Downloading... Posted November 21, 2017 Posted November 21, 2017 (edited) Hey guys, I started my journey some time ago here: https://forum.tuts4you.com/topic/39557-getting-docsis-cable-modem-firmware/ My ultimate goal would be to find a remote code execution on the system. The reason you may ask, is twofold: 1. Learning 2. Being able to access the router without opening it up would be nice. But now I am much further in trying to understanding my cable modem / router but I still have so many questions unanswered... What I managed to find so far: *The router has 2 main microcontrollers (one Puma 5 chip and one Realtek chip), what I suppose is that the Puma 5 chip deals with the Modem part and the Realtek chip with the router part? (Datasheets in attachment) I didn't manage to find anything about the Puma 5 chip...No SDK's, datasheets,... so I suppose that is closed source. *2 UART serial ports: I suppose one is for the Puma 5 chip and one for the Realtek chip? *The Realtek UART spawns a busybox root shell *The Puma 5 chip just outputs U-boot info and then nothing --> Does this mean I can't do anything on the modem side? But my question so far is how do these 2 chips interact? Do they boot together, does one chip boot the other? *I managed to dump mtdblock0-4 from /dev folder (copied and then uploaded with ftp) Binwalk could extract the squashfs filesystem but the kernel seems encrypted or smth? Next: The router I am experimenting on seems to be an outdated version. How would I go about updating an unprovisioned modem/router? I tried plugging in the Coax cable and changing the HFC MAC adress from the MIB file to a provisioned HFC MAC, but that didn't seem to update it in any way? What I have been trying so far: Reversing the binaries found on the system but without much luck. The only disassembler that came close was RecStudio but it is very buggy! I tried Radare2 but that doesn't seem to find any symbols for functions etc? The architecture is MIPS 1 (R3000) running on a Lexra core (modified MIPS). Now why does RecStudio manages to disassemble binaries while Radare2 doesn't? The bad news is there is no way to flash a custom firmware (I think) except when launching a webserver that gives you access to a router management page that let's you upload and flash a firmware. The good news is there is an actual SDK available for that specific chip but I haven't had much time to play with it. I'm not even sure the web management does an actual firmware flash. For that I need to compile my own firmware and try. I dropped a binary found on the router for these who want to check it out! (cbnupgfws) I know this thread looks like a draft but I don't have time to make it nice, but in the future (if people want) I could make a DECENT thread with all my finding! (pictures, screenshots, dumps, ...) So to recapitulate: How would I reverse that binary? How do the 2 microcontrollers interact? How would I be able to update it without it being provisioned? Greetings, Me RTL8198_Datasheet_Cleaned_0.91.pdf puma5-prodbrief.pdf cbnupgfws Edited November 21, 2017 by Downloading...
ala_borbe Posted April 25, 2018 Posted April 25, 2018 interesting topic but i doubt you will find lot of info or interest here datasheet explains functions of chips... realtek is NIC (network interface controller) and other is main chipset, guess you can say cpu. its good that you have found UART but some more knowledge is requiired... vendors mess with uart in order to complicate access... on TP-Link routers with atheros chipset in uart there is only read option unless while modem is in u-boot type fast "tpl" in terminal and then you get option to input other commands maybe something similar is here... on other models they remove tiny smd resistor and thus break the input line (TX) so you can only watch... you can check that with multi-meter to really understand firmware you have to find eeprom chip that holds complete firmware and dump it, and with busybox you could only access one part of firmware lots of stuff on those devices is compressed in order to save space (slow cpu, small ram, small eeprom) and thay may seem like encrypted bot most of the time its lzma or similar some time ago while i had cable isp (im on (v)dsl now) i had retarded Thomson TWG-870U/Technicolor modem that i could not put in bridge mode but it was way to slow to do routing so i dig around i turns out that it was using MIB table so i managed to remotely change values and put it in bridge mode... maybe that is what you need read here https://www.boards.ie/b/thread/2057106714 also on some cable modems in order to access root account/settings you have to disconnect cable and to reset it to default and then access root... if cable is connected in time of reset it reads config file from provider and disables root access i havent looked in to binary you posted but it starts with .elf in header so its linux binary and i havent reveres any ever so.... i hope i helped at least a bit... and sorry for mu English 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now