UPC Technicolor TC7200 - serial console
12-02-2014 10:08pm
Hi!
I found a pic [attached file] of the Technicolor TC7200 and I thought that this white 4-pin connector is a serial console.
I tried to connect to it and I succeeded.
The pinout is:
 ___________________
|  *    *    *    * |
 ------      -------
 3.3v  GND   TX   RX
Speed: 115200
I figured out that this router has two firmware images and some third image, maybe it's something like a base system.
I think that the first is a backup image, while the second one is the latest firmware version.
On my device image 1 is TC7200U-D6.01.12-130329-F-1C1.bin and image 2 is TC7200U-D6.01.27-131031-F-1C1.bin.
When the router is booting there is a possibility to choose image 1 or 2 or "p".
The P option gives this menu:
Board IP Address [0.0.0.0]:
Board IP Mask [255.255.255.0]:
Board IP Gateway [0.0.0.0]:
Board MAC Address [00:10:18:ff:ff:ff]:
Internal/External phy? (e/i/a)[a]
Switch detected: 53125
ProbePhy: Found PHY 0, MDIO on MAC 0, data on MAC 0
Using GMAC0, phy 0
Enet link up: 1G full
Main Menu:
==========
b) Boot from flash
c) Check DRAM
g) Download and run from RAM
d) Download and save to flash
e) Erase flash sector
m) Set mode
s) Store bootloader parameters to flash
i) Re-init ethernet
r) Read memory
w) Write memory
j) Jump to arbitrary address
p) Print flash partition map
E) Erase flash region/partition
X) Erase all of flash except the bootloader
z) Reset
In Set mode you can set it to always boot from the first image by setting the mode to 8027:
Mode Configuration Bits
=======================
0x8000 Boot
0x4000 Load-N-Go
0x0004 Boot image 1
0x0002 Verify image CRC
0x0001 Prompt Phy Selection
-------------
0x0000 Default PHY
0x0100 Internal EPHY
0x0200 External EPHY
Enter hex value of desired features MODE=8023:
Enter new value: 8023
Updating MODE: 8023
If someone has got a file with the firmware it could be an opportunity to unlock all functions on this router, because via the serial console you can download firmware to the router by TFTP (options d and g).
I set my router to boot STD6.01.12 and I tried to set bridge mode (as written here) but it didn't work: the router initiates a reboot and after that I still get a private IP address. Maybe someone could give me a tip?
Below I post some information I took:
Flash Partition information:
Name        Size        Offset
=====================================
bootloader  0x00010000  0x00000000
image1      0x006c0000  0x01ac0000
image2      0x006c0000  0x02180000
linux       0x00480000  0x02840000
linuxapps   0x019c0000  0x00100000
permnv      0x00010000  0x00010000
dhtml       0x00240000  0x03ec0000
dynnv       0x00020000  0x000e0000
linuxkfs    0x01200000  0x02cc0000
BCM3383A2
Sync: 0
MemSize: 128 M
Chip ID: BCM3383Z-B0
BootLoader Version: 2.4.0alpha18p1 Pre-release Gnu spiboot dual-flash reduced DDR drive linux
Build Date: Aug 14 2012
Build Time: 09:48:58
SPI flash ID 0xc22014, size 1MB, block size 64KB, write buffer 256, flags 0x0
NAND flash: Device size 64 MB, Block size 16 KB, Page size 512 B
Cust key size 128
parameter offset is 43872
Signature/PID: a825
Reading flash map at ff30, size 192
Successfully restored flash map from SPI flash!
NandFlashRead: Reading offset 0x19c0000, length 0x5c
Image 1 Program Header:
Signature: a825
Control: 0005
Major Rev: 0100
Minor Rev: 01ff
Build Time: 2013/3/29 07:53:59 Z
File Length: 4839099 bytes
Load Address: 80004000
Filename: TC7200U-D6.01.12-130329-F-1C1.bin
HCS: 7f47
CRC: fb7111d8
Found image 1 at offset 1ac0000
NandFlashRead: Reading offset 0x2080000, length 0x5c
Image 2 Program Header:
Signature: a825
Control: 0005
Major Rev: 0100
Minor Rev: 01ff
Build Time: 2013/10/31 09:45:22 Z
File Length: 5298465 bytes
Load Address: 80004000
Filename: TC7200U-D6.01.27-131031-F-1C1.bin
HCS: 0046
CRC: 87e2a6ee
Found image 2 at offset 2180000
NandFlashRead: Reading offset 0x2740000, length 0x5c
Image 3 Program Header:
Signature: a825
Control: 0005
Major Rev: 0100
Minor Rev: 01ff
Build Time: 2012/11/28 07:33:42 Z
File Length: 1507236 bytes
Load Address: 84010000
Filename: LNXD6.01.08-kernel-121128.bin
HCS: a8ef
CRC: fad26589
Found image 3 at offset 2840000
Enter '1', '2', or 'p' within 2 seconds or take default...
. .
NandFlashRead: Reading offset 0x2740000, length 0x200
NandFlashRead: Reading offset 0x2740200, length 0x16fe00
Performing CRC on Image 3...
CRC time = 33081974
Detected LZMA compressed image... decompressing...
Target Address: 0x84010000
decompressSpace is 0x8000000
Elapsed time 1694014890
Decompressed length: 7107662
Done
Copying Root File System...
Linux Boot Args: console=ttyS0,115200 partoffset=0x029b0000 partsize=0x00000000 fptaddr=0x83fffe00 ubi.mtd=linuxkfs ubi.mtd=linuxapps root=ubi0:rootfs ro noinitrd rootfstype=ubifs [email protected] [email protected]
BootLinux: stopping the intermediate AVS code...
BootLinux: intermediate AVS code stopped via HandShakeMsg = 00000000
delay
BcmNasServiceAppIf::GetSingletonInstance: WARNING - the singleton is NULL, and someone is accessing it!
BcmMscServiceAppIf::GetSingletonInstance: WARNING - the singleton is NULL, and someone is accessing it!
[00:00:02 01/01/1970] [Telnet Thread] BcmTelnetThread::ThreadMain: (Telnet Thread) Telnet server thread running...
Creating SNMP agent cablemodem agent
cablemodem agent disabling management.
cablemodem agent defering traps.
Creating BcmEmtaCommandTable
Creating BcmEmtaEndptCommandTable
If you pressed the 's' key before this point, we will skip driver initialization...
AVS Thread Constructor....
AVS Thread InitAVS: Bootloader AVS data was retrieved successfully.
disabled = 0 rmon ratio = 1051 sigma = 344 dac change = 129 flash margin = 150 adc_margin = 150 dac_margin = -449 madcperdac = 302 marginOffset = 65534 deviceMap = 0x8171c7f8 K = 1.051, L = 2.04, BG_Code = 5
Creating TR-069 Thread...
Creating DOCSIS Control Thread...
I wanted to read memory but I got this:
Address is less than 0x80000000. Ignoring.
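The three "Program Header" blocks the bootloader prints above share one fixed layout (each is read as 0x5c = 92 bytes from NAND). The parser below is an added example, not code from this thread or from Technicolor/Broadcom: it unpacks such a header into the printed fields and runs the sanity checks a bootloader-style validator would apply (signature a825, load address inside RAM at or above 0x80000000, image fits in its partition from the map above). The exact 92-byte big-endian field layout, the "header plus payload must fit" rule and the sample header bytes are assumptions constructed from the printed values; the HCS and CRC algorithms are not stated on the page, so those fields are carried through but not recomputed.

```python
"""Parse and sanity-check ProgramStore-style image headers as printed by the
TC7200 bootloader.  Added example; the 92-byte big-endian layout is an
assumption reconstructed from the printed field order and the 0x5c-byte
NAND reads in the boot log."""
import struct
from datetime import datetime, timezone

PS_SIGNATURE = 0xA825      # "Signature: a825" in the boot log
RAM_BASE = 0x80000000      # bootloader ignores addresses below this

# Assumed layout (92 bytes, big-endian): signature, control, major, minor
# (u16 each); build time, file length, load address (u32 each); filename
# (48 bytes); 8 pad bytes; two u32 fields the bootloader does not print;
# HCS (u16); reserved (u16); CRC (u32).
PS_HEADER_FMT = ">HHHHIII48s8xIIHHI"
PS_HEADER_LEN = struct.calcsize(PS_HEADER_FMT)   # 92 == 0x5c

# Flash partition map from the thread: name -> (size, offset)
PARTITIONS = {
    "image1": (0x006C0000, 0x01AC0000),
    "image2": (0x006C0000, 0x02180000),
    "linux":  (0x00480000, 0x02840000),
}


def parse_ps_header(raw):
    """Unpack one header into a dict; raises ValueError if too short."""
    if len(raw) < PS_HEADER_LEN:
        raise ValueError("header too short: %d bytes" % len(raw))
    (sig, ctrl, major, minor, btime, length, load, fname,
     _c1, _c2, hcs, _res, crc) = struct.unpack(PS_HEADER_FMT, raw[:PS_HEADER_LEN])
    return {
        "signature": sig, "control": ctrl, "major": major, "minor": minor,
        "build_time": datetime.fromtimestamp(btime, tz=timezone.utc),
        "length": length, "load_addr": load,
        "filename": fname.split(b"\0", 1)[0].decode("ascii", "replace"),
        "hcs": hcs, "crc": crc,
    }


def check_header(hdr, partition):
    """Return the problems a bootloader-style validator would flag."""
    problems = []
    if hdr["signature"] != PS_SIGNATURE:
        problems.append("bad signature 0x%04x" % hdr["signature"])
    if hdr["load_addr"] < RAM_BASE:
        problems.append("load address 0x%08x below RAM base" % hdr["load_addr"])
    size, _offset = PARTITIONS[partition]
    if PS_HEADER_LEN + hdr["length"] > size:   # assumed fit rule
        problems.append("image does not fit in %s" % partition)
    return problems


def build_ps_header(**f):
    """Pack a constructed header in the same assumed layout (for samples)."""
    return struct.pack(PS_HEADER_FMT, f["signature"], f["control"], f["major"],
                       f["minor"], f["build_time"], f["length"], f["load_addr"],
                       f["filename"].encode().ljust(48, b"\0"), 0, 0,
                       f["hcs"], 0, f["crc"])


# Constructed sample: the values the bootloader printed for image 1
IMAGE1_HEADER = build_ps_header(
    signature=0xA825, control=0x0005, major=0x0100, minor=0x01FF,
    build_time=int(datetime(2013, 3, 29, 7, 53, 59,
                            tzinfo=timezone.utc).timestamp()),
    length=4839099, load_addr=0x80004000,
    filename="TC7200U-D6.01.12-130329-F-1C1.bin", hcs=0x7F47, crc=0xFB7111D8)

if __name__ == "__main__":
    h = parse_ps_header(IMAGE1_HEADER)
    print(h["filename"], h["build_time"], hex(h["load_addr"]),
          check_header(h, "image1") or "OK")
```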
Comments
Hi,
Is it possible to download the firmware this way?
It would be interesting if there are hidden web pages.
Unfortunately it's impossible to download the firmware.
Some thoughts:
a) Maybe it is possible to get the firmware by another trick.
1) Set up a DHCP server that gives the TC7200 an IP + TFTP server.
2) Log on the TFTP server which file is requested.
3) Try to fetch this file from the official server.
b) If this modem runs Linux I think the provider has to provide the source code.
My interest in the firmware is to see if there are open ports and/or hidden web pages.
http://192.168.0.1/system/switch-mode.asp to switch modes (i.e. to enable bridge mode as per the post above).
Basically it turns the UPC box into a modem, leaving your router to do all the internet stuff. That means things like port forwarding and WiFi get handled by your router and not the horribly **** UPC box.
Note that after you do it you still have to turn off WiFi on the UPC box.
I meant I don't have a switch mode page. That just brings me into the normal config.
I've mine re-routed to my old WiFi router. But it's not in bridge mode.
Hey Someeone21,
Thank you for your great post.
If you want to back up the firmware, build an SPI interface (it's a direct connection to the flash chip pins via soldering).
Search on eBay for a USB SPI programmer.
I got a cheap one from China for 1,00 €. Works great.
If you need help, don't hesitate to contact me!
Kind Regards
MaCXyLo
I've just started digging in the TC 7200 crapware my cable company gave me and stumbled across another thread where there is a mention of a second TTL connector below the cooler. One might be able to solder onto that from the back, which is what my soldering iron will try in a few seconds.
Will report back with any findings.
Success, output on the second SERIAL header:
hxxp://pastebin.com/E9MtQpb9
I guess this serial is a dead end, I can't get past the login prompt.
admin:admin seems to be the correct credentials but the shell is immediately closed again after a successful login:
starting pid 271, tty '': '/bin/cttyhack /bin/login'
(none) login: admin
Password:
Jan 1 00:00:39 login[271]: root login on 'ttyS0'
process '/bin/cttyhack /bin/login' (pid 271) exited. Scheduling for restart.
I am really mad at my cable company since I cannot redirect ports or enable bridge mode, and I have already sent two emails and I seem not worth a reply, so I am too looking at the modem.
Hope we can find a valid login for the shell!
@Cronix: Yup, I tried it a few days ago and noticed it.
Anyone know where to find a firmware update for the modem?
BR
I guess the only route we can go from here is reading out the SPI flash and the NAND using dedicated hardware flash dumpers. Which is exactly what I am going to try to achieve next.
I already did that, I just don't want to post too many details so they don't change the schemes.
SPI flash is NVM, and NAND contains various fw, but I still need to figure out the FS (found two UBI partitions already).
As I said, we need a valid login to the system.
BR
Hey guys, nice to see someone is doing something useful with this TC7200 crap.
I'd like to join your research, though I don't think I can open my device and connect to the serial port.
I'm very interested in getting the firmware file (maybe a dumped one).
I want to know if there are hidden services running, ports open and stuff like that, maybe it's possible to pwn the device and set up OpenSSH, find a way to download the original firmware from some server or other fun stuff ^^
So if someone has a dump or sth, pls let me analyze it ^^
greets tihm
Hi,
You guys rock! I love to see that some people are trying to get "inside" this awful TC7200 ****.
With this information here I will try to get some things out of this crap too.
Besides: the vendor does not have any source code public, does it?
It's not a secret that Linux is running on that thing, maybe we can carry some information to
"h**p://gpl-violations.org/" to force the vendor to pull out the source?
cYrAx
The super-box is running a linux core with busybox.
It is basically enabling and disabling stuff based on the config file it gets.
There are three kernels that can be booted:
1-latest revision
2-factory revision (.11)
3-minimum kernel
The last two behave in a different way regarding the latest.
To extract the firmware, dump the nand and use same method as sb5200.
There should be four or five files in your dump (rootfs+kernels)
You should be able to identify them easily.
If anyone is into looking at the fw (for other than looking for strings) let me know.
Today, I wrote an email to my cable provider (KabelBW in Germany, member of Liberty Global, like UPC), and to Technicolor.
I'd like to know where to get the sources.
Now let's see... :-)
Would someone be so kind as to provide me with a dump?
I'd like to take a look at it, but I'm afraid to break the box with my two left hands.
Nice to hear there is a successful dump.
Could you pls send me your dump? (maybe via private message?)
I'd love to take a look at the firmware and the kernel with my disassembler and to find out how to connect to the telnet server which is running on the box :O (why the heck is there a telnet server running???????)
Also I'd like to know whether you can enable features yourself, by restoring a modded config file. I captured multiple configurations (stock / a weird one which is different from the others / latest currently running config on my device).
I could try dumping that stuff myself, but that would require me to buy an additional box, as I'm not allowed by my ISP to open "their" device.
From what I got, the ISP (and others) have way too much control of this device, I don't like that!
I insist, we need a configuration file to see how the thing works, as things are enabled or disabled based on it.
BR
You can telnet into it on 192.168.100.1 with webstar as both the password and username, and then do a dump of its config with show tech_support which gives you loads of interesting stuff..
a.pomf.se/rvzpjd.png
Oh, and you can read from the memory too with system/diag readmem
However, I'd like to see a classic shell on this thing instead of that Broadcom one.
Also, I tried to download the ISP's firmware directly from their TFTP server, but it would seem they only allow connections to it from the modem's CM IP.
Small tip: TC7200U-D6.0.1.27-131031-F-1C1.bin
Another gift, some "strings" stored in the kernel:
admin [at]m3r!c[at]m0v!L
admin Technicolor
Technicolor Technicolor
broadcom broadcom
TechnicolorAP 123456
Broadcom Broadcom
THOMPSON THOMPSON
gzcatvadmin [at]m3r!c[at]m0v!L
upccsr euskaltel
Can you guess what they are?
PS: I had to change the @ for [at] because the forum script thinks it's a URL, and I am a new user and am not allowed to post URLs.
Do you have a cable sniffer?
Also, could you guys telnet into the modem, do show tech_support and send me the whole thing? I want to do a diff on what's different.
If you use Windows, use "telnet -f log.txt 192.168.100.1"
If you use a Unix-like operating system, then use "telnet 192.168.100.1 | tee -a -i log.txt"
Then upload it somewhere (I use pomf.se), and send me a PM.
Thanks.