Open ozwaldorf opened 7 years ago
You should be able to do that using dd on the block device once you get a root shell.
My bus pirate is delivered today, I might just dump from the chip directly
@The5heepDev Any luck on the Bus Pirate?
@Brandonv101 no, haven't gotten a chance to look at it. Also, do you know which chip specifically is the NAND chip?
@The5heepDev Not really. I need to see some internal pictures first to tell. I just got my 5th gateway as my old one just gave up after I tried to get a NAND dump via SSH. I think that the HAN port might be a UART but I can't confirm.
@Brandonv101 I tried looking into the HAN port as a UART, didn't have much luck - I wasn't very thorough, though. The cpu is definitely trying to open up 4 UART interfaces tho
@The5heepDev If I had another G1100 I could open it up and see. Although where these UART interfaces lead I have no idea. If we can only get access to the UART then we will probably have some luck.
There is an internal UART but it isn't really useful for anything other than viewing boot logs without a signed RSA token (which can probably only be created by Greenwave and is device specific) attached via USB or activation via the TR-069 backdoor (which is kinda pointless since you would have SSH access at that point anyways).
@jameshilliard I think I am going to try SSH again and see if I can get it working. Not sure if this matters or not, but can I run GenieACS in a VM instead of on an actual machine? For some reason, when I run it in a VM (VMware Fusion), the router only pulls the TR-069 programming once and then disconnects.
There might be a NAT issue - are you using host bridge or passthrough?
I am using a passthrough to allow the VM to get access to the ethernet port but on a different IP.
@The5heepDev Is there a pre-made GenieACS VM that I can get? That will help me speed up the process of getting a NAND dump.
@Brandonv101 Not sure, I know there is a Docker image you can use though: https://hub.docker.com/r/thebinary/genieacs/
@The5heepDev Thanks, I will take a look.
Need to dump the NAND and pull the firmware