TG3442DE-Teardown
Were you able to dump the firmware?
I got a tg3442s/ce off eBay for about 12 EUR. Before attempting any hardware hacks, I wanted to know if you were able to dump the firmware?
Unfortunately not yet. I didn't find the time in the past months to make some progress. But I got a second PCB from eBay too. I planned to desolder the flash chip there and then reconstruct the traces and vias located around it. With this reconstruction it would hopefully be possible to dump the firmware directly from the flash.
I haven't searched for vulnerabilities in the network services and software yet. Maybe this could open another option to dump the firmware "over the air".
I was looking at a firmware with a higher version number (http://cmapp.ark.cablelynx.com/AR01.02.085_102620_711.NCS.10.7.NA.simg); looks like Vodafone hasn't got around to updating to it yet. You can extract it by running binwalk on it.
There are code exec vulnerabilities in dnsmasq that are unpatched, but I don't think there is a way to exploit them (https://kb.cert.org/vuls/id/434904).
BTW, make sure you connect the router to the cable network and get the firmware updated to the latest before desoldering the flash. Looks like they have fixed a bunch of command injection vulnerabilities in the latest firmware (by adding some annoying API limitations).
More firmware files: the ones for the tg3442de begin with ARXX. http://72.240.115.5/
Hello, in your hw review the SPI BIOS is missing: ~~MX25U3235FBAI-10G~~ (correction: MX25U1635FBAI-10G, sorry :P), "12-BALL BGA" (WLCSP). There is another missing component that converts the 1.8V TTL of the ATOM core console to 3.3V; it is a 2-bit logic converter, "SN74AVC2T245RSWR" (XQFN10).
The logic converter is some sort of UART interface, you think?
@arrobazo I didn't notice that you mentioned it's a console. Were you able to monitor anything on the console?
@madushan1000 It is only a logic converter; the modems do not come with it from the factory, I added it and soldered it. Its job is to convert the 1.8V of the CPU's ATOM UART output to 3.3V, but since that IC is not present there is no physical connection to the UART connector (which is also not present; it is a single-row SMT pin header). But there is no UART signal on either the ATOM or the ARM core! They are disabled from the BIOS (secure boot xD benefits). If you want to make an eMMC dump you only have to connect Data0, CMD, CLK, VCC (3.3V) and VCCQ (1.8V) (I could do a PS8211 pinout) and use a low-voltage SD breakout ("exploitee"), or also use an ISP eMMC programmer to access the boot0/boot1 partitions. You can also make a backup of the SPI, but beware that the logic levels are 1.8V; it is not tolerant of 3V. If you connect a programmer by soldering onto the PCB to read the SPI you will burn your CPU (if you want, I'll upload a pinout to solder onto the PCB without removing the SPI BGA).
Oh, thanks! I was confused. Did you manage to get a dump this way? If so, I'd appreciate a copy :) My soldering skills are almost nonexistent and the PS8211 pins are so tiny :/
Haha, if there are no problems, give me a moment and I'll upload the eMMC/BIOS backup. As for the soldering, hmm, it is the smallest package, smd201, haha, but it is not difficult, only soldering onto resistors and capacitors; you would only have to scrape Data0 at a through hole.
Update: backup links: https://mega.nz/file/cZAVVCzR#UIMpt-3HjXoZLEZDrR7fOmiXIcjc_VAQ_s2eTUaGQ_E
Thank you very much for the dump! Can you post hi-res picture(s) of your soldering so I can follow it?
@arrobazo yes, you are right. I missed the SPI BIOS (U17). Got some trouble with identifying those chips.
And also missing the logic converter (U12) ;)
Which hw-rev do you have?
I'm currently considering soldering the logic converter and the UART connector onto the board.
If this is done properly, would I be able to dump boot0/1 via UART?
I just soldered it at that time and then removed it. I have another one of these modems with the mod made, but it is different, a "DiagModem". The notable differences are that it does not have a fused CPU, it does not have secure boot, and the SPI is SOIC-8 and the NAND is TSOP-48, unlike the Vodafone ISP version, which are BGA. Let me upload pictures and draw a pinout.
Is the DiagModem the retail TG3442? Or is it from a different ISP? I would love to get my hands on one of those. Vodafone likes to lock things down too much :/
@nox-x The SPI does not need a converter; the 1.8V logic connection comes directly from the CPU. You only need a 1.8V SPI programmer to avoid burning your CPU. As for the 2-bit UART logic converter IC, I only soldered it for entertainment; there are no active UART outputs, they are disabled from the BIOS by secure boot. You can dump all of your eMMC from USB, but you would need access to the ATOM core as root.
Oh wow, nice find! BTW, I extracted the dump and the firmware version is quite old, but it has the nvram (ext4) partitions, so it's very helpful nevertheless!
I am not in Germany, so my modem cannot be updated by Vodafone xD. I have the diag version updated, as root; there are no problems :P There you can play without involving secure boot 🤫
Ha ha, if I can root my router, I'll probably be able to download the latest firmware file from Vodafone. There is a command injection vulnerability (which I cannot find no matter how long I stare at the code :/) that somebody found (https://forum.level1techs.com/t/success-command-injection-possible/163881/), but they're waiting for Vodafone to fix the issue before they disclose it. In any case, you might be able to flash the generic firmware updates from Arris, because it looks like all of them share the same firmware image. (Look here: https://bt4g.piracyproxy.cc/magnet/30f31ab64d8b3153fd1f85c2e1232055600d42ea and here: http://cmapp.ark.cablelynx.com/)
The eMMC accepts 3V, but I do not recommend it; better to use a low-voltage 1.8V SD breakout ("exploitee"). You can also remove R19 (0 ohms) on CLK and use them to power the modem with 12V; the CPU will not start and you will not need to power the Phison. I recommend using 0.1mm thin enameled wires (only with an eMMC ISP programmer can you access boot0/1; a compatible 1-bit SD reader does not have access to those partitions).
https://user-images.githubusercontent.com/21269675/124634270-8682ab00-de5c-11eb-9e47-c3eb0b975c18.mp4
Also, thanks for the pictures! Going to be very helpful :) Any chance you looked at the cga4233de (the other Vodafone Station, based on a Broadcom DOCSIS 3.1 chip) too?
Nope... I do not have the Vodafone brand; I have the cga4233-STO from Technicolor, which is the same. They are BCM3390, SPI and NAND, BGA24 6x4, BGA63 4G (512MB), the same hardware as the Vodafone brand. I think that if you upload some photos I could confirm it, but the one that I have is the same PCB cut as Vodafone's.
I backed it up a while ago: https://mega.nz/file/4BYnlIiR#ykZ6Pn_4Xp_hPYLrFwKERYyfFj5wRjDafEA4QzerX-I
I didn't remove the cover yet (pain in the ass to do because it's glued :/). I'll upload some pictures when I do! Thanks for the dump again, you're a godsend :D
Oh, I wonder what they're paying for. I guess to lock the firmware down some more :/
BTW, I think the cga4233 dump might actually be encrypted. Weird.
I remember that a friend mentioned to me that this algorithm is known as BCMNAND, and I think it is open source, so it must be publicly documented somewhere; the goal of this algorithm is to reduce wear on the NAND... I think.
Both the main operating system (Linux, BCM manager) and the CM operating system (eCos) are stored on the NAND. The SPI stores NVRAM and DTB parameters; the DTB is the branch of the device tree, it is for customizing the Linux kernel without recompiling.
Interesting! I was able to extract the SPI (they were in a ton of JFFS file system volumes for some reason). I'll look into bcmnand; wonder if I can build it as a module for my x86 kernel and use nandsim to extract the files. Thanks for the info.
Hi. `bcmnand` is just a NAND controller driver that's used on this device, but that has got nothing to do with the dump not being readable.
The dump actually contains `0x40000` pages of `2048 + 64` bytes, the 64 bytes being the NAND's OOB data. Additionally, there seems to be an endianness issue, as the first 4 bytes of the dump should read `UBI#` instead of `#IBU`.
To convert this to a readable dump, read the file in blocks of `2048 + 64`, byte-swap each 32-bit value, then write only the first `2048` bytes of every block to the output file. The dump still appears to be corrupted, as `ubiattach` bails out with an error when using `nandsim`, but I was able to extract at least some files using `ubireader_extract_files -w` (from ubi-reader).
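A worked conversion following the layout described in the comment above, as an added example that is not code from this thread or from any of its participants. It assumes exactly what the comment states (2048-byte pages each followed by 64 OOB bytes, every 32-bit word byte-swapped), discards the OOB bytes instead of using them for ECC (so bit errors survive, which matches the "still corrupted" observation), and builds its own constructed sample input so it can run offline; the `--check` magic test is only a sanity check, not a UBI parser.

```python
"""Convert a raw NAND dump (page data + OOB, 32-bit byte-swapped) into a
plain image that UBI tools can be pointed at.

Layout assumed (from the thread): each page is 2048 data bytes + 64 OOB
bytes, and every 32-bit word is stored with its bytes reversed.  The OOB
area is dropped; no ECC correction is attempted.
"""
import struct
import sys

PAGE_SIZE = 2048            # usable data bytes per NAND page
OOB_SIZE = 64               # spare/OOB bytes appended to each page
RAW_PAGE = PAGE_SIZE + OOB_SIZE
UBI_EC_MAGIC = b"UBI#"      # magic of a UBI erase-counter header


def swap32(buf: bytes) -> bytes:
    """Reverse the byte order of every 32-bit word in buf (len % 4 == 0)."""
    if len(buf) % 4:
        raise ValueError("buffer length must be a multiple of 4")
    n = len(buf) // 4
    words = struct.unpack(">%dI" % n, buf)     # read as big-endian words
    return struct.pack("<%dI" % n, *words)     # write them little-endian


def convert_dump(raw: bytes) -> bytes:
    """Strip the 64 OOB bytes from each page and fix the word endianness."""
    if len(raw) % RAW_PAGE:
        raise ValueError("dump size %d is not a multiple of %d"
                         % (len(raw), RAW_PAGE))
    out = bytearray()
    for off in range(0, len(raw), RAW_PAGE):
        page = raw[off:off + PAGE_SIZE]        # keep data, drop trailing OOB
        out += swap32(page)
    return bytes(out)


def looks_like_ubi(image: bytes) -> bool:
    """Cheap sanity check: a UBI image starts with an EC header magic."""
    return image[:4] == UBI_EC_MAGIC


def plain_page(i: int) -> bytes:
    """Constructed expected content of page i after conversion (test data)."""
    if i == 0:
        body = UBI_EC_MAGIC + b" erase-counter header would follow"
    else:
        body = b"page %d payload" % i
    return body.ljust(PAGE_SIZE, b"\x00")


def make_sample_dump(pages: int = 3) -> bytes:
    """Constructed raw dump (not a real NAND image): each page is the
    byte-swapped plain page followed by 64 bytes of 0xFF OOB, mimicking the
    on-flash layout described in the thread."""
    raw = bytearray()
    for i in range(pages):
        raw += swap32(plain_page(i)) + b"\xff" * OOB_SIZE
    return bytes(raw)


if __name__ == "__main__":
    # Usage: python nand_convert.py raw_dump.bin out.img
    if len(sys.argv) != 3:
        sys.exit("usage: %s <raw_dump> <output_image>" % sys.argv[0])
    with open(sys.argv[1], "rb") as f:
        raw_data = f.read()
    image = convert_dump(raw_data)
    with open(sys.argv[2], "wb") as f:
        f.write(image)
    print("wrote %d bytes (%d pages), UBI magic %s"
          % (len(image), len(image) // PAGE_SIZE,
             "found" if looks_like_ubi(image) else "NOT found"))
```

The resulting image can then be fed to `nandsim`/`ubiattach` or to `ubireader_extract_files`; because the OOB (and therefore the ECC) is thrown away, pages with uncorrected bit flips stay corrupted in the output, which is consistent with `ubiattach` failing while a partial extraction still works.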
@jclehner I was able to extract some files this way too, thanks for the help! I guess the UBIFS volumes are somewhat corrupted because we don't perform error correction? But I think I have enough to look for a way in :)
@arrobazo Do you still have the cga4233-STO dump? The Mega link is broken.
https://www.mediafire.com/file/vhwdgsdmn7w6dy0/CGA4233STO.7z/file
Mediafire says "The key you provided for file access was invalid"