jclehner / bcm2-utils

Utilities for Broadcom-based cable modems
GNU General Public License v3.0
147 stars, 25 forks

Can't dump flash via telnet interface, Arris TM902S #60

Open mediotex opened 8 months ago

mediotex commented 8 months ago

Arris TM902S, I'm using the latest build for Linux. I can access a limited shell via telnet and ssh (both use PoTD), but when I tried to dump flash, I got an error:

$ ./bcm2dump -P tm902s -vv dump '192.168.100.1,ARRIS,VAFRWXSVSG' flash dynnv dynnv.bin
bcm2dump v0.9.8-12-g7c620ca
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
telnet: no login prompt

error: telnet: telnet login failed

context:
  ==> (empty)
  ==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
  ==> (empty)
  ==> 'WARNING:  Access allowed by authorized users only.'
  ==> (empty)
  ==> (empty)
  ==> (empty)
  ==> 'Arris console is active'
  ==> 'Command interface Copyright 2012, ARRIS Group, Inc.,'
  ==> 'All rights reserved'
  ==> (empty)
  ==> (empty)
  <== ''
  ==> 'password:'

./bcm2dump -vv dump '192.168.100.1,ARRIS,VAFRWXSVSG' flash dynnv dynnv.bin
bcm2dump v0.9.8-12-g7c620ca
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
telnet: no login prompt

error: telnet: telnet login failed

context:
  ==> (empty)
  ==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
  ==> (empty)
  ==> 'WARNING:  Access allowed by authorized users only.'
  ==> (empty)
  ==> (empty)
  ==> (empty)
  ==> 'Arris console is active'
  ==> 'Command interface Copyright 2012, ARRIS Group, Inc.,'
  ==> 'All rights reserved'
  ==> (empty)
  ==> (empty)
  <== ''
  ==> 'password:'

The same result when using ./bcm2dump -P generic -vv dump '192.168.100.1,ARRIS,VAFRWXSVSG' flash dynnv dynnv.bin. The coax cable is connected during all tests.

When I connect telnet using terminal or putty, first I see this output

$ telnet 192.168.100.1
Trying 192.168.100.1...
Connected to 192.168.100.1.
Escape character is '^]'.

Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008

WARNING:  Access allowed by authorized users only.

Arris console is active
Command interface Copyright 2012, ARRIS Group, Inc.,
All rights reserved

To proceed and get the password prompt I need to press 'Enter'.
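As an added example (not part of this issue and not bcm2dump's code): the four "received command" lines in the log are RFC 854 option negotiation (253 = DO, 251 = WILL; options 1 = ECHO, 3 = SUPPRESS-GO-AHEAD, 33 = TOGGLE-FLOW-CONTROL), and the login failure is the banner arriving with no prompt behind it. The Python below decodes those bytes, answers them the way a passive client should, and presses Enter once after the Arris banner before looking for 'password:', which is the step the reporter had to do by hand. The banner bytes are reconstructed from the log above, the password is a placeholder, CR LF is assumed to be what the console counts as Enter, and IAC SB subnegotiation is not handled because the log shows none.

```python
"""Added example, not bcm2dump code: decode the telnet negotiation the TM902S
sends (253 = DO, 251 = WILL) and drive the login up to the password prompt.
Assumptions: CR LF is what the console treats as Enter; IAC SB subnegotiation
is not handled because the log above shows none."""
import re

IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
VERB_NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
OPTION_NAMES = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 33: "TOGGLE-FLOW-CONTROL"}
ACCEPT_FROM_SERVER = {1, 3}      # server-side ECHO and SGA are fine for a dumb client
BANNER_END = "All rights reserved"


def describe(commands):
    """[(253, 1), ...] -> ['DO ECHO', ...], i.e. what the log's numbers mean."""
    return [f"{VERB_NAMES.get(v, v)} {OPTION_NAMES.get(o, o)}" for v, o in commands]


def negotiate(buf: bytes):
    """Split one socket read into (text, commands, reply, remainder).
    commands: (verb, option) pairs seen; reply: bytes to send back;
    remainder: a partial IAC sequence to prepend to the next read."""
    text, commands, reply = bytearray(), [], bytearray()
    i = 0
    while i < len(buf):
        if buf[i] != IAC:
            text.append(buf[i])
            i += 1
            continue
        if i + 1 >= len(buf):
            return bytes(text), commands, bytes(reply), buf[i:]
        verb = buf[i + 1]
        if verb == IAC:                      # IAC IAC is an escaped 0xFF data byte
            text.append(IAC)
            i += 2
        elif verb in VERB_NAMES:
            if i + 2 >= len(buf):
                return bytes(text), commands, bytes(reply), buf[i:]
            opt = buf[i + 2]
            commands.append((verb, opt))
            if verb == DO:                   # server wants *us* to enable opt: refuse
                reply += bytes([IAC, WONT, opt])
            elif verb == WILL:               # server offers opt: accept only known-good ones
                reply += bytes([IAC, DO if opt in ACCEPT_FROM_SERVER else DONT, opt])
            i += 3
        else:                                # NOP, GA, ...: two-byte command, dropped
            i += 2
    return bytes(text), commands, bytes(reply), b""


class LoginDriver:
    """Feed it each read; it returns what to write. Presses Enter once after the
    Arris banner if no prompt has shown up, then answers 'password:'."""

    def __init__(self, password: str):
        self.password = password
        self.seen = ""          # all text received so far
        self.pending = b""      # partial IAC sequence carried between reads
        self.commands = []
        self.pressed_enter = False
        self.sent_password = False

    def feed(self, data: bytes):
        text, cmds, reply, self.pending = negotiate(self.pending + data)
        self.commands += cmds
        self.seen += text.decode("latin-1")
        out = [reply] if reply else []
        if not self.sent_password and re.search(r"password:\s*$", self.seen, re.I):
            out.append(self.password.encode() + b"\r\n")
            self.sent_password = True
        elif not self.pressed_enter and BANNER_END in self.seen:
            out.append(b"\r\n")              # the Enter the reporter had to press by hand
            self.pressed_enter = True
        return out


# Reconstructed from the log in this issue; the password is a placeholder.
SAMPLE_NEGOTIATION = bytes([IAC, DO, 1, IAC, DO, 33, IAC, WILL, 3, IAC, WILL, 1])
SAMPLE_BANNER = (
    b"\r\nBroadcom Corporation Embedded BFC Telnet Server (c) 2000-2008\r\n\r\n"
    b"WARNING:  Access allowed by authorized users only.\r\n\r\n\r\n\r\n"
    b"Arris console is active\r\n"
    b"Command interface Copyright 2012, ARRIS Group, Inc.,\r\nAll rights reserved\r\n\r\n"
)


def demo(password="PLACEHOLDER"):
    """Replay the two reads a real session would see; returns what we would send."""
    d = LoginDriver(password)
    first = d.feed(SAMPLE_NEGOTIATION + SAMPLE_BANNER)   # [reply, b"\r\n"]
    second = d.feed(b"\r\npassword: ")                  # [b"PLACEHOLDER\r\n"]
    return describe(d.commands), first, second


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Wrapping a real socket around `LoginDriver` is the only missing piece: read, call `feed`, write whatever it returns, and stop once the `CM/Console>` prompt is seen. Refusing every DO and accepting only ECHO and SUPPRESS-GO-AHEAD from the server keeps the session in the plain line-at-a-time mode the device expects.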

jclehner commented 7 months ago

Please retry with the latest commit!

mediotex commented 6 months ago

Hi, I'm back now and starting the testing. So I tried the latest commit, but it does not work.

$ ./bcm2dump -P tm902s -vv dump '192.168.100.1,ARRIS,O9W2Q1BFZP' flash dynnv dynnv2.bin
bcm2dump v0.9.8-13-g9fbac27
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
telnet: no login prompt
telnet: no password prompt

error: telnet: telnet login failed

context:
  ==> (empty)
  ==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
  ==> (empty)
  ==> 'WARNING:  Access allowed by authorized users only.'
  ==> (empty)
  ==> (empty)
  ==> (empty)
  ==> 'Arris console is active'
  ==> 'Command interface Copyright 2012, ARRIS Group, Inc.,'
  ==> 'All rights reserved'
  ==> (empty)
  ==> (empty)
  <== ''
  ==> 'password:'

--------------

$ ./bcm2dump -L dump.log -vv dump '192.168.100.1,ARRIS,O9W2Q1BFZP' flash dynnv dynnv2.bin
bcm2dump v0.9.8-13-g9fbac27
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
telnet: no login prompt
telnet: no password prompt

error: telnet: telnet login failed

context:
  ==> (empty)
  ==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
  ==> (empty)
  ==> 'WARNING:  Access allowed by authorized users only.'
  ==> (empty)
  ==> (empty)
  ==> (empty)
  ==> 'Arris console is active'
  ==> 'Command interface Copyright 2012, ARRIS Group, Inc.,'
  ==> 'All rights reserved'
  ==> (empty)
  ==> (empty)
  <== ''
  ==> 'password:'

mediotex commented 6 months ago

dump.log

jclehner commented 6 months ago

Please recompile with the latest commit, re-run with -vv -L io.log and post both the output and the resulting io.log file.

mediotex commented 6 months ago

Tried the new commit: the same result, telnet login failed.

$ ./bcm2dump -vv -L io.log dump '192.168.100.1,ARRIS,IRSBXWVM9K' flash dynnv dynnv2.bin
bcm2dump v0.9.8-15-g9d0dca2
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
have_login_prompt=0
checking for login/password prompt
login?=0, pw?=0
checking for login/password prompt
login?=0, pw?=0
telnet: no login prompt
checking for password prompt
telnet: no password prompt

error: telnet: telnet login failed

context:
  ==> (empty)
  ==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
  ==> (empty)
  ==> 'WARNING:  Access allowed by authorized users only.'
  ==> (empty)
  ==> (empty)
  ==> (empty)
  ==> 'Arris console is active'
  ==> 'Command interface Copyright 2012, ARRIS Group, Inc.,'
  ==> 'All rights reserved'
  ==> (empty)
  ==> (empty)
  <== ''
  ==> 'password:'

Tried telnet with PuTTY, it works:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.05.12 23:18:28 =~=~=~=~=~=~=~=~=~=~=~=

Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008

WARNING:  Access allowed by authorized users only.

Arris console is active
Command interface Copyright 2012, ARRIS Group, Inc.,
All rights reserved

password: 
Logging event: Telnet user logged in from IP address 192.168.100.10.

CM> - No energy!
Scanning DS Channel at 241750000 Hz - No energy!

mediotex commented 6 months ago

io.log

jclehner commented 6 months ago

Try the latest commit please, and post the io.log.

mediotex commented 6 months ago

Output and the io.log

$ ./bcm2dump -vv -L io.log dump '192.168.100.1,ARRIS,SZX3NZ3ZBD' flash dynnv dynnv2.bin
bcm2dump v0.9.8-16-g8d5825b
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
have_login_prompt=0
checking for login/password prompt
login?=0, pw?=0
checking for login/password prompt
login?=0, pw?=0
telnet: no login prompt
checking for password prompt
telnet: no password prompt

error: telnet: telnet login failed

context:
  ==> (empty)
  ==> 'Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008'
  ==> (empty)
  ==> 'WARNING:  Access allowed by authorized users only.'
  ==> (empty)
  ==> (empty)
  ==> (empty)
  ==> 'Arris console is active'
  ==> 'Command interface Copyright 2012, ARRIS Group, Inc.,'
  ==> 'All rights reserved'
  ==> (empty)
  ==> (empty)
  <== ''
  ==> 'password:'

jclehner commented 6 months ago

How about now?

mediotex commented 6 months ago

This time it connected, but can't dump anything and exits. io.log output:

$ ./bcm2dump -vv -L io.log dump '192.168.100.1,ARRIS,NUD21IFBUD' flash dynnv dynnv2.bin
bcm2dump v0.9.8-17-gd23db9d
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
have_login_prompt=0
checking for login/password prompt
login?=0, pw?=0
checking for login/password prompt
login?=0, pw?=1
telnet: no login prompt
adjusting dump params: 0x80000818,10 -> 0x80000818,16

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

error: telnet: read incomplete chunk 0x80000818: 0/16

context:
  ==> 'Scanning DS Channel at 113000000 Hz...(from preset list) - No energy!'
  <== ''
  ==> 'Scanning DS Channel at 115000000 Hz...(from preset list) - No energy!'
  ==> 'CM/Console> Channel at 386000000 Hz...(from preset list)'
  <== '/read_memory -s 4 -n 16 0x80000818'
  ==> 'CM/Console> /read_memory -s 4 -n 16 0x800008188'
  ==> (empty)
  ==> 'Error - what Unknown command:  '/read_memory -s 4 -n 16 0x80000818''
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  ==> 'Scanning DS Channel at 392000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 404000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 411000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 434000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 465000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 466000000 Hz...(from preset list) [00:07:41 01/01/1970] [DHCP Client Thread] BcmDhcpClientIf::ProcessPacket:  (DHCP ClientIf for IP Stack3) WARNING - Processing an ARP Reply from 192.168.100.10, 20:47:47:49:bc:75'
  ==> 'CM/Console> - No energy!'
  ==> 'Scanning DS Channel at 513000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 546000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 578000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 594000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 633000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 722000000 Hz...(from preset list) - No energy!'
  ==> 'Reached end of preset list...'
  ==> (empty)
  ==> 'Scanning DS Channel at 607750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 601750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 595750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 589750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 583750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 577750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 571750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 565750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 559750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 553750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 547750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 541750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 535750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 529750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 523750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 517750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 511750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 505750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 499750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 493750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 487750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 481750000 Hz - No energy!'
  ==> 'Scanning DS Channel at 475750000 Hz - No energy!'
  <== '/exit'
  ==> 'Scanning DS Channel at 469750000 Hz - No energy!'

jclehner commented 6 months ago

When you connect to it using PuTTY, type help at the prompt, and post the output!

mediotex commented 6 months ago

CM> help

!               ?               REM             call            cd             
dir             find_command    help            history         instances      
ls              man             pwd             sleep           syntax         
system_time     usage           
----
exit            reset           set             show            
----
[cm] [emta] [ethernet] [ftpLite] [pingHelper] [system] 
CM/Console/system> find_command write

/Console/system/diag writemem

CM/Console/system> find_command read

/Console/system/diag readmem
/Console/system/show threads
CM/Console/system> help diag

COMMAND:  diag

USAGE:  diag  [-p] [-c] [-s ParmSValue] [-n ParmNValue] [readmem|writemem|clear_debug_counters|show_debug_counters|set_debug_flow|snmp_reset] [Parm2] [Parm3]

DESCRIPTION:
Executes diag commands of the system

EXAMPLES:
readmem -s 4 -n 64 0x80001234  -- Reads 64 bytes as 32-bit values.
writemem 0x80001234 0x56       -- Write a byte to the address.
clear_debug_counters           -- Clear UTP debug counters.
show_debug_counters            -- Show debug counters for a selected flow.
set_debug_flow 0               -- Enable debug counters for the selected 
                                  flow.
snmp_reset                     -- Reset sockets for all SNMP agents.
---------------------------------------------------------------------------

jclehner commented 6 months ago

Try the latest commit. That should auto-detect the available read commands on your device!

mediotex commented 6 months ago

io.log

$ ./bcm2dump -vv -L io.log dump '192.168.100.1,ARRIS,WH9INCRM9B' flash dynnv dynnv2.bin
bcm2dump v0.9.8-21-g4f90447
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
telnet: no login prompt
using /Console/system/diag command for memory access
adjusting dump params: 0x80000818,10 -> 0x80000818,16

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

error: telnet: read incomplete chunk 0x80000818: 0/16

context:
  ==> 'Scanning DS Channel at 338000000 Hz...(from scan cache) - No energy!'
  ==> 'Scanning DS Channel at 354000000 Hz...(from scan cache) - No energy!'
  ==> 'Scanning DS Channel at 346000000 Hz...(from scan cache) - No energy!'
  ==> 'Scanning DS Channel at 330000000 Hz...(from scan cache) - No energy!'
  ==> (empty)
  ==> 'Reached end of chached list...'
  <== ''
  ==> 'CM/Console> Channel at 112000000 Hz...(from preset list)'
  <== '/Console/system/diag readmem -s 4 -n 16 0x80000818'
  ==> 'CM/Console> /Console/system/diag readmem -s 4 -n 16 0x800008188'
  ==> (empty)
  ==> ''Console' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  ==> 'Scanning DS Channel at 113000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 115000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 386000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 392000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 404000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 411000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 434000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 465000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 466000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 513000000 Hz...(from preset list) [00:03:29 01/01/1970] [DHCP Client Thread] BcmDhcpClientIf::ProcessPacket:  (DHCP ClientIf for IP Stack3) WARNING - Processing an ARP Reply from 192.168.100.10, 20:47:47:49:bc:75'
  ==> '- No energy!'
  ==> 'CM/Console> - No energy!46000000 Hz...(from preset list)'
  ==> 'Scanning DS Channel at 578000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 594000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 633000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 722000000 Hz...(from preset list) - No energy!'
  ==> 'Reached end of preset list...'
  ==> (empty)
  ==> 'Scanning DS Channel at 975000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 969000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 963000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 957000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 951000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 945000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 939000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 933000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 927000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 921000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 915000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 909000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 903000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 897000000 Hz - No energy!'
  <== '/exit'
  ==> 'Scanning DS Channel at 891000000 Hz - No energy!'

jclehner commented 6 months ago

What's the command to disable the DS channel scan on this device?

Also, please login to the device using PuTTY, run the following commands (in that order), and post the full output:

help
/find_command readmem
/find_command diag
cd
cd /
help
/find_command readmem
/find_command diag
su
help
cd /
help

If prompted for a password by su, try brcm.

mediotex commented 6 months ago

The problem is that with the Arris PoTD I can only access the limited shell, and there are no docsis_ctlmenu or scan_stop commands, so I can't stop the console from printing the frequency scan. Here is the PuTTY output (I cleaned out the channel scanning messages):

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2024.05.15 23:29:58 =~=~=~=~=~=~=~=~=~=~=~=

Broadcom Corporation Embedded BFC Telnet Server (c) 2000-2008

WARNING:  Access allowed by authorized users only.

Arris console is active
Command interface Copyright 2012, ARRIS Group, Inc.,
All rights reserved

password: 
- No energy!

CM/Console>

CM/Console>  
CM/Console> pwd

Active Command Table:  Telnet/SSH Commands (Console)

Console

CM/Console>
CM/Console>  
CM/Console> help

!               ?               REM             call            cd             
dir             find_command    help            history         instances      
ls              man             pwd             sleep           syntax         
system_time     usage           
----
exit            reset           set             show            
----
[cm] [emta] [ethernet] [ftpLite] [pingHelper] [system] 

CM/Console>
CM/Console>
CM/Console> /find_command readmem

/Console/system/diag readmem

CM/Console>
CM/Console>
CM/Console> /find_command diag

/Console/cm/diag
/Console/emta/diag
/Console/ethernet/diag
/Console/system/diag

CM/Console>
CM/Console>
CM/Console>  
CM/Console> cd

Active Command Table:  Telnet/SSH Commands (Console)

Console

CM/Console>
CM/Console>  
CM/Console> cd

CM/Console> cd /

Active Command Table:  Telnet/SSH Commands (Console)

Console

CM/Console>

CM/Console>
CM/Console>  
CM/Console> help

!               ?               REM             call            cd             
dir             find_command    help            history         instances      
ls              man             pwd             sleep           syntax         
system_time     usage           
----
exit            reset           set             show            
----
[cm] [emta] [ethernet] [ftpLite] [pingHelper] [system] 

CM/Console>

CM/Console> /find_command readmem

/Console/system/diag readmem

CM/Console>
CM/Console> /find_command
CM/Console> /find_command diag

/Console/cm/diag
/Console/emta/diag
/Console/ethernet/diag
/Console/system/diag

CM/Console>
CM/Console> su
CM/Console> su

Error - what Unknown command:  'su'

CM/Console>

CM/Console>  
CM/Console> help

!               ?               REM             call            cd             
dir             find_command    help            history         instances      
ls              man             pwd             sleep           syntax         
system_time     usage           
----
exit            reset           set             show            
----
[cm] [emta] [ethernet] [ftpLite] [pingHelper] [system] 

CM/Console>
CM/Console>  
CM/Console> cd 

CM/Console> cd /

Active Command Table:  Telnet/SSH Commands (Console)

Console

CM/Console>

CM/Console>

CM/Console>  
CM/Console> help

!               ?               REM             call            cd             
dir             find_command    help            history         instances      
ls              man             pwd             sleep           syntax         
system_time     usage           
----
exit            reset           set             show            
----
[cm] [emta] [ethernet] [ftpLite] [pingHelper] [system] 

CM/Console>

CM/Console> /find_command scan_stop

scan_stop not found

CM/Console>

jclehner commented 6 months ago

Try the latest commit. That should work, although with the scan still running, it's going to be noticeably slower!

mediotex commented 6 months ago

The DS frequency scan is constantly printing because I'm testing offline, with no coax cable connected. Still the same. io.log

$ ./bcm2dump -vv -L io.log dump '192.168.100.1,ARRIS,E3WB72VHPT' flash dynnv dynnv2.bin
bcm2dump v0.9.8-22-g2cf6fd1
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
telnet: no login prompt
using /Console/system/diag command for memory access
adjusting dump params: 0x80000818,10 -> 0x80000818,16

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

read incomplete chunk 0x80000818: 0/16; retrying

error: telnet: read incomplete chunk 0x80000818: 0/16

context:
  ==> 'Scanning DS Channel at 501000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 495000000 Hz [00:05:31 01/01/1970] [DHCP Client Thread] BcmDhcpClientIf::ProcessPacket:  (DHCP ClientIf for IP Stack3) WARNING - Processing an ARP Reply from 192.168.100.10, 20:47:47:49:bc:75'
  ==> '- No energy!'
  ==> 'Scanning DS Channel at 489000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 483000000 Hz - No energy!'
  ==> 'CM/Console> - No energy!77000000 Hz'
  ==> 'Scanning DS Channel at 471000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 465000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 459000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 453000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 447000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 441000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 435000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 429000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 423000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 417000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 411000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 405000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 399000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 393000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 387000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 381000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 375000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 369000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 363000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 357000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 351000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 345000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 339000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 333000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 327000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 321000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 315000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 309000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 303000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 297000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 291000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 285000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 279000000 Hz - No energy!'
  ==> 'Scanning DS Channel at 338000000 Hz...(from scan cache) - No energy!'
  ==> 'Scanning DS Channel at 354000000 Hz...(from scan cache) - No energy!'
  ==> 'Scanning DS Channel at 346000000 Hz...(from scan cache) - No energy!'
  ==> 'Scanning DS Channel at 330000000 Hz...(from scan cache) - No energy!'
  ==> (empty)
  ==> 'Reached end of chached list...'
  ==> 'Scanning DS Channel at 112000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 113000000 Hz...(from preset list) - No energy!'
  ==> 'Scanning DS Channel at 115000000 Hz...(from preset list) - No energy!'
  <== '/exit'
  ==> 'Scanning DS Channel at 386000000 Hz...(from preset list) - No energy!'

Is it possible, before the dump, to first run the scan_stop command by executing individual binary code at a specific RAM address through the bcm2dump exec command?

jclehner commented 6 months ago

How about now? bcm2dump should now correctly detect your /system/diag readmem command. Even though things are going to be slow with a running DS channel scan, it should theoretically work.

mediotex commented 6 months ago

Still complains: io.log

$ ./bcm2dump -vv -L io.log dump '192.168.100.1,ARRIS,64Y3MU3LF9' flash dynnv dynnv2.bin
bcm2dump v0.9.8-26-gbf8da8b
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
telnet: no login prompt
using /system/diag command for memory access
adjusting dump params: 0x80000818,10 -> 0x80000818,16
adjusting dump params: 0x80000844,2 -> 0x80000844,16
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00000,2 -> 0x82f00000,16
detected profile tm902s(bfc)
reinitializing flash driver

error: failed to open partition dynnv

context:
  ==> 'CM/Console> /flash/open dyn00000 Hz /flash/open dyn'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  ==> 'CM/Console> /flash/close19000000 Hz /flash/close'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  <== '/flash/deinit'
  ==> 'Scanning DS Channel at 213000000 Hz - No energy!'
  ==> 'CM/Console> /flash/deinit7000000 Hz /flash/deinit'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  <== '/flash/init'
  ==> 'Scanning DS Channel at 201000000 Hz - No energy!'
  ==> 'CM/Console> /flash/init195000000 Hz /flash/init'
  <== '/flash/open dyn'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  <== '/flash/close'
  ==> 'CM/Console> /flash/open dyn00000 Hz /flash/open dyn'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  ==> 'CM/Console> /flash/close83000000 Hz /flash/close'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  <== '/exit'
  ==> 'Scanning DS Channel at 177000000 Hz - No energy!'

There is also another, full shell, and a password for it, which is definitely somewhere in the f/w code.

jclehner commented 6 months ago

The ability to dump flash is only available from the full (i.e. privileged) shell. Since there's no su command, you can't easily switch to that from a Telnet session.

What you'll have to do first is dump the currently running firmware from RAM. With that dump in hand, it should be fairly easy to figure out how to switch to a full shell.

$ bcm2dump -vv -L io.log dump -P tm902s '192.168.100.1,ARRIS,64Y3MU3LF9' ram image,auto image.bin

mediotex commented 6 months ago

io.log

$ ./bcm2dump -vv -L io.log dump -P tm902s '192.168.100.1,ARRIS,SZX3NHLZI6' ram image,auto image.bin
bcm2dump v0.9.8-26-gbf8da8b
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
telnet: no login prompt
detected profile tm902s(bfc)
using /system/diag command for memory access
adjusting dump params: 0x82f00000,92 -> 0x82f00000,96
adjusting dump params: 0x82f00000,2302900 -> 0x82f00000,2302912
dumping ram:0x82f00000-0x831323bf (2302912 b)
   0.31% (0x82f01c20)      0 |     0  bytes/s (ETA      00:00:00)
read incomplete chunk 0x82f00000: 7200/16384; retrying
   0.71% (0x82f04000)      1 |     1  bytes/s (ETA  26d 15:41:35)  TS0710144_032912_EU_MODEL_9_TM902_SIP_sto.bin (0xb802, 2302808 b)
   1.40% (0x82f07e20)  30.92k|  2.58k bytes/s (ETA      00:14:20)
read incomplete chunk 0x82f04000: 15904/16384; retrying
   1.35% (0x82f079c0)   2.83k|   877  bytes/s (ETA      00:43:23)
read incomplete chunk 0x82f04000: 14784/16384; retrying
   0.73% (0x82f041d0) 409.60m|   512  bytes/s (ETA      01:14:25)
read incomplete chunk 0x82f04000: 464/16384; retrying
   1.15% (0x82f067e0)      0 |   390  bytes/s (ETA      01:37:42)
read incomplete chunk 0x82f04000: 10208/16384; retrying
   2.11% (0x82f0be00)  14.91k|   597  bytes/s (ETA      01:03:24)
read incomplete chunk 0x82f08000: 15872/16384; retrying
   1.58% (0x82f08e70)    112 |   520  bytes/s (ETA      01:12:45)
read incomplete chunk 0x82f08000: 3696/16384; retrying
   1.94% (0x82f0aea0)      0 |   449  bytes/s (ETA      01:24:15)
read incomplete chunk 0x82f08000: 11936/16384; retrying
   2.08% (0x82f0bb70)   1.88k|   413  bytes/s (ETA      01:31:32)
read incomplete chunk 0x82f08000: 15216/16384; retrying
   2.08% (0x82f0bb30) 409.60m|   348  bytes/s (ETA      01:48:43)
read incomplete chunk 0x82f08000: 15152/16384; retrying
   1.58% (0x82f08e80)      0 |   315  bytes/s (ETA      02:00:06)
error: bad chunk line @82f08e80: '2196803216: 3581576230  3957950447  2300448527  2788328757 | .z.&.........2.5' (offset mismatch)

context:
  ==> '2196803200: 1477109117  1924241- No energy!'
  ==> 'Scanning DS Channel at 693000000 Hz 37  439701553  753178557 | X..}.x(..5P1,...'
  ==> '2196803216: 3581576230  3957950447  2300448527  2788328757 | .z.&.........2.5'
  <== '/exit'
  ==> '2196803232: 2954312919  1568147509  3690474648  1787500366 | ..<.]x.5..,.j..N'

Is the RAM image the same as the image1, image2 dump? If so, then I have a dump of firmware image1, image2 that I got last year using a serial connection.

jclehner commented 6 months ago

The problem is that the channel scan and the memory dump both output to the console at the same time, leading to clobbered lines such as

2196803200: 1477109117  1924241- No energy!
Scanning DS Channel at 693000000 Hz 37  439701553  753178557 | X..}.x(..5P1,...

which is exactly where the code fails (offset 2196803200 is 0x82f08e80).

Is the RAM image the same as the image1, image2 dump? If so, then I have a dump of firmware image1, image2 that I got last year using a serial connection.

You're right. The image currently running is TS0710144_032912_EU_MODEL_9_TM902_SIP_sto.bin, of which I've got a copy (which I guess you sent me).

Try adding the following options to your bcm2dump command (before dump):

-O bfc:conthread_instance=0x809ffcd0 -O bfc:conthread_priv_off=0x70

This should switch the Telnet console into privileged mode (which should persist after bcm2dump has finished).

EDIT:

Also try logging into telnet using technician as username and password. Does that work?
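One way to make the dump parser tolerant of the interleaving described above: strip the asynchronous channel-scan fragments, re-join the dump line, and cross-check the decoded bytes against the ASCII column. This is an added example, not code from bcm2-utils; the "addr: w0 w1 w2 w3 | ascii" layout with big-endian 32-bit words is an assumption read off the log above, and the sample lines are constructed from it.

```python
import re
import struct

# Constructed sample: the clobbered pair quoted in the issue plus the clean
# lines around it. The DOCSIS channel scanner wrote its messages to the
# console while the memory-read command was still printing a line.
RAW = """\
2196803184: 1990154943  1291111030  2388499703  927249243 | v.Z.L..v.]..7D.[
2196803200: 1477109117  1924241- No energy!
Scanning DS Channel at 693000000 Hz 37  439701553  753178557 | X..}.x(..5P1,...
2196803216: 3581576230  3957950447  2300448527  2788328757 | .z.&.........2.5
"""

# Fragments the scanner emits asynchronously (assumed from the log text).
NOISE = re.compile(r"(Scanning DS Channel at \d+ Hz ?|- No energy!\n?)")
# One dump line: decimal address, four decimal words, 16-char ASCII column.
LINE = re.compile(r"^(\d+):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+\|\s(.{16})$")


def strip_noise(text):
    """Remove interleaved scan messages so split dump lines join up again."""
    return NOISE.sub("", text)


def parse_dump(text):
    """Parse dump lines into {address: 16 bytes}.

    Words are packed as 32-bit big-endian (MIPS); the ASCII column is
    recomputed and compared so a silently mangled line is rejected instead
    of producing a corrupt image.
    """
    out = {}
    for line in strip_noise(text).splitlines():
        if not line:
            continue  # a fully removed scan line leaves an empty string
        m = LINE.match(line)
        if not m:
            raise ValueError("unparseable dump line: %r" % line)
        addr = int(m.group(1))
        data = struct.pack(">4I", *(int(m.group(i)) for i in range(2, 6)))
        expect = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)
        if expect != m.group(6):
            raise ValueError("ASCII column mismatch at 0x%08x" % addr)
        out[addr] = data
    return out
```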

mediotex commented 6 months ago

I tried: io.log

$ ./bcm2dump -vv -L io.log -O bfc:conthread_instance=0x809ffcd0 -O bfc:conthread_priv_off=0x70 dump '192.168.100.1,ARRIS,RL93LPR2J5' flash dynnv dynnv2.bin
bcm2dump v0.9.8-26-gbf8da8b
telnet: received command 253,1
telnet: received command 253,33
telnet: received command 251,3
telnet: received command 251,1
detected interface: bfc
telnet: no login prompt
using /system/diag command for memory access
adjusting dump params: 0x80000818,10 -> 0x80000818,16
adjusting dump params: 0x80000844,2 -> 0x80000844,16
adjusting dump params: 0x80010000,4 -> 0x80010000,16
adjusting dump params: 0x80624d91,14 -> 0x80624d90,16
adjusting dump params: 0x80624d91,8 -> 0x80624d90,16
adjusting dump params: 0x8070244c,9 -> 0x8070244c,16
adjusting dump params: 0x807023d4,7 -> 0x807023d4,16
adjusting dump params: 0x80eb8a91,8 -> 0x80eb8a90,16
adjusting dump params: 0x80f89da0,11 -> 0x80f89da0,16
adjusting dump params: 0x82f00000,2 -> 0x82f00000,16
detected profile tm902s(bfc)
reinitializing flash driver

error: failed to open partition dynnv

context:
  ==> 'CM/Console> /flash/open dyn00000 Hz /flash/open dyn'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  ==> 'CM/Console> /flash/close61000000 Hz /flash/close'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  <== '/flash/deinit'
  ==> 'Scanning DS Channel at 555000000 Hz - No energy!'
  ==> 'CM/Console> /flash/deinit9000000 Hz /flash/deinit'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  <== '/flash/init'
  ==> 'Scanning DS Channel at 543000000 Hz - No energy!'
  ==> 'CM/Console> /flash/init537000000 Hz /flash/init'
  <== '/flash/open dyn'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  <== '/flash/close'
  ==> 'CM/Console> /flash/open dyn00000 Hz /flash/open dyn'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  ==> 'CM/Console> /flash/close25000000 Hz /flash/close'
  ==> (empty)
  ==> ''flash' is not a valid command table.'
  ==> (empty)
  ==> 'Type 'help' for information about valid commands and tables.'
  ==> (empty)
  ==> 'CM/Console> - No energy!'
  <== '/exit'
  ==> 'Scanning DS Channel at 519000000 Hz - No energy!'

Logging into telnet or SSH with the technician username and password doesn't work; with the technician username and the PotD password it gives a limited shell. The problem is that after writing dynnv, the full shell is present on both the serial and telnet/ssh interfaces, but after rebooting, it switches back to a limited shell. So the full shell access is not saved persistently. Sometimes it lasts for several reboots, but then I have to re-write dynnv.bin. I think either the firmware functions override the dynnv settings, or there are some settings in permnv that regulate the access level to the CLI shell.