jclehner / bcm2-utils

Utilities for Broadcom-based cable modems
GNU General Public License v3.0

Can't dump Sagemcom FAST3686v2 #26

Closed MalaikaBegum closed 3 years ago

MalaikaBegum commented 4 years ago

My router is FAST3686v2. I'm trying with the coax cable removed, just LAN1 connected to the PC (linux-host).

I logged in to the WWW-GUI and downloaded GatewaySettings.bin

As stated GatewaySettings.bin from this router is obfuscated with xor 0x80. Using bcm2cfg I found:

  remote_acc_user = Admin
  _unk_1 = { [hex-dump of password]

-> Username and password for telnet (which is open by default).

Now I can access telnet 192.168.100.1

CM_Console> su
Password: () [] $agem001
Proceed with caution!
Type 'exit' to return.

CM> /docsis_ctl/scan_stop

exit #back to normal user
show version


Broadcom Corporation Reference Design

 +------------------------------------------------------------------------------------------------+
 |       _/_/     _/_/_/_/    _/_/                                                                |
 |      _/  _/   _/        _/    _/   Broadband                                                   |
 |     _/  _/   _/        _/                                                                      |
 |    _/_/     _/_/_/    _/           Foundation                                                  |
 |   _/  _/   _/        _/                                                                        |
 |  _/   _/  _/        _/    _/       Classes                                                     |
 | _/_/_/   _/          _/_/                                                                      |
 |                                                                                                |
 | Copyright (c) 1999 - 2020 Broadcom Corporation                                                 |
 |                                                                                                |
 | Revision:  5.7.1mp3                                                                            |
 |                                                                                                |
 | Features:  BCM93384WVG Console TelnetConsole SshConsole Nonvol Fat HeapManager SNMP Networking |
 | Features:  IPv6 (script bcm93384wvg) LinuxOnTP1 TR69 Switch53124                               |
 +------------------------------------------------------------------------------------------------+
 | Standard Embedded Target Support for BFC                                                       |
 |                                                                                                |
 | Copyright (c) 2003-2020 Broadcom Corporation                                                   |
 |                                                                                                |
 | Revision:  3.0.1                                                                               |
 |                                                                                                |
 | Features:  PID=0xd06e BID=0x0 Bootloader-Rev=2.5.0beta8 Bootloader-Compression-Support=0x11    |
 | Features:  MANUFACT_BITS=0x9                                                                   |
 | Features:  Dual-band Wifi Bcm80211=Build Apr 24 2020 16:56:57                                  |
 | Features:  App Ver 7.14.89.22.571.258.15                                                       |
 | Features:  Wl Ver 7.14.89.22.571.258.15                                                        |
 | Features:  IopLib-Rev=571.14.0                                                                 |
 +------------------------------------------------------------------------------------------------+
 | eCos BFC Application Layer                                                                     |
 |                                                                                                |
 | Copyright (c) 1999 - 2020 Broadcom Corporation                                                 |
 |                                                                                                |
 | Revision:  3.0.2                                                                               |
 |                                                                                                |
 | Features:  IPv6 Stack Version 1.2.3                                                            |
 | Features:  eCos Console Cmds, (no Idle Loop Profiler)                                          |
 +------------------------------------------------------------------------------------------------+
 |                 _/_/_/                                                                         |
 |        _/_/    _/    _/    eRouter Dual Stack                                                  |
 |     _/    _/  _/    _/                                                                         |
 |    _/_/_/_/  _/_/_/                                                                            |
 |   _/        _/ _/                                                                              |
 |  _/        _/   _/                                                                             |
 |   _/_/_/  _/     _/                                                                            |
 |                                                                                                |
 | Copyright (c) 1999 - 2015 Broadcom Corporation                                                 |
 |                                                                                                |
 | Revision:  5.7.1mp3                                                                            |
 |                                                                                                |
 | Features:  eRouter SNMP Customer Extension NATP DS-Lite L2oGRE HomeHotspot                     |
 +------------------------------------------------------------------------------------------------+
 | Broadcom eRouter Customer Extension                                                            |
 |                                                                                                |
 | Copyright (c) 1999 - 2020 Broadcom Corporation                                                 |
 |                                                                                                |
 | Revision:  3.0.2                                                                               |
 |                                                                                                |
 | Features:  ()                                                                                  |
 +------------------------------------------------------------------------------------------------+
 | Build Date      : Apr 29 2020                                                                  |
 | Build Time      : 17:03:54 (+0800)                                                             |
 | Build By        : jenkins                                                                      |
 | Build Svn Revision:  21507                                                                     |
 | Build Command Line:  bcm93384wvg ssc eu nodect sagemcom_modification_on dna linux_on_tp1 nolinux_on_pmc nofxs_web_setting j 8 nohttpssl dslite tr69 xml_doc nolinux_on_pmc l2tpv2 pptp l2ogre httpupgrade mediaserver nobattery power vpn perfmonitor legacy_parent switch53124 l2vpn bcm80211n monolith homehotspot grelegacymib nolinux_on_zephyr linux_on_tp1 linux_partitions dual_band_80211n wombo1 WIFI_4360_5G_HP_P453 wombo2 WIFI_4360MC2_P103 nandflash nodualeth noethwan pppoe nodect mid_split uda nolegacy_parent noemta nohttpssl bfc_upgrade dualeth ethwan domos pid d06e imagename FAST3686_DNA_3.490.0-T3-20200429
 | Build Products  :                                                                              |
 | Build Processors: 3384                                                                         |
 | Build Parameters:  num_sids 16 docsis 20 c 45 j 8 wombo1 WIFI_4360_5G_HP_P453 wombo2           |
 | Build Parameters: WIFI_4360MC2_P103 pid d06e imagename FAST3686_DNA_3.490.0-T3-20200429        |
 | Build Targets   :                                                                              |
 | Image Path      : /home/jenkins/workspace/TRUNK_5.7.1mp3_Maintenance_FAST3686V2_DNA/ProdD30PC1 |
 | Image Path      : 5_BFC5.7.1_CxC5.7.1.15_RG/rbb_cm_src/CmDocsisSystem/ecos/bcm93384wvg_eu_ipv6 |
 | Image Name      : FAST3686_DNA_3.490.0-T3-20200429.bin                                         |
 | Build Command   : bcm93384wvg ssc eu nodect sagemcom_modification_on dna linux_on_tp1          |
 | Build Command   : nolinux_on_pmc nofxs_web_setting j 8 nohttpssl dslite tr69 xml_doc           |
 | Build Command   : nolinux_on_pmc l2tpv2 pptp l2ogre httpupgrade mediaserver nobattery power    |
 | Build Command   : vpn perfmonitor legacy_parent switch53124 l2vpn bcm80211n monolith           |
 | Build Command   : homehotspot grelegacymib nolinux_on_zephyr linux_on_tp1 linux_partitions     |
 | Build Command   : dual_band_80211n wombo1 WIFI_4360_5G_HP_P453 wombo2 WIFI_4360MC2_P103        |
 | Build Command   : nandflash nodualeth noethwan pppoe nodect mid_split uda nolegacy_parent      |
 | Build Command   : noemta nohttpssl bfc_upgrade dualeth ethwan domos pid d06e imagename         |
 | Build Command   : FAST3686_DNA_3.490.0-T3-20200429                                             |
 | Build Options   :  nodhcp_passthrough noethSocketToStb nosagem_stb_support                     |
 | Build Options   : nosagemcom_dgci362_support notr069_http_upgrade nopotd amdflash cfiflash     |
 | Build Options   : cmd_help_text nocomcast_video_caching demangle deps dualbuild nodynwebpage   |
 | Build Options   : factorymibs noheapboundscheck noheapleakdebug http intelflash mgmtmibs       |
 | Build Options   : nocmapp_port_forward nobcm80211n_debug nobonded nocpeportfilter nodasm       |
 | Build Options   : nodiag nodtp_test nosingleconsole noedva noextendedugs noflashserver         |
 | Build Options   : noflashclient nofn_profile nofonhotspot nofpm nogrehomehotspot nohnap        |
 | Build Options   : nointernalusb noipsv noitc noiptv nowasu nojedecflash nol2tpv3               |
 | Build Options   : nolinux_watchdog nolinux_erouter nolitepower nomap nomultiprocmon nonandboot |
 | Build Options   : nootp nopiggyback pktc nopmip nopopup nortrproxy noserialportoff noshow      |
 | Build Options   : nosigtls nosip nosipdbg nosipdqos nosipipv6 noslim nosmp nosnmpproxy         |
 | Build Options   : nosnoopdebug nosplitbootblock nosiliconverify nostress_test nosuperslim      |
 | Build Options   : notftp_server nousbhost nodualusbhost nousg_web_pages noutp_test             |
 | Build Options   : novendorhttps useformregistrar nowifihotspot nowifimfg noclwifi nodual_lna   |
 | Build Options   : quiet nounified warn_error nopcielowpwr usmac_diag noupnpc noswitchport_1_4  |
 | Build Options   : nozephyr_console_uart0 nosagemcom_https_filter nopppoeiaagent nodhcpiaagent  |
 | Build Options   : nomoca nomoca20 msc noaprouter noautodetect_tuner2 noautodetect_tuner4       |
 | Build Options   : nodocsis20snmp noemtasim noietf nomixed_annex nono_cmts_d3_partial_svc nooms |
 | Build Options   : pcie nosingle_ds nosled us nobpi_helper_on_fap nocmtr69 noedge_device noecm  |
 | Build Options   : normagnum nodsg norswdload noip_rnvol noestb_config nooob noprereg_sets      |
 | Build Options   : nocdl20 nodsg30 noecm_clcerts nopcieep nob2b_rgmii nodavic noext_ephy        |
 | Build Options   : nohost_bridge nodavic_api nog8davic_api noseb nocustom_vendor_dir            |
 | Build Options   : use_unimac0 nostb_owns_eth2 nodnac nostb_has_lan noecmestbsockif             |
 | Build Options   : nocablecard_ipproxy nostb_pcie_vlan noexplicit_vlan nolgi_dawn               |
 | Build Options   : noestb_ecm_vlan_connection nostb_on_eth2 nolow_gw nostb_include_sidecar d30  |
 | Build Options   : noejtag smisb spectrum_analyzer fpm512 newleds cacheopt dualflash avs        |
 | Build Options   : wifi_spectrum_analyzer cmvendor battery_fdhdwr vin12v erouter ipv6 spiflash  |
 | Build Options   : eps novlan managedswitch nousb20 fap_assist nat_hwaccel nas turbo_wifi       |
 | Build Options   : openssl openssh telnet eu sagemcom_modification_on nofxs_web_setting dslite  |
 | Build Options   : tr69 xml_doc nolinux_on_pmc l2tpv2 pptp l2ogre httpupgrade mediaserver       |
 | Build Options   : nobattery power vpn perfmonitor switch53124 l2vpn bcm80211n monolith         |
 | Build Options   : homehotspot grelegacymib nolinux_on_zephyr linux_on_tp1 linux_partitions     |
 | Build Options   : dual_band_80211n nandflash pppoe nodect mid_split uda nolegacy_parent noemta |
 | Build Options   : nohttpssl bfc_upgrade dualeth ethwan domos                                   |
 +------------------------------------------------------------------------------------------------+

CM_Console> system/show flash

Flash Device Information:

      CFI Compliant: no
        Command Set: Generic SPI Flash
   Device/Bus Width: x16
 Little Word Endian: no
    Fast Bulk Erase: no
    Multibyte Write: 256 bytes max
  Phys base address: 0xbadf1a5
 Uncached Virt addr: 0x1badf1a5
   Cached Virt addr: 0x2badf1a5
   Number of blocks: 64
         Total size: 4194304 bytes, 4 Mbytes
       Current mode: Read Array
        Device Size: 4 MB, Write buffer: 256, Flags: 0

      Size  Device      Device     Region
Block  kB   Address     Offset     Offset   Region Allocation
----- ---- ---------- ----------- --------- -----------------
    0   64 0x1badf1a5           0         0 bootloader (65536 bytes)
    1   64 0x1baef1a5     0x10000         0 permnv
    2   64 0x1baff1a5     0x20000   0x10000 permnv (131072 bytes)
    3   64 0x1bb0f1a5     0x30000       ??? {unassigned}
   59   64 0x1be8f1a5    0x3b0000       ??? {unassigned}
   60   64 0x1be9f1a5    0x3c0000         0 dynnv
   63   64 0x1becf1a5    0x3f0000   0x30000 dynnv (262144 bytes)

Flash Device Information:

      CFI Compliant: no
        Command Set: Generic NAND Flash
   Device/Bus Width: x16
 Little Word Endian: no
    Fast Bulk Erase: no
    Multibyte Write: 512 bytes max
  Phys base address: 0xbadf1a5
 Uncached Virt addr: 0x1badf1a5
   Cached Virt addr: 0x2badf1a5
   Number of blocks: 1024
         Total size: 134217728 bytes, 128 Mbytes
       Current mode: Read Array
        Device Size: 128MB, Block size: 128KB, Page size: 2048

      Size  Device      Device     Region
 Block  kB   Address     Offset     Offset   Region Allocation
 ----- ---- ---------- ----------- --------- -----------------
    0  128 0x1badf1a5           0         0 linuxapps
  609  128 0x206ff1a5   0x4c20000 0x4c20000 linuxapps (79953920 bytes)
  610  128 0x2071f1a5   0x4c40000         0 image1
  717  128 0x2147f1a5   0x59a0000  0xd60000 image1 (14155776 bytes)
  718  128 0x2149f1a5   0x59c0000         0 image2
  825  128 0x221ff1a5   0x6720000  0xd60000 image2 (14155776 bytes)
  826  128 0x2221f1a5   0x6740000         0 linux       
  861  128 0x2267f1a5   0x6ba0000  0x460000 linux (4718592 bytes)
  862  128 0x2269f1a5   0x6bc0000         0 linuxkfs
 1005  128 0x2387f1a5   0x7da0000 0x11e0000 linuxkfs (18874368 bytes)
 1006  128 0x2389f1a5   0x7dc0000         0 dhtml
 1023  128 0x23abf1a5   0x7fe0000  0x220000 dhtml (2359296 bytes)

 CM_Console> su

 Password: () [] $agem001
 Proceed with caution!
 Type 'exit' to return.

 CM> /flash/help open

 COMMAND:  open

 USAGE:  open  bootloader|image1|image2|image3|image3e|perm|dhtml|dyn

 DESCRIPTION:
 Opens the flash driver for use by the console (locking out the rest of the 
 application!) so that you can use the read/write/erase commands.  NOTE:  If 
 you do something that would cause the driver to be opened again (write 
 nonvol, dload an image, etc), then the operation will be blocked until you 
 run the close command, or it may fail.

 EXAMPLES:
 open image2  -- Opens the image2 region for read/write/erase

exit #back to the user-mode
exit #quit telnet

'help open' shows the router has these regions: bootloader|image1|image2|image3|image3e|perm|dhtml|dyn
'show flash' shows these: bootloader, permnv, dynnv, linuxapps, image1, image2, linux, linuxkfs, dhtml

Checked that bcm2dump works and can use su account:

./bcm2dump run -P fast3686 -vv 192.168.100.1,Admin,PASSWORD ls
bcm2dump v0.9.4-30-gb8610dc
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
ls

!               ?               REM             call            cd
dir             find_command    help            history         instances
ls              man             pwd             sleep           syntax
system_time     usage
----
con_high        cpuLoad         cpuUtilization  exit            mbufShow
memShow         mutex_debug     ping            read_memory     reset
routeShow       run_app         shell           socket_debug    stackShow
taskDelete      taskInfo        taskPrioritySet taskResume      taskShow
taskSuspend     taskSuspendAll  taskTrace       usfsShow        version
write_memory    zone
----
[CmRgMsgPipe] [HeapManager] [HostDqm] [avs] [cm_hal] [docsis_ctl] [dtp]
[embedded_target] [event_log] [fam] [flash] [forwarder] [ftpLite] [ip_hal]
[itc_hal] [msgLog] [non-vol] [pingHelper] [power] [snmp] [snoop]
[spectrum_analyzer]

CM>

Trying to dump

./bcm2dump dump -vvv -P fast3686 192.168.100.1,Admin,PASSWORD flash image1,auto image1.bin
bcm2dump v0.9.4-30-gb8610dc
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () []'
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM>'
adjusting dump params: 0x04c40000,92 -> 0x04c40000,96
<== '/flash/open image1'
==> ''
==> (empty)
==> 'Opening the flash driver...'
==> 'Flash driver opened.'
==> (empty)
==> 'CM>'
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05   00 03 00 00   5e a9 42 fa   00 52 e5 75'
==> '80 00 40 00   46 41 53 54   33 36 38 36   5f 44 4e 41'
==> '5f 33 2e 34   39 30 2e 30   2d 54 33 2d   32 30 32 30'
==> '30 34 32 39   2e 62 69 6e   00 00 00 00   00 00 00 00'
==> '00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00'
==> '00 00 00 00   48 df 00 00   3c c2 31 80   5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'

read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05   00 03 00 00   5e a9 42 fa   00 52 e5 75'
==> '80 00 40 00   46 41 53 54   33 36 38 36   5f 44 4e 41'
==> '5f 33 2e 34   39 30 2e 30   2d 54 33 2d   32 30 32 30'
==> '30 34 32 39   2e 62 69 6e   00 00 00 00   00 00 00 00'
==> '00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00'
==> '00 00 00 00   48 df 00 00   3c c2 31 80   5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'

read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05   00 03 00 00   5e a9 42 fa   00 52 e5 75'
==> '80 00 40 00   46 41 53 54   33 36 38 36   5f 44 4e 41'
==> '5f 33 2e 34   39 30 2e 30   2d 54 33 2d   32 30 32 30'
==> '30 34 32 39   2e 62 69 6e   00 00 00 00   00 00 00 00'
==> '00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00'
==> '00 00 00 00   48 df 00 00   3c c2 31 80   5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'

read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05   00 03 00 00   5e a9 42 fa   00 52 e5 75'
==> '80 00 40 00   46 41 53 54   33 36 38 36   5f 44 4e 41'
==> '5f 33 2e 34   39 30 2e 30   2d 54 33 2d   32 30 32 30'
==> '30 34 32 39   2e 62 69 6e   00 00 00 00   00 00 00 00'
==> '00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00'
==> '00 00 00 00   48 df 00 00   3c c2 31 80   5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'

read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== ''
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05   00 03 00 00   5e a9 42 fa   00 52 e5 75'
==> '80 00 40 00   46 41 53 54   33 36 38 36   5f 44 4e 41'
==> '5f 33 2e 34   39 30 2e 30   2d 54 33 2d   32 30 32 30'
==> '30 34 32 39   2e 62 69 6e   00 00 00 00   00 00 00 00'
==> '00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00'
==> '00 00 00 00   48 df 00 00   3c c2 31 80   5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> 'CM>'

read incomplete chunk 0x04c40000: 0/96; retrying
<== '/flash/readDirect 96 0'
<== '/flash/close'
<== '/flash/close'
==> ''
==> (empty)
==> 'Reading 96 bytes, starting at an offset of 0 bytes into the region:'
==> (empty)
==> 'd0 6e 00 05   00 03 00 00   5e a9 42 fa   00 52 e5 75'
==> '80 00 40 00   46 41 53 54   33 36 38 36   5f 44 4e 41'
==> '5f 33 2e 34   39 30 2e 30   2d 54 33 2d   32 30 32 30'
==> '30 34 32 39   2e 62 69 6e   00 00 00 00   00 00 00 00'
==> '00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00'
==> '00 00 00 00   48 df 00 00   3c c2 31 80   5d 00 00 00'
==> (empty)
==> 'CM>'
==> ''
==> (empty)
==> 'Flash driver closed.'
==> (empty)
==> 'CM>'
==> ''
==> (empty)
==> 'Flash driver closed.'
==> (empty)
==> 'CM>'
<== '/exit'

Testing with telnet:

CM> /flash/open image1
Opening the flash driver...
Flash driver opened.
CM> /flash/readDirect 96 0

Reading 96 bytes, starting at an offset of 0 bytes into the region:

d0 6e 00 05   00 03 00 00   5e a9 42 fa   00 52 e5 75 
80 00 40 00   46 41 53 54   33 36 38 36   5f 44 4e 41 
5f 33 2e 34   39 30 2e 30   2d 54 33 2d   32 30 32 30 
30 34 32 39   2e 62 69 6e   00 00 00 00   00 00 00 00 
00 00 00 00   00 00 00 00   00 00 00 00   00 00 00 00 
00 00 00 00   48 df 00 00   3c c2 31 80   5d 00 00 00 
CM> /flash/readDirect 96 96 

Reading 96 bytes, starting at an offset of 96 bytes into the region:

01 00 20 20   0e 00 0d 3a   28 ab ef 31   23 33 44 83 
db 18 9b 57   12 d9 ed 76   9b d2 8d 4c   ad 5b 7f 7a 
0f 11 d2 c8   a8 77 99 48   98 fb 58 74   c2 b6 82 6e 
74 89 bd 9f   fb 21 63 03   40 1b dd 39   8c 00 b7 a5 
01 1e bc e2   ce 92 ab 82   1f 4e 4e 11   00 61 f8 32 
f0 19 27 0b   3a a3 62 81   c1 29 18 d0   2c 8e ad d0 

Seems reading with readDirect works, but bcm2dump doesn't get the data.

jclehner commented 4 years ago

Huh, weird. The modem I've successfully tested this with just now gives the exact same output. I've pushed a few commits, please try again and post the output.

MalaikaBegum commented 4 years ago

With 28913341b2a1af2b366785cbb2e293d9386a40c5 I got much better results:

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash linux linux.bin
../aeolus/ProgramStore/ProgramStore -f linux.bin -o linux.out -x
   Signature: d06e
     Control: 0005
   Major Rev: 0002
   Minor Rev: 0017
  Build Time: 2020/4/29 09:41:53 Z
 File Length: 1507236 bytes
Load Address: 7e000000
    Filename: FAST3686_DNA_3.490.0-T3-l-20200429.bin
         HCS: 8876
         CRC: 7648cd35

Performing CRC on Image...
Detected LZMA compressed image... decompressing... 

Decompressed length unknown.  Padded to 28311552 bytes.

.

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.bin
hd linuxapps.bin |head
00000000  d0 6e 01 00 00 02 00 17  5e a9 4b e9 00 29 ff a4  |.n......^.K..)..|
00000010  7e 00 00 00 46 41 53 54  33 36 38 36 5f 44 4e 41  |~...FAST3686_DNA|
00000020  5f 33 2e 34 39 30 2e 30  2d 54 33 2d 61 70 70 2d  |_3.490.0-T3-app-|
00000030  32 30 32 30 30 34 32 39  2e 62 69 6e 00 00 00 00  |20200429.bin....|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 01 90 00  |................|
00000050  00 28 00 00 a9 34 00 00  87 58 ba 30 63 60 90 86  |.(...4...X.0c`..|
00000060  aa 8c e0 0a df be b6 fd  f7 68 b6 98 5e f3 12 23  |.........h..^..#|
00000070  e9 f3 d6 1b a5 71 49 87  80 94 f0 cd 40 6e 4f 84  |.....qI.....@nO.|
00000080  34 5f b3 7f 1d b3 8a ee  9c 8c 13 5f df af 43 80  |4_........._..C.|
00000090  aa a4 85 f7 9f 69 a8 81  e3 57 3c 30 8b 7c 75 55  |.....i...W<0.|uU|

../aeolus/ProgramStore/ProgramStore -f linuxapps.bin -o linuxapps.out -x
   Signature: d06e
     Control: 0100
   Major Rev: 0002
   Minor Rev: 0017
  Build Time: 2020/4/29 09:42:01 Z
 File Length: 2752420 bytes
Load Address: 7e000000
    Filename: FAST3686_DNA_3.490.0-T3-app-20200429.bin
         HCS: a934
         CRC: 8758ba30

Performing CRC on Image...
Image CRC failed!

hd linuxapps.out
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1c980000
#linuxapps.out contains only 458MB of 0x00.

Is there just a bug in ProgramStore in crc verification: https://github.com/Broadcom/aeolus/blob/master/ProgramStore/decompress/decompress.cpp#L390

uint32 ulCrc; if ( ulCrc == pProgramHeader->ulcrc )

https://github.com/Broadcom/aeolus/blob/master/ProgramStore/ProgramStore.h#L46 unsigned long ulcrc;

-> Type mismatch. Or corrupted dump?

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash dhtml dhtml.bin      
hd dhtml.bin
00000000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00240000

-> Contains only 0xff. Should dhtml.bin have content?

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash image1 image1.bin
../aeolus/ProgramStore/ProgramStore -f image1.bin -o image1.out -x
   Signature: d06e
     Control: 0005
   Major Rev: 0003
   Minor Rev: 0000
  Build Time: 2020/4/29 09:03:54 Z
 File Length: 5432693 bytes
Load Address: 80004000
    Filename: FAST3686_DNA_3.490.0-T3-20200429.bin
         HCS: 48df
         CRC: 3cc23180

Performing CRC on Image...
Detected LZMA compressed image... decompressing... 

Decompressed length unknown.  Padded to 84934656 bytes.

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash image2 image2.bin
hd image2.bin 
00000000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00d80000

-> Should image2.bin have some content?

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
error: failed to open partition linuxkfs
 ==> 'ERROR:  Invalid value for parameter bootloader|image1|image2|image3|image3e|perm|dhtml|dyn!  'linuxkfs'  Must match one of the tokens!'

linuxkfs failed.

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD nvram permnv permnv.bin
./bcm2cfg -f perm info permnv.bin 
type    : perm
profile : (unknown)
checksum: 4e28a421 (ok)
size    : 15250 (ok)

.

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD nvram dynnv dynnv.bin
./bcm2cfg info dynnv.bin 
type    : dyn
profile : (unknown)
checksum: f7d88d1e (ok)
size    : 30555 (ok)

.

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD nvram bootloader bootloader.bin
./bcm2cfg list bootloader.bin 
error: invalid or encrypted file
hd bootloader.bin | head
00000000  10 00 00 05 00 00 00 00  06 10 15 7f 06 f8 61 80  |..............a.|
00000010  7a b8 00 80 00 40 00 80  00 00 00 00 00 00 00 00  |z....@..........|
00000020  40 08 b0 03 00 08 47 c2  11 00 00 05 00 00 00 00  |@.....G.........|
00000030  3c 08 b3 20 25 08 41 d0  01 00 00 08 00 00 00 00  |<.. %.A.........|
00000040  3c 08 1f a0 35 08 00 0c  40 88 b0 06 3c 08 bf a0  |<...5...@...<...|
00000050  8d 09 00 1c 3c 01 c0 00  01 21 48 25 ad 09 00 1c  |....<....!H%....|
00000060  3c 08 b4 e0 24 09 01 18  ad 09 0f 00 3c 08 b3 20  |<...$.......<.. |
00000070  35 08 40 00 3c 09 bf c0  25 2a 02 00 8d 2b 00 00  |5.@.<...%*...+..|
00000080  25 08 00 04 25 29 00 04  15 2a ff fc ad 0b ff fc  |%...%)...*......|
00000090  3c 0b b3 20 25 6b 40 a0  01 60 00 08 00 00 00 00  |<.. %k@..`......|

bootloader.bin is not an empty file. (README.md said that a serial connection is needed for dumping the bootloader.)

./bcm2dump dump  -P fast3686 192.168.100.1,Admin,PASSWORD ram 0x80004000 ram.bin
error: read incomplete chunk 0x80004000: 0/96

Maybe dumping RAM needs a similar fix.

MalaikaBegum commented 4 years ago

I'm trying another idea:

image1.out (output of ProgramStore) contains peculiar strings:

    linuxTelnet     Enable/Disable
    The Linux Side Telnet Service.
    linuxTelnet 1   Enable the Linux Side Telnet Service.
    linuxTelnet 0   Disable the Linux Side Telnet Service.

telnet 192.168.1.1

RG_Console>su
$agem001

RG>find_command linux 
/non-vol/msc/linuxTelnet

RG> /non-vol/msc/help linuxTelnet
COMMAND:  linuxTelnet    
USAGE:  linuxTelnet  [Number{0..1}]    
DESCRIPTION:
Enable/Disable The Linux Side Telnet Service.    
EXAMPLES:
linuxTelnet 1   -- Enable the Linux Side Telnet Service.
linuxTelnet 0   -- Disable the Linux Side Telnet Service.

RG> /non-vol/msc/linuxTelnet 1
Readying to start The Linux Side Telnet Service.
The Linux side Telnet Service is ENABLED

This opened one more telnet, this time on IP=192.168.1.100:

nmap 192.168.1.100
23/tcp    open          telnet      syn-ack ttl 64      security DVR telnetd (many brands)

But I'm missing one more password:

telnet 192.168.1.100
Trying 192.168.1.100...
Connected to 192.168.1.100.
Escape character is '^]'.

(none) login: 

None of the webgui or telnet (192.168.1.1=RG and 192.168.100.1=CM) passwords are working. I also found a couple of potential ones, but no: spectrum:spectrum Broadcom:Broadcom

Maybe it is possible to dump the rest of the firmware from the Linux side.

(Note: Linux side telnet is not permanent, /non-vol/msc/linuxTelnet is disabled when rebooted.)

jclehner commented 4 years ago

Hi!

> Is there just a bug in ProgramStore in crc verification [...] or corrupted dump?

Comparing a uint32_t with an unsigned long will yield the expected result. The dump is likely corrupted. This happens on many devices, as reading from NAND can sometimes yield incorrect results, due to an apparently faulty error recovery mechanism in the firmware. This requires patching the correct function - usually just writing a single 32 bit value to the correct memory location. I'll need your firmware image1 for that.

> Should image2.bin have some content?

Some devices use only one image. It's possible that a future firmware update will be written to image2 however.

> README.md said that serial connection is needed for dumping bootloader

You don't need a serial connection for dumping the bootloader itself. It's just that some devices have an unlocked bootloader that can be used for dumping firmware images.

> bootloader.bin is not empty file.

This is raw machine code, and represents the stage 1 bootloader. Embedded in this partition (usually within the first 4 KiB) you'll find a ProgramStore image for the stage 2 bootloader. Look for the string ecram_sto.bin or ram.sto - the image starts 26 bytes before this string (probably with 0x3384). Below is an example taken from the TC7200's bootloader, which uses 0x3383 instead:

$ hexdump -C bootloader.bin
...
00000670  33 83 00 05 00 00 00 00  50 29 ae 8c 00 00 5d 07  |3.......P)....].|
00000680  83 f8 00 00 72 61 6d 2e  73 74 6f 00 00 00 00 00  |....ram.sto.....|
00000690  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
...
$ dd if=bootloader.bin of=bootloader2.bin bs=$((0x670)) skip=1
$ ProgramStore -x -f bootloader2.bin 
   Signature: 3383
     Control: 0005
   Major Rev: 0000
   Minor Rev: 0000
  Build Time: 2012/8/14 01:49:00 Z
 File Length: 23815 bytes
Load Address: 83f80000
    Filename: ram.sto
         HCS: b2ae
         CRC: 92d1a142

Performing CRC on Image...
Detected LZMA compressed image... decompressing... 

Decompressed length unknown.  Padded to 383328 bytes.

Can you send me your bootloader.bin along with image1.bin?
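
The carving step above can be automated rather than done by eye with hexdump and dd. The script below is an added example for this thread, not code from bcm2-utils or from Broadcom's ProgramStore tool: it searches the first 4 KiB of bootloader.bin for the stage-2 filename string, derives the header start from the header layout shown in the TC7200 hexdump (signature, control, major/minor revision, build time, file length, load address, then the filename field, so the filename sits 20 bytes after the signature) and accepts the hit only if a known signature (0x3383 or 0x3384) is found there. The 48-byte filename field and the 92-byte total header length (through HCS and CRC) are assumptions about the ProgramStore format that the thread's hexdump does not show; the sample used in the test is constructed from the TC7200 header bytes quoted above.

```python
"""Locate and carve the stage-2 bootloader ProgramStore image embedded in a
raw stage-1 bootloader dump (bootloader.bin). Added example for this thread;
it is not code from bcm2-utils or from Broadcom's ProgramStore tool."""
import struct
import sys
from datetime import datetime, timezone

# Fixed part of the ProgramStore header, big-endian, as the TC7200 hexdump in
# the thread shows it: signature, control, major rev, minor rev (u16 each),
# build time, file length, load address (u32 each). The filename field
# follows immediately, so it sits 20 bytes after the signature.
HDR_FIXED = ">HHHHIII"
HDR_FIXED_LEN = struct.calcsize(HDR_FIXED)          # 20
FILENAME_LEN = 48          # assumption: width of the NUL-padded filename field
HDR_TOTAL_LEN = 92         # assumption: full header length incl. HCS and CRC
KNOWN_SIGNATURES = {0x3383, 0x3384}                  # both seen in this thread
STAGE2_NAMES = (b"ram.sto", b"ecram_sto.bin")
SEARCH_LIMIT = 4096        # the stage-2 image is expected within the first 4 KiB


def parse_header(buf, off):
    """Decode the ProgramStore header that starts at buf[off]."""
    sig, ctrl, major, minor, btime, flen, load = struct.unpack_from(HDR_FIXED, buf, off)
    raw_name = buf[off + HDR_FIXED_LEN: off + HDR_FIXED_LEN + FILENAME_LEN]
    dt = datetime.fromtimestamp(btime, tz=timezone.utc)
    return {
        "signature": sig, "control": ctrl, "major": major, "minor": minor,
        "build_time": f"{dt.year}/{dt.month}/{dt.day} {dt:%H:%M:%S} Z",
        "file_length": flen, "load_address": load,
        "filename": raw_name.split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def find_stage2(buf):
    """Find the stage-2 header by locating its filename string. The header
    start is derived from the layout (filename field at offset 20) and then
    checked against the signature, so a stray copy of the string is skipped."""
    for name in STAGE2_NAMES:
        pos = buf.find(name, 0, SEARCH_LIMIT)
        while pos != -1:
            start = pos - HDR_FIXED_LEN
            if start >= 0:
                hdr = parse_header(buf, start)
                if hdr["signature"] in KNOWN_SIGNATURES and hdr["filename"] == name.decode():
                    return start, hdr
            pos = buf.find(name, pos + 1, SEARCH_LIMIT)
    return None


def carve_stage2(buf):
    """Return (offset, header, image bytes) or None. The image spans the
    header plus the payload length the header announces."""
    found = find_stage2(buf)
    if found is None:
        return None
    start, hdr = found
    end = start + HDR_TOTAL_LEN + hdr["file_length"]
    if end > len(buf):
        raise ValueError(f"header announces {hdr['file_length']} payload bytes, dump is too short")
    return start, hdr, buf[start:end]


if __name__ == "__main__":
    # usage: python carve_stage2.py bootloader.bin [bootloader2.bin]
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    result = carve_stage2(data)
    if result is None:
        sys.exit("no stage-2 ProgramStore image found in the first 4 KiB")
    off, hdr, image = result
    for key, value in hdr.items():
        print(f"{key:>13}: {value:#x}" if key in ("signature", "load_address") else f"{key:>13}: {value}")
    out = sys.argv[2] if len(sys.argv) > 2 else "bootloader2.bin"
    with open(out, "wb") as f:
        f.write(image)
    print(f"wrote {len(image)} bytes from offset {off:#x} to {out}")
```

The carved file can then be handed to ProgramStore -x as in the dd example above; the script prints the same fields (build time, file length, load address, filename) so the two can be compared.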

jclehner commented 4 years ago

None of webgui nor telnet (192.168.1.1=RG and 192.168.100.1=CM) passwords are working.

Can you send me your permnv and dynnv dumps as well - maybe it's in there somewhere. If not, it's somewhere on the Linux filesystem. This will require non-corrupted dumps of linuxkfs and linuxapps (see my post above on how to get those).

MalaikaBegum commented 4 years ago

I have sent the files bootloader.bin, image1.bin, permnv and dynnv.bin to your email.

I got the bootloader unpacked with your instructions:

dd if=bootloader.bin of=bootloader2.bin bs=$((0x710)) skip=1
../aeolus/ProgramStore/ProgramStore -x -f bootloader2.bin -o bootloader2.out
   Signature: 3384
     Control: 0005
   Major Rev: 0000
   Minor Rev: 0000
  Build Time: 2017/5/26 22:30:56 Z
 File Length: 24864 bytes
Load Address: 83f80000
    Filename: ram.sto
         HCS: 90b5
         CRC: 4a94e58b

Performing CRC on Image...
Detected LZMA compressed image... decompressing... 

Decompressed length unknown.  Padded to 382368 bytes.

I will dump linuxapps a couple of times during the next days and see if I get a non-corrupted dump.

jclehner commented 4 years ago

Thanks, I've just started looking into it. Regarding the Linux telnet password, I've found the following, maybe it works:


$ bcm2cfg -v dump dynnv.bin grp_nas | hexdump -C
failed to parse group firewall
00000000  00 2e 4e 41 53 2e 00 02  00 53 07 53 43 2d 4c 56  |..NAS....S.SC-LV|
00000010  47 00 0a 57 4f 52 4b 47  52 4f 55 50 00 00 00 01  |G..WORKGROUP....|
00000020  01 06 61 64 6d 69 6e 00  05 31 32 33 34 00        |..admin..1234.|
0000002e
jclehner commented 4 years ago

Hi, please try the latest commit. This should allow dumping all NAND partitions, including linuxkfs and linuxapps! The profile should now be detected automatically, so you can omit -P fast3686.

MalaikaBegum commented 4 years ago

The password in dynnv.bin grp_nas relates to Network Attached Storage (Samba share if USB storage is attached).

Using the web GUI I changed Storage Advanced->Network Attached Storage->Advanced Settings->Administrator User Name and Password. Rebooted. Dumped dynnv. Now it shows the new password, and this is not accepted by the Linux telnet.

./bcm2cfg -v dump dynnv.bin_new grp_nas | hexdump -C
failed to parse group firewall
00000000  00 36 4e 41 53 2e 00 02  00 53 07 53 43 2d 4c 56  |.6NAS....S.SC-LV|
00000010  47 00 0a 57 4f 52 4b 47  52 4f 55 50 00 00 00 01  |G..WORKGROUP....|
00000020  01 06 61 64 6d 69 6e 00  0d 4e 41 53 2d 70 61 73  |..admin..NAS-pas|
00000030  73 77 6f 72 64 00                                 |sword.|
00000036

If I try to dump without giving a profile (with version fead0f04040120ba4ef17fd7180bafc20d7675ca):

./bcm2dump dump 192.168.100.1,Admin,PASSWORD nvram dynnv dynnv.bin_new
error: telnet: read incomplete chunk 0x80624d90: 0/16

With forced profile it works:

./bcm2dump dump -P fast3686 192.168.100.1,Admin,PASSWORD nvram dynnv dynnv.bin_new
dumping nvram:0x003c0000-0x003fffff (262144 b)
 100.00% (0x003fffff)            5.95k bytes/s (ELT      00:00:43)

The same happens when trying linuxkfs. Dumping linuxkfs with profile:

./bcm2dump dump -P fast3686 -vvv 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-37-g2891334
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM>'
<== ''
<== ''
==> ''
==> 'CM>'
==> ''
==> 'CM>'
<== '/flash/open linuxkfs'
==> ''
==> (empty)
==> 'ERROR:  Invalid value for parameter bootloader|image1|image2|image3|image3e|perm|dhtml|dyn!  'linuxkfs'  Must match one of the tokens!'
==> (empty)
==> 'COMMAND:  open'
==> (empty)
==> 'USAGE:  open  bootloader|image1|image2|image3|image3e|perm|dhtml|dyn'
==> (empty)
==> 'DESCRIPTION:'
==> 'Opens the flash driver for use by the console (locking out the rest of the'
==> 'application!) so that you can use the read/write/erase commands.  NOTE:  If'
==> 'you do something that would cause the driver to be opened again (write'
==> 'nonvol, dload an image, etc), then the operation will be blocked until you'
==> 'run the close command, or it may fail.'
==> (empty)
==> 'EXAMPLES:'
==> 'open image2  -- Opens the image2 region for read/write/erase'
==> (empty)
==> 'CM>'
<== '/flash/close'
<== '/exit'

error: failed to open partition linuxkfs

Dumping linuxkfs without profile:

./bcm2dump dump -vvvv 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-37-g2891334
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== ''
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80624d90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
<== '/exit'

error: telnet: read incomplete chunk 0x80624d90: 0/16

I dumped linuxapps several times and then got a couple with the same hash, and now ProgramStore understands it:

../aeolus/ProgramStore/ProgramStore -f linuxapps.bin -x -o linuxapps.out
   Signature: d06e
     Control: 0100
   Major Rev: 0002
   Minor Rev: 0017
  Build Time: 2020/4/29 09:42:01 Z
 File Length: 2752420 bytes
Load Address: 7e000000
    Filename: FAST3686_DNA_3.490.0-T3-app-20200429.bin
         HCS: a934
         CRC: 8758ba30

Performing CRC on Image...
Loading non-compressed image...
Length: 2752420

-> linuxapps.out is a 458 MB file, has several UBI#-strings, and binwalk finds one hit:

binwalk linuxapps.out
130980        0x1FFA4         UBI erase count header, version: 1, EC: 0x2, VID header offset: 0x800, data offset: 0x1000

But I can't get the files out. Tried with these: https://github.com/jrspruitt/ubi_reader

ubireader_list_files linuxapps.out 
UBI Fatal: Less than 2 layout blocks found.

ubireader_list_files linuxapps.out -v
guess_start_offset Found UBI magic number at 130980
guess_filetype Looking for file type at 130980
guess_filetype File looks like a UBI image.
UBI_File Open Path: linuxapps.out
UBI_File File Size: 479723520
UBI_File Start Offset: 130980
UBI_File End Offset: 479723428
UBI_File File Tail Size: 92
UBI_File Block Size: 131072
UBI_File read loc: 130980, size: 131072
vid_hdr CRC Failed: expected 0xb730eb2 got 0xffffffff
extract_blocks Block: PEB# 0: LEB# -1
extract_blocks file addr: 130980
extract_blocks PEB: 0 has possible issue EC_HDR [], VID_HDR [crc]

https://github.com/nlitsme/ubidump doesn't understand the header of the file:

dd if=linuxapps.out of=ubi.ubi bs=130980 skip=1
python ubidump.py ubi.ubi --listfiles
==> ubi.ubi <==
no volume directory, 1 physical volumes
ERROR UbiBlocks instance has no attribute 'vtbl'
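
The two tools fail for different reasons: ubi_reader stops at PEB 0, whose VID area is still erased (the "got 0xffffffff" CRC means the 64 bytes at the VID header offset are all 0xFF, i.e. a free block rather than a necessarily corrupt one), and ubidump cannot find a volume table at all. A header-level triage of the whole image settles which blocks are usable before trying nandsim. The scanner below is an added example, not code from bcm2-utils, ubi_reader or ubidump; it follows the Linux UBI on-flash EC and VID header layout, walks the image erase block by erase block from the first "UBI#" magic (the way ubi_reader's guess_start_offset does), and counts valid, free and corrupt headers plus the number of copies of UBI's internal layout volume, which is the check ubi_reader's "Less than 2 layout blocks found" refers to. The sample image is constructed inline; the VID header offset 0x800 and data offset 0x1000 are the values binwalk reported above, and 128 KiB is the block size ubi_reader printed.

```python
"""Triage a raw UBI image erase block by erase block: which PEBs carry a
valid EC header, a valid VID header, are free (VID area still 0xFF) or are
corrupt, and how many copies of UBI's internal layout volume (the volume
table) are present. Added example for this thread; not code from bcm2-utils,
ubi_reader or ubidump. Header layouts follow the Linux UBI on-flash format."""
import struct
import zlib

EC_MAGIC, VID_MAGIC = b"UBI#", b"UBI!"
HDR_SIZE = 64
# struct ubi_ec_hdr: magic, version, ec, vid_hdr_offset, data_offset, image_seq, hdr_crc
EC_HDR = ">4sB3xQIII32xI"
# struct ubi_vid_hdr: magic, version, vol_type, copy_flag, compat, vol_id, lnum,
#                     data_size, used_ebs, data_pad, data_crc, sqnum, hdr_crc
VID_HDR = ">4sBBBBII4xIIII4xQ12xI"
LAYOUT_VOL_ID = 0x7FFFEFFF        # UBI internal volume holding the volume table


def ubi_crc32(data):
    """UBI header CRC: crc32_le seeded with 0xFFFFFFFF and no final XOR,
    which is the bitwise complement of zlib's crc32."""
    return (~zlib.crc32(data)) & 0xFFFFFFFF


def parse_ec_hdr(peb):
    magic, ver, ec, vid_off, data_off, _seq, crc = struct.unpack_from(EC_HDR, peb, 0)
    if magic != EC_MAGIC:
        return None
    return {"version": ver, "ec": ec, "vid_hdr_offset": vid_off,
            "data_offset": data_off, "crc_ok": crc == ubi_crc32(peb[:HDR_SIZE - 4])}


def parse_vid_hdr(peb, vid_off):
    raw = bytes(peb[vid_off:vid_off + HDR_SIZE])
    if raw == b"\xff" * HDR_SIZE:
        return "free"                      # erased: PEB is not mapped to any LEB
    fields = struct.unpack_from(VID_HDR, raw, 0)
    if fields[0] != VID_MAGIC:
        return None
    return {"vol_id": fields[5], "lnum": fields[6],
            "crc_ok": fields[-1] == ubi_crc32(raw[:HDR_SIZE - 4])}


def scan_ubi(image, peb_size):
    """Walk the image from the first EC magic in peb_size steps and count
    block states. Returns None if no EC header magic is found at all."""
    start = image.find(EC_MAGIC)
    if start == -1:
        return None
    st = {"start": start, "pebs": 0, "ec_bad": 0, "vid_bad": 0, "free": 0,
          "mapped": 0, "layout": 0}
    for off in range(start, len(image) - peb_size + 1, peb_size):
        peb = image[off:off + peb_size]
        st["pebs"] += 1
        ec = parse_ec_hdr(peb)
        if ec is None or not ec["crc_ok"]:
            st["ec_bad"] += 1
            continue
        vid = parse_vid_hdr(peb, ec["vid_hdr_offset"])
        if vid == "free":
            st["free"] += 1
        elif vid is None or not vid["crc_ok"]:
            st["vid_bad"] += 1
        else:
            st["mapped"] += 1
            if vid["vol_id"] == LAYOUT_VOL_ID:
                st["layout"] += 1
    # ubi_reader aborts with "Less than 2 layout blocks found" below this;
    # the kernel reports "the layout volume was not found" when there are none.
    st["layout_ok"] = st["layout"] >= 2
    return st


# --- constructed sample input (not a real dump) ---------------------------
def build_peb(peb_size, vid_off, data_off, ec, vid=None, corrupt_ec=False):
    """Make one erase block; vid=None leaves the VID area erased (free PEB)."""
    peb = bytearray(b"\xff" * peb_size)
    body = struct.pack(EC_HDR[:-1], EC_MAGIC, 1, ec, vid_off, data_off, 0)
    crc = ubi_crc32(body) ^ (1 if corrupt_ec else 0)
    peb[:HDR_SIZE] = body + struct.pack(">I", crc)
    if vid is not None:
        vbody = struct.pack(VID_HDR[:-1], VID_MAGIC, 1, 1, 0, 0, vid[0], vid[1], 0, 0, 0, 0, 0)
        peb[vid_off:vid_off + HDR_SIZE] = vbody + struct.pack(">I", ubi_crc32(vbody))
    return bytes(peb)


def sample_image(layout_copies=2, peb_size=128 * 1024):
    """Offsets 0x800/0x1000 are the values binwalk reported for the dump above."""
    vid_off, data_off = 0x800, 0x1000
    pebs = [build_peb(peb_size, vid_off, data_off, 2, vid=(LAYOUT_VOL_ID, i))
            for i in range(layout_copies)]
    pebs.append(build_peb(peb_size, vid_off, data_off, 2, vid=(0, 0)))   # user volume LEB
    pebs.append(build_peb(peb_size, vid_off, data_off, 2))               # free PEB, like PEB 0 above
    pebs.append(build_peb(peb_size, vid_off, data_off, 2, corrupt_ec=True))
    return b"".join(pebs)


if __name__ == "__main__":
    print(scan_ubi(sample_image(), 128 * 1024))
```

On a real dump, call scan_ubi with the file contents and the erase block size; a result with many ec_bad or vid_bad blocks points at the corrupted-read problem discussed earlier in the thread, while layout == 0 with otherwise clean headers means the volume table simply is not in this partition.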
jclehner commented 4 years ago

linuxapps.out is 458MB file, has several UBI#-strings [...] But I can't get files out.

These UBI dump tools sometimes don't work. Your best bet is writing the file to a simulated NAND device (Linux has nandsim.ko). If you send me the .bin file, I'll see what I can do!

MalaikaBegum commented 4 years ago

I sent linuxapps.bin with mail.

I'm reading how to use nandsim (http://www.linux-mtd.infradead.org/faq/nand.html#L_nand_nandsim) but I don't get how to figure out the parameters. I tried one example, but no go:

sudo modprobe nandsim first_id_byte=0x20 second_id_byte=0xac third_id_byte=0x00 fourth_id_byte=0x15
[nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[nandsim] warning: read_byte: unexpected data output cycle, state is STATE_READY return 0x0
[nandsim] warning: write_byte: command (0x90) wasn't expected, expected state is STATE_READY, ignore previous states
nand: device found, Manufacturer ID: 0x20, Chip ID: 0xac
nand: ST Micro NAND 512MiB 1,8V 8-bit
nand: 512 MiB, SLC, erase size: 128 KiB, page size: 2048, OOB size: 64
flash size: 512 MiB
page size: 2048 bytes
OOB area size: 64 bytes
sector size: 128 KiB
pages number: 262144
pages per sector: 64
bus width: 8
bits in sector size: 17
bits in page size: 11
bits in OOB size: 6
flash size with OOB: 540672 KiB
page address bytes: 5
sector address bytes: 3
options: 0x8
Scanning device for bad blocks
[nandsim] warning: write_byte: command (0x0) wasn't expected, expected state is STATE_READY, ignore previous states
Creating 1 MTD partitions on "NAND 512MiB 1,8V 8-bit":
0x000000000000-0x000020000000 : "NAND simulator partition 0"
[nandsim] warning: CONFIG_MTD_PARTITIONED_MASTER must be enabled to expose debugfs stuff

sudo nandwrite /dev/mtd0 linuxapps.out
Writing data to block 0 at offset 0x0
Writing data to block 1 at offset 0x20000
...
Writing data to block 3658 at offset 0x1c940000
Writing data to block 3659 at offset 0x1c960000

sudo modprobe ubi mtd=/dev/mtd0,4096
modprobe: ERROR: could not insert 'ubi': Invalid argument

ubi0: default fastmap pool size: 200
ubi0: default fastmap WL pool size: 100
ubi0: attaching mtd0
ubi0: scanning is finished
ubi0 error: ubi_read_volume_table [ubi]: the layout volume was not found
ubi0 error: ubi_attach_mtd_dev [ubi]: failed to attach mtd0, error -22
UBI error: cannot attach mtd0
UBI error: cannot initialize UBI, error -22
jclehner commented 4 years ago

I sent linuxapps.bin with mail.

The file.io link results in a 404 error!

[...] but I don't get how to figure parameters.

I've had success in the past with the following commands (0x800 is the VID header offset):

modprobe ubi
ubiattach -O $((0x800)) -p /dev/mtd0
mount -t ubifs /dev/ubi0_0 /mnt/ubi
MalaikaBegum commented 4 years ago

Resent linuxapps.bin.

jclehner commented 4 years ago

Resent linuxapps.bin.

I've received the file, but it won't extract:

$ ProgramStore2 -x -f linuxapps_valid.bin 
No output file name specified.  Using linuxapps_valid.out.
   Signature: d06e
     Control: 0100
   Major Rev: 0002
   Minor Rev: 0017
  Build Time: 2020/4/29 09:42:01 Z
 File Length: 2752420 bytes
Load Address: 7e000000
    Filename: FAST3686_DNA_3.490.0-T3-app-20200429.bin
         HCS: a934
         CRC: 8758ba30

Performing CRC on Image...
Image -135139320 CRC failed!

Please try the latest commit, and send the output and resulting io.log of:

$ bcm2dump -vv -L io.log info 192.168.100.1,Admin,PASSWORD

This should detect both the profile and the firmware version. If it does, try dumping linuxapps and linuxkfs again.

MalaikaBegum commented 4 years ago

Oops, I used a modified version of ProgramStore which just skips the CRC. It produces a somewhat sane linuxapps_valid.out, so I totally forgot about it.

6a6b885b5712c131d8c09bf29399a7a0e07ebedc needs one cleanup:

diff --git a/Makefile b/Makefile
index 211cd7b..b9739fc 100644
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@ endif
 profile_OBJ = profile.o profiledef.o

 bcm2dump_OBJ = io.o rwx.o interface.o ps.o bcm2dump.o \
-       util.o progress.o mipsasm.o $(profile_OBJ)
+       util.o progress.o $(profile_OBJ)
 bcm2cfg_OBJ = util.o nonvol2.o bcm2cfg.o nonvoldef.o \
        gwsettings.o $(profile_OBJ) crypto.o
 psextract_OBJ = util.o ps.o psextract.o
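Review bot: dropping mipsasm.o from bcm2dump_OBJ (the `-       util.o progress.o mipsasm.o $(profile_OBJ)` line) only links cleanly if none of the remaining objects in that list still reference symbols from mipsasm; please confirm with a clean rebuild (`make clean && make`) rather than an incremental one, since a stale mipsasm.o left in the build directory would hide a missing dependency, and check that no other rule in the Makefile still names mipsasm.o. The commit message should also state why the object is gone (source file removed or folded into rwx.cc), which the hunk itself does not show.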

Without a profile it won't work:

./bcm2dump -vv -L io.log info 192.168.100.1,Admin,PASSWORD

bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== '/exit'

error: telnet: read incomplete chunk 0x80010000: 0/16

context:
  ==> 'CM_Console>'
  ==> ''
  ==> 'CM_Console>'
  <== '/system/diag readmem -s 4 -n 16 0x80010000'
  <== ''
  ==> ''
  ==> (empty)
  ==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
  ==> (empty)
  ==> 'CM_Console>'
  ==> ''
  ==> 'CM_Console>'
  <== '/system/diag readmem -s 4 -n 16 0x80010000'
  <== ''
  ==> ''
  ==> (empty)
  ==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
  ==> (empty)
  ==> 'CM_Console>'
  ==> ''
  ==> 'CM_Console>'
  <== '/system/diag readmem -s 4 -n 16 0x80010000'
  <== ''
  ==> ''
  ==> (empty)
  ==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
  ==> (empty)
  ==> 'CM_Console>'
  ==> ''
  ==> 'CM_Console>'
  <== '/system/diag readmem -s 4 -n 16 0x80010000'
  <== ''
  ==> ''
  ==> (empty)
  ==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
  ==> (empty)
  ==> 'CM_Console>'
  ==> ''
  ==> 'CM_Console>'
  <== '/system/diag readmem -s 4 -n 16 0x80010000'
  <== ''
  ==> ''
  ==> (empty)
  ==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
  ==> (empty)
  ==> 'CM_Console>'
  ==> ''
  ==> 'CM_Console>'
  <== '/system/diag readmem -s 4 -n 16 0x80010000'
  <== '/exit'
MalaikaBegum commented 4 years ago

I added one sleep and got info working (a smaller sleep time is not enough):

diff --git a/rwx.cc b/rwx.cc
index c31cdfa..2172e99 100644
--- a/rwx.cc
+++ b/rwx.cc
@@ -261,6 +261,7 @@ string parsing_rwx::read_chunk_impl(uint32_t offset, uint32_t length, uint32_t r
        unsigned timeout = chunk_timeout(offset, length);

        do {
+               usleep(75000);
                while ((!length || chunk.size() < length) && m_intf->pending()) {
                        throw_if_interrupted();
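Review bot: the unconditional `usleep(75000)` at the top of the `do` loop in `parsing_rwx::read_chunk_impl` is paid on every chunk read, not only when the device is slow to answer, so a full partition dump (linuxkfs is 18 MB in the profile output) slows down by 75 ms per chunk. The race it works around is the first `m_intf->pending()` check returning false before the modem has started replying; a bounded wait that polls `m_intf->pending()` with a short sleep until data arrives or the existing `timeout` (computed by `chunk_timeout(offset, length)` one line above) elapses would fix the same problem without the fixed cost, and would also explain why "a smaller sleep time is not enough" on this device. `usleep` additionally requires `<unistd.h>`, which the hunk does not show being included.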

./bcm2dump -vv  -L io.log info 192.168.100.1,Admin,PASSWORD
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0
fast3686: Sagemcom F@ST 3686
============================
pssig         0xd06e
blsig         0x3384

ram           0x80000000 - 0x9fffffff  (   512 MB)  RW
------------------------------------------------------
(no partitions defined)

nvram         0x00000000 - 0x003fffff  (     4 MB)  RO
------------------------------------------------------
bootloader    0x00000000 - 0x0000ffff  (    64 KB)
permnv        0x00010000 - 0x0002ffff  (   128 KB)
dynnv         0x003c0000 - 0x003fffff  (   256 KB)

flash         0x00000000 - 0x07ffffff  (   128 MB)  RO
------------------------------------------------------
linuxapps     0x00000000 - 0x04c3ffff  ( 78080 KB)
image1        0x04c40000 - 0x059bffff  ( 13824 KB)
image2        0x059c0000 - 0x0673ffff  ( 13824 KB)
linux         0x06740000 - 0x06bbffff  (  4608 KB)
linuxkfs      0x06bc0000 - 0x07dbffff  (    18 MB)
dhtml         0x07dc0000 - 0x07ffffff  (  2304 KB)

And io.log:

bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8  9665003c  0c41a8a2  00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120  0c41abf4  24a571b8  96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6  8fbf0114  0c1ec594  00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005  00a21821  24630008  24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018  8fb10014  8fb00010  03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024  0c36f75a  02002021  1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001  0106102a  10400003  0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f  6e3a2020  25730a00  62636d56 | rsion:  %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 6f6f746c  6f616465  72207061  72616d65 | ootloader parame'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 50687920  53656c65  6374696f  6e000000 | Phy Selection...'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25  78000000  25733f20  5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354  33363836  5f444e41  5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864  760492845  842019376  808727097 | 90.0-T3-20200429'
detected profile fast3686(bfc), version DNA_3.490.0
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () []'
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM>'
<== '/exit'

When dumping (linuxkfs or linuxapps) with the sleep, the router reboots and I get an empty file:

./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin 
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16

read incomplete chunk 0x82f00014: 0/16; retrying
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16

read incomplete chunk 0x83f8ea40: 0/16; retrying
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
 ---.--% (0x06bc0000)      0 |     0  bytes/s (ETA      00:00:00)
error: read1: Connection reset by peer

cat io.log
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8  9665003c  0c41a8a2  00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120  0c41abf4  24a571b8  96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6  8fbf0114  0c1ec594  00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005  00a21821  24630008  24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> 'CM_Console> /system/diag readmem'
<== ''
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b9c8 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 812a0000 00000008 434d4170'
==> ''
==> (empty)
==> '82f00014: ffffffff  ffffffff  ffffffff  ffffffff | ................'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x82f00014: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> ''
==> (empty)
==> '82f00014: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018  8fb10014  8fb00010  03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024  0c36f75a  02002021  1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001  0106102a  10400003  0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f  6e3a2020  25730a00  62636d56 | rsion:  %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 6f6f746c  6f616465  72207061  72616d65 | ootloader parame'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> 'CM_Console> /system/diag readmem'
<== ''
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b9c8 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 81268000 00000008 434d4170'
==> ''
==> (empty)
==> '83f8ea40: 50687920  53656c65  6374696f  6e000000 | Phy Selection...'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x83f8ea40: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> ''
==> (empty)
==> '83f8ea40: 50687920  53656c65  6374696f  6e000000 | Phy Selection...'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25  78000000  25733f20  5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354  33363836  5f444e41  5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864  760492845  842019376  808727097 | 90.0-T3-20200429'
detected profile fast3686(bfc), version DNA_3.490.0
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () []'
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM>'
<== '/call func -a 0xa03e1940 0x06bc0000 0x07dc0000'
==> ''
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
 <== '/write_memory -s 4 0xa03e1598 0x10000018'
==> (empty)
==> 'Calling function 0xa03e1940(0x6bc0000, 0x7dc0000)'
==> (empty)
==> 'CM>'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x85f00000 0x06bc0000 0x01200000'
==> ''
<== '/read_memory -s 4 -n 8192 0x85f00000'
==> (empty)
==> 'Calling function 0xa03e1408(0x85f00000, 0x6bc0000, 0x1200000)'
<== ''

During dumping I can be logged in to 192.168.1.1 (RG>), and the only log I see there is:

CM processor has crashed!
j0nh4t commented 4 years ago

I'm also tinkering with a FAST3686v2.

bcm2dump dump -vv -F -P fast3686 192.168.100.1,admin,pass flash linuxapps ./out/linuxapps.bin

I'm able to dump the linux image fine using the profile. ProgramStore can extract linux, but linuxapps fails similarly to @MalaikaBegum's; tried without the CRC check as well.

Here is my io.log:

./bcm2dump -vv  -L io.log info 192.168.100.1,admin,pass
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16

read incomplete chunk 0x80010000: 0/16; retrying
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16

read incomplete chunk 0x80eb8a90: 0/16; retrying

read incomplete chunk 0x80eb8a90: 0/16; retrying
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
adjusting dump params: 0x812df0e5,24 -> 0x812df0e4,32
adjusting dump params: 0x83f8f188,10 -> 0x83f8f188,16
adjusting dump params: 0x814e8eac,10 -> 0x814e8eac,16
adjusting dump params: 0x814e953c,10 -> 0x814e953c,16
adjusting dump params: 0x83f8e618,14 -> 0x83f8e618,16
adjusting dump params: 0x85f00014,6 -> 0x85f00014,16
profile auto-detection failed
su password is '$agem001'

io.log
bcm2dump v0.9.4-60-g6a6b885
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'admin'
==> 'admin'
==> 'Password:'
<== 'toor'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> 'CM_Console>'
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
<== ''
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80010000: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00603821  24020001  afa201bc  8fa201bc | .`8!$...........'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00603821  24020001  afa201bc  8fa201bc | .`8!$...........'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> (empty)
==> '8070244c: 24a56f20  8c430000  8c63fff4  00431821 | $.o .C...c...C.!'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 0c41ad1a  24a57518  00408821  96620094 | .A..$.u..@.!.b..'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> 'CM_Console> /system/diag readmem'
<== ''
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b328 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 80a28000 00000008 434d4170'
==> ''
==> (empty)
==> '80eb8a90: 3c050001  afb10004  34a55200  00808821 | <.......4.R....!'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80eb8a90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
<== ''
==> ''
==> (empty)
==> '80eb8a90: 3c050001  afb10004  34a55200  00808821 | <.......4.R....!'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM_Console>'

read incomplete chunk 0x80eb8a90: 0/16; retrying
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> ''
==> (empty)
==> '80eb8a90: 3c050001  afb10004  34a55200  00808821 | <.......4.R....!'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 8e030010  1060000b  00002821  24040012 | .....`....(!$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: 00000000  00000000  00010000  00000000 | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 3c05812e  24a5a600  3c06812e  0c26d771 | <...$...<....&.q'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 02021021  3463ffff  0062182b  5060ff0b | ...!4c...b.+P`..'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 00000000  00000000  00000000  0000003d | ...............='
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 8014d660  8014d660  8014d660  8014d660 | ...`...`...`...`'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 196cf8ff  cbd25adb  127a9895  ad476d86 | .l....Z..z...Gm.'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 03a40000  27a40000  42435e00  62322f00 | ....'...BC^.b2/.'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 42dc1631  0e8186f0  d0993861  19de5a2d | B..1......8a..Z-'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 626c6500  2d3c2573  3e2d0920  456e7465 | ble.-<%s>-. Ente'
==> '2164797368: 1919512167  543585646  1663044096  1717660787 | ring func ..fals'
adjusting dump params: 0x812df0e5,24 -> 0x812df0e4,32
<== '/system/diag readmem -s 4 -n 32 0x812df0e4'
==> (empty)
==> ''
==> (empty)
==> '812df0e4: 6e61626c  65640000  312e332e  362e312e | nabled..1.3.6.1.'
==> '2167271668: 875442478  875835699  775040562  775040561 | 4.1.4413.2.2.2.1'
adjusting dump params: 0x83f8f188,10 -> 0x83f8f188,16
<== '/system/diag readmem -s 4 -n 16 0x83f8f188'
==> (empty)
==> ''
==> (empty)
==> '83f8f188: 04010000  0fac020c  000b0501  00020000 | ................'
adjusting dump params: 0x814e8eac,10 -> 0x814e8eac,16
<== '/system/diag readmem -s 4 -n 16 0x814e8eac'
==> (empty)
==> ''
==> (empty)
==> '814e8eac: 74732069  6e207072  6f677265  73730000 | ts in progress..'
adjusting dump params: 0x814e953c,10 -> 0x814e953c,16
<== '/system/diag readmem -s 4 -n 16 0x814e953c'
==> (empty)
==> ''
==> (empty)
==> '814e953c: 74696f6e  73000000  6e6f7420  61757468 | tions...not auth'
<== '/system/diag readmem -s 4 -n 16 0x85f00014'
==> (empty)
==> ''
==> (empty)
==> '85f00014: ffffffff  ffffffff  ffffffff  ffffffff | ................'
<== '/system/diag readmem -s 4 -n 16 0x85f00014'
==> (empty)
==> ''
==> (empty)
==> '85f00014: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x83f8e618,14 -> 0x83f8e618,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e618'
==> (empty)
==> ''
==> (empty)
==> '83f8e618: 070f8c53  b481ffaa  ba84131a  331048b5 | ...S........3.H.'
adjusting dump params: 0x85f00014,6 -> 0x85f00014,16
<== '/system/diag readmem -s 4 -n 16 0x85f00014'
==> (empty)
==> ''
==> (empty)
==> '85f00014: ffffffff  ffffffff  ffffffff  ffffffff | ................'
profile auto-detection failed
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () []'
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> 'CM_Console>'
==> ''
==> 'CM>'
su password is '$agem001'
<== '/exit'

I cannot get the auto-detection to work, with or without the added delay in rwx.cc. fast3686 should be correct.

My version is FAST3686_DNA_3.495.0-20200715.bin

jclehner commented 4 years ago

@MalaikaBegum the latest commits should make the usleep unnecessary. I also hope to have fixed the crash, by changing the buffer location.

@j0nh4t auto-detection currently relies on finding certain strings at certain memory locations. The latest commit should automatically detect your profile. If you want to dump all nand partitions however, this still requires a dedicated profile for your firmware version, so I'd still need your image1.

j0nh4t commented 4 years ago

@jclehner

Here is my image1.zip

I'm having issues dumping linuxkfs, I have attached linuxkfs.log. The value for /flash/open is incorrect, which one should it be?

bcm2dump dump -vv -F -P fast3686 192.168.100.1,admin,toor flash linuxkfs linuxkfs.bin

  ==> 'Password: () [] $agem001'
  ==> 'Proceed with caution!'
  ==> 'Type 'exit' to return.'
  ==> (empty)
  ==> ''
  ==> 'CM>'
  <== '/flash/open linuxkfs'
  ==> ''
  ==> (empty)
  ==> 'ERROR:  Invalid value for parameter bootloader|image1|image2|image3|image3e|perm|dhtml|dyn!  'linuxkfs'  Must match one of the tokens!'
  ==> (empty)
  ==> 'COMMAND:  open'
  ==> (empty)
  ==> 'USAGE:  open  bootloader|image1|image2|image3|image3e|perm|dhtml|dyn'
  ==> (empty)
  ==> 'DESCRIPTION:'
  ==> 'Opens the flash driver for use by the console (locking out the rest of the'
  ==> 'application!) so that you can use the read/write/erase commands.  NOTE:  If'
  ==> 'you do something that would cause the driver to be opened again (write'
  ==> 'nonvol, dload an image, etc), then the operation will be blocked until you'
  ==> 'run the close command, or it may fail.'
  ==> (empty)
  ==> 'EXAMPLES:'
  ==> 'open image2  -- Opens the image2 region for read/write/erase'
  ==> (empty)
  ==> 'CM>'
  <== '/flash/close'
  ==> ''
  ==> (empty)
  ==> 'Flash driver closed.'
  ==> (empty)
  ==> 'CM>'
  <== '/exit'
MalaikaBegum commented 4 years ago

@MalaikaBegum the latest commits should make the usleep unnecessary. I also hope to have fixed the crash, by changing the buffer location.

usleep is not needed anymore, and profile is autodetected.

But dumping linuxkfs and linuxapps is not working. This time the box reboots without any text in the RG console.

./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.bin_new2
bcm2dump v0.9.4-69-g30bf260
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0
dumping flash:0x00000000-0x04c3ffff (79953920 b)
 ---.--% (0x00000000)      0 |     0  bytes/s (ETA      00:00:00)
error: read incomplete chunk 0x00000000: 0/8192

context:
  ==> '2164797368: 959458864  760492845  842019376  808727097 | 90.0-T3-20200429'
  ==> (empty)
  ==> 'CM_Console>'
  <== 'su'
  <== '$agem001'
  ==> 'su'
  <== ''
  ==> (empty)
  ==> 'Password: () [] $agem001'
  ==> 'Proceed with caution!'
  ==> 'Type 'exit' to return.'
  ==> (empty)
  ==> ''
  ==> 'CM>'
  <== '/docsis/scan_stop'
  <== '/call func -a 0xa03e1940 0x00000000 0x04c40000'
  <== ''
  ==> ''
  ==> (empty)
  ==> '[00:07:00 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain:  (Scan Downstream Thread) Downstream Channel scan stopped!'
  ==> (empty)
  ==> ''
  ==> (empty)
  ==> 'Calling function 0xa03e1940(0, 0x4c40000)'
  ==> (empty)
  ==> ''
  ==> 'CM>'
  <== '/write_memory -s 4 0xa03e1598 0x10000018'
  ==> ''
  ==> (empty)
  ==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
  ==> (empty)
  ==> 'CM>'
  <== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x04c40000'
  <== ''
  ==> ''
  ==> (empty)
  ==> 'Calling function 0xa03e1408(0x88000000, 0, 0x4c40000)'
  <== '/read_memory -s 4 -n 8192 0x88000000'
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== '/exit'

cat io.log
bcm2dump v0.9.4-69-g30bf260
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8  9665003c  0c41a8a2  00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120  0c41abf4  24a571b8  96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6  8fbf0114  0c1ec594  00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005  00a21821  24630008  24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018  8fb10014  8fb00010  03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024  0c36f75a  02002021  1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001  0106102a  10400003  0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f  6e3a2020  25730a00  62636d56 | rsion:  %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 3c000103  10490006  00372a00  012056f4 | <....I...7*.. V.'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 50687920  53656c65  6374696f  6e000000 | Phy Selection...'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25  78000000  25733f20  5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354  33363836  5f444e41  5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864  760492845  842019376  808727097 | 90.0-T3-20200429'
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () [] $agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
detected profile fast3686(bfc), version DNA_3.490.0
<== '/docsis/scan_stop'
<== '/call func -a 0xa03e1940 0x00000000 0x04c40000'
<== ''
==> ''
==> (empty)
==> '[00:07:00 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain:  (Scan Downstream Thread) Downstream Channel scan stopped!'
==> (empty)
==> ''
==> (empty)
==> 'Calling function 0xa03e1940(0, 0x4c40000)'
==> (empty)
==> ''
==> 'CM>'
dumping flash:0x00000000-0x04c3ffff (79953920 b)
 <== '/write_memory -s 4 0xa03e1598 0x10000018'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x04c40000'
<== ''
==> ''
==> (empty)
==> 'Calling function 0xa03e1408(0x88000000, 0, 0x4c40000)'
<== '/read_memory -s 4 -n 8192 0x88000000'
jclehner commented 4 years ago

@j0nh4t @MalaikaBegum please try again, using the latest commits.

j0nh4t commented 4 years ago

Profile detection seems to work.

./bcm2dump info -vv 192.168.100.1,admin,toor
bcm2dump v0.9.4-72-g775a828
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
adjusting dump params: 0x81083440,29 -> 0x81083440,32
detected profile fast3686(bfc), version DNA_3.490.0
fast3686: Sagemcom F@ST 3686
============================
pssig         0xd06e
blsig         0x3384

ram           0x80000000 - 0x8fffffff  (   256 MB)  RW
------------------------------------------------------
(no partitions defined)

nvram         0x00000000 - 0x003fffff  (     4 MB)  RO
------------------------------------------------------
bootloader    0x00000000 - 0x0000ffff  (    64 KB)
permnv        0x00010000 - 0x0002ffff  (   128 KB)
dynnv         0x003c0000 - 0x003fffff  (   256 KB)

flash         0x00000000 - 0x07ffffff  (   128 MB)  RO
------------------------------------------------------
linuxapps     0x00000000 - 0x04c3ffff  ( 78080 KB)
image1        0x04c40000 - 0x059bffff  ( 13824 KB)
image2        0x059c0000 - 0x0673ffff  ( 13824 KB)
linux         0x06740000 - 0x06bbffff  (  4608 KB)
linuxkfs      0x06bc0000 - 0x07dbffff  (    18 MB)
dhtml         0x07dc0000 - 0x07ffffff  (  2304 KB)

My modem is crashing now as well when trying to dump. Logs: linuxapps.log image1.log

jclehner commented 4 years ago

I'm pretty sure that it has something to do with the buffer address. Can you try dumping just 1 KiB of the linuxapps partition?

$ bcm2dump -vv dump -L io.log 192.168.100.1,user,pass flash linuxapps,1k linuxapps.bin_1k

Also, on the firmware console, please try running the following command, and post its output:

CM> /call malloc -r 0x4c40000
MalaikaBegum commented 4 years ago

I first checked

/call malloc -r 0x4c40000

Calling malloc(79953920)
Return value = 0 (0)

Router still reboots when trying to dump:

./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxapps,1k linuxapps.bin_new2
bcm2dump v0.9.4-72-g775a828
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x00000000-0x000003ff (1024 b)
 ---.--% (0x00000000)      0 |     0  bytes/s (ETA      00:00:00)
error: read incomplete chunk 0x00000000: 0/1024

context:
  ==> 'Proceed with caution!'
  ==> 'Type 'exit' to return.'
  ==> (empty)
  ==> ''
  ==> 'CM>'
  <== '/docsis/scan_stop'
  <== '/call func -a 0xa03e1940 0x00000000 0x00000400'
  <== ''
  ==> ''
  ==> (empty)
  ==> '[10:52:07 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain:  (Scan Downstream Thread) Downstream Channel scan stopped!'
  ==> (empty)
  ==> ''
  ==> (empty)
  ==> 'Calling function 0xa03e1940(0, 0x400)'
  ==> (empty)
  ==> ''
  ==> 'CM>'
  <== '/write_memory -s 4 0xa03e1598 0x10000018'
  ==> ''
  ==> (empty)
  ==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
  ==> (empty)
  ==> 'CM>'
  <== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400'
  <== ''
  ==> ''
  ==> (empty)
  ==> 'Calling function 0xa03e1408(0x88000000, 0, 0x400)'
  ==> (empty)
  ==> 'CM>'
  <== '/read_memory -s 4 -n 1024 0x88000000'
  ==> '=====> send_dqm_message WARNING: send failed, retry 1'
  ==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
  ==> 'msg 0x8303b988 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
  ==> 'Len: 4 38040000 81180000 00000008 434d4170'
  ==> '=====> send_dqm_message WARNING: send failed, retry 2'
  ==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
  ==> 'msg 0x8303'
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== '/exit'

cat io.log 
bcm2dump v0.9.4-72-g775a828
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> ''
==> 'CM_Console>'
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8  9665003c  0c41a8a2  00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120  0c41abf4  24a571b8  96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6  8fbf0114  0c1ec594  00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005  00a21821  24630008  24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018  8fb10014  8fb00010  03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024  0c36f75a  02002021  1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001  0106102a  10400003  0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f  6e3a2020  25730a00  62636d56 | rsion:  %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 3c000103  10490006  00372a00  012008cc | <....I...7*.. ..'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 02000000  00008048  02000b10  18008b01 | .......H........'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25  78000000  25733f20  5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354  33363836  5f444e41  5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864  760492845  842019376  808727097 | 90.0-T3-20200429'
==> (empty)
==> 'CM_Console>'
<== 'su'
<== '$agem001'
==> 'su'
<== ''
==> (empty)
==> 'Password: () [] $agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
detected profile fast3686(bfc), version DNA_3.490.0-T3
<== '/docsis/scan_stop'
<== '/call func -a 0xa03e1940 0x00000000 0x00000400'
<== ''
==> ''
==> (empty)
==> '[10:52:07 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain:  (Scan Downstream Thread) Downstream Channel scan stopped!'
==> (empty)
==> ''
==> (empty)
==> 'Calling function 0xa03e1940(0, 0x400)'
==> (empty)
==> ''
==> 'CM>'
dumping flash:0x00000000-0x000003ff (1024 b)
 <== '/write_memory -s 4 0xa03e1598 0x10000018'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400'
<== ''
==> ''
==> (empty)
==> 'Calling function 0xa03e1408(0x88000000, 0, 0x400)'
==> (empty)
==> 'CM>'
<== '/read_memory -s 4 -n 1024 0x88000000'
==> '=====> send_dqm_message WARNING: send failed, retry 1'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303b988 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
==> 'Len: 4 38040000 81180000 00000008 434d4170'
==> '=====> send_dqm_message WARNING: send failed, retry 2'
==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
==> 'msg 0x8303'
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== ''
<== '/exit'

error: read incomplete chunk 0x00000000: 0/1024

context:
  ==> 'Proceed with caution!'
  ==> 'Type 'exit' to return.'
  ==> (empty)
  ==> ''
  ==> 'CM>'
  <== '/docsis/scan_stop'
  <== '/call func -a 0xa03e1940 0x00000000 0x00000400'
  <== ''
  ==> ''
  ==> (empty)
  ==> '[10:52:07 01/01/1970] [Scan Downstream Thread] BcmGenericCmDownstreamScanThread::ThreadMain:  (Scan Downstream Thread) Downstream Channel scan stopped!'
  ==> (empty)
  ==> ''
  ==> (empty)
  ==> 'Calling function 0xa03e1940(0, 0x400)'
  ==> (empty)
  ==> ''
  ==> 'CM>'
  <== '/write_memory -s 4 0xa03e1598 0x10000018'
  ==> ''
  ==> (empty)
  ==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
  ==> (empty)
  ==> 'CM>'
  <== '/call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400'
  <== ''
  ==> ''
  ==> (empty)
  ==> 'Calling function 0xa03e1408(0x88000000, 0, 0x400)'
  ==> (empty)
  ==> 'CM>'
  <== '/read_memory -s 4 -n 1024 0x88000000'
  ==> '=====> send_dqm_message WARNING: send failed, retry 1'
  ==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
  ==> 'msg 0x8303b988 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0'
  ==> 'Len: 4 38040000 81180000 00000008 434d4170'
  ==> '=====> send_dqm_message WARNING: send failed, retry 2'
  ==> '<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>'
  ==> 'msg 0x8303'
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== ''
  <== '/exit'
j0nh4t commented 4 years ago

Similar errors for me. Here are some additional logs:

./bcm2dump -vv info -L io.log 192.168.100.1,admin,toor
bcm2dump v0.9.4-72-g775a828
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
adjusting dump params: 0x81083440,29 -> 0x81083440,32
detected profile fast3686(bfc), version DNA_3.490.0
fast3686: Sagemcom F@ST 3686
============================
pssig         0xd06e
blsig         0x3384

ram           0x80000000 - 0x8fffffff  (   256 MB)  RW
------------------------------------------------------
(no partitions defined)

nvram         0x00000000 - 0x003fffff  (     4 MB)  RO
------------------------------------------------------
bootloader    0x00000000 - 0x0000ffff  (    64 KB)
permnv        0x00010000 - 0x0002ffff  (   128 KB)
dynnv         0x003c0000 - 0x003fffff  (   256 KB)

flash         0x00000000 - 0x07ffffff  (   128 MB)  RO
------------------------------------------------------
linuxapps     0x00000000 - 0x04c3ffff  ( 78080 KB)
image1        0x04c40000 - 0x059bffff  ( 13824 KB)
image2        0x059c0000 - 0x0673ffff  ( 13824 KB)
linux         0x06740000 - 0x06bbffff  (  4608 KB)
linuxkfs      0x06bc0000 - 0x07dbffff  (    18 MB)
dhtml         0x07dc0000 - 0x07ffffff  (  2304 KB)
CM> /call malloc -r 0x4c40000

Calling malloc(79953920)
Return value = 0 (0)

./bcm2dump -vv dump -L linuxapps_1k.log 192.168.100.1,admin,toor flash linuxapps,1k linuxapps.bin_1k linuxapps_1k.log image1_1k.log

jclehner commented 4 years ago

Hmm... what happens if you execute the following commands manually?

@j0nh4t

/read_memory -s 4 -n 1024 0x88000000
/call func -a 0xa03e1e50 0x00000000 0x00000400
/call func -a 0xa03e1918 0x88000000 0x00000000 0x00000400
/read_memory -s 4 -n 1024 0x88000000

@MalaikaBegum

/read_memory -s 4 -n 1024 0x88000000
/call func -a 0xa03e1940 0x00000000 0x00000400
/call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400
/read_memory -s 4 -n 1024 0x88000000

Also try varying 0x88000000, e.g. try 0x86000000 or 0x87000000.

MalaikaBegum commented 4 years ago

With value: 0x88000000

CM> /read_memory -s 4 -n 1024 0x88000000

88000000: 401a6800  00000000  335a007f  3c1b8000 | @.h.....3Z..<...
88000010: 277b0300  037ad820  8f7b0000  03600008 | '{...z. .{...`..
88000020: 00000000  3c0c8000  2d54332d  6170702d | ....<...-T3-app-
88000030: 32303230  30343239  2e62696e  00000000 | 20200429.bin....
88000040: 00000000  00000000  00000000  00019000 | ................
88000050: 00280000  a9340000  8758ba30  63609086 | .(...4...X.0c`..
88000060: aa8ce00a  dfbeb6fd  f768b698  5ef31223 | .........h..^..#
88000070: e9f3d61b  a5714987  8094f0cd  406e4f84 | .....qI.....@nO.
88000080: 345fb37f  1db38aee  9c8c135f  dfaf4380 | 4_........._..C.
88000090: aaa485f7  9f69a881  e3573c30  8b7c7555 | .....i...W<0.|uU
880000a0: c554c1f8  ab8a1158  c57acea0  bfad34f9 | .T.....X.z....4.
880000b0: 978b987e  a67c201b  b8574e27  1e5f08f1 | ...~.| ..WN'._..
880000c0: e94b1b0c  e6befcac  de757c31  f834bdc2 | .K.......u|1.4..
880000d0: 82f2732f  bd6b7233  ef007747  df83cf56 | ..s/.kr3..wG...V
880000e0: ce546631  68ae8284  3c16aeaa  0b1c6223 | .Tf1h...<.....b#
880000f0: d2c89a0a  74c10313  29aecfea  0404cea7 | ....t...).......
88000100: 401a6800  00000000  335a007f  3c1b8000 | @.h.....3Z..<...
88000110: 277b0300  037ad820  8f7b0000  03600008 | '{...z. .{...`..
88000120: 00000000  3c0c8000  f973dd29  3b84b294 | ....<....s.);...
88000130: 3f7afe0e  1ac889b4  a174354f  b45e595a | ?z.......t5O.^YZ
88000140: af14e6e0  2d97144f  917df4e5  961e54d2 | ....-..O.}....T.
88000150: 22b51c39  184ec125  a087f879  e49f5d4d | "..9.N.%...y..]M
88000160: a45b95ab  0f56fddb  3e236f48  aa54a8a8 | .[...V..>#oH.T..
88000170: e31dbe04  ba4abb87  086f0348  f6241492 | .....J...o.H.$..
88000180: 401a6800  00000000  335a007f  3c1b8000 | @.h.....3Z..<...
88000190: 277b0300  037ad820  8f7b0000  03600008 | '{...z. .{...`..
880001a0: 00000000  3c0c8000  c94cf1f0  3fdf0327 | ....<....L..?..'
880001b0: e666e183  8ef497ce  c1c5a045  0740f2ca | .f.........E.@..
880001c0: 92b894a2  ea137f34  147c736e  5eafe8dd | .......4.|sn^...
880001d0: 573b8f2f  87c009f9  b0787b68  50aae70e | W;./.....x{hP...
880001e0: 550924a3  ca1a9132  318de945  8c207f68 | U.$....21..E. .h
880001f0: 0490d890  3ea9c0e2  f85948a3  0ef2fb23 | ....>....YH....#
88000200: 5c8cf4b1  318f8b77  df8a8ab4  1bc44d06 | \...1..w......M.
88000210: 276233ec  f257606a  c52de5ee  ccfd9c78 | 'b3..W`j.-.....x
88000220: a63c5301  752b06c6  32e311ef  ef2940c5 | .<S.u+..2....)@.
88000230: 81a3cd3f  78c9c3c2  2a6020dd  3b025866 | ...?x...*` .;.Xf
88000240: 3cfe8acf  9f23a191  3269dda8  8a20794b | <....#..2i... yK
88000250: b7f8d7e0  9257cfaa  ff1253b0  20f14a68 | .....W....S. .Jh
88000260: 1d898f0a  57f915ef  746b02cc  8066f349 | ....W...tk...f.I
88000270: 233139d4  11c2a296  c5e4d72b  bb79e9c5 | #19........+.y..
88000280: dcf66991  94724ca1  f055f59f  d128e81e | ..i..rL..U...(..
88000290: db08720d  9004f291  011663f6  b17d1c98 | ..r.......c..}..
880002a0: b61fd744  ea177022  058c5101  34e861c5 | ...D..p"..Q.4.a.
880002b0: 5a3753e1  31c1bd4d  4c237e6c  2d9d9329 | Z7S.1..ML#~l-..)
880002c0: 4f8cae87  22d75d2f  e2c768ca  d4416a3b | O...".]/..h..Aj;
880002d0: 97a4cf62  a2f87db6  ff7ef603  bccdd3fc | ...b..}..~......
880002e0: 5d0ab571  96b94308  f9445e97  e9fcc121 | ]..q..C..D^....!
880002f0: fdef74ea  99c76b66  205aaddf  f4bd9168 | ..t...kf Z.....h
88000300: 800043ec  800042e0  800042e0  800042e0 | ..C...B...B...B.
88000310: 800042e0  800042e0  800042e0  800042e0 | ..B...B...B...B.
88000320: 800042e0  800048cc  800042e0  800042e0 | ..B...H...B...B.
88000330: 800042e0  800042e0  800042e0  800042e0 | ..B...B...B...B.
88000340: 29f26ffd  053cfbc7  12785c3c  b1694b95 | ).o..<...x\<.iK.
88000350: 3131623a  6483c478  b5496d64  59a71af7 | 11b:d..x.ImdY...
88000360: 7d102f2d  5cc35818  8df1a8ea  0ef8d4c5 | }./-\.X.........
88000370: 8368d361  3a84eb3c  0485ae3a  a9a7de26 | .h.a:..<...:...&
88000380: 800042e0  800042e0  800042e0  8bb1b4ca | ..B...B...B.....
88000390: bf289c94  ba357bf5  57735999  955e6c9a | .(...5{.WsY..^l.
880003a0: 43559b1b  583a73bd  41b91b91  e5df26f6 | CU..X:s.A.....&.
880003b0: a7ae8687  444f744a  a8189c0d  66e76fcc | ....DOtJ....f.o.
880003c0: 33ba4f9c  e7d96f83  0a4a5c1a  d37b152a | 3.O...o..J\..{.*
880003d0: aa8aecae  d3be2156  d3840433  f1e233d3 | ......!V...3..3.
880003e0: 41c800be  1130fba1  fba030a0  44f9b815 | A....0....0.D...
880003f0: ee598c11  5fcdd06a  f1fa9078  5ef73dae | .Y.._..j...x^.=.

CM> /call func -a 0xa03e1940 0x00000000 0x00000400

Calling function 0xa03e1940(0, 0x400)

CM> /call func -a 0xa03e1408 0x88000000 0x00000000 0x00000400

Calling function 0xa03e1408(0x88000000, 0, 0x400)

CM> =====> send_dqm_message WARNING: send failed, retry 1
<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>
msg 0x8303b9d8 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0
Len: 4 38040000 81200000 00000008 434d4170
=====> send_dqm_message WARNING: send failed, retry 2
<<<<<<<<<<<<< rpc_dump_msg >>>>>>>>>>>>>>>>>>
msg 0x8303b9d8 ID 14 Req 0 Rep 0 Serv ITCn Func 0 reqcnt 0
Len: 4 3

And the router crashed in the middle of the output.

Next value: 0x86000000

 CM> /read_memory -s 4 -n 1024 0x86000000
 86000000: 3c1b864c  401a4000  8f7bc000  001ad582 | <..L@.@..{......
 86000010: 001ad080  037ad821  401a2000  8f7b0000 | .....z.!@. ..{..
 86000020: 001ad042  335a0ff8  037ad821  8f7a0000 | ...B3Z...z.!.z..
 86000030: 8f7b0004  001ad182  409a1000  001bd982 | .{......@.......
 86000040: 409b1800  04030001  42000006  00000000 | @.......B.......
 86000050: 42000018  00000000  00000000  00000000 | B...............
 86000060: 00000000  00000000  00000000  00000000 | ................
 86000070: 00000000  00000000  00000000  00000000 | ................
 86000080: 00000000  00000000  00000000  00000000 | ................
 86000090: 00000000  00000000  00000000  00000000 | ................
 860000a0: 00000000  00000000  00000000  00000000 | ................
 860000b0: 00000000  00000000  00000000  00000000 | ................
 860000c0: 00000000  00000000  00000000  00000000 | ................
 860000d0: 00000000  00000000  00000000  00000000 | ................
 860000e0: 00000000  00000000  00000000  00000000 | ................
 860000f0: 00000000  00000000  00000000  00000000 | ................
 86000100: 401a8000  241bfff8  035bd024  375a0002 | @...$....[.$7Z..
 86000110: 409a8000  00000000  00000000  00000000 | @...............
 86000120: 09803399  00000000  00000000  00000000 | ..3.............
 86000130: 27bdffe0  afbf0018  afb10014  afb00010 | '...............
 86000140: 00808821  3c028647  8c45dfec  10a00019 | ...!<..G.E......
 86000150: 309000ff  90a20008  0202102b  14400012 | 0..........+.@..
 86000160: 00000000  90a20009  0050102b  1440000e | .........P.+.@..
 86000170: 00000000  8ca40024  10800030  24020002 | .......$...0$...
 86000180: 401b6800  337b007c  3c1a864b  035bd021 | @.h.3{.|<..K.[.!
 86000190: 8f5a7420  03400008  00000000  401b6800 | .Zt .@......@.h.
 860001a0: 241a007c  337b007c  137a0007  241a0038 | $..|3{.|.z..$..8
 860001b0: 137a0011  3c1a864b  035bd021  8f5a7420 | .z..<..K.[.!.Zt 
 860001c0: 03400008  00000000  401a4000  241bfffc | .@......@.@.$...
 860001d0: 035bd024  4080e000  bf490000  bf570000 | .[.$@....I...W..
 860001e0: 3c1a864b  275a75d0  8f5b0000  277b0001 | <..K'Zu..[..'{..
 860001f0: af5b0000  42000018  401a4000  00000000 | .[..B...@.@.....
 86000200: 098005c8  00000000  00000000  00000000 | ................
 86000210: 00000000  00000000  00000000  00000000 | ................
 86000220: 00000000  00000000  00000000  00000000 | ................
 86000230: 00000000  00000000  00000000  00000000 | ................
 86000240: 00000000  00000000  00000000  00000000 | ................
 86000250: 00000000  00000000  00000000  00000000 | ................
 86000260: 00000000  00000000  00000000  00000000 | ................
 86000270: 00000000  00000000  00000000  00000000 | ................
 86000280: 1000ffff  00000000  00000000  00000000 | ................
 86000290: 00000000  00000000  00000000  00000000 | ................
 860002a0: 00000000  00000000  00000000  00000000 | ................
 860002b0: 00000000  00000000  00000000  00000000 | ................
 860002c0: 00000000  00000000  00000000  00000000 | ................
 860002d0: 00000000  00000000  00000000  00000000 | ................
 860002e0: 00000000  00000000  00000000  00000000 | ................
 860002f0: 00000000  00000000  00000000  00000000 | ................
 86000300: 1000ffff  00000000  00000000  00000000 | ................
 86000310: 00000000  00000000  00000000  00000000 | ................
 86000320: 00000000  00000000  00000000  00000000 | ................
 86000330: 00000000  00000000  00000000  00000000 | ................
 86000340: 00000000  00000000  00000000  00000000 | ................
 86000350: 00000000  00000000  00000000  00000000 | ................
 86000360: 00000000  00000000  00000000  00000000 | ................
 86000370: 00000000  00000000  00000000  00000000 | ................
 86000380: 1000ffff  00000000  00000000  00000000 | ................
 86000390: 00000000  00000000  00000000  00000000 | ................
 860003a0: 00000000  00000000  00000000  00000000 | ................
 860003b0: 00000000  00000000  00000000  00000000 | ................
 860003c0: 00000000  00000000  00000000  00000000 | ................
 860003d0: 00000000  00000000  00000000  00000000 | ................
 860003e0: 00000000  00000000  00000000  00000000 | ................
 860003f0: 81ae0250  00000000  00000000  00000000 | ...P............

 CM> /call func -a 0xa03e1940 0x00000000 0x00000400

 Calling function 0xa03e1940(0, 0x400)

 CM> /call func -a 0xa03e1408 0x86000000 0x00000000 0x00000400

 Calling function 0xa03e1408(0x86000000, 0, 0x400)
 NandFlashRead: Detected out-of-order block @offset 0x0, tagged offset 0x0, expected offset 0xf9440000
 NandFlashRead: Failed to find replacement block!

 /read_memory -s 4 -n 1024 0x86000000                     

 86000000: 3c1b864c  401a4000  8f7bc000  001ad582 | <..L@.@..{......
 86000010: 001ad080  037ad821  401a2000  8f7b0000 | .....z.!@. ..{..
 86000020: 001ad042  335a0ff8  037ad821  8f7a0000 | ...B3Z...z.!.z..
 86000030: 8f7b0004  001ad182  409a1000  001bd982 | .{......@.......
 86000040: 409b1800  04030001  42000006  00000000 | @.......B.......
 86000050: 42000018  00000000  00000000  00000000 | B...............
 86000060: 00000000  00000000  00000000  00000000 | ................
 86000070: 00000000  00000000  00000000  00000000 | ................
 86000080: 00000000  00000000  00000000  00000000 | ................
 86000090: 00000000  00000000  00000000  00000000 | ................
 860000a0: 00000000  00000000  00000000  00000000 | ................
 860000b0: 00000000  00000000  00000000  00000000 | ................
 860000c0: 00000000  00000000  00000000  00000000 | ................
 860000d0: 00000000  00000000  00000000  00000000 | ................
 860000e0: 00000000  00000000  00000000  00000000 | ................
 860000f0: 00000000  00000000  00000000  00000000 | ................
 86000100: 401a8000  241bfff8  035bd024  375a0002 | @...$....[.$7Z..
 86000110: 409a8000  00000000  00000000  00000000 | @...............
 86000120: 09803399  00000000  00000000  00000000 | ..3.............
 86000130: 27bdffe0  afbf0018  afb10014  afb00010 | '...............
 86000140: 00808821  3c028647  8c45dfec  10a00019 | ...!<..G.E......
 86000150: 309000ff  90a20008  0202102b  14400012 | 0..........+.@..
 86000160: 00000000  90a20009  0050102b  1440000e | .........P.+.@..
 86000170: 00000000  8ca40024  10800030  24020002 | .......$...0$...
 86000180: 401b6800  337b007c  3c1a864b  035bd021 | @.h.3{.|<..K.[.!
 86000190: 8f5a7420  03400008  00000000  401b6800 | .Zt .@......@.h.
 860001a0: 241a007c  337b007c  137a0007  241a0038 | $..|3{.|.z..$..8
 860001b0: 137a0011  3c1a864b  035bd021  8f5a7420 | .z..<..K.[.!.Zt 
 860001c0: 03400008  00000000  401a4000  241bfffc | .@......@.@.$...
 860001d0: 035bd024  4080e000  bf490000  bf570000 | .[.$@....I...W..
 860001e0: 3c1a864b  275a75d0  8f5b0000  277b0001 | <..K'Zu..[..'{..
 860001f0: af5b0000  42000018  401a4000  00000000 | .[..B...@.@.....
 86000200: 098005c8  00000000  00000000  00000000 | ................
 86000210: 00000000  00000000  00000000  00000000 | ................
 86000220: 00000000  00000000  00000000  00000000 | ................
 86000230: 00000000  00000000  00000000  00000000 | ................
 86000240: 00000000  00000000  00000000  00000000 | ................
 86000250: 00000000  00000000  00000000  00000000 | ................
 86000260: 00000000  00000000  00000000  00000000 | ................
 86000270: 00000000  00000000  00000000  00000000 | ................
 86000280: 1000ffff  00000000  00000000  00000000 | ................
 86000290: 00000000  00000000  00000000  00000000 | ................
 860002a0: 00000000  00000000  00000000  00000000 | ................
 860002b0: 00000000  00000000  00000000  00000000 | ................
 860002c0: 00000000  00000000  00000000  00000000 | ................
 860002d0: 00000000  00000000  00000000  00000000 | ................
 860002e0: 00000000  00000000  00000000  00000000 | ................
 860002f0: 00000000  00000000  00000000  00000000 | ................
 86000300: 1000ffff  00000000  00000000  00000000 | ................
 86000310: 00000000  00000000  00000000  00000000 | ................
 86000320: 00000000  00000000  00000000  00000000 | ................
 86000330: 00000000  00000000  00000000  00000000 | ................
 86000340: 00000000  00000000  00000000  00000000 | ................
 86000350: 00000000  00000000  00000000  00000000 | ................
 86000360: 00000000  00000000  00000000  00000000 | ................
 86000370: 00000000  00000000  00000000  00000000 | ................
 86000380: 1000ffff  00000000  00000000  00000000 | ................
 86000390: 00000000  00000000  00000000  00000000 | ................
 860003a0: 00000000  00000000  00000000  00000000 | ................
 860003b0: 00000000  00000000  00000000  00000000 | ................
 860003c0: 00000000  00000000  00000000  00000000 | ................
 860003d0: 00000000  00000000  00000000  00000000 | ................
 860003e0: 00000000  00000000  00000000  00000000 | ................
 860003f0: 81ae0250  00000000  00000000  00000000 | ...P............

(I rebooted the router in between.) Next value: 0x87000000

CM> /read_memory -s 4 -n 1024 0x87000000
87000000: d06e0100  00020017  5ea94be9  0029ffa4 | .n......^.K..)..
87000010: 7e000000  46415354  33363836  5f444e41 | ~...FAST3686_DNA
87000020: 5f332e34  39302e30  2d54332d  6170702d | _3.490.0-T3-app-
87000030: 32303230  30343239  2e62696e  00000000 | 20200429.bin....
87000040: 00000000  00000000  00000000  00019000 | ................
87000050: 00280000  a9340000  8758ba30  63609086 | .(...4...X.0c`..
87000060: aa8ce00a  dfbeb6fd  f768b698  5ef31223 | .........h..^..#
87000070: e9f3d61b  a5714987  8094f0cd  406e4f84 | .....qI.....@nO.
87000080: 345fb37f  1db38aee  9c8c135f  dfaf4380 | 4_........._..C.
87000090: aaa485f7  9f69a881  e3573c30  8b7c7555 | .....i...W<0.|uU
870000a0: c554c1f8  ab8a1158  c57acea0  bfad34f9 | .T.....X.z....4.
870000b0: 978b987e  a67c201b  b8574e27  1e5f08f1 | ...~.| ..WN'._..
870000c0: e94b1b0c  e6befcac  de757c31  f834bdc2 | .K.......u|1.4..
870000d0: 82f2732f  bd6b7233  ef007747  df83cf56 | ..s/.kr3..wG...V
870000e0: ce546631  68ae8284  3c16aeaa  0b1c6223 | .Tf1h...<.....b#
870000f0: d2c89a0a  74c10313  29aecfea  0404cea7 | ....t...).......
87000100: 7313a6a6  6a9cb782  7aaff66f  b149001d | s...j...z..o.I..
87000110: 0ef916bc  2aea93c4  0174816e  b60a9cc3 | ....*....t.n....
87000120: 7e876f1e  a48c40ed  f973dd29  3b84b294 | ~.o...@..s.);...
87000130: 3f7afe0e  1ac889b4  a174354f  b45e595a | ?z.......t5O.^YZ
87000140: af14e6e0  2d97144f  917df4e5  961e54d2 | ....-..O.}....T.
87000150: 22b51c39  184ec125  a087f879  e49f5d4d | "..9.N.%...y..]M
87000160: a45b95ab  0f56fddb  3e236f48  aa54a8a8 | .[...V..>#oH.T..
87000170: e31dbe04  ba4abb87  086f0348  f6241492 | .....J...o.H.$..
87000180: d579a1fd  88597ceb  4f512a36  f7fdec08 | .y...Y|.OQ*6....
87000190: 1504d046  4a773c3c  c852c168  1108974e | ...FJw<<.R.h...N
870001a0: 7343619c  7951e612  c94cf1f0  3fdf0327 | sCa.yQ...L..?..'
870001b0: e666e183  8ef497ce  c1c5a045  0740f2ca | .f.........E.@..
870001c0: 92b894a2  ea137f34  147c736e  5eafe8dd | .......4.|sn^...
870001d0: 573b8f2f  87c009f9  b0787b68  50aae70e | W;./.....x{hP...
870001e0: 550924a3  ca1a9132  318de945  8c207f68 | U.$....21..E. .h
870001f0: 0490d890  3ea9c0e2  f85948a3  0ef2fb23 | ....>....YH....#
87000200: 5c8cf4b1  318f8b77  df8a8ab4  1bc44d06 | \...1..w......M.
87000210: 276233ec  f257606a  c52de5ee  ccfd9c78 | 'b3..W`j.-.....x
87000220: a63c5301  752b06c6  32e311ef  ef2940c5 | .<S.u+..2....)@.
87000230: 81a3cd3f  78c9c3c2  2a6020dd  3b025866 | ...?x...*` .;.Xf
87000240: 3cfe8acf  9f23a191  3269dda8  8a20794b | <....#..2i... yK
87000250: b7f8d7e0  9257cfaa  ff1253b0  20f14a68 | .....W....S. .Jh
87000260: 1d898f0a  57f915ef  746b02cc  8066f349 | ....W...tk...f.I
87000270: 233139d4  11c2a296  c5e4d72b  bb79e9c5 | #19........+.y..
87000280: dcf66991  94724ca1  f055f59f  d128e81e | ..i..rL..U...(..
87000290: db08720d  9004f291  011663f6  b17d1c98 | ..r.......c..}..
870002a0: b61fd744  ea177022  058c5101  34e861c5 | ...D..p"..Q.4.a.
870002b0: 5a3753e1  31c1bd4d  4c237e6c  2d9d9329 | Z7S.1..ML#~l-..)
870002c0: 4f8cae87  22d75d2f  e2c768ca  d4416a3b | O...".]/..h..Aj;
870002d0: 97a4cf62  a2f87db6  ff7ef603  bccdd3fc | ...b..}..~......
870002e0: 5d0ab571  96b94308  f9445e97  e9fcc121 | ]..q..C..D^....!
870002f0: fdef74ea  99c76b66  205aaddf  f4bd9168 | ..t...kf Z.....h
87000300: 2fc030fc  32d69495  4e8c1395  b7cfd502 | /.0.2...N.......
87000310: 945a7c16  cc8392f7  b0308d92  a3e9d069 | .Z|......0.....i
87000320: 5005b858  b21ed293  9edc6ce0  dd6afaa1 | P..X......l..j..
87000330: 22d85910  76c16d93  605b5da9  3de9bed9 | ".Y.v.m.`[].=...
87000340: 29f26ffd  053cfbc7  12785c3c  b1694b95 | ).o..<...x\<.iK.
87000350: 3131623a  6483c478  b5496d64  59a71af7 | 11b:d..x.ImdY...
87000360: 7d102f2d  5cc35818  8df1a8ea  0ef8d4c5 | }./-\.X.........
87000370: 8368d361  3a84eb3c  0485ae3a  a9a7de26 | .h.a:..<...:...&
87000380: 82c337f2  a755b88e  675c8e1b  8bb1b4ca | ..7..U..g\......
87000390: bf289c94  ba357bf5  57735999  955e6c9a | .(...5{.WsY..^l.
870003a0: 43559b1b  583a73bd  41b91b91  e5df26f6 | CU..X:s.A.....&.
870003b0: a7ae8687  444f744a  a8189c0d  66e76fcc | ....DOtJ....f.o.
870003c0: 33ba4f9c  e7d96f83  0a4a5c1a  d37b152a | 3.O...o..J\..{.*
870003d0: aa8aecae  d3be2156  d3840433  f1e233d3 | ......!V...3..3.
870003e0: 41c800be  1130fba1  fba030a0  44f9b815 | A....0....0.D...
870003f0: ee598c11  5fcdd06a  f1fa9078  5ef73dae | .Y.._..j...x^.=.
CM> /call func -a 0xa03e1940 0x00000000 0x00000400

Calling function 0xa03e1940(0, 0x400)

CM> /call func -a 0xa03e1408 0x87000000 0x00000000 0x00000400

Calling function 0xa03e1408(0x87000000, 0, 0x400)

CM> /read_memory -s 4 -n 1024 0x87000000

87000000: d06e0100  00020017  5ea94be9  0029ffa4 | .n......^.K..)..
87000010: 7e000000  46415354  33363836  5f444e41 | ~...FAST3686_DNA
87000020: 5f332e34  39302e30  2d54332d  6170702d | _3.490.0-T3-app-
87000030: 32303230  30343239  2e62696e  00000000 | 20200429.bin....
87000040: 00000000  00000000  00000000  00019000 | ................
87000050: 00280000  a9340000  8758ba30  63609086 | .(...4...X.0c`..
87000060: aa8ce00a  dfbeb6fd  f768b698  5ef31223 | .........h..^..#
87000070: e9f3d61b  a5714987  8094f0cd  406e4f84 | .....qI.....@nO.
87000080: 345fb37f  1db38aee  9c8c135f  dfaf4380 | 4_........._..C.
87000090: aaa485f7  9f69a881  e3573c30  8b7c7555 | .....i...W<0.|uU
870000a0: c554c1f8  ab8a1158  c57acea0  bfad34f9 | .T.....X.z....4.
870000b0: 978b987e  a67c201b  b8574e27  1e5f08f1 | ...~.| ..WN'._..
870000c0: e94b1b0c  e6befcac  de757c31  f834bdc2 | .K.......u|1.4..
870000d0: 82f2732f  bd6b7233  ef007747  df83cf56 | ..s/.kr3..wG...V
870000e0: ce546631  68ae8284  3c16aeaa  0b1c6223 | .Tf1h...<.....b#
870000f0: d2c89a0a  74c10313  29aecfea  0404cea7 | ....t...).......
87000100: 7313a6a6  6a9cb782  7aaff66f  b149001d | s...j...z..o.I..
87000110: 0ef916bc  2aea93c4  0174816e  b60a9cc3 | ....*....t.n....
87000120: 7e876f1e  a48c40ed  f973dd29  3b84b294 | ~.o...@..s.);...
87000130: 3f7afe0e  1ac889b4  a174354f  b45e595a | ?z.......t5O.^YZ
87000140: af14e6e0  2d97144f  917df4e5  961e54d2 | ....-..O.}....T.
87000150: 22b51c39  184ec125  a087f879  e49f5d4d | "..9.N.%...y..]M
87000160: a45b95ab  0f56fddb  3e236f48  aa54a8a8 | .[...V..>#oH.T..
87000170: e31dbe04  ba4abb87  086f0348  f6241492 | .....J...o.H.$..
87000180: d579a1fd  88597ceb  4f512a36  f7fdec08 | .y...Y|.OQ*6....
87000190: 1504d046  4a773c3c  c852c168  1108974e | ...FJw<<.R.h...N
870001a0: 7343619c  7951e612  c94cf1f0  3fdf0327 | sCa.yQ...L..?..'
870001b0: e666e183  8ef497ce  c1c5a045  0740f2ca | .f.........E.@..
870001c0: 92b894a2  ea137f34  147c736e  5eafe8dd | .......4.|sn^...
870001d0: 573b8f2f  87c009f9  b0787b68  50aae70e | W;./.....x{hP...
870001e0: 550924a3  ca1a9132  318de945  8c207f68 | U.$....21..E. .h
870001f0: 0490d890  3ea9c0e2  f85948a3  0ef2fb23 | ....>....YH....#
87000200: 5c8cf4b1  318f8b77  df8a8ab4  1bc44d06 | \...1..w......M.
87000210: 276233ec  f257606a  c52de5ee  ccfd9c78 | 'b3..W`j.-.....x
87000220: a63c5301  752b06c6  32e311ef  ef2940c5 | .<S.u+..2....)@.
87000230: 81a3cd3f  78c9c3c2  2a6020dd  3b025866 | ...?x...*` .;.Xf
87000240: 3cfe8acf  9f23a191  3269dda8  8a20794b | <....#..2i... yK
87000250: b7f8d7e0  9257cfaa  ff1253b0  20f14a68 | .....W....S. .Jh
87000260: 1d898f0a  57f915ef  746b02cc  8066f349 | ....W...tk...f.I
87000270: 233139d4  11c2a296  c5e4d72b  bb79e9c5 | #19........+.y..
87000280: dcf66991  94724ca1  f055f59f  d128e81e | ..i..rL..U...(..
87000290: db08720d  9004f291  011663f6  b17d1c98 | ..r.......c..}..
870002a0: b61fd744  ea177022  058c5101  34e861c5 | ...D..p"..Q.4.a.
870002b0: 5a3753e1  31c1bd4d  4c237e6c  2d9d9329 | Z7S.1..ML#~l-..)
870002c0: 4f8cae87  22d75d2f  e2c768ca  d4416a3b | O...".]/..h..Aj;
870002d0: 97a4cf62  a2f87db6  ff7ef603  bccdd3fc | ...b..}..~......
870002e0: 5d0ab571  96b94308  f9445e97  e9fcc121 | ]..q..C..D^....!
870002f0: fdef74ea  99c76b66  205aaddf  f4bd9168 | ..t...kf Z.....h
87000300: 2fc030fc  32d69495  4e8c1395  b7cfd502 | /.0.2...N.......
87000310: 945a7c16  cc8392f7  b0308d92  a3e9d069 | .Z|......0.....i
87000320: 5005b858  b21ed293  9edc6ce0  dd6afaa1 | P..X......l..j..
87000330: 22d85910  76c16d93  605b5da9  3de9bed9 | ".Y.v.m.`[].=...
87000340: 29f26ffd  053cfbc7  12785c3c  b1694b95 | ).o..<...x\<.iK.
87000350: 3131623a  6483c478  b5496d64  59a71af7 | 11b:d..x.ImdY...
87000360: 7d102f2d  5cc35818  8df1a8ea  0ef8d4c5 | }./-\.X.........
87000370: 8368d361  3a84eb3c  0485ae3a  a9a7de26 | .h.a:..<...:...&
87000380: 82c337f2  a755b88e  675c8e1b  8bb1b4ca | ..7..U..g\......
87000390: bf289c94  ba357bf5  57735999  955e6c9a | .(...5{.WsY..^l.
870003a0: 43559b1b  583a73bd  41b91b91  e5df26f6 | CU..X:s.A.....&.
870003b0: a7ae8687  444f744a  a8189c0d  66e76fcc | ....DOtJ....f.o.
870003c0: 33ba4f9c  e7d96f83  0a4a5c1a  d37b152a | 3.O...o..J\..{.*
870003d0: aa8aecae  d3be2156  d3840433  f1e233d3 | ......!V...3..3.
870003e0: 41c800be  1130fba1  fba030a0  44f9b815 | A....0....0.D...
870003f0: ee598c11  5fcdd06a  f1fa9078  5ef73dae | .Y.._..j...x^.=.
j0nh4t commented 4 years ago

0x88000000: crash, 0x87000000: ok, 0x86000000: crash

test.log

jclehner commented 4 years ago

Using the latest commits might fix this issue. Reading from flash is now done in 16 KiB blocks, instead of reading the whole partition, which in your linuxapps case is 78 MiB. I've also moved the buffer to 0x87000000!

MalaikaBegum commented 4 years ago

With commit f585fe8602058c3a64e4fe80a5234877254f52cd: zero-sized outputs, and the router reboots.

./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-81-gf585fe8
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
 ---.--% (0x06bc0000)      0 |     0  bytes/s (ETA      00:00:00)
 (and then, two minutes later, the router reboots)

cat io.log 
bcm2dump v0.9.4-81-gf585fe8
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
==> (empty)
==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
==> (empty)
==> 'WARNING:  Access allowed by authorized users only.'
==> (empty)
==> 'Login:'
detected interface: bfc
<== 'Admin'
==> 'Admin'
==> 'Password:'
<== 'PASSWORD'
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== ''
<== ''
==> ''
==> ''
==> 'CM_Console>'
<== '/docsis/scan_stop'
==> ''
adjusting dump params: 0x80010000,4 -> 0x80010000,16
<== '/system/diag readmem -s 4 -n 16 0x80010000'
==> (empty)
==> ''docsis' is not a valid command table.'
==> (empty)
==> 'Type 'help' for information about valid commands and tables.'
==> (empty)
==> ''
==> (empty)
==> '80010000: 1000ffde  01c0c821  01eb1006  00e91804 | .......!........'
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
<== '/system/diag readmem -s 4 -n 16 0x80624d90'
==> (empty)
==> ''
==> (empty)
==> '80624d90: 00001021  97a20004  a6020930  24020001 | ...!.......0$...'
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
<== '/system/diag readmem -s 4 -n 16 0x8070244c'
==> (empty)
==> ''
==> (empty)
==> '8070244c: 24a571e8  9665003c  0c41a8a2  00402021 | $.q..e.<.A...@ !'
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
<== '/system/diag readmem -s 4 -n 16 0x807023d4'
==> (empty)
==> ''
==> (empty)
==> '807023d4: 3c058120  0c41abf4  24a571b8  96650038 | <.. .A..$.q..e.8'
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
<== '/system/diag readmem -s 4 -n 16 0x80eb8a90'
==> (empty)
==> ''
==> (empty)
==> '80eb8a90: 5080ffb6  8fbf0114  0c1ec594  00000000 | P...............'
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
<== '/system/diag readmem -s 4 -n 16 0x80f89da0'
==> (empty)
==> ''
==> (empty)
==> '80f89da0: 90a20005  00a21821  24630008  24020001 | .......!$c..$...'
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
<== '/system/diag readmem -s 4 -n 16 0x82f00014'
==> (empty)
==> ''
==> (empty)
==> '82f00014: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
<== '/system/diag readmem -s 4 -n 16 0x809864d8'
==> (empty)
==> ''
==> (empty)
==> '809864d8: 8fb20018  8fb10014  8fb00010  03e00008 | ................'
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
<== '/system/diag readmem -s 4 -n 16 0x83e05bb8'
==> (empty)
==> ''
==> (empty)
==> '83e05bb8: ffffffff  ffffffff  ffffffff  ffffffff | ................'
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
<== '/system/diag readmem -s 4 -n 16 0x80dc48d0'
==> (empty)
==> ''
==> (empty)
==> '80dc48d0: 8e060024  0c36f75a  02002021  1000ff7d | ...$.6.Z.. !...}'
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
<== '/system/diag readmem -s 4 -n 16 0x83f8a9ac'
==> (empty)
==> ''
==> (empty)
==> '83f8a9ac: 25080001  0106102a  10400003  0123380b | %......*.@...#8.'
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
<== '/system/diag readmem -s 4 -n 16 0x810a4390'
==> (empty)
==> ''
==> (empty)
==> '810a4390: 7273696f  6e3a2020  25730a00  62636d56 | rsion:  %s..bcmV'
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8e8a8'
==> (empty)
==> ''
==> (empty)
==> '83f8e8a8: 62322f00  e7d477e3  00372a00  01204dca | b2/...w..7*.. M.'
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ea40'
==> (empty)
==> ''
==> (empty)
==> '83f8ea40: 02000000  00008048  02002ae0  1800a401 | .......H..*.....'
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
<== '/system/diag readmem -s 4 -n 16 0x83f8ecc8'
==> (empty)
==> ''
==> (empty)
==> '83f8ecc8: 25783a25  78000000  25733f20  5b6e5d20 | %x:%x...%s? [n]'
<== '/system/diag readmem -s 4 -n 32 0x81082fa8'
==> (empty)
==> ''
==> (empty)
==> '81082fa8: 46415354  33363836  5f444e41  5f332e34 | FAST3686_DNA_3.4'
==> '2164797368: 959458864  760492845  842019376  808727097 | 90.0-T3-20200429'
==> (empty)
==> 'CM_Console>'
<== 'su'
==> 'su'
==> (empty)
==> 'Password: () []'
<== '$agem001'
<== ''
==> '$agem001'
==> 'Proceed with caution!'
==> 'Type 'exit' to return.'
==> (empty)
==> ''
==> 'CM>'
detected profile fast3686(bfc), version DNA_3.490.0-T3
<== '/call func -a 0xa03e1940 0x06bc0000 0x07dc0000'
==> ''
<== ''
==> (empty)
==> 'Calling function 0xa03e1940(0x6bc0000, 0x7dc0000)'
==> (empty)
==> ''
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
 <== '/write_memory -s 4 0xa03e1598 0x10000018'
==> 'CM>'
==> ''
==> (empty)
==> 'Writing 0x10000018 (268435480) to 0xa03e1598'
==> (empty)
==> 'CM>'
<== '/call func -a 0xa03e1408 0x87000000 0x06bc0000 0x01200000'
==> ''
<== ''
==> (empty)
==> 'Calling function 0xa03e1408(0x87000000, 0x6bc0000, 0x1200000)'
<== ''
<== ''
(skipped 100 similar rows)
<== ''
<== ''
==> (empty)
==> 'CM>'
<== '/read_memory -s 4 -n 8192 0x87000000'
(this is an automatic retry, but the router has already crashed)

./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.bin_2
bcm2dump v0.9.4-81-gf585fe8
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x00000000-0x04c3ffff (79953920 b)
 ---.--% (0x00000000)      0 |     0  bytes/s (ETA      00:00:00)
error: timeout while waiting for function 'read' to finish
jclehner commented 4 years ago

Ah, sorry, of course. The chunked reads are implemented, but not used in either of your cases! I'll fix this over the weekend, stay tuned!

jclehner commented 4 years ago

Please try the latest code!

MalaikaBegum commented 4 years ago

Now dumping starts, but then fails.

./bcm2dump -vv dump -L io.log 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-89-g07c7d20
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x06bc0000-0x07dbffff (18874368 b)
   0.04% (0x06bc2000)      0 |     0  bytes/s (ETA      00:00:00)  FAST3686_DNA_3.490.0-T3-rootfs-20200429.bin (0xd06e, 12320676 b)
   0.13% (0x06bc6000)   8.00k|  8.01k bytes/s (ETA      00:38:19)
error: failed to patch word at 0x803e1598

And I got only a 24K file. I didn't do anything but retry with a new output file (no resume):

./bcm2dump -vv dump -L io.log2 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin2

dumping flash:0x06bc0000-0x07dbffff (18874368 b)
   0.04% (0x06bc2000)   7.91k|  7.91k bytes/s (ETA      00:38:50)  FAST3686_DNA_3.490.0-T3-rootfs-20200429.bin (0xd06e, 12320676 b)
  13.28% (0x06e24000)   8.00k| 10.67k bytes/s (ETA      00:25:00)
error: failed to patch word at 0x803e1598

This time I got 2.4MB.

Seems resuming is not working correctly:

./bcm2dump -R -vv dump 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin2

It transfers data, but the size of the output file is not growing (the modify time is changing).

This fails with the very same message:

error: failed to patch word at 0x803e1598

linuxapps also starts but then stops with the same error.

./bcm2dump -vv dump -L io.log2 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.new
bcm2dump v0.9.4-89-g07c7d20
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00014,6 -> 0x82f00014,16
adjusting dump params: 0x809864d9,11 -> 0x809864d8,16
adjusting dump params: 0x83e05bb8,11 -> 0x83e05bb8,16
adjusting dump params: 0x80dc48d0,3 -> 0x80dc48d0,16
adjusting dump params: 0x83f8a9ac,5 -> 0x83f8a9ac,16
adjusting dump params: 0x810a4390,12 -> 0x810a4390,16
adjusting dump params: 0x83f8e8a8,6 -> 0x83f8e8a8,16
adjusting dump params: 0x83f8ea40,10 -> 0x83f8ea40,16
adjusting dump params: 0x83f8ecc8,13 -> 0x83f8ecc8,16
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x00000000-0x04c3ffff (79953920 b)
   0.01% (0x00002000)   6.36k|  6.36k bytes/s (ETA      03:24:36)  FAST3686_DNA_3.490.0-T3-app-20200429.bin (0xd06e, 2752420 b)
   0.73% (0x0008e000)   8.00k| 10.57k bytes/s (ETA      02:02:17)
error: failed to patch word at 0x803e1598
context:
  ==> (empty)
  ==> 'CM>'
  <== '/write_memory -s 4 0xa03e1598 0x10000018'
  ==> '/write_memory -s 4 0'
  <== '/exit'
jclehner commented 4 years ago

I was able to reproduce that error; using 3c14982, however, I could dump the whole of linuxapps on my device.

MalaikaBegum commented 4 years ago

Now I can dump whole images, but ProgramStore is not accepting them.

./bcm2dump -vv dump 192.168.100.1,Admin,PASSWORD flash linuxkfs linuxkfs.bin
bcm2dump v0.9.4-90-g3c14982
detected profile fast3686(bfc), version DNA_3.490.0-T3
   0.09% (0x06bc4000)      0 |     0  bytes/s (ETA      00:00:00)  FAST3686_DNA_3.490.0-T3-rootfs-20200429.bin (0xd06e, 12320676 b)
 100.00% (0x07dbffff)           23.30k bytes/s (ELT      00:13:11)

ProgramStore is still not satisfied with it:

./ProgramStore -f linuxkfs.bin -o linuxkfs.out -x
   Signature: d06e
     Control: 0100
   Major Rev: 0002
   Minor Rev: 0017
  Build Time: 2020/4/29 09:42:00 Z
 File Length: 12320676 bytes
Load Address: 7e000000
    Filename: FAST3686_DNA_3.490.0-T3-rootfs-20200429.bin
         HCS: e004
         CRC: a02903db

Performing CRC on Image...
Image -1607924773 CRC failed!

And the same with linuxapps:

./bcm2dump -vv dump 192.168.100.1,Admin,PASSWORD flash linuxapps linuxapps.bin
bcm2dump v0.9.4-90-g3c14982
detected profile fast3686(bfc), version DNA_3.490.0-T3
dumping flash:0x00000000-0x04c3ffff (79953920 b)
   0.02% (0x00004000)      0 |     0  bytes/s (ETA      00:00:00)  FAST3686_DNA_3.490.0-T3-app-20200429.bin (0xd06e, 2752420 b)
 100.00% (0x04c3ffff)           23.53k bytes/s (ELT      00:55:18)

./ProgramStore -f linuxapps.bin -o linuxapps.out -x
   Signature: d06e
     Control: 0100
   Major Rev: 0002
   Minor Rev: 0017
  Build Time: 2020/4/29 09:42:01 Z
 File Length: 2752420 bytes
Load Address: 7e000000
    Filename: FAST3686_DNA_3.490.0-T3-app-20200429.bin
         HCS: a934
         CRC: 8758ba30

Performing CRC on Image...
Image -2024228304 CRC failed!
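As an added example (not code from bcm2-utils or Broadcom's ProgramStore tool) of what the ProgramStore output above is checking: a parser for the header fields it prints, plus the consistency checks a dumped image can fail. The 92-byte big-endian layout, the HCS rule (ones' complement of the 16-bit word sum over the first 84 bytes), the plain CRC-32 payload check and the control-field codec nibble are assumptions from my reading of the format, and the sample image is constructed inline with a short payload in place of the 12 MB rootfs.

```python
import struct
import zlib
from datetime import datetime, timezone

# Assumed 92-byte big-endian layout: sig(0) ctrl(2) major(4) minor(6) time(8)
# len(12) load(16) name(20) pad(68) len1(76) len2(80) hcs(84) rsvd(86) crc(88)
PS_FMT = ">HHHHIII48s8sIIHHI"
PS_HEADER_LEN = struct.calcsize(PS_FMT)  # 92

def parse_ps_header(data: bytes) -> dict:
    """Decode the header fields that ProgramStore prints."""
    if len(data) < PS_HEADER_LEN:
        raise ValueError("shorter than a ProgramStore header")
    f = struct.unpack(PS_FMT, data[:PS_HEADER_LEN])
    return {"signature": f[0], "control": f[1], "major": f[2], "minor": f[3],
            "build_time": datetime.fromtimestamp(f[4], tz=timezone.utc),
            "file_length": f[5], "load_address": f[6],
            "filename": f[7].split(b"\0", 1)[0].decode("ascii", "replace"),
            "hcs": f[11], "crc": f[13]}

def header_checksum(data: bytes) -> int:
    """Assumed HCS rule: ones' complement of the 16-bit word sum of bytes 0..83."""
    return (~sum(struct.unpack(">42H", data[:84]))) & 0xFFFF

def check_image(data: bytes) -> dict:
    """Which checks a dumped image passes: a live UBI partition that Linux has
    written to keeps a valid header but fails the payload CRC; a truncated
    dump fails the length check instead."""
    h = parse_ps_header(data)
    payload = data[PS_HEADER_LEN:PS_HEADER_LEN + h["file_length"]]
    complete = len(payload) == h["file_length"]
    return {"hcs_ok": header_checksum(data) == h["hcs"],
            "length_ok": complete,
            # assumption: payload CRC is plain CRC-32, the polynomial zlib uses
            "crc_ok": complete and zlib.crc32(payload) == h["crc"],
            # assumption: low nibble of control selects the codec, 0 = raw
            "compressed": bool(h["control"] & 0xF)}

def build_sample_image(payload: bytes, flip_byte: int = -1) -> bytes:
    """Constructed sample using the rootfs header values from the thread with
    a short payload; flip_byte simulates a write made after flashing."""
    ts = int(datetime(2020, 4, 29, 9, 42, tzinfo=timezone.utc).timestamp())
    name = b"FAST3686_DNA_3.490.0-T3-rootfs-20200429.bin"
    crc = zlib.crc32(payload)
    head = struct.pack(PS_FMT, 0xD06E, 0x0100, 2, 0x17, ts, len(payload),
                       0x7E000000, name, b"\0" * 8, len(payload), 0, 0, 0, crc)
    head = head[:84] + struct.pack(">HHI", header_checksum(head), 0, crc)
    if flip_byte >= 0:
        payload = bytes(b ^ 0xFF if i == flip_byte else b for i, b in enumerate(payload))
    return head + payload
```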
jclehner commented 4 years ago

This image isn't compressed. Try mounting it as a ubi image as is. If Linux modified the partition, it won't pass the CRC check anymore, but it'll still be mountable. The same applies to the image I just dumped from my device!

jclehner commented 4 years ago

In any case, can you send me your linuxapps.bin file?

MalaikaBegum commented 4 years ago

You are correct, they are not packed!

ubireader_display_info linuxkfs.bin
UBI File
---------------------
    Min I/O: 2048
    LEB Size: 126976
    PEB Size: 131072
    Total Block Count: 143
    Data Block Count: 91
    Layout Block Count: 2
    Internal Volume Block Count: 0
    Unknown Block Count: 50
    First UBI PEB Number: 0

    Image: 0
    ---------------------
        Image Sequence Num: 0
        Volume Name:rootfs
        PEB Range: 0 - 142

        Volume: rootfs
        ---------------------
            Vol ID: 0
            Name: rootfs
            Block Count: 91

            Volume Record
            ---------------------
                alignment: 1
                crc: '0x9f20ef3b'
                data_pad: 0
                errors: ''
                flags: 0
                name: u'rootfs'
                name_len: 6
                padding: u'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
                rec_index: 0
                reserved_pebs: 137
                upd_marker: 0
                vol_type: 'dynamic'
ubireader_extract_files linuxkfs.bin

-> 438 files (26MB). /etc/passwd is pointing to /var/passwd, and /var/ is empty.

ubireader_display_info linuxapps.bin 
UBI File
---------------------
    Min I/O: 2048
    LEB Size: 126976
    PEB Size: 131072
    Total Block Count: 161
    Data Block Count: 11
    Layout Block Count: 2
    Internal Volume Block Count: 0
    Unknown Block Count: 148
    First UBI PEB Number: 448

    Image: 0
    ---------------------
        Image Sequence Num: 0
        Volume Name:linuxapps
        PEB Range: 0 - 160

        Volume: linuxapps
        ---------------------
            Vol ID: 0
            Name: linuxapps
            Block Count: 11

            Volume Record
            ---------------------
                alignment: 1
                crc: '0xae79ff95'
                data_pad: 0
                errors: ''
                flags: 0
                name: u'linuxapps'
                name_len: 9
                padding: u'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
                rec_index: 0
                reserved_pebs: 155
                upd_marker: 0
                vol_type: 'dynamic'

ubireader_extract_files linuxapps.bin 

-> 77 files (2.4MB)

And no /var (so no /etc/passwd)

I dumped RAM (which is now working correctly)

./bcm2dump -vv dump 192.168.100.1,Admin,PASSWORD ram 0x80000000,256M ram.bin
grep -a "root:/:/bin/sh" ram.bin  -A 4

(It took some time to figure out how to find passwd (or shadow) inside the RAM dump.) John the Ripper took no time to crack them all:

root:sagem:0:0:root:/:/bin/sh
admin:sagem:0:0:Administrator:/:/bin/false
support:sagem:502:502:Technical Support:/:/bin/false
user:sagem:503:503:Normal User:/:/bin/false
nobody:sagem:504:504:nobody for ftp:/:/bin/false

I sent linuxapps.zip and linuxkfs.zip to your email. (I didn't realize that the 77MB linuxapps zips to under 1MB.)

jclehner commented 4 years ago

The file /etc/passwd is generated by /bin/lxginit btw. It sets all passwords to "sagem" initially, but has a provision for the root password to be changed via an ioctl (which is presumably affected by the CM firmware).

MalaikaBegum commented 4 years ago

I'm still struggling with how to get files out of image1.bin.

jclehner commented 4 years ago

image1.bin contains the cable modem firmware. This is not Linux, but based on eCos. Essentially it's one huge application, where specific tasks are handled by dedicated threads. There's no filesystem, even though the web interface may lead you to believe otherwise. The contents you extract using ProgramStore are raw MIPS machine code, loaded in RAM at address 0x80004000.

The BCM3384 SoC (and others) actually contain two CPUs. One for running the CM firmware, and the other one running Linux. RAM is shared between the two. On most devices, Linux is only used for media server and "NAS" capabilities, and not actually required for using the device as a cable modem.

jclehner commented 3 years ago

Closing due to inactivity. Also, the original issue has been resolved.