Advertisement
Boards are fundraising to help the people of Ukraine via the Red Cross at this horrific time. Please donate and share if you can, you will find the link here. Many thanks.

UPC Technicolor TC7200 - serial console

  • 12-02-2014 9:08pm
    #1
    Registered Users Posts: 4 someone21


    Hi!
    I found pic [attached file] of Technicolor TC7200 and I thought that this white 4pin connector is a serial console.
    I tried to connect to and I succeeded.
    The pinout is:
    ___________________
    |  *   *   *   *  |
    ------      -------
    3.3v - GND - TX - RX
    Speed: 115200
    
    I figured out that this router has two firmware images and some third image, maybe it's something like base-system.
    I think that first is a backup image, when the second one is the latest firmware version.
    On my device image 1 is TC7200U-D6.01.12-130329-F-1C1.bin and image 2 is TC7200U-D6.01.27-131031-F-1C1.bin.

    When router is booting there is a possibility to choose image 1 or 2 or "p".
    P-option gives this menu:
    Board IP Address  [0.0.0.0]:          
    Board IP Mask     [255.255.255.0]:     
    Board IP Gateway  [0.0.0.0]:           
    Board MAC Address [00:10:18:ff:ff:ff]: 
    
    Internal/External phy? (e/i/a)[a] 
    Switch detected: 53125
    ProbePhy: Found PHY 0, MDIO on MAC 0, data on MAC 0
    Using GMAC0, phy 0
    Enet link up: 1G full
    
    Main Menu:
    ==========
      b) Boot from flash
      c) Check DRAM
      g) Download and run from RAM
      d) Download and save to flash
      e) Erase flash sector
      m) Set mode
      s) Store bootloader parameters to flash
      i) Re-init ethernet
      r) Read memory
      w) Write memory
      j) Jump to arbitrary address
      p) Print flash partition map
      E) Erase flash region/partition
      X) Erase all of flash except the bootloader
      z) Reset
    
    In Set mode you can set to boot always from first image by setting mode to 8027:
    Mode Configuration Bits
    =======================
     0x8000 Boot
     0x4000 Load-N-Go
     0x0004 Boot image 1
     0x0002 Verify image CRC
     0x0001 Prompt
    
    Phy Selection
    -------------
     0x0000  Default PHY
     0x0100  Internal EPHY
     0x0200  External EPHY
    
    Enter hex value of desired features
    MODE=8023: Enter new value: 8023
    Updating MODE: 8023
    

    If someone has got a file with firmware it could be an opportunity to unlock all functions on this router because by serial console you can download firmware to router by TFTP (option d ang g).

    I set my router to boot to STD6.01.12 and I tried to set bridge mode (as wrote here) but it didn't work - router initiates reboot and after that I still get private IP address. Maybe someone could provide me some tip?

    Below I post some information I took:
    Flash Partition information:
    Name           Size           Offset
    =====================================
    bootloader   0x00010000     0x00000000
    image1       0x006c0000     0x01ac0000
    image2       0x006c0000     0x02180000
    linux        0x00480000     0x02840000
    linuxapps    0x019c0000     0x00100000
    permnv       0x00010000     0x00010000
    dhtml        0x00240000     0x03ec0000
    dynnv        0x00020000     0x000e0000
    linuxkfs     0x01200000     0x02cc0000
    
    BCM3383A2 
    Sync: 0 
    MemSize:            128 M
    
    Chip ID:     BCM3383Z-B0
    
    
    BootLoader Version: 2.4.0alpha18p1 Pre-release Gnu spiboot dual-flash reduced DDR drive linux
    
    Build Date: Aug 14 2012
    
    Build Time: 09:48:58
    
    SPI flash ID 0xc22014, size 1MB, block size 64KB, write buffer 256, flags 0x0
    
    NAND flash: Device size 64 MB, Block size 16 KB, Page size 512 B
    
    Cust key size 128
    
    parameter offset is 43872
    
    
    Signature/PID: a825
    
    
    Reading flash map at ff30, size 192
    
    Successfully restored flash map from SPI flash!
    
    NandFlashRead: Reading offset 0x19c0000, length 0x5c
    
    
    Image 1 Program Header:
    
       Signature: a825
    
         Control: 0005
    
       Major Rev: 0100
    
       Minor Rev: 01ff
    
      Build Time: 2013/3/29 07:53:59 Z
    
     File Length: 4839099 bytes
    
    Load Address: 80004000
    
        Filename: TC7200U-D6.01.12-130329-F-1C1.bin
    
             HCS: 7f47
    
             CRC: fb7111d8
    
    
    Found image 1 at offset 1ac0000
    
    NandFlashRead: Reading offset 0x2080000, length 0x5c
    
    
    Image 2 Program Header:
    
       Signature: a825
    
         Control: 0005
    
       Major Rev: 0100
    
       Minor Rev: 01ff
    
      Build Time: 2013/10/31 09:45:22 Z
    
     File Length: 5298465 bytes
    
    Load Address: 80004000
    
        Filename: TC7200U-D6.01.27-131031-F-1C1.bin
    
             HCS: 0046
    
             CRC: 87e2a6ee
    
    
    Found image 2 at offset 2180000
    
    NandFlashRead: Reading offset 0x2740000, length 0x5c
    
    
    Image 3 Program Header:
    
       Signature: a825
    
         Control: 0005
    
       Major Rev: 0100
    
       Minor Rev: 01ff
    
      Build Time: 2012/11/28 07:33:42 Z
    
     File Length: 1507236 bytes
    
    Load Address: 84010000
    
        Filename: LNXD6.01.08-kernel-121128.bin
    
             HCS: a8ef
    
             CRC: fad26589
    
    
    Found image 3 at offset 2840000
    
    
    Enter '1', '2', or 'p' within 2 seconds or take default...
    
    . . 
    
    
    NandFlashRead: Reading offset 0x2740000, length 0x200
    
    NandFlashRead: Reading offset 0x2740200, length 0x16fe00
    
    Performing CRC on Image 3...
    
    CRC time = 33081974
    
    Detected LZMA compressed image... decompressing... 
    
    Target Address: 0x84010000
    
    decompressSpace is 0x8000000
    
    Elapsed time 1694014890
    
    
    Decompressed length: 7107662
    
    Done Copying Root File System...
    
    
    NandFlashRead: Reading offset 0x2080000, length 0x200
    
    NandFlashRead: Reading offset 0x2080200, length 0x50d77d
    
    Performing CRC on Image 2...
    
    CRC time = 152229967
    
    Detected LZMA compressed image... decompressing... 
    
    Target Address: 0x80004000
    
    decompressSpace is 0x8000000
    
    Elapsed time 110742320
    
    
    Decompressed length: 23970120
    
    Copying partition table to 0x83fffc04 180
    
    Copying partition table to 0x80000904 180
    
    
    Executing Image 2...
    
    
    
     eCos - hal_diag_init
    Init device '/dev/BrcmTelnetIoDriver'
    Init device '/dev/ttydiag'
    Init tty channel: 816dfbb8
    Init device '/dev/tty0'
    Init tty channel: 816dfbd8
    Init device '/dev/haldiag'
    HAL/diag SERIAL init
    Init device '/dev/ser0'
    BCM 33XX SERIAL init - dev: 0.2
    Set output buffer - buf: 0x81832c68 len: 4096
    Set input buffer - buf: 0x81833c68 len: 4096
    BCM 33XX SERIAL config
    
    “nit device '/dev/ser1'
    BCM 33XX SERIAL init - dev: 0.3
    Set output buffer - buf: 0x81834c68 len: 4096
    Set input buffer - buf: 0x81835c68 len: 4096
    BCM 33XX SERIAL config
    
    InitBoard: MIPS frequency 637200000
    Function: SetHardcodeVendorProfile
    [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Configuring/Loading Flash driver...
    [00:00:00 01/01/1970] [tStartup] BcmSpiFlashDevice::DetectFlash:  (SPI Flash Device Factory) WARNING - Detected SPI flash with JEDEC ID =0xc22014
    Waited 12 iterations after device ID read
    NAND flash: Device size 64 MB, Block size 16 KB, Page size 512 B
    [00:00:00 01/01/1970] [tStartup] BcmNandFlashDevice::DetectNandFlash:  (NAND Flash Device Factory) WARNING - Detected NAND flash with JEDEC ID =0x20762076
    Found bootloader flash map at 0x80000904.
    [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
    [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
    [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
    [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
    [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
    [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions:  (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1...
    [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading BootloaderStore driver...
    [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading ProgramStore driver...
    ProgramStoreDeviceDriver::ProgramStoreDriverInit:  INFO - Initializing...
    [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading NonVol driver...
    [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Storage drivers initialized successfully.
    [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Creating singletons for ProgramStore/BootloaderStore/NonVol devices...
    Detecting the next image number that we will store to by default...
    Bootloader indicates we are running image 2
    By default, we will dload to image number 1!
    
    By default, we will dload to block number 0!
    
    [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Device abstraction singletons created successfully.
    
    [Askey Debug]: No VP-24, use the default valus
    ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    CmSnmpNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    CmSnmpNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    CmSnmpNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    CmSnmpNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    [00:00:00 01/01/1970] [tStartup] BcmCmBpiNonVolSettings::BcmCmBpiNonVolSettings:  (Euro-Docsis CM BPI NonVol Settings) WARNING - Singleton pointer is not NULL!  There are multiple instances!  Leaving the singleton pointer alone...
    ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    ThomWiFi80211NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
    BcmPcpClientServiceAppIf::GetSingletonInstance:  WARNING - the singleton is NULL, and someone is accessing it!
    mtaNvCalcChecksum: checksum= 1273036263
    Reading Permanent settings from non-vol...
    Checksum for permanent settings:  0xc3b78a85
    Setting downstream calibration signature to ''
    [00:00:00 01/01/1970] [tStartup] BcmDocsisCmDownstreamCalibrationNonVolSettings::ReadFromImpl:  (DOCSIS CM Downstream Calibration NonVol Settings) WARNING - Read older version of the settings (2.0); they have been upgraded to version 2.1, preserving original settings.
    [00:00:00 01/01/1970] [tStartup] ThomWiFi80211NonVolSettings::ReadFromImpl:  (Thomson WiFi 802.11 NonVol Settings) WARNING - Read older version of the settings (0.2); they have been upgraded to version 0.3, preserving original settings.
    [00:00:00 01/01/1970] [tStartChipHalSelectPinMux: Setting pin mux sel 10, word 0, value 5
    up]ChipHalSelectPinMux: Setting pin mux sel 6, word 0, value 5
     BcmEmtaSipNonVolSettings::ReadFromImpl:  (EMTA Config NonVol Settings) ERROR - Read unsupported version (less than 1.0)!  These settings are not valid!
    [00:00:00 01/01/1970] [tStartup] BcmEmtaSipNonVolSettings::ReadFrom:  (EMTA Config NonVol Settings) ERROR - EMTA Config NonVol Settings failed to read all of its settings from the buffer!
    [00:00:00 01/01/1970] [tStartup] BcmBfcAppCompositeNonVolSettings::ReadFrom:  ERROR - A contained Settings object failed to parse the Group settings!
    [00:00:00 01/01/1970] [tStartup] BcmBfcTr69NonVolSettings::IsDefault:  (TR69 NonVol Settings) Permanent settings are default!
    [00:00:00 01/01/1970] [tStartup] BcmEmtaSipNonVolSettings::IsDefault:  (EMTA Config NonVol Settings) Permanent settings are default!
    
    *
    *
    * One or more of the settings groups was missing, possibly as a result of a code upgrade.
    *
    *
    
    *
    *
    * One or more of the settings groups was upgraded.
    *
    *
    Settings were read and verified.
    
    
    Reading Dynamic settings from non-vol...
    Checksum for dynamic settings:  0x93f550b0
    Settings were read and verified.
    
    [Askey Debug]: UPC NonVol IsUpgraded=0, Native version=6, Previous=0
    [Askey Debug]: No need to rework UPC NonVol country/language code.
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Setting FPM Buffer size to: 256 Base Address: 0x836f6900
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  fFpmLargestBufferSize: 2048 fFpmSizeShiftBits: 0x8
    [00:00:00 01/01/1970] [tStartup] ChipHalSelectPinMux: Setting pin mux sel 6, word 0, value 5
    BcmBfcFpmDriver::Init:  Pool index: 0  pool size: 2048
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Pool index: 1  pool size: 1024
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Pool index: 2  pool size: 512
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Pool index: 3  pool size: 256
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 0  pool size: 3
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 1  pool size: 2
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 2  pool size: 1
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 3  pool size: 1
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 4  pool size: 0
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 5  pool size: 0
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 6  pool size: 0
    [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init:  Lookup table index: 7  pool size: 0
    
    ------------------------------------
    Free Pool Manager Configuration
    ------------------------------------
    Buffer size in Bytes............... 256
    Number of Tokens................... 32768
    Tokens used in 256 byte pool....... 32
    Tokens used in 512 byte pool....... 32
    Tokens used in 1024 byte pool...... 32
    Tokens used in 2048 byte pool...... 33
    Base Address of FPM Memory ........ 0xb2200200
    Base Address of FPM Mem in DDR2.... 0x836f6900
    Total Configured FPM Memory Size... 8388608
    Free Fifo Full..................... 0
    Free Fifo Empty.................... 1
    Alloc Fifo Full.................... 1
    Alloc Fifo Empty................... 0
    Number of tokens available......... 32768
    Number of not valid token frees.... 0
    Number of not valid token multi.... 0
    Overflow Count..................... 0
    Underflow Count.................... 0
    [00:00:00 01/01/1970] [tStartup] BcmBfcPacketAlloc::Init:  Packet Alloc Header Buffer Start Addr: 0x83016860 Length: 0x6e0000 Max Buffer Size: 0xdc
    PCI Core Init!  instance = 0, pCoreRegs = b2800000
    PCI Core PowerUp!  instance = 0.
    
    PCI ENUMERATE****************************************************************************
    Checking bus #1
    	Checking device #0
    		In pcieEnumerateDevices(0) found a card: deviceNo = 0, funcNo = 0, busNo = 1, pcieAddr = 00000000
    		In pcieEnumerateDevices: vendor = 000014e4, device = 00004359
    PCIELIB: Setting PCIE clk request mode to 1 for active power savings.
    PCIELIB: Found Capability ID = 16
    PCIELIB: ClkReq power mode set to 1.
    END PCIE ENUMERATE************************************************************************
    
    PCI Core Init!  instance = 1, pCoreRegs = b2a00000
    PCI Core PowerUp!  instance = 1.
    PCI Core Init Instance (1): No Link Status Found! Skipping enumeration.
    PCI Core Power Down. Instance = 1!
    Creating a new host MSG PROC DQM manager. Instance: 83f543e8, DQM_REGS = b8601800, CTRL_REGS = b8601000
    Initializing main MSG_PROC DQM interrupts.
     b8601000: 00000000
     b8601004: 00000000
     b8601008: 00000008
     b860100c: 00000000
     b8601010: 00000000
     b8601014: 00000000
     b8601018: 00000000
     b860101c: 00000000
    Creating a new host FAP DQM manager. Instance: 83f58d64
    Initializing main FAP DQM interrupts.
     b8401000: 00000000
     b8401004: 00000000
     b8401008: 00000008
     b840100c: 00000000
     b8401010: 00000000
     b8401014: 00000000
     b8401018: 00000000
     b840101c: 00000000
    
    
    >>> ITC Initialized!!! <<<
    
    Booting Linux...
    NandFlashRead: Detected out-of-order block @offset 0x28b0000, tagged offset 0xffffff00, expected offset 0x170000
    NandFlashRead: Failed to find replacement block!
    Found bootloader flash map at 0x80000904.
    Linux Boot Args: console=ttyS0,115200 partoffset=0x029b0000 partsize=0x00000000 fptaddr=0x83fffe00 ubi.mtd=linuxkfs ubi.mtd=linuxapps root=ubi0:rootfs ro noinitrd rootfstype=ubifs   [email protected] [email protected]
    BootLinux: stopping the intermediate AVS code...
    BootLinux: intermediate AVS code stopped via 
    HandShakeMsg = 00000000
    delay
    BcmNasServiceAppIf::GetSingletonInstance:  WARNING - the singleton is NULL, and someone is accessing it!
    BcmMscServiceAppIf::GetSingletonInstance:  WARNING - the singleton is NULL, and someone is accessing it!
    [00:00:02 01/01/1970] [Telnet Thread] BcmTelnetThread::ThreadMain:  (Telnet Thread) Telnet server thread running...
    Creating SNMP agent cablemodem agent
    cablemodem agent disabling management.
    cablemodem agent defering traps.
    Creating BcmEmtaCommandTable
    Creating BcmEmtaEndptCommandTable
    
    If you pressed the 's' key before this point, we will skip driver initialization...
    AVS Thread Constructor....
    AVS Thread InitAVS: Bootloader AVS data was retrieved successfully.
       disabled     = 0
       rmon ratio   = 1051
       sigma        = 344
       dac change   = 129
       flash margin = 150
       adc_margin   = 150
       dac_margin   = -449
       madcperdac   = 302
       marginOffset = 65534
       deviceMap    = 0x8171c7f8
       K = 1.051, L = 2.04, BG_Code = 5
    
    Creating TR-069 Thread...
    Creating DOCSIS Control Thread...
    

    I wanted to read memory but I got this:
    Address is less than 0x80000000.  Ignoring.
    


«1

Comments

  • Registered Users Posts: 2 SkateScout


    Hi,

    is it possible to download the firmware by this way?
    Would be interesting if there are hidden WebPages.


  • Registered Users Posts: 4 someone21


    Unfortunately it's impossible to download the firmware.


  • Registered Users Posts: 2 SkateScout


    Some thoughts: a) Maybe it is possible to get the firmware by another trick. 1) Setup DHCP Server that tell give the TC7200 an IP+TFTP Server 2) Log on the TFTP Server what file will be requested. 3) Try to fetch this file from the official server. b)If this Modem Run Linux I think the provider have to provide the sourcecode. My interest in the firmware is to see if there are open ports and or hidden web pages.


  • Registered Users Posts: 487 ✭✭ cormac_byrne


    What are you trying to achieve?
    If it's enable bridge mode, then see here


  • Closed Accounts Posts: 532 dolallyoh


    http://192.168.0.1/system/switch-mode.asp to switch modes. (ie to enable bridge mode as per post above)


  • Advertisement
  • Closed Accounts Posts: 22,676 ✭✭✭✭ beauf


    dolallyoh wrote: »

    what is that meant to do?


  • Closed Accounts Posts: 532 dolallyoh


    Basically it turns the upc box into a modem leaving your router do all the internet stuff. Means things like port forwarding and wifi get handled by your router and not the horribly **** upc box.

    Note after you do it you still have to turn off wifi on the upc box.


  • Closed Accounts Posts: 22,676 ✭✭✭✭ beauf


    I meant I don't have a switch mode page. That just brings me into the normal config.

    I've mine re-routed to my old WiFi Router. But its not in bridge mode.


  • Registered Users Posts: 6 ✭✭✭ MaCXyLo


    Hey Someeone21,
    thank you for your great post.
    If you want to backup the firmware, build a SPI Interface. (It's a direct connection to the flash chip pins via soldering).
    search on ebay for a usb spi programmer.
    got a cheap one from china for 1,00 €. Works great ;)
    If you need help, don't hasitate to contact me!


    Kind Regards
    MaCXyLo


  • Registered Users Posts: 4 Cronix


    ive just started digging in the TC 7200 crapware my cable company gave me and stumbled across another thread where there is a mention of a second ttl connector below the cooler, one might be able to solder onto that from the back, which is what my soldering iron will try in a few seconds.
    Will report back with any findings.


  • Advertisement
  • Registered Users Posts: 4 Cronix


    Success, Output on second SERIAL Header:


    hxxp://pastebin.com/E9MtQpb9


  • Registered Users Posts: 4 Cronix


    i guess this serial is a dead end, i cant get past the login prompt.
    admin:admin seems to be the correct credentials but the shell is imidiatly closed again after a successful login:

    starting pid 271, tty '': '/bin/cttyhack /bin/login'
    (none) login: admin
    Password:
    Jan 1 00:00:39 login[271]: root login on 'ttyS0'
    process '/bin/cttyhack /bin/login' (pid 271) exited. Scheduling for restart.


  • Registered Users Posts: 7 ✭✭✭ Bi0H4z4rD


    I am really mad at my cable company since i cannot redirect ports or enable bridge mode, and i have already sent two emails and i seem not worth a reply, so i am too looking at the modem.

    Hope we can find a valid login for the shell!

    @Cronix: Yup, i tried it few days ago and noticed it.


    Anyone knows where to find a firmware update for the modem?

    BR


  • Registered Users Posts: 4 Cronix


    I guess the only Route we can go from here is reading out the SPI flash and the nand using dedicated Hardware flash dumpers. Which is exactly what i am ging to try to archive next


  • Registered Users Posts: 7 ✭✭✭ Bi0H4z4rD


    I already did that, just dont want to post too many details so they dont change the schemes.

    Spi flash is NVM, and NAND contains various fw, but i still meed to figure out the FS (found two UBI partitions already).

    As i said, we need a valid login to the system.

    BR


  • Registered Users Posts: 2 tihm


    hey guys, nice to see someone is doing something usefull with this tc7200 crap.
    i'd like to join your researches, though i don't think i can open my device and connect to the serial port :/
    i'm very interested in getting the firmware file (maybe a dumped one).
    I want to know if there are hidden services running, ports open and stuff like that, maybe it's possible to pwn the device and setup openssh, find a way to download original firmware from some server or other fun stuff ^^
    so if someone has a dump or sth, pls let me analyze it ^^

    greets tihm


  • Registered Users Posts: 2 cYrAx


    hi,
    you guys rock ! I love to see that some people are trying to get "inside" this awful tc7200 ****.
    with this information here i will try to get some things out of this crap too.

    Besides: The vendor does not have any source code public, doesn´t he ?
    It´s not a secret that there is running Linux on that thing, maybe we can carry some information to
    "h**p://gpl-violations.org/" to force the vendor to pull out the source ?

    cYrAx


  • Registered Users Posts: 7 ✭✭✭ Bi0H4z4rD


    The super-box is running a linux core with busybox.

    It is basically enabling and disabling stuff based on the config file it gets.

    There are three kernels that can be booted:

    1-latest revision
    2-factory revision (.11)
    3-minimum kernel

    The last two behave in a different way regarding the latest.

    To extract the firmware, dump the nand and use same method as sb5200.

    There should be four or five files in your dump (rootfs+kernels)

    You should be able to identify them easily.

    If anyone is into looking at the fw (for other than looking for strings) let me know.


  • Registered Users Posts: 2 cYrAx


    Today, I wrote an email to my cable-provider (KabelBW in Germany, member of Liberty Global, like UPC), and to Technicolor.
    I´d like to know where to get the sources.

    Now let´s see... :-)


  • Registered Users Posts: 6 ✭✭✭ MaCXyLo


    @cYrAx
    the answer is complex, but you don't get it from your cable company, promised for sure.

    @all in this thread
    stop thinkin' public...^^
    you will punch yourself down after you know more later......


  • Advertisement
  • Registered Users Posts: 1 NeoGeon


    Would someone be so kind to provide me with a dump?
    I'd like to take a look at it, but I'm afraid to break the box with my two left hands.


  • Registered Users Posts: 2 tihm


    Bi0H4z4rD wrote: »
    The super-box is running a linux core with busybox.

    It is basically enabling and disabling stuff based on the config file it gets.

    There are three kernels that can be booted:

    1-latest revision
    2-factory revision (.11)
    3-minimum kernel

    The last two behave in a different way regarding the latest.

    To extract the firmware, dump the nand and use same method as sb5200.

    There should be four or five files in your dump (rootfs+kernels)

    You should be able to identify them easily.

    If anyone is into looking at the fw (for other than looking for strings) let me know.

    Nice to hear there is a successfull dump :D
    Could you pls send me your dump? (maybe via private message?)

    I'd love to take a look at the firmware and the kernel with my dissassembler and to find out how to connect to the telnet server which is running on the box :O (why the heck is there a telnet server running???????)

    Also I'd like to know whether you can enable features yourself, by restoring a modded config file. I captured multiple configuration (stock / a weird one which is different than others / latest current running config on my device).
    I could try dumping those stuff myself, but that would require me to buy an additional box, as i'm not allowed by my ISP to open "their" device :/
    From what i got, the ISP (and others) have way too much control of this device, i don't like that!


  • Registered Users Posts: 7 ✭✭✭ Bi0H4z4rD


    I insist, we need a configuration file to see how the thing works, as things are enabled or disabled based on it.


    BR


  • Registered Users Posts: 5 ✭✭✭ Arisu


    You can telnet into it on 192.168.100.1 with webstar both as a password and username, and then do a dump of its config with show tech_support which gives you loads of interesting stuff..
    a.pomf.se/rvzpjd.png
    Oh, and you can read from the memory too with system/diag readmem

    However, I'd like to see a classic shell on this thing instead of that Broadcom one.
    Also, I tried to download ISP's firmware directly from their TFTP server, but it'd seem they only allow connections to it from the modem's CM IP.


  • Registered Users Posts: 7 ✭✭✭ Bi0H4z4rD


    Arisu wrote: »
    You can telnet into it on 192.168.100.1 with webstar both as a password and username, and then do a dump of its config with show tech_support which gives you loads of interesting stuff..
    a.pomf.se/rvzpjd.png
    Not working on my router.
    Arisu wrote: »
    Oh, and you can read from the memory too with system/diag readmem
    Yes, but byte by byte, and not full memory.
    Arisu wrote: »
    However, I'd like to see a classic shell on this thing instead of that Broadcom one.
    Also, I tried to download ISP's firmware directly from their TFTP server, but it'd seem they only allow connections to it from the modem's CM IP.
    Yes, you can download the update if you are behind they network, f.ex if you have kabelbw modem at home. The problem is you dont know the route to the file ;)

    Small tip: TC7200U-D6.0.1.27-131031-F-1C1.bin


  • Registered Users Posts: 7 ✭✭✭ Bi0H4z4rD


    Another gift, some "strings" stored in the kernel:

    admin [at]m3r!c[at]m0v!L

    admin Technicolor

    Technicolor Technicolor

    broadcom broadcom

    TechnicolorAP 123456

    Broadcom Broadcom

    THOMPSON THOMPSON

    gzcatvadmin [at]m3r!c[at]m0v!L

    upccsr euskaltel

    Can guess what they are? ;)

    PS: had to change the @ for [at] because the forum script thinks it's an URL, and i am a new user and am not allowed to post urls.


  • Registered Users Posts: 5 ✭✭✭ Arisu


    Bi0H4z4rD wrote: »
    The problem is you dont know the route to the file ;)
    I do. It's in that dump, and there are routes for other models which they offer.
    a.pomf.se/nrxows.png
    a.pomf.se/ehxxxe.png


  • Registered Users Posts: 7 ✭✭✭ Bi0H4z4rD


    Arisu wrote: »
    I do. It's in that dump, and there are routes for other models which they offer.
    a.pomf.se/nrxows.png
    a.pomf.se/ehxxxe.png

    Do you have a cable sniffer?


  • Registered Users Posts: 5 ✭✭✭ Arisu


    Bi0H4z4rD wrote: »
    Do you have a cable sniffer?
    Sadly, no.
    Bi0H4z4rD wrote: »
    Another gift, some "strings" stored in the kernel:
    upccsr euskaltel

    Can guess what they are? ;)

    PS: had to change the @ for [at] because the forum script thinks it's an URL, and i am a new user and am not allowed to post urls.
    That's interesting, i tried the one my ISP has set it to, but it seems I can't login with it.


  • Advertisement
  • Registered Users Posts: 5 ✭✭✭ Arisu


    Also, could you guys telnet into the modem, do show tech_support and send me the whole thing? I want to do a diff. on what's different.
    If you use Windows, use telnet "192.168.100.1 -f log.txt"
    If you use an Unix-like operating system, then use "telnet 192.168.100.1 | tee -a -i log.txt"

    Then upload it somewhere (I use pomf.se), and send me a PM.
    Thanks.


Advertisement