Closed MalaikaBegum closed 3 years ago
Huh, weird. The modem I've successfully tested this with just now gives the exact same output. I've pushed a few commits, please try again and post the output.
With 28913341b2a1af2b366785cbb2e293d9386a40c5 I got much better results:
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash linux linux.bin
../aeolus/ProgramStore/ProgramStore -f linux.bin -o linux.out -x
Signature: d06e
Control: 0005
Major Rev: 0002
Minor Rev: 0017
Build Time: 2020/4/29 09:41:53 Z
File Length: 1507236 bytes
Load Address: 7e000000
Filename: FAST3686_DNA_3.490.0-T3-l-20200429.bin
HCS: 8876
CRC: 7648cd35
Performing CRC on Image...
Detected LZMA compressed image... decompressing...
Decompressed length unknown. Padded to 28311552 bytes.
.
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.bin
hd linuxapps.bin |head
00000000 d0 6e 01 00 00 02 00 17 5e a9 4b e9 00 29 ff a4 |.n......^.K..)..|
00000010 7e 00 00 00 46 41 53 54 33 36 38 36 5f 44 4e 41 |~...FAST3686_DNA|
00000020 5f 33 2e 34 39 30 2e 30 2d 54 33 2d 61 70 70 2d |_3.490.0-T3-app-|
00000030 32 30 32 30 30 34 32 39 2e 62 69 6e 00 00 00 00 |20200429.bin....|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 01 90 00 |................|
00000050 00 28 00 00 a9 34 00 00 87 58 ba 30 63 60 90 86 |.(...4...X.0c`..|
00000060 aa 8c e0 0a df be b6 fd f7 68 b6 98 5e f3 12 23 |.........h..^..#|
00000070 e9 f3 d6 1b a5 71 49 87 80 94 f0 cd 40 6e 4f 84 |.....qI.....@nO.|
00000080 34 5f b3 7f 1d b3 8a ee 9c 8c 13 5f df af 43 80 |4_........._..C.|
00000090 aa a4 85 f7 9f 69 a8 81 e3 57 3c 30 8b 7c 75 55 |.....i...W<0.|uU|
../aeolus/ProgramStore/ProgramStore -f linuxapps.bin -o linuxapps.out -x
Signature: d06e
Control: 0100
Major Rev: 0002
Minor Rev: 0017
Build Time: 2020/4/29 09:42:01 Z
File Length: 2752420 bytes
Load Address: 7e000000
Filename: FAST3686_DNA_3.490.0-T3-app-20200429.bin
HCS: a934
CRC: 8758ba30
Performing CRC on Image...
Image CRC failed!
hd linuxapps.out
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
1c980000
#linuxapps.out contains only 458MB of 0x00.
Is there just a bug in ProgramStore in crc verification: https://github.com/Broadcom/aeolus/blob/master/ProgramStore/decompress/decompress.cpp#L390
uint32 ulCrc; if ( ulCrc == pProgramHeader->ulcrc )
https://github.com/Broadcom/aeolus/blob/master/ProgramStore/ProgramStore.h#L46 unsigned long ulcrc;
-> Type mismatch. Or corrupted dump?
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash dhtml dhtml.bin
hd dhtml.bin
00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00240000
-> Contains only 0xff. Should dhtml.bin have content?
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash image1 image1.bin
../aeolus/ProgramStore/ProgramStore -f image1.bin -o image1.out -x
Signature: d06e
Control: 0005
Major Rev: 0003
Minor Rev: 0000
Build Time: 2020/4/29 09:03:54 Z
File Length: 5432693 bytes
Load Address: 80004000
Filename: FAST3686_DNA_3.490.0-T3-20200429.bin
HCS: 48df
CRC: 3cc23180
Performing CRC on Image...
Detected LZMA compressed image... decompressing...
Decompressed length unknown. Padded to 84934656 bytes.
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash image2 image2.bin
hd image2.bin
00000000 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00d80000
-> Should image2.bin have some content?
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
error: failed to open partition linuxkfs
==> 'ERROR: Invalid value for parameter bootloader|image1|image2|image3|image3e|perm|dhtml|dyn! 'linuxkfs' Must match one of the tokens!'
linuxkfs failed.
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD nvram permnv permnv.bin
./bcm2cfg -f perm info permnv.bin
type : perm
profile : (unknown)
checksum: 4e28a421 (ok)
size : 15250 (ok)
.
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD nvram dynnv dynnv.bin
./bcm2cfg info dynnv.bin
type : dyn
profile : (unknown)
checksum: f7d88d1e (ok)
size : 30555 (ok)
.
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD nvram bootloader bootloader.bin
./bcm2cfg list bootloader.bin
error: invalid or encrypted file
hd bootloader.bin | head
00000000 10 00 00 05 00 00 00 00 06 10 15 7f 06 f8 61 80 |..............a.|
00000010 7a b8 00 80 00 40 00 80 00 00 00 00 00 00 00 00 |z....@..........|
00000020 40 08 b0 03 00 08 47 c2 11 00 00 05 00 00 00 00 |@.....G.........|
00000030 3c 08 b3 20 25 08 41 d0 01 00 00 08 00 00 00 00 |<.. %.A.........|
00000040 3c 08 1f a0 35 08 00 0c 40 88 b0 06 3c 08 bf a0 |<...5...@...<...|
00000050 8d 09 00 1c 3c 01 c0 00 01 21 48 25 ad 09 00 1c |....<....!H%....|
00000060 3c 08 b4 e0 24 09 01 18 ad 09 0f 00 3c 08 b3 20 |<...$.......<.. |
00000070 35 08 40 00 3c 09 bf c0 25 2a 02 00 8d 2b 00 00 |5.@.<...%*...+..|
00000080 25 08 00 04 25 29 00 04 15 2a ff fc ad 0b ff fc |%...%)...*......|
00000090 3c 0b b3 20 25 6b 40 a0 01 60 00 08 00 00 00 00 |<.. %k@..`......|
bootloader.bin is not an empty file. (README.md said that a serial connection is needed for dumping the bootloader.)
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD ram 0x80004000 ram.bin
error: read incomplete chunk 0x80004000: 0/96
Maybe dumping RAM needs similar fix.
I'm trying another idea:
image1.out (output of ProgramStore) contains peculiar strings:
linuxTelnet Enable/Disable
The Linux Side Telnet Service.
linuxTelnet 1 Enable the Linux Side Telnet Service.
linuxTelnet 0 Disable the Linux Side Telnet Service.
telnet 192.168.1.1
RG_Console>su
$agem001
RG>find_command linux
/non-vol/msc/linuxTelnet
RG> /non-vol/msc/help linuxTelnet
COMMAND: linuxTelnet
USAGE: linuxTelnet [Number{0..1}]
DESCRIPTION:
Enable/Disable The Linux Side Telnet Service.
EXAMPLES:
linuxTelnet 1 -- Enable the Linux Side Telnet Service.
linuxTelnet 0 -- Disable the Linux Side Telnet Service.
RG> /non-vol/msc/linuxTelnet 1
Readying to start The Linux Side Telnet Service.
The Linux side Telnet Service is ENABLED
This opened one more telnet, this time on IP=192.168.1.100:
nmap 192.168.1.100
23/tcp open telnet syn-ack ttl 64 security DVR telnetd (many brands)
But I'm missing one more password:
telnet 192.168.1.100
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.
(none) login:
Neither the webgui nor the telnet (192.168.1.1=RG and 192.168.100.1=CM) passwords are working. I also found a couple of potential ones, but no: spectrum:spectrum Broadcom:Broadcom
Maybe it is possible to dump rest of the firmware from Linux side.
(Note: Linux side telnet is not permanent, /non-vol/msc/linuxTelnet is disabled when rebooted.)
Hi!
Is there just a bug in ProgramStore in crc verification [...] or corrupted dump?
Comparing a uint32_t with an unsigned long will yield the expected result. The dump is likely corrupted. This happens on many devices, as reading from NAND can sometimes yield incorrect results, due to an apparently faulty error recovery mechanism in the firmware. This requires patching the correct function - usually just writing a single 32 bit value to the correct memory location. I'll need your firmware image1 for that.
Should image2.bin have some content?
Some devices use only one image. It's possible that a future firmware update will be written to image2, however.
README.md said that serial connection is needed for dumping bootloader
You don't need a serial connection for dumping the bootloader itself. It's just that some devices have an unlocked bootloader that can be used for dumping firmware images.
bootloader.bin is not empty file.
This is raw machine code, and represents the stage 1 bootloader. Embedded in this partition (usually within the first 4 KiB) you'll find a ProgramStore image for the stage 2 bootloader. Look for the string ecram_sto.bin or ram.sto - the image starts 26 bytes before this string (probably with 0x3384). Below is an example taken from the TC7200's bootloader, which uses 0x3383 instead:
$ hexdump -C bootloader.bin
...
00000670 33 83 00 05 00 00 00 00 50 29 ae 8c 00 00 5d 07 |3.......P)....].|
00000680 83 f8 00 00 72 61 6d 2e 73 74 6f 00 00 00 00 00 |....ram.sto.....|
00000690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
...
$ dd if=bootloader.bin of=bootloader2.bin bs=$((0x670)) skip=1
$ ProgramStore -x -f bootloader2.bin
Signature: 3383
Control: 0005
Major Rev: 0000
Minor Rev: 0000
Build Time: 2012/8/14 01:49:00 Z
File Length: 23815 bytes
Load Address: 83f80000
Filename: ram.sto
HCS: b2ae
CRC: 92d1a142
Performing CRC on Image...
Detected LZMA compressed image... decompressing...
Decompressed length unknown. Padded to 383328 bytes.
Can you send me your bootloader.bin along with image1.bin?
None of webgui nor telnet (192.168.1.1=RG and 192.168.100.1=CM) passwords are working.
Can you send me your permnv and dynnv dumps as well - maybe it's in there somewhere. If not, it's somewhere on the Linux filesystem. This will require non-corrupted dumps of linuxkfs and linuxapps (see my post above on how to get those).
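The header fields that ProgramStore prints in this thread can be read directly from a dump, and the embedded stage 2 image can be located by signature plus header plausibility. The following is an added example, not code from the thread, bcm2-utils or ProgramStore. Assumptions: the 92-byte big-endian layout is inferred by matching the ProgramStore output above against the linuxapps.bin hex dump, the names `parse_header`, `find_images` and `sample_bootloader` are hypothetical, and the bootloader blob is constructed around the TC7200 header bytes quoted above.

```python
import struct
from datetime import datetime, timezone
from typing import NamedTuple

# Assumed layout (inferred from the hex dump and ProgramStore output in this thread):
# sig, control, major, minor, build time, length, load address, 48-byte name,
# 8 pad bytes, two further 32-bit lengths, HCS, reserved, CRC.
_HDR = struct.Struct(">HHHHIII48s8xIIHHI")  # 92 bytes


class PsHeader(NamedTuple):
    signature: int
    control: int
    major: int
    minor: int
    build_time: datetime
    length: int
    load_addr: int
    filename: str
    part1_len: int
    part2_len: int
    hcs: int
    crc: int


def parse_header(buf, offset=0):
    """Return a PsHeader, or None if the bytes are not a plausible header."""
    if offset + _HDR.size > len(buf):
        return None
    (sig, ctrl, major, minor, ts, length, load,
     raw_name, len1, len2, hcs, reserved, crc) = _HDR.unpack_from(buf, offset)
    name, _, tail = raw_name.partition(b"\0")
    # Plausibility: non-empty printable name, NUL padding after it,
    # zero reserved field, non-zero declared length.
    if not name or tail.strip(b"\0") or reserved != 0 or length == 0:
        return None
    if not all(0x20 <= c < 0x7F for c in name):
        return None
    return PsHeader(sig, ctrl, major, minor,
                    datetime.fromtimestamp(ts, tz=timezone.utc),
                    length, load, name.decode("ascii"), len1, len2, hcs, crc)


def find_images(blob, signatures):
    """Return [(offset, header)] for each plausible header whose length fits in blob."""
    hits = []
    for sig in signatures:
        needle = sig.to_bytes(2, "big")
        off = blob.find(needle)
        while off != -1:
            hdr = parse_header(blob, off)
            if hdr and off + hdr.length <= len(blob):
                hits.append((off, hdr))
            off = blob.find(needle, off + 1)
    return sorted(hits, key=lambda hit: hit[0])


# First 96 bytes of linuxapps.bin, copied from the hex dump earlier in this thread.
LINUXAPPS_HEAD = bytes.fromhex(
    "d0 6e 01 00 00 02 00 17 5e a9 4b e9 00 29 ff a4"
    "7e 00 00 00 46 41 53 54 33 36 38 36 5f 44 4e 41"
    "5f 33 2e 34 39 30 2e 30 2d 54 33 2d 61 70 70 2d"
    "32 30 32 30 30 34 32 39 2e 62 69 6e 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 01 90 00"
    "00 28 00 00 a9 34 00 00 87 58 ba 30 63 60 90 86"
)


def sample_bootloader():
    """Constructed blob: filler, a decoy signature, then the TC7200 header at 0x670."""
    head = bytes.fromhex("33 83 00 05 00 00 00 00 50 29 ae 8c 00 00 5d 07 83 f8 00 00")
    # Name and padding from the hex dump; HCS and CRC from the ProgramStore output.
    # The two extra length fields are not shown in the thread, so they are zeroed.
    hdr = head + b"ram.sto".ljust(56, b"\0") + bytes(8) + bytes.fromhex("b2ae 0000 92d1a142")
    filler = bytearray(b"\x3c\x08" * (0x670 // 2))  # stands in for stage 1 code
    filler[0x100:0x102] = b"\x33\x83"               # decoy: signature bytes, no header
    return bytes(filler) + hdr + bytes(23815)        # zeroed payload of the declared size


if __name__ == "__main__":
    print(parse_header(LINUXAPPS_HEAD))
    for off, hdr in find_images(sample_bootloader(), (0x3383, 0x3384)):
        print(hex(off), hdr.filename, hdr.length)
```

Control values 0005 and 0100 are the two seen in this thread; ProgramStore reported the first as LZMA compressed and the second as non-compressed.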
I have sent files bootloader.bin image1.bin permnv dynnv.bin to your email.
I got bootloader unpacked with your instructions:
dd if=bootloader.bin of=bootloader2.bin bs=$((0x710)) skip=1
../aeolus/ProgramStore/ProgramStore -x -f bootloader2.bin -o bootloader2.out
Signature: 3384
Control: 0005
Major Rev: 0000
Minor Rev: 0000
Build Time: 2017/5/26 22:30:56 Z
File Length: 24864 bytes
Load Address: 83f80000
Filename: ram.sto
HCS: 90b5
CRC: 4a94e58b
Performing CRC on Image...
Detected LZMA compressed image... decompressing...
Decompressed length unknown. Padded to 382368 bytes.
I will dump linuxapps a couple of times during the next few days to see if I get a non-corrupted dump.
Thanks, I've just started looking into it. Regarding the Linux telnet password, I've found the following, maybe it works:
$ bcm2cfg -v dump dynnv.bin grp_nas | hexdump -C
failed to parse group firewall
00000000 00 2e 4e 41 53 2e 00 02 00 53 07 53 43 2d 4c 56 |..NAS....S.SC-LV|
00000010 47 00 0a 57 4f 52 4b 47 52 4f 55 50 00 00 00 01 |G..WORKGROUP....|
00000020 01 06 61 64 6d 69 6e 00 05 31 32 33 34 00 |..admin..1234.|
0000002e
Hi, please try the latest commit. This should allow dumping all NAND partitions, including linuxkfs and linuxapps! The profile should now be detected automatically, so you can omit -P fast3686.
The password in dynnv.bin grp_nas relates to Network Attached Storage (Samba share if USB storage is attached).
Using web-gui I changed Storage Advanced->Network Attached Storage->Advanced Settings->Administrator User Name and Password. Rebooted. Dumped dynnv. And now it shows the new password. And this is not accepted by Linux-telnet.
./bcm2cfg -v dump dynnv.bin_new grp_nas | hexdump -C
failed to parse group firewall
00000000 00 36 4e 41 53 2e 00 02 00 53 07 53 43 2d 4c 56 |.6NAS....S.SC-LV|
00000010 47 00 0a 57 4f 52 4b 47 52 4f 55 50 00 00 00 01 |G..WORKGROUP....|
00000020 01 06 61 64 6d 69 6e 00 0d 4e 41 53 2d 70 61 73 |..admin..NAS-pas|
00000030 73 77 6f 72 64 00 |sword.|
00000036
If I try to dump without giving profile (with version fead0f04040120ba4ef17fd7180bafc20d7675ca)
./bcm2dump dump 192.168.100.1,Admin,PASSWORD nvram dynnv dynnv.bin_new
error: telnet: read incomplete chunk 0x80624d90: 0/16
With forced profile it works:
./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD nvram dynnv dynnv.bin_new
dumping nvram:0x003c0000-0x003fffff (262144 b)
100.00% (0x003fffff) 5.95k bytes/s (ELT 00:00:43)
Same happens when trying linuxkfs. Dumping linuxkfs with profile:
./bcm2dump dump -P fast3686 -vvv 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-37-g2891334
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM>'
<== ''
<== ''
==> ''
==> 'CM>'
==> ''
==> 'CM>'
<== '/flash/open linuxkfs'
==> ''
==> (empty)
==> 'ERROR: Invalid value for parameter bootloader|image1|image2|image3|image3e|perm|dhtml|dyn! 'linuxkfs' Must match one of the tokens!'
==> (empty)
==> 'COMMAND: open'
==> (empty)
==> 'USAGE: open bootloader|image1|image2|image3|image3e|perm|dhtml|dyn'
==> (empty)
==> 'DESCRIPTION:'
==> 'Opens the flash driver for use by the console (locking out the rest of the'
==> 'application!) so that you can use the read/write/erase commands. NOTE: If'
==> 'you do something that would cause the driver to be opened again (write'
==> 'nonvol, dload an image, etc), then the operation will be blocked until you'
==> 'run the close command, or it may fail.'
==> (empty)
==> 'EXAMPLES:'
==> 'open image2 -- Opens the image2 region for read/write/erase'
==> (empty)
==> 'CM>'
<== '/flash/close'
<== '/exit'
error: failed to open partition linuxkfs
Dumping linuxkfs without profile:
./bcm2dump dump -vvvv 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-37-g2891334
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== '/exit'
error: telnet: read incomplete chunk 0x80624d90: 0/16
I dumped linuxapps several times and then got a couple with the same hash, and now ProgramStore understands it:
../aeolus/ProgramStore/ProgramStore -f linuxapps.bin -x -o linuxapps.out
Signature: d06e
Control: 0100
Major Rev: 0002
Minor Rev: 0017
Build Time: 2020/4/29 09:42:01 Z
File Length: 2752420 bytes
Load Address: 7e000000
Filename: FAST3686_DNA_3.490.0-T3-app-20200429.bin
HCS: a934
CRC: 8758ba30
Performing CRC on Image...
Loading non-compressed image...
Length: 2752420
-> linuxapps.out is a 458MB file, has several UBI#-strings and binwalk finds one hit:
binwalk linuxapps.out
130980 0x1FFA4 UBI erase count header, version: 1, EC: 0x2, VID header offset: 0x800, data offset: 0x1000
But I can't get files out. Tried with these: https://github.com/jrspruitt/ubi_reader
ubireader_list_files linuxapps.out
UBI Fatal: Less than 2 layout blocks found.
ubireader_list_files linuxapps.out -v
guess_start_offset Found UBI magic number at 130980
guess_filetype Looking for file type at 130980
guess_filetype File looks like a UBI image.
UBI_File Open Path: linuxapps.out
UBI_File File Size: 479723520
UBI_File Start Offset: 130980
UBI_File End Offset: 479723428
UBI_File File Tail Size: 92
UBI_File Block Size: 131072
UBI_File read loc: 130980, size: 131072
vid_hdr CRC Failed: expected 0xb730eb2 got 0xffffffff
extract_blocks Block: PEB# 0: LEB# -1
extract_blocks file addr: 130980
extract_blocks PEB: 0 has possible issue EC_HDR [], VID_HDR [crc]
https://github.com/nlitsme/ubidump Doesn't understand the header of the file
dd if=linuxapps.out of=ubi.ubi bs=130980 skip=1
python ubidump.py ubi.ubi --listfiles
==> ubi.ubi <==
no volume directory, 1 physical volumes
ERROR UbiBlocks instance has no attribute 'vtbl'
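Repeating a dump until two copies share a hash, as done above, can be refined by comparing the copies block by block, which shows where the NAND reads disagree and lets a consensus image be assembled. The following is an added example, not part of the thread or of bcm2-utils. Assumptions: the 128 KiB block size is the erase size reported by nandsim and ubireader in this thread, the names `block_digests`, `compare_dumps` and `demo` are hypothetical, and the sample dumps are constructed.

```python
import hashlib
import sys
from collections import Counter

BLOCK = 128 * 1024  # erase block size reported for this NAND in the thread


def block_digests(dump, block=BLOCK):
    """SHA-256 of each block-sized slice of one dump."""
    return [hashlib.sha256(dump[i:i + block]).digest()
            for i in range(0, len(dump), block)]


def compare_dumps(dumps, block=BLOCK):
    """Compare repeated dumps of one partition block by block.

    Returns (consensus, report). consensus is None when some block has no
    strict majority; report lists unanimous, majority and unresolved blocks.
    """
    if len(dumps) < 2:
        raise ValueError("need at least two dumps")
    if len({len(d) for d in dumps}) != 1:
        raise ValueError("dumps differ in length; re-dump the same range")
    per_dump = [block_digests(d, block) for d in dumps]
    report = {"unanimous": 0, "majority": {}, "unresolved": []}
    out = bytearray()
    for idx, column in enumerate(zip(*per_dump)):
        digest, votes = Counter(column).most_common(1)[0]
        if votes == len(dumps):
            report["unanimous"] += 1
        elif votes * 2 > len(dumps):
            # Record which dumps disagree with the majority for this block.
            report["majority"][idx] = [i for i, d in enumerate(column) if d != digest]
        else:
            report["unresolved"].append(idx)
        src = column.index(digest)
        out += dumps[src][idx * block:(idx + 1) * block]
    consensus = None if report["unresolved"] else bytes(out)
    return consensus, report


def demo():
    """Constructed input: three 64-byte dumps, 16-byte blocks, two read errors."""
    good = bytes(range(64))
    bad1 = bytearray(good)
    bad1[20] ^= 0x01          # corrupts block 1 of the second dump
    bad2 = bytearray(good)
    bad2[50] ^= 0x80          # corrupts block 3 of the third dump
    return compare_dumps([good, bytes(bad1), bytes(bad2)], block=16)


if __name__ == "__main__":
    if len(sys.argv) > 3:
        # Usage: script.py OUT dump1.bin dump2.bin [dump3.bin ...]
        images = []
        for path in sys.argv[2:]:
            with open(path, "rb") as fh:
                images.append(fh.read())
        merged, rep = compare_dumps(images)
        for idx, losers in sorted(rep["majority"].items()):
            print(f"block {idx} @ {idx * BLOCK:#010x}: outvoted dumps {losers}")
        for idx in rep["unresolved"]:
            print(f"block {idx} @ {idx * BLOCK:#010x}: no majority, dump again")
        if merged is not None:
            with open(sys.argv[1], "wb") as fh:
                fh.write(merged)
    else:
        print(demo()[1])
```

A majority is only a heuristic, since the same faulty read can repeat, so the merged file should still pass the ProgramStore CRC check before it is trusted.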
linuxapps.out is 458MB file, has several UBI#-strings [...] But I can't get files out.
These UBI dump tools sometimes don't work. Your best bet is writing the file to a simulated NAND device (Linux has nandsim.ko). If you send me the .bin file, I'll see what I can do!
I sent linuxapps.bin with mail.
I'm reading how to use nandsim (http://www.linux-mtd.infradead.org/faq/nand.html#L_nand_nandsim) but I don't get how to figure parameters. I tried one example, but no go:
sudo modprobe nandsim first_id_byte=0x20 second_id_byte=0xac third_id_byte=0x00 fourth_id_byte=0x15
[nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[nandsim] warning: write_byte: command (0x90) wasn't expected, expected state is STATE_READY, ignore previous states
nand: device found, Manufacturer ID: 0x20, Chip ID: 0xac
nand: ST Micro NAND 512MiB 1,8V 8-bit
nand: 512 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
flash size: 512 MiB
page size: 2048 bytes
OOB area size: 64 bytes
sector size: 128 KiB
pages number: 262144
pages per sector: 64
bus width: 8
bits in sector size: 17
bits in page size: 11
bits in OOB size: 6
flash size with OOB: 540672 KiB
page address bytes: 5
sector address bytes: 3
options: 0x8
Scanning device for bad blocks
[nandsim] warning: write_byte: command (0x0) wasn't expected, expected state is STATE_READY, ignore previous states
Creating 1 MTD partitions on "NAND 512MiB 1,8V 8-bit":
0x000000000000-0x000020000000 : "NAND simulator partition 0"
[nandsim] warning: CONFIG_MTD_PARTITIONED_MASTER must be enabled to expose debugfs stuff
sudo nandwrite /dev/mtd0 linuxapps.out
Writing data to block 0 at offset 0x0
Writing data to block 1 at offset 0x20000
...
Writing data to block 3658 at offset 0x1c940000
Writing data to block 3659 at offset 0x1c960000
sudo modprobe ubi mtd=/dev/mtd0,4096
modprobe: ERROR: could not insert 'ubi': Invalid argument
ubi0: default fastmap pool size: 200
ubi0: default fastmap WL pool size: 100
ubi0: attaching mtd0
ubi0: scanning is finished
ubi0 error: ubi_read_volume_table [ubi]: the layout volume was not found
ubi0 error: ubi_attach_mtd_dev [ubi]: failed to attach mtd0, error -22
UBI error: cannot attach mtd0
UBI error: cannot initialize UBI, error -22
I sent linuxapps.bin with mail.
The file.io link results in a 404 error!
[...] but I don't get how to figure parameters.
I've had success in the past with the following commands (0x800 is the VID header offset):
modprobe ubi
ubiattach -O $((0x800)) -p /dev/mtd0
mount -t ubifs /dev/ubi0_0 /mnt/ubi
Resent linuxapps.bin.
Resent linuxapps.bin.
I've received the file, but it won't extract:
$ ProgramStore2 -x -f linuxapps_valid.bin
No output file name specified. Using linuxapps_valid.out.
Signature: d06e
Control: 0100
Major Rev: 0002
Minor Rev: 0017
Build Time: 2020/4/29 09:42:01 Z
File Length: 2752420 bytes
Load Address: 7e000000
Filename: FAST3686_DNA_3.490.0-T3-app-20200429.bin
HCS: a934
CRC: 8758ba30
Performing CRC on Image...
Image -135139320 CRC failed!
Please try the latest commit, and send the output and resulting io.log of:
$ bcm2dump -vv -L io.log info 192.168.100.1,Admin,PASSWORD
This should detect both the profile, and the firmware version. If it does, try dumping linuxapps and linuxkfs again.
Oops, I used a modified version of ProgramStore which just skips CRC. It produces somehow sane linuxapps_valid.out so I totally forgot it.
6a6b885b5712c131d8c09bf29399a7a0e07ebedc needs one cleanup:
diff --git a/Makefile b/Makefile
index 211cd7b..b9739fc 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ endif
profile_OBJ = profile.o profiledef.o
bcm2dump_OBJ = io.o rwx.o interface.o ps.o bcm2dump.o \
- util.o progress.o mipsasm.o $(profile_OBJ)
+ util.o progress.o $(profile_OBJ)
bcm2cfg_OBJ = util.o nonvol2.o bcm2cfg.o nonvoldef.o \
gwsettings.o $(profile_OBJ) crypto.o
psextract_OBJ = util.o ps.o psextract.o
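Review bot: the bcm2dump_OBJ line drops mipsasm.o without saying why, and the patch touches nothing else. Please state the reason in the commit message (for example, whether the source file is gone or merely unused at 6a6b885) and check that no other rule in the Makefile, such as a clean target or a dependency list, still names mipsasm, so the build does not break in the other direction.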
Without profile it won't work:
./bcm2dump -vv -L io.log info 192.168.100.1,Admin,PASSWORD
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== '/exit'
error: telnet: read incomplete chunk 0x80010000: 0/16
context:
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== '/exit'
I added one sleep and got info working (smaller sleep time is not enough)
diff --git a/rwx.cc b/rwx.cc
index c31cdfa..2172e99 100644
--- a/rwx.cc
+++ b/rwx.cc
@@ -261,6 +261,7 @@ string parsing_rwx::read_chunk_impl(uint32_t offset, uint32_t length, uint32_t r
unsigned timeout = chunk_timeout(offset, length);
do {
+ usleep(75000);
while ((!length || chunk.size() < length) && m_intf->pending()) {
throw_if_interrupted();
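Review bot: the usleep(75000) at the top of the do loop in parsing_rwx::read_chunk_impl is unconditional, so every pass of the loop for every chunk pays 75 ms on all interfaces and devices, which will dominate the run time of a multi-megabyte dump. Consider waiting for pending data with a bound derived from the existing timeout value instead of a fixed sleep, or make the delay a named, per-profile setting with a comment explaining why this device needs it. The hunk also does not show an include for usleep, so confirm that <unistd.h> is pulled in by rwx.cc.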
./bcm2dump -vv -L io.log info 192.168.100.1,Admin,PASSWORD
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0
fast3686: Sagemcom F@ST 3686
============================
pssig 0xd06e
blsig 0x3384
ram 0x80000000 - 0x9fffffff ( 512 MB) RW
------------------------------------------------------
(no partitions defined)
nvram 0x00000000 - 0x003fffff ( 4 MB) RO
------------------------------------------------------
bootloader 0x00000000 - 0x0000ffff ( 64 KB)
permnv 0x00010000 - 0x0002ffff ( 128 KB)
dynnv 0x003c0000 - 0x003fffff ( 256 KB)
flash 0x00000000 - 0x07ffffff ( 128 MB) RO
------------------------------------------------------
linuxapps 0x00000000 - 0x04c3ffff ( 78080 KB)
image1 0x04c40000 - 0x059bffff ( 13824 KB)
image2 0x059c0000 - 0x0673ffff ( 13824 KB)
linux 0x06740000 - 0x06bbffff ( 4608 KB)
linuxkfs 0x06bc0000 - 0x07dbffff ( 18 MB)
dhtml 0x07dc0000 - 0x07ffffff ( 2304 KB)
And io.log:
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8 9665003c 0c41a8a2 00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120 0c41abf4 24a571b8 96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6 8fbf0114 0c1ec594 00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005 00a21821 24630008 24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018 8fb10014 8fb00010 03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024 0c36f75a 02002021 1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001 0106102a 10400003 0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f 6e3a2020 25730a00 62636d56 | rsion: %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 6f6f746c 6f616465 72207061 72616d65 | ootloader parame'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 50687920 53656c65 6374696f 6e000000 | Phy Selection...'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25 78000000 25733f20 5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354 33363836 5f444e41 5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864 760492845 842019376 808727097 | 90.0-T3-20200429'
detected profile fast3686(bfc), version DNA_3.490.0
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () []'
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM>'
<== '/exit'
When dumping (linuxkfs or linuxapps) with the sleep, the router reboots and I get an empty file:
./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
read incomplete chunk 0x82f00014: 0/16; retrying
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
read incomplete chunk 0x83f8ea40: 0/16; retrying
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
---.--% (0x06bc0000) 0 | 0 bytes/s (ETA 00:00:00)
error: read1: Connection reset by peer
cat io.log
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8 9665003c 0c41a8a2 00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120 0c41abf4 24a571b8 96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6 8fbf0114 0c1ec594 00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005 00a21821 24630008 24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> 'CM_Console> /system/diag readmem'
<== ''
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b9c8 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 812a0000 00000008 434d4170'
==> ''
==> (empty)
==> '82f00014: ffffffff ffffffff ffffffff ffffffff | ................'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x82f00014: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> ''
==> (empty)
==> '82f00014: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018 8fb10014 8fb00010 03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024 0c36f75a 02002021 1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001 0106102a 10400003 0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f 6e3a2020 25730a00 62636d56 | rsion: %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 6f6f746c 6f616465 72207061 72616d65 | ootloader parame'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> 'CM_Console> /system/diag readmem'
<== ''
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b9c8 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 81268000 00000008 434d4170'
==> ''
==> (empty)
==> '83f8ea40: 50687920 53656c65 6374696f 6e000000 | Phy Selection...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x83f8ea40: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> ''
==> (empty)
==> '83f8ea40: 50687920 53656c65 6374696f 6e000000 | Phy Selection...'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25 78000000 25733f20 5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354 33363836 5f444e41 5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864 760492845 842019376 808727097 | 90.0-T3-20200429'
detected profile fast3686(bfc), version DNA_3.490.0
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () []'
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM>'
<== '/call func -a 0xa03e1940 0x06bc0000 0x07dc0000'
==> ''
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
<== '/write_memory -s 4 0xa03e1598 0x10000018'
==> (empty)
==> 'Calling function 0xa03e1940(0x6bc0000, 0x7dc0000)'
==> (empty)
==> 'CM>'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x85f00000 0x06bc0000 0x01200000'
==> ''
<== '/read_memory -s 4 -n 8192 0x85f00000'
==> (empty)
==> 'Calling function 0xa03e1408(0x85f00000, 0x6bc0000, 0x1200000)'
<== ''
During dumping I can be logged in to 192.168.1.1 (RG>) and there the only log I see is
CM processor has crashed!
I'm also tinkering with a FAST3686v2.
bcm2dump dump -vv -F -P fast3686 192.168.100.1,admin,pass flash linuxapps ./out/linuxapps.bin
I'm able to dump linux img fine using profile. ProgramStore can extract linux, but linuxapps fails similar to @MalaikaBegum, tried without CRC check as well.
Here is my io.log:
./bcm2dump -vv -L io.log info 192.168.100.1,admin,pass
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
read incomplete chunk 0x80010000: 0/16; retrying
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
read incomplete chunk 0x80eb8a90: 0/16; retrying
read incomplete chunk 0x80eb8a90: 0/16; retrying
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
adjusting dump params: 0x812df0e5,24 -> 0x812df0e4,32
adjusting dump params: 0x83f8f188,10 -> 0x83f8f188,16
adjusting dump params: 0x814e8eac,10 -> 0x814e8eac,16
adjusting dump params: 0x814e953c,10 -> 0x814e953c,16
adjusting dump params: 0x83f8e618,14 -> 0x83f8e618,16
adjusting dump params: 0x85f00014,6 -> 0x85f00014,16
profile auto-detection failed
su password is '$agem001'
io.log
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'admin'
==> 'admin'
==> 'Password:'
<== 'toor'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00603821 24020001 afa201bc 8fa201bc | .`8!$...........'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00603821 24020001 afa201bc 8fa201bc | .`8!$...........'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> (empty)
==> '8070244c: 24a56f20 8c430000 8c63fff4 00431821 | $.o .C...c...C.!'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 0c41ad1a 24a57518 00408821 96620094 | .A..$.u..@.!.b..'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> 'CM_Console> /system/diag readmem'
<== ''
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b328 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 80a28000 00000008 434d4170'
==> ''
==> (empty)
==> '80eb8a90: 3c050001 afb10004 34a55200 00808821 | <.......4.R....!'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80eb8a90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
<== ''
==> ''
==> (empty)
==> '80eb8a90: 3c050001 afb10004 34a55200 00808821 | <.......4.R....!'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
read incomplete chunk 0x80eb8a90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> ''
==> (empty)
==> '80eb8a90: 3c050001 afb10004 34a55200 00808821 | <.......4.R....!'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 8e030010 1060000b 00002821 24040012 | .....`....(!$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: 00000000 00000000 00010000 00000000 | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 3c05812e 24a5a600 3c06812e 0c26d771 | <...$...<....&.q'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 02021021 3463ffff 0062182b 5060ff0b | ...!4c...b.+P`..'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 00000000 00000000 00000000 0000003d | ...............='
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 8014d660 8014d660 8014d660 8014d660 | ...`...`...`...`'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 196cf8ff cbd25adb 127a9895 ad476d86 | .l....Z..z...Gm.'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 03a40000 27a40000 42435e00 62322f00 | ....'...BC^.b2/.'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 42dc1631 0e8186f0 d0993861 19de5a2d | B..1......8a..Z-'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 626c6500 2d3c2573 3e2d0920 456e7465 | ble.-<%s>-. Ente'
==> '2164797368: 1919512167 543585646 1663044096 1717660787 | ring func ..fals'
adjusting dump params: 0x812df0e5,24 -> 0x812df0e4,32
<== '/system/diag readmem -s 4 -n 32 0x812df0e4'
==> (empty)
==> ''
==> (empty)
==> '812df0e4: 6e61626c 65640000 312e332e 362e312e | nabled..1.3.6.1.'
==> '2167271668: 875442478 875835699 775040562 775040561 | 4.1.4413.2.2.2.1'
adjusting dump params: 0x83f8f188,10 -> 0x83f8f188,16
<== '/system/diag readmem -s 4 -n 16 0x83f8f188'
==> (empty)
==> ''
==> (empty)
==> '83f8f188: 04010000 0fac020c 000b0501 00020000 | ................'
adjusting dump params: 0x814e8eac,10 -> 0x814e8eac,16
<== '/system/diag readmem -s 4 -n 16 0x814e8eac'
==> (empty)
==> ''
==> (empty)
==> '814e8eac: 74732069 6e207072 6f677265 73730000 | ts in progress..'
adjusting dump params: 0x814e953c,10 -> 0x814e953c,16
<== '/system/diag readmem -s 4 -n 16 0x814e953c'
==> (empty)
==> ''
==> (empty)
==> '814e953c: 74696f6e 73000000 6e6f7420 61757468 | tions...not auth'
<== '/system/diag readmem -s 4 -n 16 0x85f00014'
==> (empty)
==> ''
==> (empty)
==> '85f00014: ffffffff ffffffff ffffffff ffffffff | ................'
<== '/system/diag readmem -s 4 -n 16 0x85f00014'
==> (empty)
==> ''
==> (empty)
==> '85f00014: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x83f8e618,14 -> 0x83f8e618,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e618'
==> (empty)
==> ''
==> (empty)
==> '83f8e618: 070f8c53 b481ffaa ba84131a 331048b5 | ...S........3.H.'
adjusting dump params: 0x85f00014,6 -> 0x85f00014,16
<== '/system/diag readmem -s 4 -n 16 0x85f00014'
==> (empty)
==> ''
==> (empty)
==> '85f00014: ffffffff ffffffff ffffffff ffffffff | ................'
profile auto-detection failed
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () []'
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM>'
su password is '$agem001'
<== '/exit'
I cannot get the auto-detection to work with and without added delay in rwx.cc. fast3686 should be correct.
My version FAST3686_DNA_3.495.0-20200715.bin
@MalaikaBegum the latest commits should make the usleep unnecessary. I also hope to have fixed the crash, by changing the buffer location.
@j0nh4t auto-detection currently relies on finding certain strings at certain memory locations. The latest commit should automatically detect your profile. If you want to dump all nand partitions however, this still requires a dedicated profile for your firmware version, so I'd still need your image1.
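Added example, not part of the original comments and not bcm2dump's code: a string-at-address check run over the `readmem` replies for 0x81082fa8 from the two logs above, one where detection succeeded and one where it failed. The prefix `FAST3686_DNA_` and the function names are assumptions; note that the console prints the second reply line in decimal (2164797368 is 0x81082fb8), so the parser accepts either base.

```python
import re
import struct

# A readmem reply line as logged: address, 32-bit words, then the ASCII column.
LINE_RE = re.compile(r"'([0-9a-f]+): ((?:[0-9a-f]+ )+)\| ")

# Reply lines copied from the io.log excerpts in this thread.
LOG_DETECTED = [
    "==> (empty)",
    "==> '81082fa8: 46415354 33363836 5f444e41 5f332e34 | FAST3686_DNA_3.4'",
    "==> '2164797368: 959458864 760492845 842019376 808727097 | 90.0-T3-20200429'",
]
LOG_FAILED = [
    "==> (empty)",
    "==> '81082fa8: 626c6500 2d3c2573 3e2d0920 456e7465 | ble.-<%s>-. Ente'",
    "==> '2164797368: 1919512167 543585646 1663044096 1717660787 | ring func ..fals'",
]

PROBE_ADDR = 0x81082FA8              # address read in both logs
EXPECTED_PREFIX = b"FAST3686_DNA_"   # assumption: prefix chosen for this example


def parse_readmem(lines, start):
    """Rebuild the raw bytes described by readmem reply lines.

    The expected address of each line (start, start+16, ...) decides whether
    the line is hex or decimal; the words on a line use the same base as its
    address (an assumption that holds for every reply in these logs).
    """
    data = bytearray()
    expect = start
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # prompts, '(empty)' markers, echoed commands
        addr_txt, words = m.group(1), m.group(2).split()
        for base in (16, 10):
            try:
                if int(addr_txt, base) == expect:
                    break
            except ValueError:
                continue  # hex digits cannot be read as decimal
        else:
            raise ValueError(f"gap or unknown base at {addr_txt!r}")
        for word in words:
            # Words are shown most significant byte first:
            # 46415354 corresponds to "FAST" in the ASCII column.
            data += struct.pack(">I", int(word, base))
        expect += 4 * len(words)
    return bytes(data)


def detect_version(lines, addr=PROBE_ADDR, prefix=EXPECTED_PREFIX):
    """Return the version string found at addr, or None if the prefix is absent."""
    data = parse_readmem(lines, addr)
    if not data.startswith(prefix):
        return None
    # The string may fill the whole read, so a terminating NUL is optional.
    return data.split(b"\0", 1)[0].decode("ascii")


if __name__ == "__main__":
    for name, log in (("detected", LOG_DETECTED), ("failed", LOG_FAILED)):
        print(name, detect_version(log), parse_readmem(log, PROBE_ADDR))
```

In the failing log the same address holds part of an unrelated format string (`ble\0-<%s>-\t Entering func`), which is why a fixed-address match on one firmware build returns nothing on another.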
@jclehner
Here is my image1.zip
I'm having issues dumping linuxkfs, I have attached linuxkfs.log. The value for /flash/open is incorrect, which one should it be?
bcm2dump dump -vv -F -P fast3686 192.168.100.1,admin,toor flash linuxkfs linuxkfs.bin
==> 'Password: () [] $agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
<== '/flash/open linuxkfs'
==> ''
==> (empty)
==> 'ERROR: Invalid value for parameter bootloader|image1|image2|image3|image3e|perm|dhtml|dyn! 'linuxkfs' Must match one of the tokens!'
==> (empty)
==> 'COMMAND: open'
==> (empty)
==> 'USAGE: open bootloader|image1|image2|image3|image3e|perm|dhtml|dyn'
==> (empty)
==> 'DESCRIPTION:'
==> 'Opens the flash driver for use by the console (locking out the rest of the'
==> 'application!) so that you can use the read/write/erase commands. NOTE: If'
==> 'you do something that would cause the driver to be opened again (write'
==> 'nonvol, dload an image, etc), then the operation will be blocked until you'
==> 'run the close command, or it may fail.'
==> (empty)
==> 'EXAMPLES:'
==> 'open image2 -- Opens the image2 region for read/write/erase'
==> (empty)
==> 'CM>'
<== '/flash/close'
==> ''
==> (empty)
==> 'Flash driver closed.'
==> (empty)
==> 'CM>'
<== '/exit'
@MalaikaBegum the latest commits should make the usleep unnecessary. I also hope to have fixed the crash, by changing the buffer location.
usleep is not needed anymore, and profile is autodetected.
But dumping linuxkfs and linuxapps is not working. This time the box reboots without any text in RG-console.
./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.bin_new2
bcm2dump v0.9.4-69-g30bf260
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0
dumping flash:0x00000000-0x04c3ffff (79953920 b)
---.--% (0x00000000) 0 | 0 bytes/s (ETA 00:00:00)
error: read incomplete chunk 0x00000000: 0/8192
context:
==> '2164797368: 959458864 760492845 842019376 808727097 | 90.0-T3-20200429'
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () [] $agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
<== '/docsis/scan_stop'
<== '/call func -a 0xa03e1940 0x00000000 0x04c40000'
<== ''
==> ''
==> (empty)
==> '[00:07:00 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain: (Scan Downstream Thread) Downstream Channel scan stopped!'
==> (empty)
==> ''
==> (empty)
==> 'Calling function 0xa03e1940(0, 0x4c40000)'
==> (empty)
==> ''
==> 'CM>'
<== '/write_memory -s 4 0xa03e1598 0x10000018'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x04c40000'
<== ''
==> ''
==> (empty)
==> 'Calling function 0xa03e1408(0x88000000, 0, 0x4c40000)'
<== '/read_memory -s 4 -n 8192 0x88000000'
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== '/exit'
cat io.log
bcm2dump v0.9.4-69-g30bf260
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8 9665003c 0c41a8a2 00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120 0c41abf4 24a571b8 96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6 8fbf0114 0c1ec594 00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005 00a21821 24630008 24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018 8fb10014 8fb00010 03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024 0c36f75a 02002021 1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001 0106102a 10400003 0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f 6e3a2020 25730a00 62636d56 | rsion: %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 3c000103 10490006 00372a00 012056f4 | <....I...7*.. V.'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 50687920 53656c65 6374696f 6e000000 | Phy Selection...'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25 78000000 25733f20 5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354 33363836 5f444e41 5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864 760492845 842019376 808727097 | 90.0-T3-20200429'
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () [] $agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
detected profile fast3686(bfc), version DNA_3.490.0
<== '/docsis/scan_stop'
<== '/call func -a 0xa03e1940 0x00000000 0x04c40000'
<== ''
==> ''
==> (empty)
==> '[00:07:00 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain: (Scan Downstream Thread) Downstream Channel scan stopped!'
==> (empty)
==> ''
==> (empty)
==> 'Calling function 0xa03e1940(0, 0x4c40000)'
==> (empty)
==> ''
==> 'CM>'
dumping flash:0x00000000-0x04c3ffff (79953920 b)
<== '/write_memory -s 4 0xa03e1598 0x10000018'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x04c40000'
<== ''
==> ''
==> (empty)
==> 'Calling function 0xa03e1408(0x88000000, 0, 0x4c40000)'
<== '/read_memory -s 4 -n 8192 0x88000000'
@j0nh4t @MalaikaBegum please try again, using the latest commits.
Profile detection seems to work.
./bcm2dump info -vv 192.168.100.1,admin,toor
bcm2dump v0.9.4-72-g775a828
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
adjusting dump params: 0x81083440,29 -> 0x81083440,32
detected profile fast3686(bfc), version DNA_3.490.0
fast3686: Sagemcom F@ST 3686
============================
pssig 0xd06e
blsig 0x3384
ram 0x80000000 - 0x8fffffff ( 256 MB) RW
------------------------------------------------------
(no partitions defined)
nvram 0x00000000 - 0x003fffff ( 4 MB) RO
------------------------------------------------------
bootloader 0x00000000 - 0x0000ffff ( 64 KB)
permnv 0x00010000 - 0x0002ffff ( 128 KB)
dynnv 0x003c0000 - 0x003fffff ( 256 KB)
flash 0x00000000 - 0x07ffffff ( 128 MB) RO
------------------------------------------------------
linuxapps 0x00000000 - 0x04c3ffff ( 78080 KB)
image1 0x04c40000 - 0x059bffff ( 13824 KB)
image2 0x059c0000 - 0x0673ffff ( 13824 KB)
linux 0x06740000 - 0x06bbffff ( 4608 KB)
linuxkfs 0x06bc0000 - 0x07dbffff ( 18 MB)
dhtml 0x07dc0000 - 0x07ffffff ( 2304 KB)
My modem is crashing now as well when trying to dump. Logs: linuxapps.log image1.log
I'm pretty sure that it has something to do with the buffer address. Can you try dumping just 1 KiB of the linuxapps partition?
$ bcm2dump -vv dump -L io.log 192.168.100.1,user,pass flash linuxapps,1k linuxapps.bin_1k
Also, on the firmware console, please try running the following command, and post its output:
CM> /call malloc -r 0x4c40000
I first checked
/call malloc -r 0x4c40000
Calling malloc(79953920)
Return value = 0 (0)
Router still reboots when trying to dump:
./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxapps,1k linuxapps.bin_new2
bcm2dump v0.9.4-72-g775a828
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x00000000-0x000003ff (1024 b)
---.--% (0x00000000) 0 | 0 bytes/s (ETA 00:00:00)
error: read incomplete chunk 0x00000000: 0/1024
context:
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
<== '/docsis/scan_stop'
<== '/call func -a 0xa03e1940 0x00000000 0x00000400'
<== ''
==> ''
==> (empty)
==> '[10:52:07 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain: (Scan Downstream Thread) Downstream Channel scan stopped!'
==> (empty)
==> ''
==> (empty)
==> 'Calling function 0xa03e1940(0, 0x400)'
==> (empty)
==> ''
==> 'CM>'
<== '/write_memory -s 4 0xa03e1598 0x10000018'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400'
<== ''
==> ''
==> (empty)
==> 'Calling function 0xa03e1408(0x88000000, 0, 0x400)'
==> (empty)
==> 'CM>'
<== '/read_memory -s 4 -n 1024 0x88000000'
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b988 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 81180000 00000008 434d4170'
==> '=====> send_dqm_message WARNING: send failed, retry 2'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303'
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== '/exit'
cat io.log
bcm2dump v0.9.4-72-g775a828
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8 9665003c 0c41a8a2 00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120 0c41abf4 24a571b8 96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6 8fbf0114 0c1ec594 00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005 00a21821 24630008 24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018 8fb10014 8fb00010 03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024 0c36f75a 02002021 1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001 0106102a 10400003 0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f 6e3a2020 25730a00 62636d56 | rsion: %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 3c000103 10490006 00372a00 012008cc | <....I...7*.. ..'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 02000000 00008048 02000b10 18008b01 | .......H........'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25 78000000 25733f20 5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354 33363836 5f444e41 5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864 760492845 842019376 808727097 | 90.0-T3-20200429'
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () [] $agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
detected profile fast3686(bfc), version DNA_3.490.0-T3
<== '/docsis/scan_stop'
<== '/call func -a 0xa03e1940 0x00000000 0x00000400'
<== ''
==> ''
==> (empty)
==> '[10:52:07 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain: (Scan Downstream Thread) Downstream Channel scan stopped!'
==> (empty)
==> ''
==> (empty)
==> 'Calling function 0xa03e1940(0, 0x400)'
==> (empty)
==> ''
==> 'CM>'
dumping flash:0x00000000-0x000003ff (1024 b)
<== '/write_memory -s 4 0xa03e1598 0x10000018'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400'
<== ''
==> ''
==> (empty)
==> 'Calling function 0xa03e1408(0x88000000, 0, 0x400)'
==> (empty)
==> 'CM>'
<== '/read_memory -s 4 -n 1024 0x88000000'
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b988 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 81180000 00000008 434d4170'
==> '=====> send_dqm_message WARNING: send failed, retry 2'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303'
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== '/exit'
error: read incomplete chunk 0x00000000: 0/1024
context:
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
<== '/docsis/scan_stop'
<== '/call func -a 0xa03e1940 0x00000000 0x00000400'
<== ''
==> ''
==> (empty)
==> '[10:52:07 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain: (Scan Downstream Thread) Downstream Channel scan stopped!'
==> (empty)
==> ''
==> (empty)
==> 'Calling function 0xa03e1940(0, 0x400)'
==> (empty)
==> ''
==> 'CM>'
<== '/write_memory -s 4 0xa03e1598 0x10000018'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400'
<== ''
==> ''
==> (empty)
==> 'Calling function 0xa03e1408(0x88000000, 0, 0x400)'
==> (empty)
==> 'CM>'
<== '/read_memory -s 4 -n 1024 0x88000000'
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b988 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 81180000 00000008 434d4170'
==> '=====> send_dqm_message WARNING: send failed, retry 2'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303'
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== '/exit'
Similar errors for me. Here are some additional logs:
./bcm2dump -vv info -L io.log 192.168.100.1,admin,toor
bcm2dump v0.9.4-72-g775a828
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
adjusting dump params: 0x81083440,29 -> 0x81083440,32
detected profile fast3686(bfc), version DNA_3.490.0
fast3686: Sagemcom F@ST 3686
============================
pssig 0xd06e
blsig 0x3384
ram 0x80000000 - 0x8fffffff ( 256 MB) RW
------------------------------------------------------
(no partitions defined)
nvram 0x00000000 - 0x003fffff ( 4 MB) RO
------------------------------------------------------
bootloader 0x00000000 - 0x0000ffff ( 64 KB)
permnv 0x00010000 - 0x0002ffff ( 128 KB)
dynnv 0x003c0000 - 0x003fffff ( 256 KB)
flash 0x00000000 - 0x07ffffff ( 128 MB) RO
------------------------------------------------------
linuxapps 0x00000000 - 0x04c3ffff ( 78080 KB)
image1 0x04c40000 - 0x059bffff ( 13824 KB)
image2 0x059c0000 - 0x0673ffff ( 13824 KB)
linux 0x06740000 - 0x06bbffff ( 4608 KB)
linuxkfs 0x06bc0000 - 0x07dbffff ( 18 MB)
dhtml 0x07dc0000 - 0x07ffffff ( 2304 KB)
CM> /call malloc -r 0x4c40000
Calling malloc(79953920)
Return value = 0 (0)
./bcm2dump -vv dump -L linuxapps_1k.log 192.168.100.1,admin,toor flash linuxapps,1k linuxapps.bin_1k linuxapps_1k.log image1_1k.log
Hmm... what happens if you execute the following commands manually?
@j0nh4t
/read_memory -s 4 -n 1024 0x88000000
/call func -a 0xa03e1e50 0x00000000 0x00000400
/call func -a 0xa03e1918 0x88000000 0x00000000 0x00000400
/read_memory -s 4 -n 1024 0x88000000
@MalaikaBegum
/read_memory -s 4 -n 1024 0x88000000
/call func -a 0xa03e1940 0x00000000 0x00000400
/call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400
/read_memory -s 4 -n 1024 0x88000000
Also try varying 0x88000000, e.g. try 0x86000000 or 0x87000000.
With value: 0x88000000
CM> /read_memory -s 4 -n 1024 0x88000000
88000000: 401a6800 00000000 335a007f 3c1b8000 | @.h.....3Z..<...
88000010: 277b0300 037ad820 8f7b0000 03600008 | '{...z. .{...`..
88000020: 00000000 3c0c8000 2d54332d 6170702d | ....<...-T3-app-
88000030: 32303230 30343239 2e62696e 00000000 | 20200429.bin....
88000040: 00000000 00000000 00000000 00019000 | ................
88000050: 00280000 a9340000 8758ba30 63609086 | .(...4...X.0c`..
88000060: aa8ce00a dfbeb6fd f768b698 5ef31223 | .........h..^..#
88000070: e9f3d61b a5714987 8094f0cd 406e4f84 | .....qI.....@nO.
88000080: 345fb37f 1db38aee 9c8c135f dfaf4380 | 4_........._..C.
88000090: aaa485f7 9f69a881 e3573c30 8b7c7555 | .....i...W<0.|uU
880000a0: c554c1f8 ab8a1158 c57acea0 bfad34f9 | .T.....X.z....4.
880000b0: 978b987e a67c201b b8574e27 1e5f08f1 | ...~.| ..WN'._..
880000c0: e94b1b0c e6befcac de757c31 f834bdc2 | .K.......u|1.4..
880000d0: 82f2732f bd6b7233 ef007747 df83cf56 | ..s/.kr3..wG...V
880000e0: ce546631 68ae8284 3c16aeaa 0b1c6223 | .Tf1h...<.....b#
880000f0: d2c89a0a 74c10313 29aecfea 0404cea7 | ....t...).......
88000100: 401a6800 00000000 335a007f 3c1b8000 | @.h.....3Z..<...
88000110: 277b0300 037ad820 8f7b0000 03600008 | '{...z. .{...`..
88000120: 00000000 3c0c8000 f973dd29 3b84b294 | ....<....s.);...
88000130: 3f7afe0e 1ac889b4 a174354f b45e595a | ?z.......t5O.^YZ
88000140: af14e6e0 2d97144f 917df4e5 961e54d2 | ....-..O.}....T.
88000150: 22b51c39 184ec125 a087f879 e49f5d4d | "..9.N.%...y..]M
88000160: a45b95ab 0f56fddb 3e236f48 aa54a8a8 | .[...V..>#oH.T..
88000170: e31dbe04 ba4abb87 086f0348 f6241492 | .....J...o.H.$..
88000180: 401a6800 00000000 335a007f 3c1b8000 | @.h.....3Z..<...
88000190: 277b0300 037ad820 8f7b0000 03600008 | '{...z. .{...`..
880001a0: 00000000 3c0c8000 c94cf1f0 3fdf0327 | ....<....L..?..'
880001b0: e666e183 8ef497ce c1c5a045 0740f2ca | .f.........E.@..
880001c0: 92b894a2 ea137f34 147c736e 5eafe8dd | .......4.|sn^...
880001d0: 573b8f2f 87c009f9 b0787b68 50aae70e | W;./.....x{hP...
880001e0: 550924a3 ca1a9132 318de945 8c207f68 | U.$....21..E. .h
880001f0: 0490d890 3ea9c0e2 f85948a3 0ef2fb23 | ....>....YH....#
88000200: 5c8cf4b1 318f8b77 df8a8ab4 1bc44d06 | \...1..w......M.
88000210: 276233ec f257606a c52de5ee ccfd9c78 | 'b3..W`j.-.....x
88000220: a63c5301 752b06c6 32e311ef ef2940c5 | .<S.u+..2....)@.
88000230: 81a3cd3f 78c9c3c2 2a6020dd 3b025866 | ...?x...*` .;.Xf
88000240: 3cfe8acf 9f23a191 3269dda8 8a20794b | <....#..2i... yK
88000250: b7f8d7e0 9257cfaa ff1253b0 20f14a68 | .....W....S. .Jh
88000260: 1d898f0a 57f915ef 746b02cc 8066f349 | ....W...tk...f.I
88000270: 233139d4 11c2a296 c5e4d72b bb79e9c5 | #19........+.y..
88000280: dcf66991 94724ca1 f055f59f d128e81e | ..i..rL..U...(..
88000290: db08720d 9004f291 011663f6 b17d1c98 | ..r.......c..}..
880002a0: b61fd744 ea177022 058c5101 34e861c5 | ...D..p"..Q.4.a.
880002b0: 5a3753e1 31c1bd4d 4c237e6c 2d9d9329 | Z7S.1..ML#~l-..)
880002c0: 4f8cae87 22d75d2f e2c768ca d4416a3b | O...".]/..h..Aj;
880002d0: 97a4cf62 a2f87db6 ff7ef603 bccdd3fc | ...b..}..~......
880002e0: 5d0ab571 96b94308 f9445e97 e9fcc121 | ]..q..C..D^....!
880002f0: fdef74ea 99c76b66 205aaddf f4bd9168 | ..t...kf Z.....h
88000300: 800043ec 800042e0 800042e0 800042e0 | ..C...B...B...B.
88000310: 800042e0 800042e0 800042e0 800042e0 | ..B...B...B...B.
88000320: 800042e0 800048cc 800042e0 800042e0 | ..B...H...B...B.
88000330: 800042e0 800042e0 800042e0 800042e0 | ..B...B...B...B.
88000340: 29f26ffd 053cfbc7 12785c3c b1694b95 | ).o..<...x\<.iK.
88000350: 3131623a 6483c478 b5496d64 59a71af7 | 11b:d..x.ImdY...
88000360: 7d102f2d 5cc35818 8df1a8ea 0ef8d4c5 | }./-\.X.........
88000370: 8368d361 3a84eb3c 0485ae3a a9a7de26 | .h.a:..<...:...&
88000380: 800042e0 800042e0 800042e0 8bb1b4ca | ..B...B...B.....
88000390: bf289c94 ba357bf5 57735999 955e6c9a | .(...5{.WsY..^l.
880003a0: 43559b1b 583a73bd 41b91b91 e5df26f6 | CU..X:s.A.....&.
880003b0: a7ae8687 444f744a a8189c0d 66e76fcc | ....DOtJ....f.o.
880003c0: 33ba4f9c e7d96f83 0a4a5c1a d37b152a | 3.O...o..J\..{.*
880003d0: aa8aecae d3be2156 d3840433 f1e233d3 | ......!V...3..3.
880003e0: 41c800be 1130fba1 fba030a0 44f9b815 | A....0....0.D...
880003f0: ee598c11 5fcdd06a f1fa9078 5ef73dae | .Y.._..j...x^.=.
CM> /call func -a 0xa03e1940 0x00000000 0x00000400
Calling function 0xa03e1940(0, 0x400)
CM> /call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400
Calling function 0xa03e1408(0x88000000, 0, 0x400)
CM> =====> send_dqm_message WARNING: send failed, retry 1
<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>
msg 0x8303b9d8 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0
Len: 4 38040000 81200000 00000008 434d4170
=====> send_dqm_message WARNING: send failed, retry 2
<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>
msg 0x8303b9d8 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0
Len: 4 3
And the router crashed in the middle of the output.
Next value: 0x86000000
CM> /read_memory -s 4 -n 1024 0x86000000
86000000: 3c1b864c 401a4000 8f7bc000 001ad582 | <..L@.@..{......
86000010: 001ad080 037ad821 401a2000 8f7b0000 | .....z.!@. ..{..
86000020: 001ad042 335a0ff8 037ad821 8f7a0000 | ...B3Z...z.!.z..
86000030: 8f7b0004 001ad182 409a1000 001bd982 | .{......@.......
86000040: 409b1800 04030001 42000006 00000000 | @.......B.......
86000050: 42000018 00000000 00000000 00000000 | B...............
86000060: 00000000 00000000 00000000 00000000 | ................
86000070: 00000000 00000000 00000000 00000000 | ................
86000080: 00000000 00000000 00000000 00000000 | ................
86000090: 00000000 00000000 00000000 00000000 | ................
860000a0: 00000000 00000000 00000000 00000000 | ................
860000b0: 00000000 00000000 00000000 00000000 | ................
860000c0: 00000000 00000000 00000000 00000000 | ................
860000d0: 00000000 00000000 00000000 00000000 | ................
860000e0: 00000000 00000000 00000000 00000000 | ................
860000f0: 00000000 00000000 00000000 00000000 | ................
86000100: 401a8000 241bfff8 035bd024 375a0002 | @...$....[.$7Z..
86000110: 409a8000 00000000 00000000 00000000 | @...............
86000120: 09803399 00000000 00000000 00000000 | ..3.............
86000130: 27bdffe0 afbf0018 afb10014 afb00010 | '...............
86000140: 00808821 3c028647 8c45dfec 10a00019 | ...!<..G.E......
86000150: 309000ff 90a20008 0202102b 14400012 | 0..........+.@..
86000160: 00000000 90a20009 0050102b 1440000e | .........P.+.@..
86000170: 00000000 8ca40024 10800030 24020002 | .......$...0$...
86000180: 401b6800 337b007c 3c1a864b 035bd021 | @.h.3{.|<..K.[.!
86000190: 8f5a7420 03400008 00000000 401b6800 | .Zt .@......@.h.
860001a0: 241a007c 337b007c 137a0007 241a0038 | $..|3{.|.z..$..8
860001b0: 137a0011 3c1a864b 035bd021 8f5a7420 | .z..<..K.[.!.Zt
860001c0: 03400008 00000000 401a4000 241bfffc | .@......@.@.$...
860001d0: 035bd024 4080e000 bf490000 bf570000 | .[.$@....I...W..
860001e0: 3c1a864b 275a75d0 8f5b0000 277b0001 | <..K'Zu..[..'{..
860001f0: af5b0000 42000018 401a4000 00000000 | .[..B...@.@.....
86000200: 098005c8 00000000 00000000 00000000 | ................
86000210: 00000000 00000000 00000000 00000000 | ................
86000220: 00000000 00000000 00000000 00000000 | ................
86000230: 00000000 00000000 00000000 00000000 | ................
86000240: 00000000 00000000 00000000 00000000 | ................
86000250: 00000000 00000000 00000000 00000000 | ................
86000260: 00000000 00000000 00000000 00000000 | ................
86000270: 00000000 00000000 00000000 00000000 | ................
86000280: 1000ffff 00000000 00000000 00000000 | ................
86000290: 00000000 00000000 00000000 00000000 | ................
860002a0: 00000000 00000000 00000000 00000000 | ................
860002b0: 00000000 00000000 00000000 00000000 | ................
860002c0: 00000000 00000000 00000000 00000000 | ................
860002d0: 00000000 00000000 00000000 00000000 | ................
860002e0: 00000000 00000000 00000000 00000000 | ................
860002f0: 00000000 00000000 00000000 00000000 | ................
86000300: 1000ffff 00000000 00000000 00000000 | ................
86000310: 00000000 00000000 00000000 00000000 | ................
86000320: 00000000 00000000 00000000 00000000 | ................
86000330: 00000000 00000000 00000000 00000000 | ................
86000340: 00000000 00000000 00000000 00000000 | ................
86000350: 00000000 00000000 00000000 00000000 | ................
86000360: 00000000 00000000 00000000 00000000 | ................
86000370: 00000000 00000000 00000000 00000000 | ................
86000380: 1000ffff 00000000 00000000 00000000 | ................
86000390: 00000000 00000000 00000000 00000000 | ................
860003a0: 00000000 00000000 00000000 00000000 | ................
860003b0: 00000000 00000000 00000000 00000000 | ................
860003c0: 00000000 00000000 00000000 00000000 | ................
860003d0: 00000000 00000000 00000000 00000000 | ................
860003e0: 00000000 00000000 00000000 00000000 | ................
860003f0: 81ae0250 00000000 00000000 00000000 | ...P............
CM> /call func -a 0xa03e1940 0x00000000 0x00000400
Calling function 0xa03e1940(0, 0x400)
CM> /call func -a 0xa03e1408 0x86000000 0x00000000 0x00000400
Calling function 0xa03e1408(0x86000000, 0, 0x400)
NandFlashRead: Detected out-of-order block @offset 0x0, tagged offset 0x0, expected offset 0xf9440000
NandFlashRead: Failed to find replacement block!
/read_memory -s 4 -n 1024 0x86000000
86000000: 3c1b864c 401a4000 8f7bc000 001ad582 | <..L@.@..{......
86000010: 001ad080 037ad821 401a2000 8f7b0000 | .....z.!@. ..{..
86000020: 001ad042 335a0ff8 037ad821 8f7a0000 | ...B3Z...z.!.z..
86000030: 8f7b0004 001ad182 409a1000 001bd982 | .{......@.......
86000040: 409b1800 04030001 42000006 00000000 | @.......B.......
86000050: 42000018 00000000 00000000 00000000 | B...............
86000060: 00000000 00000000 00000000 00000000 | ................
86000070: 00000000 00000000 00000000 00000000 | ................
86000080: 00000000 00000000 00000000 00000000 | ................
86000090: 00000000 00000000 00000000 00000000 | ................
860000a0: 00000000 00000000 00000000 00000000 | ................
860000b0: 00000000 00000000 00000000 00000000 | ................
860000c0: 00000000 00000000 00000000 00000000 | ................
860000d0: 00000000 00000000 00000000 00000000 | ................
860000e0: 00000000 00000000 00000000 00000000 | ................
860000f0: 00000000 00000000 00000000 00000000 | ................
86000100: 401a8000 241bfff8 035bd024 375a0002 | @...$....[.$7Z..
86000110: 409a8000 00000000 00000000 00000000 | @...............
86000120: 09803399 00000000 00000000 00000000 | ..3.............
86000130: 27bdffe0 afbf0018 afb10014 afb00010 | '...............
86000140: 00808821 3c028647 8c45dfec 10a00019 | ...!<..G.E......
86000150: 309000ff 90a20008 0202102b 14400012 | 0..........+.@..
86000160: 00000000 90a20009 0050102b 1440000e | .........P.+.@..
86000170: 00000000 8ca40024 10800030 24020002 | .......$...0$...
86000180: 401b6800 337b007c 3c1a864b 035bd021 | @.h.3{.|<..K.[.!
86000190: 8f5a7420 03400008 00000000 401b6800 | .Zt .@......@.h.
860001a0: 241a007c 337b007c 137a0007 241a0038 | $..|3{.|.z..$..8
860001b0: 137a0011 3c1a864b 035bd021 8f5a7420 | .z..<..K.[.!.Zt
860001c0: 03400008 00000000 401a4000 241bfffc | .@......@.@.$...
860001d0: 035bd024 4080e000 bf490000 bf570000 | .[.$@....I...W..
860001e0: 3c1a864b 275a75d0 8f5b0000 277b0001 | <..K'Zu..[..'{..
860001f0: af5b0000 42000018 401a4000 00000000 | .[..B...@.@.....
86000200: 098005c8 00000000 00000000 00000000 | ................
86000210: 00000000 00000000 00000000 00000000 | ................
86000220: 00000000 00000000 00000000 00000000 | ................
86000230: 00000000 00000000 00000000 00000000 | ................
86000240: 00000000 00000000 00000000 00000000 | ................
86000250: 00000000 00000000 00000000 00000000 | ................
86000260: 00000000 00000000 00000000 00000000 | ................
86000270: 00000000 00000000 00000000 00000000 | ................
86000280: 1000ffff 00000000 00000000 00000000 | ................
86000290: 00000000 00000000 00000000 00000000 | ................
860002a0: 00000000 00000000 00000000 00000000 | ................
860002b0: 00000000 00000000 00000000 00000000 | ................
860002c0: 00000000 00000000 00000000 00000000 | ................
860002d0: 00000000 00000000 00000000 00000000 | ................
860002e0: 00000000 00000000 00000000 00000000 | ................
860002f0: 00000000 00000000 00000000 00000000 | ................
86000300: 1000ffff 00000000 00000000 00000000 | ................
86000310: 00000000 00000000 00000000 00000000 | ................
86000320: 00000000 00000000 00000000 00000000 | ................
86000330: 00000000 00000000 00000000 00000000 | ................
86000340: 00000000 00000000 00000000 00000000 | ................
86000350: 00000000 00000000 00000000 00000000 | ................
86000360: 00000000 00000000 00000000 00000000 | ................
86000370: 00000000 00000000 00000000 00000000 | ................
86000380: 1000ffff 00000000 00000000 00000000 | ................
86000390: 00000000 00000000 00000000 00000000 | ................
860003a0: 00000000 00000000 00000000 00000000 | ................
860003b0: 00000000 00000000 00000000 00000000 | ................
860003c0: 00000000 00000000 00000000 00000000 | ................
860003d0: 00000000 00000000 00000000 00000000 | ................
860003e0: 00000000 00000000 00000000 00000000 | ................
860003f0: 81ae0250 00000000 00000000 00000000 | ...P............
(I booted the router in between.) Next value: 0x87000000
CM> /read_memory -s 4 -n 1024 0x87000000
87000000: d06e0100 00020017 5ea94be9 0029ffa4 | .n......^.K..)..
87000010: 7e000000 46415354 33363836 5f444e41 | ~...FAST3686_DNA
87000020: 5f332e34 39302e30 2d54332d 6170702d | _3.490.0-T3-app-
87000030: 32303230 30343239 2e62696e 00000000 | 20200429.bin....
87000040: 00000000 00000000 00000000 00019000 | ................
87000050: 00280000 a9340000 8758ba30 63609086 | .(...4...X.0c`..
87000060: aa8ce00a dfbeb6fd f768b698 5ef31223 | .........h..^..#
87000070: e9f3d61b a5714987 8094f0cd 406e4f84 | .....qI.....@nO.
87000080: 345fb37f 1db38aee 9c8c135f dfaf4380 | 4_........._..C.
87000090: aaa485f7 9f69a881 e3573c30 8b7c7555 | .....i...W<0.|uU
870000a0: c554c1f8 ab8a1158 c57acea0 bfad34f9 | .T.....X.z....4.
870000b0: 978b987e a67c201b b8574e27 1e5f08f1 | ...~.| ..WN'._..
870000c0: e94b1b0c e6befcac de757c31 f834bdc2 | .K.......u|1.4..
870000d0: 82f2732f bd6b7233 ef007747 df83cf56 | ..s/.kr3..wG...V
870000e0: ce546631 68ae8284 3c16aeaa 0b1c6223 | .Tf1h...<.....b#
870000f0: d2c89a0a 74c10313 29aecfea 0404cea7 | ....t...).......
87000100: 7313a6a6 6a9cb782 7aaff66f b149001d | s...j...z..o.I..
87000110: 0ef916bc 2aea93c4 0174816e b60a9cc3 | ....*....t.n....
87000120: 7e876f1e a48c40ed f973dd29 3b84b294 | ~.o...@..s.);...
87000130: 3f7afe0e 1ac889b4 a174354f b45e595a | ?z.......t5O.^YZ
87000140: af14e6e0 2d97144f 917df4e5 961e54d2 | ....-..O.}....T.
87000150: 22b51c39 184ec125 a087f879 e49f5d4d | "..9.N.%...y..]M
87000160: a45b95ab 0f56fddb 3e236f48 aa54a8a8 | .[...V..>#oH.T..
87000170: e31dbe04 ba4abb87 086f0348 f6241492 | .....J...o.H.$..
87000180: d579a1fd 88597ceb 4f512a36 f7fdec08 | .y...Y|.OQ*6....
87000190: 1504d046 4a773c3c c852c168 1108974e | ...FJw<<.R.h...N
870001a0: 7343619c 7951e612 c94cf1f0 3fdf0327 | sCa.yQ...L..?..'
870001b0: e666e183 8ef497ce c1c5a045 0740f2ca | .f.........E.@..
870001c0: 92b894a2 ea137f34 147c736e 5eafe8dd | .......4.|sn^...
870001d0: 573b8f2f 87c009f9 b0787b68 50aae70e | W;./.....x{hP...
870001e0: 550924a3 ca1a9132 318de945 8c207f68 | U.$....21..E. .h
870001f0: 0490d890 3ea9c0e2 f85948a3 0ef2fb23 | ....>....YH....#
87000200: 5c8cf4b1 318f8b77 df8a8ab4 1bc44d06 | \...1..w......M.
87000210: 276233ec f257606a c52de5ee ccfd9c78 | 'b3..W`j.-.....x
87000220: a63c5301 752b06c6 32e311ef ef2940c5 | .<S.u+..2....)@.
87000230: 81a3cd3f 78c9c3c2 2a6020dd 3b025866 | ...?x...*` .;.Xf
87000240: 3cfe8acf 9f23a191 3269dda8 8a20794b | <....#..2i... yK
87000250: b7f8d7e0 9257cfaa ff1253b0 20f14a68 | .....W....S. .Jh
87000260: 1d898f0a 57f915ef 746b02cc 8066f349 | ....W...tk...f.I
87000270: 233139d4 11c2a296 c5e4d72b bb79e9c5 | #19........+.y..
87000280: dcf66991 94724ca1 f055f59f d128e81e | ..i..rL..U...(..
87000290: db08720d 9004f291 011663f6 b17d1c98 | ..r.......c..}..
870002a0: b61fd744 ea177022 058c5101 34e861c5 | ...D..p"..Q.4.a.
870002b0: 5a3753e1 31c1bd4d 4c237e6c 2d9d9329 | Z7S.1..ML#~l-..)
870002c0: 4f8cae87 22d75d2f e2c768ca d4416a3b | O...".]/..h..Aj;
870002d0: 97a4cf62 a2f87db6 ff7ef603 bccdd3fc | ...b..}..~......
870002e0: 5d0ab571 96b94308 f9445e97 e9fcc121 | ]..q..C..D^....!
870002f0: fdef74ea 99c76b66 205aaddf f4bd9168 | ..t...kf Z.....h
87000300: 2fc030fc 32d69495 4e8c1395 b7cfd502 | /.0.2...N.......
87000310: 945a7c16 cc8392f7 b0308d92 a3e9d069 | .Z|......0.....i
87000320: 5005b858 b21ed293 9edc6ce0 dd6afaa1 | P..X......l..j..
87000330: 22d85910 76c16d93 605b5da9 3de9bed9 | ".Y.v.m.`[].=...
87000340: 29f26ffd 053cfbc7 12785c3c b1694b95 | ).o..<...x\<.iK.
87000350: 3131623a 6483c478 b5496d64 59a71af7 | 11b:d..x.ImdY...
87000360: 7d102f2d 5cc35818 8df1a8ea 0ef8d4c5 | }./-\.X.........
87000370: 8368d361 3a84eb3c 0485ae3a a9a7de26 | .h.a:..<...:...&
87000380: 82c337f2 a755b88e 675c8e1b 8bb1b4ca | ..7..U..g\......
87000390: bf289c94 ba357bf5 57735999 955e6c9a | .(...5{.WsY..^l.
870003a0: 43559b1b 583a73bd 41b91b91 e5df26f6 | CU..X:s.A.....&.
870003b0: a7ae8687 444f744a a8189c0d 66e76fcc | ....DOtJ....f.o.
870003c0: 33ba4f9c e7d96f83 0a4a5c1a d37b152a | 3.O...o..J\..{.*
870003d0: aa8aecae d3be2156 d3840433 f1e233d3 | ......!V...3..3.
870003e0: 41c800be 1130fba1 fba030a0 44f9b815 | A....0....0.D...
870003f0: ee598c11 5fcdd06a f1fa9078 5ef73dae | .Y.._..j...x^.=.
CM> /call func -a 0xa03e1940 0x00000000 0x00000400
Calling function 0xa03e1940(0, 0x400)
CM> /call func -a 0xa03e1408 0x87000000 0x00000000 0x00000400
Calling function 0xa03e1408(0x87000000, 0, 0x400)
CM> /read_memory -s 4 -n 1024 0x87000000
87000000: d06e0100 00020017 5ea94be9 0029ffa4 | .n......^.K..)..
87000010: 7e000000 46415354 33363836 5f444e41 | ~...FAST3686_DNA
87000020: 5f332e34 39302e30 2d54332d 6170702d | _3.490.0-T3-app-
87000030: 32303230 30343239 2e62696e 00000000 | 20200429.bin....
87000040: 00000000 00000000 00000000 00019000 | ................
87000050: 00280000 a9340000 8758ba30 63609086 | .(...4...X.0c`..
87000060: aa8ce00a dfbeb6fd f768b698 5ef31223 | .........h..^..#
87000070: e9f3d61b a5714987 8094f0cd 406e4f84 | .....qI.....@nO.
87000080: 345fb37f 1db38aee 9c8c135f dfaf4380 | 4_........._..C.
87000090: aaa485f7 9f69a881 e3573c30 8b7c7555 | .....i...W<0.|uU
870000a0: c554c1f8 ab8a1158 c57acea0 bfad34f9 | .T.....X.z....4.
870000b0: 978b987e a67c201b b8574e27 1e5f08f1 | ...~.| ..WN'._..
870000c0: e94b1b0c e6befcac de757c31 f834bdc2 | .K.......u|1.4..
870000d0: 82f2732f bd6b7233 ef007747 df83cf56 | ..s/.kr3..wG...V
870000e0: ce546631 68ae8284 3c16aeaa 0b1c6223 | .Tf1h...<.....b#
870000f0: d2c89a0a 74c10313 29aecfea 0404cea7 | ....t...).......
87000100: 7313a6a6 6a9cb782 7aaff66f b149001d | s...j...z..o.I..
87000110: 0ef916bc 2aea93c4 0174816e b60a9cc3 | ....*....t.n....
87000120: 7e876f1e a48c40ed f973dd29 3b84b294 | ~.o...@..s.);...
87000130: 3f7afe0e 1ac889b4 a174354f b45e595a | ?z.......t5O.^YZ
87000140: af14e6e0 2d97144f 917df4e5 961e54d2 | ....-..O.}....T.
87000150: 22b51c39 184ec125 a087f879 e49f5d4d | "..9.N.%...y..]M
87000160: a45b95ab 0f56fddb 3e236f48 aa54a8a8 | .[...V..>#oH.T..
87000170: e31dbe04 ba4abb87 086f0348 f6241492 | .....J...o.H.$..
87000180: d579a1fd 88597ceb 4f512a36 f7fdec08 | .y...Y|.OQ*6....
87000190: 1504d046 4a773c3c c852c168 1108974e | ...FJw<<.R.h...N
870001a0: 7343619c 7951e612 c94cf1f0 3fdf0327 | sCa.yQ...L..?..'
870001b0: e666e183 8ef497ce c1c5a045 0740f2ca | .f.........E.@..
870001c0: 92b894a2 ea137f34 147c736e 5eafe8dd | .......4.|sn^...
870001d0: 573b8f2f 87c009f9 b0787b68 50aae70e | W;./.....x{hP...
870001e0: 550924a3 ca1a9132 318de945 8c207f68 | U.$....21..E. .h
870001f0: 0490d890 3ea9c0e2 f85948a3 0ef2fb23 | ....>....YH....#
87000200: 5c8cf4b1 318f8b77 df8a8ab4 1bc44d06 | \...1..w......M.
87000210: 276233ec f257606a c52de5ee ccfd9c78 | 'b3..W`j.-.....x
87000220: a63c5301 752b06c6 32e311ef ef2940c5 | .<S.u+..2....)@.
87000230: 81a3cd3f 78c9c3c2 2a6020dd 3b025866 | ...?x...*` .;.Xf
87000240: 3cfe8acf 9f23a191 3269dda8 8a20794b | <....#..2i... yK
87000250: b7f8d7e0 9257cfaa ff1253b0 20f14a68 | .....W....S. .Jh
87000260: 1d898f0a 57f915ef 746b02cc 8066f349 | ....W...tk...f.I
87000270: 233139d4 11c2a296 c5e4d72b bb79e9c5 | #19........+.y..
87000280: dcf66991 94724ca1 f055f59f d128e81e | ..i..rL..U...(..
87000290: db08720d 9004f291 011663f6 b17d1c98 | ..r.......c..}..
870002a0: b61fd744 ea177022 058c5101 34e861c5 | ...D..p"..Q.4.a.
870002b0: 5a3753e1 31c1bd4d 4c237e6c 2d9d9329 | Z7S.1..ML#~l-..)
870002c0: 4f8cae87 22d75d2f e2c768ca d4416a3b | O...".]/..h..Aj;
870002d0: 97a4cf62 a2f87db6 ff7ef603 bccdd3fc | ...b..}..~......
870002e0: 5d0ab571 96b94308 f9445e97 e9fcc121 | ]..q..C..D^....!
870002f0: fdef74ea 99c76b66 205aaddf f4bd9168 | ..t...kf Z.....h
87000300: 2fc030fc 32d69495 4e8c1395 b7cfd502 | /.0.2...N.......
87000310: 945a7c16 cc8392f7 b0308d92 a3e9d069 | .Z|......0.....i
87000320: 5005b858 b21ed293 9edc6ce0 dd6afaa1 | P..X......l..j..
87000330: 22d85910 76c16d93 605b5da9 3de9bed9 | ".Y.v.m.`[].=...
87000340: 29f26ffd 053cfbc7 12785c3c b1694b95 | ).o..<...x\<.iK.
87000350: 3131623a 6483c478 b5496d64 59a71af7 | 11b:d..x.ImdY...
87000360: 7d102f2d 5cc35818 8df1a8ea 0ef8d4c5 | }./-\.X.........
87000370: 8368d361 3a84eb3c 0485ae3a a9a7de26 | .h.a:..<...:...&
87000380: 82c337f2 a755b88e 675c8e1b 8bb1b4ca | ..7..U..g\......
87000390: bf289c94 ba357bf5 57735999 955e6c9a | .(...5{.WsY..^l.
870003a0: 43559b1b 583a73bd 41b91b91 e5df26f6 | CU..X:s.A.....&.
870003b0: a7ae8687 444f744a a8189c0d 66e76fcc | ....DOtJ....f.o.
870003c0: 33ba4f9c e7d96f83 0a4a5c1a d37b152a | 3.O...o..J\..{.*
870003d0: aa8aecae d3be2156 d3840433 f1e233d3 | ......!V...3..3.
870003e0: 41c800be 1130fba1 fba030a0 44f9b815 | A....0....0.D...
870003f0: ee598c11 5fcdd06a f1fa9078 5ef73dae | .Y.._..j...x^.=.
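The before/after comparison of the buffer in the output above can be scripted instead of compared by eye. The Python below is an added example, not part of bcm2dump or of any post in this thread: it rebuilds bytes from /read_memory -s 4 output, rejects truncated captures, diffs two snapshots and decodes the image header. The 92-byte header layout is an assumption inferred by lining up the 0x87000000 rows with the ProgramStore output earlier in the thread, and all function names are hypothetical.

```python
import re
import struct
from datetime import datetime, timezone

# One output row: "87000000: d06e0100 00020017 5ea94be9 0029ffa4 | .n......"
ROW = re.compile(r"\b([0-9a-f]{8}): ((?:[0-9a-f]{8} )+)\|", re.I)

# Assumed layout (big-endian, 92 bytes), inferred from this thread's output:
# signature, control, major, minor, build time, file length, load address,
# 48-byte filename, 16 bytes not interpreted here, HCS, 2 reserved, CRC.
HEADER = struct.Struct(">4H3I48s16xH2xI")


class IncompleteDump(ValueError):
    """The console returned fewer bytes than were requested."""


def parse_read_memory(text, expected_len=None):
    """Rebuild (base_address, bytes) from console output, skipping noise."""
    base, data = None, bytearray()
    for line in text.splitlines():
        m = ROW.search(line)
        if not m:
            continue  # prompts, echoed commands, console warnings
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(data):
            raise ValueError(f"row 0x{addr:08x} is not contiguous")
        for word in m.group(2).split():
            # The ASCII column shows hex order equals byte order in memory.
            data += struct.pack(">I", int(word, 16))
    if base is None or (expected_len is not None and len(data) != expected_len):
        raise IncompleteDump(f"read incomplete chunk: {len(data)}/{expected_len}")
    return base, bytes(data)


def parse_ps_header(buf, pssig=0xD06E):
    """Decode the image header, or return None if the signature is absent."""
    if len(buf) < HEADER.size:
        return None
    sig, ctrl, major, minor, built, length, load, name, hcs, crc = HEADER.unpack_from(buf)
    if sig != pssig:
        return None
    return {
        "control": ctrl,
        "revision": (major, minor),
        "built": datetime.fromtimestamp(built, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "file_length": length,
        "load_address": load,
        "filename": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "hcs": hcs,
        "crc": crc,
    }


def changed_ranges(before, after):
    """Offsets (start, end), end exclusive, where two snapshots differ."""
    if len(before) != len(after):
        raise ValueError("snapshots differ in size")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(before)))
    return ranges


def compare_snapshots(before_text, after_text, size):
    """Diff the buffer as read before and after the flash-read call."""
    base, before = parse_read_memory(before_text, size)
    base_after, after = parse_read_memory(after_text, size)
    if base != base_after:
        raise ValueError("snapshots were taken at different addresses")
    return {"base": base, "changed": changed_ranges(before, after),
            "header": parse_ps_header(after)}


# First six rows of the 0x87000000 output posted above (96 of the 1024 bytes).
DUMP_87 = r"""
CM> /read_memory -s 4 -n 1024 0x87000000
87000000: d06e0100 00020017 5ea94be9 0029ffa4 | .n......^.K..)..
87000010: 7e000000 46415354 33363836 5f444e41 | ~...FAST3686_DNA
87000020: 5f332e34 39302e30 2d54332d 6170702d | _3.490.0-T3-app-
87000030: 32303230 30343239 2e62696e 00000000 | 20200429.bin....
87000040: 00000000 00000000 00000000 00019000 | ................
87000050: 00280000 a9340000 8758ba30 63609086 | .(...4...X.0c`..
"""

# Constructed sample: the same 96 bytes as an all-zero buffer.
STALE = "\n".join(f"{0x87000000 + off:08x}: " + "00000000 " * 4 + "| " + "." * 16
                  for off in range(0, 96, 16))

# Console output from the 0x88000000 attempt above: warnings, no dump rows.
CRASHED = r"""
CM> =====> send_dqm_message WARNING: send failed, retry 1
<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>
msg 0x8303b9d8 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0
Len: 4 38040000 81200000 00000008 434d4170
"""

if __name__ == "__main__":
    print(compare_snapshots(DUMP_87, DUMP_87, 96))
    print(compare_snapshots(STALE, DUMP_87, 96)["changed"][:3])
```

An empty "changed" list means the flash-read call left the buffer exactly as it was, so a header found there cannot be attributed to that call.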
Using the latest commits might fix this issue. Reading from flash is now done in 16 KiB blocks, instead of reading the whole partition, which in your linuxapps case is 78 MiB. I've also moved the buffer to 0x87000000!
With commit f585fe8602058c3a64e4fe80a5234877254f52cd: zero-sized outputs and router reboots.
./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-81-gf585fe8
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
---.--% (0x06bc0000) 0 | 0 bytes/s (ETA 00:00:00)
And then, two minutes later, the router reboots.
cat io.log
bcm2dump v0.9.4-81-gf585fe8
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING: Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== '/docsis/scan_stop'
==> ''
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> (empty)
==> ''docsis' is not a valid command table.'
==> (empty)
==> 'Type 'help' for information about valid commands and tables.'
==> (empty)
==> ''
==> (empty)
==> '80010000: 1000ffde 01c0c821 01eb1006 00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021 97a20004 a6020930 24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8 9665003c 0c41a8a2 00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120 0c41abf4 24a571b8 96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6 8fbf0114 0c1ec594 00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005 00a21821 24630008 24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018 8fb10014 8fb00010 03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff ffffffff ffffffff ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024 0c36f75a 02002021 1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001 0106102a 10400003 0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f 6e3a2020 25730a00 62636d56 | rsion: %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 62322f00 e7d477e3 00372a00 01204dca | b2/...w..7*.. M.'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 02000000 00008048 02002ae0 1800a401 | .......H..*.....'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25 78000000 25733f20 5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354 33363836 5f444e41 5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864 760492845 842019376 808727097 | 90.0-T3-20200429'
==> (empty)
==> 'CM_Console>'
<== 'su'
==> 'su'
==> (empty)
==> 'Password: () []'
<== '$agem001'
<== ''
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
detected profile fast3686(bfc), version DNA_3.490.0-T3
<== '/call func -a 0xa03e1940 0x06bc0000 0x07dc0000'
==> ''
<== ''
==> (empty)
==> 'Calling function 0xa03e1940(0x6bc0000, 0x7dc0000)'
==> (empty)
==> ''
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
<== '/write_memory -s 4 0xa03e1598 0x10000018'
==> 'CM>'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x87000000 0x06bc0000 0x01200000'
==> ''
<== ''
==> (empty)
==> 'Calling function 0xa03e1408(0x87000000, 0x6bc0000, 0x1200000)'
<== ''
<== ''
(skipped 100 similar rows)
<== ''
<== ''
==> (empty)
==> 'CM>'
<== '/read_memory -s 4 -n 8192 0x87000000'
(this is automatic retry, but router has already crashed)
./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.bin_2
bcm2dump v0.9.4-81-gf585fe8
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x00000000-0x04c3ffff (79953920 b)
---.--% (0x00000000) 0 | 0 bytes/s (ETA 00:00:00)
error: timeout while waiting for function 'read' to finish
Ah, sorry, of course. The chunked reads are implemented, but not used in both of your cases! I'll fix this over the weekend, stay tuned!
Please try the latest code!
Now dumping starts, but then fails.
./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-89-g07c7d20
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
0.04% (0x06bc2000) 0 | 0 bytes/s (ETA 00:00:00) FAST3686_DNA_3.490.0-T3-rootfs-20200429.bin (0xd06e, 12320676 b)
0.13% (0x06bc6000) 8.00k| 8.01k bytes/s (ETA 00:38:19)
error: failed to patch word at 0x803e1598
And I got only a 24K file. I didn't do anything but retry with a new output file (no resume).
./bcm2dump -vv dump -L io.log2 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin2
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
0.04% (0x06bc2000) 7.91k| 7.91k bytes/s (ETA 00:38:50) FAST3686_DNA_3.490.0-T3-rootfs-20200429.bin (0xd06e, 12320676 b)
13.28% (0x06e24000) 8.00k| 10.67k bytes/s (ETA 00:25:00)
error: failed to patch word at 0x803e1598
This time I got 2.4MB
Seems resuming is not working correctly:
./bcm2dump -R -vv dump 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin2
It transfers data, but the size of the output file is not growing (the modification time is changing).
This fails with the very same message
error: failed to patch word at 0x803e1598
linuxapps also starts but then stops with the same error.
./bcm2dump -vv dump -L io.log2 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.new
bcm2dump v0.9.4-89-g07c7d20
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x00000000-0x04c3ffff (79953920 b)
0.01% (0x00002000) 6.36k| 6.36k bytes/s (ETA 03:24:36) FAST3686_DNA_3.490.0-T3-app-20200429.bin (0xd06e, 2752420 b)
0.73% (0x0008e000) 8.00k| 10.57k bytes/s (ETA 02:02:17)
error: failed to patch word at 0x803e1598
context:
==> (empty)
==> 'CM>'
<== '/write_memory -s 4 0xa03e1598 0x10000018'
==> '/write_memory -s 4 0'
<== '/exit'
I was able to reproduce that error. Using 3c14982, however, I could dump the whole of linuxapps on my device.
Now I can dump whole images, but ProgramStore is not accepting them.
./bcm2dump -vv dump 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-90-g3c14982
detected profile fast3686(bfc), version DNA_3.490.0-T3
0.09% (0x06bc4000) 0 | 0 bytes/s (ETA 00:00:00) FAST3686_DNA_3.490.0-T3-rootfs-20200429.bin (0xd06e, 12320676 b)
100.00% (0x07dbffff) 23.30k bytes/s (ELT 00:13:11)
ProgramStore is still not satisfied with it
./ProgramStore -f linuxkfs.bin -o linuxkfs.out -x
Signature: d06e
Control: 0100
Major Rev: 0002
Minor Rev: 0017
Build Time: 2020/4/29 09:42:00 Z
File Length: 12320676 bytes
Load Address: 7e000000
Filename: FAST3686_DNA_3.490.0-T3-rootfs-20200429.bin
HCS: e004
CRC: a02903db
Performing CRC on Image...
Image -1607924773 CRC failed!
And same with the linuxapps
./bcm2dump -vv dump 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.bin
bcm2dump v0.9.4-90-g3c14982
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x00000000-0x04c3ffff (79953920 b)
0.02% (0x00004000) 0 | 0 bytes/s (ETA 00:00:00) FAST3686_DNA_3.490.0-T3-app-20200429.bin (0xd06e, 2752420 b)
100.00% (0x04c3ffff) 23.53k bytes/s (ELT 00:55:18)
./ProgramStore -f linuxapps.bin -o linuxapps.out -x
Signature: d06e
Control: 0100
Major Rev: 0002
Minor Rev: 0017
Build Time: 2020/4/29 09:42:01 Z
File Length: 2752420 bytes
Load Address: 7e000000
Filename: FAST3686_DNA_3.490.0-T3-app-20200429.bin
HCS: a934
CRC: 8758ba30
Performing CRC on Image...
Image -2024228304 CRC failed!
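An added example, not part of this thread and not code from bcm2dump or ProgramStore: a parser for the 92-byte header that ProgramStore prints above, showing which byte range of a partition dump the header's File Length covers. The field layout is an assumption inferred from the hex dump and ProgramStore output posted in this thread, the sample header is rebuilt from those posted values, and the two words at 0x4c and 0x50 are kept as raw values because the thread does not say what they mean.

```python
import struct
from datetime import datetime, timezone

# Big-endian, 92 bytes. Layout is an assumption inferred from the hex dump and
# the ProgramStore output in this thread, not taken from ProgramStore's source.
HEADER = struct.Struct(">HHHHIII48s8xIIHHI")
FIELDS = ("signature", "control", "major", "minor", "build_time", "file_length",
          "load_address", "filename", "word_4c", "word_50", "hcs", "reserved",
          "crc")


def parse_header(blob):
    """Decode the header found at the start of a dumped partition."""
    if len(blob) < HEADER.size:
        raise ValueError(f"need {HEADER.size} bytes, got {len(blob)}")
    hdr = dict(zip(FIELDS, HEADER.unpack_from(blob)))
    # The filename is a NUL-padded 48-byte field.
    hdr["filename"] = hdr["filename"].split(b"\0", 1)[0].decode("ascii", "replace")
    # Build time is stored as seconds since the Unix epoch (UTC).
    hdr["build_time"] = datetime.fromtimestamp(
        hdr["build_time"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return hdr


def payload_span(hdr, dump_size):
    """Return (start, end, complete) for the bytes that File Length declares.

    `complete` is False when the dump is shorter than the declared image,
    as with a transfer that aborted part-way through.
    """
    start = HEADER.size
    end = start + hdr["file_length"]
    return start, end, end <= dump_size


# Constructed sample: the linuxapps header rebuilt from the values posted in
# this thread (not read from a device here).
SAMPLE = HEADER.pack(0xD06E, 0x0100, 0x0002, 0x0017, 0x5EA94BE9, 2752420,
                     0x7E000000, b"FAST3686_DNA_3.490.0-T3-app-20200429.bin",
                     0x00019000, 0x00280000, 0xA934, 0x0000, 0x8758BA30)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE)
    for key in FIELDS:
        value = hdr[key]
        print(f"{key:13}", hex(value) if isinstance(value, int) else value)
    # 79953920 is the size of the linuxapps partition dump reported above.
    print("payload span:", payload_span(hdr, 79953920))
```
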
This image isn't compressed. Try mounting it as a ubi image as is. If Linux modified the partition, it won't pass the CRC check anymore, but it'll still be mountable. The same applies to the image I just dumped from my device!
In any case, can you send me your linuxapps.bin file?
You are correct, they are not packed!
ubireader_display_info linuxkfs.bin
UBI File
---------------------
Min I/O: 2048
LEB Size: 126976
PEB Size: 131072
Total Block Count: 143
Data Block Count: 91
Layout Block Count: 2
Internal Volume Block Count: 0
Unknown Block Count: 50
First UBI PEB Number: 0
Image: 0
---------------------
Image Sequence Num: 0
Volume Name:rootfs
PEB Range: 0 - 142
Volume: rootfs
---------------------
Vol ID: 0
Name: rootfs
Block Count: 91
Volume Record
---------------------
alignment: 1
crc: '0x9f20ef3b'
data_pad: 0
errors: ''
flags: 0
name: u'rootfs'
name_len: 6
padding: u'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 0
reserved_pebs: 137
upd_marker: 0
vol_type: 'dynamic'
ubireader_extract_files linuxkfs.bin
-> 438 files (26MB)
/etc/passwd is pointing to /var/passwd, and /var/ is empty.
ubireader_display_info linuxapps.bin
UBI File
---------------------
Min I/O: 2048
LEB Size: 126976
PEB Size: 131072
Total Block Count: 161
Data Block Count: 11
Layout Block Count: 2
Internal Volume Block Count: 0
Unknown Block Count: 148
First UBI PEB Number: 448
Image: 0
---------------------
Image Sequence Num: 0
Volume Name:linuxapps
PEB Range: 0 - 160
Volume: linuxapps
---------------------
Vol ID: 0
Name: linuxapps
Block Count: 11
Volume Record
---------------------
alignment: 1
crc: '0xae79ff95'
data_pad: 0
errors: ''
flags: 0
name: u'linuxapps'
name_len: 9
padding: u'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
rec_index: 0
reserved_pebs: 155
upd_marker: 0
vol_type: 'dynamic'
ubireader_extract_files linuxapps.bin
-> 77 files (2.4MB)
And no /var (so no /etc/passwd)
I dumped RAM (which is now working correctly)
./bcm2dump -vv dump 192.168.100.1,Admin,PASSWORD ram 0x80000000,256M ram.bin
grep -a "root:/:/bin/sh" ram.bin -A 4
(Took some time to figure out how to find passwd (or shadow) inside the RAM dump.)
John the Ripper took no time to crack them all:
root:sagem:0:0:root:/:/bin/sh
admin:sagem:0:0:Administrator:/:/bin/false
support:sagem:502:502:Technical Support:/:/bin/false
user:sagem:503:503:Normal User:/:/bin/false
nobody:sagem:504:504:nobody for ftp:/:/bin/false
I sent linuxapps.zip and linuxkfs.zip to your email. (I didn't realize that 77MB linuxapps is zipped under 1MB)
The file /etc/passwd is generated by /bin/lxginit btw. It sets all passwords to "sagem" initially, but has a provision for the root password to be changed via an ioctl (which is presumably affected by the CM firmware).
I'm still struggling how to get files out of the image1.bin.
image1.bin contains the cable modem firmware. This is not Linux, but based on eCos. Essentially it's one huge application, where specific tasks are handled by dedicated threads. There's no filesystem, even though the web interface may lead you to believe otherwise. The contents you extract using ProgramStore are raw MIPS machine code, loaded in RAM at address 0x80004000.
The BCM3384 SoC (and others) actually contain two CPUs. One for running the CM firmware, and the other one running Linux. RAM is shared between the two. On most devices, Linux is only used for media server and "NAS" capabilities, and not actually required for using the device as a cable modem.
Closing due to inactivity. Also, the original issue has been resolved.
My router is FAST3686v2. I'm trying with the coax cable removed, just LAN1 connected to the PC (linux-host).
I logged in to the WWW-GUI and downloaded GatewaySettings.bin
As stated GatewaySettings.bin from this router is obfuscated with xor 0x80. Using bcm2cfg I found:
-> Username and password for telnet (which is open by default).
Now I can access telnet 192.168.100.1
'help open' shows the router has these regions: bootloader|image1|image2|image3|image3e|perm|dhtml|dyn
'show flash' shows these: bootloader,permnv,dynnv,linuxapps,image1,image2,linux,linuxkfs,dhtml
Checked that bcm2dump works and can use su account:
Trying to dump
Testing with telnet:
Seems reading with readDirect works, but bcm2dump doesn't get the data.