jclehner / bcm2-utils

Utilities for Broadcom-based cable modems
GNU General Public License v3.0

Bootloader Unlocking #50

Open xnuken opened 1 year ago

xnuken commented 1 year ago

I have a CM2000 and I'm wondering if there is any way to unlock the boot loader to allow dumping of the flash and enabling console. I have UART consoles on both CM and RG. CM seems to allow the boot processes to be interrupted, but when pressing P the bootloader menu seems to be quite limited. RG does not seem to allow interrupting of the boot process, and SecureBoot is enabled. I have not managed to decrypt the .bin file that can be exported from the web GUI. I am assuming it is GatewaySettings.bin, but they claim it is for Netgear only.

jclehner commented 1 year ago

> CM seems to allow the boot processes to be interrupted but when pressing P the bootloader menu seems to be quite limited.

Please attach the console output of the bootloader menu.

> Have not managed to decrypt the .bin file from the web gui that can be exported I am assuming it is GatewaySettings.bin but they claim it is for Netgear only.

Hard to say, not all BCM3390 devices have an equivalent of GatewaySettings.bin. If it's encrypted, chances are that it uses the device-specific unique key.

xnuken commented 4 months ago

```
CPU 01
BCM33900010
PRID33900010
v5.00
RR:00002000
BFW
AVS init...
B11
STB V=0000280b D=000002b5
DCM V=000027f2 D=000002c4
AVS init OK
AVS load:select_image: addr_offset: 00005800 part_offset: 00000000 bootStatus: 2a052b00
AVS load_code offset =00005800
LOADED
AVS: overtemp mon ON
I2C @ f040a400.
BID: no ack!
I2C @ f040a400.
WBID: no ack!

using board #q
OTP Market ID        = 00000000
FSBL Market ID       = 00002900
Market ID Mask       = 00ffff00
Secure Boot
MARKET ID VALIDATION : Generic Mode - PASS
MEMSYS-ALT
MEMSYS AUTHENTICATION: OK
SHMOO 03030100 BLD:memsys_3.3.0.0-5-gbbc1e43a0 HW:hpg0_generic V:3.3.1.0
MCB: FLEX
AVS start:status=000000ff
STB: Current voltage=0000038c(908)
 temperature=0000fb0e(64270)
 PV=0000034d(845)
 MV=00000383(899)
DCD: Current voltage=0000038c(908)
 temperature=0000fb0e(64270)
 PV=0000034d(845)
 MV=00000382(898)
AVS FW rev=30313978 [0.1.9.x]
OK
DDR0: MCB#2-4 !@ ffe0e500 <= ffe0db30 MEMSYS-0 @ f1500000
ramSize =   00000080
DDR SCRAMBLER ENABLED
OK
Secure boot detected
COPY CODE... DONE
BOLT VERSION(FSBL): v5.00
BOLT VERSION(SSBL): v5.00
SSBL INTEGRITY: OK
SSBL AUTHENTICATION: OK
SSBL
PINMUX
CACHE FLUSH OK
MMU ON
CACHE FLUSH OK
_fbss  07063a28
_ebss  07064198
_end   070641b8
HEAP @ 07100000
STACK @ 07fffff8
ARCH: CONFIG OK
CLR BSS 07063a28 to 07064198 OK
CLR SRAM  OK
CACHE FLUSH OK
CPU CLKSET OK
GO!
CS0: ONFI NAND, 128MB, 128kB blocks, 2048B page, 16B OOB, BCH-4
cannot open flash0.macadr
cannot get flash info
cannot open flash0.macadr
MAC ADDRESS MUST BE PROGRAMMED; use macprog command
RTS0: 0x21501004, 1 clients, ok
rts 01 [FAKE_NO_RTS]        *default
BOX MODE: 1
Console is disabled

BCM3390B0 Bootloader version 2.7.0alpha4, Built by jacky on Oct 30 2019 at 09:32:46
RAM Windows size 47 mb
Warning. Bootloader doesn't seem to be located at top of memory

Loading compressed image 2
Loading 3,106,640 compressed bytes to 0x83b00000
Decompressing DOCSIS image at 0x83b0005c to 0x80004000
Decompressed image size 13,818,460 bytes (0x80004000-0x80d31a5c)
Jumping to application at 0x80004000

 eCos - hal_diag_init

Using 49283072(0x02f00000) Bytes Ram Size from Mbox6.
47MB (48128KB) physical RAM on board

Using 49283072(0x02f00000) Bytes Ram Size from Mbox6.

Using 49283072(0x02f00000) Bytes Ram Size from Mbox6.
CalculateDspRamReservation line 429: DSP_RAM_START_ADDR 07e00000 DSP_RAM_END_ADDR 08000000 DspRamStart 07e00000 DspRamSize 00200000
CalculateDspRamReservation line 436: tDspRamStart 02e00000 DspRamSize 00200000
LinuxRamStart: ffffffff LinuxRamSize 00000000 BoardRamSize 02f00000
    DspRamStart 02e00000 DspRamSize 00200000

Using 49283072(0x02f00000) Bytes Ram Size from Mbox6.
CalculateDspRamReservation line 429: DSP_RAM_START_ADDR 07e00000 DSP_RAM_END_ADDR 08000000 DspRamStart 07e00000 DspRamSize 00200000
CalculateDspRamReservation line 436: tDspRamStart 02e00000 DspRamSize 00200000
Reserving 2MB (2048KB) for EMTA DSP @ 46MB (47104KB)
45MB (46080KB) remaining for eCos
BcmHeapInitialize starts
Init device '/dev/SerialConsoleDriv'
Init device '/dev/BrcmTelnetIoDriver'
Init device '/dev/ttydiag'
Init tty channel: 80d31228
Init device '/dev/tty0'
Init tty channel: 80d31248
Init device '/dev/haldiag'
HAL/diag SERIAL init
Init device '/dev/ser0'
BCM 33XX SERIAL init - dev: d3c00640.1
Set output buffer - buf: 0x80e6cb20 len: 4096
Set input buffer - buf: 0x80e6db20 len: 4096
BCM 33XX SERIAL config - UART = d3c00640, chan = 80cdbb20
Init device '/dev/ser1'
BCM 33XX SERIAL init - dev: d3c00660.2
Set output buffer - buf: 0x80e6eb20 len: 4096
Set input buffer - buf: 0x80e6fb20 len: 4096
BCM 33XX SERIAL config - UART = d3c00660, chan = 80cdbbf0

Init device '/dev/ser2'
InitBoard: MIPS frequency 600000000
InitBoard: MANUFACT bits 0x5
InitBoard: CM_AON_RESET_HISTORY 0x00008000
+------------------------------------------------------------------------+
| This image is built using remote flash as nonvol.                      |
+------------------------------------------------------------------------+

RxMER,4,16,64,128,256,512,1024,2048,4096
Failed OfdmProfileStatsSnapshotValue regression test
[00:00:01 01/01/1970] [tStartup] BcmBfcSystemFactory::NewBfcSystem:  BcmCmDocsisSystem
[00:00:01 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Configuring perm and dyn nonvol section size...32768 and 32768 respectively.
[00:00:01 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading BootloaderStore driver...
[00:00:01 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading ProgramStore driver...
[00:00:01 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Loading NonVol driver...
== NonVolDriverInit:: Encryption enabled ==
[00:00:01 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitStorageDrivers:  (BFC Target) Storage drivers initialized successfully.
[00:00:01 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Creating singletons for ProgramStore/BootloaderStore/NonVol devices...
Detecting the next image number that we will store to by default...
Bootloader indicates we are running image 2
Image2 header is not valid!
By default, we will dload to image number 2!

ProgramStoreDriverSetAlternateSignature:: Alternate signature is set to D432
[00:00:01 01/01/1970] [tStartup] BcmBfcStdEmbeddedTarget::InitDeviceAbstractions:  (BFC Target) Device abstraction singletons created successfully.

Create task ENL25GNK, priority set to 27, stacksize=4500
[00:00:01 01/01/1970] [tStartup] BcmMessageLogNonVolSettings::RemoteAccessPassword:  (User Interface NonVol Settings) WARNING - Running in POTD mode, password is set, but will not be used.
BcmCmDocsis31NonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
BcmCmDocsisNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!
BcmCmDocsisNonVolSettings::GetSingletonInstance:  WARNING - the singleton instance is NULL, and someone is accessing it!

Reading Permanent settings from non-vol...
Checksum for permanent settings:  0xefc441af
Creating SNMP agent cablemodem agent
cablemodem agent disabling management.
cablemodem agent deferring traps.
[00:00:02 01/01/1970] [tStartup] BcmBfcAppCompositeNonVolSettings::ReadFrom:  (BFC App Composite Nonvol Settings) WARNING - Read an unrecognized settings group from the buffer (magic number 0x3ca39737 '<..7'); storing in raw form for compatibility...
Settings were read and verified.

Reading Dynamic settings from non-vol...
Checksum for dynamic settings:  0xb40c6f5d
[00:00:03 01/01/1970] [tStartup] BcmMessageLogNonVolSettings::RemoteAccessPassword:  (User Interface NonVol Settings) WARNING - Running in POTD mode, password is set, but will not be used.
Settings were read and verified.

Console input has been disabled in non-vol.
Console output has been disabled in non-vol!  Goodbye...
```
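
Added example, not part of the thread and not bcm2-utils code: a small Python check that reads a UART boot capture like the one above and reports which boot-chain protections the firmware announced. The check names and function names are this example's own, and the sample input is a constructed excerpt of lines taken from the log above.

```python
import re

# Constructed sample: a handful of lines copied from the boot log above.
SAMPLE_LOG = """\
Secure Boot
MARKET ID VALIDATION : Generic Mode - PASS
MEMSYS AUTHENTICATION: OK
DDR SCRAMBLER ENABLED
SSBL INTEGRITY: OK
SSBL AUTHENTICATION: OK
Console is disabled
BCM3390B0 Bootloader version 2.7.0alpha4, Built by jacky on Oct 30 2019 at 09:32:46
== NonVolDriverInit:: Encryption enabled ==
Console input has been disabled in non-vol.
Console output has been disabled in non-vol!  Goodbye...
"""

# (check name, regex) pairs; the names are labels invented for this example.
CHECKS = [
    ("secure_boot", r"^Secure [Bb]oot( detected)?\s*$"),
    ("memsys_authenticated", r"^MEMSYS AUTHENTICATION: OK"),
    ("ssbl_integrity", r"^SSBL INTEGRITY: OK"),
    ("ssbl_authenticated", r"^SSBL AUTHENTICATION: OK"),
    ("ddr_scrambler", r"^DDR SCRAMBLER ENABLED"),
    ("nonvol_encrypted", r"NonVolDriverInit:: Encryption enabled"),
    ("console_input_disabled", r"^Console input has been disabled"),
    ("console_output_disabled", r"^Console output has been disabled"),
]
STAGE_RE = re.compile(r"^(\w+) Bootloader version (\S+), Built by \S+ on (.+)$")

def summarize_boot_log(text):
    """Return {check: bool}, plus chip/bootloader/built when the banner is seen."""
    # Serial captures often carry CRLF and stray NUL bytes; normalise first.
    lines = [l.replace("\x00", "").rstrip() for l in text.splitlines()]
    report = {name: any(re.search(rx, l) for l in lines) for name, rx in CHECKS}
    for l in lines:
        m = STAGE_RE.match(l)
        if m:
            report["chip"], report["bootloader"], report["built"] = m.groups()
            break
    return report

def missing_controls(report):
    """Names of checks whose marker line never appeared in the capture."""
    return sorted(name for name, _ in CHECKS if not report.get(name))

if __name__ == "__main__":
    print(summarize_boot_log(SAMPLE_LOG))
```

A missing marker only means the line was not in the capture, for example because output was cut off early; it is not proof that the control is disabled.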
xnuken commented 4 months ago

```
BCM3390B0 Bootloader version 2.7.0alpha4, Built by jacky on Oct 30 2019 at 09:32:46
RAM Windows size 47 mb
Warning. Bootloader doesn't seem to be located at top of memory

r hexAddr [width] - Display memory location
w hexAddr hexVal [width] - Write memory location
d hexAddr length [width] - Dump memory
rc regNum [select] - Read CP register
wc - regNum hexVal [select] - Write CP register
c [iterations] - Run cache test
m hexAddr hexSize [iterations] - Run memory test
t - Run next command on TP1
x - Exit
z - Cause exception
1 - Boot image 1 on exit
p - Power down non-essential blocks

>
```
xnuken commented 4 months ago

Running `d 0xd384bfe0 0x20` returns:

```
d384bfe0: 923a1856 744f33d1 ae65fc7a 074d8220
d384bff0: c6632668 7ce96d5d 115680c7 a3e8cc30
```

Not entirely sure if this is actually the key or not.