
SurfBeam 2 firmware

da_nikto

Member
There was a bug like that (in thttpd) related to file access. It is of zero use. In the modem cli_enable=0. Although if you work out that hash, it will be easier.
 

old_inj

New Member
I've fallen ill and have to put the active "research" on hold for now. But this might come in handy?


 

BSAsec

New Member
Any news in this topic? It would be really useful if someone would share details, e.g. how "root:$1$aA4zAvuc$NZjA7t5E4lHBQA1URzCGn.:0:0:root:/root:/bin/sh" or the config file was obtained. I got one modem from the Spanish market and it seems that u-boot cannot be interrupted (or I've incorrectly connected TTL-TX). I've scanned all the IPs in 10.0.0.0/8 and 192.168.0.0/8; no additional IPs were identified when the modem was not linked to the satellite. My plan is that after discovering how to dump the firmware (u-boot?) without extracting it from the flash chip (S29GL256P90TFCR2), I will let the modem link with the satellite so a new firmware update should be downloaded (DOCSIS 1.0/2) and later compare it with the old one. I'm able to acquire 2-3 additional modems for the purpose of this research.

I've tried a long list from DirBuster plus a "viasat specific" wordlist to guess the endpoints, and also used different FuzzDB lists to fuzz the parameters, but nothing interesting was discovered.
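Editor's added example, not code from any post in this thread. Both the hash quoted in the post above and the earlier remark that "if you work out that hash it will be easier" refer to the same thing: the `$1$` prefix marks an md5crypt hash, with an 8-character salt (`aA4zAvuc`) and a 22-character digest. The block parses that passwd line, implements md5crypt with `hashlib` only (so it runs where the deprecated `crypt` module is gone), and checks candidates in constant time. The candidate words at the bottom are constructed placeholders and are not claimed to be the real password.

```python
"""Parse a passwd line and check candidate passwords against its md5crypt hash.

Added example, not code from any post in this thread. Implements the
md5crypt ("$1$") scheme with hashlib only. POSTED_LINE is the line quoted
in the thread; the candidate words are constructed and not known to match.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"
POSTED_LINE = "root:$1$aA4zAvuc$NZjA7t5E4lHBQA1URzCGn.:0:0:root:/root:/bin/sh"


def parse_crypt_field(field):
    """'$1$salt$hash' -> dict; rejects anything that is not modular-crypt."""
    if not field.startswith("$"):
        raise ValueError("not a modular-crypt hash: %r" % field)
    _, scheme, salt, digest = field.split("$", 3)
    return {"scheme": scheme, "salt": salt, "hash": digest, "full": field}


def parse_passwd_line(line):
    """passwd/shadow style line -> user plus the parsed crypt field."""
    user, field = line.split(":", 2)[:2]
    info = parse_crypt_field(field)
    info["user"] = user
    return info


def _to64(value, count):
    """md5crypt's little-endian base64 variant (count output characters)."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Return '$1$salt$hash' for password and salt (str or bytes)."""
    pw = password.encode() if isinstance(password, str) else password
    salt = salt.encode() if isinstance(salt, str) else salt
    salt = salt[:8]                       # at most 8 salt characters are used

    ctx = hashlib.md5(pw + MAGIC + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for i in range(len(pw), 0, -16):      # one alt byte per password byte
        ctx.update(alt[:min(16, i)])
    i = len(pw)                           # the bit-walk over len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                 # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return (MAGIC + salt).decode() + "$" + encoded


def verify(candidate, full_hash):
    """Constant-time check of one candidate against a '$1$...' hash."""
    info = parse_crypt_field(full_hash)
    if info["scheme"] != "1":
        raise ValueError("only md5crypt ($1$) is handled here")
    return hmac.compare_digest(md5crypt(candidate, info["salt"]), full_hash)


def crack(full_hash, wordlist):
    """Offline dictionary check; returns the first matching word or None."""
    for word in wordlist:
        if verify(word, full_hash):
            return word
    return None


if __name__ == "__main__":
    info = parse_passwd_line(POSTED_LINE)
    print("user=%s scheme=$%s$ salt=%s hash=%s"
          % (info["user"], info["scheme"], info["salt"], info["hash"]))
    # constructed wordlist; nothing in it is known to be the real password
    print("match:", crack(info["full"], ["admin", "password", "viasat", "root"]))
```

md5crypt has no cost parameter (1000 rounds, fixed), so a root hash lifted from a firmware image is a realistic offline target for hashcat mode 500; the same parser tells you the scheme before you pick a mode.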
 


BSAsec

New Member
OK, I've managed to trace back the JTAG pins and added the R519 jumper to bridge them to the J21 header.

J21 Header:
[TCK][GND]
[TMS][GND]
[TDO][GND]
[TDI][GND]
[RST_L?][GND]

Does RST have to be connected to make (E)JTAG work?

I'm using OpenOCD and a Raspberry Pi 1's GPIO as the JTAG adapter while waiting for a CJMCU-FT232H; however, I'm still struggling with my lack of skills in this area. Any tips related to the chip/CPU configuration are more than welcome.
 


BSAsec

New Member
Gentlemen,
I hope you are enjoying the summer.
I did not make as nice progress as @da_nikto, who has already extracted the firmware from the modem. I've just ordered a 2nd modem and 2 antennas with TRIAs for this research. Currently I'm struggling with the EJTAG connection and the correct OpenOCD configuration:

(e)JTAG HARDWARE running @ Raspi:
I got a BusBlaster v3 as an (E)JTAG adapter for MIPS
Bash:
[    3.212926] usb 1-1.3: new high-speed USB device number 4 using dwc_otg
[    3.357074] usb 1-1.3: New USB device found, idVendor=0403, idProduct=7780
[    3.367165] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[    3.377545] usb 1-1.3: Product: BUSBLASTERv3c
[    3.384914] usb 1-1.3: Manufacturer: FTDI
[    3.391844] usb 1-1.3: SerialNumber: <redacted>
Bash:
root@BSApi:~# cat /etc/udev/rules.d/90-busblaster.rules
ATTRS{idProduct}=="6010", ATTRS{idVendor}=="0403", MODE="0666"
ATTRS{idProduct}=="7780", ATTRS{idVendor}=="0403", MODE="0666"
ATTRS{idProduct}=="6014", ATTRS{idVendor}=="0403", MODE="0666"
Software:
I'm using OpenOCD
Open On-Chip Debugger 0.10.0+dev-00414-gcdf1e826 (2018-07-09-19:04)
Compiled with FTDI options...

Vendor cn5020 documentation:
This CPU is supposed to be identified as:





● Version = 0 (Identifies the version of a specific device)
● Part Number = 0xB00 (Identifies the part number of a specific device)
● ManufID = 0x1CC


OpenOCD Config:

Bash:
root@BSApi:~/workspace/ViaSat# cat dp3_busblaster.cfg
#debug_level 3
interface ftdi
#interface usb_blaster
ftdi_device_desc "BUSBLASTERv3c"
ftdi_vid_pid 0x0403 0x7780
ftdi_layout_init 0x0c08 0x0f1b
ftdi_layout_signal nTRST -data 0x0100 -noe 0x0400
ftdi_layout_signal nSRST -data 0x0200 -noe 0x0800
adapter_khz 2000
ftdi_channel 0
transport select jtag
if { [info exists CHIPNAME] } {
   set _CHIPNAME $CHIPNAME
} else {
   set _CHIPNAME cn5020plus
}
if { [info exists ENDIAN] } {
   set _ENDIAN $ENDIAN
} else {
   set _ENDIAN big
}
if { [info exists CPUTAPID] } {
   set _CPUTAPID $CPUTAPID
} else {
   set _CPUTAPID 0xB00
}
jtag_ntrst_assert_width 200
jtag_ntrst_delay 1
reset_config trst_only
jtag newtap $_CHIPNAME cpu -irlen 5 -ircapture 0x1 -irmask 0x1f -expected-id $_CPUTAPID
set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME mips_m4k -endian $_ENDIAN -chain-position $_TARGETNAME
I know... the config is looking for a different CPUID, but this shouldn't be a blocker...


While the modem is fully powered and booted, I'm using OpenOCD to connect to EJTAG and I'm getting the following output:
OpenOCD Output:

Bash:
root@BSApi:~/workspace/ViaSat# openocd -f dp3_busblaster.cfg
Open On-Chip Debugger 0.10.0+dev-00414-gcdf1e826 (2018-07-09-19:04)
Licensed under GNU GPL v2
For bug reports, read
        http://openocd.org/doc/doxygen/bugs.html
adapter speed: 2000 kHz
jtag_ntrst_assert_width: 200
jtag_ntrst_delay: 1
trst_only separate trst_push_pull
cn5020plus.cpu
Info : Listening on port 6666 for tcl connections
Info : Listening on port 4444 for telnet connections
Info : clock speed 2000 kHz
Info : JTAG tap: cn5020plus.cpu tap/device found: 0x020f40dd (mfg: 0x06e (Altera), part: 0x20f4, ver: 0x0)
Warn : JTAG tap: cn5020plus.cpu       UNEXPECTED: 0x020f40dd (mfg: 0x06e (Altera), part: 0x20f4, ver: 0x0)
Error: JTAG tap: cn5020plus.cpu  expected 1 of 1: 0x00000b00 (mfg: 0x580 (<invalid>), part: 0x0000, ver: 0x0)
Error: Trying to use configured scan chain anyway...
Error: cn5020plus.cpu: IR capture error; saw 0x15 not 0x01
Warn : Bypassing JTAG setup events due to errors
Error: isa info not available, failed to read cp0 config register: 0
Info : Listening on port 3333 for gdb connections
Error: isa info not available, failed to read cp0 config register: 0
target halted in MIPS32 mode due to undefined, pc: 0x00000000
Error: isa info not available, failed to read cp0 config register: 0
target halted in MIPS32 mode due to undefined, pc: 0x00000000
Error: isa info not available, failed to read cp0 config register: 0
target halted in MIPS32 mode due to undefined, pc: 0x00000000

Telnet ....
> reset
JTAG scan chain interrogation failed: all ones
Check JTAG interface, timings, target power, etc.
Trying to use configured scan chain anyway...
cn5020plus.cpu: IR capture error; saw 0x1f not 0x01
Bypassing JTAG setup events due to errors
isa info not available, failed to read cp0 config register: 0
target halted in MIPS32 mode due to undefined, pc: 0x00000000
Correct me if I'm wrong, but:
I guess that mfg: 0x06e (Altera) might be related to the Altera Cyclone III EP3C40F324C8N J CBBA51043A FPGA on the board....
I don't see anything like (mfg: 0x1cc (Cavium Networks), part: 0x0b00, ver: 0x1).

On the modem board I've connected only eTDO to the J21 header by bridging the R519 jumper:

My assumption is that besides selecting EJTAG vs. JTAG using the R519 or R539 bridge, all other JTAG connections like TDI, TMS, TCK are directly accessible over J21.
Please note that E-TRST_L is not connected to J21; only TRST_L is accessible there, and I've kept it floating.


Question:
- Is my assumption correct that it is sufficient to select EJTAG by bridging R519?
- Is the connection to AD21: TRST_L or AF22: E-TRST_L really optional, and should it not affect detection of the MIPS CPU?



- Should EJTAG be accessible when the modem is fully booted, or should I implement it in the config using an EJTAG adapter and E-TRST_L?
- @da_nikto mentioned something about trouble halting the 2nd core of the CPU (I'm not even at this stage yet), but I guess that even without this I should be able to detect the CPUID.

Cheers!
PS. You can reach me via qTox and others (just DM).
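Editor's added example, not code from any post in the thread. Two of the questions above can be settled by arithmetic on the numbers OpenOCD printed. IEEE 1149.1 packs an IDCODE as [31:28] version, [27:12] part number, [11:1] manufacturer and bit 0 always 1, and OpenOCD's `-expected-id` takes that whole 32-bit word. The config's `0xB00` is the bare part number, which is why OpenOCD decoded it as mfg 0x580 "<invalid>" with part 0x0000; the datasheet fields (version 0, part 0xB00, manufacturer 0x1CC) compose to 0x00B00399. The one TAP actually found, 0x020f40dd, decodes to manufacturer 0x06e (Altera) and part 0x20f4, consistent with the poster's guess that it is the Cyclone III; the "all ones" result after `reset` means no TAP drove TDO at all. Until a second IDCODE appears on the chain there is nothing for a `mips_m4k` target to attach to, whatever the expected id is set to.

```python
"""Check JTAG IDCODE values the way OpenOCD reports them.

Added example, not code from any post. The constants are the numbers from
the OpenOCD session and the cn5020 documentation quoted above.
IDCODE layout (IEEE 1149.1):
    [31:28] version  [27:12] part number  [11:1] manufacturer  [0] = 1
"""

DETECTED = 0x020F40DD           # "tap/device found" in the log
CONFIGURED_EXPECTED = 0xB00     # -expected-id in dp3_busblaster.cfg
DS_VERSION, DS_PART, DS_MFG = 0x0, 0xB00, 0x1CC   # cn5020 datasheet fields


def decode_idcode(idcode):
    """Split a 32-bit IDCODE into its fields; lsb must be 1 to be legal."""
    idcode &= 0xFFFFFFFF
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "mfg": (idcode >> 1) & 0x7FF,
        "lsb": idcode & 1,
        "all_ones": idcode == 0xFFFFFFFF,
    }


def compose_idcode(version, part, mfg):
    """Build the IDCODE a datasheet's version/part/manufacturer fields imply."""
    return ((version & 0xF) << 28) | ((part & 0xFFFF) << 12) | ((mfg & 0x7FF) << 1) | 1


def jep106_split(mfg):
    """11-bit manufacturer field -> (JEP106 bank, 7-bit code without parity)."""
    return (mfg >> 7) + 1, mfg & 0x7F


def ir_capture_ok(seen, irlen):
    """Capture-IR must shift out ...01 in the two least significant bits."""
    seen &= (1 << irlen) - 1
    return (seen & 0b11) == 0b01


def explain(idcode):
    """One-line verdict on an IDCODE, in OpenOCD's own vocabulary."""
    d = decode_idcode(idcode)
    if d["all_ones"]:
        return "0x%08x: all ones, no TAP drove TDO (wiring, power, reset, clock)" % idcode
    bank, code = jep106_split(d["mfg"])
    notes = []
    if not d["lsb"]:
        notes.append("bit 0 is 0, so this is not a legal IDCODE (a bare part number?)")
    if code in (0x00, 0x7F):   # reserved JEP106 codes, never assigned to a vendor
        notes.append("JEP106 code 0x%02x is reserved, so mfg 0x%03x is <invalid>" % (code, d["mfg"]))
    verdict = "0x%08x: mfg 0x%03x (bank %d code 0x%02x), part 0x%04x, ver 0x%x" % (
        idcode, d["mfg"], bank, code, d["part"], d["version"])
    return verdict + ("; " + "; ".join(notes) if notes else "")


if __name__ == "__main__":
    print(explain(DETECTED))
    print(explain(CONFIGURED_EXPECTED))
    print("datasheet fields compose to 0x%08x" % compose_idcode(DS_VERSION, DS_PART, DS_MFG))
    print(explain(0xFFFFFFFF))
    print("IR capture 0x15 with irlen 5 legal:", ir_capture_ok(0x15, 5))
    print("IR capture 0x1f with irlen 5 legal:", ir_capture_ok(0x1F, 5))
```

The `ir_capture_ok` check mirrors the two IR capture errors in the log: 0x15 ends in 01 (some TAP is alive and shifting, just not a 5-bit one declared the way the config says), while 0x1f is all ones (nothing answered).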
 

BSAsec

New Member
Just to share some info related to filesystem structure:
SPANSION/S29GL256P Flash:
Bank # 1: CFI conformant FLASH (16 x 16) Size: 32 MB in 256 Sectors
AMD Standard command set, Manufacturer ID: 0x01, Device ID: 0x227E
Erase timeout: 4096 ms, write timeout: 1 ms
Buffer write timeout: 3 ms, buffer size: 64 bytes

Bootbus flash: Setting flash for 32MB flash at 0x1dc00000
phys_mapped_flash: Found 1 x16 devices at 0x0 in 16-bit bank
Amd/Fujitsu Extended Query Table at 0x0040
phys_mapped_flash: CFI does not contain boot bank location. Assuming top.
number of CFI chips: 1

U-Boot config:
flashstart = 0xBDC00000
flashsize = 0x02000000
flashoffset = 0x00000000
uboot_flash_size=50000
flash_unused_addr=bdc50000
flash_unused_size=1fae000

Bootbus flash: Setting flash for 32MB flash at 0x1dc00000

mtdparts=phys_mapped_flash:512k(uboot),14m(SWImage0),14m(SWImage1),128k(certs),3328k(jffs2),-(root)

6 cmdlinepart partitions found on MTD device phys_mapped_flash
Creating 6 MTD partitions on "phys_mapped_flash":
0x00000000-0x00080000 : "uboot"
0x00080000-0x00e80000 : "SWImage0"
0x00e80000-0x01c80000 : "SWImage1"
0x01c80000-0x01ca0000 : "certs"
0x01ca0000-0x01fe0000 : "jffs2"
0x01fe0000-0x02000000 : "root"

OS Layer:
Linux version 2.6.21_mvlcge510-octeon-mips64_octeon_v2_be (sbradshaw@vcalfutd03) (gcc version 4.2.0 (MontaVista 4.2.0-16.0.58.0903352 2009-10-04)) #1 SMP PREEMPT RT Thu Jan 16 08:05:54 PST 2014

Octeon cn3010_lf_p1# printenv
boot_args=coremask=3 console=ttyS0,115200 mem=268435456
bootdelay=3
cli_enable=1
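Editor's added example, not code from any post. The `mtdparts=` string and the kernel's partition table above are the same information in two forms; once a 32 MiB dump of the S29GL256P exists, the string is enough to carve it. The block parses the cmdlinepart syntax (`<size>[@<offset>](<name>)[ro][lk]`, with `-` for the remainder), reproduces the kernel's table, and slices a dump into named partitions. It also converts U-Boot's `flashstart` 0xBDC00000 to the physical 0x1dc00000 the log prints (MIPS KSEG1 is the physical address plus 0xA0000000). The dump carved at the bottom is a constructed all-zero image so the code runs offline.

```python
"""Parse a Linux mtdparts= string and carve a flash dump into its partitions.

Added example, not code from any post. MTDPARTS and the flash geometry are
the values quoted in the thread; the dump carved in __main__ is a constructed
all-zero 32 MiB image, not a real flash read.
"""
import re

FLASH_SIZE = 0x02000000          # 32 MiB S29GL256P, per the CFI probe
FLASH_KSEG1 = 0xBDC00000         # U-Boot flashstart
MTDPARTS = ("phys_mapped_flash:512k(uboot),14m(SWImage0),14m(SWImage1),"
            "128k(certs),3328k(jffs2),-(root)")

_MULT = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}
_PART_RE = re.compile(r"(-|\d+[kmgKMG]?)(?:@(\d+[kmgKMG]?))?\(([^)]*)\)((?:ro|lk)*)")


def kseg1_to_phys(addr):
    """MIPS KSEG1 (uncached, 0xA0000000-0xBFFFFFFF) virtual -> physical."""
    return addr & 0x1FFFFFFF


def _to_bytes(text):
    """'512k' / '14m' / '4096' -> byte count (cmdlinepart size syntax)."""
    m = re.fullmatch(r"(\d+)([kmgKMG]?)", text)
    if not m:
        raise ValueError("bad size: %r" % text)
    return int(m.group(1)) * _MULT[m.group(2).lower()]


def parse_mtdparts(spec, flash_size):
    """'dev:<size>[@<off>](<name>)[ro][lk],...' -> (dev, [partition dicts]).

    Partitions follow one another unless an explicit @offset is given;
    '-' takes the remainder of the device. Raises if one runs past the end.
    """
    device, _, parts = spec.partition(":")
    result, cursor = [], 0
    for item in parts.split(","):
        m = _PART_RE.fullmatch(item)
        if not m:
            raise ValueError("bad partition spec: %r" % item)
        size_txt, off_txt, name, flags = m.groups()
        offset = _to_bytes(off_txt) if off_txt else cursor
        size = flash_size - offset if size_txt == "-" else _to_bytes(size_txt)
        if offset + size > flash_size:
            raise ValueError("%s runs past the end of flash" % name)
        result.append({"name": name, "offset": offset, "size": size, "flags": flags,
                       "phys": kseg1_to_phys(FLASH_KSEG1) + offset})
        cursor = offset + size
    return device, result


def format_table(parts):
    """Render the layout the way the kernel's cmdlinepart log prints it."""
    return ['0x%08x-0x%08x : "%s"' % (p["offset"], p["offset"] + p["size"], p["name"])
            for p in parts]


def carve(dump, parts):
    """Slice a raw flash dump into {name: bytes} using the parsed layout."""
    if len(dump) < max(p["offset"] + p["size"] for p in parts):
        raise ValueError("dump is shorter than the partition layout")
    return {p["name"]: dump[p["offset"]:p["offset"] + p["size"]] for p in parts}


if __name__ == "__main__":
    dev, parts = parse_mtdparts(MTDPARTS, FLASH_SIZE)
    print('Creating %d MTD partitions on "%s":' % (len(parts), dev))
    for line in format_table(parts):
        print(line)
    dump = bytes(FLASH_SIZE)             # constructed all-zero image, not a real dump
    for name, blob in carve(dump, parts).items():
        print("%-9s %8d bytes at phys 0x%08x" % (name, len(blob),
                                                  next(p for p in parts if p["name"] == name)["phys"]))
```

Two things worth noticing in the layout once it is parsed: there are two 14 MiB software slots (SWImage0/SWImage1, an A/B update scheme), and `certs` is a separate 128 KiB region, so an image comparison between the old firmware and a freshly downloaded one should be done per partition rather than on the whole 32 MiB blob.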
 

da_nikto

Member
In short, everything works ;) iodine brings up a tunnel in no time. There's just one nuance with the MAC ;).
 

BSAsec

New Member
You did a DNS tunnel over this link? As far as I know and have checked with SkyDSL and ViaSat, they are blocking DNS tunneling. PS. I've got 3 modems and 3 dishes with TRIAs if you want to check some inter-modem communication. Maybe there is a way to create a p2p connection between modems and use 1 endpoint to access the internet.
 

BSAsec

New Member
IMHO if you want to "inject" packets that are supposed to reach another modem (DOCSIS-linked but without Internet service) you should generate your own packets at a higher level:




I really doubt that you can tunnel via DNS if your modem is not registered into service...
 

BSAsec

New Member



Packets transmitted from a terminal and received at a modem unit may be:
1) routed back through a same beam without being forwarded along a bus to another modem unit or to the router unit,
2) routed back through a different beam by forwarding along the bus to another modem unit without passing through the router unit, or <-- P2P Satlink between EU to Russia?
3) routed back through a same or different beam (e.g., an ISL or a ground directed beam) by forwarding through the router unit.

The lookup may, however, determine that the data packet is destined for one of a second group of ground terminals communicating with a second modem unit on the satellite via a second beam. If so, the data packet may be retrieved and forwarded from the first modem unit to the second modem unit via bus for an additional lookup.

The NCC receives routing information from a number of terminals (Router Table Injection?) via a satellite. The NCC may build a master routing table setting forth routing paths through each modem unit on the satellite. The NCC may distribute relevant portions of the master routing table to particular modem units on the satellite, and to respective terminals. A routing unit onboard the satellite may build its routing table from information in each modem unit.

Or you can spoof control messages
A network management (NetMan) module may route control messages within the system (e.g., between an NCC , satellite , and the terminals ). For example, the NCC may send bulletin board and configuration data to all terminals, and may also send incremental ADD burst or DELETE burst messages to each terminal to set the transmit and receive burst time plan.
 

BSAsec

New Member
It would be so awesome to get the datasheet of the ViaSat 1087744 IC... Together with the FPGA it handles TX/RX of the RF. For a company like ViaSat it makes sense to make its own chips with the MAC / modem serial number burned in during the manufacturing process. On the other hand, u-boot has some parameters where you can set it. If there is a soft MAC, the best chance is to find it in the FPGA bitstream. What do you think?


The satellite earth station includes a host processor for receiving data packets from the data network and processing DOCSIS management packets, a DOCSIS MAC coupled to the host processor for encrypting the transmit packet data from the host memory, framing data in MAC headers and inserting MAC timestamps in the transmit packet data, a satellite modulator coupled to the DOCSIS MAC for modulating the encrypted transmit packet data to generate downstream output data for transmission to at least one of the plurality of satellite modems, a burst demodulator for demodulating upstream data received from at least one of the plurality of satellite modems, and a turbo decoder coupled to the burst demodulator and the DOCSIS MAC for turbo decoding the demodulated data from the burst demodulator and sending the decoded data to the DOCSIS MAC.
 

da_nikto

Member
Everything works there like a charm.... the dream of an almost infinite space freebie has come true.
 

BSAsec

New Member
That means what? You are tunneling traffic via their ground station and back to the modem?
Which bird (the "space freebie") are you pointing at? Let's check if you can ping my modem located in Europe and access ports opened on the modem itself.
PM me to get details of my IP and MAC.
 