jclehner / bcm2-utils

Utilities for Broadcom-based cable modems
GNU General Public License v3.0

Dumping flash on unsupported device #12

Closed bayvita closed 4 years ago

bayvita commented 5 years ago

I'm trying to dump the flash of an unsupported device. It's a CH7485E cable modem with a Broadcom 3384 SoC. It has two serial consoles, which I have access to. One is for the Linux kernel, the other for the bootloader. I don't know the password for the Linux console, however.

The device has a NAND flash and an SPI flash. The latter one seems to store the bootloader, user config stuff and logs. From what I read, the device or similar ones use two images: one eCos and a normal Linux one. Only the latter one has serial access. I reset the device but telnet still shows a filtered state even with the firewall off. SNMP is enabled but the command for enabling telnet is not supported (object does not support modification). So unless I try desoldering, I'm stuck with dumping via serial from the bootloader prompt.

However, the command listed in the readme does not work for me (bcm2dump -P generic dump dev/ttyUSB0 0x83f60000,256k bootloader.bin). Neither on the windows/linux release nor on master. Instead it just shows the help. There is a "/" missing but adding it does not help either.

I attached some files from the boot log and SNMP (minus MAC addresses): putty_bootlogCH7485E.log, putty_crash+partitionCH7485E.log, snmp_afterreset_re.log. If you have some ideas what to change or if you need more logs, let me know.

jclehner commented 5 years ago

The command in the readme is wrong. With /dev/ttyUSB0 replaced by the actual device name of your serial adapter, the correct command is:

bcm2dump -P generic dump /dev/ttyUSB0 ram 0x83f60000,256k bootloader.bin

bayvita commented 5 years ago

Thanks a lot. That worked indeed :) If I want to read the NAND I get another error though. bcm2dump -P generic dump COM3 flash image2 image.bin gives error: serial: interface autodetection failed

Well, maybe it is some issue with the serial connection (putty worked). Because after some trials I got a different error: no such rwx: bootloader,flash,safe

Do I need a correct profile or is this another issue? I'm not sure how bcm2dump does it under the hood when it works correctly. At least from the bootloader you can read memory, but I don't know if this applies to the flash or RAM.

jclehner commented 5 years ago

Reading flash from the bootloader requires a dedicated profile. Send me the bootloader image, and I'll try my best!

bayvita commented 5 years ago

I dumped it three times, the images are >99% similar but there are 1-2 very small differences. Not sure if they matter. Otherwise I'll try again.

bootloaders.tar.gz
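Repeated serial dumps of the same region that are "99% similar" are the classic sign of a few corrupted bytes on the link, and the usual remedy is to dump an odd number of times and take a byte-wise majority. The following is an added example, not code from bcm2-utils or from either participant: it diffs equal-length dumps, votes across three or more of them, and reports the offsets where no value reaches a strict majority so they can be re-dumped. The sample dumps are constructed inside make_sample_dumps() rather than read from a modem.

```python
"""Compare repeated serial dumps of the same region and reconstruct a
majority-voted image.  Added example, not part of bcm2-utils; the sample
dumps are constructed in make_sample_dumps() rather than read from a modem."""
import random
from collections import Counter


def diff_offsets(a, b):
    """Offsets at which two equal-length dumps differ."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length: %d vs %d" % (len(a), len(b)))
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def majority_vote(dumps):
    """Byte-wise majority vote over three or more equal-length dumps.

    Returns (image, unresolved).  `unresolved` lists offsets at which no value
    reached a strict majority; those bytes keep the plurality winner but must
    be re-dumped before the image is trusted."""
    if len(dumps) < 3:
        raise ValueError("need at least three dumps to out-vote a single bad read")
    base = dumps[0]
    for d in dumps[1:]:
        if len(d) != len(base):
            raise ValueError("dumps differ in length")
    # Any offset where two dumps disagree is also an offset where at least one
    # of them disagrees with dumps[0], so diffing against dumps[0] finds them all.
    suspects = set()
    for other in dumps[1:]:
        suspects.update(diff_offsets(base, other))
    image = bytearray(base)
    unresolved = []
    for off in sorted(suspects):
        value, votes = Counter(d[off] for d in dumps).most_common(1)[0]
        image[off] = value
        if votes * 2 <= len(dumps):
            unresolved.append(off)
    return bytes(image), unresolved


def make_sample_dumps(size=64 * 1024, seed=1234):
    """Constructed data: a pseudo-random 'true' image and three dumps of it,
    each with one private single-bit error, plus one offset (0x4000) where all
    three reads disagree, as a flaky serial link might produce."""
    rng = random.Random(seed)
    truth = bytes(rng.getrandbits(8) for _ in range(size))
    dumps = [bytearray(truth) for _ in range(3)]
    dumps[0][0x100] ^= 0x01
    dumps[1][0x2345] ^= 0x80
    dumps[2][0x7FFF] ^= 0x10
    for k, d in enumerate(dumps):
        d[0x4000] = (truth[0x4000] + k + 1) & 0xFF
    return truth, [bytes(d) for d in dumps]


if __name__ == "__main__":
    truth, dumps = make_sample_dumps()
    print("dump0 vs dump1 differ at:", [hex(o) for o in diff_offsets(dumps[0], dumps[1])])
    image, unresolved = majority_vote(dumps)
    print("bytes matching the true image:", sum(1 for o in range(len(truth)) if image[o] == truth[o]))
    print("still unresolved:", [hex(o) for o in unresolved])
```

With real files, read each dump with open(path, "rb").read() and pass the list to majority_vote(); a non-empty unresolved list means the region needs another pass, ideally at a lower baud rate.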

jclehner commented 5 years ago

I'll look into it! BTW, I somehow missed that you had SNMP access. If you want access to the eCos serial console, try

snmpset [...] 1.3.6.1.4.1.4413.2.2.2.1.9.1.2.1.0 i 2
snmpset [...] 1.3.6.1.4.1.4413.2.2.2.1.9.1.2.1.0 i 0
snmpset [...] 1.3.6.1.4.1.4413.2.2.2.1.9.1.2.1.0 i 2

jclehner commented 5 years ago

Reading from flash/nvram should be possible with the latest commit!

bayvita commented 5 years ago

Dumping the flash with the profile does not work up to now. Same error as before. It does something when not specifying a profile, but it dumps only ~0.5 KB.

sudo ./bcm2dump -vv dump /dev/ttyUSB0,115200 flash image2 image.bin
bcm2dump v0.9.3-61-g8247033
detected interface: bootloader
adjusting dump params: 0x807023d4,7 -> 0x807023d4,8
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,12
adjusting dump params: 0x82f00014,6 -> 0x82f00014,8
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,8
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,8
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,8
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,12
detected profile ch7485e(bootloader), version 2.5.0beta1
updating code at 0xa4010000 (436 b)
 100.00% (0xa40101b3)               8  bytes/s (ELT      00:00:51)
dumping flash:0x059c0000-0x0673ffff (14155776 b)
 ---.--% (0x059c0000)      0 |     0  bytes/s (ETA      00:00:00)
error: read incomplete chunk 0x059c0000: 0/16384

context:
  ==> 'NandFlashRead: Found replacement block at 0x75a0000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xa00000'
  ==> 'NandFlashRead: Found replacement block at 0x75c0000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xa20000'
  ==> 'NandFlashRead: Found replacement block at 0x75e0000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xa40000'
  ==> 'NandFlashRead: Found replacement block at 0x7600000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xa60000'
  ==> 'NandFlashRead: Found replacement block at 0x7620000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xa80000'
  ==> 'NandFlashRead: Found replacement block at 0x7640000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xaa0000'
  ==> 'NandFlashRead: Found replacement block at 0x7660000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xac0000'
  <== ''
  ==> 'NandFlashRead: Found replacement block at 0x7680000'
  <== ''
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xae0000'
  ==> 'NandFlashRead: Found replacement block at 0x76a0000'
  <== ''
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xb00000'
  ==> 'NandFlashRead: Found replacement block at 0x76c0000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xb20000'
  <== ''
  ==> 'NandFlashRead: Found replacement block at 0x76e0000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xb40000'
  ==> 'NandFlashRead: Found replacement block at 0x7700000'
  <== ''
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xb60000'
  ==> 'NandFlashRead: Found replacement block at 0x7720000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xb80000'
  <== ''
  ==> 'NandFlashRead: Found replacement block at 0x7740000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xba0000'
  ==> 'NandFlashRead: Found replacement block at 0x7760000'
  <== ''
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xbc0000'
  ==> 'NandFlashRead: Found replacement block at 0x7780000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xbe0000'
  <== ''
  ==> 'NandFlashRead: Found replacement block at 0x77a0000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xc00000'
  ==> 'NandFlashRead: Found replacement block at 0x77c0000'
  <== ''
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xc20000'
  ==> 'NandFlashRead: Found replacement block at 0x77e0000'
  <== ''
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xc40000'
  ==> 'NandFlashRead: Found replacement block at 0x7800000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xc60000'

sudo ./bcm2dump -vv -P generic dump /dev/ttyUSB0,115200 flash image2 image2.bin
bcm2dump v0.9.3-61-g8247033
detected interface: bootloader
insufficient profile information for code dumper
falling back to safe method

error: no such rwx: bootloader,flash,safe

context:
  ==> ''
  <== ''
  ==> 'Unrecognized command.'
  ==> (empty)
  ==> (empty)
  ==> 'Main Menu:'

sudo ./bcm2dump -vv -P ch7485e dump /dev/ttyUSB0,115200 flash image2 image2.bin
bcm2dump v0.9.3-61-g8247033
detected interface: bootloader
insufficient profile information for code dumper
falling back to safe method

error: no such rwx: bootloader,flash,safe

context:
  ==> ''
  <== ''
  ==> 'Unrecognized command.'
  ==> (empty)
  ==> (empty)
  ==> 'Main Menu:'

But with the SNMP commands I got access to the eCos console. Currently it's spamming the console with "Attempting Downstream FEC lock" messages. Is there any way to get rid of those? I can interact with the console and in principle see the CM> prompt and issue commands. Need to poke around a bit. Can you enable the console somehow at boot? And how did you actually know what the right command for this is?
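The "context" that bcm2dump prints after the failed chunk read is the bootloader's own chatter during the read, and it is worth parsing before blaming the tool: in the log above every out-of-order detection names the same physical block (0x6bc0000, tagged offset 0x0) while the replacement blocks and the expected offsets both advance in 0x20000 steps, which is what you would see from a 128 KiB erase-block device walking its bad-block replacement table. The following added example (not code from bcm2-utils or from either participant) extracts exactly those facts from a constructed excerpt in the same format; the regexes match the NandFlashRead messages quoted in this issue and nothing else.

```python
"""Parse the bootloader messages that bcm2dump prints as 'context' when a
flash read stalls, and summarise what the NAND driver was doing.  Added
example, not part of bcm2-utils; SAMPLE_CONTEXT is a constructed excerpt in
the same format as the log quoted in this issue."""
import re
from collections import Counter
from functools import reduce
from math import gcd

SAMPLE_CONTEXT = """\
  ==> 'NandFlashRead: Found replacement block at 0x75a0000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xa00000'
  ==> 'NandFlashRead: Found replacement block at 0x75c0000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xa20000'
  <== ''
  ==> 'NandFlashRead: Found replacement block at 0x75e0000'
  ==> 'NandFlashRead: Detected out-of-order block @offset 0x6bc0000, tagged offset 0x0, expected offset 0xa40000'
"""

# In bcm2dump's context output '==>' marks a line received from the device
# and '<==' one sent to it (here, an empty line).
REPLACEMENT_RE = re.compile(r"Found replacement block at (0x[0-9a-fA-F]+)")
OUT_OF_ORDER_RE = re.compile(
    r"Detected out-of-order block @offset (0x[0-9a-fA-F]+), "
    r"tagged offset (0x[0-9a-fA-F]+), expected offset (0x[0-9a-fA-F]+)")


def parse_context(text):
    """Return ('replacement', addr) and ('out_of_order', phys, tagged, expected) tuples."""
    events = []
    for line in text.splitlines():
        if not line.lstrip().startswith("==>"):
            continue  # skip what we sent and blank lines
        m = REPLACEMENT_RE.search(line)
        if m:
            events.append(("replacement", int(m.group(1), 16)))
            continue
        m = OUT_OF_ORDER_RE.search(line)
        if m:
            events.append(("out_of_order",) + tuple(int(g, 16) for g in m.groups()))
    return events


def stride(values):
    """GCD of the steps between consecutive values (0 if fewer than two distinct values)."""
    steps = [abs(b - a) for a, b in zip(values, values[1:]) if b != a]
    return reduce(gcd, steps, 0)


def summarize(text):
    events = parse_context(text)
    replacements = [e[1] for e in events if e[0] == "replacement"]
    ooo = [e for e in events if e[0] == "out_of_order"]
    expected = [e[3] for e in ooo]
    return {
        "replacement_blocks": replacements,
        # how often each physical block was flagged, and with which tag
        "flagged_physical_blocks": Counter(e[1] for e in ooo),
        "tagged_offsets": sorted({e[2] for e in ooo}),
        "expected_offsets": expected,
        # erase-block size implied by how far each step advances
        "block_size": gcd(stride(replacements), stride(expected)),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_CONTEXT)
    print("erase block size: 0x%x" % s["block_size"])
    print("physical blocks flagged out-of-order:",
          {hex(k): v for k, v in s["flagged_physical_blocks"].items()})
    print("replacement blocks:", [hex(a) for a in s["replacement_blocks"]])
```

Feed it the full context section from a -vv run (everything after "context:") to see whether the stalled read keeps hitting one block, which points at the device's bad-block handling rather than at the serial transport.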

jclehner commented 5 years ago

Dumping the flash with the profile does not work up to now. Same error as before. It does something when not specifying a profile, but it dumps only ~0.5 KB.

Using the latest patch, you should be able to dump flash from the bootloader.

Currently it's spamming the console with "Attempting Downstream FEC lock" messages. Is there any way to get rid of those?

Try the command /docsis_ctl/scan_stop.

Can you enable the console somehow at boot?

Yes, but the mechanism depends on the firmware. Please post the output of the following commands:

./bcm2dump -vv -P ch7485e run /dev/ttyUSB0 "/help"
./bcm2dump -vv -P ch7485e run /dev/ttyUSB0 "/non-vol/help"

Also note that you shouldn't need to run bcm2dump as root.

jclehner commented 5 years ago

@bayvita Any update on this? Were you able to dump the firmware?

jclehner commented 4 years ago

Closing due to inactivity.