Thread Rating:
  • 5 Vote(s) - 4 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Arris TG2492 (VM Super hub 3)
#1
I've been doing some research on this cable modem in the hope of getting access to the firmware but I've hit a road block so hoping someone here has the knowledge/skills to crack this open. 

A decent breakdown of the modem can be found here which includes a mostly complete list of components and UART output: 
https://www.mobile-computer-repairs.co.u...ris-TG2492 

Having also checked myself I can confirm the console is locked, there's seemingly no way to stop or interrupt the boot script and no input is accepted. 

I then proceeded to desolder the nand and attempted to dump it. Unfortunately it would appear the nand is encrypted but for those interested you can get it here:
https://mega.nz/#!qZ5nETaI!QqGD5XRCeLUAtiDTqh3xJ17IwlnWcystaSf--kC4vy8

At this point I'm not sure how to proceed, with the nand being encrypted I tried to get some information on the eMMC chip Phison PS8211-0 but there doesn't appear to be any public information or data sheet. Does anyone know if this is what handles the nand encryption or is it being done at a bootloader level?

The only interesting information I could find was this anonymous pastebin which would appear to be from a fritzbox modem 

https://pastebin.com/GZDdJRPs

Code:
4    /etc/mmc/PS8211/phison_fw/PS8211_SLC_BFW_A.BIN
4    /etc/mmc/PS8211/phison_fw/PS8211_SLC_BFW_B.BIN
4    /etc/mmc/PS8211/phison_fw/phison.cfg
4    /etc/mmc/PS8211/read_image_version.sh
4    /etc/mmc/PS8211/read_mmc_fw_version.sh
4    /etc/mmc/PS8211/upgrade_mmc_fw.sh

It doesn't say what fritzbox modem this came from but obtaining a copy of the eMMC firmware would likely be useful in decrypting the nand.
Reply
#2
If only the bootloader weren't encrypted it could be possible to mod it to be "noisy" (display output and allow input/interrupt) but it appears the bootloader is also encrypted?
Reply
#3
(08-09-2018, 02:19 PM)ricktendo Wrote: If only the bootloader weren't encrypted it could be possible to mod it to be "noisy" (display output and allow input/interrupt) but it appears the bootloader is also encrypted?

Would assume the bootloader is the first/second page of the nand dump which would appear to be encrypted.
Reply
#4
have you considered crashing the bootloader after uboot has loaded, i'd start with connecting read-enable to ground with luck it'll crash to a uboot prompt
__________________________________________________________________________________
******new discord chat link https://discord.gg/5BQQbsb*******
Reply
#5
Was thinking about how to do that (couldn't find any public information) so I'll give that a try!
Need to wait for a replacement to arrive first though, currently disassembling current one to trace jtag.
Reply
#6
Do you have a JTAGulator or something similar?

If not how do you go about finding the JTAG pinout without something like it?
Reply
#7
(09-09-2018, 08:20 PM)ricktendo Wrote: Do you have a JTAGulator or something similar?

If not how do you go about finding the JTAG pinout without something like it?

It's on its way Wink
Reply
#8
update @emantec
Reply
#9
JTAGulator didn't work, managed to work out a way to dump unencrypted firmware though so currently investigating a exploit to allow remote root access.
Reply
#10
upload the dump . how have you get the dump from the route it self
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)