Joseph C. Lehner

Results 186 comments of Joseph C. Lehner

> BTW I found this partial source of bcm proprietary components here

Interesting find though, especially regarding the `permnv` format of `userif`, which, according to [this file](https://github.com/mlewertTiVo/google-stb.platform.vendor.broadcom.refsw/blob/94189b540f3eb9607483ddefe20c29398c9eea0a/BSEAV/cable/docsis/estb/Bfc/UserInterface/MessageLogNonVolSettings.cpp#L1195) has three fields...

I just remembered, writing is not yet supported from the BFC console, only from the bootloader. However, I've tried the modifications myself, to no avail. I still can't log in via...

> I'll add support for this group in bcm2cfg in the near future (think 1-2 weeks).

It was a short 1-2 weeks apparently. However, this still won't help you, unfortunately....

It does. Signatures are only checked during a regular software upgrade, but not by the bootloader. Also, this is a device where the bootloader serial console is enabled, so you'll...

> Meanwhile I got a new router which supports docsis 3.1, technicolor cga4322de. Unfortunately, no telnet/ssh only the web interface(running on RG ip) and stripped down snmp running on the...

Do you have access to this device's CM console?

Yes. `cmboot.img` is the bootloader, and the `cmrun{1,2}.img` files are the CM firmware. However, the `cmrun` files appear to be corrupted too.

I don't think that it's actually a new file format. I've managed to extract the first few megabytes from these files, using `unlzma` after fixing the LZMA header, which resulted...

I've had a look at the ARM bootloader, and found the code which _seems_ to initialize the AES key used by the `cm_{perm,dyn}.bin` encryption. The encrypted data starts at offset...

Hmmm. Since you've provided the dumps, I'm assuming you've got hardware access to the SPI NOR flash? If so, you could try setting `32` bytes at offset `0x140` of the...