PDA

Ver la versión completa : USB & Serial Diagnostic Ports - UART/RS232/TTL



TITOMAN357
03/08/2010, 18:15
Bueno Leyendo en un foro Gringo "SBHacker" me encontre esta infomacion.

Yo se que algun Genio que hay Aqui Podra darle Seguimiento a esto....

Perdon porque no esta en el idioma de Cervantes!!!
caso curioso se me vino a la mente esto, y decidi postearlo aqui....
La Informacion es para todos...

Serial-only device hack


aSmig's
Posted 04 October 2009 - 09:39 AM

Unlock the serial interface without JTAG or any custom firmware





This may be handy for people who don't have or feel like putting together a JTAG interface.
Works on SB5101 and probably other BCM3349 based devices.

I was trying different baud rates to play with my newly added serial connector and found
less than friendly silence at 115200. Interestingly, the stock firmware and bootloader
does respond to a keypress or two at 9600. However, the response is garbage, clearly
at a different baud. If you start at 9600, hit enter a couple times and then quickly
switch to 115200, you get an interactive shell with the scan log output spam.
This only lasts for about 20 seconds, then the watchdog expires and the port goes
silent once again.
But in that 20 second window, you can issue commands like
cd /docsis & scan_stop to quiet down the console.
This is also plenty of time to disable the watchdog with
write_memory -s 4 0xfffe0224 0x0 and then you get to keep the shell.
Here is a simple bash script for the Linux folks to unlock stock SB5101 serial console
using screen:

serial-shell.sh:

#!/bin/sh
DEV=/dev/ttyUSB0 # Set this to your serial device
# If you don't get anything after several seconds, kill screen and run the script again.
TF=`tempfile`
cat <<EOF > $TF
register [ " "
paste [
register ] "write_memory -s 4 0xfffe0224 0x0\015cd /docsis\015scan_stop\015cd ..\015"
exec ! stty 115200
EOF

{
sleep 2
screen -X -S SB5101 source $TF
sleep 2
screen -X -S SB5101 paste ]
rm $TF
} &
screen -S SB5101 -fn $DEV 19200



I suppose everyone knows this, but from here you can load firmware etc.
No need for JTAG or the noisy botloader. Assuming you have DHCP on your network,
and a tftp server running on 192.168.10.210:

cd d
ip_init dhcp
dload -i1 -l -f 192.168.10.210 haxorware11rev38-DIAG.bin



If you don't have DHCP,
you will need to set your computer IP address to 10.10.10.210/255.255.255.0
or similar and start the tftp server, then:

cd d
ip_init
dload -i1 -l -f 10.10.10.210 haxorware11rev38-DIAG.bin



Wait a minute or two for the transfer & write to complete.
The SB5101 will reset itself when done. I didn't get any console output on
the first reset,
but power cycled it and then the console was open with Haxorware running happily.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

dabyd64's
Posted 26 March 2010 - 11:19 AM

I have a webstar 2100, to try if it works with other bcm3349 modems (sb5101, tcm425)
y flashed it with other firmwares.
I tried this, all with locked bootloader and firmware.
With sb5101 firmware, the frequency scan showed up and could write the memory to disable
the watchdog.
With TCM425 firmware, the frequency scan showed in the console, but no way to write.
Even typing the commands didn't make a difference.


Tip: A quicker way to unlock console is:
-open terminal at 115200
-Now get a wire, connect it to gnd, and touch some times the Rx pin in the modem,
moving it fast.
This will make some noise and unlock the same, but you will get more time as you won't
need to change the COM speed again.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
abescalamis's

Posted 23 July 2010 - 02:14 PM
This is a good exploit I will try to get a DCM425 to test I will try on windows I will
let know the outcome.