Thread Rating:
  • 4 Vote(s) - 4 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Arris TG2492 (VM Super hub 3)
danman Offline
Junior Member
**

Posts: 16
Threads: 0
Joined: Feb 2019
Reputation: 0
#51
RE: Arris TG2492 (VM Super hub 3)
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC


Attached Files Thumbnail(s)
   
03-03-2019, 11:00 PM
Find Reply
eltremendo Offline
Haxorware Enthusiast
***

Posts: 90
Threads: 6
Joined: Apr 2012
Reputation: 0
#52
RE: Arris TG2492 (VM Super hub 3)
(03-03-2019, 11:00 PM)danman Wrote:
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC

wao thanks for the info . i can just tap those pins of the phiston chip with a pong
03-03-2019, 11:06 PM
Find Reply
eltremendo Offline
Haxorware Enthusiast
***

Posts: 90
Threads: 6
Joined: Apr 2012
Reputation: 0
#53
RE: Arris TG2492 (VM Super hub 3)
(03-03-2019, 11:00 PM)danman Wrote:
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC

what about this version with phiston chip


Attached Files Thumbnail(s)
           
06-03-2019, 05:42 AM
Find Reply
danman Offline
Junior Member
**

Posts: 16
Threads: 0
Joined: Feb 2019
Reputation: 0
#54
RE: Arris TG2492 (VM Super hub 3)
(06-03-2019, 05:42 AM)eltremendo Wrote:
(03-03-2019, 11:00 PM)danman Wrote:
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC

what about this version with phiston chip

no idea...
06-03-2019, 07:10 PM
Find Reply
eltremendo Offline
Haxorware Enthusiast
***

Posts: 90
Threads: 6
Joined: Apr 2012
Reputation: 0
#55
RE: Arris TG2492 (VM Super hub 3)
(06-03-2019, 07:10 PM)danman Wrote:
(06-03-2019, 05:42 AM)eltremendo Wrote:
(03-03-2019, 11:00 PM)danman Wrote:
(03-03-2019, 10:44 PM)eltremendo Wrote:
(03-03-2019, 01:13 AM)danman Wrote: You can probably use Windows too but I have no idea what tool you need to use.

more photos

It's the same chip as on my board PS8211-0 . It's possible that it will have the same pinout as mine:


31 - CMD
22 - CLK
25 - DAT0
26 - DAT1
24 - DAT2
33 - VCC

what about this version with phiston chip

no idea...

Hey what voltage should i feed the vcc with?
16-03-2019, 07:24 PM
Find Reply
elbarto Offline
Junior Member
**

Posts: 10
Threads: 3
Joined: Dec 2014
Reputation: 0
#56
RE: Arris TG2492 (VM Super hub 3)
(25-02-2019, 10:49 AM)danman Wrote: Hi guys, I'm working on very similar device CH7465 with NOSH firmware.
I was able to make a full dump and have convenient way to modify the internal eMMC.
My device doesn't display almost any messages on its console (just a few messages from bootloader) so no shell access is available.
I was also able to order another device from ebay and after clonning eMMC also the copy works Ok for accessing my internet connection.

I'd like to enable telnet/ssh access on this device. Did you make any progress with this?

Telnet and ssh can be activated, changing 0 by 1 in addresses  0x2A and 0x203 of /nvram/6/1 for TG862.
if nvram DB keeps same it can works. With breakout board taking, edit and get back file /6/1 in nvram partion and add or remplace rules with iptables.

(18-01-2019, 10:32 AM)vmu19 Wrote: Does anyone have the 9.1.116.608 firmware, or a mechanism to log in to this release? I can login to 9.1.116V using the mechanism from the NCC blog and I'm sure there must be other vulnerabilities to allow local login still. I looked at the two UARTs and only get output though someone mentioned the possibility of causing some sort of crash. Also from another site, it seems JTAG is disabled, so not going to try that route.

I got same problem, bucsay's mechanism is not longer work in new firms. Getting image of new firm from upgrade server and scraping file system. i hope find out to way to get acess.
(This post was last modified: 26-03-2019, 12:51 AM by elbarto.)
26-03-2019, 12:47 AM
Find Reply
emantec Offline
Junior Member
**

Posts: 13
Threads: 1
Joined: Sep 2018
Reputation: 1
#57
RE: Arris TG2492 (VM Super hub 3)
Decrypted 9.1.116 firmware for those interested.

https://mega.nz/#!opVmiILY!xr4En9nFS-6y5...-yJDITiMws
09-04-2019, 04:30 PM
Find Reply
blacklisted Offline
Haxorware Enthusiast
***

Posts: 24
Threads: 0
Joined: Oct 2018
Reputation: 0
#58
RE: Arris TG2492 (VM Super hub 3)
now for someone to build firmware
09-04-2019, 10:20 PM
Find Reply
ricktendo Offline
Haxorware Expert
*****

Posts: 269
Threads: 13
Joined: Apr 2014
Reputation: 23
#59
RE: Arris TG2492 (VM Super hub 3)
Nice, binwalk extracted it successfully!
12-04-2019, 06:11 AM
Find Reply
emantec Offline
Junior Member
**

Posts: 13
Threads: 1
Joined: Sep 2018
Reputation: 1
#60
RE: Arris TG2492 (VM Super hub 3)
Adding to elbarto's post on enabling telnet you can do the following to bypass the pwod by setting the 'client' password (assuming the client is actually Virgin Media in this case).

In /nvram/6/1 set the following at address 0x1F7

BC AE 6A 68 38 32 4B 18

This will set the password to 'pwned' giving you access to the higher privileged shell (still need to work out how to break into busybox).
12-04-2019, 07:27 PM
Find Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)