OpenWrt Forum Archive

Topic: Speedtouch 706 bcm6348 rooting

The content of this topic has been archived on 28 Mar 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
laforge
4 Dec 2015, 17:46

Hello! Big thanks to the OpenWRT community for the great info!

I've got a Thomson Speedtouch 706 where the firmware got heavily obfuscated by my ISP (online.nl)
All possible logins (http, ftp, telnet, serial) where tested with many common user names (Administrator, admin, orange, online, adsl)
I consider it a challenge to be able to root the device.

So with help from OpenWRT's info on Speedtouch 7G and ST706WL i successfully dumped the flash with urtag.
Below will be the command line output.

My chip layout is different from the ST706WL:
CPU: Broadcom bcm6348 (really awful manufacturer's data sheet)
Flash: Spansion S29GL032A90TFIR4 (4GB afaik)
sdram: Hynix HY57V281620FTP-H (different online sources claim different sizes)

It took about 5 hours to dump the 4GB flash using a Raspberry Pi as a jtag dongle.
Many analysis on the flash dump failed. Hexdump, strings and binwalk didn't help much other than producing broken .gz files. Mounting a filesystem seems completely out of the question.
So my next plan is to try and manipulate the sdram on the fly. But i need some help with this.

Questions:
- can i safely read the sdram while the device is running? or does jtag only work in the boot phase?
- how can i find out on what address i can read the sdram?
- any other ideas/comments?

$ sudo jtag

UrJTAG 0.10 #2052
Copyright (C) 2002, 2003 ETC s.r.o.
Copyright (C) 2007, 2008, 2009 Kolja Waschk and the respective authors

UrJTAG is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
There is absolutely no warranty for UrJTAG.

warning: UrJTAG may damage your hardware!
Type "quit" to exit, "help" for help.

jtag> cable gpio tdo=9 tdi=10 tck=11 tms=25
Initializing GPIO JTAG Chain
jtag> detect
IR length: 5
Chain length: 1
Device Id: 00000110001101001000000101111111 (0x0634817F)
  Manufacturer: Broadcom (0x17F)
  Part(0):      BCM6348 (0x6348)
  Stepping:     V1
  Filename:     /usr/local/share/urjtag/broadcom/bcm6348/bcm6348
jtag> endian big
jtag> initbus ejtag_dma
ImpCode=00000000100000000000100100000100
EJTAG version: <= 2.0
EJTAG Implementation flags: R4k DMA MIPS32
Clear memory protection bit in DCR
Clear Watchdog
Potential flash base address: [0x1f80000a], [0x1800]
Processor successfully switched in debug mode.
jtag> detectflash 0x1f800000
Query identification string:
    Primary Algorithm Command Set and Control Interface ID Code: 0x0002 (AMD/Fujitsu Standard Command Set)
    Alternate Algorithm Command Set and Control Interface ID Code: 0x0000 (null)
Query system interface information:
    Vcc Logic Supply Minimum Write/Erase or Write voltage: 2700 mV
    Vcc Logic Supply Maximum Write/Erase or Write voltage: 3600 mV
    Vpp [Programming] Supply Minimum Write/Erase voltage: 0 mV
    Vpp [Programming] Supply Maximum Write/Erase voltage: 0 mV
    Typical timeout per single byte/word program: 128 us
    Typical timeout for maximum-size multi-byte program: 128 us
    Typical timeout per individual block erase: 1024 ms
    Typical timeout for full chip erase: 0 ms
    Maximum timeout for byte/word program: 1024 us
    Maximum timeout for multi-byte program: 4096 us
    Maximum timeout per individual block erase: 16384 ms
    Maximum timeout for chip erase: 0 ms
Device geometry definition:
    Device Size: 4194304 B (4096 KiB, 4 MiB)
    Flash Device Interface Code description: 0x0002 (x8/x16)
    Maximum number of bytes in multi-byte program: 32
    Number of Erase Block Regions within device: 2
    Erase Block Region Information:
        Region 0:
            Erase Block Size: 8192 B (8 KiB)
            Number of Erase Blocks: 8
        Region 1:
            Erase Block Size: 65536 B (64 KiB)
            Number of Erase Blocks: 63
Primary Vendor-Specific Extended Query:
    Major version number: 1
    Minor version number: 3
    Address Sensitive Unlock: Required
    Process Technology: CS99
    Erase Suspend: Read/write
    Sector Protect: 1 sectors per group
    Sector Temporary Unprotect: Not supported
    Sector Protect/Unprotect Scheme: 29BDS640 mode (Software Command Locking)
    Simultaneous Operation: Not supported
    Burst Mode Type: Supported
    Page Mode Type: 4 word Page
    ACC (Acceleration) Supply Minimum: 11500 mV
    ACC (Acceleration) Supply Maximum: 12500 mV
    Top/Bottom Sector Flag: Bottom boot device
    Program Suspend: Not supported
jtag> readmem 0x1f800000 0x400000 dump.bin
address: 0x1F800000
length:  0x00400000
reading:
addr: 0x1F818000
Post #2
rqn
20 Dec 2015, 03:37

Post a link to your dump and I'll have a peek. Those routers usually use something like a ZyNOS-alike mess of an OS, or something like VxWorks. No Linux AFAIK.

By the way, try dumping the flash multiple times and compare the outputs with MD5 or SHA, if they differ you might have corruption in transit.

The discussion might have continued from here.