jclehner / bcm2-utils

Utilities for Broadcom-based cable modems
GNU General Public License v3.0

Dumping flash/nvram on Netgear C6300BD-1TLAUS #20

Open icjuego opened 4 years ago

icjuego commented 4 years ago

Hi! I have a Netgear C6300BD-1TLAUS cable modem- the variant is specific to Telstra, an Australian ISP. I don't have a cable connection- I got it off a friend (who also no longer has cable). I've been using it as a wireless access point. It's based on the BCM3384 chip.

I opened it up and got access to the linux console (which isn't helpful, it turns off during boot) and the eCos console. I don't have the username/password for the eCos console but can use the bootloader menu.

Following the instructions here, the issue from someone with a different BCM3384 router, and with some extremely dodgy reverse engineering, I made the attached profile, and tried to use the bootloader to dump image2+dhtml from flash, and permnv+dynnv from nvram. They all appeared to work, but only downloaded FFFF etc from flash and 0000 etc from NVRAM.

So I rebooted it. It seems my dodgy profile wiped the NVRAM. Whooooops! I took a backup of the web console settings before I messed with it, so I can still use it as a wireless access point. But it's lost its default wireless name- it now defaults to Telstra0000 instead of the correct one. Also it flashes most of the lights constantly- before it only flashed the cable downstream because I have no cable.

Anyway, I guess I've lost the original NVRAM contents, which is a shame. But I'd still like to download the flash and vennv if I can. Attached is my patch, the bootloader, boot log (post-nvram wipe), partition info, and bootloader crash log.

bootloader.bin.gz bootlog.txt crash.txt partitions.txt c6300bd.patch.txt

jclehner commented 4 years ago

Hi! Unfortunately, you used the address of SpiFlashWrite (0x83f8119c) as the read function of the NVRAM section. This explains why the code wiped the NVRAM instead of reading from it! I've pushed a commit that adds your profile, but I've fixed the function address (plus some minor stuff). This means that dumping from NVRAM should work now! Please try, and report back!

jclehner commented 4 years ago

> I don't have the username/password for the eCos console

Were you successful in dumping image1? If so, the key should be in there somewhere! If you want, you can send me the dump file and I'll take a look, once I find the time!

icjuego commented 4 years ago

Ahahaha yes that would do it. Tried it, successfully dumped NVRAM and the other flash partitions :) Turns out I'd managed to dump two empty flash partitions before, and assumed it wasn't working as a result. linuxapps, dhtml, and image2 are empty. image1 is eCos. linux and linuxkfs both seem to have different versions of the linux system, and binwalk says they have squashfs buried in them.

I did have to change a few chunk_timeouts in rwx.cc from their default 60s value, as some of the flash partitions take about 2-3 minutes to start returning data. Otherwise it errors out with (for example) error: read incomplete chunk 0x059c0000: 0/16384. I think it's the router causing this, though it's possible it's my ghetto teensy-as-usb-serial-converter. Once that first lag is done, it works at normal speed.

I've had a brief look at the eCos image and tried a few user/pass combinations (admin, broadcom, r3qu1r3m3nt5) but no luck yet. I'm good with intel assembly but not with mips! Any tips for tools to look at the image? I tried putting it into IDA but it doesn't detect the majority of the code, and I don't want to manually go through the whole thing... maybe I haven't given it the right settings.

I haven't had a chance to look further than that so far, but now it's the weekend I'll have a look at the squashfs buried in the linux partitions!

Here are the interesting flash partitions for your viewing pleasure: image1.bin.gz linux.bin.gz linuxkfs.bin.gz

jclehner commented 4 years ago

> I tried putting it into IDA but it doesn't detect the majority of the code, and I don't want to manually go through the whole thing... maybe I haven't given it the right settings.

The images, once extracted using ProgramStore, are raw MIPS machine code. The load address is specified in the image file, but every single one I've seen uses 0x80004000.

icjuego commented 4 years ago

I had some time for another look. Dunno how I missed it last time but one working username/password combo at least is MSO/changeme. This also allows access to the web interface- a nice little hidden backdoor.

This allows me to do one of the things I wanted... which is to put it in bridge mode and disable the dhcp server that serves addresses in the 192.168.100.x range.

I should be able to turn on the linux console, ssh access, etc too, just haven't tried yet.

If there's anything else you'd like to see the output of let me know!

icjuego commented 4 years ago

I also managed to get IDA to convert all the code- just manually selected everything up to the strings and forced it. So that's nice.

jclehner commented 4 years ago

> I had some time for another look. Dunno how I missed it last time but one working username/password combo at least is MSO/changeme.

Does the serial console require a password as well, or are you referring to telnet? If this is not telnet, what does the login prompt look like?

> I should be able to turn on the linux console, ssh access, etc too, just haven't tried yet.

To access the serial console, you'd have to mess with the linuxkfs image!

icjuego commented 4 years ago

Sorry, I should have been more clear. I got access to the eCos serial console, which required the username MSO, password changeme. The same username and password also works for the web interface (though I already have the normal admin password for that).

I disabled the DHCP server by killing its thread through the eCos serial console. Bridge mode seems to solve my wifi stability issues which is great! I couldn't use it before because the 192.168.100.x DHCP server kept interfering with my real DHCP server, and you can't disable it in the web interface when in bridge mode.

Haven't done much more with it yet!

icjuego commented 4 years ago

The prompt looks like this:

Type 'help' or '?' for a list of commands...

Username:MSO

Password:changeme

CM>

jclehner commented 4 years ago

Very interesting, that's the first device to have a password-protected serial console. I'll have to add support for that in the future!

jclehner commented 4 years ago

How does the prompt behave if you press ENTER twice, without entering any username or password?

icjuego commented 4 years ago

Like this:

Username:
Username:

etc.

Note the lack of extra linefeed here. Also I made an error in the earlier comment where I entered the correct username- there is no space after the colon. I've edited that comment to correct it though.

(if you log in, there's no way to log out- neither exit nor quit commands get the Username: prompt back. I rebooted it to check what it would do)

icjuego commented 4 years ago

I also get a lot of log spam. Unedited version looks more like this:

Didn't run the system; use 'run_app' to start things...

NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!

Type 'help' or '?' for a list of commands...

Username:NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!

...

NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
Username:
Username:
Username:
Username:NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
NtgrSmartmeshDrvThread::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!

jclehner commented 4 years ago

Thanks! Another question: according to the firmware you sent me, the MSO / changeme combination should appear in your GatewaySettings.bin file, listed as http_admin_{user,pass} by bcm2cfg. Can you verify that this is the case? Also, does changing this value actually change the login credentials?

icjuego commented 4 years ago

I haven't found the GatewaySettings.bin encryption key or method yet. There's a lot of repeated 39 9A C7 04 00 17 28 C3 in the file, presumably zero blocks. And I did see some DES magic constants in the code. But I haven't gotten further than that in finding the key yet.

jclehner commented 4 years ago

Interesting! Can you send me a sample via email?

icjuego commented 4 years ago

Ok, sent! I changed a few of the ssids/passwords etc first so if they look a little odd that's why.

jclehner commented 4 years ago

It's indeed DES, and the key is aabbccddeeffaabb. I've added that in the latest commits, but it's a work in progress, as the file size and checksum are not interpreted correctly yet.

jclehner commented 4 years ago

Apparently, the value of the size field at offset 96 includes the length of the magic string (74 bytes), version (2 bytes), plus itself (4 bytes), so one must subtract 80 to get the correct data size.

The whole of gwsettings.cc is a complete mess, including the padding stuff. I'm planning a rewrite soon though, so stay posted!
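
Two things in this thread are worth having as a reusable check: the repeated 39 9A C7 04 00 17 28 C3 block that icjuego noticed is the classic fingerprint of ECB-mode encryption (no chaining, so identical plaintext blocks such as zero padding become identical ciphertext blocks), and the size-field arithmetic above (raw value minus 74 + 2 + 4 = 80). The script below is an added example, not code from bcm2-utils or from either participant. It assumes the size field is big-endian and that the encrypted data begins immediately after it; the header bytes of the sample file are constructed placeholders, only the size-field offset, the overhead and the repeated block value come from the thread.

```python
import struct
from collections import Counter

DES_BLOCK = 8
SIZE_OFFSET = 96            # offset of the size field, as reported in the thread
SIZE_OVERHEAD = 74 + 2 + 4  # magic string + version + the size field itself = 80

# The 8-byte ciphertext block that repeats through the real file (from the thread).
REPEATED_BLOCK = bytes.fromhex("399ac704001728c3")


def data_size_from_header(blob):
    """Payload length implied by the size field: the raw value counts the
    80 bytes of fixed overhead, so subtract them. Big-endian is an assumption."""
    if len(blob) < SIZE_OFFSET + 4:
        raise ValueError("blob too short for a size field at offset %d" % SIZE_OFFSET)
    (raw,) = struct.unpack_from(">I", blob, SIZE_OFFSET)
    if raw < SIZE_OVERHEAD:
        raise ValueError("size field %d is below the fixed overhead %d" % (raw, SIZE_OVERHEAD))
    return raw - SIZE_OVERHEAD


def block_histogram(data, block=DES_BLOCK):
    """Count identical block-aligned chunks; a trailing partial block is ignored."""
    usable = len(data) - len(data) % block
    return Counter(data[i:i + block] for i in range(0, usable, block))


def ecb_fingerprint(data, block=DES_BLOCK):
    """Return (repeat_ratio, most_common_block, its_count). Any block seen twice
    in ciphertext is the ECB tell: equal plaintext blocks (e.g. zero padding)
    map to equal ciphertext blocks because nothing chains them."""
    hist = block_histogram(data, block)
    total = sum(hist.values())
    if total == 0:
        return 0.0, b"", 0
    top, count = hist.most_common(1)[0]
    return count / total, top, count


def analyse(blob):
    """Assumption: the encrypted data starts right after the size field."""
    size = data_size_from_header(blob)
    start = SIZE_OFFSET + 4
    payload = blob[start:start + size]
    if len(payload) != size:
        raise ValueError("size field claims %d data bytes, only %d present" % (size, len(payload)))
    ratio, top, count = ecb_fingerprint(payload)
    return {
        "data_size": size,
        "repeat_ratio": ratio,
        "top_block": top.hex(),
        "ecb_suspected": count >= 2,
    }


def build_sample():
    """Constructed sample: placeholder header, then a size field and a payload of
    6 distinct blocks followed by 10 copies of the block seen in the real file."""
    distinct = b"".join(bytes(range(i, i + DES_BLOCK))
                        for i in range(0, 6 * DES_BLOCK, DES_BLOCK))
    payload = distinct + REPEATED_BLOCK * 10
    header = bytearray(SIZE_OFFSET)          # zero-filled placeholder, not the real layout
    header[:11] = b"CONSTRUCTED"
    size_field = struct.pack(">I", SIZE_OVERHEAD + len(payload))
    return bytes(header) + size_field + payload


if __name__ == "__main__":
    print(analyse(build_sample()))
```

On a real dump, a high repeat ratio with one dominant block is what tells you the file is worth attacking as ECB with a fixed key before any key is known; on the defender's side it is the same signal that a settings backup format leaks structure and should use an authenticated mode with a per-device key.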

icjuego commented 4 years ago

Haha they love the basic keys. Great, will do, thanks again!