Extracted firmware of my SBG901 from MX Flash , now how can I extract CERTS?

[dssence]

wow, well how ever you did that i have no idea
tho i'd be interested in how what and why you did it that way

you can upload the dump to mediafire or some other filehost and PM me the link i'll have a look at it and see if the certs are even in there

Sure I'm gonna make a tutorial explaining how I did manage to get the dump of the flash chip , it's not complicated at all it was a matter of finding some cheap way of emulating SPI signals over LPT port. I'm going to upload the firmware to mediafire, now big problem the entire dump I have it's 8 megs 8,388,608 bytes in size , by some reason I downloaded another firmware from an sbg901 (SBG901-2.1.3.0-GA-00-256-NOSH-NNDMN.p7) and it's 1,991,313 bytes , so I'm suspecting I just dumped the entire MX flash memory from the fist memory position to the last one.
Anyways , I tried using cmnonexp2mbwin32 which supposedly extracts certificates from BCM3348/BCM3349 chipsets, problem is this modem has a BCM3361 chipset, I ran that app which supposedly rips certificates from 2Mb firmware, but I did find lot's of stuff I'm not quite sure it ripped properly the certs. I'm suspecting that the non-vol memory address location it's in the first 2048Mb of the flash memory so I will try to make a dump of only the first 2048Mb and see if cmnonexp works better. I saw there's another version which it's not limited to 2Mb only bins.. maybe I'm gonna check that one.


cmp NonVol Settings found!
0x14A14:cmp Size:0x0289 (649)
0x14A16:cmp Magic:0x636D702E ('cmp.')

CHEV NonVol Settings found!
0x14C9D:CHEV Size:0x0008 (8)
0x14C9F:CHEV Magic:0x43484556 ('CHEV')

CQP2 NonVol Settings found!
0x14CA5:CQP2 Size:0x0008 (8)
0x14CA7:CQP2 Magic:0x43515032 ('CQP2')

FIRE NonVol Settings found!
0x14CAD:FIRE Size:0x0008 (8)
0x14CAF:FIRE Magic:0x46495245 ('FIRE')

VPNG NonVol Settings found!
0x14CB5:VPNG Size:0x0009 (9)
0x14CB7:VPNG Magic:0x56504E47 ('VPNG')

ERROR: address: 14CC0; size: 0x0009 (9); unknow magic: 0x50505053 ('PPPS')

ERROR: address: 14CC9; size: 0x0008 (8); unknow magic: 0x57694775 ('WiGu')

0x1561E87582) ---> Start new non-volatile nonvol <---
0x15620:Length:0x4C05 (19461)
0x15622:CRC32-Motorola:0x7359C833 (1935263795)
Non-volatile nonvol length: 0x4C05 (19461) at offset: 0x1561E
Calculate CRC: 0x7359C833
CRC OK!!!

CM Application NonVol Settings found!
0x15626:CMAp Size:0x0009 (9)
0x15628:CMAp Magic:0x434D4170 ('CMAp')

Message Logging NonVol Settings found!
0x1562F:MLog Size:0x003C (60)
0x15631:MLog Magic:0x4D4C6F67 ('MLog')

HalIf NonVol Settings found!
0x1566B:HalIf Size:0x00C7 (199)
0x1566D:HalIf Magic:0xF2A1F61F (' ')
0x15677:MAC address for IP Stack 1:74:56:12:CA3:B
0x1567D:MAC address for IP Stack 2:74:56:12:35:CE:0
0x15683:MAC address for IP Stack 3:2C:9E:5F:CF:EC
0x15689:MAC address for IP Stack 4:74:56:12:35:CE:0

8021 NonVol Settings found!
0x15732:8021 Size:0x0083 (131)
0x15734:8021 Magic:0x38303231 ('8021')

ERROR: address: 157B7; size: 0x008C (140); unknow magic: 0x38303253 ('802S')

Factory NonVol Settings found!
0x15841:FACT Size:0x0023 (35)
0x15843:FACT Magic:0x46414354 ('FACT')

RSTL NonVol Settings found!
0x15864:RSTL Size:0x0008 (8)
0x15866:RSTL Magic:0x5253544C ('RSTL')

PRNT NonVol Settings found!
0x1586CRNT Size:0x0008 (8)
0x1586ERNT Magic:0x50524E54 ('PRNT')

CM BPI NonVol Settings found!
0x15874:bpi Size:0x16C7 (5831)
0x15876:bpi Magic:0x62706920 ('bpi ')

Cert number 1 found!
0x1587C:Cert Size:0x008C (140)
0x1587E:Cert class 1:0x3081 (12417)
Writing to file non02_1_public.key 140 bytes

WARNING: address: 1590C; size: 0x02A0 (672); unknow cert type: 0x1CF3
Writing to file non02_2_private.key 672 bytes

Cert number 3 found!
0x15BAC:Cert Size:0x010E (270)
0x15BAE:Cert class 2:0x3082 (12418)
Writing to file non02_3_root.key 270 bytes

Cert number 4 found!
0x15CBC:Cert Size:0x0327 (807)
0x15CBE:Cert class 2:0x3082 (12418)
Writing to file non02_4_cm_cert.cer 807 bytes

Cert number 5 found!
0x15FE5:Cert Size:0x0404 (1028)
0x15FE7:Cert class 2:0x3082 (12418)
Writing to file non02_5_ca_cert.cer 1028 bytes

Cert number 6 found!
0x163EB:Cert Size:0x008C (140)
0x163ED:Cert class 1:0x3081 (12417)
Writing to file non02_unknow06.key 140 bytes

WARNING: address: 1647B; size: 0x02A0 (672); unknow cert type: 0x457F
Writing to file non02_unknow07.key 672 bytes

Cert number 8 found!
0x1671B:Cert Size:0x010E (270)
0x1671D:Cert class 2:0x3082 (12418)
Writing to file non02_unknow08.key 270 bytes

Cert number 9 found!
0x1682B:Cert Size:0x032C (812)
0x1682D:Cert class 2:0x3082 (12418)
Writing to file non02_unknow09.key 812 bytes

Cert number 10 found!
0x16B59:Cert Size:0x03E0 (992)
0x16B5B:Cert class 2:0x3082 (12418)
Writing to file non02_unknow10.key 992 bytes

CM DOCSIS NonVol Settings found!
0x16F3Bocsis Size:0x0082 (130)
0x16F3Docsis Magic:0xD0C20100 (' ')

ERROR: address: 16FBF; size: 0x002C (44); unknow magic: 0xD0C20300 (' ')

CableModem EventLog NonVol Settings found!
0x16FE9:CMEV Size:0x0008 (8)
0x16FEB:CMEV Magic:0x434D4556 ('CMEV')

SNMP NonVol Settings found!
0x16FF1nmp Size:0x04EF (1263)
0x16FF3nmp Magic:0x736E6D70 ('snmp')
0x16FF7:Version:0x0004 (4)
0x16FF994201) Factory mode NOT enabled
0x16FFA94202) Vendor name: Motorola Corporation
0x1701A94234) System Description: <<HW_REV: 1; VENDOR: Motorola Corporation; B
OOTR: 2200; SW_REV: SBG901-2.1.5.0-GA-00-357-NOSH; MODEL: SBG901>>
0x1709A94362) System ObjectID: 1.3.6.1.4.1.1166.901.1.0.1.5.0.0
0x1711A94490) System ObjectID value 1:
0x1719A94618) System ObjectID value 2: SBG901
0x1721A94746) System ObjectID value 3:
0x1729A94874) sysORID.1: UUUOUUUUUWuUUUUUWWUUUUUUUUuUUUUUUUUUUUuWUUUuUUUUUUUUU
UuUUWUUUUUWUQUOUUUUUUuUUuWWUUUUUUUUUUUUUUUUUUWUUWUUUuWUUWUUUUUUUUWUUUUUUUWUWUUUU
UUUUUUUUUUWUUUU§UUuUUUUUUUUUUUUUU§UUUUUUUUUUUUUUUUUUUUUUUuUUUUuUUUuUUUUUWUUuUUUU
UUWUUUWUUUQUUUUUUUUUUUUUUUUUuUUUuUUUUUUuUUUUUUUUuUUUUUUUUU§UUWQUOuUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUWUUUUUUUUUUUoUUUOuUUUUUUUUUUUUUuUUqUU§UUUWWUUUUUUUUU]UuUuUu
UUUUUUUUUUuU318158103001762601014010
0x1731A95002) sysORID.1 description: WUUUUUUUUUUUUUUWUUUU§UUuUUUUUUUUUUUUUU§UU
UUUUUUUUUUUUUUUUUUUUUuUUUUuUUUuUUUUUWUUuUUUUUUWUUUWUUUQUUUUUUUUUUUUUUUUUuUUUuUUU
UUUuUUUUUUUUuUUUUUUUUU§UUWQUOuUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUWUUUUUUUUUUUoUU
UOuUUUUUUUUUUUUUuUUqUU§UUUWWUUUUUUUUU]UuUuUuUUUUUUUUUUuU318158103001762601014010

0x1739A95130) Services: 0x55
0x1739B95131) Device Software Current Version: UUUUuUUUUUUUUU§UUWQUOuUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUWUUUUUUUUUUUoUUUOuUUUUUUUUUUUUUuUUqUU§UUUWWUUUUUUUUU]U
uUuUuUUUUUUUUUUuU318158103001762601014010
0x1783F96319) Device Serial Number: 318158803801762608014010
0x1745B95323) Max Download Tries: 0x4

DOCSIS CM Downstream Calibration NonVol Settings found!
0x174E0nSt Size:0x0181 (385)
0x174E2nSt Magic:0x446E5374 ('DnSt')

DOCSIS CM Upstream Calibration NonVol Settings found!
0x17661:UpSt Size:0x0249 (585)
0x17663:UpSt Magic:0x55705374 ('UpSt')

CM Propane NonVol Settings found!
0x178AApan Size:0x000A (10)
0x178ACpan Magic:0x5070616E ('Ppan')

CM Vendor Motorola NonVol Settings found!
0x178B4:MOTO Size:0x191F (6431)
0x178B6:MOTO Magic:0x4D4F544F ('MOTO')

ERROR: address: 191D5; size: 0x0008 (8); unknow magic: 0x504C5547 ('PLUG')

ERROR: address: 191DD; size: 0x0008 (8); unknow magic: 0x52656777 ('Regw')

FMib NonVol Settings found!
0x191E3:FMib Size:0x0008 (8)
0x191E5:FMib Magic:0x464D6962 ('FMib')

PSV NonVol Settings found!
0x191EBSV Size:0x000F (15)
0x191EDSV Magic:0x50530D56 ('PS V')

CAP NonVol Settings found!
0x191FA:CAP Size:0x0008 (8)
0x191FC:CAP Magic:0x4341502E ('CAP.')

CDP NonVol Settings found!
0x19202:CDP Size:0x0008 (8)
0x19204:CDP Magic:0x4344502E ('CDP.')

CSP found!
0x1920A:CSP Size:0x0D55 (3413)
0x1920C:CSP Magic:0x4353502E ('CSP.')

Cert number 11 found!
0x19212:Cert Size:0x0366 (870)
0x19214:Cert class 2:0x3082 (12418)
Writing to file non02_unknow11.key 870 bytes

Cert number 12 found!
0x1957A:Cert Size:0x03DB (987)
0x1957C:Cert class 2:0x3082 (12418)
Writing to file non02_unknow12.key 987 bytes

Cert number 13 found!
0x19957:Cert Size:0x0364 (868)
0x19959:Cert class 2:0x3082 (12418)
Writing to file non02_unknow13.key 868 bytes

WARNING: address: 19CBF; size: 0x02A0 (672); unknow cert type: 0x6DFC
Writing to file non02_unknow14.key 672 bytes

RG NonVol Settings found!
0x19F5F:RG Size:0x0009 (9)
0x19F61:RG Magic:0x52472E2E ('RG..')

cmp NonVol Settings found!
0x19F68:cmp Size:0x0289 (649)
0x19F6A:cmp Magic:0x636D702E ('cmp.')

CHEV NonVol Settings found!
0x1A1F1:CHEV Size:0x0008 (8)
0x1A1F3:CHEV Magic:0x43484556 ('CHEV')

CQP2 NonVol Settings found!
0x1A1F9:CQP2 Size:0x0008 (8)
0x1A1FB:CQP2 Magic:0x43515032 ('CQP2')

FIRE NonVol Settings found!
0x1A201:FIRE Size:0x0008 (8)
0x1A203:FIRE Magic:0x46495245 ('FIRE')

VPNG NonVol Settings found!
0x1A209:VPNG Size:0x0009 (9)
0x1A20B:VPNG Magic:0x56504E47 ('VPNG')

ERROR: address: 1A214; size: 0x0009 (9); unknow magic: 0x50505053 ('PPPS')

ERROR: address: 1A21D; size: 0x0008 (8); unknow magic: 0x57694775 ('WiGu')

0x1FFF8131064) ---> Start new non-volatile nonvol <---
0x1FFFA:Length:0x5554 (21844)
0x1FFFC:CRC32-Motorola:0xFFFFFFFC (-4)
Non-volatile nonvol length: 0x5554 (21844) at offset: 0x1FFF8
Calculate CRC: 0x991568FF
---> CRC failed!!! FFFFFFFC <> 991568FF

ERROR: address: 20002; size: 0xC035 (49205); unknow magic: 0x00050003 (' ')

0x2554C152908) ---> Start new non-volatile nonvol <---
0x2554E:Length:0xA988 (43400)
0x25550:CRC32-Motorola:0x1F155194 (521490836)
Non-volatile nonvol length: 0xA988 (43400) at offset: 0x2554C
Calculate CRC: 0xA8059A12
---> CRC failed!!! 1F155194 <> A8059A12

ERROR: address: 25556; size: 0x8553 (34131); unknow magic: 0x6235915D ('b5 ]')

ERROR: address: 2DAA9; size: 0x2775 (10101); unknow magic: 0xC16DBEF1 (' m ')

0x2FED4196308) ---> Start new non-volatile nonvol <---
0x2FED6:Length:0x33D7 (13271)
0x2FED8:CRC32-Motorola:0x9F02DE51 (-1627201967)
Non-volatile nonvol length: 0x33D7 (13271) at offset: 0x2FED4
Calculate CRC: 0x6EAB15B0
---> CRC failed!!! 9F02DE51 <> 6EAB15B0

ERROR: address: 2FEDE; size: 0x2F71 (12145); unknow magic: 0x56F2AA68 ('V h')

ERROR: address: 32E4F; size: 0xADDD (44509); unknow magic: 0xC0AA7E9A (' ')

0x332AB209579) ---> Start new non-volatile nonvol <---
0x332AD:Length:0x61DF (25055)
0x332AF:CRC32-Motorola:0xB14062E4 (-1321180444)
Non-volatile nonvol length: 0x61DF (25055) at offset: 0x332AB
Calculate CRC: 0xFF4214FD
---> CRC failed!!! B14062E4 <> FF4214FD

ERROR: address: 332B5; size: 0xB2B7 (45751); unknow magic: 0x534AB97A ('SJ z')

0x3948A234634) ---> Start new non-volatile nonvol <---
0x3948C:Length:0x4776 (18294)
0x3948E:CRC32-Motorola:0xFC6A827D (-60128643)
Non-volatile nonvol length: 0x4776 (18294) at offset: 0x3948A
Calculate CRC: 0x2D52A3BE
---> CRC failed!!! FC6A827D <> 2D52A3BE

ERROR: address: 39494; size: 0x51D3 (20947); unknow magic: 0x77C2377A ('w 7z')

0x3DC00252928) ---> Start new non-volatile nonvol <---
0x3DC02:Length:0xB0C1 (45249)
0x3DC04:CRC32-Motorola:0xDE694DED (-563524115)
Non-volatile nonvol length: 0xB0C1 (45249) at offset: 0x3DC00
Calculate CRC: 0x510DBB21
---> CRC failed!!! DE694DED <> 510DBB21

ERROR: address: 3DC0A; size: 0xF475 (62581); unknow magic: 0xAF79A76B (' y k')