UPC Technicolor TC7200 - serial console

someone21

Hi!
I found pic [attached file] of Technicolor TC7200 and I thought that this white 4pin connector is a serial console.
I tried to connect to and I succeeded.
The pinout is:

___________________
|  *   *   *   *  |
------      -------
3.3v - GND - TX - RX
Speed: 115200

I figured out that this router has two firmware images and some third image, maybe it's something like base-system.
I think that first is a backup image, when the second one is the latest firmware version.
On my device image 1 is TC7200U-D6.01.12-130329-F-1C1.bin and image 2 is TC7200U-D6.01.27-131031-F-1C1.bin.

When router is booting there is a possibility to choose image 1 or 2 or "p".
P-option gives this menu:

Board IP Address  [0.0.0.0]:          
Board IP Mask     [255.255.255.0]:     
Board IP Gateway  [0.0.0.0]:           
Board MAC Address [00:10:18:ff:ff:ff]: 

Internal/External phy? (e/i/a)[a] 
Switch detected: 53125
ProbePhy: Found PHY 0, MDIO on MAC 0, data on MAC 0
Using GMAC0, phy 0
Enet link up: 1G full

Main Menu:
==========
  b) Boot from flash
  c) Check DRAM
  g) Download and run from RAM
  d) Download and save to flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  p) Print flash partition map
  E) Erase flash region/partition
  X) Erase all of flash except the bootloader
  z) Reset

In Set mode you can set to boot always from first image by setting mode to 8027:

Mode Configuration Bits
=======================
 0x8000 Boot
 0x4000 Load-N-Go
 0x0004 Boot image 1
 0x0002 Verify image CRC
 0x0001 Prompt

Phy Selection
-------------
 0x0000  Default PHY
 0x0100  Internal EPHY
 0x0200  External EPHY

Enter hex value of desired features
MODE=8023: Enter new value: 8023
Updating MODE: 8023

If someone has got a file with firmware it could be an opportunity to unlock all functions on this router because by serial console you can download firmware to router by TFTP (option d ang g).

I set my router to boot to STD6.01.12 and I tried to set bridge mode (as wrote here) but it didn't work - router initiates reboot and after that I still get private IP address. Maybe someone could provide me some tip?

Below I post some information I took:

Flash Partition information:
Name           Size           Offset
=====================================
bootloader   0x00010000     0x00000000
image1       0x006c0000     0x01ac0000
image2       0x006c0000     0x02180000
linux        0x00480000     0x02840000
linuxapps    0x019c0000     0x00100000
permnv       0x00010000     0x00010000
dhtml        0x00240000     0x03ec0000
dynnv        0x00020000     0x000e0000
linuxkfs     0x01200000     0x02cc0000

BCM3383A2 
Sync: 0 
MemSize:            128 M

Chip ID:     BCM3383Z-B0


BootLoader Version: 2.4.0alpha18p1 Pre-release Gnu spiboot dual-flash reduced DDR drive linux

Build Date: Aug 14 2012

Build Time: 09:48:58

SPI flash ID 0xc22014, size 1MB, block size 64KB, write buffer 256, flags 0x0

NAND flash: Device size 64 MB, Block size 16 KB, Page size 512 B

Cust key size 128

parameter offset is 43872


Signature/PID: a825


Reading flash map at ff30, size 192

Successfully restored flash map from SPI flash!

NandFlashRead: Reading offset 0x19c0000, length 0x5c


Image 1 Program Header:

   Signature: a825

     Control: 0005

   Major Rev: 0100

   Minor Rev: 01ff

  Build Time: 2013/3/29 07:53:59 Z

 File Length: 4839099 bytes

Load Address: 80004000

    Filename: TC7200U-D6.01.12-130329-F-1C1.bin

         HCS: 7f47

         CRC: fb7111d8


Found image 1 at offset 1ac0000

NandFlashRead: Reading offset 0x2080000, length 0x5c


Image 2 Program Header:

   Signature: a825

     Control: 0005

   Major Rev: 0100

   Minor Rev: 01ff

  Build Time: 2013/10/31 09:45:22 Z

 File Length: 5298465 bytes

Load Address: 80004000

    Filename: TC7200U-D6.01.27-131031-F-1C1.bin

         HCS: 0046

         CRC: 87e2a6ee


Found image 2 at offset 2180000

NandFlashRead: Reading offset 0x2740000, length 0x5c


Image 3 Program Header:

   Signature: a825

     Control: 0005

   Major Rev: 0100

   Minor Rev: 01ff

  Build Time: 2012/11/28 07:33:42 Z

 File Length: 1507236 bytes

Load Address: 84010000

    Filename: LNXD6.01.08-kernel-121128.bin

         HCS: a8ef

         CRC: fad26589


Found image 3 at offset 2840000


Enter '1', '2', or 'p' within 2 seconds or take default...

. . 


NandFlashRead: Reading offset 0x2740000, length 0x200

NandFlashRead: Reading offset 0x2740200, length 0x16fe00

Performing CRC on Image 3...

CRC time = 33081974

Detected LZMA compressed image... decompressing... 

Target Address: 0x84010000

decompressSpace is 0x8000000

Elapsed time 1694014890


Decompressed length: 7107662

Done Copying Root File System...


NandFlashRead: Reading offset 0x2080000, length 0x200

NandFlashRead: Reading offset 0x2080200, length 0x50d77d

Performing CRC on Image 2...

CRC time = 152229967

Detected LZMA compressed image... decompressing... 

Target Address: 0x80004000

decompressSpace is 0x8000000

Elapsed time 110742320


Decompressed length: 23970120

Copying partition table to 0x83fffc04 180

Copying partition table to 0x80000904 180


Executing Image 2...



 eCos - hal_diag_init
Init device '/dev/BrcmTelnetIoDriver'
Init device '/dev/ttydiag'
Init tty channel: 816dfbb8
Init device '/dev/tty0'
Init tty channel: 816dfbd8
Init device '/dev/haldiag'
HAL/diag SERIAL init
Init device '/dev/ser0'
BCM 33XX SERIAL init - dev: 0.2
Set output buffer - buf: 0x81832c68 len: 4096
Set input buffer - buf: 0x81833c68 len: 4096
BCM 33XX SERIAL config

“nit device '/dev/ser1'
BCM 33XX SERIAL init - dev: 0.3
Set output buffer - buf: 0x81834c68 len: 4096
Set input buffer - buf: 0x81835c68 len: 4096
BCM 33XX SERIAL config

InitBoard: MIPS frequency 637200000
Function: SetHardcodeVendorProfile
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Configuring/Loading Flash driver...
[00:00:00 01/01/1970] [tStartup] BcmSpiFlashDevice::DetectFlash:  (SPI Flash Device Factory) WARNING - Detected SPI flash with JEDEC ID =0xc22014
Waited 12 iterations after device ID read
NAND flash: Device size 64 MB, Block size 16 KB, Page size 512 B
[00:00:00 01/01/1970] [tStartup] BcmNandFlashDevice::DetectNandFlash:  (NAND Flash Device Factory) WARNING - Detected NAND flash with JEDEC ID =0x20762076
Found bootloader flash map at 0x80000904.
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading BootloaderStore driver...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading ProgramStore driver...
ProgramStoreDeviceDriver::ProgramStoreDriverInit:  INFO - Initializing...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading NonVol driver...
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Storage drivers initialized successfully.
[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Creating singletons for ProgramStore/BootloaderStore/NonVol devices...
Detecting the next image number that we will store to by default...
Bootloader indicates we are running image 2
By default, we will dload to image number 1!

By default, we will dload to block number 0!

[00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Device abstraction singletons created successfully.

[Askey Debug]: No VP-24, use the default valus
ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
CmSnmpNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
CmSnmpNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
CmSnmpNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
CmSnmpNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
[00:00:00 01/01/1970] [tStartup] BcmCmBpiNonVolSettings::BcmCmBpiNonVolSettings:  (Euro-Docsis CM BPI NonVol Settings) WARNING - Singleton pointer is not NULL!  There are multiple instances!  Leaving the singleton pointer alone...
ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
BcmPcpClientServiceAppIf::GetSingletonInstance:  WARNING - the singleton is NULL, and someone is accessing it!
mtaNvCalcChecksum: checksum= 1273036263
Reading Permanent settings from non-vol...
Checksum for permanent settings:  0xc3b78a85
Setting downstream calibration signature to ''
[00:00:00 01/01/1970] [tStartup] BcmDocsisCmDownstreamCalibrationNonVolSettings::ReadFromImpl:  (DOCSIS CM Downstream Calibration NonVol Settings) WARNING - Read older version of the settings (2.0); they have been upgraded to version 2.1, preserving original settings.
[00:00:00 01/01/1970] [tStartup] ThomWiFi80211NonVolSettings::ReadFromImpl:  (Thomson WiFi 802.11 NonVol Settings) WARNING - Read older version of the settings (0.2); they have been upgraded to version 0.3, preserving original settings.
[00:00:00 01/01/1970] [tStartChipHalSelectPinMux: Setting pin mux sel 10, word 0, value 5
up]ChipHalSelectPinMux: Setting pin mux sel 6, word 0, value 5
 BcmEmtaSipNonVolSettings::ReadFromImpl:  (EMTA Config NonVol Settings) ERROR - Read unsupported version (less than 1.0)!  These settings are not valid!
[00:00:00 01/01/1970] [tStartup] BcmEmtaSipNonVolSettings::ReadFrom:  (EMTA Config NonVol Settings) ERROR - EMTA Config NonVol Settings failed to read all of its settings from the buffer!
[00:00:00 01/01/1970] [tStartup] BcmBfcAppCompositeNonVolSettings::ReadFrom:  ERROR - A contained Settings object failed to parse the Group settings!
[00:00:00 01/01/1970] [tStartup] BcmBfcTr69NonVolSettings::IsDefault:  (TR69 NonVol Settings) Permanent settings are default!
[00:00:00 01/01/1970] [tStartup] BcmEmtaSipNonVolSettings::IsDefault:  (EMTA Config NonVol Settings) Permanent settings are default!

*
*
* One or more of the settings groups was missing, possibly as a result of a code upgrade.
*
*

*
*
* One or more of the settings groups was upgraded.
*
*
Settings were read and verified.


Reading Dynamic settings from non-vol...
Checksum for dynamic settings:  0x93f550b0
Settings were read and verified.

[Askey Debug]: UPC NonVol IsUpgraded=0, Native version=6, Previous=0
[Askey Debug]: No need to rework UPC NonVol country/language code.
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Setting FPM Buffer size to: 256 Base Address: 0x836f6900
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  fFpmLargestBufferSize: 2048 fFpmSizeShiftBits: 0x8
[00:00:00 01/01/1970] [tStartup] ChipHalSelectPinMux: Setting pin mux sel 6, word 0, value 5
BcmBfcFpmDriver::Init:  Pool index: 0  pool size: 2048
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Pool index: 1  pool size: 1024
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Pool index: 2  pool size: 512
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Pool index: 3  pool size: 256
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 0  pool size: 3
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 1  pool size: 2
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 2  pool size: 1
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 3  pool size: 1
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 4  pool size: 0
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 5  pool size: 0
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 6  pool size: 0
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 7  pool size: 0

------------------------------------
Free Pool Manager Configuration
------------------------------------
Buffer size in Bytes............... 256
Number of Tokens................... 32768
Tokens used in 256 byte pool....... 32
Tokens used in 512 byte pool....... 32
Tokens used in 1024 byte pool...... 32
Tokens used in 2048 byte pool...... 33
Base Address of FPM Memory ........ 0xb2200200
Base Address of FPM Mem in DDR2.... 0x836f6900
Total Configured FPM Memory Size... 8388608
Free Fifo Full..................... 0
Free Fifo Empty.................... 1
Alloc Fifo Full.................... 1
Alloc Fifo Empty................... 0
Number of tokens available......... 32768
Number of not valid token frees.... 0
Number of not valid token multi.... 0
Overflow Count..................... 0
Underflow Count.................... 0
[00:00:00 01/01/1970] [tStartup] BcmBfcPacketAlloc::Init:  Packet Alloc Header Buffer Start Addr: 0x83016860 Length: 0x6e0000 Max Buffer Size: 0xdc
PCI Core Init!  instance = 0, pCoreRegs = b2800000
PCI Core PowerUp!  instance = 0.

PCI ENUMERATE****************************************************************************
Checking bus #1
	Checking device #0
		In pcieEnumerateDevices(0) found a card: deviceNo = 0, funcNo = 0, busNo = 1, pcieAddr = 00000000
		In pcieEnumerateDevices: vendor = 000014e4, device = 00004359
PCIELIB: Setting PCIE clk request mode to 1 for active power savings.
PCIELIB: Found Capability ID = 16
PCIELIB: ClkReq power mode set to 1.
END PCIE ENUMERATE************************************************************************

PCI Core Init!  instance = 1, pCoreRegs = b2a00000
PCI Core PowerUp!  instance = 1.
PCI Core Init Instance (1): No Link Status Found! Skipping enumeration.
PCI Core Power Down. Instance = 1!
Creating a new host MSG PROC DQM manager. Instance: 83f543e8, DQM_REGS = b8601800, CTRL_REGS = b8601000
Initializing main MSG_PROC DQM interrupts.
 b8601000: 00000000
 b8601004: 00000000
 b8601008: 00000008
 b860100c: 00000000
 b8601010: 00000000
 b8601014: 00000000
 b8601018: 00000000
 b860101c: 00000000
Creating a new host FAP DQM manager. Instance: 83f58d64
Initializing main FAP DQM interrupts.
 b8401000: 00000000
 b8401004: 00000000
 b8401008: 00000008
 b840100c: 00000000
 b8401010: 00000000
 b8401014: 00000000
 b8401018: 00000000
 b840101c: 00000000


>>> ITC Initialized!!! <<<

Booting Linux...
NandFlashRead: Detected out-of-order block @offset 0x28b0000, tagged offset 0xffffff00, expected offset 0x170000
NandFlashRead: Failed to find replacement block!
Found bootloader flash map at 0x80000904.
Linux Boot Args: console=ttyS0,115200 partoffset=0x029b0000 partsize=0x00000000 fptaddr=0x83fffe00 ubi.mtd=linuxkfs ubi.mtd=linuxapps root=ubi0:rootfs ro noinitrd rootfstype=ubifs   [email protected] [email protected]
BootLinux: stopping the intermediate AVS code...
BootLinux: intermediate AVS code stopped via 
HandShakeMsg = 00000000
delay
BcmNasServiceAppIf::GetSingletonInstance:  WARNING - the singleton is NULL, and someone is accessing it!
BcmMscServiceAppIf::GetSingletonInstance:  WARNING - the singleton is NULL, and someone is accessing it!
[00:00:02 01/01/1970] [Telnet Thread] BcmTelnetThread::ThreadMain:  (Telnet Thread) Telnet server thread running...
Creating SNMP agent cablemodem agent
cablemodem agent disabling management.
cablemodem agent defering traps.
Creating BcmEmtaCommandTable
Creating BcmEmtaEndptCommandTable

If you pressed the 's' key before this point, we will skip driver initialization...
AVS Thread Constructor....
AVS Thread InitAVS: Bootloader AVS data was retrieved successfully.
   disabled     = 0
   rmon ratio   = 1051
   sigma        = 344
   dac change   = 129
   flash margin = 150
   adc_margin   = 150
   dac_margin   = -449
   madcperdac   = 302
   marginOffset = 65534
   deviceMap    = 0x8171c7f8
   K = 1.051, L = 2.04, BG_Code = 5

Creating TR-069 Thread...
Creating DOCSIS Control Thread...

I wanted to read memory but I got this:

Address is less than 0x80000000.  Ignoring.

SkateScout

Hi,

is it possible to download the firmware by this way?
Would be interesting if there are hidden WebPages.

someone21

Unfortunately it's impossible to download the firmware.

SkateScout

Some thoughts: a) Maybe it is possible to get the firmware by another trick. 1) Setup DHCP Server that tell give the TC7200 an IP+TFTP Server 2) Log on the TFTP Server what file will be requested. 3) Try to fetch this file from the official server. b)If this Modem Run Linux I think the provider have to provide the sourcecode. My interest in the firmware is to see if there are open ports and or hidden web pages.

cormac_byrne

What are you trying to achieve?
If it's enable bridge mode, then see here

dolallyoh

http://192.168.0.1/system/switch-mode.asp to switch modes. (ie to enable bridge mode as per post above)

beauf

dolallyoh wrote: »

http://192.168.0.1/system/switch-mode.asp to switch modes.

what is that meant to do?

dolallyoh

Basically it turns the upc box into a modem leaving your router do all the internet stuff. Means things like port forwarding and wifi get handled by your router and not the horribly **** upc box.

Note after you do it you still have to turn off wifi on the upc box.

beauf

I meant I don't have a switch mode page. That just brings me into the normal config.

I've mine re-routed to my old WiFi Router. But its not in bridge mode.

MaCXyLo

Hey Someeone21,
thank you for your great post.
If you want to backup the firmware, build a SPI Interface. (It's a direct connection to the flash chip pins via soldering).
search on ebay for a usb spi programmer.
got a cheap one from china for 1,00 €. Works great
If you need help, don't hasitate to contact me!


Kind Regards
MaCXyLo

Cronix

ive just started digging in the TC 7200 crapware my cable company gave me and stumbled across another thread where there is a mention of a second ttl connector below the cooler, one might be able to solder onto that from the back, which is what my soldering iron will try in a few seconds.
Will report back with any findings.

Cronix

Success, Output on second SERIAL Header:


hxxp://pastebin.com/E9MtQpb9

Cronix

i guess this serial is a dead end, i cant get past the login prompt.
admin:admin seems to be the correct credentials but the shell is imidiatly closed again after a successful login:

starting pid 271, tty '': '/bin/cttyhack /bin/login'
(none) login: admin
Password:
Jan 1 00:00:39 login[271]: root login on 'ttyS0'
process '/bin/cttyhack /bin/login' (pid 271) exited. Scheduling for restart.

Bi0H4z4rD

I am really mad at my cable company since i cannot redirect ports or enable bridge mode, and i have already sent two emails and i seem not worth a reply, so i am too looking at the modem.

Hope we can find a valid login for the shell!

@Cronix: Yup, i tried it few days ago and noticed it.


Anyone knows where to find a firmware update for the modem?

BR

Cronix

I guess the only Route we can go from here is reading out the SPI flash and the nand using dedicated Hardware flash dumpers. Which is exactly what i am ging to try to archive next

Bi0H4z4rD

I already did that, just dont want to post too many details so they dont change the schemes.

Spi flash is NVM, and NAND contains various fw, but i still meed to figure out the FS (found two UBI partitions already).

As i said, we need a valid login to the system.

BR

tihm

hey guys, nice to see someone is doing something usefull with this tc7200 crap.
i'd like to join your researches, though i don't think i can open my device and connect to the serial port
i'm very interested in getting the firmware file (maybe a dumped one).
I want to know if there are hidden services running, ports open and stuff like that, maybe it's possible to pwn the device and setup openssh, find a way to download original firmware from some server or other fun stuff ^^
so if someone has a dump or sth, pls let me analyze it ^^

greets tihm

cYrAx

hi,
you guys rock ! I love to see that some people are trying to get "inside" this awful tc7200 ****.
with this information here i will try to get some things out of this crap too.

Besides: The vendor does not have any source code public, doesn´t he ?
It´s not a secret that there is running Linux on that thing, maybe we can carry some information to
"h**p://gpl-violations.org/" to force the vendor to pull out the source ?

cYrAx

Bi0H4z4rD

The super-box is running a linux core with busybox.

It is basically enabling and disabling stuff based on the config file it gets.

There are three kernels that can be booted:

1-latest revision
2-factory revision (.11)
3-minimum kernel

The last two behave in a different way regarding the latest.

To extract the firmware, dump the nand and use same method as sb5200.

There should be four or five files in your dump (rootfs+kernels)

You should be able to identify them easily.

If anyone is into looking at the fw (for other than looking for strings) let me know.

cYrAx

Today, I wrote an email to my cable-provider (KabelBW in Germany, member of Liberty Global, like UPC), and to Technicolor.
I´d like to know where to get the sources.

Now let´s see... :-)

MaCXyLo

@cYrAx
the answer is complex, but you don't get it from your cable company, promised for sure.

@all in this thread
stop thinkin' public...^^
you will punch yourself down after you know more later......

NeoGeon

Would someone be so kind to provide me with a dump?
I'd like to take a look at it, but I'm afraid to break the box with my two left hands.

tihm

Bi0H4z4rD wrote: »

The super-box is running a linux core with busybox.

It is basically enabling and disabling stuff based on the config file it gets.

There are three kernels that can be booted:

1-latest revision
2-factory revision (.11)
3-minimum kernel

The last two behave in a different way regarding the latest.

To extract the firmware, dump the nand and use same method as sb5200.

There should be four or five files in your dump (rootfs+kernels)

You should be able to identify them easily.

If anyone is into looking at the fw (for other than looking for strings) let me know.

Nice to hear there is a successfull dump
Could you pls send me your dump? (maybe via private message?)

I'd love to take a look at the firmware and the kernel with my dissassembler and to find out how to connect to the telnet server which is running on the box :O (why the heck is there a telnet server running???????)

Also I'd like to know whether you can enable features yourself, by restoring a modded config file. I captured multiple configuration (stock / a weird one which is different than others / latest current running config on my device).
I could try dumping those stuff myself, but that would require me to buy an additional box, as i'm not allowed by my ISP to open "their" device
From what i got, the ISP (and others) have way too much control of this device, i don't like that!

Bi0H4z4rD

I insist, we need a configuration file to see how the thing works, as things are enabled or disabled based on it.


BR

Arisu

You can telnet into it on 192.168.100.1 with webstar both as a password and username, and then do a dump of its config with show tech_support which gives you loads of interesting stuff..
a.pomf.se/rvzpjd.png
Oh, and you can read from the memory too with system/diag readmem

However, I'd like to see a classic shell on this thing instead of that Broadcom one.
Also, I tried to download ISP's firmware directly from their TFTP server, but it'd seem they only allow connections to it from the modem's CM IP.

Bi0H4z4rD

Arisu wrote: »

You can telnet into it on 192.168.100.1 with webstar both as a password and username, and then do a dump of its config with show tech_support which gives you loads of interesting stuff..
a.pomf.se/rvzpjd.png

Not working on my router.

Arisu wrote: »

Oh, and you can read from the memory too with system/diag readmem

Yes, but byte by byte, and not full memory.

Arisu wrote: »

However, I'd like to see a classic shell on this thing instead of that Broadcom one.
Also, I tried to download ISP's firmware directly from their TFTP server, but it'd seem they only allow connections to it from the modem's CM IP.

Yes, you can download the update if you are behind they network, f.ex if you have kabelbw modem at home. The problem is you dont know the route to the file

Small tip: TC7200U-D6.0.1.27-131031-F-1C1.bin

Bi0H4z4rD

Another gift, some "strings" stored in the kernel:

admin [at]m3r!c[at]m0v!L

admin Technicolor

Technicolor Technicolor

broadcom broadcom

TechnicolorAP 123456

Broadcom Broadcom

THOMPSON THOMPSON

gzcatvadmin [at]m3r!c[at]m0v!L

upccsr euskaltel

Can guess what they are?

PS: had to change the @ for [at] because the forum script thinks it's an URL, and i am a new user and am not allowed to post urls.

Arisu

Bi0H4z4rD wrote: »

The problem is you dont know the route to the file

I do. It's in that dump, and there are routes for other models which they offer.
a.pomf.se/nrxows.png
a.pomf.se/ehxxxe.png

Bi0H4z4rD

Arisu wrote: »

I do. It's in that dump, and there are routes for other models which they offer.
a.pomf.se/nrxows.png
a.pomf.se/ehxxxe.png

Do you have a cable sniffer?

Arisu

Bi0H4z4rD wrote: »

Do you have a cable sniffer?

Sadly, no.

Bi0H4z4rD wrote: »

Another gift, some "strings" stored in the kernel:
upccsr euskaltel

Can guess what they are?

PS: had to change the @ for [at] because the forum script thinks it's an URL, and i am a new user and am not allowed to post urls.

That's interesting, i tried the one my ISP has set it to, but it seems I can't login with it.

Arisu

Also, could you guys telnet into the modem, do show tech_support and send me the whole thing? I want to do a diff. on what's different.
If you use Windows, use telnet "192.168.100.1 -f log.txt"
If you use an Unix-like operating system, then use "telnet 192.168.100.1 | tee -a -i log.txt"

Then upload it somewhere (I use pomf.se), and send me a PM.
Thanks.