Thread Rating:
  • 5 Vote(s) - 4 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Arris TG2492 (VM Super hub 3)
#61
How do you actually find /nvram/6/1 file, is this by looking at the full dump in a hex editor?
Reply
#62
Binwalk dump
Reply
#63
Yea, but how do you rebuild the nvram after you edit the file?
Reply
#64
you mount partition any edits is live unmount and you saved auto
Reply
#65
(26-03-2019, 12:47 AM)elbarto Wrote:
(25-02-2019, 10:49 AM)danman Wrote: Hi guys, I'm working on very similar device CH7465 with NOSH firmware.
I was able to make a full dump and have convenient way to modify the internal eMMC.
My device doesn't display almost any messages on its console (just a few messages from bootloader) so no shell access is available.
I was also able to order another device from ebay and after clonning eMMC also the copy works Ok for accessing my internet connection.

I'd like to enable telnet/ssh access on this device. Did you make any progress with this?

Telnet and ssh can be activated, changing 0 by 1 in addresses  0x2A and 0x203 of /nvram/6/1 for TG862.
if nvram DB keeps same it can works. With breakout board taking, edit and get back file /6/1 in nvram partion and add or remplace rules with iptables.

(18-01-2019, 10:32 AM)vmu19 Wrote: Does anyone have the 9.1.116.608 firmware, or a mechanism to log in to this release? I can login to 9.1.116V using the mechanism from the NCC blog and I'm sure there must be other vulnerabilities to allow local login still. I looked at the two UARTs and only get output though someone mentioned the possibility of causing some sort of crash. Also from another site, it seems JTAG is disabled, so not going to try that route.

I got same problem, bucsay's mechanism is not longer work in new firms. Getting image of new firm from upgrade server and scraping file system. i hope find out to way to get acess.

(15-04-2019, 06:06 AM)blacklisted Wrote: you mount partition any edits is live unmount and you saved auto

how you mount ?
Reply
#66
Upon some further research it seems their shell is very locked down and there's no way to break out of it. With that said I did find a extremely easy command injection exploit.
Although it was helpful it's not actually needed to unlock the system, you can do that simply from the NVRAM.

On boot it checks for the script /nvram/0/sys_setup.sh and runs if it exists, I put together a script that runs some code I compiled to enable telnet on every boot, set the client password and set the permissions to the maximum level so you can access all the restricted commands from the restricted shell. You can access pretty much everything from there, even the Intel cpu:

   
Code:
[  6] Atom> help
help

Directory Commands ->

      manuf : <DIR> Manuf
     status : Show Modem Status
     !reset : Reset Modem
     system : Run shell command
       help : Display commands
    !logout : Disconnect telnet/SSH
       quit : Quit the Atom CLI

Type '<cmd> ?' for available help.

Return Status: 0

[  7] Atom> manuf
manuf
[  8] Manuf> help
help

Directory Commands ->

     ccTest : Dummy Cable Card Test
boottimeout : Set CEFDK boot timeout
     macset : Set Atom MAC address
loadFromUSB : Load Inactive Bank from USB
 sectorInfo : Show sector info
     status : Show Modem Status
     !reset : Reset Modem
     system : Run shell command
       help : Display commands
    !logout : Disconnect telnet/SSH
       quit : Quit the Atom CLI

Type '<cmd> ?' for available help.

Return Status: 0

[  9] Manuf>


I've uploaded my script, source and binary here if people want to use it, enjoy.

https://mega.nz/#!g8lTiSbD!mC4J8cFBo38Vv...waLrq6s-XU
Reply
#67
Did a bit more reversing today and worked out how to add custom commands to the cli menu. They have a plugin system which dynamically loads shared libraries to add menus and their commands. 

Once you know the structure it's fairly trivial. Just added a custom 'pwnmenu' to run system level commands. I'll probably make a post at some point summarising everything and detailing this further as I have access to pretty much everything at this point.

[Image: DX4TlSC.png]

Also, a list of most of the commands available from the cli

Code:
system               - Go to system Menu.
        startup              - Go to Startup Sub-menu.
                enable               - Enable auto start, execute the startup script.
                disable              - Disable auto start, jump to command line.
                filename             - Setup startup script filename <startup script>.
                docsis               - Enable/Disable DOCSIS <Bool - on/off>.
                default              - Setup default startup script filename and enable auto start.
                show                 - Show current settings.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        nvram                - Go to NVRAM Sub-menu.
                show                 - List database of a module in a component [component module].
                remove               - Remove a database of a module in a component [component module].
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        environment          - Go to Environment variables Sub-menu.
                printenv             - Print environment variables.
                setenv               - Set an environment variable value [variable value].
                hexgetenv            - Get an environment variable value in hex format [variable].
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        pp                   - Go to Packet Processor Sub-menu.
                brief                - Show global, vpids and sessions summary.
                devs                 - Show counters by network devices.
                disable              - Disable packet processor.
                enable               - Enable  packet processor.
                flush                - Flush all sessions.
                global               - Show global statistics.
                mapper               - <number of sessions [1..2048(all)]> Show connection tracking mapping.
                nopsm                - Take C/Q/M-PDSPs out of Power Save mode.
                noqos                - Disable QoS processing scheme (Debug purpoces only).
                pids                 - Show pids.
                psm                  - Put  C/Q/M-PDSPs into Power Save mode.
                qos                  - Enable  QoS processing scheme (Debug purpoces only).
                qosDiscardOOO        - <[0=ForwardOOO,1=DiscardOOO(default)]> Qos Discard out of order.
                resetStats           - Reset the HIL Analysis stats.
                resetTimeout         - Reset the session timeout to default.
                session              - <"all"> - Shows all active sessions
                       <"wan2lan"> - Shows all WAN-->LAN active sessions
                       <"lan2wan"> - Shows all LAN-->WAN active sessions
                       <"lan2lan"> - Shows all LAN-->LAN active sessions
                       <"mac"> <"da","sa","all"> <MAC Adress> - Shows all sessions matching to MAC SA/DA/both
                       <"ipv4"> <"src","dst","all"> <IP> - Shows all sessions matching to IPv4 SRC/DST/both
                       <"ipv6"> <"src","dst","all"> <IP> - Shows all sessions matching to IPv6 SRC/DST/both
                       <"tcp"> - Shows all TCP active sessions
                       <"udp"> - Shows all UDP active sessions
                       <"dslite"> - Shows all Ds-Lite active sessions
                       <"gre"> - Shows all GRE active sessions
                       <"drop"> - Shows all drop sessions.
                setDsLiteUsFragIPv4  - <DS-Lite US frag method[0=IPv6(default),1=IPv4]> Set the SD-Lite Fragment method.
                setClstMaxCreditByte - <clusterId> <maxCredit> Set the cluster max Byte Global Credit.
                setClstMaxCreditPkt  - <clusterId> <maxCredit> Set the cluster max Pkt Global Credit.
                setQueueItCreditByte - <queueId> <itCredit> Set the queue Iteration Byte Credit.
                setQueueItCreditPkt  - <queueId> <itCredit> Set the queue Iteration Pkt Credit.
                setQueueMaxCreditByte - <queueId> <maxCredit> Set the queue max Byte Credit.
                setQueueMaxCreditPkt - <queueId> <maxCredit> Set the queue max Pkt Credit.
                setReassDbTimeout    - <[2..254]=Timeout in mSEC , 255=Disable timeout> Set the Reassembly DB timeout.
                setSesTimeout        - <Sec> Set the session timeout.
                stats                - Show HIL Analysis report.
                tdoxAckSupprDis      - <[0=Enable(default),1=Disable]> TDOX ACK suppression.
                tdoxDbg              - <[0=Disable,1=Enable]> TDOX debug.
                tdoxDis              - Disable TDOX feature.
                tdoxEn               - Enable TDOX feature.
                tdoxEvalAvgPktSize   - <Bytes> Set the TDOX Evaluation packet size threshold.
                tdoxEvalPPS          - <PPS> Set the TDOX Evaluation packets per second threshold.
                tdoxEvalTime         - <Sec> Set the TDOX Evaluation time.
                test                 - Go to test Menu.
                        createSession        - create the session.
                        printDsPktEgress     - print dsPktDataEngress.
                        printDsPktIngress    - print dsPktDataIngress.
                        printUsPktEgress     - print usPktDataEngress.
                        printUsPktIngress    - print usPktDataIngress.
                        setDsPktEgress       - <pkt AA:BB:CC..> <length> set dsPktDataEgress.
                        setDsPktIngress      - <pkt AA:BB:CC..> <length> set dsPktDataIngress.
                        setUsPktEgress       - <pkt AA:BB:CC..> <length> set usPktDataEgress.
                        setUsPktIngress      - <pkt AA:BB:CC..> <length> set usPktDataIngress.
                        help                 - Display menu commands.
                        shortcuts            - Display key shortcuts help.
                        exit                 - Exit this sub-menu, go to previous menu.
                                                quit                 - Quit and terminate CLI.
                        reboot               - Reboot the system.

                version              - Show Firmware version.
                vpids                - Show counters by vpids.
                vpidEgressList       - <vpid Id> Show egress handles list for specific VPID.
                vpidIngressList      - <vpid Id> Show ingress handles list for specific VPID.
                vpidTcpList          - <vpid Id> Show tcp handles list for specific VPID.
                vpidTdoxList         - <vpid Id> Show tdox handles list for specific VPID.
                xQC                  - <cluster Id> Show QoS Cluster extended data.
                xQQ                  - <queue Id> Show QoS Queue extended data.
                xSession             - <session Id> Show sessions extended data.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        sme                  - Go to State Machine Engine Sub-menu.
                list                 - List all top-level state machines.
                lshort               - List all state machines [filters].
                llong                - List all state machines with state path [filters].
                SetModule            - Set the LOG module (SM name (partial), Module index, [Component index]).
                SetSeverity          - Set the LOG Severity (SM name (partial), Severity index).
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        l2switch             - Go to L2Switch Sub-menu.
                disableForwarding    - Stops all traffic in l2switch..
                enableForwarding     - Starts traffic in l2switch..
                disablePort          - Stop Rx and Tx on a port.
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                enablePort           - Starts Rx and Tx on a port.
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                setPortMode          - Sets MAC gasket mode for a port. Full Duplex is alwyas assumed.
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM)
                               Mode(0-7): 0 = MII at 10Mbps, 1 = MII at 100 Mbps, 2 = RMII at 10 Mbps,
                               3 = RMII at 100 Mbps, 4 = GMII at 1000 Mbps, 5 = RGMII at 100Mbps,
                               6 = RGMII at 1000Mbps,7 = RGMII at 10Mbps..
                getPortStats         - Get statistic counters for a port.
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                getProxyStats        - PrxPDSP statistics.
                enableTaggingOnPort  - Mark port as tagged.Tagged ports expect to receive tagged frames.
                       Untagged frames will be assigned to port's Native Vlan.
                       Tagged port always transmits tagged frames.
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                disableTaggingOnPort - Mark port as untagged.Untagged expect to receive untagged frames.
                       Ttagged frames will be discarded.
                       Untagged port always transmits tagged frames.
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                setPortNativeVlan    - Set port Native Vlan.Untagged frames will be assigned to this Vlan.
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                addPortToVlan        - Adds tagged port to Vlan.
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                removePortFromVlan   - Removes tagged port from Vlan.
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                getVlans             - Shows vlan configuration.
                getMcastMacs         - Show static and learned multicast MAC addresses in l2switch.
                getMcastRouterPorts  - Show static and learned multicast MAC addresses in l2switch.
                getUcastMacs         - Show static and learned multicast MAC addresses in l2switch.
                addStaticMac         - Add static MAC address to l2switch fwd table.
                       Params:
                               Ports bitmap: Bitmap value of relevant ports.
                               MACaddress: MAC address to add, format: XX-XX-XX-XX-XX-XX.
                deleteStaticMac      - Delete static MAC address from l2switch fwd table.
                       Params:
                               MACaddress: Static MAC address to delete,
                               format: XX-XX-XX-XX-XX-XX.
                getConfig            - Show current switch configuration..
                getStartupConfig     - Show startup switch configuration..
                getLog               - Get l2switch firmware log.
                enableLog            - Enable firmware logging.
                disableLog           - Disable firmware logging.
                getMachineState      - Get l2switch hardware state.
                enableEgressLogPort  - Enable logging of egressing packets on a port
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                disableEgressLogPort - Disable logging of egressing packets on a port
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                enableIngressLogPort - Enable logging of ingressing packets on a port
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                disableIngressLogPort - Disable logging of ingressing packets on a port
                       Params:
                               Port number(0-7): 0 = ATOM, 1 = MOCA, 2 = RGMII0, 3 = RGMII1,
                               5 = UDMA0, 6 = UDMA1, 7 = DOCSIS/ARM).
                readMDIO             - Perform MDIO read.
                               Params:
                               PhyAddr: PHY address on MDIO bus
                               RegAddr: Register address in PHY.
                writeMDIO            - Perform MDIO write.
                       Params:
                               PhyAddr: PHY address on MDIO bus
                               RegAddr: Register address in PHY
                               Data: Value to write to register.
                readCBUSRegister     - Read CBUS register.
                       Params:
                               RegAddr: CBUS register address.
                writeCBUSRegister    - Write CBUS register.
                       Params:
                               RegAddr: CBUS register address
                               RegVal: Value to write.
                disableIgmpSnooping  - Disables IGMP/MLD snooping in l2switch..
                enableIgmpSnooping   - Enable IGMP/MLD snooping in l2switch..
                dbgGetFwdData        - .
                dbgGetCam            - .
                extswitch            - go to external switch Menu.
                        Init                 - Initialize External Switch           - .
                        Shutdown             - Shutdown External Switch             - .
                        Stats                - Display tx, rx numbers per port      - .
                        addVlanToVtu         - add vlan to VTU                      - <vlanid>.
                        chngPortDefVid       - change the port default VID          - <new default vlanid>, <eth Port(0-5)>.
                        deleteVlan           - delete vlan from VTU                 - <vlanid>.
                        globRdReg            - read glob regs                       - <Global device (0x1b - global 1 registers, 0x1c- global 2 registers)>, <regOffset(0-31)>.
                        globWrReg            - write glob regs                      - <Global device (0x1b - global 1 registers, 0x1c- global 2 registers)>, <regOffset(0-31)>, <vlaue>.
                        getVtuInfo           - get vlan info from VTU               - <vlanid>.
                        initExtSwich         - init extern switch to 802.1q modes   - <802.1q igress mode (0-disable, 1-fallback 2-check 3-secure)>.
                        mapPortToVlan        - map port to vlan                     - <vlanid>, <PortMemberTag (0-untouched, 1-untag 2-tag 3-discard)>, <eth Port(0-internal .. 4)>.
                        removePortFromVlan   - unmap port from vlan                     - <vlanid>, <eth Port(0-5)>.
                        portEnable           - read port params                     - <eth Port(0-internal .. 4)>, <Dis/En (0/1)>.
                        portRdReg            - read port regs                       - <eth Port(0-internal .. 7)>, <regOffset(0-31)>.
                        portWrReg            - write port regs                      - <eth Port(0-internal .. 7)>, <regOffset(0-31)>, <value>.
                        rdAllPortsParams     - read all ports parameters            - .
                        resetSwitch          - reset the switch configuration       - .
                        QinQ_NutralPort      - set port to be a non Q in Q          - <eth Port(0-internal .. 4)>.
                        QinQ_Port            - set port to be a Q in Q              - <eth Port(0-internal .. 4)>, <Q in Q tag type>, <Q in Q vlanid>.
                        show                 - Show external switch configuration.
                        initDB               - init external switch restore DB.
                        restoreSwitch        - restore switch configuration from DB.
                        StatisticsPerPort    - counter statistics per port- <eth Port(0-internal .. 4)>.
                        macAddressTable      - macAddressTable.
                        resetCountersPerPort - reset counters per port<eth Port(0-internal .. 4)>.
                        resetCountersPerAllPorts - reset counters for all ports.
                        phyPortEnable        - enable PHY                           - <eth Port(0-internal .. 4)>, <Dis/En (0/1)>.
                        searchMac            - search mac address                   - MACaddress.
                        addMac               - add mac address                      - MACaddress, <eth Port(0-internal .. 4)>, <Dynamic/Static (0/1)>.
                        delMac               - del mac address                      - MACaddress, <eth Port(0-internal .. 4)>.
                        loopDetectEnable     - enable loop detect function          - <Dis/En (0/1)>.
                        help                 - Display menu commands.
                        shortcuts            - Display key shortcuts help.
                        exit                 - Exit this sub-menu, go to previous menu.
                                                quit                 - Quit and terminate CLI.
                        reboot               - Reboot the system.

                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        arm11_atom_mbx       - Go to Arm11-Atom Mail box Sub-menu.
                sendEvent            - event ID <0x1-0xc0>.
                sendRpcIfEvent       - <APP-CPU IP addr> <NP-CPU IP addr> <Network mask> <VLAN ID>.
                receiveAck           - event ID <0x1-0xc0> .
                sendAck              - event ID <0x1-0xc0> .
                receiveEvent         - event ID <0x1-0xc0> isParamRequiered <0-1> Parameter< 4 bytes> .
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        mmc                  - Go to MMC Controller box Sub-menu.
                show                 - Display settings.
                setcontroller        - <369DB|PS7000|PS8211>, Set MMC controller type.
                imageversion         - Print F/W version in file system.
                fwversion            - Print eMMC Controller F/W version.
                autoupgrade          - <enable|disable>, Enable/Disable auto upgrade on system boot.
                upgrade              - Perform eMMC Controller F/W upgrade.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        psm                  - Go to PSM sub menu.
                power                - Simulate power <on/off>.
                showMask             - Show power control mask.
                setMask              - Set power control mask <mask | ALL | ALWAYS> <1/0 | 0x*** | 1/0>.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        lpcm                 - Go to LPCM sub menu.
                enable               - Enable low power consumption feature - reset is required..
                disable              - Disable low power consumption feature - reset is required..
                forced               - Forced low power consumption when CMTS not support EM feature..
                unforced             - Unforced low power consumption when CMTS not support EM feature..
                narrowenable         - Enable narrow scanning mode..
                narrowdisable        - Disable narrow scanning mode, halt and resume wide scanning.
                widetimerset         - Set a timer for wide scanning (in seconds).
                widetimerget         - Get a timer for wide scanning (in seconds).
                widetimerenable      - Enable wide scanning timer.
                widetimerdisable     - Disable wide scanning timer.
                halttimerset         - Set a timer for halt scanning (in seconds).
                halttimerget         - Get a timer for halt scanning (in seconds).
                resumetimerset       - Set a timer for resume scanning (in seconds).
                resumetimerget       - Get a timer for resume scanning (in seconds).
                show details         - Display all LPCM details.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        network              - Dump networking related information.
        memory               - Dump memory related information.
        timers               - List all GPTimer requests in the system.
        gimdb                - dump the Gim Database on the screen.
        netrxReduce          - Reduce net-rx task priority.
        netrxRestore         - Restore net-rx task priority.
        ipPrint              - Print IP addresses used in the system.
        link                 - Generate LinkUp/Down events : {wlan | moca} {up | down}.
        ProductionSystem     - Go to Production Sub-menu.
                prodset              - Set production params.
                prodshow             - Show production parameters.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        help                 - Display menu commands.
        shortcuts            - Display key shortcuts help.
        exit                 - Exit this sub-menu, go to previous menu.
                quit                 - Quit and terminate CLI.
        reboot               - Reboot the system.

voice                - Go to Voice Menu.
logger               - Go to Logger Menu.
        ComponentConfig      - set/unset a component (component_id, 1/0).
        AllComponentsConfig  - set/unset all components (1/0).
        ModuleConfig         - set/unset a module (component_id, module_id, 1/0).
        AllModulesConfig     - set/unset all modules (component_id, 1/0).
        SeverityConfig       - set/unset a severity level (severity_level, 1/0).
        AllSeveritiesConfig  - set/unset all severity levels (1/0).
        SocketConfig         - Set the socket of the Logger UDP target (ip_address, port).
        FilenameConfig       - Set the filename for the file target (/dev/pts/0 for telnet).
        QueueLimitConfig     - Set the message queue limits (Message limit, Bytes limit) (0=Unlimited, -1=Default).
        DebugModulesConfig   - Enable/disable debug output of a module (component_id, module_id, 1/0).
        AllDebugModulesConfig - Enable/disable debug output of all modules (component_id, 1/0).
        TimeDisplay          - Set/unset time display  (1/0).
        ComponentDisplay     - Set/unset component display (1/0).
        ModuleDisplay        - Set/unset module display (1/0).
        FullDisplay          - Set full display.
        DefaultDisplay       - Set default display.
        ShortDisplay         - Set short display.
        UserDisplay          - Save/Restore user defined display (1/0).
        TargetConfig         - Set/unset output target (target_id, 1/0).
        componentsList       - Show components list and indicates set/unset for each.
        modulesList          - Show moudles list for a given component (component_id), and indicates set/unset for each.
        severitiesList       - Show severities list and indicates set/unset for each.
        displayConfigList    - Show display config list and indicates set/unset for each.
        targetsList          - Show targets list and indicates set/unset for each.
        socketShow           - Show the socket of the Logger udp target.
        filenameShow         - Show the filaname for file target.
        queueLimitShow       - Show the Logger queue limit.
        setDefaults          - Set Logger's Configuration default valus.
        list                 - Show all components and their modules.
        info                 - Show all logger information (severities, targets, queue...).
        enable               - Enable logger output.
        disable              - Disable logger output.
        help                 - Display menu commands.
        shortcuts            - Display key shortcuts help.
        exit                 - Exit this sub-menu, go to previous menu.
                quit                 - Quit and terminate CLI.
        reboot               - Reboot the system.

eventm               - Go to Event Manager Menu.
        SendEvent            - Send an event through the system (cm/mta, event_number, vendor, must_text, vendor_text).
        SendStdTrap          - Send a standard trap through the system (cm/mta, sub_type, if_id, admin_status, oper_status).
        ResetLog             - Reset the Event Manager's Log (cm/mta).
        DefaultEventTables   - Set the Event Manager tables to default (cm/mta).
        SetEventLevel        - Set new level for an event      (cm/mta, event_id, new_evel).
        SetEventMask         - Set new mask for an event       (cm/mta, event_id, new_mask).
        SetEventText         - Set new text for an event  (cm/mta, event_id, new_text).
        SetPriorityMask      - Set new mask for a priority  (cm/mta, priority, new_mask).
        GetEventsList        - Gets and prints the events list (cm/mta, vendor_events(1/0)).
        SetThrotAdmin        - Set the throttling admin status  (cm/mta, 1-Unconstrained/2-Throt below threshold/3-Throt stop at threshold/4-Inhibited).
        SetThrotThresh       - Set the throttling threshold  (cm/mta, threshold).
        SetThrotInterval     - Set the throttling interval  (cm/mta, interval).
        GetThrotParams       - Get the throttling parameters  (cm/mta).
        StartSyslog          - Start the Syslog service (cm/mta, ipVer: 0-V4/1-V6, IP address).
        StopSyslog           - Stop the Syslog service (cm/mta).
        GetSyslogServer      - Get the Syslog server (cm/mta).
        StartSNMP            - Start the SNMP service (cm/mta).
        StopSNMP             - Stop the SNMP service (cm/mta).
        ExitManager          - Stop and exit from the event manager  (cm/mta).
        help                 - Display menu commands.
        shortcuts            - Display key shortcuts help.
        exit                 - Exit this sub-menu, go to previous menu.
                quit                 - Quit and terminate CLI.
        reboot               - Reboot the system.

version              - prints system version.
pacm                 - Go to PACM Menu.
        version              - prints PACM version.
        options              - prints PACM compilation options.
        provisioning         - go to Provisioning Menu.
                provDebug            - go to Provision Debug Sub-Menu.
                        display_SME_EventsTable - Display the SME events table.
                        help                 - Display menu commands.
                        shortcuts            - Display key shortcuts help.
                        exit                 - Exit this sub-menu, go to previous menu.
                                                quit                 - Quit and terminate CLI.
                        reboot               - Reboot the system.

                dhcpServersConfig    - Set IPv4 addresses of primary and secondary DHCP servers (dotted notation)
                        dhcpServersConfig <primary> <secondary>.
                sendCMLinkUpEvent    - sending CM link up event for starting MTA provisioning.
                sendMSMStartEvent    - sending MSM start event.
                sendDHCPLeaseFailEvent - sending DHCP Lease Fail event.
                sendDHCPNewIPEvent   - sending DHCP New IP event.
                sendCMLinkDownEvent  - sending CM Link Down event <is this T4>.
                sendCMFullScanNoQam  - sending CM Full scan no QAM.
                sendCMQamRegained    - sending CM QAM Regained.
                sendCMResetEvent     - sending CM Reset event.
                sendMTAResetEvent    - sending MTA Reset event.
                sendVoiceRstDoneEvent - sending voice reset done event.
                sendVoiceRstFailEvent - sending voice reset fail event.
                sendSecRstDoneEvent  - sending Sec Reset done event.
                sendSecRstFailEvent  - sending Sec Reset fail event.
                configFile           - Set configuration file URL: <server> <filename>,
                        <server> can't be NULL.
                hashBypassSet        - Set hash checking bypass.
                provDBcontents       - Print contents of provisioning DB.
                setVoiceLoopVoltage  - Changes the loop voltage state.
                tftpAlwaysOn         - Set permanent TFTP download status.
                provStatus           - print the MTA provisioning status.
                provFlow             - Get the MTA provisioning flow.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        security             - go to Security Menu.
                certificates         - go to Certificates Sub-Menu.
                        getMtaCert           - Get mta certfiles from server tftp <1 for Euro, 0 for NA> <cert> <key> <server ip> .
                        getAllCerts          - Get all the certfiles from server tftp <1 for Euro, 0 for NA> <mtaCert> <mtaKey> <manufacturerCert> <rootCert> <server ip> .
                        certMtaSet           - Set mta certfiles <1 for Euro, 0 for NA> <cert> <key> .
                        certManufSet         - Set manuf certfile <1 for Euro, 0 for NA> <cert>  .
                        certIpteleSet        - Set iptel root certfile <1 for Euro, 0 for NA> <cert>  .
                        resetCertsToDefault  - Reset the certificates of manufacturer and iptel root to default (by nvram flag).
                        setCertRootType      - Set iptel root certificate type <zone: (1)Euro, (0)NA> <root cert type: (1)TestRoot (2)RealRoot>.
                        displayCertsDir      - Display Certs data.
                        displayCertContent   - Display certificate content <zone: (1)Euro, (0)NA> <cert type: (1)MTA (2)Manufacture (3)Root>.
                        help                 - Display menu commands.
                        shortcuts            - Display key shortcuts help.
                        exit                 - Exit this sub-menu, go to previous menu.
                                                quit                 - Quit and terminate CLI.
                        reboot               - Reboot the system.

                resetTickets         - Delete ticket from NVRAM <option> (1)PROV-SERVER (2)CMS (3)ALL.
                overrideCmsTtl       - Override the CMS TTL with this value <value in sec>.
                timersDisplay        - Display Security timers.
                smDataDisplay        - Display state machine data.
                mtaDisplay           - Display current MTA data.
                displayDB            - Print contents of security DB.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        vendorSubMenu        - go to VendorSubMenu.
                vendorSetDhcpServerAddr - Set the MTA primary DHCP Server Address <IP Address>.
                vendorModifyDhcpAckParam - Modify parameters received in MTA DHCP ACK parameters:
        <flow: 0-Basic 1-Hybrid 2-Secure>
        <MTA24 - syslog 0-false 1-true>
        <MTA25 - Inform 0-false 1-true>
        <download config file 0-false 1-true>
        <local config file name - string>
        <syslog server IP>
        <Realm name - string>.
                vendorSetTftpData    - Set the MTA TFTP server IP and configuration file name <TFTP IP Address> <file name>.
                vendorAddSnmpTarget  - Add a target for sending SNMP message (MTA25) <Server IP Address> <type>.
                printVendorRegisteredEvents - print all vendor registered events.
                VENDOR_STATUS_VENDOR_APP_set - Set status of vendor app <0-disable 1-enable>.
                VENDOR_AFTER_MSM_INIT_set - Set status of VENDOR_AFTER_MSM_INIT message <0-disable 1-enable>.
                VENDOR_SET_DHCP_SERVER_ADDR_set - Set status of VENDOR_SET_DHCP_SERVER_ADDR message <0-disable 1-auto, 2-manual>.
                VENDOR_AFTER_DHCP_ACK_set - Set status of VENDOR_AFTER_DHCP_ACK message <0-disable 1-auto, 2-manual>.
                VENDOR_SET_TFTP_DATA_set - Set status of VENDOR_SET_TFTP_DATA message <0-disable 1-auto, 2-manual>.
                VENDOR_ADD_SNMP_TARGET_set - Set status of VENDOR_ADD_SNMP_TARGET message <0-disable 1-auto, 2-manual>.
                VENDOR_BEFORE_MTA_RESET_set - Set status of VENDOR_BEFORE_MTA_RESET message <0-disable 1-enable>.
                VENDOR_ENABLE_EVENTS_set - Set status of VENDOR_ENABLE_EVENTS message <0-disable 1-enable>.
                VENDOR_ENABLE_DHCP_PLUG_IN_set - Set status of vendor DHCP plug in <0-disable 1-enable>.
                VENDOR_ENABLE_CFM_PLUG_IN_set - Set status of vendor config file manager plug in <0-disable 1-enable>.
                VENDOR_DISABLE_CFM_SPEC_TREE_set - determain spec tree status <0-active (default) 1-disabled>.
                restore              - Restore parameters to defalut.
                save                 - Save all parameters to flash.
                show                 - Print current settings.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        production           - go to Production Menu.
                prodSet              - Set a parameter by index.
                PACM_CONFIG_EURO_set - Operation mode US/Euro.
                PACM_CONFIG_MTA_NUM_LINES_set - Number of lines.
                PACM_CONFIG_IP_ADDR_set - Configure IP Address.
                PACM_CONFIG_HW_ADDR_set - MTA network device H/W Address.
                PACM_CONFIG_MTA_TELE_ID_set - MTA Slic Type.
                PACM_CONFIG_MTA_BBU_set - MTA BBU Setting.
                PACM_CONFIG_MTA_NUM_SLIC_set - Number of SLIC.
                save                 - Save all parameters to flash.
                show                 - Print current settings.
                setDefaultMacAddress - Set the default MAC-Address to the MTA.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        dynamicConfig        - go to Dynamic Configuraion Menu.
                set                  - Set a parameter by index.
                PACM_DYN_CONFIG_LOOPV_POLICY_set - Set loop voltage policy.
                PACM_DYN_CONFIG_LOOPV_STATUS_set - Set loop voltage status.
                PACM_DYN_CONFIG_LOOPV_RESET_TIMER_set - Set loop voltage reset timer value.
                PACM_DYN_CONFIG_LOOPV_MAINT_TIMER_CD_set - Set loop voltage maint timer count down value.
                PACM_DYN_CONFIG_SNMP_ENGIN_BOOT_NUM_set - Holds the number of SNMP engine reboots.
                restore              - Restore parameters to defalut.
                save                 - Save all parameters to flash.
                show                 - Print current settings.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        event                - go to Event Menu.
                sendEvent            - Send an event <eventID> <vendorEvent>.  vendorEvent: (0)False (1)True .
                displayEventTable    - Display the event table.
                printLogFile         - Print the log file to the screen in a formatted manner.
                resetLogFile         - Reset the log file.
                deleteLogFile        - Delete the log file.
                resetTables          - Reset Tables.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        debugMenu            - go to debugMenu.
                debugSet             - Set a parameter by index.
                PACM_CONFIG_TICKETS_FLASH_SUPPORT_set - Tickets support.
                PACM_CONFIG_PROV_DHCP_RETRIES_set - DHCP Retries during provisioning.
                PACM_CONFIG_IPSEC_ENABLE_set - Enable/Disable IPSEC on board ('False' overrides conf file).
                PACM_CONFIG_PROVISION_FLOWS_SUPPORT_set - Provision flows: bit mask of 0x1=sec; 0x2=hybrid; 0x4=basic.
                PACM_CONFIG_CERTIFICATION_MODE_set - Enable/Disable Certification mode.
                PACM_CONFIG_SNMPV2_ACCESS_set - Enable MTA SNMPv2 access.
                PACM_CONFIG_TLV38_SNMPV1_ENABLE_set - Enable MTA TLV38 SNMPv1 Trap send.
                PACM_CONFIG_CFM_FILE_HASH_BYPASS_set - Enable config file hash checking bypass.
                PACM_CONFIG_MAS_ROUTE_TO_LOGGER_set - Should MAS Spy messages be routed to logger.
                ARRIS_PROVISIONING_set - Arris provisioning type BASIC1=0, BASIC2=1, HYBRID1=2, HYBRID2=3, SECURE=4, GUPI=5, MINUS_KDC=6.
                PACM_CONFIG_EURO_HASH_SIZE_20_set - Enable Euro Hash of size 20.
                PACM_CONFIG_MTA_RESET_WATCH_DOG_set - Enable MTA reset when voice do not answer on cleanup.
                PACM_CONFIG_SEND_CONN_ERROR_EVENT_set - Enable/Disable sending Connection Error event.
                PACM_CONFIG_LOG_PRIORETY_ALGORITHM_set - Enable/Disable writing to local log according to priorety.
                restore              - Restore parameters to defalut.
                save                 - Save all parameters to flash.
                show                 - Print current settings.
                voicePortsSet        - Set voice ports (ports...).
                voicePortsGet        - Print voice ports to the console.
                voiceDropPortsSet    - Set voice drop ports <src> <dst>.
                voiceDropPortsGet    - Print voice drop ports to the console.
                dhcpActive           - Set DHCP status <1-active, 0-not active>.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        managerMenu          - go to managerMenu.
                PACM_MANAGER_TOD_DELAY_SEC_PROV_set - Set TOD feature status.
                PACM_MANAGER_HITLESS_SOFTWARE_DOWNLOAD_set - Set hitless software download feature status.
                PACM_MANAGER_HITLESS_DHCP_set - Set hitless DHCP feature status.
                PACM_MANAGER_RANDOM_USM_SPIN_LOCK_set - Set random usm spin lock feature status.
                PACM_MANAGER_VENDOR_COMMUNITY_NAME_set - Set specific vendor community name feature status.
                PACM_MANAGER_VENDOR_CMS_AS_IP_set - Set Enable using CMS as IP flag..
                PACM_MANAGER_VENDOR_ENABLE_EVENTS_set - Set status of VENDOR_ENABLE_EVENTS message <0-disable 1-enable>.
                PACM_MANAGER_VOICE_SLIC_PSM_STATUS_set - Set status of Voice PSM features <0-disable 1-enable>.
                PACM_MANAGER_VOICE_DECT_IF_set - Set DECT interface <0-disable 1-enable>.
                PACM_MANAGER_VOICE_VLM_IF_set - Set Enable VLM interfaces <0-disable 1-enable>.
                PACM_MANAGER_SNMP_RESTRICT_CONFIG_VIEW_set - Restrict @mtaconfig view acoording to supported zone.
                PACM_MANAGER_VOICE_SLIC_WB_STATUS_set - Set status of Voice SLIC WB features <0-disable 1-enable>.
                PACM_MANAGER_BBU_ISR_MASK_set - BBU interrupt configuration.
                PACM_MANAGER_VOICE_PP_SUPPORT_set - Set Voice PP Support <0-disable 1-enable>.
                PACM_MANAGER_VOICE_DECT_RST_CTS_SUPPORT_set - Set DECT RTS CTS Support <0-disable 1-enable>.
                restore              - Restore parameters to defalut.
                save                 - Save all parameters to flash.
                show                 - Print current settings.
                help                 - Display menu commands.
                shortcuts            - Display key shortcuts help.
                exit                 - Exit this sub-menu, go to previous menu.
                                quit                 - Quit and terminate CLI.
                reboot               - Reboot the system.

        help                 - Display menu commands.
        shortcuts            - Display key shortcuts help.
        exit                 - Exit this sub-menu, go to previous menu.
                quit                 - Quit and terminate CLI.
        reboot               - Reboot the system.

help                 - Display menu commands.
shortcuts            - Display key shortcuts help.
exit                 - Exit this sub-menu, go to previous menu.
quit                 - Quit and terminate CLI.
reboot               - Reboot the system.
Reply
#68
good work
Reply
#69
Other tip, in order to change nvram DB, mini_cli has menu for it;
https://pastebin.com/raw/HmJk7DNn
or mgnforce's tool mfhex to pacth binaries files and nvread to check out.
http://www.filedropper.com/mfhex

Code:
# mfhex
mhex(v0.1b) : Command line HEX Editor
            : By mforce for SBH

Usage:
 ./mfhex <PATH> <OFFSET> <FORMAT> <DATA>
   <PATH>   : /tmp/myfile    : Location of file to edit.
   <OFFSET> : 53484          : Offset in bytes.
   <FORMAT> : hex        : str or hex
   <DATA>   : 4d5920        : Hex Example

FORMAT : Hex Data is in 2 Byte hex
INFO   : No single byte hex. Use '0d' instead of 'd'
Examples:
 Hex Format: ./mfhex /tmp/myfile 53484 hex 4d5920
 Str Format: ./mfhex /tmp/myfile 53484 str "hello 1234"
-------------------------------------------------------
# nvread
usage:
nvread <dir>.<file>.<type> <format>
e.g.: nvread 1.1.2 long - read type 2 from directory 1, file 1, in long format.
format: byte|short|long|str|hexbuf
-------------------------------------------------------

Sourceforge and fesc2000 shares sources of firmwares, most open-source projects like busybox, utelnetd, dropbear...
except sources of dmg_provisioning or dispatcher, Anyone knows where i can get them?
Reply
#70
this is good news fella
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)