bcm2-utils
Finding flash dump functions
Hi,
Thanks to you (https://github.com/jclehner/bcm2-utils/issues/7), I could dump the firmware of my Netmaster modem. However, in the current firmware, they also disabled both telnet and the serial console (CM). I tried to dump image1 or image2 with ttyUSB0 but it failed. It says it needs some function address? I forgot the exact message. I dumped the bootloader via the generic profile (using the address in profiledef.c: 0x83f80000, 0x020000), which took almost an hour.
I checked the source code and it seems that, to dump fast, we need the address of the flash read functions. I think the profile you added doesn't have the address of those functions. Currently, I can stop the boot process by hitting p and then dump any address by using a generic profile. I disassembled the bootloader but couldn't find anything related to flash read. I think the SPI read function is at 0x83f810e4.
Could you help me to identify those functions so we can update our profile? My current candidates for those functions are:
int FUN_83f80e48(byte *param_1,byte param_2,undefined4 param_3)
int FUN_83f810e4(int param_1,undefined4 param_2,int param_3)
void FUN_83f82064(undefined4 param_1,undefined4 param_2,undefined4 param_3)
undefined4 FUN_83f833c8(int param_1,int param_2,undefined4 param_3)
void FUN_83f83800(undefined4 param_1,int param_2,int param_3)
void FUN_83f839c8(undefined4 param_1,undefined4 param_2,undefined4 param_3)
int FUN_83f85ed0(char *param_1,int param_2,int param_3)
void FUN_83f872c0(undefined4 *param_1,undefined4 param_2,undefined4 param_3)
bool FUN_83f87348(undefined4 *param_1,undefined4 param_2,undefined4 param_3)
undefined4 FUN_83f87390(int param_1,int param_2,int param_3)
int FUN_83f881f8(int param_1,undefined4 param_2,int param_3)
int FUN_83f88444(byte *param_1,byte *param_2,char **param_3)
int FUN_83f8883c(undefined4 param_1,int param_2,int param_3)
void FUN_83f890b0(undefined4 param_1,undefined4 param_2,undefined4 param_3)
undefined4 FUN_83f89168(int *param_1,byte *param_2,int param_3)
undefined * FUN_83f89300(undefined *param_1,uint param_2,uint param_3)
undefined * FUN_83f8944c(undefined *param_1,int param_2,int param_3)
void FUN_83f89580(undefined4 param_1,int param_2,int param_3)
int FUN_83f89934(undefined4 param_1,undefined *param_2,int param_3)
undefined4 FUN_83f8162c(undefined4 param_1,uint param_2,int param_3,uint param_4)
void FUN_83f88b48(undefined4 param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4)
void FUN_83f81ae0(uint param_1,undefined4 param_2,undefined4 param_3,undefined4 param_4)
undefined4 FUN_83f858c8(int param_1,int param_2,undefined4 param_3,uint param_4)
I am attaching the bootloader that I dumped: bootloader.bin.zip
With the following modification, I could dump image2 with the below command
diff --git a/profiledef.c b/profiledef.c
index b9a648f..e8a4e7d 100644
--- a/profiledef.c
+++ b/profiledef.c
@@ -219,6 +219,14 @@ struct bcm2_profile bcm2_profiles[] = {
.version = "2.4.0",
.intf = BCM2_INTF_BLDR,
.magic = { 0x83f8a9ac, "2.4.0" },
+ .printf = 0x83f88174,
+ .spaces = {
+ {
+ .name = "flash",
+ .read = { 0x83f810e4, BCM2_READ_FUNC_OBL }
+ }
+ }
+
},
},
},
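Review bot: the added `.spaces` block leaves a stray blank `+` line before the closing `},` and gives no hint that `0x83f810e4` is the raw SPI read routine identified earlier in this thread; drop the blank line and put a short comment next to `.read = { 0x83f810e4, BCM2_READ_FUNC_OBL }` saying it is the slow SPI path, so that anyone who later finds a faster flash read function knows which entry to replace.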
bcm2dump -vv dump /dev/ttyUSB0 flash image2 image2.bin
It's reporting 4.34k bytes/s. I am not sure but it looks like this bootloader doesn't have the same flash read functions as others so reading with SPI read is slow. Is there a way to make it fast? I see two ways
- Enabling telnet again so we can dump with console
- Finding fast flash read functions.
With the following modification, I could dump image2 with the below command
Wanna create a PR for that?
It's reporting 4.34k bytes/s. I am not sure but it looks like this bootloader doesn't have the same flash read functions as others so reading with SPI read is slow. Is there a way to make it fast?
The main bottleneck when dumping via serial console is the serial interface itself: printf'd as "%x %x %x %x\r\n", each line of 16 bytes of data is 37 bytes long (worst case). At 115200 baud (roughly 11.52 KiB/s), this amounts to
(11.52 KiB/s) * (16/37) = 4.98 KiB/s
which doesn't include the overhead of calling the dump code. Using base64 encoding in the dump code, you could probably achieve around 8 KiB/s, but this would significantly complicate the dump code (the code that's uploaded and executed on the router itself), which is something I want to avoid.
This is the main reason why reading via telnet is so much faster than with the serial console.
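The serial dump format described above, as an added example (not code from bcm2-utils or this thread): a small Python decoder for the `%x %x %x %x` console lines together with the throughput estimate. It assumes big-endian 32-bit words (typical for the MIPS bootloaders in these modems; this is an assumption, pass `little_endian=True` otherwise) and 8N1 framing, i.e. 10 bits on the wire per byte.

```python
"""Decode bcm2-utils style serial dump lines and estimate throughput.

Added example, not part of bcm2-utils. Assumptions (labelled):
- each line carries four 32-bit words printed with "%x %x %x %x\r\n",
  so fields are unpadded and the worst case line is 37 characters;
- words are big-endian unless little_endian=True is passed;
- 8N1 framing: 10 bits per byte on the wire.
"""
import struct

WORDS_PER_LINE = 4
BYTES_PER_LINE = 4 * WORDS_PER_LINE            # 16 payload bytes per line
WORST_CASE_LINE = 8 * WORDS_PER_LINE + 3 + 2   # 32 hex + 3 spaces + "\r\n" = 37


def parse_dump_lines(text: str, little_endian: bool = False) -> bytes:
    """Turn console text into the raw bytes it encodes.

    Lines that are not exactly four hex words (prompts, echoes, line noise)
    are skipped instead of corrupting the output.
    """
    fmt = "<I" if little_endian else ">I"
    out = bytearray()
    for line in text.splitlines():
        fields = line.strip().split()
        if len(fields) != WORDS_PER_LINE:
            continue
        try:
            words = [int(f, 16) for f in fields]
        except ValueError:
            continue                       # not a data line
        if any(w > 0xFFFFFFFF for w in words):
            continue                       # more than 8 hex digits: garbage
        for w in words:
            out += struct.pack(fmt, w)
    return bytes(out)


def serial_dump_rate(baud: int, line_len: int = WORST_CASE_LINE) -> float:
    """Payload bytes per second: wire bytes/s scaled by payload/line length."""
    wire_bytes_per_s = baud / 10
    return wire_bytes_per_s * BYTES_PER_LINE / line_len


# Constructed sample: a stray prompt plus two lines of unpadded %x output.
SAMPLE = "dump> \r\n" "0 ff 1234abcd 80\r\n" "deadbeef 1 2 3\r\n"

if __name__ == "__main__":
    data = parse_dump_lines(SAMPLE)
    print(data.hex(), len(data), "bytes")
    print(f"{serial_dump_rate(115200):.0f} B/s at 115200 baud")
```

The 115200-baud figure the decoder yields (about 4982 B/s) is the ceiling; the 4.34k bytes/s observed in the thread is below it because the dump code's own call overhead is not included.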
I opened a PR (https://github.com/jclehner/bcm2-utils/pull/46). I have a couple of questions:
- Since dumping with serial is slow, is there a way to enable telnet console once again so I can dump with telnet console?
- When I dumped image2 with serial, it had lots of 0xFF bytes at the end. IIRC, when I dumped with telnet it didn't have those bytes. What's the reason for this?
- Can I send the dumped firmware back to the modem again? If so, how can I do that? I guess I have to stop with p and then use g) Download and run from RAM or d) Download and save to flash
I will appreciate it if you can share some pointers because I want to try modifying my firmware and upload it to my device.
Since dumping with serial is slow, is there a way to enable telnet console once again so I can dump with telnet console?
Does this device still allow downloading a GatewaySettings.bin file? If so, it's possible that it can be modified to re-enable telnet using bcm2cfg.
When I dumped image2 with serial, it had lots of 0xFF bytes at the end. IIRC, when I dumped with telnet it didn't have those bytes. What's the reason for this?
Probably the difference between running
$ bcm2dump dump <interface> flash image2 image2_with_ff.bin
and
$ bcm2dump dump <interface> flash image2,auto image2_without_ff.bin
The first command dumps the whole image2 partition, including any unused space, hence the 0xff bytes. The second command will check if there's an image header at the beginning of the partition, and if it's found, it'll only dump the actual image data.
Can I send the dumped firmware back to the modem again? If so, how can I do that? I guess I have to stop with p and then use g) Download and run from RAM or d) Download and save to flash
I will appreciate it if you can share some pointers because I want to try modifying my firmware and upload it to my device.
Yes, you can use both commands. For that to work, you'll have to set up a TFTP server on your computer, and then specify its IP address when you run either command. If you're experimenting, g) Download and run from RAM is the much safer alternative, as it's much harder to brick the device that way!
Sorry for the late replies!
Does this device still allow downloading a GatewaySettings.bin file? If so, it's possible that it can be modified to re-enable telnet using bcm2cfg.
Unfortunately, they disabled downloading the GatewaySettings.bin file from the admin console. They actually removed tons of stuff from the admin console. They even removed the diagnosis menu which had ping. I can still download the file thanks to the NVRAM dump and see the credentials. I guess it should be possible to write that file with a serial console but I am not sure. I saw this issue https://github.com/jclehner/bcm2-utils/issues/29 but not sure what's needed more to make it work.
Thanks once again for the replies. I have two firmware dumps. The old one and the new one. I will try to diff two files and try to find how they disabled the downloading and uploading settings files.