hack-technicolor / hack-technicolor

Hacking Technicolor Gateways wiki repository
https://hack-technicolor.rtfd.io/en/stable/
GNU General Public License v3.0
246 stars 58 forks

Support for Technicolor CGM4331COM from Comcast in United States of America #181

Open notunixian opened 2 years ago

notunixian commented 2 years ago

General info

My gateway is currently running firmware version ??? from Comcast in United States of America

Did anybody ever manage to get root on that device already?

Other details

These devices are like the CGM4140COM, being sold to Cox and having their label being put on them. They also have mobile phone apps that manage port forwarding and other settings, with similar design to Cox. These are also the newest gateway offered by Comcast.

Wiki for hardware: http://www.en.techinfodepot.shoutwiki.com/wiki/Technicolor_CGM4331COM
Wiki 2 for hardware: http://wikidevi.wi-cat.ru/Technicolor_CGM4331COM
Photos: (Credits: Technicolor User Manual, Cox Forum)

checkraisefold commented 2 years ago

This thing is pretty much identical to the CGM4140COM excluding the WPS button being in a different position, no reset push-pin thingy, and the extra 2 ethernet ports along with configurable ethernet WAN that might actually be automatically enabled on Cox.

Interesting tidbit in the user manual: https://www.manualslib.com/manual/1877122/Technicolor-Cgm4331-Series.html?page=13&term=ethernet+wan&selected=2#manual

LuKePicci commented 2 years ago
  • Another version specified for eMTA/DOCSIS in the Admin Tool is "Prod_20.2_d31 & Prod_20.2"

This should indicate the major Homeware release for this firmware you're running is 20.2

notunixian commented 2 years ago
  • Another version specified for eMTA/DOCSIS in the Admin Tool is "Prod_20.2_d31 & Prod_20.2"

This should indicate the major Homeware release for this firmware you're running is 20.2 @LuKePicci

Alright, I've found out that you can enable the bottom right port to be WAN. But, if you read the user manual that @checkraisefold provided, it can only be configured to enable WAN if a fiber ONT is connected. I don't know if this applies with the Cox/Comcast versions.

LuKePicci commented 2 years ago

It would be a good idea to capture on it after a full factory reset to see if ACS discovery is enabled. Do it from Linux so it will see any VLAN packets.

Lumonixity commented 2 years ago
  • Another version specified for eMTA/DOCSIS in the Admin Tool is "Prod_20.2_d31 & Prod_20.2"

This should indicate the major Homeware release for this firmware you're running is 20.2 @LuKePicci

Alright, I've found out that you can enable the bottom right port to be WAN. But, if you read the user manual that @checkraisefold provided, it can only be configured to enable WAN if a fiber ONT is connected. I don't know if this applies with the Cox/Comcast versions.

Does not apply with the Comcast version AFAIK.

checkraisefold commented 2 years ago
  • Another version specified for eMTA/DOCSIS in the Admin Tool is "Prod_20.2_d31 & Prod_20.2"

This should indicate the major Homeware release for this firmware you're running is 20.2 @LuKePicci

Alright, I've found out that you can enable the bottom right port to be WAN. But, if you read the user manual that @checkraisefold provided, it can only be configured to enable WAN if a fiber ONT is connected. I don't know if this applies with the Cox/Comcast versions.

Does not apply with the Comcast version AFAIK.

After scoping out a post on the dslreports forum, a user reported that Comcast supports some fiber services and that the option can be enabled on the XB7. Are you sure?

Lumonixity commented 2 years ago
  • Another version specified for eMTA/DOCSIS in the Admin Tool is "Prod_20.2_d31 & Prod_20.2"

This should indicate the major Homeware release for this firmware you're running is 20.2

@LuKePicci

Alright, I've found out that you can enable the bottom right port to be WAN. But, if you read the user manual that @checkraisefold provided, it can only be configured to enable WAN if a fiber ONT is connected. I don't know if this applies with the Cox/Comcast versions.

Does not apply with the Comcast version AFAIK.

After scoping out a post on the dslreports forum, a user reported that Comcast supports some fiber services and that the option can be enabled on the XB7. Are you sure?

Sorry for not specifying earlier.

A fiber ONT does not NEED to be connected in order to enable the bottom right Ethernet port to be a WAN port, on the Comcast version of the XB7.

LuKePicci commented 2 years ago

Nice, so you should really enable that WAN port and capture from a Linux pc with Wireshark. If you also have a fiber service then you can capture the actual bootstrap traffic.

Lumonixity commented 2 years ago

Nice, so you should really enable that WAN port and capture from a Linux pc with Wireshark. If you also have a fiber service then you can capture the actual bootstrap traffic.

Nope, don’t have a fiber service. You reckon I could use macOS too? (For ease of convenience) If it would be preferred to use Linux I’ll haul my iMac upstairs and dual boot, haha.

LuKePicci commented 2 years ago

I don’t know how macOS manages VLAN packets on VLAN-unaware network interfaces, so I’d say you might need Linux. From Linux you will be able to see all incoming packets, including those ones of other VLANs you don’t explicitly set up.

Lumonixity commented 2 years ago

Just checking in and letting you guys know I'm still active and not going to abandon you guys, haha.

Going to send some logs next week, see you guys then.

Lumonixity commented 2 years ago

Hi, sorry for leaving you guys hanging.

I no longer have this modem model, but I now do have the model TG4482A.

Edit: It's the XB7-T, so I should be just fine.

clutchthrower commented 2 years ago

Don’t really know if/how these would help anyone looking into this router still, but while doing some DEEP research on my ip cameras, I came across these urls for this router.

Found on WireShark while ARP Spoofing.

As I said, don’t know if it will help, but thought I’d share 🤷🏽‍♂️

checkraisefold commented 2 years ago

Don’t really know if/how these would help anyone looking into this router still, but while doing some DEEP research on my ip cameras, I came across these urls for this router.

  • 10.0.0.1:49152/IGDdevicedesc_brlan0.xml
  • 10.0.0.1:49152/WANIPConnectionServiceSCPD.xml
  • 10.0.0.1:49152/Layer3ForwardingSCPD.xml
  • 10.0.0.1:49152/WANCommonInterfaceConfigSCPD.xml

Found on WireShark while ARP Spoofing.

As I said, don’t know if it will help, but thought I’d share 🤷🏽‍♂️

This is very useful! We were wondering what port 49152 was for over at #143. I checked on my device, and these XML files do exist on the CGM4140COM as well. Looks like the port is solely used as a UPNP service.
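The descriptor names above show what the service on port 49152 is: the Internet Gateway Device (IGD) profile of UPnP, where the root description XML lists every embedded device and service together with its SCPD and control URL. As an added example (not code from the thread or from the hack-technicolor project), the script below parses such a description and produces a LAN-side inventory of the advertised control endpoints, flagging the services whose SOAP actions change gateway state (WANIPConnection carries AddPortMapping, Layer3Forwarding carries SetDefaultConnectionService). The XML is constructed here to exercise the parser; only the base URL and the three SCPD file names come from the comment above, and the `controlURL`/`serviceId` values are placeholders, not the gateway's real ones.

```python
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

NS = {"u": "urn:schemas-upnp-org:device-1-0"}

# Services whose actions alter gateway behaviour from the LAN side
# (port mappings, default connection). Their presence is what an
# inventory should surface, since any LAN client may call them.
STATE_CHANGING = {"WANIPConnection", "WANPPPConnection", "Layer3Forwarding"}

# Constructed sample description following the IGD:1 layout. The SCPD
# file names match the thread; the control/event URLs are placeholders.
SAMPLE_IGD_XML = """<root xmlns="urn:schemas-upnp-org:device-1-0">
  <specVersion><major>1</major><minor>0</minor></specVersion>
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Constructed Gateway</friendlyName>
    <serviceList>
      <service>
        <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
        <serviceId>urn:upnp-org:serviceId:L3Forwarding1</serviceId>
        <SCPDURL>/Layer3ForwardingSCPD.xml</SCPDURL>
        <controlURL>/upnp/control/L3Forwarding1</controlURL>
        <eventSubURL>/upnp/event/L3Forwarding1</eventSubURL>
      </service>
    </serviceList>
    <deviceList>
      <device>
        <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
        <serviceList>
          <service>
            <serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</serviceType>
            <serviceId>urn:upnp-org:serviceId:WANCommonIFC1</serviceId>
            <SCPDURL>/WANCommonInterfaceConfigSCPD.xml</SCPDURL>
            <controlURL>/upnp/control/WANCommonIFC1</controlURL>
            <eventSubURL>/upnp/event/WANCommonIFC1</eventSubURL>
          </service>
        </serviceList>
        <deviceList>
          <device>
            <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
            <serviceList>
              <service>
                <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
                <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
                <SCPDURL>/WANIPConnectionServiceSCPD.xml</SCPDURL>
                <controlURL>/upnp/control/WANIPConn1</controlURL>
                <eventSubURL>/upnp/event/WANIPConn1</eventSubURL>
              </service>
            </serviceList>
          </device>
        </deviceList>
      </device>
    </deviceList>
  </device>
</root>
"""


def walk_devices(device_el):
    """Yield the device element and, recursively, every embedded device."""
    yield device_el
    for child in device_el.findall("u:deviceList/u:device", NS):
        yield from walk_devices(child)


def inventory_services(xml_text, base_url):
    """One record per advertised service: owning device type, short service
    name, absolute SCPD/control URLs, and whether it can change gateway state.
    Relative URLs are resolved against the URL the description was fetched from."""
    root = ET.fromstring(xml_text)
    records = []
    for dev in walk_devices(root.find("u:device", NS)):
        dev_type = dev.findtext("u:deviceType", "", NS).split(":")[-2]
        for svc in dev.findall("u:serviceList/u:service", NS):
            # urn:schemas-upnp-org:service:<Name>:<version> -> <Name>
            name = svc.findtext("u:serviceType", "", NS).split(":")[-2]
            records.append({
                "device": dev_type,
                "service": name,
                "scpd_url": urljoin(base_url, svc.findtext("u:SCPDURL", "", NS)),
                "control_url": urljoin(base_url, svc.findtext("u:controlURL", "", NS)),
                "state_changing": name in STATE_CHANGING,
            })
    return records


if __name__ == "__main__":
    # With a URL argument, fetch your own gateway's description; otherwise use the sample.
    if len(sys.argv) > 1:
        url = sys.argv[1]
        text = urllib.request.urlopen(url, timeout=5).read().decode("utf-8", "replace")
    else:
        url, text = "http://10.0.0.1:49152/IGDdevicedesc_brlan0.xml", SAMPLE_IGD_XML
    for rec in inventory_services(text, url):
        flag = "STATE-CHANGING" if rec["state_changing"] else "read-only"
        print(f"{rec['device']}/{rec['service']}: control={rec['control_url']} [{flag}]")
```

Run it against the gateway's own description URL to see which control endpoints are reachable from the LAN; if WANIPConnection is advertised and the ISP's UI offers no way to turn UPnP off, that is the exposure worth documenting for the device.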

yunghegel commented 2 years ago

hey, i have a spare 4331 because cox are insanely incompetent. i'd be happy to contribute in any way i can if it means getting this thing cracked. i'll need some guidance since this is outside my purview though

checkraisefold commented 2 years ago

hey, i have a spare 4331 because cox are insanely incompetent. i'd be happy to contribute in any way i can if it means getting this thing cracked. i'll need some guidance since this is outside my purview though

I think it would be very useful if you enabled the WAN port on the thing and sniffed it with Wireshark from a Linux computer, maybe during a factory reset or power cycle?

ASentientBot commented 1 year ago

Found this https://ssr.ccp.xcal.tv/cgi-bin/x1-sign-redirect.pl?K=10&F=stb_cdl/CGM4331COM_5.2p16s1_PROD_sey-signed.bin which seems to be the firmware, but neither strings nor binwalk gives any obvious starting points. Playing with the version number in the URL gives me other (equally opaque) files.

Maybe someone else could take a look?

Edit: the URL was found by running curl https://xconf.xcal.tv/xconf/swu/stb/ --data 'eStbMac=000000000000&env=PROD&model=CGM4331COM&capabilities=supportsFullHttpUrl' which I figured out based on this file.

Edit 2: my router of this model is from Rogers in Ontario.

LuKePicci commented 1 year ago

Will do, the file format suggests this firmware is likely built on a distinct image builder SDK, we have seen something similar already for the Cobra platforms of latest Telstra devices.

checkraisefold commented 1 year ago

This works when you replace the model parameter with CGM4140COM as well. Will post the resulting bin url in the CGM4140COM issue.

ASentientBot commented 1 year ago

Thank you! Do you have any links regarding the research on these Cobra systems so far?

I'm not sure if this helps or not, but trying other models, I found that using dpc3941b returns a ccs (rather than bin) file which can be extracted with binwalk. However, it's version 4.12p24s1, so quite a bit older. Not sure if that is useful or not...

Thanks again for looking into it!

soxrok2212 commented 1 year ago

Found this https://ssr.ccp.xcal.tv/cgi-bin/x1-sign-redirect.pl?K=10&F=stb_cdl/CGM4331COM_5.2p16s1_PROD_sey-signed.bin which seems to be the firmware, but neither strings nor binwalk gives any obvious starting points. Playing with the version number in the URL gives me other (equally opaque) files.

Awesome find!!! Looks like xb6+ images are encrypted.

ASentientBot commented 1 year ago

Thanks, any ideas for the encrypted ones? I don't know much about modems or where you'd find decryption keys.

Also, found TG3482G which is version 5.3p11s1 and unencrypted, if that helps at all.

soxrok2212 commented 1 year ago

Well the keys must be stored on the device itself if it wants to boot, otherwise it'd have no idea what to do with an encrypted image. I've often seen them stored in a Replay Protected Memory Block (RPMB). Typically you need access to the device in an operational state in order to view the contents of it and extract the key, so in order for this to work we need to get into a root shell on a device.

ASentientBot commented 1 year ago

Makes sense, thank you. I don't think I have the knowledge to help much, but tell me if there's something I can try.

For reference, here are all the additional models I've found that work with this API: CGA4131COM CGM4140COM DPC3939 DPC3939B DPC3941B DPC3941T TG1682G DPC3939b PX5001 CGM4981COM TG4482A TG3482G AX061AEI

Seems like all the ones returning ccs are unencrypted, and bin ones are encrypted. I'll try brute-forcing version numbers a bit, but doubt I'll find anything interesting.

ASentientBot commented 1 year ago

I'm guessing this is known, but external port 49971 is SSH, but requires a private key.

amy@zoe ~ % ssh root@[REDACTED] -p 49971
WARNING:

This system is solely for the use of authorized Comcast employees
and contractors.

Comcast reserves the right at any time to monitor usage of this
system to ensure compliance with this policy, all applicable
Comcast policies that apply to electronic communications, and all
applicable laws.

Your use of this system constitutes your acceptance of and
agreement to all applicable Comcast electronic communications
policies, your consent to monitoring by Comcast, and your express
agreement to use this system in compliance with all applicable
laws.

Any unauthorized use of or access to this system may result in a
revocation of your user privileges, other disciplinary action up
to and including termination of employment or contract, or
referrals to law enforcement officials including the provision
evidence of any unauthorized use or access to law enforcement.
root@[REDACTED]: Permission denied (publickey).

checkraisefold commented 1 year ago

I'm guessing this is known, but external port 49971 is SSH, but requires a private key. ...

this was actually not known and i'm pretty sure this ssh port isn't open on most models, and it isn't open on my Cox CGM4140COM. i wonder how cox manages to ssh in? did you do anything special to get this ssh port open, like turning on ethernet wan or something?

EDIT: nevermind, you said EXTERNAL port. just tested and port is open on my Cox CGM4140COM when using public ip. does indeed require private key and it says Comcast still, not Cox. i wonder if they use a unique private key for each device or if it's just one central private key the tech needs, that would be pretty funny and also a serious security hole if that shit ever gets leaked. awesome find though since i don't think anyone noticed this open port before

checkraisefold commented 1 year ago

Thanks, any ideas for the encrypted ones? I don't know much about modems or where you'd find decryption keys.

Also, found TG3482G which is version 5.3p11s1 and unencrypted, if that helps at all.

this is another awesome find, considering 5.3p11s1 is the latest version number on all the other devices as well. it'd be pretty funny if they're encrypting it but they keep the same firmware unencrypted for another model on the same file host. http://ssr.ccp.xcal.tv/cgi-bin/x1-sign-redirect.pl?K=10&F=stb_cdl/tg3482pc2_5.3p11s1_prod_sey_svn_d30_signed.bin.ccs

EDIT: the CCS for the TG4382G is encrypted, the really old firmware version 4 CCS is not encrypted

ASentientBot commented 1 year ago

Thanks!

I was able to extract the TG3482G 5.3p11s1 filesystem with no issues. (For some reason, binwalk -e misses some contents (/usr/www2 for instance) but running unsquashfs -f on the squashfs files works.) Also, left a script running overnight and found 5.8p3s1 for the same model. Bit weird, since that's substantially newer than the current version. Link: http://ssr.ccp.xcal.tv/cgi-bin/x1-sign-redirect.pl?K=10&F=stb_cdl/tg3482pc2_5.8p3s1_prod_sey_svn_d30_signed.bin.ccs

I guess systems that use ccs files are unable to handle the encrypted bin format? Not sure.

Also noticed (1) the web UI server has switched from PHP-based to JS-based, and (2) a number of files (including dropbear config files) are obfuscated/encrypted and decoded with /usr/bin/configparamgen. I'm not sure if this could be made to run under QEMU or something. Hopefully someone is able to figure out an exploit!

LuKePicci commented 1 year ago

Is any of the firmwares you found mentioning that "20.2" version from the OP of this issue? I wonder if those ones are in .rbi format instead.

ASentientBot commented 1 year ago

It looks like there are two separate versions. My CGM4331COM reports the following:

eMTA & DOCSIS Software Version: Prod_21.1_d31 & Prod_21.1
Software Image Name: CGM4331COM_5.2p16s1_PROD_sey

So the 5.x is not an older version of the 21.x, they are two components of the same image. But I can't find where the 21.x number is defined...

notunixian commented 1 year ago

Is any of the firmwares you found mentioning that "20.2" version from the OP of this issue? I wonder if those ones are in .rbi format instead.

seems like now i have it on Prod_21.1_d31 & Prod_21.1 as mentioned by @ASentientBot, xfinity and the other isps that have these push automatic updates it seems

soxrok2212 commented 1 year ago

On Comcast's network, devices running prod firmware have ssh restricted to a set of jumpboxes:

96.114.220.134
96.114.220.251
96.114.220.250
96.114.220.99
96.114.220.240
96.114.220.197
69.252.107.55
162.150.80.117
96.114.220.73
96.114.220.254
96.114.220.196
96.114.220.237
96.114.220.178
96.114.220.101
96.114.220.132
96.114.220.153
96.114.220.148
162.150.19.128/25
96.118.159.156
96.118.159.245
96.118.159.252
96.118.159.235
96.118.136.184
96.118.136.188
96.118.137.237
96.118.137.227
96.118.211.209
96.118.208.237
96.118.213.116
96.118.217.151
96.118.155.199
96.118.149.77
96.118.214.184
96.116.63.53
96.118.21.170
96.118.220.67
192.168.220.219

I've found no evidence of an SSH-CA or password authentication, so yes, it is likely protected via ONE ssh key. So yes, if it is leaked that would suck, but you'd need to be on one of these management IPs to actually utilize it.

If they make a mistake and push a dev image, then SSH would be open to the world.

floam commented 1 year ago

At the house I live on the weekends (long story) I have a CGM4331COM with Cox in Las Vegas. Running CGM4331COM_5.2p19s1_PROD_sey-signed.bin. I have 1000/1000 fiber with a Nokia G-010G-A ONT in the garage, WAN is CAT5 gigabit Ethernet.

If I ever get a USB-C to Ethernet adapter for my MacBook Pro I'll definitely dump the traffic. I just happen to literally no longer have a computer with ethernet.

whatsbroke commented 1 year ago

I found 4 of these at my local Value Village for 5.99 each! I took one apart and was able to locate a UART port for serial console. Only the TX seems active; I jumped the missing resistor for the RX point to no avail. It's got a quiet U-Boot bootloader.

I was also able to locate a Winbond chip that I am trying to dump. I can see the partition names and addresses and sizes in the minimal bootlog. One of them is a VAR part. So theoretically I should be able to modify it with a hex editor and enable further output or possibly even input.

whatsbroke commented 1 year ago

Here is a video of the boot log (whatever it allowed before going quiet) and some pics.

Video is on my google drive

Here is the spi flash chip (i just hope this is the chip i am talking to and not the cpu)

If I get anywhere with this I will of course share. If there is someone here that wants to connect and help out, just let me know!

soxrok2212 commented 1 year ago

@whatsbroke i believe this is just for the 5G Quantenna radio, not the RG.

whatsbroke commented 1 year ago

@whatsbroke i believe this is just for the 5G Quantenna radio, not the RG.

The Winbond SPI chip?? When I hit detect and read the first sectors of the data... I can see the U-Boot version. I need to build an XML file for my reader to get the rest in a proper layout.

whatsbroke commented 1 year ago

You're right

soxrok2212 commented 1 year ago

You can tell because if you look at the partition table there’s uboot, the uboot env and a backup (all just the bootloader), and then the calibration data for the radio. Unsure what data is.

HOWEVER, this poses an interesting point; the RG must talk to the Quantenna chip, could a modified radio firmware cause a compromise of the RG?

whatsbroke commented 1 year ago

I have talked to the rg/modem from wifi chips, i even used the intel chip on a hitron coda 4582 to downgrade firmware.

So if we could unlock access to this chip then possibly. However it does a CRC check before it sets the variables (I should've read the output thoroughly before my post lol) so any modifications of the envs to slow boot delay or change it to loud would break the CRC.

whatsbroke commented 1 year ago

Nice!! Found the flash chip, storage chip lol and probably some pads I can interface with. Not that it matters, I can probably read that flash chip with my jtagNT and then I'll decompress it hopefully.

They were hiding them under the (Faraday?) shield. I may have ruined this trying to get the epoxied aluminum blass off of the other side. Thankfully I have 3 more of these; I'd bet the dead UART port can be solder-blobbed alive somewhere under this shield too, if not another entire one residing under it.

whatsbroke commented 1 year ago

You can tell because if you look at the partition table there’s uboot, the uboot env and a backup (all just the bootloader), and then the calibration data for the radio. Unsure what data is.

HOWEVER, this poses an interesting point; the RG must talk to the Quantenna chip, could a modified radio firmware cause a compromise of the RG?

Well I removed the chip and was able to successfully read it and dump it!!! The main chip/CPU is a Broadcom 3390 which makes sense because I could see what looked like a “factory key” when I first read the flash chip. These were present in bcm3348/49 chips and bcm3380/81 chips!

This is great news if it is actually a factory key, because that means we can enable factory mode and have access to the factory mibs through snmp and do literally whatever we want. Enable/disable telnet/ssh serial consoles. Change passwords even the MAC address and bpi certificates.

I am going to investigate a bit further. I can see the entire boot log and a lot of other ASCII chars in the chip dump through a hex editor. I would rather try and binwalk it, but in my past experience binwalk didn’t like Broadcom flashes unless you found the magic number and removed the header through hex. Anyways I am going to remove the rest of this shield that I bent up to expose the flash chip and see if there's anything else under there of interest.

npellegr commented 1 year ago

@whatsbroke I'm super curious about what you find! I've been digging around the web to learn more about this gateway and how I might access further settings. Wishing you the best of luck in your investigation! Cheers.

noahclements commented 1 year ago

@whatsbroke have you found anything with the SPI chip? I managed to get a dump of the chip as well, but binwalk only provides me with a lot of zlib compressed files.

However, there are three files named "cm_dyn.bin", "cm_perm.bin", and "cm_perm-orig.bin" included in the binwalk dump. These files appear to be encrypted with AES-256-ECB after a bit of research (https://github.com/jclehner/bcm2-utils/blob/master/FORMAT.md).

Also, I'm curious if you have these strings included in your dump 🤣

DTCP-IP-SAGE Hot potatoes HDCP22-TXRX: I hate brussels sprouts Leopold I Where's the Charter DKP Pass the Broadcom OCLH salt Salt for Entropic CIDP Salt for Entropic DTCP Salt for Entropic HDCP Salt for RACE Salt for my Verizon TLS I need my docsis identity set salt Broadcom DTCP-IP Key Salt Master Password Delivery to HDD Unpairing Tool MotoPLYR Key Proc/TProc dtcp-ip-sage Santa Claus hdcp22-txrx: Fly me to Dublin, Ireland Fly me to Barcelona, Spain Fly me to Las Vegas, Nevada I love broccoli Leopold IV Gimme the Charter DKP Pass the Broadcom OCLH pepper IV for Entropic CIDP IV for Entropic DTCP IV for Entropic HDCP IV for RACE IV for my Verizon TLS I need my docsis identity set IV Broadcom DTCP-IP Key IV MotoPLYR Key IV 1 I'm going to London, England I'm going to Baltimore, MD I'm going to San Francisco, CA CoreTech/sec BL2.14.8.0-327-gce53030

noahclements commented 1 year ago

Thanks!

I was able to extract the TG3482G 5.3p11s1 filesystem with no issues. (For some reason, binwalk -e misses some contents (/usr/www2 for instance) but running unsquashfs -f on the squashfs files works.) Also, left a script running overnight and found 5.8p3s1 for the same model. Bit weird, since that's substantially newer than the current version. Link: http://ssr.ccp.xcal.tv/cgi-bin/x1-sign-redirect.pl?K=10&F=stb_cdl/tg3482pc2_5.8p3s1_prod_sey_svn_d30_signed.bin.ccs

I guess systems that use ccs files are unable to handle the encrypted bin format? Not sure.

Also noticed (1) the web UI server has switched from PHP-based to JS-based, and (2) a number of files (including dropbear config files) are obfuscated/encrypted and decoded with /usr/bin/configparamgen. I'm not sure if this could be made to run under QEMU or something. Hopefully someone is able to figure out an exploit!

@ASentientBot Would you be able to provide the script?

ASentientBot commented 1 year ago

I didn't save it, but it was nothing sophisticated. Basically:

Not clever, but it worked. I would recommend TG3482G particularly for reverse-engineering since it seems to get current versions, but they are not encrypted.

ASentientBot commented 1 year ago

(Based on the ccs I linked above, I spent a considerable amount of time examining the JS files for "exploits" like those used in AutoFlashGUI (basically failure to sanitize inputs, letting you run shell commands through the web UI) but wasn't able to find anything. I don't have the knowledge for much else.)

whatsbroke commented 1 year ago

@whatsbroke have you found anything with the SPI chip? I managed to get a dump of the chip as well, but binwalk only provides me with a lot of zlib compressed files.

However, there are three files named "cm_dyn.bin", "cm_perm.bin", and "cm_perm-orig.bin" included in the binwalk dump. These files appear to be encrypted with AES-256-ECB after a bit of research (https://github.com/jclehner/bcm2-utils/blob/master/FORMAT.md).

Also, I'm curious if you have these strings included in your dump 🤣

DTCP-IP-SAGE Hot potatoes HDCP22-TXRX: I hate brussels sprouts Leopold I Where's the Charter DKP Pass the Broadcom OCLH salt Salt for Entropic CIDP Salt for Entropic DTCP Salt for Entropic HDCP Salt for RACE Salt for my Verizon TLS I need my docsis identity set salt Broadcom DTCP-IP Key Salt Master Password Delivery to HDD Unpairing Tool MotoPLYR Key Proc/TProc dtcp-ip-sage Santa Claus hdcp22-txrx: Fly me to Dublin, Ireland Fly me to Barcelona, Spain Fly me to Las Vegas, Nevada I love broccoli Leopold IV Gimme the Charter DKP Pass the Broadcom OCLH pepper IV for Entropic CIDP IV for Entropic DTCP IV for Entropic HDCP IV for RACE IV for my Verizon TLS I need my docsis identity set IV Broadcom DTCP-IP Key IV MotoPLYR Key IV 1 I'm going to London, England I'm going to Baltimore, MD I'm going to San Francisco, CA CoreTech/sec BL2.14.8.0-327-gce53030

I am going to take a guess that those are the encrypted (cm_cert and cm_prv_key.bin) bpi+ certs. ( certificates that match the MAC address for registration completion on docsis) the other 3 (of 5) aren’t mac specific.

I wonder if I can find a squashfs header and remove it then unsquash it. Being that this modem has a Broadcom chip I doubt it. Usually found squashfs on Puma based chipset modems. Maybe some of the bcm based hacked firmware would work? Bitware or alphaware etc. foro cable is a treasure trove of DOCSIS hacking threads, but is in Spanish. I used to translate it all and would love it. This was a decade ago so who knows if it’s still active.

There is another trick that used to work on hitron rg’s - through the webgui disable gateway functions and then snmp enables locally before registration and one could see (get) and set the ssh/telnet credentials. Doubt this still works. It’s been a while since I “tested” (hacked) docsis and I’d have to go through my old notes to see what I can find.

whatsbroke commented 1 year ago

I haven't run strings on my dump yet; I haven't really messed around again since dumping it. Maybe I will do a hunt for a few things. Try to use Notepad++ on Windows and search within files for specific "text"; I was able to find a lot of useful stuff back in the day like this. I found bootloader passwords for Hitron modems, Production and Manufacturer CLI passwords etc.

Also I forget how to search for the squashfs header in hex, was it sqhs backwards you needed to search for and then cut the file before that, to remove the header in order to unsquash it?
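On the squashfs question: the magic is the first four bytes of the superblock, `hsqs` for little-endian images (the value 0x73717368 stored LE) and `sqsh` for big-endian ones, so nothing needs to be cut off; the image is carved from the offset of the magic onward, and `bytes_used` in the superblock says how long it is. As an added example (not the thread's or the project's code), the scanner below locates every plausible squashfs 4.x superblock in a raw dump, rejecting chance occurrences of the magic inside compressed data by checking the version, compressor id and block size fields, and carves the image for `unsquashfs`. The dump it runs on is constructed in `build_sample_dump`, not a real flash image; the field layout follows the squashfs 4 superblock definition.

```python
import struct

# squashfs 4.x superblock magic: LE images start with b"hsqs", BE images with b"sqsh".
MAGICS = {b"hsqs": "<", b"sqsh": ">"}

# Compressor ids as stored in the superblock's "compression" field.
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

# First 48 of the 96 superblock bytes: enough to validate the header and size the image.
# magic, inode_count, mkfs_time, block_size, fragments, compression, block_log,
# flags, no_ids, s_major, s_minor, root_inode, bytes_used
SB_FMT = "4sIIIIHHHHHHQQ"


def parse_superblock(blob, offset):
    """Return a dict describing the superblock at `offset`, or None when the
    bytes are not a plausible squashfs 4.x superblock."""
    endian = MAGICS.get(blob[offset:offset + 4])
    if endian is None or offset + 96 > len(blob):
        return None
    (_, inode_count, _mkfs_time, block_size, _fragments, compression, block_log,
     _flags, _no_ids, major, minor, _root_inode, bytes_used) = struct.unpack_from(
        endian + SB_FMT, blob, offset)
    # Sanity checks: version 4, a known compressor, a power-of-two block size
    # between 4 KiB and 1 MiB, and a length that fits inside the dump.
    if major != 4 or compression not in COMPRESSORS:
        return None
    if not 12 <= block_log <= 20 or block_size != 1 << block_log:
        return None
    if bytes_used < 96 or bytes_used > len(blob) - offset:
        return None
    return {
        "offset": offset,
        "endian": "little" if endian == "<" else "big",
        "version": f"{major}.{minor}",
        "compressor": COMPRESSORS[compression],
        "block_size": block_size,
        "inode_count": inode_count,
        "bytes_used": bytes_used,
    }


def find_squashfs(blob):
    """Scan a raw flash dump for every valid squashfs superblock, in offset order."""
    hits = []
    for magic in MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            sb = parse_superblock(blob, pos)
            if sb:
                hits.append(sb)
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda sb: sb["offset"])


def carve(blob, sb):
    """Cut the filesystem out starting at the magic. mksquashfs pads images to
    4 KiB, so round bytes_used up to that boundary where the dump has room."""
    end = sb["offset"] + ((sb["bytes_used"] + 4095) // 4096) * 4096
    return blob[sb["offset"]:min(end, len(blob))]


def build_sample_dump():
    """Constructed sample, not a real dump: bootloader-looking bytes, a decoy
    magic with zeros behind it, then one valid little-endian superblock."""
    junk = b"\x00" * 64 + b"U-Boot 2012.10 (constructed)\x00" + b"\xff" * 35
    decoy = b"hsqs" + b"\x00" * 92
    sb = struct.pack("<" + SB_FMT, b"hsqs", 42, 1673480000, 1 << 17, 3,
                     4, 17, 0x00C0, 1, 4, 0, 0, 200)
    body = b"\xab" * (200 - len(sb))  # stand-in for the rest of the image
    return junk + decoy + b"\x00" * 16 + sb + body + b"\x00" * 64


if __name__ == "__main__":
    import sys
    dump = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    for sb in find_squashfs(dump):
        print(f"squashfs {sb['version']} at 0x{sb['offset']:x}: {sb['endian']}-endian, "
              f"{sb['compressor']}, {sb['bytes_used']} bytes, {sb['inode_count']} inodes")
        # then: open("carved.squashfs", "wb").write(carve(dump, sb)); unsquashfs carved.squashfs
```

Pass the path of a dump as the only argument to scan a real file. A hit whose compressor is lzma or xz but which `unsquashfs` refuses usually means a vendor-patched compressor rather than a bad carve; no hits at all on a dump that is known to hold a squashfs is the sign of an encrypted image, which matches what the thread found for the `.bin` downloads.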

whatsbroke commented 1 year ago

lol yup those strings are in mine as well hmmm

2pl9z l+fjQ W\k<C AX\; +C-o \g&\y5 AUyL v>O3 &<]7 ;M.8O :p7 @Z!} DTCP-IP-SAGE Hot potatoes HDCP22-TXRX: I hate brussels sprouts Leopold I Where's the Charter DKP Pass the Broadcom OCLH salt Salt for Entropic CIDP Salt for Entropic DTCP Salt for Entropic HDCP Salt for RACE Salt for my Verizon TLS I need my docsis identity set salt Broadcom DTCP-IP Key Salt Master Password Delivery to HDD Unpairing Tool MotoPLYR Key Proc/TProc dtcp-ip-sage Santa Claus hdcp22-txrx: Fly me to Dublin, Ireland Fly me to Barcelona, Spain Fly me to Las Vegas, Nevada I love broccoli Leopold IV Gimme the Charter DKP Pass the Broadcom OCLH pepper IV for Entropic CIDP IV for Entropic DTCP IV for Entropic HDCP IV for RACE IV for my Verizon TLS I need my docsis identity set IV Broadcom DTCP-IP Key IV MotoPLYR Key IV 1 I'm going to London, England I'm going to Baltimore, MD I'm going to San Francisco, CA CoreTech/sec BL2.14.8.0-327-gce53030 SaFrontPanel_SetLights: Not enabled Not Capsense Wd_Enable: seconds out of bounds: `B# B"# 3X_" X+!4@ 2" !DA$