size: 0x008C (140); unknow magic: 0x38303253 ('802S')

Factory NonVol Settings found!
0x027C:FACT Size:0x0023 (35)
0x027E:FACT Magic:0x46414354 ('FACT')

PRNT NonVol Settings found!
0x029F:PRNT Size:0x0008 (8)
0x02A1:PRNT Magic:0x50524E54 ('PRNT')

CM BPI NonVol Settings found!
0x02A7:bpi Size:0x16C7 (5831)
0x02A9:bpi Magic:0x62706920 ('bpi ')

Cert number 1 found!
0x02AF:Cert Size:0x008C (140)
0x02B1:Cert class 1:0x3081 (12417)
Writing to file non01_1_public.key 140 bytes

WARNING: address: 033F; size: 0x02A0 (672); unknow cert type: 0xE14B
Writing to file non01_2_private.key 672 bytes

Cert number 3 found!
0x05DF:Cert Size:0x010E (270)
0x05E1:Cert class 2:0x3082 (12418)
Writing to file non01_3_root.key 270 bytes

Cert number 4 found!
0x06EF:Cert Size:0x0327 (807)
0x06F1:Cert class 2:0x3082 (12418)
Writing to file non01_4_cm_cert.cer 807 bytes

Cert number 5 found!
0x0A18:Cert Size:0x0404 (1028)
0x0A1A:Cert class 2:0x3082 (12418)
Writing to file non01_5_ca_cert.cer 1028 bytes

Cert number 6 found!
0x0E1E:Cert Size:0x008C (140)
0x0E20:Cert class 1:0x3081 (12417)
Writing to file non01_unknow06.key 140 bytes

WARNING: address: 0EAE; size: 0x02A0 (672); unknow cert type: 0x6299
Writing to file non01_unknow07.key 672 bytes

Cert number 8 found!
0x114E:Cert Size:0x010E (270)
0x1150:Cert class 2:0x3082 (12418)
Writing to file non01_unknow08.key 270 bytes

Cert number 9 found!
0x125E:Cert Size:0x032C (812)
0x1260:Cert class 2:0x3082 (12418)
Writing to file non01_unknow09.key 812 bytes

Cert number 10 found!
0x158C:Cert Size:0x03E0 (992)
0x158E:Cert class 2:0x3082 (12418)
Writing to file non01_unknow10.key 992 bytes

ERROR: address: 1970; size: 0x0082 (130); unknow magic: 0xFFFFFFFFD0C20100 ('    ')

ERROR: address: 19F2; size: 0x002C (44); unknow magic: 0xFFFFFFFFD0C20300 ('    ')

CableModem EventLog NonVol Settings found!
0x1A1C:CMEV Size:0x0008 (8)
0x1A1E:CMEV Magic:0x434D4556 ('CMEV')

Also, Does anyone know where is the UART port on this modem (SBG6580)? or maybe someway to enable telnet/ssh?

Thank you

[maximus64]

Founded UART port on the SBG6580, JTAG seen to be disabled. Got message from boot-loader but firmware seen to be silence.

Anyone got a shell firmware or maybe FW dump from the "orange" diagnostic version?

My modem is toast from the lightning strike. Tuner isn't working anymore. So I just playing around with it see if i can make it to a diagnostic modem.

Code:

BCM338031 TP0
1
Sync:1
346890
MemSize:             64 M

BootLoader Version: 2.6.3 production-release Gnu pcminit spiboot reduced DDR drive
Build Date: Nov  3 2011
Build Time: 11:34:58
SPI flash ID 0xc22018, size 16MB, block size 64KB, write buffer 256, busy bit 1

Signature/PID: c055

Reset BCM53115 - Low GPIO-16 5ms
Image sig = c055, chip sig = c055
Image 1 Program Header:
   Signature: c055
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0003
  Build Time: 2013/1/23 21:01:47 Z
File Length: 3287534 bytes
Load Address: 80004000
    Filename: ecram_sto.bin
         HCS: 1764
         CRC: c1515ff4

Found image 1 at offset 20000

Enter '1', '2', or 'p' within 2 seconds or take default...
. .

Performing CRC on Image 1...
CRC time = 51961142
Detected LZMA compressed image... decompressing...
Target Address: 0x80004000
decompressSpace is 0x4000000
Elapsed time 1002981720

Decompressed length: 16948568

Executing Image 1...


BCM338031 TP0
1
Sync:1
346890
MemSize:             64 M

BootLoader Version: 2.6.3 production-release Gnu pcminit spiboot reduced DDR drive
Build Date: Nov  3 2011
Build Time: 11:34:58
SPI flash ID 0xc22018, size 16MB, block size 64KB, write buffer 256, busy bit 1

Signature/PID: c055

Reset BCM53115 - Low GPIO-16 5ms
Image sig = c055, chip sig = c055
Image 1 Program Header:
   Signature: c055
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0003
  Build Time: 2013/1/23 21:01:47 Z
File Length: 3287534 bytes
Load Address: 80004000
    Filename: ecram_sto.bin
         HCS: 1764
         CRC: c1515ff4

Found image 1 at offset 20000

Enter '1', '2', or 'p' within 2 seconds or take default...
.

Board IP Address  [0.0.0.0]:          
Board IP Mask     [255.255.255.0]:    
Board IP Gateway  [0.0.0.0]:          
Board MAC Address [00:10:18:ff:ff:ff]:

Internal/External phy? (e/i)[i]
Waiting for link up...


Main Menu:
==========
  b) Boot from flash
  g) Download and run from RAM
  d) Download and save to flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  z) Reset

[maximus64]

WIN GOT SSH + TELNET Shell on NOSH FW

Code:

+-----------------------------------------------------------------------+
| Portions of this product contain open source software and are subject |
| to terms of the applicable license as specified in the release notes. |
+-----------------------------------------------------------------------+



           *         *
          ***       ***
          ***       ***
          ***       ***
         *****     *****
         *****     *****
         *****     *****
        *******   *******
        *******   *******
        *******   *******
       ********* *********
       ********* *********
       ****  *** ***  ****
      ***      ***      ***
      ***       *       ***
      **                 **
     **                   **
     **                   **
    **                     **
    *                       *
      Motorola  Corporation

+----------------------------------------------------------------------------+
                                                                              | |       _/_/     _/_/_/_/    _/_/
                                                                              | |      _/  _/   _/        _/    _/   Broadband
                                                                              | |     _/  _/   _/        _/
                                                                              | |    _/_/     _/_/_/    _/           Foundation
                                                                              | |   _/  _/   _/        _/
                                                                              | |  _/   _/  _/        _/    _/       Classes
                                                                              | | _/_/_/   _/          _/_/
                                                                              | |
                                                                              | | Copyright (c) 1999 - 2012 Broadcom Corporation
                                                                              | |
                                                                              | | Revision:  5.5.6mp5
                                                                              | |
                                                                              | | Features:  SBG6580 Console TelnetConsole SshConsole Nonvol Fat HeapManager
                                                                              | | Features:  SNMP Networking USB2.0 IPv6 (script Mot_SBG6580) Switch53125
+----------------------------------------------------------------------------+
                                                                              | | Standard Embedded Target Support for BFC
                                                                              | |
                                                                              | | Copyright (c) 2003-2012 Broadcom Corporation
                                                                              | |
                                                                              | | Revision:  3.0.1
                                                                              | |
                                                                              | | Features:  PID=0xa0f7 BID=0x0 Bootloader-Rev=2.3.0beta5
                                                                              | | Features:  Bootloader-Compression-Support=0x11 MANUFACT_BITS=0xa
                                                                              | | Features:  Bcm80211=Build Dec 19 2012 20:49:24
                                                                              | | Features:  App Ver 5.110.27.2006.556.45.5
                                                                              | | Features:  Wl Ver 5.100.138.2006.556.45.5
                                                                              | | Features:  IopLib-Rev=556.12.0
+----------------------------------------------------------------------------+
                                                                              | | eCos BFC Application Layer
                                                                              | |
                                                                              | | Copyright (c) 1999 - 2012 Broadcom Corporation
                                                                              | |
                                                                              | | Revision:  3.0.2
                                                                              | |
                                                                              | | Features:  eCos Console Cmds, (no Idle Loop Profiler)
+----------------------------------------------------------------------------+
                                                                              | |         _/_/    _/     _/
                                                                              | |      _/    _/  _/_/ _/_/   DOCSIS Cable Modem
                                                                              | |     _/        _/  _/ _/
                                                                              | |    _/        _/     _/
                                                                              | |   _/        _/     _/
                                                                              | |  _/    _/  _/     _/
                                                                              | |   _/_/    _/     _/
                                                                              | |
                                                                              | | Copyright (c) 1999 - 2012 Broadcom Corporation
                                                                              | |
                                                                              | | Revision:  5.5.6mp5
                                                                              | |
                                                                              | | Features:  AckCel(tm) DOCSIS 1.0/1.1/2.0/3.0 Propane(tm) CM SNMP w/Factory
                                                                              | | Features:  MIB Support CM Vendor Extension eDOCSIS SLED D3.0 Drop
                                                                              | | Features:  Classifiers FAP NA Production L2VPN
+----------------------------------------------------------------------------+
                                                                              | | Motorola Data-Only CM Vendor Extension
                                                                              | |
                                                                              | | Revision:  3.0.0a
                                                                              | |
                                                                              | | Features:  DHCP Server  HTTP Server  
+----------------------------------------------------------------------------+
                                                                              | |                 _/_/_/
                                                                              | |        _/_/    _/    _/    eRouter Dual Stack
                                                                              | |     _/    _/  _/    _/
                                                                              | |    _/_/_/_/  _/_/_/
                                                                              | |   _/        _/ _/
                                                                              | |  _/        _/   _/
                                                                              | |   _/_/_/  _/     _/
                                                                              | |
                                                                              | | Copyright (c) 1999 - 2012 Broadcom Corporation
                                                                              | |
                                                                              | | Revision:  5.5.6mp5
                                                                              | |
                                                                              | | Features:  eRouter SNMP Customer Extension NATP DS-Lite
+----------------------------------------------------------------------------+
                                                                              | | Broadcom eRouter Customer Extension
                                                                              | |
                                                                              | | Copyright (c) 1999 - 2012 Broadcom Corporation
                                                                              | |
                                                                              | | Revision:  3.0.2
                                                                              | |
                                                                              | | Features:  ()
+----------------------------------------------------------------------------+
                                                                              | | Build Date:  Jan 23 2013
                                                                              | | Build Time:  13:01:32 (-0800)
                                                                              | | Built By:    vobadm02
                                                                              | | Image Name:  ecram_sto.bin
                                                                              | | Image Path:  /vobs/sb/sb_ecos/rbb_cm_src/CmDocsisSystem/ecos/Mot_SBG6580_ipv6
+----------------------------------------------------------------------------+
CM> help

!               ?               REM             call            cd            
dir             find_command    help            history         instances      
ls              man             pwd             sleep           syntax        
system_time     usage          
----
con_high        cpuLoad         cpuUtilization  exit            mbufShow      
memShow         mutex_debug     ping            read_memory     reset          
routeShow       run_app         shell           socket_debug    stackShow      
taskDelete      taskInfo        taskPrioritySet taskResume      taskShow      
taskSuspend     taskSuspendAll  taskTrace       usfsShow        version        
write_memory    zone            
----
[80211_hal] [Console] [HeapManager] [HostDqm] [cablemedea] [cm_hal]
[docsis_ctl] [dtp] [eRouter] [embedded_target] [enet_hal] [event_log] [fam]
[flash] [forwarder] [ftpLite] [ip_hal] [msgLog] [non-vol] [pingHelper] [snmp]
[snoop] [usb_hal]

CM>

[maximus64]

Checking the log of SBG6580. I see

***BpiPrivateKey: Using Primary key
sha-1 comparison passed total size=634

******* Decrypt Complete *******
***BpiPlusCmCertificate: Using Primary cer
***BpiPlusCmCertificate: Using Primary cer

It look like that the Private key is encrypted.
Anyone know about this?

[maximus64]

Finally got my SB6120 online. Turn out that cmnonexp didn't parse the nonvol correctly. Used the SSH shell and do "/nonvol/bpi/print private" and there is the private key

[newname]

hahaha......this guy is a one man show......great stuff !!