ozwaldorf
Get a NAND dump
You should be able to do that using dd on the block device once you get a root shell.
My bus pirate is delivered today, I might just dump from the chip directly
@Brandonv101 no, haven't gotten a chance to look at it. Also, do you know which chip specifically is the NAND chip?
@The5heepDev Not really. I need to see some internal pictures first to tell. I just got my 5th gateway as my old one just gave up after I tried to get a NAND dump via SSH. I think that the HAN port might be a UART but I can't confirm.
@Brandonv101 I tried looking into the HAN port as a UART, didn't have much luck - I wasn't very thorough, though. The cpu is definitely trying to open up 4 UART interfaces tho
@The5heepDev If I had another G1100 I could open it up and see. Although where these UART interfaces lead I have no idea. If we can only get access to the UART then we will probably have some luck.
There is an internal UART but it isn't really useful for anything other than viewing boot logs without a signed RSA token(which can probably only be created by greenwave and is device specific) attacked via USB or activation via the tr-69 backdoor(which is kinda pointless since you would have ssh access at that point anyways).
@jameshilliard I think I am going to try SSH again and see if I can get it working. Not sure if this matters or not but can I run GenieACS in a VM instead of on an actual machine because for some reason when I run it in a VM (VMWare Fusion) the router only pulls the TR-069 programming once and disconnects.
I am using a passthrough to allow the VM to get access to the ethernet port but on a different IP.
@The5heepDev Is there a pre-made genieACS VM that I can get? That will help me speed up the process of getting a NAND dump.
@Brandonv101 not sure, I know there is a docker you can use though https://hub.docker.com/r/thebinary/genieacs/