UPC Technicolor TC7200 - serial console
12-02-2014 10:08pm
Hi!
I found a picture [attached file] of the Technicolor TC7200 and I thought that this white 4-pin connector is a serial console.
I tried to connect to it and I succeeded.
The pinout is:
 ___________________
|  *    *    *    * |
 ------   --------
  3.3v  GND   TX   RX
Speed: 115200
I figured out that this router has two firmware images and some third image; maybe it's something like a base system.
I think that the first is a backup image, while the second one is the latest firmware version.
On my device image 1 is TC7200U-D6.01.12-130329-F-1C1.bin and image 2 is TC7200U-D6.01.27-131031-F-1C1.bin.
When the router is booting there is a possibility to choose image 1, 2 or "p".
P-option gives this menu:
Board IP Address [0.0.0.0]:
Board IP Mask [255.255.255.0]:
Board IP Gateway [0.0.0.0]:
Board MAC Address [00:10:18:ff:ff:ff]:
Internal/External phy? (e/i/a)[a]
Switch detected: 53125
ProbePhy: Found PHY 0, MDIO on MAC 0, data on MAC 0
Using GMAC0, phy 0
Enet link up: 1G full
Main Menu:
==========
  b) Boot from flash
  c) Check DRAM
  g) Download and run from RAM
  d) Download and save to flash
  e) Erase flash sector
  m) Set mode
  s) Store bootloader parameters to flash
  i) Re-init ethernet
  r) Read memory
  w) Write memory
  j) Jump to arbitrary address
  p) Print flash partition map
  E) Erase flash region/partition
  X) Erase all of flash except the bootloader
  z) Reset
In Set mode you can make it always boot from the first image by setting the mode to 8027:
Mode Configuration Bits
=======================
0x8000 Boot
0x4000 Load-N-Go
0x0004 Boot image 1
0x0002 Verify image CRC
0x0001 Prompt Phy Selection
-------------
0x0000 Default PHY
0x0100 Internal EPHY
0x0200 External EPHY
Enter hex value of desired features MODE=8023:
Enter new value: 8023
Updating MODE: 8023
If someone has got a firmware file, it could be an opportunity to unlock all functions on this router, because via the serial console you can download firmware to the router by TFTP (options d and g).
I set my router to boot to STD6.01.12 and I tried to set bridge mode (as written here) but it didn't work - the router reboots and after that I still get a private IP address. Maybe someone could give me a tip?
Below I post some information I took:
Flash Partition information:
Name          Size        Offset
=====================================
bootloader    0x00010000  0x00000000
image1        0x006c0000  0x01ac0000
image2        0x006c0000  0x02180000
linux         0x00480000  0x02840000
linuxapps     0x019c0000  0x00100000
permnv        0x00010000  0x00010000
dhtml         0x00240000  0x03ec0000
dynnv         0x00020000  0x000e0000
linuxkfs      0x01200000  0x02cc0000
BCM3383A2 Sync: 0
MemSize: 128 M
Chip ID: BCM3383Z-B0
BootLoader Version: 2.4.0alpha18p1 Pre-release Gnu spiboot dual-flash reduced DDR drive linux
Build Date: Aug 14 2012
Build Time: 09:48:58
SPI flash ID 0xc22014, size 1MB, block size 64KB, write buffer 256, flags 0x0
NAND flash: Device size 64 MB, Block size 16 KB, Page size 512 B
Cust key size 128
parameter offset is 43872
Signature/PID: a825
Reading flash map at ff30, size 192
Successfully restored flash map from SPI flash!
NandFlashRead: Reading offset 0x19c0000, length 0x5c
Image 1 Program Header:
   Signature: a825
     Control: 0005
   Major Rev: 0100
   Minor Rev: 01ff
  Build Time: 2013/3/29 07:53:59 Z
 File Length: 4839099 bytes
Load Address: 80004000
    Filename: TC7200U-D6.01.12-130329-F-1C1.bin
         HCS: 7f47
         CRC: fb7111d8
Found image 1 at offset 1ac0000
NandFlashRead: Reading offset 0x2080000, length 0x5c
Image 2 Program Header:
   Signature: a825
     Control: 0005
   Major Rev: 0100
   Minor Rev: 01ff
  Build Time: 2013/10/31 09:45:22 Z
 File Length: 5298465 bytes
Load Address: 80004000
    Filename: TC7200U-D6.01.27-131031-F-1C1.bin
         HCS: 0046
         CRC: 87e2a6ee
Found image 2 at offset 2180000
NandFlashRead: Reading offset 0x2740000, length 0x5c
Image 3 Program Header:
   Signature: a825
     Control: 0005
   Major Rev: 0100
   Minor Rev: 01ff
  Build Time: 2012/11/28 07:33:42 Z
 File Length: 1507236 bytes
Load Address: 84010000
    Filename: LNXD6.01.08-kernel-121128.bin
         HCS: a8ef
         CRC: fad26589
Found image 3 at offset 2840000
Enter '1', '2', or 'p' within 2 seconds or take default... . .
NandFlashRead: Reading offset 0x2740000, length 0x200
NandFlashRead: Reading offset 0x2740200, length 0x16fe00
Performing CRC on Image 3...
CRC time = 33081974
Detected LZMA compressed image... decompressing...
Target Address: 0x84010000
decompressSpace is 0x8000000
Elapsed time 1694014890
Decompressed length: 7107662
Done
Copying Root File System...
NandFlashRead: Reading offset 0x2080000, length 0x200 NandFlashRead: Reading offset 0x2080200, length 0x50d77d Performing CRC on Image 2... CRC time = 152229967 Detected LZMA compressed image... decompressing... Target Address: 0x80004000 decompressSpace is 0x8000000 Elapsed time 110742320 Decompressed length: 23970120 Copying partition table to 0x83fffc04 180 Copying partition table to 0x80000904 180 Executing Image 2... eCos - hal_diag_init Init device '/dev/BrcmTelnetIoDriver' Init device '/dev/ttydiag' Init tty channel: 816dfbb8 Init device '/dev/tty0' Init tty channel: 816dfbd8 Init device '/dev/haldiag' HAL/diag SERIAL init Init device '/dev/ser0' BCM 33XX SERIAL init - dev: 0.2 Set output buffer - buf: 0x81832c68 len: 4096 Set input buffer - buf: 0x81833c68 len: 4096 BCM 33XX SERIAL config “nit device '/dev/ser1' BCM 33XX SERIAL init - dev: 0.3 Set output buffer - buf: 0x81834c68 len: 4096 Set input buffer - buf: 0x81835c68 len: 4096 BCM 33XX SERIAL config InitBoard: MIPS frequency 637200000 Function: SetHardcodeVendorProfile [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers: (BFC Target) Configuring/Loading Flash driver... [00:00:00 01/01/1970] [tStartup] BcmSpiFlashDevice::DetectFlash: (SPI Flash Device Factory) WARNING - Detected SPI flash with JEDEC ID =0xc22014 Waited 12 iterations after device ID read NAND flash: Device size 64 MB, Block size 16 KB, Page size 512 B [00:00:00 01/01/1970] [tStartup] BcmNandFlashDevice::DetectNandFlash: (NAND Flash Device Factory) WARNING - Detected NAND flash with JEDEC ID =0x20762076 Found bootloader flash map at 0x80000904. [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions: (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1... [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions: (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1... 
[00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions: (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1... [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions: (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1... [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions: (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1... [00:00:00 01/01/1970] [tStartup] FlashDeviceDriver::SpiFlashPlaceRegions: (Flash Driver C API) WARNING - Partition falls out of range of device 0. Placing in device 1... [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers: (BFC Target) Loading BootloaderStore driver... [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers: (BFC Target) Loading ProgramStore driver... ProgramStoreDeviceDriver::ProgramStoreDriverInit: INFO - Initializing... [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers: (BFC Target) Loading NonVol driver... [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers: (BFC Target) Storage drivers initialized successfully. [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions: (BFC Target) Creating singletons for ProgramStore/BootloaderStore/NonVol devices... Detecting the next image number that we will store to by default... Bootloader indicates we are running image 2 By default, we will dload to image number 1! By default, we will dload to block number 0! [00:00:00 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions: (BFC Target) Device abstraction singletons created successfully. [Askey Debug]: No VP-24, use the default valus ThomWiFi80211NonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! 
CmSnmpNonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! ThomWiFi80211NonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! CmSnmpNonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! ThomWiFi80211NonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! CmSnmpNonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! ThomWiFi80211NonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! CmSnmpNonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! [00:00:00 01/01/1970] [tStartup] BcmCmBpiNonVolSettings::BcmCmBpiNonVolSettings: (Euro-Docsis CM BPI NonVol Settings) WARNING - Singleton pointer is not NULL! There are multiple instances! Leaving the singleton pointer alone... ThomWiFi80211NonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! ThomWiFi80211NonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! ThomWiFi80211NonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! ThomWiFi80211NonVolSettings::GetSingletonInstance: WARNING - the singleton instance is NULL, and someone is accessing it! BcmPcpClientServiceAppIf::GetSingletonInstance: WARNING - the singleton is NULL, and someone is accessing it! mtaNvCalcChecksum: checksum= 1273036263 Reading Permanent settings from non-vol... 
Checksum for permanent settings: 0xc3b78a85 Setting downstream calibration signature to '' [00:00:00 01/01/1970] [tStartup] BcmDocsisCmDownstreamCalibrationNonVolSettings::ReadFromImpl: (DOCSIS CM Downstream Calibration NonVol Settings) WARNING - Read older version of the settings (2.0); they have been upgraded to version 2.1, preserving original settings. [00:00:00 01/01/1970] [tStartup] ThomWiFi80211NonVolSettings::ReadFromImpl: (Thomson WiFi 802.11 NonVol Settings) WARNING - Read older version of the settings (0.2); they have been upgraded to version 0.3, preserving original settings. [00:00:00 01/01/1970] [tStartChipHalSelectPinMux: Setting pin mux sel 10, word 0, value 5 up]ChipHalSelectPinMux: Setting pin mux sel 6, word 0, value 5 BcmEmtaSipNonVolSettings::ReadFromImpl: (EMTA Config NonVol Settings) ERROR - Read unsupported version (less than 1.0)! These settings are not valid! [00:00:00 01/01/1970] [tStartup] BcmEmtaSipNonVolSettings::ReadFrom: (EMTA Config NonVol Settings) ERROR - EMTA Config NonVol Settings failed to read all of its settings from the buffer! [00:00:00 01/01/1970] [tStartup] BcmBfcAppCompositeNonVolSettings::ReadFrom: ERROR - A contained Settings object failed to parse the Group settings! [00:00:00 01/01/1970] [tStartup] BcmBfcTr69NonVolSettings::IsDefault: (TR69 NonVol Settings) Permanent settings are default! [00:00:00 01/01/1970] [tStartup] BcmEmtaSipNonVolSettings::IsDefault: (EMTA Config NonVol Settings) Permanent settings are default! * * * One or more of the settings groups was missing, possibly as a result of a code upgrade. * * * * * One or more of the settings groups was upgraded. * * Settings were read and verified. Reading Dynamic settings from non-vol... Checksum for dynamic settings: 0x93f550b0 Settings were read and verified. [Askey Debug]: UPC NonVol IsUpgraded=0, Native version=6, Previous=0 [Askey Debug]: No need to rework UPC NonVol country/language code. 
[00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Setting FPM Buffer size to: 256 Base Address: 0x836f6900 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: fFpmLargestBufferSize: 2048 fFpmSizeShiftBits: 0x8 [00:00:00 01/01/1970] [tStartup] ChipHalSelectPinMux: Setting pin mux sel 6, word 0, value 5 BcmBfcFpmDriver::Init: Pool index: 0 pool size: 2048 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Pool index: 1 pool size: 1024 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Pool index: 2 pool size: 512 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Pool index: 3 pool size: 256 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Lookup table index: 0 pool size: 3 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Lookup table index: 1 pool size: 2 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Lookup table index: 2 pool size: 1 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Lookup table index: 3 pool size: 1 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Lookup table index: 4 pool size: 0 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Lookup table index: 5 pool size: 0 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Lookup table index: 6 pool size: 0 [00:00:00 01/01/1970] [tStartup] BcmBfcFpmDriver::Init: Lookup table index: 7 pool size: 0 ------------------------------------ Free Pool Manager Configuration ------------------------------------ Buffer size in Bytes............... 256 Number of Tokens................... 32768 Tokens used in 256 byte pool....... 32 Tokens used in 512 byte pool....... 32 Tokens used in 1024 byte pool...... 32 Tokens used in 2048 byte pool...... 33 Base Address of FPM Memory ........ 0xb2200200 Base Address of FPM Mem in DDR2.... 0x836f6900 Total Configured FPM Memory Size... 8388608 Free Fifo Full..................... 0 Free Fifo Empty.................... 1 Alloc Fifo Full.................... 1 Alloc Fifo Empty................... 
0 Number of tokens available......... 32768 Number of not valid token frees.... 0 Number of not valid token multi.... 0 Overflow Count..................... 0 Underflow Count.................... 0 [00:00:00 01/01/1970] [tStartup] BcmBfcPacketAlloc::Init: Packet Alloc Header Buffer Start Addr: 0x83016860 Length: 0x6e0000 Max Buffer Size: 0xdc PCI Core Init! instance = 0, pCoreRegs = b2800000 PCI Core PowerUp! instance = 0. PCI ENUMERATE**************************************************************************** Checking bus #1 Checking device #0 In pcieEnumerateDevices(0) found a card: deviceNo = 0, funcNo = 0, busNo = 1, pcieAddr = 00000000 In pcieEnumerateDevices: vendor = 000014e4, device = 00004359 PCIELIB: Setting PCIE clk request mode to 1 for active power savings. PCIELIB: Found Capability ID = 16 PCIELIB: ClkReq power mode set to 1. END PCIE ENUMERATE************************************************************************ PCI Core Init! instance = 1, pCoreRegs = b2a00000 PCI Core PowerUp! instance = 1. PCI Core Init Instance (1): No Link Status Found! Skipping enumeration. PCI Core Power Down. Instance = 1! Creating a new host MSG PROC DQM manager. Instance: 83f543e8, DQM_REGS = b8601800, CTRL_REGS = b8601000 Initializing main MSG_PROC DQM interrupts. b8601000: 00000000 b8601004: 00000000 b8601008: 00000008 b860100c: 00000000 b8601010: 00000000 b8601014: 00000000 b8601018: 00000000 b860101c: 00000000 Creating a new host FAP DQM manager. Instance: 83f58d64 Initializing main FAP DQM interrupts. b8401000: 00000000 b8401004: 00000000 b8401008: 00000008 b840100c: 00000000 b8401010: 00000000 b8401014: 00000000 b8401018: 00000000 b840101c: 00000000 >>> ITC Initialized!!! <<< Booting Linux... NandFlashRead: Detected out-of-order block @offset 0x28b0000, tagged offset 0xffffff00, expected offset 0x170000 NandFlashRead: Failed to find replacement block! Found bootloader flash map at 0x80000904. 
Linux Boot Args: console=ttyS0,115200 partoffset=0x029b0000 partsize=0x00000000 fptaddr=0x83fffe00 ubi.mtd=linuxkfs ubi.mtd=linuxapps root=ubi0:rootfs ro noinitrd rootfstype=ubifs mem=66060288@67108864 mem=0@0
BootLinux: stopping the intermediate AVS code...
BootLinux: intermediate AVS code stopped via HandShakeMsg = 00000000
delay
BcmNasServiceAppIf::GetSingletonInstance: WARNING - the singleton is NULL, and someone is accessing it!
BcmMscServiceAppIf::GetSingletonInstance: WARNING - the singleton is NULL, and someone is accessing it!
[00:00:02 01/01/1970] [Telnet Thread] BcmTelnetThread::ThreadMain: (Telnet Thread) Telnet server thread running...
Creating SNMP agent cablemodem agent
cablemodem agent disabling management.
cablemodem agent defering traps.
Creating BcmEmtaCommandTable
Creating BcmEmtaEndptCommandTable
If you pressed the 's' key before this point, we will skip driver initialization...
AVS Thread Constructor....
AVS Thread InitAVS: Bootloader AVS data was retrieved successfully.
disabled = 0 rmon ratio = 1051 sigma = 344 dac change = 129 flash margin = 150 adc_margin = 150 dac_margin = -449 madcperdac = 302 marginOffset = 65534 deviceMap = 0x8171c7f8 K = 1.051, L = 2.04, BG_Code = 5
Creating TR-069 Thread...
Creating DOCSIS Control Thread...
I wanted to read memory but I got this:
Address is less than 0x80000000. Ignoring.
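A sanity check on the partition map and the MODE word printed above, written for this thread as an added example (it is not the poster's code and not Broadcom's). The map entries, the two device sizes and the mode-bit table are the values quoted on this page. One rule is an assumption: that the map is a single flat address space with the 1 MB SPI flash (device 0) first and the 64 MB NAND (device 1) directly behind it, so a partition that does not fit in device 0 lives in device 1 at (offset - 1 MB). That assumption reproduces the boot log: image1 at map offset 0x1ac0000 is read with "NandFlashRead: Reading offset 0x19c0000", and exactly six partitions trigger the "Partition falls out of range of device 0. Placing in device 1" warning.

```python
"""Check the TC7200 bootloader flash partition map for overlaps and gaps,
compute where each partition lands on the two flash devices, and decode the
bootloader MODE word.  Added example; the SPI-then-NAND flat-map rule is an
assumption verified against the NandFlashRead offsets in the boot log."""

# (name, size, offset) exactly as printed by the bootloader's "p" menu
FLASH_MAP = [
    ("bootloader", 0x00010000, 0x00000000),
    ("image1",     0x006c0000, 0x01ac0000),
    ("image2",     0x006c0000, 0x02180000),
    ("linux",      0x00480000, 0x02840000),
    ("linuxapps",  0x019c0000, 0x00100000),
    ("permnv",     0x00010000, 0x00010000),
    ("dhtml",      0x00240000, 0x03ec0000),
    ("dynnv",      0x00020000, 0x000e0000),
    ("linuxkfs",   0x01200000, 0x02cc0000),
]
SPI_SIZE = 1 << 20     # "SPI flash ... size 1MB"          (device 0)
NAND_SIZE = 64 << 20   # "NAND flash: Device size 64 MB"   (device 1)


def place_partitions(flash_map, spi_size=SPI_SIZE, nand_size=NAND_SIZE):
    """Map each partition to (device, offset-within-device).

    Device 0 if the whole range fits in the SPI part, otherwise device 1 with
    the SPI size subtracted (the assumption stated above).  A range that
    straddles the boundary or runs past the end of the NAND is an error."""
    placed = {}
    for name, size, off in flash_map:
        end = off + size
        if end <= spi_size:
            placed[name] = (0, off)
        elif off >= spi_size and end <= spi_size + nand_size:
            placed[name] = (1, off - spi_size)
        else:
            raise ValueError(f"{name}: [{off:#x}, {end:#x}) fits in neither device")
    return placed


def find_overlaps(flash_map):
    """Pairs of partitions whose ranges overlap (a sane map has none)."""
    ranges = sorted((off, off + size, name) for name, size, off in flash_map)
    return [(a[2], b[2]) for a, b in zip(ranges, ranges[1:]) if b[0] < a[1]]


def unused_ranges(flash_map, total=SPI_SIZE + NAND_SIZE):
    """Half-open [start, end) gaps that no partition accounts for."""
    gaps, cursor = [], 0
    for start, end in sorted((off, off + size) for _, size, off in flash_map):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < total:
        gaps.append((cursor, total))
    return gaps


# "Mode Configuration Bits" as listed by the bootloader's Set mode screen
MODE_BITS = {0x8000: "Boot", 0x4000: "Load-N-Go", 0x0004: "Boot image 1",
             0x0002: "Verify image CRC", 0x0001: "Prompt Phy Selection"}
PHY_SELECT = {0x0000: "Default PHY", 0x0100: "Internal EPHY", 0x0200: "External EPHY"}
KNOWN_MASK = 0x8000 | 0x4000 | 0x0004 | 0x0002 | 0x0001 | 0x0300


def decode_mode(mode):
    """Split a MODE word into named flags, the PHY selection and any bits the
    menu does not document (the stock value 8023 carries one such bit, 0x0020)."""
    return {
        "flags": [name for bit, name in MODE_BITS.items() if mode & bit],
        "phy": PHY_SELECT.get(mode & 0x0300, "unknown"),
        "undocumented": mode & ~KNOWN_MASK & 0xFFFF,
    }


def boot_image1_mode(mode):
    """MODE value that always boots image 1, i.e. what the post above does (8023 -> 8027)."""
    return mode | 0x0004


if __name__ == "__main__":
    for name, (dev, off) in place_partitions(FLASH_MAP).items():
        print(f"{name:<11} device {dev} offset {off:#010x}")
    print("overlaps:", find_overlaps(FLASH_MAP))
    print("gaps:", [(f"{s:#x}", f"{e:#x}") for s, e in unused_ranges(FLASH_MAP)])
    print("MODE 8023:", decode_mode(0x8023), "-> always image 1:", f"{boot_image1_mode(0x8023):04x}")
```

Running it shows the NAND region as fully contiguous (linuxapps, image1, image2, linux, linuxkfs, dhtml back to back) with the only gap in the SPI part between permnv and dynnv, which is worth knowing before dumping either chip: a dump of the NAND alone is missing the SPI-resident bootloader and NVM partitions.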
Hi,
Is it possible to download the firmware this way?
It would be interesting if there are hidden web pages.
Unfortunately it's impossible to download the firmware.
Some thoughts:
a) Maybe it is possible to get the firmware by another trick.
1) Set up a DHCP server that gives the TC7200 an IP + TFTP server.
2) Log on the TFTP server which file is requested.
3) Try to fetch this file from the official server.
b) If this modem runs Linux, I think the provider has to provide the source code.
My interest in the firmware is to see if there are open ports and/or hidden web pages.
http://192.168.0.1/system/switch-mode.asp to switch modes. (i.e. to enable bridge mode as per the post above)
Basically it turns the UPC box into a modem, leaving your router to do all the internet stuff. That means things like port forwarding and wifi get handled by your router and not the horribly **** UPC box.
Note: after you do it you still have to turn off wifi on the UPC box.
I meant I don't have a switch mode page. That just brings me into the normal config.
I've mine re-routed to my old WiFi router. But it's not in bridge mode.
Hey Someeone21,
Thank you for your great post.
If you want to back up the firmware, build an SPI interface. (It's a direct connection to the flash chip pins via soldering.)
Search on eBay for a USB SPI programmer.
I got a cheap one from China for 1,00 €. Works great.
If you need help, don't hesitate to contact me!
Kind Regards
MaCXyLo
I've just started digging into the TC7200 crapware my cable company gave me and stumbled across another thread where there is a mention of a second TTL connector below the cooler; one might be able to solder onto that from the back, which is what my soldering iron will try in a few seconds.
Will report back with any findings.
Success, output on the second SERIAL header:
hxxp://pastebin.com/E9MtQpb9
I guess this serial is a dead end; I can't get past the login prompt.
admin:admin seems to be the correct credentials, but the shell is immediately closed again after a successful login:
starting pid 271, tty '': '/bin/cttyhack /bin/login'
(none) login: admin
Password:
Jan 1 00:00:39 login[271]: root login on 'ttyS0'
process '/bin/cttyhack /bin/login' (pid 271) exited. Scheduling for restart.
I am really mad at my cable company since I cannot redirect ports or enable bridge mode, and I have already sent two emails and I don't seem to be worth a reply, so I am looking at the modem too.
Hope we can find a valid login for the shell!
@Cronix: Yup, I tried it a few days ago and noticed it.
Does anyone know where to find a firmware update for the modem?
BR
I guess the only route we can go from here is reading out the SPI flash and the NAND using dedicated hardware flash dumpers. Which is exactly what I am going to try to achieve next.
I already did that, I just don't want to post too many details so they don't change the schemes.
SPI flash is NVM, and NAND contains various fw, but I still need to figure out the FS (found two UBI partitions already).
As I said, we need a valid login to the system.
BR
Hey guys, nice to see someone is doing something useful with this TC7200 crap.
I'd like to join your research, though I don't think I can open my device and connect to the serial port.
I'm very interested in getting the firmware file (maybe a dumped one).
I want to know if there are hidden services running, ports open and stuff like that; maybe it's possible to pwn the device and set up OpenSSH, find a way to download the original firmware from some server or other fun stuff ^^
So if someone has a dump or something, please let me analyze it ^^
greets tihm
Hi,
You guys rock! I love to see that some people are trying to get "inside" this awful TC7200 ****.
With this information here I will try to get some things out of this crap too.
Besides: the vendor does not have any source code public, does it?
It's not a secret that Linux is running on that thing; maybe we can carry some information to
"h**p://gpl-violations.org/" to force the vendor to pull out the source?
cYrAx
The super-box is running a Linux core with BusyBox.
It is basically enabling and disabling stuff based on the config file it gets.
There are three kernels that can be booted:
1 - latest revision
2 - factory revision (.11)
3 - minimum kernel
The last two behave differently from the latest.
To extract the firmware, dump the NAND and use the same method as for the SB5200.
There should be four or five files in your dump (rootfs + kernels).
You should be able to identify them easily.
If anyone is into looking at the fw (for other than looking for strings) let me know.
Today, I wrote an email to my cable provider (KabelBW in Germany, member of Liberty Global, like UPC), and to Technicolor.
I'd like to know where to get the sources.
Now let's see... :-)
Would someone be so kind as to provide me with a dump?
I'd like to take a look at it, but I'm afraid to break the box with my two left hands.
Nice to hear there is a successful dump.
Could you please send me your dump? (maybe via private message?)
I'd love to take a look at the firmware and the kernel with my disassembler and to find out how to connect to the telnet server which is running on the box :O (why the heck is there a telnet server running???????)
Also I'd like to know whether you can enable features yourself, by restoring a modded config file. I captured multiple configurations (stock / a weird one which is different from the others / the latest currently running config on my device).
I could try dumping that stuff myself, but that would require me to buy an additional box, as I'm not allowed by my ISP to open "their" device.
From what I got, the ISP (and others) have way too much control of this device; I don't like that!
I insist, we need a configuration file to see how the thing works, as things are enabled or disabled based on it.
BR
You can telnet into it on 192.168.100.1 with webstar both as the password and username, and then do a dump of its config with show tech_support which gives you loads of interesting stuff.
a.pomf.se/rvzpjd.png
Oh, and you can read from the memory too with system/diag readmem
However, I'd like to see a classic shell on this thing instead of that Broadcom one.
Also, I tried to download the ISP's firmware directly from their TFTP server, but it'd seem they only allow connections to it from the modem's CM IP.
Small tip: TC7200U-D6.0.1.27-131031-F-1C1.bin
Another gift, some "strings" stored in the kernel:
admin [at]m3r!c[at]m0v!L
admin Technicolor
Technicolor Technicolor
broadcom broadcom
TechnicolorAP 123456
Broadcom Broadcom
THOMPSON THOMPSON
gzcatvadmin [at]m3r!c[at]m0v!L
upccsr euskaltel
Can you guess what they are?
PS: had to change the @ for [at] because the forum script thinks it's a URL, and I am a new user and am not allowed to post URLs.
Do you have a cable sniffer?
Also, could you guys telnet into the modem, do show tech_support and send me the whole thing? I want to do a diff on what's different.
If you use Windows, use telnet "192.168.100.1 -f log.txt"
If you use a Unix-like operating system, then use "telnet 192.168.100.1 | tee -a -i log.txt"
Then upload it somewhere (I use pomf.se), and send me a PM.
Thanks.
Please be EXTREMELY careful while using this modem. My cat somehow managed to open the device. To fix it, I read I should connect a serial cable. I just bought "USB zu TTL-Konverter-Modul mit eingebautem in CP2102"; that should do it.
For KabelBW in Germany I was also unable to log in via telnet; I always got "invalid password". Maybe I can get some information from the KabelBW firmware (I was not able to download that - how can I get the TFTP IP from my ISP?).
@Bi0H4z4rD, @Cronix Sorry to necrobump, but would anyone in possession of the dumps care to share them with me? Can't PN anyone as I don't have enough posts yet.
necrobump. verb: (internet) To revive a long dormant forum thread by adding a new post
Had to look that one up!
I've played around with the dumps, but haven't gotten any further...
The TC7200U-D6.0.1.27-131031-F-1C1.bin is a bit of a mystery. From the bootloader serial output,
the size is reported as 5298465:
Image 2 Program Header:
   Signature: a825
     Control: 0005
   Major Rev: 0100
   Minor Rev: 01ff
  Build Time: 2013/10/31 09:45:22 Z
 File Length: 5298465 bytes
Load Address: 80004000
    Filename: TC7200U-D6.01.27-131031-F-1C1.bin
         HCS: 0046
         CRC: 87e2a6ee
the extracted size is reported as 23970120:
NandFlashRead: Reading offset 0x2080000, length 0x200
NandFlashRead: Reading offset 0x2080200, length 0x50d77d
Performing CRC on Image 2...
CRC time = 152229967
Detected LZMA compressed image... decompressing...
Target Address: 0x80004000
decompressSpace is 0x8000000
Elapsed time 110742320
Decompressed length: 23970120
but the size of my file is 16777215 (0xffffff). How exactly did you obtain that file? Also, starting from offset 0xe0d0a0 there's a block of strings which seem to be related - amongst others - to the UPC web interface...
TL;DR: The file size 16777215 is too large to be the compressed data, and too small to be the decompressed data.
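The two posts that talk about pulling the images out of a NAND dump (the "four or five files in your dump (rootfs+kernels)" advice earlier, and the size puzzle just above) both come down to the same mechanics: find the LZMA stream behind each program header, decompress it, and compare what you got against the "File Length" and "Decompressed length" the bootloader prints. The script below does that, as an added example written for this thread (it is not code from any poster, and not Broadcom's tooling). It takes only two facts from the page: the bootloader reads 0x5c header bytes per image, and the images are LZMA-compressed. The internal layout of that header is not described anywhere on the page, so the sample header is a constructed placeholder carrying only the a825 signature, and the sample partition (placeholder header, LZMA stream, 0xFF erase padding) is constructed as well.

```python
"""Carve an LZMA-alone image out of a flash-partition dump and reconcile the
lengths the bootloader reports with the bytes actually in hand.

Added example.  HEADER_LEN comes from the boot log ("length 0x5c" before each
program header); the header's field layout is not on this page, so only its
length is used.  The dictionary-size plausibility window is an assumption."""
import lzma
import struct

HEADER_LEN = 0x5C                  # program-header bytes the bootloader reads per image
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF  # LZMA-alone: size unknown, stream ends with an end marker


def parse_lzma_alone_header(buf, off):
    """Decode the 13-byte LZMA-alone header at buf[off]; None if not plausible."""
    if off + 13 > len(buf):
        return None
    props, dict_size, usize = struct.unpack_from("<BIQ", buf, off)
    if props >= 9 * 5 * 5:                       # props = (pb*5 + lp)*9 + lc
        return None
    if not 4096 <= dict_size <= (64 << 20):      # plausibility window (assumption)
        return None
    if usize != UNKNOWN_SIZE and usize > (1 << 32):
        return None
    lc, rest = props % 9, props // 9
    return {"lc": lc, "lp": rest % 5, "pb": rest // 5,
            "dict_size": dict_size, "declared_size": usize}


def find_lzma_candidates(buf):
    """Offsets whose bytes pass parse_lzma_alone_header; use it to locate the
    streams in a raw dump when the header length or alignment is unknown."""
    return [o for o in range(len(buf) - 13) if parse_lzma_alone_header(buf, o)]


def carve_image(slice_bytes, payload_off=HEADER_LEN):
    """Decompress the stream at payload_off and report every length involved.
    Bytes after the end marker (0xFF erase padding in a dump) are tolerated."""
    if parse_lzma_alone_header(slice_bytes, payload_off) is None:
        raise ValueError(f"no LZMA-alone header at offset {payload_off:#x}")
    payload = slice_bytes[payload_off:]
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    data = dec.decompress(payload)
    if not dec.eof:
        raise ValueError("slice ends before the LZMA end marker: dump is truncated")
    compressed_len = len(payload) - len(dec.unused_data)
    return {
        "slice_len": len(slice_bytes),
        "compressed_len": compressed_len,      # should equal the header's File Length
        "decompressed_len": len(data),         # should equal 'Decompressed length'
        "trailing_len": len(dec.unused_data),  # padding or the next image, not this one
        "data": data,
    }


def classify_size(n, file_length, decompressed_length, header_len=HEADER_LEN):
    """Which bootloader figure does a file of n bytes correspond to?"""
    if n in (file_length, file_length + header_len):
        return "compressed image"
    if n == decompressed_length:
        return "decompressed image"
    if file_length < n < decompressed_length:
        return "neither: between compressed and decompressed size"
    return "neither"


def build_sample_partition(payload, partition_size):
    """Constructed NAND partition: placeholder header, LZMA-alone stream, 0xFF fill."""
    header = b"\xa8\x25" + b"\x00" * (HEADER_LEN - 2)   # only the signature is real
    stream = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    body = header + stream
    if len(body) > partition_size:
        raise ValueError("payload does not fit the partition")
    return body + b"\xff" * (partition_size - len(body)), len(stream)


# constructed stand-in for a root file system image
SAMPLE_PAYLOAD = (b"constructed rootfs bytes " * 2000) + bytes(range(256)) * 64
SAMPLE_PARTITION, SAMPLE_STREAM_LEN = build_sample_partition(SAMPLE_PAYLOAD, 0x20000)

if __name__ == "__main__":
    result = carve_image(SAMPLE_PARTITION)
    print({k: v for k, v in result.items() if k != "data"})
    print("LZMA headers at:", [hex(o) for o in find_lzma_candidates(SAMPLE_PARTITION)])
    # the numbers from the post above: 16777215 matches neither reported size
    print(classify_size(16777215, 5298465, 23970120))
```

On a real dump, compressed_len is the number to hold against the header's "File Length" and decompressed_len against "Decompressed length"; a slice whose stream ends before the end marker is a truncated or bad-block-affected dump rather than a different image format, which is the first thing to rule out when a file is the wrong size.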
Hi guys,
Is it possible to get better internet speed by tweaking some parameters?
How do I do that?
Thanks..
This thread simply won't die.. Will anyone be kind enough to share the image with me?
Thanks
I'd also like to get a copy of that dump. Is that possible via PN?
The new firmware seems to be encrypted with a (to me) unknown key; can somebody have a look at it? I'll also supply a configuration dump later with a known password, if that may help you decrypt it.
To fuel the fire a little bit: apparently Technicolor has released sources for the TC72xx modems:
hxxps://github.com/tch-opensrc
I've tried both TC72XX_LxG1.0.10mp5_OpenSrc and TC72XX_LxG1.7.1mp1_OpenSrc. The repository descriptions mention the TC7210 and TC7230 only, no mention of the TC7200. I could get my TC7200 to download the image (option "g" in the bootloader), but it crashed before booting.
This happens when attempting to boot the initrd image (./build_gpl.sh 93383LxG initrd), but it also crashes when using the regular images (when building with ./build_gpl.sh 93383LxG):
TFTP Get Selected
Board TFTP Server IP Address [192.168.0.2]:
Enter filename [vmlinux_initrd_sto.bin]:
Destination: a5f00000
Destination: a5f00000
Starting TFTP of vmlinux_initrd_sto.bin from 192.168.0.2
Getting vmlinux_initrd_sto.bin using octet mode
........................................
Tftp complete
Received 1471014 bytes
Image 3 Program Header:
   Signature: 0000
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2016/3/14 14:01:31 Z
 File Length: 1470922 bytes
Load Address: 84010000
    Filename: vmlinux_initrd_sto.bin
         HCS: b293
         CRC: 61b7f94e
WARNING: Signatures do not match! This may be a bad image!
Image sig = 0000, chip sig = a825
Store parameters to flash? [n] n
NandFlashRead: Reading offset 0x2740000, length 0x5c
Image 3 Program Header:
   Signature: a825
     Control: 0005
   Major Rev: 0100
   Minor Rev: 03ff
  Build Time: 2014/2/24 14:02:37 Z
 File Length: 1507236 bytes
Load Address: 84010000
    Filename: LNXD6.02.07-kernel-20140224.bin
         HCS: b184
         CRC: 72a7cada
Found image 3 at offset 2840000
NandFlashRead: Reading offset 0x2740000, length 0x200
NandFlashRead: Reading offset 0x2740200, length 0x16fe00
Performing CRC on Image 3...
CRC time = 188588101
Detected LZMA compressed image... decompressing...
Target Address: 0x84010000
decompressSpace is 0x8000000
Elapsed time 1153661470
Decompressed length: 6291567
Done
Copying Root File System...
Performing CRC on Image 4...
CRC time = 224147203
Detected LZMA compressed image... decompressing...
Target Address: 0x84010000
decompressSpace is 0x8000000
Elapsed time 1733865110
Decompressed length: 4914804
Copying partition table to 0x83fffc04 180
Copying partition table to 0x80000904 180
Executing Image 4...
******************** CRASH ********************
EXCEPTION TYPE: 10/Reserved instruction
TP0
r00/00 = 00000000  r01/at = 10000000  r02/v0 = 0000002f  r03/v1 = 00000001
r04/a0 = 84479770  r05/a1 = 000000ee  r06/a2 = ffffffff  r07/a3 = 00003fff
r08/t0 = 00000034  r09/t1 = 00000001  r10/t2 = 00000001  r11/t3 = 0000000f
r12/t4 = 843b7528  r13/t5 = 84477850  r14/t6 = 00000000  r15/t7 = 00000000
r16/s0 = 00000000  r17/s1 = ffffff00  r18/s2 = 80000904  r19/s3 = 844c0000
r20/s4 = 00000004  r21/s5 = 00008023  r22/s6 = 84010000  r23/s7 = 80000800
r24/t8 = 00000010  r25/t9 = 00001021  r26/k0 = 84010000  r27/k1 = ffffff00
r28/gp = 84474000  r29/sp = 84477b40  r30/fp = 00000215  r31/ra = 8449f3c0
pc : 0x8449f3d4 sr : 0x10000002 cause: 0x00008028 addr: 0xffffff04
Note that I had to apply the following patch to get it to compile under Ubuntu 15.10:diff --git a/hostTools/mtd-utils/mkfs.ubifs/hashtable/hashtable_itr.h b/hostTools/mtd-utils/mkfs.ubifs/hashtable/hashtable_itr.h index eea699a..a1ef9f2 100755 --- a/hostTools/mtd-utils/mkfs.ubifs/hashtable/hashtable_itr.h +++ b/hostTools/mtd-utils/mkfs.ubifs/hashtable/hashtable_itr.h @@ -28,20 +28,14 @@ hashtable_iterator(struct hashtable *h); /* hashtable_iterator_key * - return the value of the (key,value) pair at the current position */ -extern inline void * -hashtable_iterator_key(struct hashtable_itr *i) -{ - return i->e->k; -} +extern void * +hashtable_iterator_key(struct hashtable_itr *i); /*****************************************************************************/ /* value - return the value of the (key,value) pair at the current position */ -extern inline void * -hashtable_iterator_value(struct hashtable_itr *i) -{ - return i->e->v; -} +extern void * +hashtable_iterator_value(struct hashtable_itr *i); /*****************************************************************************/ /* advance - advance the iterator to the next element
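Review bot: after this hunk the header only declares hashtable_iterator_key() and hashtable_iterator_value(), but the diff adds no definitions, so the removed bodies (`return i->e->k;` and `return i->e->v;`) must be added to hashtable_itr.c or every caller will fail to link; a `static inline` definition kept in the header would be the other option. Dropping `extern inline` is the right fix for a compiler that defaults to C99/C11 inline semantics, where `extern inline` in a header emits an external definition in every translation unit that includes it. While touching this, the comment above hashtable_iterator_key still says "return the value of the (key,value) pair" where it should say the key.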
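The bootloader output above prints the image header field by field and then refuses the image because its signature (0000) differs from the chip signature (a825). The following Python is an added example, not code from the post or from bcm2-utils: it decodes that header from a constructed sample image and reproduces the signature, length and payload CRC checks. The 92-byte big-endian layout follows my reading of the Broadcom ProgramStore format used by bcm2-utils, and the CRC-32 (IEEE) payload check is an assumption; the HCS header checksum is parsed but not verified.

```python
import struct
import zlib

# Assumed 92-byte big-endian ProgramStore header (bcm2-utils layout); the field
# order matches what the bootloader prints: Signature, Control, Major/Minor Rev,
# Build Time, File Length, Load Address, Filename, ..., HCS, CRC.
PS_HEADER = struct.Struct(">HHHHIII48s8sIIHHI")
PS_FIELDS = ("signature", "control", "major", "minor", "build_time", "length",
             "load_addr", "filename", "pad", "comp_len1", "comp_len2", "hcs",
             "reserved", "crc")


def parse_header(blob):
    """Return the ProgramStore header fields of an image as a dict."""
    if len(blob) < PS_HEADER.size:
        raise ValueError("image shorter than a ProgramStore header")
    hdr = dict(zip(PS_FIELDS, PS_HEADER.unpack_from(blob)))
    hdr["filename"] = hdr["filename"].rstrip(b"\0").decode("ascii", "replace")
    return hdr


def check_image(blob, chip_signature):
    """Mimic the bootloader's acceptance checks; return a list of findings."""
    hdr = parse_header(blob)
    payload = blob[PS_HEADER.size:]
    findings = []
    if hdr["signature"] != chip_signature:       # "Signatures do not match!"
        findings.append("signature mismatch: image %04x, chip %04x"
                        % (hdr["signature"], chip_signature))
    if hdr["length"] != len(payload):            # "File Length" vs bytes received
        findings.append("length mismatch: header %d, payload %d"
                        % (hdr["length"], len(payload)))
    if hdr["crc"] != zlib.crc32(payload) & 0xffffffff:  # assumed CRC-32 (IEEE)
        findings.append("payload CRC mismatch")
    # HCS (header checksum) is only reported: its CRC-16 variant is not confirmed here.
    return findings


def build_image(payload, signature, load_addr=0x84010000,
                name=b"vmlinux_initrd_sto.bin"):
    """Wrap a payload in a ProgramStore header (constructed sample; HCS left 0)."""
    hdr = PS_HEADER.pack(signature, 0x0005, 0x0100, 0x03ff, 0, len(payload),
                         load_addr, name.ljust(48, b"\0"), b"\0" * 8,
                         len(payload), 0, 0, 0, zlib.crc32(payload) & 0xffffffff)
    return hdr + payload


if __name__ == "__main__":
    data = b"constructed sample payload " * 100        # constructed, not a real image
    print(check_image(build_image(data, 0xa825), 0xa825))   # []
    print(check_image(build_image(data, 0x0000), 0xa825))   # signature mismatch
    bad = bytearray(build_image(data, 0xa825)); bad[-1] ^= 0xff
    print(check_image(bytes(bad), 0xa825))                  # payload CRC mismatch
```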
Is there any update on this? So the only path ahead is to dump or download the firmware and hunt for the password in there?
I barely made 4-5 attempts when the telnet gave me:

telnet 192.168.100.1
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.
Telnet connection from 192.168.1.12:32108 refused. Your IP address has been logged and reported.

That's when I decided I would not give up and let my cat play with this.
The firmware can be dumped via serial console using bcm2-utils (hxxps://github.com/jclehner/bcm2-utils), but the telnet password is most likely set by your ISP's DOCSIS config file during provisioning, so dumping the firmware won't be of much use. Your best bet is to use the bootloader to flash a firmware image with the serial console enabled. What exactly are you after?
The firmware can be dumped via serial console using bcm2-utils (hxxps://github.com/jclehner/bcm2-utils), but the telnet password is most likely set by your ISP's DOCSIS config file during provisioning, so dumping the firmware won't be of much use. Your best bet is to use the bootloader to flash a firmware image with the serial console enabled. What exactly are you after?
But if I flash the firmware:
1) will my internet stop working, or will it somehow still receive the necessary settings? Or can I copy/get them from somewhere?
2) what firmware image can I flash? Is there a vanilla one from Thomson? I see people here can't compile from sources
3) will my ISP notice it? Although that's not very important, as they'd also lose their remote access to it
4) is this device supported upstream by the Linux kernel? I think not, and I haven't seen a Thomson fork
What I am after is using the device as I like, possibly with some customization of the daemons running there. Also I don't like my ISP being in control of enabling a WiFi they sell to people passing by. Generally my purpose is customization and security.
Does SNMP stay enabled after your modem has registered with your ISP? If so, you might be able to change the telnet password using an SNMP client.
Regarding your questions:
1. It might continue to work.
2. The Technicolor firmware of the TC7200.20 works on the TC7200.U (they're the same device, just the branding differs).
3. Quite possibly, yes.
4. This device's primary firmware is not based on Linux, but eCos. There is a secondary firmware running on another processor, based on Linux, but this is only used to provide NAS and media server capabilities (broken on the TC7200.U, at least in STD6.02.11), nothing else. The eCos-based firmware is the only one that matters on this device.
The problem with disabling/enabling certain features is the fact that, when registering with your ISP, the modem downloads a config file which might revert some of the changes you made. So the only way in this case would be to patch the firmware itself, to permanently disable stuff.
Does SNMP stay enabled after your modem has registered with your ISP? If so, you might be able to change the telnet password using an SNMP client.
Regarding your questions:
1. It might continue to work.
2. The Technicolor firmware of the TC7200.20 works on the TC7200.U (they're the same device, just the branding differs).
3. Quite possibly, yes.
4. This device's primary firmware is not based on Linux, but eCos. There is a secondary firmware, based on Linux, but this is only used to provide NAS and media server capabilities (broken on the TC7200.U, at least in STD6.02.11), nothing else. The eCos-based firmware is the only one that matters on this device.
The problem with disabling/enabling certain features is the fact that, when registering with your ISP, the modem downloads a config file which might revert some of the changes you made. So the only way in this case would be to patch the firmware itself, to permanently disable stuff.

I assume that this functionality is also in the TC7200.20; the best I could achieve is a sort of backdoor. Would this firmware accept remote upgrades from the ISP? This would revert everything.
Will try this ASAP, although I believe not since a default scan returned only telnet and http open on the .100 address
SNMP uses UDP, and most port scanners are TCP-only by default.

I assume that this functionality is also in the TC7200.20; the best I could achieve is a sort of backdoor. Would this firmware accept remote upgrades from the ISP? This would revert everything.
Yes, since this is how DOCSIS modems register themselves on your ISP's network. This firmware would accept remote upgrades, in fact, your ISP might detect that you're not using its latest firmware, and force an upgrade immediately after successful registration (this could be circumvented by spoofing the version).
PN me if you need more info.
Yeah it's there but closed:

PORT     STATE   SERVICE
161/udp  closed  snmp

Given all the blockers, I am a bit demotivated to dig more into this device. It seems to have little RAM for creative purposes and is hard to keep in control, but thanks for the help.
Any progress made on this? This seems like the furthest anyone has got.