[Release] BitWare 1.0.5.4 - Arris Puma6 firmware (SB6190, TM1602, TG2492, TG2472)
BTC Offline
Haxorware Enthusiast
***

Posts: 55
Threads: 5
Joined: Aug 2018
Reputation: 7
#1
[Release] BitWare 1.0.5.4 - Arris Puma6 firmware (SB6190, TM1602, TG2492, TG2472)
BitWare
Arris Puma6 firmware
Supports SB6190, TM1602, TG2492, TG2472, TG1682G, and maybe more!


BitWare is a custom firmware designed for the SB6190, TM1602, and TG2492 modems.

There are two versions of the firmware, VSDK and VGWSDK.
VSDK is built for modems that are Voice+DOCSIS, or DOCSIS only, and VGWSDK is built for modems that are Voice+Gateway+DOCSIS.

The VSDK firmware is based on TM1602 firmware 9.1.103BE.
The VGWSDK firmware is based on TG2492 firmware 9.1.116.608.


Features (1.0.5.4)
  • Updated Busybox, added extra commands
  • Added standard telnetd server
  • Added vi text editor
  • Added forcing configs
  • Added custom CLI based NVRAM editing tool
  • Bypassed Advanced Password of the Day (Use any password that isn't empty)
  • Bypassed RIP CLI password
  • Bypassed Technician CLI password
  • Enabled telnet on ARM core
  • Unlocked ARM serial console
  • Unlocked Atom serial console
  • Added net-snmp tools (snmpset, snmpget, snmpwalk)
  • Enabled SSH and added SFTP support
  • Added PHP support to Lighttpd
  • Disabled firmware updates
  • Added a web interface for management
  • Force max CPE
  • SNMP disable
  • NACO off bypass
  • Maybe more...

Pictures
[Image: M0qmfIP.png]
[Image: pba5c5O.png]

[Image: yORfj8e.png]

So as not to take up too much space, those are all the pictures I'll show here.

Changelog
Code:
#1.0.5.4
Implemented force Max CPE (Located in new Runtime settings page)
Implemented SNMP disable (Located in new Runtime settings page)
Implemented NACO off bypass
Added BitWare specific logging for easier diagnostics.
Bind SSH/Telnet to 192.168.100.1

#1.0.5.3
Fixed TG2492 and other VGWSDK modems' Qualcomm and Atheros WiFi drivers.
Fixed firmware upgrade via web UI
Added adduser, deluser, chpasswd, mkpasswd, watch, and login commands to busybox.
Moved shadow/passwd to NVRAM. You can now change the root password.
Add passwd command to VSDK.
Serial and telnet now require credentials to login.

#1.0.5.2
Fixed bug in NVM editor...again.

#1.0.5.1
Forced IPv4 provisioning for HFC - TODO: Make it selectable
Fixed bug in NVM editor, nvm setbyte was not working.

#1.0.5
Added web interface, accessible at http://192.168.100.1/bw/
Added ProdDb, and NvramDb support to NVM editor.

#1.0.4.3
Fixed VGWSDK kernel
Added http://192.168.100.1/debug/ symlink to NVRAM /nvram/debug for web testing

#1.0.4.2
Disabled firmware updates
Added PHP support to Lighttpd
Started development on web interface

#1.0.4.1
Fixed PATH environment variable on VSDK

#1.0.4
Fixed Atom serial console on VSDK
Added Lighttpd error logging, for debug purposes. May need to disable this in future.
Added kernel flashing support, and static kernel images.

#1.0.3
Redesigned build system (Dual FW base)
Added vsdk support (SB6190, TM1602)

#1.0.2
Added dropbear+sftp server
Added nano

#1.0.1
Added net-snmp tools (snmpset, snmpget, snmpwalk)

#1.0.0
Unlocked Atom serial (Bypassed shell disable on RPC initialize)
Unlocked Arm serial (Removal of mini_cli)
Enabled telnet to Arm core (192.168.0.1 and 192.168.100.1)
Bypassed Technician CLI password (LD_PRELOAD=/lib/arrisbypass.so cli)
Bypassed RIP CLI password (LD_PRELOAD=/lib/arrisbypass.so /fss/gw/usr/sbin/tw_rip_cli)
Bypassed Advanced Web Password of the Day (Use any password that isn't empty)
Added local config serve+TFTP enforce bypass (force config) (To use, put config at /nvram/1/config.cm).
Recompiled Busybox with telnetd, vi, and other convenient shell commands.
NVRAM Editing tool (e.g. nvm setbyte 0x3C 1 to unbrand modem)
Supports TG2492, TG2472 (maybe DG3272).

FAQ
Q: How do I flash this?
A: I can't help with that.

Q: What are the SSH credentials?
A: Username root, password arris.

Q: How do I access the web UI on TG2492?
A: First, the modem must be unbranded. To unbrand the modem, run this command:
Code:
nvm setbyte 0x3C 1
Then, you will be able to access the web UI at http://192.168.100.1/bw

Q: I can't access the internet on a TG2492!
A: If your modem was originally branded, set it back to your original brand (try 6 for VTR, which should work), then disable the firewall in the original web UI. Unbrand it again, then reboot and you should be able to access the internet.

Q: Will you add support for (insert non-Arris modem here)?
A: No.

...and maybe more later..

TODO List/Known bugs
Code:
* Web UI for configuration
   * Authentication (High priority)
    * GUI authentication only.
   * Autostart Mode
   * BPI manage
      * Certificate database, swap between sets of certs
      * Disable/enable BPI
   * DOCSIS settings manage
      * DHCP Options configuration (Set to 1.0, 2.0, 3.0, etc)
         * Version spoof
   * Brand manage
      * Enable/Disable Gateway
      * Enable/Disable eMTA
      * Enable/Disable MoCA
   * NVRAM Editor
   * TR69DB Editor (VGWSDK only)
* Add guest network support to Arris gateway web UI
* Add TR69 DB support to NVRAM editor
* L2switch configuration
* SNMP OID response spoofing
* TR69 disable (High priority)
* Fix Voice/MTA config, currently broken when forcing DOCSIS configs.
* Force Voice/MTA config
* Custom LED manager for cross-model support, LEDs break sometimes.
* Issue with a certain ISP's config file TLV-11s..needs more investigation.
* VGWSDK Status page is broken, something to do with CGI.

Download
VGWSDK (For TG2492, TG2472, or other Touchstone Gateway modems)

VSDK (For TM1602, SB6190, or other Surfboard/Touchstone Media modems)

Notes
This firmware was made as a fun project to learn more about Puma6 modems, DOCSIS, and ARM assembly. It was designed purely for research purposes.
Distribution of this firmware by means other than this forum (Haxorware forums) is unsanctioned, with the exception of authorized resellers.


I received lots of help and information from people in Discord and the forums, so thank all of the people that helped me along the way.
Additionally, the research on how to flash these modems was done by others.


If you have any questions about the firmware, or Puma6/Puma7 modems in general, I can answer them in the cable modem hacking Discord server.

Please leave feedback and let me know what you think, and if you have any particular feature requests.
This is a work in progress, and things will be improved over time.
(This post was last modified: 04-10-2019, 05:56 PM by BTC.)
06-08-2019, 07:06 AM
ricktendo Offline
Haxorware Expert
*****

Posts: 272
Threads: 13
Joined: Apr 2014
Reputation: 23
#2
RE: BitWare - Arris Puma6 firmware (SB6190, TM1602, TG2492)
Thank you for sharing, features and web ui looking very good!
(This post was last modified: 06-08-2019, 07:15 AM by ricktendo.)
06-08-2019, 07:14 AM
guti Offline
Junior Member
**

Posts: 16
Threads: 1
Joined: Mar 2009
Reputation: 0
#3
RE: BitWare - Arris Puma6 firmware (SB6190, TM1602, TG2492)
Thank you for the wonderful work you present us, formidable. :)
06-08-2019, 03:46 PM
drewmerc Offline
Prefect
******

Posts: 3,899
Threads: 18
Joined: Oct 2008
Reputation: 157
#4
RE: BitWare - Arris Puma6 firmware (SB6190, TM1602, TG2492)
oooooooooooooooh stickied
__________________________________________________________________________________
******new discord chat link https://discord.gg/su2VjJ3*******
06-08-2019, 05:43 PM
occalifornia Offline
Haxorware VIP
*****

Posts: 908
Threads: 9
Joined: Apr 2011
Reputation: 14
#5
RE: BitWare - Arris Puma6 firmware (SB6190, TM1602, TG2492)
Q: How do I flash this?
A: I can't help with that.

rofl
____________________________________________________________
Disclaimer: My comments are for legitimate diagnostics and testing ONLY. 
06-08-2019, 06:46 PM
jeramy1time Offline
Junior Member
**

Posts: 2
Threads: 0
Joined: Sep 2011
Reputation: 0
#6
RE: BitWare - Arris Puma6 firmware (SB6190, TM1602, TG2492)
Awesome work!!!!!!!!!!!!!! will try on a 2472
06-08-2019, 06:56 PM
BTC Offline
Haxorware Enthusiast
***

Posts: 55
Threads: 5
Joined: Aug 2018
Reputation: 7
#7
RE: BitWare - Arris Puma6 firmware (SB6190, TM1602, TG2492)
(06-08-2019, 06:46 PM)occalifornia Wrote: Q: How do I flash this?
A: I can't help with that.

rofl

The reason is that I did not do any of the research for flashing these modems myself.
That being said, I do not know the pinouts and am not dexterous enough to do the soldering required to flash them.
People who are more skilled than me at this have generously sent me modems to test on.

I can describe the general process, but I can't really get more specific than this due to a lack of knowledge on the process.

You need to get access to the Phison PS8211 chip, which is the eMMC/NAND controller for the board. The Phison manages the blocks on the NAND, and provides the CPU an eMMC interface to read/write with.
Luckily enough, eMMC and SD are almost 1:1 compatible - so if you plug the Phison's eMMC interface into a computer's SD card reader, you will get full access to the NAND chip via the Phison.

To do this, you simply have to locate the Phison VCC, CMD, CLK, and DAT0 lines and connect them to an SD card breakout board. This process is described in this thread here.


(06-08-2019, 06:56 PM)jeramy1time Wrote: Awesome work!!!!!!!!!!!!!!will try on a 2472

Let me know how it goes. This is actually untested on the 2472, but should work in theory.
06-08-2019, 06:59 PM
occalifornia Offline
Haxorware VIP
*****

Posts: 908
Threads: 9
Joined: Apr 2011
Reputation: 14
#8
RE: BitWare - Arris Puma6 firmware (SB6190, TM1602, TG2492)
You da real MVP <3
06-08-2019, 07:20 PM
occalifornia Offline
Haxorware VIP
*****

Posts: 908
Threads: 9
Joined: Apr 2011
Reputation: 14
#9
RE: BitWare - Arris Puma6 firmware (SB6190, TM1602, TG2492)
@drewmerc, should we make a separate section for this firmware?
06-08-2019, 07:26 PM
andy m Offline
Senior Member
****

Posts: 178
Threads: 7
Joined: Dec 2008
Reputation: 4
#10
RE: BitWare - Arris Puma6 firmware (SB6190, TM1602, TG2492)
Diff section be ideal
06-08-2019, 09:34 PM