國外網站找到的備份BCM6345/6335晶片ADSL FW的方法

老大 · 发表于 2004-12-27 01:42:37

By modifying the MTD map driver (responsible for mapping the root filesystem into /dev/mtdblock0, thus allowing it to be used as the root fs!), I could access the whole flash memory of my router. It was very simple, and it allows to dump the whole firmware, that is :
CFE bootloader
firmware header (the 256-bytes header described in FirmwareFormat)
root filesystem image
kernel
some extra stuff, including the router settings ; decoding this might be useful to allow storage of new parameters (custom iptables rules, for instance)
You can download the source and compiled module (compile it like the module in the KernelChmod trick) ; once the module is loaded, you should be able to access /dev/mtdblock1 and dump it ; for instance, I used the netcat of a cross-compiled busybox (binary available here) and did busybox nc -l -p 1234 < /dev/mtdblock1, then on my PC nc 192.168.1.1 1234 > flashdump. Wait a bit, and you have your flash image.
Splitting the firmware image into its components is very easy : the first 64KB is the CFE bootloader ; then there';s a "header" telling the size of the root filesystem and the kernel. The remaining part is yet to be decoded.

老大 · 发表于 2004-12-27 01:45:39

用telnet登錄adsl後
>sh
進入Linux Shell進行操作
我已經dump下來了
可惜沒什麼用,因為做不來這種程式開發
有用的兄弟自己試試看把這傢伙搞點新花樣進去吧

老大 · 发表于 2004-12-27 01:59:38

[这个贴子最后由老大在 2004/12/27 10:34pm 第 1 次编辑]

這是看到的adsl信息
# cat proc/cpuinfo
system type : RTA230
processor : 0
cpu model : BCM6345 V0.0
BogoMIPS : 93.18
wait instruction : no
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
VCED exceptions : not available
VCEI exceptions : not available

# cat proc/version
Linux version 2.4.17 (michaelc@ADSL_SW1_LINUX) (gcc version 3.1) #1 Mon Apr 12 11:58:33 CST 2004
# df
Filesystem 1k-blocks Used Available Use% Mounted on
/dev/mtdblock0 1088 1088 0 100% /
tmpfs 192 80 112 42% /var

老大 · 发表于 2004-12-27 02:04:48

好複雜的密碼
# cat /etc/passwd
admin:UQs6qhJNW20zo:0:0:Administrator:/:/bin/sh
user:ARMkc3FThMZR6:0:0:Technical Support:/:/bin/sh

junjie6 · 发表于 2004-12-27 10:56:31

好像好久不见yugp2600 上来了，他对Broadcom芯片的Modem较有研究，建议 yugp2600 研究一下上述命令，我的中兴831Modem（Brodcom 6345芯片）根本不能行使tenlnet命令。。。

YES东 · 发表于 2004-12-27 18:08:08

下面引用由junjie6在 2004/12/27 10:56am 发表的内容：
好像好久不见yugp2600 上来了，他对Broadcom芯片的Modem较有研究，建议 yugp2600 研究一下上述命令，我的中兴831Modem（Brodcom 6345芯片）根本不能行使tenlnet命令。。。

我的华硕的broadcom6345芯片也是不能用telnet的！呵呵！

國外網站找到的備份BCM6345/6335晶片ADSL FW的方法