nox-x / TG3442DE-Teardown

Teardowning a Vodafone TG3442DE Cable router

Were you able to dump the firmware? #3

Open madushan1000 opened 3 years ago

madushan1000 commented 3 years ago

I got a tg3442s/ce off ebay for about 12eur. Before attempting any hardware hacks, I wanted to know if you were able to dump the firmware?

nox-x commented 3 years ago

Unfortunately not yet. Didn't find the time in the past months to make some progress. But got a second PCB from ebay too. Planned to desolder the flash chip there and then reconstruct traces and vias located around it. So with this reconstruction hopefully it would be possible to dump the firmware directly from the flash.

Not searched for vulnerabilities of the network services and software yet. Maybe this could open up another option to dump the firmware "over the air".

madushan1000 commented 3 years ago

I was looking at a firmware with a higher version number (http://cmapp.ark.cablelynx.com/AR01.02.085_102620_711.NCS.10.7.NA.simg); looks like vodafone hasn't got around to updating to it yet. You can extract it by running binwalk on it.

There are code exec vulnerabilities in dnsmasq that are unpatched, but I don't think there is a way to exploit them (https://kb.cert.org/vuls/id/434904).

BTW make sure you connect the router to the cable network and get the firmware updated to the latest before desoldering the flash. Looks like they have fixed a bunch of command injection vulnerabilities in the latest firmware (by making some annoying API limitations).

madushan1000 commented 3 years ago

More firmware files; the ones for the tg3442de begin with ARXX. http://72.240.115.5/

arrobazo commented 3 years ago

hello in your hw review I miss the SPI Bios ~~MX25U3235FBAI-10G~~ I correct MX25U1635FBAI-10G sorry :P "12-BALL BGA" (WLCSP). there is another missing component that converts TTL 1.8v to 3.3v ATOM core console, it is a 2bit logic converter "SN74AVC2T245RSWR" (XQFN10)

[image] https://user-images.githubusercontent.com/21269675/124538618-56062700-ddf2-11eb-920b-ba49a9eee49c.jpg
[image] https://user-images.githubusercontent.com/21269675/124538624-57375400-ddf2-11eb-9cb9-341a56247f7f.png
[image] https://user-images.githubusercontent.com/21269675/124538625-57cfea80-ddf2-11eb-8041-a38abffbbdb4.png
[image] https://user-images.githubusercontent.com/21269675/124538628-57cfea80-ddf2-11eb-87a9-615292bf6047.png

madushan1000 commented 3 years ago

logic converter is some sort of a uart interface you think?


madushan1000 commented 3 years ago

@arrobazo didn't notice that you mentioned it's a console. Were you able to monitor something on the console?

arrobazo commented 3 years ago

@madushan1000 It is only a logic converter; the modems do not come with it from the factory, "I added it and soldered it". Its job is to convert the 1.8v of the UART ATOM output of the cpu to 3.3v, but since that IC is not present there is no physical connection to the UART connector (which is also not present; it is a single-row SMT pin header). But there is no UART signal in either the ATOM or the ARM core! They are disabled from the Bios (secure boot xD benefits). If you want to make an emmc dump you only have to connect Data0, Cmd, Clk, Vcc (3.3v) and Vccq (1.8v) (I could do a ps8211 pinout) and use a low voltage sd breakout (exploitee) or also use an ISP emmc programmer to access the boot0 / 1 partitions. You can also make a backup of the spi, but beware that the logic levels are 1.8v; it does not tolerate 3v. If you connect a programmer soldered on the pcb to read the spi you will burn your cpu (if you want I upload a pinout to solder on the pcb without removing the spi bga).

madushan1000 commented 3 years ago

Oh thanks! I was confused, did you manage to get a dump this way? If so I'd appreciate a copy :) My soldering skills are almost nonexistent and the ps8211 pins are so tiny :/

arrobazo commented 3 years ago

haha if there are no problems, give me a moment and I upload the backup emmc / bios. And on soldering, mm, if it is the smallest package smd201 haha, but it is not difficult, only solder on resistors and capacitors; you would only have to scrape Data0 in a through hole.

update: "link backup´s" https://mega.nz/file/cZAVVCzR#UIMpt-3HjXoZLEZDrR7fOmiXIcjc_VAQ_s2eTUaGQ_E

madushan1000 commented 3 years ago

Thank you very much for the dump! Can you post a hi res picture(s) of your soldering so I can follow it?

nox-x commented 3 years ago

@arrobazo yes, you are right. I missed the SPI BIOS (U17). Got some trouble with identifying those chips. And also missing the logic converter (U12) ;) Which hw-rev do you have? Currently considering to solder the logic converter and the UART connector onto the board. If this is done properly I would be able to dump boot0/1 via UART?

arrobazo commented 3 years ago

I just soldered it at that time and then removed it. I have another modem of these with the mod made but it is different, "DiagModem"; the notable differences are that it does not have a fused cpu, it does not have secure boot, and the spi is soic8 and the nand is tsop48, unlike the vodafone ISP version which are bga. Let me upload pictures and draw the pinout.

madushan1000 commented 3 years ago

Is the DiagModem the retail tg3442? or is it from a different ISP? would love to get my hands on one of those. Vodafone like to lock things down too much :/

arrobazo commented 3 years ago

@nox-x The spi does not need a converter, the 1.8v logic connection comes directly from the cpu; you only need a 1.8v spi programmer to avoid burning your cpu. On the 2bit UART logic converter ic, I only soldered it for entertainment; there are no active uart outputs, they are disabled from the bios by secureboot. You can dump all your emmc from usb but you should have access to the atom core as root.

arrobazo commented 3 years ago

[photos: photo1625584405(1), photo1625584405]

madushan1000 commented 3 years ago

Oh wow, nice find!, btw I extracted the dump and the firmware version is quite old. but it has the nvram(ext4) partitions so very helpful nevertheless!

arrobazo commented 3 years ago

> Oh wow, nice find!, btw I extracted the dump and the firmware version is quite old. but it has the nvram(ext4) partitions so very helpful nevertheless!

I am not in Germany so that my modem can be updated by vodafone xD, I have the diag version updated as root there are no problems :P there you can play without involving secureboot 🤫

madushan1000 commented 3 years ago

ha ha, If I can root my router, I'll probably be able to download the latest firmware file from vodafone. There is a command injection vulnerability(which I can not find no matter how long I stare at the code :/) somebody found(https://forum.level1techs.com/t/success-command-injection-possible/163881/) but they're waiting for vodafone to fix the issue before they disclose it. In any case, you might be able to flash the generic firmware updates from arris because it looks like all of them share the same firmware image. (look here: https://bt4g.piracyproxy.cc/magnet/30f31ab64d8b3153fd1f85c2e1232055600d42ea and here: http://cmapp.ark.cablelynx.com/)

arrobazo commented 3 years ago

emmc accepts 3v but I do not recommend it; better to use a low voltage 1.8v sd breakout (exploitee). You can also remove r19 (0 ohms) on clk and then power the modem with 12v; the cpu will not start and you will not need to power the phison. I recommend using 0.1mm thin enameled wires (only with an emmc ISP programmer can you access boot0/1; a compatible 1-bit sd reader does not have access to those partitions).

[photos: photo1625588074, photo1625588109]

https://user-images.githubusercontent.com/21269675/124634270-8682ab00-de5c-11eb-9e47-c3eb0b975c18.mp4

madushan1000 commented 3 years ago

Also, thanks for the pictures! going to be very helpful :) Any chance you looked at the cga4233de (the other vodafone station, based on a Broadcom docsis 3.1 chip) too?

arrobazo commented 3 years ago

nop ... I do not have a vodafone brand one, but the cga4233-STO technicolor which is the same; they are bcm3390, spi and nand bga24 6x4, bga63 4g (512mb), same brand hw as vodafone. I think that if you upload some photos I could confirm it, but the one I have has the same vodafone cut of pcb.

I backed him up, a while ago https://mega.nz/file/4BYnlIiR#ykZ6Pn_4Xp_hPYLrFwKERYyfFj5wRjDafEA4QzerX-I

madushan1000 commented 3 years ago

I didn't remove the cover yet(pain in the ass to do because it's glued :/) I'll upload some picture when I do! Thanks for the dump again, you're a godsend :D

madushan1000 commented 3 years ago

Oh, I wonder what they're paying for. I guess to lock the firmware down some more :/ BTW I think the cga4233 dump might actually be encrypted. Weird.

[image: Figure_1]

arrobazo commented 3 years ago

I remember that a friend mentioned to me that this algorithm is known as BCMNAND, and I think it is open source so it needs to be publicly documented somewhere, the goal of this algorithm is to reduce wear on the NAND .. I think

Both the main operating system (Linux BCM manager) and the CM operating system (eCos) are stored on the NAND. The SPI stores NVRAM and DTB parameters. DTB is the branch of the device tree; it is for customizing the Linux kernel without recompiling.

madushan1000 commented 3 years ago

Interesting! I was able to extract the spi(they were in a ton of jffs file system volumes for some reason). I'll look into bcmnand, wonder if I can build it as a module for my x86 kernel and use nandsim to extract the files. Thanks for the info.

jclehner commented 3 years ago

Hi. bcmnand is just a NAND controller driver that's used on this device, but that has got nothing to do with the dump not being readable.

The dump actually contains 0x40000 pages of 2048 + 64 bytes, the 64 bytes being the NAND's OOB data. Additionally, there seems to be an endianness issue, as the first 4 bytes of the dump should read UBI# instead of #IBU.

To convert this to a readable dump, read the file in blocks of 2048 + 64, byte swap each 32-bit value, then write only the first 2048 bytes of every block to the output file. The dump still appears to be corrupted, as ubiattach bails out with an error, when using nandsim, but I was able to extract at least some files using ubireader_extract_files -w (from ubi-reader).
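The conversion described above, written out as an added example (not code from this thread): it assumes the page geometry jclehner states (2048 data + 64 OOB bytes, 32-bit byte swap, 0x40000 pages) and uses a constructed sample dump so it can be run without the real file.

```python
"""Turn a raw NAND dump (data + OOB per page, words byte-swapped) into a plain image."""
import struct
import sys

PAGE_SIZE = 2048                  # user data bytes per NAND page
OOB_SIZE = 64                     # spare (OOB) bytes stored after each page in the dump
RAW_PAGE = PAGE_SIZE + OOB_SIZE   # one page as it appears in the raw dump
EXPECTED_PAGES = 0x40000          # page count reported for this dump in the thread
UBI_MAGIC = b"UBI#"               # magic of a UBI erase-counter header


def swap32(chunk: bytes) -> bytes:
    """Reverse the byte order inside every 32-bit word of chunk."""
    if len(chunk) % 4:
        raise ValueError("length must be a multiple of 4")
    words = struct.unpack(">%dI" % (len(chunk) // 4), chunk)
    return struct.pack("<%dI" % len(words), *words)


def page_count(raw: bytes) -> int:
    """Number of raw pages in the dump; rejects a dump that is not page-aligned."""
    if len(raw) % RAW_PAGE:
        raise ValueError("dump length %d is not a multiple of %d" % (len(raw), RAW_PAGE))
    return len(raw) // RAW_PAGE


def strip_oob_and_swap(raw: bytes) -> bytes:
    """Drop the OOB bytes of every page and byte-swap the remaining data words."""
    out = bytearray()
    for i in range(page_count(raw)):
        off = i * RAW_PAGE
        out += swap32(raw[off:off + PAGE_SIZE])
    return bytes(out)


def looks_like_ubi(image: bytes) -> bool:
    """True when the converted image starts with the UBI magic, as expected here."""
    return image[:4] == UBI_MAGIC


def make_sample_dump(pages: int = 2) -> bytes:
    """Constructed sample dump (not real data): every page holds a byte-swapped
    UBI magic followed by zero filler, then an all-0xFF OOB area."""
    data = swap32(UBI_MAGIC + b"\x00" * (PAGE_SIZE - 4))   # starts with b"#IBU"
    return (data + b"\xff" * OOB_SIZE) * pages


if __name__ == "__main__":
    # Usage: python convert_dump.py raw.bin image.bin
    raw_dump = open(sys.argv[1], "rb").read()
    n = page_count(raw_dump)
    if n != EXPECTED_PAGES:
        print("warning: %#x pages, expected %#x" % (n, EXPECTED_PAGES), file=sys.stderr)
    image = strip_oob_and_swap(raw_dump)
    print("UBI magic found" if looks_like_ubi(image) else "no UBI magic at offset 0")
    open(sys.argv[2], "wb").write(image)
```

The script only fixes layout and byte order; it does not apply ECC from the OOB bytes, which is why a converted dump can still fail in ubiattach.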

madushan1000 commented 3 years ago

@jclehner I was able to extract some files this way too, thanks for the help! I guess the ubifs volumes are somewhat corrupted because we don't perform error correction? But I think I have enough to look for a way in :)

n0kovo commented 2 years ago

@arrobazo Do you still have the cga4233-STO dump? The Mega link is broken.

arrobazo commented 2 years ago

> @arrobazo Do you still have the cga4233-STO dump? The Mega link is broken.

https://www.mediafire.com/file/vhwdgsdmn7w6dy0/CGA4233STO.7z/file

n0kovo commented 2 years ago

> https://www.mediafire.com/file/vhwdgsdmn7w6dy0/CGA4233STO.7z/file

Mediafire says "The key you provided for file access was invalid"

arrobazo commented 2 years ago

> Mediafire says "The key you provided for file access was invalid"

I thought you already downloaded it, try again!

n0kovo commented 2 years ago

> I thought you already downloaded it, try again!

Got it, thanks!

itspngu commented 2 years ago

> ha ha, If I can root my router, I'll probably be able to download the latest firmware file from vodafone. There is a command injection vulnerability(which I can not find no matter how long I stare at the code :/) somebody found(https://forum.level1techs.com/t/success-command-injection-possible/163881/) but they're waiting for vodafone to fix the issue before they disclose it. In any case, you might be able to flash the generic firmware updates from arris because it looks like all of them share the same firmware image. (look here: https://bt4g.piracyproxy.cc/magnet/30f31ab64d8b3153fd1f85c2e1232055600d42ea and here: http://cmapp.ark.cablelynx.com/)

The bt4g.piracyproxy.cc link ends in a spam loop of death for me (on 2 browsers, with and without ad blockers) and cmapp.ark.cablelynx.com appears to be some kind of Dell customer portal that asks for a login. Do you have an alternate source for the data or a rough description as to what you found there at the time?

itspngu commented 2 years ago

> haha if there are no problems, give me a moment and I upload the backup emmc / bios, and on soldering mm if it is the smallest package smd201 haha, but it is not difficult only solder on resistors and capacitors, you would only have to scrape Data0 in a through hole
>
> update: "link backup´s" https://mega.nz/file/cZAVVCzR#UIMpt-3HjXoZLEZDrR7fOmiXIcjc_VAQ_s2eTUaGQ_E

The link is dead, mega.nz says the file has been removed. Could you re-upload it please?

arrobazo commented 2 years ago

@itspngu in the comments there is http://72.240.115.5/; there you can find fw AR010X but there is no EU version.

About the Backup here goes the link I don't know why you would need it but here it goes, you can also read via "emmc" your modem, check the pinout.

https://www.mediafire.com/file/onanhqy4te3itlq/TG3442DE%255BVODAFONE%255D.zip/file

klochden commented 2 years ago

> @jclehner I was able to extract some file this way too, thanks for the help!, I guess the ubifs volumes are somewhat corrupted because we don't preform error correction? But I think I have enough to look for a way in :)

Guys, has anyone an idea how to unhide the LAN Settings in the Vodafone TG3442DE? Unbelievable that Vodafone hides fundamental settings like this from the user. I need to change the IPv4 and IPv6 DNS address in order to use my own DNS Server with Pihole. Maybe someone can help or has an idea? Thanks a lot!

marcencov commented 2 years ago

Can someone help me - where is the CM MAC address stored? In the SPI bios?

arrobazo commented 2 years ago

> Can someone help me - where is the CM MAC address stored? In the SPI bios?

nop, it is located in the partition "nvram atom", /itstore/production.ini (encrypted); you need shell-root to be able to read and write to itstore.

marcencov commented 2 years ago

> nop, it is located in the partition "nvram atom" /itstore/production.ini (encrypted) you need shell-root to be able to read write to itstore

so no way to get root or change this file?

lukaskuzmiak commented 1 year ago

I went down this rabbit hole many years ago on the SB6190, it utilizes the same Phison PS8211-0. It does a bunch of memory management stuff, like wear leveling etc. It does have an XOR "key" you can recover if you find empty pages that were XORed with it. But then you will stand in front of a logical memory map that the Phison makes. On top of physical pages/blocks etc. of the NAND (at least in SB6190 it is a NAND) there will be a logical structure of pages/blocks Phison introduced, if a physical block/page goes bad it will put it somewhere else, etc. You do not want to be dealing with recovering that map if you can at all avoid it.

As far as I understand it (this is an assumption, I have put the project on a shelf years ago due to lack of time and have not validated this myself), you should be able to hook up between the CPU and the Phison, it should have an eMMC/SD interface that will expose the memory (after all the fancy wear leveling, etc.) transparently to the CPU as it was not even there. Then you should be able to dump it. Hold the CPU in reset or something, so it doesn't mess with those lines.

I am not sure if it performs any kind of authentication before it allows you to access the memory, if it does, then you're perhaps out of luck. But recovering the entire logical structure of the memory is a horrible PITA and you do not want to be doing that, unless you absolutely have to.

Capobreak commented 7 months ago

> haha if there are no problems, give me a moment and I upload the backup emmc / bios, and on soldering mm if it is the smallest package smd201 haha, but it is not difficult only solder on resistors and capacitors, you would only have to scrape Data0 in a through hole
>
> update: "link backup´s" https://mega.nz/file/cZAVVCzR#UIMpt-3HjXoZLEZDrR7fOmiXIcjc_VAQ_s2eTUaGQ_E

Hello arrobazo

Wanted to ask if you still have the dump file for the tg3442s/ce .. the link does not exist anymore

Thank you

marcohald commented 1 month ago

> I was looking at a firmware with a higher version number(http://cmapp.ark.cablelynx.com/AR01.02.085_102620_711.NCS.10.7.NA.simg) looks like vodafone hasn't got around to updating to it yet. You can extract is by running binwalk on it.

@madushan1000 do you have any of the firmware update files and could you upload them? All links to the firmware files here seem to be dead.

madushan1000 commented 1 month ago

which file do you want? I'll see if I have a backup

marcohald commented 1 month ago

The newest Vodafone branded firmware if you have that otherwise the newest non Vodafone firmware would be good

madushan1000 commented 1 month ago

unfortunately I don't have a backup, however there is a torrent linked above that's still alive.

marcohald commented 1 month ago

Couldn't get the torrent to work do I need a specific tracker? The whole site is not reachable but I guess the last part of the link is the magnet hash

arrobazo commented 1 month ago

@marcohald Vodafone should update; at least the tg3442de should have fw AR01.05. Now it is tg3442s but brand arris. Here I leave you the most recent EU fw that I have (AR01.05.020.05), but to install it you would need to be root or write the partitions directly via the emmc phison mod: https://www.transfernow.net/dl/20240810Uo7s4KT1

marcohald commented 1 month ago

@arrobazo thank you. I do not have root on the router yet. I'm more into looking at the firmware. Do you have by any chance a firmware near to the version 01.04.046.04.14.EURO.SIP? And a Vodafone DE firmware would be nice. As far as I know the firmware updates are pushed to the router and not pulled, but I hope to maybe find an update check URL in there.

My main goal is at the moment to disable the DHCP server. The webui has the option but it does not work. Maybe this has something to do with the Homespot feature.